Joseph Sutton [Mon, 6 Nov 2023 23:35:10 +0000 (12:35 +1300)]
python:tests: Remove unused imports
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Fri, 24 Nov 2023 01:46:56 +0000 (14:46 +1300)]
python:tests: Remove unnecessary f‐strings
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 23 Nov 2023 22:39:47 +0000 (11:39 +1300)]
python: Add missing word to comment
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 23 Nov 2023 22:39:16 +0000 (11:39 +1300)]
python: Fix code spelling
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 16 Oct 2023 05:12:49 +0000 (18:12 +1300)]
gp: Remove unused import
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Sun, 26 Nov 2023 23:57:30 +0000 (12:57 +1300)]
security.idl: Remove trailing whitespace
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 22 Nov 2023 01:40:31 +0000 (14:40 +1300)]
librpc: Fix code spelling
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 22 Nov 2023 01:39:17 +0000 (14:39 +1300)]
librpc: Remove trailing whitespace
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 29 Nov 2023 19:18:49 +0000 (08:18 +1300)]
libcli/security: Fix code spelling
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 29 Nov 2023 19:18:31 +0000 (08:18 +1300)]
libcli/security: Remove unused includes
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 23 Nov 2023 03:23:51 +0000 (16:23 +1300)]
util/data_blob: Fix code spelling
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 23 Nov 2023 03:23:29 +0000 (16:23 +1300)]
util/data_blob: Remove trailing whitespace
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 13 Nov 2023 22:02:15 +0000 (11:02 +1300)]
util/charset: Remove trailing whitespace
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 18 Oct 2023 23:32:35 +0000 (12:32 +1300)]
lib/torture: Remove trailing whitespace
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 14 Nov 2023 22:23:03 +0000 (11:23 +1300)]
talloc: Fix documentation
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 27 Nov 2023 06:41:13 +0000 (19:41 +1300)]
lib/fuzzing: Fix code spelling
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 4 Dec 2023 22:41:24 +0000 (11:41 +1300)]
ldb: Fix code spelling
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 5 Dec 2023 02:36:37 +0000 (15:36 +1300)]
lib:crypto: Remove unused Rijndael cipher header
The corresponding code was removed with commit 11b3c6826d19d60937f75825075fc5eb67385e11.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 30 Nov 2023 03:20:02 +0000 (16:20 +1300)]
lib:crypto: Remove redundant array zeroing
The call to memset_s() was supposed to replace the use of
ZERO_ARRAY_LEN(), but somehow both lines have crept in.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 15 Nov 2023 21:46:09 +0000 (10:46 +1300)]
docs-xml: Fix code spelling
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 23 Nov 2023 23:30:03 +0000 (12:30 +1300)]
ctdb: Fix code spelling
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 23 Nov 2023 23:29:15 +0000 (12:29 +1300)]
ctdb: Remove trailing whitespace
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 9 Nov 2023 00:17:24 +0000 (13:17 +1300)]
buildtools: Update docstring to be more accurate
Some more possibilities for output files have been introduced since
commit e916aff9e1d44c3599c30b9ea32d03921f6403f4.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 5 Dec 2023 02:47:23 +0000 (15:47 +1300)]
auth:gensec: Zero digest array in error case
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Fri, 8 Dec 2023 00:00:34 +0000 (13:00 +1300)]
tests/ndr: Add tests for Group Key Distribution Service blobs
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 13 Nov 2023 04:08:58 +0000 (17:08 +1300)]
gkdi.idl: Add definitions for the Group Key Distribution Service
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 6 Dec 2023 03:07:54 +0000 (16:07 +1300)]
python:tests: Permit newer copyright notice
We can use an HTTPS URL (https://www.gnu.org/licenses/) now.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Wed, 6 Dec 2023 07:48:34 +0000 (08:48 +0100)]
s3:utils: Fix setting the debug level
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15525
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Dec 7 05:33:21 UTC 2023 on atb-devel-224
Andreas Schneider [Tue, 5 Dec 2023 14:46:48 +0000 (15:46 +0100)]
s3:tests: Add smbget test for smb://DOAMIN;user%password@server/share/file
This is supported according to the smbget manpage!
