Stefan Metzmacher [Wed, 18 Jan 2023 14:41:37 +0000 (15:41 +0100)]
tevent: version 0.15.0
- remove py2 ifdefs
- python: Safely clear structure members
- the tevent_thread_call_depth API is updated
in order to allow better tracing.
- add tevent_set_max_debug_level() only and don't
pass TEVENT_DEBUG_TRACE to tevent_debug() callbacks by default.
- Spelling fixes
- Make use of epoll_create1() for epoll backend
- Optimize overhead in the epoll backend
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Fri, 11 Nov 2022 21:25:34 +0000 (22:25 +0100)]
tevent: add tevent_common_fd_str() helper
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Wed, 11 Jan 2023 07:21:47 +0000 (08:21 +0100)]
tevent: avoid calling epoll_update_event() again if epoll_check_reopen() already did it
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Wed, 11 Jan 2023 07:21:47 +0000 (08:21 +0100)]
tevent: let epoll_check_reopen() clear all events before reopening them
This is clearer for multiplexed fdes as it means both sides are
already cleared before we call epoll_update_event() again.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Thu, 20 Apr 2023 12:59:33 +0000 (12:59 +0000)]
tevent: avoid epoll_check_reopen() overhead unless required
The preparation, function call and cleanup for epoll_check_reopen()
is quite some overhead and not needed most of the time!
So check the pid in the caller avoids most of it.
Review with: git show -w
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Fri, 11 Nov 2022 21:25:34 +0000 (22:25 +0100)]
tevent: make use of TEVENT_DEBUG() when using TEVENT_DEBUG_TRACE
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Fri, 11 Nov 2022 14:05:53 +0000 (15:05 +0100)]
tevent: add TEVENT_DEBUG() avoid argument overhead when log is not active...
It can be very costly to calculate the arguments passed to
tevent_debug(), just to drop the message within tevent_debug()
or the callback function.
So we add a way to avoid the overhead, it will be used in the
next commits.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Fri, 11 Nov 2022 14:05:53 +0000 (15:05 +0100)]
tevent: introduce tevent_set_max_debug_level() (default TEVENT_DEBUG_WARNING)
Allow an application to decide which log levels it wants to get
in the callback function passed to tevent_set_debug().
By default TEVENT_DEBUG_WARNING is the maximal reported level
and TEVENT_DEBUG_TRACE message no longer reach the callback function
by default.
It seems Samba is the only consumer of tevent_set_debug(), so it
should not be a huge problem, as Samba only reports TEVENT_DEBUG_TRACE
message with log level 50 anyway. And future Samba versions will
call tevent_set_max_debug_level() if needed.
Note the change to tevent-0.14.1.sigs will be reverted
with the release of tevent 0.15.0.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Fri, 27 Jan 2023 11:12:45 +0000 (12:12 +0100)]
tevent: add fd_speed test
This is similar to the "context" test, but without signal handlers.
It also creates a constant load instead of being time limited,
which makes it useful to analyse using callgrind and other tools.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Pavel Filipenský [Tue, 2 May 2023 19:57:16 +0000 (21:57 +0200)]
tevent: Flow: add tevent_thread_call_depth_set_callback()
Note the tevent-0.14.1.sigs changes will be reverted in
the 'tevent 0.15.0' commit.
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Tue, 23 May 2023 04:39:06 +0000 (06:39 +0200)]
tevent: Flow: store cleanup function name in tevent_req
Note the tevent-0.14.1.sigs changes will be reverted in
the 'tevent 0.15.0' commit.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky@samba.org>
Stefan Metzmacher [Tue, 23 May 2023 04:38:27 +0000 (06:38 +0200)]
tevent: Flow: store cancel function name in tevent_req
Note the tevent-0.14.1.sigs changes will be reverted in
the 'tevent 0.15.0' commit.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky@samba.org>
Pavel Filipenský [Mon, 15 May 2023 10:57:09 +0000 (12:57 +0200)]
tevent: Flow: store trigger function name in tevent_queue_entry
Note the tevent-0.14.1.sigs changes will be reverted in
the 'tevent 0.15.0' commit.
