The branch, master has been updated
       via  9b0a71bd308 tests/auth_log: Refactor waitForMessages() to use nextMessage()
       via  67da91ef166 tests/auth_log: Add method to fetch the next relevant message from the messaging bus
       via  7c6dbe31950 tests/krb5: Test authentication with policy restrictions and a wrong password
       via  a9534e7be08 tests/krb5: Test S4U2Self followed by constrained delegation with authentication policies
       via  94e7a550db4 tests/krb5: Remove unneeded ‘dn’ parameter
       via  21d1f1ca996 s4:kdc: Fix typo
       via  fb260e1f467 tests/krb5: Make use of KerberosCredentials.get_sid()
       via  490c451a797 tests/krb5: Keep track of account SIDs
       via  0ec229e7b93 tests/krb5: Fix overlong lines
       via  117bba98a11 tests/krb5: Add a couple of authentication policy tests
       via  f1c24f4bc98 tests/krb5: Test authentication logging of TGT lifetimes
       via  9d8ee6a4222 tests/krb5: Cache created authentication policies
       via  01643b35273 tests/krb5: Keep track of the type of each created account
       via  359e820404e librpc/idl: Add authentication policy event IDs
       via  b859b3b67d2 s4:kdc: Consolidate assignments to r->error_code and final_ret
       via  868e1146600 s4:kdc: Don’t log authentication failures as successes
       via  d1fcecd1214 tests/auth_log: Properly expect authentication failures
       via  11671a743fe tests/auth_log: Make samba.tests.auth_log test executable
       via  efb85e3d6dd s4/scripting/bin: Add NT_STATUS_OK to list of definitions
       via  7c66cd4dfde selftest: Remove duplicate knownfails
       via  60f76b9ec82 selftest: Fix typo
       via  f8f0ee53548 param: Remove reference to unrecognized parameter ‘directory name cache size’
       via  234be6b0dd8 samba-tool ou: Remove unused variables
       via  d93e340b80e samba-tool ou: Remove unused import
       via  0743e11d465 samba-tool: Fix typo
       via  2eda24663f8 pyldb: Check for allocation failure in py_ldb_dn_get_parent()
       via  5905a63307f pyldb: Raise an exception if ldb_dn_get_parent() fails
       via  49592b80f75 selftest: Assert trust realm is not None
       via  97a5ee4bbb7 tests/auth_log: Factor out isRemote()
       via  1f74f9f366d python:safe_tarfile: Improve safe extract()
       via  431f7698e48 python:safe_tarfile: Implement safer extractall()
       via  8c90c66a9a4 python:safe_tarfile: Set extraction_filter for pythons providing it
       via  ebaa0081625 python:tests: Adopt safe_tarfile for extraction_filter raises
       via  4952cb88e4c s4-server: Call dsdb_check_and_update_fl() during startup transaction.
       via  c28e719bb0e selftest: Add unit tests of the DC startup FL check/update code
       via  ae7f2b417b7 python/tests: Make helpful, stateless methods @classmethod and @staticmethod
       via  b8a613b4b15 dsdb: Add routine to check the DB vs lp functional levels
       via  4919e8d8088 dsdb: Indicate in rootdse.c why samdb_ntds_settings_dn() is not used
       via  8e895fc5d62 selftest: Split up tests in dsdb.py to avoid creating a user when not required
       via  f83baa2723f selftest: Specify that DCs prepared with prepare_dc_testenv() to be 2016 capable
      from  585e4cdd6c9 docs-xml: remove completely outdated Samba-Developers-Guide
https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -----------------------------------------------------------------
commit 9b0a71bd3085b7c67a72bf498870c69cf6b3baa5
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Jun 14 16:29:27 2023 +1200

    tests/auth_log: Refactor waitForMessages() to use nextMessage()

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

    Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
    Autobuild-Date(master): Wed Jun 14 23:55:42 UTC 2023 on atb-devel-224

commit 67da91ef1665a15d93233c5a74a63926f5a2ef7e
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Jun 14 16:30:30 2023 +1200

    tests/auth_log: Add method to fetch the next relevant message from the messaging bus

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 7c6dbe31950894c8092a100aeece238ae6f0c8ab
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Jun 13 17:23:41 2023 +1200

    tests/krb5: Test authentication with policy restrictions and a wrong password

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit a9534e7be08a3a72593f34e10ed46d8062ddaf79
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu May 18 12:00:29 2023 +1200

    tests/krb5: Test S4U2Self followed by constrained delegation with authentication policies

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 94e7a550db47735581f58f6602c8d04b92b6489f
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Jun 14 11:26:25 2023 +1200

    tests/krb5: Remove unneeded ‘dn’ parameter

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 21d1f1ca996c0d31992a6f5cca0c63068ae6e7f5
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Jun 14 15:51:09 2023 +1200

    s4:kdc: Fix typo

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit fb260e1f467fc8a53b5feea766a0b9dafd5f981b
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Jun 14 10:51:54 2023 +1200

    tests/krb5: Make use of KerberosCredentials.get_sid()

    KerberosCredentials objects now keep track of their account’s SID, which
    removes the need to look it up with KDCBaseTest.get_objectSid().

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 490c451a79711d4cd5f03e933786cf56f9d31db4
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Jun 14 11:21:43 2023 +1200

    tests/krb5: Keep track of account SIDs

    This prevents having to look them up in the database when tests need them.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 0ec229e7b939df13b81916b4f3e29d3d83665e46
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Jun 14 10:59:41 2023 +1200

    tests/krb5: Fix overlong lines

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 117bba98a119d57f7591e2fa0c776333288da063
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Jun 14 10:58:12 2023 +1200

    tests/krb5: Add a couple of authentication policy tests

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit f1c24f4bc98213999c282fb318977a53e19c81fc
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Jun 14 11:02:28 2023 +1200

    tests/krb5: Test authentication logging of TGT lifetimes

    It is useful to test a combination of device restrictions and TGT
    lifetime restrictions so that we can check what TGT lifetime values end
    up in the logs.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 9d8ee6a422277da8145ca30cd76c9e74263f0b14
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Jun 14 11:12:15 2023 +1200

    tests/krb5: Cache created authentication policies

    View with ‘git show -b’.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 01643b35273ba77b927fa3f337acecde71bd5e62
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Jun 14 11:13:00 2023 +1200

    tests/krb5: Keep track of the type of each created account

    This allows us to determine which parts of an authentication policy
    apply to a particular account, which will be necessary to test audit
    logging.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 359e820404ed43530aea1d94531ed0ff1d51c45b
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Jun 14 11:28:40 2023 +1200

    librpc/idl: Add authentication policy event IDs

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit b859b3b67d29c04158ddda541b4e4f7fac7188de
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Jun 14 11:37:03 2023 +1200

    s4:kdc: Consolidate assignments to r->error_code and final_ret

    This makes it clearer that we are assigning a value to both together.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 868e114660026a5dd972a583f7610e4f20c54247
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Jun 14 11:58:13 2023 +1200

    s4:kdc: Don’t log authentication failures as successes

    If a client was authorized, we would ignore the Kerberos error code and
    just log the return value of authsam_logon_success_accounting().

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit d1fcecd1214eba0dc8bcaca72cc889d209b7f716
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Jun 14 15:28:39 2023 +1200

    tests/auth_log: Properly expect authentication failures

    These authentications are actually failing (due to RESPONSE_TOO_BIG
    errors), but our authentication logging infrastructure hides this.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 11671a743fe914a0abbee2326cbd8df359d50beb
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Jun 14 13:47:20 2023 +1200

    tests/auth_log: Make samba.tests.auth_log test executable

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit efb85e3d6dd976deb89a46089a5556b846c478d9
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri May 26 15:14:22 2023 +1200

    s4/scripting/bin: Add NT_STATUS_OK to list of definitions

    Add NT_STATUS_OK to our pre-generated list of status codes. Ensure it
    goes first in the list to ensure that code that previously found this
    error code in ‘special_errs’ maintains the same behaviour by falling
    back to ‘nt_errs’.

    This makes NT_STATUS_OK available to Python code using the ‘ntstatus’
    module.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 7c66cd4dfde03bf4a246b32aa347a4020d24b00d
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Jun 14 13:40:50 2023 +1200

    selftest: Remove duplicate knownfails

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 60f76b9ec82af634601fa1e9a608f0cf077e49c3
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Jun 8 16:17:30 2023 +1200

    selftest: Fix typo

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit f8f0ee5354895a45160dd699fd1e125355ac8b58
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Jun 14 15:06:08 2023 +1200

    param: Remove reference to unrecognized parameter ‘directory name cache size’

    This parameter was removed in commit
    c37d6be2db8ee30d632275e7b1c156a8b5d791a7.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 234be6b0dd8eb3f028cf1d5a1a2be6ee6e7062f6
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Jun 8 13:46:05 2023 +1200

    samba-tool ou: Remove unused variables

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit d93e340b80e6a4db3f3f7167b2a4df049e49068d
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Jun 8 13:45:17 2023 +1200

    samba-tool ou: Remove unused import

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 0743e11d4658b3efe6687b20d6d424de70368999
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Jun 8 13:44:59 2023 +1200

    samba-tool: Fix typo

    Found by Rob van der Linde <r...@catalyst.net.nz>.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 2eda24663f8b9d6d03bffe96785518d16d06ae6e
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Jun 15 10:07:56 2023 +1200

    pyldb: Check for allocation failure in py_ldb_dn_get_parent()

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 5905a63307fd48d8c316178b92b9027165901048
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Jun 6 13:56:32 2023 +1200

    pyldb: Raise an exception if ldb_dn_get_parent() fails

    Such a failure could be caused by situations other than memory errors,
    but a simple indication of failure is all that ldb_dn_get_parent() gives
    us to work with.

    We keep the old behaviour of returning None if the DN has no components,
    which an existing test (ldb.python.api.DnTests.test_parent_nonexistent)
    expects.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 49592b80f751e3ff19b5b86ae0a7841fabfb8cf1
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri May 26 10:10:02 2023 +1200

    selftest: Assert trust realm is not None

    This is consistent with the other tests in this file.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 97a5ee4bbb7971ee98c0a8cf314cd39f655f2182
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed May 24 10:31:53 2023 +1200

    tests/auth_log: Factor out isRemote()

    This makes waitForMessages() easier to read.

    View with ‘git show -b’.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 1f74f9f366d7f107a89220a4a5951bc4daf18025
Author: Andreas Schneider <a...@samba.org>
Date:   Tue Jun 6 15:38:12 2023 +0200

    python:safe_tarfile: Improve safe extract()

    This also checks for symlinks and hardlinks.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15390

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

commit 431f7698e48387413aac586c7a939a1682464681
Author: Andreas Schneider <a...@samba.org>
Date:   Tue Jun 6 15:30:20 2023 +0200

    python:safe_tarfile: Implement safer extractall()

    This also checks for symlinks and hardlinks.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15390

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

commit 8c90c66a9a409d807dad56822540509c9813425b
Author: Andreas Schneider <a...@samba.org>
Date:   Tue Jun 6 15:29:06 2023 +0200

    python:safe_tarfile: Set extraction_filter for pythons providing it

    It should be available for Python >= 3.11.4 but also has been backported.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15390

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

commit ebaa00816259cbae5c45ebf0ba5fb260b09e4695
Author: Andreas Schneider <a...@samba.org>
Date:   Tue Jun 6 16:06:57 2023 +0200

    python:tests: Adopt safe_tarfile for extraction_filter raises

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15390

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

commit 4952cb88e4c4c52a30d1eea3a15fad5f6d45c314
Author: Andrew Bartlett <abart...@samba.org>
Date:   Wed May 31 14:38:02 2023 +1200

    s4-server: Call dsdb_check_and_update_fl() during startup transaction.

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

commit c28e719bb0e122fa330ae3b15d954e3438a428bb
Author: Andrew Bartlett <abart...@samba.org>
Date:   Fri Jun 9 09:17:39 2023 +1200

    selftest: Add unit tests of the DC startup FL check/update code

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

commit ae7f2b417b74f12d6d5e09669b4a56b19a453015
Author: Andrew Bartlett <abart...@samba.org>
Date:   Thu Jun 15 10:49:32 2023 +1200

    python/tests: Make helpful, stateless methods @classmethod and @staticmethod

    This allows them to be used in setUpClass in tests.

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

commit b8a613b4b151b4142595f285e81109257738954f
Author: Andrew Bartlett <abart...@samba.org>
Date:   Wed May 31 14:33:08 2023 +1200

    dsdb: Add routine to check the DB vs lp functional levels

    This will be called at server startup (as well as from Python tests)

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

commit 4919e8d8088d80a8a708df5033b22a07eab6f03b
Author: Andrew Bartlett <abart...@samba.org>
Date:   Wed May 31 14:29:57 2023 +1200

    dsdb: Indicate in rootdse.c why samdb_ntds_settings_dn() is not used

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

commit 8e895fc5d62278706b61bf1f6cd207947d778ba4
Author: Andrew Bartlett <abart...@samba.org>
Date:   Thu Jun 1 16:04:57 2023 +1200

    selftest: Split up tests in dsdb.py to avoid creating a user when not required

    Creating a user is CPU intensive, particularly when a password is set
    so avoid doing so if not required.

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

commit f83baa2723fed4284f39ff5590523fb4b283ad10
Author: Andrew Bartlett <abart...@samba.org>
Date:   Tue Jun 13 13:33:10 2023 +1200

    selftest: Specify that DCs prepared with prepare_dc_testenv() to be 2016 capable

    This allows the backup/restore process to pass once the DC startup
    code confirms what DC level the domain functional level in the DB is
    expecting.
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

-----------------------------------------------------------------------

Summary of changes:
 docs-xml/manpages/samba-tool.8.xml                 |   2 +-
 lib/ldb/pyldb.c                                    |  15 +-
 lib/param/loadparm.c                               |   2 -
 libcli/util/nterr.c                                |   1 -
 libcli/util/ntstatus.h                             |   2 -
 librpc/idl/windows_event_ids.idl                   |  10 +
 python/samba/netcmd/ou.py                          |   6 +-
 python/samba/safe_tarfile.py                       |  73 ++-
 python/samba/tests/__init__.py                     |   8 +-
 python/samba/tests/auth_log.py                     |  31 +-
 python/samba/tests/auth_log_base.py                |  91 ++-
 python/samba/tests/dsdb.py                         |  77 ++-
 python/samba/tests/getdcname.py                    |   3 +-
 python/samba/tests/krb5/alias_tests.py             |   2 +-
 python/samba/tests/krb5/authn_policy_tests.py      | 620 +++++++++++++--------
 python/samba/tests/krb5/claims_tests.py            |  10 +-
 python/samba/tests/krb5/device_tests.py            |   4 +-
 python/samba/tests/krb5/group_tests.py             |   8 +-
 python/samba/tests/krb5/kdc_base_test.py           |  66 ++-
 python/samba/tests/krb5/kdc_tgs_tests.py           |  32 +-
 python/samba/tests/krb5/kpasswd_tests.py           |  18 +-
 .../krb5/ms_kile_client_principal_lookup_tests.py  |  21 +-
 python/samba/tests/krb5/raw_testcase.py            |  14 +
 python/samba/tests/krb5/s4u_tests.py               |  10 +-
 python/samba/tests/safe_tarfile.py                 |  27 +-
 python/samba/tests/samba_startup_fl_change.py      | 181 ++++++
 selftest/knownfail_heimdal_kdc                     |   4 +
 selftest/knownfail_mit_kdc                         |   7 +-
 selftest/knownfail_mit_kdc_1_20                    |   5 +
 selftest/target/Samba4.pm                          |   7 +-
 source4/dsdb/common/util.c                         | 117 ++++
 source4/dsdb/pydsdb.c                              |  38 ++
 source4/dsdb/samdb/ldb_modules/rootdse.c           |  10 +-
 source4/kdc/hdb-samba4.c                           |  24 +-
 source4/samba/server.c                             |  16 +-
 source4/scripting/bin/gen_ntstatus.py              |  11 +-
 source4/selftest/tests.py                          |   1 +
 37 files changed, 1159 insertions(+), 415 deletions(-)
 mode change 100644 => 100755 python/samba/tests/auth_log.py
 create mode 100644 python/samba/tests/samba_startup_fl_change.py


Changeset truncated at 500 lines:
diff --git a/docs-xml/manpages/samba-tool.8.xml b/docs-xml/manpages/samba-tool.8.xml index 0834f606659..910d9093771 100644 --- a/docs-xml/manpages/samba-tool.8.xml +++ b/docs-xml/manpages/samba-tool.8.xml @@ -1546,7 +1546,7 @@ <varlistentry> <term>--force-subtree-delete</term> <listitem><para> - Delete organizational unit and all children reclusively. + Delete organizational unit and all children recursively. </para></listitem> </varlistentry> </variablelist> diff --git a/lib/ldb/pyldb.c b/lib/ldb/pyldb.c index 544d5672983..8981e5ea45c 100644 --- a/lib/ldb/pyldb.c +++ b/lib/ldb/pyldb.c @@ -608,12 +608,23 @@ static PyObject *py_ldb_dn_get_parent(PyLdbDnObject *self, struct ldb_dn *dn = pyldb_Dn_AS_DN((PyObject *)self); struct ldb_dn *parent; PyLdbDnObject *py_ret; - TALLOC_CTX *mem_ctx = talloc_new(NULL); + TALLOC_CTX *mem_ctx = NULL; + + if (ldb_dn_get_comp_num(dn) < 1) { + Py_RETURN_NONE; + } + + mem_ctx = talloc_new(NULL); + if (mem_ctx == NULL) { + PyErr_NoMemory(); + return NULL; + } parent = ldb_dn_get_parent(mem_ctx, dn); if (parent == NULL) { + PyErr_NoMemory(); talloc_free(mem_ctx); - Py_RETURN_NONE; + return NULL; } py_ret = (PyLdbDnObject *)PyLdbDn.tp_alloc(&PyLdbDn, 0); diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c index 65e3fa06da4..447087911b5 100644 --- a/lib/param/loadparm.c +++ b/lib/param/loadparm.c @@ -3048,8 +3048,6 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) lpcfg_do_global_parameter(lp_ctx, "lock spin time", "200"); - lpcfg_do_global_parameter(lp_ctx, "directory name cache size", "100"); - lpcfg_do_global_parameter(lp_ctx, "nmbd bind explicit broadcast", "yes"); lpcfg_do_global_parameter(lp_ctx, "init logon delay", "100"); diff --git a/libcli/util/nterr.c b/libcli/util/nterr.c index 3bca6da1b55..0a57a8fd28e 100644 --- a/libcli/util/nterr.c +++ b/libcli/util/nterr.c 
@@ -45,7 +45,6 @@ typedef struct * same table as the other ones. */ static const nt_err_code_struct special_errs[] = { - { "NT_STATUS_OK", NT_STATUS_OK }, { "STATUS_NO_MORE_FILES", STATUS_NO_MORE_FILES }, { "STATUS_INVALID_EA_NAME", STATUS_INVALID_EA_NAME }, { "STATUS_BUFFER_OVERFLOW", STATUS_BUFFER_OVERFLOW }, diff --git a/libcli/util/ntstatus.h b/libcli/util/ntstatus.h index 2aaee5dcc4d..9a1d1fd855a 100644 --- a/libcli/util/ntstatus.h +++ b/libcli/util/ntstatus.h @@ -51,8 +51,6 @@ typedef uint32_t NTSTATUS; #define NT_STATUS_SMB_NO_PREAUTH_INTEGRITY_HASH_OVERLAP NT_STATUS(0xC05D0000) /* Other error codes that aren't in the list we use */ -#define NT_STATUS_OK NT_STATUS_SUCCESS - #define STATUS_MORE_ENTRIES NT_STATUS_MORE_ENTRIES #define STATUS_BUFFER_OVERFLOW NT_STATUS_BUFFER_OVERFLOW #define STATUS_NO_MORE_FILES NT_STATUS_NO_MORE_FILES diff --git a/librpc/idl/windows_event_ids.idl b/librpc/idl/windows_event_ids.idl index 240ad9e56ff..f482800d897 100644 --- a/librpc/idl/windows_event_ids.idl +++ b/librpc/idl/windows_event_ids.idl @@ -28,6 +28,16 @@ interface windows_events EVT_ID_USER_REMOVED_FROM_UNIVERSAL_GROUP = 4762 } event_id_type; + /* See https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/authentication-policies-and-authentication-policy-silos#BKMK_ErrorandEvents */ + typedef [v1_enum,public] enum { + AUTH_EVT_ID_NONE = 0, + AUTH_EVT_ID_NTLM_DEVICE_RESTRICTION = 101, + AUTH_EVT_ID_KERBEROS_DEVICE_RESTRICTION = 105, + AUTH_EVT_ID_KERBEROS_DEVICE_RESTRICTION_AUDIT = 305, + AUTH_EVT_ID_KERBEROS_SERVER_RESTRICTION = 106, + AUTH_EVT_ID_KERBEROS_SERVER_RESTRICTION_AUDIT = 306 + } auth_event_id_type; + typedef [v1_enum,public] enum { EVT_LOGON_INTERACTIVE = 2, EVT_LOGON_NETWORK = 3, diff --git a/python/samba/netcmd/ou.py b/python/samba/netcmd/ou.py index d83920d9862..ce068716a01 100644 --- a/python/samba/netcmd/ou.py +++ b/python/samba/netcmd/ou.py 
@@ -27,7 +27,6 @@ from samba.netcmd import ( SuperCommand, ) from samba.samdb import SamDB -from samba import dsdb from operator import attrgetter @@ -67,7 +66,6 @@ class cmd_rename(Command): creds = credopts.get_credentials(lp, fallback_machine=True) samdb = SamDB(url=H, session_info=system_session(), credentials=creds, lp=lp) - domain_dn = ldb.Dn(samdb, samdb.domain_dn()) try: full_old_ou_dn = samdb.normalize_dn_in_domain(old_ou_dn) @@ -133,7 +131,6 @@ class cmd_move(Command): samdb = SamDB(url=H, session_info=system_session(), credentials=creds, lp=lp) - domain_dn = ldb.Dn(samdb, samdb.domain_dn()) try: full_old_ou_dn = samdb.normalize_dn_in_domain(old_ou_dn) except Exception as e: @@ -361,7 +358,7 @@ class cmd_delete(Command): type=str, metavar="URL", dest="H"), Option("--force-subtree-delete", dest="force_subtree_delete", default=False, action='store_true', - help="Delete organizational unit and all children reclusively"), + help="Delete organizational unit and all children recursively"), ] takes_args = ["ou_dn"] @@ -377,7 +374,6 @@ class cmd_delete(Command): creds = credopts.get_credentials(lp, fallback_machine=True) samdb = SamDB(url=H, session_info=system_session(), credentials=creds, lp=lp) - domain_dn = ldb.Dn(samdb, samdb.domain_dn()) try: full_ou_dn = samdb.normalize_dn_in_domain(ou_dn) diff --git a/python/samba/safe_tarfile.py b/python/samba/safe_tarfile.py index cc19770d73f..7a2b0382a79 100644 --- a/python/samba/safe_tarfile.py +++ b/python/samba/safe_tarfile.py @@ -15,6 +15,9 @@ # along with this program. If not, see <http://www.gnu.org/licenses/>. +import os +import tarfile +from pathlib import Path from tarfile import ExtractError, TarInfo, TarFile as UnsafeTarFile 
@@ -24,20 +27,68 @@ class TarFile(UnsafeTarFile): using '../../'. """ - def extract(self, member, path="", set_attrs=True, *, numeric_owner=False): - if isinstance(member, TarInfo): - name = member.name - else: - name = member + try: + # New in version 3.11.4 (also has been backported) + # https://docs.python.org/3/library/tarfile.html#tarfile.TarFile.extraction_filter + # https://peps.python.org/pep-0706/ + extraction_filter = staticmethod(tarfile.data_filter) + except AttributeError: + def extract(self, member, path="", set_attrs=True, *, + numeric_owner=False): + self._safetarfile_check() + super().extract(member, path, set_attrs=set_attrs, + numeric_owner=numeric_owner) - if '../' in name: - raise ExtractError(f"'../' is not allowed in path '{name}'") + def extractall(self, path, members=None, *, numeric_owner=False): + self._safetarfile_check() + super().extractall(path, members, + numeric_owner=numeric_owner) - if name.startswith('/'): - raise ExtractError(f"path '{name}' should not start with '/'") + def _safetarfile_check(self): + for tarinfo in self.__iter__(): + if self._is_traversal_attempt(tarinfo=tarinfo): + raise ExtractError( + "Attempted directory traversal for " + f"member: {tarinfo.name}") + if self._is_unsafe_symlink(tarinfo=tarinfo): + raise ExtractError( + "Attempted directory traversal via symlink for " + f"member: {tarinfo.linkname}") + if self._is_unsafe_link(tarinfo=tarinfo): + raise ExtractError( + "Attempted directory traversal via link for " + f"member: {tarinfo.linkname}") - super().extract(member, path, set_attrs=set_attrs, - numeric_owner=numeric_owner) + def _resolve_path(self, path): + return os.path.realpath(os.path.abspath(path)) + + def _is_path_in_dir(self, path, basedir): + return self._resolve_path(os.path.join(basedir, + path)).startswith(basedir) + + def _is_traversal_attempt(self, tarinfo): + if (tarinfo.name.startswith(os.sep) + or ".." 
+ os.sep in tarinfo.name): + return True + return False + + def _is_unsafe_symlink(self, tarinfo): + if tarinfo.issym(): + symlink_file = Path( + os.path.normpath(os.path.join(os.getcwd(), + tarinfo.linkname))) + if not self._is_path_in_dir(symlink_file, os.getcwd()): + return True + return False + + def _is_unsafe_link(self, tarinfo): + if tarinfo.islnk(): + link_file = Path( + os.path.normpath(os.path.join(os.getcwd(), + tarinfo.linkname))) + if not self._is_path_in_dir(link_file, os.getcwd()): + return True + return False open = TarFile.open diff --git a/python/samba/tests/__init__.py b/python/samba/tests/__init__.py index 101f5922a22..f117d0b1341 100644 --- a/python/samba/tests/__init__.py +++ b/python/samba/tests/__init__.py @@ -393,7 +393,8 @@ class BlackboxProcessError(Exception): class BlackboxTestCase(TestCaseInTempDir): """Base test case for blackbox tests.""" - def _make_cmdline(self, line): + @staticmethod + def _make_cmdline(line): """Expand the called script into a fully resolved path in the bin directory.""" if isinstance(line, list): @@ -458,8 +459,9 @@ class BlackboxTestCase(TestCaseInTempDir): # where ret is the return code # stdout is a string containing the commands stdout # stderr is a string containing the commands stderr - def run_command(self, line): - line = self._make_cmdline(line) + @classmethod + def run_command(cls, line): + line = cls._make_cmdline(line) use_shell = not isinstance(line, list) p = subprocess.Popen(line, stdout=subprocess.PIPE, diff --git a/python/samba/tests/auth_log.py b/python/samba/tests/auth_log.py old mode 100644 new mode 100755 index 8f9f487f82a..98ab4603f98 --- a/python/samba/tests/auth_log.py +++ b/python/samba/tests/auth_log.py @@ -1,3 +1,4 @@ +#!/usr/bin/env python3 # Unix SMB/CIFS implementation. # Copyright (C) Andrew Bartlett <abart...@samba.org> 2017 # 
@@ -17,6 +18,11 @@ """Tests for the Auth and AuthZ logging. """ + +import sys + +sys.path.insert(0, 'bin/python') + import samba.tests from samba.dcerpc import srvsvc, dnsserver import os @@ -170,13 +176,14 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase): # returning message too big, msg = messages[0] self.assertEqual("Authentication", msg["type"]) - self.assertEqual("NT_STATUS_OK", msg["Authentication"]["status"]) + self.assertEqual("NT_STATUS_PROTOCOL_UNREACHABLE", # RESPONSE_TOO_BIG + msg["Authentication"]["status"]) self.assertEqual("Kerberos KDC", msg["Authentication"]["serviceDescription"]) self.assertEqual(authTypes[1], msg["Authentication"]["authDescription"]) self.assertEqual( - EVT_ID_SUCCESSFUL_LOGON, msg["Authentication"]["eventId"]) + EVT_ID_UNSUCCESSFUL_LOGON, msg["Authentication"]["eventId"]) self.assertEqual( EVT_LOGON_NETWORK, msg["Authentication"]["logonType"]) @@ -366,13 +373,14 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase): # Check the second message it should be an Authentication msg = messages[1] self.assertEqual("Authentication", msg["type"]) - self.assertEqual("NT_STATUS_OK", msg["Authentication"]["status"]) + self.assertEqual("NT_STATUS_PROTOCOL_UNREACHABLE", # RESPONSE_TOO_BIG + msg["Authentication"]["status"]) self.assertEqual("Kerberos KDC", msg["Authentication"]["serviceDescription"]) self.assertEqual(authTypes[2], msg["Authentication"]["authDescription"]) self.assertEqual( - EVT_ID_SUCCESSFUL_LOGON, msg["Authentication"]["eventId"]) + EVT_ID_UNSUCCESSFUL_LOGON, msg["Authentication"]["eventId"]) self.assertEqual( EVT_LOGON_NETWORK, msg["Authentication"]["logonType"]) 
@@ -485,14 +493,15 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase): # Check the first message it should be an Authentication msg = messages[0] self.assertEqual("Authentication", msg["type"]) - self.assertEqual("NT_STATUS_OK", msg["Authentication"]["status"]) + self.assertEqual("NT_STATUS_PROTOCOL_UNREACHABLE", # RESPONSE_TOO_BIG + msg["Authentication"]["status"]) self.assertEqual("Kerberos KDC", msg["Authentication"]["serviceDescription"]) self.assertEqual("ENC-TS Pre-authentication", msg["Authentication"]["authDescription"]) self.assertTrue(msg["Authentication"]["duration"] > 0) self.assertEqual( - EVT_ID_SUCCESSFUL_LOGON, msg["Authentication"]["eventId"]) + EVT_ID_UNSUCCESSFUL_LOGON, msg["Authentication"]["eventId"]) self.assertEqual( EVT_LOGON_NETWORK, msg["Authentication"]["logonType"]) @@ -729,12 +738,13 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase): # Check the first message it should be an Authentication msg = messages[0] self.assertEqual("Authentication", msg["type"]) - self.assertEqual("NT_STATUS_OK", msg["Authentication"]["status"]) + self.assertEqual("NT_STATUS_PROTOCOL_UNREACHABLE", # RESPONSE_TOO_BIG + msg["Authentication"]["status"]) self.assertEqual("Kerberos KDC", msg["Authentication"]["serviceDescription"]) self.assertEqual("ENC-TS Pre-authentication", msg["Authentication"]["authDescription"]) - self.assertEqual(EVT_ID_SUCCESSFUL_LOGON, + self.assertEqual(EVT_ID_UNSUCCESSFUL_LOGON, msg["Authentication"]["eventId"]) self.assertEqual(EVT_LOGON_NETWORK, msg["Authentication"]["logonType"]) @@ -1475,3 +1485,8 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase): self.assertEqual("schannel", msg["Authorization"]["authType"]) self.assertEqual("SEAL", msg["Authorization"]["transportProtection"]) self.assertTrue(self.is_guid(msg["Authorization"]["sessionId"])) + + +if __name__ == '__main__': + import unittest + unittest.main() 
diff --git a/python/samba/tests/auth_log_base.py b/python/samba/tests/auth_log_base.py index 586719980cb..a9b2b3fa06b 100644 --- a/python/samba/tests/auth_log_base.py +++ b/python/samba/tests/auth_log_base.py @@ -28,6 +28,10 @@ import os import re +class NoMessageException(Exception): + pass + + class AuthLogTestBase(samba.tests.TestCase): @classmethod 
@@ -83,49 +87,76 @@ class AuthLogTestBase(samba.tests.TestCase): super(AuthLogTestBase, self).setUp() type(self).discardMessages() + def isRemote(self, message): + if self.remoteAddress is None: + return True + + supported_types = { + "Authentication", + "Authorization", + } + message_type = message["type"] + if message_type in supported_types: + remote = message[message_type]["remoteAddress"] + else: + return False + + try: + addr = remote.split(":") + return addr[1] == self.remoteAddress + except IndexError: + return False + def waitForMessages(self, isLastExpectedMessage, connection=None): """Wait for all the expected messages to arrive The connection is passed through to keep the connection alive until all the logging messages have been received. """ - def completed(messages): - for message in messages: - if isRemote(message) and isLastExpectedMessage(message): - return True - return False + messages = [] + while True: + try: + msg = self.nextMessage() + except NoMessageException: + return [] - def isRemote(message): - if self.remoteAddress is None: - return True + messages.append(msg) + if isLastExpectedMessage(msg): + return messages - supported_types = { - "Authentication", - "Authorization", - } - message_type = message["type"] - if message_type in supported_types: - remote = message[message_type]["remoteAddress"] - else: + def nextMessage(self, msgFilter=None): + """Return the next relevant message, or throw a NoMessageException.""" + def is_relevant(msg): + if not self.isRemote(msg): return False - try: - addr = remote.split(":") - return addr[1] == self.remoteAddress - except IndexError: - return False + if msgFilter is None: + return True - self.connection = connection + return msgFilter(msg) - start_time = time.time() - while not completed(self.context["messages"]): - self.msg_ctx.loop_once(0.1) - if time.time() - start_time > 1: - self.connection = None - return [] + messages = self.context['messages'] + + while True: + timeout = 2 + until = 
time.time() + timeout + + while not messages: + # Fetch a new message from the messaging bus. + + current = time.time() + if until < current: + break + + self.msg_ctx.loop_once(until - current) + + if not messages: + raise NoMessageException('timed out looking for a message') - self.connection = None - return list(filter(isRemote, self.context["messages"])) + # Grab the next message from the queue. + msg = messages.pop(0) + if is_relevant(msg): + return msg # Discard any previously queued messages. @classmethod diff --git a/python/samba/tests/dsdb.py b/python/samba/tests/dsdb.py index 6c52994ece7..59d946cd6a6 100644 --- a/python/samba/tests/dsdb.py +++ b/python/samba/tests/dsdb.py @@ -24,17 +24,18 @@ from samba.tests import TestCase from samba.tests import delete_force from samba.ndr import ndr_unpack, ndr_pack from samba.dcerpc import drsblobs, security, misc -from samba import dsdb +from samba.param import LoadParm +from samba import dsdb, functional_level -- Samba Shared Repository
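Review bot: in lib/ldb/pyldb.c (hunk @@ -608,12 +608,23 @@), the new `PyErr_NoMemory();` after `parent = ldb_dn_get_parent(mem_ctx, dn);` reports every failure as MemoryError, yet the message for 5905a63307f itself says the call can fail for reasons other than memory exhaustion. A generic error such as `PyErr_SetString(PyExc_RuntimeError, "ldb_dn_get_parent() failed");` would not mislead Python callers; the `if (ldb_dn_get_comp_num(dn) < 1) { Py_RETURN_NONE; }` placed before `talloc_new()` keeps the behaviour test_parent_nonexistent expects and avoids an allocation on that path, which is fine.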
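Review bot: in libcli/util/ntstatus.h (hunk @@ -51,8 +51,6 @@), removing `#define NT_STATUS_OK NT_STATUS_SUCCESS` makes every C consumer of NT_STATUS_OK depend on the definition that source4/scripting/bin/gen_ntstatus.py now emits, but that generator hunk falls beyond the 500-line truncation, so the changeset as shown cannot confirm the symbol is still defined everywhere the header is included. A one-line comment in the header saying NT_STATUS_OK now comes from the generated status table would save the next reader the same search, and the same goes for the libcli/util/nterr.c hunk, which now relies on the generated nt_errs table listing NT_STATUS_OK first, as the message for efb85e3d6dd describes.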
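Review bot: in python/samba/netcmd/ou.py, the three hunks that drop `domain_dn = ldb.Dn(samdb, samdb.domain_dn())` may leave the `ldb` import unused if those were its only call sites; the visible hunks show only `from samba import dsdb` being removed from the import block, so it is worth running the same unused-import check that flagged `dsdb` once more.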
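Review bot: in python/samba/safe_tarfile.py (hunk @@ -24,20 +27,68 @@), `_is_traversal_attempt` only tests `".." + os.sep in tarinfo.name`, so a member whose name is exactly `..` or ends in `/..` passes the check; testing components instead, e.g. `".." in tarinfo.name.split(os.sep)`, or comparing `os.path.normpath(tarinfo.name)` against the raw name, closes that gap. The link checks in `_is_unsafe_symlink` and `_is_unsafe_link` resolve against `os.getcwd()` rather than the `path` argument given to `extract()`/`extractall()`, and `_is_path_in_dir` compares a realpath'd candidate to an un-resolved `basedir` with a bare `startswith`, so a working directory that contains a symlink component rejects every link, and a sibling directory that shares the prefix (`/tmp/out` vs `/tmp/outside`) is accepted; passing `path` through, `realpath`-ing `basedir` and comparing with `os.path.commonpath` (or with `os.sep` appended) would make the test exact. Two smaller points: the fallback `extractall(self, path, members=None, *, numeric_owner=False)` makes `path` required where `tarfile.TarFile.extractall` defaults it to `"."`, so callers relying on the default fail with TypeError only on Pythons lacking `data_filter`; and because `_safetarfile_check` inspects all members before anything is written, it cannot see links that earlier members create during extraction, which is what the per-member `extraction_filter = staticmethod(tarfile.data_filter)` path handles, so a comment noting that the fallback is the weaker of the two would help whoever next touches this file.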
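Review bot: in python/samba/tests/auth_log.py (hunk @@ -17,6 +18,11 @@), `sys.path.insert(0, 'bin/python')` is relative to the current working directory, so running the now-executable test from anywhere other than the source root silently imports whichever `samba` package is installed instead of the build tree; deriving the path from `__file__` or stating in the module docstring that it must be run from the source root would make the failure mode explicit.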
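Review bot: in python/samba/tests/auth_log_base.py (hunk @@ -83,49 +87,76 @@), `waitForMessages()` keeps its `connection` parameter but no longer does anything with it: the `self.connection = connection` assignment and the later `self.connection = None` are removed, so the docstring's statement that the connection "is passed through to keep the connection alive" no longer describes the code; either restore the assignment or drop the parameter and the docstring sentence together. Also worth recording in the `nextMessage()` docstring that the wait changed from a single 1-second budget for all messages to `timeout = 2` seconds per message, since neither commit message mentions it and it changes how long a test can block when the bus is quiet.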