[SCM] Samba Shared Repository - branch master updated

2022-09-08 Thread Andrew Bartlett
The branch, master has been updated
   via  dadd3223882 tests/krb5: Add claims tests
   via  8b8a268084b tests/krb5: Allow specifying sname for getting service ticket
   via  6170d46cdd7 tests/krb5: Check claims buffers
   via  fa90633b810 tests/krb5: Add xpress (de)compression functions
   via  20082340433 tests/krb5: Add function for creating claims
   via  88c9e2af205 krb5pac.idl: Add definitions for claims PAC buffers
   via  e53455497c9 claims.idl: Add claim type definitions
  from  761ce8cfe41 s4:kdc: Set kerberos debug class for kdc service

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit dadd32238822c6f2ee10cd55442c88e2034fb11a
Author: Joseph Sutton 
Date:   Fri Mar 4 16:23:32 2022 +1300

tests/krb5: Add claims tests

Based on tests originally written by Stefan Metzmacher 

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Fri Sep  9 01:11:05 UTC 2022 on sn-devel-184

commit 8b8a268084b494e61a8e41e0ee11916474cc3bbd
Author: Joseph Sutton 
Date:   Mon Mar 7 17:07:03 2022 +1300

tests/krb5: Allow specifying sname for getting service ticket

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 6170d46cdd77da1ed2ae6f19b893fad74cd21196
Author: Joseph Sutton 
Date:   Fri Mar 4 16:22:07 2022 +1300

tests/krb5: Check claims buffers

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit fa90633b8109696c923e4559a17b82761f4dc486
Author: Joseph Sutton 
Date:   Fri Mar 4 16:21:19 2022 +1300

tests/krb5: Add xpress (de)compression functions

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 200823404335cb781b18e5be25934a2625018dd1
Author: Joseph Sutton 
Date:   Fri Mar 4 16:20:18 2022 +1300

tests/krb5: Add function for creating claims

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 88c9e2af205cc8327d4977b9ca0ea626b6a3c1e1
Author: Joseph Sutton 
Date:   Fri Mar 4 16:17:40 2022 +1300

krb5pac.idl: Add definitions for claims PAC buffers

The PAC device info definition comes from [MS-PAC] 2.12.

Signed-off-by: Joseph Sutton 
Signed-off-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

commit e53455497c90be9665905fa878efb40872efa09b
Author: Joseph Sutton 
Date:   Fri Sep 9 11:02:01 2022 +1200

claims.idl: Add claim type definitions

Signed-off-by: Joseph Sutton 
Signed-off-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

---

Summary of changes:
 librpc/idl/IDL_LICENSE.txt               |   76 ++
 librpc/idl/claims.idl                    |  118 +++
 librpc/idl/krb5pac.idl                   |   23 +
 librpc/idl/wscript_build                 |    1 +
 librpc/wscript_build                     |    8 +-
 python/samba/tests/krb5/claims_tests.py  | 1319 ++
 python/samba/tests/krb5/kdc_base_test.py |  196 -
 python/samba/tests/krb5/kdc_tgs_tests.py |    6 +-
 python/samba/tests/krb5/raw_testcase.py  |  329 +++-
 python/samba/tests/krb5/s4u_tests.py     |    4 +-
 python/samba/tests/krb5/xpress.py        |  128 +++
 python/samba/tests/usage.py              |    1 +
 selftest/knownfail_heimdal_kdc           |   88 ++
 selftest/knownfail_mit_kdc               |   89 ++
 selftest/knownfail_mit_kdc_1_20          |    4 +
 source4/librpc/wscript_build             |    7 +
 source4/selftest/tests.py                |    4 +
 17 files changed, 2363 insertions(+), 38 deletions(-)
 create mode 100644 librpc/idl/claims.idl
 create mode 100755 python/samba/tests/krb5/claims_tests.py
 create mode 100644 python/samba/tests/krb5/xpress.py


Changeset truncated at 500 lines:

diff --git a/librpc/idl/IDL_LICENSE.txt b/librpc/idl/IDL_LICENSE.txt
index 01ae670b69b..a2d87ecb044 100644
--- a/librpc/idl/IDL_LICENSE.txt
+++ b/librpc/idl/IDL_LICENSE.txt
@@ -7,3 +7,79 @@ under the following license:
   This work is distributed in the hope that it will be useful, but
   WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+
+
+The following relates to IDL obtained from Open Specifications Documentation
+
+  Intellectual Property Rights Notice for Open Specifications Documentation
+
+  * Technical Documentation. Microsoft publishes Open Specifications
+documentation (“this documentation”) for protocols, file formats,
+data portability, computer languages, and standards
+support. Additionally, overview documents cover inter-protocol
+relationships and interactions.
+
+  * Copyrights. This documentation is covered by Microsoft
+copyrights. Regardless of any other terms that are contained in
+the terms of use for the Microsoft website that hosts this
+

[SCM] Samba Shared Repository - branch master updated

2022-09-08 Thread Andrew Bartlett
The branch, master has been updated
   via  761ce8cfe41 s4:kdc: Set kerberos debug class for kdc service
   via  a88bb04ca23 selftest: Add Address Sanitizer suppressions
   via  7800097af4e selftest: Create asan_options variable
   via  1591d7bdbf0 selftest: Fix address sanitizer with python3
   via  08dda9cefdd selftest: Remove tailing whitspaces in selftest.pl
   via  6b9018d3c98 waf: Do not use as-needed if we build with Address Sanitizer
   via  b475e020664 s4:gensec: Do not link subsystems against dlopen() modules!
   via  b5013634175 pytest samba-tool forest: use runcmd
   via  098886946fa make runcmd, runsubcmd, exact aliases
   via  273797d8cf9 pytest: samba-tool: coalesce run*cmd functions
   via  4bfcd16a3c6 samba-tool: binary uses samba_tool function
   via  a1c615f87de pytest/samba-tool: entry function follows too logic
   via  8b23ef30032 pytest/password-lockout: fix using samba_tool function
   via  202182e0fdc pytest/samba_dnsupdate: fix using samba-tool function
   via  c41887d903f pytest/netcmd: fix for new samba-tool api
   via  5247c87cc2c samba-tool: add a convenience function that does it all
   via  153ad8fc3a9 samba-tool: command that has exception, shows exception
   via  304ac5bb777 samba-tool: _resolve() can set outf, errf
   via  ed787869897 samba-tool: more conventional usage of parser.parse_args
   via  9ec0863ff24 samba-tool: separate ._run() from command resolution
   via  8b403ab7c55 samba-tool: do not crash on unimplemented .run()
  from  8132edf1197 s3:libads: let cldap_ping_list() use cldap_multi_netlogon()

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 761ce8cfe41139ab5656dec5cc05f2f576095216
Author: Andreas Schneider 
Date:   Tue Sep 6 10:19:54 2022 +0200

s4:kdc: Set kerberos debug class for kdc service

Signed-off-by: Andreas Schneider 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Thu Sep  8 23:34:15 UTC 2022 on sn-devel-184

commit a88bb04ca233cbe19aa9bae1cc5078274785cb4d
Author: Andreas Schneider 
Date:   Tue Sep 6 10:06:37 2022 +0200

selftest: Add Address Sanitizer suppressions

Signed-off-by: Andreas Schneider 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 7800097af4e8ba071b31cecaf19a76b0e4b8a053
Author: Andreas Schneider 
Date:   Tue Sep 6 10:06:05 2022 +0200

selftest: Create asan_options variable

Signed-off-by: Andreas Schneider 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 1591d7bdbf045bee45e7e2775a7be464fe236d1c
Author: Andreas Schneider 
Date:   Tue Sep 6 08:59:56 2022 +0200

selftest: Fix address sanitizer with python3

==9542==AddressSanitizer: failed to intercept 'crypt'
==9542==AddressSanitizer: failed to intercept 'crypt_r'

[..]

AddressSanitizer:DEADLYSIGNAL
=
==29768==ERROR: AddressSanitizer: SEGV on unknown address 0x 
(pc 0x bp 0x7ffcec4bf3c0 sp 0x7ffcec4beb58 T0)
==29768==Hint: pc points to the zero page.
==29768==The signal is caused by a READ memory access.
==29768==Hint: address points to the zero page.
#0 0x0  ()
#1 0x7f052cca4129 in crypt_crypt_impl 
/usr/src/debug/python310-core-3.10.6-3.1.x86_64/Modules/_cryptmodule.c:44

We would need to build python without --as-needed; as we can't, we
need to preload the library to avoid a segfault.

See also: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98669

Signed-off-by: Andreas Schneider 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 08dda9cefdddf6953ac54b282e8b0e434426d1d6
Author: Andreas Schneider 
Date:   Tue Sep 6 08:48:49 2022 +0200

selftest: Remove tailing whitspaces in selftest.pl

Signed-off-by: Andreas Schneider 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 6b9018d3c98113c6984a1fe65cce42771ccb4600
Author: Andreas Schneider 
Date:   Tue Sep 6 08:47:47 2022 +0200

waf: Do not use as-needed if we build with Address Sanitizer

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98669

Signed-off-by: Andreas Schneider 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit b475e02066437920b671bdd0f91602f4f5b7c5f0
Author: Andreas Schneider 
Date:   Thu Sep 8 10:32:38 2022 +0200

s4:gensec: Do not link subsystems against dlopen() modules!

This is not a shared library. This only worked because we use
'--as-needed' as linker option.

Signed-off-by: Andreas Schneider 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit b5013634175ef4b0a32e120e8b5806ad7283623b
Author: Douglas Bagnall 

[SCM] Socket Wrapper Repository - branch master updated

2022-09-08 Thread Andreas Schneider
The branch, master has been updated
   via  f5c3e25 Fix -Wcast-qual warnings
  from  cdc071a Bump version to 1.3.4

https://git.samba.org/?p=socket_wrapper.git;a=shortlog;h=master


- Log -
commit f5c3e25c9910d305a26f267fcfa0bfe8d97834ec
Author: Alex Richardson 
Date:   Fri Oct 1 10:00:32 2021 +0100

Fix -Wcast-qual warnings

Without this change I get the following -Werror build failure when building
samba on macOS:
```
../../third_party/socket_wrapper/socket_wrapper.c:5420:15: error: cast from 'const struct cmsghdr *' to 'unsigned char *' drops const qualifier [-Werror,-Wcast-qual]
    __fds_in.p = CMSG_DATA(cmsg);
 ^
/Library/Developer/CommandLineTools/SDKs/MacOSX.sdk/usr/include/sys/socket.h:631:51: note: expanded from macro 'CMSG_DATA'
#define CMSG_DATA(cmsg) ((unsigned char *)(cmsg) + \
  ^
```

Signed-off-by: Alex Richardson 
Reviewed-by: Stefan Metzmacher 
Reviewed-by: Andreas Schneider 

---

Summary of changes:
 CompilerChecks.cmake | 2 +-
 src/socket_wrapper.c | 8 
 2 files changed, 5 insertions(+), 5 deletions(-)


Changeset truncated at 500 lines:

diff --git a/CompilerChecks.cmake b/CompilerChecks.cmake
index 195d619..8d18fbf 100644
--- a/CompilerChecks.cmake
+++ b/CompilerChecks.cmake
@@ -22,7 +22,7 @@ if (UNIX)
 add_c_compiler_flag("-Wshadow" SUPPORTED_COMPILER_FLAGS)
 add_c_compiler_flag("-Wmissing-prototypes" SUPPORTED_COMPILER_FLAGS)
 add_c_compiler_flag("-Wcast-align" SUPPORTED_COMPILER_FLAGS)
-#add_c_compiler_flag("-Wcast-qual" SUPPORTED_COMPILER_FLAGS)
+add_c_compiler_flag("-Wcast-qual" SUPPORTED_COMPILER_FLAGS)
 add_c_compiler_flag("-Werror=address" SUPPORTED_COMPILER_FLAGS)
 add_c_compiler_flag("-Wstrict-prototypes" SUPPORTED_COMPILER_FLAGS)
 add_c_compiler_flag("-Werror=strict-prototypes" SUPPORTED_COMPILER_FLAGS)
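Review bot: The re-enabled "-Wcast-qual" line is added as a plain warning, while the neighbouring "address" and "strict-prototypes" checks have explicit "-Werror=" forms, so whether a const-dropping cast breaks the build depends on a global -Werror set elsewhere. State which behaviour is intended. The commit message also shows the macOS CMSG_DATA macro casting to "unsigned char *" inside a system header, so it is worth confirming that the other supported platforms' headers compile clean under this flag, and leaving a short comment saying why the flag was previously disabled.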
diff --git a/src/socket_wrapper.c b/src/socket_wrapper.c
index 5804e93..ec8321f 100644
--- a/src/socket_wrapper.c
+++ b/src/socket_wrapper.c
@@ -5325,7 +5325,7 @@ union __swrap_cmsghdr {
struct cmsghdr *cmsg;
 };
 
-static int swrap_sendmsg_unix_scm_rights(const struct cmsghdr *cmsg,
+static int swrap_sendmsg_unix_scm_rights(struct cmsghdr *cmsg,
 uint8_t **cm_data,
 size_t *cm_data_space,
 int *scm_rights_pipe_fd)
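Review bot: Dropping const from the cmsg parameter of swrap_sendmsg_unix_scm_rights() silences the warning by loosening the function's contract rather than by addressing the cast. The compiler error quoted in the commit message points at "__fds_in.p = CMSG_DATA(cmsg);", where the macOS macro casts its argument to "unsigned char *". If this function only reads the control message, consider keeping the const parameter and isolating the cast in one helper; otherwise add a comment on the parameter explaining that const is omitted because CMSG_DATA() is not const-correct on every platform.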
@@ -5557,7 +5557,7 @@ static int swrap_sendmsg_unix_scm_rights(const struct 
cmsghdr *cmsg,
return 0;
 }
 
-static int swrap_sendmsg_unix_sol_socket(const struct cmsghdr *cmsg,
+static int swrap_sendmsg_unix_sol_socket(struct cmsghdr *cmsg,
 uint8_t **cm_data,
 size_t *cm_data_space,
 int *scm_rights_pipe_fd)
@@ -5581,7 +5581,7 @@ static int swrap_sendmsg_unix_sol_socket(const struct 
cmsghdr *cmsg,
return rc;
 }
 
-static int swrap_recvmsg_unix_scm_rights(const struct cmsghdr *cmsg,
+static int swrap_recvmsg_unix_scm_rights(struct cmsghdr *cmsg,
 uint8_t **cm_data,
 size_t *cm_data_space)
 {
@@ -5860,7 +5860,7 @@ static int swrap_recvmsg_unix_scm_rights(const struct 
cmsghdr *cmsg,
return 0;
 }
 
-static int swrap_recvmsg_unix_sol_socket(const struct cmsghdr *cmsg,
+static int swrap_recvmsg_unix_sol_socket(struct cmsghdr *cmsg,
 uint8_t **cm_data,
 size_t *cm_data_space)
 {
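Review bot: The commit message only shows the warning for the CMSG_DATA() use at socket_wrapper.c:5420, yet const is also removed from swrap_recvmsg_unix_sol_socket() here and from the other sol_socket and recvmsg helpers above. Say in the message why these signatures change as well (for example, if they only forward cmsg to the scm_rights helpers), so the wider loss of const is not read as accidental.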


-- 
Socket Wrapper Repository



[SCM] Samba Shared Repository - branch master updated

2022-09-08 Thread Andreas Schneider
The branch, master has been updated
   via  8132edf1197 s3:libads: let cldap_ping_list() use cldap_multi_netlogon()
   via  ab6b9465eda s3:libads: split out ads_fill_cldap_reply() out of ads_try_connect()
  from  c2e235efd40 s3:modules - fix read of uninitialized memory

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 8132edf119757ee91070facffef016c93de9c2a6
Author: Stefan Metzmacher 
Date:   Wed Aug 24 16:11:06 2022 +0200

s3:libads: let cldap_ping_list() use cldap_multi_netlogon()

We have a list of ip addresses, so we can request them
all together under a single timeout, instead of asking
each ip with its own timeout.

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andreas Schneider 

Autobuild-User(master): Andreas Schneider 
Autobuild-Date(master): Thu Sep  8 08:12:46 UTC 2022 on sn-devel-184

commit ab6b9465eda9f219bbed3bd65e89668e5e2c93c6
Author: Stefan Metzmacher 
Date:   Wed Aug 24 16:36:17 2022 +0200

s3:libads: split out ads_fill_cldap_reply() out of ads_try_connect()

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andreas Schneider 

---

Summary of changes:
 source3/libads/ldap.c | 246 +-
 1 file changed, 202 insertions(+), 44 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
index e7e34998f74..da5a924cde0 100755
--- a/source3/libads/ldap.c
+++ b/source3/libads/ldap.c
@@ -25,6 +25,7 @@
 #include "ads.h"
 #include "libads/sitename_cache.h"
 #include "libads/cldap.h"
+#include "../lib/tsocket/tsocket.h"
 #include "../lib/addns/dnsquery.h"
 #include "../libds/common/flags.h"
 #include "smbldap.h"
@@ -249,43 +250,23 @@ bool ads_closest_dc(ADS_STRUCT *ads)
return False;
 }
 
-
-/*
-  try a connection to a given ldap server, returning True and setting the 
servers IP
-  in the ads struct if successful
- */
-static bool ads_try_connect(ADS_STRUCT *ads, bool gc,
-   struct sockaddr_storage *ss)
+static bool ads_fill_cldap_reply(ADS_STRUCT *ads,
+bool gc,
+const struct sockaddr_storage *ss,
+const struct NETLOGON_SAM_LOGON_RESPONSE_EX 
*cldap_reply)
 {
-   struct NETLOGON_SAM_LOGON_RESPONSE_EX cldap_reply;
TALLOC_CTX *frame = talloc_stackframe();
bool ret = false;
char addr[INET6_ADDRSTRLEN];
ADS_STATUS status;
 
-   if (ss == NULL) {
-   TALLOC_FREE(frame);
-   return False;
-   }
-
print_sockaddr(addr, sizeof(addr), ss);
 
-   DEBUG(5,("ads_try_connect: sending CLDAP request to %s (realm: %s)\n",
-   addr, ads->server.realm));
-
-   ZERO_STRUCT( cldap_reply );
-
-   if ( !ads_cldap_netlogon_5(frame, ss, ads->server.realm, _reply ) 
) {
-   DEBUG(3,("ads_try_connect: CLDAP request %s failed.\n", addr));
-   ret = false;
-   goto out;
-   }
-
/* Check the CLDAP reply flags */
 
-   if ( !(cldap_reply.server_type & NBT_SERVER_LDAP) ) {
-   DEBUG(1,("ads_try_connect: %s's CLDAP reply says it is not an 
LDAP server!\n",
-   addr));
+   if (!(cldap_reply->server_type & NBT_SERVER_LDAP)) {
+   DBG_WARNING("%s's CLDAP reply says it is not an LDAP server!\n",
+   addr);
ret = false;
goto out;
}
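Review bot: The "if (ss == NULL)" guard removed from ads_try_connect() has no replacement in ads_fill_cldap_reply(), which passes ss straight to print_sockaddr() and dereferences cldap_reply->server_type. Either keep a NULL check for both pointers at the top of the new function (freeing frame before returning false, as the removed code did), or document on the function that callers guarantee non-NULL arguments.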
@@ -299,14 +280,14 @@ static bool ads_try_connect(ADS_STRUCT *ads, bool gc,
TALLOC_FREE(ads->config.client_site_name);
TALLOC_FREE(ads->server.workgroup);
 
-   if (!check_cldap_reply_required_flags(cldap_reply.server_type,
+   if (!check_cldap_reply_required_flags(cldap_reply->server_type,
  ads->config.flags)) {
ret = false;
goto out;
}
 
ads->config.ldap_server_name = talloc_strdup(ads,
-cldap_reply.pdc_dns_name);
+cldap_reply->pdc_dns_name);
if (ads->config.ldap_server_name == NULL) {
DBG_WARNING("Out of memory\n");
ret = false;
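Review bot: The "ads->config.ldap_server_name == NULL" check logs "Out of memory" for any NULL result, but talloc_strdup() also returns NULL when the source string is NULL, so a reply carrying no pdc_dns_name would be reported as an allocation failure. Now that cldap_reply is supplied by the caller, check cldap_reply->pdc_dns_name before the copy and log a missing field separately from a failed allocation.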
@@ -315,7 +296,7 @@ static bool ads_try_connect(ADS_STRUCT *ads, bool gc,
 
ads->config.realm = talloc_asprintf_strupper_m(ads,
   "%s",
-  cldap_reply.dns_domain);
+  cldap_reply->dns_domain);
if (ads->config.realm == NULL) {
DBG_WARNING("Out of memory\n");
ret = false;
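Review bot: cldap_reply->dns_domain is passed to the "%s" format of talloc_asprintf_strupper_m() with no NULL check in the visible lines, and the only failure handled afterwards is the "Out of memory" case. If a decoded reply can leave dns_domain unset, reject it before formatting so that the realm stored in ads->config.realm always comes from a real string in the reply.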
@@ -330,9 +311,9 @@ static bool