Stefan Metzmacher [Thu, 7 Mar 2024 12:50:39 +0000 (13:50 +0100)]
s3:net: correctly implement --use-ccache as legacy for --use-winbind-ccache for 'net'
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Thu, 7 Mar 2024 12:41:51 +0000 (13:41 +0100)]
s3:net_offlinejoin: we don't need to call libnetapi_set_use_kerberos() as we already passed cli_credentials
c->opt_kerberos is derived from c->creds...
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Thu, 28 Apr 2022 15:59:00 +0000 (17:59 +0200)]
s3:libnet_join: pass down cli_credentials *admin_credentials to libnet_{Join,Unjoin}Ctx()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Tue, 5 Mar 2024 16:40:48 +0000 (17:40 +0100)]
s3:lib/netapi: make use of ads_simple_creds/libnetapi_get_creds in NetGetJoinableOUs_l
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Tue, 5 Mar 2024 16:38:25 +0000 (17:38 +0100)]
s3:lib/netapi: add libnetapi_get_creds()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Tue, 5 Mar 2024 16:21:02 +0000 (17:21 +0100)]
libgpo/pygpo: make use of ads_connect_{creds,machine}()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Thu, 28 Apr 2022 16:58:27 +0000 (18:58 +0200)]
s3:printing: make use of ads_connect_machine()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Thu, 28 Apr 2022 16:53:03 +0000 (18:53 +0200)]
s3:libads: add ads_connect_machine() helper
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Thu, 28 Apr 2022 15:51:57 +0000 (17:51 +0200)]
s3:libads: add ads_simple_creds() helper
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Thu, 28 Apr 2022 16:43:00 +0000 (18:43 +0200)]
s3:libads: make use of ads_connect_simple_anon() in ldap.c where possible
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Thu, 28 Apr 2022 16:38:17 +0000 (18:38 +0200)]
s3:libads: add ads_connect_simple_anon() helper
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Thu, 7 Mar 2024 11:03:05 +0000 (12:03 +0100)]
lib/addns: rewrite signed dns update code to use gensec instead of plain gssapi
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Sat, 11 May 2024 00:38:21 +0000 (02:38 +0200)]
s3:utils: let net_update_dns_internal() set status before goto done in all cases
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Tue, 27 Feb 2024 08:59:09 +0000 (09:59 +0100)]
s3:winbindd: make use of winbindd_get_trust_credentials() in idmap_ad.c
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Tue, 27 Feb 2024 08:53:04 +0000 (09:53 +0100)]
s3:winbindd: make use of winbindd_get_trust_credentials() in _winbind_LogonControl_TC_VERIFY()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Tue, 27 Feb 2024 08:44:54 +0000 (09:44 +0100)]
s3:winbindd: make use of samba_sockaddr to avoid compiler warnings
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Tue, 27 Feb 2024 08:44:19 +0000 (09:44 +0100)]
s3:winbindd: use winbindd_get_trust_credentials()/ads_connect_creds() in winbindd_ads.c
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Tue, 27 Feb 2024 08:23:17 +0000 (09:23 +0100)]
s3:winbindd: make winbindd_get_trust_credentials() public
We'll use it outside of winbindd_cm.c soon.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Wed, 6 Mar 2024 09:13:11 +0000 (10:13 +0100)]
s3:libads: add ads_set_reconnect_fn() and only reconnect if we can get creds
This reconnect is only useful for long running connections (e.g. in winbindd)
and there we'll make use of it...
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Wed, 27 Apr 2022 11:11:26 +0000 (13:11 +0200)]
s3:libads: add ads_connect_creds() helper
In future ads_connect_creds() will be used by callers directly instead
of using ads_connect().
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Mon, 26 Feb 2024 20:02:08 +0000 (21:02 +0100)]
s3:libads: fix compiler warning in ads_mod_ber()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Tue, 27 Feb 2024 12:49:08 +0000 (13:49 +0100)]
s3:libads: move ads->auth.time_offset to ads->config.time_offset
There's no reason to pass the LDAP servers time to the kerberos
libraries, as we may talk to a KDC different than the LDAP server!
