Joseph Sutton [Tue, 19 Oct 2021 23:44:19 +0000 (12:44 +1300)]
tests/krb5: Allow creating machine accounts without a trailing dollar
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Tue, 19 Oct 2021 23:41:39 +0000 (12:41 +1300)]
tests/krb5: Allow specifying prefix or suffix for test account names
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Tue, 19 Oct 2021 23:39:05 +0000 (12:39 +1300)]
tests/krb5: Decrease length of test account prefix
This allows us more room to test with different account names.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Tue, 5 Oct 2021 14:42:00 +0000 (16:42 +0200)]
selftest/Samba3: replace (winbindd => "yes", skip_wait => 1) with (winbindd => "offline")
This is much more flexible and concentrates the logic in a single place.
We'll use winbindd => "offline" in other places soon.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14870
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 8 Oct 2021 16:04:55 +0000 (18:04 +0200)]
selftest/Samba3: remove unused close(USERMAP); calls
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14869
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Mon, 4 Oct 2021 11:02:35 +0000 (13:02 +0200)]
waf: Allow building with MIT KRB5 >= 1.20
gssrpc/xdr.h:105:1: error: function declaration isn’t a prototype
[-Werror=strict-prototypes]
105 | typedef bool_t (*xdrproc_t)();
| ^~~~~~~
This can't be fixed, as the protoype is variadic. It can take up to three
arguments.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14870
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett [Sun, 17 Oct 2021 22:55:14 +0000 (11:55 +1300)]
selftest: Improve error handling and perl style when setting up users in Samba4.pm
This catches errors and avoids using global varibles (the old
style file handles are global).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14869
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett [Mon, 18 Oct 2021 07:44:54 +0000 (20:44 +1300)]
selftest: Remove duplicate setup of $base_dn and $ldbmodify
These are already set up to the same values above for the full
DC and correct values for the (strange) s4member environment.
By not setting $base_dn again we avoid an error once we start
checking for them.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Douglas Bagnall [Thu, 19 Aug 2021 23:26:02 +0000 (11:26 +1200)]
pytest: s3_net_join: avoid name clash
The net_join test uses "NetJoinTest" (and doesn't properly clean up),
we must use a unique name for this test in s3_net_join.py.
[abartlet@samba.org The hilarious naming conventions come from a time when samba-tool
was known as "net" in the s4 branch]
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14869
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Fri, 8 Oct 2021 02:40:09 +0000 (15:40 +1300)]
selftest: krb5 account creation: clarify account type as an enum
This makes the code clearer with a symbolic constant rather
than a True/False boolean.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14869
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Douglas Bagnall [Thu, 5 Aug 2021 23:08:10 +0000 (11:08 +1200)]
pytest: dynamic tests optionally add __doc__
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14869
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Mon, 20 Sep 2021 04:27:40 +0000 (16:27 +1200)]
selftest: Increase account lockout windows to make test more realiable
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14868
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Douglas Bagnall [Wed, 8 Sep 2021 05:01:26 +0000 (17:01 +1200)]
pytest/rodc_rwdc: try to avoid race.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14868
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Viktor Dukhovni [Wed, 10 Aug 2016 23:31:14 +0000 (23:31 +0000)]
HEIMDAL:kdc: Fix transit path validation CVE-2017-6594
Commit
f469fc6 (2010-10-02) inadvertently caused the previous hop realm
to not be added to the transit path of issued tickets. This may, in
some cases, enable bypass of capath policy in Heimdal versions 1.5
through 7.2.
Note, this may break sites that rely on the bug. With the bug some
incomplete [capaths] worked, that should not have. These may now break
authentication in some cross-realm configurations.
(similar to heimdal commit
b1e699103f08d6a0ca46a122193c9da65f6cf837)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12998
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Oct 20 10:58:37 UTC 2021 on sn-devel-184
Joseph Sutton [Mon, 18 Oct 2021 03:07:11 +0000 (16:07 +1300)]
tests/krb5: Add tests for constrained delegation to NO_AUTH_DATA_REQUIRED service
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14871
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Oct 20 09:22:43 UTC 2021 on sn-devel-184
Joseph Sutton [Mon, 18 Oct 2021 03:05:19 +0000 (16:05 +1300)]
tests/krb5: Ensure PAC is not present if expect_pac is false
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14871
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett [Mon, 18 Oct 2021 03:00:45 +0000 (16:00 +1300)]
kdc: Correctly strip PAC, rather than error on UF_NO_AUTH_DATA_REQUIRED for servers
UF_NO_AUTH_DATA_REQUIRED on a server/service account should cause
the PAC to be stripped not to given an error if the PAC was still
present.
