Günther Deschner [Tue, 19 Mar 2024 20:52:49 +0000 (21:52 +0100)]
s3-rpc_server: add rpcd_ceph_proxy binary
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Günther Deschner [Thu, 14 Mar 2024 17:25:13 +0000 (18:25 +0100)]
s3-rpc_server: add ceph_proxy server
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Günther Deschner [Thu, 14 Mar 2024 16:43:38 +0000 (17:43 +0100)]
s3-modules: add cephfs-proxy module
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Günther Deschner [Thu, 14 Mar 2024 16:43:04 +0000 (17:43 +0100)]
s3-librpc: add cephfs-proxy IDL
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Douglas Bagnall [Fri, 22 Mar 2024 19:27:41 +0000 (08:27 +1300)]
ndr: always attempt ACE coda pull if ACE type suggests a coda
We were skipping the pull in cases where the coda size was calculated
to be zero. This has the right result for empty conditional ACEs, but
not for Resource Attribute ACEs where the
CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 coda was not intialised.
The situation is made a bit worse, because the function that
calculates the coda size (ndr_subcontext_size_of_ace_coda()) can
return zero in conditions that are not exactly errors, but in which
the would-be calculated value makes so little sense that zero is
thought to be a safer default.
Credit to OSS-Fuzz.
REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=66577
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15613
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Mar 25 06:00:21 UTC 2024 on atb-devel-224
Volker Lendecke [Wed, 13 Mar 2024 15:19:48 +0000 (16:19 +0100)]
lib: Remove timeval_set()
We have the same function in tevent, no need to duplicate code. More lines just
due to clang-format.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Mar 22 06:07:42 UTC 2024 on atb-devel-224
Volker Lendecke [Wed, 13 Mar 2024 15:07:00 +0000 (16:07 +0100)]
lib: Remove timeval_until()
We have the same function in tevent, no need to duplicate code.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 21 Mar 2024 01:48:34 +0000 (14:48 +1300)]
fuzz:fuzz_ndr_X: don't skip printing on push error
push should not have changed the struct, so it is valid to
try to print it also.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 27 Dec 2023 23:45:41 +0000 (12:45 +1300)]
ldb-samba: matching rules: notify of search failure in transitive filter
It can be very hard to known where transitive checks fail, and this
will help.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15515
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 28 Dec 2023 00:46:48 +0000 (13:46 +1300)]
fuzz:_conditional_ace_blob discards a const
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 20 Mar 2024 04:29:52 +0000 (17:29 +1300)]
fuzz:fuzz_conditional_ace_blob lets long generated SDDL fail
This can legitimately fail, due to e.g. integers being interpreted as
local attributes due to their position (the original data is complete
nonsense, bravely decompiled by sddl_from_conditional_ace).
In the example found the original begins like
00000000 61 72 74 78 02 00 00 00 00 00 00 00 00 03 01 02 |artx............|
00000010 f7 ff ff ff ff ff ff ff 03 01 a1 02 00 3b 00 00 |.............;..|
00000020 00 00 00 00 03 01 a1 02 00 3b 00 00 00 00 00 00 |.........;......|
00000030 03 01 02 a5 ff ff ff ff ff ff ff 03 01 a1 02 78 |...............x|
00000040 00 00 00 00 00 00 00 03 01 85 02 00 3b 00 00 00 |............;...|
00000050 00 00 00 03 01 a1 02 00 3b 00 00 00 00 00 00 03 |........;.......|
00000060 01 02 a5 00 00 00 00 00 00 00 03 01 81 02 00 00 |................|
00000070 00 00 00 00 00 00 03 01 81 02 00 3b 00 00 00 00 |...........;....|
while the SDDL cycled version looks like
00000000 61 72 74 78 f8 04 00 00 00 30 00 30 00 f8 2e 00 |artx.....0.0....|
00000010 00 00 30 00 31 00 37 00 37 00 37 00 37 00 37 00 |..0.1.7.7.7.7.7.|
00000020 37 00 37 00 37 00 37 00 37 00 37 00 37 00 37 00 |7.7.7.7.7.7.7.7.|
00000030 37 00 37 00 37 00 37 00 37 00 37 00 36 00 37 00 |7.7.7.7.7.7.6.7.|
00000040 a1 f8 0c 00 00 00 30 00 33 00 35 00 34 00 30 00 |......0.3.5.4.0.|
00000050 30 00 a1 f8 0c 00 00 00 30 00 33 00 35 00 34 00 |0.......0.3.5.4.|
00000060 30 00 30 00 f8 2e 00 00 00 30 00 31 00 37 00 37 |0.0......0.1.7.7|
00000070 00 37 00 37 00 37 00 37 00 37 00 37 00 37 00 37 |.7.7.7.7.7.7.7.7|
and this new interpretation ends up being more than 10000 bytes long,
so the conversion fails.
