]> git.ipfire.org Git - thirdparty/samba.git/log
thirdparty/samba.git
4 weeks agosmbd: Align integer types
Volker Lendecke [Mon, 4 Aug 2025 11:54:10 +0000 (13:54 +0200)] 
smbd: Align integer types

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Anoop C S <anoopcs@samba.org>
4 weeks agosmbd: Align an integer type
Volker Lendecke [Thu, 7 Aug 2025 12:11:33 +0000 (14:11 +0200)] 
smbd: Align an integer type

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Anoop C S <anoopcs@samba.org>
4 weeks agolib: tevent_req_set_endtime() can fail
Volker Lendecke [Mon, 18 Aug 2025 08:50:33 +0000 (10:50 +0200)] 
lib: tevent_req_set_endtime() can fail

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Anoop C S <anoopcs@samba.org>
4 weeks agolib: Re-add dlclose(handle) when module initialization failed
Volker Lendecke [Tue, 26 Aug 2025 07:50:04 +0000 (09:50 +0200)] 
lib: Re-add dlclose(handle) when module initialization failed

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Mon Sep  1 17:04:27 UTC 2025 on atb-devel-224

5 weeks agodsdb: Align an integer type
Volker Lendecke [Sat, 30 Aug 2025 12:04:11 +0000 (14:04 +0200)] 
dsdb: Align an integer type

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Sun Aug 31 07:23:20 UTC 2025 on atb-devel-224

5 weeks agodsdb: Fix CID 1665142, Null pointer dereferences (FORWARD_NULL)
Volker Lendecke [Sat, 30 Aug 2025 12:01:59 +0000 (14:01 +0200)] 
dsdb: Fix CID 1665142, Null pointer dereferences (FORWARD_NULL)

Do the ADD/MOD early, don't risk dereferencing msg without assignment.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
5 weeks agos4:dsdb:tests: Add tests for msDS-KeyCredentialLink attribute
Jennifer Sutton [Wed, 20 Aug 2025 07:10:43 +0000 (19:10 +1200)] 
s4:dsdb:tests: Add tests for msDS-KeyCredentialLink attribute

Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Wed Aug 27 04:44:59 UTC 2025 on atb-devel-224

5 weeks agos4:dsdb: Implement msDS-KeyCredentialLink attribute
Jennifer Sutton [Thu, 5 Jun 2025 00:28:20 +0000 (12:28 +1200)] 
s4:dsdb: Implement msDS-KeyCredentialLink attribute

Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
5 weeks agos4:dsdb:tests: Add get_creds() method
Jennifer Sutton [Tue, 12 Aug 2025 23:41:53 +0000 (11:41 +1200)] 
s4:dsdb:tests: Add get_creds() method

Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
5 weeks agolib:compression: Fix code spelling
Jennifer Sutton [Tue, 12 Aug 2025 22:17:46 +0000 (10:17 +1200)] 
lib:compression: Fix code spelling

Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
5 weeks agos4:dsdb: Remove outdated comments
Jennifer Sutton [Tue, 12 Aug 2025 21:54:00 +0000 (09:54 +1200)] 
s4:dsdb: Remove outdated comments

Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
5 weeks agos4:dsdb:tests: Remove outdated comment
Jennifer Sutton [Tue, 12 Aug 2025 05:19:55 +0000 (17:19 +1200)] 
s4:dsdb:tests: Remove outdated comment

The relevant tests were enabled in commit 8cb416a0b569017e1928a7a1cead723ce64ca314.

Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
5 weeks agos4:dsdb:acl: Fix LDB flags comparison
Jennifer Sutton [Tue, 12 Aug 2025 01:56:16 +0000 (13:56 +1200)] 
s4:dsdb:acl: Fix LDB flags comparison

LDB_FLAG_MOD_* values are not actually flags, and the previous
comparison was equivalent to

(el->flags & LDB_FLAG_MOD_MASK) == 0

which is only true if none of the LDB_FLAG_MOD_* values are set, so we
would not successfully return if the element was a DELETE. Correct the
expression to what it was intended to be.

Commit 99b805e4cbeec232c65adb1a6f3fb326b55c4496 fixed a similar issue.

Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
5 weeks agos4:dsdb: Allow an SPN value to match the original dNSHostName with Validated Write
Jennifer Sutton [Tue, 29 Jul 2025 03:59:09 +0000 (15:59 +1200)] 
s4:dsdb: Allow an SPN value to match the original dNSHostName with Validated Write

Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
5 weeks agos4:dsdb:tests: Correct unprefixed f‐string
Jennifer Sutton [Tue, 29 Jul 2025 03:02:32 +0000 (15:02 +1200)] 
s4:dsdb:tests: Correct unprefixed f‐string

Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
5 weeks agos4:dsdb:tests: Correct test name
Jennifer Sutton [Tue, 29 Jul 2025 03:00:16 +0000 (15:00 +1200)] 
s4:dsdb:tests: Correct test name

Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
5 weeks agos4:dsdb:tests: Reformat ACEs to be more readable
Jennifer Sutton [Tue, 29 Jul 2025 02:48:23 +0000 (14:48 +1200)] 
s4:dsdb:tests: Reformat ACEs to be more readable

Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
5 weeks agos4:dsdb:tests: Use sAMAccountName GUID constant
Jennifer Sutton [Tue, 29 Jul 2025 01:47:20 +0000 (13:47 +1200)] 
s4:dsdb:tests: Use sAMAccountName GUID constant

Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
5 weeks agosetup:adprep: Import the latest {Domain-Wide,Forest-Wide,Read-Only-Domain-Controller...
Jennifer Sutton [Tue, 17 Jun 2025 05:04:45 +0000 (17:04 +1200)] 
setup:adprep: Import the latest {Domain-Wide,Forest-Wide,Read-Only-Domain-Controller,Schema}-Updates.md

Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
5 weeks agopython:samba: Raise an exception if we can’t parse a Markdown operation
Jennifer Sutton [Tue, 12 Aug 2025 00:26:52 +0000 (12:26 +1200)] 
python:samba: Raise an exception if we can’t parse a Markdown operation

Otherwise we would continue with the wrong GUID and filename.

Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
5 weeks agopidl: Validate Python bytes objects
Jennifer Sutton [Tue, 17 Jun 2025 04:36:16 +0000 (16:36 +1200)] 
pidl: Validate Python bytes objects

Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
5 weeks agos4:setup: Fix spelling
Jennifer Sutton [Tue, 17 Jun 2025 04:28:03 +0000 (16:28 +1200)] 
s4:setup: Fix spelling

Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
5 weeks agoschema: Add Validated-Write-Computer Extended Right from Windows Server 2016
Jennifer Sutton [Tue, 17 Jun 2025 04:22:56 +0000 (16:22 +1200)] 
schema: Add Validated-Write-Computer Extended Right from Windows Server 2016

Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
5 weeks agoldb: Do not return None from __str__()
Jennifer Sutton [Sun, 15 Jun 2025 23:51:14 +0000 (11:51 +1200)] 
ldb: Do not return None from __str__()

Python will complain with “__str__ returned non-string (type NoneType)”.

Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
5 weeks agotests/krb5: Remove redundant line
Jennifer Sutton [Tue, 10 Jun 2025 00:43:21 +0000 (12:43 +1200)] 
tests/krb5: Remove redundant line

Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
5 weeks agolib:crypto: Don’t pass null pointer to memcpy()
Jennifer Sutton [Mon, 26 May 2025 00:00:16 +0000 (12:00 +1200)] 
lib:crypto: Don’t pass null pointer to memcpy()

This results in undefined behaviour.

Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
5 weeks agolib:crypto: Remove trailing whitespace
Jennifer Sutton [Sun, 25 May 2025 23:59:53 +0000 (11:59 +1200)] 
lib:crypto: Remove trailing whitespace

Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
5 weeks agolib:async_req: Initialize variables
Jennifer Sutton [Sun, 18 May 2025 22:31:47 +0000 (10:31 +1200)] 
lib:async_req: Initialize variables

../../lib/async_req/async_sock.c: In function ‘writev_do’:
../../lib/async_req/async_sock.c:360:12: error: ‘written’ may be used uninitialized [-Werror=maybe-uninitialized]
  360 |         if ((written == -1) &&
      |            ^
../../lib/async_req/async_sock.c:343:17: note: ‘written’ was declared here
  343 |         ssize_t written;
      |                 ^~~~~~~
../../lib/async_req/async_sock.c: In function ‘read_packet_do’:
../../lib/async_req/async_sock.c:563:12: error: ‘nread’ may be used uninitialized [-Werror=maybe-uninitialized]
  563 |         if ((nread == -1) && (errno == EINTR)) {
      |            ^
../../lib/async_req/async_sock.c:531:17: note: ‘nread’ was declared here
  531 |         ssize_t nread, more;
      |                 ^~~~~
cc1: all warnings being treated as errors

Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
5 weeks agos3:lib: Initialize pointer to NULL
Jennifer Sutton [Thu, 20 Feb 2025 02:05:42 +0000 (15:05 +1300)] 
s3:lib: Initialize pointer to NULL

../../source3/lib/netapi/tests/netdisplay.c: In function ‘test_netquerydisplayinformation’:
../../source3/lib/netapi/tests/netdisplay.c:87:45: error: ‘current_name’ may be used uninitialized [-Werror=maybe-uninitialized]
   87 |                                 if (name && strcasecmp(current_name, name) == 0) {
      |                                             ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../../source3/lib/netapi/tests/netdisplay.c:37:21: note: ‘current_name’ was declared here
   37 |         const char *current_name;
      |                     ^~~~~~~~~~~~
cc1: all warnings being treated as errors

Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
5 weeks agolibcli: Fix maybe-uninitialized warning
Jennifer Sutton [Thu, 20 Feb 2025 00:51:24 +0000 (13:51 +1300)] 
libcli: Fix maybe-uninitialized warning

../../libcli/wsp/wsp_aqs.c: In function ‘create_size_range_shortcut’:
../../libcli/wsp/wsp_aqs.c:872:37: error: ‘upper_size’ may be used uninitialized [-Werror=maybe-uninitialized]
  872 |                 right->value.number = upper_size;
      |                 ~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~
../../libcli/wsp/wsp_aqs.c:835:18: note: ‘upper_size’ was declared here
  835 |         uint32_t upper_size;
      |                  ^~~~~~~~~~
cc1: all warnings being treated as errors

Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
5 weeks agoldb: Fix maybe-uninitialized warning
Jennifer Sutton [Thu, 20 Feb 2025 00:41:48 +0000 (13:41 +1300)] 
ldb: Fix maybe-uninitialized warning

In file included from ../../lib/ldb/include/ldb.h:50,
                 from ../../lib/ldb/include/ldb_private.h:43,
                 from ../../lib/ldb/common/ldb_pack.c:34:
../../lib/ldb/common/ldb_pack.c: In function ‘ldb_filter_attrs’:
../../lib/talloc/talloc.h:1173:48: error: ‘i’ may be used uninitialized [-Werror=maybe-uninitialized]
 1173 | #define talloc_array(ctx, type, count) (type *)_talloc_array(ctx, sizeof(type), count, #type)
      |                                                ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../../lib/ldb/common/ldb_pack.c:1178:34: note: in expansion of macro ‘talloc_array’
 1178 |         filtered_msg->elements = talloc_array(filtered_msg,
      |                                  ^~~~~~~~~~~~
../../lib/ldb/common/ldb_pack.c:1134:22: note: ‘i’ was declared here
 1134 |         unsigned int i;
      |                      ^
cc1: all warnings being treated as errors

Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
5 weeks agoCID 1509059 winbind: Fixing print statement for time_t
Rabinarayan Panigrahi [Tue, 26 Aug 2025 06:32:25 +0000 (12:02 +0530)] 
CID 1509059 winbind: Fixing print statement for time_t

Fixing DEBUG output for time_t to uintmax_t

Signed-off-by: Rabinarayan Panigrahi <rapanigr@redhat.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Wed Aug 27 02:17:29 UTC 2025 on atb-devel-224

5 weeks agopython:tarfile: notes about extraction_filter
Douglas Bagnall [Fri, 22 Aug 2025 04:23:16 +0000 (16:23 +1200)] 
python:tarfile: notes about extraction_filter

a reminder to delete.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Tue Aug 26 23:43:08 UTC 2025 on atb-devel-224

5 weeks agopytest: safe_tarfile: accept NotADirectoryError as bad path rejection
Douglas Bagnall [Fri, 22 Aug 2025 03:24:34 +0000 (15:24 +1200)] 
pytest: safe_tarfile: accept NotADirectoryError as bad path rejection

After recent upstream Python fixes for various path escape and symlink
CVEs in tarfile, in particular this commit:

  commit 3612d8f51741b11f36f8fb0494d79086bac9390a
  Author: Łukasz Langa <lukasz@langa.pl>
  Date:   Tue Jun 3 12:42:11 2025 +0200

  gh-135034: Normalize link targets in tarfile, add `os.path.realpath(strict='allow_missing')` (#135037)

  Addresses CVEs 2024-12718, 2025-4138, 2025-4330, and 2025-4517.