Tested against Windows 2019
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14871
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett [Mon, 18 Oct 2021 02:21:50 +0000 (15:21 +1300)]
kdc: Remove UF_NO_AUTH_DATA_REQUIRED from client principals
Tests against Windows 2019 show that UF_NO_AUTH_DATA_REQUIRED
applies to services only, not to clients.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14871
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Mon, 16 Apr 2018 14:08:29 +0000 (16:08 +0200)]
netlogon_creds_cli: add netlogon_creds_cli_SendToSam_recv() and don't ignore result
This is a low level function that should not ignore results.
If the caller doesn't care it's his choice.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Oct 19 20:20:00 UTC 2021 on sn-devel-184
Stefan Metzmacher [Tue, 28 Sep 2021 20:24:32 +0000 (22:24 +0200)]
libcli/smb: use MID=0 for SMB2 Cancel with ASYNC_ID and legacy signing algorithms
We can only assume that servers with support for AES-GMAC-128 signing
will except an SMB2 Cancel with ASYNC_ID and real MID.
This strategy is also used by Windows clients, because
some vendors don't cope otherwise.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14855
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Oct 19 19:23:39 UTC 2021 on sn-devel-184
Martin Schwenke [Tue, 19 Oct 2021 00:00:22 +0000 (11:00 +1100)]
bootstrap: Debian 11 has liburing-dev
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14872
Signed-off-by: Martin Schwenke <martin@meltin.net>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Oct 19 09:14:10 UTC 2021 on sn-devel-184
Martin Schwenke [Thu, 14 Oct 2021 03:50:41 +0000 (14:50 +1100)]
bootstrap: Add Debian 11
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14872
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Oct 18 17:19:17 UTC 2021 on sn-devel-184
Joseph Sutton [Fri, 15 Oct 2021 01:29:26 +0000 (14:29 +1300)]
tests/krb5: Add tests for requesting a service ticket without a PAC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sun Oct 17 23:40:33 UTC 2021 on sn-devel-184
Joseph Sutton [Fri, 15 Oct 2021 01:27:25 +0000 (14:27 +1300)]
tests/krb5: Add method to get the PAC from a ticket
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Fri, 15 Oct 2021 01:27:15 +0000 (14:27 +1300)]
tests/krb5: Allow specifying whether to expect a PAC with _test_as_exchange()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Fri, 15 Oct 2021 01:26:40 +0000 (14:26 +1300)]
tests/krb5: Allow get_tgt() to request including or omitting a PAC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 14 Oct 2021 23:12:30 +0000 (12:12 +1300)]
heimdal:kdc: Fix ticket signing without a PAC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Fri, 15 Oct 2021 00:09:20 +0000 (13:09 +1300)]
selftest/dbcheck: Fix up RODC one-way links (use correct dbcheck rule)
The previous commit was correct on intention, but it was not noticed
as there is a race, that the incorrect rule was appended to.
These links are removed by remove_plausible_deleted_DN_links not
fix_all_old_dn_string_component_mismatch
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Oct 15 10:00:47 UTC 2021 on sn-devel-184
Andrew Bartlett [Thu, 14 Oct 2021 19:22:17 +0000 (08:22 +1300)]
gitlab-ci: Do not download artifacts of unrelated builds
This needs: is overridden in many cases, but ensures none of the other
main jobs start until this build finishes. However this also
ensures we do not download artifacts from any build unless we
specifically depend on it, saving bandwidth
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14863
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Thu, 14 Oct 2021 07:24:49 +0000 (20:24 +1300)]
gitlab-ci: Do not retry for job_execution_timeout
If we timeout, we should just stop at 2 hours, not waste 6 hours (3 x 2 hours).
This is for when the job runs long for any reason, currently the
reasons for a timeout are not transient, we need to either change
the timeout or fix the system. Likewise if the tests get into a loop
or deadlock we want to see that as a failure.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14863
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Jeremy Allison [Wed, 13 Oct 2021 16:46:07 +0000 (09:46 -0700)]
s3: smbspool. Remove last use of 'extern char **environ;'.
