Jo Sutton [Fri, 19 Apr 2024 02:16:03 +0000 (14:16 +1200)]
tests/krb5: Test retrieving a denied gMSA password over an unsealed connection
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Mon, 15 Apr 2024 03:13:45 +0000 (15:13 +1200)]
s4:ldap_server: Update gMSA keys when DSDB_CONTROL_GMSA_UPDATE_OID control is specified
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Mon, 15 Apr 2024 01:21:10 +0000 (13:21 +1200)]
s4:dsdb:tests: Make use of ‘ldb’ parameter
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Mon, 15 Apr 2024 00:19:12 +0000 (12:19 +1200)]
lib:crypto: Add more unit tests for GKDI functions
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Sun, 14 Apr 2024 23:42:50 +0000 (11:42 +1200)]
s4:dsdb: Make use of DSDB_SEARCH_UPDATE_MANAGED_PASSWORDS search flag
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Tue, 9 Apr 2024 04:24:43 +0000 (16:24 +1200)]
s4:dsdb: Implement DSDB_SEARCH_UPDATE_MANAGED_PASSWORDS search flag
View with ‘git show -b’.
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Thu, 11 Apr 2024 05:17:54 +0000 (17:17 +1200)]
s4:kdc: Correctly extract older NT hash
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Tue, 16 Apr 2024 04:01:44 +0000 (16:01 +1200)]
tests/krb5: Note that lockout tests use password checks
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Thu, 11 Apr 2024 04:31:51 +0000 (16:31 +1200)]
tests/krb5: Fix malapropism
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Wed, 10 Apr 2024 00:01:09 +0000 (12:01 +1200)]
s4:kdc: Remove unnecessary cast
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Tue, 9 Apr 2024 23:53:43 +0000 (11:53 +1200)]
pyglue: Remove unnecessary declaration
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Tue, 9 Apr 2024 03:07:23 +0000 (15:07 +1200)]
s4:kdc: Fix grammar
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Tue, 9 Apr 2024 02:31:11 +0000 (14:31 +1200)]
auth:credentials: Remove unnecessary declaration
This declaration is a hold‐over from the Python 2 module initialization
pattern.
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Mon, 8 Apr 2024 05:29:40 +0000 (17:29 +1200)]
auth:credentials: Fix code spelling
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Mon, 4 Mar 2024 23:33:33 +0000 (12:33 +1300)]
python: Reformat code
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Tue, 5 Mar 2024 03:18:34 +0000 (16:18 +1300)]
s4-gmsa: Do not attempt password set on remote LDAP connections
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Jo Sutton [Tue, 13 Feb 2024 03:09:57 +0000 (16:09 +1300)]
s4:dsdb: Add dsdb_update_gmsa_keys()
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Wed, 17 Apr 2024 01:27:19 +0000 (13:27 +1200)]
s4:dsdb: Move the responsibility for determining whether an account is a gMSA out of gmsa_recalculate_managed_pwd()
and into its callers.
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Thu, 11 Apr 2024 08:15:07 +0000 (20:15 +1200)]
s4:dsdb: Indicate to the LDAP server physical passwords that need to be refreshed
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Tue, 16 Apr 2024 02:03:36 +0000 (14:03 +1200)]
s4:dsdb: Store found managed password ID as part of gMSA update structure
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Tue, 16 Apr 2024 02:03:05 +0000 (14:03 +1200)]
s4:dsdb: Store account DN as part of gMSA update structure
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Tue, 16 Apr 2024 02:00:44 +0000 (14:00 +1200)]
s4:dsdb: Only reuse the current password ID as the previous password ID when appropriate
This should already be the case given the current logic, but let’s make
it explicit.
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Tue, 16 Apr 2024 01:58:15 +0000 (13:58 +1200)]
s4:dsdb: Add a note that administrators should not set the clock too far in the future
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Tue, 16 Apr 2024 01:49:04 +0000 (13:49 +1200)]
s4:dsdb: No longer pass DSDB_SEARCH_ONE_ONLY flag to dsdb_search_dn()
As dsdb_search_dn() ignores this flag, passing it in doesn’t achieve
anything.