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15525
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Thu, 7 Dec 2023 02:50:43 +0000 (15:50 +1300)]
pycredentials: Properly check type in creds.set_nt_hash() and samr.encrypt_samr_password()
We should not be just doing a talloc type check, we should check the python
type first.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Andreas Schneider [Thu, 30 Nov 2023 09:54:07 +0000 (10:54 +0100)]
s3:auth: Allow 'Unix Users' and 'Unix Groups' to create a local token
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15469
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Dec 1 08:06:44 UTC 2023 on atb-devel-224
Andreas Schneider [Fri, 8 Sep 2023 10:50:32 +0000 (12:50 +0200)]
s3:auth: Remove trailing white spaces from auth_util.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Andreas Schneider [Mon, 4 Sep 2023 14:29:46 +0000 (16:29 +0200)]
selftest: Show that 'allow trusted domains = no' firewalls Unix User|Group
UNEXPECTED(failure): samba3.blackbox.smbclient_auth.plain.local_creds.smbclient //LOCALSHARE4/forceuser_unixonly as user(simpleserver)
REASON: Exception: Exception: tree connect failed: NT_STATUS_AUTHENTICATION_FIREWALL_FAILED
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15469
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Andrew Bartlett [Wed, 29 Nov 2023 09:46:28 +0000 (22:46 +1300)]
third_party/heimdal: import lorikeet-heimdal-202311290849 (commit 84fb4579594a5fd8f8462450777eb24d5832be07)
Some of our pending PRs for Heimdal were recently accepted,
so this brings in a new update (mostly improved spelling).
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Nov 30 21:25:56 UTC 2023 on atb-devel-224
Andreas Schneider [Thu, 30 Nov 2023 07:32:45 +0000 (08:32 +0100)]
lib:crypto: Use bytearray macros
Do not use old macros which are not descriptive by the name.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Shachar Sharon [Thu, 16 Nov 2023 09:57:02 +0000 (11:57 +0200)]
vfs_ceph: call 'ceph_fgetxattr' only if valid fd
Align getxattr logic with the rest of xattr hooks: call ceph_fgetxattr
with appropriate io-fd when 'is_pathref' is false; otherwise, call
ceph_getxattr.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15440
Signed-off-by: Shachar Sharon <ssharon@redhat.com>
Reviewed-by: Anoop C S <anoopcs@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Thu Nov 30 12:32:29 UTC 2023 on atb-devel-224
Andrew Bartlett [Thu, 30 Nov 2023 00:31:33 +0000 (13:31 +1300)]
python/samba/tests: Fix incorrect super-class in cred_opt.py setUp()
This will allow TEST_DEBUG_LEVEL to work in this test.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Nov 30 02:03:05 UTC 2023 on atb-devel-224
Andrew Bartlett [Thu, 30 Nov 2023 00:28:56 +0000 (13:28 +1300)]
python/samba/tests: Fix incorrect superclass in test_min_domain_uid.py
This was not intentional as far as can be determined.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Thu, 30 Nov 2023 00:22:18 +0000 (13:22 +1300)]
python: Correct Python2 super() calls that called the wrong class
These changes have been checked as safe as skipping a superclass
has no actual impact.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Rob van der Linde [Tue, 28 Nov 2023 03:38:22 +0000 (16:38 +1300)]
python: tests: update all super calls to python 3 style in tests
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
[abartlet@samba.org Some python2 style super() calls remain due
to being an actual, even if reasonable, behaviour change]
Rob van der Linde [Tue, 28 Nov 2023 02:59:41 +0000 (15:59 +1300)]
python: get rid of pointless empty overridden methods
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Wed, 29 Nov 2023 21:37:13 +0000 (10:37 +1300)]
python: Use constants from hresult.h for python constants
This encourages us to keep a single source for constants.