This should come from lib/replace/replace.h to cope with
system (MacOSX etc.) differences.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14862
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Oct 14 19:51:59 UTC 2021 on sn-devel-184
Nicolas Williams [Mon, 11 Oct 2021 02:55:59 +0000 (21:55 -0500)]
krb5: Fix PAC signature leak affecting KDC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
[jsutton@samba.org Cherry-picked from Heimdal commit
54581d2d52443a9a07ed5980df331f660b397dcf]
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Fri, 8 Oct 2021 03:08:39 +0000 (16:08 +1300)]
s4:kdc: Check ticket signature
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Fri, 8 Oct 2021 02:43:41 +0000 (15:43 +1300)]
heimdal: Make _krb5_pac_get_kdc_checksum_info() into a global function
This lets us call it from Samba.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 11 Aug 2021 01:27:11 +0000 (13:27 +1200)]
s4/heimdal/lib/krb5/pac.c: Align PAC buffers to match Windows
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Luke Howard [Thu, 23 Sep 2021 07:51:51 +0000 (17:51 +1000)]
kdc: correctly generate PAC TGS signature
When generating an AS-REQ, the TGS signature was incorrectly generated using
the server key, which would fail to validate if the server was not also the
TGS. Fix this.
Patch from Isaac Bourkis <iboukris@gmail.com>.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
[jsutton@samba.org Backported from Heimdal commit
e7863e2af922809dad25a2e948e98c408944d551
- Samba's Heimdal version does not have the generate_pac() helper
function.
- Samba's Heimdal version does not use the 'r' context variable.
]
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Luke Howard [Thu, 23 Sep 2021 04:39:35 +0000 (14:39 +1000)]
kdc: use ticket client name when signing PAC
The principal in the PAC_LOGON_NAME buffer is expected to match the client name
in the ticket. Previously we were setting this to the canonical client name,
which would have broken PAC validation if the client did not request name
canonicalization
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
[jsutton@samba.org Backported from Heimdal commit
3b0856cab2b25624deb1f6e0e67637ba96a647ac
- Renamed variable to avoid shadowing existing variable
]
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Luke Howard [Sun, 6 Jan 2019 06:54:58 +0000 (17:54 +1100)]
kdc: only set HDB_F_GET_KRBTGT when requesting TGS principal
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
[jsutton@samba.org Backported from Heimdal commit
f1dd2b818aa0866960945edea02a6bc782ed697c
- Removed change to _kdc_find_etype() use_strongest_session_key
parameter since Samba's Heimdal version uses different logic
]
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Luke Howard [Fri, 17 Sep 2021 03:57:57 +0000 (13:57 +1000)]
krb5: return KRB5KRB_AP_ERR_INAPP_CKSUM if PAC checksum fails
Return KRB5KRB_AP_ERR_INAPP_CKSUM instead of EINVAL when verifying a PAC, if
the checksum is absent or unkeyed.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
[jsutton@samba.org Cherry-picked from Heimdal commit
c4b99b48c4b18f30d504b427bc1961d7a71f631e]
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Isaac Boukris [Sun, 19 Sep 2021 12:16:58 +0000 (15:16 +0300)]
krb5: rework PAC validation loop
Avoid allocating the PAC on error.
Closes: #836
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
[jsutton@samba.org Cherry-picked from Heimdal commit
6df8be5091363a1c9a9165465ab8292f817bec81]
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Isaac Boukris [Sun, 19 Sep 2021 12:04:14 +0000 (15:04 +0300)]
krb5: allow NULL parameter to krb5_pac_free()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
[jsutton@samba.org Cherry-picked from Heimdal commit
b295167208a96e68515902138f6ce93972892ec5]
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Isaac Boukris [Fri, 13 Aug 2021 09:44:37 +0000 (12:44 +0300)]
kdc: sign ticket using Windows PAC
Split Windows PAC signing and verification logic, as the signing has to be when
the ticket is ready.
Create sign and verify the PAC KDC signature if the plugin did not, allowing
for S4U2Proxy to work, instead of KRB5SignedPath.