The SDDL ends up looking like this:
(((((((((((00) || (
01777777777777777777767)) || (035400)) || \
(((((((((((((((((((((((((((((((((((035400) || (
01777777777777777777645)) \
>= 0170) || (035400)) || (((((((((((((((((((((((((((((((035400 != 0245)
[...]
where all the octal digits on the left hand side of operators are
UTF-16 strings.
REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=65322
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 3 Jan 2024 22:06:46 +0000 (11:06 +1300)]
fuzzing: fuzz_ndr_X ndr_print does printing
By printing into a buffer, we might notice some errors.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Tue, 2 May 2023 03:42:24 +0000 (15:42 +1200)]
tests/krb5: Add tests for AllowedToAuthenticateTo with an AS-REQ
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15607
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Mar 21 04:19:18 UTC 2024 on atb-devel-224
Jo Sutton [Mon, 11 Mar 2024 22:08:30 +0000 (11:08 +1300)]
s4:auth: Update error messages
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Mon, 11 Mar 2024 22:08:14 +0000 (11:08 +1300)]
auth:credentials: Remove unused include
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Mon, 11 Mar 2024 22:07:56 +0000 (11:07 +1300)]
auth:credentials: Remove trailing line
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Fri, 8 Mar 2024 03:34:49 +0000 (16:34 +1300)]
tests/krb5: Allow specifying SamDB to use when creating an account
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Mon, 4 Mar 2024 00:38:10 +0000 (13:38 +1300)]
python:tests: Do not have current_time() and current_nt_time() implicitly include clock skew
This is just too error‐prone.
current_gkid() will still continue to return the next GKID if it’s
within clock skew.
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Thu, 7 Mar 2024 04:14:24 +0000 (17:14 +1300)]
python: Correct time conversion function name
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Mon, 4 Mar 2024 23:37:11 +0000 (12:37 +1300)]
s4:libnet: Fix code spelling
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Mon, 4 Mar 2024 23:32:16 +0000 (12:32 +1300)]
python: Type ‘format’ parameter as optional
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Mon, 4 Mar 2024 23:31:27 +0000 (12:31 +1300)]
python: Correctly qualify strptime()
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Mon, 4 Mar 2024 00:38:29 +0000 (13:38 +1300)]
python:tests: Fix code spelling
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Thu, 14 Mar 2024 02:14:55 +0000 (15:14 +1300)]
s4:auth: Allocate strings on shorter‐lived memory context
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Tue, 12 Mar 2024 21:12:33 +0000 (10:12 +1300)]
python:tests: Simplify expression
‘not keytab_bytes’ is shorter and equivalent.