In the future this should be a generated python file like for ntstatus.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Rob van der Linde [Tue, 28 Nov 2023 02:13:21 +0000 (15:13 +1300)]
python: move HRES_SEC_* constants to samba module
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Wed, 29 Nov 2023 03:00:13 +0000 (16:00 +1300)]
python: tests: make HRES_SEC_E_* constant an int
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Tue, 28 Nov 2023 02:11:12 +0000 (15:11 +1300)]
python: PEP275: docstrings should always use double quotes
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Tue, 28 Nov 2023 02:02:00 +0000 (15:02 +1300)]
python: fix missing colon around param in docstring
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 23 Nov 2023 03:54:12 +0000 (16:54 +1300)]
lib:crypto: Add test for samba_gnutls_sp800_108_derive_key() using NIST test vectors
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Nov 30 01:03:29 UTC 2023 on atb-devel-224
Joseph Sutton [Wed, 29 Nov 2023 02:46:30 +0000 (15:46 +1300)]
lib:crypto: Add ‘FixedData’ parameter to samba_gnutls_sp800_108_derive_key()
Our code won’t use this, but NIST’s test vectors are based on handing a
fixed buffer to the key derivation function.
View with ‘git show -b’.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 28 Nov 2023 23:44:10 +0000 (12:44 +1300)]
lib:crypto: Have samba_gnutls_sp800_108_derive_key() support various output key lengths
View with ‘git show -b’.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 28 Nov 2023 23:27:03 +0000 (12:27 +1300)]
lib:crypto: Clean up HMAC handle in one place
This is less error prone than having to ensure it’s cleaned up in every
error path.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 28 Nov 2023 23:29:58 +0000 (12:29 +1300)]
lib:crypto: Add missing call to gnutls_hmac_deinit()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 28 Nov 2023 23:28:10 +0000 (12:28 +1300)]
lib:crypto: Add common out path to samba_gnutls_sp800_108_derive_key()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 28 Nov 2023 22:49:19 +0000 (11:49 +1300)]
lib:crypto: Split out core of samba_gnutls_sp800_108_derive_key()
We are going to need to alter the structure of this function a little
bit.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 29 Nov 2023 22:00:57 +0000 (11:00 +1300)]
lib:crypto: Add tests for samba_gnutls_sp800_108_derive_key()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 28 Nov 2023 22:36:57 +0000 (11:36 +1300)]
lib:crypto: Add samba_gnutls_sp800_108_derive_key()
Rename smb2_key_derivation() to samba_gnutls_sp800_108_derive_key() and
move it to GNUTLS_HELPERS.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 28 Nov 2023 21:43:16 +0000 (10:43 +1300)]
lib:crypto: Remove unused variable
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 28 Nov 2023 21:43:03 +0000 (10:43 +1300)]
lib:crypto: Remove unused imports
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 23 Nov 2023 06:49:23 +0000 (19:49 +1300)]
libcli/smb: Add ‘algorithm’ parameter to smb2_key_derivation()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 23 Nov 2023 06:40:41 +0000 (19:40 +1300)]
libcli/auth: Return more consistent status code on gnutls HMAC failure
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 23 Nov 2023 06:40:05 +0000 (19:40 +1300)]
auth/gensec: Return more consistent status codes on gnutls hashing failure
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 23 Nov 2023 06:28:16 +0000 (19:28 +1300)]
s4:utils: Use correct enumeration constant
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 23 Nov 2023 06:27:56 +0000 (19:27 +1300)]
s4:utils: Remove trailing whitespace
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 23 Nov 2023 06:27:27 +0000 (19:27 +1300)]
s4:libcli: Call correct function to get HMAC output length
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 23 Nov 2023 06:26:53 +0000 (19:26 +1300)]
s4:libcli: Remove trailing whitespace
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 23 Nov 2023 06:26:16 +0000 (19:26 +1300)]
libcli/smb: Call correct function to get HMAC output length
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 23 Nov 2023 06:24:51 +0000 (19:24 +1300)]
libcli/auth: Call correct function to get HMAC output length
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 23 Nov 2023 06:24:27 +0000 (19:24 +1300)]
libcli/auth: Use correct enumeration constant
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 23 Nov 2023 03:54:15 +0000 (16:54 +1300)]
libcli/smb: Include missing headers
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 20 Nov 2023 20:43:47 +0000 (09:43 +1300)]
selftest: Remove knownfail entries for non‐existent tests
The corresponding tests were removed in commit 938afb8b28973b0065cc3509b70ebe3f6986de47.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 27 Nov 2023 07:25:20 +0000 (20:25 +1300)]
librpc:ndr: Use correct libndr flags type
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 27 Nov 2023 07:24:57 +0000 (20:24 +1300)]
librpc:ndr: Remove trailing whitespace
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 27 Nov 2023 01:41:25 +0000 (14:41 +1300)]
docs-xml: Add missing closing parenthesis
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Sun, 26 Nov 2023 23:58:05 +0000 (12:58 +1300)]
pidl: Make sure to cast whole expressions
$cvar could be an expression such as ‘1 << 10’. In such cases this cast
presumably was intended to apply to the entire expression, not just to
the ‘1’.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Sun, 26 Nov 2023 23:55:51 +0000 (12:55 +1300)]
conditional_ace.idl: Fix undefined shift
If ‘int’ is a 32‐bit type, then 1 << 31 cannot be represented in an
‘int’, and this shift will invoke undefined behaviour.