Use the header key to verify PAC server signature, as the same key used to
encrypt/decrypt the ticket should be used for PAC server signature, like U2U
tickets are signed witht the tgt session-key and not with the longterm key,
and so krbtgt should be no different and the header key should be used.
Lookup the delegated client in DB instead of passing the delegator DB entry.
Add PAC ticket-signatures and related functions.
Note: due to the change from KRB5SignedPath to PAC, S4U2Proxy requests
against new KDC will not work if the evidence ticket was acquired from
an old KDC, and vide versa.
Closes: #767
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
[jsutton@samba.org Backported from Heimdal commit
2ffaba9401d19c718764d4bd24180960290238e9
- Removed tests
- Adapted to Samba's version of Heimdal
- Addressed build failures with -O3
- Added knownfails
]
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Isaac Boukris [Mon, 28 Dec 2020 20:07:10 +0000 (22:07 +0200)]
kdc: remove KRB5SignedPath, to be replaced with PAC
KRB5SignedPath was a Heimdal-specific authorization data element used to
protect the authenticity of evidence tickets when used in constrained
delegation (without a Windows PAC).
Remove this, to be replaced with the Windows PAC which itself now supports
signing the entire ticket in the TGS key.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
[jsutton@samba.org Backported from Heimdal commit
bb1d8f2a8c2545bccdf2c9179ce9259bf1050086
- Removed tests
- Removed auditing hook (only present in Heimdal master)
- Added knownfails
]
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Fri, 8 Oct 2021 02:42:29 +0000 (15:42 +1300)]
s4/torture: Expect ticket checksum PAC buffer
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 6 Oct 2021 03:40:21 +0000 (16:40 +1300)]
s4:kdc: Fix debugging messages
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Fri, 8 Oct 2021 03:06:58 +0000 (16:06 +1300)]
s4:kdc: Simplify samba_kdc_update_pac_blob() to take ldb_context as parameter
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Fri, 8 Oct 2021 02:40:39 +0000 (15:40 +1300)]
tests/krb5: Fix duplicate account creation
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Fri, 8 Oct 2021 02:41:35 +0000 (15:41 +1300)]
tests/krb5: Allow bypassing cache when creating accounts
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 28 Sep 2021 23:07:40 +0000 (12:07 +1300)]
tests/krb5: Don't include empty AD-IF-RELEVANT
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 30 Sep 2021 02:03:04 +0000 (15:03 +1300)]
tests/krb5: Add constrained delegation tests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 6 Oct 2021 03:35:47 +0000 (16:35 +1300)]
tests/krb5: Verify tickets obtained with get_service_ticket()
We only require the ticket checksum with Heimdal, because MIT currently
doesn't add it.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 5 Oct 2021 02:39:11 +0000 (15:39 +1300)]
tests/krb5: Require ticket checksums if decryption key is available
We perform this check conditionally, because MIT doesn't currently add
ticket checksums.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 14 Oct 2021 03:58:15 +0000 (16:58 +1300)]
tests/krb5: Add TKT_SIG_SUPPORT environment variable
This lets us indicate that service tickets should be issued with ticket
checksums in the PAC.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 12 Oct 2021 23:26:22 +0000 (12:26 +1300)]
selftest/dbcheck: Fix up RODC one-way links
Test accounts were replicated to the RODC and then deleted, causing
state links to remain in the database.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 5 Oct 2021 03:32:01 +0000 (16:32 +1300)]
tests/krb5: Fix sha1 checksum type
Previously, sha1 signatures were being designated as rsa-md5-des3
signatures.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 5 Oct 2021 06:47:22 +0000 (19:47 +1300)]
tests/krb5: Provide clearer assertion messages for test failures
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 7 Oct 2021 22:48:41 +0000 (11:48 +1300)]
tests/krb5: Disable debugging output for tests
This reduces the time spent running the tests in a testenv.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 11 Oct 2021 01:49:34 +0000 (14:49 +1300)]
tests/krb5: Simplify padata checking
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 11 Oct 2021 01:48:03 +0000 (14:48 +1300)]
tests/krb5: Check logon name in PAC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 11 Oct 2021 01:45:45 +0000 (14:45 +1300)]
tests/krb5: Check padata types when STRICT_CHECKING=0
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 11 Oct 2021 22:34:59 +0000 (11:34 +1300)]
tests/krb5: Add environment variable to specify KDC FAST support