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Pavel Filipenský [Mon, 24 Apr 2023 13:04:06 +0000 (15:04 +0200)]
tevent: Flow: store callback function name in tevent_req
Note the tevent-0.14.1.sigs changes will be reverted in
the 'tevent 0.15.0' commit.
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Pavel Filipenský [Sat, 18 Jun 2022 08:57:11 +0000 (10:57 +0200)]
tevent: Flow: pass function name to tevent_req_create()
Note the tevent-0.14.1.sigs changes will be reverted in
the 'tevent 0.15.0' commit.
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Pavel Filipenský [Fri, 28 Apr 2023 18:45:20 +0000 (20:45 +0200)]
tevent: Deprecate some tevent_thread_call_depth_*() functions
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Pavel Filipenský [Fri, 28 Apr 2023 18:13:29 +0000 (20:13 +0200)]
tevent: Move definition of _DEPRECATED_ to the top of tevent.h
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Fri, 19 May 2023 09:16:49 +0000 (11:16 +0200)]
s3:winbindd: set TEVENT_DEPRECATED as tevent_thread_call_depth_*() api will change soon
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky@samba.org>
Stefan Metzmacher [Mon, 24 Apr 2023 10:39:17 +0000 (12:39 +0200)]
tevent: add tevent_dlinklist.h as copy from lib/util/dlinklist.h
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Thu, 20 Apr 2023 14:35:25 +0000 (14:35 +0000)]
lib/util: dlinklist.h sync with LGPL copy from lib/ldb/include/dlinklist.h
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Mon, 30 Jan 2023 15:10:07 +0000 (16:10 +0100)]
ldb: clarify LGPL scope of include/dlinklist.h
Removing the explicit notice about ldb in order to
have the same content in all copies of dlinklist.h
in the next commits.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Mon, 30 Jan 2023 15:10:07 +0000 (16:10 +0100)]
ldb: remove trailing whitespaces from include/dlinklist.h
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Dmitry Antipov [Fri, 7 Apr 2023 11:47:15 +0000 (14:47 +0300)]
tevent: rely on epoll_create1() for epoll interface
Prefer epoll_create1(2) over epoll_create(2) and
always require the former to use epoll(7) interface,
thus saving extra fcntl(2) call to set FD_CLOEXEC.
Signed-off-by: Dmitry Antipov <dantipov@cloudlinux.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Dmitry Antipov [Fri, 7 Apr 2023 11:42:10 +0000 (14:42 +0300)]
lib:replace: rely on epoll_create1() for epoll interface
Prefer epoll_create1(2) over epoll_create(2) and
always require the former to use epoll(7) interface.
Signed-off-by: Dmitry Antipov <dantipov@cloudlinux.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Tue, 18 Jul 2023 09:39:38 +0000 (11:39 +0200)]
tdb: release 1.4.9
* Remove remaining, but broken python2 support
* Spelling fixes
* python: Safely clear structure members
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Tue, 18 Jul 2023 09:39:38 +0000 (11:39 +0200)]
talloc: release 2.4.1
* Remove remaining, but broken python2 support
* Spelling fixes
* Remove unneeded va_copy()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Rob van der Linde [Wed, 12 Jul 2023 12:42:56 +0000 (00:42 +1200)]
netcmd: sites: add sites and subnet list and view commands to manpage
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Jul 19 04:29:15 UTC 2023 on atb-devel-224
Rob van der Linde [Wed, 12 Jul 2023 12:42:03 +0000 (00:42 +1200)]
netcmd: sites: add missing subnet commands to samba-tool manpage
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Rob van der Linde [Wed, 5 Jul 2023 05:40:48 +0000 (17:40 +1200)]
netcmd: sites: tests for list and view sites and subnet
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Rob van der Linde [Tue, 4 Jul 2023 10:02:01 +0000 (22:02 +1200)]
netcmd: sites: make use of ldb_connect from base class
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Rob van der Linde [Tue, 4 Jul 2023 09:47:46 +0000 (21:47 +1200)]
netcmd: add list and view commands for sites and subnets
* samba-tool sites list
* samba-tool sites view
* samba-tool sites subnet list
* samba-tool sites subnet view
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Rob van der Linde [Tue, 4 Jul 2023 09:34:38 +0000 (21:34 +1200)]
netcmd: add Subnet and Site models
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Mon, 17 Jul 2023 22:29:50 +0000 (10:29 +1200)]
WHATSNEW: Update minimum GnuTLS version
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Douglas Bagnall [Tue, 18 Jul 2023 00:54:40 +0000 (12:54 +1200)]
lib/fuzzing: patch for collecting fuzz_security_token_vs_descriptor seeds
If this patch is applied, and an environment variable is set, all
access_check calls will be recorded as seeds for
fuzz_security_token_vs_descriptor. See the patch for details.