Signed-off-by: Łukasz Langa <lukasz@langa.pl>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Co-authored-by: Petr Viktorin <encukou@gmail.com>
Co-authored-by: Seth Michael Larson <seth@python.org>
Co-authored-by: Adam Turner <9087854+AA-Turner@users.noreply.github.com>
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
our ../../ test that looks for a tarfile.OutsideDestinationError now
meets a NotADirectoryError in recent Python versions (this from 3.13,
Fedora 42):

UNEXPECTED(error): samba.tests.safe_tarfile.samba.tests.safe_tarfile.SafeTarFileTestCase.test_dots(none)
REASON: Exception: Exception: Traceback (most recent call last):
  File "/tmp/samba-testbase/b1/samba-o3/bin/python/samba/tests/safe_tarfile.py", line 48, in test_dots
    self.assertRaises(tarfile.OutsideDestinationError,
    ~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
                      stf.extractall,
                      ^^^^^^^^^^^^^^^
                      tarname)
                      ^^^^^^^^
  File "/usr/lib64/python3.13/unittest/case.py", line 795, in assertRaises
    return context.handle('assertRaises', args, kwargs)
           ~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib64/python3.13/unittest/case.py", line 238, in handle
    callable_obj(*args, **kwargs)
    ~~~~~~~~~~~~^^^^^^^^^^^^^^^^^
  File "/usr/lib64/python3.13/tarfile.py", line 2343, in extractall
    tarinfo, unfiltered = self._get_extract_tarinfo(
                          ~~~~~~~~~~~~~~~~~~~~~~~~~^
        member, filter_function, path)
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib64/python3.13/tarfile.py", line 2432, in _get_extract_tarinfo
    self._handle_fatal_error(e)
    ~~~~~~~~~~~~~~~~~~~~~~~~^^^
  File "/usr/lib64/python3.13/tarfile.py", line 2430, in _get_extract_tarinfo
    filtered = filter_function(unfiltered, path)
  File "/usr/lib64/python3.13/tarfile.py", line 842, in tar_filter
    new_attrs = _get_filtered_attrs(member, dest_path, False)
  File "/usr/lib64/python3.13/tarfile.py", line 783, in _get_filtered_attrs
    target_path = os.path.realpath(os.path.join(dest_path, name),
                                   strict=os.path.ALLOW_MISSING)
  File "<frozen posixpath>", line 457, in realpath
NotADirectoryError: [Errno 20] Not a directory: '/tmp/samba-testbase/b1/samba-o3/bin/ab/tmp/tmpbn6e69ci/tar.tar'

In this commit, we say that a NotADirectoryError is OK.

When we started safe_tarfile we were acting in advance of upstream
Python, but now they are well ahead of us. If we trust their work in
recent versions and accept the error conditions they choose, we can
more easily get rid of our safe_tarfile when the time is right.

For the moment we still support as far back as Python 3.6 for some old
enterprise distros, and it is for those that we continue to maintain
safe_tarfile. In versions before 3.11 we will see
tarfile.ExtractError, and the test for that is unaffected by this
change.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
5 weeks agos4:libsocket: better diagnostics for no interfaces
Douglas Bagnall [Fri, 7 Feb 2025 00:37:37 +0000 (13:37 +1300)] 
s4:libsocket: better diagnostics for no interfaces

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
5 weeks agos3:smbd: slightly improve no sockets panic message
Douglas Bagnall [Fri, 7 Feb 2025 00:36:24 +0000 (13:36 +1300)] 
s3:smbd: slightly improve no sockets panic message

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
5 weeks agowinbindd:migrate_secrets_tdb_to_ldb() handles no client password
Douglas Bagnall [Wed, 5 Feb 2025 03:50:28 +0000 (16:50 +1300)] 
winbindd:migrate_secrets_tdb_to_ldb() handles no client password

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
5 weeks agos4:smb_composite: session_setup_old() handles no password
Douglas Bagnall [Wed, 5 Feb 2025 03:49:21 +0000 (16:49 +1300)] 
s4:smb_composite: session_setup_old() handles no password

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
5 weeks agos4:smb_composite: session_setup_nt1() handles no password
Douglas Bagnall [Wed, 5 Feb 2025 03:49:01 +0000 (16:49 +1300)] 
s4:smb_composite: session_setup_nt1() handles no password

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
5 weeks agoutils/smbtree: do not crash with no password (-N)
Douglas Bagnall [Wed, 5 Feb 2025 03:47:39 +0000 (16:47 +1300)] 
utils/smbtree: do not crash with no password (-N)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15170