Also Heimdal handles AS-REQ with KRB5KRB_AP_ERR_SKEW fine and
retries with the time from the krb-error.
MIT records the time from the KDC_ERR_PREAUTH_REQUIRED response
in order to use the KDCs time.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Tue, 27 Feb 2024 12:03:46 +0000 (13:03 +0100)]
s3:libads: we only need to gensec_expire_time()...
The lifetime of a service ticket is never longer than
the lifetime of the TGT...
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Tue, 27 Feb 2024 11:52:14 +0000 (12:52 +0100)]
s3:libads: remove unused ads->auth.renewable
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Tue, 5 Mar 2024 12:22:37 +0000 (13:22 +0100)]
s3:winbindd: remove useless 'renewable' argument to ads_cached_connection_connect()
There's really no need to get a reneable ticket for an ldap connection,
we currently always do a kinit for each connection anyway.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Thu, 29 Feb 2024 13:50:31 +0000 (14:50 +0100)]
s3:libads: let ads_sasl_spnego_bind() really use spnego to negotiate krb5/ntlmssp
For now we still do the ads_kinit_password() in ads_legacy_creds()
for callers that rely on the global krb5ccache to be filled.
E.g. the dns update code and the kpasswd code.
But at least ads_connect_internal() and ads_sasl_spnego_bind()
will allow to do the kinit in the gensec layer only if needed...
We'll remove ads_legacy_creds() during the following commits.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Wed, 13 Mar 2024 15:53:44 +0000 (16:53 +0100)]
testprogs/blackbox: add better testnames in test_weak_disable_ntlmssp_ldap.sh
This makes it easier to adjust the expected output when it changes in
the next commits.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Thu, 29 Feb 2024 13:08:55 +0000 (14:08 +0100)]
s3:net_ads: make use of ads_connect_cldap_only() and ADS_AUTH_GENERATE_KRB5_CONFIG in net_ads_password()
We don't need a real ldap connection here.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Tue, 5 Mar 2024 16:48:34 +0000 (17:48 +0100)]
s3:winbindd: make use of ads_connect_cldap_only() in dcip_check_name_ads()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Tue, 5 Mar 2024 16:47:37 +0000 (17:47 +0100)]
s3:net_ads: make use of ads_connect_cldap_only() in net_ads_check_int()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Tue, 5 Mar 2024 16:46:10 +0000 (17:46 +0100)]
s3:libsmb: make use of ads_connect_cldap_only()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Tue, 5 Mar 2024 16:45:35 +0000 (17:45 +0100)]
s3:libads: add ads_connect_cldap_only() helper
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Thu, 7 Mar 2024 08:56:00 +0000 (09:56 +0100)]
s3:libads: also avoid ADS_AUTH_GENERATE_KRB5_CONFIG for ADS_AUTH_ANON_BIND
For anonymous binds we don't need a krb5.conf.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Thu, 7 Mar 2024 08:56:00 +0000 (09:56 +0100)]
s3:libads: add ADS_AUTH_GENERATE_KRB5_CONFIG to generate a custom krb5.conf
That's better then using !ADS_AUTH_NO_BIND. And it allows callers
to be more flexible in future.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Wed, 27 Apr 2022 11:11:26 +0000 (13:11 +0200)]
s3:libads: split out ads_connect_internal() and call it with ads_legacy_creds()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Wed, 27 Apr 2022 10:45:04 +0000 (12:45 +0200)]
s3:libads: let ads_sasl_spnego_bind() use cli_credentials_get_unparsed_name()
We should only operate on the creds structure and
avoid using ads->auth.{user_name,realm}.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Wed, 27 Apr 2022 11:39:11 +0000 (13:39 +0200)]
s3:libads: let ads_sasl_spnego_bind() reset krb5_state at the end
In future we'll pass in creds from the caller, so we better
restore the original krb5_state at the end of ads_sasl_spnego_bind().