You probably will never want to apply this patch, but it is here just
in case.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Mon, 17 Jul 2023 20:56:40 +0000 (08:56 +1200)]
lib/fuzzing: adapt fuzz_sddl_access_check for AD variant
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Mon, 17 Jul 2023 04:20:58 +0000 (16:20 +1200)]
lib/fuzzing: adapt fuzz_security_token_vs_descriptor for AD variant
This of course doesn't exercise the object tree or default SID code,
but it still covers a lot to the *_ds access_check functions.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Sat, 15 Jul 2023 10:49:22 +0000 (22:49 +1200)]
lib/fuzzing: add fuzzer for arbitrary token/sd access checks
The token and descriptor are stored in NDR format; for this purpose we
add a new IDL struct containing this pair (along with a desired access
mask).
An upcoming commit will show how to collect seeds for this fuzzer.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 12 Jul 2023 01:03:53 +0000 (13:03 +1200)]
lib/fuzzing: add fuzz_sddl_access_check
This fuzzer parses SDDL into a security descriptor and runs an access
check on it using a known security token. This is purely for crash
detection -- we don't know enough to assert whether the check should
succeed or not.
The seed strings used are compatible with those of fuzz_sddl_parse --
anything found by fuzz_sddl_parse is worth trying as a seed here, and
vice versa.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 22 Jul 2015 10:44:32 +0000 (12:44 +0200)]
s4:provision: use better values for operatingSystem[Version]
Some clients (e.g. an exchange server) check operatingSystemVersion
in order to check if a domain controller is new enough.
So we better use a value matching the dc functional level.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 18 Jul 2023 15:17:21 +0000 (17:17 +0200)]
s4:pydsdb: add dc_operatingSystemVersion() helper
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 7 Jul 2023 12:18:14 +0000 (14:18 +0200)]
s4:dsdb: let dsdb_check_and_update_fl() also operatingSystem[Version]
Some clients (e.g. an exchange server) check operatingSystemVersion
in order to check if a domain controller is new enough.
So we better use a value matching the dc functional level.
