bbaumbach/samba-autobuild/.git
12 months ago tests/auth_log: Simplify isRemote()
Joseph Sutton [Tue, 23 May 2023 02:20:30 +0000 (14:20 +1200)]
tests/auth_log: Simplify isRemote()

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago tests/auth_log: Rename ‘self’ parameter to ‘cls’
Joseph Sutton [Tue, 23 May 2023 02:57:47 +0000 (14:57 +1200)]
tests/auth_log: Rename ‘self’ parameter to ‘cls’

This method operates on the class, not on an instance of the class.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago tests/auth_log: Call setUpClass() method of base class
Joseph Sutton [Tue, 23 May 2023 02:57:03 +0000 (14:57 +1200)]
tests/auth_log: Call setUpClass() method of base class

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago tests/auth_log: Don’t silently override remoteAddress
Joseph Sutton [Tue, 23 May 2023 01:07:07 +0000 (13:07 +1200)]
tests/auth_log: Don’t silently override remoteAddress

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago tests/auth_log_winbind: Expect an empty remote address
Joseph Sutton [Tue, 23 May 2023 02:04:19 +0000 (14:04 +1200)]
tests/auth_log_winbind: Expect an empty remote address

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago tests/audit_log: Pre-compile GUID regex
Joseph Sutton [Fri, 19 May 2023 02:54:00 +0000 (14:54 +1200)]
tests/audit_log: Pre-compile GUID regex

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago s4:kdc: Move parameter comments adjacent to parameters
Joseph Sutton [Fri, 19 May 2023 01:15:45 +0000 (13:15 +1200)]
s4:kdc: Move parameter comments adjacent to parameters

This is more consistent with the non-NULL parameters, and makes it
easier to swap in the real values when we get them.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago audit_tests: Check return value of json_new_array()
Joseph Sutton [Mon, 22 May 2023 23:17:22 +0000 (11:17 +1200)]
audit_tests: Check return value of json_new_array()

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago s3:utils: Check return value of json_new_object()
Joseph Sutton [Mon, 22 May 2023 23:16:56 +0000 (11:16 +1200)]
s3:utils: Check return value of json_new_object()

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago lib:audit_logging:tests: Check return value of json_new_{object,array}()
Joseph Sutton [Mon, 22 May 2023 23:15:50 +0000 (11:15 +1200)]
lib:audit_logging:tests: Check return value of json_new_{object,array}()

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago lib:audit_logging: Check return value of json_new_object()
Joseph Sutton [Mon, 22 May 2023 23:15:17 +0000 (11:15 +1200)]
lib:audit_logging: Check return value of json_new_object()

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago s4:kdc: Use talloc_steal() rather than talloc_reference()
Joseph Sutton [Mon, 22 May 2023 22:05:10 +0000 (10:05 +1200)]
s4:kdc: Use talloc_steal() rather than talloc_reference()

This is consistent with the other uses in this file (in
authn_policy_ntlm_client() and authn_policy_server()).

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago s4:kdc: Make parameters const
Joseph Sutton [Mon, 22 May 2023 22:01:27 +0000 (10:01 +1200)]
s4:kdc: Make parameters const

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago s4:kdc: Make functions static
Joseph Sutton [Mon, 22 May 2023 21:59:33 +0000 (09:59 +1200)]
s4:kdc: Make functions static

These functions are used only internally.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago s4:auth: Allocate user_info_dc->sids on correct talloc context
Joseph Sutton [Mon, 22 May 2023 21:42:46 +0000 (09:42 +1200)]
s4:auth: Allocate user_info_dc->sids on correct talloc context

‘user_info_dc->sids’ must live for at least as long as ‘user_info_dc’,
or a use-after-free may result.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago s4:kdc: Allocate user_info_dc->sids on correct talloc context
Joseph Sutton [Mon, 22 May 2023 21:21:17 +0000 (09:21 +1200)]
s4:kdc: Allocate user_info_dc->sids on correct talloc context