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Tue, 12 Mar 2024 03:24:59 +0000 (16:24 +1300)]
python:tests: Use Managed Service Accounts well‐known GUID
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Tue, 12 Mar 2024 03:02:45 +0000 (16:02 +1300)]
s4:auth: Fix grammar in error message
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Günther Deschner [Tue, 19 Mar 2024 21:00:11 +0000 (22:00 +0100)]
pidl: add "return ENOTSUP" for int return type in s3 template
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Mar 21 00:45:29 UTC 2024 on atb-devel-224
Günther Deschner [Tue, 19 Mar 2024 17:24:13 +0000 (18:24 +0100)]
pidl: fix trailing double-quote on last line of s3 server stubs
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Günther Deschner [Thu, 14 Mar 2024 14:22:25 +0000 (15:22 +0100)]
s3-librpc: merge two PIDL lists
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Fri, 15 Mar 2024 10:29:34 +0000 (23:29 +1300)]
ldb_dn: make LDB_FREE, TALLOC_FREE
This LDB_FREE() seems to predate TALLOC_FREE(), and was identical
until TALLOC_FREE was optimised to avoid calling talloc_free(NULL) in
b9fcfc6399eab750880ee0b9806311dd351a8ff6.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Fri, 15 Mar 2024 02:47:55 +0000 (15:47 +1300)]
pyldb: ldb_msg_richcmp: avoid one intransitive compare
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Fri, 15 Mar 2024 02:03:44 +0000 (15:03 +1300)]
ldb:ldb_dn: use safe transitive comparison in ldb_dn_compare()
The comparison we make is unconventional, and makes no difference in
normal usage, where we just want to know whether two DNs are the same
or not. But with over 100 callers, it is possible that something
somewhere is attempting a sort.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 14 Mar 2024 03:36:07 +0000 (16:36 +1300)]
pyldb: add a FIXME for a non-transitive compare
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 14 Mar 2024 23:12:26 +0000 (12:12 +1300)]
pyldb_utils: pyldb_Object_AsDn() sets TypeError more often
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 7 Mar 2024 09:29:10 +0000 (22:29 +1300)]
ldb:pyldb.h: include some headers that are used
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Tue, 19 Mar 2024 23:18:12 +0000 (12:18 +1300)]
lib/ldb: don't allow repeated connections
In the best case, this would have leaked.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 6 Mar 2024 22:09:39 +0000 (11:09 +1300)]
ldb:pytests: test duplicate connections fail
(they don't yet).
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 6 Mar 2024 22:07:20 +0000 (11:07 +1300)]
ldb-samba:ldb_wrap: don't crash if "ldb_url" opaque is unset
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Tue, 5 Mar 2024 23:57:15 +0000 (23:57 +0000)]
pyldb: py_ldb_init() uses py_ldb_connect() for connecting
To avoid all the same logic, subtly different.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 7 Mar 2024 22:02:23 +0000 (11:02 +1300)]
pyldb: catch errors in ldb_db_get_casefold
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 14 Mar 2024 01:48:23 +0000 (14:48 +1300)]
pytest:segfault: do not assume PLEASE_NO_GDB_BACKTRACE var is unset
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 6 Mar 2024 22:05:55 +0000 (11:05 +1300)]
pytest:segfault: prevent @no_gdb_backtrace smearing on exception
It is OK for one of these tests to raise an exception -- that is often
the only reasonable thing to do when you'd otherwise crash -- but the
@no_gdb_backtrace decorator would not clean up in that case, leading to
no gdb backtraces for all subsequent tests.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Sun, 3 Dec 2023 21:34:57 +0000 (10:34 +1300)]
selftest: Run samba.tests.segfault with TALLOC_FREE_FILL
This helps make use-after-free testing reliable.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Douglas Bagnall [Thu, 14 Mar 2024 01:15:47 +0000 (14:15 +1300)]
py:samdb: make SamDB.__str__ show the URL and ID
Getting the right samdb is going to matter more, so it is useful for
debugging to see which is which.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Tue, 12 Mar 2024 23:25:40 +0000 (12:25 +1300)]
selftest/gdb_backtrace: print `info threads` and some signpost headers
Search for '###'.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 7 Mar 2024 10:13:56 +0000 (23:13 +1300)]
selftest/gdb_backtrace: avoid printing backtrace twice with 1 thread
We call 'thread apply all bt full' in case there are interesting
things going on in other threads, but often there are no other threads
and it only serves to repeat the original trace (and very slowly, for
some reason).