While we also fixed operatingSystem[Version] at provision time,
we do it also in dsdb_check_and_update_fl() in order to
handle old provisions and systems joined to an existing domain.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 18 Jul 2023 09:01:31 +0000 (11:01 +0200)]
upgradeprovision: handle operatingSystem similar to operatingSystemVersion
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 18 Jul 2023 09:00:56 +0000 (11:00 +0200)]
ldapcmp: also ignore operatingSystem similar to operatingSystemVersion
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Mon, 20 Dec 2021 19:53:35 +0000 (20:53 +0100)]
netlogon.idl: add some comments to netr_OsVersionInfoEx
[MS-RPRN] 7 Appendix B: Product Behavior contains information
about the products and their announced versions.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 5 Jul 2023 04:21:07 +0000 (16:21 +1200)]
third_party/heimdal: Import lorikeet-heimdal-
202307050413 (commit
e0597fe1d01b109e64d9c2a5bcada664ac199498)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9612
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Jul 19 02:41:25 UTC 2023 on atb-devel-224
Joseph Sutton [Mon, 3 Jul 2023 02:31:03 +0000 (14:31 +1200)]
tests/krb5: Add a test for PK-INIT with a revoked certificate
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9612
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 5 Jul 2023 04:12:42 +0000 (16:12 +1200)]
tests/krb5: Allow passing a pre-created certificate into _pkinit_req()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9612
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 5 Jul 2023 00:55:41 +0000 (12:55 +1200)]
tests/krb5: Have the caller of create_certificate() fetch the CA certificate and private key
These are useful to keep around for other purposes.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9612
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 5 Jul 2023 00:53:45 +0000 (12:53 +1200)]
tests/krb5: Factor out a method to fetch the CA certificate and private key
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9612
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 5 Jul 2023 00:43:52 +0000 (12:43 +1200)]
tests/krb5: Factor out a method to create a certificate
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9612
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 26 Jun 2023 01:07:44 +0000 (13:07 +1200)]
s4:kdc: Add auth_data_reqd flag to SDBFlags
This is to adapt to Heimdal:
commit
3c4548025c0a239ff580e7974939185eadf1856b
Author: Nicolas Williams <nico@twosigma.com>
Date: Sun Jun 4 22:54:03 2023 -0500
hdb: Add auth-data-reqd flag
NOTE: This commit finally works again!
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 22 Jun 2023 04:46:09 +0000 (16:46 +1200)]
third_party/heimdal_build: Make Heimdal version strings const
This is to adapt to Heimdal:
commit
997916e3f67d70bb52674829615c50455918fbb3
Author: Taylor R Campbell <campbell+heimdal@mumble.net>
Date: Sun May 28 20:34:34 2023 +0000
krb5: Make heimdal_version and heimdal_long_version const.
NOTE: THIS COMMIT WON’T COMPILE/WORK ON ITS OWN!
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 4 Jul 2023 03:16:27 +0000 (15:16 +1200)]
third_party/heimdal: Import lorikeet-heimdal-
202307040259 (commit
33d117b8a9c11714ef709e63a005d87e34b9bfde)
NOTE: THIS COMMIT WON’T COMPILE/WORK ON ITS OWN!
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 4 Jul 2023 03:28:04 +0000 (15:28 +1200)]
tests/krb5: Test Windows 2000 variant of PK-INIT
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 4 Jul 2023 03:40:31 +0000 (15:40 +1200)]
tests/krb5: Add ASN.1 definitions for Windows 2000 PK-INIT
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 3 Jul 2023 04:34:11 +0000 (16:34 +1200)]
tests/krb5: Add tests for PK-INIT Freshness Extension (RFC 8070)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 3 Jul 2023 04:43:37 +0000 (16:43 +1200)]
tests/krb5: Remove unused methods
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 3 Jul 2023 02:46:23 +0000 (14:46 +1200)]
tests/krb5: Check PAC_TYPE_CREDENTIAL_INFO PAC buffer
When PK-INIT is performed, check that the buffer is as expected and
contains the correct NT hash.
The PK-INIT tests now pass against Windows Server 2019.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14985
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 3 Jul 2023 02:43:10 +0000 (14:43 +1200)]
tests/krb5: Add PK-INIT testing framework
To run these tests standalone, you will need the certificate and private
key of the Certificate Authority. These can be specified together in the
same file with the environment variable CA_CERT, or the private key may
be specified in its own file with CA_PRIVATE_KEY.
If either of these files are encrypted, you can specify the password in
the environment variable CA_PASS.
These tests create a new certificate for the user account, signed with
the private key of the Certificate Authority. We negotiate the reply key
with either of the public-key and Diffie-Hellman PK-INIT variants, and
use the reply key to decrypt the enc-part in the response. We also check
that the KDC’s signatures are valid.
Most of the failures with the Heimdal KDC are due to the wrong nonce
being returned in the reply compared to Windows, which issue is simple
enough to correct.