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Wed, 27 Apr 2022 10:32:30 +0000 (12:32 +0200)]
s3:libads: let ads_sasl_spnego_bind() use cli_credentials_get_kerberos_state()
We should only operate on the creds structure and avoid ads->auth.flags
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Mon, 25 Apr 2022 16:08:33 +0000 (18:08 +0200)]
s3:libads: split out ads_legacy_creds()
This is just a temporary change until the highlevel caller
will pass in a cli_credentials structure and we'll get rid of
ads->auth.{user_name,realm,password}.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Wed, 28 Feb 2024 16:31:23 +0000 (17:31 +0100)]
s3:libads: remove unused LIBADS_CCACHE_NAME define
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Wed, 24 Apr 2024 07:59:53 +0000 (09:59 +0200)]
s3:libads: make use of talloc_stackframe() in ads_setup_tls_wrapping()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Thu, 29 Feb 2024 13:27:36 +0000 (14:27 +0100)]
s3:libsmb: remove unused cli_session_creds_prepare_krb5()
Kinit will be done within gensec if required.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Thu, 14 Apr 2022 13:23:13 +0000 (15:23 +0200)]
s3:gse: get an explicit ccache_name from creds and kinit if required
This means we may call kinit multiple times for now,
but we'll remove the kinit from the callers soon.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Andreas Schneider [Fri, 26 Apr 2024 08:49:33 +0000 (10:49 +0200)]
s3:gse: Pass down the mech to gse_context_init()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andreas Schneider [Thu, 25 Apr 2024 13:51:40 +0000 (15:51 +0200)]
s3:gse: Implement gensec_gse_security_by_oid()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andreas Schneider [Fri, 26 Apr 2024 08:54:47 +0000 (10:54 +0200)]
s3:gse: Use smb_gss_mech_import_cred() in gse_init_server()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andreas Schneider [Fri, 26 Apr 2024 08:40:13 +0000 (10:40 +0200)]
lib:krb5_wrap: Implement smb_gss_mech_import_cred()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Tue, 12 Mar 2024 10:51:25 +0000 (11:51 +0100)]
s3:libsmb: fix lpcfg_gensec_settings() no memory check in auth_generic_client_prepare()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Wed, 6 Mar 2024 22:05:00 +0000 (23:05 +0100)]
s3:libsmb: explicitly use the default krb5 ccache in cli_session_creds_init() without a password
This happened implicitly as the gse_krb5 module always used the default
krb5 ccache, but that will change soon.
If kerberos is requested without a fallback to ntlm AND
the caller doesn't provide a password we'll use the
default ccache. This will keep our the following tests
happy once the gse_krb5 module changes the behavior:
samba3.blackbox.krbsmbspool
samba3.blackbox.smbget
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Wed, 6 Mar 2024 20:55:24 +0000 (21:55 +0100)]
s3:ntlm_auth: explicitly include default krb5 ccache if no explicit username/password are given
Before this silently happened because the gse_krb5 module just used the
default ccache, but that will change soon.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Wed, 13 Mar 2024 09:49:55 +0000 (10:49 +0100)]
tests/ntlm_auth: Do not set a client_password
This fixes test_ntlmssp_gss_spnego_cached_creds
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Thu, 7 Mar 2024 16:59:02 +0000 (17:59 +0100)]
tests/ntlm_auth_krb5: don't test that a krb5ccache work with an explicit username
This test is useless and won't work anymore in future.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Fri, 8 Mar 2024 11:57:06 +0000 (12:57 +0100)]
blackbox/test_kinit.sh: verify that --use-krb5-ccache= works without KRB5CCNAME
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Sat, 11 May 2024 00:38:21 +0000 (02:38 +0200)]
s3:libads: don't allow ads_kdestroy(NULL) anymore
This should not happen, if we ever need that behaviour
we should add an ads_kdestroy_default() helper.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Tue, 14 May 2024 07:02:07 +0000 (09:02 +0200)]
s3:winbindd: don't use ads_kdestroy(NULL) in winbindd_raw_kerberos_login()
This fixes a problem introduced in the commit:
commit
e6c693b705686a590d2fa8f434ff015d8926a349
Author: Stefan Metzmacher <metze@samba.org>
Date: Wed Feb 28 17:28:43 2024 +0100
s3:winbindd: pass a NULL ccache to kerberos_return_pac() for a MEMORY ccache
It means kerberos_return_pac() will use smb_krb5_cc_new_unique_memory().
