[SCM] Samba Shared Repository - branch master updated

2023-03-22 Thread Andrew Bartlett
The branch, master has been updated
   via  86b6353644d python:join: run domain adprep as part of 
join_provision_own_domain()
   via  4bba26579d1 python:provision: run adprep as part of provision
   via  f6d9f3760f7 samba-tool: let 'domain provision' to use the 2019 
schema by default
   via  90faa58e7fb samba-tool: let 'domain schemaupgrade' to use the 2019 
schema by default
   via  245a8aaf41f samba-tool: let 'domain functionalprep' to use 
functional level 2016 by default
   via  da74c3fde10 samba-tool: allow 'domain level raise' to support level 
2016
   via  e855fe20681 python/samba: let get_domain_descriptor() include 
adprep 2016 ACEs
   via  1e024f6568e domain_update: implement updates 82-89 in order to 
reach the latest w2016 level
   via  c8f8efb31e9 forest_update: behave more like a Windows 2022 server
   via  c405f211760 setup/adprep: import the latest 
{Domain-Wide,Forest-Wide,Read-Only-Domain-Controller,Schema}-Updates.md
   via  c4b87dd50de setup/ad-schema: add the latest v1803 and v1903 schema 
files from Microsoft
   via  dcce25ae8a7 python/samba: adapt ms_schema[_markdown].py to the 
latest schema definitions
   via  b2fbfa0ff1c python/samba: adapt ms_forest_updates_markdown.py to 
the latest Forest-Wide-Updates.md
   via  17ce8beac3f python/samba: add support for LDB_CHANGETYPE_MODRDN to 
modify_ldif()
   via  167f0235865 lib/ldb: add LDB_CHANGETYPE_MODRDN support to 
ldb_ldif_to_pyobject()
   via  5011221996f python/samba: add support for LDB_CHANGETYPE_DELETE to 
modify_ldif()
   via  7055ec0a0b9 lib/ldb: add LDB_CHANGETYPE_DELETE support to 
ldb_ldif_to_pyobject()
   via  3ad3c1a69d0 python/samba: let modify_ldif() verify the changetype 
value
   via  e24e7b96338 lib/ldb: re-order code in ldb_ldif_to_pyobject()
   via  cc5df80152d lib/ldb: let ldb_ldif_parse_modrdn() handle names 
without 'rdn_name=' prefix
   via  f860e19c846 domain_update: make use of 
self.sd_utils.update_aces_in_dacl()
   via  a3dac8efe4b domain_update: remove useless searches to 
'(objectClass=samDomain)'
   via  c87f2606ae3 domain_update: make use of '"CN"' in sddl instead of 
using an explicit SID
   via  a10f4f7cd25 domain_update: be more verbose about updates
   via  a8c0e82f928 forest_update: be more verbose about updates
   via  65275acf058 forest_update: make use of 
self.sd_utils.update_aces_in_dacl()
   via  a89b158d3f1 forest_update: we don't need any controls to update 
sddl attributes
   via  f1f79a2e4b1 forest_update: only update SDDL for schema objects
   via  838a36c743c forest_update: ignore ldb.ERR_ATTRIBUTE_OR_VALUE_EXISTS 
in operation_ldif()
   via  7fe87d3c8de functional_prep: fix error handling in order to stop on 
the first error
   via  65653bb02c2 schema_upgrade: add support for ntdsschemamodrdn and 
ntdsschemadelete
   via  65294d56bdf python/tests: use changetype: modify in order to delete 
a single attribute
   via  c35ae5a77d5 s4:dsdb/tests: use changetype: modify in order to 
delete a single attribute
   via  01400b59803 blackbox/dbcheck: also run currently unused 
dbcheck_reset_well_known_acls
   via  bb09c06d6d5 libcli/security: rewrite 
calculate_inherited_from_parent()
   via  a0217c50e92 s4:dsdb/tests: add more detailed tests to 
sec_descriptor.py
   via  731c85add11 s4:dsdb/tests: allow sec_descriptor.py to run against 
Windows 2022
   via  6de4849f9ca s4:dsdb/tests: convert sec_descriptor.py to use 
assert[Not]In()
   via  2436d621d19 s4:dsdb/tests: let AclUndeleteTests.test_undelete() 
remove the temporary ACE again
   via  e0a8e043d33 s4:dsdb/tests: let OwnerGroupDescriptorTests() remove 
temporary ACEs on cleanup
   via  7b0d5285361 s4:dsdb/tests: let OwnerGroupDescriptorTests.test_141() 
set the required ACE explicitly
  from  7e3cbc2c641 s4:kdc: Fix typo

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 86b6353644dc9e32d250efffab13ebde7009477d
Author: Stefan Metzmacher 
Date:   Fri Mar 17 16:48:26 2023 +0100

python:join: run domain adprep as part of join_provision_own_domain()

This is currently unused as we don't support more than one
domain per forest, but it will help in future.

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Wed Mar 22 23:05:39 UTC 2023 on atb-devel-224

commit 4bba26579d124af6c0767bb98bee67357001e1e7
Author: Stefan Metzmacher 
Date:   Fri Mar 17 16:48:26 2023 +0100

python:provision: run adprep as part of provision

With the default of base_schema=2019 we'll adprep to 2016.

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

commit f6d9f3760f7df8595a3882b3ad526326abbba1ca
Author: Stefan Metzmacher 
Date:   Thu Feb 23 15:05:01 2023 +0100

 

[SCM] Samba Shared Repository - branch master updated

2023-03-22 Thread Andrew Bartlett
The branch, master has been updated
   via  7e3cbc2c641 s4:kdc: Fix typo
   via  9d59e42a2ba s4:kdc: Split samba_kdc_get_pac_blobs() into smaller 
functions
   via  c7b00ccc76f s4:kdc: Rename claims_blob to client_claims_blob
   via  fbed57b86bc s4:kdc: Fix leak
   via  9c4f7e4b339 s4:kdc: Don't modify cached user_info_dc SIDs
   via  c62937822d8 s4:kdc: Don't check PAC-OPTIONS claims-supported bit
   via  3e97ea3f35e s4:kdc: Have samba_kdc_update_pac() take device 
parameters
   via  a326aec4c04 s4:kdc: Don't pass a NULL pointer to 
krb5_pac_add_buffer()
   via  1a625702e81 libcli/security: Correctly handle ACL deletion
   via  545b40a70b0 s4/dsdb/repl_meta_data: Pass NULL into ldb_msg_add_empty
   via  211d19a04c3 ldb: Don't create error string if there is no error
  from  6241380bc52 samba-tool: rewrite dsacl.py to use the new sd_utils 
helpers

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 7e3cbc2c6418a876ab4770f1fd5ff12e8c8dae9d
Author: Joseph Sutton 
Date:   Tue Mar 21 09:43:01 2023 +1300

s4:kdc: Fix typo

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Wed Mar 22 19:36:28 UTC 2023 on atb-devel-224

commit 9d59e42a2bacf53eda99f0a3d96f9ce4088b1ddc
Author: Joseph Sutton 
Date:   Mon Mar 20 15:16:21 2023 +1300

s4:kdc: Split samba_kdc_get_pac_blobs() into smaller functions

Instead of having one large function that returns every PAC blob, we now
have a more manageable assortment of smaller functions that each return
one blob.

That gives us more fine-grained handling of PAC blobs, with callers now
able to procure only the specific blobs that they need.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit c7b00ccc76f4a055dd761c929c23b014b214c4f5
Author: Joseph Sutton 
Date:   Mon Mar 20 15:13:39 2023 +1300

s4:kdc: Rename claims_blob to client_claims_blob

This will not be the only claims blob. Later there will also be a
device_claims_blob.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit fbed57b86bc5b358a7373c134ce26a012b4280ef
Author: Joseph Sutton 
Date:   Mon Mar 20 15:11:54 2023 +1300

s4:kdc: Fix leak

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 9c4f7e4b339d6ed5ed1030f87c9a871b06987265
Author: Joseph Sutton 
Date:   Mon Mar 20 15:02:53 2023 +1300

s4:kdc: Don't modify cached user_info_dc SIDs

samba_kdc_get_pac_blobs() passes a pointer to a user_info_dc structure
obtained from samba_kdc_get_user_info_from_db() into
samba_add_asserted_identity(). The latter function modifies the SIDs of
the user_info_dc structure in order to add the Asserted Identity SID,
but samba_kdc_get_user_info_from_db() actually caches that structure
internally, meaning that subsequent calls will return the modified
structure.

We should not modify cached SIDs, so have
samba_kdc_get_user_info_from_db() return a pointer to constant data, and
copy the returned array of SIDs before adding the Asserted Identity SID.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit c62937822d8d814a70d32efab93be721791c57f0
Author: Joseph Sutton 
Date:   Fri Mar 17 11:57:09 2023 +1300

s4:kdc: Don't check PAC-OPTIONS claims-supported bit

Windows only consults the PAC-OPTIONS claims bit to find out whether or
not to add claims to the PAC if the ClaimsCompIdFASTSupport option is
set to 1. If this option is set to 2 or 3, the bit is ignored and claims
are always added.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 3e97ea3f35e3d147b491bb2da959b0f8a6207835
Author: Joseph Sutton 
Date:   Fri Mar 17 11:14:15 2023 +1300

s4:kdc: Have samba_kdc_update_pac() take device parameters

These will be used later when we add support for compound
authentication.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit a326aec4c0495200d05ab8b2310f23199058167a
Author: Joseph Sutton 
Date:   Fri Mar 17 11:07:11 2023 +1300

s4:kdc: Don't pass a NULL pointer to krb5_pac_add_buffer()

Heimdal contains an assertion that the data pointer is not NULL. We need
to pass in a pointer to some dummy data instead.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 1a625702e81ef2a6bd38c486e3056ce61da800e8
Author: Joseph Sutton 
Date:   Mon Mar 13 10:09:15 2023 +1300

libcli/security: Correctly handle ACL deletion

If there were two consecutive occurrences of an ACL to be deleted, we
would miss the second one.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 545b40a70b02141ed292ddd3ff63d1f62070bb85
Author: Joseph Sutton 
Date: 
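The aliasing problem described in commit 9c4f7e4b339 above, as an added illustration that is not Samba code: a lookup that caches its result hands the same object to every caller, and a PAC builder that appends the Asserted Identity SID in place silently changes what every later lookup in the request sees. The struct and function names (user_info, get_user_info_cached, build_pac_inplace, build_pac_copy), the two domain SIDs and the cache itself are hypothetical stand-ins for the Samba structures; S-1-18-1 is the well-known Authentication Authority Asserted Identity SID.

```c
/* Added illustration (not Samba code) of the cached-SID aliasing problem
 * fixed by commit 9c4f7e4b339. All names and the S-1-5-21 SIDs are made up. */
#include <stdlib.h>
#include <string.h>

/* Stand-in for the cached identity: a heap-allocated list of string SIDs. */
struct user_info {
    size_t num_sids;
    const char **sids;
};

/* Well-known "Authentication Authority Asserted Identity" SID. */
#define ASSERTED_IDENTITY_SID "S-1-18-1"

static struct user_info *cache;   /* simulated per-request lookup cache */

static void reset_cache(void)
{
    if (cache != NULL) {
        free(cache->sids);
        free(cache);
        cache = NULL;
    }
}

/* Cached lookup: the first call builds the entry, later calls hand back
 * the very same object. Returning a mutable pointer is the trap. */
static struct user_info *get_user_info_cached(void)
{
    if (cache == NULL) {
        cache = calloc(1, sizeof(*cache));
        if (cache == NULL) abort();
        cache->sids = calloc(2, sizeof(*cache->sids));
        if (cache->sids == NULL) abort();
        cache->sids[0] = "S-1-5-21-1-2-3-1001";  /* constructed user SID */
        cache->sids[1] = "S-1-5-21-1-2-3-513";   /* constructed primary group */
        cache->num_sids = 2;
    }
    return cache;
}

/* Appends a SID to whatever list it is handed. */
static int append_sid(struct user_info *info, const char *sid)
{
    const char **grown = realloc(info->sids,
                                 (info->num_sids + 1) * sizeof(*grown));
    if (grown == NULL) return -1;
    info->sids = grown;
    info->sids[info->num_sids++] = sid;
    return 0;
}

/* Old pattern: append straight into the cached object. Every later
 * lookup in this request now also carries the asserted identity SID. */
static int build_pac_inplace(void)
{
    return append_sid(get_user_info_cached(), ASSERTED_IDENTITY_SID);
}

/* Fixed pattern: treat the lookup result as read-only, copy the SID
 * array, and append to the copy only. (The real fix also makes the
 * getter return const data so the compiler rejects the old pattern.) */
static int build_pac_copy(struct user_info *out)
{
    const struct user_info *src = get_user_info_cached();
    out->sids = calloc(src->num_sids + 1, sizeof(*out->sids));
    if (out->sids == NULL) return -1;
    memcpy(out->sids, src->sids, src->num_sids * sizeof(*out->sids));
    out->num_sids = src->num_sids;
    return append_sid(out, ASSERTED_IDENTITY_SID);
}

/* Number of SIDs a second lookup sees after a PAC was built the old way. */
size_t cached_sids_after_inplace(void)
{
    reset_cache();
    build_pac_inplace();
    size_t n = get_user_info_cached()->num_sids;   /* 3: cache polluted */
    reset_cache();
    return n;
}

/* Same measurement with the copying builder: the cache stays at 2 SIDs. */
size_t cached_sids_after_copy(void)
{
    struct user_info pac = { 0, NULL };
    reset_cache();
    build_pac_copy(&pac);
    size_t n = get_user_info_cached()->num_sids;   /* 2: cache untouched */
    free(pac.sids);
    reset_cache();
    return n;
}

/* The PAC built from the copy still carries the extra SID (3 in total). */
size_t pac_sids_after_copy(void)
{
    struct user_info pac = { 0, NULL };
    reset_cache();
    build_pac_copy(&pac);
    size_t n = pac.num_sids;
    free(pac.sids);
    reset_cache();
    return n;
}
```

A shallow struct copy would not be enough here: the copy would share the sids pointer, and the realloc in append_sid could leave the cached entry pointing at freed memory. Copying the array itself, as the commit does, is what keeps the cache immutable.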

[SCM] Samba Shared Repository - branch master updated

2023-03-22 Thread Stefan Metzmacher
The branch, master has been updated
   via  6241380bc52 samba-tool: rewrite dsacl.py to use the new sd_utils 
helpers
   via  a1109a9bf12 python:sd_utils: add 
dacl_{prepend,append,delete}_aces() helpers
   via  8411e6d302e python:sd_utils: introduce update_aces_in_dacl() helper
   via  4627997ddae python/samba/ndr: add ndr_deepcopy() helper
   via  9ea06aaf9f5 py_security: allow idx argument to 
descriptor.[s|d]acl_add()
   via  2c02378029f libcli/security: add 
security_descriptor_[s|d]acl_insert() helpers
   via  c3cb915a67a libcli/security: prepare security_descriptor_acl_add() 
to place the ace at a position
   via  9d8ff0d1e0b replace: add ARRAY_INSERT_ELEMENT() helper
   via  9053862b892 lib/ldb-samba: let ldif_read_ntSecurityDescriptor() 
only try sddl if isupper()
  from  be1aae77b76 libcli/security: Reorder SDDL access flags table to 
match Windows

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 6241380bc52e41744d134e31d77ab900e604e0d1
Author: Stefan Metzmacher 
Date:   Thu Mar 16 18:32:49 2023 +0100

samba-tool: rewrite dsacl.py to use the new sd_utils helpers

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

Autobuild-User(master): Stefan Metzmacher 
Autobuild-Date(master): Wed Mar 22 15:57:15 UTC 2023 on atb-devel-224

commit a1109a9bf12e020636b8d66fc54984aac58bfe6b
Author: Stefan Metzmacher 
Date:   Thu Mar 16 18:03:10 2023 +0100

python:sd_utils: add dacl_{prepend,append,delete}_aces() helpers

They better represent what they are doing; we keep dacl_add_ace()
as a wrapper of dacl_prepend_aces() in order to let existing callers
work as before.

In future it would be good to have a dacl_insert_aces() that
would canonicalize the ace order before storing, but that is a task
for another day.

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

commit 8411e6d302e25d10f1035ebbdcbde7308566e930
Author: Stefan Metzmacher 
Date:   Fri Mar 10 18:25:18 2023 +0100

python:sd_utils: introduce update_aces_in_dacl() helper

This is a more generic api that can be re-used in other places
as well in future. It operates on a security descriptor object instead of
SDDL.

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

commit 4627997ddae44265ad35b3234232eb74458c6c34
Author: Stefan Metzmacher 
Date:   Fri Mar 17 14:08:34 2023 +0100

python/samba/ndr: add ndr_deepcopy() helper

This uses ndr_pack/unpack in order to create a deep copy
of the given object.

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

commit 9ea06aaf9f57e3c7094553d9ac40fb73057a9b74
Author: Stefan Metzmacher 
Date:   Thu Mar 16 10:11:05 2023 +0100

py_security: allow idx argument to descriptor.[s|d]acl_add()

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

commit 2c02378029fff6636b8f19e45af78b265f2210ed
Author: Stefan Metzmacher 
Date:   Thu Mar 16 10:03:44 2023 +0100

libcli/security: add security_descriptor_[s|d]acl_insert() helpers

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

commit c3cb915a67aff6739b72b86d7d139609df309ada
Author: Stefan Metzmacher 
Date:   Thu Mar 16 10:00:11 2023 +0100

libcli/security: prepare security_descriptor_acl_add() to place the ace at 
a position

Often it is important to insert an ace at a specific position in the
ACL. By default we still append, by using -1, which is the
generic version of passing the number of existing aces.

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

commit 9d8ff0d1e0b2ba7c84af36e1931f5bc99902a44b
Author: Stefan Metzmacher 
Date:   Thu Mar 16 09:57:43 2023 +0100

replace: add ARRAY_INSERT_ELEMENT() helper

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

commit 9053862b89258850c22735cc4123fe5bc0d2e6fa
Author: Stefan Metzmacher 
Date:   Mon May 17 17:14:34 2021 +0200

lib/ldb-samba: let ldif_read_ntSecurityDescriptor() only try sddl if 
isupper()

Trying ndr_pull_security_descriptor on SDDL produces just strange
debug messages, which can cause confusion.

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

---

Summary of changes:
 lib/ldb-samba/ldif_handlers.c |  24 --
 lib/replace/replace.h |  15 
 libcli/security/security_descriptor.c |  55 ++--
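Two of the ACE array operations touched in these threads, as an added illustration that is not Samba code: positional insertion with -1 meaning append (commits c3cb915a67a and 9d8ff0d1e0b above) and deletion of every matching ACE, including the consecutive-duplicate case that commit 1a625702e81 in the earlier thread describes as previously missed. The struct ace / struct acl types, the function names (acl_insert, acl_delete_buggy, acl_delete_fixed) and the sample SIDs and masks are simplified stand-ins chosen for this example; acl_delete_buggy is a reconstruction of the skip-after-compaction pattern the commit message describes, not the project's original code.

```c
/* Added illustration (not Samba code) of positional ACE insertion and of
 * the consecutive-deletion bug. Simplified ACE/ACL types; real ones differ. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

struct ace {
    uint8_t  type;        /* 0 = access allowed, 1 = access denied */
    uint32_t access_mask;
    const char *trustee;  /* string SID */
};

struct acl {
    size_t num_aces;
    struct ace *aces;
};

static int ace_equal(const struct ace *a, const struct ace *b)
{
    return a->type == b->type && a->access_mask == b->access_mask &&
           strcmp(a->trustee, b->trustee) == 0;
}

/* Insert at idx; idx < 0 (or past the end) appends, like passing num_aces. */
int acl_insert(struct acl *acl, const struct ace *ace, int idx)
{
    size_t pos = (idx < 0 || (size_t)idx > acl->num_aces) ? acl->num_aces
                                                         : (size_t)idx;
    struct ace *grown = realloc(acl->aces,
                                (acl->num_aces + 1) * sizeof(*grown));
    if (grown == NULL) return -1;
    acl->aces = grown;
    /* open a hole at pos by shifting the tail up one slot */
    memmove(&acl->aces[pos + 1], &acl->aces[pos],
            (acl->num_aces - pos) * sizeof(*grown));
    acl->aces[pos] = *ace;
    acl->num_aces++;
    return 0;
}

/* Buggy deletion: after compacting over aces[i], the loop's i++ skips the
 * element that just slid into slot i, so an adjacent duplicate survives. */
size_t acl_delete_buggy(struct acl *acl, const struct ace *ace)
{
    size_t removed = 0;
    for (size_t i = 0; i < acl->num_aces; i++) {
        if (ace_equal(&acl->aces[i], ace)) {
            memmove(&acl->aces[i], &acl->aces[i + 1],
                    (acl->num_aces - i - 1) * sizeof(*acl->aces));
            acl->num_aces--;
            removed++;
        }
    }
    return removed;
}

/* Fixed deletion: separate read and write cursors never skip an element. */
size_t acl_delete_fixed(struct acl *acl, const struct ace *ace)
{
    size_t w = 0, removed = 0;
    for (size_t r = 0; r < acl->num_aces; r++) {
        if (ace_equal(&acl->aces[r], ace)) { removed++; continue; }
        acl->aces[w++] = acl->aces[r];
    }
    acl->num_aces = w;
    return removed;
}

static size_t count_matching(const struct acl *acl, const struct ace *ace)
{
    size_t n = 0;
    for (size_t i = 0; i < acl->num_aces; i++) n += ace_equal(&acl->aces[i], ace);
    return n;
}

/* Constructed sample: two allow ACEs appended, then the same deny ACE
 * inserted at index 0 twice, so the duplicates end up adjacent. */
static const struct ace demo_deny = { 1, 0x00020000, "S-1-5-21-1-2-3-1001" };

static void build_demo_acl(struct acl *acl)
{
    struct ace allow_user = { 0, 0x001F01FF, "S-1-5-21-1-2-3-1001" };
    struct ace allow_grp  = { 0, 0x00020094, "S-1-5-21-1-2-3-513" };
    acl->num_aces = 0;
    acl->aces = NULL;
    acl_insert(acl, &allow_user, -1);
    acl_insert(acl, &allow_grp, -1);
    acl_insert(acl, &demo_deny, 0);   /* deny ACEs belong before allows */
    acl_insert(acl, &demo_deny, 0);
}

/* Length of the run of deny ACEs at the front after the build (2). */
size_t demo_deny_prefix_len(void)
{
    struct acl acl;
    size_t n = 0;
    build_demo_acl(&acl);
    while (n < acl.num_aces && ace_equal(&acl.aces[n], &demo_deny)) n++;
    free(acl.aces);
    return n;
}

/* How many copies of demo_deny survive: 1 with the buggy loop, 0 when fixed. */
size_t demo_deny_left(int use_fixed)
{
    struct acl acl;
    build_demo_acl(&acl);
    if (use_fixed) acl_delete_fixed(&acl, &demo_deny);
    else           acl_delete_buggy(&acl, &demo_deny);
    size_t left = count_matching(&acl, &demo_deny);
    free(acl.aces);
    return left;
}
```

The security point is in demo_deny_left(0): a deny ACE the caller asked to remove is still in the DACL afterwards, and because deny ACEs sort first it keeps overriding the allow entries behind it. The read/write-cursor form is the usual way to delete while compacting without that off-by-one.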