The branch, master has been updated via 091af82f759 s4:kdc: Don’t convey PAC buffers from an RODC‐issued PAC via 2733cd7b4c8 s4:kdc: Move return code checks closer to where the return codes are set via 1c1d402f362 s4:auth: Add comment about claims going ignored for SamLogon via bafd63bef31 s4:auth: Remove trailing whitespace via beaec758c9f tests/krb5: Add tests for AllowedToAuthenticateTo with SamLogon via c277a4d3631 tests/krb5: Add test for an authentication policy that allows a specific account via 64806f37ab0 tests/krb5: Correct authentication policy SDDL via 6b2de474888 tests/krb5: Remove unused parameter ‘expected_device_groups’ via f8fb8f028c9 tests/krb5: Remove unused parameter ‘expected_device_groups’ from d314fc5874e smbd: Make get_real_filename_cache_key() static in files.c
https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 091af82f75960c0c6abb04908b96051d9f53659d Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Nov 7 16:19:30 2023 +1300 s4:kdc: Don’t convey PAC buffers from an RODC‐issued PAC Such buffers are not to be trusted. Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Autobuild-User(master): Andrew Bartlett <abart...@samba.org> Autobuild-Date(master): Tue Nov 7 22:54:42 UTC 2023 on atb-devel-224 commit 2733cd7b4c8b6a65a764eb7710a0f3f755f96675 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Nov 7 16:22:41 2023 +1300 s4:kdc: Move return code checks closer to where the return codes are set Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 1c1d402f36290e3aec3133702e84bf3a9e5755a6 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Nov 7 11:45:50 2023 +1300 s4:auth: Add comment about claims going ignored for SamLogon Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit bafd63bef31f30809fe16d357a8e1ba92dc6f264 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Nov 7 11:43:36 2023 +1300 s4:auth: Remove trailing whitespace Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit beaec758c9ffed19f00e87cdd317f47c13ef7dd2 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Nov 7 11:10:59 2023 +1300 tests/krb5: Add tests for AllowedToAuthenticateTo with SamLogon 
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit c277a4d3631f2c1b5cd0a32bc5dfcccaafef9cb9 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Oct 17 12:01:34 2023 +1300 tests/krb5: Add test for an authentication policy that allows a specific account This is a counterpart to ‘test_conditional_ace_allowed_from_user_deny’. Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 64806f37ab08c51d2fac23d7f153c3b2f0c5d984 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Fri Nov 3 13:51:27 2023 +1300 tests/krb5: Correct authentication policy SDDL There is no claim called ‘abc’, so the condition ‘(abc)’ is always going to fail. Replace this with a condition using ‘Member_of’. Furthermore, an ACL containing only Deny ACEs will only ever deny. Add a trailing Allow ACE so that the ACL might allow other principals. Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 6b2de4748889a0b5674758169439cb7fb2106e7d Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Fri Nov 3 12:00:15 2023 +1300 tests/krb5: Remove unused parameter ‘expected_device_groups’ It was never passed in by any callers. Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit f8fb8f028c90887da6bbb0d1850fde398f667b7a Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Fri Nov 3 11:59:48 2023 +1300 tests/krb5: Remove unused parameter ‘expected_device_groups’ It was never passed in by any callers. 
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> ----------------------------------------------------------------------- Summary of changes: python/samba/tests/krb5/conditional_ace_tests.py | 274 +++++++++++++++++++++-- selftest/knownfail_heimdal_kdc | 10 - source4/auth/ntlm/auth_sam.c | 43 ++-- source4/kdc/pac-glue.c | 17 +- 4 files changed, 297 insertions(+), 47 deletions(-) Changeset truncated at 500 lines: diff --git a/python/samba/tests/krb5/conditional_ace_tests.py b/python/samba/tests/krb5/conditional_ace_tests.py index de26a920ae0..88507cce164 100755 --- a/python/samba/tests/krb5/conditional_ace_tests.py +++ b/python/samba/tests/krb5/conditional_ace_tests.py @@ -31,7 +31,7 @@ from string import Formatter import ldb from samba import dsdb, ntstatus -from samba.dcerpc import claims, krb5pac, security +from samba.dcerpc import claims, krb5pac, netlogon, security from samba.ndr import ndr_pack, ndr_unpack from samba.sd_utils import escaped_claim_id @@ -89,6 +89,11 @@ class ConditionalAceBaseTests(AuthnPolicyBaseTests): cls._mach_creds = self.get_cached_creds( account_type=self.AccountType.COMPUTER) + # Create an account with which to perform SamLogon. + cls._mach_creds_ntlm = self._get_creds( + account_type=self.AccountType.USER, + ntlm=True) + # Create some new groups. group0_name = self.get_new_username() @@ -110,6 +115,13 @@ class ConditionalAceBaseTests(AuthnPolicyBaseTests): account_type=self.AccountType.COMPUTER, opts={'member_of': (group1_dn,)}) + cls._member_of_both_creds_ntlm = self.get_cached_creds( + account_type=self.AccountType.USER, + opts={ + 'member_of': (group0_dn, group1_dn), + 'kerberos_enabled': False, + }) + # Create some authentication silos. cls._unenforced_silo = self.create_authn_silo(enforced=False) cls._enforced_silo = self.create_authn_silo(enforced=True) 
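Review bot: In the `@@ -89,6 +89,11 @@` hunk, `cls._mach_creds_ntlm` is created with `account_type=self.AccountType.USER`, so the `_mach_` prefix misdescribes it; the SamLogonTests hunk later uses it as the plain user that is a member of neither group, and a reader checking that case will expect a machine account. Either rename it along the lines of `cls._user_creds_ntlm` (which would also touch the four SamLogonTests methods) or make the comment carry the distinction: `# Create an NTLM-only user account (not a machine account) with which to perform SamLogon.` The enclosing setup method starts before the hunk.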
@@ -135,6 +147,16 @@ class ConditionalAceBaseTests(AuthnPolicyBaseTests): 'msDS-AuthNPolicySiloMembers', expect_attr=False) + cls._member_of_enforced_silo_ntlm = self._get_creds( + account_type=self.AccountType.USER, + assigned_silo=self._enforced_silo, + ntlm=True, + cached=True) + self.add_to_group(str(self._member_of_enforced_silo_ntlm.get_dn()), + self._enforced_silo.dn, + 'msDS-AuthNPolicySiloMembers', + expect_attr=False) + # Create a couple of multi‐valued string claims for testing claim # value comparisons. @@ -2428,7 +2450,6 @@ class ConditionalAceTests(ConditionalAceBaseTests): device_sids=None, device_claims=None, expected_groups=None, - expected_device_groups=None, expected_claims=None): try: code, crashes_windows = code @@ -2574,7 +2595,6 @@ class ConditionalAceTests(ConditionalAceBaseTests): ] expected_groups = self.map_sids(expected_groups, None, domain_sid_str) - expected_device_groups = self.map_sids(expected_device_groups, None, domain_sid_str) # Show that obtaining a service ticket with RBCD is allowed. self._tgs_req(service_tgt, code, service_creds, target_creds, @@ -2587,9 +2607,6 @@ class ConditionalAceTests(ConditionalAceBaseTests): decryption_key=target_decryption_key, expected_sid=client_sid, expected_groups=expected_groups, - expect_device_info=bool(expected_device_groups) or None, - expected_device_domain_sid=domain_sid_str, - expected_device_groups=expected_device_groups, expect_client_claims=bool(expected_claims) or None, expected_client_claims=expected_claims, expected_supported_etypes=target_etypes, @@ -3170,7 +3187,6 @@ class ConditionalAceTests(ConditionalAceBaseTests): device_sids=None, device_claims=None, expected_groups=None, - expected_device_groups=None, expected_claims=None): try: code, crashes_windows = code 
@@ -3184,7 +3200,6 @@ class ConditionalAceTests(ConditionalAceBaseTests): self.assertIsNone(device_from_rodc) self.assertIsNone(device_sids) self.assertIsNone(device_claims) - self.assertIsNone(expected_device_groups) if client_from_rodc is None: client_from_rodc = False @@ -3279,7 +3294,6 @@ class ConditionalAceTests(ConditionalAceBaseTests): domain_sid_str = samdb.get_domain_sid() expected_groups = self.map_sids(expected_groups, None, domain_sid_str) - expected_device_groups = self.map_sids(expected_device_groups, None, domain_sid_str) # Show that obtaining a service ticket is allowed. self._tgs_req(client_tgt, code, client_creds, target_creds, @@ -3289,9 +3303,6 @@ class ConditionalAceTests(ConditionalAceBaseTests): decryption_key=target_decryption_key, expected_sid=client_sid, expected_groups=expected_groups, - expect_device_info=bool(expected_device_groups) or None, - expected_device_domain_sid=domain_sid_str, - expected_device_groups=expected_device_groups, expect_client_claims=bool(expected_claims) or None, expected_client_claims=expected_claims, expected_supported_etypes=target_etypes, 
@@ -3305,6 +3316,34 @@ class ConditionalAceTests(ConditionalAceBaseTests): event=event, reason=reason) + def test_conditional_ace_allowed_from_user_allow(self): + # Create a machine account with which to perform FAST. + mach_creds = self.get_cached_creds( + account_type=self.AccountType.COMPUTER) + mach_tgt = self.get_tgt(mach_creds) + + # Create an authentication policy that explicitly allows the machine + # account for a user. + allowed = (f'O:SYD:(XA;;CR;;;{mach_creds.get_sid()};' + f'(Member_of SID({mach_creds.get_sid()})))') + denied = 'O:SYD:(D;;CR;;;WD)' + policy = self.create_authn_policy(enforced=True, + user_allowed_from=allowed, + service_allowed_from=denied) + + # Create a user account with the assigned policy. + client_creds = self._get_creds(account_type=self.AccountType.USER, + assigned_policy=policy) + + # Show that authentication succeeds. + self._get_tgt(client_creds, armor_tgt=mach_tgt, + expected_error=0) + + self.check_as_log( + client_creds, + armor_creds=mach_creds, + client_policy=policy) + def test_conditional_ace_allowed_from_user_deny(self): # Create a machine account with which to perform FAST. mach_creds = self.get_cached_creds( @@ -3314,7 +3353,9 @@ class ConditionalAceTests(ConditionalAceBaseTests): # Create an authentication policy that explicitly denies the machine # account for a user. allowed = 'O:SYD:(A;;CR;;;WD)' - denied = f'O:SYD:(XD;;CR;;;{mach_creds.get_sid()};(abc))' + denied = (f'O:SYD:(XD;;CR;;;{mach_creds.get_sid()};' + f'(Member_of SID({mach_creds.get_sid()})))' + f'(A;;CR;;;WD)') policy = self.create_authn_policy(enforced=True, user_allowed_from=denied, service_allowed_from=allowed) 
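Review bot: In the `@@ -3314,7 +3353,9 @@` hunk the trailing `(A;;CR;;;WD)` appended to `denied` is load-bearing but the code does not say why; the reason (an ACL made only of Deny ACEs denies every principal, so the test could not tell a matched conditional deny from a blanket deny) lives only in the commit message. Suggest a comment above the assignment: `# A trailing Allow ACE is required: an ACL consisting only of Deny ACEs would deny every principal, not just the machine account.` The same applies to the `denied = 'O:SYD:(D;;CR;;;WD)'` in the new `test_conditional_ace_allowed_from_user_allow`, where a one-line note that the service policy is deliberately a blanket deny would stop a reader from looking for a condition that is not there.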
@@ -5333,6 +5374,213 @@ class TgsReqServicePolicyTests(ConditionalAceBaseTests): client_policy=client_policy) +class SamLogonTests(ConditionalAceBaseTests): + # These tests show that although conditional ACEs work with SamLogon, + # claims do not appear to be used at all. + + def test_samlogon_allowed_to_computer_member_of(self): + # Create an authentication policy that applies to a computer and + # requires that the account should belong to both groups. + allowed = (f'O:SYD:(XA;;CR;;;WD;(Member_of ' + f'{{SID({self._group0_sid}), SID({self._group1_sid})}}))') + policy = self.create_authn_policy(enforced=True, + computer_allowed_to=allowed) + + # Create a computer account with the assigned policy. + target_creds = self._get_creds(account_type=self.AccountType.COMPUTER, + assigned_policy=policy) + + # When the account is a member of both groups, network SamLogon + # succeeds. + self._test_samlogon(creds=self._member_of_both_creds_ntlm, + domain_joined_mach_creds=target_creds, + logon_type=netlogon.NetlogonNetworkInformation) + + self.check_samlogon_network_log(self._member_of_both_creds_ntlm, + server_policy=policy) + + # Interactive SamLogon also succeeds. + self._test_samlogon(creds=self._member_of_both_creds_ntlm, + domain_joined_mach_creds=target_creds, + logon_type=netlogon.NetlogonInteractiveInformation) + + self.check_samlogon_interactive_log(self._member_of_both_creds_ntlm, + server_policy=policy) + + # When the account is a member of neither group, network SamLogon + # fails. + self._test_samlogon( + creds=self._mach_creds_ntlm, + domain_joined_mach_creds=target_creds, + logon_type=netlogon.NetlogonNetworkInformation, + expect_error=ntstatus.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED) + + self.check_samlogon_network_log( + self._mach_creds_ntlm, + server_policy=policy, + server_policy_status=ntstatus.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED, + event=AuditEvent.NTLM_SERVER_RESTRICTION, + reason=AuditReason.ACCESS_DENIED) + + # Interactive SamLogon also fails. 
+ self._test_samlogon( + creds=self._mach_creds_ntlm, + domain_joined_mach_creds=target_creds, + logon_type=netlogon.NetlogonInteractiveInformation, + expect_error=ntstatus.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED) + + self.check_samlogon_interactive_log( + self._mach_creds_ntlm, + server_policy=policy, + server_policy_status=ntstatus.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED, + event=AuditEvent.NTLM_SERVER_RESTRICTION, + reason=AuditReason.ACCESS_DENIED) + + def test_samlogon_allowed_to_service_member_of(self): + # Create an authentication policy that applies to a managed service and + # requires that the account should belong to both groups. + allowed = (f'O:SYD:(XA;;CR;;;WD;(Member_of ' + f'{{SID({self._group0_sid}), SID({self._group1_sid})}}))') + policy = self.create_authn_policy(enforced=True, + service_allowed_to=allowed) + + # Create a managed service account with the assigned policy. + target_creds = self._get_creds( + account_type=self.AccountType.MANAGED_SERVICE, + assigned_policy=policy) + + # When the account is a member of both groups, network SamLogon + # succeeds. + self._test_samlogon(creds=self._member_of_both_creds_ntlm, + domain_joined_mach_creds=target_creds, + logon_type=netlogon.NetlogonNetworkInformation) + + self.check_samlogon_network_log(self._member_of_both_creds_ntlm, + server_policy=policy) + + # Interactive SamLogon also succeeds. + self._test_samlogon(creds=self._member_of_both_creds_ntlm, + domain_joined_mach_creds=target_creds, + logon_type=netlogon.NetlogonInteractiveInformation) + + self.check_samlogon_interactive_log(self._member_of_both_creds_ntlm, + server_policy=policy) + + # When the account is a member of neither group, network SamLogon + # fails. 
+ self._test_samlogon( + creds=self._mach_creds_ntlm, + domain_joined_mach_creds=target_creds, + logon_type=netlogon.NetlogonNetworkInformation, + expect_error=ntstatus.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED) + + self.check_samlogon_network_log( + self._mach_creds_ntlm, + server_policy=policy, + server_policy_status=ntstatus.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED, + event=AuditEvent.NTLM_SERVER_RESTRICTION, + reason=AuditReason.ACCESS_DENIED) + + # Interactive SamLogon also fails. + self._test_samlogon( + creds=self._mach_creds_ntlm, + domain_joined_mach_creds=target_creds, + logon_type=netlogon.NetlogonInteractiveInformation, + expect_error=ntstatus.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED) + + self.check_samlogon_interactive_log( + self._mach_creds_ntlm, + server_policy=policy, + server_policy_status=ntstatus.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED, + event=AuditEvent.NTLM_SERVER_RESTRICTION, + reason=AuditReason.ACCESS_DENIED) + + def test_samlogon_allowed_to_computer_silo(self): + # Create an authentication policy that applies to a computer and + # requires that the account belong to the enforced silo. + allowed = (f'O:SYD:(XA;;CR;;;WD;' + f'(@User.ad://ext/AuthenticationSilo == ' + f'"{self._enforced_silo}"))') + policy = self.create_authn_policy(enforced=True, + computer_allowed_to=allowed) + + # Create a computer account with the assigned policy. + target_creds = self._get_creds(account_type=self.AccountType.COMPUTER, + assigned_policy=policy) + + # Even though the account is a member of the silo, its claims are + # ignored, and network SamLogon fails. 
+ self._test_samlogon( + creds=self._member_of_enforced_silo_ntlm, + domain_joined_mach_creds=target_creds, + logon_type=netlogon.NetlogonNetworkInformation, + expect_error=ntstatus.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED) + + self.check_samlogon_network_log( + self._member_of_enforced_silo_ntlm, + server_policy=policy, + server_policy_status=ntstatus.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED, + event=AuditEvent.NTLM_SERVER_RESTRICTION, + reason=AuditReason.ACCESS_DENIED) + + # Interactive SamLogon also fails. + self._test_samlogon( + creds=self._member_of_enforced_silo_ntlm, + domain_joined_mach_creds=target_creds, + logon_type=netlogon.NetlogonInteractiveInformation, + expect_error=ntstatus.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED) + + self.check_samlogon_interactive_log( + self._member_of_enforced_silo_ntlm, + server_policy=policy, + server_policy_status=ntstatus.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED, + event=AuditEvent.NTLM_SERVER_RESTRICTION, + reason=AuditReason.ACCESS_DENIED) + + def test_samlogon_allowed_to_service_silo(self): + # Create an authentication policy that applies to a managed service and + # requires that the account belong to the enforced silo. + allowed = (f'O:SYD:(XA;;CR;;;WD;' + f'(@User.ad://ext/AuthenticationSilo == ' + f'"{self._enforced_silo}"))') + policy = self.create_authn_policy(enforced=True, + service_allowed_to=allowed) + + # Create a managed service account with the assigned policy. + target_creds = self._get_creds( + account_type=self.AccountType.MANAGED_SERVICE, + assigned_policy=policy) + + # Even though the account is a member of the silo, its claims are + # ignored, and network SamLogon fails. 
+ self._test_samlogon( + creds=self._member_of_enforced_silo_ntlm, + domain_joined_mach_creds=target_creds, + logon_type=netlogon.NetlogonNetworkInformation, + expect_error=ntstatus.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED) + + self.check_samlogon_network_log( + self._member_of_enforced_silo_ntlm, + server_policy=policy, + server_policy_status=ntstatus.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED, + event=AuditEvent.NTLM_SERVER_RESTRICTION, + reason=AuditReason.ACCESS_DENIED) + + # Interactive SamLogon also fails. + self._test_samlogon( + creds=self._member_of_enforced_silo_ntlm, + domain_joined_mach_creds=target_creds, + logon_type=netlogon.NetlogonInteractiveInformation, + expect_error=ntstatus.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED) + + self.check_samlogon_interactive_log( + self._member_of_enforced_silo_ntlm, + server_policy=policy, + server_policy_status=ntstatus.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED, + event=AuditEvent.NTLM_SERVER_RESTRICTION, + reason=AuditReason.ACCESS_DENIED) + + if __name__ == '__main__': global_asn1_print = False global_hexdump = False diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc index 52d6a10de1f..62eab29cf5c 100644 --- a/selftest/knownfail_heimdal_kdc +++ b/selftest/knownfail_heimdal_kdc @@ -35,10 +35,6 @@ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_rodc_not_revealed ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_not_revealed # -# Extra PAC buffers tests -# -^samba\.tests\.krb5\.kdc_tgs_tests\.samba\.tests\.krb5\.kdc_tgs_tests\.KdcTgsTests\.test_tgs_req_from_rodc_extra_pac_buffers\(ad_dc\)$ -# # Protected Users tests # # This test fails, which is fine, as we have an alternate test that considers a policy error as successful. 
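Review bot: The two silo tests in the `@@ -5333,6 +5374,213 @@` hunk assert `NT_STATUS_AUTHENTICATION_FIREWALL_FAILED` for an account that *is* in the enforced silo, which turns the class-level observation "claims do not appear to be used at all" into required behaviour, but nothing at the assertion site says so; if SamLogon ever starts evaluating claims these tests will flip and look like regressions. Add a comment at each denied silo call such as `# Claims are not evaluated for SamLogon, so silo membership cannot satisfy this policy and both logon types are rejected.` Separately, the network+interactive "denied" sequence (two `_test_samlogon` calls and two log checks) is repeated verbatim four times across the class, and the "allowed" sequence twice; a small helper as sketched below keeps each test to its policy setup and one call, and gives the claims caveat a single home.

```python
    def _check_samlogon_denied(self, creds, target_creds, policy):
        # Run a network and an interactive SamLogon that the policy must
        # reject, and check that both are logged as NTLM server restrictions.
        for logon_type, check_log in (
                (netlogon.NetlogonNetworkInformation,
                 self.check_samlogon_network_log),
                (netlogon.NetlogonInteractiveInformation,
                 self.check_samlogon_interactive_log)):
            self._test_samlogon(
                creds=creds,
                domain_joined_mach_creds=target_creds,
                logon_type=logon_type,
                expect_error=ntstatus.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED)

            check_log(
                creds,
                server_policy=policy,
                server_policy_status=ntstatus.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED,
                event=AuditEvent.NTLM_SERVER_RESTRICTION,
                reason=AuditReason.ACCESS_DENIED)

    def test_samlogon_allowed_to_computer_silo(self):
        # … unchanged: policy and target account creation …

        # Claims are not evaluated for SamLogon, so silo membership cannot
        # satisfy this policy and both logon types are rejected.
        self._check_samlogon_denied(self._member_of_enforced_silo_ntlm,
                                    target_creds, policy)
```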
@@ -156,14 +152,8 @@ ^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_pac_device_info_no_claims_valid_existing_device_info_target_policy\(ad_dc\)$ ^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_pac_device_info_no_claims_valid_existing_device_info\(ad_dc\)$ ^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_pac_device_info_no_claims_valid_rodc_issued\(ad_dc\)$ -^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_pac_device_info_no_compound_id_support_existing_device_claims_rodc_issued\(ad_dc\)$ ^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_pac_device_info_no_compound_id_support_existing_device_claims_target_policy\(ad_dc\)$ ^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_pac_device_info_no_compound_id_support_existing_device_claims\(ad_dc\)$ -^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_pac_device_info_no_compound_id_support_existing_device_info_and_claims_rodc_issued\(ad_dc\)$ -^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_pac_device_info_no_compound_id_support_existing_device_info_rodc_issued\(ad_dc\)$ -^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_pac_device_info_no_compound_id_support_no_claims_valid_existing_device_claims_rodc_issued\(ad_dc\)$ 
^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_pac_device_info_no_compound_id_support_no_claims_valid_existing_device_claims_target_policy\(ad_dc\)$ ^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_pac_device_info_no_compound_id_support_no_claims_valid_existing_device_claims\(ad_dc\)$ -^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_pac_device_info_no_compound_id_support_no_claims_valid_existing_device_info_and_claims_rodc_issued\(ad_dc\)$ -^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_pac_device_info_no_compound_id_support_no_claims_valid_existing_device_info_rodc_issued\(ad_dc\)$ ^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_pac_device_info_rodc_issued\(ad_dc\)$ diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c index 0c48b9c0b6a..d12045d8e1c 100644 --- a/source4/auth/ntlm/auth_sam.c +++ b/source4/auth/ntlm/auth_sam.c 
@@ -1,20 +1,20 @@ -/* +/* Unix SMB/CIFS implementation. Password and authentication handling Copyright (C) Andrew Bartlett <abart...@samba.org> 2001-2009 Copyright (C) Gerald Carter 2003 Copyright (C) Stefan Metzmacher 2005-2010 - + This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. - + This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. - + You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>. */ @@ -61,16 +61,16 @@ static NTSTATUS authsam_password_ok(struct auth4_context *auth_context, struct smb_krb5_context *smb_krb5_context, const DATA_BLOB *stored_aes_256_key, const krb5_data *salt, - const struct auth_usersupplied_info *user_info, - DATA_BLOB *user_sess_key, + const struct auth_usersupplied_info *user_info, + DATA_BLOB *user_sess_key, DATA_BLOB *lm_sess_key) { NTSTATUS status; switch (user_info->password_state) { - case AUTH_PASSWORD_PLAIN: + case AUTH_PASSWORD_PLAIN: { - const struct auth_usersupplied_info *user_info_temp; + const struct auth_usersupplied_info *user_info_temp; if (nt_pwd == NULL && stored_aes_256_key != NULL && user_info->password.plaintext != NULL) { bool pw_equal; @@ -111,8 +111,8 @@ static NTSTATUS authsam_password_ok(struct auth4_context *auth_context, return NT_STATUS_OK; } - status = encrypt_user_info(mem_ctx, auth_context, - AUTH_PASSWORD_HASH, + status = encrypt_user_info(mem_ctx, auth_context, + AUTH_PASSWORD_HASH, user_info, &user_info_temp); if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("Failed to convert plaintext password to password HASH: %s\n", nt_errstr(status))); 
@@ -125,7 +125,7 @@ static NTSTATUS authsam_password_ok(struct auth4_context *auth_context, case AUTH_PASSWORD_HASH: *lm_sess_key = data_blob(NULL, 0); *user_sess_key = data_blob(NULL, 0); - status = hash_password_check(mem_ctx, + status = hash_password_check(mem_ctx, false, lpcfg_ntlm_auth(auth_context->lp_ctx), NULL, @@ -134,18 +134,18 @@ static NTSTATUS authsam_password_ok(struct auth4_context *auth_context, NULL, nt_pwd); NT_STATUS_NOT_OK_RETURN(status); break; - + case AUTH_PASSWORD_RESPONSE: - status = ntlm_password_check(mem_ctx, + status = ntlm_password_check(mem_ctx, false, lpcfg_ntlm_auth(auth_context->lp_ctx), - user_info->logon_parameters, - &auth_context->challenge.data, - &user_info->password.response.lanman, + user_info->logon_parameters, + &auth_context->challenge.data, + &user_info->password.response.lanman, &user_info->password.response.nt, user_info->mapped.account_name, - user_info->client.account_name, - user_info->client.domain_name, + user_info->client.account_name, + user_info->client.domain_name, NULL, nt_pwd, -- Samba Shared Repository