‘user_info_dc->sids’ must live for at least as long as ‘user_info_dc’,
or a use-after-free may result.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago selftest: Report better error message if environment is unknown
Joseph Sutton [Tue, 16 May 2023 00:04:49 +0000 (12:04 +1200)]
selftest: Report better error message if environment is unknown

Now we get the error “environment [...] is unknown” rather than “samba
can't start up known environment”.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago s4/messaging/py: Fix typo
Joseph Sutton [Tue, 23 May 2023 02:30:22 +0000 (14:30 +1200)]
s4/messaging/py: Fix typo

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago s4/messaging/py: Fix leaks
Joseph Sutton [Tue, 23 May 2023 00:52:17 +0000 (12:52 +1200)]
s4/messaging/py: Fix leaks

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago s4/messaging/py: Fix leak of p_server_id
Joseph Sutton [Tue, 23 May 2023 00:49:28 +0000 (12:49 +1200)]
s4/messaging/py: Fix leak of p_server_id

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago s4/messaging/py: Check py_return_ndr_struct() return value
Joseph Sutton [Tue, 23 May 2023 00:48:56 +0000 (12:48 +1200)]
s4/messaging/py: Check py_return_ndr_struct() return value

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago s4/messaging/py: Fix callback return value leak
Joseph Sutton [Tue, 23 May 2023 00:47:54 +0000 (12:47 +1200)]
s4/messaging/py: Fix callback return value leak

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago s4/messaging/py: Fix leak
Joseph Sutton [Tue, 23 May 2023 00:46:56 +0000 (12:46 +1200)]
s4/messaging/py: Fix leak

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago s4/messaging/py: Fix leaks
Joseph Sutton [Tue, 23 May 2023 00:32:02 +0000 (12:32 +1200)]
s4/messaging/py: Fix leaks

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago s4/messaging: Return the number of previously-registered functions that are removed
Joseph Sutton [Tue, 23 May 2023 00:30:12 +0000 (12:30 +1200)]
s4/messaging: Return the number of previously-registered functions that are removed

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago s4/messaging/py: Fix typo
Joseph Sutton [Tue, 23 May 2023 00:00:07 +0000 (12:00 +1200)]
s4/messaging/py: Fix typo

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago s4/messaging/py: Add more helpful error message for a wrongly-sized tuple
Joseph Sutton [Fri, 19 May 2023 00:54:11 +0000 (12:54 +1200)]
s4/messaging/py: Add more helpful error message for a wrongly-sized tuple

>>> m = Messaging((1,2,3,4,5))
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
TypeError: function takes exactly 1 argument (5 given)

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago s4/messaging/py: Document lp_ctx parameter of messaging.Messaging()
Joseph Sutton [Fri, 19 May 2023 00:41:21 +0000 (12:41 +1200)]
s4/messaging/py: Document lp_ctx parameter of messaging.Messaging()

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago s4/messaging/py: Remove incorrect function names in messaging.Messaging()
Joseph Sutton [Fri, 19 May 2023 00:39:52 +0000 (12:39 +1200)]
s4/messaging/py: Remove incorrect function names in messaging.Messaging()

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago pyglue: Raise an exception on error
Joseph Sutton [Tue, 9 May 2023 03:31:43 +0000 (15:31 +1200)]
pyglue: Raise an exception on error

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago pyglue: Check generate_random_str() return value
Joseph Sutton [Tue, 9 May 2023 03:30:58 +0000 (15:30 +1200)]
pyglue: Check generate_random_str() return value

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago pyglue: Fix typo
Joseph Sutton [Wed, 17 May 2023 01:52:05 +0000 (13:52 +1200)]
pyglue: Fix typo

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago s4:kdc: Note correct constant
Joseph Sutton [Fri, 23 Sep 2022 04:27:46 +0000 (16:27 +1200)]
s4:kdc: Note correct constant

KRB5_PADATA_PW_SALT is wrong. It’s an unrelated constant that just
happens to share the same value.

Heimdal uses the correct constant, kERB_ERR_TYPE_EXTENDED.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago gp: sshd policy correctly sort policy
David Mulder [Thu, 18 May 2023 09:28:46 +0000 (11:28 +0200)]
gp: sshd policy correctly sort policy

The sshd_config man page says that key value
pairs 'the first obtained value will be used'.
So we need to sort policies from last to first.