We have got away with this so far because of a Pidl bug that changed the
expression to ‘(uint32_t)1 << 31’, which is valid. But that bug is about
to be fixed.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 22 Nov 2023 02:54:50 +0000 (15:54 +1300)]
pidl: Fix subscripts of dereferenced arrays
Pidl will generate code like the following:
py_out_2 = PyLong_FromLong((uint16_t)*r->out.out[out_cntr_2]);
As the array subscripting operator has a higher precedence than the
indirection (dereference) operator, the argument will be evaluated as
(uint16_t)*(r->out.out[out_cntr_2]), which is wrong.
Fix Pidl to generate the following code instead:
py_out_2 = PyLong_FromLong((uint16_t)(*r->out.out)[out_cntr_2]);
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 22 Nov 2023 02:24:55 +0000 (15:24 +1300)]
pidl: Remove unneeded casts
_pytalloc_get_ptr() returns ‘void *’.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Sun, 19 Nov 2023 18:51:43 +0000 (07:51 +1300)]
pidl: Fix grammar in warning message
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 29 Nov 2023 22:39:36 +0000 (11:39 +1300)]
pidl: Remove trailing whitespace
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Sun, 19 Nov 2023 18:51:25 +0000 (07:51 +1300)]
pidl: Remove unused imports
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Wed, 22 Nov 2023 12:21:38 +0000 (13:21 +0100)]
third_party: Update waf to version 2.0.26
https://gitlab.com/ita1024/waf/-/blob/waf-2.0.26/ChangeLog
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Nov 29 10:47:00 UTC 2023 on atb-devel-224
Rob van der Linde [Tue, 28 Nov 2023 00:05:33 +0000 (13:05 +1300)]
tests: claims blackbox: add device and server silo restrictions test
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Nov 29 04:15:27 UTC 2023 on atb-devel-224
Rob van der Linde [Tue, 28 Nov 2023 22:37:42 +0000 (11:37 +1300)]
python: tests: claims blackbox tests use ntstatus constants
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Rob van der Linde [Mon, 27 Nov 2023 23:46:53 +0000 (12:46 +1300)]
tests: claims blackbox: use raw strings rather than escaping \
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Rob van der Linde [Tue, 21 Nov 2023 03:27:09 +0000 (16:27 +1300)]
tests: claims: blackbox device tests
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Tue, 28 Nov 2023 04:07:15 +0000 (17:07 +1300)]
selftest: Run samba.tests.gensec in an environment built also with MIT Krb5
We would like confidence that the FAST hooks work with both implementations.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Mon, 20 Nov 2023 01:12:19 +0000 (14:12 +1300)]
s4-auth/kerberos: Use FAST credentials for armor if specified in cli_credentials
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Sun, 19 Nov 2023 23:17:57 +0000 (12:17 +1300)]
python/tests: Add test for creds.set_krb5_fast_credentials()
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Sun, 19 Nov 2023 23:42:15 +0000 (12:42 +1300)]
python/tests: Lock in key-word arguments as key-word only in samba.tests.gssapi
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Mon, 20 Nov 2023 00:02:21 +0000 (13:02 +1300)]
python/tests: Import samba.gensec, not gensec
This allows this function to be used by gensec.py (a test) without collision.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Sun, 19 Nov 2023 23:16:04 +0000 (12:16 +1300)]
auth/credentials: Add Python bindings for association of a connection for FAST
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Fri, 17 Nov 2023 04:41:53 +0000 (17:41 +1300)]
auth/credentials: Add API to allow requesting a Kerberos ticket to be protected with FAST
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Tue, 28 Nov 2023 00:51:07 +0000 (13:51 +1300)]
build: Add build time detection for the MIT FAST ccache API
This will allow us to link against an older system Heimdal.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Wed, 29 Nov 2023 01:16:16 +0000 (14:16 +1300)]
third_party/heimdal: Provide krb5_init_creds_opt_set_fast_ccache() and krb5_init_creds_opt_set_fast_flags() (import lorikeet-heimdal-202311290114 (commit 4c8517e161396330c76240bf09609a0dd5f9ea20))
It is easier for external callers to manipulate the krb5_get_init_creds_opt
(via the helpers) as this is passed down from higher up than the krb5_init_creds_context.