The $_inferior_thread_count convenience variable is new in gdb 13.1
(2022-ish) so we init-if-undefined it to default to the old behaviour.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 7 Mar 2024 09:30:24 +0000 (22:30 +1300)]
selftest/gdb_backtrace: print python traceback if available
If a program happens to have 'PyList_New' defined but is not a python
script, gdb will print
> Undefined command: "py-bt". Try "help".
and probably stop. This happens after the C backtraces have been
printed, so nothing is lost.
The traceback is printed twice -- once in conventional Python style
for clarity, and once with extra "full" information.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Thu, 29 Feb 2024 22:22:03 +0000 (11:22 +1300)]
tests: gmsa blackbox tests
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Mar 20 04:53:57 UTC 2024 on atb-devel-224
Rob van der Linde [Wed, 6 Mar 2024 03:52:53 +0000 (16:52 +1300)]
tests: models: test additional Computer constructor cases
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Wed, 6 Mar 2024 03:49:21 +0000 (16:49 +1300)]
tests: models: fix username should be account_name
The reason this didn't fail, is because it doesn't save the Computers.
This gets fixed in the next commit.
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Tue, 5 Mar 2024 03:39:33 +0000 (16:39 +1300)]
tests: user: create gmsa with models
It was fetching the GMSA with the models straight after creating it anyway.
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Tue, 5 Mar 2024 03:20:52 +0000 (16:20 +1300)]
tests: user: fix PEP8 spacing around operator
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Mon, 4 Mar 2024 23:14:06 +0000 (12:14 +1300)]
tests: user: gmsa dNSHostName is a required field
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Wed, 28 Feb 2024 04:00:24 +0000 (17:00 +1300)]
tests: samdb: Make use of the domain_sid property
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Tue, 19 Mar 2024 20:50:49 +0000 (09:50 +1300)]
python: fix json encoder should handle Exception
This happens if --json is used and a CommandError is raised, so will affect other commands too where --json is used.
This happens in the print_json_status method.
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Wed, 13 Mar 2024 10:07:52 +0000 (23:07 +1300)]
python: models: add Container model
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Wed, 13 Mar 2024 09:20:39 +0000 (22:20 +1300)]
python: models: add kwargs to __json__ and as_dict methods
Allows passing arguments through
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Wed, 13 Mar 2024 07:59:27 +0000 (20:59 +1300)]
python: pep8: fix import sorting after move
Only touch files where samba.domain.models import was moved
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Tue, 12 Mar 2024 03:47:58 +0000 (16:47 +1300)]
python: move models out of the netcmd package
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Tue, 12 Mar 2024 03:28:07 +0000 (16:28 +1300)]
python: create domain module to move models into
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Tue, 12 Mar 2024 00:06:31 +0000 (13:06 +1300)]
netcmd: gmsa: show viewers also works if SID is not found
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Mon, 11 Mar 2024 23:40:12 +0000 (12:40 +1300)]
netcmd: gmsa: add and remove don't fetch trustee if it is a SID
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Mon, 11 Mar 2024 23:38:13 +0000 (12:38 +1300)]
netcmd: gmsa: add_trustee and remove_trustee change argument to sid
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Mon, 11 Mar 2024 23:33:30 +0000 (12:33 +1300)]
netcmd: gmsa: fix typo if trustee is not found
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Mon, 4 Mar 2024 23:04:49 +0000 (12:04 +1300)]
netcmd: gmsa: create should allow custom SDDL
gMSA update already supported it but not create
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Wed, 6 Mar 2024 03:47:29 +0000 (16:47 +1300)]
netcmd: models: improve Computer constructor adding "$" handling
In some cases the previous code would end up creating computers where the account name ended on double "$"
Rewrote constructor to handle more cases, for example only an account name is provided, only a name is provided, or both.
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Mon, 11 Mar 2024 23:13:09 +0000 (12:13 +1300)]
netcmd: models: allow scope to be overridden in query
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Mon, 11 Mar 2024 23:23:36 +0000 (12:23 +1300)]
netcmd: models: add User.get_sid_for_principal helper
Unlike User.find, this will not fetch the User if an SID is provided.