Signed-off-by: David Mulder <dmulder@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri May 19 01:23:19 UTC 2023 on atb-devel-224

12 months ago tests: Replace iconv(1) UTF-16LE conversion with a python3 call
SATOH Fumiyasu [Fri, 12 May 2023 05:53:10 +0000 (14:53 +0900)]
tests: Replace iconv(1) UTF-16LE conversion with a python3 call

GNU libiconv and its iconv(1) do NOT define 'utf16le' as
an alias of 'UTF-16LE' encoding.

Signed-off-by: SATOH Fumiyasu <fumiyas@osstech.co.jp>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
12 months ago selftest: Report "unknown environment" if setup returns "UNKNOWN"
SATOH Fumiyasu [Sat, 13 May 2023 13:30:04 +0000 (22:30 +0900)]
selftest: Report "unknown environment" if setup returns "UNKNOWN"

Samba*::setup_*() may return the string "UNKNOWN".

```
$ ./configure --with-ads ...
...
$ make
...
$ make test
...
Can't use string ("UNKNOWN") as a HASH ref while "strict refs" in use at /.../samba-4.18.2/selftest/target/Samba.pm line 131.
```

Signed-off-by: SATOH Fumiyasu <fumiyas@osstech.co.jp>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
12 months ago build:waf: Check value of GNU_TLS_* with detected env
SATOH Fumiyasu [Tue, 9 May 2023 07:54:16 +0000 (16:54 +0900)]
build:waf: Check value of GNU_TLS_* with detected env

Signed-off-by: SATOH Fumiyasu <fumiyas@osstech.co.jp>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
12 months ago build:wafsamba: Allow lib for CHECK_VALUEOF()
SATOH Fumiyasu [Tue, 9 May 2023 07:52:04 +0000 (16:52 +0900)]
build:wafsamba: Allow lib for CHECK_VALUEOF()

Signed-off-by: SATOH Fumiyasu <fumiyas@osstech.co.jp>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
12 months ago s4:kdc: Check lifetime of correct ticket
Joseph Sutton [Tue, 18 Apr 2023 02:28:01 +0000 (14:28 +1200)]
s4:kdc: Check lifetime of correct ticket

The ticket returned by kdc_request_get_ticket() is the main TGT
presented in a TGS-REQ. If we’re verifying a FAST armor ticket or a
user-to-user ticket, make sure we check the lifetime of that ticket
instead. To do this we need to pass the appropriate ticket into the
plugin function.

NOTE: This commit finally works again!

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu May 18 05:49:31 UTC 2023 on atb-devel-224

12 months ago third_party/heimdal: Import lorikeet-heimdal-202305172147 (commit dedb12e3db6e3e5b878...
Joseph Sutton [Wed, 17 May 2023 21:54:12 +0000 (09:54 +1200)]
third_party/heimdal: Import lorikeet-heimdal-202305172147 (commit dedb12e3db6e3e5b87869e77f1f1d2ee1f0d32a0)

NOTE: THIS COMMIT WON’T COMPILE/WORK ON ITS OWN!

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago tests/krb5: Add tests presenting short-lived ticket in various scenarios
Joseph Sutton [Wed, 17 May 2023 22:59:53 +0000 (10:59 +1200)]
tests/krb5: Add tests presenting short-lived ticket in various scenarios

With the Heimdal KDC, we erroneously accept short-lived FAST and
user-to-user tickets.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago tests/krb5: Rename modify_requester_sid_time() to modify_lifetime()
Joseph Sutton [Wed, 17 May 2023 23:07:36 +0000 (11:07 +1200)]
tests/krb5: Rename modify_requester_sid_time() to modify_lifetime()

...now that the requester SID parameter is optional.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago tests/krb5: Change ‘sid’ parameter into optional ‘requester_sid’ parameter
Joseph Sutton [Wed, 17 May 2023 23:05:56 +0000 (11:05 +1200)]
tests/krb5: Change ‘sid’ parameter into optional ‘requester_sid’ parameter