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
5 weeks agoauth: avoid strcmp(x, NULL)
Douglas Bagnall [Wed, 5 Feb 2025 03:45:06 +0000 (16:45 +1300)] 
auth: avoid strcmp(x, NULL)

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
5 weeks agoauth: fix docs for cli_credentials_get_password_and_obtained()
Douglas Bagnall [Wed, 5 Feb 2025 03:40:47 +0000 (16:40 +1300)] 
auth: fix docs for cli_credentials_get_password_and_obtained()

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
5 weeks agodomsid: be less alarmed by non-SID
Douglas Bagnall [Sat, 4 May 2024 01:07:26 +0000 (13:07 +1200)] 
domsid: be less alarmed by non-SID

This has been causing log noise when something is trying to parse an
identifier using a sequence of parsers, to see if it is a SID, a DN,
an account name, etc.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
5 weeks agodsdb:password_hash.c: restrict crypt hash to proper forms
Douglas Bagnall [Thu, 30 Jan 2025 20:24:53 +0000 (09:24 +1300)] 
dsdb:password_hash.c: restrict crypt hash to proper forms

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
5 weeks agopython:build: do not allow sizeof(int) != 4
Douglas Bagnall [Thu, 29 May 2025 00:58:48 +0000 (12:58 +1200)] 
python:build: do not allow sizeof(int) != 4

A non-32 bit int will (if the compiler allows it) result in code
where we write into memory adjacent to a target uint32_t value in
many python bindings using the python arg-parsing API. The more
correct thing to do would be to always parse into an unsigned long
long and error if it is greater than UINT32_MAX, but we do this in
so many places that there is reason to believe we'll just keep
adding more.

Note, we already check in lib/replace/wscript that int is at least
32 bits; here we are effectively just checking that it is not more.

There was apparently a version of 64 bit Solaris in the 1990s that
had 64 bit ints.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
5 weeks agos4:lib/tls: add additional dns hostnames as GNUTLS_SAN_DNSNAME for self-signed certif...
Stefan Metzmacher [Tue, 26 Aug 2025 13:22:10 +0000 (15:22 +0200)] 
s4:lib/tls: add additional dns hostnames as GNUTLS_SAN_DNSNAME for self-signed certificates

It's better to include X509v3 Subject Alternative Name with
DNS names also for additional dns hostnames.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15899

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Aug 26 22:00:26 UTC 2025 on atb-devel-224

5 weeks agos4:lib/tls: set GNUTLS_SAN_DNSNAME for self-signed certificates
Stefan Metzmacher [Tue, 26 Aug 2025 09:55:40 +0000 (11:55 +0200)] 
s4:lib/tls: set GNUTLS_SAN_DNSNAME for self-signed certificates

It's better to include X509v3 Subject Alternative Name with
DNS names in the self-signed certificate...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15899

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
5 weeks agos4:lib/tls: let tstream_tls_params_server_lpcfg() use lpcfg_dns_hostname() internally
Stefan Metzmacher [Tue, 26 Aug 2025 09:22:43 +0000 (11:22 +0200)] 
s4:lib/tls: let tstream_tls_params_server_lpcfg() use lpcfg_dns_hostname() internally

This is simpler and the next step will also make use of
lpcfg_additional_dns_hostnames() too...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15899

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
5 weeks agowinbindd: CID 1508963 Fixing print statement for time_t
Rabinarayan Panigrahi [Mon, 25 Aug 2025 07:09:10 +0000 (12:39 +0530)] 
winbindd: CID 1508963 Fixing print statement for time_t

Fixing DEBUG output for time_t to uintmax_t

Signed-off-by: Rabinarayan Panigrahi <rapanigr@redhat.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Vinit Agnihotri <vagnihot@redhat.com>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue Aug 26 15:40:41 UTC 2025 on atb-devel-224

5 weeks agos3:eventlog: Fix print statement CID#1509023
Vinit Agnihotri [Thu, 21 Aug 2025 08:47:50 +0000 (14:17 +0530)] 
s3:eventlog: Fix print statement CID#1509023

Signed-off-by: Vinit Agnihotri <vagnihot@redhat.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Anoop C S <anoopcs@samba.org>
5 weeks agoauth:creds: Update the documentation for set_principal and set_realm
Andreas Schneider [Wed, 6 Aug 2025 05:54:52 +0000 (07:54 +0200)] 
auth:creds: Update the documentation for set_principal and set_realm

