[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
  via 91eb3f1d223 testprogs/blackbox: add --recursive tests to test_samba-tool_ntacl.sh
  via 11741791cc6 testprogs/blackbox: move 'ntacl get' out of test_changedomsid() in test_samba-tool_ntacl.sh
  via 619f097b7d4 testprogs/blackbox: pass $CONFIGURATION to test_samba-tool_ntacl.sh
  via 16b9b508af4 samba-tool/ntacl: implement set --recursive
  via 27b29cfa766 samba-tool/ntacl: add set --verbose and print out the file/directory name
  via 6327fd9cdba samba-tool/ntacl: don't announce -q,--quiet in --help as it's not used at all
  via 4ca5b78f5b7 samba-tool/ntacl: let changedomsid ignore symlinks
  via 3694f2ce620 vfs_aio_pthread: don't crash without a pthreadpool
  via 0e9f1eec5a2 samba-tool: print default (domain) for --dns-directory-partition option in help message
  via b26dcfba10e tests/krb5/s4u_tests.py: add test_constrained_delegation_authtime
  via 489cdefa6ab tests/krb5/s4u_tests.py: add test_constrained_delegation_with_enc_auth_data_[no_]subkey()
  from 0ef8083cca0 WHATSNEW: Mention new default schema and Functional Level prep

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -

commit 91eb3f1d2236ad88eb3cf6ad036ae16ea2eac6b8
Author: Stefan Metzmacher
Date: Wed May 17 11:26:48 2023 +0200

testprogs/blackbox: add --recursive tests to test_samba-tool_ntacl.sh

Signed-off-by: Stefan Metzmacher
Reviewed-by: Andrew Bartlett

Autobuild-User(master): Andrew Bartlett
Autobuild-Date(master): Thu Jun 22 00:22:47 UTC 2023 on atb-devel-224

commit 11741791cc6ae339efd71b122ea9313b710bf1ac
Author: Stefan Metzmacher
Date: Wed May 17 11:26:48 2023 +0200

testprogs/blackbox: move 'ntacl get' out of test_changedomsid() in test_samba-tool_ntacl.sh

Signed-off-by: Stefan Metzmacher
Reviewed-by: Andrew Bartlett

commit 619f097b7d4c0fa4614ab12042292c1e9a8fe234
Author: Stefan Metzmacher
Date: Wed May 17 11:26:48 2023 +0200

testprogs/blackbox: pass $CONFIGURATION to test_samba-tool_ntacl.sh

Signed-off-by: Stefan Metzmacher
Reviewed-by: Andrew Bartlett

commit 16b9b508af4432abe5717da129b1be921c0227c6
Author: Stefan Metzmacher
Date: Tue May 2 16:18:51 2023 +0200

samba-tool/ntacl: implement set --recursive

Signed-off-by: Stefan Metzmacher
Reviewed-by: Andrew Bartlett

commit 27b29cfa766099252b417da06599aee585a228bc
Author: Stefan Metzmacher
Date: Tue May 2 16:18:26 2023 +0200

samba-tool/ntacl: add set --verbose and print out the file/directory name

Signed-off-by: Stefan Metzmacher
Reviewed-by: Andrew Bartlett

commit 6327fd9cdbaf3dad4b09ce291de1f42259e11d2b
Author: Stefan Metzmacher
Date: Tue May 2 16:18:26 2023 +0200

samba-tool/ntacl: don't announce -q,--quiet in --help as it's not used at all

Signed-off-by: Stefan Metzmacher
Reviewed-by: Andrew Bartlett

commit 4ca5b78f5b7c35e6276d92f7948334dad7a59456
Author: Stefan Metzmacher
Date: Tue May 16 13:57:51 2023 +0200

samba-tool/ntacl: let changedomsid ignore symlinks

Signed-off-by: Stefan Metzmacher
Reviewed-by: Andrew Bartlett

commit 3694f2ce6205a647eb5dab2115785fb45decaf0b
Author: Stefan Metzmacher
Date: Tue May 2 15:15:16 2023 +0200

vfs_aio_pthread: don't crash without a pthreadpool

During 'samba-tool ntacl sysvolreset' and similar.

Signed-off-by: Stefan Metzmacher
Reviewed-by: Andrew Bartlett

commit 0e9f1eec5a2e484d947a433cc854d9903de8537f
Author: Björn Baumbach
Date: Wed Jun 21 20:52:03 2023 +0200

samba-tool: print default (domain) for --dns-directory-partition option in help message

Signed-off-by: Björn Baumbach
Reviewed-by: Andrew Bartlett

commit b26dcfba10e3e38c04f3fe20dbf49e7e6ef4f0ed
Author: Stefan Metzmacher
Date: Thu Mar 24 00:12:47 2022 +0100

tests/krb5/s4u_tests.py: add test_constrained_delegation_authtime

This demonstrates that we use the correct authtime when doing constrained delegation.

The actual fix for the problem is already in place via commit 75ec66c729faad60fa18b9504ba4053b3e2f47bc
third_party/heimdal: Import lorikeet-heimdal-202306091507 (commit 7d8afc9d7e3d309ddccc2aea6405a8ca6280f6de)

The related patch is:
006a365a6aa3047a4e685e1607973746a28cc1f1 kdc: use the correct authtime from addtitional ticket for S4U2Proxy tickets

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13137

Signed-off-by: Stefan Metzmacher
Reviewed-by: Andrew Bartlett

commit 489cdefa6ab1bf7bd5cf3ea0ea64c03dc08fa8bd
Author: Stefan Metzmacher
Date: Thu Mar 17 14:46:55 2022 +0100

tests/krb5/s4u_tests.py: add test_constrained_delegation_with_enc_auth_data_[no_]subkey()

This demonstrates that we use the correct key for EncAuthorizationData together with constrained
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
  via 0ef8083cca0 WHATSNEW: Mention new default schema and Functional Level prep
  via a9d543cdfce s4:kdc: Gate claims, auth policies and NTLM restrctions behind 2012/2016 FLs
  via c95813374a4 testprogs/blackbox: also raise the levels to 2012_R2/2016 in functionalprep.sh
  via d2777d47d1e testprogs/blackbox: also prepare for to 2016 (schema=2019) in functionalprep.sh
  via 205ee77c2fe samba-tool: let 'domain level raise' call check_and_update_fl() in a transaction
  via 3724ae3e108 samba-tool: move some parts of 'domain level [show|raise]' in to subfunctions
  via e92988ec946 samba-tool: move some parts of 'domain level [show|raise]' in to try/except
  via ea2712336b2 samba-tool: let 'domain level raise --domain-level' use the correct crossRef dn
  via f9f9771a55f samba-tool: check for invalid 'domain level' subcommands first
  via 1b1895a0d84 samba-tool: Fix missing import for "domain level raise --forest-level=2016"
  via 48cc2862c28 docs-xml/smbdotconf: also allow 2012[_R2] for 'ad dc functional level'
  from ad98643fbd9 s4:kdc: Replace FAST cookie with dummy string

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -

commit 0ef8083cca0ffdf20d98545fb7e3aa576e661222
Author: Andrew Bartlett
Date: Wed Jun 14 16:14:51 2023 +1200

WHATSNEW: Mention new default schema and Functional Level prep

Signed-off-by: Andrew Bartlett
Reviewed-by: Stefan Metzmacher

Autobuild-User(master): Andrew Bartlett
Autobuild-Date(master): Wed Jun 21 20:01:06 UTC 2023 on atb-devel-224

commit a9d543cdfce1d0ff2976a20bb8f15f68d9de0a41
Author: Joseph Sutton
Date: Mon Apr 3 16:49:50 2023 +1200

s4:kdc: Gate claims, auth policies and NTLM restrctions behind 2012/2016 FLs

Samba security features like AD claims, Authentication Policies and Authentication Silos are enabled once the DC is at the required functional level.

We comment at the callers of dsdb_dc_functional_level() to explain why we do this.

Signed-off-by: Joseph Sutton
Signed-off-by: Andrew Bartlett
Reviewed-by: Stefan Metzmacher

commit c95813374a4fa92b446041696baf617d7b19a7f2
Author: Stefan Metzmacher
Date: Wed Jun 21 10:21:32 2023 +0200

testprogs/blackbox: also raise the levels to 2012_R2/2016 in functionalprep.sh

Signed-off-by: Stefan Metzmacher
Reviewed-by: Andrew Bartlett

commit d2777d47d1e3beda4295ece6d1c438fab2621925
Author: Stefan Metzmacher
Date: Wed Jun 21 10:21:32 2023 +0200

testprogs/blackbox: also prepare for to 2016 (schema=2019) in functionalprep.sh

Signed-off-by: Stefan Metzmacher
Reviewed-by: Andrew Bartlett

commit 205ee77c2fe812b71138bbf72ce5b17f238696f1
Author: Stefan Metzmacher
Date: Wed Jun 21 12:07:08 2023 +0200

samba-tool: let 'domain level raise' call check_and_update_fl() in a transaction

This makes it possible to raise the levels without starting 'samba' first, which is very useful for blackbox tests.

Signed-off-by: Stefan Metzmacher
Reviewed-by: Andrew Bartlett

commit 3724ae3e1089136e7d3d3f111ab3420be71a7730
Author: Stefan Metzmacher
Date: Wed Jun 21 12:07:08 2023 +0200

samba-tool: move some parts of 'domain level [show|raise]' in to subfunctions

This will make it easier to use transactions in the following changes...

Signed-off-by: Stefan Metzmacher
Reviewed-by: Andrew Bartlett

commit e92988ec9467e603e5c1aa7f8d337deebbf282dd
Author: Stefan Metzmacher
Date: Wed Jun 21 12:07:08 2023 +0200

samba-tool: move some parts of 'domain level [show|raise]' in to try/except

This just adds indentation for now, the following changes will add transactions...

Signed-off-by: Stefan Metzmacher
Reviewed-by: Andrew Bartlett

commit ea2712336b28ffda938b4d0b1b17d8eaafb7714d
Author: Stefan Metzmacher
Date: Wed Jun 21 11:57:12 2023 +0200

samba-tool: let 'domain level raise --domain-level' use the correct crossRef dn

We should not rely on lp.get('workgroup')...

Signed-off-by: Stefan Metzmacher
Reviewed-by: Andrew Bartlett

commit f9f9771a55ffa5cd99b8c3d9228bae6f73938b5d
Author: Stefan Metzmacher
Date: Wed Jun 21 11:07:17 2023 +0200

samba-tool: check for invalid 'domain level' subcommands first

This will simplify further changes...

Signed-off-by: Stefan Metzmacher
Reviewed-by: Andrew Bartlett

commit 1b1895a0d84fb9fc07411adc648527180476bacd
Author: Andrew Bartlett
Date: Wed Jun 21 11:43:01 2023 +1200

samba-tool: Fix missing import for "domain level raise --forest-level=2016"

Signed-off-by: Andrew Bartlett
Reviewed-by: Stefan Metzmacher

commit 48cc2862c289f2b3cf027037fe071fe2e5d81202
Author: Stefan Metzmacher
Date: Wed Jun 21 10:31:34 2023 +0200
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
  via ad98643fbd9 s4:kdc: Replace FAST cookie with dummy string
  via fc4740426d2 third_party/heimdal: Import lorikeet-heimdal-202306112240 (commit c7f4ffe1a6e8dafc86ec3357c498d31c97ece386)
  via 53caae00b82 tests/krb5: Test that FX-COOKIE matches cookie returned by Windows
  from c4e27ae4f69 smbd: Don't set security_descriptor_hash_v4->time

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -

commit ad98643fbd914b7fb28d43a36bd51eeb1f8e2e06
Author: Joseph Sutton
Date: Fri Jun 9 15:46:33 2023 +1200

s4:kdc: Replace FAST cookie with dummy string

All that uses the FAST cookie is the gss-preauth authentication mechanism, which is untested in Samba, and disabled by default. Disabling the FAST cookie code (and sending a dummy string instead) relieves us of the maintenance and testing burden of this untested code.

Signed-off-by: Joseph Sutton
Reviewed-by: Andrew Bartlett
Reviewed-by: Stefan Metzmacher

Autobuild-User(master): Stefan Metzmacher
Autobuild-Date(master): Wed Jun 21 13:19:17 UTC 2023 on atb-devel-224

commit fc4740426d2f43ca7703e3e4e6ef71c902ce5cd3
Author: Joseph Sutton
Date: Mon Jun 12 12:12:06 2023 +1200

third_party/heimdal: Import lorikeet-heimdal-202306112240 (commit c7f4ffe1a6e8dafc86ec3357c498d31c97ece386)

Signed-off-by: Joseph Sutton
Reviewed-by: Andrew Bartlett
Reviewed-by: Stefan Metzmacher

commit 53caae00b824e1fe67a67978a5ad604964f10c7a
Author: Joseph Sutton
Date: Mon Jun 12 13:06:21 2023 +1200

tests/krb5: Test that FX-COOKIE matches cookie returned by Windows

The cookie produced by Windows differs depending on whether FAST was used.
Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher --- Summary of changes: python/samba/tests/krb5/fast_tests.py| 87 +++ selftest/knownfail_heimdal_kdc | 1 + selftest/knownfail_mit_kdc | 3 + source4/kdc/db-glue.c| 19 - source4/kdc/hdb-samba4.c | 117 +-- source4/kdc/kdc-heimdal.c| 29 source4/kdc/samba_kdc.h | 2 - third_party/heimdal/kdc/default_config.c | 9 +++ third_party/heimdal/kdc/fast.c | 72 ++- third_party/heimdal/kdc/kdc.h| 7 ++ third_party/heimdal/kdc/kerberos5.c | 7 +- third_party/heimdal/lib/krb5/krb5.conf.5 | 3 + 12 files changed, 203 insertions(+), 153 deletions(-) Changeset truncated at 500 lines: diff --git a/python/samba/tests/krb5/fast_tests.py b/python/samba/tests/krb5/fast_tests.py index e57ea5e1c4b..1c4b5256cef 100755 --- a/python/samba/tests/krb5/fast_tests.py +++ b/python/samba/tests/krb5/fast_tests.py 
@@ -1418,6 +1418,86 @@ class FAST_Tests(KDCBaseTest): } ]) +def test_fx_cookie_fast(self): +"""Test that the FAST cookie is present and that its value is as +expected when FAST is used.""" +kdc_exchange_dict = self._run_test_sequence([ +{ +'rep_type': KRB_AS_REP, +'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED, +'use_fast': True, +'fast_armor': FX_FAST_ARMOR_AP_REQUEST, +'gen_armor_tgt_fn': self.get_mach_tgt +}, +]) + +cookie = kdc_exchange_dict.get('fast_cookie') +self.assertEqual(b'Microsoft', cookie) + +def test_fx_cookie_no_fast(self): +"""Test that the FAST cookie is present and that its value is as +expected when FAST is not used.""" +kdc_exchange_dict = self._run_test_sequence([ +{ +'rep_type': KRB_AS_REP, +'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED, +'use_fast': False +}, +]) + +cookie = kdc_exchange_dict.get('fast_cookie') +self.assertEqual(b'Microsof\x00', cookie) + +def test_unsolicited_fx_cookie_preauth(self): +"""Test sending an unsolicited FX-COOKIE in an AS-REQ without +pre-authentication data.""" + +# Include a FAST cookie. +fast_cookie = self.create_fast_cookie('Samba-Test') + +kdc_exchange_dict = self._run_test_sequence([ +{ +'rep_type': KRB_AS_REP, +'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED, +'use_fast': True, +'fast_armor': FX_FAST_ARMOR_AP_REQUEST, +'gen_armor_tgt_fn': self.get_mach_tgt, +'fast_cookie': fast_cookie, +}, +]) + +got_cookie = kdc_exchange_dict.get('fast_cookie') +self.assertEqual(b'Microsoft', got_cookie) + +
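Review bot: in test_fx_cookie_no_fast the expected value b'Microsof\x00' differs from the b'Microsoft' asserted in test_fx_cookie_fast only in its last byte, and nothing in the test says that is intentional, so it reads like a typo. A one-line comment stating that this is the value returned when FAST is not used, or two named constants shared by the three tests, would make the intent explicit. Both docstrings also promise that the cookie is present, but kdc_exchange_dict.get('fast_cookie') returns None when it is missing; an assertIsNotNone(cookie) before the comparison would give a clearer failure than comparing None with the literal.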
[SCM] Socket Wrapper Repository - branch master updated
The branch, master has been updated via d8b61a6 Bump version to 1.4.1 from 71a55a6 swrap: Add support for openat64() https://git.samba.org/?p=socket_wrapper.git;a=shortlog;h=master - Log - commit d8b61a6734e9dba718308ece5a66c751e3150c83 Author: Andreas Schneider Date: Mon May 8 12:59:33 2023 +0200 Bump version to 1.4.1 Signed-off-by: Andreas Schneider Reviewed-by: Ralph Boehme --- Summary of changes: CHANGELOG | 4 CMakeLists.txt | 4 ++-- 2 files changed, 6 insertions(+), 2 deletions(-) Changeset truncated at 500 lines: diff --git a/CHANGELOG b/CHANGELOG index 68e40f9..0e1d39c 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,6 +1,10 @@ CHANGELOG = +version 1.4.1 (released 2023-06-21) + * Fixed issue with fnctl() on 32bit + * Added openat64() to detect stale fds + version 1.4.0 (released 2023-01-18) * Added support for sendmmsg()/recvmmsg() * Added support for handling close, recvmmsg and sendmmsg syscalls diff --git a/CMakeLists.txt b/CMakeLists.txt index 47e9824..02fe340 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -11,7 +11,7 @@ list(APPEND CMAKE_MODULE_PATH "${CMAKE_CURRENT_SOURCE_DIR}/cmake/Modules") include(DefineCMakeDefaults) include(DefineCompilerFlags) -project(socket_wrapper VERSION 1.4.0 LANGUAGES C) +project(socket_wrapper VERSION 1.4.1 LANGUAGES C) # global needed variables set(APPLICATION_NAME ${PROJECT_NAME}) @@ -25,7 +25,7 @@ set(APPLICATION_NAME ${PROJECT_NAME}) # Increment PATCH. set(LIBRARY_VERSION_MAJOR 0) set(LIBRARY_VERSION_MINOR 4) -set(LIBRARY_VERSION_PATCH 0) +set(LIBRARY_VERSION_PATCH 1) set(LIBRARY_VERSION "${LIBRARY_VERSION_MAJOR}.${LIBRARY_VERSION_MINOR}.${LIBRARY_VERSION_PATCH}") set(LIBRARY_SOVERSION ${LIBRARY_VERSION_MAJOR}) -- Socket Wrapper Repository
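Review bot: the new CHANGELOG entry under "version 1.4.1" spells the call as fnctl(); it should read fcntl(). The two CMakeLists.txt hunks bump project VERSION and LIBRARY_VERSION_PATCH together, which is consistent with the "Increment PATCH" guidance in the surrounding comment, so no change is needed there.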
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via c4e27ae4f69 smbd: Don't set security_descriptor_hash_v4->time from d34ff44d91b s3:winbind: Fix talloc parent in find_dc() leading to a segfault https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit c4e27ae4f69c3a3e067db3627455175b0b427cb1 Author: Volker Lendecke Date: Tue Jun 20 09:56:22 2023 +0200 smbd: Don't set security_descriptor_hash_v4->time This prevents de-duplication of xattrs in the backend file system where otherwise ACLs are often very similar. Signed-off-by: Volker Lendecke Reviewed-by: Andrew Bartlett Autobuild-User(master): Volker Lendecke Autobuild-Date(master): Wed Jun 21 07:11:56 UTC 2023 on atb-devel-224 --- Summary of changes: librpc/idl/xattr.idl | 5 + source3/modules/vfs_acl_common.c | 4 2 files changed, 5 insertions(+), 4 deletions(-) Changeset truncated at 500 lines: diff --git a/librpc/idl/xattr.idl b/librpc/idl/xattr.idl index 82d4ec5a473..d1cf913e9d8 100644 --- a/librpc/idl/xattr.idl +++ b/librpc/idl/xattr.idl @@ -204,6 +204,11 @@ interface xattr * this hash (to allow * forensics later, if we have * a bug in one codepath */ + /* +* "time" is always set to 0. Left here to avoid +* bumping the union versions. Remove in case a v5 is +* necessary. +*/ NTTIME time; uint8 sys_acl_hash[64]; /* 64 bytes hash. */ } security_descriptor_hash_v4; diff --git a/source3/modules/vfs_acl_common.c b/source3/modules/vfs_acl_common.c index fd54d7b2dd6..7a35a946f51 100644 --- a/source3/modules/vfs_acl_common.c +++ b/source3/modules/vfs_acl_common.c @@ -259,9 +259,6 @@ static NTSTATUS create_sys_acl_blob(const struct security_descriptor *psd, struct security_descriptor_hash_v4 sd_hs4; enum ndr_err_code ndr_err; TALLOC_CTX *ctx = talloc_tos(); - NTTIME nttime_now; - struct timeval now = timeval_current(); - nttime_now = timeval_to_nttime(); ZERO_STRUCT(xacl); ZERO_STRUCT(sd_hs4); 
@@ -272,7 +269,6 @@ static NTSTATUS create_sys_acl_blob(const struct security_descriptor *psd, xacl.info.sd_hs4->hash_type = hash_type; memcpy(_hs4->hash[0], hash, XATTR_SD_HASH_SIZE); xacl.info.sd_hs4->description = description; - xacl.info.sd_hs4->time = nttime_now; memcpy(_hs4->sys_acl_hash[0], sys_acl_hash, XATTR_SD_HASH_SIZE); ndr_err = ndr_push_struct_blob( -- Samba Shared Repository
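Review bot: with "xacl.info.sd_hs4->time = nttime_now;" removed from create_sys_acl_blob(), the zero value of the field now depends entirely on the earlier ZERO_STRUCT(sd_hs4), which deserves a short comment at that point so a later refactor does not drop it. The new xattr.idl comment says "time" is always set to 0, but the removed assignment shows that blobs written before this change carry a real timestamp; wording such as "written as 0 by current code, readers must ignore the value" would describe what is on disk more accurately.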