The branch, master has been updated via 6ee5c80ea96 s4:kdc: Add support for constructed claims (for authentication silos) via 420fae5dcbe s4:kdc: Make use of dsdb_search_one() via e1f8cb063dd s4:kdc: Don’t perform unnecessary search to get account objectClass via 10d6d77a272 s4:kdc: Have get_claims_for_principal() take the entire principal via 3d9863cfdc4 s4:kdc: Enforce TGT lifetime authentication policy via 1fdff371051 s4:kdc: Look up authentication policies for Kerberos clients and servers via f1212ffe4e4 s4:kdc: Make maximum lifetime and renew time signed via 9eaff7e852b s4:kdc: Add SDB_F_ARMOR_PRINCIPAL flag via eeebd488f2a third_party/heimdal: Import lorikeet-heimdal-202305160500 (commit 8836d64dee78a74aa740e31b7ad406b8a8cfdad0) via f547cf1db86 s4:kdc: Add helper functions for authentication policies via 633ebe1b3ef s4:kdc: Make a proper shallow copy of the auth_user_info_dc structure via 8cc0b76509b s4:auth: Add function to make a shallow copy of an auth_user_info_dc structure via 9ff7d6c5c55 s4:kdc: Add NTSTATUS strings to log messages via 32b49d8a56e lib:audit_logging: Fix typo in log message via d7b68236ecf lib:audit_logging: Add function to add a formatted time value to a JSON message via 0080148483c lib:audit_logging: Add function to add an optional boolean value to a JSON message via 4440f1db54b lib:audit_logging: Add function to add flags to a JSON message via 89d30cdfe16 s4:auth: Remove superfluous semicolon via 34080e8839a s4:auth: Fix leak via 263deae7e2b auth: Fix leaks via 1de2feef90c auth: Correct parameter order in header via 6d8a7e1655c s4:kdc: Fix diagnostic messages via ad14287dd7c s4:kdc: Fix error messages via 451f221bf35 s4:kdc: Check ldb_dn_new() return value via 8f7f55da1e4 s4:kdc: Remove double-free via 96a64b0522e s4:kdc: Remove double-free via 02e6970ad65 s4:kdc: Fix leaks via 2a9d057e828 s4:kdc: Make use of auth_generate_security_token() via 9aaedb152ca s4:auth: Fix typos via e2e752b5461 s4:auth: Split out new function to generate a security token via 024e5f7e92a auth: Remove unnecessary return statements via f948f9cb66f s3:utils: Fix typo via 798be592f90 s4:kdc: Fix debugging strings via 60803ea8c81 s4:kdc: Fix typos via bbdb3bf8a63 s4:kdc: Factor out PAC blob functions into new source file via 9a78a8b3f21 s4:kdc: Add missing includes and declarations via c782dd2ffea libcli: Add missing include via cdb1047bdc5 s4:kdc: Include missing headers via 12fd8274fff s4:kdc: Make use of KDC_REQUEST_KV_PA_NAME constant via 84a7ae8e0c7 tests/krb5: Add tests for authentication policies via f9b666297cb tests/krb5: Allow specifying whether PA-DATA types are to be checked via 53b62429f89 tests/krb5: Allow server and workstation accounts to perform a SamLogon via c1ab6036bb0 tests/krb5: Allow specifying machine credentials to _test_samlogon() via 031f1c7632e tests/krb5: Rename ‘server’ to ‘dc_server’ via 78cca1411ff netlogon:schannel: Fix NULL pointer dereference via 3424c6d20fe tests/krb5: Test that NT_STATUS_ACCOUNT_LOCKED_OUT is returned in KDC reply e-data via 18b24f95728 tests/krb5: Improve edata checking via 3063abbfb0a tests/krb5: Remove unused import via 0d609ee5ed3 samba-tool domain: Clean up code via 56d98e974c3 samba-tool domain: Remove unused variables from e03e738dfc9 librpc/rpc: allow smb3_sid_parse() to accept modern encryption algorithms
https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 6ee5c80ea9610adf4e4624d2e1953e3fc3e91b71 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Mar 28 15:10:50 2023 +1300 s4:kdc: Add support for constructed claims (for authentication silos) Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Autobuild-User(master): Andrew Bartlett <abart...@samba.org> Autobuild-Date(master): Thu May 18 01:58:24 UTC 2023 on atb-devel-224 commit 420fae5dcbe886b7e66928e88d031c8569aacd5c Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Wed May 17 12:02:47 2023 +1200 s4:kdc: Make use of dsdb_search_one() Ensure we get exactly one object back, or an error. Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit e1f8cb063ddc3753ab8673416fa70fa616138f30 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Wed May 17 12:07:44 2023 +1200 s4:kdc: Don’t perform unnecessary search to get account objectClass We now have this information in the ldb_message. Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 10d6d77a2720577e51bc93c51c85261c1e3d37b8 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Wed May 17 11:55:16 2023 +1200 s4:kdc: Have get_claims_for_principal() take the entire principal The ldb_message contains more information than just the DN, such as which authentication policy or silo is assigned. Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 3d9863cfdc443817b1fd7e25cb30b5363a47fa58 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Thu May 4 15:06:40 2023 +1200 s4:kdc: Enforce TGT lifetime authentication policy Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 1fdff3710511c92bd103473e4c296c98f971dd13 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Thu May 4 15:06:40 2023 +1200 s4:kdc: Look up authentication policies for Kerberos clients and servers Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit f1212ffe4e4e2c09b9e10e9b7fe5a152e6f7adf6 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Fri Apr 28 11:58:38 2023 +1200 s4:kdc: Make maximum lifetime and renew time signed This is now consistent with Heimdal, and with our usage of time_t elsewhere. NOTE: This commit finally works again! Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 9eaff7e852bc6cd6d6146d5cf3d6007c3119d5d6 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue May 16 16:48:09 2023 +1200 s4:kdc: Add SDB_F_ARMOR_PRINCIPAL flag This corresponds with the HDB_F_ARMOR_PRINCIPAL flag in Heimdal, and indicates a lookup of an armor ticket client principal, rather than the principal of the main TGT. This helps us to determine whether an authentication policy will apply to a principal acting as a client, and hence whether we have to look up the policy in the database. NOTE: THIS COMMIT WON’T COMPILE/WORK ON ITS OWN! Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit eeebd488f2a31482f2c47a1618513c937041c3ac Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Wed May 17 09:06:17 2023 +1200 third_party/heimdal: Import lorikeet-heimdal-202305160500 (commit 8836d64dee78a74aa740e31b7ad406b8a8cfdad0) NOTE: THIS COMMIT WON’T COMPILE/WORK ON ITS OWN! Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit f547cf1db865f93f634e561945da9da44c697f29 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Thu May 4 10:59:49 2023 +1200 s4:kdc: Add helper functions for authentication policies These functions are not yet used. They are arranged into two libraries: ‘authn_policy’, containing the core functions, and ‘authn_policy_util’, containing utility functions that can access the database. This separation is so that libraries depended upon by ‘samdb’ or ‘dsdb-module’ can use the core functions without introducing a dependency cycle. Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 633ebe1b3efee4c61e1856cad5be5723010f9bd1 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Wed May 10 14:54:21 2023 +1200 s4:kdc: Make a proper shallow copy of the auth_user_info_dc structure Just copying the structure fields is prone to lead to use-after-frees if we access them after the original structure and its fields are freed. Instead, call authsam_shallow_copy_user_info_dc() to make the copy. This properly references the fields in the original structure so that they will not be freed until we are sure we have finished with them. Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 8cc0b76509b51bb57c2c527ea504812f8de06144 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue May 16 11:18:38 2023 +1200 s4:auth: Add function to make a shallow copy of an auth_user_info_dc structure Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 9ff7d6c5c55ff562afbda7b4329c59c83d2933cf Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue May 16 11:00:24 2023 +1200 s4:kdc: Add NTSTATUS strings to log messages Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 32b49d8a56e353d4f5b8b031aea75324056ba6ad Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue May 16 10:00:48 2023 +1200 lib:audit_logging: Fix typo in log message Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit d7b68236ecf8692f276d63d29e475c3b1ddb290d Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue May 16 09:57:12 2023 +1200 lib:audit_logging: Add function to add a formatted time value to a JSON message json_add_timestamp() is limited to adding a ‘timestamp’ field with the current time. The new function can add an arbitrary timestamp with an arbitrary field name. Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 0080148483c2972393d33bf1f2c7dbb248bbb9c0 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue May 16 09:55:52 2023 +1200 lib:audit_logging: Add function to add an optional boolean value to a JSON message Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 4440f1db54b7ad54b7a4920ac67236d1d8605353 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue May 16 09:53:02 2023 +1200 lib:audit_logging: Add function to add flags to a JSON message This replaces a couple of calls to snprintf() in log_authentication_event_json() and log_successful_authz_event_json() respectively. Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 89d30cdfe164e441d0b565e02ea9422eaae789fb Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Thu May 11 14:45:13 2023 +1200 s4:auth: Remove superfluous semicolon Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 34080e8839a998ed177526129049e0cf2a4bbaf6 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue May 16 11:17:35 2023 +1200 s4:auth: Fix leak Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 263deae7e2b88ae35646426eb31c76a71623bf72 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Thu May 11 10:40:27 2023 +1200 auth: Fix leaks Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 1de2feef90c44819f7d2c0a6f743310dca28c2e3 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Wed May 10 13:00:08 2023 +1200 auth: Correct parameter order in header Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 6d8a7e1655cf6d6c0030a71c01bf9f3e26e2b318 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue May 9 16:28:22 2023 +1200 s4:kdc: Fix diagnostic messages Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit ad14287dd7c9bd586a1aff1a255c1f82753af2f2 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue May 9 16:26:35 2023 +1200 s4:kdc: Fix error messages Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 451f221bf352f45d7bdc496ad80779a052a1157f Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue May 9 16:23:17 2023 +1200 s4:kdc: Check ldb_dn_new() return value Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 8f7f55da1e4f97245b4101ecb62e1b06a395a4ba Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue May 9 16:21:51 2023 +1200 s4:kdc: Remove double-free Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 96a64b0522e37a5b9fecaf99d34bec097a3304f3 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue May 9 14:59:54 2023 +1200 s4:kdc: Remove double-free Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 02e6970ad65c1b1681d9581917130651d3431ede Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue May 9 14:53:33 2023 +1200 s4:kdc: Fix leaks Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 2a9d057e8288d00dba9a2f0fe931f35dc370c26a Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue May 9 14:41:30 2023 +1200 s4:kdc: Make use of auth_generate_security_token() We don’t need the whole session info structure to perform an access check. Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 9aaedb152ca2e4188b5329d6af1ffa91b97d1ffe Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue May 9 14:06:23 2023 +1200 s4:auth: Fix typos Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit e2e752b5461ab3806d8ac9165ee82a77dff6a063 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue May 9 14:30:40 2023 +1200 s4:auth: Split out new function to generate a security token Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 024e5f7e92acd81a53e95b0652c08688e54d251a Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue May 9 14:11:42 2023 +1200 auth: Remove unnecessary return statements Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit f948f9cb66f07de66e0e7548a9a5c305d32da678 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue May 9 14:09:19 2023 +1200 s3:utils: Fix typo Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 798be592f90e47f71207bddefe77dfe84f82d903 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue May 9 12:42:54 2023 +1200 s4:kdc: Fix debugging strings Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 60803ea8c81486911caa079af22d43ebeb662c40 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue May 9 12:07:35 2023 +1200 s4:kdc: Fix typos Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit bbdb3bf8a634c32f9d2c93d6b1c77eff194dabe6 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue May 9 11:57:09 2023 +1200 s4:kdc: Factor out PAC blob functions into new source file pac-glue.c has become rather large, and can do without these PAC blob–handling functions. Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 9a78a8b3f21c934f736870b25065278545359d21 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Mon May 8 13:30:40 2023 +1200 s4:kdc: Add missing includes and declarations Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit c782dd2ffea00bef7d218b5db8435e3205187097 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Mon May 8 13:25:34 2023 +1200 libcli: Add missing include Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit cdb1047bdc5e6f7b9edd52e96dfdbb53e80e554e Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Mon May 8 13:16:10 2023 +1200 s4:kdc: Include missing headers Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 12fd8274fff0bc9a3f098c3a481040ae6db999ee Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Mon May 8 12:58:46 2023 +1200 s4:kdc: Make use of KDC_REQUEST_KV_PA_NAME constant Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 84a7ae8e0c7730e03161d69b5ca55436cfc5b066 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Thu May 4 13:53:06 2023 +1200 tests/krb5: Add tests for authentication policies Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit f9b666297cbbe5d475b570a9d268df1f3fce048e Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Thu May 4 14:44:11 2023 +1200 tests/krb5: Allow specifying whether PA-DATA types are to be checked Not all tests are intended to test that the correct PA-DATA types are returned. This parameter allows us to skip checking for cases where we don’t care. View with ‘git show -b’. Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 53b62429f894cc6d8689d38acc59e8d6ca4ddff9 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Thu May 4 14:41:00 2023 +1200 tests/krb5: Allow server and workstation accounts to perform a SamLogon Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit c1ab6036bb091dea69e8fce189c9badf10bdd753 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Thu May 4 14:40:21 2023 +1200 tests/krb5: Allow specifying machine credentials to _test_samlogon() Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 031f1c7632e32b52b686a11c1f587cd13da2d3ab Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Thu May 4 13:55:31 2023 +1200 tests/krb5: Rename ‘server’ to ‘dc_server’ This makes it more clear that this is in fact the DC. Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 78cca1411ff510f06f6665ccc32f2808e18f02cc Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue May 2 14:48:25 2023 +1200 netlogon:schannel: Fix NULL pointer dereference We should not pass a NULL pointer into netlogon_creds_client_init(). Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 3424c6d20fe32f7821ccd61b385189ef271e68ab Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Thu Dec 1 15:35:56 2022 +1300 tests/krb5: Test that NT_STATUS_ACCOUNT_LOCKED_OUT is returned in KDC reply e-data Certain clients rely on this behaviour. Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 18b24f9572877b295a863432daaf458eb72562d0 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Thu May 4 14:55:36 2023 +1200 tests/krb5: Improve edata checking Instead of guessing based on a heuristic whether we have KERB_ERROR_DATA or METHOD_DATA in the ‘e-data’ field, decode it first as KERB_ERROR_DATA and fall back to METHOD_DATA if that fails. The environment variable EXPECT_NT_STATUS indicates that the KDC supports returning a status code in the e-data field. Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 3063abbfb0aaee65b80bd185d66923c148a861b4 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Thu Apr 27 16:22:38 2023 +1200 tests/krb5: Remove unused import Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 0d609ee5ed33f01cbb35baae61adf1f19d804fa6 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Mon Feb 13 14:53:42 2023 +1300 samba-tool domain: Clean up code Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 56d98e974c39e640ef2aa3da1d3d2ea9980c677a Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Mon Feb 13 14:53:19 2023 +1300 samba-tool domain: Remove unused variables Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> ----------------------------------------------------------------------- Summary of changes: auth/auth_log.c | 22 +- auth/auth_sam_reply.c | 