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15893

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Mon Aug 25 12:08:22 UTC 2025 on atb-devel-224

5 weeks agoauth:creds: Make sure to uppercase the realm of a principal
Andreas Schneider [Wed, 6 Aug 2025 14:33:21 +0000 (16:33 +0200)] 
auth:creds: Make sure to uppercase the realm of a principal

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15893

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
5 weeks agoauth:creds: Validate realm names in set_realm and set_principal
Andreas Schneider [Tue, 5 Aug 2025 13:25:54 +0000 (15:25 +0200)] 
auth:creds: Validate realm names in set_realm and set_principal

See also
https://web.mit.edu/kerberos/krb5-latest/doc/admin/realm_config.html#realm-name

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15893

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
5 weeks agos3:utils: Keep password secret in ntlm_auth get_password()
Andreas Schneider [Thu, 7 Aug 2025 11:48:26 +0000 (13:48 +0200)] 
s3:utils: Keep password secret in ntlm_auth get_password()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15893

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
5 weeks agoauth:creds: Keep password secret in cmdline_get_userpassword()
Andreas Schneider [Thu, 7 Aug 2025 11:48:04 +0000 (13:48 +0200)] 
auth:creds: Keep password secret in cmdline_get_userpassword()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15893

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
5 weeks agoauth:creds: Keep the password secret
Andreas Schneider [Thu, 7 Aug 2025 11:45:48 +0000 (13:45 +0200)] 
auth:creds: Keep the password secret

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15893

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
5 weeks agoauth:creds: Allow to reset the principal by passing NULL to set_principal
Andreas Schneider [Wed, 6 Aug 2025 12:42:51 +0000 (14:42 +0200)] 
auth:creds: Allow to reset the principal by passing NULL to set_principal

We do that e.g. in cli_credentials_set_anonymous()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15893

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
5 weeks agoauth:creds: Also uppercase realm set via a callback
Andreas Schneider [Thu, 7 Aug 2025 11:32:47 +0000 (13:32 +0200)] 
auth:creds: Also uppercase realm set via a callback

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15893

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
5 weeks agoauth:creds: Allow to reset the realm by passing NULL
Andreas Schneider [Wed, 6 Aug 2025 12:40:34 +0000 (14:40 +0200)] 
auth:creds: Allow to reset the realm by passing NULL

This is e.g. done by cli_credentials_set_anonymous().

We can't call TALLOC_FREE(cred->realm), as this would break
cli_credentials_shallow_copy().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15893

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
6 weeks agolibsmb: Avoid smb-level encryption if quic is trusted
Volker Lendecke [Thu, 21 Aug 2025 10:17:55 +0000 (12:17 +0200)] 
libsmb: Avoid smb-level encryption if quic is trusted

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Aug 22 14:55:47 UTC 2025 on atb-devel-224

6 weeks agolibsmb: Add "smb_encryption_over_quic" to smb311_capabilities
Volker Lendecke [Thu, 21 Aug 2025 10:15:25 +0000 (12:15 +0200)] 
libsmb: Add "smb_encryption_over_quic" to smb311_capabilities

Put here from the "client smb encryption over quic" settings

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
6 weeks agoparam: Add "client smb encryption over quic"
Volker Lendecke [Thu, 21 Aug 2025 08:42:15 +0000 (10:42 +0200)] 
param: Add "client smb encryption over quic"

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
6 weeks agosmbd: Don't request SMB-level encryption over trusted quic
Volker Lendecke [Mon, 18 Aug 2025 15:13:59 +0000 (17:13 +0200)] 
smbd: Don't request SMB-level encryption over trusted quic

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
6 weeks agosmbd: Reply with SMB2_ACCEPT_TRANSPORT_LEVEL_SECURITY if we trust quic
Volker Lendecke [Fri, 8 Aug 2025 10:06:13 +0000 (12:06 +0200)] 
smbd: Reply with SMB2_ACCEPT_TRANSPORT_LEVEL_SECURITY if we trust quic

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
6 weeks agosmbd: Add the "server smb encryption over quic" parameter
Volker Lendecke [Thu, 14 Aug 2025 13:32:12 +0000 (15:32 +0200)] 
smbd: Add the "server smb encryption over quic" parameter

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
6 weeks agosmbd: Pass smbXsrv_connection to lp_server_smb_encrypt()
Volker Lendecke [Mon, 18 Aug 2025 15:06:05 +0000 (17:06 +0200)] 
smbd: Pass smbXsrv_connection to lp_server_smb_encrypt()