This is so callers can modify the lifetime of a ticket without
necessarily changing the requester SID.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago tests/krb5: Use consistent time between get_KerberosTime() calls
Joseph Sutton [Wed, 17 May 2023 23:03:40 +0000 (11:03 +1200)]
tests/krb5: Use consistent time between get_KerberosTime() calls

Otherwise get_KerberosTime() calls time.time() itself, the value of
which can change between calls.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago tests/krb5: Move modify_requester_sid_time() to RawKerberosTest
Joseph Sutton [Wed, 17 May 2023 23:01:47 +0000 (11:01 +1200)]
tests/krb5: Move modify_requester_sid_time() to RawKerberosTest

We shall make use of it in KdcTgsTests.

Also move add_requester_sid(), which this function depends upon.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago s4:kdc: Remove manual addition of error data
Joseph Sutton [Wed, 17 May 2023 03:49:09 +0000 (15:49 +1200)]
s4:kdc: Remove manual addition of error data

This is now handled by the hdb_samba4_set_ntstatus() call above.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago s4:kdc: Add NTSTATUS e-data to KDC reply
Joseph Sutton [Wed, 17 May 2023 03:47:18 +0000 (15:47 +1200)]
s4:kdc: Add NTSTATUS e-data to KDC reply

If an NTSTATUS code has been set in the KDC request structure, encode it
as KERB-ERROR-DATA and add it to the KDC reply.

hdb_samba4_set_ntstatus() adds the NTSTATUS code to the request
structure.

hdb_samba4_get_ntstatus() gets that status code back from the request
structure.

hdb_samba4_set_edata_from_ntstatus() encodes the status code and adds it
to the reply.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago third_party/heimdal: Import lorikeet-heimdal-202305170245 (commit 9c903d03c31ec96af79...
Joseph Sutton [Wed, 17 May 2023 04:13:40 +0000 (16:13 +1200)]
third_party/heimdal: Import lorikeet-heimdal-202305170245 (commit 9c903d03c31ec96af79e2723e3ae41890dd83122)

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago s4:kdc: Add function to attach an NTSTATUS code to a Kerberos request structure
Joseph Sutton [Thu, 1 Dec 2022 02:35:56 +0000 (15:35 +1300)]
s4:kdc: Add function to attach an NTSTATUS code to a Kerberos request structure

Our KDC plugin can use this to store NTSTATUS codes that can be added to
the final KDC reply later.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago s4:kdc: Use more suitable type for final_ret
Joseph Sutton [Wed, 17 May 2023 03:38:09 +0000 (15:38 +1200)]
s4:kdc: Use more suitable type for final_ret

This now matches the return type of the function.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago tests/krb5: Set expected_status even if expect_status is not true
Joseph Sutton [Wed, 17 May 2023 04:43:12 +0000 (16:43 +1200)]
tests/krb5: Set expected_status even if expect_status is not true

We might get an NTSTATUS code even if we aren’t explicitly saying that
we expect one.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago tests/krb5: Be less particular about getting NTSTATUS codes for KDC TGS tests
Joseph Sutton [Wed, 17 May 2023 04:42:08 +0000 (16:42 +1200)]
tests/krb5: Be less particular about getting NTSTATUS codes for KDC TGS tests

Samba currently doesn’t return a status code in these error cases.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago tests/krb5: Be less particular about expected status codes for S4U tests
Joseph Sutton [Wed, 17 May 2023 03:28:24 +0000 (15:28 +1200)]
tests/krb5: Be less particular about expected status codes for S4U tests

Samba doesn’t return a status code for these error cases, so lower our
expectations of getting them.