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Tue, 16 Apr 2024 04:28:55 +0000 (16:28 +1200)]
s4:dsdb: Explicitly return success error code
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Wed, 17 Apr 2024 22:13:04 +0000 (10:13 +1200)]
tests/krb5: Add tests that gMSA keys are updated in the database when appropriate
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Fri, 19 Apr 2024 00:59:52 +0000 (12:59 +1200)]
tests/krb5: Import MAX_CLOCK_SKEW more directly
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Fri, 19 Apr 2024 00:58:36 +0000 (12:58 +1200)]
tests/krb5: Extract method to unpack supplementalCredentials blob
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Fri, 19 Apr 2024 00:57:50 +0000 (12:57 +1200)]
tests/krb5: Skip loop iteration if attribute has no values
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Thu, 18 Apr 2024 00:47:28 +0000 (12:47 +1200)]
ldb: Check result of py_ldb_msg_keys()
Passing NULL into PyObject_GetIter() can cause a segmentation fault.
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Martin Schwenke [Thu, 18 Apr 2024 04:13:11 +0000 (14:13 +1000)]
ctdb-scripts: Do not de-duplicate the interfaces list
Using xargs with sort -u to de-duplicate this list was my idea and
causes a couple of things to go wrong. The use of xargs causes
double-quotes to be lost. The resulting $public_ifaces value also
contains newlines. The newlines could be removed with an additional
xargs at the end of the pipeline... but that would add an extra level
of quote stripping.
I have unsuccessfully tried to find an alternative, but still elegant,
command pipeline that de-duplicates the list, while maintaining
quoting.
So, just drop the de-duplication.
This might make interface_ifindex_exists_with_options() slightly less
efficient. However, that function walks the whole list, only
terminating early when a match is found on both interface and options,
so at least it will be correct.
Include an extra testcase.
Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Thu Apr 18 09:08:34 UTC 2024 on atb-devel-224
Andreas Schneider [Mon, 15 Apr 2024 05:32:02 +0000 (07:32 +0200)]
python: Fix NtVer check for site_dn_for_machine()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15633
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: David Mulder <dmulder@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Apr 17 19:32:11 UTC 2024 on atb-devel-224
Volker Lendecke [Tue, 12 Mar 2024 14:06:33 +0000 (15:06 +0100)]
lib: Remove an obsolete comment
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Wed Apr 17 09:01:34 UTC 2024 on atb-devel-224
Volker Lendecke [Tue, 13 Feb 2024 12:05:42 +0000 (13:05 +0100)]
smbd: Remove sconn->using_smb2
We have the same information available via conn_using_smb2()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Volker Lendecke [Tue, 13 Feb 2024 11:28:06 +0000 (12:28 +0100)]
smbd: Add conn_using_smb2()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Volker Lendecke [Tue, 13 Feb 2024 11:56:17 +0000 (12:56 +0100)]
smbd: Change protocol selection to not use "sconn->using_smb2"
To me this is pretty confusing, it seems to overload this struct
element.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Volker Lendecke [Thu, 29 Feb 2024 15:11:16 +0000 (16:11 +0100)]
ctdb: Modernize a few DEBUGs
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Wed Apr 17 00:54:55 UTC 2024 on atb-devel-224
Volker Lendecke [Fri, 1 Mar 2024 20:19:51 +0000 (21:19 +0100)]
ctdb: Remove common/line.[ch]
This was an implementation of getline(3), use that instead.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Volker Lendecke [Fri, 1 Mar 2024 20:16:57 +0000 (21:16 +0100)]
ctdb: Use stdio's getline() in ctdb_connection_list_read()
This is the only user of common/line.[ch], which can go next.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Volker Lendecke [Wed, 10 Apr 2024 11:11:11 +0000 (13:11 +0200)]
lib: Use fdopen_keepfd()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Volker Lendecke [Wed, 10 Apr 2024 11:08:06 +0000 (13:08 +0200)]
rpc_server3: Use fdopen_keepfd()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Volker Lendecke [Wed, 10 Apr 2024 11:07:56 +0000 (13:07 +0200)]
lib: Add fdopen_keepfd()
Capture the dup/fdopen pattern
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Volker Lendecke [Wed, 10 Apr 2024 11:02:39 +0000 (13:02 +0200)]
lib: Give lib/util/util_file.c its own header file
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Vinit Agnihotri [Tue, 30 Jan 2024 09:50:20 +0000 (01:50 -0800)]
ctdb-scripts: Add options to generate smb.conf interfaces include file
Signed-off-by: Vinit Agnihotri <vagnihotri@ddn.com>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Vinit Agnihotri [Tue, 30 Jan 2024 09:25:37 +0000 (01:25 -0800)]
ctdb-scripts: Rename and relocate function get_all_interfaces()
get_all_interfaces() function gets all names for all public interfaces.
