The branch, master has been updated
  via c01c206d765 s4:kdc: Add get_claims_set_for_principal()
  via 21e0c258954 s4:kdc: Rename ‘claims_blob’ parameter to ‘claims_blob_out’
  via 504a36f3208 s4:kdc: Rename get_claims_for_principal() to get_claims_blob_for_principal()
  via e6b78ef7f7e s4:kdc: Ensure that we don’t dereference a NULL pointer
  via 58371c33e92 s4:kdc: Properly allocate claims set on a talloc context
  via c6cd6b25ff1 s4:kdc: Remove ldb_context parameter as being no longer needed
  via 78fc6fbb61c s4:kdc: Have encode_claims_set return NTSTATUS
  via 365455b6a14 s4:dsdb: Check for overflow in security_token_create()
  via 479ebdd041a s4:dsdb: Make ‘sids’ parameter const
  via 37c8c343286 s4:dsdb: Use uint32_t for ‘num_sids’
  via c1061ae8a7b s4:kdc: Free error message returned by krb5_get_error_message()
  via 9d485b262a5 s4:kdc: Use common out path in mit_samba_kpasswd_change_password()
  via ab098c24314 s4:kdc: Inline samba_get_claims_blob()
  via 63f798442ce s4:kdc: Don’t enforce a server authentication policy for the krbtgt
  via 914f1700991 s4:kdc: Switch to using samdb_result_dom_sid_buf()
  via 7d6ebfe4e33 s4:kdc: Return krb5_error_code
  via fc99b903463 s4:kdc: Make some functions static
  via e67c0226183 s4:kdc: Return (possibly) more appropriate error codes
  via e9e2dfa5352 s4:auth: Check return value of talloc_new()
  via 45ca5e23b84 s4:auth: Fix leaks
  via 18569f81c0b s4:auth: Add missing space to error message
  via dadfc06ce1a s4:kdc: Use type bool for ‘is_tgs’
  via 6e5e2f0b2cb s4:kdc: Erase key data
  via 7dd13e8d8e6 s4:kdc: Ensure the value of h->len is accurate
  via 7e496d774cd s4:kdc: Consistently zero HDB structures
  via 75a1beeea85 s4:kdc: Fix leaks of sdb_entry’s members
  via e5465872803 s4:kdc: Fail PAC checksum verification if the krbtgt entry has no keys
  via 406af84ba2d s4:kdc: Correctly report length of KDC packet
  via bb78ad7bd97 s4:kdc: Use portable format specifier
  via 0f127875c8f s4:kdc: Correct error message
  via 84929c6855c s4:kdc: Return an error code if sdb_entry_to_hdb_entry() fails
  via 93c0f35521a s4:kdc: Fix code spelling
  via a5129c07631 s4:kdc: Fix leaks
  via e9c275b4e0d s4:kdc: Move calls to talloc_steal() out of the ‘out’ paths
  via bf78c60368c s4:kdc: Remove unnecessary talloc context
  via 902ed79b226 s4:kdc: Call krb5_free_principal() directly after to-be-freed principal is used
  via 79738178ec2 s4:kdc: Free samba_kdc_seq context on failure to allocate memory
  via bc1103e93b5 s4:kdc: Check return value from ldb_dn_get_linearized()
  via 09e13845aec s4:kdc: Fix leak of sdb_entry
  via 26e2e891d0c s4:kdc: Ensure we don’t increase the value of entry->etypes->len
  via 7cfddcbf3f0 s4:kdc: Check result of samdb_result_dom_sid()
  via f34645b8f8c s4:kdc: Initialize entry->modified_by
  via e035cfabc71 s4:kdc: Don’t log secret keys
  via 0cf658cd10d s4:kdc: Don’t issue forwardable or proxiable tickets to Protected Users
  via 7026b08e23e tests/krb5: Test that neither forwardable nor proxiable tickets are issued to Protected Users
  via c9d6a3dd665 tests/krb5: Allow specifying KDC options when requesting a TGT
  via da89b86e528 tests/krb5: Allow specifying additional details for a test account
  via a5492d76d3b tests/krb5: Split out new AuthnPolicyBaseTests class
  via 55c09c91eaa tests/krb5: Move some functions round to prepare for splitting the class
  via 942cc0b6267 tests/krb5: Keep claim types for subsequent tests
  via f552933760d tests/krb5: Rename compatability_tests class
  via 928f898e0a7 tests/krb5: Allow cached=True with an assigned silo or policy
  via 4c320f756d5 s4:kdc: Refer to correct function in error messages
  via 7da7b81d4d2 s4:torture: Fix code spelling
  via d1755501625 s4:rpc_server: Fix code spelling
  via 2de67b71748 s4:kdc: Correct comments mentioning Heimdal
  via 9fd501dfec2 s4:kdc: Remove unnecessary casts
  via 0a202264d38 s4:dsdb: Access correct member of union
  via 3e076b374b9 s4:dsdb: Remove unnecessary casts
  via 939bd3d9a52 s4:auth: Fix code spelling
  via 816ceb27edc s3:registry: Fix code spelling
  via c68b8cf17c7 s3:lib: Use portable format specifiers
  via 44df47712a5 librpc:ndr: Format sizes as ‘size_t’
  via d35e7f10afe tsocket: Fix code spelling
  via a643ac45c12 lib/replace: Ensure that __STDC_WANT_LIB_EXT1__ is set to 1
  via 5b3a8aa5446 lib:krb5_wrap: Remove unnecessary cast
  via 578c1d39f5e ldb:ldb_sqlite3: Access correct member of union
  via 993ff0353b8 ldb: Fix code spelling
  via 830efcfe6b5 docs-xml: Fix code spelling
  via 28b84ac6846 auth: Use portable format specifier
  via 329bfe47d9e auth: Remove unnecessary casts
  from 57672e45e36 bootstrap: Install codespell
https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit c01c206d7652e5bc5d4134f786522a17729de403 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Fri Aug 11 10:54:52 2023 +1200 s4:kdc: Add get_claims_set_for_principal() Add a new function, get_claims_set_for_principal(), that returns the claims as a CLAIMS_SET structure rather than as a blob. To accommodate this, move the call to encode_claims_set() out of get_all_claims() and into get_claims_blob_for_principal(). Being able to get the unencoded claims will save us from having to decode claims that we just needlessly encoded. Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Autobuild-User(master): Andrew Bartlett <abart...@samba.org> Autobuild-Date(master): Mon Aug 14 05:51:45 UTC 2023 on atb-devel-224 commit 21e0c2589549daba3b0b211641c23ed0039adc30 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Fri Aug 11 12:21:16 2023 +1200 s4:kdc: Rename ‘claims_blob’ parameter to ‘claims_blob_out’ Just to make perfectly clear that it is an out parameter. Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 504a36f3208e020e6959f272b472ce2b9366141e Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Fri Aug 11 12:20:09 2023 +1200 s4:kdc: Rename get_claims_for_principal() to get_claims_blob_for_principal() Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit e6b78ef7f7ef2d9fc16aee3f7edfc31163fdf284 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Fri Aug 11 12:15:05 2023 +1200 s4:kdc: Ensure that we don’t dereference a NULL pointer 
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 58371c33e924ecb793f71871712025424f3e80b5 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Fri Aug 11 12:10:46 2023 +1200 s4:kdc: Properly allocate claims set on a talloc context Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit c6cd6b25ff1edf6b1983916087bef227ecb1a3cf Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Fri Aug 11 12:06:00 2023 +1200 s4:kdc: Remove ldb_context parameter as being no longer needed Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 78fc6fbb61c40efe6cd20b83270acb11348eb5aa Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Fri Aug 11 12:04:02 2023 +1200 s4:kdc: Have encode_claims_set return NTSTATUS This change will simplify things later. Probably. Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 365455b6a14b1f1e7e0b831ae28bb7996b5138a6 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Fri Aug 11 10:36:04 2023 +1200 s4:dsdb: Check for overflow in security_token_create() Overflow is unlikely ever to occur, but you never know. Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 479ebdd041a0992e443f0590822eb57c8063157d Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Fri Aug 11 10:35:43 2023 +1200 s4:dsdb: Make ‘sids’ parameter const Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 37c8c3432860f08f4324f3072d3804056a3db809 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Fri Aug 11 10:34:47 2023 +1200 s4:dsdb: Use uint32_t for ‘num_sids’ This matches the use of uint32_t for security_token::num_sids. 
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit c1061ae8a7b99175ac13612f86156717f8c73284 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Fri Aug 11 10:25:08 2023 +1200 s4:kdc: Free error message returned by krb5_get_error_message() Also check whether the message is NULL. Passing NULL to vasprintf() is undefined behaviour. Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 9d485b262a57439dfba6deff5e8c4fb7023a5d1f Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Fri Aug 11 10:23:10 2023 +1200 s4:kdc: Use common out path in mit_samba_kpasswd_change_password() Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit ab098c24314eb2b0745f71af62d8c396e5f8e8bf Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Fri Aug 11 10:21:07 2023 +1200 s4:kdc: Inline samba_get_claims_blob() Wrapping a function this simple doesn’t gain us very much. Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 63f798442ce48c0b35ada165a1421f6ae7f0a640 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Fri Aug 11 10:15:56 2023 +1200 s4:kdc: Don’t enforce a server authentication policy for the krbtgt As the server authentication policy will be non-NULL only for entries looked up as servers, the krbtgt shouldn’t have an authentication policy anyway. But we might as well be explicit. Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 914f1700991cca15fe9fd3d9e3174b044963049c Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Fri Aug 11 10:13:38 2023 +1200 s4:kdc: Switch to using samdb_result_dom_sid_buf() This function doesn’t require a heap allocation. We also check the result of the function, which we weren’t doing before. 
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 7d6ebfe4e33d71546d3f8705be18f1224c3474a7 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Fri Aug 11 10:08:57 2023 +1200 s4:kdc: Return krb5_error_code Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit fc99b903463ce06e55c1a2993ad5a4da809099df Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Fri Aug 11 10:07:55 2023 +1200 s4:kdc: Make some functions static Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit e67c0226183a9ef95ecb8ec8399f54650630806e Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Fri Aug 11 10:02:28 2023 +1200 s4:kdc: Return (possibly) more appropriate error codes This change ultimately won’t make much difference to responses, as unrecognized codes are mapped to ERR_GENERIC in any case. But it might provide some help for debugging. Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit e9e2dfa53528d475201df13afe8ab79f3ce4f5fb Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Fri Aug 11 09:57:11 2023 +1200 s4:auth: Check return value of talloc_new() Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 45ca5e23b84292f9854c6e1c86aafb2ef9425170 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Fri Aug 11 09:56:55 2023 +1200 s4:auth: Fix leaks Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 18569f81c0b1a425214784e0c0b0f26b732ba826 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Fri Aug 11 09:55:17 2023 +1200 s4:auth: Add missing space to error message 
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit dadfc06ce1a11660b036cb47059720285441ad75 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Fri Aug 11 09:28:31 2023 +1200 s4:kdc: Use type bool for ‘is_tgs’ Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 6e5e2f0b2cb9fe4ac00c794dd9f80156ad0c4d50 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Thu Aug 10 16:58:31 2023 +1200 s4:kdc: Erase key data If we’re going to zero the keys before freeing them, we might as well do it properly. Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 7dd13e8d8e634af53186d400cd59de588b32bf22 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Thu Aug 10 16:52:13 2023 +1200 s4:kdc: Ensure the value of h->len is accurate If we exited this function early due to an error, h->len would contain the number of elements that *ought* to be in h->val, but not all of those elements must have been initialized. Subsequently trying to free this partially-uninitialized structure with free_Keys() could have bad results. Avoid this by ensuring that h->len accurately reports the actual number of initialized elements. Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 7e496d774cd7264cf79e95ddc8d9e0e7bf45cb4b Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Thu Aug 10 16:35:52 2023 +1200 s4:kdc: Consistently zero HDB structures To these conversion functions we sometimes pass malloc-allocated HDB structures, which we free afterwards if conversion fails. If parts of these structures are still uninitialized when we try to free them, all sorts of fun things can result. 
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 75a1beeea8593fa2c98f4d798ddbf28d743ad095 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Thu Aug 10 16:33:24 2023 +1200 s4:kdc: Fix leaks of sdb_entry’s members Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit e54658728038dcb55ecfcc63cf48e211d73ee0cf Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Thu Aug 10 16:31:41 2023 +1200 s4:kdc: Fail PAC checksum verification if the krbtgt entry has no keys Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 406af84ba2d8c2bd46c0d0728fd64d00d1255bd6 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Thu Aug 10 16:17:51 2023 +1200 s4:kdc: Correctly report length of KDC packet If the data was received over TCP, it would have had four bytes subtracted from its length already, in kdc_tcp_call_loop(). Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit bb78ad7bd97855a50444a0b50376fbde11474586 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Thu Aug 10 16:17:06 2023 +1200 s4:kdc: Use portable format specifier Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 0f127875c8f8d3bb3420c55a92646accbecc9e9b Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Thu Aug 10 16:16:12 2023 +1200 s4:kdc: Correct error message 
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 84929c6855cb2c243e04eea7276ec96e14bcad9a Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Thu Aug 10 16:13:12 2023 +1200 s4:kdc: Return an error code if sdb_entry_to_hdb_entry() fails This condition was written backwards — if samba_kdc_fetch() returned zero, we would ignore any error code returned by sdb_entry_to_hdb_entry(). Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 93c0f35521a420f65b59d2ce7f9f99e3a1b21104 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Thu Aug 10 16:12:13 2023 +1200 s4:kdc: Fix code spelling Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit a5129c076319ec5577fb196102a9349fb105d70e Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Thu Aug 10 16:07:17 2023 +1200 s4:kdc: Fix leaks Use a temporary context to allocate these variables. Each variable that needs to be transferred to the caller is stolen onto an appropriate talloc context just prior to the function’s returning. Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit e9c275b4e0d6a69649f4b6e9cf1e587565400aff Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Thu Aug 10 15:25:50 2023 +1200 s4:kdc: Move calls to talloc_steal() out of the ‘out’ paths This simplifies the ‘out’ paths. Every code path that reaches ‘out’ via a goto ensures that ‘ret’ is set to a nonzero value. Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit bf78c60368ca03cbf18ab3254747dcdb206ff7fb Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Thu Aug 10 15:57:43 2023 +1200 s4:kdc: Remove unnecessary talloc context 
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 902ed79b226689bee7af3adb6459f38a22994d1e Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Thu Aug 10 15:55:53 2023 +1200 s4:kdc: Call krb5_free_principal() directly after to-be-freed principal is used This simplifies the ‘out’ path. Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 79738178ec2b18b1bca05b8eef37ce42d767a10c Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Thu Aug 10 15:54:21 2023 +1200 s4:kdc: Free samba_kdc_seq context on failure to allocate memory Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit bc1103e93b5af364f3f61c6e9729cda18500bd44 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Thu Aug 10 15:53:23 2023 +1200 s4:kdc: Check return value from ldb_dn_get_linearized() Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 09e13845aecb6b7e6e23a2ea4c8fccb8fe2a86f6 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Thu Aug 10 15:11:51 2023 +1200 s4:kdc: Fix leak of sdb_entry We should take the common ‘out’ path to ensure that we call sdb_entry_free() on the entry. Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 26e2e891d0cebd68555cf17df2e6bd9b819b606a Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Thu Aug 10 14:48:04 2023 +1200 s4:kdc: Ensure we don’t increase the value of entry->etypes->len The value of entry->etypes->len ought to be equal to that of entry->keys.len, and so should be nonzero. But it’s safer not to rely on that assumption. 
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 7cfddcbf3f02c8f2f18c527aba06cacdf6e499b0 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Thu Aug 10 14:46:34 2023 +1200 s4:kdc: Check result of samdb_result_dom_sid() We must not pass a NULL pointer into dom_sid_split_rid(). While we’re at it, switch to using samdb_result_dom_sid_buf(), which doesn’t require a heap allocation. Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit f34645b8f8ce55d3da0c5c0993970156c9441265 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Thu Aug 10 14:37:34 2023 +1200 s4:kdc: Initialize entry->modified_by If smb_krb5_make_principal() fails without setting the principal, sdb_entry_free() will try to free whatever memory the uninitialized member points to. Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit e035cfabc713c0a47f273fa61ab199ed0b563d98 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Thu Aug 10 14:27:55 2023 +1200 s4:kdc: Don’t log secret keys Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 0cf658cd10d3a2cee429615f3c01bb6bd4bd4ddb Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Wed Aug 9 10:47:08 2023 +1200 s4:kdc: Don’t issue forwardable or proxiable tickets to Protected Users If an authentication policy enforces a maximum TGT lifetime for a Protected User, that limit should stand in place of the four-hour limit usually applied to Protected Users; we should nevertheless continue to ensure that forwardable or proxiable tickets are not issued to such users. 
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 7026b08e23e2b64b1cbbaa2b95a14b6b4350cef0 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Wed Aug 9 11:05:05 2023 +1200 tests/krb5: Test that neither forwardable nor proxiable tickets are issued to Protected Users Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit c9d6a3dd66501187f5f7094bdee67a5a6bb764a8 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Fri Aug 11 09:42:25 2023 +1200 tests/krb5: Allow specifying KDC options when requesting a TGT Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit da89b86e528273b6a99295878f69b2b222487235 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Fri Aug 11 09:41:08 2023 +1200 tests/krb5: Allow specifying additional details for a test account Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit a5492d76d3b0d9f0fb2f5dd199e21cbdd96f6071 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Fri Aug 11 09:39:27 2023 +1200 tests/krb5: Split out new AuthnPolicyBaseTests class This class provides a useful base for other tests to build upon. Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 55c09c91eaa47ea75e7f77c3a46d6391f3923734 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Fri Aug 11 09:37:32 2023 +1200 tests/krb5: Move some functions round to prepare for splitting the class No effective code change. 
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 942cc0b6267f54fb4f35c588ac4b105b625787dd Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Mon Jul 31 12:29:26 2023 +1200 tests/krb5: Keep claim types for subsequent tests We want to be able to reuse them across several tests. Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit f552933760d2f2d0ddb2edff9c336b71bb765e9f Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Jul 18 16:05:25 2023 +1200 tests/krb5: Rename compatability_tests class We should not have two unrelated classes both named SimpleKerberosTests. Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 928f898e0a7cbb97993d0c4f4e3f9495c2b62bec Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Jul 18 15:55:10 2023 +1200 tests/krb5: Allow cached=True with an assigned silo or policy We might want to create an account with an assigned silo or policy in setUp() or setUpClass() to be reused in subsequent tests. Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 4c320f756d58c684302456af8c59500aca845155 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Fri Aug 11 09:33:41 2023 +1200 s4:kdc: Refer to correct function in error messages Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 7da7b81d4d2a866af5eef42d2a4d1752cd79288d Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Wed Aug 2 14:52:13 2023 +1200 s4:torture: Fix code spelling 
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit d1755501625614e4d5228f3cd09d9161bfb6ee52 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Wed Aug 9 16:04:03 2023 +1200 s4:rpc_server: Fix code spelling Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 2de67b7174813eb394952ceed386171340fe3757 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Wed Aug 9 16:13:20 2023 +1200 s4:kdc: Correct comments mentioning Heimdal Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 9fd501dfec22769813c087cd7680e353b730988c Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Wed Aug 9 16:54:38 2023 +1200 s4:kdc: Remove unnecessary casts Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 0a202264d388a74cd7630767de7b02b17949f651 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Wed Aug 2 15:32:05 2023 +1200 s4:dsdb: Access correct member of union Accessing the wrong member of a union invokes undefined behaviour. Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 3e076b374b9a53587094a821748ee344bf4764c5 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Wed Aug 9 16:54:24 2023 +1200 s4:dsdb: Remove unnecessary casts Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 939bd3d9a5219b326e7d895f302a829d035baf79 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Aug 8 12:38:39 2023 +1200 s4:auth: Fix code spelling 
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 816ceb27edcaf705d276f84c787665459cfdba32 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Aug 8 12:41:28 2023 +1200 s3:registry: Fix code spelling Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit c68b8cf17c731dca1dce99830c19b389f5806737 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Wed Aug 9 10:01:33 2023 +1200 s3:lib: Use portable format specifiers Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 44df47712a53618a6c9874eb45737b45582b6335 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Fri Aug 11 09:54:02 2023 +1200 librpc:ndr: Format sizes as ‘size_t’ Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit d35e7f10afedba0fc0a507962b6b52e542a51904 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Wed Aug 9 16:03:45 2023 +1200 tsocket: Fix code spelling Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit a643ac45c12d36e6f4a8ec6699ca0456aaf245a6 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Thu Aug 10 14:08:22 2023 +1200 lib/replace: Ensure that __STDC_WANT_LIB_EXT1__ is set to 1 Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 5b3a8aa54463b9ce762f501dc571622e04af584a Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Wed Aug 9 16:51:05 2023 +1200 lib:krb5_wrap: Remove unnecessary cast 
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 578c1d39f5eefd75df00ad087a3a231e9b99f448 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Wed Aug 2 15:31:29 2023 +1200 ldb:ldb_sqlite3: Access correct member of union Accessing the wrong member of a union invokes undefined behaviour. Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 993ff0353b867ddf886dbdc80cfd68c99d2d3d5c Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Wed Aug 9 16:03:32 2023 +1200 ldb: Fix code spelling Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 830efcfe6b54783c6ebac8449121a1a6b7bf1249 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Wed Aug 9 16:03:12 2023 +1200 docs-xml: Fix code spelling Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 28b84ac68460d5352b47063438d498832efd9500 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Thu Aug 10 11:29:52 2023 +1200 auth: Use portable format specifier Also, correctly format the value as unsigned. Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 329bfe47d9e59323ef5ec0fae014939a5ae5f440 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Wed Aug 9 16:50:44 2023 +1200 auth: Remove unnecessary casts 
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> ----------------------------------------------------------------------- Summary of changes: auth/credentials/credentials_ntlm.c | 4 +- auth/kerberos/kerberos_pac.c | 4 +- docs-xml/smbdotconf/security/ntlmauth.xml | 4 +- lib/krb5_wrap/krb5_samba.c | 2 +- lib/ldb/include/ldb.h | 10 +- lib/ldb/ldb_sqlite3/ldb_sqlite3.c | 12 +- lib/replace/replace.h | 2 +- lib/tsocket/tsocket.h | 14 +- librpc/ndr/libndr.h | 4 +- python/samba/tests/krb5/authn_policy_tests.py | 429 +++++++++++++++---------- python/samba/tests/krb5/compatability_tests.py | 4 +- python/samba/tests/krb5/kdc_base_test.py | 4 +- selftest/knownfail_heimdal_kdc | 7 +- selftest/knownfail_mit_kdc | 2 +- selftest/knownfail_mit_kdc_1_20 | 7 +- source3/lib/sysquotas.c | 24 +- source3/registry/reg_parse_internal.h | 2 +- source4/auth/kerberos/kerberos_pac.c | 4 +- source4/auth/system_session.c | 8 + source4/dsdb/common/util.c | 6 +- source4/dsdb/samdb/ldb_modules/acl_read.c | 19 +- source4/dsdb/samdb/ldb_modules/anr.c | 6 +- source4/dsdb/samdb/ldb_modules/operational.c | 6 +- source4/dsdb/samdb/ldb_modules/password_hash.c | 4 +- source4/dsdb/samdb/ldb_modules/resolve_oids.c | 14 +- source4/dsdb/samdb/samdb.c | 12 +- source4/dsdb/schema/schema_syntax.c | 6 +- source4/kdc/ad_claims.c | 131 +++++--- source4/kdc/ad_claims.h | 15 +- source4/kdc/db-glue.c | 121 +++---- source4/kdc/hdb-samba4.c | 4 +- source4/kdc/kdc-heimdal.c | 4 +- source4/kdc/kdc-server.c | 4 +- source4/kdc/kpasswd-service-heimdal.c | 8 +- source4/kdc/kpasswd-service-mit.c | 6 +- source4/kdc/mit_kdc_irpc.c | 1 + source4/kdc/mit_samba.c | 16 +- source4/kdc/pac-glue.c | 116 +++---- source4/kdc/pac-glue.h | 20 -- source4/kdc/sdb.c | 8 + source4/kdc/sdb_to_hdb.c | 13 +- source4/kdc/sdb_to_kdb.c | 2 +- source4/kdc/wdc-samba4.c | 14 +- source4/rpc_server/dcerpc_server.c | 2 +- source4/torture/basic/denytest.c | 2 +- 45 files changed, 643 insertions(+), 
464 deletions(-) Changeset truncated at 500 lines: diff --git a/auth/credentials/credentials_ntlm.c b/auth/credentials/credentials_ntlm.c index f30abc74fb0..a018be14c56 100644 --- a/auth/credentials/credentials_ntlm.c +++ b/auth/credentials/credentials_ntlm.c @@ -374,7 +374,7 @@ _PUBLIC_ bool cli_credentials_set_utf16_password(struct cli_credentials *cred, CH_UTF16MUNGED, CH_UTF8, password_utf16->data, password_utf16->length, - (void *)&password_talloc, + &password_talloc, &password_len); if (!ok) { TALLOC_FREE(nt_hash); @@ -424,7 +424,7 @@ _PUBLIC_ bool cli_credentials_set_old_utf16_password(struct cli_credentials *cre CH_UTF16MUNGED, CH_UTF8, password_utf16->data, password_utf16->length, - (void *)&password_talloc, + &password_talloc, &password_len); if (!ok) { TALLOC_FREE(nt_hash); diff --git a/auth/kerberos/kerberos_pac.c b/auth/kerberos/kerberos_pac.c index b914075d85c..8d3b467622d 100644 --- a/auth/kerberos/kerberos_pac.c +++ b/auth/kerberos/kerberos_pac.c @@ -62,8 +62,8 @@ krb5_error_code check_pac_checksum(DATA_BLOB pac_data, /* ok */ break; default: - DEBUG(2,("check_pac_checksum: Checksum Type %d is not supported\n", - (int)sig->type)); + DEBUG(2,("check_pac_checksum: Checksum Type %"PRIu32" is not supported\n", + sig->type)); return EINVAL; } diff --git a/docs-xml/smbdotconf/security/ntlmauth.xml b/docs-xml/smbdotconf/security/ntlmauth.xml index d7c84ccaf85..7ea38a4e0d8 100644 --- a/docs-xml/smbdotconf/security/ntlmauth.xml +++ b/docs-xml/smbdotconf/security/ntlmauth.xml @@ -16,7 +16,7 @@ authentication will still be forwarded to and NTLM authentication accepted against any domain we are joined to, and any trusted domain, even if disabled or if NTLMv2-only is enforced here. To - control NTLM authentiation for domain users, this must option must + control NTLM authentication for domain users, this option must be configured on each DC.</para> <para>By default with <command moreinfo="none">ntlm auth</command> set to 
@@ -33,7 +33,7 @@ <para><constant>ntlmv1-permitted</constant> (alias <constant>yes</constant>) - Allow NTLMv1 and above for all clients.</para> - <para>This is the required setting for to enable the <parameter + <para>This is the required setting to enable the <parameter moreinfo="none">lanman auth</parameter> parameter.</para> </listitem> diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c index 9488fcde7e2..18230603b29 100644 --- a/lib/krb5_wrap/krb5_samba.c +++ b/lib/krb5_wrap/krb5_samba.c @@ -323,7 +323,7 @@ int smb_krb5_create_key_from_string(krb5_context context, ok = convert_string_talloc(frame, CH_UNIX, CH_UTF16LE, password->data, password->length, - (void **)&utf16, &utf16_size); + &utf16, &utf16_size); if (!ok) { if (errno == 0) { errno = EINVAL; diff --git a/lib/ldb/include/ldb.h b/lib/ldb/include/ldb.h index 8bebd9fce1b..154671bc3a6 100644 --- a/lib/ldb/include/ldb.h +++ b/lib/ldb/include/ldb.h @@ -1559,7 +1559,7 @@ void ldb_set_utf8_default(struct ldb_context *ldb); \brief Casefold a string Note that the callback needs to be ASCII compatible. So first ASCII needs - to be handle before any UTF-8. This is needed to avoid issues with dottet + to be handle before any UTF-8. This is needed to avoid issues with dotted languages. \param ldb the ldb context @@ -1776,7 +1776,7 @@ char *ldb_ldif_message_string(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, 'const char * const *' within the LDB_SECRET_ATTRIBUTE_LIST opaque set on the ldb - \sa ldb_ldif_message_string for an exact representiation of the + \sa ldb_ldif_message_string for an exact representation of the message as LDIF */ char *ldb_ldif_message_redacted_string(struct ldb_context *ldb, 
@@ -1856,7 +1856,7 @@ int ldb_dn_extended_add_syntax(struct ldb_context *ldb, \param mem_ctx TALLOC context to return resulting ldb_dn structure on \param dn The new DN - \note The DN will not be parsed at this time. Use ldb_dn_validate to tell if the DN is syntacticly correct + \note The DN will not be parsed at this time. Use ldb_dn_validate to tell if the DN is syntactically correct */ struct ldb_dn *ldb_dn_new(TALLOC_CTX *mem_ctx, struct ldb_context *ldb, const char *dn); @@ -1876,7 +1876,7 @@ struct ldb_dn *ldb_dn_new_fmt(TALLOC_CTX *mem_ctx, struct ldb_context *ldb, cons \param mem_ctx TALLOC context to return resulting ldb_dn structure on \param dn The new DN - \note The DN will not be parsed at this time. Use ldb_dn_validate to tell if the DN is syntacticly correct + \note The DN will not be parsed at this time. Use ldb_dn_validate to tell if the DN is syntactically correct */ struct ldb_dn *ldb_dn_from_ldb_val(TALLOC_CTX *mem_ctx, struct ldb_context *ldb, const struct ldb_val *strdn); @@ -2196,7 +2196,7 @@ int ldb_set_debug(struct ldb_context *ldb, /** this allows the user to set custom utf8 function for error reporting. make - sure it is able to handle ASCII first, so it prevents issues with dottet + sure it is able to handle ASCII first, so it prevents issues with dotted languages. */ void ldb_set_utf8_fns(struct ldb_context *ldb, diff --git a/lib/ldb/ldb_sqlite3/ldb_sqlite3.c b/lib/ldb/ldb_sqlite3/ldb_sqlite3.c index 110fe2a98d4..26c7023be17 100644 --- a/lib/ldb/ldb_sqlite3/ldb_sqlite3.c +++ b/lib/ldb/ldb_sqlite3/ldb_sqlite3.c 
@@ -380,12 +380,12 @@ static char *parsetree_to_sql(struct ldb_module *module, value.data); case LDB_OP_GREATER: - attr = ldb_attr_casefold(mem_ctx, t->u.equality.attr); + attr = ldb_attr_casefold(mem_ctx, t->u.comparison.attr); if (attr == NULL) return NULL; a = ldb_schema_attribute_by_name(ldb, attr); /* Get a canonicalised copy of the data */ - a->syntax->canonicalise_fn(ldb, mem_ctx, &(t->u.equality.value), &value); + a->syntax->canonicalise_fn(ldb, mem_ctx, &(t->u.comparison.value), &value); if (value.data == NULL) { return NULL; } @@ -399,12 +399,12 @@ static char *parsetree_to_sql(struct ldb_module *module, attr); case LDB_OP_LESS: - attr = ldb_attr_casefold(mem_ctx, t->u.equality.attr); + attr = ldb_attr_casefold(mem_ctx, t->u.comparison.attr); if (attr == NULL) return NULL; a = ldb_schema_attribute_by_name(ldb, attr); /* Get a canonicalised copy of the data */ - a->syntax->canonicalise_fn(ldb, mem_ctx, &(t->u.equality.value), &value); + a->syntax->canonicalise_fn(ldb, mem_ctx, &(t->u.comparison.value), &value); if (value.data == NULL) { return NULL; } @@ -431,12 +431,12 @@ static char *parsetree_to_sql(struct ldb_module *module, attr); case LDB_OP_APPROX: - attr = ldb_attr_casefold(mem_ctx, t->u.equality.attr); + attr = ldb_attr_casefold(mem_ctx, t->u.comparison.attr); if (attr == NULL) return NULL; a = ldb_schema_attribute_by_name(ldb, attr); /* Get a canonicalised copy of the data */ - a->syntax->canonicalise_fn(ldb, mem_ctx, &(t->u.equality.value), &value); + a->syntax->canonicalise_fn(ldb, mem_ctx, &(t->u.comparison.value), &value); if (value.data == NULL) { return NULL; } diff --git a/lib/replace/replace.h b/lib/replace/replace.h index adcb22f8c19..a6a2b40777f 100644 --- a/lib/replace/replace.h +++ b/lib/replace/replace.h 
@@ -41,7 +41,7 @@ * As it's also needed when Python.h is the first header we * require a global -D__STDC_WANT_LIB_EXT1__=1 */ -#ifndef __STDC_WANT_LIB_EXT1__ +#if __STDC_WANT_LIB_EXT1__ != 1 #error -D__STDC_WANT_LIB_EXT1__=1 required #endif diff --git a/lib/tsocket/tsocket.h b/lib/tsocket/tsocket.h index cf95d8bec34..22eb758bccd 100644 --- a/lib/tsocket/tsocket.h +++ b/lib/tsocket/tsocket.h @@ -75,9 +75,9 @@ struct iovec; * @defgroup tsocket_address The tsocket_address abstraction * @ingroup tsocket * - * The tsocket_address represents an socket endpoint genericly. + * The tsocket_address represents an socket endpoint generically. * As it's like an abstract class it has no specific constructor. - * The specific constructors are descripted in later sections. + * The specific constructors are described in later sections. * * @{ */ @@ -278,7 +278,7 @@ ssize_t tdgram_sendto_recv(struct tevent_req *req, * * @param[in] ev The tevent_context to run on. * - * @param[in] dgram The dgram context diconnect from. + * @param[in] dgram The dgram context to disconnect from. * * @return Returns a 'tevent_req' handle, where the caller can * register a callback with tevent_req_set_callback(). @@ -551,7 +551,7 @@ int _tsocket_address_inet_from_strings(TALLOC_CTX *mem_ctx, * * @param[in] host_port_addr A valid ip address string based on the * selected family (dns names are not allowed!). A port - * number may follow sepatated by a colon. IPv6 may be + * number may follow separated by a colon. IPv6 may be * surrounded in square brackets, and these are required * if appending a port number. It's valid to pass NULL, * which gets mapped to "0.0.0.0" or "::". 
@@ -677,7 +677,7 @@ char *tsocket_address_unix_path(const struct tsocket_address *addr, * You can use this function to wrap an existing file descriptors into the * tdgram abstraction. After that you're not able to use this file descriptor * for anything else. The file descriptor will be closed when the stream gets - * freed. If you still want to use the fd you have have to create a duplicate. + * freed. If you still want to use the fd you have to create a duplicate. * * @param[in] mem_ctx The talloc memory context to use. * @@ -909,7 +909,7 @@ int _tstream_inet_tcp_connect_recv(struct tevent_req *req, * @brief Connect async to a unix domain endpoint and create a tstream_context * for the stream based communication. * - * Use this function to connenct asynchronously to a unix domainendpoint and + * Use this function to connect asynchronously to a unix domainendpoint and * create a tstream_context for the stream based communication. * * The callback is triggered when a socket is connected and ready for IO or an @@ -1087,7 +1087,7 @@ ssize_t tsocket_address_bsd_sockaddr(const struct tsocket_address *addr, * You can use this function to wrap an existing file descriptors into the * tstream abstraction. After that you're not able to use this file descriptor * for anything else. The file descriptor will be closed when the stream gets - * freed. If you still want to use the fd you have have to create a duplicate. + * freed. If you still want to use the fd you have to create a duplicate. * * @param[in] mem_ctx The talloc memory context to use. * diff --git a/librpc/ndr/libndr.h b/librpc/ndr/libndr.h index 2a80ba5df0a..568f7827184 100644 --- a/librpc/ndr/libndr.h +++ b/librpc/ndr/libndr.h 
@@ -476,13 +476,13 @@ enum ndr_compression_alg { #define NDR_PULL_ALLOC_N(ndr, s, n) do { \ _NDR_PULL_FIX_CURRENT_MEM_CTX(ndr);\ (s) = talloc_array_ptrtype(ndr->current_mem_ctx, (s), n); \ - if (unlikely(!(s))) return ndr_pull_error(ndr, NDR_ERR_ALLOC, "Alloc %u * %s failed: %s\n", (unsigned)n, # s, __location__); \ + if (unlikely(!(s))) return ndr_pull_error(ndr, NDR_ERR_ALLOC, "Alloc %zu * %s failed: %s\n", (size_t)n, # s, __location__); \ } while (0) #define NDR_PUSH_ALLOC_SIZE(ndr, s, size) do { \ (s) = talloc_array(ndr, uint8_t, size); \ - if (unlikely(!(s))) return ndr_push_error(ndr, NDR_ERR_ALLOC, "push alloc %u failed: %s\n", (unsigned)size, __location__); \ + if (unlikely(!(s))) return ndr_push_error(ndr, NDR_ERR_ALLOC, "push alloc %zu failed: %s\n", (size_t)size, __location__); \ } while (0) #define NDR_PUSH_ALLOC(ndr, s) do { \ diff --git a/python/samba/tests/krb5/authn_policy_tests.py b/python/samba/tests/krb5/authn_policy_tests.py index 213879e7e6e..adb8a9ae99a 100755 --- a/python/samba/tests/krb5/authn_policy_tests.py +++ b/python/samba/tests/krb5/authn_policy_tests.py @@ -160,7 +160,7 @@ def policy_check_fn(fn): return wrapper_fn -class AuthnPolicyTests(AuthLogTestBase, KdcTgsBaseTests): +class AuthnPolicyBaseTests(AuthLogTestBase, KdcTgsBaseTests): @classmethod def setUpClass(cls): super().setUpClass() @@ -178,11 +178,6 @@ class AuthnPolicyTests(AuthLogTestBase, KdcTgsBaseTests): cls._max_ticket_life = None cls._max_renew_life = None - def setUp(self): - super().setUp() - self.do_asn1_print = global_asn1_print - self.do_hexdump = global_hexdump - def take(self, n, iterable, *, take_all=True): """Yield n items from an iterable.""" i = -1 
@@ -262,7 +257,12 @@ class AuthnPolicyTests(AuthLogTestBase, KdcTgsBaseTests): ntlm=False, spn=None, allowed_rodc=None, - cached=True): + additional_details=None, + cached=None): + if cached is None: + # Policies and silos are rarely reused between accounts. + cached = assigned_policy is None and assigned_silo is None + opts = { 'kerberos_enabled': not ntlm, 'spn': spn, @@ -278,13 +278,13 @@ class AuthnPolicyTests(AuthLogTestBase, KdcTgsBaseTests): members += (member_of,) if assigned_policy is not None: opts['assigned_policy'] = str(assigned_policy.dn) - cached = False # Policies are rarely reused between accounts. if assigned_silo is not None: opts['assigned_silo'] = str(assigned_silo.dn) - cached = False # Silos are rarely reused between accounts. if allowed_rodc: opts['allowed_replication_mock'] = True opts['revealed_to_mock_rodc'] = True + if additional_details is not None: + opts['additional_details'] = self.freeze(additional_details) if members: opts['member_of'] = members 
@@ -957,6 +957,182 @@ class AuthnPolicyTests(AuthLogTestBase, KdcTgsBaseTests): audit_event=server_policy_event, reason=server_policy_reason) + def check_ticket_times(self, + ticket_creds, + expected_life=None, + expected_renew_life=None): + ticket = ticket_creds.ticket_private + + authtime = ticket['authtime'] + starttime = ticket.get('starttime', authtime) + endtime = ticket['endtime'] + renew_till = ticket.get('renew-till', None) + + starttime = self.get_EpochFromKerberosTime(starttime) + + if expected_life is not None: + actual_end = self.get_EpochFromKerberosTime( + endtime.decode('ascii')) + actual_lifetime = actual_end - starttime + + self.assertEqual(expected_life, actual_lifetime) + + if renew_till is None: + self.assertIsNone(expected_renew_life) + else: + if expected_renew_life is not None: + actual_renew_till = self.get_EpochFromKerberosTime( + renew_till.decode('ascii')) + actual_renew_life = actual_renew_till - starttime + + self.assertEqual(expected_renew_life, actual_renew_life) + + def _get_tgt(self, creds, *, + armor_tgt=None, + till=None, + kdc_options=None, + expected_flags=None, + unexpected_flags=None, + expected_error=0, + expect_status=None, + expected_status=None): + user_name = creds.get_username() + realm = creds.get_realm() + salt = creds.get_salt() + + cname = self.PrincipalName_create(name_type=NT_PRINCIPAL, + names=user_name.split('/')) + sname = self.PrincipalName_create(name_type=NT_SRV_INST, + names=['krbtgt', realm]) + expected_sname = self.PrincipalName_create( + name_type=NT_SRV_INST, names=['krbtgt', realm.upper()]) + + expected_cname = cname + + if till is None: + till = self.get_KerberosTime(offset=36000) + + renew_time = till + + krbtgt_creds = self.get_krbtgt_creds() + ticket_decryption_key = ( + self.TicketDecryptionKey_from_creds(krbtgt_creds)) + + expected_etypes = krbtgt_creds.tgs_supported_enctypes + + if kdc_options is None: + kdc_options = str(krb5_asn1.KDCOptions('renewable')) + # Contrary to Microsoft’s 
documentation, the returned ticket is + # renewable. + expected_flags = krb5_asn1.TicketFlags('renewable') + + preauth_key = self.PasswordKey_from_creds(creds, + kcrypto.Enctype.AES256) + + expected_realm = realm.upper() + + etypes = kcrypto.Enctype.AES256, kcrypto.Enctype.RC4 + + if armor_tgt is not None: + authenticator_subkey = self.RandomKey(kcrypto.Enctype.AES256) + armor_key = self.generate_armor_key(authenticator_subkey, + armor_tgt.session_key) + armor_subkey = authenticator_subkey + + client_challenge_key = self.generate_client_challenge_key( + armor_key, preauth_key) + enc_challenge_padata = self.get_challenge_pa_data( + client_challenge_key) + + def generate_fast_padata_fn(kdc_exchange_dict, + _callback_dict, + req_body): + return [enc_challenge_padata], req_body + + generate_fast_fn = self.generate_simple_fast + generate_fast_armor_fn = self.generate_ap_req + generate_padata_fn = None + + fast_armor_type = FX_FAST_ARMOR_AP_REQUEST + else: + ts_enc_padata = self.get_enc_timestamp_pa_data_from_key( + preauth_key) + + def generate_padata_fn(kdc_exchange_dict, + _callback_dict, + req_body): + return [ts_enc_padata], req_body + + generate_fast_fn = None + generate_fast_padata_fn = None + generate_fast_armor_fn = None + + armor_key = None + armor_subkey = None + + fast_armor_type = None + + if not expected_error: + check_error_fn = None + check_rep_fn = self.generic_check_kdc_rep + else: + check_error_fn = self.generic_check_kdc_error + check_rep_fn = None + + kdc_exchange_dict = self.as_exchange_dict( + creds=creds, + expected_error_mode=expected_error, + expect_status=expect_status, + expected_status=expected_status, + expected_crealm=expected_realm, + expected_cname=expected_cname, + expected_srealm=expected_realm, + expected_sname=expected_sname, + expected_salt=salt, + expected_flags=expected_flags, + unexpected_flags=unexpected_flags, + expected_supported_etypes=expected_etypes, + generate_padata_fn=generate_padata_fn, + 
generate_fast_padata_fn=generate_fast_padata_fn, + generate_fast_fn=generate_fast_fn, + generate_fast_armor_fn=generate_fast_armor_fn, + fast_armor_type=fast_armor_type, + check_error_fn=check_error_fn, + check_rep_fn=check_rep_fn, + check_kdc_private_fn=self.generic_check_kdc_private, + armor_key=armor_key, + armor_tgt=armor_tgt, + armor_subkey=armor_subkey, + kdc_options=kdc_options, + preauth_key=preauth_key, + ticket_decryption_key=ticket_decryption_key, + # PA-DATA types are not important for these tests. + check_patypes=False) + + rep = self._generic_kdc_exchange(kdc_exchange_dict, + cname=cname, + realm=realm, + sname=sname, + till_time=till, + renew_time=renew_time, + etypes=etypes) + if expected_error: + self.check_error_rep(rep, expected_error) + + return None + + self.check_as_reply(rep) + + ticket_creds = kdc_exchange_dict['rep_ticket_creds'] + return ticket_creds + + +class AuthnPolicyTests(AuthnPolicyBaseTests): + def setUp(self): + super().setUp() + self.do_asn1_print = global_asn1_print + self.do_hexdump = global_hexdump + def test_authn_policy_tgt_lifetime_user(self): -- Samba Shared Repository
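
Review bot: dropping the (int) cast in the DEBUG call in auth/kerberos/kerberos_pac.c (hunk @@ -62) is only correct if sig->type is declared as uint32_t, and that declaration is not visible in this hunk. If it is an enum or another integer type, %"PRIu32" with an uncast argument is a format/argument mismatch; either state the type in the commit message or keep an explicit (uint32_t) cast on the argument.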
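
Review bot: the rewritten comment line in lib/ldb/include/ldb.h (hunk @@ -1559) still reads "needs to be handle before any UTF-8". Since that line is already being changed for "dotted", fix it to "needs to be handled" in the same commit.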
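
Review bot: in the LDB_OP_GREATER case of parsetree_to_sql() in lib/ldb/ldb_sqlite3/ldb_sqlite3.c (hunk @@ -380), and in the same way in the LDB_OP_LESS and LDB_OP_APPROX hunks, the return value of a->syntax->canonicalise_fn() is discarded and failure is inferred only from value.data == NULL. That check is reliable only if value is zeroed before the call, which these hunks do not show. While the lines are being touched for the u.comparison fix, suggest testing the return code of canonicalise_fn() directly and returning NULL on error.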
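
Review bot: the corrected line in lib/tsocket/tsocket.h (hunk @@ -75) still says "represents an socket endpoint generically"; "an socket" should be "a socket" while the line is being edited.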
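
Review bot: the corrected line in lib/tsocket/tsocket.h (hunk @@ -909) fixes "connenct" but leaves "unix domainendpoint" on the same line; it should read "unix domain endpoint".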
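
Review bot: in NDR_PULL_ALLOC_N and NDR_PUSH_ALLOC_SIZE in librpc/ndr/libndr.h (hunk @@ -476), the macro arguments are cast without parentheses, as (size_t)n and (size_t)size, so a caller passing an expression such as a + b gets only its first operand cast before it reaches the %zu argument. Suggest (size_t)(n) and (size_t)(size) while these lines are being changed.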
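
Review bot: the new cached=None default in python/samba/tests/krb5/authn_policy_tests.py (hunk @@ -262) is an undocumented tri-state. None now means "cache unless assigned_policy or assigned_silo is set", and an explicit cached=True is honoured even with a policy or silo assigned, where the removed lines forced cached = False. A short comment or docstring entry on the parameter would make this visible to callers that relied on the old forcing behaviour.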
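
Review bot: in the new _get_tgt() helper in python/samba/tests/krb5/authn_policy_tests.py (hunk @@ -957), a caller-supplied expected_flags is silently overwritten whenever kdc_options is None, because the default branch assigns expected_flags = krb5_asn1.TicketFlags('renewable') unconditionally. Suggest assigning it only when expected_flags is None, or documenting that expected_flags is honoured only together with an explicit kdc_options. In check_ticket_times() in the same hunk, starttime is passed to get_EpochFromKerberosTime() as-is while endtime and renew_till go through .decode('ascii'); making the three consistent would avoid a type surprise.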