...
Before that commit cc was never NULL as generate_krb5_ccache()
returned "MEMORY:winbindd_pam_ccache" as fallback.
So we called ads_kdestroy("MEMORY:winbindd_pam_ccache").
Now we have cc == NULL if user_ccache_file == NULL.
and kerberos_return_pac() uses smb_krb5_cc_new_unique_memory()
and krb5_cc_destroy() internally.
It means unless user_ccache_file != NULL we should not
call ads_kdestroy(cc) as cc is NULL and means we would destroy
any global default krb5 ccache.
Review with: git show -U25
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Tue, 7 May 2024 14:53:24 +0000 (14:53 +0000)]
s3:libsmb: allow store_cldap_reply() to work with a ipv6 response
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15642
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri May 10 01:35:18 UTC 2024 on atb-devel-224
Earl Chew [Sat, 16 Dec 2023 16:48:36 +0000 (08:48 -0800)]
Combine ICU libraries icu-i18n and icu-uc into a single dependency
Rather than probing for icu-i18n, icu-uc, and icudata libraries
separately, only probe for icu-i18n, and icu-uc, as direct dependencies
This avoids overlinking with icudata, and allows the package
to build even when ICU is not installed as a system library.
RN: Only use icu-i18n and icu-uc to express ICU dependency
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15623
Signed-off-by: Earl Chew <earl_chew@yahoo.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Earl Chew [Sun, 17 Dec 2023 01:47:09 +0000 (17:47 -0800)]
Improve CHECK_LIB interaction with CHECK_PKG
When checking for shared libraries, only name the target library
if it was not previously discoverd by pkg-config --libs and now
available from uselib_store. This avoids using both sources of
information which results in the library being named twice on
the command line.
Once the library is confirmed by CHECK_LIB, append the library if
not already present, to avoid dropping libraries that were
previously discovered by CHECK_PKG.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15623
Signed-off-by: Earl Chew <earl_chew@yahoo.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Earl Chew [Sun, 17 Dec 2023 16:37:33 +0000 (08:37 -0800)]
Augment library_flags() to return libraries
Extend library_flags() to return the libraries provided by
pkg-config --libs.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15623
Signed-off-by: Earl Chew <earl_chew@yahoo.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Rob van der Linde [Tue, 30 Apr 2024 11:54:13 +0000 (23:54 +1200)]
selftest: add test for User.get_primary_group method
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Rob van der Linde [Tue, 30 Apr 2024 11:43:30 +0000 (23:43 +1200)]
python: models: add get_primary_group method to User model
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Rob van der Linde [Tue, 30 Apr 2024 11:42:05 +0000 (23:42 +1200)]
python: models: rename argument ldb to samdb
This argument is actually an instance of SamDB (which inherits from Ldb).
This should have been called samdb.
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Stefan Metzmacher [Wed, 8 May 2024 16:03:54 +0000 (18:03 +0200)]
tests/ntacls: unblock failing gitlab pipelines because test_setntacl_forcenative
This expects PermissionError: [Errno 1] Operation not permitted,
but it seems that setxattr() for security.NTACL works on gitlab
runners without being root.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 8 May 2024 14:12:06 +0000 (16:12 +0200)]
.gitlab-ci-main.yml: debug kernel details of the current runner
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Sat, 4 May 2024 01:40:35 +0000 (13:40 +1200)]
ldb-samba: ldif_read_objectSid avoids VLA
I don't think this variable length array is any trouble, but people
complain about them (e.g. https://nullprogram.com/blog/2019/10/27/)
because they make things more complex at run-time, and this is a
somewhat performance sensitive path.