We don’t have to add ‘'expect_status': None’ to all these test cases,
but this makes it clear at a glance that ‘expected_status’ isn’t
actually being checked, and gives us the opportunity to change this
aspect of each individual test in the future.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago s4:kdc: Use talloc_get_type_abort()
Joseph Sutton [Wed, 17 May 2023 03:05:44 +0000 (15:05 +1200)]
s4:kdc: Use talloc_get_type_abort()

We dereference this pointer immediately after this call, so we should be
sure it is not NULL.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago s4:kdc: Add support for constructed claims (for authentication silos)
Joseph Sutton [Tue, 28 Mar 2023 02:10:50 +0000 (15:10 +1300)]
s4:kdc: Add support for constructed claims (for authentication silos)

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu May 18 01:58:24 UTC 2023 on atb-devel-224

12 months ago s4:kdc: Make use of dsdb_search_one()
Joseph Sutton [Wed, 17 May 2023 00:02:47 +0000 (12:02 +1200)]
s4:kdc: Make use of dsdb_search_one()

Ensure we get exactly one object back, or an error.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago s4:kdc: Don’t perform unnecessary search to get account objectClass
Joseph Sutton [Wed, 17 May 2023 00:07:44 +0000 (12:07 +1200)]
s4:kdc: Don’t perform unnecessary search to get account objectClass

We now have this information in the ldb_message.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago s4:kdc: Have get_claims_for_principal() take the entire principal
Joseph Sutton [Tue, 16 May 2023 23:55:16 +0000 (11:55 +1200)]
s4:kdc: Have get_claims_for_principal() take the entire principal

The ldb_message contains more information than just the DN, such as
which authentication policy or silo is assigned.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago s4:kdc: Enforce TGT lifetime authentication policy
Joseph Sutton [Thu, 4 May 2023 03:06:40 +0000 (15:06 +1200)]
s4:kdc: Enforce TGT lifetime authentication policy

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago s4:kdc: Look up authentication policies for Kerberos clients and servers
Joseph Sutton [Thu, 4 May 2023 03:06:40 +0000 (15:06 +1200)]
s4:kdc: Look up authentication policies for Kerberos clients and servers

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago s4:kdc: Make maximum lifetime and renew time signed
Joseph Sutton [Thu, 27 Apr 2023 23:58:38 +0000 (11:58 +1200)]
s4:kdc: Make maximum lifetime and renew time signed

This is now consistent with Heimdal, and with our usage of time_t
elsewhere.

NOTE: This commit finally works again!

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago s4:kdc: Add SDB_F_ARMOR_PRINCIPAL flag
Joseph Sutton [Tue, 16 May 2023 04:48:09 +0000 (16:48 +1200)]
s4:kdc: Add SDB_F_ARMOR_PRINCIPAL flag

This corresponds with the HDB_F_ARMOR_PRINCIPAL flag in Heimdal, and
indicates a lookup of an armor ticket client principal, rather than the
principal of the main TGT. This helps us to determine whether an
authentication policy will apply to a principal acting as a client, and
hence whether we have to look up the policy in the database.

NOTE: THIS COMMIT WON’T COMPILE/WORK ON ITS OWN!

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago third_party/heimdal: Import lorikeet-heimdal-202305160500 (commit 8836d64dee78a74aa74...
Joseph Sutton [Tue, 16 May 2023 21:06:17 +0000 (09:06 +1200)]
third_party/heimdal: Import lorikeet-heimdal-202305160500 (commit 8836d64dee78a74aa740e31b7ad406b8a8cfdad0)

NOTE: THIS COMMIT WON’T COMPILE/WORK ON ITS OWN!

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago s4:kdc: Add helper functions for authentication policies
Joseph Sutton [Wed, 3 May 2023 22:59:49 +0000 (10:59 +1200)]
s4:kdc: Add helper functions for authentication policies

These functions are not yet used.

They are arranged into two libraries: ‘authn_policy’, containing the
core functions, and ‘authn_policy_util’, containing utility functions
that can access the database. This separation is so that libraries
depended upon by ‘samdb’ or ‘dsdb-module’ can use the core functions
without introducing a dependency cycle.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago s4:kdc: Make a proper shallow copy of the auth_user_info_dc structure
Joseph Sutton [Wed, 10 May 2023 02:54:21 +0000 (14:54 +1200)]
s4:kdc: Make a proper shallow copy of the auth_user_info_dc structure

Just copying the structure fields is prone to lead to use-after-frees if
we access them after the original structure and its fields are freed.