77 +- auth/common_auth.h | 2 +- lib/audit_logging/audit_logging.c | 157 +- lib/audit_logging/audit_logging.h | 8 + libcli/util/ntstatus.h | 2 + python/samba/functional_level.py | 2 +- python/samba/netcmd/domain/dcpromo.py | 1 - python/samba/netcmd/domain/demote.py | 6 +- python/samba/netcmd/domain/provision.py | 6 +- python/samba/netcmd/domain/trust.py | 48 +- python/samba/tests/krb5/authn_policy_tests.py | 6589 +++++++++++++++++++++++++ python/samba/tests/krb5/kdc_base_test.py | 29 +- python/samba/tests/krb5/kdc_tgs_tests.py | 18 +- python/samba/tests/krb5/lockout_tests.py | 105 +- python/samba/tests/krb5/raw_testcase.py | 183 +- python/samba/tests/krb5/rfc4120_constants.py | 1 + python/samba/tests/krb5/s4u_tests.py | 6 + python/samba/tests/usage.py | 1 + selftest/knownfail.d/constructed-claims | 1 - selftest/knownfail_heimdal_kdc | 70 + selftest/knownfail_mit_kdc | 114 + source3/utils/ntlm_auth.c | 2 +- source4/auth/auth.h | 3 + source4/auth/ntlm/auth.c | 4 +- source4/auth/sam.c | 87 +- source4/auth/session.c | 120 +- source4/auth/session.h | 10 +- source4/auth/system_session.c | 2 +- source4/kdc/ad_claims.c | 233 +- source4/kdc/ad_claims.h | 2 +- source4/kdc/authn_policy.c | 85 + source4/kdc/authn_policy.h | 44 + source4/kdc/authn_policy_impl.h | 55 + source4/kdc/authn_policy_util.c | 774 +++ source4/kdc/authn_policy_util.h | 90 + source4/kdc/db-glue.c | 130 +- source4/kdc/hdb-samba4.c | 6 +- source4/kdc/mit_samba.c | 8 +- source4/kdc/pac-blobs.c | 250 + source4/kdc/pac-blobs.h | 89 + source4/kdc/pac-glue.c | 326 +- source4/kdc/pac-glue.h | 12 +- source4/kdc/samba_kdc.h | 6 + source4/kdc/sdb.h | 12 +- source4/kdc/sdb_to_hdb.c | 4 +- source4/kdc/wdc-samba4.c | 8 +- source4/kdc/wscript_build | 18 +- source4/librpc/rpc/dcerpc_schannel.c | 3 + source4/selftest/tests.py | 6 + third_party/heimdal/kdc/fast.c | 5 +- third_party/heimdal/kdc/kerberos5.c | 15 +- third_party/heimdal/kdc/krb5tgs.c | 2 +- third_party/heimdal/kuser/kinit.c | 20 +- third_party/heimdal/lib/hdb/hdb.asn1 | 4 +- third_party/heimdal/lib/hdb/hdb.h | 1 + 56 files changed, 9239 insertions(+), 645 deletions(-) create mode 100755 python/samba/tests/krb5/authn_policy_tests.py delete mode 100644 selftest/knownfail.d/constructed-claims create mode 100644 source4/kdc/authn_policy.c create mode 100644 source4/kdc/authn_policy.h create mode 100644 source4/kdc/authn_policy_impl.h create mode 100644 source4/kdc/authn_policy_util.c create mode 100644 source4/kdc/authn_policy_util.h create mode 100644 source4/kdc/pac-blobs.c create mode 100644 source4/kdc/pac-blobs.h Changeset truncated at 500 lines: diff --git a/auth/auth_log.c b/auth/auth_log.c index cf1f9109c74..c0506823008 100644 --- a/auth/auth_log.c +++ b/auth/auth_log.c @@ -149,7 +149,6 @@ static void log_authentication_event_json( { struct json_object wrapper = json_empty_object; struct json_object authentication = json_empty_object; - char negotiate_flags[11]; char logon_id[19]; int rc = 0; const char *clientDomain = ui->orig_client.domain_name ? @@ -257,12 +256,9 @@ static void log_authentication_event_json( if (rc != 0) { goto failure; } - snprintf(negotiate_flags, - sizeof( negotiate_flags), - "0x%08X", - ui->netlogon_trust_account.negotiate_flags); - rc = json_add_string( - &authentication, "netlogonNegotiateFlags", negotiate_flags); + rc = json_add_flags32( + &authentication, "netlogonNegotiateFlags", + ui->netlogon_trust_account.negotiate_flags); if (rc != 0) { goto failure; } @@ -368,7 +364,6 @@ static void log_successful_authz_event_json( { struct json_object wrapper = json_empty_object; struct json_object authorization = json_empty_object; - char account_flags[11]; int rc = 0; authorization = json_new_object(); @@ -426,12 +421,7 @@ static void log_successful_authz_event_json( if (rc != 0) { goto failure; } - - snprintf(account_flags, - sizeof(account_flags), - "0x%08X", - session_info->info->acct_flags); - rc = json_add_string(&authorization, "accountFlags", account_flags); + rc = json_add_flags32(&authorization, "accountFlags", session_info->info->acct_flags); if (rc != 0) { goto failure; } @@ -491,8 +481,6 @@ static void log_no_json(struct imessaging_context *msg_ctx, "compiled with jansson\n"); } } - - return; } static void log_authentication_event_json( @@ -508,7 +496,6 @@ static void log_authentication_event_json( int debug_level) { log_no_json(msg_ctx, lp_ctx); - return; } static