And just as importantly, alignment with MIT makes end-user callers happier.
Finally, this resolves the ambiguity as to which layer owns the
krb5_ccache, because now we match the MIT behaviour: the init_creds code
re-opens a private copy inside libkrb5, meaning the caller closes the
cache it opened, rather than handing it over to the library.
(The unrelated changes are fixes to the test_pac test, also included in this import,
but in distinct lorikeet-heimdal commits, to allow it to compile)
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Douglas Bagnall [Fri, 24 Nov 2023 23:55:09 +0000 (12:55 +1300)]
libcli/security: note suboptimality of conditional ACE Contains operators
The Contains and Any_of operators could use a sorted comparison like
compare_composites_via_sort(), rather than O(n²) nested loops. But
that would involve an amount of quite fiddly work that I am not starting
on now.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Nov 27 23:38:13 UTC 2023 on atb-devel-224
Douglas Bagnall [Thu, 23 Nov 2023 00:03:15 +0000 (13:03 +1300)]
libcli/security: comparability check: claim members are of one type
We know from the way claims are defined, and from the code that checks
sortedness and sets the flag.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 23 Nov 2023 00:01:49 +0000 (13:01 +1300)]
libcli/security: shift comparability check to shortcut exits
The ordinary comparison path, using the sorted arrays, already implicitly
checks for comparability. We only need this when we're leaving early.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 22 Nov 2023 23:47:45 +0000 (12:47 +1300)]
libcli/security: add shortcuts for conditional ACE compare
If the number of members does not match in certain ways we can
say the sets are not equal without comparing the members.
We first need to check for comparability, though, so that we can return
an error if things aren't comparable.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Fri, 10 Nov 2023 03:27:45 +0000 (16:27 +1300)]
libcli/security: improve conditional ACE composite comparison
We had the comparison method wrong. Composites are compared as sets or
flabby sets, depending on their origin. Until now we compared them as
something a bit like sets, but not quite, in a maximally inefficient way.
Claims are always sets, and the left hand side is always a claim, but
literal composites on the right hand side can be multi-sets
(containing duplicate values). When it comes to comparison, composites
are reduced down to sets. To do the comparison we sort each side and
compare in order.
The fact that either side might ask for case-sensitive comparison (if
it is a claim) is an interesting complication.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Fri, 17 Nov 2023 00:58:12 +0000 (13:58 +1300)]
libcli/security: separate out claim_v1_to_ace_composite_unchecked()
For SDDL Resource ACE conversions we don't want to check too much
claim validity so that a semi-invalid ACE can round-trip through
deserialisation and serialisation. This is because Windows allows it,
but also because if the check puts the values in a sorted order that
makes the round-trip less round (that is, the return string is
semantically the same but possibly different in byte order).
The validity we're talking about is mostly uniqueness. For example
`S:(RA;;;;;WD;("foo",TU,0,7,5,7))` has two 7s, and that would be
invalid as a claim, but this is not checked while in ACE form.
On the other hand `S:(RA;;;;;WD;("foo",TU,0,3,2))` is valid, but the
return string will have 3 and 2 reversed when the check is made. We
prefer the ACE to stay the same while it is just being an ACE.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 16 Nov 2023 23:01:15 +0000 (12:01 +1300)]
libcli/security: avoid leak on SDDL encode failure
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>