Instead, call authsam_shallow_copy_user_info_dc() to make the copy. This
properly references the fields in the original structure so that they
will not be freed until we are sure we have finished with them.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago s4:auth: Add function to make a shallow copy of an auth_user_info_dc structure
Joseph Sutton [Mon, 15 May 2023 23:18:38 +0000 (11:18 +1200)]
s4:auth: Add function to make a shallow copy of an auth_user_info_dc structure

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago s4:kdc: Add NTSTATUS strings to log messages
Joseph Sutton [Mon, 15 May 2023 23:00:24 +0000 (11:00 +1200)]
s4:kdc: Add NTSTATUS strings to log messages

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago lib:audit_logging: Fix typo in log message
Joseph Sutton [Mon, 15 May 2023 22:00:48 +0000 (10:00 +1200)]
lib:audit_logging: Fix typo in log message

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago lib:audit_logging: Add function to add a formatted time value to a JSON message
Joseph Sutton [Mon, 15 May 2023 21:57:12 +0000 (09:57 +1200)]
lib:audit_logging: Add function to add a formatted time value to a JSON message

json_add_timestamp() is limited to adding a ‘timestamp’ field with the
current time. The new function can add an arbitrary timestamp with an
arbitrary field name.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago lib:audit_logging: Add function to add an optional boolean value to a JSON message
Joseph Sutton [Mon, 15 May 2023 21:55:52 +0000 (09:55 +1200)]
lib:audit_logging: Add function to add an optional boolean value to a JSON message

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago lib:audit_logging: Add function to add flags to a JSON message
Joseph Sutton [Mon, 15 May 2023 21:53:02 +0000 (09:53 +1200)]
lib:audit_logging: Add function to add flags to a JSON message

This replaces a couple of calls to snprintf() in
log_authentication_event_json() and log_successful_authz_event_json()
respectively.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago s4:auth: Remove superfluous semicolon
Joseph Sutton [Thu, 11 May 2023 02:45:13 +0000 (14:45 +1200)]
s4:auth: Remove superfluous semicolon

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago s4:auth: Fix leak
Joseph Sutton [Mon, 15 May 2023 23:17:35 +0000 (11:17 +1200)]
s4:auth: Fix leak

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago auth: Fix leaks
Joseph Sutton [Wed, 10 May 2023 22:40:27 +0000 (10:40 +1200)]
auth: Fix leaks

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago auth: Correct parameter order in header
Joseph Sutton [Wed, 10 May 2023 01:00:08 +0000 (13:00 +1200)]
auth: Correct parameter order in header

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago s4:kdc: Fix diagnostic messages
Joseph Sutton [Tue, 9 May 2023 04:28:22 +0000 (16:28 +1200)]
s4:kdc: Fix diagnostic messages

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago s4:kdc: Fix error messages
Joseph Sutton [Tue, 9 May 2023 04:26:35 +0000 (16:26 +1200)]
s4:kdc: Fix error messages

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago s4:kdc: Check ldb_dn_new() return value
Joseph Sutton [Tue, 9 May 2023 04:23:17 +0000 (16:23 +1200)]
s4:kdc: Check ldb_dn_new() return value

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago s4:kdc: Remove double-free
Joseph Sutton [Tue, 9 May 2023 04:21:51 +0000 (16:21 +1200)]
s4:kdc: Remove double-free

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago s4:kdc: Remove double-free
Joseph Sutton [Tue, 9 May 2023 02:59:54 +0000 (14:59 +1200)]
s4:kdc: Remove double-free

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago s4:kdc: Fix leaks
Joseph Sutton [Tue, 9 May 2023 02:53:33 +0000 (14:53 +1200)]
s4:kdc: Fix leaks

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago s4:kdc: Make use of auth_generate_security_token()
Joseph Sutton [Tue, 9 May 2023 02:41:30 +0000 (14:41 +1200)]
s4:kdc: Make use of auth_generate_security_token()

We don’t need the whole session info structure to perform an access
check.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago s4:auth: Fix typos
Joseph Sutton [Tue, 9 May 2023 02:06:23 +0000 (14:06 +1200)]
s4:auth: Fix typos