void log_successful_authz_event_json( @@ -523,7 +510,6 @@ static void log_successful_authz_event_json( int debug_level) { log_no_json(msg_ctx, lp_ctx); - return; } #endif diff --git a/auth/auth_sam_reply.c b/auth/auth_sam_reply.c index 8e0089eb8d1..8825ae8f83d 100644 --- a/auth/auth_sam_reply.c +++ b/auth/auth_sam_reply.c @@ -516,43 +516,69 @@ NTSTATUS make_user_info_SamBaseInfo(TALLOC_CTX *mem_ctx, struct auth_user_info *info; info = talloc_zero(mem_ctx, struct auth_user_info); - NT_STATUS_HAVE_NO_MEMORY(info); + if (info == NULL) { + return NT_STATUS_NO_MEMORY; + } if (base->account_name.string) { info->account_name = talloc_strdup(info, base->account_name.string); } else { info->account_name = talloc_strdup(info, account_name); } - NT_STATUS_HAVE_NO_MEMORY(info->account_name); + if (info->account_name == NULL) { + talloc_free(info); + return NT_STATUS_NO_MEMORY; + } if (base->logon_domain.string) { info->domain_name = talloc_strdup(info, base->logon_domain.string); - NT_STATUS_HAVE_NO_MEMORY(info->domain_name); + if (info->domain_name == NULL) { + talloc_free(info); + return NT_STATUS_NO_MEMORY; + } } if (base->full_name.string) { info->full_name = talloc_strdup(info, base->full_name.string); - NT_STATUS_HAVE_NO_MEMORY(info->full_name); + if (info->full_name == NULL) { + talloc_free(info); + return NT_STATUS_NO_MEMORY; + } } if (base->logon_script.string) { info->logon_script = talloc_strdup(info, base->logon_script.string); - NT_STATUS_HAVE_NO_MEMORY(info->logon_script); + if (info->logon_script == NULL) { + talloc_free(info); + return NT_STATUS_NO_MEMORY; + } } if (base->profile_path.string) { info->profile_path = talloc_strdup(info, base->profile_path.string); - NT_STATUS_HAVE_NO_MEMORY(info->profile_path); + if (info->profile_path == NULL) { + talloc_free(info); + return NT_STATUS_NO_MEMORY; + } } if (base->home_directory.string) { info->home_directory = talloc_strdup(info, base->home_directory.string); - NT_STATUS_HAVE_NO_MEMORY(info->home_directory); + if (info->home_directory == NULL) { + talloc_free(info); + return NT_STATUS_NO_MEMORY; + } } if (base->home_drive.string) { info->home_drive = talloc_strdup(info, base->home_drive.string); - NT_STATUS_HAVE_NO_MEMORY(info->home_drive); + if (info->home_drive == NULL) { + talloc_free(info); + return NT_STATUS_NO_MEMORY; + } } if (base->logon_server.string) { info->logon_server = talloc_strdup(info, base->logon_server.string); - NT_STATUS_HAVE_NO_MEMORY(info->logon_server); + if (info->logon_server == NULL) { + talloc_free(info); + return NT_STATUS_NO_MEMORY; + } } info->last_logon = base->logon_time; info->last_logoff = base->logoff_time; @@ -661,7 +687,9 @@ NTSTATUS make_user_info_dc_netlogon_validation(TALLOC_CTX *mem_ctx, } user_info_dc = talloc_zero(mem_ctx, struct auth_user_info_dc); - NT_STATUS_HAVE_NO_MEMORY(user_info_dc); + if (user_info_dc == NULL) { + return NT_STATUS_NO_MEMORY; + } /* Here is where we should check the list of @@ -670,28 +698,35 @@ NTSTATUS make_user_info_dc_netlogon_validation(TALLOC_CTX *mem_ctx, */ if (!base->domain_sid) { DEBUG(0, ("Cannot operate on a Netlogon Validation without a domain SID")); + talloc_free(user_info_dc); return NT_STATUS_INVALID_PARAMETER; } /* The IDL layer would be a better place to check this, but to * guard the integer addition below, we double-check */ if (base->groups.count > 65535) { + talloc_free(user_info_dc); return NT_STATUS_INVALID_PARAMETER; } user_info_dc->num_sids = PRIMARY_SIDS_COUNT; user_info_dc->sids = talloc_array(user_info_dc, struct auth_SidAttr, user_info_dc->num_sids + base->groups.count); - NT_STATUS_HAVE_NO_MEMORY(user_info_dc->sids); + if (user_info_dc->sids == NULL) { + talloc_free(user_info_dc); + return NT_STATUS_NO_MEMORY; + } user_info_dc->sids[PRIMARY_USER_SID_INDEX].sid = *base->domain_sid; if (!sid_append_rid(&user_info_dc->sids[PRIMARY_USER_SID_INDEX].sid, base->rid)) { + talloc_free(user_info_dc); return NT_STATUS_INVALID_PARAMETER; } user_info_dc->sids[PRIMARY_USER_SID_INDEX].attrs = SE_GROUP_DEFAULT_FLAGS; user_info_dc->sids[PRIMARY_GROUP_SID_INDEX].sid = *base->domain_sid; if (!sid_append_rid(&user_info_dc->sids[PRIMARY_GROUP_SID_INDEX].sid, base->primary_gid)) { + talloc_free(user_info_dc); return NT_STATUS_INVALID_PARAMETER; } /* @@ -705,6 +740,7 @@ NTSTATUS make_user_info_dc_netlogon_validation(TALLOC_CTX *mem_ctx, for (i = 0; i < base->groups.count; i++) { user_info_dc->sids[user_info_dc->num_sids].sid = *base->domain_sid; if (!sid_append_rid(&user_info_dc->sids[user_info_dc->num_sids].sid, base->groups.rids[i].rid)) { + talloc_free(user_info_dc); return NT_STATUS_INVALID_PARAMETER; } user_info_dc->sids[user_info_dc->num_sids].attrs = base->groups.rids[i].attributes; @@ -722,6 +758,7 @@ NTSTATUS make_user_info_dc_netlogon_validation(TALLOC_CTX *mem_ctx, * guard the integer addition below, we double-check */ if (sidcount > UINT16_MAX) { + talloc_free(user_info_dc); return NT_STATUS_INVALID_PARAMETER; } @@ -733,6 +770,7 @@ NTSTATUS make_user_info_dc_netlogon_validation(TALLOC_CTX *mem_ctx, dgrps = talloc_realloc(user_info_dc, dgrps, struct auth_SidAttr, dgrps_count); if (dgrps == NULL) { + talloc_free(user_info_dc); return NT_STATUS_NO_MEMORY; } @@ -751,6 +789,7 @@ NTSTATUS make_user_info_dc_netlogon_validation(TALLOC_CTX *mem_ctx, status = make_user_info_SamBaseInfo(user_info_dc, account_name, base, authenticated, &user_info_dc->info); if (!NT_STATUS_IS_OK(status)) { + talloc_free(user_info_dc); return status; } @@ -758,6 +797,7 @@ NTSTATUS make_user_info_dc_netlogon_validation(TALLOC_CTX *mem_ctx, user_info_dc->info->dns_domain_name = talloc_strdup(user_info_dc->info, dns_domainname); if (user_info_dc->info->dns_domain_name == NULL) { + talloc_free(user_info_dc); return NT_STATUS_NO_MEMORY; } } @@ -766,6 +806,7 @@ NTSTATUS make_user_info_dc_netlogon_validation(TALLOC_CTX *mem_ctx, user_info_dc->info->user_principal_name = talloc_strdup(user_info_dc->info, principal); if (user_info_dc->info->user_principal_name == NULL) { + talloc_free(user_info_dc); return NT_STATUS_NO_MEMORY; } } @@ -776,14 +817,20 @@ NTSTATUS make_user_info_dc_netlogon_validation(TALLOC_CTX *mem_ctx, user_info_dc->user_session_key = data_blob(NULL, 0); } else { user_info_dc->user_session_key = data_blob_talloc(user_info_dc, base->key.key, sizeof(base->key.key)); - NT_STATUS_HAVE_NO_MEMORY(user_info_dc->user_session_key.data); + if (user_info_dc->user_session_key.data == NULL) { + talloc_free(user_info_dc); + return NT_STATUS_NO_MEMORY; + } } if (all_zero(base->LMSessKey.key, sizeof(base->LMSessKey.key))) { user_info_dc->lm_session_key = data_blob(NULL, 0); } else { user_info_dc->lm_session_key = data_blob_talloc(user_info_dc, base->LMSessKey.key, sizeof(base->LMSessKey.key)); - NT_STATUS_HAVE_NO_MEMORY(user_info_dc->lm_session_key.data); + if (user_info_dc->lm_session_key.data == NULL) { + talloc_free(user_info_dc); + return NT_STATUS_NO_MEMORY; + } } *_user_info_dc = user_info_dc; @@ -832,6 +879,7 @@ NTSTATUS make_user_info_dc_pac(TALLOC_CTX *mem_ctx, break; default: DBG_ERR("invalid group inclusion parameter: %u\n", group_inclusion); + talloc_free(user_info_dc); return NT_STATUS_INVALID_PARAMETER; } } @@ -870,6 +918,7 @@ NTSTATUS make_user_info_dc_pac(TALLOC_CTX *mem_ctx, ok = sid_append_rid(&user_info_dc->sids[user_info_dc->num_sids].sid, rg->groups.rids[i].rid); if (!ok) { + talloc_free(user_info_dc); return NT_STATUS_INVALID_PARAMETER; } user_info_dc->sids[user_info_dc->num_sids].attrs = rg->groups.rids[i].attributes; @@ -883,6 +932,7 @@ NTSTATUS make_user_info_dc_pac(TALLOC_CTX *mem_ctx, talloc_strdup(user_info_dc->info, pac_upn_dns_info->upn_name); if (user_info_dc->info->user_principal_name == NULL) { + talloc_free(user_info_dc); return NT_STATUS_NO_MEMORY; } } @@ -891,6 +941,7 @@ NTSTATUS make_user_info_dc_pac(TALLOC_CTX *mem_ctx, talloc_strdup(user_info_dc->info, pac_upn_dns_info->dns_domain_name); if (user_info_dc->info->dns_domain_name == NULL) { + talloc_free(user_info_dc); return NT_STATUS_NO_MEMORY; } diff --git a/auth/common_auth.h b/auth/common_auth.h index 691c6359ac4..756ad3a366d 100644 --- a/auth/common_auth.h +++ b/auth/common_auth.h @@ -182,8 +182,8 @@ void log_authentication_event(struct imessaging_context *msg_ctx, const struct timeval *start_time, const struct auth_usersupplied_info *ui, NTSTATUS status, - const char *account_name, const char *domain_name, + const char *account_name, struct dom_sid *sid); /* diff --git a/lib/audit_logging/audit_logging.c b/lib/audit_logging/audit_logging.c index 671653fdcef..038012f4668 100644 --- a/lib/audit_logging/audit_logging.c +++ b/lib/audit_logging/audit_logging.c @@ -450,6 +450,50 @@ int json_add_bool(struct json_object *object, return ret; } +/* + * @brief Add an optional boolean value to