[SCM] Samba Shared Repository - branch master updated

2024-04-24 Thread Andrew Bartlett
The branch, master has been updated
   via  73e3ffb8418 python:tests: Store keys as bytes rather than as lists of ints
   via  6f12cf958f8 python:tests: Rewrite condition of while loop
   via  cb97e3f13df python:tests: Store keys as bytes rather than as tuples
   via  94e055b582e python:gkdi: Add helper methods returning previous and next GKIDs
   via  282e5784a03 s4:kdc: Add helper variable indicating whether we think we are performing a keytab export
   via  5a048ef0f81 s4:kdc: Pass ldb context into samba_kdc_message2entry_keys()
   via  1889e0aea38 python: Move get_admin_sid() to SamDB
   via  786eab65cef s4:auth: Export AES128 gMSA keys along with AES256 keys by default
   via  103ca0276fb tests/krb5: Check that updated NT hashes of gMSAs have the values we expect
   via  1171589e355 ldb: Remove unnecessary declaration
   via  46955bc7664 lib:crypto: Fix Coverity build
   via  82224fca78c ctdb: Report errors from getline()
   via  f9309c221b9 ctdb: Ensure ‘ret’ is always initialized
  from  1a02c6e59c1 WHATSNEW: document ldaps/tls related option changes

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 73e3ffb841842c748e0cda59ada0617dda035853
Author: Jo Sutton 
Date:   Wed Apr 24 13:34:27 2024 +1200

python:tests: Store keys as bytes rather than as lists of ints

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Wed Apr 24 06:20:58 UTC 2024 on atb-devel-224

commit 6f12cf958f8ed92c3373372760564d95adcdfb94
Author: Jo Sutton 
Date:   Wed Apr 24 13:37:40 2024 +1200

python:tests: Rewrite condition of while loop

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit cb97e3f13dfa8e8f7512639389aaccf93d53959a
Author: Jo Sutton 
Date:   Wed Apr 24 13:36:28 2024 +1200

python:tests: Store keys as bytes rather than as tuples

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit 94e055b582e3c4498b99d3997df3db614b3e94e8
Author: Jo Sutton 
Date:   Wed Apr 24 12:42:40 2024 +1200

python:gkdi: Add helper methods returning previous and next GKIDs

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit 282e5784a03add45dc662b27da6f2d29e1ab80cb
Author: Jo Sutton 
Date:   Mon Apr 15 14:45:51 2024 +1200

s4:kdc: Add helper variable indicating whether we think we are performing a keytab export

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit 5a048ef0f81d4f212019a9687a726eb0bfd67227
Author: Jo Sutton 
Date:   Mon Apr 15 14:39:45 2024 +1200

s4:kdc: Pass ldb context into samba_kdc_message2entry_keys()

This ldb context can be used to query the current gMSA time.

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit 1889e0aea389662a1e4111d7537f3c4e1c93d492
Author: Jo Sutton 
Date:   Mon Apr 15 13:23:15 2024 +1200

python: Move get_admin_sid() to SamDB

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit 786eab65cefac69dfd38646437720f33994f8f47
Author: Jo Sutton 
Date:   Tue Apr 23 13:13:20 2024 +1200

s4:auth: Export AES128 gMSA keys along with AES256 keys by default

This is what an existing test expects.

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit 103ca0276fbda03592bfb4a460ba946218abfb16
Author: Jo Sutton 
Date:   Mon Apr 22 10:53:30 2024 +1200

tests/krb5: Check that updated NT hashes of gMSAs have the values we expect

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit 1171589e355e55b5fa08ae7da0210ac9ca2c7107
Author: Jo Sutton 
Date:   Wed Apr 24 12:31:36 2024 +1200

ldb: Remove unnecessary declaration

This declaration is a hold‐over from the Python 2 module initialization
pattern.

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit 46955bc7664b8cf665c9bccf3b88d4afa26b9526
Author: Jo Sutton 
Date:   Mon Apr 22 11:10:00 2024 +1200

lib:crypto: Fix Coverity build

The Coverity build is failing with the following errors:

[1936/5164] Compiling lib/crypto/gkdi.c
In file included from /usr/lib64/gcc/x86_64-suse-linux/7/include/stdint.h:9:0,
 from /usr/include/inttypes.h:27,
 from ../../lib/crypto/../replace/replace.h:64,
 from ../../source4/include/includes.h:23,
 from ../../lib/crypto/gkdi.c:21:
../../lib/crypto/gkdi.c: In function ‘gkdi_get_key_start_time’:
../../lib/crypto/gkdi.c:197:4: error: initializer element is not constant
UINT64_MAX /
^
../../lib/crypto/gkdi.c:197:4: note: (near initialization for ‘max_gkid.l0_idx’)
../../lib/crypto/gkdi.c:200:4: error: initializer element is not constant
UINT64_MAX /
^
../../lib/crypto/gkdi.c:200:4

[SCM] Samba Shared Repository - branch master updated

2024-04-23 Thread Andrew Bartlett
s: we no longer need ifdef GNUTLS_NO_TICKETS
   via  60b11645b0d s4:lib/tls: split out tstream_tls_prepare_gnutls()
   via  ac4bca77039 s4:lib/tls: assert that event contexts are not mixed
   via  6688945fa03 s3:lib/tls: we need to call tstream_tls_retry_handshake/disconnect() until all buffers are flushed
   via  5844ef27aa4 s4:lib/tls: remove tstream_tls_push_trigger_write step
   via  68f6a461e17 s4:libcli/ldap: force GSS-SPNEGO in ldap_bind_sasl()
   via  8deba427e26 s4:libcli/ldap: fix no memory error code in ldap_bind_sasl()
   via  2435ab1ad70 ldb_ildap: require ldb_get_opaque(ldb, "loadparm") to be valid
   via  8007569e9f7 s4:libcli/ldap: ldap4_new_connection() requires a valid lp_ctx
   via  96e4a92f192 tests/segfault.py: make sure samdb.connect(url) has a valid lp_ctx
  from  1cba9de1444 Fix a few "might be uninitialized" errors

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 1a02c6e59c18fdd23114312b8afca057f72602d4
Author: Stefan Metzmacher 
Date:   Mon Mar 4 19:34:22 2024 +0100

WHATSNEW: document ldaps/tls related option changes

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Wed Apr 24 00:59:53 UTC 2024 on atb-devel-224

commit acaa24c65d9f0300e0c6cb04d406b075a8994cee
Author: Stefan Metzmacher 
Date:   Mon Mar 4 19:33:52 2024 +0100

smbdotconf: finally remove unused "client use spnego principal" option

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

commit 4ff1b321edbf35f72fc1837d77fb54f038a5b5e1
Author: Stefan Metzmacher 
Date:   Tue Mar 5 08:54:02 2024 +0100

s4:selftest: remove useless 'client use spnego principal' tests

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

commit 5d350c1ecd18d2d691aeb559b387c8e3c811cb81
Author: Stefan Metzmacher 
Date:   Mon Mar 4 19:31:33 2024 +0100

auth/gensec: remove useless client_use_spnego_principal usage

It's off by default and all sane servers use
not_defined_in_RFC4178@please_ignore anyway.

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

commit a34532cd9b12a576ff189caba8dcbd65520688e6
Author: Stefan Metzmacher 
Date:   Mon Mar 4 15:54:36 2024 +0100

s3:selftest/tests.py: run TLDAP tests with sasl-sign,sasl-seal,ldaps,starttls

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

commit d189952f0ef45be8dc6b2dcc14e606d50bf90bad
Author: Stefan Metzmacher 
Date:   Tue Feb 13 22:53:29 2024 +0100

s3:torture: add ldaps/starttls support to run_tldap()

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

commit 09647d1dc96690e7b52d4f37b6b4fc835a140817
Author: Stefan Metzmacher 
Date:   Mon Mar 4 15:27:24 2024 +0100

s3:torture: add '-T 'option=value' this is similar to '--option='=value'

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

commit e6be6fa94881a78c9e542d1187cf87f013b1d71d
Author: Stefan Metzmacher 
Date:   Mon Mar 4 15:08:17 2024 +0100

blackbox/test_net_ads_search_server: also test ldaps/starttls

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

commit 9827055be3caaa0e98957446dfbab0b6b62b3253
Author: Stefan Metzmacher 
Date:   Tue Feb 13 16:04:57 2024 +0100

s4:selftest: also test samba4.ldb.simple.ldap with starttls and SASL-BIND

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

commit 0122c0a6986e28355ca22545fa40442afc0c43e2
Author: Stefan Metzmacher 
Date:   Wed Jan 24 10:43:42 2024 +0100

s4:libcli/ldap: add support for ADS_AUTH_SASL_{STARTTLS,LDAPS}

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

commit 0f8a7c9ef6e34d973dfdf966041d3e68118563f8
Author: Stefan Metzmacher 
Date:   Fri Jan 26 09:18:33 2024 +0100

s3:idmap_ad: add support for ADS_AUTH_SASL_{STARTTLS,LDAPS}

Review with: git show --patience

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

commit 864ed28ce0e2d4b6712cf742f2dadd2aee445b9d
Author: Stefan Metzmacher 
Date:   Tue Jan 30 10:27:58 2024 +0100

s3:libads: add support for ADS_AUTH_SASL_{STARTTLS,LDAPS}

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

commit 844e1bdc6d43dc42550229bcc69dd4fe7631f042
Author: Stefan Metzmacher 
Date:   Fri Feb 9 15:40:00 2024 +0100

smbdotconf: add client ldap sasl wrapping = {starttls,ldaps}

In order to use SASL authentication within a TLS connection
we now provide "client ldap sasl wrapping = starttls" or
"client ldap sasl wrapping = ldaps".

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

commit 576ac69cbb3a2c57507c80b48eed2572b047e98e
Author: Stefan Metzmacher 
Date:   Tue Feb 

[SCM] Samba Shared Repository - branch master updated

2024-04-22 Thread Andrew Bartlett
The branch, master has been updated
   via  c49c48afe09 ldb:utf8: ldb_ascii_toupper() avoids real toupper()
   via  dca6b2d2552 ldb:attrib_handlers: use ldb_ascii_toupper() in first 
loop
   via  078ecf486a6 ldb:pytests: test for Turkic i-dots in 
ldb_comparison_fold
   via  a75c98ad688 ldb:attrib_handlers: make ldb_comparison_Boolean more 
consistent
   via  7280c8e53f4 ldb-samba:ldif_handlers: dn_link_comparison: sort 
invalid DNs
   via  341b8fb60e2 ldb-samba:ldif_handlers: dn_link_comparison leaks less
   via  70356592563 ldb-samba:ldif_handlers: dn_link_comparison correctly 
sorts deleted objects
   via  11d5a809325 ldb-samba:ldif_handlers: dn_link_comparison semi-sorts 
invalid DNs
   via  db963b1674e ldb-samba:ldif_handlers: dn_link_comparison semi-sorts 
deleted objects
   via  2d3b917d0a0 ldb-samba:ldif_handlers: extended_dn_read_Sid(): free 
on failure
   via  42f2d96f82a ldb-samba:ldif_handlers: ldif_read_objectSid(): free a 
thing on failure
   via  6722e80d1b3 ldb-samba: ldif-handlers: make 
ldif_comparison_objectSid() accurate
   via  4af670384a1 s4:dsdb: fix spelling in comment
   via  a9eaf8a3abe ldb: comment for ldb_dn_compare_base
   via  6229feab74a s4:rpcsrv:samr: improve a comment in compare_msgRid
   via  7be535315a5 s4:rpcsrv:dnsserver: make dns_name_compare transitive 
with NULLs
   via  31c322874b8 s3:libsmb:nmblib: use NUMERIC_CMP in status_compare
   via  7ba6fcb9365 lib/socket: rearrange iface_comp() to use NUMERIC_CMP
   via  acaa1323d03 gensec: sort_gensec uses NUMERIC_CMP
   via  75682e397b9 s3:rpc:wkssvc_nt: dom_user_cmp uses NUMERIC_CMP
   via  8317a617364 dsdb:schema: use NUMERIC_CMP in place of uint32_cmp
   via  386216d4a15 s3:mod:vfs_vxfs: use NUMERIC_CMP in vxfs_ace_cmp
   via  8b2605a5d9c s3:mod:posixacl_xattr: use NUMERIC_CMP in 
posixacl_xattr_entry_compare
   via  9b73235d495 s3:brlock: use NUMERIC_CMP in #ifdef-zeroed lock_compare
   via  5fe488d515a ldb:dn: make ldb_dn_compare() self-consistent
   via  531f31df993 ldb:sort: generalise both-NULL check to equality check
   via  d4e69734c65 ldb:sort: check that elements have values
   via  d785c1991c9 ldb:mod:sort: rearrange NULL checks
  from  20ce68f1594 tests/krb5: Test retrieving a denied gMSA password over 
an unsealed connection

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit c49c48afe09a1a78989628bbffd49dd3efc154dd
Author: Douglas Bagnall 
Date:   Sat Apr 20 09:57:15 2024 +1200

ldb:utf8: ldb_ascii_toupper() avoids real toupper()

If a non-lowercase ASCII character has an uppercase counterpart in
some locale, toupper() will convert it to an int codepoint. Probably
that codepoint is too big to fit in our char return type, so we would
truncate it to 8 bit. So it becomes an arbitrary mapping.

It would also behave strangely with a byte with the top bit set, say
0xE2. If char is unsigned on this system, that is 'â', which
uppercases to 'Â', with the codepoint 0xC2. That seems fine in
isolation, but remember this is ldb_utf8.c, and that byte was not a
codepoint but a piece of a long utf-8 encoding. In the more likely
case where char is signed, toupper() is being passed a negative
number, the result of which is undefined.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Tue Apr 23 02:37:25 UTC 2024 on atb-devel-224

commit dca6b2d25529288eaf7b31baf37ca4f6de4f4b9d
Author: Douglas Bagnall 
Date:   Thu Apr 11 13:46:28 2024 +1200

ldb:attrib_handlers: use ldb_ascii_toupper() in first loop

In a dotless-I locale, we might meet an 'i' before we meet a byte with
the high bit set, in which case we still want the ldb casefold
comparison.

Many ldb operations will do some case-folding before getting here, so
hitting this might be quite rare even in those locales.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15637

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 078ecf486a62dc3aaa2842ada96456ac9870dad7
Author: Douglas Bagnall 
Date:   Wed Apr 17 11:42:30 2024 +1200

ldb:pytests: test for Turkic i-dots in ldb_comparison_fold

In tr_TR and some other locales the letter 'i' uppercases to
'İ', which is not ideal for LDB as we need certain strings like 'guid'
to casefold in the ASCII way.

In fixing https://bugzilla.samba.org/show_bug.cgi?id=15248 we solved
this problem in many cases, but for unindexed searches where the 'i'
is not the last character in the string. This test shows that.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15637

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit

[SCM] Samba Shared Repository - branch master updated

2024-04-15 Thread Andrew Bartlett
The branch, master has been updated
   via  532789b4f3f s4:dsdb: Implement msDS-ManagedPassword attribute
   via  ddcf20b518c s4:dsdb: Add extra attrs to search request even if 
replacement attribute is NULL
   via  be0029cff4a python:tests: Catch failures to authenticate with gMSA 
managed passwords
   via  a52239af9df selftest: Expand out knownfails for gMSA getpassword 
tests
   via  6f9281b028c s4:dsdb: Set up passwords and password IDs of new gMSAs
   via  85fbdcd048f s4:dsdb: Add functions for Group Managed Service 
Accounts implementation
   via  85d34934e13 s4:dsdb: Factor out a function to remove all password 
related attributes
   via  7b7fdfbce3c lib:crypto: Reformat source code
   via  bb5ca9f466f tests/krb5: Add tests for gMSAs
   via  42710f0455c python:nt_time: Add NT_TIME_MAX constant
   via  c6ed19ad1a7 python:gkdi: Reformat code with ‘ruff’
   via  5aaebb537e3 python:gkdi: Add Gkdi.from_key_envelope() method
   via  0c0a25d0b2d python:gkdi: Add notes on GKDI time periods
   via  13815813341 tests/gkdi: Change ‘current_gkid’ parameter to 
‘current_time’
   via  b64a02d5b5a tests/gkdi: Remove implicit clock skew offset
   via  13dcf7f74c2 tests/gkdi: Allow current time to be overridden
   via  6d20d436dee tests/krb5: Make use of ‘expect_edata’ parameter
   via  1f4e1c026d9 tests/krb5: Remove unused variable
   via  586c4ec718c tests/krb5: Fix code spelling
   via  5656fd2ff2b tests/krb5: Remove unused import
   via  4b6f65a4a25 python:tests: Fix typo
   via  5379956bd44 python:tests: Reformat code
   via  ae39a15b518 python:tests: Fix set declaration
   via  ea83bb84b98 python:tests: Replace deprecated method 
assertRaisesRegexp()
   via  ff8e98daf1c s4:ldap_server: Consider ldapi connections to be 
encrypted
   via  c63cabf1e09 s4:ldap_server: Store whether an LDAP connection is 
over ldapi
   via  c2378d0c6f3 s4:ldap_server: Add copy of non‐privileged ops 
specifically for ldapi connections
   via  ec6579829f9 s4:ldap_server: Rename privileged ops to indicate they 
are used for ldapi
   via  7df4bdd0fe7 s4:ldap_server: Fix code spelling
   via  1a6dbcfb105 s4:ldap_server: Remove trailing whitespace
   via  c9370d3ced2 selftest: Move some KDS root key tests around to 
prepare for gMSA server side
   via  bd60c605ca1 selftest: Remove duplicate setup of "spn/upn 
namespaces" in the customdc testenv
   via  aa6795b32ff s3:auth: Add support standalone server with MIT Keberos 
1.21
   via  b58395e5c37 s3:auth: Split auth3_generate_session_info_pac() into 
functions
   via  20c546f928d s3:auth: Re-format auth3_generate_session_info_pac()
   via  cdb31d7e45b s3:auth: Remove trailing spaces
  from  75a4fbbf6a3 smbdotconf: Enable "winbind debug traceid" by default

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 532789b4f3f0efe5350089391a97f24296f3be90
Author: Jo Sutton 
Date:   Tue Feb 13 15:45:21 2024 +1300

s4:dsdb: Implement msDS-ManagedPassword attribute

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Tue Apr 16 05:02:30 UTC 2024 on atb-devel-224

commit ddcf20b518c676140d83052bf0b79628a9299012
Author: Jo Sutton 
Date:   Tue Apr 9 16:15:48 2024 +1200

s4:dsdb: Add extra attrs to search request even if replacement attribute is NULL

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit be0029cff4af5c7ef0fb54bdf18fbcb7165572eb
Author: Jo Sutton 
Date:   Tue Apr 9 14:09:17 2024 +1200

python:tests: Catch failures to authenticate with gMSA managed passwords

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit a52239af9dff958fb26c7bf5242a3f9e9b4fc3a2
Author: Jo Sutton 
Date:   Tue Apr 9 13:55:58 2024 +1200

selftest: Expand out knownfails for gMSA getpassword tests

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit 6f9281b028ca6a8f392a1c0fff02ba9af5c0072f
Author: Jo Sutton 
Date:   Fri Apr 5 13:23:18 2024 +1300

s4:dsdb: Set up passwords and password IDs of new gMSAs

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit 85fbdcd048fefc5c7edca709855e7510f3085a9a
Author: Jo Sutton 
Date:   Tue Feb 13 16:09:57 2024 +1300

s4:dsdb: Add functions for Group Managed Service Accounts implementation

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit 85d34934e1348e4b09591499f6080b2867b9c99d
Author: Jo Sutton 
Date:   Tue Apr 9 12:15:00 2024 +1200

s4:dsdb: Factor out a function to remove all password related attributes

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit 7b7fdfbce3c2b6f86399fb585e334a78fe696423
Author: Jo Sutton 
Date:   Tue Apr 2 10:33:27 2024 +1300

lib:crypto: 

[SCM] Samba Shared Repository - branch master updated

2024-04-10 Thread Andrew Bartlett
The branch, master has been updated
   via  81598b42455 s3:libsmb_xattr: ace_compare() uses NUMERIC_CMP()
   via  e35d54fd4d3 s3:util:sharesec ace_compare() uses NUMERIC_CMP()
   via  31101a9fa15 s3:smbcacls: use NUMERIC_CMP in ace_compare
   via  5e99262aaf5 s3:util:net_registry: registry_value_cmp() uses 
NUMERIC_CMP()
   via  a197be2003d s4:wins: use NUMERIC_CMP in 
nbtd_wins_randomize1Clist_sort()
   via  d8b97649ef4 s4:wins: winsdb_addr_sort_list() uses NUMERIC_CMP()
   via  66d47537e42 s4:wins: use NUMERIC_CMP in winsdb_addr_sort_list()
   via  42ead213484 s4:dns_server: use NUMERIC_CMP in rec_cmp()
   via  ed3ab87bdb0 s4:rpc_server: compare_SamEntry() uses NUMERIC_CMP()
   via  dd4a0c27681 s3:lib:util_tdb: use NUMERIC_CMP() in tdb_data_cmp()
   via  4641a971517 libcli/security: use NUMERIC_CMP in 
dom_sid_compare_auth()
   via  cb94202c1cf libcli/security: use NUMERIC_CMP in dom_sid_compare()
   via  21a071e4864 ldb: reduce non-transitive comparisons in 
ldb_msg_element_compare()
   via  5c36bc82415 ldb: avoid non-transitive comparison in ldb_val_cmp()
   via  e1519c36678 util:datablob: avoid non-transitive comparison in 
data_blob_cmp()
   via  838c6847029 ldb:attrib_handlers: ldb_comparison_binary uses 
NUMERIC_CMP()
   via  f78b964cd81 ldb:attrib_handlers: ldb_comparison_Boolean uses 
NUMERIC_CMP()
   via  997b72d79e6 util: charset:util_str: use NUMERIC_CMP in 
strncasecmp_m_handle
   via  6159b098cf3 lib/torture: add assert_int_{less,greater} macros
   via  3414a894ad6 s3:libsmb:namequery: use NUMERIC_CMP in addr_compare
   via  4a9d274d43b s3:libsmb:namequery: note intransitivity in 
addr_compare()
   via  f07ae699070 util:charset:codepoints: codepoint_cmpi warning about 
non-transitivity
   via  675fdeee3d6 util:charset:codepoints: condepoint_cmpi uses 
NUMERIC_CMP()
   via  d4ce8231f98 util:test: test_ms_fn_match_protocol_no_wildcard: allow 
-1
   via  f788a36 util:charset:util_str: use NUMERIC_CMP in 
strcasecmp_m_handle
   via  a512759d7b2 torture:charset: test more of strcasecmp_m
   via  dda0bb6fc71 torture:charset: use < and > assertions for 
strncasecmp_m
   via  ac0a8cd92ca torture:charset: use < and > assertions for strcasecmp_m
   via  09c98ff1263 util:binsearch: user NUMERIC_CMP()
   via  ee4ebcccd7d s4: use numeric_cmp in dns_common_sort_zones()
   via  623adcf4aae s4:dsdb:mod:operational: use NUMERIC_CMP in pso_compare
   via  a6d76d6ee9f s4:ntvfs: use NUMERIC_CMP in stream_name_cmp
   via  75e51bd99b7 ldb:ldb_dn: use safe NUMERIC_CMP in ldb_dn_compare()
   via  5150b318f48 ldb:ldb_dn: use safe NUMERIC_CMP in 
ldb_dn_compare_base()
   via  de1b94f79ea ldb: add NUMERIC_CMP macro to ldb.h
   via  5ab93f48c57 util:tsort.h: add a macro for safely comparing numbers
   via  8b6a584170e lib/fuzzing/decode_ndr_X_crash: guess the pipe from 
filename
   via  73e4f6026ad ldb: avoid out of bounds read and write in ldb_qsort()
  from  60df2a09a43 selftest: move some more expected failures to 
expectedfail.d

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 81598b42455d6758941da532c668b6d4e969cc40
Author: Douglas Bagnall 
Date:   Thu Apr 4 14:33:47 2024 +1300

s3:libsmb_xattr: ace_compare() uses NUMERIC_CMP()

the access_mask is the easiest to overflow with subtraction -- other
fields are 8 or 16 bit.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Wed Apr 10 23:58:12 UTC 2024 on atb-devel-224

commit e35d54fd4d381df67ab9b4f8390e2109b2142678
Author: Douglas Bagnall 
Date:   Thu Apr 4 14:08:02 2024 +1300

s3:util:sharesec ace_compare() uses NUMERIC_CMP()

ace->access_mask is uint32_t, so can overflow a signed int.
This would be easy to trigger, as it is a flags field rather than an
allocation count.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 31101a9fa1503be9d8137e42466f57d85136a156
Author: Douglas Bagnall 
Date:   Wed Apr 3 12:56:48 2024 +1300

s3:smbcacls: use NUMERIC_CMP in ace_compare

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 5e99262aaf5fc6601f3859c8b060b680b11bf6ea
Author: Douglas Bagnall 
Date:   Thu Apr 4 14:25:54 2024 +1300

s3:util:net_registry: registry_value_cmp() uses NUMERIC_CMP()

v->type is an int-sized enum, so overflow might be possible if it could
be arbitrarily set.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew

[SCM] Samba Shared Repository - branch master updated

2024-04-10 Thread Andrew Bartlett
The branch, master has been updated
   via  60df2a09a43 selftest: move some more expected failures to 
expectedfail.d
   via  bda4e1233a1 ldb: Add more segfault tests DN handling
   via  8ac18495ba2 pyldb: don't allow py_ldb_dn_copy() with the wrong pyldb
   via  d38a9e93cf3 python:upgrade/upgradeprovision: use dn.copy to align 
ldbs
   via  345eb854c3b pyldb: add dn.copy() python method.
   via  fa9a32139ff s4:samba_upgradeprovision: align DN ownership
   via  ed6d151c1b7 pyldb: add Message.ldb accessor
   via  8b6df2d0bca pyldb: add Dn.ldb accessor
   via  a95e6aa5667 pyldb: add PyErr_internal_LDB_DN_OR_RAISE
   via  d712c8d2edd pyldb: normalise name of pyldb_Message_Check
   via  72ad126ab74 ldb:pyldb: reorder structs for possible type-punning
   via  c39021a494f pyldb: py_ldb_msg_set_dn checks dn ldb equality
   via  61ba0cc17df pyldb: py_ldb_msg_elements uses 
PyErr_LDB_MESSAGE_OR_RAISE
   via  9cadc61cd4c pyldb: py_ldb_msg_items checks for more errors
   via  6a2e6139ad0 pldb: py_ldb_msg_items uses PyErr_LDB_MESSAGE_OR_RAISE
   via  b5fcc55b5ec pyldb: py_ldb_msg_contains() checks ldb equality
   via  acba42b126c pyldb: py_ldb_msg_keys() uses PyErr_LDB_MESSAGE_OR_RAISE
   via  d05ae6872b1 pyldb: py_ldb_msg_richcmp() uses 
PyErr_LDB_MESSAGE_OR_RAISE()
   via  bc45a258d2a pyldb: use PyErr_LDB_MESSAGE_OR_RAISE() in various 
functions
   via  f0e665f4a9a pyldb: add PyErr_LDB_MESSAGE_OR_RAISE() macro
   via  b81b2578ad1 pyldb: catch up with README.Coding for some 
`PyArg_ParseTuple`s
   via  13545ed1390 pyldb: py_ldb_dn_concat() uses PyErr_LDB_DN_OR_RAISE
   via  1bbca1e3b42 pyldb: py_ldb_dn_len checks dn and ldb validity
   via  f8b92e52811 pyldb: make py_ldb_dn_add_base() a bit less leaky
   via  b83ea997e75 pyldb: py_ldb_dn_add_base() uses PyErr_LDB_DN_OR_RAISE
   via  67a9e573b00 pyldb: make py_ldb_dn_add_child() a bit less leaky
   via  310624ead50 pyldb: py_ldb_dn_add_child() uses PyErr_LDB_DN_OR_RAISE
   via  1eeb0e36516 pyldb: py_ldb_dn_get_parent() uses PyErr_LDB_DN_OR_RAISE
   via  8830149ef96 pyldb: py_ldb_dn_richcmp() uses PyErr_LDB_DN_OR_RAISE
   via  982a87cedfc pyldb: py_ldb_dn_get_extended_component() uses 
PyErr_LDB_DN_OR_RAISE
   via  5154c8c996f pyldb: py_ldb_dn_extended_str() uses 
PyErr_LDB_DN_OR_RAISE()
   via  0ce3f355022 pyldb: py_ldb_dn_get_casefold() uses 
PyErr_LDB_DN_OR_RAISE()
   via  85ba5d2c8f2 pyldb: py_ldb_dn_get_extended_component uses 
PyErr_LDB_DN_OR_RAISE()
   via  087d43ac615 pyldb: adapt some simple dn methods to use 
LDB_DN_OR_RAISE()
   via  f98035a2a31 ldb:pyldb: PyErr_LDB_DN_OR_RAISE makes more rigourous 
checks
   via  8bb6287c3ba pytest:segfault: some more ldb crashes
   via  0bf80c10ca5 samba-tool domain backup: Use new ldb.disconnect() 
method to force-close files during backup
   via  8612b3e38b3 ldb:pytests: test ldb.connect() works after 
.disconnect()
   via  fdc3212275b pyldb: Add ldb.disconnect() method to ensure DB handles 
are closed
   via  784ee21616a pyldb: Include a reference to the Ldb in objects that 
use
   via  ffbe623963a selftest: Add tests that demonstrate the issues with 
ldb use after free
   via  3ffc6c139b0 pytest:krb5/lockout: associate user DN with the ldb it 
is used with
  from  dbba6c22a41 auth/credentials: Read 
managed_password.passwords.query_interval only after parsing

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 60df2a09a4394d2b494224ad3d33314079e73066
Author: Douglas Bagnall 
Date:   Fri Mar 22 16:20:18 2024 +1300

selftest: move some more expected failures to expectedfail.d

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Wed Apr 10 06:15:46 UTC 2024 on atb-devel-224

commit bda4e1233a145f11aa92b89a5658d94cd9252267
Author: Andrew Bartlett 
Date:   Mon Mar 25 22:21:19 2024 +1300

ldb: Add more segfault tests DN handling

- from_dict DN use-after-free
- check for the same directly creating the ldb.Message

Signed-off-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

commit 8ac18495ba238985a82dbe5a3c95c78c3c51f4b6
Author: Douglas Bagnall 
Date:   Mon Mar 18 12:24:53 2024 +1300

pyldb: don't allow py_ldb_dn_copy() with the wrong pyldb

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit d38a9e93cf3444d7fe3939728673a637a03eb819
Author: Douglas Bagnall 
Date:   Sun Mar 17 18:07:44 2024 +1300

python:upgrade/upgradeprovision: use dn.copy to align ldbs

We need to do this when the dn is on a message from another ldb.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 345eb854c3b03a3c8e0e19fba0edb9eafd055ab9
Author: Douglas Bagnall 
Date:   Sun Mar 17 17:56:09

[SCM] Samba Shared Repository - branch master updated

2024-04-09 Thread Andrew Bartlett
The branch, master has been updated
   via  dbba6c22a41 auth/credentials: Read 
managed_password.passwords.query_interval only after parsing
   via  811c184bbb3 smbd: Simplify an if-condition
   via  51c950c1629 smbd: Save 3 lines
   via  f573a513415 smbd: Remove an obsolete comment
   via  798826d4f1a smbXsrv_session: Remove a "can't happen" NULL check
   via  89981987379 smbXsrv_session: Use talloc_tos() for pushing 
smbXsrv_session_globalB
   via  292c2645468 smbXsrv_session: Remove two implicit NULL 
initializations
   via  c5f98c0d95c smbXsrv_session: Use struct initialization
   via  005ce15aab3 python/samba/tests: Fix gMSA blackbox test to expect 
failure to get password after membership change
   via  50f424e8d35 s3:rpc_server: Implement _lsa_CreateTrustedDomainEx3()
   via  8df1728e124 s3:rpc_server: Implement 
lsa_CreateTrustedDomain_common()
   via  3385c2fe44a s3:rpc_server: Implement and use 
lsa_CreateTrustedDomain_precheck()
   via  8f52b649799 s3:rpc_server: Log error in 
_lsa_CreateTrustedDomainEx2()
   via  56e1051ad7e s3:rpc_client: Implement createtrustdomex3 command
   via  bb4d8de9a80 s3:rpc_client: Implement createtrustdomex2 command
   via  d078ee6af61 s3:rpc_client: Implement 
rpc_lsa_encrypt_trustdom_info_aes()
   via  97499a47550 s4:torture: Add test for lsa_CreateTrustedDomainEx3
   via  f390981c1a7 s4:rpc_server: Enable AES in dcesrv_lsa_OpenPolicy3()
   via  933ba496073 s4:rpc_server: Implement 
dcesrv_lsa_CreateTrustedDomainEx3()
   via  87595140c34 s4:rpc_server: Implement get_trustdom_auth_blob_aes() 
for LSA
   via  0177cd898ef s4:rpc_server: Use 
dcesrv_lsa_CreateTrustedDomain_common() in lsa_CreateTrustedDomain
   via  b957cb34d44 s4:rpc_server: Use 
dcesrv_lsa_CreateTrustedDomain_common() for lsa_CreateTrustedDomainEx
   via  1790828bc5f s4:rpc_server: Use 
dcesrv_lsa_CreateTrustedDomain_common() for lsa_CreateTrustedDomainEx2
   via  6d90397ff28 s4:rpc_server: Implement 
dcesrv_lsa_CreateTrustedDomain_common()
   via  dad8c78edc7 s4:rpc_server: Implement 
dcesrv_lsa_CreateTrustedDomain_precheck()
   via  18af510bd50 s4:rpc_server: Use talloc_zero in 
dcesrv_lsa_CreateTrustedDomain()
   via  8b1c0bd718b s4:rpc_server: Fix trailing white spaces in dcesrv_lsa.c
   via  354f61d868d s4:torture: Use dcerpc_lsa_OpenPolicy3_r()
   via  8e35e5f5675 s4:torture: Use rpc_lsa_encrypt_trustdom_info()
   via  05e9cb36b77 s3:rpc_client: Implement rpc_lsa_encrypt_trustdom_info()
   via  dbe9e9a8393 s4:torture: Use init_lsa_String() from init_lsa.h
   via  84d51503630 librpc:rpc: Add dcerpc_lsa.h
   via  2d60d1b96aa python: Use OpenPolicyFallback() in trust.py
   via  859e7f8c5f1 python: Implement CreateTrustedDomainFallback()
   via  812d4e0d6cc python: Add aead_aes_256_cbc_hmac_sha512()
   via  23e61d2cebc python: Use secrets.token_bytes instead of random
   via  decacb0e7e1 python: Set parameter types for 
CreateTrustedDomainRelax()
   via  9e5fc815644 python:tests: Clean lsa_utils.py code according to 
Python standards
   via  e32be2ade4f python:tests: Rename createtrustrelax.py to lsa_utils.py
   via  00ed209e483 python: Implement OpenPolicyFallback()
   via  85d0ab38f7c python:samba: Rename trust_utils.py to lsa_utils.py
   via  01940ae7afa buildtools: Fix PYTHONPATH and print it
  from  be2ade2d88b netcmd: fix broken shell command missing Model

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit dbba6c22a41ab12bd9804f10a878c965100ac7c0
Author: Andrew Bartlett 
Date:   Tue Apr 9 16:11:16 2024 +1200

auth/credentials: Read managed_password.passwords.query_interval only after parsing

The code previously read the uninitialised stack not the parsed
structure, and so could segfault if the stack was not zero.

Signed-off-by: Andrew Bartlett 
Reviewed-by: Jo Sutton 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Tue Apr  9 23:59:54 UTC 2024 on atb-devel-224

commit 811c184bbb30f8364a6c2f1835732d0c25e1b9c7
Author: Volker Lendecke 
Date:   Fri Feb 9 12:37:53 2024 +0100

smbd: Simplify an if-condition

current_sid == NULL is true if and only if we could not assign current_sid
because num_sids was too small. Make that more explicit.

Signed-off-by: Volker Lendecke 
Reviewed-by: Andrew Bartlett 

commit 51c950c16297ce45aeec85dff53af04f7f3b620f
Author: Volker Lendecke 
Date:   Fri Feb 9 12:47:48 2024 +0100

smbd: Save 3 lines

Just cosmetic

Signed-off-by: Volker Lendecke 
Reviewed-by: Andrew Bartlett 

commit f573a5134151e029329f19f292e6d6a324e291b8
Author: Volker Lendecke 
Date:   Thu Feb 8 18:16:39 2024 +0100

smbd: Remove an obsolete comment

This looks like a cut from other smbXsrv files.


[SCM] Samba Shared Repository - branch master updated

2024-04-07 Thread Andrew Bartlett
The branch, master has been updated
   via  be2ade2d88b netcmd: fix broken shell command missing Model
   via  bcae4c2dbea python: lint: fix pylint R1720 unnecessary "raise" after "else"
   via  3dd49b9f567 python: lint: remove unused imports in claims and gmsa commands
   via  8f7ff1c7ef4 python: tests: type check should always use "is" or "is not"
   via  e388bf4b4a2 python: tests: fix closing quote in docstring example
   via  a18c53a9b98 libcli/http: Detect unsupported Transfer-encoding type
   via  93709d31590 selftest: Add new test for testing non-chunk transfer encoding
   via  efdbf0511e0 selftest: fix potential reference before assigned error
   via  8e931fce126 Do not fail checksums for RFC8009 types
   via  2ecb69d9b7f python:tests: Improve keytab comparison of dckeytab
  from  814ae222ca1 s3:winbindd: use better debug messages than 'talloc_strdup failed'

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit be2ade2d88bb89763fce2a34f8f68941424ad9ee
Author: Rob van der Linde 
Date:   Thu Mar 28 16:06:05 2024 +1300

netcmd: fix broken shell command missing Model

This is already in MODELS which is populated in ModelMeta

Signed-off-by: Rob van der Linde 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett
Autobuild-Date(master): Mon Apr  8 04:07:22 UTC 2024 on atb-devel-224

commit bcae4c2dbea7067932e931456998b1ada20d615c
Author: Rob van der Linde 
Date:   Thu Mar 28 16:15:06 2024 +1300

python: lint: fix pylint R1720 unnecessary "raise" after "else"

Signed-off-by: Rob van der Linde 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 3dd49b9f567fdf14e7a616351805d1aac9a3083a
Author: Rob van der Linde 
Date:   Thu Mar 28 16:09:44 2024 +1300

python: lint: remove unused imports in claims and gmsa commands

Signed-off-by: Rob van der Linde 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 8f7ff1c7ef4a570193faa2e3181a757bc98c3e08
Author: Rob van der Linde 
Date:   Thu Mar 28 15:59:33 2024 +1300

python: tests: type check should always use "is" or "is not"

Signed-off-by: Rob van der Linde 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit e388bf4b4a2012bd1fdde7e63b957b32c1a69c75
Author: Rob van der Linde 
Date:   Thu Mar 28 15:58:34 2024 +1300

python: tests: fix closing quote in docstring example

Signed-off-by: Rob van der Linde 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit a18c53a9b98e2e8dea08cf0ef08efc59e58ec137
Author: Noel Power 
Date:   Thu Mar 28 10:48:58 2024 +

libcli/http: Detect unsupported Transfer-encoding type

Also removes knownfail for test that now passes

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611
Signed-off-by: Noel Power 
Reviewed-by: Andrew Bartlett 

commit 93709d31590d4ca25fbac813b9e499755b81ddb5
Author: Noel Power 
Date:   Thu Mar 28 09:16:33 2024 +

selftest: Add new test for testing non-chunk transfer encoding

And add a known fail because there is a bug :-(

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611
Signed-off-by: Noel Power 
Reviewed-by: Andrew Bartlett 

commit efdbf0511e0a89f865210170001fbebf17a45278
Author: Noel Power 
Date:   Thu Mar 28 09:09:02 2024 +

selftest: fix potential reference before assigned error

This would only happen if the test failed (but the message would be
incorrect as 'e' the exception to be stringified doesn't exist).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611
Signed-off-by: Noel Power 
Reviewed-by: Andrew Bartlett 

commit 8e931fce126e8c1128da893c806702731c08758a
Author: Alexander Bokovoy 
Date:   Thu Jun 22 09:56:12 2023 +0300

Do not fail checksums for RFC8009 types

While Active Directory does not yet support RFC 8009 encryption and
checksum types, it is possible to verify these checksums when running
with both MIT Kerberos and Heimdal Kerberos. This matters for FreeIPA
domain controller which uses them by default.

[2023/06/16 21:51:04.923873, 10, pid=51149, effective(0, 0), real(0, 0)]
../../lib/krb5_wrap/krb5_samba.c:1496(smb_krb5_kt_open_relative)
  smb_krb5_open_keytab: resolving: FILE:/etc/samba/samba.keytab
[2023/06/16 21:51:04.924196,  2, pid=51149, effective(0, 0), real(0, 0),
class=auth] ../../auth/kerberos/kerberos_pac.c:66(check_pac_checksum)
  check_pac_checksum: Checksum Type 20 is not supported
[2023/06/16 21:51:04.924228,  5, pid=51149, effective(0, 0), real(0, 0),
class=auth] ../../auth/kerberos/kerberos_pac.c:353(kerberos_decode_pac)
  PAC Decode: Failed to verify the service sig

[SCM] Samba Shared Repository - branch master updated

2024-03-27 Thread Andrew Bartlett
The branch, master has been updated
   via  06c589aaa1a python/samba/tests/krb5: Extend PKINIT tests to cover UF_SMARTCARD_REQUIRED
   via  f29693d1311 python/tests/krb5: Prepare to allow tests that use the PAC returned NT hash
   via  2fd5166a8c1 python/tests/krb5: Allow getting a TGT in pkinit tests
   via  b2fe1ea1c6a python/tests/krb5: Prepare for PKINIT tests with UF_SMARTCARD_REQUIRED
   via  7cc8f455191 tests/krb5: Fix PK-INIT test framework to allow expired password keys
   via  46263c5c202 python/samba/krb5: Allow client address (caddr) to be missing or empty
   via  3d1ec5dc676 auth/credentials: Remove use of pytalloc_get_type() of NDR types in pycredentials
   via  93f4be16471 netcmd: docs: update documentation for new auth policy command structure
   via  6e02c97193c netcmd: auth policy: remove old service-allowed-to-authenticate-from-silo and group
   via  dcb6a14fa23 netcmd: auth policy: add service-allowed-to-authenticate-from subcommands
   via  97c2ff19daa netcmd: auth policy: remove old user-allowed-to-authenticate-from-silo and group
   via  e88be1aed97 netcmd: auth policy: add user-allowed-to-authenticate-from subcommands
   via  2cbacad82d6 netcmd: auth policy: remove old service-allowed-to-authenticate-to-silo and group
   via  316a84a5975 netcmd: auth policy: add service-allowed-to-authenticate-to subcommands
   via  5db2a1581d3 netcmd: auth policy: remove old user-allowed-to-authenticate-to-silo and group
   via  4ba087f8187 netcmd: auth policy: add user-allowed-to-authenticate-to subcommands
   via  49c3bca8033 netcmd: auth policy: remove old computer-allowed-to-authenticate-to-silo and group
   via  86d3706bd26 netcmd: auth policy: add computer-allowed-to-authenticate-to subcommands
   via  96f00738cec netcmd: auth policy: extract policy base commands into policy.py
   via  c0e748f0117 netcmd: auth policy: turn policy.py into module
   via  13d53ee3e25 netcmd: auth silo: extract silo base commands into silo.py
   via  a2e9529ee63 netcmd: auth silo: move silo_member.py into silo module
   via  4d2c8ea9578 netcmd: auth silo: turn silo.py into module
   via  2af65446cfd netcmd: docs: add section headings for auth policies and silos
   via  7fbe5156096 netcmd: docs: consistently put  around GROUP and SILO
   via  4e1d12835ff netcmd: docs: --user-allowed-to-authenticate-from-device-group was missing
   via  26feb09fd10 netcmd: docs: --user-allowed-to-authenticate-from-device-silo missing "device"
   via  a7edd5b5367 netcmd: docs: add documentation for service-account group-msa-membership commands
   via  03a6740a90b netcmd: docs: add documentation for service-account base command
   via  cf60e3cad6b netcmd: gmsa: improve descriptions of --dns-host-name and match docs
   via  828420b4f09 python: domain: models: add OrganizationalUnit container model
   via  5ac4b6969be python: domain: models: move OrganizationalPerson to org.py
   via  3c0833ead51 python: domain: models: move MODELS to registry.py because it's not really a constant
   via  bfd1f8cd467 python: domain: models: MODELS lookup does need to include base Model for shell command
   via  0c5d09ae143 python: domain: models: add children method to return a models direct children
   via  cca0cfe421c python: tests: write a test for the Model.as_dict method
   via  917e2a73538 python: tests: computer model tests should clean up
   via  ed07dee8649 python: domain: models: as_dict() should also exclude empty list fields
   via  fc982e550f4 s4-dsdb: Create KdfParameters at runtime
   via  d316e5f0869 s4-dsdb: Indent DH parameters table in gkdi_create_root_key()
   via  3687bf22aa1 s4-dsdb: Populate new GKDI root keys from the server configuration object
   via  565314f4482 pyldb: Improve search for error string in PyErr_SetLdbError
   via  06912de3b2a dsdb: Add API tests for new_gkdi_root_key()
   via  f379ea8b812 pyldb: Consolidate PyErr_SetLdbError() using the pyldb version
   via  287cf82682c plydb: Keep talloc_reference() to the DN in PyDict_AsMessage
   via  37327afd0aa pyldb: Fix documentation comment on Message.from_dict() method
  from  f0a8d832683 s4/torture: Fix misplaced positional arguments for u64 comparison

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 06c589aaa1a30e5577d9de4532246949f30809e5
Author: Andrew Bartlett 
Date:   Wed Mar 20 14:56:47 2024 +1300

python/samba/tests/krb5: Extend PKINIT tests to cover UF_SMARTCARD_REQUIRED

This in particular tests the returned NTLM password buffers as well as
the password rotation on expired accounts described at

https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/whats-new-in-credential-

[SCM] Samba Shared Repository - branch master updated

2024-03-26 Thread Andrew Bartlett
The branch, master has been updated
   via  9550d37f2f9 winbind: Log NOT_IMPLEMENTED as debug
   via  03240c91fb6 libcli/http: Handle http chunked transfer encoding
   via  30acd609f56 tests: add test for chunked encoding with http cli library
   via  5f03d84e3b5 libcli/http: Optimise reading for content-length
   via  74cdebeae3d selftest: Add basic content-lenght http tests
   via  cd6c075476c Add simple http_client for use in black box tests (in following commits)
  from  6fb98f70c62 ndr: always attempt ACE coda pull if ACE type suggests a coda

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 9550d37f2f9170c183d5a5e8f666cbbf21c5f444
Author: David Mulder 
Date:   Mon Mar 11 07:36:58 2024 -0600

winbind: Log NOT_IMPLEMENTED as debug

This message happens frequently when running a
PDC/NT4 mode w/out winbind.

Signed-off-by: David Mulder 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Wed Mar 27 02:15:31 UTC 2024 on atb-devel-224

commit 03240c91fb6ffcf5afe47c14a1ba7a8bc12f2348
Author: Noel Power 
Date:   Mon Mar 25 19:44:10 2024 +

libcli/http: Handle http chunked transfer encoding

Also removes the knownfail for the chunked transfer test

Signed-off-by: Noel Power 
Reviewed-by: Andrew Bartlett 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611

commit 30acd609f560352d3edb0c931b9a864110025b2c
Author: Noel Power 
Date:   Thu Sep 23 12:18:22 2021 +0100

tests: add test for chunked encoding with http cli library

Adds http test client to exercise the http client library
and a blackbox test to run the client. This client is built
only with selftest

also adds a knownfail for the test

Signed-off-by: Noel Power 
Reviewed-by: Andrew Bartlett 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611

commit 5f03d84e3b52bf5a31a0f885cb83bdcb48ec96f7
Author: Noel Power 
Date:   Fri Mar 22 08:55:49 2024 +

libcli/http: Optimise reading for content-length

Instead of reading byte-by-byte we know the content length we
want to read so let's use it.

Signed-off-by: Noel Power 
Reviewed-by: Andrew Bartlett 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611

commit 74cdebeae3d1bc35eea96b51b9491f6c52844b10
Author: Noel Power 
Date:   Mon Mar 25 16:25:55 2024 +

selftest: Add basic content-lenght http tests

very simple test of basic http request/response plus some checks to
ensure http response doesn't exceed the response max length set by
the client call.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611
Signed-off-by: Noel Power 
Reviewed-by: Andrew Bartlett 

commit cd6c075476c820b4fe8bdc10a24d8fc8ac74e9c9
Author: Noel Power 
Date:   Mon Mar 25 19:21:54 2024 +

Add simple http_client for use in black box tests (in following commits)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611
Signed-off-by: Noel Power 
Reviewed-by: Andrew Bartlett 

---

Summary of changes:
 libcli/http/http.c  | 265 +-
 libcli/http/http_internal.h |   4 +
 python/samba/tests/blackbox/http_chunk.py   | 116 
 python/samba/tests/blackbox/http_content.py |  95 +++
 selftest/tests.py   |   2 +
 source3/auth/auth_winbind.c |   6 +-
 source4/client/http_test.c  | 401 
 source4/wscript_build   |   5 +
 8 files changed, 886 insertions(+), 8 deletions(-)
 create mode 100644 python/samba/tests/blackbox/http_chunk.py
 create mode 100644 python/samba/tests/blackbox/http_content.py
 create mode 100644 source4/client/http_test.c


Changeset truncated at 500 lines:

diff --git a/libcli/http/http.c b/libcli/http/http.c
index 96c573af137..3681500f194 100644
--- a/libcli/http/http.c
+++ b/libcli/http/http.c
@@ -45,6 +45,12 @@ static int http_response_needs_body(struct http_request *req)
char c;
unsigned long long v;
 
+   cmp = strcasecmp(h->key, "Transfer-Encoding");
+   if (cmp == 0) {
+   cmp = strcasecmp(h->value, "chunked");
+   return 2;
+   }
+
cmp = strcasecmp(h->key, "Content-Length");
if (cmp != 0) {
continue;
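Review bot: In the new Transfer-Encoding branch the result of strcasecmp(h->value, "chunked") is assigned to cmp and never tested, so the function returns 2 for every Transfer-Encoding value, not only for chunked. Either test cmp before returning 2 and decide explicitly what happens for any other value (reject it, or fall through to the Content-Length handling), or drop the dead assignment. A short comment saying what the return value 2 means to callers of http_response_needs_body() would also help, since nothing in the visible code names it.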
@@ -66,6 +72,11 @@ static int http_response_needs_body(struct http_request *req)
 
return 0;
 }
+struct http_chunk
+{
+   struct http_chunk *prev, *next;
+   DATA_BLOB blob;
+};
 
 struct http_read_response_state {
enum http_parser_state  parser_state;
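Review bot: struct http_chunk is added directly after the closing brace of http_response_needs_body() with no blank line in between, and its opening brace sits on a line of its own while struct http_read_response_state just below uses "struct ... {" on one line. Please add the blank line, move the brace up to match the neighbouring declaration, and add a one-line comment saying what blob holds and which list the prev/next pointers link into.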
@@ -73,6 +84,7 @@ struct http

[SCM] Samba Shared Repository - branch master updated

2024-03-25 Thread Andrew Bartlett
The branch, master has been updated
   via  6fb98f70c62 ndr: always attempt ACE coda pull if ACE type suggests a coda
  from  7edf5467fc7 lib: Remove timeval_set()

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 6fb98f70c6274e172787c8d5f73aa93920171e7c
Author: Douglas Bagnall 
Date:   Sat Mar 23 08:27:41 2024 +1300

ndr: always attempt ACE coda pull if ACE type suggests a coda

We were skipping the pull in cases where the coda size was calculated
to be zero. This has the right result for empty conditional ACEs, but
not for Resource Attribute ACEs where the
CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 coda was not initialised.

The situation is made a bit worse, because the function that
calculates the coda size (ndr_subcontext_size_of_ace_coda()) can
return zero in conditions that are not exactly errors, but in which
the would-be calculated value makes so little sense that zero is
thought to be a safer default.

Credit to OSS-Fuzz.

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=66577
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15613

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Mon Mar 25 06:00:21 UTC 2024 on atb-devel-224

---

Summary of changes:
 librpc/ndr/ndr_sec_helper.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)


Changeset truncated at 500 lines:

diff --git a/librpc/ndr/ndr_sec_helper.c b/librpc/ndr/ndr_sec_helper.c
index f870a17aafc..1a156b01d40 100644
--- a/librpc/ndr/ndr_sec_helper.c
+++ b/librpc/ndr/ndr_sec_helper.c
@@ -104,7 +104,6 @@ _PUBLIC_ enum ndr_err_code ndr_pull_security_ace(struct 
ndr_pull *ndr, ndr_flags
 {
NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
if (ndr_flags & NDR_SCALARS) {
-   ssize_t sub_size;
NDR_CHECK(ndr_pull_align(ndr, 5));
NDR_CHECK(ndr_pull_security_ace_type(ndr, NDR_SCALARS, 
>type));
NDR_CHECK(ndr_pull_security_ace_flags(ndr, NDR_SCALARS, 
>flags));
@@ -112,12 +111,12 @@ _PUBLIC_ enum ndr_err_code ndr_pull_security_ace(struct 
ndr_pull *ndr, ndr_flags
NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, >access_mask));
NDR_CHECK(ndr_maybe_pull_security_ace_object_ctr(ndr, 
NDR_SCALARS, r));
NDR_CHECK(ndr_pull_dom_sid(ndr, NDR_SCALARS, >trustee));
-   sub_size = ndr_subcontext_size_of_ace_coda(r, r->size, 
ndr->flags);
-   if (!sec_ace_has_extra_blob(r->type) || sub_size == 0) {
+   if (!sec_ace_has_extra_blob(r->type)) {
r->coda.ignored.data = NULL;
r->coda.ignored.length = 0;
} else {
struct ndr_pull *_ndr_coda;
+   ssize_t sub_size = ndr_subcontext_size_of_ace_coda(r, 
r->size, ndr->flags);
NDR_CHECK(ndr_pull_subcontext_start(ndr, &_ndr_coda, 0, 
sub_size));
NDR_CHECK(ndr_pull_set_switch_value(_ndr_coda, 
>coda, r->type));
NDR_CHECK(ndr_pull_security_ace_coda(_ndr_coda, 
NDR_SCALARS|NDR_BUFFERS, >coda));
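Review bot: With the "sub_size == 0" test removed, sub_size (an ssize_t) now goes from ndr_subcontext_size_of_ace_coda() straight into ndr_pull_subcontext_start() in the else branch with no check at all. Please confirm that a negative return cannot reach that call, or add an explicit "sub_size < 0" check before it. A comment in the else branch noting that a zero size must still go through ndr_pull_security_ace_coda() so the coda is initialised would keep the old shortcut from being reintroduced later.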


-- 
Samba Shared Repository



[SCM] Samba Shared Repository - branch master updated

2024-03-22 Thread Andrew Bartlett
The branch, master has been updated
   via  7edf5467fc7 lib: Remove timeval_set()
   via  a3e186b6171 lib: Remove timeval_until()
   via  842e7378439 fuzz:fuzz_ndr_X: don't skip printing on push error
   via  cebe12bc85a ldb-samba: matching rules: notify of search failure in transitive filter
   via  90964caaf2e fuzz:_conditional_ace_blob discards a const
   via  e1071cd1df6 fuzz:fuzz_conditional_ace_blob lets long generated SDDL fail
   via  168e5df62f9 fuzzing: fuzz_ndr_X ndr_print does printing
  from  4f0ed9b0038 tests/krb5: Add tests for AllowedToAuthenticateTo with an AS-REQ

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 7edf5467fc77cc1039c0ef9fd4579bfb7333c159
Author: Volker Lendecke 
Date:   Wed Mar 13 16:19:48 2024 +0100

lib: Remove timeval_set()

We have the same function in tevent, no need to duplicate code. More lines
just due to clang-format.

Signed-off-by: Volker Lendecke 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Fri Mar 22 06:07:42 UTC 2024 on atb-devel-224

commit a3e186b61719cd0e1ec60006d7ea675c01d69c36
Author: Volker Lendecke 
Date:   Wed Mar 13 16:07:00 2024 +0100

lib: Remove timeval_until()

We have the same function in tevent, no need to duplicate code.

Signed-off-by: Volker Lendecke 
Reviewed-by: Andrew Bartlett 

commit 842e7378439fcf354260c98b9ea7dadf59c601c7
Author: Douglas Bagnall 
Date:   Thu Mar 21 14:48:34 2024 +1300

fuzz:fuzz_ndr_X: don't skip printing on push error

push should not have changed the struct, so it is valid to
try to print it also.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit cebe12bc85a7f178e7ccaecd1c075f2e40478139
Author: Douglas Bagnall 
Date:   Thu Dec 28 12:45:41 2023 +1300

ldb-samba: matching rules: notify of search failure in transitive filter

It can be very hard to know where transitive checks fail, and this
will help.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15515

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 90964caaf2e2ae0c36aa223ddfb66a5cdec42a6c
Author: Douglas Bagnall 
Date:   Thu Dec 28 13:46:48 2023 +1300

fuzz:_conditional_ace_blob discards a const

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit e1071cd1df6b639a2a4b273b82bdc968df363dbb
Author: Douglas Bagnall 
Date:   Wed Mar 20 17:29:52 2024 +1300

fuzz:fuzz_conditional_ace_blob lets long generated SDDL fail

This can legitimately fail, due to e.g. integers being interpreted as
local attributes due to their position (the original data is complete
nonsense, bravely decompiled by sddl_from_conditional_ace).

In the example found the original begins like


while the SDDL cycled version looks like


and this new interpretation ends up being more than 1 bytes long,
so the conversion fails.

The SDDL ends up looking like this:

  (((00) || (0177767)) || (035400)) || \
  (((035400) || (0177645)) \
  >= 0170) || (035400)) || (((035400 != 0245)
  [...]

where all the octal digits on the left hand side of operators are
UTF-16 strings.

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=65322

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

com

[SCM] Samba Shared Repository - branch master updated

2024-03-20 Thread Andrew Bartlett
The branch, master has been updated
   via  4f0ed9b0038 tests/krb5: Add tests for AllowedToAuthenticateTo with an AS-REQ
   via  eac23954156 s4:auth: Update error messages
   via  67af86d2ab8 auth:credentials: Remove unused include
   via  8b86174bd34 auth:credentials: Remove trailing line
   via  67457394e42 tests/krb5: Allow specifying SamDB to use when creating an account
   via  0bc8d1469b8 python:tests: Do not have current_time() and current_nt_time() implicitly include clock skew
   via  96ac8144b43 python: Correct time conversion function name
   via  cd44f8063b2 s4:libnet: Fix code spelling
   via  d8fa0dd62eb python: Type ‘format’ parameter as optional
   via  cd7b0720de7 python: Correctly qualify strptime()
   via  ed5f8af3299 python:tests: Fix code spelling
   via  2f25c23b7bb s4:auth: Allocate strings on shorter‐lived memory context
   via  398a555fc26 python:tests: Simplify expression
   via  86db3056177 python:tests: Use Managed Service Accounts well‐known GUID
   via  55bc523da7d s4:auth: Fix grammar in error message
  from  8f1a80147d8 pidl: add "return ENOTSUP" for int return type in s3 template

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 4f0ed9b00389fa641a423b88ab5462b32dd7bbca
Author: Jo Sutton 
Date:   Tue May 2 15:42:24 2023 +1200

tests/krb5: Add tests for AllowedToAuthenticateTo with an AS-REQ

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15607

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Thu Mar 21 04:19:18 UTC 2024 on atb-devel-224

commit eac2395415616595c6163768baa163a83a3cea5a
Author: Jo Sutton 
Date:   Tue Mar 12 11:08:30 2024 +1300

s4:auth: Update error messages

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit 67af86d2ab8cb1c9f7a253652feb4897389c6e64
Author: Jo Sutton 
Date:   Tue Mar 12 11:08:14 2024 +1300

auth:credentials: Remove unused include

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit 8b86174bd3409a651fc4d8c8a5edc55b714502ed
Author: Jo Sutton 
Date:   Tue Mar 12 11:07:56 2024 +1300

auth:credentials: Remove trailing line

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit 67457394e423598af7b8aa654628af9b7ecea5ee
Author: Jo Sutton 
Date:   Fri Mar 8 16:34:49 2024 +1300

tests/krb5: Allow specifying SamDB to use when creating an account

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit 0bc8d1469b89ddf4b3f6cd07e0941137e05dff9d
Author: Jo Sutton 
Date:   Mon Mar 4 13:38:10 2024 +1300

python:tests: Do not have current_time() and current_nt_time() implicitly include clock skew

This is just too error‐prone.

current_gkid() will still continue to return the next GKID if it’s
within clock skew.

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit 96ac8144b4311516bd4acf9be95a86b574f359f4
Author: Jo Sutton 
Date:   Thu Mar 7 17:14:24 2024 +1300

python: Correct time conversion function name

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit cd44f8063b2f7ed6bbcd063e450ec99624308c61
Author: Jo Sutton 
Date:   Tue Mar 5 12:37:11 2024 +1300

s4:libnet: Fix code spelling

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit d8fa0dd62eb158e6f4c2270267421c3a77be6680
Author: Jo Sutton 
Date:   Tue Mar 5 12:32:16 2024 +1300

python: Type ‘format’ parameter as optional

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit cd7b0720de7b85903c5d4dfb74fb66bd29519f1d
Author: Jo Sutton 
Date:   Tue Mar 5 12:31:27 2024 +1300

python: Correctly qualify strptime()

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit ed5f8af3299143e020a72916c37a3d54a71f1ccc
Author: Jo Sutton 
Date:   Mon Mar 4 13:38:29 2024 +1300

python:tests: Fix code spelling

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit 2f25c23b7bb4f935e3b9ebf77fa1309de1e2df48
Author: Jo Sutton 
Date:   Thu Mar 14 15:14:55 2024 +1300

s4:auth: Allocate strings on shorter‐lived memory context

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit 398a555fc26b386668c83320ce9898816c717f41
Author: Jo Sutton 
Date:   Wed Mar 13 10:12:33 2024 +1300

python:tests: Simplify expression

‘not keytab_bytes’ is shorter and equivalent.

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit 86db3056177115a2b443a8b4c6ff8b2b6086d2c8
Author: Jo Sutton 
Date:   Tue Mar 12 16:24:59 2024 +1300

python:tests: Use Managed Service Accounts well‐known GUID

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit 55bc523da7d516a4ed43eafb0f22170ea59d9e32
Author: Jo Sutton 
Date:   

[SCM] Samba Shared Repository - branch master updated

2024-03-20 Thread Andrew Bartlett
The branch, master has been updated
   via  8f1a80147d8 pidl: add "return ENOTSUP" for int return type in s3 template
   via  56719a5d107 pidl: fix trailing double-quote on last line of s3 server stubs
   via  efffb2484bb s3-librpc: merge two PIDL lists
   via  d13226366b2 ldb_dn: make LDB_FREE, TALLOC_FREE
   via  bf654a04675 pyldb: ldb_msg_richcmp: avoid one intransitive compare
   via  8cf77b5775a ldb:ldb_dn: use safe transitive comparison in ldb_dn_compare()
   via  118b9ec5e07 pyldb: add a FIXME for a non-transitive compare
   via  461192fdbea pyldb_utils: pyldb_Object_AsDn() sets TypeError more often
   via  e4babdfa445 ldb:pyldb.h: include some headers that are used
   via  2ed90bbfb47 lib/ldb: don't allow repeated connections
   via  d58c2c299de ldb:pytests: test duplicate connections fail
   via  c7c42762c68 ldb-samba:ldb_wrap: don't crash if "ldb_url" opaque is unset
   via  4ce132cea93 pyldb: py_ldb_init() uses py_ldb_connect() for connecting
   via  14a6109e9a2 pyldb: catch errors in ldb_db_get_casefold
   via  c17ff0a3357 pytest:segfault: do not assume PLEASE_NO_GDB_BACKTRACE var is unset
   via  5ceecd3f739 pytest:segfault: prevent @no_gdb_backtrace smearing on exception
   via  682a87fd0a8 selftest: Run samba.tests.segfault with TALLOC_FREE_FILL
   via  c04ac95ce40 py:samdb: make SamDB.__str__ show the URL and ID
   via  ecd65265ac0 selftest/gdb_backtrace: print `info threads` and some signpost headers
   via  12ce289922c selftest/gdb_backtrace: avoid printing backtrace twice with 1 thread
   via  904479cdf6d selftest/gdb_backtrace: print python traceback if available
  from  da500249fcf tests: gmsa blackbox tests

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 8f1a80147d8d95c5f59f2e8c2a18bfaee29cfcf5
Author: Günther Deschner 
Date:   Tue Mar 19 22:00:11 2024 +0100

pidl: add "return ENOTSUP" for int return type in s3 template

Guenther

Signed-off-by: Guenther Deschner 
Reviewed-by: Andrew Bartlett

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Thu Mar 21 00:45:29 UTC 2024 on atb-devel-224

commit 56719a5d107b6590b10165347345d6b5366af755
Author: Günther Deschner 
Date:   Tue Mar 19 18:24:13 2024 +0100

pidl: fix trailing double-quote on last line of s3 server stubs

Guenther

Signed-off-by: Guenther Deschner 
Reviewed-by: Andrew Bartlett

commit efffb2484bbf7058eec1f085bab65639c42b1656
Author: Günther Deschner 
Date:   Thu Mar 14 15:22:25 2024 +0100

s3-librpc: merge two PIDL lists

Guenther

Signed-off-by: Guenther Deschner 
Reviewed-by: Andrew Bartlett

commit d13226366b254502125f572b8bd574709c125613
Author: Douglas Bagnall 
Date:   Fri Mar 15 23:29:34 2024 +1300

ldb_dn: make LDB_FREE, TALLOC_FREE

This LDB_FREE() seems to predate TALLOC_FREE(), and was identical
until TALLOC_FREE was optimised to avoid calling talloc_free(NULL) in
b9fcfc6399eab750880ee0b9806311dd351a8ff6.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett

commit bf654a046754c1ceaf669fb7e9f36eddc3266a28
Author: Douglas Bagnall 
Date:   Fri Mar 15 15:47:55 2024 +1300

pyldb: ldb_msg_richcmp: avoid one intransitive compare

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett

commit 8cf77b5775a314b606bf870f99695a45cfbbd084
Author: Douglas Bagnall 
Date:   Fri Mar 15 15:03:44 2024 +1300

ldb:ldb_dn: use safe transitive comparison in ldb_dn_compare()

The comparison we make is unconventional, and makes no difference in
normal usage, where we just want to know whether two DNs are the same
or not. But with over 100 callers, it is possible that something
somewhere is attempting a sort.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett

commit 118b9ec5e075e19c79e8974beeb64dcb0392877f
Author: Douglas Bagnall 
Date:   Thu Mar 14 16:36:07 2024 +1300

pyldb: add a FIXME for a non-transitive compare

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett

commit 461192fdbeaafcd9d0af083d220afff3af2bdef7
Author: Douglas Bagnall 
Date:   Fri Mar 15 12:12:26 2024 +1300

pyldb_utils: pyldb_Object_AsDn() sets TypeError more often

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett

commit e4babdfa4451ce251ce4632a320deb63d38003cd
Author: Douglas Bagnall 
Date:   Thu Mar 7 22:29:10 2024 +1300

ldb:pyldb.h: include some headers that are used

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett

commit 2ed90bbfb4777f5948df10760342c031b5fcd081
Author: Douglas Bagnall 
Date:   Wed Mar 20 12:18:12 2024 +1300

lib/ldb: don't allow repeated connections

In the best case, this would have leaked.

Signed-off-by:

[SCM] Samba Shared Repository - branch master updated

2024-03-19 Thread Andrew Bartlett
The branch, master has been updated
   via  da500249fcf tests: gmsa blackbox tests
   via  7dcc06fa88b tests: models: test additional Computer constructor cases
   via  c004fdd0f34 tests: models: fix username should be account_name
   via  87cf1a29378 tests: user: create gmsa with models
   via  ea3838b6bcc tests: user: fix PEP8 spacing around operator
   via  878abe023ed tests: user: gmsa dNSHostName is a required field
   via  40e0cb2ccaa tests: samdb: Make use of the domain_sid property
   via  3c022f444a1 python: fix json encoder should handle Exception
   via  52165b8eada python: models: add Container model
   via  bda232944cf python: models: add kwargs to __json__ and as_dict 
methods
   via  7fafb268bf9 python: pep8: fix import sorting after move
   via  f739ef813c0 python: move models out of the netcmd package
   via  1f511acc133 python: create domain module to move models into
   via  e25c4872034 netcmd: gmsa: show viewers also works if SID is not 
found
   via  12adbfc6abf netcmd: gmsa: add and remove don't fetch trustee if it 
is a SID
   via  87d00915e96 netcmd: gmsa: add_trustee and remove_trustee change 
argument to sid
   via  48c0ed76e02 netcmd: gmsa: fix typo if trustee is not found
   via  a6e79982c90 netcmd: gmsa: create should allow custom SDDL
   via  200948c172d netcmd: models: improve Computer constructor adding "$" 
handling
   via  bd79c074e2d netcmd: models: allow scope to be overridden in query
   via  3e22f8f3034 netcmd: models: add User.get_sid_for_principal helper
   via  12f3db0109a netcmd: models: User.find also tries object_sid
   via  4f97df7056b python: samdb: Make connecting_user_sid a property
   via  c221f7080c5 python: samdb: Move get_connecting_user_sid to samdb
  from  b815abe7799 libcli/security: check again for NULL values

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit da500249fcf52629c8d3da4d608b85b96b43cca6
Author: Rob van der Linde 
Date:   Fri Mar 1 11:22:03 2024 +1300

tests: gmsa blackbox tests

Signed-off-by: Rob van der Linde 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Wed Mar 20 04:53:57 UTC 2024 on atb-devel-224

commit 7dcc06fa88b06cedcaa9165536eb47c6fed27fc4
Author: Rob van der Linde 
Date:   Wed Mar 6 16:52:53 2024 +1300

tests: models: test additional Computer constructor cases

Signed-off-by: Rob van der Linde 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit c004fdd0f34ec009fa4f24535ffb5773ee506e37
Author: Rob van der Linde 
Date:   Wed Mar 6 16:49:21 2024 +1300

tests: models: fix username should be account_name

The reason this didn't fail is because it doesn't save the Computers.

This gets fixed in the next commit.

Signed-off-by: Rob van der Linde 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 87cf1a2937837d268de0339f88f02d4304355f75
Author: Rob van der Linde 
Date:   Tue Mar 5 16:39:33 2024 +1300

tests: user: create gmsa with models

It was fetching the GMSA with the models straight after creating it anyway.

Signed-off-by: Rob van der Linde 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit ea3838b6bcc5a60bbef201f016dfecea0af68b54
Author: Rob van der Linde 
Date:   Tue Mar 5 16:20:52 2024 +1300

tests: user: fix PEP8 spacing around operator

Signed-off-by: Rob van der Linde 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 878abe023ed8cabe3e24a998a9ed870de8f64ee1
Author: Rob van der Linde 
Date:   Tue Mar 5 12:14:06 2024 +1300

tests: user: gmsa dNSHostName is a required field

Signed-off-by: Rob van der Linde 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 40e0cb2ccaa659d3ee109949044fe006e7a7d2bb
Author: Rob van der Linde 
Date:   Wed Feb 28 17:00:24 2024 +1300

tests: samdb: Make use of the domain_sid property

Signed-off-by: Rob van der Linde 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 3c022f444a1c8644cdd4011475b2a16f834b18ab
Author: Rob van der Linde 
Date:   Wed Mar 20 09:50:49 2024 +1300

python: fix json encoder should handle Exception

This happens if --json is used and a CommandError is raised, so will affect 
other commands too where --json is used.

This happens in the print_json_status method.

Signed-off-by: Rob van der Linde 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 52165b8eada72ac2d2e015faba372af8ae9c7284
Author: Rob van der Linde 
Date:   Wed Mar 13 23:07:52 2024 +1300

python: models: add Container model

Signed-off-by: Rob van der Linde 
Reviewed-by: Douglas Bagnall 
  

[SCM] Samba Shared Repository - branch master updated

2024-03-17 Thread Andrew Bartlett
The branch, master has been updated
   via  b815abe7799 libcli/security: check again for NULL values
   via  78f728063a1 libcli/security: claims_conversions: check for NULL in 
claims array
  from  97a23e57dc8 s4-auth/kerberos: Report errors observed during 
smb_krb5_remove_obsolete_keytab_entries()

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit b815abe77991d7929717ea3ed4b9d7bef7179715
Author: Douglas Bagnall 
Date:   Sun Mar 17 23:08:23 2024 +1300

libcli/security: check again for NULL values

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Mon Mar 18 02:51:08 UTC 2024 on atb-devel-224

commit 78f728063a1e510966a45f7f1d9515ea3bd16214
Author: Douglas Bagnall 
Date:   Sun Mar 17 23:07:17 2024 +1300

libcli/security: claims_conversions: check for NULL in claims array

If by mistake we end up with a NULL in our array of claims pointers,
it is better to return an error than crash.

There can be NULLs in the array if a resource attribute ACE has a
claim that uses 0 as a relative data pointer. Samba assumes this means
a NULL pointer, rather than a zero offset.

Credit to OSS-Fuzz.

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=66777
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15606

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

---

Summary of changes:
 libcli/security/claims-conversions.c | 13 +
 1 file changed, 13 insertions(+)


Changeset truncated at 500 lines:

diff --git a/libcli/security/claims-conversions.c 
b/libcli/security/claims-conversions.c
index bbba5973852..ccf1375fc8f 100644
--- a/libcli/security/claims-conversions.c
+++ b/libcli/security/claims-conversions.c
@@ -262,6 +262,9 @@ static bool claim_v1_offset_to_ace_token(
uint8_t f = claim->flags & 
CLAIM_SECURITY_ATTRIBUTE_VALUE_CASE_SENSITIVE;
result->flags = f | CONDITIONAL_ACE_FLAG_TOKEN_FROM_ATTR;
 
+   if (claim->values[offset].int_value == NULL) {
+   return false;
+   }
switch (claim->value_type) {
case CLAIM_SECURITY_ATTRIBUTE_TYPE_INT64:
return claim_v1_int_to_ace_int(claim, offset, result);
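Review bot: The new NULL test in claim_v1_offset_to_ace_token() reads `claim->values[offset].int_value` before `switch (claim->value_type)`, so it goes through the int member whatever the claim's type is, and nothing at this site says that is intended. The matching loop in claim_v1_check_and_sort() carries a comment; a one-line comment here, or a small helper shared by both sites, would make the assumption explicit. The test also sits after `result->flags` has been assigned, so a caller that gets `false` back sees a partly filled `result`; moving the test above the flags assignment avoids that.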
@@ -935,6 +938,16 @@ NTSTATUS claim_v1_check_and_sort(TALLOC_CTX *mem_ctx,
.case_sensitive = case_sensitive
};
 
+   /*
+* It could be that the values array contains a NULL pointer, in which
+* case we don't need to worry about what type it is.
+*/
+   for (i = 0; i < claim->value_count; i++) {
+   if (claim->values[i].int_value == NULL) {
+   return NT_STATUS_INVALID_PARAMETER;
+   }
+   }
+
if (claim->value_type == CLAIM_SECURITY_ATTRIBUTE_TYPE_BOOLEAN) {
NTSTATUS status = claim_v1_check_and_sort_boolean(mem_ctx, 
claim);
if (NT_STATUS_IS_OK(status)) {
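Review bot: The comment above the new loop in claim_v1_check_and_sort() says a NULL entry needs no type check, but not how a NULL can get into `claim->values` in the first place. The commit message has the reason (a resource attribute ACE claim that uses 0 as a relative data pointer, which Samba treats as NULL); a sentence of that in the comment would keep the explanation next to the code. The expression `claim->values[i].int_value == NULL` now appears in two functions in this file, so a small named helper would keep the two checks in step.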


-- 
Samba Shared Repository



[SCM] Samba Shared Repository - branch master updated

2024-03-14 Thread Andrew Bartlett
The branch, master has been updated
   via  97a23e57dc8 s4-auth/kerberos: Report errors observed during 
smb_krb5_remove_obsolete_keytab_entries()
   via  9d7a97dc982 samba-tool domain exportkeytab: Refuse to overwrite an 
existing file in full-db export
   via  a0867595fbd s4-libnet: Prepare for a "rolling update" keytab export
   via  7b662a92878 s4-auth/kerberos: Do not add true duplicates to 
exported keytab
   via  3bb215d1946 selftest: Add tests of samba-tool domain export-keytab 
--keep-stale-entries behaviour
   via  f81d7047b6a selftest: Add tests for "samba-tool domain 
exportkeytab" with existing files
   via  b2dff173666 samba-tool domain exportkeytab: Raise a proper 
CommandError
   via  014f1b561e8 s4-libnet: Raise NTSTATUSError not RuntimeError in 
keytab export
   via  0cb1e4dbf8e samba-tool: Add option --keep-stale-entries to 
"samba-tool domain exportkeytab"
   via  2f97f6fe484 lib/krb5_wrap: Pull already_hashed case out of 
smb_krb5_kt_add_entry()
   via  9fc4070f89d lib/krb5_wrap: Rename confusing add_salt parameter to 
smb_krb5_kt_add_entry()
   via  43ce741d1ff python/tests: Add test that gMSA keytab export works 
and matches direct keytab export
   via  91c05536108 s4-auth/kerberos: Note the good possibility that the 
msDS-KeyVersionNumber is wrong
   via  0490aed7168 auth/credentials: Cope with GMSA 5min password preview 
in cli_credentials_set_gmsa_passwords()
   via  bd2edecff06 s4-libnet: Add export of gMSA keys to "samba-tool 
domain exportkeytab"
   via  66a9c1daa86 s4-kdc: Prepare for gMSA support by recording it on the 
entry
   via  48affb137fb auth/credentials: Allow generation of old Kerberos keys 
also
   via  b8308f3fe06 auth/credentials: Make cli_credentials_get_aes256_key 
into generic key access
   via  13d346ce0c4 auth/credentials: Add hook to set credentials from 
msDS-ManagedPassword blob
   via  44063674734 s4-libnet: Pass the full struct smb_krb5_context to 
sdb_kt_copy()
   via  dd993c21703 auth/credentials: Dynamically calculate the salt 
principal (unless specified)
   via  9fc11e329c9 auth/credentials: Use salt on credentials object for 
Creds.get_aes256_key()
   via  74f9d2e5190 auth/credentials: Add bindings for getting and setting 
the salt principal
   via  f34b910b5bc s4-libnet: Provide hint for "samba-tool domain 
exportkeytab" if used over LDAP without gMSA
   via  d4155f8a998 Make "samba-tool domain exportkeytab" prune old keys
   via  6b3ce044d2d s4-auth/kerberos: Rename create_keytab() to 
smb_krb5_fill_keytab()
   via  2c33862b9e0 s4-auth/kerberos: Add define ENC_STRONG_SALTED_TYPES
   via  a2ed51df7c0 s4-auth/kerberos: Remove unused parameters to 
create_keytab()
   via  9246ee48040 samba-tool domain exportkeytab: Add support for -H to 
point to a different sam.ldb
   via  b6cffcb3fb0 libnet: Prepare to allow "samba-tool domain 
exportkeytab" to support -H
   via  7a8c091698e python: Explain strange enable_net_export_keytab() 
behaviour is no longer due to Heimdal
  from  c97071726e1 packaging: Provide a systemd service file for samba-bgqd

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----
commit 97a23e57dc88fe6b4a851bb0e0db09a4ee9b37fb
Author: Andrew Bartlett 
Date:   Thu Mar 14 16:55:19 2024 +1300

s4-auth/kerberos: Report errors observed during 
smb_krb5_remove_obsolete_keytab_entries()

Previously any errors noticed during the main loop would be ignored.

Signed-off-by: Andrew Bartlett 
Reviewed-by: Jo Sutton 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Thu Mar 14 23:16:16 UTC 2024 on atb-devel-224

commit 9d7a97dc9820e9f69a25a7321d84eb18cd3c6c08
Author: Andrew Bartlett 
Date:   Thu Mar 7 14:53:53 2024 +1300

samba-tool domain exportkeytab: Refuse to overwrite an existing file in 
full-db export

Since 87f67d336919172845f53067c67d1eab8e7ef18a samba-tool domain exportkeytab has
silently unlinked the given target file.  Instead, the administrator now needs
to specify a file that does not exist.

Signed-off-by: Andrew Bartlett 
Reviewed-by: Jo Sutton 

commit a0867595fbdb0e59b3c649f80f36e99ca74af41e
Author: Andrew Bartlett 
Date:   Wed Mar 6 17:48:09 2024 +1300

s4-libnet: Prepare for a "rolling update" keytab export

This mode will allow keytabs to be exported with all current keys added
to historical keys, which will be useful in a domain with many gMSA
servers that require wireshark decryption.

Signed-off-by: Andrew Bartlett 
Reviewed-by: Jo Sutton 

commit 7b662a928784c889f0d0e4124b723fa6fd20
Author: Andrew Bartlett 
Date:   Wed Mar 6 17:43:47 2024 +1300

s4-auth/kerberos: Do not add true duplicates to exported key

[SCM] Samba Shared Repository - branch master updated

2024-03-04 Thread Andrew Bartlett
The branch, master has been updated
   via  da7f056fb5d lib/ldb-samba: Remove unused ldb.set_opaque_integer()
   via  d73c92a35dd dsdb: Remove calls to ldb.set_opaque_integer()
   via  416b6c5a03d lib/ldb-samba: Align py_ldb_set_opaque_integer() with 
pyldb_set_opaque() and use "unsigned long long"
   via  195c0e0d491 lib/ldb: Allocate opaque on ldb_ctx
   via  b42043897a6 python/samba/provision: Ensure KDS root key is usable 
as soon as provision is complete
   via  fb219d545bb selftest: Assert that the provision KDS root key is 
already valid for use
  from  9b0330ea3f5 pytest:samba-tool domain kds root-key: test with normal 
user

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit da7f056fb5d932ad4a302f1fab0ef886183f3b8f
Author: Andrew Bartlett 
Date:   Mon Mar 4 14:45:42 2024 +1300

lib/ldb-samba: Remove unused ldb.set_opaque_integer()

Signed-off-by: Andrew Bartlett 
Reviewed-by: Jo Sutton 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Tue Mar  5 03:55:33 UTC 2024 on atb-devel-224

commit d73c92a35dda1e20cd75b7061fc151234996d9b4
Author: Andrew Bartlett 
Date:   Mon Mar 4 14:44:53 2024 +1300

dsdb: Remove calls to ldb.set_opaque_integer()

This routine will shortly be removed; it is now replaced by an
improved ldb.set_opaque()

Signed-off-by: Andrew Bartlett 
Reviewed-by: Jo Sutton 

commit 416b6c5a03d4fa9d55decc1de6a9ab409fa045f0
Author: Andrew Bartlett 
Date:   Mon Mar 4 14:27:19 2024 +1300

lib/ldb-samba: Align py_ldb_set_opaque_integer() with pyldb_set_opaque() 
and use "unsigned long long"

We need to change the internal types assumed in Samba for the opaque
integers to "unsigned long long" as this is what ldb.set_opaque() will
create, and we want to move to this interface rather than have a
duplicate.
    
Signed-off-by: Andrew Bartlett 
Reviewed-by: Jo Sutton 

commit 195c0e0d4912d37a8404e83e0e3357bb47b61e0d
Author: Andrew Bartlett 
Date:   Mon Mar 4 13:02:54 2024 +1300

lib/ldb: Allocate opaque on ldb_ctx

Just in case this LDB is given away into the C code, that opaque must live
as long as the LDB itself, not the python wrapper object.
    
Signed-off-by: Andrew Bartlett 
Reviewed-by: Jo Sutton 

commit b42043897a6ebf52f70c5bdcdcfe6a18f8ad6fd8
Author: Andrew Bartlett 
Date:   Tue Mar 5 11:49:49 2024 +1300

python/samba/provision: Ensure KDS root key is usable as soon as provision 
is complete

We do this by setting the start time to being 10 hours 5min earlier
than now.
    
Signed-off-by: Andrew Bartlett 
Reviewed-by: Jo Sutton 

commit fb219d545bb3bd328200a3097b52594617fc246a
Author: Andrew Bartlett 
Date:   Tue Mar 5 12:38:06 2024 +1300

selftest: Assert that the provision KDS root key is already valid for use
    
Signed-off-by: Andrew Bartlett 
Reviewed-by: Jo Sutton 

---

Summary of changes:
 lib/ldb-samba/pyldb.c| 67 
 lib/ldb/pyldb.c  |  6 +--
 python/samba/join.py | 12 ++---
 python/samba/provision/__init__.py   | 20 +--
 python/samba/tests/dsdb_quiet_provision_tests.py | 14 -
 source4/dsdb/common/util.c   | 14 ++---
 source4/dsdb/samdb/ldb_modules/repl_meta_data.c  |  4 +-
 source4/dsdb/samdb/ldb_modules/rootdse.c | 13 +++--
 source4/torture/drs/python/ridalloc_exop.py  |  4 +-
 9 files changed, 55 insertions(+), 99 deletions(-)


Changeset truncated at 500 lines:

diff --git a/lib/ldb-samba/pyldb.c b/lib/ldb-samba/pyldb.c
index 2241abc01df..8154679146b 100644
--- a/lib/ldb-samba/pyldb.c
+++ b/lib/ldb-samba/pyldb.c
@@ -91,71 +91,6 @@ static PyObject *py_ldb_set_credentials(PyObject *self, 
PyObject *args)
Py_RETURN_NONE;
 }
 
-/* XXX: This function really should be in libldb's pyldb.c */
-static PyObject *py_ldb_set_opaque_integer(PyObject *self, PyObject *args)
-{
-   int value;
-   int *old_val, *new_val;
-   char *py_opaque_name, *opaque_name_talloc;
-   struct ldb_context *ldb;
-   int ret;
-   TALLOC_CTX *tmp_ctx;
-
-   if (!PyArg_ParseTuple(args, "si", _opaque_name, ))
-   return NULL;
-
-   ldb = pyldb_Ldb_AS_LDBCONTEXT(self);
-
-   /* see if we have a cached copy */
-   old_val = (int *)ldb_get_opaque(ldb, py_opaque_name);
-   /* XXX: We shouldn't just blindly assume that the value that is 
-* already present has the size of an int and is not shared 
-* with other code that may rely on it not changing. 
-* JRV 20100403 */
-
-   if (old_val) {
-   *old_val = value;
-   Py_RETURN_NONE;
-   }
-
-   tmp_ctx = tall
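Review bot: The removed py_ldb_set_opaque_integer() stored its value as an `int` (`int *old_val, *new_val;`), while this series moves these opaques to ldb.set_opaque() and "unsigned long long". Every C reader of the same opaque names has to change width in the same series, or it will read an object of a different size than was stored; the summary lists source4/dsdb/common/util.c, repl_meta_data.c and rootdse.c as touched, and it is worth confirming that no other reader was missed. The commit message could also state that this drops a method from the Python bindings, for anyone with out-of-tree scripts that call it.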

[SCM] Samba Shared Repository - branch master updated

2024-03-03 Thread Andrew Bartlett
The branch, master has been updated
   via  9b0330ea3f5 pytest:samba-tool domain kds root-key: test with normal 
user
   via  ccfa16e2ec4 samba-tool: tidy up uncaught insufficient rights 
LdbError
  from  ee94d708557 ldb: Update ldb.get_opaque() to return talloc‐managed 
opaque values

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 9b0330ea3f5d5b41f84356ec54a2e5a6ecbbaccd
Author: Douglas Bagnall 
Date:   Mon Mar 4 10:46:02 2024 +1300

pytest:samba-tool domain kds root-key: test with normal user

It would be bad if samba-tool let ordinary users read root-key secrets.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Mon Mar  4 03:20:46 UTC 2024 on atb-devel-224

commit ccfa16e2ec48da4ab601ca6b8b0ccfc77d625085
Author: Douglas Bagnall 
Date:   Mon Mar 4 10:43:17 2024 +1300

samba-tool: tidy up uncaught insufficient rights LdbError

It is likely that many sub-commands will produce a traceback when people
go `-H ldap://server -Ubob` when they needed to go `-UAdministrator`.

We can catch these and show only the core message.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

---

Summary of changes:
 python/samba/netcmd/__init__.py|   5 +-
 .../samba/tests/samba_tool/domain_kds_root_key.py  | 105 +
 2 files changed, 109 insertions(+), 1 deletion(-)


Changeset truncated at 500 lines:

diff --git a/python/samba/netcmd/__init__.py b/python/samba/netcmd/__init__.py
index 3e1f1c45aef..7d743526207 100644
--- a/python/samba/netcmd/__init__.py
+++ b/python/samba/netcmd/__init__.py
@@ -23,7 +23,7 @@ import textwrap
 import traceback
 
 import samba
-from ldb import ERR_INVALID_CREDENTIALS, LdbError
+from ldb import ERR_INVALID_CREDENTIALS, ERR_INSUFFICIENT_ACCESS_RIGHTS, 
LdbError
 from samba import colour
 from samba.auth import system_session
 from samba.getopt import Option, OptionParser
@@ -242,6 +242,9 @@ class Command(object):
 elif ldb_emsg.startswith("Unable to open tdb "):
 self._print_error(message, ldb_emsg, 'ldb')
 force_traceback = False
+elif ldb_ecode == ERR_INSUFFICIENT_ACCESS_RIGHTS:
+self._print_error("User has insufficient access rights")
+force_traceback = False
 else:
 self._print_error(message, ldb_emsg, 'ldb')
 
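Review bot: In the new `elif ldb_ecode == ERR_INSUFFICIENT_ACCESS_RIGHTS:` branch, `self._print_error("User has insufficient access rights")` drops `ldb_emsg`, which the neighbouring branches pass as `self._print_error(message, ldb_emsg, 'ldb')`. Whatever detail the server gave about the refused operation is lost to the administrator. Consider passing `ldb_emsg` along as the detail argument while still setting `force_traceback = False`.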
diff --git a/python/samba/tests/samba_tool/domain_kds_root_key.py 
b/python/samba/tests/samba_tool/domain_kds_root_key.py
index ad8e6e97f90..3a6613a14c0 100644
--- a/python/samba/tests/samba_tool/domain_kds_root_key.py
+++ b/python/samba/tests/samba_tool/domain_kds_root_key.py
@@ -39,6 +39,9 @@ HOST = "ldap://{DC_SERVER}".format(**os.environ)
 CREDS = "-U{DC_USERNAME}%{DC_PASSWORD}".format(**os.environ)
 SMBCONF = os.environ['SERVERCONFFILE']
 
+# alice%Secret007
+NON_ADMIN_CREDS = "-U{DOMAIN_USER}%{DOMAIN_USER_PASSWORD}".format(**os.environ)
+
 TIMESTAMP_RE = r'\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{6}\+00:00'
 
 NOWISH = 'about now'
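Review bot: The comment `# alice%Secret007` above NON_ADMIN_CREDS writes out a literal user name and password, while the value itself is built from DOMAIN_USER and DOMAIN_USER_PASSWORD in the environment, so the comment goes stale as soon as the selftest environment changes. Describe what the account is (an ordinary, non-admin domain user) rather than what its credentials currently are.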
@@ -500,6 +503,22 @@ class KdsRootKeyTests(KdsRootKeyTestsBase):
  f"created root key {new_guids[0]}, usable from 
{TIMESTAMP_RE}")
 self._delete_root_key(new_guids[0])
 
+def test_create_json_non_admin(self):
+"""can you create a root-key without being admin?"""
+pre_create = self._get_root_key_guids()
+
+result, out, err = self.runcmd("domain", "kds", "root-key", "create",
+   "-H", HOST, NON_ADMIN_CREDS, "--json")
+self.assertCmdFail(result)
+
+post_create = self._get_root_key_guids()
+
+self.assertEqual(set(pre_create), set(post_create))
+data = json.loads(out)
+self.assertEqual(data['status'], 'error')
+self.assertEqual(data['message'], 'User has insufficient access 
rights')
+self.assertEqual(err, "", "not expecting stderr messages")
+
 def test_create_json_1997(self):
 """does create work?"""
 pre_create = self._get_root_key_guids()
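Review bot: In test_create_json_non_admin, `self.assertCmdFail(result)` runs before the root-key lists are compared, so if the create ever succeeds for a non-admin the test stops there and the new key stays in the directory for later tests. Fetch `post_create` first and delete anything not in `pre_create` (the test just above uses `self._delete_root_key(new_guids[0])`), or register a cleanup, before asserting on the result.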
@@ -640,6 +659,81 @@ class KdsRootKeyTests(KdsRootKeyTestsBase):
 self.assertIn(guid, pre_names)
 self.assertNotIn(guid, post_names)
 
+def test_delete_non_admin(self):
+"""does delete as non-admin fail?"""
+# make one to delete, and get the list as JSON
+_guid, dn, _created, _used = self._create_root_key_timediff()
+guid = str(_guid)
+
+result, out, err = self.

[SCM] Samba Shared Repository - branch master updated

2024-03-03 Thread Andrew Bartlett
The branch, master has been updated
   via  ee94d708557 ldb: Update ldb.get_opaque() to return talloc‐managed 
opaque values
   via  256320532a4 ldb: Update ldb.set_opaque() to accept only supported 
types
   via  81fd42165e9 ldb: Remove trailing whitespace
   via  ab6cb4bc972 ldb: Pass a supported opaque type to ldb.set_opaque()
   via  35e7ce88dd7 ldb: Add tests for Python set_opaque() and get_opaque()
   via  757036cefe5 pyldb: Remove unused and broken Python access to LDB 
module API
   via  7a38a98871b pyldb: Improve docstring for whoami(), which takes no 
arguments.
   via  f8fcd21812d pyldb: Remove last caller to and definition of 
PyLdb_Check()
   via  61e5958a3ac pyldb: Use "O!" to specify the type of py_ldb
   via  8b0d00a8e3e pyldb: Move PyErr_LDB_OR_RAISE() and 
PyErr_LDB_DN_OR_RAISE() into pyldb.h
   via  6c3ca9e4967 dns: Use pyldb_check_type() in PyErr_LDB_DN_OR_RAISE()
   via  083c948 dns: Use pyldb_Ldb_AsLdbContext() in 
PyErr_LDB_OR_RAISE()
   via  2ba8e656dab dsdb: Use pyldb_check_type() in PyErr_LDB_DN_OR_RAISE()
   via  da63ee78b34 dsdb: Use pyldb_Ldb_AsLdbContext() in 
PyErr_LDB_OR_RAISE()
   via  dbdecac5f89 ldb/pyldb: Call Py_DECREF(list) on failure in 
PyLdbResult_FromResult()
   via  53cdfff711a ldb/pyldb: Check errors from PyLdbMessage_FromMessage
  from  cabe817f63e netcmd: models: Create ClaimType in the model layer 
instead

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit ee94d7085570da981b0772c141a76a899c7b0e66
Author: Jo Sutton 
Date:   Fri Mar 1 16:23:58 2024 +1300

ldb: Update ldb.get_opaque() to return talloc‐managed opaque values

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Sun Mar  3 23:33:44 UTC 2024 on atb-devel-224

commit 256320532a45e1e8ff94d2c7b246797a5f8291b6
Author: Jo Sutton 
Date:   Fri Mar 1 16:23:53 2024 +1300

ldb: Update ldb.set_opaque() to accept only supported types

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit 81fd42165e9fd55fd15e4abd3172e3e291edc527
Author: Jo Sutton 
Date:   Thu Feb 29 13:07:47 2024 +1300

ldb: Remove trailing whitespace

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit ab6cb4bc97255296d53415eafbeb1a71a9d17cc8
Author: Jo Sutton 
Date:   Fri Mar 1 16:18:10 2024 +1300

ldb: Pass a supported opaque type to ldb.set_opaque()

We are about to modify ldb.set_opaque() to accept only certain types,
and ldb.Ldb is not one of those types.

Pass in a value that is supported and whose lifetime is guaranteed to
outlive the Ldb object.

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit 35e7ce88dd7694663a0c5f171f6a0fa751265902
Author: Jo Sutton 
Date:   Fri Mar 1 16:06:49 2024 +1300

ldb: Add tests for Python set_opaque() and get_opaque()

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit 757036cefe589248ace0d6da2ef70f9a7ff19554
Author: Andrew Bartlett 
Date:   Tue Nov 14 19:12:02 2023 +1300

pyldb: Remove unused and broken Python access to LDB module API

These exposed the private LDB modules API to python, and were
untested and broken since LDB was made async internally as
it never called ldb_wait() on the result.

Signed-off-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

commit 7a38a98871b63b57ae4e8bbb6c59213f8271a1b5
Author: Andrew Bartlett 
Date:   Wed Dec 6 11:18:47 2023 +1300

pyldb: Improve docstring for whoami(), which takes no arguments.

Signed-off-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

commit f8fcd21812d307d63639755221662568203e6e53
Author: Andrew Bartlett 
Date:   Tue Dec 5 11:59:46 2023 +1300

pyldb: Remove last caller to and definition of PyLdb_Check()

This is now checked by PyArg_ParseTupleAndKeywords().

Signed-off-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

commit 61e5958a3acf2169fc25ba7ec71b67ad08c38012
Author: Andrew Bartlett 
Date:   Tue Dec 5 11:53:58 2023 +1300

pyldb: Use "O!" to specify the type of py_ldb

Signed-off-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

commit 8b0d00a8e3e9fb427db6eef565de7b09e42784f8
Author: Andrew Bartlett 
Date:   Tue Dec 5 10:34:56 2023 +1300

pyldb: Move PyErr_LDB_OR_RAISE() and PyErr_LDB_DN_OR_RAISE() into pyldb.h

While this style of macro is against our coding style, it is still better
to have them in a single place, and while pyldb.h is technically public,
Samba is the only user of the C bindings.

Signed-off-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

commit 6c3ca9e4967746af5bf087a339e368d4a0bf9e96
Author: Andrew Bartlett 
Date:   Tue Dec 5 10:31:48 2023 +1300

dns: Use pyldb_check_type() in P

[SCM] Samba Shared Repository - branch master updated

2024-02-29 Thread Andrew Bartlett
The branch, master has been updated
   via  cabe817f63e netcmd: models: Create ClaimType in the model layer 
instead
   via  09aa2597888 netcmd: models: ClaimType: move all dunder methods to 
the top for consistency
   via  2d7cbba23ef netcmd: claims: tidy up, avoid setting enabled twice
   via  05098443475 netcmd: models: rename lookup methods to find for 
consistency
   via  076bc6ee1da netcmd: models: Rename username to account_name for 
consistency
   via  e70b8751398 netcmd: models: Add optional base_dn argument to 
Model.query method
   via  d961aacdf2b netcmd: models: Add Person and OrganizationalPerson
   via  7a4dc035210 netcmd: models: Add a repr method to Query for help in 
the shell
   via  3d367079081 netcmd: models: Rename method to Query._from_message 
for consistency
   via  a1345442ccb netcmd: models: Model.from_message should be internal
   via  993b6da2db8 netcmd: silos: silo and auth policy commands use Query 
class better
   via  9238afc16c6 netcmd: silos: silo and auth policy commands use print
   via  983f04e1aa6 netcmd: models: move remove trustee code to the GMSA 
model
   via  2456fa71bd6 netcmd: models: move add trustee code to the GMSA model
   via  85ca9e7cba4 netcmd: tests: add tests for service-account commands
   via  a7a35ae5e3c netcmd: gmsa: cli commands for managing group msa 
membership
   via  7b1b7d130bc netcmd: gmsa: base cli commands for group managed 
service accounts
   via  14a4f642b46 python: models: Computer constructor automatically adds 
"$" to account name
   via  87c8e578de0 selftest: aces: fix mutable default args in assemble_ace
   via  1093f4b6b11 selftest: aces: use constant from samba.security
   via  62e11cfa8af python: sd_utils: pep8 import sorting
   via  0127ddd7e26 python: sd_utils: remove redundant brackets around 
simple assert statements
   via  1afb6465b81 python: sd_utils: pep8 fix spacing around
   via  63d9b27908c netcmd: properly show command name in show help
   via  120bf34c696 netcmd: add newline before epilog so there is a space 
between
   via  982ebebfbe1 netcmd: models: model __json__ method should call 
as_dict instead
   via  181764a5d62 netcmd: models: setting kwarg to None should use field 
default
   via  ca973caa283 netcmd: models: Model.query adds optional polymorphic 
flag for returning specific class types
   via  ccce7e7c031 netcmd: models: ModelMeta needs to also set fields and 
meta if class is Model
   via  58700354869 netcmd: models: move object_sid field from User to base 
Model
   via  f54cfbea908 netcmd: models: bring Model class forward into module
   via  f8b5f7f5920 netcmd: models: ModelMeta no longer needs to inherit 
from ABCMeta
   via  f90e09a2856 netcmd: models: Model.get_object_class returns top 
instead of None
   via  b3cc3ade434 netcmd: models: Query.first and Query.last should use 
count from instance
   via  e41114ad5b1 netcmd: models: set the default for managed password 
interval on the model
   via  611403d4013 netcmd: models: move group msa membership default to 
constants
   via  dccafff1b36 netcmd: shell: show Models subheading
   via  14285db4823 netcmd: models: make MODELS constant keyed by object 
class instead
   via  1d0084673ef netcmd: models: move MODELS constant to constants.py to 
avoid import loop
   via  a5470623526 netcmd: models: update docstring of Computer.find method
   via  6834a1bdc9e netcmd: models: gmsa move find method to Computer model
   via  e1d61746c32 netcmd: models: gmsa GroupManagedServiceAccount 
inherits from Computer
   via  1cd7cf66807 netcmd: models: gmsa move GroupManagedServiceAccount 
model to gmsa.py
   via  84c721ec4a9 netcmd: models: gmsa trustees update docstring and 
incorrect return type
   via  c8857abb740 netcmd: models: gmsa trustees property only looks at 
allowed aces
   via  f5c6a42d97f netcmd: models: make 
GroupManagedServiceAccount.trustees a property
   via  cd395558b02 netcmd: models: avoid fetching each user in trustees 
method
   via  cf110742af0 netcmd: models: Remove unused groups_sddl method from 
User model
   via  4e31942d1fe netcmd: models: add default SDDL to group_msa_membership
  from  9f167b9b772 WHATSNEW: Add information on LDB no longer available 
standalone

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit cabe817f63e1518f4a3b467694646b0a90fda647
Author: Rob van der Linde 
Date:   Wed Feb 28 13:17:48 2024 +1300

netcmd: models: Create ClaimType in the model layer instead

Having it inside a command isn't very re-usable.

Signed-off-by: Rob van der Linde 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Fri Mar  1 05:52:5

[SCM] Samba Shared Repository - branch master updated

2024-02-29 Thread Andrew Bartlett
The branch, master has been updated
   via  9f167b9b772 WHATSNEW: Add information on LDB no longer available 
standalone
   via  81994b85adf build: Allow --with-ldbmodulesdir to override location 
of LDB modules
   via  5af23f1b585 ldb: Unconditionally set LDB_PACKAGE_VERSION
   via  625fb48326e ldb: Remove "private_library" variable with just one 
user
   via  07cc744effe ldb: Rename VERSION to LDB_VERSION to avoid confusion
   via  d163518e2ff lib/ldb: Remove duplicate aspects of build system
   via  ef7e9566bf5 ldb: Remove remaining components of independent ldb 
build system
   via  7c860d79d3c lib/ldb: Remove references to conf.env.standalone_ldb
   via  c1125a316fc lib/ldb: bld.CONFIG_SET(USING_SYSTEM_LDB) is now never 
set
   via  1edd8c066c2 lib/ldb: Adapt pkg-config files to being build from the 
main build.
   via  de1ab855ee2 lib/ldb: Always build standalone
   via  b83614144b7 build: Move --with-ldap/--without-ldap from source3 
build to top level
   via  1f50febc99f ldb: Remove the ability for Samba to compile against a 
system LDB
   via  e10932577bb build: Remove duplicated check for -Wl,-no-undefined on 
OpenBSD
   via  9fe559ecea4 build: Call conf.CHECK_XSLTPROC_MANPAGES() directly in 
wscript
   via  3b80c7f4ac1 autobuild: Move autobuild to expecting ldb to build as 
part of Samba
   via  9b5d226a5ae ldb: Honour --private-library=!ldb as meaning build as 
a public library
   via  1f41997b4c6 build: Allow --private-libraries to include a default
   via  7d1bc4fa902 build: Ensure that a forced-private library has no 
public headers
   via  2471a0037e2 ldb: Make pyldb-util always a private library
   via  a4afb2eeade selftest: Bring ldb test definitions into one place in 
selftest/tests.py
   via  05ce3810e39 selftest: Always and only run ldb test-tdb test in 
Samba selftest
   via  b98e05aec81 selftest: Move LDB cmocka based unit tests to Samba 
testsuite
   via  4c16618ee3c ldb: Prepare ldb tests for subunit output
   via  b76516d5155 selftest: Remove duplicate run of ldb.python.crash and 
ldb.python.repack
   via  8af7867505e ldb: Move tests to selftest/tests.py and out of 
standalone build
  from  d6bfd26049b pytests: samba-tool domain kds root_key

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 9f167b9b772214e76e75213711952ec6f9c9620e
Author: Andrew Bartlett 
Date:   Mon Feb 19 11:01:30 2024 +1300

WHATSNEW: Add information on LDB no longer available standalone

Signed-off-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Fri Mar  1 03:45:21 UTC 2024 on atb-devel-224

commit 81994b85adf21cce128c23ad1863e9b45717ecec
Author: Andrew Bartlett 
Date:   Wed Feb 14 11:54:54 2024 +1300

build: Allow --with-ldbmodulesdir to override location of LDB modules

This will allow some packagers to set this to a directory that does
not mention Samba, or to put a version string in to avoid loading
old modules.

Signed-off-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

commit 5af23f1b5850df2285986a279c3911724eaa4660
Author: Andrew Bartlett 
Date:   Mon Feb 12 15:00:30 2024 +1300

ldb: Unconditionally set LDB_PACKAGE_VERSION

This is only parsed once now and there is no confusion with the main build, 
so we can set it without checking.

Signed-off-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

commit 625fb48326ec62a33ce0abdbfb0f6f3d33d7cc64
Author: Andrew Bartlett 
Date:   Mon Feb 12 15:26:14 2024 +1300

ldb: Remove "private_library" variable with just one user

Signed-off-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

commit 07cc744effeff5e359010674a31dd8e16d75d6fc
Author: Andrew Bartlett 
Date:   Mon Feb 12 14:06:12 2024 +1300

ldb: Rename VERSION to LDB_VERSION to avoid confusion

Signed-off-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

commit d163518e2ff7d7bef79e6948462e65cec40976c7
Author: Andrew Bartlett 
Date:   Mon Feb 12 11:16:28 2024 +1300

lib/ldb: Remove duplicate aspects of build system

We no longer need aspects of our build that made sense for the standalone
operation of LDB now that ldb is only provided as part of Samba.

Signed-off-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

commit ef7e9566bf55033ebbc75c115213de7ae04cfe44
Author: Andrew Bartlett 
Date:   Mon Feb 12 14:05:17 2024 +1300

ldb: Remove remaining components of independent ldb build system

Signed-off-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

commit 7c860d79d3c2337d174a1f908b03c25af8ec2c02
Author: Andrew Bartlett 
Date:   Mon Feb 12 12:41:02 2024 +1300

lib/ldb: Remove references to conf.env.standalone_ldb

This is not a simple replaceme

[SCM] Samba Shared Repository - branch master updated

2024-02-29 Thread Andrew Bartlett
The branch, master has been updated
   via  d6bfd26049b pytests: samba-tool domain kds root_key
   via  d0234391a8a samba-tool: add `samba-tool domain kds root_key delete`
   via  710093dc279 samba-tool: add `samba-tool domain kds root_key create`
   via  ee1e9f1fb22 samba-tool: add `samba-tool domain kds root_key view`
   via  a92699cda06 samba-tool: add `samba-tool domain kds root_key list`
   via  884d40ca165 samba-tool: don't error if there are no sub-commands
   via  79342a8411d provision: add a default root key
   via  53bf56c62b1 pytest:dsdb: check that there is a gkdi root key
   via  c6208a3b0ec pytest:gkdi: shift create_root_key into a function
   via  e1ab10b1fc1 pytest:samba-tool: add a flag to print more in runcmd
   via  ae0f38c319c samba-tool user delete: use account type constant
   via  e5efa217467 samba-tool domain: add LDB Result to json encoders
   via  bbd9249a9c2 ldb:pyldb exposes Result type
   via  17dbaf4d330 python:samdb: wrapper for _dsdb_create_gkdi_root_key()
   via  a7c955dc7f9 s4:pydsdb: python bindings for gkdi_new_root_key()
   via  214ac139d86 samba-tool domain kds root_key
   via  327f5dc4e58 samba-tool domain kds: add root key sub-command
   via  fbd9740272e samba-tool domain: add kds sub-branch
   via  d46daab2aed s4:dsdb: Add functions for GKDI root key creation
   via  e7a96915e82 lib:crypto: Check for overflow in GKDI rollover 
interval calculation
   via  2be2dca44a6 lib:crypto: Correct GKDI interval start time calculation
   via  924eb6bac50 lib:crypto: Add error checking to GKDI key start time 
calculation
   via  02f18a88dad selftest: Ignore msKds-DomainID in ldapcmp_restoredc.sh 
and samba.tests.domain_backup_offline
  from  667265b6851 ctdb-tests: Limit red-black tree test to 5s of random 
inserts

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit d6bfd26049b954ff976a528818e1019c4414f8e6
Author: Douglas Bagnall 
Date:   Fri Feb 16 16:36:06 2024 +1300

pytests: samba-tool domain kds root_key

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Fri Mar  1 01:27:30 UTC 2024 on atb-devel-224

commit d0234391a8a47f6f39f7965c03fbda8f61815251
Author: Douglas Bagnall 
Date:   Wed Feb 28 17:55:54 2024 +1300

samba-tool: add `samba-tool domain kds root_key delete`

For deleting root keys.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 710093dc27922c0e28a8950120821df6f853b3ee
Author: Douglas Bagnall 
Date:   Wed Feb 28 17:55:16 2024 +1300

samba-tool: add `samba-tool domain kds root_key create`

For making new root keys.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit ee1e9f1fb220fb3c2c3cf0c87b92900acb8e8909
Author: Douglas Bagnall 
Date:   Wed Feb 28 17:54:24 2024 +1300

samba-tool: add `samba-tool domain kds root_key view`

This is for looking at one root key. There isn't much to know.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit a92699cda06bf278d91c1351685613ccaa91cd9d
Author: Douglas Bagnall 
Date:   Wed Feb 28 17:34:25 2024 +1300

samba-tool: add `samba-tool domain kds root_key list`

This lists root keys, in descending chronological order according to the
use_start_time attribute. That's because you usually only care about
the newest one.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 884d40ca16549d5a69119a2a2470ae4e45ee816a
Author: Douglas Bagnall 
Date:   Thu Feb 29 16:29:30 2024 +1300

samba-tool: don't error if there are no sub-commands

This is useful when you commit samba-tool tests before you commit the
samba-tool code, and you want the tests to fail rather than error.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 79342a8411d6e1534e03ce43be0506007959c115
Author: Douglas Bagnall 
Date:   Wed Feb 28 15:28:22 2024 +1300

provision: add a default root key

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 53bf56c62b18da1bfd85099454ebc654ab738785
Author: Douglas Bagnall 
Date:   Wed Feb 28 15:32:41 2024 +1300

pytest:dsdb: check that there is a gkdi root key

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit c6208a3b0ec1d8a6c76755d66846d28deb274123
Author: Douglas Bagnall 
Date:   Thu Feb 22 16:17:37 2024 +1300

pytest:gkdi: shift create_root_key into a function

This is so the samba-tool domain kds root_key tests can use it as a
function.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit e1ab10b1fc19ac35ea1dcaf0161d59d394fc363c
Author: Douglas Bagnall 
Date:   Fri Feb 23 16:24:11 2024 +1300

pytest:samba-tool

[SCM] Samba Shared Repository - branch master updated

2024-02-28 Thread Andrew Bartlett
The branch, master has been updated
   via  0c1ac197768 samba-tool user getpassword: Clarify success wording
   via  00daa520ce8 python/nt_time: have a go at using 1_000_000 number 
separators.
   via  d3d87aee2a7 python:nt_time: add a nt_now() function
   via  33a8ae1748a python:nt_time: add string_from_nt_time
   via  60022ed55f7 py:nt_time: add nt_time_from_string()
   via  bfba074d2f4 pyldb: try to turn ldb_string_to_time() errors into 
exceptions
   via  8892b0cc926 ldb: ldb_string_to_time reports more errors
   via  9beb57892db s4:pydsdb: add not-implemented raising functions to 
when appropriate
   via  ed344bb22f4 pyldb: catch some talloc failures
   via  c68b390e66f pyldb: free some finished requests
   via  a4c4e3c95f9 pyldb: free things more often on error
   via  994fa07 pyldb: add a macro to free when raising exceptions
   via  8cf9d4cae1e pytest:audit_log_base: use string_is_guid()
   via  6d087d1d29e pytest:auth_log_base: use string_is_guid()
  from  0fe263a56d0 pylibs: add string_is_guid() helper.

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 0c1ac19776835034df8f54a78c2022375cff921e
Author: Andrew Bartlett 
Date:   Thu Feb 29 14:57:40 2024 +1300

samba-tool user getpassword: Clarify success wording

It may be the case that there was no password, or read access to the
password was not permitted.  The structure of the code and the pattern
in LDIF that missing information is simply returned as missing
attributes makes it hard to detect and communicate a clear
error here, particularly as an error may not be wanted if
(say) pwdLastSet is queried on a gMSA that we can not read.

So we just make the string to indicate, as I think it was meant,
that the tool ran to completion.

Signed-off-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Thu Feb 29 05:07:45 UTC 2024 on atb-devel-224

commit 00daa520ce80deb76e08684b3f9b3f22202bcd2c
Author: Douglas Bagnall 
Date:   Fri Feb 23 16:23:03 2024 +1300

python/nt_time: have a go at using 1_000_000 number separators.

I noticed these are available in Python 3.6+, which is what we support,
and they're arguably nicer than using exponentiation.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit d3d87aee2a782691f7bf5b8247f07068fc2fb381
Author: Douglas Bagnall 
Date:   Wed Feb 28 16:52:12 2024 +1300

python:nt_time: add a nt_now() function

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 33a8ae1748ae02435b0097366085ddaabb503dc8
Author: Douglas Bagnall 
Date:   Wed Feb 28 16:51:41 2024 +1300

python:nt_time: add string_from_nt_time

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 60022ed55f7a213440b70c6d4b4796a4a7b0fa9f
Author: Douglas Bagnall 
Date:   Wed Feb 14 14:31:35 2024 +1300

py:nt_time: add nt_time_from_string()

This is for samba-tool, which could do with a common understanding of
time strings across various sub-tools.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit bfba074d2f41e70ce743ce7e216c498ab5bd977a
Author: Douglas Bagnall 
Date:   Wed Feb 14 14:22:53 2024 +1300

pyldb: try to turn ldb_string_to_time() errors into exceptions

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 8892b0cc92650c20f908f1076677ab4c2b6cc418
Author: Douglas Bagnall 
Date:   Wed Feb 14 14:20:28 2024 +1300

ldb: ldb_string_to_time reports more errors

The underlying function should return -1 and set errno when given invalid
strings, but we were not looking and have decided on 0 for error.

It would be a pain to change this function to return -1. Apart from the
API fuss, it is sometimes used unchecked to set an unsigned number and
an unchecked 0 is better than UINT*_MAX in those contexts.

It is probably not easy to get a -1 from a timegm() -- most
implementations will happily convert overflows for you, so e.g. the
15th month would be March of the next year. But EOVERFLOW is mentioned
in the manpages.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 9beb57892db1e4056a038519961cc657cf7a744f
Author: Douglas Bagnall 
Date:   Wed Feb 21 23:13:51 2024 +1300

s4:pydsdb: add not-implemented raising functions to when appropriate

It will be less confusing, I hope.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit ed344bb22f449b977e2ffc30e486446615163110
Author: Douglas Bagnall 
Date:   Wed Feb 28 16:30:29 2024 +1300

pyldb: catch some talloc failures

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit

[SCM] Samba Shared Repository - branch master updated

2024-02-28 Thread Andrew Bartlett
The branch, master has been updated
   via  0fe263a56d0 pylibs: add string_is_guid() helper.
   via  7b089e1206a samba-tool: with --json, error messages are in JSON
   via  1f128fee27c samba-tool: instances remember whether --json was 
requested
   via  542ba5cbd5e samba-tool: add self.print_json_status() helper
   via  742fc4d841c samba-tool: avoid mutable Command class values
   via  29abab6a460 samba-tool domain level: avoid using assert
   via  8650ba0a187 samba-tool domain claim: use secrets module for token
   via  2908a6d67bc samba-tool user getpassword: Also return the time a 
GMSA password is valid until
   via  71f7c4a3c59 samba-tool: Allow ;format=UnixTime etc to operate on 
virtual attributes
   via  dfe71c4235a python/samba/tests: Include more detail on invocation 
in test of "samba-tool user show"
   via  380c80b4d60 samba-tool user getpassword: Do not show preview of 
gMSA password
   via  801e3fd6dd1 s3:libads: Trace ldap search base/filter/scope
  from  2b515b7dcc6 s4-kdc: Add "Fresh Public Key Identity" SID if PKINIT 
freshness used

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 0fe263a56d049b62be71ced9d8a78bc0a749c195
Author: Douglas Bagnall 
Date:   Thu Feb 15 21:20:24 2024 +

pylibs: add string_is_guid() helper.

In various places we use regular expressions to check for GUID-ness,
though typically we don't match GUIDs with uppercase hex digits when
we really should.

If we centralise the check, we have more chance of getting it right.

Pair-programmed-by: Andrew Bartlett 
Signed-off-by: Douglas Bagnall 
Signed-off-by: Andrew Bartlett 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Thu Feb 29 02:38:07 UTC 2024 on atb-devel-224

commit 7b089e1206a8a8256ad108f5f0e03d3b33f8bf9f
Author: Douglas Bagnall 
Date:   Wed Feb 28 16:14:24 2024 +1300

samba-tool: with --json, error messages are in JSON

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 1f128fee27c50aa305de3434443c4a52c408f9c6
Author: Douglas Bagnall 
Date:   Wed Feb 28 16:13:15 2024 +1300

samba-tool: instances remember whether --json was requested

All our subcommands are going to learn --json eventually, and they
shouldn't all have to do this individually.

The next commit uses this to automatically format CommandErrors as JSON.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 542ba5cbd5e9a562cd81b5b2385b56d03555a87f
Author: Douglas Bagnall 
Date:   Fri Feb 16 00:59:25 2024 +

samba-tool: add self.print_json_status() helper

This is a helper to return JSON for simple messages.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 742fc4d841c1b02cc733760e7841ca13a95f3ebc
Author: Douglas Bagnall 
Date:   Fri Feb 23 16:19:02 2024 +1300

samba-tool: avoid mutable Command class values

These values are shared across all instances of the class,
which makes no difference in samba-tool itself, because there
is one instance per process. But in tests we can have many
Command classes at once (due to runcmd()), and if any of them
happened to append to takes_args or takes_options rather than
replacing it, well, the effect would be subtle.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 29abab6a460aa61699c4a1811c148552874c1236
Author: Douglas Bagnall 
Date:   Wed Feb 14 05:09:30 2024 +

samba-tool domain level: avoid using assert

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 8650ba0a187d4c0a05fd4596570b940431338a27
Author: Douglas Bagnall 
Date:   Fri Feb 2 14:23:38 2024 +1300

samba-tool domain claim: use secrets module for token

`binascii.hexlify(os.urandom(8)).decode()` was fine, but `os.urandom`
is OS specific and can theoretically block (says the documentation).

We will let Python's secrets module worry about such details.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 2908a6d67bca58c9de6991cbe312276408a34b7a
Author: Andrew Bartlett 
Date:   Fri Feb 9 11:44:33 2024 +1300

samba-tool user getpassword: Also return the time a GMSA password is valid 
until

Signed-off-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

commit 71f7c4a3c59d170f3cf48c5230d3edf4d51d500c
Author: Andrew Bartlett 
Date:   Wed Feb 28 17:27:31 2024 +1300

samba-tool: Allow ;format=UnixTime etc to operate on virtual attributes

To convert a virtual attribute we must understand that it has
been put into "obj" under the name including the ;format= part
and so we must look it back up with that name when looking to
convert it fr

[SCM] Samba Shared Repository - branch master updated

2024-02-27 Thread Andrew Bartlett
The branch, master has been updated
   via  2b515b7dcc6 s4-kdc: Add "Fresh Public Key Identity" SID if PKINIT 
freshness used
   via  009a4706d23 python/samba/tests/krb5: Expect 
SID_FRESH_PUBLIC_KEY_IDENTITY (only) when PKINIT freshness used
   via  724f403d886 libcli/security: Add SID_FRESH_PUBLIC_KEY_IDENTITY
   via  ea41dccb99b third_party/heimdal: import 
lorikeet-heimdal-202402270140 (commit e78a9d974c680d775650fb51f617ca7bf9d6727d)
  from  f1a83798f01 third_party/heimdal: Import 
lorikeet-heimdal-202402132018 (commit 66d4c120376f60ce0d02f4c23956df8e4d6007f2)

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 2b515b7dcc655f6be4365cc8adffee999b4354bf
Author: Andrew Bartlett 
Date:   Tue Feb 27 11:23:03 2024 +1300

s4-kdc: Add "Fresh Public Key Identity" SID if PKINIT freshness used

Signed-off-by: Andrew Bartlett 
Reviewed-by: Jo Sutton 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Wed Feb 28 04:45:48 UTC 2024 on atb-devel-224

commit 009a4706d238b7d6107c6adc684a37cd7a3bed0c
Author: Andrew Bartlett 
Date:   Tue Feb 27 11:55:33 2024 +1300

python/samba/tests/krb5: Expect SID_FRESH_PUBLIC_KEY_IDENTITY (only) when 
PKINIT freshness used

Signed-off-by: Andrew Bartlett 
Reviewed-by: Jo Sutton 

commit 724f403d8863bf3f29bff35bff0f274183621bb3
Author: Andrew Bartlett 
Date:   Tue Feb 27 11:09:38 2024 +1300

libcli/security: Add SID_FRESH_PUBLIC_KEY_IDENTITY

This allows an ACL level check (rather than only an all-or-nothing KDC 
configuration)
that PKINIT freshness was used during the AS-REQ.

Signed-off-by: Andrew Bartlett 
Reviewed-by: Jo Sutton 

commit ea41dccb99b6448c93c43b8de8d2bcca698f1a7c
Author: Andrew Bartlett 
Date:   Tue Feb 27 14:55:27 2024 +1300

third_party/heimdal: import lorikeet-heimdal-202402270140 (commit 
e78a9d974c680d775650fb51f617ca7bf9d6727d)

Signed-off-by: Andrew Bartlett 
Reviewed-by: Jo Sutton 

---

Summary of changes:
 libcli/security/dom_sid.h  |  1 +
 libcli/security/util_sid.c |  4 
 librpc/idl/security.idl|  8 
 python/samba/tests/krb5/pkinit_tests.py| 14 +-
 source4/kdc/pac-glue.c | 10 ++
 source4/kdc/pac-glue.h |  1 +
 source4/kdc/wdc-samba4.c   | 10 ++
 third_party/heimdal/kdc/kdc-accessors.h|  7 +++
 third_party/heimdal/kdc/kdc_locl.h |  1 +
 third_party/heimdal/kdc/libkdc-exports.def |  1 +
 third_party/heimdal/kdc/pkinit.c   |  2 ++
 third_party/heimdal/kdc/version-script.map |  1 +
 third_party/heimdal/lib/asn1/asn1_err.et   |  2 +-
 third_party/heimdal/lib/asn1/asn1_print.c  |  2 +-
 third_party/heimdal/lib/base/heimbase.c|  2 +-
 third_party/heimdal/lib/gssapi/spnego/accept_sec_context.c |  2 +-
 third_party/heimdal/lib/hx509/cert.c   |  2 +-
 third_party/heimdal/lib/hx509/hx509_err.et |  4 ++--
 third_party/heimdal/lib/krb5/crypto.c  |  8 
 third_party/heimdal/lib/sqlite/sqlite3.c   |  2 +-
 third_party/heimdal/po/heim_com_err569856/de.po|  2 +-
 .../heimdal/po/heim_com_err569856/heim_com_err569856.pot   |  2 +-
 third_party/heimdal/po/heimdal_krb5/de.po  |  3 +--
 third_party/heimdal/po/heimdal_krb5/heimdal_krb5.pot   |  2 +-
 third_party/heimdal/po/heimdal_krb5/sv_SE.po   |  2 +-
 25 files changed, 76 insertions(+), 19 deletions(-)


Changeset truncated at 500 lines:

diff --git a/libcli/security/dom_sid.h b/libcli/security/dom_sid.h
index 343001e87ee..5e1c5d90958 100644
--- a/libcli/security/dom_sid.h
+++ b/libcli/security/dom_sid.h
@@ -43,6 +43,7 @@ extern const struct dom_sid global_sid_Network;
 extern const struct dom_sid global_sid_Asserted_Identity;
 extern const struct dom_sid global_sid_Asserted_Identity_Service;
 extern const struct dom_sid 
global_sid_Asserted_Identity_Authentication_Authority;
+extern const struct dom_sid global_sid_Fresh_Public_Key_Identity;
 extern const struct dom_sid global_sid_Creator_Owner;
 extern const struct dom_sid global_sid_Creator_Group;
 extern const struct dom_sid global_sid_Owner_Rights;
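Review bot: the added extern for global_sid_Fresh_Public_Key_Identity carries no comment, and the name alone does not say when the SID is expected to be present. The commit message describes it as the basis for an ACL-level check that PKINIT freshness was used during the AS-REQ; a one-line comment above the declaration saying that would help anyone writing such a check from the header alone. The neighbouring declarations are uncommented too, so this is a documentation suggestion rather than a blocker.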
diff --git a/libcli/security/util_sid.c b/libcli/security/util_sid.c
index 54a2fc35fda..0942b2fe259 100644
--- a/libcli/security/util_sid.c
+++ b/libcli/security/util_sid.c
@@ -83,6 +83,10 @@ const struct dom_sid 
global_sid_Asserted_Identity_Authentication_Authority = /*
 

[SCM] Samba Shared Repository - branch master updated

2024-02-26 Thread Andrew Bartlett
The branch, master has been updated
   via  f1a83798f01 third_party/heimdal: Import 
lorikeet-heimdal-202402132018 (commit 66d4c120376f60ce0d02f4c23956df8e4d6007f2)
   via  beaeeaff501 s4:rpc_server: Make some arrays static
   via  3b85345c4c5 lib:util: Fix printing hex‐escaped characters
   via  7e855f8d89c lib:util: Correctly determine whether a character needs 
to be escaped
   via  18208dbef72 s4:rpc_server: Remove trailing whitespace
   via  4b0f3f3d100 python: Fail the test if we don’t receive an 
NTSTATUSError
   via  3e342e2d37a tests/krb5: Move assertLocalSamDB() into RawKerberosTest
   via  df475fbc2f8 tests/krb5: type hinting
   via  69c3044a726 python/tests: Use TestCaseInTempDir rather than 
"private dir" for exported keytab
   via  a1d7af24853 python/tests: Convert dckeytab test to use new NDR 
keytab parser
   via  2e230f728ec python/tests: Add test for new krb5 keytab parser
   via  e6ef2fc2240 librpc/idl: Check protocol version number in Kerberos 
ccache parser
   via  ecaaff57e45 librpc/idl: Add a parser for a FILE: format keytab
   via  9a5cc120421 python/samba/samdb: Only do caching of well known DNs 
in dbcheck
  from  5a0fce58650 source4/torture: Add SEC_STD_DELETE to enable proper 
cleanup

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit f1a83798f0102f7d35295a6c0d4db0580a791579
Author: Jo Sutton 
Date:   Wed Feb 14 09:37:13 2024 +1300

third_party/heimdal: Import lorikeet-heimdal-202402132018 (commit 
66d4c120376f60ce0d02f4c23956df8e4d6007f2)

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Tue Feb 27 02:19:31 UTC 2024 on atb-devel-224

commit beaeeaff501b22fdfb3928d788597398fcbbbe29
Author: Jo Sutton 
Date:   Tue Feb 20 16:46:07 2024 +1300

s4:rpc_server: Make some arrays static

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit 3b85345c4c5bc7fa7196c8802a6be60e0e4a043f
Author: Jo Sutton 
Date:   Tue Feb 20 16:35:43 2024 +1300

lib:util: Fix printing hex‐escaped characters

A signed char, passed to snprintf(), will be promoted to an ‘int’, and
then interpreted (according to the format string) as an ‘unsigned int’.
Any negative values passed in will thus be interpreted as large unsigned
values, too large to be represented in the two characters allocated for
them. In practice, they will always be represented as ‘\xFF’.

Cast these characters to ‘unsigned char’, and use the appropriate length
modifier for that type.

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit 7e855f8d89cb0b3491d31c93da608417c38c6b00
Author: Jo Sutton 
Date:   Tue Feb 20 16:30:15 2024 +1300

lib:util: Correctly determine whether a character needs to be escaped

The condition ‘c > 0x1F’ is clearly meant to test whether a character is
a control code or not. While it works for ASCII characters, when ‘char’
is signed it fails for codepoints above 0x7f, which get represented as
negative values. Make this calculation work as it was (presumably)
intended by casting to ‘unsigned char’.

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit 18208dbef721babf21533e5058f388d3b98d372e
Author: Jo Sutton 
Date:   Tue Feb 20 14:43:33 2024 +1300

s4:rpc_server: Remove trailing whitespace

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit 4b0f3f3d100dcdf5a5bf9947a2baa574af76ad30
Author: Jo Sutton 
Date:   Tue Feb 20 12:27:36 2024 +1300

python: Fail the test if we don’t receive an NTSTATUSError

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit 3e342e2d37aed612cab59f5433870f5208a6
Author: Jo Sutton 
Date:   Thu Feb 15 13:45:10 2024 +1300

tests/krb5: Move assertLocalSamDB() into RawKerberosTest

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit df475fbc2f8e19e37674ece59cdb8daa0aece072
Author: Jo Sutton 
Date:   Fri Dec 8 14:05:45 2023 +1300

tests/krb5: type hinting

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit 69c3044a7265c83d053b2690de772eb4ff9d86ca
Author: Andrew Bartlett 
Date:   Wed Feb 21 14:29:44 2024 +1300

python/tests: Use TestCaseInTempDir rather than "private dir" for exported 
keytab
    
Signed-off-by: Andrew Bartlett 
Reviewed-by: Jo Sutton 

commit a1d7af2485365b188f1364d6a8388c9cc30e8107
Author: Andrew Bartlett 
Date:   Wed Feb 21 14:14:24 2024 +1300

python/tests: Convert dckeytab test to use new NDR keytab parser

This is much nicer than reading strings out of the binary file.
    
Signed-off-by: Andrew Bartlett 
Reviewed-by: Jo Sutton 

commit 2e230f728ec8026997183ad50ff6371961c9a9ea
Author: Andrew Bartlett 
Date:   Wed Feb 21 10:22:12 2024 
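
The two lib:util commits in this message (3b85345c4c5 and 7e855f8d89c) describe how a signed char breaks both the control-code test and the hex formatting. The C below is an added illustration, not Samba's code: the function names and the sample bytes are constructed, and `signed char` is used explicitly so the result does not depend on whether the platform's plain `char` is signed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ESC_LEN 5 /* '\\', 'x', two hex digits, NUL */

/* Constructed sample: "caf", the byte 0xE9 (-23 as a signed char) and the
 * control code 0x07. */
static const signed char SAMPLE[] = { 'c', 'a', 'f', -23, 0x07 };

/* 'Before' test: bytes 0x80..0xFF are negative as signed char, so they
 * fail "c > 0x1F" and are classed as control codes. */
static bool is_plain_signed(signed char c)
{
	return c > 0x1F;
}

/* 'After' test: compare the byte value instead of the signed value. */
static bool is_plain_byte(signed char c)
{
	return (unsigned char)c > 0x1F;
}

/* 'Before' formatting. The casts spell out what the default argument
 * promotions do to a signed char handed to "%X": it becomes an int and is
 * then read as an unsigned int. snprintf() truncates the result to the two
 * hex digits the buffer has room for. */
static void hex_escape_promoted(signed char c, char *out)
{
	snprintf(out, ESC_LEN, "\\x%02X", (unsigned int)(int)c);
}

/* 'After' formatting: cast to unsigned char and use the hh length modifier. */
static void hex_escape_byte(signed char c, char *out)
{
	snprintf(out, ESC_LEN, "\\x%02hhX", (unsigned char)c);
}

/* Escape len bytes of in into out as a NUL-terminated string, using either
 * the 'before' (fixed == false) or 'after' (fixed == true) pair of helpers.
 * Returns the output length, or -1 if out is too small. */
static int escape_bytes(const signed char *in, size_t len, bool fixed,
			char *out, size_t outsz)
{
	size_t i, n = 0;

	if (outsz == 0) {
		return -1;
	}
	for (i = 0; i < len; i++) {
		bool plain = fixed ? is_plain_byte(in[i])
				   : is_plain_signed(in[i]);
		size_t need = plain ? 1 : ESC_LEN - 1;

		if (n + need + 1 > outsz) {
			return -1;
		}
		if (plain) {
			out[n] = (char)in[i];
		} else if (fixed) {
			hex_escape_byte(in[i], out + n);
		} else {
			hex_escape_promoted(in[i], out + n);
		}
		n += need;
	}
	out[n] = '\0';
	return (int)n;
}

int main(void)
{
	char buf[32];
	char esc[ESC_LEN];

	escape_bytes(SAMPLE, sizeof(SAMPLE), false, buf, sizeof(buf));
	printf("before: %s\n", buf);

	escape_bytes(SAMPLE, sizeof(SAMPLE), true, buf, sizeof(buf));
	printf("after:  %s\n", buf);

	/* The formatting fix on its own, applied to the same high byte. */
	hex_escape_byte(-23, esc);
	printf("0xE9 formatted as a byte: %s\n", esc);
	return 0;
}
```

With the 'before' helpers every byte from 0x80 to 0xFF is escaped and prints as the same `\xFF`, so the escaped output no longer records which byte was present.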

[SCM] Samba Shared Repository - branch master updated

2024-02-15 Thread Andrew Bartlett
 instead of 
string
   via  9ca05ec28ce netcmd: delegation: don't use assert but raise 
CommandError
   via  6d7ad278659 netcmd: delegation: initial value not required because 
of raise below
   via  ec6fb98b4a4 netcmd: delegation: move line down where it gets used
   via  1608dde944f netcmd: delegation: pep8 fix blank lines
   via  68092f85fa4 netcmd: bugfix: json encoder failed to call super method
   via  ea63b058fc4 netcmd: json encoder supports security descriptor 
objects
   via  de8b61cbbe3 netcmd: support hyphens in top-level commands and 
convert to underscore
   via  2a95f83c5c3 libds: remove unreachable break statements after return
  from  7a674ee9ffe docs-xml: document "smb3 share cap:{CONTINUOUS 
AVAILABILITY,SCALE OUT,CLUSTER,ASYMMETRIC}"

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 4698cf0f335f96cd902f234a09dc48102e33952a
Author: Jo Sutton 
Date:   Tue Feb 13 16:53:57 2024 +1300

s4:dsdb: Fix grammar

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Fri Feb 16 03:47:12 UTC 2024 on atb-devel-224

commit a8387195707baa9c2a11437755eb85ff040dee0f
Author: Jo Sutton 
Date:   Wed Feb 14 08:17:03 2024 +1300

libcli/security: Make ‘session_info’ parameter const

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit 8c970eaa2ed5bae4501df6ebfc3af67a946a0c76
Author: Jo Sutton 
Date:   Mon Feb 12 16:48:36 2024 +1300

s4:ldap_server: Remove trailing whitespace

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit 1e13e37e219bcf5804662143fcf85332c6954ac8
Author: Jo Sutton 
Date:   Thu Jan 18 14:28:04 2024 +1300

libcli/security: Include missing headers

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit b0b9e03c99098c46580b151064f673c6c47e1b4e
Author: Jo Sutton 
Date:   Tue Feb 13 14:13:46 2024 +1300

s4:dsdb: Let requests with the AS_SYSTEM control reset an account’s password

dsdb_have_system_access() takes into account the AS_SYSTEM control as
well as the result of dsdb_module_am_system().

This change means that we can reset the password of an account without
being SYSTEM by means of the AS_SYSTEM control. This is essential for
ldapsrv_SearchRequest() to be able to process the automatic password
changes of Group Managed Service Accounts.

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit eece2e8a9c6c5bf32c2824ed5853b88d1e3f679b
Author: Jo Sutton 
Date:   Tue Feb 13 14:12:30 2024 +1300

s4:dsdb: Make use of dsdb_have_system_access()

There should not be any change in behaviour.

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit 1ad9b93dbf6dd2b899bcb11c20c841735aede12f
Author: Jo Sutton 
Date:   Tue Feb 13 14:09:23 2024 +1300

s4:dsdb: Add function to determine whether we have system access

This takes into account the dsdb session info, as well as the presence
or absence of an AS_SYSTEM control.

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit e0e2126face6d0a46dff348a8c690eb943dc2930
Author: Jo Sutton 
Date:   Thu Feb 15 16:48:29 2024 +1300

s4:dsdb: Add include guard to dsdb/samdb/ldb_modules/util.h

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit 91fdd4316458d1dd9c696aff8d36737e5095b10f
Author: Jo Sutton 
Date:   Thu Feb 15 16:48:06 2024 +1300

s4:dsdb: Remove redundant include

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit 324d0fbc06d358756e69696b8d8cf389e91e0054
Author: Jo Sutton 
Date:   Tue Feb 13 14:06:38 2024 +1300

s4:dsdb: Add function to create a GMSA password update request

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit d55c281c538dac7361614fc8c56466d1fbf89805
Author: Jo Sutton 
Date:   Tue Feb 13 13:50:40 2024 +1300

s4:dsdb: Remove unused includes

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit e1d27ba5455cdd7a69e16112ed05c75ba5c1f003
Author: Jo Sutton 
Date:   Tue Feb 13 13:45:10 2024 +1300

s4:dsdb: Add to ‘user_attrs’ attributes required for Group Managed Service 
Accounts

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit 0d3d2c433a0ecb8fefe57fef2e60121f684ed6a7
Author: Jo Sutton 
Date:   Tue Feb 13 13:43:59 2024 +1300

s3:passdb: Reformat long line

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit 676601340c5ff8895845b089289dcbb2e9f60d91
Author: Jo Sutton 
Date:   Tue Feb 13 13:40:48 2024 +1300

s3:passdb: Reformat array of strings

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit 2135e91b406104944b0f27edb892450acaae9968
Author: Jo Sutton 
Date:   Tue Feb 13 13:40:29 2024 +1300

s3:passdb: Make array 

[SCM] Samba Shared Repository - branch master updated

2024-02-07 Thread Andrew Bartlett
The branch, master has been updated
   via  0e17b9cb19a selftest: Fix code spelling
   via  b415d736f06 s4:dsdb: Fix code formatting
   via  cf978d3e9fe s4:dsdb: Avoid buffer overflow in samdb_result_hashes()
   via  3c01d9a6ea6 s4:dsdb: Mark hash returned by samdb_result_hash() as 
secret
   via  3a7f4da6c47 s4:dsdb: Correct reference to source file
   via  7145993929a s4:dsdb: Remove trailing whitespace
   via  8c9344ea02d s4:dsdb: Correct NDR push error message
   via  2113f1c3178 s4:dsdb: Fix code spelling
   via  3b54546de66 s4:dsdb: Remove trailing whitespace
   via  75d9f5332d6 s4:auth: Fix code spelling
   via  76b9c9a8a66 s4:libcli: Remove unnecessary uses of discard_const_p()
   via  e8497f13430 s4:dsdb: Remove duplicate userAccountControl array entry
   via  def0cd0fd4e s3:smbd: Fix code spelling
   via  14da75c4e12 librpc:idl: Fix code spelling
   via  19870248c06 librpc:idl: Remove trailing whitespace
   via  437e3dd1e6a libcli/security: Make ‘replace_sid’ parameter const
   via  0b287f2e4e9 lib:util: Remove trailing whitespace
   via  160727acde8 ldb: Fix code spelling
   via  0c1f421c107 ndr: ignore trailing bytes in ndr_pull_security_ace()
   via  a72c198921f ndr: ndr_push_security_ace: calculate coda size once
   via  ecb5da3e492 ndr: avoid object ACE push overhead for non-object ACE
   via  fce4d51eb49 ndr: avoid object ACE pull overhead for non-object ACE
   via  2a60ec98409 ndr: do not push ACE->coda.ignored blob
   via  4face258dee ndr: mark invalid pull ndr_flags as unlikely
   via  c2673b02a7a ndr: skip talloc when pulling empty DATA_BLOB
   via  ee1b8ae04b1 ndr: ACE push avoids no-op coda pushes
   via  dc08e7924c2 ndr: make security_ace push manual
   via  ac0c8ee01ea ndr: short-circuit ace coda if no bytes left
   via  1e6a876c2cc ndr: shift ndr_pull_security_ace to manual code
   via  9811762775b pidl: calculate subcontext_size only once per pull
   via  5fa66376654 perftest: ndr_pack runs in none environment
   via  93e6ea4cff2 perftest:ndr_pack: spin in do_nothing for a while
   via  2f68545087f perftest:ndr_pack: use a valid dummy SID
   via  ceb5389260c perftest:ndr_pack_performance: remove irrelevant 
imports, options
   via  d25fe2447b5 perftest:ndr_pack: slightly reduce python overhead
   via  e802611743a perftest: ndr_pack_performance gets more SD types
   via  d5371f6bcd2 perftest:ndr_pack: rename SD tests with object ACEs
   via  a3641b323b7 netcmd: models: mark some hidden fields on the base 
Model as readonly
   via  dcb3dd59147 netcmd: models: tests: add tests for NtTimeField
   via  37855511f63 netcmd: models: add new NtTimeField model field
   via  4c08b420ddf netcmd: models: model field DateTimeField returns 
datetime in UTC
   via  10ef49b0491 netcmd: models: move enum import to correct place
   via  21667b9b512 netcmd: models: fix build_expression on SIDField 
handles security.dom_sid
   via  cbcc8039d15 netcmd: models: fix build_expression did not work with 
EnumField
   via  9bd7a56364d netcmd: models: fix BooleanField filtering didn't work 
on FALSE value
   via  e11aa29ef85 netcmd: models: move expression code to Field class
   via  d8251cc0ea9 netcmd: models: add AccountType enum to User model
   via  884b24dc6d8 netcmd: models: add AccountType IntFlag field
   via  4595a1dae37 netcmd: models: EnumField now also supports IntFlag
   via  3c8d449ad3d netcmd: models: check for None in build_expression 
instead
   via  c2b63fe85ea netcmd: models: change import style to use brackets
   via  d046f71878e netcmd: models: enums and constants also brought forward
   via  05f90fe1e4b netcmd: models: fix docstring was missing param
   via  d6fe66ddeeb python: Remove ‘typing.Final’
   via  ecc84aa448a python: do not make use of typing.Final for python 3.6
  from  9b2f2302ee4 s3/rpc_client: cleanup unmarshalling of variant types 
from row columns

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 0e17b9cb19ae1c222ce86855bb348b9bef4dab63
Author: Jo Sutton 
Date:   Fri Jan 12 13:28:55 2024 +1300

selftest: Fix code spelling

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Thu Feb  8 03:51:51 UTC 2024 on atb-devel-224

commit b415d736f0688d6f6aab982e12a3dc9c15fa2723
Author: Jo Sutton 
Date:   Fri Jan 12 11:39:11 2024 +1300

s4:dsdb: Fix code formatting

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit cf978d3e9fef1db1b5200de500c81d9de7f87572
Author: Jo Sutton 
Date:   Fri Jan 12 10:43:39 2024 +1300

s4:dsdb: Avoid buffer overflow in samdb_result_hashes()

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

com

[SCM] Samba Shared Repository - branch master updated

2023-12-21 Thread Andrew Bartlett
The branch, master has been updated
   via  5f5a49d78af lib:crypto: Add tests for GKDI key derivation
   via  9f16157f104 lib:crypto: Add implementation of GKDI key derivation
   via  6d280fac869 tests/krb5: Raise an error if root key data is the 
wrong length
   via  4946ab4c17f tests/krb5: Test that root key data is the correct 
length in bytes
   via  8277d7accf7 tests/krb5: Create root key just for implicit root key 
tests
   via  bd3091dfc54 tests/krb5: Check properties of current GKDI key
  from  b4563a24904 fuzz: allow max size conditional ACE round-trip failure

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 5f5a49d78af938304586bb4ee45aabc5f28f54c3
Author: Joseph Sutton 
Date:   Fri Dec 22 11:04:51 2023 +1300

lib:crypto: Add tests for GKDI key derivation

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Fri Dec 22 06:31:29 UTC 2023 on atb-devel-224

commit 9f16157f1049677434aadd25b47e338a66099e86
Author: Joseph Sutton 
Date:   Mon Nov 13 17:08:58 2023 +1300

lib:crypto: Add implementation of GKDI key derivation

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 6d280fac8690eb6985ce477f3f9bb6e5faf3256d
Author: Joseph Sutton 
Date:   Wed Dec 20 16:39:14 2023 +1300

tests/krb5: Raise an error if root key data is the wrong length

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 4946ab4c17f1d4615a98e4c8d1f5e82456aa5cf7
Author: Joseph Sutton 
Date:   Wed Dec 20 16:38:33 2023 +1300

tests/krb5: Test that root key data is the correct length in bytes

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 8277d7accf71cad3b33051d8a4d45d74968f35c3
Author: Joseph Sutton 
Date:   Tue Dec 19 09:38:27 2023 +1300

tests/krb5: Create root key just for implicit root key tests

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit bd3091dfc545cb50734f7c9108be41f5cd4059b6
Author: Joseph Sutton 
Date:   Tue Dec 19 09:37:40 2023 +1300

tests/krb5: Check properties of current GKDI key

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

---

Summary of changes:
 lib/crypto/gkdi.c | 375 ++
 lib/crypto/gkdi.h |  67 +
 lib/crypto/test_gkdi_key_derivation.c | 492 ++
 lib/crypto/wscript|  12 +-
 librpc/idl/gkdi.idl   |   8 +
 python/samba/tests/gkdi.py|  13 +-
 python/samba/tests/krb5/gkdi_tests.py |  75 --
 selftest/knownfail.d/gkdi |   1 +
 selftest/tests.py |   2 +
 9 files changed, 1015 insertions(+), 30 deletions(-)
 create mode 100644 lib/crypto/test_gkdi_key_derivation.c


Changeset truncated at 500 lines:

diff --git a/lib/crypto/gkdi.c b/lib/crypto/gkdi.c
index e049cf96bac..6799dcfd70e 100644
--- a/lib/crypto/gkdi.c
+++ b/lib/crypto/gkdi.c
@@ -18,4 +18,379 @@
along with this program.  If not, see <https://www.gnu.org/licenses/>.
 */
 
+#include "includes.h"
+#include 
+#include 
+
+#include "lib/crypto/gnutls_helpers.h"
+
+#include "lib/util/bytearray.h"
+
+#include "librpc/gen_ndr/ndr_security.h"
+#include "librpc/gen_ndr/gkdi.h"
+#include "librpc/gen_ndr/ndr_gkdi.h"
+
 #include "lib/crypto/gkdi.h"
+
+static const uint8_t kds_service[] = {
+   /* “KDS service” as a NULL‐terminated UTF‐16LE string. */
+   'K', 0, 'D', 0, 'S', 0, ' ', 0, 's', 0, 'e', 0,
+   'r', 0, 'v', 0, 'i', 0, 'c', 0, 'e', 0, 0,   0,
+};
+
+struct GkdiContextShort {
+   uint8_t buf[sizeof((struct GUID_ndr_buf){}.buf) + sizeof(int32_t) +
+   sizeof(int32_t) + sizeof(int32_t)];
+};
+
+static NTSTATUS make_gkdi_context(const struct GkdiDerivationCtx *ctx,
+ struct GkdiContextShort *out_ctx)
+{
+   enum ndr_err_code ndr_err;
+   DATA_BLOB b = {.data = out_ctx->buf, .length = sizeof out_ctx->buf};
+
+   if (ctx->target_security_descriptor.length) {
+   return NT_STATUS_INVALID_PARAMETER;
+   }
+
+   ndr_err = ndr_push_struct_into_fixed_blob(
+   , ctx, (ndr_push_flags_fn_t)ndr_push_GkdiDerivationCtx);
+   if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+   return ndr_map_error2ntstatus(ndr_err);
+   }
+
+   return NT_STATUS_OK;
+}
+
+static NTSTATUS make_gkdi_context_security_descriptor(
+   TALLOC_CTX *mem_ctx,
+   const struct GkdiDerivationCtx *ctx,
+   const DATA_BLOB security_descriptor,
+   DATA_BLOB *out_ctx)
+{
+   enum ndr_err_code ndr_err;
+   struct GkdiDerivationCtx ctx_with_sd = *ctx;
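Review bot: make_gkdi_context() returns NT_STATUS_INVALID_PARAMETER when ctx->target_security_descriptor.length is non-zero, but nothing in the function says why. A one-line comment would help: the fixed-size GkdiContextShort form is only for contexts without a security descriptor, and callers that have one must go through make_gkdi_context_security_descriptor(). The size of GkdiContextShort.buf is also spelled out by hand as a GUID buffer plus three int32_t, so a comment naming the GkdiDerivationCtx fields those terms stand for would make it obvious what has to change if the IDL structure grows. In this archived copy the two bare #include lines and the first argument of ndr_push_struct_into_fixed_blob() have lost their text, so those cannot be checked here.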

[SCM] Samba Shared Repository - branch master updated

2023-12-21 Thread Andrew Bartlett
The branch, master has been updated
   via  b4563a24904 fuzz: allow max size conditional ACE round-trip failure
   via  21853b01e65 libcli/security: sddl conditional ACE: write -0 when 
asked
   via  8f0c91f3a83 libcli/security: rearrange conditional ACE 
sddl_write_int
   via  46f61570714 libcli/security: tests for signed zeros in sddl 
condtional ACEs
   via  8a9f395821d librpc: Do not allow u16string to be encoded in a 
big‐endian context
   via  346844b730b librpc: Change type of ‘u16string’ from ‘const uint16_t 
*’ to ‘const unsigned char *’
   via  65db36ca327 librpc: Add missing spaces to error messages
   via  a38025b3a73 s3/lib: add log_panic_action()
   via  85c4d03e38a s3/lib: factor out call_panic_action() from 
smb_panic_s3()
  from  080a62bba87 tests/krb5: Add Python implementation and tests for 
Group Key Distribution Service

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit b4563a24904e823497552f6e4ef77e8041f2cc5d
Author: Douglas Bagnall 
Date:   Wed Dec 20 14:26:00 2023 +1300

fuzz: allow max size conditional ACE round-trip failure

The encoder, being cautious not to overstep the arbitrary 1 byte
boundary, might not encode an exactly 1 byte condition. This
is an off-by-one, but in the safe direction.

Credit to OSS-Fuzz.

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=65118

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Fri Dec 22 00:51:13 UTC 2023 on atb-devel-224

commit 21853b01e65f8b79bdf478d4fe470dcb1639cc48
Author: Douglas Bagnall 
Date:   Wed Dec 20 13:40:15 2023 +1300

libcli/security: sddl conditional ACE: write -0 when asked

Credit to OSS-Fuzz.

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=65122

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 8f0c91f3a833b24c27e63721ca15838c92a1cea4
Author: Douglas Bagnall 
Date:   Wed Dec 20 13:38:53 2023 +1300

libcli/security: rearrange conditional ACE sddl_write_int

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=65122

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 46f61570714fffe43f5328cd46e1d1848a4d5daa
Author: Douglas Bagnall 
Date:   Wed Dec 20 13:37:29 2023 +1300

libcli/security: tests for signed zeros in sddl condtional ACEs

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=65122

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 8a9f395821d62273e28f32895a4c3116a0606423
Author: Joseph Sutton 
Date:   Fri Dec 22 09:58:53 2023 +1300

librpc: Do not allow u16string to be encoded in a big‐endian context

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 346844b730b06fe5ad53dc93fc0f4d4470794cb5
Author: Joseph Sutton 
Date:   Thu Dec 21 11:51:19 2023 +1300

librpc: Change type of ‘u16string’ from ‘const uint16_t *’ to ‘const 
unsigned char *’

A u16string is supposed to contain UTF‐16 code units, but
ndr_pull_u16string() and ndr_push_u16string() fail to correctly ensure
this on big‐endian systems. Code that relies on the u16string array
containing correct values will then fail.

Fix ndr_pull_u16string() and ndr_push_u16string() to work on big‐endian
systems, ensuring that other code can use these strings without having
to worry about first encoding them to little‐endian.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 65db36ca327d10344566e2fb4330e19050d645ef
Author: Joseph Sutton 
Date:   Fri Dec 22 09:54:55 2023 +1300

librpc: Add missing spaces to error messages

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit a38025b3a73b9fe96c9a99adf4dfa5536806c15f
Author: Ralph Boehme 
Date:   Wed Dec 13 07:57:46 2023 +0100

s3/lib: add log_panic_action()

Can be used to log a nice stack backtrace with full debug symbols by setting
"panic action" to something like

panic action = cd /home/slow/git/samba/master && /home/slow/git/samba/master/selftest/gdb_backtrace %d

This is similar to log_stack_trace(), but that doesn't come with debug symbols.

Signed-off-by: Ralph Boehme 
Reviewed-by: Andrew Bartlett 

commit 85c4d03e38a5c983e7b99ca48c3e262465485a56
Author: Ralph Boehme 
Date:   Fri Dec 15 07:15:22 2023 +0100

s3/lib: factor out call_panic_action() from smb_panic_s3()

No change in behaviour. Best viewed with git show -w.

Signed-off-by: Ralph Boehme 
Reviewed-by: Andrew Bartlett 

---

Summary of changes:
 lib/fuzzing/fuzz_conditional_ace_blob.c   | 11 ++
 lib/util

[SCM] Samba Shared Repository - branch master updated

2023-12-21 Thread Andrew Bartlett
The branch, master has been updated
   via  080a62bba87 tests/krb5: Add Python implementation and tests for 
Group Key Distribution Service
   via  f6bb2d40108 python: Add NT Time utility functions
   via  a5a58918f79 pyglue: Export some GKDI constants
   via  e19d74bb259 pyglue: Export some more HRESULT constants
   via  9ed2544d9fa pyglue: Fix code spelling
   via  6369f2cf1be lib:crypto: Add GKDI module with some constants
   via  44f6bfea5a2 gkdi.idl: Verify magic numbers of pulled GKDI structures
   via  f86d65117ba s4:libcli: Fix conversion from HRESULT and WERROR to 
Python objects
   via  1e67be78554 s4:libcli: Remove trailing whitespace
   via  858f70037bd python:tests: Catch strings passed to 
utf16_encoded_len() with embedded nulls
   via  27231a965e3 selftest: Rename 
‘samba.unittests.test_gnutls_sp800_108’ to something more consistent with 
existing tests
   via  f5ae39548b9 gkdi.idl: Add ‘additional_info’ field to KeyEnvelope 
structure
   via  183fd79c381 gkdi.idl: Comment on domain and forest name fields
   via  4b39a3e7753 s3:utils: Do not pass invalid file descriptor to 
close() (CID 1550131)
   via  dbfb19b7f90 tests/krb5: Remove redundant definitions
   via  0a65dff4737 ldb: Fix code spelling
   via  dfefdcb1e00 buildtools: Use correct variable in error message
   via  e2146e4a755 lib:cmdline: Fix code spelling
   via  edb4c3b3dd2 pyglue: Remove unnecessary uses of discard_const_p()
   via  74ca3134b1b python:tests: Don’t needlessly create single‐element 
tuple
   via  b7df67d0ae3 lib:util: Use portable integer constants
   via  507ff192630 s3:param: Remove unnecessary use of discard_const_p()
   via  10553111f0e python:tests: Rename parameter to be consistent with 
overridden method
   via  6256ad74426 python:tests: Raise exception of more specific type 
NotImplementedError
   via  3b150354534 python:tests: Use ‘False’ in boolean expression rather 
than ‘None’
   via  93379df9778 librpc:ndr: Don’t unnecessarily parenthesize macro 
arguments
   via  a334ad85b82 lib:util: Remove redundant casts in PUSH_*() macros
   via  7d88280baaa lib:util: Don’t unnecessarily parenthesize macro 
arguments
   via  0a62d38b639 lib:util: Cast macro parameter ‘val’ to expected type
   via  52c29ebc803 lib:util: Parenthesize macro parameters
   via  dac9cd00858 s4:auth: Clarify comment about requiring FAST armor
   via  58c6e46adac s3:lib: Define TIME_FIXUP_CONSTANT_INT using INT64_C() 
macro
   via  26e704d1fa0 lib:util: Define TIME_FIXUP_CONSTANT_INT using 
INT64_C() macro
  from  828f3c99122 s3:ctdbd_conn: fix ctdbd_public_ip_foreach() for ipv6 
addresses

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 080a62bba875c2a5df7c04703d095142200dad0e
Author: Joseph Sutton 
Date:   Fri Dec 8 16:38:21 2023 +1300

tests/krb5: Add Python implementation and tests for Group Key Distribution 
Service

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Thu Dec 21 21:19:30 UTC 2023 on atb-devel-224

commit f6bb2d40108417d8c163f07f8519ff9ed16dd078
Author: Joseph Sutton 
Date:   Mon Dec 18 19:11:37 2023 +1300

python: Add NT Time utility functions

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit a5a58918f790dd368470b1a22f718216425bb7d1
Author: Joseph Sutton 
Date:   Tue Dec 12 18:31:34 2023 +1300

pyglue: Export some GKDI constants

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit e19d74bb259c2f9436425587d86cbfcd45a0b144
Author: Joseph Sutton 
Date:   Tue Dec 12 18:31:19 2023 +1300

pyglue: Export some more HRESULT constants

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 9ed2544d9fa658847aef7edf781624dd9cb4f650
Author: Joseph Sutton 
Date:   Tue Dec 12 19:27:17 2023 +1300

pyglue: Fix code spelling

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 6369f2cf1bec699296ca2c47b1f9a6a0d60878d0
Author: Joseph Sutton 
Date:   Mon Nov 13 17:08:58 2023 +1300

lib:crypto: Add GKDI module with some constants

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 44f6bfea5a27303d8ffa2f454eb3d991ab5392c4
Author: Joseph Sutton 
Date:   Tue Dec 12 18:27:46 2023 +1300

gkdi.idl: Verify magic numbers of pulled GKDI structures

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit f86d65117ba0c964c64fb58b5a6845561156819c
Author: Joseph Sutton 
Date:   Fri Dec 8 15:58:32 2023 +1300

s4:libcli: Fix conversion from HRESULT and WERROR to Python objects

The inner values of HRESULT and WERROR are 32‐bit unsigned integers,
which might not be representable in type ‘int’. We must then use the ‘k’
format

[SCM] Samba Shared Repository - branch master updated

2023-12-14 Thread Andrew Bartlett
The branch, master has been updated
   via  83e36d97c95 netcmd: add shell command
   via  c8ded4621d3 python: use python3 style super statements
   via  3db3251342a netcmd: getpassword: get rid of pointless overridden 
constructors
   via  ddba4a06bbe python: pep257: docstring should use double quotes
  from  ff52e342887 python: Remove references to removed parameters

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 83e36d97c956c2dba1caef45e0205cb5b1b164f3
Author: Rob van der Linde 
Date:   Thu Nov 2 20:28:34 2023 +1300

netcmd: add shell command

A simple samba-tool shell, can be quite useful to play around with the ldb 
database and models.

All models get imported and the samdb connection variable made available.

Example usage:

bin/samba-tool shell -H  --workgroup  --realm 

>>> silos = AuthenticationSilo.query(ldb)
>>> for silo in silos:
...     print(silo)
...

Signed-off-by: Rob van der Linde 
Reviewed-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Fri Dec 15 03:51:55 UTC 2023 on atb-devel-224

commit c8ded4621d399e3561d6043bee4202ff42d50f1a
Author: Rob van der Linde 
Date:   Thu Dec 14 15:30:42 2023 +1300

python: use python3 style super statements

Signed-off-by: Rob van der Linde 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 3db3251342a9323be3ad3ec36588af7e9268af60
Author: Rob van der Linde 
Date:   Thu Dec 14 15:24:29 2023 +1300

netcmd: getpassword: get rid of pointless overridden constructors

Signed-off-by: Rob van der Linde 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit ddba4a06bbe236dfecf6ee6fee8493e8ca0c2b14
Author: Rob van der Linde 
Date:   Thu Dec 14 15:14:27 2023 +1300

python: pep257: docstring should use double quotes

Signed-off-by: Rob van der Linde 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

---

Summary of changes:
 docs-xml/manpages/samba-tool.8.xml |  18 +++
 python/samba/common.py |   2 +-
 python/samba/dbchecker.py  |  90 +++
 python/samba/dnsserver.py  |  16 +--
 python/samba/drs_utils.py  |  27 ++---
 python/samba/gp/gp_sec_ext.py  |   6 +-
 python/samba/gp/gpclass.py | 122 ++---
 python/samba/gp/util/logging.py|   4 +-
 python/samba/gp_parse/gp_ini.py|  15 +--
 python/samba/idmap.py  |  10 +-
 python/samba/join.py   |  56 +-
 python/samba/kcc/kcc_utils.py  |  54 -
 python/samba/logger.py |   2 +-
 python/samba/netcmd/common.py  |  14 +--
 python/samba/netcmd/domain/backup.py   |  32 +++---
 python/samba/netcmd/drs.py |  12 +-
 python/samba/netcmd/gpcommon.py|   2 +-
 python/samba/netcmd/gpo.py |  25 ++---
 python/samba/netcmd/main.py|   1 +
 python/samba/netcmd/rodc.py|   2 +-
 python/samba/netcmd/shell.py   |  74 +
 python/samba/netcmd/user/readpasswords/common.py   |   2 +-
 .../samba/netcmd/user/readpasswords/getpassword.py |   2 -
 .../netcmd/user/readpasswords/syncpasswords.py |   2 -
 python/samba/ntacls.py |   2 +-
 python/samba/policies.py   |  12 +-
 python/samba/provision/__init__.py |   4 +-
 python/samba/provision/sambadns.py |  26 ++---
 python/samba/samdb.py  |  85 +++---
 python/samba/subunit/run.py|   8 +-
 30 files changed, 404 insertions(+), 323 deletions(-)
 create mode 100644 python/samba/netcmd/shell.py


Changeset truncated at 500 lines:

diff --git a/docs-xml/manpages/samba-tool.8.xml 
b/docs-xml/manpages/samba-tool.8.xml
index c05be31b3d3..6b3a73020e3 100644
--- a/docs-xml/manpages/samba-tool.8.xml
+++ b/docs-xml/manpages/samba-tool.8.xml
@@ -2406,6 +2406,24 @@
Display an objectclass schema definition.
 
 
+
+   shell
+   Opens an interactive Samba Python shell.
+
+
+
+   shell [options]
+   Opens an interactive Python shell for Samba ldb connection.
+   
+   
+   -H, --URL
+   
+   LDB URL for database or target server.
+   
+   
+   
+
+
 
sites
Manage sites.
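Review bot: the new shell entry documents only -H, --URL, while the usage example in the commit message also passes --workgroup and --realm; either list those options here or point the reader at the common options. The two descriptions of the same command also differ ("Opens an interactive Samba Python shell." and "Opens an interactive Python shell for Samba ldb connection."), and the second needs an article: "for a Samba ldb connection".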
d

[SCM] Samba Shared Repository - branch master updated

2023-12-13 Thread Andrew Bartlett
The branch, master has been updated
   via  ff52e342887 python: Remove references to removed parameters
   via  f9d4a40 python: Remove unused parameter ‘backup’
   via  891e1da968a python: Remove unused parameter ‘serverrole’
   via  7750edc14e2 python: Remove unused parameter ‘am_rodc’
   via  10d79ef21f7 python: Remove unused parameter ‘am_rodc’
   via  e67196e13cb python: Remove unused parameters ‘backend_store’ and 
‘backend_store_size’
   via  beefbb277a9 python: Remove unused parameters ‘backend_store’ and 
‘backend_store_size’
   via  7e7f7d63ed6 python: Remove unused parameter ‘fill’
   via  9fbd3435512 python: Remove unused parameter ‘keytab_path’
   via  9cc823454ac python: Remove unused parameter ‘erase’
   via  efaa27c498e python: Remove unused parameter ‘backend_store_size’
   via  b6dc21169c7 python: Remove unused parameter ‘root_gid’
   via  6fdf710ba7e python: Remove unused parameters ‘maxuid’ and ‘maxgid’
   via  8c288c6beb6 python: Remove unused parameters ‘maxuid’ and ‘maxgid’
   via  8331142081a python: Remove unused parameter ‘name’
   via  704ad18bf5b python: Remove unused parameter ‘netlogon’
   via  eb727331a37 python: Remove unused parameter ‘samdb’
   via  d9a665a0e44 python: Remove unused parameter ‘lp’
   via  24e7220 python: Remove unused parameter ‘message’
   via  5132771fb71 python: Remove unused parameter ‘targetdir’
   via  8439dcb4842 python: Remove unused parameter ‘backend_store’
   via  e37dfc29671 python: Remove unused parameter ‘lp’
   via  58814bfd392 python: Remove unused parameter ‘lp’
   via  c692653459b python: Remove unused parameter ‘targetdir’
   via  49801372c61 python: Remove unused parameter ‘targetdir’
   via  a84c5212655 python: Remove unused parameter ‘backend_store’
   via  95e0df789c3 python: Remove unused parameter ‘lp’
   via  7064e39fae8 python: Remove unused parameter ‘logger’
   via  a341aca14cb python: Make use of ‘prefix’ parameter
   via  d8b5cb103b1 python: Remove unused parameter ‘lp’
   via  7e65a368d66 python: Remove unused parameter ‘targetdir’
   via  f9b22c6d5e0 python: Make use of ‘serverdn’ parameter
   via  dddaed61ea6 python: Remove unused variable ‘machinesid’
   via  dd9dfb0e664 python: Remove unfinished join method
   via  25f8e507931 libcli/security: allow SDDL conditional ACE round-trip 
for -00 and -0x0
   via  66f341e5c39 libcli/security: allow round-trip for conditional ACE 
hex integers
   via  d33ed631479 libcli/security: allow round-trip for conditional ACE 
octal integers
   via  bbe217604bd libcli/security: tests for conditional ACE integer base 
persistence
   via  b247a11e62e libcli/security: fix tests for SDDL conditional ACE 
round-trip
   via  db6b06578b6 libcli/security: clarify tests for SDDL round trips
   via  a016ce70684 libcli/security: don't allow conditional ACE SIDs to 
have trailing bytes
   via  e004a5a444f libcli/security: SDDL decode stops earlier with too 
many ACEs
  from  3a01ef710d4 tests: Add a test for the idmap_nss : use_upn setting

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit ff52e342887a9a6054580fec238880646302ecb8
Author: Joseph Sutton 
Date:   Fri Dec 1 15:01:16 2023 +1300

python: Remove references to removed parameters

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Thu Dec 14 04:32:31 UTC 2023 on atb-devel-224

commit f9d4a408a4e5a5f193b5f314af1fa1d3a579
Author: Joseph Sutton 
Date:   Thu Nov 23 21:04:07 2023 +1300

python: Remove unused parameter ‘backup’

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 891e1da968a41c53ae3e2f24c9837930ce4c1007
Author: Joseph Sutton 
Date:   Thu Nov 23 21:03:57 2023 +1300

python: Remove unused parameter ‘serverrole’

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 7750edc14e2a4d38873a5157681b881ae1d8785b
Author: Joseph Sutton 
Date:   Thu Nov 23 21:03:19 2023 +1300

python: Remove unused parameter ‘am_rodc’

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 10d79ef21f708df54098a8fa8051deacc5cd97ae
Author: Joseph Sutton 
Date:   Thu Nov 23 21:02:13 2023 +1300

python: Remove unused parameter ‘am_rodc’

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit e67196e13cb4d470650291f17df05ea1ad877045
Author: Joseph Sutton 
Date:   Thu Nov 23 21:01:19 2023 +1300

python: Remove unused parameters ‘backend_store’ and ‘backend_store_size’

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit beefbb277a95b876e1fa323f9401da531d73ab9b
Author: Joseph Sutton 
Date:   Thu Nov 23 20:59:59 2023 +1300

python: Remove unused

[SCM] Samba Shared Repository - branch master updated

2023-12-10 Thread Andrew Bartlett
The branch, master has been updated
   via  f642aff5544 buildtools: Remove ‘keep_underscore’ parameter
   via  623645963ee buildtools: Remove useless ‘keep_underscore’ parameter
   via  e3ad675303d buildtools: Pass through parameter ‘keep_underscore’
   via  45b7a0c13e2 s4:librpc: Fix code spelling
   via  2e5d75141d7 buildtools: Fix code spelling
   via  cdff2b767ec buildtools: Remove unused parameter ‘env’
  from  f2f7ed419e0 s3:utils: Fix auth callback with smburl

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit f642aff554464b833ec4575464cc481ee9a8d807
Author: Joseph Sutton 
Date:   Mon Nov 13 09:44:26 2023 +1300

buildtools: Remove ‘keep_underscore’ parameter

Nothing now passes this in.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Mon Dec 11 02:13:39 UTC 2023 on atb-devel-224

commit 623645963eef05f6ae3141392a6c828f85679ba6
Author: Joseph Sutton 
Date:   Mon Nov 13 09:39:20 2023 +1300

buildtools: Remove useless ‘keep_underscore’ parameter

SAMBA_LIBRARY()’s ‘keep_underscore’ parameter has an effect only if None
is passed in for ‘bundled_name’. However, SAMBA_PLUGIN() always passes
in a string for ‘bundled_name’. Therefore ‘keep_underscore’ will never
have any effect — remove it.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit e3ad675303d21eded172cb692b9313e5dfbbbcca
Author: Joseph Sutton 
Date:   Sat Oct 21 12:08:23 2023 +1300

buildtools: Pass through parameter ‘keep_underscore’

This parameter has gone unused until now.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 45b7a0c13e292da5898ca67c4814cf80bd7ae6a4
Author: Joseph Sutton 
Date:   Sat Nov 11 10:03:20 2023 +1300

s4:librpc: Fix code spelling

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 2e5d75141d79d1be5495fc423131eeafb9fb6175
Author: Joseph Sutton 
Date:   Sat Oct 21 15:14:04 2023 +1300

buildtools: Fix code spelling

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit cdff2b767ec243bc4c29e4637fc20e7812621bb3
Author: Joseph Sutton 
Date:   Sat Oct 21 14:13:27 2023 +1300

buildtools: Remove unused parameter ‘env’

This parameter goes unused, and nothing passes it in.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

---

Summary of changes:
 buildtools/wafsamba/wafsamba.py | 15 +--
 nsswitch/wscript_build  |  2 --
 source4/librpc/wscript_build|  2 +-
 3 files changed, 6 insertions(+), 13 deletions(-)


Changeset truncated at 500 lines:

diff --git a/buildtools/wafsamba/wafsamba.py b/buildtools/wafsamba/wafsamba.py
index 8c0aa23fe21..858458ae2af 100644
--- a/buildtools/wafsamba/wafsamba.py
+++ b/buildtools/wafsamba/wafsamba.py
@@ -109,7 +109,6 @@ def SAMBA_LIBRARY(bld, libname, source,
   ldflags='',
   external_library=False,
   realname=None,
-  keep_underscore=False,
   autoproto=None,
   autoproto_extra_source='',
   group='main',
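Review bot: dropping keep_underscore from the SAMBA_LIBRARY() signature changes the function's keyword interface, so any wscript that still passes keep_underscore= will either fail or have the value silently ignored, depending on how the rest of the signature treats unknown keywords. The commit message says nothing passes it in now; it would be stronger if it named the callers that were updated (the diffstat shows nsswitch/wscript_build and source4/librpc/wscript_build touched in this push).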
@@ -141,7 +140,7 @@ def SAMBA_LIBRARY(bld, libname, source,
 '''define a Samba library'''
 
 # We support:
-# - LIBRARY: this can be use to link via -llibname
+# - LIBRARY: this can be used to link via -llibname
 # - MODULE:  this is module from SAMBA_MODULE()
 # - PLUGIN:  this is plugin for external consumers to be
 #loaded via dlopen()
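Review bot: style nit on the comment block, since the LIBRARY line is being corrected anyway: "this is module from SAMBA_MODULE()" and "this is plugin for external consumers" are each missing an article ("this is a module", "this is a plugin").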
@@ -298,10 +297,7 @@ def SAMBA_LIBRARY(bld, libname, source,
 if bundled_name is not None:
 pass
 elif target_type == 'PYTHON' or realname or not private_library:
-if keep_underscore:
-bundled_name = libname
-else:
-bundled_name = libname.replace('_', '-')
+bundled_name = libname.replace('_', '-')
 else:
 assert (private_library is True and realname is None)
 bundled_name = PRIVATE_NAME(bld, libname.replace('_', '-'))
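Review bot: in the elif branch for target_type == 'PYTHON' or realname or not private_library, bundled_name is now always libname.replace('_', '-'), so a library that relied on keep_underscore=True to keep underscores in its bundled name would be renamed. Please confirm in the commit message that no remaining target reaches this branch with an underscore it needs to keep, since a changed library file name breaks anything that links against it or loads it via dlopen().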
@@ -654,7 +650,6 @@ def SAMBA_PLUGIN(bld, pluginname, source,
  vars=None,
  subdir=None,
  realname=None,
- keep_underscore=False,
  autoproto=None,
  autoproto_extra_source='',
  install_path=None,
@@ -1133,7 +1128,7 @@ def INSTALL_WILDCARD(bld, destdir, pattern, 
chmod=MODE_644, flat=False,
   python_fixup=python_fixup, base_name=trim_path)
 Build.BuildContext.INSTALL_WILDCARD = INSTALL_WILDCARD
 
-def INSTALL_DIR(bld, path, chmod=0o755, env=None):
+def INSTALL_DIR(bld, path, chmod=0o755):
 """Install a directory if it doesn't exist, always 

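Review bot: INSTALL_DIR() loses its env parameter here, which is fine if, as the commit message says, nothing passes it. INSTALL_WILDCARD just above is attached to Build.BuildContext and so is callable from any wscript; if INSTALL_DIR is exported the same way, the commit message should say how callers were checked (for example a search for env= on INSTALL_DIR calls).
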
[SCM] Samba Shared Repository - branch master updated

2023-12-10 Thread Andrew Bartlett
The branch, master has been updated
   via  f2f7ed419e0 s3:utils: Fix auth callback with smburl
   via  5b38f3be8cb s3:tests: Add interactive smbget test for password entry
   via  a7622bc7db0 auth:creds: Add 
cli_credentials_get_domain_and_obtained()
   via  1041dae03f0 auth:creds: Fix 
cli_credentials_get_password_and_obtained() with callback
   via  ab4b25964a4 auth:creds:tests: Add test for password callback
   via  c46769f3f10 s3:tests: Fix smbget test
   via  1a04fd255c2 s3:tests: Remove the non-working 
test_kerberos_upn_denied of smbget
   via  468fb05d635 s3:tests: Fix the test_kerberos_trust in smbget 
testsuite
   via  62b0b79ce06 s3:tests: Fix test_kerberos in smbget tests
   via  337034e675a s3:tests: Pass down a normal domain user for 
test_smbget.sh
   via  56d0c3a0263 selftest: Add DOMAIN_ADMIN and DOMAIN_USER variables
   via  a2af6946f5e selftest: Remove trailing tabs/white spaces in Samba4.pm
   via  c14c5dec09f s3:tests: Fix authentication with smbget_user in smbget 
tests
   via  646046cb583 selftest/knownfail: move more parts to 
expectedfail.d/ntlm-auth
   via  54f95df693b selftest/knownfail: move some parts to 
expectedfail.d/ntlm-auth
   via  5af5f9807d7 selftest/knownfail.d: move encrypted_secrets to 
expectedfail.d
   via  2497a4afe50 selftest/knownfail.d: move ntlmv1-restrictions to 
expectedfail.d
   via  bac2559746f selftest/knownfail.d: move samba-4.5-emulation to 
expectedfail.d
   via  f60d794666a selftest/knownfail.d: move labdc to expectedfail.d
   via  3ea40efe046 selftest/knownfail.d: remove empty files
   via  7a6d9a7217b selftest/knownfail.d: README memntions expectedfail.d
   via  04ed1206057 selftest: add an expectedfail directory
  from  992f7625211 selftest: Remove unused import

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit f2f7ed419e03e5ae8cc85f42af5b2bcf91abefe2
Author: Andreas Schneider 
Date:   Wed Dec 6 13:16:53 2023 +0100

s3:utils: Fix auth callback with smburl

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Sun Dec 10 22:22:51 UTC 2023 on atb-devel-224

commit 5b38f3be8cb986aa2db3aab5c3c3d2e8739893ce
Author: Andreas Schneider 
Date:   Wed Dec 6 15:58:08 2023 +0100

s3:tests: Add interactive smbget test for password entry

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit a7622bc7db093558c6f6e3da4d2a899a764dec09
Author: Andreas Schneider 
Date:   Wed Dec 6 13:26:43 2023 +0100

auth:creds: Add cli_credentials_get_domain_and_obtained()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit 1041dae03f0f7e9e2b6b4a649eb1d298a34ce699
Author: Andreas Schneider 
Date:   Wed Dec 6 13:06:42 2023 +0100

auth:creds: Fix cli_credentials_get_password_and_obtained() with callback

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit ab4b25964a43a1ef550f10580ad395e178fe647e
Author: Andreas Schneider 
Date:   Wed Dec 6 13:16:26 2023 +0100

auth:creds:tests: Add test for password callback

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit c46769f3f10d21ed802e17aa79ae17e345168e63
Author: Andreas Schneider 
Date:   Thu Dec 7 09:47:14 2023 +0100

s3:tests: Fix smbget test

Time to fix the smbget share to not have `guest ok = yes` set. A new
[smbget_guest] will be used for guest only tests. This way we can
correctly test different authentication mechanisms.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit 1a04fd255c2c94e01bda9840bfd6b372007bb3c7
Author: Andreas Schneider 
Date:   Thu Dec 7 13:11:46 2023 +0100

s3:tests: Remove the non-working test_kerberos_upn_denied of smbget

See TODO code comment for details.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit 468fb05d6357779228e411076e286abcdb70cf96
Author: Andreas Schneider 
Date:   Thu Dec 7 11:43:33 2023 +0100

s3:tests: Fix the test_kerberos_trust in smbget testsuite

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit 62b0b79ce065246417996dec61afa6a10f6ab99b
Author: Andreas Schneider 
Date:   Thu Dec 7 10:51:32 2023 +0100

s3:tests: Fix test_kerberos

[SCM] Samba Shared Repository - branch master updated

2023-12-07 Thread Andrew Bartlett
The branch, master has been updated
   via  992f7625211 selftest: Remove unused import
   via  5c4ee07ea2e Revert "s4:torture: Increase multichannel timeout"
   via  b4039bf6908 s4:ntvfs: Remove trailing whitespace
   via  43c375515f2 pymessaging: Remove trailing whitespace
   via  251f39a9fe6 s4:kdc: Remove unused includes
   via  0982d030a49 s4:include: Fix code spelling
   via  3d04f62e179 s4:include: Remove trailing whitespace
   via  b58cd077bc8 s4:dsdb: Fix code spelling
   via  64f66273292 s4:dsdb: Remove trailing whitespace
   via  9ebe4de113b s4:dsdb: Use portable integer constant INT64_MAX
   via  e1dc284fed2 s4:dsdb: Use portable integer constant INT64_MAX
   via  6eec3ae6a65 s4:dsdb: Use portable integer constant INT64_MIN
   via  ccbaaf26067 s4:dsdb: Remove unused includes
   via  e8052ecad0e s4:dsdb: Remove trailing whitespace
   via  235b518ccf8 s4:auth: Fix code spelling
   via  513401806e2 s3:rpc_server: Fix code spelling
   via  ed908e937cb s3:modules: Fix code spelling
   via  f27ab6d9f5d s3:include: Fix code spelling
   via  8a9e07ad864 s3:include: Remove trailing whitespace
   via  9b06fd8ddae tests/krb5: Remove unused parameter
   via  2e891f59b8c tests/krb5: Fix indentation
   via  d791bfae772 tests/dcerpc: Remove unused imports
   via  e7a2c4ba64b tests/dcerpc: Correct docstring
   via  5287411be8d python:tests: Remove leftover debugging message
   via  49f54e2bd62 python:tests: Remove unused imports
   via  abab561d443 python:tests: Remove unnecessary f‐strings
   via  2eb7b95de38 python: Add missing word to comment
   via  c7ab99a8668 python: Fix code spelling
   via  b82abfe00cc gp: Remove unused import
   via  c62d17dbe70 security.idl: Remove trailing whitespace
   via  e05c3477fc4 librpc: Fix code spelling
   via  4846ebbd8a6 librpc: Remove trailing whitespace
   via  6e998655835 libcli/security: Fix code spelling
   via  b3199f2a696 libcli/security: Remove unused includes
   via  8aa164ce403 util/data_blob: Fix code spelling
   via  c07f72a531a util/data_blob: Remove trailing whitespace
   via  1947bd6d6d9 util/charset: Remove trailing whitespace
   via  a56bf3fa261 lib/torture: Remove trailing whitespace
   via  0691a112f6d talloc: Fix documentation
   via  ac860150413 lib/fuzzing: Fix code spelling
   via  f6bc1ad9667 ldb: Fix code spelling
   via  2a9e8849ad4 lib:crypto: Remove unused Rijndael cipher header
   via  7658c9bf0a9 lib:crypto: Remove redundant array zeroing
   via  af2b5f46b9a docs-xml: Fix code spelling
   via  cec6c7e233c ctdb: Fix code spelling
   via  265e3699ac3 ctdb: Remove trailing whitespace
   via  18d9873e5d7 buildtools: Update docstring to be more accurate
   via  e607a59c806 auth:gensec: Zero digest array in error case
   via  60e9e3e01cd tests/ndr: Add tests for Group Key Distribution Service 
blobs
   via  2cb6e37e5b5 gkdi.idl: Add definitions for the Group Key 
Distribution Service
   via  261d3ade8dd python:tests: Permit newer copyright notice
  from  763b2efe69d s3:utils: Fix setting the debug level

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 992f76252114c09ddaad0204edd97af8043425b3
Author: Joseph Sutton 
Date:   Thu Nov 9 10:55:24 2023 +1300

selftest: Remove unused import

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Fri Dec  8 03:25:20 UTC 2023 on atb-devel-224

commit 5c4ee07ea2eaa5b5d307b467f5b829547f5a3da8
Author: Joseph Sutton 
Date:   Thu Nov 30 11:57:08 2023 +1300

Revert "s4:torture: Increase multichannel timeout"

This reverts commit c6d0df787a1f6007e1f4594f68ff1f75a46bd293.

Said commit did not help with GitLab CI timeouts, but just made the CI
pipeline take longer when the test did time out.

Signed-off-by: Joseph Sutton 
    Reviewed-by: Andrew Bartlett 

commit b4039bf69089feb5ba5d185fcf54696e4c3c005d
Author: Joseph Sutton 
Date:   Tue Oct 24 16:24:03 2023 +1300

s4:ntvfs: Remove trailing whitespace

Signed-off-by: Joseph Sutton 
    Reviewed-by: Andrew Bartlett 

commit 43c375515f281f94ceabf678f80ef90884fe4f00
Author: Joseph Sutton 
Date:   Tue Nov 14 13:07:01 2023 +1300

pymessaging: Remove trailing whitespace

Signed-off-by: Joseph Sutton 
    Reviewed-by: Andrew Bartlett 

commit 251f39a9fe637964da28bc2908ba9dcce0bbf9f3
Author: Joseph Sutton 
Date:   Mon Dec 4 19:25:33 2023 +1300

s4:kdc: Remove unused includes

Signed-off-by: Joseph Sutton 
    Reviewed-by: Andrew Bartlett 

commit 0982d030a49ca903733873ca99d112b4cf2662b4
Author: Joseph Sutton 
Date:   Thu Nov 9 16:02:59 2023 +1300

s4:include: Fix code spelling

Signed-o

[SCM] Samba Shared Repository - branch master updated

2023-12-06 Thread Andrew Bartlett
The branch, master has been updated
   via  763b2efe69d s3:utils: Fix setting the debug level
   via  e5fe856e76e s3:tests: Add smbget test for 
smb://DOAMIN;user%password@server/share/file
   via  40de9033650 pycredentials: Properly check type in 
creds.set_nt_hash() and samr.encrypt_samr_password()
  from  00034d02289 s3:auth: Allow 'Unix Users' and 'Unix Groups' to create 
a local token

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 763b2efe69dc74e1c0cd954607031012f832486d
Author: Andreas Schneider 
Date:   Wed Dec 6 08:48:34 2023 +0100

s3:utils: Fix setting the debug level

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15525

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Thu Dec  7 05:33:21 UTC 2023 on atb-devel-224

commit e5fe856e76eba26e3b85a391bcea02dfe045c26e
Author: Andreas Schneider 
Date:   Tue Dec 5 15:46:48 2023 +0100

s3:tests: Add smbget test for smb://DOAMIN;user%password@server/share/file

This is supported according to the smbget manpage!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15525

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit 40de90336506233994a57cbde7a107e26ffe22bf
Author: Andrew Bartlett 
Date:   Thu Dec 7 15:50:43 2023 +1300

pycredentials: Properly check type in creds.set_nt_hash() and 
samr.encrypt_samr_password()

We should not be just doing a talloc type check, we should check the python
type first.

Signed-off-by: Andrew Bartlett 
Reviewed-by: Joseph Sutton 

---

Summary of changes:
 auth/credentials/pycredentials.c| 10 ++
 auth/credentials/wscript_build  |  3 ++-
 source3/script/tests/test_smbget.sh | 20 
 source3/utils/smbget.c  |  6 +-
 4 files changed, 37 insertions(+), 2 deletions(-)


Changeset truncated at 500 lines:

diff --git a/auth/credentials/pycredentials.c b/auth/credentials/pycredentials.c
index 8e7d8ae7b56..a27e02d1aa5 100644
--- a/auth/credentials/pycredentials.c
+++ b/auth/credentials/pycredentials.c
@@ -568,6 +568,11 @@ static PyObject *py_creds_set_nt_hash(PyObject *self, 
PyObject *args)
}
obt = _obt;
 
+   if (!py_check_dcerpc_type(py_cp, "samba.dcerpc.samr", "Password")) {
+   /* py_check_dcerpc_type sets TypeError */
+   return NULL;
+   }
+
pwd = pytalloc_get_type(py_cp, struct samr_Password);
if (pwd == NULL) {
/* pytalloc_get_type sets TypeError */
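Review bot: The new py_check_dcerpc_type(py_cp, "samba.dcerpc.samr", "Password") guard in py_creds_set_nt_hash() comes without a test in this changeset; the summary of changes lists only pycredentials.c, wscript_build, test_smbget.sh and smbget.c. Please add a Python test that passes an object of some other type to creds.set_nt_hash() and asserts TypeError, so that the ordering (Python type check before pytalloc_get_type()) stays locked in.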
@@ -1073,6 +1078,11 @@ static PyObject *py_creds_encrypt_samr_password(PyObject 
*self,
return NULL;
}
 
+   if (!py_check_dcerpc_type(py_cp, "samba.dcerpc.samr", "Password")) {
+   /* py_check_dcerpc_type sets TypeError */
+   return NULL;
+   }
+
pwd = pytalloc_get_type(py_cp, struct samr_Password);
if (pwd == NULL) {
/* pytalloc_get_type sets TypeError */
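Review bot: The type check added before pytalloc_get_type() in py_creds_encrypt_samr_password() duplicates, line for line, the one added to py_creds_set_nt_hash(). Consider a small static helper that performs both steps and returns the struct samr_Password pointer (or NULL with TypeError set), so the two call sites cannot drift apart.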
diff --git a/auth/credentials/wscript_build b/auth/credentials/wscript_build
index 7568554df4d..83c6e8ca5a0 100644
--- a/auth/credentials/wscript_build
+++ b/auth/credentials/wscript_build
@@ -27,12 +27,13 @@ bld.SAMBA_SUBSYSTEM('CREDENTIALS_CMDLINE',
 source='credentials_cmdline.c',
 deps='samba-credentials')
 
+pyrpc_util = bld.pyembed_libname('pyrpc_util')
 pytalloc_util = bld.pyembed_libname('pytalloc-util')
 pyparam_util = bld.pyembed_libname('pyparam_util')
 
 bld.SAMBA_PYTHON('pycredentials',
 source='pycredentials.c',
-public_deps='samba-credentials %s %s CREDENTIALS_CMDLINE CREDENTIALS_KRB5 
CREDENTIALS_SECRETS' % (pytalloc_util, pyparam_util),
+public_deps='samba-credentials %s %s %s CREDENTIALS_CMDLINE 
CREDENTIALS_KRB5 CREDENTIALS_SECRETS' % (pyrpc_util, pytalloc_util, 
pyparam_util),
 realname='samba/credentials.so'
 )
 
diff --git a/source3/script/tests/test_smbget.sh 
b/source3/script/tests/test_smbget.sh
index 46c1f4a68a5..bdc62a71eff 100755
--- a/source3/script/tests/test_smbget.sh
+++ b/source3/script/tests/test_smbget.sh
@@ -145,6 +145,22 @@ test_singlefile_smburl()
return 0
 }
 
+test_singlefile_smburl2()
+{
+   clear_download_area
+   $SMBGET "smb://$DOMAIN;$USERNAME:$PASSWORD@$SERVER_IP/smbget/testfile"
+   if [ $? -ne 0 ]; then
+   echo 'ERROR: RC does not match, expected: 0'
+   return 1
+   fi
+   cmp --silent $WORKDIR/testfile ./testfile
+   if [ $? -ne 0 ]; then
+   echo 'ERROR: file content does not match'
+   return 1
+   fi
+   return 0
+}
+
 test_singlefile_authfile()
 {
clear_download_area
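Review bot: The URL in test_singlefile_smburl2() separates the credentials with a colon ($USERNAME:$PASSWORD), while the commit subject names the form smb://DOAMIN;user%password@server/share/file. Either the test or the subject should be adjusted so that the form the manpage documents is the one actually exercised. $WORKDIR/testfile in the cmp call is also unquoted and would split if the work directory path contains whitespace.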
@@ -499,6 +515,10 @@ 

[SCM] Samba Shared Repository - branch master updated

2023-11-30 Thread Andrew Bartlett
The branch, master has been updated
   via  b12a33e2251 third_party/heimdal: import 
lorikeet-heimdal-202311290849 (commit 84fb4579594a5fd8f8462450777eb24d5832be07)
   via  f65a17e7abb lib:crypto: Use bytearray macros
  from  83edfcff5cc vfs_ceph: call 'ceph_fgetxattr' only if valid fd

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit b12a33e225197ec71285586ec44140b421f2e5c6
Author: Andrew Bartlett 
Date:   Wed Nov 29 22:46:28 2023 +1300

third_party/heimdal: import lorikeet-heimdal-202311290849 (commit 
84fb4579594a5fd8f8462450777eb24d5832be07)

Some of our pending PRs for Heimdal were recently accepted,
so this brings in a new update (mostly improved spelling).

Signed-off-by: Andrew Bartlett 
Reviewed-by: Joseph Sutton 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Thu Nov 30 21:25:56 UTC 2023 on atb-devel-224

commit f65a17e7abb83b2d352fd7f75d3a32b7a729b76c
Author: Andreas Schneider 
Date:   Thu Nov 30 08:32:45 2023 +0100

lib:crypto: Use bytearray macros

Do not use old macros which are not descriptive by the name.

Signed-off-by: Andreas Schneider 
Reviewed-by: Joseph Sutton 

---

Summary of changes:
 lib/crypto/gnutls_sp800_108.c  |  4 +-
 third_party/heimdal/kdc/kerberos5.c| 17 +++---
 third_party/heimdal/kdc/krb5tgs.c  |  2 +-
 third_party/heimdal/kdc/pkinit.c   | 10 ++--
 third_party/heimdal/kuser/kinit.c  |  2 +-
 third_party/heimdal/lib/base/json.c|  2 +-
 third_party/heimdal/lib/hdb/ext.c  |  8 +--
 third_party/heimdal/lib/hx509/cert.c   | 26 -
 third_party/heimdal/lib/hx509/cms.c| 64 +++---
 third_party/heimdal/lib/hx509/crypto-ec.c  |  2 +-
 third_party/heimdal/lib/hx509/crypto.c |  4 +-
 third_party/heimdal/lib/hx509/hx509_err.et |  2 +-
 third_party/heimdal/lib/hx509/req.c|  2 +-
 third_party/heimdal/lib/hx509/revoke.c | 32 +--
 third_party/heimdal/lib/hx509/test_cms.in  |  2 +-
 third_party/heimdal/lib/kadm5/bump_pw_expire.c |  7 ++-
 third_party/heimdal/lib/krb5/cache.c   |  4 +-
 third_party/heimdal/lib/krb5/crypto.c  | 10 ++--
 third_party/heimdal/lib/krb5/digest.c  |  2 +-
 third_party/heimdal/lib/krb5/init_creds_pw.c   | 34 ++--
 third_party/heimdal/lib/krb5/krb5.conf.5   |  3 +-
 third_party/heimdal/lib/krb5/krb5_err.et   |  2 +-
 third_party/heimdal/lib/krb5/pac.c |  4 +-
 third_party/heimdal/lib/krb5/pkinit.c  | 16 +++---
 third_party/heimdal/lib/krb5/store.c   | 34 ++--
 third_party/heimdal/lib/roken/parse_time-test.c|  1 +
 third_party/heimdal/lib/wind/utf8.c|  8 +--
 third_party/heimdal/po/heimdal_krb5/de.po  |  2 +-
 .../heimdal/po/heimdal_krb5/heimdal_krb5.pot   |  2 +-
 third_party/heimdal/po/heimdal_krb5/sv_SE.po   |  2 +-
 30 files changed, 159 insertions(+), 151 deletions(-)


Changeset truncated at 500 lines:

diff --git a/lib/crypto/gnutls_sp800_108.c b/lib/crypto/gnutls_sp800_108.c
index dc04354d3d2..65710657bae 100644
--- a/lib/crypto/gnutls_sp800_108.c
+++ b/lib/crypto/gnutls_sp800_108.c
@@ -41,7 +41,7 @@ static NTSTATUS samba_gnutls_sp800_108_derive_key_part(
static const uint8_t zero = 0;
int rc;
 
-   RSIVAL(buf, 0, i);
+   PUSH_BE_U32(buf, 0, i);
rc = gnutls_hmac(hmac_hnd, buf, sizeof(buf));
if (rc < 0) {
return gnutls_error_to_ntstatus(rc,
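Review bot: PUSH_BE_U32(buf, 0, i) fills four bytes, but the following line feeds sizeof(buf) bytes to gnutls_hmac(), and the declaration of buf lies outside this hunk. Worth confirming, or asserting at compile time, that buf is exactly four bytes, so that the counter is the only data hashed in this step.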
@@ -69,7 +69,7 @@ static NTSTATUS samba_gnutls_sp800_108_derive_key_part(
return gnutls_error_to_ntstatus(
rc, NT_STATUS_HMAC_NOT_SUPPORTED);
}
-   RSIVAL(buf, 0, L);
+   PUSH_BE_U32(buf, 0, L);
rc = gnutls_hmac(hmac_hnd, buf, sizeof(buf));
if (rc < 0) {
return gnutls_error_to_ntstatus(
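Review bot: The commit message gives naming as the only motivation for replacing RSIVAL(buf, 0, L). Since the value of L written here goes straight into the HMAC input, the message should also state that PUSH_BE_U32 produces the same bytes as RSIVAL did, so that derived keys are unchanged.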
diff --git a/third_party/heimdal/kdc/kerberos5.c 
b/third_party/heimdal/kdc/kerberos5.c
index 76cecd3e12f..5991711a289 100644
--- a/third_party/heimdal/kdc/kerberos5.c
+++ b/third_party/heimdal/kdc/kerberos5.c
@@ -1125,7 +1125,7 @@ pa_enc_ts_validate(astgs_request_t r, const PA_DATA *pa)
 ret = pa_enc_ts_decrypt_kvno(r, kvno, _data, _data, _key);
 if (ret == KRB5KDC_ERR_ETYPE_NOSUPP) {
char *estr;
-   _kdc_set_e_text(r, "No key matching entype");
+   _kdc_set_e_text(r, "No key matching enctype");
if(krb5_enctype_to_string(r->context, enc_data.etype, ))
estr = NULL;
if(estr == NULL)
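Review bot: The corrected string "No key matching enctype" in pa_enc_ts_validate() is handed to _kdc_set_e_text(), so it is the error text set for the KRB5KDC_ERR_ETYPE_NOSUPP case. Please check that no test or log matcher still expects the old "entype" spelling.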
@@ -1143,6 +1143,7 @@ pa_enc_ts_validate(ast

[SCM] Samba Shared Repository - branch master updated

2023-11-29 Thread Andrew Bartlett
The branch, master has been updated
   via  af53df6cd6e python/samba/tests: Fix incorrect super-class in 
cred_opt.py setUp()
   via  0f2ff51a4b4 python/samba/tests: Fix incorrect superclass in 
test_min_domain_uid.py
   via  42e78285632 python: Correct Python2 super() calls that called the 
wrong class
   via  6ac48336780 python: tests: update all super calls to python 3 style 
in tests
   via  e8fda61a57f python: get rid of pointless empty overridden methods
   via  983f222e382 python: Use constants from hresult.h for python 
constants
   via  b14ead30da3 python: move HRES_SEC_* constants to samba module
   via  1a45e49b5f6 python: tests: make HRES_SEC_E_* constant an int
   via  6bcfcacd536 python: PEP275: docstrings should always use double 
quotes
   via  35d71bfc6f5 python: fix missing colon around param in docstring
  from  72c6f38e9fe lib:crypto: Add test for 
samba_gnutls_sp800_108_derive_key() using NIST test vectors

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit af53df6cd6e21f7394bb4b638e398588c8495127
Author: Andrew Bartlett 
Date:   Thu Nov 30 13:31:33 2023 +1300

python/samba/tests: Fix incorrect super-class in cred_opt.py setUp()

This will allow TEST_DEBUG_LEVEL to work in this test.

Signed-off-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Thu Nov 30 02:03:05 UTC 2023 on atb-devel-224

commit 0f2ff51a4b4884ada7335cba73dc516e8475f356
Author: Andrew Bartlett 
Date:   Thu Nov 30 13:28:56 2023 +1300

python/samba/tests: Fix incorrect superclass in test_min_domain_uid.py

This was not intentional as far as can be determined.

Signed-off-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

commit 42e7828563220f7c7f281f68c3cdcd529e6f6ef8
Author: Andrew Bartlett 
Date:   Thu Nov 30 13:22:18 2023 +1300

python: Correct Python2 super() calls that called the wrong class

These changes have been checked as safe as skipping a superclass
has no actual impact.

Signed-off-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

commit 6ac48336780813cd5cb0cd9e5b5f1355aa342096
Author: Rob van der Linde 
Date:   Tue Nov 28 16:38:22 2023 +1300

python: tests: update all super calls to python 3 style in tests

Signed-off-by: Rob van der Linde 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

[abart...@samba.org Some python2 style super() calls remain due
 to being an actual, even if reasonable, behaviour change]

commit e8fda61a57fbec996aa05eff8e696057237c7be0
Author: Rob van der Linde 
Date:   Tue Nov 28 15:59:41 2023 +1300

python: get rid of pointless empty overridden methods

Signed-off-by: Rob van der Linde 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 983f222e382dfd2cf9df202f0645bdb1ec8a62ed
Author: Andrew Bartlett 
Date:   Thu Nov 30 10:37:13 2023 +1300

python: Use constants from hresult.h for python constants

This encourages us to keep a single source for constants.

In the future this should be a generated python file like for ntstatus.

Signed-off-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

commit b14ead30da3fa6a12412ce97724daebb3cc3ebfa
Author: Rob van der Linde 
Date:   Tue Nov 28 15:13:21 2023 +1300

python: move HRES_SEC_* constants to samba module

Signed-off-by: Rob van der Linde 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 1a45e49b5f6286f8a5071536e5a780322b7e1e9c
Author: Rob van der Linde 
Date:   Wed Nov 29 16:00:13 2023 +1300

python: tests: make HRES_SEC_E_* constant an int

Signed-off-by: Rob van der Linde 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 6bcfcacd536f8fb82aacd533f39b74e663bd343d
Author: Rob van der Linde 
Date:   Tue Nov 28 15:11:12 2023 +1300

python: PEP275: docstrings should always use double quotes

Signed-off-by: Rob van der Linde 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 35d71bfc6f5cf379ac64a289bf97a6e4ddac1d20
Author: Rob van der Linde 
Date:   Tue Nov 28 15:02:00 2023 +1300

python: fix missing colon around param in docstring

Signed-off-by: Rob van der Linde 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

---

Summary of changes:
 python/pyglue.c|  5 ++
 python/samba/__init__.py   |  5 +-
 python/samba/tests/__init__.py |  6 +-
 python/samba/tests/audit_log_base.py   |  2 +-
 python/samba/tests/audit_log_dsdb.py   |  4 +-
 python/samba/tests/audit_log_pass_change.py|  5 +-
 python/samba/tests/auth.py

[SCM] Samba Shared Repository - branch master updated

2023-11-29 Thread Andrew Bartlett
The branch, master has been updated
   via  72c6f38e9fe lib:crypto: Add test for 
samba_gnutls_sp800_108_derive_key() using NIST test vectors
   via  017c90e1bac lib:crypto: Add ‘FixedData’ parameter to 
samba_gnutls_sp800_108_derive_key()
   via  cd1168a1319 lib:crypto: Have samba_gnutls_sp800_108_derive_key() 
support various output key lengths
   via  6b5ccd25083 lib:crypto: Clean up HMAC handle in one place
   via  b1c6a93085a lib:crypto: Add missing call to gnutls_hmac_deinit()
   via  19f2365c6a0 lib:crypto: Add common out path to 
samba_gnutls_sp800_108_derive_key()
   via  014f606099b lib:crypto: Split out core of 
samba_gnutls_sp800_108_derive_key()
   via  5f5b5b75ca5 lib:crypto: Add tests for 
samba_gnutls_sp800_108_derive_key()
   via  04b6dc8d0bb lib:crypto: Add samba_gnutls_sp800_108_derive_key()
   via  2c4b014b9ae lib:crypto: Remove unused variable
   via  768178be708 lib:crypto: Remove unused imports
   via  30be2446ed1 libcli/smb: Add ‘algorithm’ parameter to 
smb2_key_derivation()
   via  b5b21579844 libcli/auth: Return more consistent status code on 
gnutls HMAC failure
   via  150a6ca38ab auth/gensec: Return more consistent status codes on 
gnutls hashing failure
   via  1e07da1cfe1 s4:utils: Use correct enumeration constant
   via  33167207d24 s4:utils: Remove trailing whitespace
   via  99ded98b394 s4:libcli: Call correct function to get HMAC output 
length
   via  769b6527526 s4:libcli: Remove trailing whitespace
   via  5d53ac8af07 libcli/smb: Call correct function to get HMAC output 
length
   via  2482a714cf2 libcli/auth: Call correct function to get HMAC output 
length
   via  cee483fd4a0 libcli/auth: Use correct enumeration constant
   via  4bb031f8755 libcli/smb: Include missing headers
   via  acb67bd93ed selftest: Remove knownfail entries for non‐existent 
tests
   via  187d3baab3c librpc:ndr: Use correct libndr flags type
   via  79f6da42128 librpc:ndr: Remove trailing whitespace
   via  5571116ba0a docs-xml: Add missing closing parenthesis
   via  e3f81fa71ee pidl: Make sure to cast whole expressions
   via  59b94325248 conditional_ace.idl: Fix undefined shift
   via  3da132a8dfb pidl: Fix subscripts of dereferenced arrays
   via  dbc9c9bd128 pidl: Remove unneeded casts
   via  561537adbbb pidl: Fix grammar in warning message
   via  25988f5d259 pidl: Remove trailing whitespace
   via  9d7bce5bbbd pidl: Remove unused imports
  from  c4a5d4eb62f third_party: Update waf to version 2.0.26

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 72c6f38e9fe158ab639622da7a8a29d666b992b1
Author: Joseph Sutton 
Date:   Thu Nov 23 16:54:12 2023 +1300

lib:crypto: Add test for samba_gnutls_sp800_108_derive_key() using NIST 
test vectors

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Thu Nov 30 01:03:29 UTC 2023 on atb-devel-224

commit 017c90e1bac09afb33fbd4b6b87208f27f692820
Author: Joseph Sutton 
Date:   Wed Nov 29 15:46:30 2023 +1300

lib:crypto: Add ‘FixedData’ parameter to samba_gnutls_sp800_108_derive_key()

Our code won’t use this, but NIST’s test vectors are based on handing a
fixed buffer to the key derivation function.

View with ‘git show -b’.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit cd1168a131931abb7043f5b108da9aaa2094e391
Author: Joseph Sutton 
Date:   Wed Nov 29 12:44:10 2023 +1300

lib:crypto: Have samba_gnutls_sp800_108_derive_key() support various output 
key lengths

View with ‘git show -b’.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 6b5ccd2508312e9c89262a123203c8eb7e25839d
Author: Joseph Sutton 
Date:   Wed Nov 29 12:27:03 2023 +1300

lib:crypto: Clean up HMAC handle in one place

This is less error prone than having to ensure it’s cleaned up in every
error path.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit b1c6a93085a3eb324976375be6e441be28c9f846
Author: Joseph Sutton 
Date:   Wed Nov 29 12:29:58 2023 +1300

lib:crypto: Add missing call to gnutls_hmac_deinit()

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 19f2365c6a0cbc07d9e2301c3ab205b00787830e
Author: Joseph Sutton 
Date:   Wed Nov 29 12:28:10 2023 +1300

lib:crypto: Add common out path to samba_gnutls_sp800_108_derive_key()

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 014f606099b787cb13f965aa2950399c75767033
Author: Joseph Sutton 
Date:   Wed Nov 29 11:49:19 2023 +1300

lib:crypto: Split out core of samba_gnutls_sp800_108_derive_key()

We are going to need to alter the structure of this function a little
bit.

Signed-off

[SCM] Samba Shared Repository - branch master updated

2023-11-28 Thread Andrew Bartlett
The branch, master has been updated
   via  e2651628844 tests: claims blackbox: add device and server silo 
restrictions test
   via  834fc223e2e python: tests: claims blackbox tests use ntstatus 
constants
   via  0d907a02141 tests: claims blackbox: use raw strings rather than 
escaping \
   via  dc74cabaa4d tests: claims: blackbox device tests
   via  64212a371be selftest: Run samba.tests.gensec in an enviroment build 
also with MIT Krb5
   via  c49fd98ed7a s4-auth/kerberos: Use FAST credentials for armor if 
specified in cli_credentials
   via  0293d233bf2 python/tests: Add test for 
creds.set_krb5_fast_credentials()
   via  ebdb1f6b43a python/tests: Lock in key-word arguments as key-word 
only in samba.tests.gssapi
   via  61b0397de20 python/tests: Import samba.gensec, not gensec
   via  cc2c9b2a1e7 auth/credentials: Add Python bindings for association 
of a connection for FAST
   via  bed1893a75e auth/credentials: Add API to allow requesting a 
Kerberos ticket to be protected with FAST
   via  dbb682f5fac build: Add build time detection for the MIT FAST ccache 
API
   via  6222d572eec third_party/heimdal: Provide 
krb5_init_creds_opt_set_fast_ccache() and krb5_init_creds_opt_set_fast_flags() 
(import lorikeet-heimdal-202311290114 (commit 
4c8517e161396330c76240bf09609a0dd5f9ea20))
  from  a757a51a26f libcli/security: note suboptimality of conditional ACE 
Contains operators

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit e2651628844d6a4262de4093770d958fc1ee4535
Author: Rob van der Linde 
Date:   Tue Nov 28 13:05:33 2023 +1300

tests: claims blackbox: add device and server silo restrictions test

Signed-off-by: Rob van der Linde 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Wed Nov 29 04:15:27 UTC 2023 on atb-devel-224

commit 834fc223e2e3a9c07e1df57cf7f4ae39afb13db2
Author: Rob van der Linde 
Date:   Wed Nov 29 11:37:42 2023 +1300

python: tests: claims blackbox tests use ntstatus constants

Signed-off-by: Rob van der Linde 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

commit 0d907a021415d1a94469faf3fcd301022979fefc
Author: Rob van der Linde 
Date:   Tue Nov 28 12:46:53 2023 +1300

tests: claims blackbox: use raw strings rather than escaping \

Signed-off-by: Rob van der Linde 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

commit dc74cabaa4d7ec52c9d33b19aaafe4272de249a5
Author: Rob van der Linde 
Date:   Tue Nov 21 16:27:09 2023 +1300

tests: claims: blackbox device tests

Signed-off-by: Rob van der Linde 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

commit 64212a371be2c262338d604944cc73b397913fdb
Author: Andrew Bartlett 
Date:   Tue Nov 28 17:07:15 2023 +1300

selftest: Run samba.tests.gensec in an enviroment build also with MIT Krb5

We would like confidence that the FAST hooks work with both implementations.

Signed-off-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

commit c49fd98ed7a547fe37b354d93671a9d2f05c8b34
Author: Andrew Bartlett 
Date:   Mon Nov 20 14:12:19 2023 +1300

s4-auth/kerberos: Use FAST credentials for armor if specified in 
cli_credentials

Signed-off-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

commit 0293d233bf206fabe1e209548c0c44d511f9e73f
Author: Andrew Bartlett 
Date:   Mon Nov 20 12:17:57 2023 +1300

python/tests: Add test for creds.set_krb5_fast_credentials()

Signed-off-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

commit ebdb1f6b43af4141bf598f6dffdc47df94401336
Author: Andrew Bartlett 
Date:   Mon Nov 20 12:42:15 2023 +1300

python/tests: Lock in key-word arguments as key-word only in 
samba.tests.gssapi

Signed-off-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

commit 61b0397de2031813bdcf35a742eeba2dc9c5f9b9
Author: Andrew Bartlett 
Date:   Mon Nov 20 13:02:21 2023 +1300

python/tests: Import samba.gensec, not gensec

This allows this function to be used by gensec.py (a test) without 
collision.

Signed-off-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

commit cc2c9b2a1e72802675a6e0494679774b920abe8c
Author: Andrew Bartlett 
Date:   Mon Nov 20 12:16:04 2023 +1300

auth/credentials: Add Python bindings for association of a connection for 
FAST

Signed-off-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

commit bed1893a75e7bf5e7b607fb1bc5712e3175d17a9
Author: Andrew Bartlett 
Date:   Fri Nov 17 17:41:53 2023 +1300

auth/credentials: Add API to allow requesting a Kerberos ticket to be 
protected with FAST

Signed-off-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

commit dbb682f5fac1094bfd5ad70c35bfe9e9c877b935
Author: Andrew Bartlett 
Date:   Tue Nov 28

[SCM] Samba Shared Repository - branch master updated

2023-11-27 Thread Andrew Bartlett
The branch, master has been updated
   via  a757a51a26f libcli/security: note suboptimality of conditional ACE 
Contains operators
   via  2eb00c0bba5 libcli/security: comparability check: claim members are 
of one type
   via  55999b7b7b2 libcli/security: shift comparability check to shortcut 
exits
   via  6c6f25904ee libcli/security: add shortcuts for conditional ACE 
compare
   via  8bad19c42e1 libcli/security: improve conditional ACE composite 
comparison
   via  6a07d2fe44e libcli/security: separate out 
claim_v1_to_ace_composite_unchecked()
   via  e338625ebf1 libcli/security: avoid leak on SDDL encode failure
   via  4f56c702834 libcli/security: claim_v1_to_ace_token(): avoid 
unnecessary re-sort
   via  e223ce4a930 libcli/security: add_claim_to_token() re-sorts/checks 
claims
   via  843fd4d15f7 libcli/security: resource attribute claims use 
claim_v1_check_and_sort()
   via  8074257c3ae libcli/security: wire claim conversion uses 
claim_v1_check_and_sort()
   via  4b032d25584 libcli/security: claim_v1_check_and_sort(): add all 
types
   via  a19f914fb9f libcli/security: begin claim_v1_check_and_sort with 
Boolean checks
   via  4ebb488e512 libcli/security: don't allow two NULL string claims
   via  1c88dfc6ac5 libcli/security: wire claims conversion: remove strings 
uniqueness check
   via  08096fd5b40 libcli/security: int wire claims drop uniqueness check
   via  10fd3e5836c libcli/security: simplify wire claim conversion mem, 
3/3: rm tmp_ctx
   via  d7da41a9bef libcli/security: simplify wire claim conversion mem, 
2/3: one tree
   via  7656d133345 libcli/security: simplify wire claim conversion mem, 
1/3: avoid NULL parent
   via  a836ad14422 pytest: conditional_ace_claims tests large composite 
comparisons
   via  cea44421ebc libcli/security/sddl: improve some SDDL error messages
   via  bc9da956822 pytest: conditional_ace_claims: 
write_c_test_on_failure() copes with claims
   via  4cc91d28283 pytest: token_factory note that a flag is not set
   via  51d9444baa0 pytest: token_factory copes with empty claims
   via  f9f87247188 pytest: token_factory claims can have case_sensitive 
flag
   via  adf695aa343 pytest: token_factory separate out list_to_claim() 
helper
   via  fc480144292 libcli/security: sddl_conditional_ace: check a 
talloc_new()
   via  78506e1752a libcli/security: conditional ACE sddl writers take 
const tokens
   via  33d2deec514 lib/security:CA: tokens_are_comparable() accepts NULL 
operator
   via  6e15a20228c libcli/security: CA: tokens_are_comparable() considers 
the obvious
   via  fc890742ab4 libcli/security: add test_claims_conversion
   via  da077b84862 libcli/security: test_run_conditional_ace tests more 
comparisons
   via  2f40583ab2f libcli/security: test_run_conditional_ace can set debug 
levels
   via  e81e0706388 librpc/idl:security: add claims flag indicating orderly 
and unique members
   via  a8f83fe8a2f librpc/idl:security: add a couple of claims flags
   via  f4ea27b84a5 librpc/idl:condtional_ace: shift 
CONDITIONAL_ACE_FLAG_TOKEN_FROM_ATTR to last bit
   via  6aa6ef4b7c1 librpc/idl:conditional_ace: make a flags field 32 bit
   via  ca572691622 libcli/security: remove redundant claim SID size check
   via  fa96bbbe816 libcli/security: avoid leak when converting SID claims
  from  8f42b8431ef s3: smbd: Allow fchmod from the NFS-style mode ACL in 
set_nt_acl() for a SMB2 POSIX handle.

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit a757a51a26f664591ab776db99bf48acfa698591
Author: Douglas Bagnall 
Date:   Sat Nov 25 12:55:09 2023 +1300

libcli/security: note suboptimality of conditional ACE Contains operators

The Contains and Any_of operators could use a sorted comparison like
compare_composites_via_sort(), rather than O(n²) nested loops. But
that would involve an amount of quite fiddly work that I am not starting
on now.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Mon Nov 27 23:38:13 UTC 2023 on atb-devel-224

commit 2eb00c0bba5ed1abaa15c1511c6012da56a78604
Author: Douglas Bagnall 
Date:   Thu Nov 23 13:03:15 2023 +1300

libcli/security: comparability check: claim members are of one type

We know from the way claims are defined, and from the code that checks
sortedness and sets the flag.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 55999b7b7b2b423eea3c26425c09130059bb4fd9
Author: Douglas Bagnall 
Date:   Thu Nov 23 13:01:49 2023 +1300

libcli/security: shift comparability check to shortcut exits

The ordinary comparison path, using the sorted arrays, already implicitly
checks for comparability. We only need this when

[SCM] Samba Shared Repository - branch master updated

2023-11-26 Thread Andrew Bartlett
The branch, master has been updated
   via  0b74adb3f01 samba-tool: Improve help messages for "samba-tool 
domain auth policy"
   via  828d534c47f docs-xml: Improve and consolidate "samba-tool domain 
auth policy create/modify" docs
   via  9c5a7d12445 netcmd: auth: set better metavar that matches the docs
  from  14b17c3de6d libcli/security/tests: gunzip the oversized-acls test 
vectors

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 0b74adb3f01e8211f13391f021792799d528ebba
Author: Andrew Bartlett 
Date:   Thu Nov 23 17:31:23 2023 +1300

samba-tool: Improve help messages for "samba-tool domain auth policy"
    
Signed-off-by: Andrew Bartlett 
Reviewed-by: Joseph Sutton 
    
Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Mon Nov 27 04:05:46 UTC 2023 on atb-devel-224

commit 828d534c47fbee23349107e09f60b530a24cbd55
Author: Andrew Bartlett 
Date:   Thu Nov 23 12:47:04 2023 +1300

docs-xml: Improve and consolidate "samba-tool domain auth policy 
create/modify" docs

Signed-off-by: Andrew Bartlett 
Reviewed-by: Joseph Sutton 

commit 9c5a7d1244554136d1fc4f556b6f1bf91df61a7f
Author: Rob van der Linde 
Date:   Thu Nov 23 14:08:04 2023 +1300

netcmd: auth: set better metavar that matches the docs

Signed-off-by: Rob van der Linde 
Reviewed-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

---

Summary of changes:
 docs-xml/manpages/samba-tool.8.xml        | 346 +-
 python/samba/netcmd/domain/auth/policy.py |  81 ---
 python/samba/netcmd/domain/auth/silo.py   |  18 +-
 3 files changed, 212 insertions(+), 233 deletions(-)


Changeset truncated at 500 lines:

diff --git a/docs-xml/manpages/samba-tool.8.xml 
b/docs-xml/manpages/samba-tool.8.xml
index e96ee4fc048..227fd291eb0 100644
--- a/docs-xml/manpages/samba-tool.8.xml
+++ b/docs-xml/manpages/samba-tool.8.xml
@@ -723,8 +723,13 @@
--user-allow-ntlm-auth


-   Allow NTLM network authentication when 
user
-   is restricted to selected devices.
+   Allow NTLM and 

+   Interactive NETLOGON SamLogon
+   authentication despite the
+   fact that
+   
allowed-to-authenticate-from
+   is in use, which would
+   otherwise restrict the user to selected 
devices.



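Review bot: The new --user-allow-ntlm-auth text refers to the other option as "allowed-to-authenticate-from", while the next entry is headed --user-allowed-to-authenticate-from; use the full option name so a reader can search for it. "despite the fact that ... is in use" could be shortened to "even when ... is in use", and because this option relaxes a device restriction, that effect belongs in the first sentence rather than in the trailing clause.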
@@ -732,10 +737,19 @@
--user-allowed-to-authenticate-from


-   Conditions user is allowed to 
authenticate from.
+   Conditions a device must meet
+   for users covered by this
+   policy to be allowed to
+   authenticate.  While this is a
+   restriction on the device,
+   any conditional ACE rules are
+   expressed as if the device was
+   a user.


-   Must be a valid SDDL string.
+   Must be a valid SDDL string
+   without reference to Device
+   keywords.


Example: 
O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {SID(AU)}))
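Review bot: "without reference to Device keywords" does not say which keywords are meant, and the example that follows shows only an accepted form (Member_of); name the excluded keywords or put a rejected example beside it. The reason for the rule is in the preceding paragraph ("expressed as if the device was a user"), so a cross-reference between the two would help, and "was" there should be "were".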
@@ -746,7 +760,11 @@
--user-allowed-to-authenticate-from-silo


-   User is allowed to authenticate from a 
given silo.
+   User is allowed to
+   authenticate, if the device they
+   authenticate from is assigned
+   and granted membership of a
+   given silo.


This attribute avoids the need to write 
SDDL by hand and
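Review bot: In the new --user-allowed-to-authenticate-from-silo text, "is assigned and granted membership of a given silo" reads as two separate conditions without saying whether both are required or how they differ; a few words on the distinction would help, since the following paragraph presents this option as the way to avoid writing SDDL by hand. The comma before "if" can be dropped.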
@@ -755,24 +773,54 @@



- 

[SCM] Samba Shared Repository - branch master updated

2023-11-26 Thread Andrew Bartlett
The branch, master has been updated
   via  14b17c3de6d libcli/security/tests: gunzip the oversized-acls test 
vectors
   via  19129660dfe libcli/security/tests: remove duplicate TX-integer 
tests from oversized-ACLs
   via  cf295c94aad libcli/security:sddl: remove vestiges of shared 
conditional/resource ACE SID parsing
   via  20ffec711d6 libcli/security: improve error messages in RA ACE SDDL
   via  dc60891de9f libcli/security: conditional ACE sid parser no longer 
expects RA ACEs
   via  0a2e335e378 libcli/security: parse resource attribute ace SIDs 
separately
   via  79292c8d1ef libcli/security/sddl: write RA octet strings the 
Windows way
   via  38e7b4dcbdb libcli/security: add a parser for resource attribute 
ACE byte strings
   via  9ef71399cee libcli/security: sddl_conditional_ace: remove 
check_resource_attr_type()
   via  059610a62e5 libcli/security: sddl_conditional_ace: add parse_bool 
for RA aces
   via  800f770e111 libcli/security: sddl_conditional_ace: add parse_uint 
for RA aces
   via  33caae43812 libcli/security: un-invert parse_resource_attr_list, 
check type first
   via  cda9371b59c libcli/security/test_sddl_conditional_ace: adjust RA 
octet parse tests
   via  4ab9cb19074 libcli/security:sddl_condtional_ace: log compiler 
errors at some debug levels
   via  f18ffd11829 libcli/security: initialise conditional ACE token flags
   via  8e3be66a496 pytest: security_descriptors tests get enumerator in 
name
   via  5e925f9755f dosmode: prefer capabilities over become_root
   via  1dd81928a2f libgpo: fix wrong lineending in admx files
  from  f5c76c3c814 Revert "README.Coding.md: add DBG_STARTUP_NOTICE macro"

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 14b17c3de6d478d1c86d23996f9c0acb7f2c07e1
Author: Douglas Bagnall 
Date:   Fri Nov 24 17:15:55 2023 +1300

libcli/security/tests: gunzip the oversized-acls test vectors

These are just as readable with `less` as they were with `zless`.

This file has been slightly manually edited to add line-breaks. There
is not an easy setting in Python's json module to get good formatting.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Mon Nov 27 02:10:12 UTC 2023 on atb-devel-224

commit 19129660dfe7312585b057a90b51ad9405661478
Author: Douglas Bagnall 
Date:   Fri Nov 24 16:59:05 2023 +1300

libcli/security/tests: remove duplicate TX-integer tests from oversized-ACLs

We had two sets of test vectors (Windows ground-truth for SDDL
compilation) that got mixed up.

The "oversized ACLs" set is ACLs that contain repeated ACEs, like
"D:P(D;MP)(D;MP)" -- Windows will assign a size to the ACL
that is greater than the sum of the ACEs, while Samba will not (in
part because we don't actually store a size for the ACL, instead
calculating it on the fly from the size of the ACEs).

The "TX integers" set is for resource attribute ACEs with octet-string
data that contains pure integers (lacking '#' characters) in their
SDDL, like «(RA;WD;("bar",TX,0x0,0077,00,0077,00))». We used to
think that was weird, and that RA-TX ACEs should contain octet-strings
in the conditional ACE style. But now we have realised it's not weird,
it's normal, and we have fixed our handling of these ACEs.

As a result of this mix-up, some of the tests labelled as "oversized
ACLs" started passing when we fixed the TX integer problem, and that
was confusing. All of the removed tests are already on the TX integer
set -- the removed ones were duplicates.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit cf295c94aad9e2bafad398a338669f90d605fb5f
Author: Douglas Bagnall 
Date:   Thu Nov 2 15:48:20 2023 +1300

libcli/security:sddl: remove vestiges of shared conditional/resource ACE 
SID parsing

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 20ffec711d60ba0d48e7677fddeb0886b9468139
Author: Douglas Bagnall 
Date:   Thu Nov 2 15:42:11 2023 +1300

libcli/security: improve error messages in RA ACE SDDL

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit dc60891de9f1d4341b38e71c630c2fd70f900f11
Author: Douglas Bagnall 
Date:   Thu Nov 2 15:41:33 2023 +1300

libcli/security: conditional ACE sid parser no longer expects RA ACEs

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 0a2e335e378a985d08d74fb1935d0e852480ee3c
Author: Douglas Bagnall 
Date:   Thu Nov 2 15:37:33 2023 +1300

libcli/security: parse resource attribute ace SIDs separately

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartl

[SCM] Samba Shared Repository - branch master updated

2023-11-20 Thread Andrew Bartlett
The branch, master has been updated
   via  028c90547e3 python:tests: Add ndrdump test for GMSA Managed 
Password blobs
   via  c0e6fe0bff2 tests/ndr: Add tests for GMSA Managed Password blobs
   via  21a3f60cfc7 python:tests: Move NDR tests to their own directory
   via  19b4fb8b5ac librpc: Add NDR test for GMSA Managed Password blobs
   via  35611f2ba0f gmsa.idl: Add definition for MANAGEDPASSWORD_BLOB
   via  f94b981e864 pidl: Add new ‘u16string’ type
   via  436814572d4 pidl: Add a helper function to determine whether a type 
is a string type
   via  d1e5a6176c1 s4:librpc: Produce more helpful error message when 
bytes length is odd
   via  4629fc7c610 util/charset: Have talloc_utf16_str[n]dup() accept NULL 
pointers
   via  30dd348823c librpc:ndr: Don’t try to log always‐NULL string
  from  34d80fc96fe gitlab-ci: Update Fedora to version 39

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 028c90547e3c7ea6b49de6797579038f6d2f16bd
Author: Joseph Sutton 
Date:   Mon Nov 20 16:05:13 2023 +1300

python:tests: Add ndrdump test for GMSA Managed Password blobs

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Mon Nov 20 22:51:17 UTC 2023 on atb-devel-224

commit c0e6fe0bff2bb692b5405fc6efeb1e362af821fe
Author: Joseph Sutton 
Date:   Mon Nov 13 17:08:58 2023 +1300

tests/ndr: Add tests for GMSA Managed Password blobs

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 21a3f60cfc783d07994b29696c7a75e2372dd114
Author: Joseph Sutton 
Date:   Mon Nov 20 15:46:16 2023 +1300

python:tests: Move NDR tests to their own directory

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 19b4fb8b5ac5aa0a998b7f530a748065cf489b4a
Author: Joseph Sutton 
Date:   Thu Nov 16 10:54:42 2023 +1300

librpc: Add NDR test for GMSA Managed Password blobs

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 35611f2ba0feb79f78dbb7995a1018b39e2ad005
Author: Joseph Sutton 
Date:   Fri Nov 17 14:59:20 2023 +1300

gmsa.idl: Add definition for MANAGEDPASSWORD_BLOB

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit f94b981e8641a6b18f72a50b6596e9275bb034e4
Author: Joseph Sutton 
Date:   Mon Nov 20 10:07:22 2023 +1300

pidl: Add new ‘u16string’ type

This type represents a UTF‐16–encoded string. These strings are kept
UTF‐16–encoded rather than converted to the Unix charset to be stored in
memory; this avoids issues regarding NULL termination and conversion
between character sets. We want to be able to handle strings that are
not valid UTF‐16.

Not bumping the NDR ABI version, because there hasn’t been an NDR
release since commit c4f281e9ae36c225b6003e0fa1cb8fb2e67bf543.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 436814572d435f6de4f3b390f07d0124fc4a7105
Author: Joseph Sutton 
Date:   Mon Nov 20 10:03:59 2023 +1300

pidl: Add a helper function to determine whether a type is a string type

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit d1e5a6176c1191e46a22319d356fa93b0fee76f3
Author: Joseph Sutton 
Date:   Fri Nov 17 12:56:17 2023 +1300

s4:librpc: Produce more helpful error message when bytes length is odd

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 4629fc7c610a255fda33ae4dce0fd225b01e5c88
Author: Joseph Sutton 
Date:   Fri Nov 17 12:52:29 2023 +1300

util/charset: Have talloc_utf16_str[n]dup() accept NULL pointers

This is in line with ‘talloc_str[n]dup()’.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 30dd348823c03adcf0e1bbf7adaa5ea1c30ca7a5
Author: Joseph Sutton 
Date:   Fri Nov 17 10:45:29 2023 +1300

librpc:ndr: Don’t try to log always‐NULL string

Commit c51795c747198f9e002505ffa39ad710beff0358 reorganized
ndr_pull_string() so that when we reach this DEBUG(), we don’t yet have
a string to log — ‘as’ will always be NULL. Attempting to log a NULL
string invokes undefined behaviour.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

---

Summary of changes:
 lib/util/charset/util_unistr.c |   6 +
 librpc/ABI/ndr-4.0.0.sigs      |   3 +
 librpc/idl/gmsa.idl            |  44 ++
 librpc/idl/idl_types.h         |   5 +
 librpc/idl/wscript_build       |   1 +
 librpc/ndr/libndr.h            |   1 +
 librpc/ndr/ndr_string.c        | 134 -
 librpc/tests/test_ndr_gmsa.c   | 159

[SCM] Samba Shared Repository - branch master updated

2023-11-19 Thread Andrew Bartlett
The branch, master has been updated
   via  5119d5540de s4-winreg: fix dcesrv_winreg_EnumValue behavior
   via  1fd0689f0ef s3-winreg: fix _winreg_EnumValue behavior
   via  43a8a03767a s4-torture: add test to check for Windows behavior of 
EnumValue call
   via  36745d63d68 s4-torture: add torture_assert_werr_equal_goto and 
torture_assert_werr_ok_goto macros
   via  9501dbeeb1e s3-rpcclient: add winreg_enumval command
   via  baa67024bca s4/server.c: move some log messages from ERR to NOTICE
   via  55d895dc422 profile: issues info message with lower log level
   via  72f20311acc source3/nmbd/nmbd.c: use DBG_STARTUP_NOTICE
   via  50337acaa56 lib/util/become_daemon.c: use DBG_STARTUP_NOTICE
   via  bb370b9381e README.Coding.md: add DBG_STARTUP_NOTICE macro
   via  159cfde446c logging: use DBG_STARTUP_NOTICE for startup message
   via  ccfe345fece debug.h: introduce DEBUG_STARTUP_NOTICE
   via  b7631bf603f lib/util: move copyright define to copyright.h
  from  19105f51d03 vfs_ceph: Fix some uninitialized structs and pointers

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 5119d5540de6fa56cb92c82a2bf719c6656a2988
Author: Günther Deschner 
Date:   Thu Nov 16 21:05:12 2023 +0100

s4-winreg: fix dcesrv_winreg_EnumValue behavior

When returning WERR_MORE_DATA the winreg server needs to indicate the
required buffer size.

Guenther

Signed-off-by: Guenther Deschner 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Mon Nov 20 04:50:00 UTC 2023 on atb-devel-224

commit 1fd0689f0ef3e833ffd23683d89fa39077a7ce63
Author: Günther Deschner 
Date:   Wed Nov 15 17:13:20 2023 +0100

s3-winreg: fix _winreg_EnumValue behavior

When returning WERR_MORE_DATA the winreg server needs to indicate the
required buffer size.

Guenther

Signed-off-by: Guenther Deschner 
Reviewed-by: Andrew Bartlett 

commit 43a8a03767a0758e9dbe7a4d3473bfba4aa784c3
Author: Günther Deschner 
Date:   Wed Nov 15 17:36:46 2023 +0100

s4-torture: add test to check for Windows behavior of EnumValue call

Guenther

Signed-off-by: Guenther Deschner 
Reviewed-by: Andrew Bartlett 

commit 36745d63d687bdd310be0415c1a871a65a5ee724
Author: Günther Deschner 
Date:   Wed Nov 15 19:07:32 2023 +0100

s4-torture: add torture_assert_werr_equal_goto and 
torture_assert_werr_ok_goto macros

Guenther

Signed-off-by: Guenther Deschner 
Reviewed-by: Andrew Bartlett 

commit 9501dbeeb1e98ce0dfe2f6a6df63605734bd4ae4
Author: Günther Deschner 
Date:   Mon Nov 13 16:49:32 2023 +0100

s3-rpcclient: add winreg_enumval command

Guenther

Signed-off-by: Guenther Deschner 
Reviewed-by: Andrew Bartlett 

commit baa67024bca391f2e212b91131f544cc911c6895
Author: Björn Jacke 
Date:   Mon Sep 18 13:45:54 2023 +0200

s4/server.c: move some log messages from ERR to NOTICE

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15377

Signed-off-by: Bjoern Jacke 
Reviewed-by: Andrew Bartlett 

commit 55d895dc42248ad524a10812b9975ac05a722fdc
Author: Björn Jacke 
Date:   Mon Sep 18 23:42:31 2023 +0200

profile: issues info message with lower log level

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15377

Signed-off-by: Bjoern Jacke 
Reviewed-by: Andrew Bartlett 

commit 72f20311acc4ab8851f18ac2b87f7ecc7803afad
Author: Björn Jacke 
Date:   Mon Sep 18 14:35:55 2023 +0200

source3/nmbd/nmbd.c: use DBG_STARTUP_NOTICE

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15377

Signed-off-by: Bjoern Jacke 
Reviewed-by: Andrew Bartlett 

commit 50337acaa566b6696e035e38f6408f65805182a0
Author: Björn Jacke 
Date:   Mon Sep 18 14:34:29 2023 +0200

lib/util/become_daemon.c: use DBG_STARTUP_NOTICE

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15377

Signed-off-by: Bjoern Jacke 
Reviewed-by: Andrew Bartlett 

commit bb370b9381e5d223ff4ac62f612888f90a63fcc5
Author: Björn Jacke 
Date:   Wed Nov 15 19:44:38 2023 +0100

README.Coding.md: add DBG_STARTUP_NOTICE macro

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15377

Signed-off-by: Bjoern Jacke 
Reviewed-by: Andrew Bartlett 

commit 159cfde446c95c387ef212be103b109ea0dca93d
Author: Björn Jacke 
Date:   Mon Jun 5 18:10:07 2023 +0200

logging: use DBG_STARTUP_NOTICE for startup message

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15377

Signed-off-by: Bjoern Jacke 
Reviewed-by: Andrew Bartlett 

commit ccfe345fece0a5a44d766fb9426d43c2e046d040
Author: Björn Jacke 
Date:   Mon Sep 18 13:48:06 2023 +0200

debug.h: introduce DEBUG_STARTUP_NOTICE

This is log level -1 and lowest syslog priority. This is used for start up
messages and copyright notices, which should

[SCM] Samba Shared Repository - branch master updated

2023-11-15 Thread Andrew Bartlett
The branch, master has been updated
   via  fe1d45cf1e9 s4:librpc: Add functions converting between bytes and 
UTF‐16 strings
   via  5f3f3c0cc3e s4:librpc: Remove trailing whitespace
   via  df19006c782 tests/krb5: Allow creating Group Managed Service 
Accounts
   via  7a9ad610226 pidl: Don’t overwrite exception set by 
PyUnicode_AsEncodedString()
   via  ddb98e7d611 pidl: Remove trailing whitespace
   via  e04f627e4f2 librpc:ndr: Fix comment
   via  204a46b712c librpc:ndr: Don’t duplicate strings needlessly
   via  e01e6202e60 librpc:ndr: Move call to convert_string_talloc() on to 
its own line
   via  2e2b80f895d librpc:ndr: Introduce common out path in 
ndr_push_string()
   via  5e580fadeed librpc:ndr: Fix error message
   via  4b03c6de54b librpc:ndr: Fix code formatting
   via  939ceb233ef util/charset: Add talloc_utf16_str[n]dup()
   via  b6ff89f6fb3 util/charset: Include missing headers
   via  3f0809f1eef util/charset: Remove unnecessary cast
  from  3f908e19a04 s4-scripting: Remove repl_cleartext_pwd.py

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit fe1d45cf1e90e9d75f3a47d65b920e2a7e472c97
Author: Joseph Sutton 
Date:   Thu Nov 16 11:20:22 2023 +1300

s4:librpc: Add functions converting between bytes and UTF‐16 strings

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Thu Nov 16 06:23:35 UTC 2023 on atb-devel-224

commit 5f3f3c0cc3ef7ca5237ba1e4865259e02f41a12c
Author: Joseph Sutton 
Date:   Wed Nov 8 21:09:14 2023 +1300

s4:librpc: Remove trailing whitespace

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit df19006c7825609c18a6e21d3920696bc0955e70
Author: Joseph Sutton 
Date:   Mon Nov 13 17:07:02 2023 +1300

tests/krb5: Allow creating Group Managed Service Accounts

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 7a9ad610226dfbdb5e645e6fe98fd266a960e2d1
Author: Joseph Sutton 
Date:   Wed Nov 15 12:10:36 2023 +1300

pidl: Don’t overwrite exception set by PyUnicode_AsEncodedString()

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit ddb98e7d611f7c3160af4ea54bb6cf6bdf1ad0a3
Author: Joseph Sutton 
Date:   Thu Nov 9 14:08:19 2023 +1300

pidl: Remove trailing whitespace

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit e04f627e4f2c6b2a2501634fd212e2527f4e0891
Author: Joseph Sutton 
Date:   Wed Nov 15 15:07:53 2023 +1300

librpc:ndr: Fix comment

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 204a46b712cb025d2462b7e4319c04d451e2d550
Author: Joseph Sutton 
Date:   Thu Nov 16 10:15:36 2023 +1300

librpc:ndr: Don’t duplicate strings needlessly

If the source string doesn’t need to be converted, there’s no reason for
it to be talloc‐allocated.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit e01e6202e606476066231b0b84903c604db07a6e
Author: Joseph Sutton 
Date:   Thu Nov 16 14:50:58 2023 +1300

librpc:ndr: Move call to convert_string_talloc() on to its own line

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 2e2b80f895dbe436290321074464b54f2943640f
Author: Joseph Sutton 
Date:   Thu Nov 16 10:22:26 2023 +1300

librpc:ndr: Introduce common out path in ndr_push_string()

This ensures that ‘dest’ gets freed on failure.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 5e580fadeed52ab723c1f6252dd4a49d0824a229
Author: Joseph Sutton 
Date:   Mon Nov 13 17:04:34 2023 +1300

librpc:ndr: Fix error message

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 4b03c6de54bfe7773ea97bf6707c6144433acf11
Author: Joseph Sutton 
Date:   Thu Nov 16 10:43:12 2023 +1300

librpc:ndr: Fix code formatting

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 939ceb233ef94a0d2d45da39076ba3e78665c776
Author: Joseph Sutton 
Date:   Thu Nov 16 11:10:28 2023 +1300

util/charset: Add talloc_utf16_str[n]dup()

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit b6ff89f6fb32a74365cc7116beb1ef949aaae021
Author: Joseph Sutton 
Date:   Wed Nov 15 15:26:56 2023 +1300

util/charset: Include missing headers

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 3f0809f1eef116454584a84b270a1fd7feeebe64
Author: Joseph Sutton 
Date:   Mon Nov 13 12:21:20 2023 +1300

util/charset: Remove unnecessary cast

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

---

Summary of changes:
 lib/util/charset/charset.h   |   6 ++
 lib/util/charset/convert_string.c|   2

[SCM] Samba Shared Repository - branch master updated

2023-11-15 Thread Andrew Bartlett
The branch, master has been updated
   via  3f908e19a04 s4-scripting: Remove repl_cleartext_pwd.py
   via  4ec50d91097 s4-scripting/devel: Fix str() vs bytes() issue in 
repl_cleartext_pwd.py
   via  79ef40b0262 s4-scripting/devel: Fix repl_cleartext_pwd to use 
built-in RC4
   via  6613b5bd121 s3/utils: Use sddl_decode_err_msg instead of sddl_decode
   via  b319769ebd1 s3/utils: Detect (and report) failure to parse sddl
   via  d0d026bdb51 libcli/security: Debug only when we failed to decode
  from  7c1e3f0d82a python:tests: Ensure we clean up callbacks in 
pymessaging tests

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 3f908e19a0422f9552d43e30762d93a8fc988ab2
Author: Andrew Bartlett 
Date:   Thu Nov 16 14:10:45 2023 +1300

s4-scripting: Remove repl_cleartext_pwd.py

This script was the precursor to newer samba-tool commands and no longer
works.  The previous commits record some of the work to have it operate in
the modern era, but keeping this around is more trouble than it is worth.

Use these commands instead:
 samba-tool drs clone-dc-database --include-secrets
 samba-tool user getpassword administrator --attributes=virtualClearTextUTF8

Signed-off-by: Andrew Bartlett 
Reviewed-by: Reviewed-by: Joseph Sutton 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Thu Nov 16 02:46:57 UTC 2023 on atb-devel-224

commit 4ec50d91097dd2467411b1150808ea62652696a3
Author: Andrew Bartlett 
Date:   Thu Mar 30 01:29:22 2023 +

s4-scripting/devel: Fix str() vs bytes() issue in repl_cleartext_pwd.py

Signed-off-by: Andrew Bartlett 
Reviewed-by: Reviewed-by: Joseph Sutton 

commit 79ef40b02627668e03651782e45b98ffa0373329
Author: Andrew Bartlett 
Date:   Thu Mar 30 14:22:24 2023 +1300

s4-scripting/devel: Fix repl_cleartext_pwd to use built-in RC4

This allows the usage test to pass on our CI hosts without
python-crypto and not uxsuccess on hosts with it.

Signed-off-by: Andrew Bartlett 
Reviewed-by: Reviewed-by: Joseph Sutton 

commit 6613b5bd121e3450060053a5ee8cff0ecd69d55e
Author: Noel Power 
Date:   Wed Nov 15 13:07:26 2023 +

s3/utils: Use sddl_decode_err_msg instead of sddl_decode

Use sddl_decode_err_msg instead of sddl_decode for possibly better
error reporting.

Signed-off-by: Noel Power 
Reviewed-by: Andrew Bartlett 

commit b319769ebd1caf4a406211f62cf6086ad3057672
Author: Noel Power 
Date:   Wed Nov 15 12:55:36 2023 +

s3/utils: Detect (and report) failure to parse sddl

Signed-off-by: Noel Power 
Reviewed-by: Andrew Bartlett 

commit d0d026bdb512b5765f9a8ecc5268fbc238571adc
Author: Noel Power 
Date:   Wed Nov 15 11:29:46 2023 +

libcli/security: Debug only when we failed to decode

Signed-off-by: Noel Power 
Reviewed-by: Andrew Bartlett 

---

Summary of changes:
 libcli/security/sddl.c                        |  13 +-
 selftest/knownfail.d/usage                    |   2 -
 source3/utils/smbcacls.c                      |  61 +++-
 source4/scripting/devel/repl_cleartext_pwd.py | 412 --
 4 files changed, 65 insertions(+), 423 deletions(-)
 delete mode 100755 source4/scripting/devel/repl_cleartext_pwd.py


Changeset truncated at 500 lines:

diff --git a/libcli/security/sddl.c b/libcli/security/sddl.c
index 2cad84a937a..a4659c107b5 100644
--- a/libcli/security/sddl.c
+++ b/libcli/security/sddl.c
@@ -995,11 +995,14 @@ struct security_descriptor *sddl_decode(TALLOC_CTX 
*mem_ctx, const char *sddl,
 
ACE_CONDITION_FLAG_ALLOW_DEVICE,
 ,
 _offset);
-   DBG_NOTICE("could not decode '%s'\n", sddl);
-   if (msg != NULL) {
-   DBG_NOTICE("  %*c\n", (int)msg_offset, '^');
-   DBG_NOTICE("error '%s'\n", msg);
-   talloc_free(discard_const(msg));
+   if (sd == NULL) {
+   DBG_NOTICE("could not decode '%s'\n", sddl);
+   if (msg != NULL) {
+   DBG_NOTICE("  %*c\n",
+  (int)msg_offset, '^');
+   DBG_NOTICE("error '%s'\n", msg);
+   talloc_free(discard_const(msg));
+   }
}
return sd;
 }
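Review bot: With talloc_free(discard_const(msg)) now inside the new "if (sd == NULL)" block, a non-NULL msg returned alongside a valid sd is no longer freed, where the old code freed it whenever it was set. If the decoder can only set msg on failure, a one-line comment saying so would settle it; otherwise keep the free outside the sd check and gate only the DBG_NOTICE calls.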
diff --git a/selftest/knownfail.d/usage b/selftest/knownfail.d/usage
index b8e0bbc356d..e7d707f0e7d 100644
--- a/selftest/knownfail.d/usage
+++ b/selftest/knownfail.d/usage
@@ -5,7 +5,6 @@ 
samba.tests.usage.sa

[SCM] Samba Shared Repository - branch master updated

2023-11-15 Thread Andrew Bartlett
The branch, master has been updated
   via  7c1e3f0d82a python:tests: Ensure we clean up callbacks in 
pymessaging tests
   via  beff3e6d776 python:tests: Fix crashing pymessaging tests
   via  ec3e420840e util/charset: Prefer PULL_LE_U16() to older SVAL() macro
   via  99e0a0f21ad util/charset/tests: Add tests for UTF‐16 string length 
functions
   via  7ebf7f424d0 s4:torture: Remove trailing whitespace
   via  a46746381b2 util/charset: Add utf16_len_n()
   via  74a5a3b74e1 util/charset: Include final UTF‐16 code unit in length 
calculation loop
   via  516f35b5a11 util/charset: Add utf16_len()
   via  16996d145b1 util/charset: Rename utf16_len() to 
utf16_null_terminated_len()
   via  542e5a3039a util/charset: Rename utf16_len_n() to 
utf16_null_terminated_len_n()
   via  c2a743190fc s4:smb_server: Remove trailing whitespace
   via  a63cf19ee43 s4:libcli: Remove trailing whitespace
   via  982238e914a util/charset: Remove trailing whitespace
   via  1e029b2cd75 librpc:ndr: Convert NDR flags types to enumerations
   via  2562f24d112 librpc:ndr: Fix comment
   via  5b693597b0d libndr:ndr: Allow only one string encoding flag
   via  ce2f4ecd596 librpc:ndr: Prohibit STR_NULLTERM|STR_NOTERM flags 
combination
   via  ef0109d2cd7 librpc:ndr: Check return values of talloc functions
   via  b11978a06cf librpc:ndr: Fix error messages
   via  609965b6ea0 libcli/security:sddl_decode message offset safety latch
   via  1f4e018ef1b libcli/security/test_sddl_conditional_ace: add message 
tests
   via  2b4f97249f3 libcli/security:sddl_parse: add some top level error 
messages
   via  15fcf9b769b libcl/security:sddl_decode_acl: expand a comment
   via  01f8b61035a libcli/security:sddl_decode_ace: fix ';' count message
   via  dd41357fcd0 libcl/security:sddl_decode_acl: add a message
   via  206db403b49 libcli/security:sddl_decode_ace: add more messages
   via  f712f8d3710 libcli/security: adjust log verbosity in sddl_decode
   via  74c6cf44b9d libcli/security:sddl_decode_ace: turn DBG_WARNINGs into 
messages
   via  23a83d37df6 pytest:samba-tool domain auth policy: expect error 
message detail
   via  b18fe675c0d libcli/security:sddl_decode_err_msg(): don't pretend 
msg is optional (CID1548624)
  from  12e5c15a97b vfs_zfsacl: Call stat CAP_DAC_OVERRIDE functions

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 7c1e3f0d82a08cf0e5fea4fabbc7ad05d0ebbb84
Author: Joseph Sutton 
Date:   Tue Nov 14 12:45:35 2023 +1300

python:tests: Ensure we clean up callbacks in pymessaging tests

Not calling ‘deregister()’ results in memory getting leaked.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Wed Nov 15 23:11:13 UTC 2023 on atb-devel-224

commit beff3e6d7762b423500a7ebf163878ede68b4a2f
Author: Joseph Sutton 
Date:   Tue Nov 14 12:34:01 2023 +1300

python:tests: Fix crashing pymessaging tests

Commit 8c75d9fc73614fad29a998d08c4b11034ab2aebb changed
Messaging.deregister() to take a two‐element tuple containing private
data as well as a callback, but it did not change the call in
samba.tests.messaging.MessagingTests.test_register to match.

Since imessaging_deregister() completely ignored the ‘private_data’
parameter passed to it (assuming the callback was registered with
msg_type == -1), everything still appeared to work — until commit
b22c21799527323877b330c16c23057582721abb changed Messaging.deregister()
to no longer leak memory. Now the wrong variable had its reference count
decremented, causing the test to crash.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit ec3e420840eded527a2a7bb1177b5daa79ee8448
Author: Joseph Sutton 
Date:   Thu Nov 9 12:46:17 2023 +1300

util/charset: Prefer PULL_LE_U16() to older SVAL() macro

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 99e0a0f21adc36e42ecce56c88e584e38e6fb23d
Author: Joseph Sutton 
Date:   Tue Nov 14 12:31:07 2023 +1300

util/charset/tests: Add tests for UTF‐16 string length functions

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 7ebf7f424d0b5d6872ee6a74e369ccd96de4b9f3
Author: Joseph Sutton 
Date:   Tue Nov 14 13:07:19 2023 +1300

s4:torture: Remove trailing whitespace

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit a46746381b2bf7c336e4411430ecfc5fbb3cbb2a
Author: Joseph Sutton 
Date:   Thu Nov 9 12:43:07 2023 +1300

util/charset: Add utf16_len_n()

This function returns the length in bytes — at most ‘n’ — of a UTF‐16
string excluding the null terminator.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit

[SCM] Samba Shared Repository - branch master updated

2023-11-14 Thread Andrew Bartlett
The branch, master has been updated
   via  b6661e77de2 netcmd: docs: update docs for silo member grant + revoke
   via  88ea6b17e17 netcmd: tests: update silo member grant and revoke 
docstings and comments
   via  9708209d759 netcmd: tests: rename silo member tests to grant + 
revoke
   via  2ee86e78cf6 netcmd: tests: rename add_silo_member and 
remove_silo_member methods in test
   via  d9552dc08db netcmd: silo member: update docstrings comments and 
print statements for grant + revoke
   via  becb0ecf35d netcmd: silo member: update command line options help 
text for grant + revoke
   via  fb2453d1a36 netcmd: silo member: rename add and remove commands to 
grant and revoke
   via  047ddb10019 netcmd: silo member: update model docstrings and 
exception text
   via  abc3b508313 netcmd: silo member: rename model methods to grant and 
revoke
   via  19613057d90 netcmd: silo member: rename exceptions to grant and 
revoke
   via  422cc1d17d2 netcmd: models: fix incorrect return type should not be 
User
   via  42be08c1928 netcmd: models: Model.query method makes use of Query 
class
   via  efedfab33e0 netcmd: models: add Query class to replace simple 
generator
   via  172f55fb0e8 netcmd: docs: document samba-tool user auth silo and 
policy commands
   via  c9ba99a948d netcmd: tests: add tests for user auth policy and silo 
commands
   via  ca9a11c6e81 netcmd: tests: rename domain_auth_base.py to 
silo_base.py
   via  bcc77601f2f netcmd: tests: rename base class to be used by more 
tests
   via  422680f82fd netcmd: add auth silo and policy sub-commands to 
samba-tool user
   via  2f20fa9b90a netcmd: silo member: Make output consistent with user 
command
   via  30992e865c5 netcmd: model: User model str method returns username 
not cn
   via  d4e84177ca4 netcmd: tests: make use of unique_name
   via  d3e18dbe43f netcmd: silo member uses consistent output with other 
commands
   via  0eb727a54d4 netcmd: silo member add and remove should not set 
assigned_silo
   via  9250508601f netcmd: silo member: make use of User.find function
   via  921cc1df67e netcmd: model: add a find method to User model to avoid 
repeating code
   via  a75cbd85e0f netcmd: model: add missing assigned_policy field on 
User model
   via  925ec0e6c8c netcmd: user: PEP8 E303 E305: fix too many or too 
little blank lines
   via  db08030c8f4 netcmd: user: PEP8 E225: missing whitespace around 
operator
   via  f1c6d4cb733 netcmd: user: PEP8 E221: fix multiple spaces before 
operator
   via  6b0cb653639 netcmd: user: PEP8 E127: fix hanging indent not lining 
up
   via  30cb66aec48 netcmd: user: PEP8 E502: backslash is redundant between 
brackets
   via  cae5456a294 netcmd: user: PEP8 E117: code is overindented
   via  d9c230ff80d python/samba/tests: Add smbcacl tests for save/restore
   via  520e3ac06d5 docs-xml: Update manpages for new -T, --save & 
--restore options
   via  fa5725cdb01 s3/utils: Add support to smbcacls to restore dacls from 
file
   via  db88697df2b s3/utils: Add functionality to smbcacls to save dacl(s) 
to a restore file
   via  dd2133ba486 s3/utils: Add recursive option to smcacls
   via  1273f9a2a51 s3/utils: Add save and restore config switches (and 
help output)
   via  8ead28b26b8 s3/utils: ensure sddl_encode/sddl_decode both use 
domain_sid
   via  426ca4cf4b6 pytests: sid_strings: do not fail if epoch ending has 
zeros
  from  b649007a532 smbd: remove now unneccessary wrapper 
vfs_fget_dos_attributes()

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit b6661e77de2e8bb63385c42f1eee97f835a16775
Author: Rob van der Linde 
Date:   Wed Nov 8 10:21:02 2023 +1300

netcmd: docs: update docs for silo member grant + revoke

Signed-off-by: Rob van der Linde 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Wed Nov 15 05:00:58 UTC 2023 on atb-devel-224

commit 88ea6b17e17a129d3c4135f0fb42c739effa8f17
Author: Rob van der Linde 
Date:   Wed Nov 8 09:44:14 2023 +1300

netcmd: tests: update silo member grant and revoke docstings and comments

Signed-off-by: Rob van der Linde 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 9708209d759c2bfd0e3845b5eb890c5abfd21ccc
Author: Rob van der Linde 
Date:   Wed Nov 8 09:42:33 2023 +1300

netcmd: tests: rename silo member tests to grant + revoke

Signed-off-by: Rob van der Linde 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 2ee86e78cf6119b0280e6777f1c97aa60ae9c4d2
Author: Rob van der Linde 
Date:   Wed Nov 8 09:35:13 2023 +1300

netcmd: tests: rename add_silo_member and remove_silo_member methods in test

Signed-off-by: Rob van der L

[SCM] Samba Shared Repository - branch master updated

2023-11-12 Thread Andrew Bartlett
The branch, master has been updated
   via  29bb93d03a4 libcli/security: conditional aces: don't allow U+ 
in unicode
   via  4decb074d8f librpc/ndr: Add support for 
LIBNDR_FLAG_STR_NO_EMBEDDED_NUL
   via  2b4a17f54fe librpc/ndr: Remove confusing case where returned string 
pointer "as" could be NULL
  from  29558014911 torture3: Correct use of enum client_flavour defines

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 29bb93d03a48c789e71a434eea65f286bd0029bd
Author: Andrew Bartlett 
Date:   Tue Nov 7 13:44:55 2023 +1300

libcli/security: conditional aces: don't allow U+ in unicode

Allowing this broke a round-trip decode-encode fuzz test. Credit to 
OSS-Fuzz.

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=62742

(Comments are from an earlier commit by Douglas Bagnall)

Signed-off-by: Andrew Bartlett 
Reviewed-by: Reviewed-by: Joseph Sutton 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Mon Nov 13 02:30:23 UTC 2023 on atb-devel-224

commit 4decb074d8feed66201057fd663e257cf45c65d6
Author: Andrew Bartlett 
Date:   Mon Nov 6 11:11:14 2023 +1300

librpc/ndr: Add support for LIBNDR_FLAG_STR_NO_EMBEDDED_NUL

This requires that, other than termination, no NUL (\0) codepoints
exist in the input string, because bytes beyond that will be lost
in the output string.

This in turn causes trouble for round-trip testing, so it is easiest
to reject it upfront (on an opt-in basis).

Signed-off-by: Andrew Bartlett 
Reviewed-by: Reviewed-by: Joseph Sutton 

commit 2b4a17f54fee552717068377dfc15f474fde
Author: Andrew Bartlett 
Date:   Mon Nov 6 10:18:47 2023 +1300

librpc/ndr: Remove confusing case where returned string pointer "as" could 
be NULL

The failure to talloc_strdup("") is just an error and all other cases set
the string or give an error.
    
Signed-off-by: Andrew Bartlett 
Reviewed-by: Reviewed-by: Joseph Sutton 

---

Summary of changes:
 librpc/idl/conditional_ace.idl |   7 +-
 librpc/idl/idl_types.h |   1 +
 librpc/ndr/libndr.h|   2 +
 librpc/ndr/ndr_string.c|  52 ++-
 librpc/tests/test_ndr_string.c | 337 -
 5 files changed, 395 insertions(+), 4 deletions(-)


Changeset truncated at 500 lines:

diff --git a/librpc/idl/conditional_ace.idl b/librpc/idl/conditional_ace.idl
index e36fe9b43a1..5842c7dddcb 100644
--- a/librpc/idl/conditional_ace.idl
+++ b/librpc/idl/conditional_ace.idl
@@ -276,7 +276,12 @@ interface conditional_ace
} ace_condition_int;
 
typedef [public] struct {
-   [flag(STR_SIZE4|STR_NOTERM|STR_BYTESIZE)] string value;
+   /*
+* Zeroes are not allowed in the binary format (which
+* is otherwise UTF-16), and if we did let them
+* through we would end up with a truncated string.
+*/
+   [flag(STR_SIZE4|STR_NOTERM|STR_BYTESIZE|STR_NO_EMBEDDED_NUL)] 
string value;
} ace_condition_unicode;
 
typedef [public] struct {
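
Review bot: The new comment above `value` in ace_condition_unicode says "Zeroes are not allowed in the binary format", which can be read as forbidding any zero byte, although UTF-16 encodes every ASCII character with a zero high byte. Suggest wording it as "NUL (U+0000) code units are not allowed" so it matches the STR_NO_EMBEDDED_NUL flag name, and stating whether the rejection is meant to apply on pull, on push, or both.
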
diff --git a/librpc/idl/idl_types.h b/librpc/idl/idl_types.h
index 2d063de0bc7..a21893f6562 100644
--- a/librpc/idl/idl_types.h
+++ b/librpc/idl/idl_types.h
@@ -5,6 +5,7 @@
 #define STR_NOTERM LIBNDR_FLAG_STR_NOTERM
 #define STR_NULLTERM   LIBNDR_FLAG_STR_NULLTERM
 #define STR_BYTESIZE   LIBNDR_FLAG_STR_BYTESIZE
+#define STR_NO_EMBEDDED_NUL LIBNDR_FLAG_STR_NO_EMBEDDED_NUL
 #define STR_CONFORMANT  LIBNDR_FLAG_STR_CONFORMANT
 #define STR_CHARLENLIBNDR_FLAG_STR_CHARLEN
 #define STR_UTF8   LIBNDR_FLAG_STR_UTF8
diff --git a/librpc/ndr/libndr.h b/librpc/ndr/libndr.h
index b0596039526..3a453b5b168 100644
--- a/librpc/ndr/libndr.h
+++ b/librpc/ndr/libndr.h
@@ -150,6 +150,7 @@ struct ndr_print {
 #define LIBNDR_FLAG_STR_NULLTERM   (1U<<6)
 #define LIBNDR_FLAG_STR_SIZE2  (1U<<7)
 #define LIBNDR_FLAG_STR_BYTESIZE   (1U<<8)
+#define LIBNDR_FLAG_STR_NO_EMBEDDED_NUL (1U<<9)
 #define LIBNDR_FLAG_STR_CONFORMANT (1U<<10)
 #define LIBNDR_FLAG_STR_CHARLEN(1U<<11)
 #define LIBNDR_FLAG_STR_UTF8   (1U<<12)
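
Review bot: LIBNDR_FLAG_STR_NO_EMBEDDED_NUL is defined as (1U<<9) with no comment, and unlike its neighbours (NULLTERM, SIZE2, BYTESIZE, CONFORMANT), which describe wire layout, it is a validation rule. Please add a one-line comment at the define saying what it rejects and that it is opt-in, and confirm that bit 9, the gap between (1U<<8) and (1U<<10) in this list, was not being held in reserve for something else.
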
@@ -162,6 +163,7 @@ struct ndr_print {
LIBNDR_FLAG_STR_NULLTERM | \
LIBNDR_FLAG_STR_SIZE2 | \
LIBNDR_FLAG_STR_BYTESIZE | \
+   LIBNDR_FLAG_STR_NO_EMBEDDED_NUL | \
LIBNDR_FLAG_STR_CONFORMANT | \
LIBNDR_FLAG_STR_CHARLEN | \
LIBNDR_FLAG_STR_UTF8 | \
diff --git a/librpc/ndr/ndr_string.c b/librpc/ndr/ndr_string.c
index d0b64dc6fd9..57a49e34c17 100644
--- a/librpc/ndr/ndr_string.c
+++ b/librpc/ndr/ndr_string.c
@@ -50,6 +50,12 @@ _PUBLIC_
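
The failure mode described in the LIBNDR_FLAG_STR_NO_EMBEDDED_NUL commit message above, as an added example that is not Samba's code: a byte-counted UTF-16LE field containing U+0000 decodes without error but re-encodes shorter, and an opt-in check rejects it up front. All names here (pull_string, push_string, utf16le_len_before_nul, round_trips, the sample buffers) are hypothetical and constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_UNITS 64

enum pull_status {
	PULL_OK = 0,
	PULL_ERR_ODD_LENGTH,
	PULL_ERR_TOO_LONG,
	PULL_ERR_EMBEDDED_NUL
};

/* Decoded form: NUL-terminated code units, i.e. a C-style string. */
struct decoded {
	uint16_t units[MAX_UNITS + 1];
};

/* Constructed sample fields: "abc", and "a" U+0000 "c". */
static const uint8_t sample_clean[] = { 'a', 0, 'b', 0, 'c', 0 };
static const uint8_t sample_embedded[] = { 'a', 0, 0, 0, 'c', 0 };

/* Read one little-endian UTF-16 code unit. */
static uint16_t pull_le_u16(const uint8_t *p)
{
	return (uint16_t)(p[0] | (p[1] << 8));
}

/* Bytes (at most n) of UTF-16LE data before the first U+0000 code unit. */
static size_t utf16le_len_before_nul(const uint8_t *buf, size_t n)
{
	size_t len = 0;

	while (len + 2 <= n && pull_le_u16(buf + len) != 0) {
		len += 2;
	}
	return len;
}

/*
 * Decode a byte-counted, unterminated UTF-16LE field. With
 * no_embedded_nul set, a U+0000 anywhere inside the counted bytes is
 * rejected up front instead of being copied into the C-style string.
 */
static enum pull_status pull_string(const uint8_t *buf, size_t nbytes,
				    int no_embedded_nul, struct decoded *out)
{
	size_t i, nunits = nbytes / 2;

	if (nbytes % 2 != 0) {
		return PULL_ERR_ODD_LENGTH;
	}
	if (nunits > MAX_UNITS) {
		return PULL_ERR_TOO_LONG;
	}
	if (no_embedded_nul &&
	    utf16le_len_before_nul(buf, nbytes) != nbytes) {
		return PULL_ERR_EMBEDDED_NUL;
	}
	for (i = 0; i < nunits; i++) {
		out->units[i] = pull_le_u16(buf + 2 * i);
	}
	out->units[nunits] = 0;
	return PULL_OK;
}

/* Re-encode; the length comes from the terminator, as with any C string. */
static size_t push_string(const struct decoded *in, uint8_t *buf, size_t bufsize)
{
	size_t i = 0;

	while (in->units[i] != 0 && 2 * (i + 1) <= bufsize) {
		buf[2 * i] = (uint8_t)(in->units[i] & 0xff);
		buf[2 * i + 1] = (uint8_t)(in->units[i] >> 8);
		i++;
	}
	return 2 * i;
}

/* Returns 1 if decode followed by encode reproduces the input bytes. */
static int round_trips(const uint8_t *buf, size_t nbytes, int no_embedded_nul,
		       enum pull_status *status)
{
	struct decoded d;
	uint8_t out[2 * MAX_UNITS];
	size_t outlen;

	*status = pull_string(buf, nbytes, no_embedded_nul, &d);
	if (*status != PULL_OK) {
		return 0;
	}
	outlen = push_string(&d, out, sizeof(out));
	return outlen == nbytes && memcmp(out, buf, nbytes) == 0;
}

int main(void)
{
	enum pull_status st;
	int ok;

	ok = round_trips(sample_embedded, sizeof(sample_embedded), 0, &st);
	printf("flag off: status=%d round_trip=%d\n", (int)st, ok);
	ok = round_trips(sample_embedded, sizeof(sample_embedded), 1, &st);
	printf("flag on:  status=%d round_trip=%d\n", (int)st, ok);
	return 0;
}
```

Without the flag the decode reports success and the mismatch only shows up when the value is re-encoded, which is the situation a round-trip fuzz test trips over.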

[SCM] Samba Shared Repository - branch master updated

2023-11-09 Thread Andrew Bartlett
The branch, master has been updated
   via  b8ffb245964 third_party/heimdal: krb5: Try to decode e-data as 
KERB-ERROR-DATA (falling back to METHOD-DATA) (Import 
lorikeet-heimdal-202311092338 (commit 50996e5f0b0f22a4eb755a6f22cb7b4ecab2aeea))
  from  fb867873d87 netcmd: Disallow device‐specific attributes and 
operators for allowed‐to‐authenticate‐from fields

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit b8ffb24596452edb647d8df8b2ec608a607ebac4
Author: Joseph Sutton 
Date:   Fri Nov 10 12:43:03 2023 +1300

third_party/heimdal: krb5: Try to decode e-data as KERB-ERROR-DATA (falling 
back to METHOD-DATA) (Import lorikeet-heimdal-202311092338 (commit 
50996e5f0b0f22a4eb755a6f22cb7b4ecab2aeea))

Previously we tried to decode KERB-ERROR-DATA as METHOD-DATA,
resulting in a confusing error message. Now we just ignore it; but we
could also choose to set an error message containing the NTSTATUS code
in hexadecimal.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15514

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Fri Nov 10 01:35:32 UTC 2023 on atb-devel-224

---

Summary of changes:
 third_party/heimdal/lib/krb5/get_cred.c  | 30 +-
 third_party/heimdal/lib/krb5/init_creds_pw.c | 37 
 2 files changed, 51 insertions(+), 16 deletions(-)


Changeset truncated at 500 lines:

diff --git a/third_party/heimdal/lib/krb5/get_cred.c 
b/third_party/heimdal/lib/krb5/get_cred.c
index 6e48846bcb3..ff06325912b 100644
--- a/third_party/heimdal/lib/krb5/get_cred.c
+++ b/third_party/heimdal/lib/krb5/get_cred.c
@@ -719,13 +719,31 @@ get_cred_kdc(krb5_context context,
memset(, 0, sizeof(md));
 
if (rep.error.e_data) {
-   ret = decode_METHOD_DATA(rep.error.e_data->data,
-rep.error.e_data->length,
-, NULL);
+   KERB_ERROR_DATA kerb_error_data;
+
+   memset(_error_data, 0, sizeof(kerb_error_data));
+
+   /* First try to decode the e-data as KERB-ERROR-DATA. */
+   ret = decode_KERB_ERROR_DATA(rep.error.e_data->data,
+rep.error.e_data->length,
+_error_data,
+);
if (ret) {
-   krb5_set_error_message(context, ret,
-  N_("Failed to decode METHOD-DATA", ""));
-   goto out;
+   /* That failed, so try to decode it as METHOD-DATA. */
+   ret = decode_METHOD_DATA(rep.error.e_data->data,
+rep.error.e_data->length,
+, NULL);
+   if (ret) {
+   krb5_set_error_message(context, ret,
+  N_("Failed to decode METHOD-DATA", 
""));
+   goto out;
+   }
+   } else if (len != rep.error.e_data->length) {
+   /* Trailing data — just ignore the error. */
+   free_KERB_ERROR_DATA(_error_data);
+   } else {
+   /* OK. */
+   free_KERB_ERROR_DATA(_error_data);
}
}
 
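
Review bot: In get_cred_kdc() the `else if (len != rep.error.e_data->length)` branch and the final `else` branch do exactly the same thing (free_KERB_ERROR_DATA), so the length comparison has no effect. Either collapse them into a single `else`, or, if trailing bytes mean the blob was not really KERB-ERROR-DATA, fall back to decode_METHOD_DATA() in that case too. When the first decode succeeds, `md` stays zeroed and no error message is set; a short comment saying that this is intended would help the next reader.
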
diff --git a/third_party/heimdal/lib/krb5/init_creds_pw.c 
b/third_party/heimdal/lib/krb5/init_creds_pw.c
index 2c026ad29f2..8b6db0be594 100644
--- a/third_party/heimdal/lib/krb5/init_creds_pw.c
+++ b/third_party/heimdal/lib/krb5/init_creds_pw.c
@@ -3146,19 +3146,36 @@ init_creds_step(krb5_context context,
memset(>md, 0, sizeof(ctx->md));
 
if (ctx->error.e_data) {
+   KERB_ERROR_DATA kerb_error_data;
krb5_error_code ret2;
 
-   ret2 = decode_METHOD_DATA(ctx->error.e_data->data,
-ctx->error.e_data->length,
->md,
-NULL);
+   memset(_error_data, 0, sizeof(kerb_error_data));
+
+   /* First try to decode the e-data as KERB-ERROR-DATA. */
+   ret2 = decode_KERB_ERROR_DATA(ctx->error.e_data->data,
+ ctx->error.e_data->length,
+ _error_data,
+ );
if (ret2) {
-   /*
-* Just ignore any error, the error will be pushed
-* out from krb5_error_from_rd_error() if there
-* was one.
-*/
-   _krb5_debug
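
Review bot: init_creds_step() repeats the sequence just added to get_cred_kdc() in get_cred.c: a local KERB_ERROR_DATA, the memset, then decode_KERB_ERROR_DATA() on the e-data before anything else. A small shared helper taking the e-data and the METHOD-DATA output would keep the two call sites from drifting apart, all the more since they already use different result variables (`ret` there, `ret2` here).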

[SCM] Samba Shared Repository - branch master updated

2023-11-09 Thread Andrew Bartlett
The branch, master has been updated
   via  fb867873d87 netcmd: Disallow device‐specific attributes and 
operators for allowed‐to‐authenticate‐from fields
   via  c5932c4794b netcmd: Add ‘allow_device_in_sddl’ parameter to 
SDDLField()
   via  7f0f930a427 s4:librpc: Add ‘allow_device_in_sddl’ parameter to 
security.descriptor.from_sddl()
   via  935f4edd81f libcli/security: Optionally disallow device‐specific 
attributes and operators where they are not applicable
   via  a08a724a28e netcmd:tests: Test authentication policies containing 
device‐specific attributes and operators
   via  db36a930e62 libcli/security: Mark arrays ‘const’
   via  e388e9a8560 ilbcli/security: Fix duplicated words
   via  e822a4efb73 libcli/security: Include missing headers
   via  9c35b3747e4 libcli/security: Reassign flags
   via  5f9f9242ce7 s4:librpc: Fix leak
   via  a11e0c02a45 s4:librpc: Remove trailing whitespace
   via  d0ca1bcd983 third_party/heimdal: Import 
lorikeet-heimdal-202311082119 (commit 844610f06bac2b7b2a208cbabc7414bde23abac7)
   via  5ebd1b8daef tests/krb5: Test Kerberos principal names containing 
non–BMP Unicode characters
   via  0b059dafd91 tests/krb5: Add ‘expected_sname’ parameter to 
_fast_as_req()
   via  e802cce43e9 tests/krb5: Encode KerberosString objects as UTF‐8
   via  ff83d4b08f4 tests/krb5: Move ‘rfc4120_pyasn1’ to 
‘rfc4120_pyasn1_generated’
   via  05ffdaeec77 librpc: add missing service control defines
   via  fd319adcc1d s4-torture: add test for svcctl_ControlServiceExW()
   via  51c21f72afd librpc: add svcctl_ServiceStopReason enums
   via  80b4893aa12 s4-torture: add test for svcctl_QueryServiceConfigEx
   via  cfedb32258b librpc: use SERVICE_CONTROL enum in ControlService calls
   via  7292e378781 librpc: add various new commands and types to SVCCTL 
IDL.
   via  cb348e5be11 svcctl: rename SERVICE_FAILURE_ACTIONS to 
SERVICE_FAILURE_ACTIONSW
   via  6d8867925f1 svcctl: unify operation names and always prefix with 
svcctl_
  from  963fc353e70 vfs_gpfs: Implement CAP_DAC_OVERRIDE for fstatat

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit fb867873d872f78c652099637d3ee74d09426821
Author: Joseph Sutton 
Date:   Tue Nov 7 15:44:21 2023 +1300

netcmd: Disallow device‐specific attributes and operators for 
allowed‐to‐authenticate‐from fields

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Thu Nov  9 09:01:25 UTC 2023 on atb-devel-224

commit c5932c4794b13a7975ec3c951e576a71152f4835
Author: Joseph Sutton 
Date:   Tue Nov 7 15:43:29 2023 +1300

netcmd: Add ‘allow_device_in_sddl’ parameter to SDDLField()

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 7f0f930a427be94c82922c4947554a94534d9be9
Author: Joseph Sutton 
Date:   Tue Nov 7 15:42:38 2023 +1300

s4:librpc: Add ‘allow_device_in_sddl’ parameter to 
security.descriptor.from_sddl()

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 935f4edd81f8115c390daa8f35c35dda64e99cfb
Author: Joseph Sutton 
Date:   Fri Nov 3 14:57:02 2023 +1300

libcli/security: Optionally disallow device‐specific attributes and 
operators where they are not applicable

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit a08a724a28e4796eb0c739a560b0192a8ac2e00d
Author: Joseph Sutton 
Date:   Tue Nov 7 16:50:49 2023 +1300

netcmd:tests: Test authentication policies containing device‐specific 
attributes and operators

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit db36a930e62a00fb97c5b111c7d008522e32b110
Author: Joseph Sutton 
Date:   Tue Nov 7 15:35:28 2023 +1300

libcli/security: Mark arrays ‘const’

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit e388e9a8560171b08181482025b1234aa17d4fb3
Author: Joseph Sutton 
Date:   Tue Nov 7 13:39:04 2023 +1300

ilbcli/security: Fix duplicated words

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit e822a4efb73c4f8576732b7eaef778db979fc26a
Author: Joseph Sutton 
Date:   Tue Nov 7 11:57:21 2023 +1300

libcli/security: Include missing headers

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 9c35b3747e487b351fa631b92197f90a353ec513
Author: Joseph Sutton 
Date:   Tue Nov 7 11:48:58 2023 +1300

libcli/security: Reassign flags

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 5f9f9242ce709c17422d07bd58e8fccd9f6737ad
Author: Joseph Sutton 
Date:   Tue Nov 7 12:16:12 2023 +1300

s4:librpc: Fix leak

We should not leak error messages returned by sddl_decode_err_msg().

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit

[SCM] Samba Shared Repository - branch master updated

2023-11-07 Thread Andrew Bartlett
The branch, master has been updated
   via  091af82f759 s4:kdc: Don’t convey PAC buffers from an RODC‐issued PAC
   via  2733cd7b4c8 s4:kdc: Move return code checks closer to where the 
return codes are set
   via  1c1d402f362 s4:auth: Add comment about claims going ignored for 
SamLogon
   via  bafd63bef31 s4:auth: Remove trailing whitespace
   via  beaec758c9f tests/krb5: Add tests for AllowedToAuthenticateTo with 
SamLogon
   via  c277a4d3631 tests/krb5: Add test for an authentication policy that 
allows a specific account
   via  64806f37ab0 tests/krb5: Correct authentication policy SDDL
   via  6b2de474888 tests/krb5: Remove unused parameter 
‘expected_device_groups’
   via  f8fb8f028c9 tests/krb5: Remove unused parameter 
‘expected_device_groups’
  from  d314fc5874e smbd: Make get_real_filename_cache_key() static in 
files.c

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 091af82f75960c0c6abb04908b96051d9f53659d
Author: Joseph Sutton 
Date:   Tue Nov 7 16:19:30 2023 +1300

s4:kdc: Don’t convey PAC buffers from an RODC‐issued PAC

Such buffers are not to be trusted.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Tue Nov  7 22:54:42 UTC 2023 on atb-devel-224

commit 2733cd7b4c8b6a65a764eb7710a0f3f755f96675
Author: Joseph Sutton 
Date:   Tue Nov 7 16:22:41 2023 +1300

s4:kdc: Move return code checks closer to where the return codes are set

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 1c1d402f36290e3aec3133702e84bf3a9e5755a6
Author: Joseph Sutton 
Date:   Tue Nov 7 11:45:50 2023 +1300

s4:auth: Add comment about claims going ignored for SamLogon

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit bafd63bef31f30809fe16d357a8e1ba92dc6f264
Author: Joseph Sutton 
Date:   Tue Nov 7 11:43:36 2023 +1300

s4:auth: Remove trailing whitespace

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit beaec758c9ffed19f00e87cdd317f47c13ef7dd2
Author: Joseph Sutton 
Date:   Tue Nov 7 11:10:59 2023 +1300

tests/krb5: Add tests for AllowedToAuthenticateTo with SamLogon

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit c277a4d3631f2c1b5cd0a32bc5dfcccaafef9cb9
Author: Joseph Sutton 
Date:   Tue Oct 17 12:01:34 2023 +1300

tests/krb5: Add test for an authentication policy that allows a specific 
account

This is a counterpart to ‘test_conditional_ace_allowed_from_user_deny’.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 64806f37ab08c51d2fac23d7f153c3b2f0c5d984
Author: Joseph Sutton 
Date:   Fri Nov 3 13:51:27 2023 +1300

tests/krb5: Correct authentication policy SDDL

There is no claim called ‘abc’, so the condition ‘(abc)’ is always going
to fail. Replace this with a condition using ‘Member_of’.

Furthermore, an ACL containing only Deny ACEs will only ever deny. Add a
trailing Allow ACE so that the ACL might allow other principals.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 6b2de4748889a0b5674758169439cb7fb2106e7d
Author: Joseph Sutton 
Date:   Fri Nov 3 12:00:15 2023 +1300

tests/krb5: Remove unused parameter ‘expected_device_groups’

It was never passed in by any callers.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit f8fb8f028c90887da6bbb0d1850fde398f667b7a
Author: Joseph Sutton 
Date:   Fri Nov 3 11:59:48 2023 +1300

tests/krb5: Remove unused parameter ‘expected_device_groups’

It was never passed in by any callers.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

---

Summary of changes:
 python/samba/tests/krb5/conditional_ace_tests.py | 274 +--
 selftest/knownfail_heimdal_kdc   |  10 -
 source4/auth/ntlm/auth_sam.c |  43 ++--
 source4/kdc/pac-glue.c   |  17 +-
 4 files changed, 297 insertions(+), 47 deletions(-)


Changeset truncated at 500 lines:

diff --git a/python/samba/tests/krb5/conditional_ace_tests.py 
b/python/samba/tests/krb5/conditional_ace_tests.py
index de26a920ae0..88507cce164 100755
--- a/python/samba/tests/krb5/conditional_ace_tests.py
+++ b/python/samba/tests/krb5/conditional_ace_tests.py
@@ -31,7 +31,7 @@ from string import Formatter
 import ldb
 
 from samba import dsdb, ntstatus
-from samba.dcerpc import claims, krb5pac, security
+from samba.dcerpc import claims, krb5pac, netlogon, security
 from samba.ndr import ndr_pack, ndr_unpack
 from samba.sd_utils import escaped_claim_id
 
@@ -89,6 +89,11 @@ class ConditionalAceBaseTests(AuthnPolicyBaseTests):
 cls._mach_creds

[SCM] Samba Shared Repository - branch master updated

2023-11-02 Thread Andrew Bartlett
The branch, master has been updated
   via  cfec96d5e9f third_party/heimdal: Import 
lorikeet-heimdal-202311030123 (commit 2346a67fe25cbf16128501665db41f6840546e15)
  from  3ef68efca29 tests/krb5: Fix comments

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit cfec96d5e9fb2195f9e14e09bf66a68c969f4bbd
Author: Joseph Sutton 
Date:   Fri Nov 3 14:27:52 2023 +1300

third_party/heimdal: Import lorikeet-heimdal-202311030123 (commit 
2346a67fe25cbf16128501665db41f6840546e15)

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Fri Nov  3 03:53:08 UTC 2023 on atb-devel-224

---

Summary of changes:
 third_party/heimdal/kdc/fast.c | 18 --
 third_party/heimdal/kdc/pkinit.c   |  2 +-
 third_party/heimdal/lib/hcrypto/bn.c   |  4 +-
 third_party/heimdal/lib/hcrypto/pkcs12.c   |  4 +-
 third_party/heimdal/lib/hdb/common.c   |  1 -
 third_party/heimdal/lib/hdb/hdb-ldap.c |  1 +
 third_party/heimdal/lib/hx509/ca.c | 13 ++--
 third_party/heimdal/lib/hx509/cms.c|  2 +-
 third_party/heimdal/lib/hx509/hxtool.c |  2 +
 third_party/heimdal/lib/hx509/ks_file.c|  2 +-
 third_party/heimdal/lib/krb5/acache.c  |  2 +
 third_party/heimdal/lib/krb5/build_ap_req.c|  6 +-
 third_party/heimdal/lib/krb5/context.c | 72 --
 third_party/heimdal/lib/krb5/kx509.c   |  2 +-
 third_party/heimdal/lib/krb5/pkinit.c  |  4 +-
 third_party/heimdal/lib/krb5/store.c   |  2 +-
 third_party/heimdal/lib/roken/base32.c | 16 ++---
 .../heimdal/lib/wind/gen-punycode-examples.py  |  8 +--
 18 files changed, 108 insertions(+), 53 deletions(-)


Changeset truncated at 500 lines:

diff --git a/third_party/heimdal/kdc/fast.c b/third_party/heimdal/kdc/fast.c
index 7b96371723e..bc77f74664c 100644
--- a/third_party/heimdal/kdc/fast.c
+++ b/third_party/heimdal/kdc/fast.c
@@ -406,8 +406,8 @@ _kdc_fast_mk_e_data(astgs_request_t r,
NULL,
error_client,
error_server,
-   NULL,
-   NULL,
+   csec,
+   cusec,
e_data);
if (ret) {
kdc_log(r->context, r->config, 1,
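
Review bot: The call in _kdc_fast_mk_e_data() now forwards `csec` and `cusec` where NULL was hard-coded, which changes what is handed to the error builder, yet the import commit message says nothing about it. Please mention the behaviour change in the commit message, and add a comment that both pointers may legitimately be NULL, as the `csec = NULL; cusec = NULL;` assignments in _kdc_fast_mk_error() show.
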
@@ -508,8 +508,8 @@ _kdc_fast_mk_error(astgs_request_t r,
error_client = NULL;
error_server = NULL;
}
-   csec = 0;
-   cusec = 0;
+   csec = NULL;
+   cusec = NULL;
 }
 
 ret = krb5_mk_error(r->context,
@@ -603,6 +603,9 @@ fast_unwrap_request(astgs_request_t r,
  *
  */
 if (fxreq.u.armored_data.armor != NULL) {
+   krb5uint32 kvno;
+   krb5uint32 *kvno_ptr = NULL;
+
if (fxreq.u.armored_data.armor->armor_type != 1) {
kdc_log(r->context, r->config, 4,
"Incorrect AS-REQ armor type");
@@ -628,9 +631,14 @@ fast_unwrap_request(astgs_request_t r,
goto out;
}
 
+   if (ap_req.ticket.enc_part.kvno != NULL) {
+   kvno = *ap_req.ticket.enc_part.kvno;
+   kvno_ptr = 
+   }
+
ret = _kdc_db_fetch(r->context, r->config, armor_server_principal,
HDB_F_GET_KRBTGT | HDB_F_DELAY_NEW_KEYS,
-   (krb5uint32 *)ap_req.ticket.enc_part.kvno,
+   kvno_ptr,
>armor_serverdb, >armor_server);
if(ret == HDB_ERR_NOT_FOUND_HERE) {
free_AP_REQ(_req);
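
Review bot: `kvno` is declared without an initializer in the previous hunk and is assigned only inside `if (ap_req.ticket.enc_part.kvno != NULL)`; this is safe only because `kvno_ptr` stays NULL otherwise. Initialising `kvno` to 0 at its declaration would keep it safe under later edits, and a one-line comment noting that the copy replaces the old `(krb5uint32 *)` cast (which suggests the field has a different pointee type) would explain why the extra locals exist.
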
diff --git a/third_party/heimdal/kdc/pkinit.c b/third_party/heimdal/kdc/pkinit.c
index d97ae227ae6..255441ce071 100644
--- a/third_party/heimdal/kdc/pkinit.c
+++ b/third_party/heimdal/kdc/pkinit.c
@@ -1078,9 +1078,9 @@ pk_mk_pa_reply_dh(krb5_context context,
 unsigned char *p;
 ret = _kdc_serialize_ecdh_key(context, cp->u.ecdh.key, ,
   _info.subjectPublicKey.length);
-dh_info.subjectPublicKey.data = p;
 if (ret)
 goto out;
+dh_info.subjectPublicKey.data = p;
 } else
krb5_abortx(context, "no keyex selected ?");
 
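
Review bot: Moving `dh_info.subjectPublicKey.data = p;` below the `if (ret) goto out;` check is right, but `p` is still declared as `unsigned char *p;` with no initializer, so its value is indeterminate whenever _kdc_serialize_ecdh_key() fails before writing it. Declaring it as `unsigned char *p = NULL;` would make the failure path safe regardless of statement order.
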
diff --git a/third_party/heimdal/lib/hcrypto/bn.c 
b/third_party/heimdal/lib/hcrypto/bn.c
index 62297b145f1..9e9db4ec89a 100644
--- a/third_party/heimdal/lib/hcrypto/bn.c
+++ b/third_party/heimdal/lib/hcrypto/bn.c
@@ -235,7 +235,7 @@ static const unsigned char is_set[8] = { 1, 2, 4, 8, 16, 
32, 64, 128 };
 int
 BN_is_bit_set(const BIGNUM *bn, int bit)
 {
-heim_integer *hi = (heim_integer *)bn;
+const heim_integer *hi = (cons

[SCM] Samba Shared Repository - branch master updated

2023-11-02 Thread Andrew Bartlett
The branch, master has been updated
   via  3ef68efca29 tests/krb5: Fix comments
   via  62373eeef06 tests/krb5: Test RODC‐issued TGTs that already contain 
device info/claims
   via  86fb7d17ff7 tests/krb5: Don’t reuse SID S-1-2-3-4
   via  224408f9592 tests/krb5: Test target authentication policies when 
the TGT already contains device info/claims
   via  622ac53f222 tests/krb5: Add tests for PACs containing extraneous 
buffers
   via  69d588a8702 tests/krb5: Pass a list of PAC modification functions
   via  6e999eab1c3 tests/krb5: Test performing a FAST‐armored TGS‐REQ when 
the TGT already contains device info/claims
   via  014c939bdd7 tests/krb5: Add support to test framework for existing 
device info or claims buffers
   via  e468a7d6271 tests/krb5: Always expect client claims
   via  7048f380eb2 tests/krb5: Ensure that device SIDs and claims are 
present only if we expect them to be
   via  51a4443b044 tests/krb5: No longer pass two‐component form of TGS 
principal
   via  6033b1c00dc tests/krb5: Remove unused import
   via  b0a09a69cc8 selftest/flapping: Mark 
smb2.multichannel.bugs.bug_15346(nt4_dc) flapping
   via  687b1b99314 tests: Convert the regression test for bug15505 to 
python
   via  9dd5e12cfa4 tests: Make clean_file() handle directories
   via  b5392b552ed tests: Allow to specify share names in smb2symlink tests
  from  1372ef0ef46 s4:rpc_server: Properly initialize 
‘lsa_CreateTrustedDomainEx2’ structure (CID 1499404)

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 3ef68efca292651a7b83166767452a6986175924
Author: Joseph Sutton 
Date:   Wed Nov 1 09:33:10 2023 +1300

tests/krb5: Fix comments

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Thu Nov  2 20:13:50 UTC 2023 on atb-devel-224

commit 62373eeef069a7631093f237b4ca95c3992fb346
Author: Joseph Sutton 
Date:   Thu Nov 2 14:32:58 2023 +1300

tests/krb5: Test RODC‐issued TGTs that already contain device info/claims

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 86fb7d17ff7683c66ce74e16b3be927b97ea5e5d
Author: Joseph Sutton 
Date:   Thu Nov 2 14:32:00 2023 +1300

tests/krb5: Don’t reuse SID S-1-2-3-4

We’re already using it in ‘client_sids’ to work around a bug in Windows.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 224408f9592442a503c6b33454b9dcefec64331d
Author: Joseph Sutton 
Date:   Wed Nov 1 16:59:21 2023 +1300

tests/krb5: Test target authentication policies when the TGT already 
contains device info/claims

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 622ac53f2229c005a7f35779298af8405549c0d4
Author: Joseph Sutton 
Date:   Thu Nov 2 15:29:32 2023 +1300

tests/krb5: Add tests for PACs containing extraneous buffers

Test that the KDC removes these buffers from RODC‐issued PACs.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 69d588a8702fa5b973e33bf7cea1d01fcf112b1c
Author: Joseph Sutton 
Date:   Thu Nov 2 15:27:24 2023 +1300

tests/krb5: Pass a list of PAC modification functions

This is simpler than chaining functions together.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 6e999eab1c3ffd79730f9003f7f284b51a840a15
Author: Joseph Sutton 
Date:   Wed Nov 1 13:55:14 2023 +1300

tests/krb5: Test performing a FAST‐armored TGS‐REQ when the TGT already 
contains device info/claims

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 014c939bdd7f49c484ec36f0ec9159aa7012edcd
Author: Joseph Sutton 
Date:   Wed Nov 1 10:16:57 2023 +1300

tests/krb5: Add support to test framework for existing device info or 
claims buffers

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit e468a7d62716ff28e84f753fe187828e94f2c50b
Author: Joseph Sutton 
Date:   Wed Nov 1 13:39:28 2023 +1300

tests/krb5: Always expect client claims

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 7048f380eb28e9d411fae27fba45b66a08de0a54
Author: Joseph Sutton 
Date:   Wed Nov 1 13:38:24 2023 +1300

tests/krb5: Ensure that device SIDs and claims are present only if we 
expect them to be

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 51a4443b04490d412b018f3ef303f77cb7304d10
Author: Joseph Sutton 
Date:   Wed Nov 1 13:07:54 2023 +1300

tests/krb5: No longer pass two‐component form of TGS principal

Samba now handles one‐component TGS principals more correctly.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 6033b1c00dc080a8f0445bae6a8c4ccd54934237
Author: Joseph Sutton 
Date:   Wed Nov 1 12:05:50 2023 +1300

tests/krb5

[SCM] Samba Shared Repository - branch master updated

2023-11-01 Thread Andrew Bartlett
The branch, master has been updated
   via  1372ef0ef46 s4:rpc_server: Properly initialize 
‘lsa_CreateTrustedDomainEx2’ structure (CID 1499404)
   via  fa25793ebff s4:rpc_server: Properly initialize 
‘lsa_CreateTrustedDomainEx2’ structure (CID 1499407)
   via  c095ec02ff1 s3:rpc_client: Add missing ‘break’ statement
   via  90505d3aa82 s3:rpc_client: Align integer types (CID 1548342)
   via  4db4df284d5 s3:utils: Initialize flags (CID 1499396)
   via  4feb76592b8 s3:utils: Avoid integer overflow (CID 1548343)
   via  55d06fa9e32 s3:utils: Align integer type
   via  8b2269328bf s3:utils: Remove condition that cannot be true (CID 
1548341)
   via  77183ded7de s3:utils: Check return value of samba_cmdline_init() 
(CID 1548345)
   via  a9e8cf4ff66 s3:utils: Fix code spelling
   via  7322bb30982 s3:utils: Remove unused‐but‐set variable
   via  ec687e7ca91 s3:smbd: Remove unreachable code (CID 710840)
   via  5f865bd14dd tests/krb5: Test conditional ACE expressions with empty 
composite literals
   via  ff1d00e079b selftest: Sort conditional ACE knownfails
   via  4131179a048 libcli/security: Allow empty composites and resource 
attribute lists
   via  5df344a890f libcli/security: Remove reference to conditional ACE 
recursive composites
   via  c2fe72fb213 third_party/heimdal: Import 
lorikeet-heimdal-202311012221 (commit 87159bd32148be80a0d9bfc984db481e4a0f2831)
  from  e7f38c3a190 pytest:samba-tool domain test policy: test SDDL 
diagnostics

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 1372ef0ef46f6eee615c2fffd5286e96aeb8417a
Author: Joseph Sutton 
Date:   Tue Oct 31 12:14:27 2023 +1300

s4:rpc_server: Properly initialize ‘lsa_CreateTrustedDomainEx2’ structure 
(CID 1499404)

dcesrv_lsa_CreateTrustedDomain_base() invokes DCESRV_PULL_HANDLE(),
which invokes DCESRV_PULL_HANDLE_RETVAL(), which invokes
DCESRV_CHECK_HANDLE(), which might invoke DCESRV_FAULT(), which accesses
r2.out.result, which is uninitialized — invoking undefined behaviour.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Thu Nov  2 04:04:49 UTC 2023 on atb-devel-224

commit fa25793ebff92bee2bb1bf0b437b5f705ee8a1dc
Author: Joseph Sutton 
Date:   Tue Oct 31 12:11:37 2023 +1300

s4:rpc_server: Properly initialize ‘lsa_CreateTrustedDomainEx2’ structure 
(CID 1499407)

dcesrv_lsa_CreateTrustedDomain_base() invokes DCESRV_PULL_HANDLE(),
which invokes DCESRV_PULL_HANDLE_RETVAL(), which invokes
DCESRV_CHECK_HANDLE(), which might invoke DCESRV_FAULT(), which accesses
r2.out.result, which is uninitialized — invoking undefined behaviour.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit c095ec02ff1a13bed5503a460eb6a8a39f03ade3
Author: Joseph Sutton 
Date:   Tue Oct 31 12:21:26 2023 +1300

s3:rpc_client: Add missing ‘break’ statement

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 90505d3aa82677c428fe87c38df1a3227c4ad115
Author: Joseph Sutton 
Date:   Tue Oct 31 11:39:09 2023 +1300

s3:rpc_client: Align integer types (CID 1548342)

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 4db4df284d5e1d5300b9cd1597581c110cca3807
Author: Joseph Sutton 
Date:   Tue Oct 31 12:16:15 2023 +1300

s3:utils: Initialize flags (CID 1499396)

If ‘got_bcast’ is false and ‘give_flags’ is true, this variable will be
used uninitialized.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 4feb76592b8f63cb2e91ebeb36212daa5bd088da
Author: Joseph Sutton 
Date:   Tue Oct 31 11:35:25 2023 +1300

s3:utils: Avoid integer overflow (CID 1548343)

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 55d06fa9e328897548455f757da1452138336016
Author: Joseph Sutton 
Date:   Tue Oct 31 11:33:39 2023 +1300

s3:utils: Align integer type

If ‘count’ is larger than INT_MAX, ‘i’ might overflow in the loop and
lead to undefined behaviour.

See also CID 1548342.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 8b2269328bf1d85c6505cf8ecb95977435bdf93c
Author: Joseph Sutton 
Date:   Tue Oct 31 11:30:27 2023 +1300

s3:utils: Remove condition that cannot be true (CID 1548341)

‘limit’ is an unsigned integer, and thus will never be less than zero.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 77183ded7de9d5b23663aa5f68a94a9c9b87902c
Author: Joseph Sutton 
Date:   Tue Oct 31 11:20:05 2023 +1300

s3:utils: Check return value of samba_cmdline_init() (CID 1548345)

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit a9e8cf4ff6621bb4f50f10dc11f60c1995b01084
Author: Joseph Sutton 
Date:   Tue

[SCM] Samba Shared Repository - branch master updated

2023-11-01 Thread Andrew Bartlett
The branch, master has been updated
   via  e7f38c3a190 pytest:samba-tool domain test policy: test SDDL 
diagnostics
   via  d915443ab00 pytest: samba_tool domain auth policy fix for SDDL err 
msg
   via  cc2498f35b4 samba-tool: try to present diagnostics for SDDL errors.
   via  42b5a09a031 pytest:sddl: assert SDDLValueError values make sense
   via  d7fe04205f8 s4/librpc/py_security: use SDDLValueError for better 
error messages
   via  fd8cf82be1e pytest:sddl: handle SDDLValueError
   via  328ddf6d3aa pytest:security_descriptors: handle SDDLValueError
   via  d47c6654f96 pytest: sid_strings: handle SDDLValueError
   via  054725440f2 s4/librpc/py_security: add SDDLValueError
   via  0c123e142f4 ndr/py_security: mod patch reports errors
   via  cbf8349ec53 lib/ldb: pyldb search iterator avoids exception leak
   via  1d8024e733e lib/ldb: py LDBError avoids leak and checks for alloc 
failure
   via  ffa08426e0e libcli/security: conditional ace err messages don't 
hardcode offset
   via  c31d41d7219 libcli/security: sddl: guard against inconsistent msg 
pointers
   via  c63a8989770 libcli/security: sddl: remove unreachable debug
   via  67fa97d61f9 libcli/security: sddl_decode_ace/acl pass through 
messages
   via  93347aa5af1 libcli/security: add sddl_decode_err_msg()
   via  9b57d5cd5c8 libcli/security: sddl_conditional_ace: ensure message 
is talloced
   via  cc11165ecbc libcli/security: sddl: check a talloc_zero
   via  5319c5bdac8 libcli/security: SDDL accepts lowercase "s-" in SIDs
   via  c75be6c3261 librpc:ndr: Increase size of ‘libndr_flags’ type to 64 
bits
   via  a396b705c8a librpc:ndr: Introduce ‘ndr_flags_type’ type
   via  c4f281e9ae3 librpc:ndr: Introduce ‘libndr_flags’ type
   via  4ec7578e79c s4:torture: Make static variables constant
   via  83c68236526 librpc:ndr: Fix code spelling
   via  0071a60fb63 dcerpc.idl: Use simple boolean value instead of flag
   via  bea9958b607 s4:kdc: Call kdc_request_set_e_data() instead of 
kdc_set_e_data()
   via  57c543a1d91 third_party/heimdal: Import 
lorikeet-heimdal-202310310018 (commit 3a433861903ff7c35f3a42c2e88aef2fab7bb5b4) 
(CID 1544591, CID 1544617)
   via  b06751389db s4:auth: Comment about claims in the security token
   via  ebbba22cfbd s4:auth: Remove trailing whitespace
   via  0733ea3663f s4:kdc: Have samba_kdc_get_device_info_blob() call 
samba_kdc_get_user_info_dc() instead of adding special SIDs itself
   via  f8bfd607ca3 tests/krb5: Test device info generated from RODC‐issued 
tickets without certain SIDs
   via  6760dd48ad0 s4:kdc: Do not add Claims Valid SID twice
   via  54eb175816b tests/krb5: Rename ‘krbtgt_creds’ to ‘rodc_krbtgt_creds’
   via  66b45978621 tests/krb5: Don’t pass unnecessary parameter
   via  2b69e1e7c31 tests/krb5: Use __slots__ to indicate which attributes 
are used by classes
   via  b0da50b5b0d s4:kdc: Add the Asserted Identity SID to the PAC only 
if the original RODC‐issued PAC contained it
   via  915b40521e6 s4:auth: Check that the PAC is not NULL before 
dereferencing it
   via  76e27c3ab13 libcli/security: Add sid_attrs_contains_sid()
   via  69edfd7b11a libcli/security: Make use of sids_contains_sid()
   via  04611d9ebc1 libcli/security: Add sids_contains_sid()
   via  ce3f04dca9a libcli/security: Make use of sids_contains_sid_attrs()
   via  5ff72d0e04e libcli/security: Rename sids_contains_sid() to 
sids_contains_sid_attrs()
   via  487e21ec899 s4:dsdb: Make sids_contains_sid() usable by other Samba 
modules
   via  ce9fbceadba libcli/security: Correct function documentation
   via  01b89669931 libcli/security: Remove unnecessary return statement
   via  12b0c9d043f s4:dsdb: Align integer type
   via  3b936623a42 s4:kdc: Add Claims Valid SID to info regenerated from 
RODC‐issued PACs
   via  7ba4bb81645 tests/krb5: Add tests to see how SIDs are conveyed from 
PACs
   via  dc1e2b41ca4 tests/krb5: Test that the Claims Valid SID is added to 
RODC‐issued PACs
   via  947d3e5932e tests/krb5: Test that the Service Asserted Identity SID 
is not regarded from an RODC‐issued PAC
  from  1862561d1a1 smbd: Open file as REPARSE_POINT in unlink_internals()

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit e7f38c3a190c0faacdbab230439d98d7e3fe7c0e
Author: Douglas Bagnall 
Date:   Sat Oct 28 12:09:04 2023 +1300

pytest:samba-tool domain test policy: test SDDL diagnostics

The existing 'bad SDDL' test has SDDL so bad that the diagnostics
are not exercised.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Wed Nov  1 21:12:33 UTC 2023 on atb-devel-224

commit d915443ab0076389036890c0046de9d33c5d7

[SCM] Samba Shared Repository - branch master updated

2023-10-26 Thread Andrew Bartlett
The branch, master has been updated
   via  0bb67a3a7e7 python: silos: add support for allowed to authenticate 
from silo shortcut
   via  84916935751 python: add docstring for escaped_claim_id function
   via  16d52aa559a python: move method escaped_claim_id from test to 
samba.sd_utils
   via  47f5bc78b88 python: silos: add some missing tests for auth policy 
command
   via  2aa4d67411a python: tests: claims and silo tests make use of 
unique_name
   via  2dd06ae41a2 python: tests: improve comments for auth silo and 
policy tests
   via  95cb6a0bb16 python: tests: qa and developers were not in the 
correct case
   via  e87d74066af python: tests: addCleanup is always before create 
operation
   via  d19e268221e python: tests: function to generate a unique name from 
caller
   via  ed245e28875 netcmd: tests: make use of addCleanup
   via  3e9f74a680b netcmd: claims: rename claims and silo tests
   via  156887c6d0b netcmd: silo command uses more consistent naming for 
tgt args
   via  15fb8a5f2ef netcmd: silo command uses more consistent naming for 
policy args
   via  c22400fd8ef netcmd: silo command remove combined --policy which set 
all 3
  from  b6ae5d66819 codespell: Ignore .git

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 0bb67a3a7e79a687e7809ab41f056c36629bc19f
Author: Rob van der Linde 
Date:   Thu Oct 12 17:08:34 2023 +1300

python: silos: add support for allowed to authenticate from silo shortcut

this avoids the need to write SDDL, the user just needs to give the silo 
name

Signed-off-by: Rob van der Linde 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Fri Oct 27 00:30:05 UTC 2023 on atb-devel-224

commit 8491693575115ef651a8320abd699edd3c739758
Author: Rob van der Linde 
Date:   Fri Oct 27 12:11:34 2023 +1300

python: add docstring for escaped_claim_id function

Signed-off-by: Rob van der Linde 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 16d52aa559ab60a9e2b1aba71c9f866833bab9f0
Author: Rob van der Linde 
Date:   Thu Oct 26 13:13:44 2023 +1300

python: move method escaped_claim_id from test to samba.sd_utils

This is so that it can be used in other places too without the need to 
import or extend the test base class

Signed-off-by: Rob van der Linde 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 47f5bc78b88b371c40a85b0b716793da771dc6c9
Author: Rob van der Linde 
Date:   Thu Oct 12 16:59:43 2023 +1300

python: silos: add some missing tests for auth policy command

Signed-off-by: Rob van der Linde 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 2aa4d67411a91d1e135164ddb4857d04d6692a35
Author: Rob van der Linde 
Date:   Thu Oct 12 16:55:34 2023 +1300

python: tests: claims and silo tests make use of unique_name

Signed-off-by: Rob van der Linde 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 2dd06ae41a2154db82378587fa662a35bf78c386
Author: Rob van der Linde 
Date:   Thu Oct 26 11:18:04 2023 +1300

python: tests: improve comments for auth silo and policy tests

Signed-off-by: Rob van der Linde 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 95cb6a0bb1625c2b2099c7374424d595164be2e8
Author: Rob van der Linde 
Date:   Wed Oct 25 17:25:51 2023 +1300

python: tests: qa and developers were not in the correct case

Signed-off-by: Rob van der Linde 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit e87d74066af3b552333aa28d4180e11b32e465b9
Author: Rob van der Linde 
Date:   Wed Oct 25 16:02:31 2023 +1300

python: tests: addCleanup is always before create operation

This way if it raises during a create, it will still end up running the 
cleanup.

Signed-off-by: Rob van der Linde 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit d19e268221efca4079469c015f0fe3f2d0719f23
Author: Rob van der Linde 
Date:   Thu Oct 12 15:21:08 2023 +1300

python: tests: function to generate a unique name from caller

Uses the caller function to generate a unique name from the test function 
name.

Unique name is converted to camel case

Signed-off-by: Rob van der Linde 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit ed245e288756c34c263c37dd3d64203ee1efdaa5
Author: Rob van der Linde 
Date:   Tue Oct 17 18:54:52 2023 +1300

netcmd: tests: make use of addCleanup

Makes self.members redundant and tearDown method can go completely.

Signed-off-by: Rob van der Linde 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 3e9f74a680bc1d8c0daa133df3c4f8b84e1addc4
Author: Rob

[SCM] Samba Shared Repository - branch master updated

2023-10-26 Thread Andrew Bartlett
The branch, master has been updated
   via  b6ae5d66819 codespell: Ignore .git
   via  b436720e16e s3:rpc_server/wkssvc: Remove get logged on user list 
from utmp
  from  853ae7a913e smbd: add inode marshalling in 
smb3_file_posix_information_init()

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit b6ae5d6681919ef600e44fbf613d675f760dde07
Author: Andrew Bartlett 
Date:   Thu Oct 26 11:17:43 2023 +1300

codespell: Ignore .git

Otherwise the first line of commit messages is checked,
because text is found in .git/logs/HEAD, but only on
autobuild and not in CI (which does a shallow clone),
and not the whole commit message either, which is inconsistent.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15503

Signed-off-by: Andrew Bartlett 
Reviewed-by: Andreas Schneider 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Thu Oct 26 23:27:29 UTC 2023 on atb-devel-224

commit b436720e16eeeff0c08cb61fc539b6c53ffdac4a
Author: Samuel Cabrero 
Date:   Tue Oct 24 11:31:17 2023 +0200

s3:rpc_server/wkssvc: Remove get logged on user list from utmp

utmp is not Y2038 safe.

Signed-off-by: Samuel Cabrero 
Reviewed-by: Andrew Bartlett 

---

Summary of changes:
 .codespellrc                              |   2 +-
 source3/rpc_server/wkssvc/srv_wkssvc_nt.c | 163 ++
 source3/wscript                           |   2 +-
 3 files changed, 10 insertions(+), 157 deletions(-)


Changeset truncated at 500 lines:

diff --git a/.codespellrc b/.codespellrc
index de4f0fbbbae..1faf9ba9194 100644
--- a/.codespellrc
+++ b/.codespellrc
@@ -1,4 +1,4 @@
 [codespell]
-skip = 
./bin,./docs-xml/archives,./docs-xml/manpages/vfs_fruit.8.xml,./docs-xml/smbdotconf/browse/preferredmaster.xml,./lib/ldb/ldb_sqlite3/trees.ps,./libcli/util/ntstatus.h,./libcli/util/hresult.c,./python/samba/tests/blackbox/testdata,./source3/include/MacExtensions.h,./source3/selftest/ktest-krb5_ccache-2.txt,./source4/setup/display-specifiers,./source4/ldap_server/devdocs,./source4/selftest/provisions,./source4/setup/adprep/WindowsServerDocs,./source4/setup/display-specifiers,./source4/torture/vfs/fruit.c,./testdata,./third_party,*.IBM-DS,*.config,*.diff,*.dump,*.ldif,*.ldf,*.pdml,*.pem,*.po,*.schema
+skip = 
./.git,./bin,./docs-xml/archives,./docs-xml/manpages/vfs_fruit.8.xml,./docs-xml/smbdotconf/browse/preferredmaster.xml,./lib/ldb/ldb_sqlite3/trees.ps,./libcli/util/ntstatus.h,./libcli/util/hresult.c,./python/samba/tests/blackbox/testdata,./source3/include/MacExtensions.h,./source3/selftest/ktest-krb5_ccache-2.txt,./source4/setup/display-specifiers,./source4/ldap_server/devdocs,./source4/selftest/provisions,./source4/setup/adprep/WindowsServerDocs,./source4/setup/display-specifiers,./source4/torture/vfs/fruit.c,./testdata,./third_party,*.IBM-DS,*.config,*.diff,*.dump,*.ldif,*.ldf,*.pdml,*.pem,*.po,*.schema
 ignore-regex = \\[t]
 ignore-words = .codespellignore
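
Review bot: the rewritten skip value still lists ./source4/setup/display-specifiers twice, once after ./source3/selftest/ktest-krb5_ccache-2.txt and again after ./source4/setup/adprep/WindowsServerDocs. Since the whole line is replaced here anyway, drop the second copy in the same change. The new ./.git entry itself matches the commit message.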
diff --git a/source3/rpc_server/wkssvc/srv_wkssvc_nt.c 
b/source3/rpc_server/wkssvc/srv_wkssvc_nt.c
index 592e8668cd3..0724dd00af5 100644
--- a/source3/rpc_server/wkssvc/srv_wkssvc_nt.c
+++ b/source3/rpc_server/wkssvc/srv_wkssvc_nt.c
@@ -45,96 +45,6 @@ struct dom_usr {
time_t login_time;
 };
 
-#ifdef HAVE_GETUTXENT
-
-#include 
-
-struct usrinfo {
-   char *name;
-   struct timeval login_time;
-};
-
-static int usr_info_cmp(const struct usrinfo *usr1, const struct usrinfo *usr2)
-{
-   /* Called from qsort to compare two users in a usrinfo_t array for
-* sorting by login time. Return >0 if usr1 login time was later than
-* usr2 login time, <0 if it was earlier */
-   return timeval_compare(>login_time, >login_time);
-}
-
-/***
- Get a list of the names of all users logged into this machine
- /
-
-static int get_logged_on_userlist(TALLOC_CTX *mem_ctx, char ***pusers)
-{
-   char **users;
-   int i, num_users = 0;
-   struct usrinfo *usr_infos = NULL;
-   struct utmpx *u;
-
-   while ((u = getutxent()) != NULL) {
-   struct usrinfo *tmp;
-   if (u->ut_type != USER_PROCESS) {
-   continue;
-   }
-   for (i = 0; i < num_users; i++) {
-   /* getutxent can return multiple user entries for the
-* same user, so ignore any dups */
-   int cmp = strncmp(u->ut_user, usr_infos[i].name, 
sizeof(u->ut_user));
-   if (cmp == 0) {
-   break;
-   }
-   }
-   if (i < num_users) {
-
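
Review bot: get_logged_on_userlist() is deleted together with the whole HAVE_GETUTXENT block, but the commit message only says that utmp is not Y2038 safe and does not say what callers of this function report once this source of logged-on user names is gone. State the resulting behaviour in the commit message. The context lines above the removal keep struct dom_usr with a time_t login_time, so it is also worth saying where that field is filled from now. The changeset is truncated at this point, so the replacement code, and whether anything else still depends on HAVE_GETUTXENT, cannot be checked from these lines.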

[SCM] Samba Shared Repository - branch master updated

2023-10-25 Thread Andrew Bartlett
The branch, master has been updated
   via  d57f3bdcd33 s4:kdc: Simplify principal_comp_strcmp_int() to handle 
only equality
   via  ea6d2ddb66e s4:kdc: Check for overflow before calling 
smb_krb5_princ_component()
   via  12211735772 s4:kdc: Have principal_comp_strcmp_int() properly 
indicate an error
   via  ddef0e5e1f6 s4:kdc: Consider a single‐component krbtgt principal to 
be the TGS
   via  7b68f751be1 third_party/heimdal: Import 
lorikeet-heimdal-202309250010 (commit b73ae22b9b1c6fc06d0d79afe55517367a5f9670)
   via  6d7a05bf780 s4:kdc: Make use of smb_krb5_principal_is_tgs()
   via  865e4f0f8cb s4:kdc: Change signature of is_kadmin_changepw() to 
accommodate failure cases
   via  9a0c5ee4aef s4:kdc: Have smb_krb5_principal_get_comp_string() 
properly indicate an error
   via  2944bc1e02a s4:dsdb: Initialize pointers to NULL
   via  800f3203b1d lib/krb5_wrap: Check return value of 
krb5_principal_get_comp_string()
   via  3917a1995c3 tests/krb5: Add tests for single‐component krbtgt 
principals
   via  f266f5c670b tests/krb5: Also consider single‐component krbtgt 
principals to be TGS principals
   via  3960eabca78 libutil/iconv: avoid overflow in surrogate pairs
   via  949fe570777 libutil/iconv: don't allow wtf-8 surrogate pairs
   via  d7481f94e0f util/charset/torture: test convert_string_talloc with 
emptyish strings
   via  58011bc64a8 s4/torture/gentest: explain seemingly redundant 
initialisation
   via  b5a728e81e8 util/convert string: remove inaccurate misspelt comment
   via  7f870211fbf s4/torture/gentest: remove redundant op entry
   via  15b7508babf docs/manpages: fix links to mod_ntlm_winbind and squid
   via  ffdd9ddeaea s4:dns_server: loudly warn when a tombstone record has 
other records
   via  78658eee76b s4/dsdb: try not to leak on access check failure
   via  acb0a299172 librpc/ndr_basic: attempt only IPv4 addresses in 
push_ipv4
   via  44ce1ad5c8b idl/spoolss: fix spelling of UTF16 charset
   via  df8ab7edfa2 util/charset: disambiguate docs for convert_string twins
   via  7cf4efe7684 lib/util/charset: @param typos
  from  704a615521c docs-xml: add manpage for wspsearch cli client

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit d57f3bdcd3374b9661571e5e815be93c666a47cf
Author: Joseph Sutton 
Date:   Thu Sep 21 11:37:30 2023 +1200

s4:kdc: Simplify principal_comp_strcmp_int() to handle only equality

We only ever use the principal comparison functions to check equality.
Having these functions only handle equality simplifies their
implementation and makes them a bit easier to use.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15482

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Thu Oct 26 02:26:02 UTC 2023 on atb-devel-224

commit ea6d2ddb66ec28097c1fe47e2d0a9ab8c1f3e7c6
Author: Joseph Sutton 
Date:   Thu Sep 21 12:01:27 2023 +1200

s4:kdc: Check for overflow before calling smb_krb5_princ_component()

smb_krb5_princ_component() takes its component index parameter as ‘int’,
not ‘unsigned int’.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15482

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 122117357722445526124ec5ecf9e152bc8e2c87
Author: Joseph Sutton 
Date:   Thu Sep 21 11:22:51 2023 +1200

s4:kdc: Have principal_comp_strcmp_int() properly indicate an error

We should return error codes rather than silently mask failures.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15482

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit ddef0e5e1f63775cd22ee3b3febc6f765abbebf8
Author: Joseph Sutton 
Date:   Thu Sep 21 11:14:36 2023 +1200

s4:kdc: Consider a single‐component krbtgt principal to be the TGS

This matches the behaviour of Windows.

NOTE: This commit finally works again!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15482

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 7b68f751be14cfbbab49ffa0084cc72e41d0a3f5
Author: Joseph Sutton 
Date:   Mon Sep 25 13:16:43 2023 +1300

third_party/heimdal: Import lorikeet-heimdal-202309250010 (commit 
b73ae22b9b1c6fc06d0d79afe55517367a5f9670)

NOTE: THIS COMMIT WON’T COMPILE/WORK ON ITS OWN!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15482

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 6d7a05bf780481a2792ff87ae635fb91e1f0c640
Author: Joseph Sutton 
Date:   Thu Sep 21 11:22:47 2023 +1200

s4:kdc: Make use of smb_krb5_principal_is_tgs()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15482

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit

[SCM] Samba Shared Repository - branch master updated

2023-10-25 Thread Andrew Bartlett
  0e45a0cec95 s3:param: Make init_globals() public
   via  e30c404fb7a s3:param: Use the memory context we just created 
instead of tos
   via  49424f18b19 s3:param: Use a talloc stackframe in pyparam
   via  e24900ac895 s3:client: Call gfree_all() before exit in smbspool
   via  e48798cbb03 s3:client: Call gfree_all() before exit in smbclient
   via  4d411cf5cec s3:utils: Call gfree_all() before exit in smbtree
   via  643e0ae8761 s3:utils: Call gfree_all before exit in smbpasswd
   via  6aa56331212 s3:utils: Remove trailing white spaces in smbpasswd.c
   via  bbda37e4e3d s3:utils: Call gfree_all() before exit in smbget
   via  8a873f89773 s3:utils: Call gfree_all() before exit in smbfilter
   via  f849efebb84 s3:utils: Remove trailing white spaces in smbfilter.c
   via  2eee959fab6 s3:utils: Call gfree_all() before exit in smbcquotas
   via  6d482485ca9 s3:utils: Call gfree_all() before exit in smbcontrol
   via  9428fa3599a s3:utils: Call gfree_all() before exit in smbcacls
   via  d7a8e63f1db s3:utils: Call gfree_all() before exit in sharesec
   via  72add41e2a7 s3:utils: Call gfree_all() before exit in regedit
   via  66c76976150 s3:utils: Call gfree_all() before exit in pdbedit
   via  8482d46faba s3:utils: Call gfree_all() before exit in ntlm_auth
   via  0653f78bcc7 s3:utils: Call gfree_all() before exit in net
  from  3c4714bc834 s3:rpc_server: Correctly reset DEVMODE bit

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 704a615521cd90693009366fa8ae23a25210d119
Author: Noel Power 
Date:   Tue Oct 25 18:30:31 2022 +0100

docs-xml: add manpage for wspsearch cli client

Signed-off-by: Noel Power 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Wed Oct 25 23:20:33 UTC 2023 on atb-devel-224

commit a3a7a94ff4303f1c99c10d2dda4cea86574582e3
Author: Noel Power 
Date:   Thu Jul 21 16:53:17 2016 +0100

s3/utils: Add search client

Simple cli client for doing a basic windows search.

example:

  wspsearch -U$(USER)%$(PASSWD) //$(SERVER)/$(SHARE) --search='DSC' 
--kind=Picture

Signed-off-by: Noel Power 
Reviewed-by: Andrew Bartlett 

commit 387c9f3aa5fd71ece868ad02a9e65669b59ed8b6
Author: Noel Power 
Date:   Mon Oct 17 20:15:32 2022 +0100

libcli/wsp: Add simple client api for wsp client code.

Signed-off-by: Noel Power 
Reviewed-by: Andrew Bartlett 

commit 47a0dc6fa6c983bed65d2e950845ae47e1f4df64
Author: Noel Power 
Date:   Wed Aug 23 12:06:02 2023 +0100

add accessor for tstream_context

Signed-off-by: Noel Power 
Reviewed-by: Andrew Bartlett 

commit 2b2fdd5323cd5588e08c16953802a880bcab483e
Author: Noel Power 
Date:   Wed Aug 23 11:28:21 2023 +0100

remove problematic include (seems to bring in conflicted definitions)

Signed-off-by: Noel Power 
Reviewed-by: Andrew Bartlett 

commit 8977d0a5bce25a2a50f8d77f6997bb9b5282bad4
Author: Noel Power 
Date:   Tue Oct 25 11:30:03 2022 +0100

librpc/wsp: Add some util functions needed for wsp client api

Signed-off-by: Noel Power 
Reviewed-by: Andrew Bartlett 

commit 86d434218063cf0c982015be908681bd9fe91f12
Author: Noel Power 
Date:   Mon Oct 24 20:50:27 2022 +0100

libcli/wsp: Test AQS parser

Signed-off-by: Noel Power 
Reviewed-by: Andrew Bartlett 

commit 68ce6cf68457aa7f07bc9d9ee8c64906106783fb
Author: Noel Power 
Date:   Mon Oct 17 19:14:35 2022 +0100

librpc/wsp: Add functions to dump restriction as string

Signed-off-by: Noel Power 
Reviewed-by: Andrew Bartlett 

commit b28fb85a1f88aa55db07a53eae32bd663a3e08d8
Author: Noel Power 
Date:   Wed Jun 29 11:29:54 2016 +0100

libcli/wsp: Add support for simplified Advanced Query Syntax

Add support to parse AQS-like (Advanced query syntax)

AQS - see 
https://learn.microsoft.com/en-gb/windows/win32/search/-search-3x-advancedquerysyntax

The basic (AQS) syntax is supported e.g. a query is built of a sequence of
queries connected by AND, OR and NOT where the query elements are
essentially restrictions defined by a property. There are some
limitations on the operators supported[1] and additionally some things
like enumerated ranges are not supported at all and range values are not
delimited as specified [2]. Some special cases that you see in the
windows search UI are exceptions [3] which are handled more or less as 
keywords

Some examples:

The following are all exactly the same query just expressed using
different variations of the syntax

'ALL:($ System.Size:10241-102401'

'ALL:$ System.Size:>=10241 AND 
System.Size:<102401'

'ALL:$ System.Size:small'

The queries above by default select the property System.ItemUrl as the
one and only 

[SCM] Samba Shared Repository - branch master updated

2023-10-24 Thread Andrew Bartlett
The branch, master has been updated
   via  50b8a2de2aa python: getopt: HostOptions and other option groups 
inherit from samba OptionGroup class
   via  7c389e19212 netcmd: auth policy: add OptionGroup classes for user, 
service and computer options
   via  0667708cef2 python: netcmd: make use of HostOptions for claims and 
sites commands
   via  e1244ba304a python: getopt: Add HostOptions to avoid need to 
manually add -H
   via  0f3d6d80dab python: netcmd: make use of required flag on Option for 
claims commands
   via  e60f3afcc5f python: getopt: implement required flag on options and 
OptionParser
   via  837e1d9fdad python: getopt: subclass OptionParser to populate 
option_class
   via  6943a58bff3 netcmd: tests: stop checking for ERROR prefix from 
CommandError
   via  fb058e7f2ce python: netcmd: remove OptionError alias to 
OptionValueError
   via  14b21298687 python: netcmd: catch parent exception class 
OptParseError instead
   via  f77064c8225 python: getopt: rename SambaOption to Option
   via  d54f52b847f python: netcmd: parser class in getSamDB should set 
option_class
   via  b7a1946d8b7 python: netcmd: fix import grouping and sorting in base 
first
   via  5f8c46d1dec python: netcmd: remove redundant Option subclass
   via  32032937ed9 python: netcmd: SUPPRESS_HELP constant has no effect 
here
   via  a930456f0c9 python: netcmd: dbcheck: fix import grouping and order
   via  3a5a5cae3a6 python: netcmd: ntacl: fix import grouping and order
   via  90f7ad08b53 python: tests: fix some hidden tab characters in 
tests.py
   via  0f93e1d17f8 python: add docstrings to Validator and ValidationError
   via  dc513a82a6a python: move Validator base class and ValidationError 
to getopt
   via  29c9991594f python: getopt: move validators logic to parent class
   via  bdad257a312 netcmd: don't turn exception into CommandError in 
run_validators
   via  99c93c1e89e netcmd: PEP8: minor whitespace fix, file did not pass 
PEP8
   via  c3876242fdf netcmd: move comment above class to docstring
   via  8b575612975 netcmd: correctly pass Samba option class to 
OptionParser
   via  96959b72679 python: getopt: move SambaOption to the top of the file
   via  c688e73358c python: getopt: correctly group and sort imports
   via  1f8b4913c60 python: getopt: update super calls to python3 style
   via  e209b8d79c2 python: move comment for check_bytes to docstring
   via  22316fea335 python: PEP8 fixup whitespace in getopt.py first
   via  029e0457ccc netcmd: tests: make check_run and related methods 
classmethod for consistency
   via  b543874abc3 tests: minor indentation and whitespace fixes
  from  7c8dea14da6 smbtorture: add test for fruit:validate_afpinfo option

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 50b8a2de2aadd94386fb0525bfc741867121c929
Author: Rob van der Linde 
Date:   Fri Oct 20 14:46:40 2023 +1300

python: getopt: HostOptions and other option groups inherit from samba 
OptionGroup class

Signed-off-by: Rob van der Linde 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Wed Oct 25 00:31:37 UTC 2023 on atb-devel-224

commit 7c389e19212f76aaf9cba8ac8315742c7294e2c8
Author: Rob van der Linde 
Date:   Tue Oct 10 23:31:33 2023 +1300

netcmd: auth policy: add OptionGroup classes for user, service and computer 
options

Signed-off-by: Rob van der Linde 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 0667708cef2e4375552860ae67ac24e6b0f593d0
Author: Rob van der Linde 
Date:   Fri Oct 6 15:49:27 2023 +1300

python: netcmd: make use of HostOptions for claims and sites commands

Signed-off-by: Rob van der Linde 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit e1244ba304a2de598779f9fcf1307244f333ab65
Author: Rob van der Linde 
Date:   Fri Oct 6 15:47:43 2023 +1300

python: getopt: Add HostOptions to avoid need to manually add -H

Signed-off-by: Rob van der Linde 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 0f3d6d80dab0be046663e8bac2357b20520c70e3
Author: Rob van der Linde 
Date:   Fri Oct 6 14:50:32 2023 +1300

python: netcmd: make use of required flag on Option for claims commands

Signed-off-by: Rob van der Linde 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit e60f3afcc5fca7ec1d8aacfc7abf19009b3d831c
Author: Rob van der Linde 
Date:   Fri Oct 6 12:58:46 2023 +1300

python: getopt: implement required flag on options and OptionParser

Signed-off-by: Rob van der Linde 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 837e1d9fdad79ea3a7fdce1232d8dd834f181a63
Author: Rob van der Linde 
Date

[SCM] Samba Shared Repository - branch master updated

2023-10-23 Thread Andrew Bartlett
The branch, master has been updated
   via  63aeb64504c s4:kdc: Add device to Authenticated Users for 
authentication policy evaluation
   via  eaffadb8286 s4:kdc: Add a flag indicating that the device should be 
added to Authenticated Users
   via  c91d1618e33 s4:kdc: Add device to default groups for authentication 
policy evaluation
   via  fc2f886441e s4:kdc: Add a flag indicating that the device should be 
added to the default groups
   via  7728a0622e0 s4:kdc: Make a copy of the device SIDs to be placed in 
the security token
   via  eb21ac87776 tests/krb5: Test whether the device belongs to some 
default groups
   via  0f5033a1e76 tests/krb5: Work around Samba’s incorrect krbtgt 
principal handling
   via  4e8fb9706e2 tests/krb5: Remove unnecessary target_creds variables
  from  4c291514a9e s4:kdc: Permit RODC‐issued evidence tickets for 
constrained delegation

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 63aeb64504cf6b9cbb52ac338129b9930d65f6b3
Author: Joseph Sutton 
Date:   Fri Oct 20 15:01:30 2023 +1300

s4:kdc: Add device to Authenticated Users for authentication policy 
evaluation

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Tue Oct 24 01:59:32 UTC 2023 on atb-devel-224

commit eaffadb8286ef6d68d433f8c8f244f20ad00e9d3
Author: Joseph Sutton 
Date:   Fri Oct 20 15:00:12 2023 +1300

s4:kdc: Add a flag indicating that the device should be added to 
Authenticated Users

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit c91d1618e339da1c29b371866d5ab243e3d3fad6
Author: Joseph Sutton 
Date:   Thu Oct 19 20:02:43 2023 +1300

s4:kdc: Add device to default groups for authentication policy evaluation

This means that expressions like ‘Device_Member_of(WD)’ will now work,
as they should.

It *also* means that expressions like ‘Device_Member_of(NU)’ will work,
even though they shouldn’t. This is because we consider SID_NT_NETWORK
to be a default group.

Our new behaviour may be wrong, but at least it’s now consistent with
the behaviour of user‐relative expressions like ‘Member_of(WD)’ and
‘Member_of(NU)’.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit fc2f886441e2cd806c26712762a6813f6ce4f924
Author: Joseph Sutton 
Date:   Thu Oct 19 20:02:32 2023 +1300

s4:kdc: Add a flag indicating that the device should be added to the 
default groups

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 7728a0622e0f7a7bf672131b757799e03b99d2dd
Author: Joseph Sutton 
Date:   Thu Oct 19 20:02:13 2023 +1300

s4:kdc: Make a copy of the device SIDs to be placed in the security token

We shall need to add extra SIDs on the end.

View with ‘git show -b’.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit eb21ac87776d113e40070babadcf104f087c0b1d
Author: Joseph Sutton 
Date:   Thu Oct 19 17:11:41 2023 +1300

tests/krb5: Test whether the device belongs to some default groups

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 0f5033a1e76a0e079b6dc1859f2cb2d9110e1b1f
Author: Joseph Sutton 
Date:   Thu Oct 19 16:23:32 2023 +1300

tests/krb5: Work around Samba’s incorrect krbtgt principal handling

These tests fail only because they are using the ‘krbtgt@REALM’ form of
the krbtgt principal that Samba doesn’t handle correctly.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 4e8fb9706e226fe4f44140c1df64c155c36f22f7
Author: Joseph Sutton 
Date:   Thu Oct 19 16:22:28 2023 +1300

tests/krb5: Remove unnecessary target_creds variables

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

---

Summary of changes:
 auth/common_auth.h   |   2 +
 python/samba/tests/krb5/conditional_ace_tests.py | 229 ---
 python/samba/tests/krb5/kdc_tgs_tests.py |   8 +-
 selftest/knownfail_heimdal_kdc   |   8 +-
 selftest/knownfail_mit_kdc   |   9 +-
 source4/auth/session.c   |  59 +-
 source4/kdc/authn_policy_util.c  |   5 +
 7 files changed, 280 insertions(+), 40 deletions(-)


Changeset truncated at 500 lines:

diff --git a/auth/common_auth.h b/auth/common_auth.h
index 58fb2cd0b3d..1afb79eb5df 100644
--- a/auth/common_auth.h
+++ b/auth/common_auth.h
@@ -41,6 +41,8 @@ enum auth_password_state {
 #define AUTH_SESSION_INFO_UNIX_TOKEN 0x08 /* The returned token must 
have the unix_token and unix_info elements provided */
 #define AUTH_SESSION_INFO_NTLM   0x10 /* The returned token must 
have authenticated

[SCM] Samba Shared Repository - branch master updated

2023-10-19 Thread Andrew Bartlett
The branch, master has been updated
   via  4c291514a9e s4:kdc: Permit RODC‐issued evidence tickets for 
constrained delegation
   via  d209cdf4f0c s4:kdc: Add flag to indicate the upper sixteen bits of 
the kvno are specified
   via  37594035547 s4:kdc: Use HDB flag constants instead of SDB ones
   via  4e83dfb6764 s4:kdc: Always regard device info when the client 
performs RBCD
   via  fc7f64baa35 s4:dsdb: Remove reference to non‐existent code
   via  053292a7e8d tests/krb5: Delete connection variable
   via  7ea71c4882e tests/krb5: Make ‘services’ parameter required
   via  ea10d01bfd6 tests/krb5: Remove unreachable exception handlers
   via  e48eb621cd9 tests/krb5: Fix RC4‐only Protected Users tests
   via  f1babf2f3db tests/krb5: Remove unnecessary f‐strings
   via  137499aef60 tests/krb5: Remove unused imports
   via  d363c7bf55a tests/krb5: Fix DES3CBC random_to_key()
   via  a0d32a39804 tests/krb5: Make ‘keybytes’ a bytes object rather than 
a list
   via  69db1b58882 tests/krb5: Don’t expect edata if no error is expected
   via  ee43eed6354 tests/krb5: Add parameter to _tgs() specifying whether 
FAST is to be used
   via  991e8f5a7f5 tests/krb5: Use None for the default values of 
parameters
   via  2ddd8ca3c72 tests/krb5: Move assignments closer to where the 
variables are used
   via  7f860d1cba4 tests/krb5: Remove incorrect functional level check
   via  11835ed5bbb tests/krb5: Update method names to be consistent with 
other tests
   via  88d5ae3218d tests/krb5: Have _modify_tgt() accept only keyword 
arguments
   via  59f7052295a tests/krb5: Correctly pass arguments to _modify_tgt()
   via  a365f04d0f3 tests/krb5: Add KDC_ERR_SERVER_NOMATCH error code
   via  fc475b2e209 tests/krb5: Add ‘expect_edata’ parameter to _user2user()
   via  fcdc0101225 tests/krb5: Fix comment
   via  879e7a3c3e8 tests/krb5: Remove marker
   via  29176807bc2 s4:torture: Check return values of gnutls functions 
(CID 1547212)
   via  07ec3457dc2 s4:torture: Fix leaks
   via  cf30ddb56d2 s4:torture: Check return values of talloc functions
  from  52fd0d79ab0 smbd: put back code to fill in user and group SID

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 4c291514a9e144c84d774120001775005838e80d
Author: Joseph Sutton 
Date:   Tue Oct 17 20:24:04 2023 +1300

s4:kdc: Permit RODC‐issued evidence tickets for constrained delegation

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Thu Oct 19 22:39:19 UTC 2023 on atb-devel-224

commit d209cdf4f0c8ab948f59ef4cbe824a6fa9bef4ad
Author: Joseph Sutton 
Date:   Tue Oct 17 20:18:28 2023 +1300

s4:kdc: Add flag to indicate the upper sixteen bits of the kvno are 
specified

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 375940355477e5d564b633d81777a3eba0f162e5
Author: Joseph Sutton 
Date:   Tue Oct 17 20:18:12 2023 +1300

s4:kdc: Use HDB flag constants instead of SDB ones

These flags are passed to us by Heimdal, and so they are HDB flags, not
SDB flags.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 4e83dfb6764325bcb420407929399ff4c2b46656
Author: Joseph Sutton 
Date:   Tue Oct 17 14:24:46 2023 +1300

s4:kdc: Always regard device info when the client performs RBCD

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit fc7f64baa35689b860d208702416f85bb212a3be
Author: Joseph Sutton 
Date:   Tue Oct 17 11:18:50 2023 +1300

s4:dsdb: Remove reference to non‐existent code

Commit 498542be0bbf4f26558573c1f87b77b8e3509371 removed the code in
question.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 053292a7e8d2568a06cb6590815039e241d66c52
Author: Joseph Sutton 
Date:   Wed Oct 18 16:07:30 2023 +1300

tests/krb5: Delete connection variable

This avoids a ‘variable set but unused’ warning.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 7ea71c4882e97c33e1714f8be461aedb57b82aae
Author: Joseph Sutton 
Date:   Wed Oct 18 16:06:51 2023 +1300

tests/krb5: Make ‘services’ parameter required

We use it unconditionally without a check for None.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit ea10d01bfd699b623536ca6fdd8e9b5d5db8d06f
Author: Joseph Sutton 
Date:   Wed Oct 18 16:05:17 2023 +1300

tests/krb5: Remove unreachable exception handlers

‘IOError’ is a subclass of ‘error’, which has already been handled.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit e48eb621cd92cc3d97b77126512295d5bf14ed49
Author: Joseph Sutton 
Date:   Wed Oct 18 16:03:45 2023 +1300

tests/krb5: Fix RC4‐only Protected

[SCM] Samba Shared Repository - branch master updated

2023-10-17 Thread Andrew Bartlett
The branch, master has been updated
   via  f392fdfd47f shadow_copy2: Add missing TALLOC_FREE
   via  c6d0df787a1 s4:torture: Increase multichannel timeout
   via  5ec5496df40 s4:rpc_server/epmapper: use ndr_syntax_id_equal() in 
dcesrv_epm_Map() to match the request
   via  53e4fe647ec s4:rpc_server/epmapper: check 
dcerpc_floor_get_uuid_full() result in dcesrv_epm_Map()
   via  dfdb8736c75 s4:rpc_server: simplify logic in dcesrv_epm_Map matching
   via  7a7a38b870d librpc/rpc: also get the 2nd half of the ndr_syntax_id 
from a floor
   via  1058382d048 librpc/rpc: add dcerpc_floor_pack_uuid_full() helper 
function
   via  ac392c35e49 s3:rpc_server: let create_policy_hnd() return a pointer
   via  403bceef914 s4:rpc_server/remote: make use of dcesrv_async_reply()
   via  06c12033b35 s4:rpc_server/netlogon: make use of dcesrv_async_reply()
   via  d880999480e s4:rpc_server/lsa: make use of dcesrv_async_reply()
   via  eaf3654dd1e s4:rpc_server/common: make use of dcesrv_async_reply()
   via  27d11803a45 s4:rpc_server/echo: make use of dcesrv_async_reply()
   via  b8eae782251 librpc/rpc: add dcesrv_async_reply() helper that 
disconnects as needed
   via  5a6978205ed librpc/rpc: allow dcesrv_context to propose the 
preferred ndr syntax
   via  f8b76235fe0 s3:rpc_server: distribute clients based on available 
association group slots
   via  40e780ad162 dcesrv_core: maintain the number of allocated 
association groups per dce_ctx
   via  2c2c2f43688 s3:rpc_server: improve debugging in 
rpc_host_distribute_clients()
   via  cd2cb49179c s3:rpc_server: simplify rpc_host_find_worker()
   via  eb8cf371b8d s3:rpc_server: correctly allow up to 65536 workers 
processes
   via  e4bdab659bb rpc_host.idl: change server_index from uint8 to uint32
   via  94723b6732a s3:rpc_server: call reopen_logs before we print the 
copyright notice
   via  f35baa4eb2e s3:rpc_server: make use of 
dcesrv_register_default_auth_types[_machine_principal]()
   via  ae38cfe6da7 s3:rpc_server: let get_servers() callback of 
rpc_worker_main() return NTSTATUS
   via  2d73b1e0618 s3:rpc_server: let register_ep_server() errors result 
in DBG_ERR()
   via  2ba5016e4b4 librpc/rpc: add 
dcesrv_register_default_auth_types[_machine_principal]() helpers
   via  1d0a5b3ac75 librpc/rpc: implement dcesrv_mgmt_inq_princ_name 
infrastructure
   via  9f51379dd73 librpc/rpc: let dcesrv_mgmt_inq_if_ids() filter out the 
mgmt syntax_id
   via  6cb12d3955d librpc/rpc: apply some code cleanup and error checks to 
dcesrv_mgmt.c
   via  a38f58ac85f s4:torture/rpc: let test_inq_princ_name_size also test 
for princ_name_size = 0 and BAD_STUB_DATA
   via  2a290dcb945 s3:selftest: also run rpc.mgmt against the nt4_dc (and 
ad_dc)
   via  09daeba6962 libcli/util: let win_errstr() fallback to 
hresult_errstr()
  from  237b6fc3ad6 s3:tests: Plan test_smbspool_krb.sh for environment 
ad_member_fips

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit f392fdfd47f47e371fe75f5cd4647126922fda19
Author: MikeLiu 
Date:   Fri Oct 13 11:55:52 2023 +0800

shadow_copy2: Add missing TALLOC_FREE

Signed-off-by: MikeLiu 
Reviewed-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Tue Oct 17 20:22:18 UTC 2023 on atb-devel-224

commit c6d0df787a1f6007e1f4594f68ff1f75a46bd293
Author: Andreas Schneider 
Date:   Tue Oct 17 14:29:03 2023 +0200

s4:torture: Increase multichannel timeout

This avoids running into timeouts on GitLab CI.

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit 5ec5496df40e6015ec8de6133a406bb50efebe35
Author: Stefan Metzmacher 
Date:   Fri Oct 13 09:18:25 2023 +0200

s4:rpc_server/epmapper: use ndr_syntax_id_equal() in dcesrv_epm_Map() to 
match the request

This makes it much easier to understand.

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

commit 53e4fe647ec3f840836340cf9eac4f79b8794aad
Author: Stefan Metzmacher 
Date:   Fri Oct 13 09:11:51 2023 +0200

s4:rpc_server/epmapper: check dcerpc_floor_get_uuid_full() result in 
dcesrv_epm_Map()

This already checks for EPM_PROTOCOL_UUID and simplifies the logic.

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

commit dfdb8736c750079bc42d274a416c9f7ea3f820dc
Author: Stefan Metzmacher 
Date:   Thu Oct 12 17:19:21 2023 +0200

s4:rpc_server: simplify logic in dcesrv_epm_Map matching

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

commit 7a7a38b870dd8f0b384e290b8e9e18305bf54f90
Author: Stefan Metzmacher 
Date:   Wed Aug 9 19:39:21 2023 +0200

librpc/rpc: also get the 2nd half of the ndr_syntax_id from a floor

Signed-off-by: Stefan Metzmacher

[SCM] Samba Shared Repository - branch master updated

2023-10-16 Thread Andrew Bartlett
The branch, master has been updated
   via  310629508bf gitignore: add WAF lockfile
   via  e2ace2d6137  build: Add 'make printversion' to provide version 
string
   via  53ff61bbddd s4:kdc: Remove unused function int2SDBFlags()
   via  7405a8fab0d s4:kdc: Explicitly initialize SDBFlags structures
   via  9fcace5818a s4:kdc: Make ‘struct user_info_dc’ members const
   via  b7b4c7ca8c4 s4:dsdb: Check return value of ldb_msg_add_empty() (CID 
1449667)
   via  c15a9af8e58 tests/krb5: Fix ASN.1 source
   via  1712449aa67 tests/krb5: Don’t expect groups if we’re expecting an 
error
   via  a8a186868e4 tests/krb5: Fix tests that crash Windows
   via  52ea480543b tests/krb5: Expect a status code with policy errors
   via  b5b8b16a50e tests/krb5: Don’t consider RODC‐issued tickets to be 
banned with RBCD
   via  35c7061f97a buildtools: Correctly raise exception
   via  ec23abfe1f7 buildtools: Don’t call normpath() repeatedly
  from  bf79979f847 s4:kdc: fix user2user tgs-requests for normal user 
accounts

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 310629508bfbedecfab9b653b7cba0282f5c0e8b
Author: Michael Adam 
Date:   Mon Oct 16 19:04:55 2023 +0200

gitignore: add WAF lockfile

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15497

Signed-off-by: Michael Adam 
Reviewed-by: Christof Schmitt 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Tue Oct 17 04:16:29 UTC 2023 on atb-devel-224

commit e2ace2d613701f3d4a7c7c202f68d2f193c0a64a
Author: Christof Schmitt 
Date:   Thu Sep 12 16:11:34 2013 -0700

 build: Add 'make printversion' to provide version string

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15497

Signed-off-by: Christof Schmitt 
Reviewed-by: Andrew Bartlett 

commit 53ff61bbddd5c4db6f0849c833c800f2a792e45f
Author: Joseph Sutton 
Date:   Thu Oct 12 11:56:01 2023 +1300

s4:kdc: Remove unused function int2SDBFlags()

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 7405a8fab0d4a8ba31213abbe2bfaa1197fd3415
Author: Joseph Sutton 
Date:   Thu Oct 12 11:54:50 2023 +1300

s4:kdc: Explicitly initialize SDBFlags structures

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 9fcace5818a43770c2f30710fb32e0db8dd599c3
Author: Joseph Sutton 
Date:   Thu Oct 12 13:40:21 2023 +1300

s4:kdc: Make ‘struct user_info_dc’ members const

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit b7b4c7ca8c4309e9563ac90378b84e4b83bd1eab
Author: Joseph Sutton 
Date:   Fri Oct 6 14:11:24 2023 +1300

s4:dsdb: Check return value of ldb_msg_add_empty() (CID 1449667)

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit c15a9af8e58075f364c617578abee9b897abc342
Author: Joseph Sutton 
Date:   Mon Oct 16 15:37:29 2023 +1300

tests/krb5: Fix ASN.1 source

It currently fails to compile.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 1712449aa67d52ff5f3bb6b673644b25bce41086
Author: Joseph Sutton 
Date:   Mon Oct 16 14:41:51 2023 +1300

tests/krb5: Don’t expect groups if we’re expecting an error

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit a8a186868e4f4e8a8d711437747e6af47edb9be9
Author: Joseph Sutton 
Date:   Mon Oct 2 12:20:48 2023 +1300

tests/krb5: Fix tests that crash Windows

Expect an actual error code or an outcome, not CRASHES_WINDOWS.

I don’t know which error codes Windows might be expected to produce, so
I’ve chosen some that seem plausible.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 52ea480543b53173b9f92550b844224d17c14c51
Author: Joseph Sutton 
Date:   Tue Oct 17 14:03:33 2023 +1300

tests/krb5: Expect a status code with policy errors

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit b5b8b16a50ecb7225fe1bfa31d3a839efdd9f7d0
Author: Joseph Sutton 
Date:   Tue Oct 17 13:34:29 2023 +1300

tests/krb5: Don’t consider RODC‐issued tickets to be banned with RBCD

If we’re verifying that a ticket was permitted to be issued by an RODC,
and not trusting the group SIDs in the ticket, is there any reason to
ban its use with RBCD?

A client with a ticket issued by an RODC that happens to select a DC to
direct an RBCD request at should not have the request mysteriously fail.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 35c7061f97a1f0dd79efe3a567b7054304192f55
Author: Joseph Sutton 
Date:   Fri Oct 13 12:38:35 2023 +1300

buildtools: Correctly raise exception

This avoids errors like the following:
‘RuntimeError: No active exception to reraise’

Signed-off-by: Joseph Sutton 
Reviewed

[SCM] Samba Shared Repository - branch master updated

2023-10-15 Thread Andrew Bartlett
The branch, master has been updated
   via  6e862bd3690 s4/torture: fix exit status of raw.bench-lookup
   via  b76e184c073 gpupdate: Implement Drive Maps Client Side Extension
   via  42d03da3063 gpupdate: Test Drive Maps Client Side Extension
  from  acd9248b13c tevent: version 0.16.0

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 6e862bd3690c041aa061ed8f7ee1d9207381674f
Author: Oleg Kravtsov 
Date:   Fri Oct 6 12:20:05 2023 +0300

s4/torture: fix exit status of raw.bench-lookup

Use correct value of 'result' when the test passes.

Signed-off-by: Oleg Kravtsov 
Reviewed-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Mon Oct 16 02:01:17 UTC 2023 on atb-devel-224

commit b76e184c07333b00daab5969ba4687b8844c1ce3
Author: David Mulder 
Date:   Fri Mar 10 14:30:17 2023 -0700

gpupdate: Implement Drive Maps Client Side Extension

Signed-off-by: David Mulder 
Reviewed-by: Andrew Bartlett 

commit 42d03da3063a1ac7c20674312a3d730ac143874b
Author: David Mulder 
Date:   Fri Mar 10 14:29:24 2023 -0700

gpupdate: Test Drive Maps Client Side Extension

Signed-off-by: David Mulder 
Reviewed-by: Andrew Bartlett 

---

Summary of changes:
 python/samba/gp/gp_drive_maps_ext.py | 169 +++
 python/samba/gp/gpclass.py   |  67 +
 python/samba/tests/bin/gio   |  11 ++
 python/samba/tests/gpo.py| 188 ++-
 source4/scripting/bin/samba-gpupdate |   2 +
 source4/torture/raw/lookuprate.c |   1 +
 6 files changed, 437 insertions(+), 1 deletion(-)
 create mode 100644 python/samba/gp/gp_drive_maps_ext.py
 create mode 100755 python/samba/tests/bin/gio


Changeset truncated at 500 lines:

diff --git a/python/samba/gp/gp_drive_maps_ext.py 
b/python/samba/gp/gp_drive_maps_ext.py
new file mode 100644
index 000..85aaa56b439
--- /dev/null
+++ b/python/samba/gp/gp_drive_maps_ext.py
@@ -0,0 +1,169 @@
+# gp_drive_maps_user_ext samba gpo policy
+# Copyright (C) David Mulder  2020
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+import os
+import json
+from samba.gp.gpclass import gp_xml_ext, gp_misc_applier, drop_privileges, \
+expand_pref_variables
+from subprocess import Popen, PIPE
+from samba.gp.gp_scripts_ext import fetch_crontab, install_crontab, \
+install_user_crontab
+from samba.gp.util.logging import log
+from samba.gp import gp_scripts_ext
+gp_scripts_ext.intro = '''
+### autogenerated by samba
+#
+# This file is generated by the gp_drive_maps_user_ext Group Policy
+# Client Side Extension. To modify the contents of this file,
+# modify the appropriate Group Policy objects which apply
+# to this machine. DO NOT MODIFY THIS FILE DIRECTLY.
+#
+
+'''
+
+def mount_drive(uri):
+log.debug('Mounting drive', uri)
+out, err = Popen(['gio', 'mount', uri],
+ stdout=PIPE, stderr=PIPE).communicate()
+if err:
+if b'Location is already mounted' not in err:
+raise SystemError(err)
+
+def unmount_drive(uri):
+log.debug('Unmounting drive', uri)
+return Popen(['gio', 'mount', uri, '--unmount']).wait()
+
+class gp_drive_maps_user_ext(gp_xml_ext, gp_misc_applier):
+def parse_value(self, val):
+vals = super().parse_value(val)
+if 'props' in vals.keys():
+vals['props'] = json.loads(vals['props'])
+if 'run_once' in vals.keys():
+vals['run_once'] = json.loads(vals['run_once'])
+return vals
+
+def unapply(self, guid, uri, val):
+vals = self.parse_value(val)
+if 'props' in vals.keys() and \
+vals['props']['action'] in ['C', 'R', 'U']:
+unmount_drive(uri)
+others, entries = fetch_crontab(self.username)
+if 'crontab' in vals.keys() and vals['crontab'] in entries:
+entries.remove(vals['crontab'])
+install_user_crontab(self.username, others, entries)
+self.cache_remove_attribute(guid, uri)
+
+def apply(self, guid, uri, props, run_once, entry):
+old_val = self.cache_get_attribute_value(guid, uri)
+ 
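Review bot: mount_drive() infers failure from stderr text instead of gio's exit status, so any stderr output raises SystemError, and the 'Location is already mounted' exemption only works when gio emits that message in English. Suggest keeping the Popen object, checking its returncode after communicate(), and setting LC_ALL=C in the child environment if the message match is kept. unmount_drive() returns the exit status, but unapply() does not check it before calling self.cache_remove_attribute(guid, uri), so a failed unmount goes unreported. In unapply(), vals['props']['action'] raises KeyError if a cached props value has no 'action' key; vals['props'].get('action') avoids that. The module-level assignment gp_scripts_ext.intro = '''...''' changes the crontab header for every other user of gp_scripts_ext loaded in the same process; passing the intro text as an argument would avoid that side effect.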

[SCM] Samba Shared Repository - branch master updated

2023-10-12 Thread Andrew Bartlett
The branch, master has been updated
   via  d895c98c507 wintest: Fix invalid escape sequences
   via  3f70da665bd selftest: Use now() instead of utcnow()
   via  44958f363ee s4:torture: Use assertEqual() instead of assertEquals()
   via  9e3a858969a s4:dsdb:tests: Use loadTestsFromTestCase() instead of 
makeSuite()
   via  bb77f36f49c s4:dsdb:tests: Fix assertion messages
   via  1513a4592c0 s4:dsdb:tests: Remove unused variables
   via  079306cf34f s4:dsdb:tests: Remove unused imports
   via  39a4d27a83c s3:script: Remove semicolons
   via  1a4ec25b327 tests/krb5: Fix assertion messages
   via  2f5833cbb3a tests/krb5: Use assertEqual() instead of assertEquals()
   via  f7009e2a35c python:tests: Use now() instead of utcnow()
   via  af61444d7a5 python:tests: Remove semicolons
   via  7efe6b0ab42 python:tests: Correct search expression
   via  ed97b15fe97 python:tests: Fix comment
   via  d2196545bb0 python:tests: Fix exception message
   via  2fa838d4395 python:tests: Use assertEqual() instead of 
assertEquals()
   via  08dbb35e7e4 python:subunit: Use now() instead of utcnow()
   via  7c89c5880ea python:colour: Fix exception message
   via  876ee3fb849 examples: Fix invalid escape sequences
   via  1f3d49edc6d examples: Don’t use deprecated method ‘has_key()’
   via  2870ef951e9 buildtools: Remove semicolons
  from  afb335664c9 s4-torture: add another test to demonstrate identical 
functions

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit d895c98c507a72116ef414e07da4dab7c8f61504
Author: Joseph Sutton 
Date:   Mon Sep 11 11:59:55 2023 +1200

wintest: Fix invalid escape sequences

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Fri Oct 13 04:55:06 UTC 2023 on atb-devel-224

commit 3f70da665bd7e4946cc5e777c52fdaa1954119d3
Author: Joseph Sutton 
Date:   Mon Oct 2 13:58:18 2023 +1300

selftest: Use now() instead of utcnow()

utcnow() is deprecated and will be removed in a future version of Python.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 44958f363eef97c3bbc9c69a78d89f53df21edda
Author: Joseph Sutton 
Date:   Mon Oct 2 13:35:32 2023 +1300

s4:torture: Use assertEqual() instead of assertEquals()

assertEquals() was removed in Python 3.12.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 9e3a858969a035518ed5b1a87c378e2371efd3b5
Author: Joseph Sutton 
Date:   Mon Oct 2 15:07:54 2023 +1300

s4:dsdb:tests: Use loadTestsFromTestCase() instead of makeSuite()

makeSuite() is deprecated and will be removed in Python 3.13.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit bb77f36f49c7866f8353b68129202a1e7793bc14
Author: Joseph Sutton 
Date:   Mon Oct 2 14:25:52 2023 +1300

s4:dsdb:tests: Fix assertion messages

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 1513a4592c0aa95d52dc5adce45be602cdacc354
Author: Joseph Sutton 
Date:   Mon Oct 2 14:25:16 2023 +1300

s4:dsdb:tests: Remove unused variables

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 079306cf34fb460d87ad1109ff32e889667f7086
Author: Joseph Sutton 
Date:   Mon Oct 2 14:24:49 2023 +1300

s4:dsdb:tests: Remove unused imports

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 39a4d27a83cb59474fc349ae3e68c10374c296d6
Author: Joseph Sutton 
Date:   Thu Aug 17 11:20:40 2023 +1200

s3:script: Remove semicolons

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 1a4ec25b3270544c1611ee7f876be43dd68b9806
Author: Joseph Sutton 
Date:   Mon Oct 2 15:06:45 2023 +1300

tests/krb5: Fix assertion messages

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 2f5833cbb3adc0e3cc666edb62fa860288bf6a36
Author: Joseph Sutton 
Date:   Mon Oct 2 13:32:10 2023 +1300

tests/krb5: Use assertEqual() instead of assertEquals()

assertEquals() was removed in Python 3.12.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit f7009e2a35ce6dc0113cf373db06f5f9938f6748
Author: Joseph Sutton 
Date:   Mon Oct 2 13:58:00 2023 +1300

python:tests: Use now() instead of utcnow()

utcnow() is deprecated and will be removed in a future version of Python.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit af61444d7a58d1b05aa8cad552ac778dc56b552a
Author: Joseph Sutton 
Date:   Thu Aug 17 11:09:31 2023 +1200

python:tests: Remove semicolons

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 7efe6b0ab42f7b6af5c82a8f6d412f9da16a963b
Author: Joseph Sutton 
Date:   Mon Oct 2 15:07:16 2023 +1300

python:tests

[SCM] Samba Shared Repository - branch master updated

2023-10-12 Thread Andrew Bartlett
The branch, master has been updated
   via  afb335664c9 s4-torture: add another test to demonstrate identical 
functions
   via  e05c83408f7 s3-iremotewinspool: check for correct object_uuid in 
dispatch fn.
   via  e6b07d42538 s4-torture: add testcase to iremotewinspool suite to 
explore object_uuid handling
   via  e7a4c86878a s3-iremotewinspool: properly map incoming PAR to RPRN 
requests.
   via  7f3f6530d45 s3-iremotewinspool: add PAR->RPRN mapping table
   via  240b082dc4b s4:rpc_server: Check return values of gnutls functions 
(CID 1452111)
   via  ca2a97b729d s4:rpc_server: Check mkdir() return value (CID 1034649)
   via  c2daa3564a1 s4:ntvfs: Correctly acknowledge PVFS_FLAG_STRICT_SYNC 
flag (CID 241154)
   via  bea908cf604 s4:ntvfs: Remove dead code path
   via  4bb18ece5bf s4:ntvfs: Remove unneeded NULL check (CID 240771)
   via  c65411eab58 s4:messaging: Remove redundant code
   via  61534dd22d9 s4:libcli: Check return value of 
convert_string_talloc() (CID 1272839)
   via  077a7e41341 s4:libcli: Remove unnecessary casts
   via  20d1578 s4:dsdb: Don’t overwrite existing error code (CID 
1445263)
   via  b60604b1379 s4:dsdb: Log correct ldb error
   via  ea561fea6fb s4:dsdb: Replace early ‘continue’ with ‘if’ statement 
(CID 1414738)
   via  d4042e880f6 s4:dsdb: Check return value of ldb_msg_add_empty() (CID 
1272827)
   via  b098eb82bf4 s4:dsdb: Fix unreachable code (CID 1435967)
   via  4cf9f43e431 s4:dsdb: Remove unreachable code (CID 1034686)
   via  7e8c38604ab s4:dsdb: Check return code (CID 1444824/1444844)
   via  61037a85bf8 s4:dsdb: Permit forward link to be missing in 
linked_attributes_fix_forward_link()
   via  d0db0ff268b s4:dsdb: Check whether ‘p’ is NULL before dereferencing 
it (CID 240875)
   via  1ad4dd92882 s4:dns_server: Check return value of 
ldb_transaction_commit() (CID 1034631)
   via  d3b1aa6359d s4:dns_server: Merge similar code paths
   via  fa68f26167e s4:auth: Remove event context on failure
   via  79a9a07c799 s4:auth: Fix resource leak (CID 1107222)
   via  ac00851fc9f s3:utils: Check return value of cli_RNetServiceEnum() 
(CID 1273313)
   via  59e16873210 s3:utils: Avoid integer overflow (CID 1035488)
   via  7eaad46f8c3 smb2_server: Check status codes (CID 1474441)
   via  7774ca87e7d smb2_server: Remove unreachable code (CID 1444981)
   via  68fb12cb797 Revert "smbd: Fix CID 1504457 Resource leak"
   via  dbf96126cb2 s3:smbd: Avoid integer overflow (CID 1035487)
   via  1e4d4e6abd3 s3:rpcclient: Do not pass uninitialized pointer to 
printf() (CID 1476170)
   via  67b2dc725da s3:nmbd: Remove redundant code (CID 1414756)
   via  c30aa741ee9 s3:modules: Initialize mask_permset (CID 1435850)
   via  86b0755a4b7 s3:modules: Remove unreachable code (CID 1508998)
   via  d53483a5405 s3:libsmb: Fix array traversal (CID 1034683)
   via  0c2d2f833eb s3:libnet: Remove always‐false comparison (CID 241309)
   via  728177088cc Revert "s3:libads: Don’t do first loop iteration if 
‘attr’ is NULL"
   via  7eb47179b57 s3:lib: Rearrange preprocessor directives to avoid 
structurally dead code (CID 242032)
   via  3179fc2a703 s3:client: Correctly call setgroups() (CID 1449449)
   via  b28a268b459 smbXcli: Remove unreachable code (CID 1444978)
   via  86f8cde6b34 lib:util: Remove always‐false comparison (CID 242193)
   via  700754b0961 util: Remove redundant assertion (CID 1497841)
   via  757cd49b844 tdb: Do not pass non–null‐terminated strings to 
strcmp() (CID 1449485)
   via  8f4aa3508c0 lib:replace: Properly check result of write() and 
read() (CID 1034925)
   via  fe86989fcc1 lib:printer_driver: Check return value of 
gp_inifile_enum_section() (CID 1444835)
   via  03ca8c25d09 lib:compression: Correctly fix sign extension of long 
matches (CID 1517275)
  from  a2d96f5e291 s4:kdc: Always regard device info when checking a 
server authentication policy

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit afb335664c9f01f3a3b6f98712b31e4289d58aaf
Author: Günther Deschner 
Date:   Thu Sep 28 22:01:36 2023 +0200

s4-torture: add another test to demonstrate identical functions

Create a spoolss_EnumPrinters request and send it to both endpoints and
verify they deliver identical replies.

Guenther

Signed-off-by: Guenther Deschner 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Fri Oct 13 03:19:59 UTC 2023 on atb-devel-224

commit e05c83408f7e39c5359865394b629579abbeb4b4
Author: Günther Deschner 
Date:   Mon Sep 25 20:31:24 2023 +0200

s3-iremotewinspool: check for correct object_uuid in dispatch fn.

Guenther

Signed-off-by: Guenther Deschner 
Reviewed-by: A

[SCM] Samba Shared Repository - branch master updated

2023-10-12 Thread Andrew Bartlett
   via  0ed6d11e582 s4:kdc: Check parameters of 
samba_kdc_get_user_info_from_db()
   via  d02f37b489f s4:kdc: Rename local variable ‘user_info_dc’ to ‘info’
   via  024d8cf500d s4:kdc: Pass ‘samdb’ into 
samba_kdc_get_user_info_from_db()
   via  8b518817e3f s4:kdc: Add ‘samdb’ parameter to 
samba_kdc_get_device_info_blob()
   via  29c230531c6 s4:kdc: Add ‘samdb’ parameter to samba_kdc_verify_pac()
   via  16cb8c47872 s4:kdc: Make boolean members into bit‐fields
   via  a57d973d804 s4:kdc: Modify samba_kdc_get_user_info_from_db() to 
return a Kerberos error code
   via  54cd2af2de7 s4:kdc: Pass Kerberos context into 
samba_kdc_get_device_info_blob()
   via  d51c505d355 s4:kdc: Rename samba_kdc_entry::user_info_dc to 
samba_kdc_entry::info_from_db
   via  64326818ebd s4:kdc: Rename samba_kdc_get_user_info_dc() to 
samba_kdc_get_user_info_from_db()
   via  c35d1fe593f s4:kdc: Inline samba_kdc_get_user_info_from_db() into 
its only caller
   via  0a61dc6ce98 s4:kdc: Replace calls to 
samba_kdc_get_user_info_from_db() with calls to samba_kdc_get_user_info_dc()
   via  96ab35bb911 s4:kdc: Add ‘msg’ parameter to 
samba_kdc_get_user_info_dc()
   via  ce7c543ffcb s4:kdc: Rename ‘user_info_dc_out’ parameter of 
samba_kdc_get_user_info_dc() to ‘info_out’
   via  9c4647436cf s4:kdc: Rename ‘skdc_entry’ parameter of 
samba_kdc_get_user_info_dc() to ‘entry’
   via  f03b14f8b8b s4:kdc: Rename ‘user_info_dc’ parameter of 
samba_kdc_get_user_info_from_db() to ‘info_out’
   via  a7323d704e2 s4:kdc: Rename ‘skdc_entry’ parameter of 
samba_kdc_get_user_info_from_db() to ‘entry’
   via  704c71daf50 libcli/security: Initialize conditional ACE token
  from  4b9b7f70f25 libsmb: Use cli_smb2_qpathinfo_send() for 
SMB_QUERY_FILE_ALT_NAME_INFO

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit a2d96f5e29149dd3951e3a19ec52cc070ccc069a
Author: Joseph Sutton 
Date:   Mon Oct 9 18:20:53 2023 +1300

s4:kdc: Always regard device info when checking a server authentication 
policy

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Fri Oct 13 00:11:08 UTC 2023 on atb-devel-224

commit c0ef3b4292d2985807f8a203901b3f623357e5db
Author: Joseph Sutton 
Date:   Tue Oct 10 16:19:53 2023 +1300

s4:dsdb: Skip allocation of empty device SIDs array

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 4b19a707f2ac78ee7ce45ec93c47edaca9d94e47
Author: Joseph Sutton 
Date:   Tue Oct 10 15:41:40 2023 +1300

s4:kdc: Use claims to evaluate RBCD conditions

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit f7064f6fd26e2ee302141fec77c3b98ad4c236ae
Author: Joseph Sutton 
Date:   Tue Oct 10 15:40:13 2023 +1300

s4:kdc: Use device info to evaluate RBCD conditions

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 9b4dbaecfe5678c3270cf71b97d8abda78bc91ff
Author: Joseph Sutton 
Date:   Tue Oct 10 15:38:29 2023 +1300

s4:kdc: Pass claims and device info into samba_kdc_check_s4u2proxy_rbcd()

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 51d516cc2f8ab3357b3aa625d6fd4d9420ff2976
Author: Joseph Sutton 
Date:   Tue Oct 10 15:22:28 2023 +1300

s4:kdc: Rename ‘user_info_dc’ to ‘client_info’

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 310c537ffa15b85cc83c1c4ccb5adb55333574b6
Author: Joseph Sutton 
Date:   Tue Oct 10 15:19:47 2023 +1300

s4:kdc: Call samba_kdc_get_user_info_dc() to get client information

Among other things, this function can deal with RODC‐issued PACs.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 6c02e9ac62fc527c7af34214a7253631ae89de51
Author: Joseph Sutton 
Date:   Tue Oct 10 15:16:24 2023 +1300

s4:kdc: Add comment regarding RODC‐issued evidence tickets for constrained 
delegation

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit b13701ac1810d98b43fa8fbe9fba603cddcbc286
Author: Joseph Sutton 
Date:   Tue Oct 10 15:12:30 2023 +1300

s4:kdc: Factor creation of user_info_dc out of 
samba_kdc_check_s4u2proxy_rbcd() into its callers

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 390be7d332588d58472d51bb31458e84d285e86a
Author: Joseph Sutton 
Date:   Tue Oct 10 15:03:22 2023 +1300

s4:kdc: Adapt interface to new Heimdal revision

NOTE: This commit finally works again!

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 204b1f0c12172eac0d39c7cfebd4f6d87a615ea3
Author: Andrew Bartlett 
Date:   Fri Oct 13 11:14:55 2023 +1300

third_party/heimdal: import lorikeet-heimdal-202310092248 (commit 
cd12cddd8058d9fe627b5b203e471b8d761dcfbb)

NOTE: THIS COMMIT WON’T

[SCM] Samba Shared Repository - branch master updated

2023-09-28 Thread Andrew Bartlett
The branch, master has been updated
   via  90ba53eee4a samba-tool: Fix for gpo restore not working without 
--tmpdir
   via  5ff80465975 libcli/security: fix talloc context for integer values 
(CID 1545156)
   via  b2107889332 libcli/security: test_run_condtional_ace: va_end() on 
errors
   via  272f26e3ad0 libcli/security: conditional ACEs check again for 
NULL/empty claims
   via  6af1a71752b netcmd: auth: manpage documentation for conditional ace 
fields
   via  12a98ab4fc7 netcmd: tests: add some tests for valid and invalid 
SDDL in cli commands
   via  645b77342f4 netcmd: auth: add new SDDL fields to create and modify 
auth policy commands
   via  385029fbc67 netcmd: models: add SDDL fields to AuthenticationPolicy 
model
   via  1325e013034 netcmd: models: add SDDL model field
   via  83d321e764a netcmd: models: add FieldError subclass which stores 
the field
   via  950a70a190a netcmd: models: field to_db_value needs ldb param
   via  27cd5982085 netcmd: tests: modify auth silo cli tests setup their 
own test data
   via  2a333554594 netcmd: tests: modify auth policy cli tests setup their 
own test data
   via  c01e9431276 netcmd: tests: modify claim cli tests setup their own 
test data
   via  f1d5f93f3d4 netcmd: tests: test that create objects make use of 
addCleanup
   via  91fa5088b56 netcmd: tests: tests tidyup and make use of 
setUpTestData
   via  16c19c470ee netcmd: tests: make _run a classmethod in 
SambaToolCmdTest
   via  71c191ca9fc python: tests: implement setUpTestData overridable 
class method
   via  f9d406dca60 netcmd: tests: bugfix: argument -U was already in creds 
so listed twice
   via  7f4db71025e netcmd: tests: avoid the need to create a random 
command in GetSamDB
  from  08b9d5c7b9f tests/krb5: Add samba.tests.krb5.conditional_ace_tests

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 90ba53eee4a3614da81ee562be2a55c01888c2cf
Author: Kacper 
Date:   Wed Aug 30 14:33:49 2023 +0200

samba-tool: Fix for gpo restore not working without --tmpdir

cmd_restore depends on cmd_create but the latter cleans up
required temp files for cmd_restore to function.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15462

RN: Fix for gpo restore not working without --tmpdir

Signed-off-by: Kacper Boström 
Reviewed-by: Andrew Bartlett 
Reviewed-by: David Mulder 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Fri Sep 29 03:15:18 UTC 2023 on atb-devel-224

commit 5ff804659758e3aae2dc38645d7ab26cefb0c533
Author: Douglas Bagnall 
Date:   Fri Sep 29 12:35:10 2023 +1300

libcli/security: fix talloc context for integer values (CID 1545156)

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit b2107889332135fc39c092a8d44ff5b9a0ecdcfb
Author: Douglas Bagnall 
Date:   Fri Sep 29 12:25:21 2023 +1300

libcli/security: test_run_condtional_ace: va_end() on errors

CID 1545154, CID 1545155.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 272f26e3ad01a6017b52a992123106777ed3aaa3
Author: Douglas Bagnall 
Date:   Fri Sep 29 12:24:14 2023 +1300

libcli/security: conditional ACEs check again for NULL/empty claims

CID 1545152.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 6af1a71752b715120075323dbcd1326c79df7ace
Author: Rob van der Linde 
Date:   Thu Sep 21 11:41:02 2023 +1200

netcmd: auth: manpage documentation for conditional ace fields

Signed-off-by: Rob van der Linde 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 12a98ab4fc7765f8b58f115f90ef399c26a2fb77
Author: Rob van der Linde 
Date:   Thu Sep 28 15:33:18 2023 +1300

netcmd: tests: add some tests for valid and invalid SDDL in cli commands

Signed-off-by: Rob van der Linde 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 645b77342f42a55b8693e867ec92da2ea5a3b31c
Author: Rob van der Linde 
Date:   Wed Sep 20 13:04:14 2023 +1200

netcmd: auth: add new SDDL fields to create and modify auth policy commands

Signed-off-by: Rob van der Linde 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 385029fbc672cd6e3a37ff6a7ad09dc6ad1eb542
Author: Rob van der Linde 
Date:   Wed Sep 20 13:02:21 2023 +1200

netcmd: models: add SDDL fields to AuthenticationPolicy model

Signed-off-by: Rob van der Linde 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 1325e01303499b7d94e3b781bee3672c2a94f190
Author: Rob van der Linde 
Date:   Wed Sep 20 12:52:31 2023 +1200

netcmd: models: add SDDL model field

Signed-off-by: Rob van der Linde 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit

[SCM] Samba Shared Repository - branch master updated

2023-09-27 Thread Andrew Bartlett
The branch, master has been updated
   via  08b9d5c7b9f tests/krb5: Add samba.tests.krb5.conditional_ace_tests
   via  0e7e46c396b tests/krb5: Add method to replace client or device 
claims in a PAC
   via  6f5368dd326 tests/krb5: Add method to replace the device SIDs in a 
PAC
   via  2d0bdb5ce92 tests/krb5: Have set_pac_sids() accept lone RIDs as 
well as full SIDs
   via  cc1dd00d0fb tests/krb5: Make optional ‘domain_sid’ parameter to 
set_pac_sids()
   via  9fb0380cb82 tests/krb5: Make optional ‘user_rid’ parameter to 
set_pac_sids()
   via  34e721030df tests/krb5: Make set_pac_sids() parameters keyword‐only
   via  d6ec0e4f405 tests/krb5: Allow passing mapping=None to map_to_sid()
   via  dfd2027d7e5 tests/krb5: Don’t bother regenerating the PAC if 
modify_pac_fn or update_pac_checksums are false
   via  d054f583ead tests/krb5: Allow multiple ticket modification functions
   via  60e479d855d tests/krb5: Allow filter for tests that crash Windows
   via  939a74e39b0 tests/krb5: Allow variation in PADATA_PW_SALT
   via  c33ce174547 tests/krb5: Sort imports
  from  ad76bb2e0c6 streams_depot: Goto done if FSETXATTR 
SAMBA_XATTR_MARKER failed

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 08b9d5c7b9f0d25a278f46c567b3703a1f90ecc6
Author: Joseph Sutton 
Date:   Thu Sep 28 14:10:16 2023 +1300

tests/krb5: Add samba.tests.krb5.conditional_ace_tests

This is a test using conditional ACEs and claims to confirm that we understand
the full end-to-end network behaviour of these all the way from the PAC to the
application in the access check of the KDC.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 
Pair-programmed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Thu Sep 28 04:35:05 UTC 2023 on atb-devel-224

commit 0e7e46c396b973e5d49e0f6eb17ad30135db5c05
Author: Joseph Sutton 
Date:   Thu Sep 28 16:13:08 2023 +1300

tests/krb5: Add method to replace client or device claims in a PAC

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 6f5368dd32689019fff8071ec4601971712dd1d2
Author: Joseph Sutton 
Date:   Thu Sep 28 16:12:46 2023 +1300

tests/krb5: Add method to replace the device SIDs in a PAC

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 2d0bdb5ce92ea87f7228d6bb8918ec2fcf414af7
Author: Joseph Sutton 
Date:   Thu Sep 28 16:09:06 2023 +1300

tests/krb5: Have set_pac_sids() accept lone RIDs as well as full SIDs

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit cc1dd00d0fb89997b31dcef181fba16c3732a816
Author: Joseph Sutton 
Date:   Thu Sep 28 16:08:25 2023 +1300

tests/krb5: Make optional ‘domain_sid’ parameter to set_pac_sids()

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 9fb0380cb8239ba9421f14ce23f12c133f716eb6
Author: Joseph Sutton 
Date:   Thu Sep 28 16:07:43 2023 +1300

tests/krb5: Make optional ‘user_rid’ parameter to set_pac_sids()

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 34e721030dffe3ffad98e1a9b7c581897c9436eb
Author: Joseph Sutton 
Date:   Thu Sep 28 16:06:01 2023 +1300

tests/krb5: Make set_pac_sids() parameters keyword‐only

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit d6ec0e4f4053549193248a6b6974af993130f264
Author: Joseph Sutton 
Date:   Thu Sep 28 16:03:09 2023 +1300

tests/krb5: Allow passing mapping=None to map_to_sid()

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit dfd2027d7e57e64b7b477706ce214cfec77586bb
Author: Joseph Sutton 
Date:   Thu Sep 28 15:51:35 2023 +1300

tests/krb5: Don’t bother regenerating the PAC if modify_pac_fn or 
update_pac_checksums are false

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit d054f583ead4c4a41d235db463dc968d67039313
Author: Joseph Sutton 
Date:   Thu Sep 28 14:52:11 2023 +1300

tests/krb5: Allow multiple ticket modification functions

This means that callers can specify a stack of possible modifications.

Signed-off-by: Andrew Bartlett 
Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 60e479d855d0e28ec27f28610d6cb1f5617bdfac
Author: Joseph Sutton 
Date:   Thu Sep 28 14:50:39 2023 +1300

tests/krb5: Allow filter for tests that crash Windows

Set CRASH_WINDOWS=0 when running against a Windows DC.  These crashes are
only possible because we can modify the PAC, but having these tests allows
us to lock down Samba behaviour, so we include them.

Signed-off-by: Joseph Sutton 
Signed-off-by: Andrew Bartlett 
Reviewed-by: Andrew Bartlett 

commit 939a74e39b06535fa5f25a6933825366325fbc62
Author: Joseph Sutton 
Date:   Thu Sep 28 14:49:11 2023 +1300

[SCM] Samba Shared Repository - branch master updated

2023-09-26 Thread Andrew Bartlett
The branch, master has been updated
   via  c8b90d8d200 librpc: Fix typos in error messages
   via  464d86cac56 pidl: Use INT_MAX as enum constant for portability
   via  acc614f28a3 librpc: Use portable format specifiers
   via  267464f6c6d librpc/ndr: Use portable format specifiers
   via  fb39bb1953e pidl: Use portable format specifiers
   via  ce43dd0571d ndr: Display values for failed range checks
   via  0078a330dc3 testdata: Mark compression test data as binary
   via  4839adf9da1 s4:auth: Add functions to convert between different 
claims formats
   via  58aa8d99c4f s4:auth: Include missing headers
   via  5e164cc2d66 s4:kdc: Move encode_claims_set() into the auth_session 
subsystem
   via  ab227bbe8e4 s4:auth: Fix ‘user_info_dc_out’ leak
   via  0a9f2486420 s4:auth: Return a talloc‐allocated resource groups 
structure
   via  219ee05d6e6 s4:auth: Introduce helper variable ‘resource_groups_in’
   via  842f845c8ac s4:auth: Make returning resource groups the last thing 
we do
   via  a2700cf685f s4:torture: Initialize ‘tm’ structure
   via  9bd9b9bfd95 s4:kdc: Fix ldb_msg_find_krb5time_ldap_time()
   via  bdf0e1be35a s4:kdc: Initialize ‘tm’ structure
   via  8ce4e3729f0 s3:smbd: Initialize ‘tm’ structure
   via  c278a1d3e1c s3:rpc_server: Initialize ‘tm’ structure
   via  67f3fead5fe s3:passdb: Initialize ‘tm’ structure
   via  955fd832534 s3:modules: Initialize ‘tm’ structure
   via  31c7d7cfb32 s3:lib: Initialize ‘tm’ structure
   via  2f6083f59f0 lib:audit_logging: Initialize ‘tm’ structure
   via  58bd2f525b0 lib/krb5_wrap: Simplify assignments
   via  0bd7863ec0f lib/krb5_wrap: Make use of smb_krb5_make_data()
   via  48969305595 libcli/security: Test hex‐escapes that should be 
literals
   via  c755bbd6bc6 libcli/security: Fix code formatting
   via  ac34f48ab1a libcli/security: Use ACL revision constants
   via  37ed208701b libcli/security: Refer to UTF‐16 code units rather than 
to codepoints
   via  a064e2f2589 libcli/security: Remove unused flag SDDL_FLAG_IS_FAKE_OP
   via  8d4f60c8449 libcli/security: Remove unused flag SDDL_FLAG_IS_LITERAL
   via  55e198fc6d1 libcli/security: Remove unused flag SDDL_FLAG_IS_ATTR
   via  e1a45ec341e libcli/security: Remove unused flag 
SDDL_FLAG_EXPECTING_END
   via  21f765c1b97 libcli/security: Remove unused macro
   via  37a32d3b40a python:tests: Remove unused import
   via  c94db7d2e83 s4:auth: Correct error message
   via  dc731603811 s4:torture: Use SID constants
   via  8b496331b9e s4:rpc_server: Use Builtin SID constant
   via  4bef3fd7e98 s4:ntvfs: Use World and System SID constants
   via  4405e709c05 s4:dsdb: Use Builtin SID constant
   via  e6bb3a347f0 s4:auth: Use Anonymous and System SID constants
   via  b1b7d33bd50 s4:kdc: Use Compounded Authentication and Claims Valid 
SID constants
   via  56def24b4c0 libcli:security: Add Compounded Authentication and 
Claims Valid SID constants
   via  89985f6fec2 s4:kdc: Use Asserted Identity SID constants
   via  dcca6bba2aa s4:dsdb: Use NULL SID constant
   via  214f6c64621 libcli:security: Correct Asserted Identity SID 
definitions
   via  2782df62ad5 libcli:security: Use SELF SID constant
   via  cdbb5ab7d0f libcli:security: Add SELF SID constant
   via  26ff87dcfea python:tests: Fix invalid escape sequences
   via  c0795c807a0 tests/krb5: Match filter after transforming test name
   via  9cb3beee75c libcli/security: Emit error message if program is too 
large
   via  f035985dbd2 libcli/security: Add function to convert token claims 
to security attribute claims
   via  a4010c9b65f libcli/security: Add some missing declarations
   via  48606c8aedd libcli/security: Const‐qualify function parameters
   via  f5568a0a5e5 libcli/security: Remove bool_value member
   via  40c5ed60baa libcli/security: Use correct union member
   via  c9aab312b7f libcli/security: Add header guard
  from  3b6c1f1a9c4 libcli/security: condtional ACE recursive composites 
are not supported

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit c8b90d8d2003f2c27431874ac76bbc7f18bb7abf
Author: Joseph Sutton 
Date:   Tue May 4 15:08:53 2021 +1200

librpc: Fix typos in error messages

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Wed Sep 27 03:38:00 UTC 2023 on atb-devel-224

commit 464d86cac5656c227b7cc1047f3f4b0d27340dea
Author: Joseph Sutton 
Date:   Fri Apr 23 16:37:01 2021 +1200

pidl: Use INT_MAX as enum constant for portability

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit acc614f28a39315a3d304919187dae2372fe60f9
Author: Joseph Sutton 
Date:   Tue May 11 10:29:31 2021

[SCM] Samba Shared Repository - branch master updated

2023-09-26 Thread Andrew Bartlett
48d1a6 libcli/security: windows-sddl-test: fix read of text 
examples
   via  ee386021706 libcli/security: windows-sddl-test: fix typo in --help
   via  28d23377741 pytest:security_descriptors: test collected conditional 
ACEs
   via  a392b40328e pytest:security descriptors: hack to capture results as 
json
   via  901f77c5436 pytest: security descriptors: test some conditional and 
RA ACEs
   via  7b9462faf05 pytest: security_descriptors: tests without revision 
number hack
   via  afec8524bcd libcli/security: use sec_object_ace() in 
size_security_ace
   via  b6a665cc8e8 librpc/ndr:ndr_sec_helper: fix a typo
   via  63be8401201 pytest: security_descriptors test for repetitive ACLs
   via  5569c17741f pytest: security_descriptors comparison is quieter
   via  829d77b4a02 s4/librpc: build conditional ace Python bindings
   via  295c609f5a2 lib/fuzzing: fuzz SDDL conditional ACEs
   via  e4865a3ba15 libcli/security: test SDDL compilation in cmocka
   via  b08093ed9d2 lbcli/security: callback object ACES fall back with no 
GUID
   via  2923898e88d libcli/security/create_descriptor: calc_inherited 
handles new types
   via  1ccb549 libcli/security: SDDL: add callback and resource ace 
type flags
   via  3959fba37a7 libcli/security: sddl_encode_ace encodes resource 
attribute ACEs
   via  ed52c9ed36b libcli/security: sddl_encode_ace encodes conditional 
ACEs
   via  6683d611e14 libcli/security: sdd_decode_ace handles resource 
attribute types
   via  84fa39722fe libcli/security: sdd_decode_ace handles callback types
   via  e88ea32c21e libcli/security: add conditional ace files to 
samba-security
   via  d6bd491efcb libcli:security: add code to interpret conditional ACES
   via  4b8e9e3f0ca libcli:security: add functions to decode and decode RA 
ACEs
   via  969cb79daef libcli/security: add conditional ACE SDDL functions
   via  6f588a1fc50 libcli:security: helpers for converting claim types
   via  94f0a1083a4 libcli:security: outline for sddl_conditional_ace.c
   via  140f7466a45 libcli/security: add stub of conditional ACE code.
   via  672fc0a1abb libcli/security: find SDDL coda for RA and conditional 
ACEs
   via  cdd9424e4f3 libcli/security: whitespace repair in sddl.c
   via  a8e3f5d33f6 ndr_sec_helper: ace length should be multiple of 4
   via  5e1ed7b71f0 ndr_sec_helper: ndr_size_security_ace: do less work
   via  df8eec384fe librpc:security.idl: add conditional ace coda
   via  e8192dddf3b libcli/sec: reformat long line in wscript_build
   via  40d9b08db4b librpc:security.idl: ace->coda can be resource attribute
   via  498c4110173 libcli/security: callback object aces are object aces
   via  762646b5aaa libcli/security: use tabs in sec_ace_object()
   via  e81e98c4854 libcli/security: helper to find ACEs with meaningful 
codas
   via  41e1b6957ae libcli/security: helper to find resource attribute ACEs
   via  617cfa0e965 libcli/security: helper to find callback/conditional 
aces
   via  34aa33a1a4f security.idl: use sec_ace_object() in object switch
   via  4ef7845b570 security.idl: extend security token with device SIDs
  from  d7394a90f51 testparm: Allow idmap ranges overlap for idmap_nss

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 3b6c1f1a9c47d8d76a7cd946468c1c42e4fb097a
Author: Douglas Bagnall 
Date:   Fri Sep 22 16:29:51 2023 +1200

libcli/security: condtional ACE recursive composites are not supported

We can't add them via SDDL on Windows, and they aren't useful for
claims.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett
Autobuild-Date(master): Wed Sep 27 00:41:26 UTC 2023 on atb-devel-224

commit 38247d39e1e98cab50d9911b0aa0ee4eb309114b
Author: Douglas Bagnall 
Date:   Fri Sep 22 16:31:36 2023 +1200

libcli/security: conditional ace sddl: do not read nested composites

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 96dbc71e137ea65df11d1a8cec089fde2d070ba6
Author: Douglas Bagnall 
Date:   Fri Sep 22 16:30:41 2023 +1200

libcli/security: conditional ace sddl: do not write nested composites

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 3be69fc3dcedee77d8eacf7cf82d0f33df2d42fe
Author: Douglas Bagnall 
Date:   Fri Sep 22 15:19:32 2023 +1200

fuzzing: fuzz_sddl_parse forgives bad utf-8

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit e4da279b1c06711c27e2aa1a4e36f35b674eaca4
Author: Douglas Bagnall 
Date:   Thu Jul 6 15:31:52 2023 +1200

util/str: helper to check for utf-8 validity

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 65674cde60ca21d2f451f5e68f6b7cb7d1e339a4
Author: Douglas Bagna

[SCM] Samba Shared Repository - branch master updated

2023-09-14 Thread Andrew Bartlett
 invalid escape sequence
   via  3fca94cd691 python:tests: Remove unused variables
   via  fb071bc33db docs-xml: Add missing paragraph section
   via  30db01269c1 s4:kdc: Fix leaks
   via  bac02f087c9 s4:kdc: Don’t operate directly on caller‐owned pointer
   via  2981a7f0598 s4:kdc: Allocate contents of PAC blobs on blob talloc 
contexts
   via  3387140df83 s4:kdc: Inline samba_get_requester_sid_pac_blob()
   via  afd48f8dcde s4:kdc: Fix error message
   via  e427b5b796e s4:kdc: Initialize pointers to NULL
   via  acda12a7e2c s4:kdc: Correct error message
   via  1f4438c5a2f s4:kdc: Check return value of 
smb_krb5_principal_get_comp_string()
   via  2d929f1391c s4:kdc: Remove unused talloc context
   via  49b96243b52 s4:kdc: Check return value of samdb_result_dom_sid()
   via  ba1750082ad claims.idl: Be more lenient in our expectations for the 
compression of claims
   via  571ff5f3141 claims.idl: Allow empty claim value buffers
   via  7ac99b197f7 s4:kdc: Make functions to add special SIDs non‐static
   via  1f20e557fc6 s4:kdc: Check result of talloc_realloc()
   via  3ef5e6554b9 s4:kdc: Handle invalid enum values
   via  39340f65189 s4:kdc: Check result of dom_sid_parse()
   via  716bf29d2d8 s4:kdc: Remove unused flags
   via  ffbd95e6f19 s4:kdc: Use smb_krb5_data_from_blob()
   via  97906d275d0 s4:kdc: Remove duplicate function signature
   via  c92fac94cd6 s4:kdc: Prefer explicit initialization to ZERO_STRUCT()
   via  b208c8e8489 libcli:security: Prefer explicit initialization to 
ZERO_STRUCTP()
   via  9846da6f4be s4:scripting: Remove unused imports
   via  9f5667032c2 python:tests: Remove unused imports
   via  9f78cc3b11c librpc:ndr: Avoid overflow in size calculation
   via  c86038095e3 libgpo: Remove unnecessary cast
   via  0bcf44c8b77 lib:tdr: Remove unnecessary cast
   via  74e1bb05712 lib:mscat: Remove unnecessary casts
  from  4af3faace48 nsswitch/wb_common.c: fix socket fd and memory leaks of 
global state

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 96e18e17748d851fc785178fdcc3e38ddeea2fe0
Author: Andreas Schneider 
Date:   Tue Sep 5 10:06:24 2023 +0200

s3:param: Remove unused lp_set_cmdline()

Signed-off-by: Andreas Schneider 
Reviewed-by: Pavel Kalugin 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Thu Sep 14 22:30:06 UTC 2023 on atb-devel-224

commit c839a25d2cf1e9d7d232687ce9cfa3caaa6cc93e
Author: Andreas Schneider 
Date:   Wed Aug 2 09:23:44 2023 +0200

s3:client: Use lpcfg_set_cmdline()

This lp_set_cmdline() leaks memory and we want to get rid of it.

Signed-off-by: Andreas Schneider 
Reviewed-by: Pavel Kalugin 
Reviewed-by: Andrew Bartlett 

commit f7a06f3a5db2694b0bb3f44b019a70e595e6a8af
Author: Pavel Kalugin 
Date:   Sun Sep 3 23:21:35 2023 +0300

s3:libsmb: Use lpcfg_set_cmdline()

Signed-off-by: Pavel Kalugin 
Reviewed-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit 04d20c3aebd229ba6150950ad46356189b3384bb
Author: Pavel Kalugin 
Date:   Sun Aug 20 23:50:38 2023 +0300

s3:netapi: Fix a leak in libnetapi_net_init()

Allow libnetapi_net_init() to be called more than once without
leaking libnetapi_ctx allocated on a previous call, which is
currently the case in the `net rpc` code.

Signed-off-by: Pavel Kalugin 
Reviewed-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit 9b6246737b98a3f84d3f6aa54296d5a60477e4ef
Author: Pavel Kalugin 
Date:   Sun Aug 20 23:06:56 2023 +0300

libnetapi: Use lpcfg_set_cmdline()

Replace lp_set_cmdline() with lpcfg_set_cmdline() in netapi.c.
For this purpose:
1. Add loadparm_context to the libnetapi_ctx because we need it
   in libnetapi_set_debuglevel() and libnetapi_set_logfile().
2. Move loadparm_context creation from libnetapi_net_init()
   to libnetapi_init() and add the lp_ctx parameter to the former.

Signed-off-by: Pavel Kalugin 
Reviewed-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit ea59632b3a704f883dfafa709d1eb2f729d71e9b
Author: Pavel Kalugin 
Date:   Mon Aug 14 06:57:27 2023 +0300

s3:utils: Use lpcfg_set_cmdline() in smbpasswd

Signed-off-by: Pavel Kalugin 
Reviewed-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit 6f00a088266d71f1ee94ee3c78ca695edc457467
Author: Pavel Kalugin 
Date:   Mon Aug 14 06:01:28 2023 +0300

s3:torture: Use lpcfg_set_cmdline()

Signed-off-by: Pavel Kalugin 
Reviewed-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit b6e4643274dcdb58ca1706ba6cfd512ef0c31974
Author: Pavel Kalugin 
Date:   Mon Aug 14 04:37:16 2023 +0300

s3:notifyd: Use lpcfg_set_cmdline()

Signed-off-by: Pavel Kalugin

[SCM] Samba Shared Repository - branch master updated

2023-09-10 Thread Andrew Bartlett
The branch, master has been updated
   via  65b2110937c auth:credentials: Check if password_obtained > obtained
   via  8cdb4f29850 netapi: Pass net's cmdline credentials to 
libnetapi_net_init()
   via  5cad8278109 netapi: Pass loadparm_context to libnetapi_net_init()
   via  da841a80e3b s3:rpc: bump named_pipe_auth_req_info version number
   via  a842c14dc8a .gitlab-ci.yml: Move coverity build to internal Heimdal
   via  ebdaaf92238 s4:wrepl_server: Fix code spelling
   via  39a88a83f3d s4:torture: Fix code spelling
   via  882a4674c0e s4:samba: Fix code spelling
   via  36ccc9cf26b s4:rpc_server: Fix code spelling
   via  b1e2315528d s4:ntvfs: Fix code spelling
   via  1bb5cfef875 s4:libnet: Fix code spelling
   via  0cef5dafdc4 s4:libcli: Fix code spelling
   via  0834b30921d s4:kdc: Fix code spelling
   via  65c26c0b725 s4:dsdb: Fix code spelling
   via  8a93a4fa6c0 s4:dns_server: Fix code spelling
   via  20ab21e698f s4:client: Fix code spelling
   via  354eff14eb2 s4:auth: Fix code spelling
   via  4e74350fbbd s3:winbindd: Fix code spelling
   via  c6c1b55ac4e s3:utils: Fix code spelling
   via  b60f86a0b8c s3:smbd: Fix code spelling
   via  72e79e13095 s3:rpc_server: Fix code spelling
   via  32a1e7428c7 s3:rpc_client: Fix code spelling
   via  c4a02d8ee14 s3:registry: Fix code spelling
   via  47dcdb31263 s3:nmbd: Fix code spelling
   via  bbd9fabf5f5 s3:librpc: Fix code spelling
   via  d7331a68215 s3:libnet: Fix code spelling
   via  06816117efa s3:libads: Fix code spelling
   via  2a4d35edee1 s3:lib: Fix code spelling
   via  9e2a93d54b3 s3:auth: Fix code spelling
   via  26fd734d566 selftest: Fix code spelling
   via  bb79de4cbe9 python:tests: Fix code spelling
   via  c87504289f5 pidl: Fix code spelling
   via  df24eced484 librpc: Fix code spelling
   via  5292c774a57 libgpo: Fix code spelling
   via  87749b5518e libcli: Fix code spelling
   via  dd2b568721d lib:charset: Fix code spelling
   via  6a303be56c1 tevent: Fix code spelling
   via  53caec3c36b tdb: Fix code spelling
   via  9d699895adc lib:printer_driver: Fix code spelling
   via  5fbbf9b9ba1 ldb: Fix code spelling
   via  7d9edb82c47 lib:krb5_wrap: Fix spelling in documentation
   via  74580daac96 lib:crypto: Fix code spelling
   via  1c35195ff76 lib:compression: Fix code spelling
   via  f6ff6f7cdf8 docs-xml: Fix spelling
   via  c62491473a5 ctdb: Fix code spelling
   via  e69ba9a0a38 auth: Fix code spelling
   via  f51efc4008d Makefile: Fix spelling
  from  ebb6eb9c2fc libsmb: Fix parsing symlink reparse points

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 65b2110937c4b97be4030ecb49aa0801fc940bf8
Author: Samuel Cabrero 
Date:   Thu Sep 7 14:51:15 2023 +0200

auth:credentials: Check if password_obtained > obtained

Fixes reading the password from STDIN or environment vars if it was already
given in the command line:

$ export PASSWD_FD=0
$ ./bin/net offlinejoin composeodj <...> --password=FOO


Signed-off-by: Samuel Cabrero 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Mon Sep 11 03:36:28 UTC 2023 on atb-devel-224

commit 8cdb4f2985075b12201d3295f640bddcfbfe5962
Author: Samuel Cabrero 
Date:   Thu Sep 7 14:53:22 2023 +0200

netapi: Pass net's cmdline credentials to libnetapi_net_init()

Avoid unnecessary credentials allocation and initialization by passing the
net's cmdline creds to libnetapi_net_init() directly.

Fixes the problem of running cli_credentials_guess() (which runs password
callbacks) twice, once for the net's cmdline creds and a second time for the
creds initialized in libnetapi_net_init(), just to override them immediately
after.

Example:

$ export PASSWD_FD=0
$ ./bin/net offlinejoin composeodj <...>
foo
bar

Password is read from STDIN twice.

Signed-off-by: Samuel Cabrero 
Reviewed-by: Andrew Bartlett 

commit 5cad827810975084f061f56548006fdd2d15dc7b
Author: Samuel Cabrero 
Date:   Thu Sep 7 14:34:36 2023 +0200

netapi: Pass loadparm_context to libnetapi_net_init()

The net's tool cmdline lp_ctx can be reused, no need to init a new one except
for external library users.

Signed-off-by: Samuel Cabrero 
Reviewed-by: Andrew Bartlett 

commit da841a80e3b9a3560488c3ddcb0b366b33eb14c1
Author: Douglas Bagnall 
Date:   Fri Sep 8 09:35:51 2023 +1200

s3:rpc: bump named_pipe_auth_req_info version number

This is because commit f893cf85cc387b66c496661e11073b1215270022
changed the security token in security.idl, and bumping the version
was missed.

Signed-off-by: Douglas Bagnall 
R

[SCM] Samba Shared Repository - branch master updated

2023-09-06 Thread Andrew Bartlett
The branch, master has been updated
   via  f893cf85cc3 security.idl: extend security token for claims
   via  7f57b5ed5b6 librpc:security.idl: add Resource Attribute claim types
   via  0d6c7bea422 librpc:security.idl: add enums for resource attribute aces
   via  895893478eb libcli:sec:display: use macro for more ace types
   via  601d60e3915 libcli:sec:display: print callback ace types
   via  416f6ef7262 librpc:security.idl: add more ACE enum types, with annotations
   via  a84e89aa712 libcli/security: create_descriptor handles unknown ACE types
   via  676a7152d14 librpc/idl: add conditional ACE structures and constants
   via  2bf404eb5a9 libcli/security: make sddl_encode_sid an external function
   via  6d012757a07 libcli/security: make sddl_decode_sid an external function
   via  1de2af9f30a pytests:security: don't use invalid domain SID S-2-0-0
   via  a420aa919cc s4:samdb: Avoid memory leaks in partition_metadata_get_uint64()
  from  3fc35827569 smb2_server: move struct msghdr to smbd_smb2_send_queue

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit f893cf85cc387b66c496661e11073b1215270022
Author: Douglas Bagnall 
Date:   Wed Aug 23 12:04:29 2023 +1200

security.idl: extend security token for claims

A security token contains the context needed to make access decisions
for a particular client, which has until now been a number of SIDs and
flags. Claims are arbitrary attributes that can be tacked onto the
security token. Typically they will arrive via a Kerberos PAC, but we
don't need to worry about that now -- only that they are stored on the
token.

The security token in [MS-DTYP] 2.5.2 is described in abstract terms
(it is not transmitted on the wire) as behaving *as if* it held claims
in three arrays of CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 structures. We
take that suggestion literally. This is *almost* the same as storing
the [MS-ADTS] 2.2.18 claims wire structures that the claims are
presumably derived from, and doing that might seem like a small
optimisation. But we don't do that because of subtle differences and
we already need CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 in security.idl
for resource attribute ACEs.

The three stored claim types are user claims, device claims, and local
claims. Local claims relate to local Windows accounts and are unlikely
to occur in Samba. Nevertheless we have the array there just in case.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Thu Sep  7 05:50:24 UTC 2023 on atb-devel-224

commit 7f57b5ed5b6300ed631033cff4f49a4e0cae5573
Author: Douglas Bagnall 
Date:   Wed Aug 23 12:03:53 2023 +1200

librpc:security.idl: add Resource Attribute claim types

This will be used in Resource Attribute ACEs, and in security tokens
when security tokens become claim-aware.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 0d6c7bea4227b88328c407f630bc638909c3f036
Author: Douglas Bagnall 
Date:   Thu Jul 13 21:31:50 2023 +1200

librpc:security.idl: add enums for resource attribute aces

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 895893478ebd71708477b49ca1102515fc512d8f
Author: Douglas Bagnall 
Date:   Wed Sep 6 09:36:45 2023 +1200

libcli:sec:display: use macro for more ace types

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 601d60e391598f9115abce947e06820a1e72cb34
Author: Douglas Bagnall 
Date:   Wed Dec 14 10:56:42 2022 +1300

libcli:sec:display: print callback ace types

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 416f6ef72626bfc5619f2a17b8eb551e5e30602e
Author: Douglas Bagnall 
Date:   Fri Dec 2 12:44:54 2022 +1300

librpc:security.idl: add more ACE enum types, with annotations

The callback types are used for conditional ACEs. The others are just
there and we might as well know them.

Several ACE types are "reserved for future use" by Microsoft.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit a84e89aa712bfb0ed2b0ba64d98dc919193d8055
Author: Douglas Bagnall 
Date:   Fri Jul 21 14:36:20 2023 +1200

libcli/security: create_descriptor handles unknown ACE types

Because we're going to add more ACE types.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 676a7152d141ca576fe2f0a75bc9c3e3ad197481
Author: Douglas Bagnall 
Date:   Thu Feb 9 10:44:46 2023 +1300

librpc/idl: add conditional ACE structures and constants

This will be used to decode the expressions on conditional ACEs.
At the moment it changes nothing.

Signed-off-by: Dougl

[SCM] Samba Shared Repository - branch master updated

2023-09-05 Thread Andrew Bartlett
The branch, master has been updated
   via  f3c632e74ba testprogs: Add net offlinejoin composeodj tests
   via  e92e4b95442 testprogs: Cleanup machine account in net offlinejoin tests
   via  c14a4f51443 s3:net: Allow to load ODJ blob from stdin
   via  b2399b6994c s3:net: Load ODJ blob from file only if "loadfile" parameter is present
   via  4a1f2071a60 s3:net: Add "net offlinejoin composeodj" command
   via  a8bd8f22aac s3:libnetapi: Implement NetComposeOfflineDomainJoin_l()
   via  7cabbec2eaf s3:libnetapi: Add NetComposeOfflineDomainJoin() to API.
   via  532701e3cce s3:libnetapi: Add NetComposeOfflineDomainJoin() boilerplate
   via  740e704bd68 s3:libnetapi: Add NetComposeOfflineDomainJoin() to IDL
   via  bdab834dfad s3:libnetapi: Add some comments to document ODJ blob charset conversions
   via  e4afb211fe3 s3:libnetapi: Return error from RequestOfflineJoin
   via  d3f3c40141d pidl/tests: Add tests for hang with nested struct.
   via  3f3fccab05d pidl/lib: Add recursion detection logic to prevent looping.
  from  171171565f1 .gitlab-ci: Do builds under /builds as this is never an overlayfs

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit f3c632e74ba100b455eeac66e8914b11d1d9b0a0
Author: Samuel Cabrero 
Date:   Mon Sep 4 16:49:52 2023 +0200

testprogs: Add net offlinejoin composeodj tests

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13577

Signed-off-by: Samuel Cabrero 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Tue Sep  5 22:11:46 UTC 2023 on atb-devel-224

commit e92e4b9544231c15eaf0bdbba4505345cd0f6ab5
Author: Samuel Cabrero 
Date:   Mon Sep 4 16:18:35 2023 +0200

testprogs: Cleanup machine account in net offlinejoin tests

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13577

Signed-off-by: Samuel Cabrero 
Reviewed-by: Andrew Bartlett 

commit c14a4f51443f67bc46a670a342eed8cb9e81f37d
Author: Samuel Cabrero 
Date:   Wed Aug 30 20:53:18 2023 +0200

s3:net: Allow to load ODJ blob from stdin

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13577

Signed-off-by: Samuel Cabrero 
Reviewed-by: Andrew Bartlett 

commit b2399b6994c89404f245e1a97ba1c1cf13d7fc86
Author: Samuel Cabrero 
Date:   Wed Aug 30 20:25:17 2023 +0200

s3:net: Load ODJ blob from file only if "loadfile" parameter is present

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13577

Signed-off-by: Samuel Cabrero 
Reviewed-by: Andrew Bartlett 

commit 4a1f2071a6028a761bbe7efee20e9654851b51f0
Author: Samuel Cabrero 
Date:   Thu Aug 31 12:46:52 2023 +0200

s3:net: Add "net offlinejoin composeodj" command

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13577

Signed-off-by: Samuel Cabrero 
Reviewed-by: Andrew Bartlett 

commit a8bd8f22aac2c223e85e318dba7af8b64052b053
Author: Samuel Cabrero 
Date:   Thu Aug 31 12:45:42 2023 +0200

s3:libnetapi: Implement NetComposeOfflineDomainJoin_l()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13577

Signed-off-by: Samuel Cabrero 
Reviewed-by: Andrew Bartlett 

commit 7cabbec2eaf5aefd3751c635c12556eca590f506
Author: Samuel Cabrero 
Date:   Thu Aug 31 12:44:26 2023 +0200

s3:libnetapi: Add NetComposeOfflineDomainJoin() to API.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13577

Signed-off-by: Samuel Cabrero 
Reviewed-by: Andrew Bartlett 

commit 532701e3cce9d15e95166ee7c24cd1e4af51fcc4
Author: Samuel Cabrero 
Date:   Thu Aug 31 12:43:22 2023 +0200

s3:libnetapi: Add NetComposeOfflineDomainJoin() boilerplate

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13577

Signed-off-by: Samuel Cabrero 
Reviewed-by: Andrew Bartlett 

commit 740e704bd68a6b618b62336ba1583c0edeb82d6f
Author: Samuel Cabrero 
Date:   Thu Aug 31 12:39:04 2023 +0200

s3:libnetapi: Add NetComposeOfflineDomainJoin() to IDL

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13577

Signed-off-by: Samuel Cabrero 
Reviewed-by: Andrew Bartlett 

commit bdab834dfad55776155915f7ec410b5a192406fa
Author: Samuel Cabrero 
Date:   Mon Sep 4 10:47:06 2023 +0200

s3:libnetapi: Add some comments to document ODJ blob charset conversions

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13577

Signed-off-by: Samuel Cabrero 
Reviewed-by: Andrew Bartlett 

commit e4afb211fe32f2aa92cc903df948874046f60305
Author: Samuel Cabrero 
Date:   Wed Aug 30 19:59:04 2023 +0200

s3:libnetapi: Return error from RequestOfflineJoin

The error code must be returned to caller even if the error string is not set.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13577

Signed-off-by: Samuel Cabrero 
Reviewed-by: Andrew Bartlett 

commit d3f3c40141d9d

[SCM] Samba Shared Repository - branch master updated

2023-08-29 Thread Andrew Bartlett
The branch, master has been updated
   via  70dea37d063 wscript: Refer to correct ConfigSet variable
   via  54ebd103c85 wscript: Remove semicolons
   via  8f430492c8e wscript: Remove unused imports
   via  c6d0323bf15 wscript: Use ‘is’ to compare with singletons
   via  b5cc15fdf16 wscript: Remove unused variable
   via  752a1c409e0 third_party/heimdal_build: Use ‘is’ to compare with singletons
   via  a6c442acea1 third_party/heimdal_build: Remove semicolons
   via  dfe25969f31 third_party/heimdal_build: Remove unused imports
   via  0898329b8d7 selftest: Don’t use invalid escape sequences
   via  0fe4a12b3f3 selftest: Remove star imports
   via  6db02afab81 selftest: Remove unused imports
   via  3c7ef6d0415 s4:dsdb:tests: Fix usage lines
   via  fec8d228ad1 s4:dsdb:tests: Remove unused imports
   via  6e20afeb42a s4:dsdb:tests: Fix spelling
   via  357b520b37f tests/krb5: Have modified_ticket() not modify its arguments
   via  b4a2e64110f tests/krb5: Add KerberosCredentials.get_rid()
   via  7b4b03e5e79 tests/krb5: Re-raise any LdbError other than ERR_ENTRY_ALREADY_EXISTS
   via  3f01cf91699 tests/krb5: Correctly assert that we found a LOGON_INFO PAC buffer
   via  04cdb13c080 tests/krb5: Remove local variable
   via  1def8f04f34 tests/krb5: Move KDC TGT tests to new file
   via  e390e674ecb tests/krb5: Remove test of pre-1.20 MIT Kerberos behaviour
   via  2b566979acf gp: Use read_file() instead of readfp()
   via  34042677b7d gp: Fix resource leaks
   via  928f2bbc6b5 gp: Use assertEqual() instead of assertEquals()
   via  953bc91851c gp: Check correct variables
   via  036a523e516 gp: Prefer ‘x not in y’ to ‘not x in y’
   via  94afa3b1946 gp: Don’t shadow imports
   via  5755b4a4905 gp: Add missing import
   via  de04333b4d5 pytest/dns_aging: Assert that the name of the node to search for is a string
   via  472d80c1c9f pytest/dns_aging: Correctly check that record is tombstoned
   via  8e5c998b1d3 pytest/dns_aging: Check value of ‘dtime’
   via  d3bc6faa7a5 python:tests: Rename test method so as not to mask previously-defined method
   via  bbd0e35f11f python:tests: Complete assertion messages
   via  c4e0d4fbd17 python:tests: Fix usage line
   via  83230577ece python: Fix reference to undefined name ‘samba’
   via  5c5045eeb44 samba-tool: Remove useless return
   via  b076cad4b26 python:join: Fix references to undefined variables
   via  b068592dd0d python: Fix invalid escape sequences
   via  12f1c7825db python: Remove redundant backslashes
   via  fce882ab671 python: Remove unused imports
   via  6c6db88ddac python: Fix spelling
   via  5de640fc581 ldb: Heed return code from Python testsuite
   via  b440732e7fc ldb: Remove unused import
   via  e4ab1de4e41 lib:ldb:tests: Remove explicit comparison with False
   via  84dc7129ead buildtools: Properly set global variable
   via  8d61d3f8e02 buildtools: Prefer ‘x not in y’ to ‘not x in y’
   via  6df81630af8 buildtools: Use ‘is’ to compare with singletons
   via  94f46f0cbbc buildtools: Fix comments and documentation
   via  6668d213e77 pyldb: Fix leaks
   via  5e9187baf92 pyldb: Check return values of Python functions
   via  e5794b8c8a6 pyldb: Check return values of talloc functions
   via  93d37f8bfca pyldb: Check whether Python object is a list
  from  7dc181757c7 gp: Send list of keys instead of dict to remove

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 70dea37d063fea3e72f5a04c29e6bbd5e11d20b0
Author: Joseph Sutton 
Date:   Tue Aug 29 12:18:27 2023 +1200

wscript: Refer to correct ConfigSet variable

LIB_GSSAPI appears to be an error of copy-and-pasting.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Wed Aug 30 03:15:05 UTC 2023 on atb-devel-224

commit 54ebd103c859333e96c1b609ada42de52029b18a
Author: Joseph Sutton 
Date:   Tue Aug 29 12:15:19 2023 +1200

wscript: Remove semicolons

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 8f430492c8e92a542d0d3a92bb82d1f7e1bb105c
Author: Joseph Sutton 
Date:   Tue Aug 29 12:14:45 2023 +1200

wscript: Remove unused imports

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit c6d0323bf1535f41d11a1df3561128cdd84e6848
Author: Joseph Sutton 
Date:   Tue Aug 29 12:11:39 2023 +1200

wscript: Use ‘is’ to compare with singletons

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit b5cc15fdf16dbfa64b6808dca5c0ac6701f1a553
Author: Joseph Sutton 
Date:   Tue Aug 29 12:11:08 2023 +1200

wscript: Remove unused variable

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett

[SCM] Samba Shared Repository - branch master updated

2023-08-27 Thread Andrew Bartlett
The branch, master has been updated
   via  7dc181757c7 gp: Send list of keys instead of dict to remove
   via  ee814f7707a gp: Test disabled enrollment unapplies policy
   via  2a6ae997f24 gp: Template changes should invalidate cache
   via  2d6943a8644 gp: Test adding new cert templates enforces changes
   via  157335ee93e gp: Convert CA certificates to base64
   via  1ef722cf66f gp: Test with binary content for certificate data
   via  bce3a892045 gp: Change root cert extension suffix
   via  fa80d1d8643 gp: Support update-ca-trust helper
   via  a1b285e485c gp: Support more global trust directories
   via  776597bce92 samba-tool: Allow LDB URL to be None
   via  8e7a62b6ffa waf: Build nmbd with -Wno-error=stringop-overflow
  from  c7672779128 util: Avoid logging to multiple backends for stdout/stderr

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 7dc181757c76b881ceaf1915ebb0bfbcf5aca83a
Author: Gabriel Nagy 
Date:   Wed Aug 16 12:33:59 2023 +0300

gp: Send list of keys instead of dict to remove

`cache_get_all_attribute_values` returns a dict whereas we need to pass
a list of keys to `remove`. These will be interpolated in the gpdb search.

Signed-off-by: Gabriel Nagy 
Reviewed-by: Joseph Sutton 
Reviewed-by: David Mulder 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Mon Aug 28 03:01:22 UTC 2023 on atb-devel-224

commit ee814f7707a8ddef2657212cd6d31799501b7bb3
Author: Gabriel Nagy 
Date:   Fri Aug 18 17:26:59 2023 +0300

gp: Test disabled enrollment unapplies policy

For this we need to stage a Registry.pol file with certificate
autoenrollment enabled, but with checkboxes unticked.

Signed-off-by: Gabriel Nagy 
Reviewed-by: Joseph Sutton 
Reviewed-by: David Mulder 

commit 2a6ae997f2464b12b72b5314fa80d9784fb0f6c1
Author: Gabriel Nagy 
Date:   Wed Aug 16 12:37:17 2023 +0300

gp: Template changes should invalidate cache

If certificate templates are added or removed, the autoenroll extension
should react to this and reapply the policy. Previously this wasn't
taken into account.

Signed-off-by: Gabriel Nagy 
Reviewed-by: Joseph Sutton 
Reviewed-by: David Mulder 

commit 2d6943a864405f324c467e8c3464c31ac08457b0
Author: Gabriel Nagy 
Date:   Fri Aug 18 17:16:23 2023 +0300

gp: Test adding new cert templates enforces changes

Ensure that cepces-submit reporting additional templates and re-applying
will enforce the updated policy.

Signed-off-by: Gabriel Nagy 
Reviewed-by: Joseph Sutton 
Reviewed-by: David Mulder 

commit 157335ee93eb866f9b6a47486a5668d6e76aced5
Author: Gabriel Nagy 
Date:   Wed Aug 16 12:20:11 2023 +0300

gp: Convert CA certificates to base64

I don't know whether this applies universally, but in our case the
contents of `es['cACertificate'][0]` are binary, so cleanly converting
to a string fails with the following:

'utf-8' codec can't decode byte 0x82 in position 1: invalid start byte

We found a fix to be encoding the certificate to base64 when
constructing the CA list.

Section 4.4.5.2 of MS-CAESO also suggests that the content of
`cACertificate` is binary (OCTET string).

Signed-off-by: Gabriel Nagy 
Reviewed-by: Joseph Sutton 
Reviewed-by: David Mulder 

commit 1ef722cf66f9ec99f52939f1cfca031c5fe1ad70
Author: Gabriel Nagy 
Date:   Fri Aug 18 17:06:43 2023 +0300

gp: Test with binary content for certificate data

This fails all GPO-related tests that call `gpupdate --rsop`.

Signed-off-by: Gabriel Nagy 
Reviewed-by: Joseph Sutton 
Reviewed-by: David Mulder 

commit bce3a89204545dcab5fb39a712590f6e166f997b
Author: Gabriel Nagy 
Date:   Fri Aug 11 18:46:42 2023 +0300

gp: Change root cert extension suffix

On Ubuntu, certificates must end in '.crt' in order to be considered by
the `update-ca-certificates` helper.

Signed-off-by: Gabriel Nagy 
Reviewed-by: Joseph Sutton 
Reviewed-by: David Mulder 

commit fa80d1d86439749c44e60cf9075e84dc9ed3c268
Author: Gabriel Nagy 
Date:   Thu Aug 17 01:09:28 2023 +0300

gp: Support update-ca-trust helper

This is used on RHEL/Fedora instead of update-ca-certificates. They
behave similarly so it's enough to change the command name.

Signed-off-by: Gabriel Nagy 
Reviewed-by: Joseph Sutton 
Reviewed-by: David Mulder 

commit a1b285e485c0b5a8747499bdbbb9f3f4fc025b2f
Author: Gabriel Nagy 
Date:   Thu Aug 17 01:05:54 2023 +0300

gp: Support more global trust directories

In addition to the SUSE global trust directory, add support for RHEL and
Debian-based distributions (including Ubuntu).

To determine the correct directory to use, we iterate over the variants
and stop

[SCM] Samba Shared Repository - branch master updated

2023-08-21 Thread Andrew Bartlett
The branch, master has been updated
   via  aba7eb094b9 selftest: Report time at which testsuite starts
   via  fc41a35a9bd selftest: Fix subunit reporting the time incorrectly
   via  cbc0ff187a0 selftest: Remove leftover from debugging
   via  7ce6e3c9cac selftest: Remove unused variable
   via  c2126e08f47 selftest: Remove semicolon
   via  892c1b0a0c9 s4:torture: Fix code spelling
   via  783f09cc37f s4:smb_server: Fix code spelling
   via  4b03aabe451 s4:kdc: Use smb_krb5_make_data()
   via  6d2c7c45ca4 s4:kdc: Use ‘krb5_error_code’ for return types
   via  9166d01b19f s4:kdc: Set SAMBA_KDC_FLAG_PROTOCOL_TRANSITION flag for MIT Kerberos
   via  bbfa98ec05c s4:kdc: Remove support code for older versions of MIT Kerberos
   via  6b580f73688 s4:kdc: Do not panic if authsam_logon_success_accounting() fails
   via  448cc122a8f s3:rpc_server: Remove unnecessary cast
   via  b3c47b65836 s3:libnet: Fix reference to incorrect function names
   via  4004ded906d s3:libnet: Remove unnecessary cast
   via  683dab11024 python:tests: Save files with intended contents
   via  2d6b10da225 python:tests: Fix spelling
   via  981c3413893 python:tests: Reuse policies and silos created by setUp() across all tests
   via  f71893c1a3e python:tests: Reuse claims created by setUp() across all tests
   via  a985873c46f python:tests: Make getSamDB() a static method
   via  b7e00680102 python:subunit: Use ‘is’ to compare variables with singletons
   via  c052b17556b python:subunit: Fix docstring
   via  859bbef4722 python:netcmd: Remove semicolon
   via  d40293e0df5 python:netcmd: Add missing newlines to error messages
   via  a836b433ed7 pidl: Use non-existent function dissect_ndr_int64()
   via  d5cbb542d0f librpc:ndr: Use portable integer types
   via  593a7fb6382 libcli/auth: Remove unnecessary casts
   via  d608dc175e0 lib:krb5_wrap: Fix references to incorrect function names
   via  02b546778f0 lib:krb5_wrap: Fix code spelling
  from  37fdd79cc0b tests/krb5: Remove incorrect comments

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit aba7eb094b978f69a632ec6e9080d55b788c9001
Author: Joseph Sutton 
Date:   Thu Aug 17 13:29:41 2023 +1200

selftest: Report time at which testsuite starts

With no call to report_time() preceding it,
PlainFormatter.start_testsuite() would always claim that no time had
elapsed prior to the first testsuite starting to run. This gave a
misleading impression of the time spent running the first testsuite. Now
the time will be consistent with that reported for subsequent
testsuites, and will properly include any time that test environments
took to start up.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Tue Aug 22 00:36:52 UTC 2023 on atb-devel-224

commit fc41a35a9bd8706d8a3770a2b8f1467cd00452b8
Author: Joseph Sutton 
Date:   Thu Aug 17 12:46:17 2023 +1200

selftest: Fix subunit reporting the time incorrectly

Although report_time() would output the time in UTC, it neglected to
specify the timezone offset. Thus subunithelper.parse_results() would
interpret the time string it was given as being in local time.
TestProtocolClient.time() then converted that *back* into UTC, giving an
incorrect result (unless UTC is your local timezone).

Fix this by having report_time() indicate that the time zone is UTC.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15162

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit cbc0ff187a0cc54dddfe60235a555676a546cc6f
Author: Joseph Sutton 
Date:   Thu Aug 17 13:42:47 2023 +1200

selftest: Remove leftover from debugging

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 7ce6e3c9cac1653579d7f4efdfca76491c1fa5e7
Author: Joseph Sutton 
Date:   Wed Aug 16 15:20:48 2023 +1200

selftest: Remove unused variable

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit c2126e08f4764da3d1033ec72f704e7abe54ba67
Author: Joseph Sutton 
Date:   Wed Aug 16 15:19:05 2023 +1200

selftest: Remove semicolon

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 892c1b0a0c97e09a553a4084a1819827a437126a
Author: Joseph Sutton 
Date:   Wed Aug 2 14:52:13 2023 +1200

s4:torture: Fix code spelling

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 783f09cc37fcd4ec31ca6ba7d268f8aa11ea832b
Author: Joseph Sutton 
Date:   Tue Aug 1 15:52:07 2023 +1200

s4:smb_server: Fix code spelling

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 4b03aabe451bae6bbeadcaaf8c2ff62041511ca3
Author: Joseph Sutton 
Date:   Wed Aug 16 15:57:53

[SCM] Samba Shared Repository - branch master updated

2023-08-14 Thread Andrew Bartlett
The branch, master has been updated
   via  61d97ebf7d4 gitlab-ci: Add running codespell
   via  e54939c8453 scripts: Add codespell check
   via  45e17b70004 wintest: Fix code spelling
   via  be56ec0a6b9 tests: Fix code spelling
   via  a7ed7405af9 testprogs: Fix code spelling
   via  5f024d57b31 s4:wrepl_server: Fix code spelling
   via  dbfc239f5b5 s4:wrepl_server: Remove trailing white spaces
   via  920ffe5dc9a s4:torture: Fix code spelling
   via  0d241305b4e s4:torture:smb2: Fix code spelling
   via  085cfe0c4a3 s4:torture:rpc: Fix code spelling
   via  ff2f813b68c s4:torture:raw: Fix code spelling
   via  428c1556460 s4:torture:nbt: Fix code spelling
   via  c4ed99a2231 s4:torture:nbench: Fix code spelling
   via  664f69617df s4:torture:libnetapi: Fix code spelling
   via  faa06e5ed21 s4:torture:ldb: Fix code spelling
   via  1c4e84fd2a0 s4:torture:ldap: Fix code spelling
   via  3f023d74143 s4:torture:ldap: Remove trailing white spaces
   via  56fdc3c5882 s4:torture:krb5: Fix code spelling
   via  e2c952cfea0 s4:torture:dns: Fix code spelling
   via  5850ea63386 s4:torture:basic: Fix code spelling
   via  69b7876965a s4:torture:drs: Fix code spelling
   via  3dd7625ab97 s4:torture:dfs: Fix code spelling
   via  5dd07a44a24 s4:torture:auth: Fix code spelling
   via  e1da1fc9d97 s4:smb_server: Fix code spelling
   via  5a0201e8b48 s4:setup: Fix code spelling
   via  541f4d08a36 s3:ldap_server: Fix code spelling
   via  9ebd645e63f s4:selftest: Fix code spelling
   via  9c13765f2d9 s4:scripting: Fix code spelling
   via  ee1bc66e025 s4:samba: Fix code spelling
   via  8d85b9987ee s4:rpc_server: Fix code spelling
   via  6427dafe702 s4:ntvfs: Fix code spelling
   via  42f094afde1 s4:librpc: Fix code spelling
   via  37664f4ce7d s4:libnet: Fix code spelling
   via  950f0b47d94 s4:libcli: Fix code spelling
   via  a749d885f3a s4:libcli: Remove tailing white spaces
   via  783eff3f76d s4:lib: Fix code spelling
  from  42e4691cf55 audit_logging: Simplify json_add_stringn() with json_stringn()

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 61d97ebf7d4c46b1a0946634b6e3fe69f44dd01c
Author: Andreas Schneider 
Date:   Wed Mar 22 10:15:54 2023 +0100

gitlab-ci: Add running codespell

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Mon Aug 14 22:44:58 UTC 2023 on atb-devel-224

commit e54939c8453c518ec121f02912d95c9143e6bd3f
Author: Andreas Schneider 
Date:   Tue Mar 14 08:51:03 2023 +0100

scripts: Add codespell check

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit 45e17b700049f6672149b14216a30818df2bd4b7
Author: Andreas Schneider 
Date:   Thu Aug 3 15:50:30 2023 +0200

wintest: Fix code spelling

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit be56ec0a6b9b8ed07416c3f1f2805f4c6622b9da
Author: Andreas Schneider 
Date:   Thu Aug 3 15:50:07 2023 +0200

tests: Fix code spelling

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit a7ed7405af938e757d895464028345a1b669ccfb
Author: Andreas Schneider 
Date:   Thu Aug 3 15:49:45 2023 +0200

testprogs: Fix code spelling

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit 5f024d57b313d608660aac240500796dd2dc7eb0
Author: Andreas Schneider 
Date:   Thu Aug 3 15:48:16 2023 +0200

s4:wrepl_server: Fix code spelling

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit dbfc239f5b51e9142d96d3d2e34ba10b630385b0
Author: Andreas Schneider 
Date:   Thu Aug 3 15:49:06 2023 +0200

s4:wrepl_server: Remove trailing white spaces

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit 920ffe5dc9a2a12f9bacd9c7eb2ce629207c4863
Author: Andreas Schneider 
Date:   Thu Aug 3 15:46:43 2023 +0200

s4:torture: Fix code spelling

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit 0d241305b4e445a543375a93f0f5485a1ad0ae34
Author: Andreas Schneider 
Date:   Thu Aug 3 15:45:39 2023 +0200

s4:torture:smb2: Fix code spelling

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit 085cfe0c4a3b9ec8a9d37d7f29ad6ae4950e63ee
Author: Andreas Schneider 
Date:   Thu Aug 3 15:45:20 2023 +0200

s4:torture:rpc: Fix code spelling

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit ff2f813b68ca3db3b73df5d62c9181b844d05c17
Author: Andreas Schneider 
Date:   Thu Aug 3 15:45:05 2023 +0200

s4:torture:raw: Fix code spelling

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit 428c15564600dc45da2649e74497f7421b5849b0

[SCM] Samba Shared Repository - branch master updated

2023-08-13 Thread Andrew Bartlett
Use portable format specifier
   via  329bfe47d9e auth: Remove unnecessary casts
  from  57672e45e36 bootstrap: Install codespell

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit c01c206d7652e5bc5d4134f786522a17729de403
Author: Joseph Sutton 
Date:   Fri Aug 11 10:54:52 2023 +1200

s4:kdc: Add get_claims_set_for_principal()

Add a new function, get_claims_set_for_principal(), that returns the
claims as a CLAIMS_SET structure rather than as a blob. To accommodate
this, move the call to encode_claims_set() out of get_all_claims() and
into get_claims_blob_for_principal().

Being able to get the unencoded claims will save us from having to
decode claims that we just needlessly encoded.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Mon Aug 14 05:51:45 UTC 2023 on atb-devel-224

commit 21e0c2589549daba3b0b211641c23ed0039adc30
Author: Joseph Sutton 
Date:   Fri Aug 11 12:21:16 2023 +1200

s4:kdc: Rename ‘claims_blob’ parameter to ‘claims_blob_out’

Just to make perfectly clear that it is an out parameter.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 504a36f3208e020e6959f272b472ce2b9366141e
Author: Joseph Sutton 
Date:   Fri Aug 11 12:20:09 2023 +1200

s4:kdc: Rename get_claims_for_principal() to get_claims_blob_for_principal()

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit e6b78ef7f7ef2d9fc16aee3f7edfc31163fdf284
Author: Joseph Sutton 
Date:   Fri Aug 11 12:15:05 2023 +1200

s4:kdc: Ensure that we don’t dereference a NULL pointer

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 58371c33e924ecb793f71871712025424f3e80b5
Author: Joseph Sutton 
Date:   Fri Aug 11 12:10:46 2023 +1200

s4:kdc: Properly allocate claims set on a talloc context

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit c6cd6b25ff1edf6b1983916087bef227ecb1a3cf
Author: Joseph Sutton 
Date:   Fri Aug 11 12:06:00 2023 +1200

s4:kdc: Remove ldb_context parameter as being no longer needed

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 78fc6fbb61c40efe6cd20b83270acb11348eb5aa
Author: Joseph Sutton 
Date:   Fri Aug 11 12:04:02 2023 +1200

s4:kdc: Have encode_claims_set return NTSTATUS

This change will simplify things later. Probably.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 365455b6a14b1f1e7e0b831ae28bb7996b5138a6
Author: Joseph Sutton 
Date:   Fri Aug 11 10:36:04 2023 +1200

s4:dsdb: Check for overflow in security_token_create()

Overflow is unlikely ever to occur, but you never know.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 479ebdd041a0992e443f0590822eb57c8063157d
Author: Joseph Sutton 
Date:   Fri Aug 11 10:35:43 2023 +1200

s4:dsdb: Make ‘sids’ parameter const

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 37c8c3432860f08f4324f3072d3804056a3db809
Author: Joseph Sutton 
Date:   Fri Aug 11 10:34:47 2023 +1200

s4:dsdb: Use uint32_t for ‘num_sids’

This matches the use of uint32_t for security_token::num_sids.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit c1061ae8a7b99175ac13612f86156717f8c73284
Author: Joseph Sutton 
Date:   Fri Aug 11 10:25:08 2023 +1200

s4:kdc: Free error message returned by krb5_get_error_message()

Also check whether the message is NULL. Passing NULL to vasprintf() is
undefined behaviour.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 9d485b262a57439dfba6deff5e8c4fb7023a5d1f
Author: Joseph Sutton 
Date:   Fri Aug 11 10:23:10 2023 +1200

s4:kdc: Use common out path in mit_samba_kpasswd_change_password()

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit ab098c24314eb2b0745f71af62d8c396e5f8e8bf
Author: Joseph Sutton 
Date:   Fri Aug 11 10:21:07 2023 +1200

s4:kdc: Inline samba_get_claims_blob()

Wrapping a function this simple doesn’t gain us very much.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 63f798442ce48c0b35ada165a1421f6ae7f0a640
Author: Joseph Sutton 
Date:   Fri Aug 11 10:15:56 2023 +1200

s4:kdc: Don’t enforce a server authentication policy for the krbtgt

As the server authentication policy will be non-NULL only for entries
looked up as servers, the krbtgt shouldn’t have an authentication policy
anyway. But we might as well be explicit.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 914f1700991cca15fe9fd3d9e3174b044963049c
Author: Joseph Sutton 
Date:   Fri Aug 11 10:13:38 2023 +1200

s4:kdc: Switch to using samdb_result

[SCM] Samba Shared Repository - branch master updated

2023-08-13 Thread Andrew Bartlett
The branch, master has been updated
   via  57672e45e36 bootstrap: Install codespell
   via  b896da351c8 krb5: Increase the minimum MIT Krb5 version to 1.21
   via  4ae3e9b208d selftest: Allow MIT Krb5 1.21 to still start to fl2000dc
   via  8744e5df777 bootstrap: Heimdal no longer requires perl-JSON
   via  26329a69cd7 WHATSNEW: Remove unusual box around 'REMOVED FEATURES'
  from  58260e1e4fe python/samba/netcmd/domain/schemaupgrade.py: fix 
missing newline

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 57672e45e36bac567876eb1ebc098f1d33aaa1bc
Author: Andreas Schneider 
Date:   Wed Mar 22 10:17:13 2023 +0100

bootstrap: Install codespell

Signed-off-by: Andreas Schneider 
Reviewed-by: Joseph Sutton 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Mon Aug 14 04:40:03 UTC 2023 on atb-devel-224

commit b896da351c8b27440dfb895e866d5a5ce0320b21
Author: Andrew Bartlett 
Date:   Tue Jul 18 14:34:47 2023 +1200

krb5: Increase the minimum MIT Krb5 version to 1.21

This is the version we test with in CI after the image update
in the next commit.  This addresses the issues that were
fixed in CVE-2022-37967 (KrbtgtFullPacSignature) and ensures
that Samba builds against the MIT version that allows us to
avoid that attack.

The hooks to allow these expectations to be disabled in the tests
are kept for now, to allow this to be reverted or to test
older servers.

With MIT 1.21 as the new test standard for the MIT KDC build
we update the knownfail_mit_kdc - this was required regardless
after the CI image update.

Any update to the CI image, even an unrelated one, brings in
a new MIT Krb5, version 1.21-3 in this case.  This has new
behaviour that needs to be noted in the knownfail files or
else the tests, which haven't changed, will fail and
pipelines won't pass.

(The image generated by the earlier bootstrap commit brought
in krb5-1.21-2 which was buggy with CVE-2023-39975)

Further tweaks to tests or the server should reduce the number
of knownfail entries, but this keeps the pipelines passing for now.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15231

Signed-off-by: Andrew Bartlett 
Reviewed-by: Joseph Sutton 

commit 4ae3e9b208d4badee5765eddd832b258e84665b2
Author: Andrew Bartlett 
Date:   Tue Jul 18 14:50:55 2023 +1200

selftest: Allow MIT Krb5 1.21 to still start to fl2000dc

This is the simplest way to keep this test environment alive.

Signed-off-by: Andrew Bartlett 
Reviewed-by: Joseph Sutton 

commit 8744e5df7779692862b0f6508e83290c35d267a5
Author: Andrew Bartlett 
Date:   Tue Jul 18 09:53:26 2023 +1200

bootstrap: Heimdal no longer requires perl-JSON

Heimdal after lorikeet-heimdal-202307040259
(commit 33d117b8a9c11714ef709e63a005d87e34b9bfde)
includes Heimdal master commit f62e2f278437ff6c03d2d09bd628381c795bba78.

This has PR https://github.com/heimdal/heimdal/pull/1176 and no
longer requires the external JSON module, as JSON::PP is builtin.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15394

Signed-off-by: Andrew Bartlett 
Reviewed-by: Joseph Sutton 

commit 26329a69cd7120cc640a3dbb9c4c48c6feb573a8
Author: Andrew Bartlett 
Date:   Wed Aug 9 07:37:30 2023 +1200

WHATSNEW: Remove unusual box around 'REMOVED FEATURES'

We do not normally put the  above the titles, per recent practice.

Signed-off-by: Andrew Bartlett 
Reviewed-by: Joseph Sutton 

---

Summary of changes:
 .gitlab-ci-main.yml                                |  2 +-
 WHATSNEW.txt                                       | 23 +-
 bootstrap/config.py                                |  5 +-
 bootstrap/generated-dists/centos7/bootstrap.sh     |  2 -
 bootstrap/generated-dists/centos7/packages.yml     |  2 -
 bootstrap/generated-dists/centos8s/bootstrap.sh    |  1 -
 bootstrap/generated-dists/centos8s/packages.yml    |  1 -
 .../generated-dists/debian11-32bit/bootstrap.sh    |  1 -
 .../generated-dists/debian11-32bit/packages.yml    |  1 -
 bootstrap/generated-dists/debian11/bootstrap.sh    |  1 -
 bootstrap/generated-dists/debian11/packages.yml    |  1 -
 .../generated-dists/debian12-32bit/bootstrap.sh    |  1 -
 .../generated-dists/debian12-32bit/packages.yml    |  1 -
 bootstrap/generated-dists/debian12/bootstrap.sh    |  1 -
 bootstrap/generated-dists/debian12/packages.yml    |  1 -
 bootstrap/generated-dists/fedora38/bootstrap.sh    |  3 +-
 bootstrap/generated-dists/fedora38/packages.yml    |  3 +-
 bootstrap/generated-dists/opensuse155/bootstrap.sh |  3 +-
 bootstrap/generated-dists/opensuse155/packages.yml |  3 +-
 .../generated-dists/ubuntu1804-32bit

[SCM] Samba Shared Repository - branch master updated

2023-08-13 Thread Andrew Bartlett
The branch, master has been updated
   via  58260e1e4fe python/samba/netcmd/domain/schemaupgrade.py: fix 
missing newline
   via  79ca6ef28a6 s4-rpc_server/drsupai: Avoid looping with Azure AD 
Connect by not incrementing temp_highest_usn for the NC root
   via  17359afa627 s4-rpc_server/drsuapi: Ensure logs show DN for 
replicated objects, not (null)
   via  2aba9e230ea s4-rpc_server/drsuapi: Update getnc_state to be != NULL
   via  2ed9815eeac s4-rpc_server/drsuapi: Rename ncRoot -> 
untrusted_ncRoot to avoid misuse
   via  548f141f11e s4-rpc_server/drsuapi: Avoid modification to ncRoot 
input variable in GetNCChanges
   via  fe7418e1765 s4-rpc_server/drsuapi: Fix indentation in GetNCChanges()
   via  99579e70631 s4-rpc_server/drsuapi: Only keep and invalidate 
replication cycle state for normal replication
   via  87414955212 s4-torture/drs: Add test showing that if present in the 
set the NC root leads and tmp_highest_usn moves
   via  b323169d6ff s4-torture/drs: Add test demonstrating that a 
GetNCChanges REPL_OBJ will not reset the replication cookie
   via  db16366b0bb s4-torture/drs: Add a test matching Azure AD Connect 
REPL_OBJ behaviour
   via  40f831e67e1 s4-torture/drs: Use addCleanup() in getchanges.py for 
OU handling
   via  628eab11b3c s4-torture/drs: Create temp OU with a unique name per 
test
   via  c30bb8769ff s4-torture/drs: Save the server dnsname on the 
DcConnection object
   via  0550e469eda s4-rpc_server/drsuapi: Remove rudundant check for valid 
and non-NULL ncRoot_dn
   via  63843a22c8d s4-dsdb: Improve logging for 
drs_ObjectIdentifier_to_dn_and_nc_root()
   via  a12bcce89d2 s4-rpc_server/drsuapi: Improve debug message for 
drs_ObjectIdentifier_to_dn_and_nc_root() failure
   via  d0c1ce53add s4-rpc_server/drsuapi: Improve debugging of invalid DNs
   via  0d9ea6c5593 s4-rpc_server/drsuapi: Add tmp_highest_usn tracking to 
replication log
  from  5ec660160e4 smbclient3: Get all reparse data for allinfo

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 58260e1e4fe9af44bb0c93df969a07466d65d2ca
Author: Michael Tokarev 
Date:   Fri Aug 4 07:40:02 2023 +0300

python/samba/netcmd/domain/schemaupgrade.py: fix missing newline

Signed-off-by: Michael Tokarev 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Volker Lendecke 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Sun Aug 13 22:54:55 UTC 2023 on atb-devel-224

commit 79ca6ef28a6f94965cb030c4a7da8c1b9db7150b
Author: Andrew Bartlett 
Date:   Wed Jul 26 14:27:16 2023 +1200

s4-rpc_server/drsupai: Avoid looping with Azure AD Connect by not 
incrementing temp_highest_usn for the NC root

We send the NC root first, as a special case for every chunk
that we send until the natural point where it belongs.

We do not bump the tmp_highest_usn in the highwatermark that
the client and server use (it is meant to be an opaque cookie)
until the 'natural' point where the object appears, similar
to the cache for GET_ANC.

The issue is that without this, because the NC root was sorted
first in whatever chunk it appeared in but could have a 'high'
highwatermark, Azure AD Connect will send back the same
new_highwatermark->tmp_highest_usn, and due to a bug,
a zero reserved_usn, which makes Samba discard it.

The reserved_usn is now much less likely to ever be set because
the tmp_highest_usn is now always advancing.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15401

Signed-off-by: Andrew Bartlett 
Reviewed-by: Stefan Metzmacher 

commit 17359afa627a3086ec8d6862f007a3479574a8b4
Author: Andrew Bartlett 
Date:   Wed Jun 28 15:57:47 2023 +1200

s4-rpc_server/drsuapi: Ensure logs show DN for replicated objects, not 
(null)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15407
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15401

Signed-off-by: Andrew Bartlett 
Reviewed-by: Stefan Metzmacher 

commit 2aba9e230ea62efcbd829f6f073894dfa3180c91
Author: Andrew Bartlett 
Date:   Tue Jun 27 17:01:28 2023 +1200

s4-rpc_server/drsuapi: Update getnc_state to be != NULL

This is closer to our README.Coding style

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15401

Signed-off-by: Andrew Bartlett 
Reviewed-by: Stefan Metzmacher 

commit 2ed9815eeacfcf3a58871bafe0212398cc34c39e
Author: Andrew Bartlett 
Date:   Tue Jun 27 14:43:39 2023 +1200

s4-rpc_server/drsuapi: Rename ncRoot -> untrusted_ncRoot to avoid misuse

Because of the requirement to echo back the original string, we can
not force this to be a trustworthy value.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15401

Signed-off-by: Andrew Bartlett 
Reviewed-by: Stefan Metzmacher

[SCM] Samba Shared Repository - branch master updated

2023-08-07 Thread Andrew Bartlett
cd ndr/dns-utils: Make error message slightly more readable
   via  872164137c3 ndr_string: Remove dodgy-looking casts
   via  dd53e0524f8 ndr_string: Fix typo
   via  2a2604bfb30 ndr_string: Add overflow check in 
ndr_pull_charset_to_null()
   via  448ed84c361 librpc/ndr: Remove unneeded casts
   via  e69968d248f librpc/rpc: Add missing newline to logging message
   via  748cbac2fa7 libcli/security: Cast isupper() argument to ‘unsigned 
char’
   via  60f4d873b75 libcli/security: Remove unnecessary code
   via  2b33c919c59 libcli/auth: Fix code spelling
   via  0e653af8d62 libcli: Add missing newlines to logging messages
   via  731e233acab s4:auth: Add missing newlines to logging messages
   via  8090e595415 lib/ldb-samba: Add missing newline to logging message
   via  5c67b452217 lib/util: Add missing newlines to logging messages
   via  a8085b3dd5e ctdb: Add missing newlines to logging messages
   via  50c6ca69424 auth: Fix code spelling
   via  aa0d17a79bc auth: Add missing newlines to logging messages
   via  aa9ca519467 lib/replace: Const-qualify sys_errlist
   via  8ed6955365d lib:dbwrap: Remove unneeded space in debug message
  from  f87f02f6f99 ctdb-doc: Fix documentation for ctdb event status

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 269738d6ce42a2e4979bfca33328fbf0bf0e6d10
Author: Douglas Bagnall 
Date:   Fri Jul 28 15:36:21 2023 +1200

lib/replace: fix strlcat/strlcpy compile for Honggfuzz

Otherwise we get this kind of thing:

../../lib/replace/replace.c:837:3: error: implicit declaration of function 
'strlcpy' is invalid in C99 [-Werror,-Wimplicit-function-declaration]
strlcpy(buf, s, buflen);

../../third_party/heimdal/lib/roken/getarg.c:288:6: error: implicit 
declaration of function 'strlcat' is invalid in C99 
[-Werror,-Wimplicit-function-declaration]
strlcat(buf, "]", sizeof(buf));

because we found the symbol names in libc, but didn't check that the
functions are declared in . We already include
 whenever we have it.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Tue Aug  8 05:35:08 UTC 2023 on atb-devel-224

commit f0e0ff262ab720e2e0cd48aa82549ad9c5ed69ec
Author: Douglas Bagnall 
Date:   Sun Dec 20 12:17:56 2020 +1300

tldap: avoid infinite loop when filter contains "\)"

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14600

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 17e35c269141bcefbe31ff8be0c343b6b13165f9
Author: Douglas Bagnall 
Date:   Sat Mar 6 12:40:17 2021 +1300

fuzz: add fuzzer for ldb_comparison_fold

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 019bee54c6b3521daef72b266b69c9c40a8fd278
Author: Douglas Bagnall 
Date:   Fri Dec 18 17:56:29 2020 +1300

fuzz: add fuzzer for sess_crypt_blob

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit f404ef3c2aa06c801826db7d3a4cca08a60e3a0e
Author: Douglas Bagnall 
Date:   Sat May 14 15:05:16 2022 +1200

libcli:auth:sess_crypt_blob: ensure key has 7 bytes

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 5c007600dcdfd60b0ef8f164716573ee644869a1
Author: Douglas Bagnall 
Date:   Fri May 13 10:59:24 2022 +1200

util/base64: add a note about zero length strings

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit c3ded9d934358260af9251c7c42e903d37a1bdd4
Author: Douglas Bagnall 
Date:   Sat Aug 5 14:18:46 2023 +1200

lib/fuzzing:fuzz_sddl_access_check fix nul-term check

We were wanting to ensure the string contains a zero byte, but
instead were checking for a non-zero byte.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 5c81f349354cffdf6cfd3f2983634a85da474543
Author: Douglas Bagnall 
Date:   Sat Aug 5 14:30:24 2023 +1200

lib/fuzzing: LLVMFuzzerTestOneInput() takes const uint8_t*

We have been using `uint8_t *`, which works fine as far as
linking goes, but leads fuzz target developers to sometimes
forget why they can't just modify the passed in string instead of
copying it for modification (e.g. to NUL-terminate).

REF: https://llvm.org/docs/LibFuzzer.html#fuzz-target

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 43b44827d63949162d1ffebdc71aaa09b93dba42
Author: Joseph Sutton 
Date:   Wed Aug 2 14:52:13 2023 +1200

s4:torture: Fix code spelling

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 3ec0c61c4d38518bdba0b529e37ff3a1df9a2bb8
Author: Joseph Sutton 
Date:   Tue Aug 1 15:52:07 2023 +1200

s4:smb_server: Fix code spelling
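
The two lib/fuzzing commits in this message (the nul-term check fix and the `const uint8_t *` signature) both concern how a fuzz target turns libFuzzer's read-only byte buffer into a C string. The following is an added example, not Samba's code: `parse_cstring()` and the helper names are hypothetical stand-ins, and the inverted check is constructed from the commit's description.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the code under test: it walks a C string
 * until the terminator, so it reads out of bounds if none exists. */
static int parse_cstring(const char *s)
{
    int separators = 0;
    for (; *s != '\0'; s++) {
        if (*s == ':') {
            separators++;
        }
    }
    return separators;
}

/* Inverted check of the kind the commit message describes (constructed):
 * true as soon as ANY byte is non-zero, which says nothing about
 * whether the buffer is terminated. */
static bool has_nonzero_byte(const uint8_t *data, size_t len)
{
    size_t i;
    for (i = 0; i < len; i++) {
        if (data[i] != 0) {
            return true;
        }
    }
    return false;
}

/* Intended check: true only if a zero byte lies inside the buffer. */
static bool has_nul_byte(const uint8_t *data, size_t len)
{
    return len > 0 && memchr(data, 0, len) != NULL;
}

/* Option 1: reject inputs that are not already NUL-terminated
 * somewhere inside the buffer. Returns -1 for rejected input. */
static int fuzz_requires_nul(const uint8_t *data, size_t len)
{
    if (!has_nul_byte(data, len)) {
        return -1;
    }
    return parse_cstring((const char *)data);
}

/* Option 2: the buffer is const, so terminate a private copy
 * instead of writing into libFuzzer's memory. */
static int fuzz_copy_and_terminate(const uint8_t *data, size_t len)
{
    char *copy = NULL;
    int ret;

    if (len == SIZE_MAX) {
        return -1; /* len + 1 would wrap */
    }
    copy = malloc(len + 1);
    if (copy == NULL) {
        return -1;
    }
    if (len > 0) {
        memcpy(copy, data, len);
    }
    copy[len] = '\0';
    ret = parse_cstring(copy);
    free(copy);
    return ret;
}

/* Entry point with the signature documented by libFuzzer. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t len)
{
    (void)fuzz_requires_nul(data, len);
    (void)fuzz_copy_and_terminate(data, len);
    return 0;
}
```

With the `const` qualifier in the signature, an attempt to write `data[len - 1] = 0` in the target fails to compile, which is the reminder the second commit is after.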

[SCM] Samba Shared Repository - branch master updated

2023-08-03 Thread Andrew Bartlett
The branch, master has been updated
   via  3452b0d2cec netcmd: user: readpasswords: move syncpasswords command 
to readpasswords
   via  1929cca223d netcmd: user: readpasswords: move getpassword command 
to readpasswords
   via  24c567610ab netcmd: user: readpasswords: move common.py to 
readpasswords
   via  6319df10b7b netcmd: user: readpasswords: move show command to 
readpasswords
   via  fab69e47ef8 netcmd: user: readpasswords: turn getpassword.py into 
readpasswords module
   via  10aa17a4039 netcmd: user: move user sensitive command
   via  8c4a6e55495 netcmd: user: move user add_unix_attrs command
   via  95f6abebeab netcmd: user: move user unlock command
   via  44a974e1edc netcmd: user: move user rename command
   via  41492dadcc1 netcmd: user: move user move command
   via  4a34b6813dc netcmd: user: move user show command
   via  d08f726065f netcmd: user: move user edit command
   via  b51456836d2 netcmd: user: move user getpassword and syncpasswords 
commands
   via  65fc1472053 netcmd: user: move user setpassword command
   via  a6e1b5694f1 netcmd: user: move user setprimarygroup command
   via  f20b5f6052f netcmd: user: move user getgroups command
   via  9b47a424337 netcmd: user: move user password command
   via  84c13a8696b netcmd: user: move common code used by various password 
commands
   via  c621183c652 netcmd: user: move user setexpiry command
   via  69536ff70f2 netcmd: user: move user list command
   via  0385e4a97e9 netcmd: user: move user disable command
   via  970c2bcb8e7 netcmd: user: move user enable command
   via  e85070b01d9 netcmd: user: move user delete command
   via  87aae028900 netcmd: user: move user add command
   via  5949adab16b netcmd: user: turn user.py into module netcmd.user
  from  85c8222bdb7 s4:kdc: Fix code spelling

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 3452b0d2cec399f7a512877efb02c3e262e2940e
Author: Rob van der Linde 
Date:   Tue Aug 1 13:28:33 2023 +1200

netcmd: user: readpasswords: move syncpasswords command to readpasswords

Signed-off-by: Rob van der Linde 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Fri Aug  4 05:27:53 UTC 2023 on atb-devel-224

commit 1929cca223dc1521458d5c0029de15d5487f2560
Author: Rob van der Linde 
Date:   Tue Aug 1 13:25:54 2023 +1200

netcmd: user: readpasswords: move getpassword command to readpasswords

Signed-off-by: Rob van der Linde 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 24c567610abdb65cdd645ab82e590142636f9dcf
Author: Rob van der Linde 
Date:   Tue Aug 1 13:19:51 2023 +1200

netcmd: user: readpasswords: move common.py to readpasswords

it only contains code relating to the getpassword module

Signed-off-by: Rob van der Linde 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 6319df10b7bcc810d83491ced9a11e0fdbe7db0b
Author: Rob van der Linde 
Date:   Tue Aug 1 13:09:06 2023 +1200

netcmd: user: readpasswords: move show command to readpasswords

Signed-off-by: Rob van der Linde 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit fab69e47ef899a86d5cb65fb4a8578fcc4f63c3e
Author: Rob van der Linde 
Date:   Tue Aug 1 13:05:28 2023 +1200

netcmd: user: readpasswords: turn getpassword.py into readpasswords module

Signed-off-by: Rob van der Linde 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 10aa17a40394cca55941f0eada4967f01bbd7644
Author: Rob van der Linde 
Date:   Thu Jul 27 17:30:14 2023 +1200

netcmd: user: move user sensitive command

Signed-off-by: Rob van der Linde 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 8c4a6e55495d1647a4d2a1f84a9104679f81f4d1
Author: Rob van der Linde 
Date:   Thu Jul 27 17:28:10 2023 +1200

netcmd: user: move user add_unix_attrs command

Signed-off-by: Rob van der Linde 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 95f6abebeab06d4490930359997d8f8f04ece05f
Author: Rob van der Linde 
Date:   Thu Jul 27 17:26:06 2023 +1200

netcmd: user: move user unlock command

Signed-off-by: Rob van der Linde 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 44a974e1edc1f02a70d8b4e0cf7854d8dea3e26d
Author: Rob van der Linde 
Date:   Thu Jul 27 17:22:55 2023 +1200

netcmd: user: move user rename command

Signed-off-by: Rob van der Linde 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 41492dadcc1f727f2ab530a86e8312ccfd880111
Author: Rob van der Linde 
Date:   Thu Jul 27 17:19:34 2023 +1200

netcmd: user: move user move command

Signed-off-by: Rob van der

[SCM] Samba Shared Repository - branch master updated

2023-07-31 Thread Andrew Bartlett
The branch, master has been updated
   via  16eaf7fd52e gp: Cleanup some unused code
   via  ab2cda79280 gp: Ensure centrify crontab user policy performs proper 
cleanup
   via  8cc706c1025 gp: Ensure script user policy performs proper cleanup
   via  b278f15890a gp: Ensure smb.conf policy preforms proper cleanup
   via  a330ad7b2cc gp: Ensure MOTD policy preforms proper cleanup
   via  8bdb1b65332 gp: Ensure Issue policy preforms proper cleanup
   via  8a24829093e gp: Ensure Messages policy preforms proper cleanup
   via  03d796c6778 gp: Ensure Firefox policy preforms proper cleanup
   via  8f59ce543a8 gp: Add a misc applier, to assist some gp exts
   via  6ac22de7493 gp: Ensure Firewalld preforms proper cleanup
   via  7db3b63e769 gp: Test modifying centrify crontab user policy 
enforces changes
   via  70d3601fc64 gp: Test modifying script user policy enforces changes
   via  5c2dc0cce46 gp: Test modifying smb.conf policy enforces changes
   via  c5571718006 gp: Test modifying Issue policy enforces changes
   via  ae752b8c0b3 gp: Test modifying Messages policy enforces changes
   via  ef0c54d7c24 gp: Test modifying MOTD policy enforces changes
   via  32a70df7e4e gp: Test modifying firefox policy enforces changes
   via  b49d150db9a gp: Test modifying firewalld policy enforces changes
   via  217beca6e9d gp: Ensure Firewalld tests don't flop
  from  5571ce9619d dsdb: Use samdb_system_container_dn() in 
pdb_samba_dsdb_*()

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 16eaf7fd52e91ed8cfb39ac98e6d9bf470bfc358
Author: David Mulder 
Date:   Tue Jan 10 10:07:33 2023 -0700

gp: Cleanup some unused code

Signed-off-by: David Mulder 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Mon Jul 31 10:55:26 UTC 2023 on atb-devel-224

commit ab2cda79280e3a3ce4b806f96a5896d2a463b5ea
Author: David Mulder 
Date:   Tue Jul 25 13:23:10 2023 -0600

gp: Ensure centrify crontab user policy performs proper cleanup

This resolves cleanup issues for user and group
centrify compatible policies. It also ensures the
crontab policies use functions from the scripts
policy, to avoid code duplication and simplify
cleanup.

Signed-off-by: David Mulder 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 8cc706c1025ec521f7f878bba8a48e6d66750fe0
Author: David Mulder 
Date:   Tue Jan 10 13:21:49 2023 -0700

gp: Ensure script user policy performs proper cleanup

This resolves cleanup issues for scripts user
policy.

Signed-off-by: David Mulder 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit b278f15890a3625f2b1663ea543e032ef411fac1
Author: David Mulder 
Date:   Tue Jan 10 09:57:21 2023 -0700

gp: Ensure smb.conf policy preforms proper cleanup

Signed-off-by: David Mulder 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit a330ad7b2cc163f34eb2d379e6ef98e7e449d477
Author: David Mulder 
Date:   Mon Jan 9 17:19:44 2023 -0700

gp: Ensure MOTD policy preforms proper cleanup

Signed-off-by: David Mulder 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 8bdb1b65332342da4d28af3b9d9fbcfca15a869e
Author: David Mulder 
Date:   Mon Jan 9 17:12:53 2023 -0700

gp: Ensure Issue policy preforms proper cleanup

Signed-off-by: David Mulder 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 8a24829093ef234a5044fab1e9f9992a41e29be1
Author: David Mulder 
Date:   Mon Jan 9 16:33:59 2023 -0700

gp: Ensure Messages policy preforms proper cleanup

Signed-off-by: David Mulder 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 03d796c6778e1499b0a753ffd371d0437c9a27f8
Author: David Mulder 
Date:   Mon Jan 9 15:20:57 2023 -0700

gp: Ensure Firefox policy preforms proper cleanup

Now uses gp_misc_applier to ensure old settings
are properly cleaned up.

Signed-off-by: David Mulder 
Reviewed-by: Andrew Bartlett 

commit 8f59ce543a88607ca244c1982238f4d01e173a4c
Author: David Mulder 
Date:   Mon Jan 9 15:19:48 2023 -0700

gp: Add a misc applier, to assist some gp exts

Signed-off-by: David Mulder 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 6ac22de74938862b489e29090f4e6ec17c643dd8
Author: David Mulder 
Date:   Fri Jan 6 14:48:12 2023 -0700

gp: Ensure Firewalld preforms proper cleanup

Now uses gp_applier to ensure old settings are
properly cleaned up.

Signed-off-by: David Mulder 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 7db3b63e769baa7d485e12556351bf4533987c8e
Author: David Mulder 
Date:   Tue Jul 25 13:48:25

[SCM] Samba Shared Repository - branch master updated

2023-07-25 Thread Andrew Bartlett
The branch, master has been updated
   via  e86e0da9de6 WHATSNEW: Add TLS cert reload feature
   via  a1b1f8ffd20 doc-xml: Add entry for reload-certs for new LDAP 
certificate reload function
   via  9facc2e1d85 docs-xml: Fix invalid XML in smbcontrol manpage
   via  4516fee9b52 testprogs/blackbox: add test_ldap_tls_reload.sh
   via  0c7cfb7a115 s4:ldap_server: reload tls certificates on smbcontrol 
reload-certs
   via  321162c9bfc s4:ldap_server: remember dns_host_name in ldap_service
   via  cc4995d932d s4:ldap_server: don't store task_server in 
ldapsrv_service
   via  7804bf55ad0 s4:tls_tstream: create tstream_tls_params_internal
   via  bed915d098e s3:smbcontrol: improve destination resolution using 
names db
   via  1472e4c9dbf s4:process_prefork: create new messaging context for 
the master process
   via  3af6ad6eea7 s4:process: add method called before entering the 
tevent_loop_wait
   via  c8ee3d45252 s4:process_prefork: avoid memory leaks caused by 
messaging_post_self
  from  dd998cc1633 s3:winbindd: Fix double close(fd)

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit e86e0da9de6a7d108348ad37f1ae9885ebb74c37
Author: Andrew Bartlett 
Date:   Fri Jul 21 16:56:49 2023 +1200

WHATSNEW: Add TLS cert reload feature

Signed-off-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Tue Jul 25 21:02:35 UTC 2023 on atb-devel-224

commit a1b1f8ffd20dac0c04959abe056ce8265f3b5d66
Author: Andrew Bartlett 
Date:   Fri Jul 21 16:44:54 2023 +1200

doc-xml: Add entry for reload-certs for new LDAP certificate reload function

Signed-off-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

commit 9facc2e1d85c408b18c1551fcb32ef09b3039423
Author: Andrew Bartlett 
Date:   Fri Jul 21 16:42:23 2023 +1200

docs-xml: Fix invalid XML in smbcontrol manpage

This was picked by a mode in Emacs.

Reviewed-by: Douglas Bagnall 
Signed-off-by: Andrew Bartlett 

commit 4516fee9b5265f62388f927f188634525e4f489c
Author: Jule Anger 
Date:   Mon Jun 5 15:23:11 2023 +0200

testprogs/blackbox: add test_ldap_tls_reload.sh

This tests the reload (and if needed regeneration) of
tls certificates.

Pair-Programmed-With: Stefan Metzmacher 

Signed-off-by: Jule Anger 
Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

commit 0c7cfb7a11516ac685c4283d080701346e0d5a70
Author: Jule Anger 
Date:   Wed Mar 1 09:53:53 2023 +

s4:ldap_server: reload tls certificates on smbcontrol reload-certs

Reload certificates with the command 'smbcontrol ldap_server reload-certs'.
The message is sent to the master process, who forwards it to the worker
processes.
The master process reloads and, if necessary, creates the certificates first,
then the worker processes reload them.

Pair-Programmed-With: Stefan Metzmacher 

Signed-off-by: Jule Anger 
Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

commit 321162c9bfc7c0385d894171cc145eb52f6f1a2a
Author: Jule Anger 
Date:   Tue Jan 31 13:50:06 2023 +0100

s4:ldap_server: remember dns_host_name in ldap_service

Pair-Programmed-With: Stefan Metzmacher 

Signed-off-by: Jule Anger 
Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

commit cc4995d932d4566f12735bcad9bcc4cd96bfc151
Author: Jule Anger 
Date:   Wed Mar 1 09:53:53 2023 +

s4:ldap_server: don't store task_server in ldapsrv_service

We store individual pointers we need and adjust them
as needed in ldapsrv_post_fork() and the newly added
ldapsrv_before_loop().

This will be required for the next steps.

Pair-Programmed-With: Stefan Metzmacher 

Signed-off-by: Jule Anger 
Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

commit 7804bf55ad036336c357be117a3282d15d633a84
Author: Jule Anger 
Date:   Tue Jan 31 15:08:31 2023 +0100

s4:tls_tstream: create tstream_tls_params_internal

The following commits will implement the reloading of tls certificates.
Therefore we need to overwrite the internal memory.

Note we need to make sure x509_cred and dh_params from
tstream_tls_params_internal stay alive for the whole lifetime
of this session!

See 'man gnutls_credentials_set' and
'man gnutls_certificate_set_dh_params'.

Pair-Programmed-With: Stefan Metzmacher 

Signed-off-by: Jule Anger 
Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

commit bed915d098e27bb21249227e671146ef42f52129
Author: jule 
Date:   Mon Feb 6 13:28:36 2023 +

s3:smbcontrol: improve destination resolution using names db

With this change it's possible to use 'smbcontrol ldap_server ...'
instead

[SCM] Samba Shared Repository - branch master updated

2023-07-21 Thread Andrew Bartlett
The branch, master has been updated
   via  76ad44f446c lib/cmdline: Also redact --newpassword in 
samba_cmdline_burn()
   via  414b3803bb6 lib/cmdline: Also burn the --password2 parameter if 
given
   via  a53ebc288f4 samba-tool: Use samba.glue.get_burnt_cmdline rather 
than regex
   via  3f9e4558985 python: Add glue.burn_commandline() method
   via  5afd206d1d8 python: Remove const from PyList_AsStringList()
   via  fd81759e2ed python: Move PyList_AsStringList to common code so we 
can reuse
   via  848fea1a01a lib/cmdline: Return if the commandline was redacted in 
samba_cmdline_burn()
  from  0da6cc71054 claims.idl: Fix AD claims encoding

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 76ad44f446c42832e87b2c60a4731a8de3a0018f
Author: Andrew Bartlett 
Date:   Fri Jul 21 15:39:28 2023 +1200

lib/cmdline: Also redact --newpassword in samba_cmdline_burn()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15289

Signed-off-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Fri Jul 21 06:16:30 UTC 2023 on atb-devel-224

commit 414b3803bb6a1b12c44b52ab1ff64a8b7f61fd03
Author: Andrew Bartlett 
Date:   Fri Jul 21 14:35:20 2023 +1200

lib/cmdline: Also burn the --password2 parameter if given

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15289

Signed-off-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

commit a53ebc288f47329c997d52325eeeb5e91ce43b75
Author: Andrew Bartlett 
Date:   Fri Jul 21 13:30:39 2023 +1200

samba-tool: Use samba.glue.get_burnt_cmdline rather than regex

This use avoids having two different methods to match on command-line
passwords.  We already have a dependency on the setproctitle python
module, and this does not change as the (C) libbsd setproctitle()
can't be run from within a python module.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15289

Signed-off-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

commit 3f9e455898554b726bf1689f743b2d9cb6b59537
Author: Andrew Bartlett 
Date:   Fri Jul 21 13:29:22 2023 +1200

python: Add glue.burn_commandline() method

This uses samba_cmdline_burn() so as to have common
command line redaction code.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15289

Signed-off-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

commit 5afd206d1d8f0344a2f1fa7a238204d1fb164eda
Author: Andrew Bartlett 
Date:   Fri Jul 21 14:32:46 2023 +1200

python: Remove const from PyList_AsStringList()

The returned strings are not owned by python, so need not be const.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15289

Signed-off-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

commit fd81759e2ed44cac3bc67243a39256f953969103
Author: Andrew Bartlett 
Date:   Fri Jul 21 14:31:30 2023 +1200

python: Move PyList_AsStringList to common code so we can reuse

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15289

Signed-off-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

commit 848fea1a01a4ddc1598150823d5d0784d3ef0be4
Author: Andrew Bartlett 
Date:   Fri Jul 21 15:27:00 2023 +1200

lib/cmdline: Return if the commandline was redacted in samba_cmdline_burn()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15289

Signed-off-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

---

Summary of changes:
 lib/cmdline/cmdline.c  | 17 +--
 lib/cmdline/cmdline.h  |  4 ++-
 python/modules.c   | 35 +
 python/modules.h   |  7 +
 python/pyglue.c| 60 
 python/samba/getopt.py | 69 --
 python/samba/tests/cred_opt.py | 14 ++---
 python/wscript |  1 +
 source4/auth/pyauth.c  | 38 ++-
 source4/auth/wscript_build |  4 ++-
 10 files changed, 156 insertions(+), 93 deletions(-)


Changeset truncated at 500 lines:

diff --git a/lib/cmdline/cmdline.c b/lib/cmdline/cmdline.c
index de34a798aaf..db962146bd2 100644
--- a/lib/cmdline/cmdline.c
+++ b/lib/cmdline/cmdline.c
@@ -135,8 +135,9 @@ void samba_cmdline_set_machine_account_fn(
cli_credentials_set_machine_account_fn = fn;
 }
 
-void samba_cmdline_burn(int argc, char *argv[])
+bool samba_cmdline_burn(int argc, char *argv[])
 {
+   bool burnt = false;
bool found = false;
bool is_user = false;
char *p = NULL;
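Review bot: the return type at the top of this hunk changes from void to bool, but nothing visible says what a true result means. A one-line comment above samba_cmdline_burn() stating that it returns true when at least one argument was overwritten would help callers. The new `burnt` is also declared directly beside the existing `found` flag, so a short comment on how the two differ would prevent them being confused later.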
@@ -146,9 +147,13 @@ void samba_cmdline_burn(int argc, char *argv[])
for (i = 0; i < argc; i++) {
p = argv[i];
if (p == NULL) {
-   ret
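Review bot: the NULL-argument exit inside the loop is the place where the new return value is easiest to get wrong, and the replacement for the removed line beginning `ret` is cut off in this mail. Since the function now returns bool, that path should return `burnt` rather than a constant false, so that arguments already redacted earlier in the loop are still reported to the caller.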

[SCM] Samba Shared Repository - branch master updated

2023-07-20 Thread Andrew Bartlett
The branch, master has been updated
   via  0da6cc71054 claims.idl: Fix AD claims encoding
   via  3109899299e lib/fault: During smb_panic() print process comment and 
setprocname() title
   via  e401ae44b2f python/samba: Adjust tarfile extraction filter
   via  5e473cba0d3 WHATSNEW: Mention new unicodePwd only over encrypted 
LDAP restriction
   via  3f253002280 WHATSNEW: mention KDC auditing
   via  b9667bc29a6 WHATSNEW: FAST support, Claims compression, SID 
compression
   via  6844def6675 WHATSNEW: Mention Heimdal updates
   via  fbed6d80b1f WHATSNEW: Expand detail on what of 2012, 2012R2 and 
2016 support is implemented
   via  29310f27d49 WHATSNEW: PKINIT testing
   via  fb27e01b36f WHATSNEW: Include info on new samba-tool features
   via  0ee8c263f61 WHATSNEW: Add text on PKINIT Certificate Revocation
   via  980c1565ed1 s4:param: replace calls to deprecated Python methods
  from  ca5cc05b22b s3:script: Replace --merge by --merge-by-timestamp in 
samba-log-parser

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 0da6cc710542f534c82d9694e8d85d1fb376e536
Author: Joseph Sutton 
Date:   Thu Jul 20 11:14:23 2023 +1200

claims.idl: Fix AD claims encoding

Up to now we have been absorbing the discriminant in the NDR padding,
and setting it to zero in the push. But if the discriminant is not set
correctly, Windows will refuse to regard any of the claims.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Fri Jul 21 02:19:48 UTC 2023 on atb-devel-224

commit 3109899299e28884261f54363e84b1090b574e39
Author: Andrew Bartlett 
Date:   Thu Jul 20 14:10:43 2023 +1200

lib/fault: During smb_panic() print process comment and setprocname() title

The purpose of this is to make it clear which part of the AD DC (in 
particular)
has faulted without having to deduce it from the stacktrace.

Signed-off-by: Andrew Bartlett 
Reviewed-by: Ralph Boehme 

commit e401ae44b2f952fc2686065fbfb3a563e3d4066a
Author: Noel Power 
Date:   Fri Jul 14 14:53:29 2023 +0100

python/samba: Adjust tarfile extraction filter

The 'data_filter' is far too restrictive, this filter doesn't apply any
mode bits to directories which in turn will result in unexpected
directory permissions of the amongst others msg.[ls]ock directories.

With 'data_filter' and a 'patched' python at best we experience
CI failures with samba-ad-back1 & samba-ad-back2 CI jobs due to server
startup failures, at worst user/admins will need to adjust directory
permissions post backup.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15390

Signed-off-by: Noel Power 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 5e473cba0d3dd842a41789f5d61d8234db54d6b7
Author: Andrew Bartlett 
Date:   Thu Jul 20 15:49:08 2023 +1200

WHATSNEW: Mention new unicodePwd only over encrypted LDAP restriction

Signed-off-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

commit 3f253002280fa562de1c317e616d72ab8b6773c4
Author: Andrew Bartlett 
Date:   Thu Jul 20 15:48:40 2023 +1200

WHATSNEW: mention KDC auditing

Signed-off-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

commit b9667bc29a63179b302a6610848df241239da7a7
Author: Andrew Bartlett 
Date:   Thu Jul 20 15:36:09 2023 +1200

WHATSNEW: FAST support, Claims compression, SID compression

Signed-off-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

commit 6844def66754b87dc4b2647b65ac106382005fa7
Author: Andrew Bartlett 
Date:   Thu Jul 20 15:19:51 2023 +1200

WHATSNEW: Mention Heimdal updates

Signed-off-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

commit fbed6d80b1fc4bb22896a1850ef9f15ddd0bc259
Author: Andrew Bartlett 
Date:   Thu Jul 20 15:01:43 2023 +1200

WHATSNEW: Expand detail on what of 2012, 2012R2 and 2016 support is 
implemented

Signed-off-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

commit 29310f27d49b7b1a15a2db5966969fd0756484c4
Author: Andrew Bartlett 
Date:   Thu Jul 20 15:01:07 2023 +1200

WHATSNEW: PKINIT testing

Signed-off-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

commit fb27e01b36f6741d88bfc739e693d6d273383100
Author: Andrew Bartlett 
Date:   Thu Jul 20 14:54:02 2023 +1200

WHATSNEW: Include info on new samba-tool features

Signed-off-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

commit 0ee8c263f615baa3b839eeb94236b3f54862233b
Author: Andrew Bartlett 
Date:   Wed Jul 19 15:50:43 2023 +1200

WHATSNEW: Add text on PKINIT Certificate Revocation

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9612
Signed-off-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

co

[SCM] Samba Shared Repository - branch master updated

2023-07-18 Thread Andrew Bartlett
The branch, master has been updated
   via  bb6fecd9ac5 netcmd: sites: add sites and subnet list and view 
commands to manpage
   via  7f7d68573c3 netcmd: sites: add missing subnet commands to 
samba-tool manpage
   via  5e4a6cd75a1 netcmd: sites: tests for list and view sites and subnet
   via  3cf81e98f36 netcmd: sites: make use of ldb_connect from base class
   via  752eae68c2a netcmd: add list and view commands for sites and subnets
   via  b9d01c64207 netcmd: add Subnet and Site models
   via  5f69220f0af WHATSNEW: Update minimum GnuTLS version
   via  f050124a96c lib/fuzzing: patch for collecting 
fuzz_security_token_vs_descriptor seeds
   via  9ea606dad11 lib/fuzzing: adapt fuzz_sddl_access_check for AD variant
   via  89b02bad3e2 lib/fuzzing: adapt fuzz_security_token_vs_descriptor 
for AD variant
   via  eb2bed3899b lib/fuzzing: add fuzzer for arbitrary token/sd access 
checks
   via  5ad28bd7605 lib/fuzzing: add fuzz_sddl_access_check
   via  3ed1ba6fedd s4:provision: use better values for 
operatingSystem[Version]
   via  9a79bed41e2 s4:pydsdb: add dc_operatingSystemVersion() helper
   via  b058b39f38b s4:dsdb: let dsdb_check_and_update_fl() also 
operatingSystem[Version]
   via  16865d6d439 upgradeprovision: handle operatingSystem similar to 
operatingSystemVersion
   via  85080ba9ea0 ldapcmp: also ignore operatingSystem similar to 
operatingSystemVersion
   via  56ee153cae3 netlogon.idl: add some comments to netr_OsVersionInfoEx
  from  81058c60136 third_party/heimdal: Import 
lorikeet-heimdal-202307050413 (commit e0597fe1d01b109e64d9c2a5bcada664ac199498)

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit bb6fecd9ac5ff803e2c74e2a5cc6596c9eb5107c
Author: Rob van der Linde 
Date:   Thu Jul 13 00:42:56 2023 +1200

netcmd: sites: add sites and subnet list and view commands to manpage

Signed-off-by: Rob van der Linde 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Wed Jul 19 04:29:15 UTC 2023 on atb-devel-224

commit 7f7d68573c3c39825be89e127f6de37764200319
Author: Rob van der Linde 
Date:   Thu Jul 13 00:42:03 2023 +1200

netcmd: sites: add missing subnet commands to samba-tool manpage

Signed-off-by: Rob van der Linde 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

commit 5e4a6cd75a144a8232e3b7302ca74ecb67fc5efd
Author: Rob van der Linde 
Date:   Wed Jul 5 17:40:48 2023 +1200

netcmd: sites: tests for list and view sites and subnet

Signed-off-by: Rob van der Linde 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

commit 3cf81e98f3677a45c3cf12319668262345515a3b
Author: Rob van der Linde 
Date:   Tue Jul 4 22:02:01 2023 +1200

netcmd: sites: make use of ldb_connect from base class

Signed-off-by: Rob van der Linde 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

commit 752eae68c2ae1d64cee9452df7b4f87d35458090
Author: Rob van der Linde 
Date:   Tue Jul 4 21:47:46 2023 +1200

netcmd: add list and view commands for sites and subnets

* samba-tool sites list
* samba-tool sites view
* samba-tool sites subnet list
* samba-tool sites subnet view

Signed-off-by: Rob van der Linde 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

commit b9d01c6420760e65012af8beaf46f2bfb5a7b33e
Author: Rob van der Linde 
Date:   Tue Jul 4 21:34:38 2023 +1200

netcmd: add Subnet and Site models

Signed-off-by: Rob van der Linde 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

commit 5f69220f0afc578a49e7049d6ffba1ef12bc2fe5
Author: Andrew Bartlett 
Date:   Tue Jul 18 10:29:50 2023 +1200

WHATSNEW: Update minimum GnuTLS version

Signed-off-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

commit f050124a96cbd0e3ab73255834126df150ff8525
Author: Douglas Bagnall 
Date:   Tue Jul 18 12:54:40 2023 +1200

lib/fuzzing: patch for collecting fuzz_security_token_vs_descriptor seeds

If this patch is applied, and an environment variable is set, all
access_check calls will be recorded as seeds for
fuzz_security_token_vs_descriptor. See the patch for details.

You probably will never want to apply this patch, but it is here just
in case.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 9ea606dad1147734c1877dd054dc769c4df4e005
Author: Douglas Bagnall 
Date:   Tue Jul 18 08:56:40 2023 +1200

lib/fuzzing: adapt fuzz_sddl_access_check for AD variant

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 89b02bad3e2db7a9a3aceed7122c1d680cef728d
Author: Douglas Bagnall 
Date:   Mon Jul 17 16:20:58 2023 +1200

lib/fuzzing: adapt fuzz_security_token_vs_descriptor for AD variant

[SCM] Samba Shared Repository - branch master updated

2023-07-18 Thread Andrew Bartlett
The branch, master has been updated
   via  81058c60136 third_party/heimdal: Import 
lorikeet-heimdal-202307050413 (commit e0597fe1d01b109e64d9c2a5bcada664ac199498)
   via  90b240be086 tests/krb5: Add a test for PK-INIT with a revoked 
certificate
   via  2ab15cf1172 tests/krb5: Allow passing a pre-created certificate 
into _pkinit_req()
   via  b73a01eefd2 tests/krb5: Have the caller of create_certificate() 
fetch the CA certificate and private key
   via  01196cc741d tests/krb5: Factor out a method to fetch the CA 
certificate and private key
   via  ce9786748b7 tests/krb5: Factor out a method to create a certificate
   via  db64b2762c4 s4:kdc: Add auth_data_reqd flag to SDBFlags
   via  7340351097a third_party/heimdal_build: Make Heimdal version strings 
const
   via  a25f549e9a0 third_party/heimdal: Import 
lorikeet-heimdal-202307040259 (commit 33d117b8a9c11714ef709e63a005d87e34b9bfde)
   via  5bfccbb7643 tests/krb5: Test Windows 2000 variant of PK-INIT
   via  af97579f161 tests/krb5: Add ASN.1 definitions for Windows 2000 
PK-INIT
   via  ecc62bc1207 tests/krb5: Add tests for PK-INIT Freshness Extension 
(RFC 8070)
   via  f7393da2c07 tests/krb5: Remove unused methods
   via  97ead77767c tests/krb5: Check PAC_TYPE_CREDENTIAL_INFO PAC buffer
   via  3ea1c559213 tests/krb5: Add PK-INIT testing framework
   via  699d211084f tests/krb5: Allow KerberosCredentials to have 
associated RSA private key
   via  7584e7a3a13 tests/krb5: Add helper methods for PK-INIT testing
   via  7f9547fda79 tests/krb5: Refactor encryption type selection
   via  ef9ffbacb9c tests/krb5: Add PK-INIT ASN1 definitions and include 
licence
   via  477fbd7bb4c tests/krb5: Add PKINIT pre-authentication types
   via  8a0bde46a25 tests/krb5: Add PKINIT typed data errors
   via  d818ed644a5 tests/krb5: Add PKINIT error codes
   via  7d2c267ae1a s4:kdc: Fix wrong debug message
   via  97cde6f97b4 tests/krb5: Remove unused variables
  from  7d2c68f2e25 s3:nmbd: Fix code spelling

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 81058c60136fba9af2dd7de8f15baef5e7e97bde
Author: Joseph Sutton 
Date:   Wed Jul 5 16:21:07 2023 +1200

third_party/heimdal: Import lorikeet-heimdal-202307050413 (commit 
e0597fe1d01b109e64d9c2a5bcada664ac199498)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9612

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Wed Jul 19 02:41:25 UTC 2023 on atb-devel-224

commit 90b240be08629ab6cad7651c59df1d9f533797c0
Author: Joseph Sutton 
Date:   Mon Jul 3 14:31:03 2023 +1200

tests/krb5: Add a test for PK-INIT with a revoked certificate

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9612

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 2ab15cf11721eaec95950b634b4782d7cae0d311
Author: Joseph Sutton 
Date:   Wed Jul 5 16:12:42 2023 +1200

tests/krb5: Allow passing a pre-created certificate into _pkinit_req()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9612

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit b73a01eefd2a526936f11e08a5a32dd2f1106359
Author: Joseph Sutton 
Date:   Wed Jul 5 12:55:41 2023 +1200

tests/krb5: Have the caller of create_certificate() fetch the CA 
certificate and private key

These are useful to keep around for other purposes.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9612

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 01196cc741ddf611794ba6eb1b5f3a0bcff2f0da
Author: Joseph Sutton 
Date:   Wed Jul 5 12:53:45 2023 +1200

tests/krb5: Factor out a method to fetch the CA certificate and private key

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9612

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit ce9786748b7b594ca0864158ba49ca4def1b593c
Author: Joseph Sutton 
Date:   Wed Jul 5 12:43:52 2023 +1200

tests/krb5: Factor out a method to create a certificate

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9612

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit db64b2762c49ce4f155e6a98b2ea868578503d58
Author: Joseph Sutton 
Date:   Mon Jun 26 13:07:44 2023 +1200

s4:kdc: Add auth_data_reqd flag to SDBFlags

This is to adapt to Heimdal:

commit 3c4548025c0a239ff580e7974939185eadf1856b
Author: Nicolas Williams 
Date:   Sun Jun 4 22:54:03 2023 -0500

hdb: Add auth-data-reqd flag

NOTE: This commit finally works again!

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 7340351097a95f8e52d48365d4619c32080ebd30
Author: Joseph Sutton 
Date:   Thu Jun 22 16:46:09 2023 +1200

third_party/heimdal_build

[SCM] Samba Shared Repository - branch master updated

2023-06-25 Thread Andrew Bartlett
 ecff09d75df52df8bd062e55e75d42d76e25d66e
Author: Andrew Bartlett 
Date:   Mon Jun 26 11:03:14 2023 +1200

Align samba_kdc_update_pac() prototype in pac-glue.h with the 
implementation in pac-glue.c

Commit 6bd3b4528d4b33c8f7ae6341d166bea3a06cd971 diverged the const
declarations in the header, this brings them back in alignment as
is Samba's normal practice.

Signed-off-by: Andrew Bartlett 
Reviewed-by: Joseph Sutton 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Mon Jun 26 00:26:37 UTC 2023 on atb-devel-224

commit b1006c773be1d28a15eeab37c7e49675d3a1dedd
Author: Joseph Sutton 
Date:   Fri Jun 16 15:02:35 2023 +1200

s4:kdc: Use talloc_get_type_abort()

We subsequently dereference the result without performing a NULL check.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit ad1234d5ee80d157573681a0d60fc2a7a399c5ae
Author: Joseph Sutton 
Date:   Fri Jun 16 15:00:29 2023 +1200

s4:kdc: Create a temporary talloc context on which to allocate

‘client->context’ is too long-lived to use for allocating short-term
data.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit cf139d14218ab1423949fbc952ae056943858dc8
Author: Joseph Sutton 
Date:   Fri Jun 16 14:49:11 2023 +1200

s4:kdc: Return NTSTATUS and auditing information from 
samba_kdc_update_pac() to be logged

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit d0d52262f781b8acddc4f50e09e2daa1198b8a3e
Author: Joseph Sutton 
Date:   Fri Jun 16 14:32:09 2023 +1200

s4:kdc: Flip sense of condition

A negative condition incurs more cognitive load.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit f49ebef003587a89e7ce1698c53bc53243ff2d53
Author: Joseph Sutton 
Date:   Fri Jun 16 14:30:00 2023 +1200

s4:kdc: Unify common code paths

Perhaps view with ‘git show -b’.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 6bb7aad16316d3f55b9af30a69b2d6b27f34e262
Author: Joseph Sutton 
Date:   Fri Jun 16 14:04:43 2023 +1200

s4:kdc: Use samba_kdc_obtain_user_info_dc() for !client_pac_is_trusted case

This will help to reduce code duplication and the number of branching
code paths.

View with ‘git show -b’.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 7485638e0266a9a46c4ceb719a0a38abe5c8cd81
Author: Joseph Sutton 
Date:   Fri Jun 16 13:40:20 2023 +1200

s4:kdc: Move adding compounded authentication SID out of 
samba_kdc_obtain_user_info_dc()

We may not always want this SID to be present. For example, to enforce
authentication policies as Windows does, we’ll want the client’s
security token without this SID.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 6be1a397dacea1e31d9c1b24a07d3e91a715fc59
Author: Joseph Sutton 
Date:   Fri Jun 16 13:13:58 2023 +1200

s4:kdc: Have samba_kdc_update_pac_blob() do less

Previously this function obtained the auth_user_info_dc structure, then
used it to update the PAC blob. Now it does only one thing: fetch the
auth_user_info_dc info and return it to the caller, who can then call
samba_get_logon_info_pac_blob().

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit e6c442224095352ff11fc936207022298a08d57d
Author: Joseph Sutton 
Date:   Fri Jun 16 13:06:24 2023 +1200

s4:kdc: Remove unused PAC_SIGNATURE_DATA parameters

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 8c10776398030c1bab32a195a3c7f5ee4c9623a3
Author: Joseph Sutton 
Date:   Fri Jun 16 13:04:17 2023 +1200

s4:kdc: Log errors in samba_kdc_update_pac_blob()

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit ea007ef718889245e923efcd29ee3560ab744961
Author: Joseph Sutton 
Date:   Fri Jun 16 12:57:38 2023 +1200

s4:kdc: Have samba_kdc_update_pac_blob() return krb5_error_code

This gives it more control over the final Kerberos error code, so that
we won’t always get ERR_GENERIC.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit baf03e3f11442b94a3c4b3ecb93847d1d4bc50ff
Author: Joseph Sutton 
Date:   Fri Jun 16 12:53:07 2023 +1200

s4:kdc: Add singular out path to samba_kdc_update_pac_blob()

This ensures that we always clean up resources.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit d2a6c69940cf28c2ea901cc0d8d8d317c32db986
Author: Joseph Sutton 
Date:   Fri Jun 16 12:17:50 2023 +1200

s4:kdc: Make krb5_principal parameters const

The ‘const’ is entirely unnecessary in a function declaration, but we
add it just to be consistent.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit f857967427f78cce6ffda117e9afab572707286d
Author: Joseph Sutton 
Date:   Fri Jun

[SCM] Samba Shared Repository - branch master updated

2023-06-24 Thread Andrew Bartlett
The branch, master has been updated
   via  a75378e3542 s4:kdc: translate sdb_entry->old[er]_keys into 
hdb_add_history_key()
   via  d4007b0ef9f s4:dsdb/tests: also verify too old, older password 
interaction with badPwdCount
   via  28cf6c70676 s4:dsdb/tests: Test Kerberos login with old password 
fails (but badPwdCount=0)
   via  370ba4ad527 s4:kdc: handle passwords from the history in 
hdb_samba4_auth_status()
  from  4a8cfe1650a vfs: Remove "sbuf" from readdir_fn()

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit a75378e354286d095d82f644d645768345cd00fb
Author: Stefan Metzmacher 
Date:   Mon Feb 7 19:32:08 2022 +0100

s4:kdc: translate sdb_entry->old[er]_keys into hdb_add_history_key()

It means that using the old or older password no longer
changes badPwdCount for Kerberos authentication.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14054

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Sat Jun 24 07:18:03 UTC 2023 on atb-devel-224

commit d4007b0ef9f745a4881588ef1b8185d6b53025ee
Author: Stefan Metzmacher 
Date:   Fri Jun 23 13:42:31 2023 +0200

s4:dsdb/tests: also verify too old, older password interaction with 
badPwdCount

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14054

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

commit 28cf6c706760894b7c0c65d4f5307d333d194154
Author: Stefan Metzmacher 
Date:   Fri Feb 25 05:16:36 2022 +0100

s4:dsdb/tests: Test Kerberos login with old password fails (but 
badPwdCount=0)

This demonstrates the pre-authentication failures with passwords from
the password history don't increment badPwdCount, similar to the
NTLMSSP and simple bind cases. But it's still an interactive logon,
which doesn't use 'old password allowed period'.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14054

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

commit 370ba4ad527b67555f69c2bc4b92effe0cc7169d
Author: Stefan Metzmacher 
Date:   Thu Feb 17 07:12:10 2022 +0100

s4:kdc: handle passwords from the history in hdb_samba4_auth_status()

This is important in order to prevent ACCOUNT_LOCKED_OUT
with cached credentials.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14054

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

---

Summary of changes:
 selftest/knownfail_mit_kdc|  5 ++
 source4/dsdb/tests/python/login_basics.py | 97 ---
 source4/kdc/hdb-samba4.c  | 11 
 source4/kdc/sdb_to_hdb.c  | 45 ++
 4 files changed, 149 insertions(+), 9 deletions(-)


Changeset truncated at 500 lines:

diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc
index 9c5b76cac5a..8196f4f4d6b 100644
--- a/selftest/knownfail_mit_kdc
+++ b/selftest/knownfail_mit_kdc
@@ -2221,3 +2221,8 @@ 
samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
 
^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_bad_pwd_allowed_from_user_deny.ad_dc
 
^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_denied_no_fast.ad_dc
 
^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_tgt_lifetime_min.ad_dc
+#
+# MIT does not support password history in order to avoid badPwdCount changes
+# with the last password, see https://bugzilla.samba.org/show_bug.cgi?id=14054
+#
+^samba4.ldap.login_basics.python.*.__main__.BasicUserAuthTests.test_login_basics_krb5
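Review bot: the knownfail pattern added on the last line has no environment suffix and no end anchor, unlike the entries above it that end in `.ad_dc`, so it also matches any later test whose name merely begins with test_login_basics_krb5. If only this one test is expected to fail against the MIT KDC, anchor the end of the pattern. The comment would also read more clearly as two sentences: MIT lacks password history support, and that support is what avoids badPwdCount changes with the last password.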
diff --git a/source4/dsdb/tests/python/login_basics.py 
b/source4/dsdb/tests/python/login_basics.py
index b186e723f39..babe04879b1 100755
--- a/source4/dsdb/tests/python/login_basics.py
+++ b/source4/dsdb/tests/python/login_basics.py
@@ -122,7 +122,7 @@ class BasicUserAuthTests(BasePasswordTestCase):
 lastLogon = int(res[0]["lastLogon"][0])
 
 # check that the user can change its password
-new_password = "thatsAcomplPASS2"
+too_old_password = "thatsAcomplTooOldPass1!"
 user_ldb.modify_ldif("""
 dn: %s
 changetype: modify
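Review bot: the comment kept above the renamed variable still says only "check that the user can change its password", which no longer explains why the value is now called too_old_password. Suggest extending it to say that this is the first of several password changes and that this value is meant to end up too far back in the password history.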
@@ -130,28 +130,74 @@ delete: userPassword
 userPassword: %s
 add: userPassword
 userPassword: %s
-""" % (userdn, userpass, new_password))
+""" % (userdn, userpass, too_old_password))
+
+# change the password again
+older_password = "thatsAcomplOlderPass1!"
+user_ldb.modify_ldif("""
+dn: %s
+changetype: modify
+delete: userPassword
+userPass
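Review bot: the second password change repeats the modify_ldif() template of the first change line for line, with only the old and new password values differing. A small helper taking the DN, the old password and the new password would keep the LDIF in one place and make each step of the history sequence a single readable call.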

[SCM] Samba Shared Repository - branch master updated

2023-06-21 Thread Andrew Bartlett
The branch, master has been updated
   via  91eb3f1d223 testprogs/blackbox: add --recursive tests to 
test_samba-tool_ntacl.sh
   via  11741791cc6 testprogs/blackbox: move 'ntacl get' out of 
test_changedomsid() in test_samba-tool_ntacl.sh
   via  619f097b7d4 testprogs/blackbox: pass $CONFIGURATION to 
test_samba-tool_ntacl.sh
   via  16b9b508af4 samba-tool/ntacl: implement set --recursive
   via  27b29cfa766 samba-tool/ntacl: add set --verbose and print out the 
file/directory name
   via  6327fd9cdba samba-tool/ntacl: don't announce -q,--quiet in --help 
as it's not used at all
   via  4ca5b78f5b7 samba-tool/ntacl: let changedomsid ignore symlinks
   via  3694f2ce620 vfs_aio_pthread: don't crash without a pthreadpool
   via  0e9f1eec5a2 samba-tool: print default (domain) for 
--dns-directory-partition option in help message
   via  b26dcfba10e tests/krb5/s4u_tests.py: add 
test_constrained_delegation_authtime
   via  489cdefa6ab tests/krb5/s4u_tests.py: add 
test_constrained_delegation_with_enc_auth_data_[no_]subkey()
  from  0ef8083cca0 WHATSNEW: Mention new default schema and Functional 
Level prep

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 91eb3f1d2236ad88eb3cf6ad036ae16ea2eac6b8
Author: Stefan Metzmacher 
Date:   Wed May 17 11:26:48 2023 +0200

testprogs/blackbox: add --recursive tests to test_samba-tool_ntacl.sh

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Thu Jun 22 00:22:47 UTC 2023 on atb-devel-224

commit 11741791cc6ae339efd71b122ea9313b710bf1ac
Author: Stefan Metzmacher 
Date:   Wed May 17 11:26:48 2023 +0200

testprogs/blackbox: move 'ntacl get' out of test_changedomsid() in 
test_samba-tool_ntacl.sh

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

commit 619f097b7d4c0fa4614ab12042292c1e9a8fe234
Author: Stefan Metzmacher 
Date:   Wed May 17 11:26:48 2023 +0200

testprogs/blackbox: pass $CONFIGURATION to test_samba-tool_ntacl.sh

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

commit 16b9b508af4432abe5717da129b1be921c0227c6
Author: Stefan Metzmacher 
Date:   Tue May 2 16:18:51 2023 +0200

samba-tool/ntacl: implement set --recursive

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

commit 27b29cfa766099252b417da06599aee585a228bc
Author: Stefan Metzmacher 
Date:   Tue May 2 16:18:26 2023 +0200

samba-tool/ntacl: add set --verbose and print out the file/directory name

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

commit 6327fd9cdbaf3dad4b09ce291de1f42259e11d2b
Author: Stefan Metzmacher 
Date:   Tue May 2 16:18:26 2023 +0200

samba-tool/ntacl: don't announce -q,--quiet in --help as it's not used at 
all

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

commit 4ca5b78f5b7c35e6276d92f7948334dad7a59456
Author: Stefan Metzmacher 
Date:   Tue May 16 13:57:51 2023 +0200

samba-tool/ntacl: let changedomsid ignore symlinks

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

commit 3694f2ce6205a647eb5dab2115785fb45decaf0b
Author: Stefan Metzmacher 
Date:   Tue May 2 15:15:16 2023 +0200

vfs_aio_pthread: don't crash without a pthreadpool

During 'samba-tool ntacl sysvolreset' and similar.

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

commit 0e9f1eec5a2e484d947a433cc854d9903de8537f
Author: Björn Baumbach 
Date:   Wed Jun 21 20:52:03 2023 +0200

samba-tool: print default (domain) for --dns-directory-partition option in 
help message

Signed-off-by: Björn Baumbach 
Reviewed-by: Andrew Bartlett 

commit b26dcfba10e3e38c04f3fe20dbf49e7e6ef4f0ed
Author: Stefan Metzmacher 
Date:   Thu Mar 24 00:12:47 2022 +0100

tests/krb5/s4u_tests.py: add test_constrained_delegation_authtime

This demonstrates that we use the correct authtime
when doing constrained delegation.

The actual fix for the problem is already in place via
commit 75ec66c729faad60fa18b9504ba4053b3e2f47bc
third_party/heimdal: Import lorikeet-heimdal-202306091507 (commit 
7d8afc9d7e3d309ddccc2aea6405a8ca6280f6de)

The related patch is:
006a365a6aa3047a4e685e1607973746a28cc1f1 kdc: use the correct authtime from 
addtitional ticket for S4U2Proxy tickets

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13137

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

commit 489cdefa6ab1bf7bd5cf3ea0ea64c03dc08fa8bd
Author: Stefan Metzmacher 
Date:   Thu Mar 17 14:46:55 2022 +0100

tests/krb5/s4u_tests.py: add 
test_constrained_delegation_with_enc_auth_data_[no_]subkey()

This demonstrates that we use the correct key for EncAuthorizationData
together with constrained

[SCM] Samba Shared Repository - branch master updated

2023-06-21 Thread Andrew Bartlett
The branch, master has been updated
   via  0ef8083cca0 WHATSNEW: Mention new default schema and Functional 
Level prep
   via  a9d543cdfce s4:kdc: Gate claims, auth policies and NTLM restrctions 
behind 2012/2016 FLs
   via  c95813374a4 testprogs/blackbox: also raise the levels to 
2012_R2/2016 in functionalprep.sh
   via  d2777d47d1e testprogs/blackbox: also prepare for to 2016 
(schema=2019) in functionalprep.sh
   via  205ee77c2fe samba-tool: let 'domain level raise' call 
check_and_update_fl() in a transaction
   via  3724ae3e108 samba-tool: move some parts of 'domain level 
[show|raise]' in to subfunctions
   via  e92988ec946 samba-tool: move some parts of 'domain level 
[show|raise]' in to try/except
   via  ea2712336b2 samba-tool: let 'domain level raise --domain-level' use 
the correct crossRef dn
   via  f9f9771a55f samba-tool: check for invalid 'domain level' 
subcommands first
   via  1b1895a0d84 samba-tool: Fix missing import for "domain level raise 
--forest-level=2016"
   via  48cc2862c28 docs-xml/smbdotconf: also allow 2012[_R2] for 'ad dc 
functional level'
  from  ad98643fbd9 s4:kdc: Replace FAST cookie with dummy string

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 0ef8083cca0ffdf20d98545fb7e3aa576e661222
Author: Andrew Bartlett 
Date:   Wed Jun 14 16:14:51 2023 +1200

WHATSNEW: Mention new default schema and Functional Level prep

Signed-off-by: Andrew Bartlett 
Reviewed-by: Stefan Metzmacher 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Wed Jun 21 20:01:06 UTC 2023 on atb-devel-224

commit a9d543cdfce1d0ff2976a20bb8f15f68d9de0a41
Author: Joseph Sutton 
Date:   Mon Apr 3 16:49:50 2023 +1200

s4:kdc: Gate claims, auth policies and NTLM restrictions behind 2012/2016 FLs

Samba security features like AD claims, Authentication Policies and
Authentication Silos are enabled once the DC is at the required functional
level.

We comment at the callers of dsdb_dc_functional_level() to explain
why we do this.

Signed-off-by: Joseph Sutton 
Signed-off-by: Andrew Bartlett 
Reviewed-by: Stefan Metzmacher 

commit c95813374a4fa92b446041696baf617d7b19a7f2
Author: Stefan Metzmacher 
Date:   Wed Jun 21 10:21:32 2023 +0200

testprogs/blackbox: also raise the levels to 2012_R2/2016 in functionalprep.sh

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

commit d2777d47d1e3beda4295ece6d1c438fab2621925
Author: Stefan Metzmacher 
Date:   Wed Jun 21 10:21:32 2023 +0200

testprogs/blackbox: also prepare for to 2016 (schema=2019) in functionalprep.sh

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

commit 205ee77c2fe812b71138bbf72ce5b17f238696f1
Author: Stefan Metzmacher 
Date:   Wed Jun 21 12:07:08 2023 +0200

samba-tool: let 'domain level raise' call check_and_update_fl() in a transaction

This makes it possible to raise the levels without starting
'samba' first, which is very useful for blackbox tests.

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

commit 3724ae3e1089136e7d3d3f111ab3420be71a7730
Author: Stefan Metzmacher 
Date:   Wed Jun 21 12:07:08 2023 +0200

samba-tool: move some parts of 'domain level [show|raise]' in to subfunctions

This will make it easier to use transactions in the following changes...

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

commit e92988ec9467e603e5c1aa7f8d337deebbf282dd
Author: Stefan Metzmacher 
Date:   Wed Jun 21 12:07:08 2023 +0200

samba-tool: move some parts of 'domain level [show|raise]' in to try/except

This just adds indentation for now, the following changes will
add transactions...

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

commit ea2712336b28ffda938b4d0b1b17d8eaafb7714d
Author: Stefan Metzmacher 
Date:   Wed Jun 21 11:57:12 2023 +0200

samba-tool: let 'domain level raise --domain-level' use the correct crossRef dn

We should not rely on lp.get('workgroup')...

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

commit f9f9771a55ffa5cd99b8c3d9228bae6f73938b5d
Author: Stefan Metzmacher 
Date:   Wed Jun 21 11:07:17 2023 +0200

samba-tool: check for invalid 'domain level' subcommands first

This will simplify further changes...

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

commit 1b1895a0d84fb9fc07411adc648527180476bacd
Author: Andrew Bartlett 
Date:   Wed Jun 21 11:43:01 2023 +1200

samba-tool: Fix missing import for "domain level raise --forest-level=2016"

Signed-off-by: Andrew Bartlett 
Reviewed-by: Stefan Metzmacher 

commit 48cc2862c289f2b3cf027037fe071fe2e5d81202
Author: Stefan Metzmacher 
Date:   Wed Jun 21

[SCM] Samba Shared Repository - branch master updated

2023-06-16 Thread Andrew Bartlett
The branch, master has been updated
   via  6640cf5e32f samba-tool: add new --dns-directory-partition option to dns zonecreate command
   via  3a9e0b318db s3:tests: Do not export UID_WRAPPER_ROOT in test_smbXsrv_client_cross_node.sh
   via  3799074b30e s3:tests: Do not export UID_WRAPPER_ROOT in test_smbXsrv_client_dead_rec.sh
   via  9cbd4a3abdd s3:tests: Do not export UID_WRAPPER_ROOT in test_net_machine_account
   via  e013d70e8ed testprogs: Do not export UID_WRAPPER_ROOT in test_net_rpc_oldjoin.sh
   via  457a83e7abc testprogs: Do not export UID_WRAPPER_ROOT in test_kpasswd_heimdal.sh
   via  b41ff81a783 testprogs: Do not export UID_WRAPPER_ROOT in test_kpasswd_mit.sh
   via  ea566a825a0 testprogs: Do not export UID_WRAPPER_ROOT in test_pdbtest.sh
   via  579182372a1 testprogs: Do not export UID_WRAPPER_ROOT in test_net_ads_dns.sh
   via  1fb0b3684ea testprogs: Do not export UID_WRAPPER_ROOT in test_samba-tool_ntacl.sh
   via  3b612dc64a6 testprogs:subunit: Fix integer comparisons
   via  e4b77dc38bf testprogs:subunit: Fix assigning an array to a string
   via  8fb833fc759 vfs_default.c: use DBG* macros instead of static log level numbers
   via  5c37615efa2 smbXsrv_tcon.c: use DBG* macros instead of static log level numbers
   via  659e88544aa dcesrv_drsuapi.c:use DBG* macros instead of static log level numbers
   via  c257b0a2e1c smb2_service.c: use DBG* macros instead of static log level numbers
   via  6003090d5f8 smbXsrv_session.c: use DBG* macros instead of static log level numbers
   via  fa700369a96 dns_update.c: use DBG* macros instead of static log level numbers
   via  a33df1250cb oplock_linux.c: use DBG macros instead of static log level
   via  1186ec227da nmbd_become_lmb.c: use DBG* macros instead of static log level numbers
   via  2fbd773a515 nmbd/asyncdns.c: use DBG* macros instead of static log level numbers
   via  5181b1c8cb6 nmbd_sendannounce.c: use DBG* macros instead of static log level numbers
   via  b6049a30127 nmbd: use DBG_ macros and raise some log levels
  from  96a64fb smbd: smbd_dirptr_lanman2_match_fn(): Remove "exact_match" handling

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 6640cf5e32fd8c0561aa8bb4a48fe0fc73740403
Author: Björn Baumbach 
Date:   Thu Jun 15 18:24:50 2023 +0200

samba-tool: add new --dns-directory-partition option to dns zonecreate command

The new --dns-directory-partition chooses the directory partition for
the new zone - "domain" or "forest". Defaults to the current default
"domain".

Signed-off-by: Björn Baumbach 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Fri Jun 16 21:23:28 UTC 2023 on atb-devel-224

commit 3a9e0b318db7a3888e9b5c60f2748edd704630a1
Author: Andreas Schneider 
Date:   Tue Apr 11 15:30:23 2023 +0200

s3:tests: Do not export UID_WRAPPER_ROOT in test_smbXsrv_client_cross_node.sh

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit 3799074b30e1791c68efb50ccb4519b365d0e7fc
Author: Andreas Schneider 
Date:   Tue Apr 11 15:29:41 2023 +0200

s3:tests: Do not export UID_WRAPPER_ROOT in test_smbXsrv_client_dead_rec.sh

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit 9cbd4a3abdd7d4065da312b6ce7bbb5ff4615a61
Author: Andreas Schneider 
Date:   Tue Apr 11 15:29:01 2023 +0200

s3:tests: Do not export UID_WRAPPER_ROOT in test_net_machine_account

Just set it for the test.

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit e013d70e8ed5cbdd8b1ea357d1f9ba7b23d91816
Author: Andreas Schneider 
Date:   Tue Apr 11 15:27:31 2023 +0200

testprogs: Do not export UID_WRAPPER_ROOT in test_net_rpc_oldjoin.sh

This is already set for smbpasswd.

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit 457a83e7abc8cd179eda38ddf3a24b5129a9ba3d
Author: Andreas Schneider 
Date:   Tue Apr 11 15:26:52 2023 +0200

testprogs: Do not export UID_WRAPPER_ROOT in test_kpasswd_heimdal.sh

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit b41ff81a783339ef0d68c70916ef800d5dec421b
Author: Andreas Schneider 
Date:   Tue Apr 11 15:26:21 2023 +0200

testprogs: Do not export UID_WRAPPER_ROOT in test_kpasswd_mit.sh

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit ea566a825a0e13dd5cff54370b6769f9f644d0cf
Author: Andreas Schneider 
Date:   Mon Mar 27 10:17:39 2023 +0200

testprogs: Do not export UID_WRAPPER_ROOT in test_pdbtest.sh

We already set root for smbpasswd.

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit 579182372a106044c138c784cd7df6012dccf87