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago s4:auth: Split out new function to generate a security token
Joseph Sutton [Tue, 9 May 2023 02:30:40 +0000 (14:30 +1200)]
s4:auth: Split out new function to generate a security token

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago auth: Remove unnecessary return statements
Joseph Sutton [Tue, 9 May 2023 02:11:42 +0000 (14:11 +1200)]
auth: Remove unnecessary return statements

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago s3:utils: Fix typo
Joseph Sutton [Tue, 9 May 2023 02:09:19 +0000 (14:09 +1200)]
s3:utils: Fix typo

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago s4:kdc: Fix debugging strings
Joseph Sutton [Tue, 9 May 2023 00:42:54 +0000 (12:42 +1200)]
s4:kdc: Fix debugging strings

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago s4:kdc: Fix typos
Joseph Sutton [Tue, 9 May 2023 00:07:35 +0000 (12:07 +1200)]
s4:kdc: Fix typos

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago s4:kdc: Factor out PAC blob functions into new source file
Joseph Sutton [Mon, 8 May 2023 23:57:09 +0000 (11:57 +1200)]
s4:kdc: Factor out PAC blob functions into new source file

pac-glue.c has become rather large, and can do without these PAC
blob–handling functions.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago s4:kdc: Add missing includes and declarations
Joseph Sutton [Mon, 8 May 2023 01:30:40 +0000 (13:30 +1200)]
s4:kdc: Add missing includes and declarations

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago libcli: Add missing include
Joseph Sutton [Mon, 8 May 2023 01:25:34 +0000 (13:25 +1200)]
libcli: Add missing include

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago s4:kdc: Include missing headers
Joseph Sutton [Mon, 8 May 2023 01:16:10 +0000 (13:16 +1200)]
s4:kdc: Include missing headers

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago s4:kdc: Make use of KDC_REQUEST_KV_PA_NAME constant
Joseph Sutton [Mon, 8 May 2023 00:58:46 +0000 (12:58 +1200)]
s4:kdc: Make use of KDC_REQUEST_KV_PA_NAME constant

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago tests/krb5: Add tests for authentication policies
Joseph Sutton [Thu, 4 May 2023 01:53:06 +0000 (13:53 +1200)]
tests/krb5: Add tests for authentication policies

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago tests/krb5: Allow specifying whether PA-DATA types are to be checked
Joseph Sutton [Thu, 4 May 2023 02:44:11 +0000 (14:44 +1200)]
tests/krb5: Allow specifying whether PA-DATA types are to be checked

Not all tests are intended to test that the correct PA-DATA types are
returned. This parameter allows us to skip checking for cases where we
don’t care.

View with ‘git show -b’.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago tests/krb5: Allow server and workstation accounts to perform a SamLogon
Joseph Sutton [Thu, 4 May 2023 02:41:00 +0000 (14:41 +1200)]
tests/krb5: Allow server and workstation accounts to perform a SamLogon

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago tests/krb5: Allow specifying machine credentials to _test_samlogon()
Joseph Sutton [Thu, 4 May 2023 02:40:21 +0000 (14:40 +1200)]
tests/krb5: Allow specifying machine credentials to _test_samlogon()

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago tests/krb5: Rename ‘server’ to ‘dc_server’
Joseph Sutton [Thu, 4 May 2023 01:55:31 +0000 (13:55 +1200)]
tests/krb5: Rename ‘server’ to ‘dc_server’

This makes it more clear that this is in fact the DC.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago netlogon:schannel: Fix NULL pointer dereference
Joseph Sutton [Tue, 2 May 2023 02:48:25 +0000 (14:48 +1200)]
netlogon:schannel: Fix NULL pointer dereference

We should not pass a NULL pointer into netlogon_creds_client_init().

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12 months ago tests/krb5: Test that NT_STATUS_ACCOUNT_LOCKED_OUT is returned in KDC reply e-data
Joseph Sutton [Thu, 1 Dec 2022 02:35:56 +0000 (15:35 +1300)]
tests/krb5: Test that NT_STATUS_ACCOUNT_LOCKED_OUT is returned in KDC reply e-data

Certain clients rely on this behaviour.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>