a JSON object. + * + * Add an optional boolean value named 'name' to the json object. + * + * @param object the JSON object to be updated. + * @param name the name. + * @param value the value. + * + * @return 0 the operation was successful + * -1 the operation failed + * + */ +int json_add_optional_bool(struct json_object *object, + const char *name, + const bool *value) +{ + int ret = 0; + + if (json_is_invalid(object)) { + DBG_ERR("Unable to add boolean [%s] value [%d], " + "target object is invalid\n", + name, + *value); + return JSON_ERROR; + } + + if (value != NULL) { + ret = json_object_set_new(object->root, name, json_boolean(*value)); + if (ret != 0) { + DBG_ERR("Unable to add boolean [%s] value [%d]\n", name, *value); + return ret; + } + } else { + ret = json_object_set_new(object->root, name, json_null()); + if (ret != 0) { + DBG_ERR("Unable to add null boolean [%s]\n", name); + return ret; + } + } + + return ret; +} + /* * @brief Add a string value to a JSON object. * @@ -686,37 +730,28 @@ int json_add_version(struct json_object *object, int major, int minor) /* * @brief add an ISO 8601 timestamp to the object. * - * Add the current date and time as a timestamp in ISO 8601 format - * to a JSON object + * Add a date and time as a timestamp in ISO 8601 format to a JSON object * - * "timestamp":"2017-03-06T17:18:04.455081+1300" + * "time":"2017-03-06T17:18:04.455081+1300" * * * @param object the JSON object to be updated. + * @param name the name. + * @param time the value to set. * * @return 0 the operation was successful * -1 the operation failed */ -int json_add_timestamp(struct json_object *object) +int json_add_time(struct json_object *object, const char *name, const struct timeval tv) { char buffer[40]; /* formatted time less usec and timezone */ char timestamp[65]; /* the formatted ISO 8601 time stamp */ char tz[10]; /* formatted time zone */ struct tm* tm_info; /* current local time */ - struct timeval tv; /* current system time */ - int r; /* response code from gettimeofday */ int ret; /* return code from json operations */ if (json_is_invalid(object)) { - DBG_ERR("Unable to add time stamp, target object is invalid\n"); - return JSON_ERROR; - } - - r = gettimeofday(&tv, NULL); - if (r) { - DBG_ERR("Unable to get time of day: (%d) %s\n", - errno, - strerror(errno)); + DBG_ERR("Unable to add time, target object is invalid\n"); return JSON_ERROR; } @@ -735,13 +770,48 @@ int json_add_timestamp(struct json_object *object) buffer, tv.tv_usec, tz); - ret = json_add_string(object, "timestamp", timestamp); + ret = json_add_string(object, name, timestamp); if (ret != 0) { - DBG_ERR("Unable to add time stamp to JSON object\n"); + DBG_ERR("Unable to add time to JSON object\n"); } return ret; } +/* + * @brief add an ISO 8601 timestamp to the object. + * + * Add the current date and time as a timestamp in ISO 8601 format + * to a JSON object + * + * "timestamp":"2017-03-06T17:18:04.455081+1300" + * + * + * @param object the JSON object to be updated. + * + * @return 0 the operation was successful + * -1 the operation failed + */ +int json_add_timestamp(struct json_object *object) +{ + struct timeval tv; /* current system time */ + int r; /* response code from gettimeofday */ + + if (json_is_invalid(object)) { + DBG_ERR("Unable to add time stamp, target object is invalid\n"); + return JSON_ERROR; + } + + r = gettimeofday(&tv, NULL); + if (r) { + DBG_ERR("Unable to get time of day: (%d) %s\n", + errno, + strerror(errno)); + return JSON_ERROR; + } + + return json_add_time(object, "timestamp", tv); +} + /* *@brief Add a tsocket_address to a JSON object * @@ -898,7 +968,7 @@ int json_add_guid(struct json_object *object, guid_str = GUID_buf_string(guid, &guid_buff); ret = json_add_string(object, name, guid_str); if (ret != 0) { - DBG_ERR("Unable to guid GUID [%s] value [%s]\n", + DBG_ERR("Unable to add GUID [%s] value [%s]\n", name, guid_str); return ret; @@ -907,6 +977,57 @@ int json_add_guid(struct json_object *object, return ret; } +/* + * @brief Add a hex-formatted string representation of a 32-bit integer to a + * json object. + * + * Add a hex-formatted string representation of a 32-bit flags integer to the + * object. + * + * "accountFlags":"0x12345678" + * + * + * @param object the JSON object to be updated. + * @param name the name. + * @param flags the flags. + * -- Samba Shared Repository