DOM_SID_STR_BUFLEN + 1 is 191 -- if that stack allocation is going to
cause trouble, then so was the VLA <= that.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed May 8 00:26:42 UTC 2024 on atb-devel-224
Douglas Bagnall [Sat, 4 May 2024 01:32:39 +0000 (13:32 +1200)]
ldb-samba: ldif_read_objectSid() short-circuits without 'S'
This avoids a memcpy, and level 3 debug verbosity from
dom_sid_parse_endp().
In other places we have something like `|| in->data[1] != '-'`, but
that is not useful here -- the value is either a string SID, or a
binary SID that starts with '\1', or some awful value that we *do*
want to get messages about.
This replaces the work of ldif_comparision_objectSid_isString().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10763
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 1 May 2024 05:16:38 +0000 (17:16 +1200)]
lib/fuzzing: add fuzz_stable_sort_r_unstable
This should find out how well stable_sort copes with an unstable
non-transitive comparison function.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Tue, 30 Apr 2024 00:41:25 +0000 (12:41 +1200)]
ldb: note a transitivity problem in ldb_comparison_fold
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Fri, 26 Apr 2024 03:58:44 +0000 (15:58 +1200)]
ldb:attrib_handlers: reduce non-transitive behaviour in ldb_comparison_fold
If two strings are invalid UTF-8, the string is first compared with
memcmp(), which compares as unsigned char.
If the strings are of different lengths and one is a substring of the
other, the memcmp() returns 0 and a second comparison is made which
assumes the next character in the shorter string is '\0' -- but this
comparison was done using SIGNED chars (on most systems). That leads
to non-transitive comparisons.
Consider the strings {"a\xff", "a", "ab\xff"} under that system.
"a\xff" < "a", because (char)0xff == -1.
"ab\xff" > "a", because 'b' == 98.
"ab\xff" < "a\xff", because memcmp("ab\xff", "a\xff", 2) avoiding the
signed char tiebreaker.
(Before
c49c48afe09a1a78989628bbffd49dd3efc154dd, the final character
might br arbitrarily cast into another character -- in latin-1, for
example, the 0xff here would have been seen as 'ÿ', which would be
uppercased to 'Ÿ', which is U+0178, which would be truncated to
'\x78', a positive char.
On the other hand e.g. 0xfe, 'þ', would have mapped to 0xde, 'Þ',
remaining negative).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 11 Apr 2024 01:21:25 +0000 (13:21 +1200)]
ldb:attrib_handlers: use NUMERIC_CMP in ldb_comparison_fold
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 17 Apr 2024 13:49:11 +0000 (01:49 +1200)]
ldb-samba: remove unused ldif_comparision_objectSid_isString()
This is unused because it does things badly, by just guessing and
not allowing valid sids that start with "s-". All the places that used
to use it were calling ldif_read_objectSid() or similar which correctly
check for string SIDs by actually trying to parse them. That begins
with looking for the "S-"/"s-", so this shortcut is not saving any real
work.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10763
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 17 Apr 2024 13:44:03 +0000 (01:44 +1200)]
ldb-samba: simplify extended_dn_read_SID()
This will allow the reading of SIDs that start with "s-", which
Windows allows, and we allow elsewhere.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10763
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 17 Apr 2024 13:42:27 +0000 (01:42 +1200)]
ldb-samba: simplify ldif_canonicalise_objectSid()
ldif_comparision_objectSid_isString() is doing not useful or accurate,
and ldif_read_objectSid() checks properly.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10763
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 17 Apr 2024 12:38:17 +0000 (00:38 +1200)]
ldb-samba: simplify ldif_comparison_objectSid()
The ldif_comparision_objectSid_isString() call is both wrong
(disallowing "s-") and redundant, because ldif_read_objectSid() calls
dom_sid_parse(), which does the check properly.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10763
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 2 May 2024 23:29:31 +0000 (11:29 +1200)]
pytest: sid_strings: Samba DN object refuses sub-auth overflow
We were mistakenly asserting something that did not happen with
Windows, because Samba already won't parse the DN string.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10763
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 2 May 2024 23:24:02 +0000 (11:24 +1200)]
pytest: sid_strings: adjust to match Windows 2016
9 hex-digit subauths like '0xABCDef123' will not fit in 32 bits, so
should be rejected on parsing.