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Tue, 5 Mar 2024 02:30:47 +0000 (15:30 +1300)]
netcmd: models: User.find also tries object_sid
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Wed, 28 Feb 2024 03:59:06 +0000 (16:59 +1300)]
python: samdb: Make connecting_user_sid a property
This is following the same design as other similar properties like samdb.domain_sid, only it doesn't need a setter.
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Wed, 28 Feb 2024 03:57:40 +0000 (16:57 +1300)]
python: samdb: Move get_connecting_user_sid to samdb
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Sun, 17 Mar 2024 10:08:23 +0000 (23:08 +1300)]
libcli/security: check again for NULL values
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Mar 18 02:51:08 UTC 2024 on atb-devel-224
Douglas Bagnall [Sun, 17 Mar 2024 10:07:17 +0000 (23:07 +1300)]
libcli/security: claims_conversions: check for NULL in claims array
If by mistake we end up with a NULL in our array of claims pointers,
it is better to return an error than crash.
There can be NULLs in the array if a resource attribute ACE has a
claim that uses 0 as a relative data pointer. Samba assumes this means
a NULL pointer, rather than a zero offset.
Credit to OSS-Fuzz.
REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=66777
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15606
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Thu, 14 Mar 2024 03:55:19 +0000 (16:55 +1300)]
s4-auth/kerberos: Report errors observed during smb_krb5_remove_obsolete_keytab_entries()
Previously any errors noticed during the main loop would be ignored.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Mar 14 23:16:16 UTC 2024 on atb-devel-224
Andrew Bartlett [Thu, 7 Mar 2024 01:53:53 +0000 (14:53 +1300)]
samba-tool domain exportkeytab: Refuse to overwrite an existing file in full-db export
Since
87f67d336919172845f53067c67d1eab8e7ef18a samba-tool domain exportkeytab has
silently unlinked the given target file. Instead, the administrator now needs
to specify a file that does not exist.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Andrew Bartlett [Wed, 6 Mar 2024 04:48:09 +0000 (17:48 +1300)]
s4-libnet: Prepare for a "rolling update" keytab export
This mode will allow keytabs to be exported with all current keys added
to historical keys, which will be useful in a domain with many gMSA
servers that require wireshark decryption.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Andrew Bartlett [Wed, 6 Mar 2024 04:43:47 +0000 (17:43 +1300)]
s4-auth/kerberos: Do not add true duplicates to exported keytab
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Andrew Bartlett [Fri, 8 Mar 2024 03:23:01 +0000 (16:23 +1300)]
selftest: Add tests of samba-tool domain export-keytab --keep-stale-entries behaviour
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Andrew Bartlett [Thu, 7 Mar 2024 03:12:56 +0000 (16:12 +1300)]
selftest: Add tests for "samba-tool domain exportkeytab" with existing files"
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Andrew Bartlett [Sun, 10 Mar 2024 22:14:17 +0000 (11:14 +1300)]
samba-tool domain exportkeytab: Raise a proper CommandError
This avoids giving just a backtrace for things like exporting a keytab
to an existing file.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Andrew Bartlett [Thu, 7 Mar 2024 02:34:37 +0000 (15:34 +1300)]
s4-libnet: Raise NTSTATUSError not RuntimeError in keytab export
We should never raise RuntimeError if we have a better option.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Andrew Bartlett [Wed, 6 Mar 2024 22:59:21 +0000 (11:59 +1300)]
samba-tool: Add option --keep-stale-entries to "samba-tool domain exportkeytab"
This will keep stale keys in the keytab, which may be useful for wireshark
but is not correct if the keytab is used for accepting Kerberos tickets,
as tickets encrypted with old passwords would still be accepted.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Andrew Bartlett [Wed, 6 Mar 2024 04:42:01 +0000 (17:42 +1300)]
lib/krb5_wrap: Pull already_hashed case out of smb_krb5_kt_add_entry()
The two callers of this function want two very different things, the
common point was wanting to call smb_krb5_kt_seek_and_delete_old_entries()
however this is now done earlier in sdb_kt_copy() with
smb_krb5_remove_obsolete_keytab_entries() or an unlink() in
libnet_export_keytab().
