[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
       via  dadd3223882 tests/krb5: Add claims tests
       via  8b8a268084b tests/krb5: Allow specifying sname for getting service ticket
       via  6170d46cdd7 tests/krb5: Check claims buffers
       via  fa90633b810 tests/krb5: Add xpress (de)compression functions
       via  20082340433 tests/krb5: Add function for creating claims
       via  88c9e2af205 krb5pac.idl: Add definitions for claims PAC buffers
       via  e53455497c9 claims.idl: Add claim type definitions
      from  761ce8cfe41 s4:kdc: Set kerberos debug class for kdc service

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit dadd32238822c6f2ee10cd55442c88e2034fb11a
Author: Joseph Sutton
Date: Fri Mar 4 16:23:32 2022 +1300

    tests/krb5: Add claims tests

    Based on tests originally written by Stefan Metzmacher

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

    Autobuild-User(master): Andrew Bartlett
    Autobuild-Date(master): Fri Sep 9 01:11:05 UTC 2022 on sn-devel-184

commit 8b8a268084b494e61a8e41e0ee11916474cc3bbd
Author: Joseph Sutton
Date: Mon Mar 7 17:07:03 2022 +1300

    tests/krb5: Allow specifying sname for getting service ticket

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit 6170d46cdd77da1ed2ae6f19b893fad74cd21196
Author: Joseph Sutton
Date: Fri Mar 4 16:22:07 2022 +1300

    tests/krb5: Check claims buffers

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit fa90633b8109696c923e4559a17b82761f4dc486
Author: Joseph Sutton
Date: Fri Mar 4 16:21:19 2022 +1300

    tests/krb5: Add xpress (de)compression functions

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit 200823404335cb781b18e5be25934a2625018dd1
Author: Joseph Sutton
Date: Fri Mar 4 16:20:18 2022 +1300

    tests/krb5: Add function for creating claims

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit 88c9e2af205cc8327d4977b9ca0ea626b6a3c1e1
Author: Joseph Sutton
Date: Fri Mar 4 16:17:40 2022 +1300

    krb5pac.idl: Add definitions for claims PAC buffers

    The PAC device info definition comes from [MS-PAC] 2.12.

    Signed-off-by: Joseph Sutton
    Signed-off-by: Andrew Bartlett
    Reviewed-by: Douglas Bagnall

commit e53455497c90be9665905fa878efb40872efa09b
Author: Joseph Sutton
Date: Fri Sep 9 11:02:01 2022 +1200

    claims.idl: Add claim type definitions

    Signed-off-by: Joseph Sutton
    Signed-off-by: Andrew Bartlett
    Reviewed-by: Douglas Bagnall

---

Summary of changes:
 librpc/idl/IDL_LICENSE.txt               |   76 ++
 librpc/idl/claims.idl                    |  118 +++
 librpc/idl/krb5pac.idl                   |   23 +
 librpc/idl/wscript_build                 |    1 +
 librpc/wscript_build                     |    8 +-
 python/samba/tests/krb5/claims_tests.py  | 1319 ++
 python/samba/tests/krb5/kdc_base_test.py |  196 -
 python/samba/tests/krb5/kdc_tgs_tests.py |    6 +-
 python/samba/tests/krb5/raw_testcase.py  |  329 +++-
 python/samba/tests/krb5/s4u_tests.py     |    4 +-
 python/samba/tests/krb5/xpress.py        |  128 +++
 python/samba/tests/usage.py              |    1 +
 selftest/knownfail_heimdal_kdc           |   88 ++
 selftest/knownfail_mit_kdc               |   89 ++
 selftest/knownfail_mit_kdc_1_20          |    4 +
 source4/librpc/wscript_build             |    7 +
 source4/selftest/tests.py                |    4 +
 17 files changed, 2363 insertions(+), 38 deletions(-)
 create mode 100644 librpc/idl/claims.idl
 create mode 100755 python/samba/tests/krb5/claims_tests.py
 create mode 100644 python/samba/tests/krb5/xpress.py

Changeset truncated at 500 lines:

diff --git a/librpc/idl/IDL_LICENSE.txt b/librpc/idl/IDL_LICENSE.txt index 01ae670b69b..a2d87ecb044 100644 --- a/librpc/idl/IDL_LICENSE.txt +++ b/librpc/idl/IDL_LICENSE.txt
@@ -7,3 +7,79 @@ under the following license: This work is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. + + +The following relates to IDL obtained from Open Specifications Documentation + + Intellectual Property Rights Notice for Open Specifications Documentation + + * Technical Documentation. Microsoft publishes Open Specifications +documentation (“this documentation”) for protocols, file formats, +data portability, computer languages, and standards +support. Additionally, overview documents cover inter-protocol +relationships and interactions. + + * Copyrights. This documentation is covered by Microsoft +copyrights. Regardless of any other terms that are contained in +the terms of use for the Microsoft website that hosts this +
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
       via  761ce8cfe41 s4:kdc: Set kerberos debug class for kdc service
       via  a88bb04ca23 selftest: Add Address Sanitizer suppressions
       via  7800097af4e selftest: Create asan_options variable
       via  1591d7bdbf0 selftest: Fix address sanitizer with python3
       via  08dda9cefdd selftest: Remove tailing whitspaces in selftest.pl
       via  6b9018d3c98 waf: Do not use as-needed if we build with Address Sanitizer
       via  b475e020664 s4:gensec: Do not link subsystems against dlopen() modules!
       via  b5013634175 pytest samba-tool forest: use runcmd
       via  098886946fa make runcmd, runsubcmd, exact aliases
       via  273797d8cf9 pytest: samba-tool: coalesce run*cmd functions
       via  4bfcd16a3c6 samba-tool: binary uses samba_tool function
       via  a1c615f87de pytest/samba-tool: entry function follows too logic
       via  8b23ef30032 pytest/password-lockout: fix using samba_tool function
       via  202182e0fdc pytest/samba_dnsupdate: fix using samba-tool function
       via  c41887d903f pytest/netcmd: fix for new samba-tool api
       via  5247c87cc2c samba-tool: add a convenience function that does it all
       via  153ad8fc3a9 samba-tool: command that has exception, shows exception
       via  304ac5bb777 samba-tool: _resolve() can set outf, errf
       via  ed787869897 samba-tool: more conventional usage of parser.parse_args
       via  9ec0863ff24 samba-tool: separate ._run() from command resolution
       via  8b403ab7c55 samba-tool: do not crash on unimplemented .run()
      from  8132edf1197 s3:libads: let cldap_ping_list() use cldap_multi_netlogon()

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit 761ce8cfe41139ab5656dec5cc05f2f576095216
Author: Andreas Schneider
Date: Tue Sep 6 10:19:54 2022 +0200

    s4:kdc: Set kerberos debug class for kdc service

    Signed-off-by: Andreas Schneider
    Reviewed-by: Douglas Bagnall
    Reviewed-by: Andrew Bartlett

    Autobuild-User(master): Andrew Bartlett
    Autobuild-Date(master): Thu Sep 8 23:34:15 UTC 2022 on sn-devel-184

commit a88bb04ca233cbe19aa9bae1cc5078274785cb4d
Author: Andreas Schneider
Date: Tue Sep 6 10:06:37 2022 +0200

    selftest: Add Address Sanitizer suppressions

    Signed-off-by: Andreas Schneider
    Reviewed-by: Douglas Bagnall
    Reviewed-by: Andrew Bartlett

commit 7800097af4e8ba071b31cecaf19a76b0e4b8a053
Author: Andreas Schneider
Date: Tue Sep 6 10:06:05 2022 +0200

    selftest: Create asan_options variable

    Signed-off-by: Andreas Schneider
    Reviewed-by: Douglas Bagnall
    Reviewed-by: Andrew Bartlett

commit 1591d7bdbf045bee45e7e2775a7be464fe236d1c
Author: Andreas Schneider
Date: Tue Sep 6 08:59:56 2022 +0200

    selftest: Fix address sanitizer with python3

    ==9542==AddressSanitizer: failed to intercept 'crypt'
    ==9542==AddressSanitizer: failed to intercept 'crypt_r'
    [..]
    AddressSanitizer:DEADLYSIGNAL
    =
    ==29768==ERROR: AddressSanitizer: SEGV on unknown address 0x (pc 0x bp 0x7ffcec4bf3c0 sp 0x7ffcec4beb58 T0)
    ==29768==Hint: pc points to the zero page.
    ==29768==The signal is caused by a READ memory access.
    ==29768==Hint: address points to the zero page.
    #0 0x0 ()
    #1 0x7f052cca4129 in crypt_crypt_impl /usr/src/debug/python310-core-3.10.6-3.1.x86_64/Modules/_cryptmodule.c:44

    We would need to build python without --as-needed as we can't so that we
    need to preload the library to avoid a segfault.

    See also: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98669

    Signed-off-by: Andreas Schneider
    Reviewed-by: Douglas Bagnall
    Reviewed-by: Andrew Bartlett

commit 08dda9cefdddf6953ac54b282e8b0e434426d1d6
Author: Andreas Schneider
Date: Tue Sep 6 08:48:49 2022 +0200

    selftest: Remove tailing whitspaces in selftest.pl

    Signed-off-by: Andreas Schneider
    Reviewed-by: Douglas Bagnall
    Reviewed-by: Andrew Bartlett

commit 6b9018d3c98113c6984a1fe65cce42771ccb4600
Author: Andreas Schneider
Date: Tue Sep 6 08:47:47 2022 +0200

    waf: Do not use as-needed if we build with Address Sanitizer

    https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98669

    Signed-off-by: Andreas Schneider
    Reviewed-by: Douglas Bagnall
    Reviewed-by: Andrew Bartlett

commit b475e02066437920b671bdd0f91602f4f5b7c5f0
Author: Andreas Schneider
Date: Thu Sep 8 10:32:38 2022 +0200

    s4:gensec: Do not link subsystems against dlopen() modules!

    This is not a shared library. This only worked because we use
    '--as-needed' as linker option.

    Signed-off-by: Andreas Schneider
    Reviewed-by: Douglas Bagnall
    Reviewed-by: Andrew Bartlett

commit b5013634175ef4b0a32e120e8b5806ad7283623b
Author: Douglas Bagnall
[SCM] Socket Wrapper Repository - branch master updated
The branch, master has been updated
       via  f5c3e25 Fix -Wcast-qual warnings
      from  cdc071a Bump version to 1.3.4

https://git.samba.org/?p=socket_wrapper.git;a=shortlog;h=master

- Log -
commit f5c3e25c9910d305a26f267fcfa0bfe8d97834ec
Author: Alex Richardson
Date: Fri Oct 1 10:00:32 2021 +0100

    Fix -Wcast-qual warnings

    Without this change I get the following -Werror build failure when
    building samba on macOS:

    ```
    ../../third_party/socket_wrapper/socket_wrapper.c:5420:15: error: cast from 'const struct cmsghdr *' to 'unsigned char *' drops const qualifier [-Werror,-Wcast-qual]
    __fds_in.p = CMSG_DATA(cmsg);
    ^
    /Library/Developer/CommandLineTools/SDKs/MacOSX.sdk/usr/include/sys/socket.h:631:51: note: expanded from macro 'CMSG_DATA'
    #define CMSG_DATA(cmsg) ((unsigned char *)(cmsg) + \
    ^
    ```

    Signed-off-by: Alex Richardson
    Reviewed-by: Stefan Metzmacher
    Reviewed-by: Andreas Schneider

---

Summary of changes:
 CompilerChecks.cmake | 2 +-
 src/socket_wrapper.c | 8
 2 files changed, 5 insertions(+), 5 deletions(-)

Changeset truncated at 500 lines:

diff --git a/CompilerChecks.cmake b/CompilerChecks.cmake index 195d619..8d18fbf 100644 --- a/CompilerChecks.cmake +++ b/CompilerChecks.cmake @@ -22,7 +22,7 @@ if (UNIX) add_c_compiler_flag("-Wshadow" SUPPORTED_COMPILER_FLAGS) add_c_compiler_flag("-Wmissing-prototypes" SUPPORTED_COMPILER_FLAGS) add_c_compiler_flag("-Wcast-align" SUPPORTED_COMPILER_FLAGS) -#add_c_compiler_flag("-Wcast-qual" SUPPORTED_COMPILER_FLAGS) +add_c_compiler_flag("-Wcast-qual" SUPPORTED_COMPILER_FLAGS) add_c_compiler_flag("-Werror=address" SUPPORTED_COMPILER_FLAGS) add_c_compiler_flag("-Wstrict-prototypes" SUPPORTED_COMPILER_FLAGS) add_c_compiler_flag("-Werror=strict-prototypes" SUPPORTED_COMPILER_FLAGS) diff --git a/src/socket_wrapper.c b/src/socket_wrapper.c index 5804e93..ec8321f 100644 --- a/src/socket_wrapper.c +++ b/src/socket_wrapper.c
@@ -5325,7 +5325,7 @@ union __swrap_cmsghdr { struct cmsghdr *cmsg; }; -static int swrap_sendmsg_unix_scm_rights(const struct cmsghdr *cmsg, +static int swrap_sendmsg_unix_scm_rights(struct cmsghdr *cmsg, uint8_t **cm_data, size_t *cm_data_space, int *scm_rights_pipe_fd) @@ -5557,7 +5557,7 @@ static int swrap_sendmsg_unix_scm_rights(const struct cmsghdr *cmsg, return 0; } -static int swrap_sendmsg_unix_sol_socket(const struct cmsghdr *cmsg, +static int swrap_sendmsg_unix_sol_socket(struct cmsghdr *cmsg, uint8_t **cm_data, size_t *cm_data_space, int *scm_rights_pipe_fd) @@ -5581,7 +5581,7 @@ static int swrap_sendmsg_unix_sol_socket(const struct cmsghdr *cmsg, return rc; } -static int swrap_recvmsg_unix_scm_rights(const struct cmsghdr *cmsg, +static int swrap_recvmsg_unix_scm_rights(struct cmsghdr *cmsg, uint8_t **cm_data, size_t *cm_data_space) { @@ -5860,7 +5860,7 @@ static int swrap_recvmsg_unix_scm_rights(const struct cmsghdr *cmsg, return 0; } -static int swrap_recvmsg_unix_sol_socket(const struct cmsghdr *cmsg, +static int swrap_recvmsg_unix_sol_socket(struct cmsghdr *cmsg, uint8_t **cm_data, size_t *cm_data_space) { -- Socket Wrapper Repository
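Review bot: the commit message does not mention the CompilerChecks.cmake hunk, where the previously commented-out add_c_compiler_flag("-Wcast-qual" SUPPORTED_COMPILER_FLAGS) line is switched on for every UNIX build. The message only describes a -Werror failure seen when building samba on macOS, so it should also state that the warning is now enabled in socket_wrapper's own build and which compilers were checked to build cleanly with it, since a flag that was off until now can surface new warnings on platforms other than the one tested.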
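Review bot: removing const from the cmsg parameter of swrap_sendmsg_unix_scm_rights(), swrap_sendmsg_unix_sol_socket(), swrap_recvmsg_unix_scm_rights() and swrap_recvmsg_unix_sol_socket() silences -Wcast-qual by weakening the interface, because the compiler no longer enforces that these helpers leave the control message header they are handed unmodified. The warning quoted in the commit message comes from CMSG_DATA(cmsg) casting its argument to unsigned char *, so an alternative is to keep the const signatures and confine the qualifier drop to one commented place next to the CMSG_DATA() use. If the non-const signatures stay and the helpers only read through cmsg, a one-line comment on each saying so would keep that intent visible to later callers.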
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
       via  8132edf1197 s3:libads: let cldap_ping_list() use cldap_multi_netlogon()
       via  ab6b9465eda s3:libads: split out ads_fill_cldap_reply() out of ads_try_connect()
      from  c2e235efd40 s3:modules - fix read of uninitialized memory

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit 8132edf119757ee91070facffef016c93de9c2a6
Author: Stefan Metzmacher
Date: Wed Aug 24 16:11:06 2022 +0200

    s3:libads: let cldap_ping_list() use cldap_multi_netlogon()

    We have a list of ip addresses, so we can request them all together
    under a single timeout, instead of asking each ip with its own timeout.

    Signed-off-by: Stefan Metzmacher
    Reviewed-by: Andreas Schneider

    Autobuild-User(master): Andreas Schneider
    Autobuild-Date(master): Thu Sep 8 08:12:46 UTC 2022 on sn-devel-184

commit ab6b9465eda9f219bbed3bd65e89668e5e2c93c6
Author: Stefan Metzmacher
Date: Wed Aug 24 16:36:17 2022 +0200

    s3:libads: split out ads_fill_cldap_reply() out of ads_try_connect()

    Signed-off-by: Stefan Metzmacher
    Reviewed-by: Andreas Schneider

---

Summary of changes:
 source3/libads/ldap.c | 246 +-
 1 file changed, 202 insertions(+), 44 deletions(-)

Changeset truncated at 500 lines:

diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c index e7e34998f74..da5a924cde0 100755 --- a/source3/libads/ldap.c +++ b/source3/libads/ldap.c @@ -25,6 +25,7 @@ #include "ads.h" #include "libads/sitename_cache.h" #include "libads/cldap.h" +#include "../lib/tsocket/tsocket.h" #include "../lib/addns/dnsquery.h" #include "../libds/common/flags.h" #include "smbldap.h"
@@ -249,43 +250,23 @@ bool ads_closest_dc(ADS_STRUCT *ads) return False; } - -/* - try a connection to a given ldap server, returning True and setting the servers IP - in the ads struct if successful - */ -static bool ads_try_connect(ADS_STRUCT *ads, bool gc, - struct sockaddr_storage *ss) +static bool ads_fill_cldap_reply(ADS_STRUCT *ads, +bool gc, +const struct sockaddr_storage *ss, +const struct NETLOGON_SAM_LOGON_RESPONSE_EX *cldap_reply) { - struct NETLOGON_SAM_LOGON_RESPONSE_EX cldap_reply; TALLOC_CTX *frame = talloc_stackframe(); bool ret = false; char addr[INET6_ADDRSTRLEN]; ADS_STATUS status; - if (ss == NULL) { - TALLOC_FREE(frame); - return False; - } - print_sockaddr(addr, sizeof(addr), ss); - DEBUG(5,("ads_try_connect: sending CLDAP request to %s (realm: %s)\n", - addr, ads->server.realm)); - - ZERO_STRUCT( cldap_reply ); - - if ( !ads_cldap_netlogon_5(frame, ss, ads->server.realm, _reply ) ) { - DEBUG(3,("ads_try_connect: CLDAP request %s failed.\n", addr)); - ret = false; - goto out; - } - /* Check the CLDAP reply flags */ - if ( !(cldap_reply.server_type & NBT_SERVER_LDAP) ) { - DEBUG(1,("ads_try_connect: %s's CLDAP reply says it is not an LDAP server!\n", - addr)); + if (!(cldap_reply->server_type & NBT_SERVER_LDAP)) { + DBG_WARNING("%s's CLDAP reply says it is not an LDAP server!\n", + addr); ret = false; goto out; } @@ -299,14 +280,14 @@ static bool ads_try_connect(ADS_STRUCT *ads, bool gc, TALLOC_FREE(ads->config.client_site_name); TALLOC_FREE(ads->server.workgroup); - if (!check_cldap_reply_required_flags(cldap_reply.server_type, + if (!check_cldap_reply_required_flags(cldap_reply->server_type, ads->config.flags)) { ret = false; goto out; } ads->config.ldap_server_name = talloc_strdup(ads, -cldap_reply.pdc_dns_name); +cldap_reply->pdc_dns_name); if (ads->config.ldap_server_name == NULL) { DBG_WARNING("Out of memory\n"); ret = false; 
@@ -315,7 +296,7 @@ static bool ads_try_connect(ADS_STRUCT *ads, bool gc, ads->config.realm = talloc_asprintf_strupper_m(ads, "%s", - cldap_reply.dns_domain); + cldap_reply->dns_domain); if (ads->config.realm == NULL) { DBG_WARNING("Out of memory\n"); ret = false; @@ -330,9 +311,9 @@ static bool
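Review bot: in the @@ -249,43 +250,23 @@ hunk, ads_fill_cldap_reply() loses the `if (ss == NULL)` guard that ads_try_connect() had, yet ss is still passed straight to print_sockaddr() and the new cldap_reply parameter is dereferenced (cldap_reply->server_type) with no check either. The callers are not visible in the truncated changeset, so either restore a guard for both pointers at the top of the helper (freeing the talloc_stackframe() before returning, as the removed code did) or add a comment stating that callers must pass non-NULL values. The same hunk also deletes the comment block that described the function without giving the new helper one; a short description of what it fills in the ADS_STRUCT from the CLDAP reply would help, since the reply now originates outside this function.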