However, the name is misleading. Thus renamed it to get_public_ifaces() and
moved it under functions.
Signed-off-by: Vinit Agnihotri <vagnihotri@ddn.com>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Vinit Agnihotri [Tue, 5 Mar 2024 11:03:25 +0000 (03:03 -0800)]
smbd-server: Process ip add/drop events for options:dynamic only
Signed-off-by: Vinit Agnihotri <vagnihotri@ddn.com>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Vinit Agnihotri [Tue, 5 Mar 2024 10:32:23 +0000 (02:32 -0800)]
lib-interface: Change API for interface 'options'
Signed-off-by: Vinit Agnihotri <vagnihotri@ddn.com>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Vinit Agnihotri [Tue, 5 Mar 2024 10:15:11 +0000 (02:15 -0800)]
lib-interface: Add parsing for interface 'options'
Signed-off-by: Vinit Agnihotri <vagnihotri@ddn.com>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Vinit Agnihotri [Tue, 5 Mar 2024 10:27:04 +0000 (02:27 -0800)]
lib-interface: Add extra parameter 'options' to interface definition
Signed-off-by: Vinit Agnihotri <vagnihotri@ddn.com>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Vinit Agnihotri [Tue, 5 Mar 2024 11:16:49 +0000 (03:16 -0800)]
param: Add additional key 'options' for interfaces
The key 'options' specifies if server should spawn/kill listening sockets
in event of add/dropped ip addresses on specified interface.
Signed-off-by: Vinit Agnihotri <vagnihotri@ddn.com>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Vinit Agnihotri [Thu, 29 Feb 2024 08:52:08 +0000 (00:52 -0800)]
smbd-server: Use MSG_SMB_IP_DROPPED
Signed-off-by: Vinit Agnihotri <vagnihotri@ddn.com>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Vinit Agnihotri [Thu, 29 Feb 2024 06:22:38 +0000 (22:22 -0800)]
messaging: Add new SMBD message
Signed-off-by: Vinit Agnihotri <vagnihotri@ddn.com>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Vinit Agnihotri [Wed, 28 Feb 2024 11:56:23 +0000 (03:56 -0800)]
smbd-server: Handle ip drop event and close listening socket
Signed-off-by: Vinit Agnihotri <vagnihotri@ddn.com>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Vinit Agnihotri [Wed, 21 Feb 2024 05:49:34 +0000 (21:49 -0800)]
smbd-server: Open socket for additional ip address
Signed-off-by: Vinit Agnihotri <vagnihotri@ddn.com>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Vinit Agnihotri [Tue, 20 Feb 2024 10:40:13 +0000 (02:40 -0800)]
lib-interface: Add new API to validate interface info for given interface index
Signed-off-by: Vinit Agnihotri <vagnihotri@ddn.com>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Vinit Agnihotri [Thu, 15 Feb 2024 13:23:37 +0000 (05:23 -0800)]
lib-addrchange: Change API to fill up if_index value from netlink msg
Signed-off-by: Vinit Agnihotri <vagnihotri@ddn.com>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Vinit Agnihotri [Tue, 13 Feb 2024 11:30:50 +0000 (03:30 -0800)]
smbd-server: Set event callback for interface change notification
Signed-off-by: Vinit Agnihotri <vagnihotri@ddn.com>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Christof Schmitt [Thu, 7 Mar 2024 23:41:11 +0000 (16:41 -0700)]
docs: Document new tdbdump -x option
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Christof Schmitt <cs@samba.org>
Autobuild-Date(master): Tue Apr 16 18:37:17 UTC 2024 on atb-devel-224
Christof Schmitt [Fri, 12 Apr 2024 22:48:02 +0000 (15:48 -0700)]
tdb: Add test for tdbdump -x
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Christof Schmitt [Thu, 7 Mar 2024 23:38:53 +0000 (16:38 -0700)]
tdb: Add tdbdump option to output all data as hex values
This can be useful for debugging tdb databases, the hex output of the
key can be used for "net tdb" or ctdb commands.