In other situations, such as defaultSecurityDescriptor, overflowing
SID subauths on Windows will saturate to 0xffffffff, resulting in a
valid but probably meaningless SID. It is possible that in previous
testing we saw that here, but it is more likely I got confused. In any
case, now I see them being rejected, and that is good.
The saturating defaultSecurityDescriptor case is tested in
SidStringBehavioursThatWindowsAllows.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10763
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 2 May 2024 23:19:16 +0000 (11:19 +1200)]
pytest: sid_strings: Windows does allow lowercase s-1-... SIDs
And so should we.
Right now, these tests won't pass against Windows because they rely on
ldb pre-parsing of the SIDs, so they fail before Windows gets to see
them. Running them against Windows looks something like this, BTW:
SAMBA_SID_STRINGS_SKIP_LOCAL=1 \
SMB_CONF_PATH=st/ad_dc/etc/smb.conf \
PYTHONPATH=bin/default/python \
DC_SERVER=192.168.122.126 \
DC_USERNAME=Administrator DC_PASSWORD='xxx' \
python3 python/samba/tests/sid_strings.py
When things are right, the only failing tests should be from the
SidStringBehavioursThatSambaPrefers suite.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10763
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 2 May 2024 02:24:18 +0000 (14:24 +1200)]
pytest: sid_strings: use more reliable well known SID
It seems as if the well-known SID S-1-5-32-579
(DOMAIN_ALIAS_RID_ACCESS_CONTROL_ASSISTANCE_OPS) is
not always present -- specifically, it was not there on the
Windows machine used to develop these tests, but it is there on
the one I am now using.
S-1-5-32-545 (DOMAIN_ALIAS_RID_USERS) is surely going to exist,
so we use that instead.
That changes some of the assertions, making some NO_SUCH_OBJECTs
into successes.
For these tests we are only interested in the parsing of the SIDs, not
their meaning, so it's OK to change it.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10763
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Sat, 13 Apr 2024 10:39:49 +0000 (22:39 +1200)]
ldb-samba: ldif_write_schemaInfo() uses correct size
repsFromToBlob is much bigger, so this only meant we briefly allocated
more than we needed.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10763
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Sat, 13 Apr 2024 05:53:24 +0000 (17:53 +1200)]
lib:util: codepoint_cmpi: be transitive and case-insensitive
the less/greater conparisons were not case-sensitive, which made the whole
function non-transitive.
I think codepoint_cmpi() is currently only used for equality tests, so
nothing will change.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Sat, 13 Apr 2024 05:07:20 +0000 (17:07 +1200)]
lib:util:tests: more tests for codepoint_cmpi
is codepoint_cmpi as case-insensitive as it claims when it comes to
inequalities? (no, it is not!).
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Fri, 12 Apr 2024 08:28:04 +0000 (20:28 +1200)]
s4:dsdb:mod: repl_md: message sort uses NUMERIC_CMP()
No change at all in the result, just saving lines and branches.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Fri, 12 Apr 2024 06:33:47 +0000 (18:33 +1200)]
s4:rpc_srv:getncchanges: USN sort uses qsort() instead of ldb_qsort()
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Fri, 12 Apr 2024 06:32:42 +0000 (18:32 +1200)]
s4:rpc_srv:getncchanges: 4.5 anc emulation uses qsort(), not ldb_qsort()
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Fri, 12 Apr 2024 06:11:47 +0000 (18:11 +1200)]
s4:dsdb:mod: repl_md: make message_sort transitive
Before we had (with a TODO of regret):
if (!a1 || !a2) {
return strcasecmp(e1->name, e2->name);
}
so, given {name:"A", id 2}, {name:"B", NO id}, {name:"C", id 1},
A < B by name
B < C by name
A > C by id
Now the sort order is always A > C > B.
