[SCM] Samba Shared Repository - branch master updated

The branch, master has been updated
       via  86b6353644d python:join: run domain adprep as part of join_provision_own_domain()
       via  4bba26579d1 python:provision: run adprep as part of provision
       via  f6d9f3760f7 samba-tool: let 'domain provision' to use the 2019 schema by default
       via  90faa58e7fb samba-tool: let 'domain schemaupgrade' to use the 2019 schema by default
       via  245a8aaf41f samba-tool: let 'domain functionalprep' to use functional level 2016 by default
       via  da74c3fde10 samba-tool: allow 'domain level raise' to support level 2016
       via  e855fe20681 python/samba: let get_domain_descriptor() include adprep 2016 ACEs
       via  1e024f6568e domain_update: implement updates 82-89 in order to reach the latest w2016 level
       via  c8f8efb31e9 forest_update: behave more like a Windows 2022 server
       via  c405f211760 setup/adprep: import the latest {Domain-Wide,Forest-Wide,Read-Only-Domain-Controller,Schema}-Updates.md
       via  c4b87dd50de setup/ad-schema: add the latest v1803 and v1903 schema files from Microsoft
       via  dcce25ae8a7 python/samba: adapt ms_schema[_markdown].py to the latest schema definitions
       via  b2fbfa0ff1c python/samba: adapt ms_forest_updates_markdown.py to the latest Forest-Wide-Updates.md
       via  17ce8beac3f python/samba: add support for LDB_CHANGETYPE_MODRDN to modify_ldif()
       via  167f0235865 lib/ldb: add LDB_CHANGETYPE_MODRDN support to ldb_ldif_to_pyobject()
       via  5011221996f python/samba: add support for LDB_CHANGETYPE_DELETE to modify_ldif()
       via  7055ec0a0b9 lib/ldb: add LDB_CHANGETYPE_DELETE support to ldb_ldif_to_pyobject()
       via  3ad3c1a69d0 python/samba: let modify_ldif() verify the changetype value
       via  e24e7b96338 lib/ldb: re-order code in ldb_ldif_to_pyobject()
       via  cc5df80152d lib/ldb: let ldb_ldif_parse_modrdn() handle names without 'rdn_name=' prefix
       via  f860e19c846 domain_update: make use of self.sd_utils.update_aces_in_dacl()
       via  a3dac8efe4b domain_update: remove useless searches to '(objectClass=samDomain)'
       via  c87f2606ae3 domain_update: make use of '"CN"' in sddl instead of using an explicit SID
       via  a10f4f7cd25 domain_update: be more verbose about updates
       via  a8c0e82f928 forest_update: be more verbose about updates
       via  65275acf058 forest_update: make use of self.sd_utils.update_aces_in_dacl()
       via  a89b158d3f1 forest_update: we don't need any controls to update sddl attributes
       via  f1f79a2e4b1 forest_update: only update SDDL for schema objects
       via  838a36c743c forest_update: ignore ldb.ERR_ATTRIBUTE_OR_VALUE_EXISTS in operation_ldif()
       via  7fe87d3c8de functional_prep: fix error handling in order to stop on the first error
       via  65653bb02c2 schema_upgrade: add support for ntdsschemamodrdn and ntdsschemadelete
       via  65294d56bdf python/tests: use changetype: modify in order to delete a single attribute
       via  c35ae5a77d5 s4:dsdb/tests: use changetype: modify in order to delete a single attribute
       via  01400b59803 blackbox/dbcheck: also run currently unused dbcheck_reset_well_known_acls
       via  bb09c06d6d5 libcli/security: rewrite calculate_inherited_from_parent()
       via  a0217c50e92 s4:dsdb/tests: add more detailed tests to sec_descriptor.py
       via  731c85add11 s4:dsdb/tests: allow sec_descriptor.py to run against Windows 2022
       via  6de4849f9ca s4:dsdb/tests: convert sec_descriptor.py to use assert[Not]In()
       via  2436d621d19 s4:dsdb/tests: let AclUndeleteTests.test_undelete() remove the temporary ACE again
       via  e0a8e043d33 s4:dsdb/tests: let OwnerGroupDescriptorTests() remove temporary ACEs on cleanup
       via  7b0d5285361 s4:dsdb/tests: let OwnerGroupDescriptorTests.test_141() set the required ACE explicitly
      from  7e3cbc2c641 s4:kdc: Fix typo

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -

commit 86b6353644dc9e32d250efffab13ebde7009477d
Author: Stefan Metzmacher
Date:   Fri Mar 17 16:48:26 2023 +0100

    python:join: run domain adprep as part of join_provision_own_domain()

    This is currently unused as we don't support more than one domain
    per forest, but it will help in future.

    Signed-off-by: Stefan Metzmacher
    Reviewed-by: Andrew Bartlett

    Autobuild-User(master): Andrew Bartlett
    Autobuild-Date(master): Wed Mar 22 23:05:39 UTC 2023 on atb-devel-224

commit 4bba26579d124af6c0767bb98bee67357001e1e7
Author: Stefan Metzmacher
Date:   Fri Mar 17 16:48:26 2023 +0100

    python:provision: run adprep as part of provision

    With the default of base_schema=2019 we'll adprep to 2016.

    Signed-off-by: Stefan Metzmacher
    Reviewed-by: Andrew Bartlett

commit f6d9f3760f7df8595a3882b3ad526326abbba1ca
Author: Stefan Metzmacher
Date:   Thu Feb 23 15:05:01 2023 +0100
[SCM] Samba Shared Repository - branch master updated

The branch, master has been updated
       via  7e3cbc2c641 s4:kdc: Fix typo
       via  9d59e42a2ba s4:kdc: Split samba_kdc_get_pac_blobs() into smaller functions
       via  c7b00ccc76f s4:kdc: Rename claims_blob to client_claims_blob
       via  fbed57b86bc s4:kdc: Fix leak
       via  9c4f7e4b339 s4:kdc: Don't modify cached user_info_dc SIDs
       via  c62937822d8 s4:kdc: Don't check PAC-OPTIONS claims-supported bit
       via  3e97ea3f35e s4:kdc: Have samba_kdc_update_pac() take device parameters
       via  a326aec4c04 s4:kdc: Don't pass a NULL pointer to krb5_pac_add_buffer()
       via  1a625702e81 libcli/security: Correctly handle ACL deletion
       via  545b40a70b0 s4/dsdb/repl_meta_data: Pass NULL into ldb_msg_add_empty
       via  211d19a04c3 ldb: Don't create error string if there is no error
      from  6241380bc52 samba-tool: rewrite dsacl.py to use the new sd_utils helpers

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -

commit 7e3cbc2c6418a876ab4770f1fd5ff12e8c8dae9d
Author: Joseph Sutton
Date:   Tue Mar 21 09:43:01 2023 +1300

    s4:kdc: Fix typo

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

    Autobuild-User(master): Andrew Bartlett
    Autobuild-Date(master): Wed Mar 22 19:36:28 UTC 2023 on atb-devel-224

commit 9d59e42a2bacf53eda99f0a3d96f9ce4088b1ddc
Author: Joseph Sutton
Date:   Mon Mar 20 15:16:21 2023 +1300

    s4:kdc: Split samba_kdc_get_pac_blobs() into smaller functions

    Instead of having one large function that returns every PAC blob, we
    now have a more manageable assortment of smaller functions that each
    return one blob. That gives us more fine-grained handling of PAC
    blobs, with callers now able to procure only the specific blobs that
    they need.

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit c7b00ccc76f4a055dd761c929c23b014b214c4f5
Author: Joseph Sutton
Date:   Mon Mar 20 15:13:39 2023 +1300

    s4:kdc: Rename claims_blob to client_claims_blob

    This will not be the only claims blob. Later there will also be a
    device_claims_blob.

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit fbed57b86bc5b358a7373c134ce26a012b4280ef
Author: Joseph Sutton
Date:   Mon Mar 20 15:11:54 2023 +1300

    s4:kdc: Fix leak

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit 9c4f7e4b339d6ed5ed1030f87c9a871b06987265
Author: Joseph Sutton
Date:   Mon Mar 20 15:02:53 2023 +1300

    s4:kdc: Don't modify cached user_info_dc SIDs

    samba_kdc_get_pac_blobs() passes a pointer to a user_info_dc structure
    obtained from samba_kdc_get_user_info_from_db() into
    samba_add_asserted_identity(). The latter function modifies the SIDs
    of the user_info_dc structure in order to add the Asserted Identity
    SID, but samba_kdc_get_user_info_from_db() actually caches that
    structure internally, meaning that subsequent calls will return the
    modified structure.

    We should not modify cached SIDs, so have
    samba_kdc_get_user_info_from_db() return a pointer to constant data,
    and copy the returned array of SIDs before adding the Asserted
    Identity SID.

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit c62937822d8d814a70d32efab93be721791c57f0
Author: Joseph Sutton
Date:   Fri Mar 17 11:57:09 2023 +1300

    s4:kdc: Don't check PAC-OPTIONS claims-supported bit

    Windows only consults the PAC-OPTIONS claims bit to find out whether
    or not to add claims to the PAC if the ClaimsCompIdFASTSupport option
    is set to 1. If this option is set to 2 or 3, the bit is ignored and
    claims are always added.

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit 3e97ea3f35e3d147b491bb2da959b0f8a6207835
Author: Joseph Sutton
Date:   Fri Mar 17 11:14:15 2023 +1300

    s4:kdc: Have samba_kdc_update_pac() take device parameters

    These will be used later when we add support for compound
    authentication.

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit a326aec4c0495200d05ab8b2310f23199058167a
Author: Joseph Sutton
Date:   Fri Mar 17 11:07:11 2023 +1300

    s4:kdc: Don't pass a NULL pointer to krb5_pac_add_buffer()

    Heimdal contains an assertion that the data pointer is not NULL. We
    need to pass in a pointer to some dummy data instead.

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit 1a625702e81ef2a6bd38c486e3056ce61da800e8
Author: Joseph Sutton
Date:   Mon Mar 13 10:09:15 2023 +1300

    libcli/security: Correctly handle ACL deletion

    If there were two consecutive occurrences of an ACL to be deleted, we
    would miss the second one.

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit 545b40a70b02141ed292ddd3ff63d1f62070bb85
Author: Joseph Sutton
Date:
[SCM] Samba Shared Repository - branch master updated

The branch, master has been updated
       via  6241380bc52 samba-tool: rewrite dsacl.py to use the new sd_utils helpers
       via  a1109a9bf12 python:sd_utils: add dacl_{prepend,append,delete}_aces() helpers
       via  8411e6d302e python:sd_utils: introduce update_aces_in_dacl() helper
       via  4627997ddae python/samba/ndr: add ndr_deepcopy() helper
       via  9ea06aaf9f5 py_security: allow idx argument to descriptor.[s|d]acl_add()
       via  2c02378029f libcli/security: add security_descriptor_[s|d]acl_insert() helpers
       via  c3cb915a67a libcli/security: prepare security_descriptor_acl_add() to place the ace at a position
       via  9d8ff0d1e0b replace: add ARRAY_INSERT_ELEMENT() helper
       via  9053862b892 lib/ldb-samba: let ldif_read_ntSecurityDescriptor() only try sddl if isupper()
      from  be1aae77b76 libcli/security: Reorder SDDL access flags table to match Windows

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -

commit 6241380bc52e41744d134e31d77ab900e604e0d1
Author: Stefan Metzmacher
Date:   Thu Mar 16 18:32:49 2023 +0100

    samba-tool: rewrite dsacl.py to use the new sd_utils helpers

    Signed-off-by: Stefan Metzmacher
    Reviewed-by: Andrew Bartlett
    Reviewed-by: Douglas Bagnall

    Autobuild-User(master): Stefan Metzmacher
    Autobuild-Date(master): Wed Mar 22 15:57:15 UTC 2023 on atb-devel-224

commit a1109a9bf12e020636b8d66fc54984aac58bfe6b
Author: Stefan Metzmacher
Date:   Thu Mar 16 18:03:10 2023 +0100

    python:sd_utils: add dacl_{prepend,append,delete}_aces() helpers

    They better represent what they are doing; we keep dacl_add_ace() as
    a wrapper of dacl_prepend_aces() in order to let existing callers
    work as before.

    In future it would be good to have a dacl_insert_aces() that would
    canonicalize the ace order before storing, but that's a task for
    another day.

    Signed-off-by: Stefan Metzmacher
    Reviewed-by: Andrew Bartlett
    Reviewed-by: Douglas Bagnall

commit 8411e6d302e25d10f1035ebbdcbde7308566e930
Author: Stefan Metzmacher
Date:   Fri Mar 10 18:25:18 2023 +0100

    python:sd_utils: introduce update_aces_in_dacl() helper

    This is a more generic api that can be re-used in other places as
    well in future. It operates on a security descriptor object instead
    of SDDL.

    Signed-off-by: Stefan Metzmacher
    Reviewed-by: Andrew Bartlett
    Reviewed-by: Douglas Bagnall

commit 4627997ddae44265ad35b3234232eb74458c6c34
Author: Stefan Metzmacher
Date:   Fri Mar 17 14:08:34 2023 +0100

    python/samba/ndr: add ndr_deepcopy() helper

    This uses ndr_pack/unpack in order to create a deep copy of the given
    object.

    Signed-off-by: Stefan Metzmacher
    Reviewed-by: Andrew Bartlett
    Reviewed-by: Douglas Bagnall

commit 9ea06aaf9f57e3c7094553d9ac40fb73057a9b74
Author: Stefan Metzmacher
Date:   Thu Mar 16 10:11:05 2023 +0100

    py_security: allow idx argument to descriptor.[s|d]acl_add()

    Signed-off-by: Stefan Metzmacher
    Reviewed-by: Andrew Bartlett
    Reviewed-by: Douglas Bagnall

commit 2c02378029fff6636b8f19e45af78b265f2210ed
Author: Stefan Metzmacher
Date:   Thu Mar 16 10:03:44 2023 +0100

    libcli/security: add security_descriptor_[s|d]acl_insert() helpers

    Signed-off-by: Stefan Metzmacher
    Reviewed-by: Andrew Bartlett
    Reviewed-by: Douglas Bagnall

commit c3cb915a67aff6739b72b86d7d139609df309ada
Author: Stefan Metzmacher
Date:   Thu Mar 16 10:00:11 2023 +0100

    libcli/security: prepare security_descriptor_acl_add() to place the ace at a position

    Often it is important to insert an ace at a specific position in the
    ACL. As a default we still append by using -1, which is the generic
    version of passing the number of existing aces.

    Signed-off-by: Stefan Metzmacher
    Reviewed-by: Andrew Bartlett
    Reviewed-by: Douglas Bagnall

commit 9d8ff0d1e0b2ba7c84af36e1931f5bc99902a44b
Author: Stefan Metzmacher
Date:   Thu Mar 16 09:57:43 2023 +0100

    replace: add ARRAY_INSERT_ELEMENT() helper

    Signed-off-by: Stefan Metzmacher
    Reviewed-by: Andrew Bartlett
    Reviewed-by: Douglas Bagnall

commit 9053862b89258850c22735cc4123fe5bc0d2e6fa
Author: Stefan Metzmacher
Date:   Mon May 17 17:14:34 2021 +0200

    lib/ldb-samba: let ldif_read_ntSecurityDescriptor() only try sddl if isupper()

    Trying ndr_pull_security_descriptor on SDDL produces just strange
    debug messages, which can cause confusion.

    Signed-off-by: Stefan Metzmacher
    Reviewed-by: Andrew Bartlett
    Reviewed-by: Douglas Bagnall

---

Summary of changes:
 lib/ldb-samba/ldif_handlers.c          | 24 --
 lib/replace/replace.h                  | 15
 libcli/security/security_descriptor.c  | 55 ++--
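Two of the libcli/security changes in these logs come down to index handling in a contiguous array of ACEs: the ACL deletion fix (1a625702e81, where two consecutive matching entries left the second one behind) and security_descriptor_acl_add() learning to place an ace at a position, with -1 meaning "append after the existing aces" (c3cb915a67a). The C below is an added illustration written for this page, not Samba's code: the toy_ace/toy_acl types, every function name and the numeric SID stand-ins are hypothetical and constructed. It shows the insert-at-position convention, the off-by-one deletion pattern that skips the element shifted into the current slot, and the corrected loop that re-examines the same index after a removal.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical minimal ACE, enough to tell entries apart.
 * Not Samba's struct security_ace. */
struct toy_ace {
	uint8_t type;   /* 0 = allow, 1 = deny */
	uint32_t mask;  /* access mask */
	uint32_t sid;   /* constructed stand-in for a SID */
};

#define TOY_MAX_ACES 16

struct toy_acl {
	uint32_t num_aces;
	struct toy_ace aces[TOY_MAX_ACES];
};

static int toy_ace_equal(const struct toy_ace *a, const struct toy_ace *b)
{
	return a->type == b->type && a->mask == b->mask && a->sid == b->sid;
}

/* Insert ace at index idx; idx == -1 appends (the "-1 is the generic
 * version of passing the number of existing aces" convention).
 * Returns the new ace count, or -1 if idx is out of range or the
 * array is full. */
int toy_acl_insert(struct toy_acl *acl, const struct toy_ace *ace, int idx)
{
	if (acl->num_aces >= TOY_MAX_ACES) {
		return -1;
	}
	if (idx == -1) {
		idx = (int)acl->num_aces;
	}
	if (idx < 0 || (uint32_t)idx > acl->num_aces) {
		return -1;
	}
	/* shift the tail up by one slot to open a gap at idx */
	memmove(&acl->aces[idx + 1], &acl->aces[idx],
		(acl->num_aces - (uint32_t)idx) * sizeof(*ace));
	acl->aces[idx] = *ace;
	acl->num_aces++;
	return (int)acl->num_aces;
}

/* Buggy pattern: after shifting the tail down, the loop's i++ skips
 * the element that just moved into slot i. Two consecutive matches
 * therefore lose only the first. Returns the number removed. */
int toy_acl_del_buggy(struct toy_acl *acl, const struct toy_ace *ace)
{
	uint32_t i;
	int removed = 0;
	for (i = 0; i < acl->num_aces; i++) {
		if (toy_ace_equal(&acl->aces[i], ace)) {
			memmove(&acl->aces[i], &acl->aces[i + 1],
				(acl->num_aces - i - 1) * sizeof(*ace));
			acl->num_aces--;
			removed++;
		}
	}
	return removed;
}

/* Corrected pattern: only advance i when nothing was removed, so the
 * element shifted into slot i is examined too. */
int toy_acl_del_fixed(struct toy_acl *acl, const struct toy_ace *ace)
{
	uint32_t i = 0;
	int removed = 0;
	while (i < acl->num_aces) {
		if (toy_ace_equal(&acl->aces[i], ace)) {
			memmove(&acl->aces[i], &acl->aces[i + 1],
				(acl->num_aces - i - 1) * sizeof(*ace));
			acl->num_aces--;
			removed++;
		} else {
			i++;
		}
	}
	return removed;
}

int toy_acl_count(const struct toy_acl *acl, const struct toy_ace *ace)
{
	uint32_t i;
	int n = 0;
	for (i = 0; i < acl->num_aces; i++) {
		n += toy_ace_equal(&acl->aces[i], ace);
	}
	return n;
}

/* Build [b, a, t, t] (b inserted at position 0, the rest appended),
 * delete t with the chosen routine, and report how many copies of t
 * survive: 1 with the buggy loop, 0 with the fixed one. */
int toy_demo_consecutive_delete(int use_fixed)
{
	struct toy_acl acl;
	struct toy_ace a = { 0, 0x1, 1001 };
	struct toy_ace t = { 1, 0x2, 2002 };
	struct toy_ace b = { 0, 0x4, 3003 };
	memset(&acl, 0, sizeof(acl));
	toy_acl_insert(&acl, &a, -1);
	toy_acl_insert(&acl, &t, -1);
	toy_acl_insert(&acl, &t, -1);
	toy_acl_insert(&acl, &b, 0);
	if (use_fixed) {
		toy_acl_del_fixed(&acl, &t);
	} else {
		toy_acl_del_buggy(&acl, &t);
	}
	return toy_acl_count(&acl, &t);
}

int main(void)
{
	printf("buggy delete leaves %d copies, fixed delete leaves %d\n",
	       toy_demo_consecutive_delete(0), toy_demo_consecutive_delete(1));
	return 0;
}
```

The defender's interest here is that an ACL routine which silently keeps one of two identical ACEs yields a descriptor that differs from what the caller believes it wrote; a regression test that inserts duplicates and deletes them, as the fixed loop is exercised above, catches that class of mistake.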