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 11 Oct 2021 03:15:43 +0000 (16:15 +1300)]
tests/krb5: Fix padata checking at functional level 2003
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 11 Oct 2021 01:39:26 +0000 (14:39 +1300)]
tests/krb5: Clarify checksum type assertion message
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 11 Oct 2021 01:37:03 +0000 (14:37 +1300)]
tests/krb5: Use correct principal name type
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 14 Oct 2021 03:43:05 +0000 (16:43 +1300)]
tests/krb5: Add compatability tests for ticket checksums
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 30 Sep 2021 03:53:35 +0000 (16:53 +1300)]
tests/krb5: Add parameter to enforce presence of ticket checksums
This allows existing tests to pass before this functionality is
implemented.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 29 Sep 2021 03:52:01 +0000 (16:52 +1300)]
tests/krb5: Supply supported account enctypes in tgs_req()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 29 Sep 2021 03:48:50 +0000 (16:48 +1300)]
tests/krb5: Allow specifying options and expected flags when obtaining a ticket
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 29 Sep 2021 03:41:23 +0000 (16:41 +1300)]
tests/krb5: Save account SPN
This is useful for testing delegation.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 29 Sep 2021 03:26:54 +0000 (16:26 +1300)]
tests/krb5: Check constrained delegation PAC buffer
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 29 Sep 2021 03:15:26 +0000 (16:15 +1300)]
tests/krb5: Check buffer types in PAC with STRICT_CHECKING=1
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Fri, 8 Oct 2021 02:53:47 +0000 (15:53 +1300)]
heimdal:kdc: Only check for default salt for des-cbc-crc enctype
Previously, this algorithm was preferring RC4 over AES for machine
accounts in the preauth case. This is because AES keys for machine
accounts in Active Directory use a non-default salt, while RC4 keys do
not use a salt. To avoid this behaviour, only prefer keys with default
salt for the des-cbc-crc enctype.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14864
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 29 Sep 2021 03:10:07 +0000 (16:10 +1300)]
tests/krb5: Add expect_claims parameter to kdc_exchange_dict
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 29 Sep 2021 02:48:58 +0000 (15:48 +1300)]
tests/krb5: Fix checking for presence of error data
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 29 Sep 2021 01:02:37 +0000 (14:02 +1300)]
tests/krb5: Remove unneeded parameters from ticket cache key
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 29 Sep 2021 00:03:49 +0000 (13:03 +1300)]
tests/krb5: Fix assertElementFlags()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 29 Sep 2021 00:01:30 +0000 (13:01 +1300)]
tests/krb5: Make expected_sname checking more explicit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 28 Sep 2021 23:16:58 +0000 (12:16 +1300)]
tests/krb5: Fix status code checking
The type used to encode the status code is actually KERB-ERROR-DATA,
rather than PA-DATA.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 28 Sep 2021 23:06:03 +0000 (12:06 +1300)]
tests/krb5: Fix handling authdata with missing PAC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 28 Sep 2021 23:03:33 +0000 (12:03 +1300)]
tests/krb5: Allow excluding the PAC server checksum
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 28 Sep 2021 22:59:42 +0000 (11:59 +1300)]
tests/krb5: Fix checksum generation and verification
The KDC and server checksums may be generated using the same key, but
only the KDC checksum should have an RODCIdentifier. To fix this,
instead of overriding the existing methods, add additional ones for
RODC-specific signatures, so that both types of signatures can be
generated or verified.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 28 Sep 2021 22:56:21 +0000 (11:56 +1300)]
tests/krb5: Fix method for creating invalid length zeroed checksum
Previously the base class method was being used.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 28 Sep 2021 22:54:49 +0000 (11:54 +1300)]
tests/krb5: Introduce helper method for creating invalid length checksums
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 28 Sep 2021 22:52:17 +0000 (11:52 +1300)]
tests/krb5: Add assertion to make failures clearer
These failures may occur if tests are not run against an RODC.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 28 Sep 2021 22:50:36 +0000 (11:50 +1300)]
tests/krb5: Allow created accounts to use resource-based constrained delegation
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 28 Sep 2021 22:47:39 +0000 (11:47 +1300)]
tests/krb5: Rename allowed_to_delegate_to parameter for clarity