We'll modify the value of "server smb encrypt" when we have a trusted
quic transport

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
6 weeks agoparam: Fix whitespace
Volker Lendecke [Mon, 18 Aug 2025 14:25:38 +0000 (16:25 +0200)] 
param: Fix whitespace

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
6 weeks agosmbd: Switch from a != to a ==
Volker Lendecke [Tue, 12 Aug 2025 13:06:39 +0000 (15:06 +0200)] 
smbd: Switch from a != to a ==

Simpler to read for me

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
6 weeks agosmbd: Avoid an "else"
Volker Lendecke [Wed, 13 Aug 2025 13:27:39 +0000 (15:27 +0200)] 
smbd: Avoid an "else"

We return in the if-branch

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
6 weeks agosmbd: Modernize DEBUGs
Volker Lendecke [Wed, 13 Aug 2025 13:06:54 +0000 (15:06 +0200)] 
smbd: Modernize DEBUGs

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
6 weeks agosmbd: Add a comment matching the other flags
Volker Lendecke [Wed, 13 Aug 2025 11:55:42 +0000 (13:55 +0200)] 
smbd: Add a comment matching the other flags

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
6 weeks agosmbd: Make a few encryption-related functions static to smbstatus
Volker Lendecke [Mon, 11 Aug 2025 15:02:52 +0000 (17:02 +0200)] 
smbd: Make a few encryption-related functions static to smbstatus

Only referenced there, I got confused by them being part of smbd

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
6 weeks agosmbd: Fix a typo
Volker Lendecke [Mon, 11 Aug 2025 13:16:54 +0000 (15:16 +0200)] 
smbd: Fix a typo

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
6 weeks agosmbd: Shed a nested if-expression
Volker Lendecke [Mon, 11 Aug 2025 13:12:31 +0000 (15:12 +0200)] 
smbd: Shed a nested if-expression

Review with "git show -w". This is easier to read for me.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
6 weeks agodocs: Fix "server smb encrypt" for SMB3+
Volker Lendecke [Mon, 11 Aug 2025 12:40:16 +0000 (14:40 +0200)] 
docs: Fix "server smb encrypt" for SMB3+

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
6 weeks agolibsmb: Negotiate SMB2_ACCEPT_TRANSPORT_LEVEL_SECURITY over quic
Volker Lendecke [Thu, 7 Aug 2025 10:35:23 +0000 (12:35 +0200)] 
libsmb: Negotiate SMB2_ACCEPT_TRANSPORT_LEVEL_SECURITY over quic

If we trust quic, indicate to the server that we do so.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
6 weeks agolib: tstream_tls_verify_peer_trusted()
Volker Lendecke [Thu, 7 Aug 2025 06:56:08 +0000 (08:56 +0200)] 
lib: tstream_tls_verify_peer_trusted()

We can only trust a tls connection if at connection setup we checked
the certificates

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
6 weeks agolibcli: Add tls_verify_peer_state to smbXcli_transport
Volker Lendecke [Mon, 4 Aug 2025 12:59:15 +0000 (14:59 +0200)] 
libcli: Add tls_verify_peer_state to smbXcli_transport

We have to carry a copy over from the tstream_tls_params used to
connect, we can't get this information out once the tls-protected
tstream is established

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
6 weeks agotls: Add tstream_tls_params_verify_peer()
Volker Lendecke [Mon, 4 Aug 2025 11:53:49 +0000 (13:53 +0200)] 
tls: Add tstream_tls_params_verify_peer()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
6 weeks agolibcli: Introduce helper var in smbXcli_negprot_smb2_subreq()
Volker Lendecke [Thu, 7 Aug 2025 09:53:59 +0000 (11:53 +0200)] 
libcli: Introduce helper var in smbXcli_negprot_smb2_subreq()

Saves a few bytes of code

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
6 weeks agothird_party:quic_ko_wrapper Fix compilation with clang-20
Gary Lockyer [Thu, 14 Aug 2025 21:38:07 +0000 (09:38 +1200)] 
third_party:quic_ko_wrapper Fix compilation with clang-20

Rework the code to remove the non portable variable length array in the union.
Based on the code in wrap_msghdr_add_cmsghdr().

NOTE: this removes the 64 bit alignment, which I think should be ok.