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Christof Schmitt [Fri, 12 Apr 2024 22:44:38 +0000 (15:44 -0700)]
tdb: Add test for tdbdump command
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Christof Schmitt [Fri, 12 Apr 2024 22:22:06 +0000 (15:22 -0700)]
tdb: Return failure as exit status from test_tdbbackup.sh
When this test is called from wscript, only the exit code is checked.
Track failures and return as non-zero exit code.
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Shaleen Bathla [Wed, 10 Apr 2024 13:01:39 +0000 (18:31 +0530)]
s3: winbindd: winbindd_pam: fix leak in extract_pac_vrfy_sigs
Add missing free for entry variable and its members: key and principal
Found definite memory leaks via valgrind as shown below.
Leak 1 :
==1686== 76,800 bytes in 2,400 blocks are definitely lost in loss record 432 of 433
==1686== at 0x4C38185: malloc (vg_replace_malloc.c:431)
==1686== by 0x79CBFED: krb5int_c_copy_keyblock_contents (keyblocks.c:101)
==1686== by 0x621CFA3: krb5_mkt_get_next (kt_memory.c:500)
==1686== by 0x141186: extract_pac_vrfy_sigs (winbindd_pam.c:3384)
==1686== by 0x141186: winbindd_pam_auth_pac_verify (winbindd_pam.c:3434)
==1686== by 0x17ED21: winbindd_pam_auth_crap_send (winbindd_pam_auth_crap.c:68)
==1686== by 0x127F45: process_request_send (winbindd.c:502)
==1686== by 0x127F45: winbind_client_request_read (winbindd.c:749)
==1686== by 0x124AAF: wb_req_read_done (wb_reqtrans.c:126)
==1686== by 0x66D4706: tevent_common_invoke_fd_handler (tevent_fd.c:142)
==1686== by 0x66DAF4E: epoll_event_loop (tevent_epoll.c:737)
==1686== by 0x66DAF4E: epoll_event_loop_once (tevent_epoll.c:938)
==1686== by 0x66D8F5A: std_event_loop_once (tevent_standard.c:110)
==1686== by 0x66D39B4: _tevent_loop_once (tevent.c:823)
==1686== by 0x1232F3: main (winbindd.c:1718)
Leak 2 :
==1686== at 0x4C38185: malloc (vg_replace_malloc.c:431)
==1686== by 0x62255E4: krb5_copy_principal (copy_princ.c:38)
==1686== by 0x621D003: krb5_mkt_get_next (kt_memory.c:503)
==1686== by 0x141186: extract_pac_vrfy_sigs (winbindd_pam.c:3384)
==1686== by 0x141186: winbindd_pam_auth_pac_verify (winbindd_pam.c:3434)
==1686== by 0x17ED21: winbindd_pam_auth_crap_send (winbindd_pam_auth_crap.c:68)
==1686== by 0x127F45: process_request_send (winbindd.c:502)
==1686== by 0x127F45: winbind_client_request_read (winbindd.c:749)
==1686== by 0x124AAF: wb_req_read_done (wb_reqtrans.c:126)
==1686== by 0x66D4706: tevent_common_invoke_fd_handler (tevent_fd.c:142)
==1686== by 0x66DAF4E: epoll_event_loop (tevent_epoll.c:737)
==1686== by 0x66DAF4E: epoll_event_loop_once (tevent_epoll.c:938)
==1686== by 0x66D8F5A: std_event_loop_once (tevent_standard.c:110)
==1686== by 0x66D39B4: _tevent_loop_once (tevent.c:823)
==1686== by 0x1232F3: main (winbindd.c:1718)
Signed-off-by: Shaleen Bathla <shaleen.bathla@oracle.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Apr 16 10:22:51 UTC 2024 on atb-devel-224
Jo Sutton [Tue, 13 Feb 2024 02:45:21 +0000 (15:45 +1300)]
s4:dsdb: Implement msDS-ManagedPassword attribute
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Apr 16 05:02:30 UTC 2024 on atb-devel-224
Jo Sutton [Tue, 9 Apr 2024 04:15:48 +0000 (16:15 +1200)]
s4:dsdb: Add extra attrs to search request even if replacement attribute is NULL
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Tue, 9 Apr 2024 02:09:17 +0000 (14:09 +1200)]
python:tests: Catch failures to authenticate with gMSA managed passwords
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Tue, 9 Apr 2024 01:55:58 +0000 (13:55 +1200)]
selftest: Expand out knownfails for gMSA getpassword tests
