Joseph Sutton [Sun, 5 Dec 2021 22:10:01 +0000 (11:10 +1300)]
s4:torture: Adapt LSA tests to newer Heimdal version
The Heimdal upgrade results in some changes that affect these tests. The
cname is now non-NULL in certain circumstances, the IO counts are
different due to a change between the ordering of capaths and referrals,
some requests no longer fail, and referral tickets are not cached
anymore, and so cannot be checked.
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Isaac Boukris [Thu, 8 Nov 2018 22:20:06 +0000 (00:20 +0200)]
s4:torture: return ETYPE_INFO2 on PREAUTH_FAILED
This is an alternative to 978bc8681e74ffa17f96fd5d4355094c4a26691c
which got overwritten by the upgrade merge.
One difference however, is that we don't return ENC_TIMESTAMP like
in PREAUTH_REQUIRED but only ETYPE_INFO2 same as Windows.
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Isaac Boukris <iboukris@gmail.com> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett [Wed, 8 Dec 2021 01:56:39 +0000 (14:56 +1300)]
selftest: knownfail updates after Heimdal Upgrade
The Heimdal upgrade brings the new feature of FAST, allowing more tests to pass.
However it causes a regression in FL2003 for the returned salt format in
the AS-REP, but FL 2003 has not been the default since Samba 4.2 as AES
keys are much stronger and should be preferred.
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett [Tue, 14 Dec 2021 23:30:28 +0000 (12:30 +1300)]
s4:kdc: Set require_pac and no-ENC_TS in FAST for new Heimdal import
This allows us to continue to avoid CVE-2020-25719 in particular
and pass our tests for expected FAST behaviour as the patches
we requested by upstream to be conditional, not hard-coded.
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett [Thu, 17 Jun 2021 09:27:06 +0000 (21:27 +1200)]
s4:kdc/heimdal: Always include the salt in the PA-ETYPE-INFO[2]
This matches Windows and is detected by our samba.tests.krb5.as_canonicalization_tests
test as this always expects the salt, which Windows always provides.
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Rename and fix as/tgs-use-strongest-key config parameters
Different ticket session key enctype selection options should
distinguish between target principal type (krbtgt vs. not), not
between KDC request types.
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
[abartlet@samba.org Researched and updated the commit message] Reviewed-by: Stefan Metzmacher <metze@samba.org>
s4:kerberos: adapt the heimdal send_to_kdc hooks to the send_to_kdc/realm plugin interface
With the recent heimdal upgrade we better try to use the send_to_realm()
hooks as it allows us to handle the KDC lookup as well as only getting
each logical request just once in the testing code, which makes it
less dependent on the heimdal internal kdc lookup logic.
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
tests/auth_log: adjust expected authDescription for test_smb_bad_user
With NO_SUCH_USER we don't know if any pre-authentication was requested,
so with the new Heimdal code we now use "AS-REQ" instead of
assuming ENC-TS Pre-authentication.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Andrew Bartlett [Wed, 23 Jun 2021 00:08:34 +0000 (12:08 +1200)]
s4:kdc: Adapt wamba_wdc_check_client_access() to modern Heimdal
Modern Heimdal falls back to kdc_check_flags() internally
when KRB5_PLUGIN_NO_HANDLE is returned, avoiding the need
to call back into the internal KDC APIs.
Selected from patch by Stefan Metzmacher <metze@samba.org>
from his Heimdal upgrade branch.
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
See
https://git.samba.org/?p=lorikeet-heimdal.git;a=shortlog;h=refs/heads/lorikeet-heimdal-202201172009
or
https://gitlab.com/samba-team/devel/lorikeet-heimdal/-/tree/lorikeet-heimdal-202201172009
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Pair-Programmed-With: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Stefan Metzmacher <metze@samba.org> Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
The Coverity Scan tools are not updated very often and miss support for the
latest gcc build. Let's use Fedora 34 for that and stay behind a bit.