An example command line for manual testing against Windows:
SMB_CONF_PATH=ad_dc.conf KRB5_CONFIG=krb5.conf SERVICE_USERNAME=win2k19-dc.example.com ADMIN_USERNAME=Administrator ADMIN_PASSWORD=locDCpass ADMIN_KVNO=1 FOR_USER=Administrator USERNAME=Administrator PASSWORD=locDCpass DC_SERVER=win2k19-dc.example.com SERVER=win2k19-dc.example.com DOMAIN=example REALM=example.com PYTHONPATH=bin/python STRICT_CHECKING=1 FAST_SUPPORT=1 CLAIMS_SUPPORT=1 COMPOUND_ID_SUPPORT=1 TKT_SIG_SUPPORT=1 FULL_SIG_SUPPORT=1 GNUTLS_PBKDF2_SUPPORT=1 EXPECT_PAC=1 EXPECT_EXTRA_PAC_BUFFERS=1 CHECK_CNAME=1 CHECK_PADATA=1 KADMIN_IS_TGS=0 FORCED_RC4=1 DEFAULT_ETYPES=36 CA_CERT=./win2k19-ca.pfx CA_PASS=1234 python3 python/samba/tests/krb5/pkinit_tests.py
To set up windows for this I first installed an Certificate Authority with an Enterprise CA.
Then I exported the private key and certificate of the CA:
1. go into the Certification Authority snap-in for the relevant computer,
2. right-clicking the CA
3. clicking ‘All Tasks’ → ‘Back up CA...’
4. and exporting the private key and CA certificate.
(I downloaded the resulting file via smbclient).
After setting up an Enterprise CA, I also needed to edit the domain
controller GPO to enable auto-enrollment, otherwise Windows would
refuse to accept as legitimate any certificates provided by the client.
That can be done by first enabling the policy:
‘Computer Configuration/Policies/Windows Settings/Security Settings/Public Key Policies/Certificate Services Client — Auto-Enrollment’,
and then ticking both ‘Renew expired certificates…’ and ‘Update certificates…’)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 3 Jul 2023 02:49:03 +0000 (14:49 +1200)]
tests/krb5: Allow KerberosCredentials to have associated RSA private key
This is needed for PK-INIT testing.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 3 Jul 2023 02:49:43 +0000 (14:49 +1200)]
tests/krb5: Add helper methods for PK-INIT testing
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 3 Jul 2023 02:41:55 +0000 (14:41 +1200)]
tests/krb5: Refactor encryption type selection
Add and use some methods to calculate the highest supported AES and RC4
encryption types, respectively.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 21 Jun 2023 00:16:53 +0000 (12:16 +1200)]
tests/krb5: Add PK-INIT ASN1 definitions and include licence
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Joseph Sutton [Tue, 20 Jun 2023 23:16:32 +0000 (11:16 +1200)]
tests/krb5: Add PKINIT pre-authentication types
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 20 Jun 2023 23:13:46 +0000 (11:13 +1200)]
tests/krb5: Add PKINIT typed data errors
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 20 Jun 2023 23:11:12 +0000 (11:11 +1200)]
tests/krb5: Add PKINIT error codes
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 22 Jun 2023 04:21:17 +0000 (16:21 +1200)]
s4:kdc: Fix wrong debug message
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 21 Jun 2023 04:42:29 +0000 (16:42 +1200)]
tests/krb5: Remove unused variables
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Thu, 13 Jul 2023 07:09:48 +0000 (09:09 +0200)]
s3:nmbd: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Jul 17 12:41:21 UTC 2023 on atb-devel-224
Andreas Schneider [Thu, 13 Jul 2023 07:10:07 +0000 (09:10 +0200)]
s3:nmbd: Fix trailing white spaces in nmbd_incomingrequests.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Thu, 13 Jul 2023 07:08:32 +0000 (09:08 +0200)]
s3:nmbd: Fix trailing white spaces in nmbd_incomingdgrams.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Thu, 13 Jul 2023 07:08:01 +0000 (09:08 +0200)]
s3:nmbd: Fix trailing white spaces in nmbd.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Thu, 13 Jul 2023 06:52:45 +0000 (08:52 +0200)]