This sort could have caused mysterious crashes in repl_meta_data if
the schema is out of sync.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Fri, 12 Apr 2024 06:11:12 +0000 (18:11 +1200)]
ldb:tools: ldbsearch doesn't need ldb_qsort()
When the opaque context blob is not used, we might as well
use a real qsort().
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 1 May 2024 04:26:14 +0000 (16:26 +1200)]
s4:dsdb:util_trusts: simplify the NULL case in dns_cmp
In this comparison function a NULL string is treated as the ancestor
of all names, but you need to look hard to see that.
By pulling the logic for NULLs to the front, hopefully we have to look
less hard.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Fri, 12 Apr 2024 09:28:31 +0000 (21:28 +1200)]
s4:dsdb:util_trusts: describe dns_cmp return values
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Tue, 16 Apr 2024 11:31:45 +0000 (23:31 +1200)]
ldb:tests: add a test for dotted i uppercase
This didn't fail in the tr_TR locale before recent changes for
https://bugzilla.samba.org/show_bug.cgi?id=15637, because this is a
different casefold codepath. But it could fail if that other path goes
wrong, so we might as well have the test.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Fri, 26 Apr 2024 03:24:47 +0000 (15:24 +1200)]
ldb: avoid NULL deref in ldb_db_compare
This also sorts NULLs after invalid DNs, which matches the comment
above.
CID
1596622.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Tue, 7 May 2024 10:32:08 +0000 (22:32 +1200)]
.gitlab-ci: Remove tags no longer provided by gitlab.com
GitLab.com removed a number of tags from their hosted
runners and this meant our CI was being redirected to
our private runners at a larger cost to the Samba Team.
The new infrastructure is much larger than when we last
selected runners so we can just use the default, even for
the code coverage build.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15638
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue May 7 13:40:55 UTC 2024 on atb-devel-224
Stefan Metzmacher [Thu, 7 Mar 2024 14:31:39 +0000 (15:31 +0100)]
s3:libsmb: let cli_session_creds_init() keep the value from 'client use kerberos'
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue May 7 12:33:29 UTC 2024 on atb-devel-224
Stefan Metzmacher [Wed, 28 Feb 2024 16:28:43 +0000 (17:28 +0100)]
s3:winbindd: pass a NULL ccache to kerberos_return_pac() for a MEMORY ccache
It means kerberos_return_pac() will use smb_krb5_cc_new_unique_memory().
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Wed, 28 Feb 2024 16:27:39 +0000 (17:27 +0100)]
s3:libads: use smb_krb5_cc_new_unique_memory() in kerberos_return_pac()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Tue, 27 Feb 2024 15:38:42 +0000 (16:38 +0100)]
auth/credentials: use smb_krb5_cc_new_unique_memory() in cli_credentials_new_ccache()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Tue, 27 Feb 2024 15:21:02 +0000 (16:21 +0100)]
auth/credentials: use smb_krb5_cc_new_unique_memory() in cli_credentials_shallow_ccache()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Tue, 27 Feb 2024 15:19:58 +0000 (16:19 +0100)]
auth/credentials: use smb_krb5_cc_new_unique_memory() in smb_gss_krb5_copy_ccache()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Tue, 27 Feb 2024 14:49:09 +0000 (15:49 +0100)]
auth/credentials: use smb_krb5_cc_new_unique_memory() in krb5_cc_remove_cred_wrap()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Tue, 27 Feb 2024 14:47:15 +0000 (15:47 +0100)]
lib/krb5_wrap: make use of smb_krb5_cc_new_unique_memory() in smb_krb5_kinit_s4u2_ccache()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Tue, 27 Feb 2024 14:42:37 +0000 (15:42 +0100)]
lib/krb5_wrap: add smb_krb5_cc_new_unique_memory()
This generates a memory credential cache that is
not visible to a (the default) credential cache collection.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>