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Jan 19 10:49:18 UTC 2022 on sn-devel-184
Volker Lendecke [Sun, 16 Jan 2022 20:50:25 +0000 (21:50 +0100)]
smbd: Remove a duplicate prototype
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Jan 18 21:17:43 UTC 2022 on sn-devel-184
s4:kdc: improve DEBUG messages in samba_wdc_reget_pac2()
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Autobuild-User(master): Joseph Sutton <jsutton@samba.org>
Autobuild-Date(master): Mon Jan 17 20:55:41 UTC 2022 on sn-devel-184
Joseph Sutton [Wed, 22 Dec 2021 03:08:43 +0000 (16:08 +1300)]
s4:torture: Remove netbios realm and lowercase realm tests
Tests for these are already present in
samba.tests.krb5.as_canonicalization_tests. These tests cause problems
with an upgraded Heimdal version, and we want to stop supporting
non-canonical realm names, so this commit removes them.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <metze@samba.org>
David Disseldorp [Fri, 14 Jan 2022 09:38:40 +0000 (10:38 +0100)]
build: reduce printf() calls in generated build_options.c
build_options.c is inefficient in multiple ways:
1) it's generated via one python fp.write() call per line
2) the generated code calls output() for each and every build option
This commit addresses (2), modifying write_build_options_header() and
write_build_options_footer(). write_build_options_section() could also
be collapsed into a single output() call, but this may lead to oversize
string literals, so has been left as is.
I observe no change in smbd --build-options output.
Signed-off-by: David Disseldorp <ddiss@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): David Disseldorp <ddiss@samba.org>
Autobuild-Date(master): Mon Jan 17 13:17:53 UTC 2022 on sn-devel-184
David Disseldorp [Fri, 14 Jan 2022 09:38:40 +0000 (10:38 +0100)]
build: reduce fp.write calls for build_options.c generation
build_options.c is inefficient in multiple ways:
1) it's generated via one python fp.write() call per line
2) the generated code calls output() for each and every build option
This commit reduces fp.write() calls for (1). I observe no change in the
generated build_options.c .
Signed-off-by: David Disseldorp <ddiss@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
s3:smbd: handle --build-options without parsing smb.conf
The smb.conf is parsed in post mode of a popt callback. The smbd
--build-options parameter should be handled when first encountered
to avoid requiring smb.conf presence.
Martin Schwenke [Fri, 14 Jan 2022 02:39:34 +0000 (13:39 +1100)]
WHATSNEW: Document CTDB leader and cluster lock changes
Signed-off-by: Martin Schwenke <martin@meltin.net> Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Mon Jan 17 11:16:14 UTC 2022 on sn-devel-184
Martin Schwenke [Mon, 10 Jan 2022 02:41:31 +0000 (13:41 +1100)]
ctdb-doc: Remove documentation for recovery process
This is many years out of date and recent changes make it worse. It
is unlikely that anyone has the time to fix this in the near future,
so remove it because it is misleading.
Database recovery steps are well documented in comments in the
recovery helper. Cluster monitoring documentation can be re-added
when things stop changing.
Signed-off-by: Martin Schwenke <martin@meltin.net> Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Fri, 14 Jan 2022 12:09:38 +0000 (23:09 +1100)]
ctdb-tests: Improve test coverage for leader role yield and elections
Rename test, clean up node selection. Duplicate for banning and
removing leader capability cases. Repeat all 3 tests without cluster
lock.
All of the standard election triggers are now tested, with and without
cluster lock. Due to test cluster configuration limitations, the
tests without cluster lock are skipped on a real cluster.
Signed-off-by: Martin Schwenke <martin@meltin.net> Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Wed, 18 Mar 2020 04:14:39 +0000 (15:14 +1100)]
ctdb-recoverd: Use race for cluster lock as election when lock is enabled
If the cluster is partitioned then nodes in one partition can not take
the lock anyway, so election is pointless. It just introduces
unnecessary corner cases.
Instead just race for the lock.
When a node notices a lack of leader and notifies other nodes of an
election via an unknown leader broadcast, the cluster lock election is
hooked into this broadcast.
The test needs to be updated because losing the cluster lock can now
result in a leadership change.
Signed-off-by: Martin Schwenke <martin@meltin.net> Reviewed-by: Amitay Isaacs <amitay@gmail.com>