s3:modules: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Thu, 13 Jul 2023 07:03:18 +0000 (09:03 +0200)]
s3:modules: Remove fruit:ressource option with incorrect spelling
The plan was to remove it in 4.7. I think it is safe to remove it with
4.19.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Thu, 13 Jul 2023 06:55:31 +0000 (08:55 +0200)]
s3:modules: Remove trailing white spaces of README.nfs4acls.txt
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Thu, 13 Jul 2023 06:53:26 +0000 (08:53 +0200)]
s3:modules: Remove trailing white spaces of vfs_hpuxacl.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Thu, 13 Jul 2023 06:50:21 +0000 (08:50 +0200)]
s3:locking: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Thu, 13 Jul 2023 06:47:11 +0000 (08:47 +0200)]
s3:librpc: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Thu, 13 Jul 2023 06:46:20 +0000 (08:46 +0200)]
wscript: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Thu, 13 Jul 2023 05:52:02 +0000 (07:52 +0200)]
examples: Remove outdated validchars
I don't think we even look into this anymore and have other tests in
place.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Thu, 13 Jul 2023 05:44:44 +0000 (07:44 +0200)]
example: Remove outdated config files from tridge
I don't think he still runs Windows 95 ...
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Sat, 15 Jul 2023 14:11:48 +0000 (16:11 +0200)]
s3:rpc_server:netlogon: generate FAULT_INVALID_TAG for invalid netr_LogonGetCapabilities levels
This is important as Windows clients with KB5028166 seem to
call netr_LogonGetCapabilities with query_level=2 after
a call with query_level=1.
An unpatched Windows Server returns DCERPC_NCA_S_FAULT_INVALID_TAG
for query_level values other than 1.
While Samba tries to return NT_STATUS_NOT_SUPPORTED, but
later fails to marshall the response, which results
in DCERPC_FAULT_BAD_STUB_DATA instead.
Because we don't have any documentation for level 2 yet,
we just try to behave like an unpatched server and
generate DCERPC_NCA_S_FAULT_INVALID_TAG instead of
DCERPC_FAULT_BAD_STUB_DATA.
Which allows patched Windows clients to keep working
against a Samba DC.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Jul 17 07:35:09 UTC 2023 on atb-devel-224
Stefan Metzmacher [Sat, 15 Jul 2023 14:11:48 +0000 (16:11 +0200)]
s4:rpc_server:netlogon: generate FAULT_INVALID_TAG for invalid netr_LogonGetCapabilities levels
This is important as Windows clients with KB5028166 seem to
call netr_LogonGetCapabilities with query_level=2 after
a call with query_level=1.
An unpatched Windows Server returns DCERPC_NCA_S_FAULT_INVALID_TAG
for query_level values other than 1.
While Samba tries to return NT_STATUS_NOT_SUPPORTED, but
later fails to marshall the response, which results
in DCERPC_FAULT_BAD_STUB_DATA instead.
Because we don't have any documentation for level 2 yet,
we just try to behave like an unpatched server and
generate DCERPC_NCA_S_FAULT_INVALID_TAG instead of
DCERPC_FAULT_BAD_STUB_DATA.
Which allows patched Windows clients to keep working
against a Samba DC.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Sat, 15 Jul 2023 15:25:05 +0000 (17:25 +0200)]
s4:torture/rpc: let rpc.schannel also check netr_LogonGetCapabilities with different levels
The important change it that we expect DCERPC_NCA_S_FAULT_INVALID_TAG
for unsupported query_levels, we allow it to work with servers
with or without support for query_level=2.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Sat, 15 Jul 2023 15:20:32 +0000 (17:20 +0200)]
netlogon.idl: add support for netr_LogonGetCapabilities response level 2
We don't have any documentation about this yet, but tests against
a Windows Server 2022 patched with KB5028166 revealed that
the response for query_level=2 is exactly the same as
for querey_level=1.