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Andrew Bartlett [Wed, 6 Mar 2024 02:30:53 +0000 (15:30 +1300)]
lib/krb5_wrap: Rename confusing add_salt parameter to smb_krb5_kt_add_entry()
This just adds the key directly, it is not related to if salting is used or not.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Andrew Bartlett [Thu, 22 Feb 2024 04:29:07 +0000 (17:29 +1300)]
python/tests: Add test that gMSA keytab export works and matches direct keytab export
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Andrew Bartlett [Fri, 2 Feb 2024 01:41:52 +0000 (14:41 +1300)]
s4-auth/kerberos: Note the good possability that the msDS-KeyVersionNumber is wrong
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Andrew Bartlett [Fri, 2 Feb 2024 01:40:24 +0000 (14:40 +1300)]
auth/credentials: Cope with GMSA 5min password preview in cli_credentials_set_gmsa_passwords()
This is unused in Samba currently, but is a subtle race that will be difficult
to debug if this is ever used, so this makes things easier for some future
developer.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Andrew Bartlett [Wed, 20 Dec 2023 05:10:45 +0000 (18:10 +1300)]
s4-libnet: Add export of gMSA keys to "samba-tool domain exportkeytab"
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Andrew Bartlett [Thu, 21 Dec 2023 23:09:45 +0000 (12:09 +1300)]
s4-kdc: Prepare for gMSA support by recording it on the entry
This will allow the "samba-tool domain exportkeytab" code to do special gMSA
processing and in the future will allow the KDC to know it needs to check
if the keys in the DB need refreshing.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Andrew Bartlett [Thu, 21 Dec 2023 01:04:23 +0000 (14:04 +1300)]
auth/credentials: Allow generation of old Kerberos keys also
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Andrew Bartlett [Thu, 21 Dec 2023 09:25:25 +0000 (22:25 +1300)]
auth/credentials: Make cli_credentials_get_aes256_key into generic key access
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Andrew Bartlett [Thu, 21 Dec 2023 01:06:26 +0000 (14:06 +1300)]
auth/credentials: Add hook to set credentials from msDS-ManagedPassword blob
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Andrew Bartlett [Wed, 20 Dec 2023 20:01:36 +0000 (09:01 +1300)]
s4-libnet: Pass the full struct smb_krb5_context to sdb_kt_copy()
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Andrew Bartlett [Wed, 20 Dec 2023 23:00:46 +0000 (12:00 +1300)]
auth/credentials: Dynamically calculate the salt principal (unless speccified)
This helps pull the salt principal calculation into a single spot.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Andrew Bartlett [Wed, 20 Dec 2023 09:55:07 +0000 (22:55 +1300)]
auth/credentials: Use salt on credentials object for Creds.get_aes256_key()
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Andrew Bartlett [Thu, 21 Dec 2023 09:04:17 +0000 (22:04 +1300)]
auth/credentials: Add bindings for getting and setting the salt principal
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Andrew Bartlett [Tue, 19 Dec 2023 22:53:06 +0000 (11:53 +1300)]
s4-libnet: Provide hint for "samba-tool domain exportkeytab" if used over LDAP without gMSA
Only gMSA accounts, and only for authoriszed users, can export be exported without
local sam.ldb access.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Andrew Bartlett [Tue, 19 Dec 2023 22:18:13 +0000 (11:18 +1300)]
Make "samba-tool domain exportkeytab" prune old keys
This slowly prepares this to be an update tool, not just a one-off export tool
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Andrew Bartlett [Tue, 19 Dec 2023 22:08:57 +0000 (11:08 +1300)]
s4-auth/kerberos: Rename create_keytab() to smb_krb5_fill_keytab()
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>