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Fri, 5 Apr 2024 00:23:18 +0000 (13:23 +1300)]
s4:dsdb: Set up passwords and password IDs of new gMSAs
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Tue, 13 Feb 2024 03:09:57 +0000 (16:09 +1300)]
s4:dsdb: Add functions for Group Managed Service Accounts implementation
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Tue, 9 Apr 2024 00:15:00 +0000 (12:15 +1200)]
s4:dsdb: Factor out a function to remove all password related attributes
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Mon, 1 Apr 2024 21:33:27 +0000 (10:33 +1300)]
lib:crypto: Reformat source code
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Fri, 5 Apr 2024 00:44:08 +0000 (13:44 +1300)]
tests/krb5: Add tests for gMSAs
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Fri, 5 Apr 2024 00:43:46 +0000 (13:43 +1300)]
python:nt_time: Add NT_TIME_MAX constant
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Fri, 5 Apr 2024 00:43:30 +0000 (13:43 +1300)]
python:gkdi: Reformat code with ‘ruff’
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Fri, 5 Apr 2024 00:43:15 +0000 (13:43 +1300)]
python:gkdi: Add Gkdi.from_key_envelope() method
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Fri, 5 Apr 2024 00:42:31 +0000 (13:42 +1300)]
python:gkdi: Add notes on GKDI time periods
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Mon, 1 Apr 2024 22:15:08 +0000 (11:15 +1300)]
tests/gkdi: Change ‘current_gkid’ parameter to ‘current_time’
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Mon, 1 Apr 2024 22:13:37 +0000 (11:13 +1300)]
tests/gkdi: Remove implicit clock skew offset
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Tue, 26 Mar 2024 03:25:31 +0000 (16:25 +1300)]
tests/gkdi: Allow current time to be overridden
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Tue, 19 Mar 2024 01:27:00 +0000 (14:27 +1300)]
tests/krb5: Make use of ‘expect_edata’ parameter
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Thu, 21 Mar 2024 23:32:46 +0000 (12:32 +1300)]
tests/krb5: Remove unused variable
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Thu, 21 Mar 2024 23:32:25 +0000 (12:32 +1300)]
tests/krb5: Fix code spelling
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Thu, 21 Mar 2024 23:31:38 +0000 (12:31 +1300)]
tests/krb5: Remove unused import
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Tue, 9 Apr 2024 02:15:51 +0000 (14:15 +1200)]
python:tests: Fix typo
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Mon, 4 Mar 2024 00:38:10 +0000 (13:38 +1300)]
python:tests: Reformat code
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Tue, 9 Apr 2024 03:39:43 +0000 (15:39 +1200)]
python:tests: Fix set declaration
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Tue, 9 Apr 2024 03:31:15 +0000 (15:31 +1200)]
python:tests: Replace deprecated method assertRaisesRegexp()
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Tue, 16 Apr 2024 02:28:43 +0000 (14:28 +1200)]
s4:ldap_server: Consider ldapi connections to be encrypted
Modifications to unicodePwd require an encrypted connection. This change
allows unicodePwd to be modified over an ldapi connection.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15634
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Tue, 16 Apr 2024 02:28:21 +0000 (14:28 +1200)]
s4:ldap_server: Store whether an LDAP connection is over ldapi
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15634
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Tue, 16 Apr 2024 02:27:41 +0000 (14:27 +1200)]
s4:ldap_server: Add copy of non‐privileged ops specifically for ldapi connections