This helps to distinguish resourced-based and non-resource-based
constrained delegation.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 29 Sep 2021 21:54:33 +0000 (10:54 +1300)]
tests/krb5: Fix PA-PAC-OPTIONS checking
Make the check work correctly if bits other than the claims bit are
specified.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 29 Sep 2021 21:51:01 +0000 (10:51 +1300)]
tests/krb5: Fix sending PA-PAC-OPTIONS and PA-PAC-REQUEST
These padata were not being sent if other FAST padata was not specified.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 28 Sep 2021 22:23:17 +0000 (11:23 +1300)]
tests/krb5: Allow for missing msDS-KeyVersionNumber attribute
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 28 Sep 2021 22:16:51 +0000 (11:16 +1300)]
tests/krb5: Remove unused parameter
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 28 Sep 2021 22:16:24 +0000 (11:16 +1300)]
tests/krb5: Rename method parameter
For class methods, the name given to the first parameter is generally 'cls'
rather than 'self'.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Martin Schwenke [Thu, 14 Oct 2021 00:08:38 +0000 (11:08 +1100)]
debug: Optimise construction of msg_no_nl
If it isn't used then it isn't copied.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Oct 14 11:10:40 UTC 2021 on sn-devel-184
Martin Schwenke [Thu, 14 Oct 2021 00:00:20 +0000 (11:00 +1100)]
debug: Move msg_no_nl to state
This enables an optimisation.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Volker Lendecke <vl@samba.org>
Martin Schwenke [Wed, 13 Oct 2021 09:40:34 +0000 (20:40 +1100)]
debug: Optimise early return when header string buffer is full
The existing check is for truncation, not whether the buffer is full.
However, if the buffer is full (i.e. hs_len == sizeof(header_str) - 1)
then there's no use trying subsequent snprintf() calls because there
will be one byte available that already contains the NUL-terminator.
A subsequent call will just do a no-op truncation.
Check for full buffer instead.
This might be confusing because it isn't the standard check that is
done after snprintf() calls. Is it worth it for a rare corner case?
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Volker Lendecke <vl@samba.org>
Martin Schwenke [Wed, 13 Oct 2021 01:06:13 +0000 (12:06 +1100)]
debug: Optimise to avoid walking the header string
strlcat() needs to walk to the end of its first argument. However,
but the length of state.header_str is already known, so optimise by
manually appending the extra characters if they will fit.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Volker Lendecke <vl@samba.org>
Martin Schwenke [Thu, 23 Sep 2021 08:13:30 +0000 (18:13 +1000)]
debug: Optimise construction of header_str_no_nl
If it isn't used then it isn't copied.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Volker Lendecke <vl@samba.org>
Martin Schwenke [Wed, 6 Oct 2021 12:02:10 +0000 (23:02 +1100)]
debug: Rename variable for consistency
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Volker Lendecke <vl@samba.org>
Martin Schwenke [Fri, 2 Dec 2016 05:37:47 +0000 (16:37 +1100)]
debug: Push message length argument down to backend log functions
Optimise because length is now available.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Volker Lendecke <vl@samba.org>
Martin Schwenke [Fri, 2 Dec 2016 05:29:56 +0000 (16:29 +1100)]
debug: Add length argument to Debug1()
This the first step in avoiding potentially repeated length
calculations in the backends. The length is known at call time for
most usual callers, so pass it down.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Volker Lendecke <vl@samba.org>
Martin Schwenke [Sat, 3 Dec 2016 01:27:47 +0000 (12:27 +1100)]
debug: Avoid debug header being separated from debug text
Currently the file backend can produce something like:
HEADER1 HEADER2 TEXT2
TEXT1
when different processes try to log at the same time.
Avoid this by writing the header and text at the same time using
writev(). This means that the header always has to be written by the
backend, so update all backends to do this.
The non-file backends should behave as before when they were invoked
separately to render the header. It might be possible to optimise
some of them (e.g. via sd_journal_sendv) but this requires more
investigation (e.g. sd_journal_sendv()'s handling of newlines) and is
beyond the scope of this change.
state.header_str_no_nl takes the place of msg_no_nl for the header,
since some of the backends need the no-newline version. It is handled
the same was as msg_no_nl: produce the no_nl version exactly once,
whether or not it is needed, since this is better than repeating it in
several backends.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Volker Lendecke <vl@samba.org>