Until we know the reason for query_level=2 we won't
use it as client nor support it in the server, but
we want ndrdump to work.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Wed, 5 Jul 2023 09:26:30 +0000 (11:26 +0200)]
s3:libsmb: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Jul 13 06:34:01 UTC 2023 on atb-devel-224
Andreas Schneider [Wed, 5 Jul 2023 09:21:39 +0000 (11:21 +0200)]
s3:libads: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Andreas Schneider [Wed, 5 Jul 2023 09:16:18 +0000 (11:16 +0200)]
s3:lib: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Andreas Schneider [Wed, 5 Jul 2023 09:10:23 +0000 (11:10 +0200)]
s3:include: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Andreas Schneider [Wed, 5 Jul 2023 09:11:20 +0000 (11:11 +0200)]
s3:include: Remove trailing whitepaces in MacExtensions.h
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Andreas Schneider [Wed, 5 Jul 2023 09:07:52 +0000 (11:07 +0200)]
python:tests: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Andreas Schneider [Wed, 5 Jul 2023 09:05:09 +0000 (11:05 +0200)]
python: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Andreas Schneider [Wed, 5 Jul 2023 09:02:04 +0000 (11:02 +0200)]
examples: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Andreas Schneider [Wed, 5 Jul 2023 09:01:25 +0000 (11:01 +0200)]
examples: Make codespell happy
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Douglas Bagnall [Fri, 7 Jul 2023 00:50:13 +0000 (12:50 +1200)]
configure: ensure sizeof(int) >= 4
There are multiple places we make this assumption. For example, in
source3/lib/tldap.c, we have this line
if (ld->msgid ==
2147483647) {
where ld->msgid is an int. And in librpc/idl/security.idl we have
several lines like:
const int SEC_MASK_GENERIC = 0xF0000000;
In lib/replace/inet_pton.c and inet_ntop.c we have
/*
* WARNING: Don't even consider trying to compile this on a system where
* sizeof(int) < 4. sizeof(int) > 4 is fine; all the world's not a VAX.
*/
but no attempt to enforce that as far as I can see, until now.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Jul 11 22:44:15 UTC 2023 on atb-devel-224
Martin Schwenke [Tue, 4 Jul 2023 00:49:39 +0000 (10:49 +1000)]
docs-xml: Fix script idmap backend documentation
This was clearly copied from the tdb2 backend and incompletely edited.
Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Mon Jul 10 23:47:12 UTC 2023 on atb-devel-224
Martin Schwenke [Tue, 4 Jul 2023 00:51:59 +0000 (10:51 +1000)]
docs-xml: Tweak autorid idmap backend documentation
The name of the placeholder is misleading. It certainly isn't per
domain, so we might as well indicate that it is per range.
Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Martin Schwenke [Tue, 4 Jul 2023 00:55:19 +0000 (10:55 +1000)]
docs-xml: Fix rid idmap backend documentation
The statement just above the example says the example demonstrates the
use of the base_rid parameter. It doesn't, so fix this.
Also fix a typo.
Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Ralph Boehme [Mon, 10 Jul 2023 14:34:23 +0000 (16:34 +0200)]
smbd: don't leak the fsp if close_file_smb() fails
This can happen if DELETE-ON-CLOSE is set, but the deletion fails for some
reason.
The bug was introduced by
1808e5c133474eabc9d3cf91c2a92ec4d92d9fdd.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15417
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Jul 10 21:32:32 UTC 2023 on atb-devel-224
Martin Schwenke [Thu, 15 Jun 2023 00:31:07 +0000 (10:31 +1000)]
ctdb-server: Avoid logging a count of 0 resent calls
This fixes a little thinko in commit
80de84d36e9c29d9506976f991560fb5dde99471, where this was overlooked.
Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Autobuild-User(master): Amitay Isaacs <amitay@samba.org>
Autobuild-Date(master): Mon Jul 10 15:15:06 UTC 2023 on atb-devel-224