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15634
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Tue, 16 Apr 2024 02:31:11 +0000 (14:31 +1200)]
s4:ldap_server: Rename privileged ops to indicate they are used for ldapi
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15634
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Tue, 16 Apr 2024 02:17:33 +0000 (14:17 +1200)]
s4:ldap_server: Fix code spelling
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15634
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Tue, 16 Apr 2024 02:17:02 +0000 (14:17 +1200)]
s4:ldap_server: Remove trailing whitespace
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15634
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Thu, 11 Apr 2024 04:26:49 +0000 (16:26 +1200)]
selftest: Move some KDS root key tests around to prepare for gMSA server side
Once we have a gMSA server side the impact of deleting root keys becomes real
and so we must do this in a quiet place where it can not impact on other things.
Likewise, we want the samba.tests.dsdb_quiet_provision_tests tests to run
somewhere that is not doing other things, so we can see what a bare provision
will do. We must not allow test ordering inside the file to cause tests that
create root keys to run before checking if provision created a usable root key.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Andrew Bartlett [Thu, 11 Apr 2024 02:33:16 +0000 (14:33 +1200)]
selftest: Remove duplicate setup of "spn/upn namespaces" in the customdc testenv
The call to $self->setup_namespaces() was always in error, as the design
is to have the in the state that it was backed up in, but before commit
08be28241b808845c4b51a4c47765a9416ca3aa7 the error return was not
checked and so this was harmless.
The customdc environment is not tested in selftest currently, as
it is intended to be used for manual testing of domains from backup
files not as an automatically constructed environment.
This makes:
BACKUP_FILE=samba-backup-2024-04-11T14-10-20.437096.tar.bz2 SELFTEST_TESTENV=customdc make testenv
work again.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Andreas Schneider [Thu, 11 Apr 2024 08:29:18 +0000 (10:29 +0200)]
s3:auth: Add support standalone server with MIT Kerberos 1.21
This adds support for MIT Kerberos minimal PAC. Tickets from pure
Kerberos realms with MIT Kerberos 1.21 or newer will always include a
minimal PAC. The PAC includes the checksum buffers and a logon_name PAC
buffer.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Thu, 11 Apr 2024 08:21:16 +0000 (10:21 +0200)]
s3:auth: Split auth3_generate_session_info_pac() into functions
This gets rid of the multiple goto and just has a single destructor
goto.
Best view this commit with `git show -b <sha> --color-moved=zebra`
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Fri, 12 Apr 2024 12:36:32 +0000 (14:36 +0200)]
s3:auth: Re-format auth3_generate_session_info_pac()
This is in preparation to split up the function into several functions.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Fri, 15 Mar 2024 11:41:19 +0000 (12:41 +0100)]
s3:auth: Remove trailing spaces
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pavel Filipenský [Thu, 11 Apr 2024 11:01:28 +0000 (13:01 +0200)]
smbdotconf: Enable "winbind debug traceid" by default
The traceid debug header field is a useful feature, let's make it
default.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15631
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org>
Autobuild-Date(master): Mon Apr 15 18:47:41 UTC 2024 on atb-devel-224