./../third_party/quic_ko_wrapper/quic_ko_wrapper.c:3523:11: error:
   fields must have a constant size: 'variable length array in structure'
   extension will never be supported
  3523 |                 uint8_t cmbuf[cmspace];
       |                         ^
1 error generated.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Björn Baumbach <bb@sernet.de>
Autobuild-Date(master): Wed Aug 20 15:04:34 UTC 2025 on atb-devel-224

6 weeks agothird_party:quic Fix compilation with clang-20
Gary Lockyer [Thu, 14 Aug 2025 21:33:24 +0000 (09:33 +1200)] 
third_party:quic Fix compilation with clang-20

Add -Wno-error=format-nonliteral so that quic builds with clang 20

../../third_party/quic/libquic/handshake.c:106:35: error:
   format string is not a string literal [-Werror,-Wformat-nonliteral]
  106 |         rc = vsnprintf(msg, sizeof(msg), fmt, arg);
      |                                          ^~~
../../third_party/quic/libquic/handshake.c:135:35: error:
   format string is not a string literal [-Werror,-Wformat-nonliteral]
  135 |         rc = vsnprintf(msg, sizeof(msg), fmt, arg);
      |                                          ^~~
../../third_party/quic/libquic/handshake.c:164:35: error:
   format string is not a string literal [-Werror,-Wformat-nonliteral]
  164 |         rc = vsnprintf(msg, sizeof(msg), fmt, arg);
      |                                          ^~~

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
6 weeks agothird_party: fix libquic build on older systems
Björn Baumbach [Fri, 8 Aug 2025 15:31:34 +0000 (17:31 +0200)] 
third_party: fix libquic build on older systems

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15896

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Björn Baumbach <bb@sernet.de>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
6 weeks agopytest:samba-tool group: remove unused imports
Douglas Bagnall [Fri, 1 Aug 2025 04:25:13 +0000 (16:25 +1200)] 
pytest:samba-tool group: remove unused imports

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Wed Aug 20 05:35:03 UTC 2025 on atb-devel-224

6 weeks agopytest: run user_keytrust tests as computer keytrust tests
Douglas Bagnall [Sun, 17 Aug 2025 09:59:07 +0000 (09:59 +0000)] 
pytest: run user_keytrust tests as computer keytrust tests

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
6 weeks agopytest: adapt user_keytrust tests to be objectclass agnostic
Douglas Bagnall [Sun, 17 Aug 2025 09:58:39 +0000 (09:58 +0000)] 
pytest: adapt user_keytrust tests to be objectclass agnostic

We will reuse the tests for the computer keytrust command.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
6 weeks agosamba-tool: copy user_keytrust to computer keytrust
Douglas Bagnall [Sun, 17 Aug 2025 09:57:55 +0000 (09:57 +0000)] 
samba-tool: copy user_keytrust to computer keytrust

This is exactly a copy of user/keytrust.py to computer_keytrust.py
with a title-case-preserving `s/user/computer/`.

It works. The Computer model differs from the User model in that it
appends a '$' to the end of account names if it senses the lack,
otherwise these commands are using the same code paths.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
6 weeks agosamba-tool computer: remove unused imports
Douglas Bagnall [Sun, 17 Aug 2025 08:39:38 +0000 (20:39 +1200)] 
samba-tool computer: remove unused imports

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
6 weeks agosamba-tool: add user keytrust command
Douglas Bagnall [Wed, 6 Aug 2025 02:01:14 +0000 (14:01 +1200)] 
samba-tool: add user keytrust command

This allows manipulation of key credential links for users.

See `man -l bin/default/docs-xml/manpages/samba-tool.8` for
documentation.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
6 weeks agosamba-tool: Command.message() can print multiple lines
Douglas Bagnall [Wed, 13 Aug 2025 04:21:14 +0000 (16:21 +1200)] 
samba-tool: Command.message() can print multiple lines

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
6 weeks agopy:key_credential_link: filter_kcl_list helper for samba-tool
Douglas Bagnall [Sun, 17 Aug 2025 08:34:57 +0000 (08:34 +0000)] 
py:key_credential_link: filter_kcl_list helper for samba-tool

This will be used in `samba-tool user keytrust delete` and `samba-tool
computer keytrust delete` and is mainly to deduplicate that code.

Potentially it could also be used in `keytrust view`.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
6 weeks agopy:key_credential_list: add kcl_in_list function
Douglas Bagnall [Fri, 15 Aug 2025 05:36:11 +0000 (17:36 +1200)] 
py:key_credential_list: add kcl_in_list function

This compares the key material and DN of a KeyCredentialLinkDn with a
list of others, which is a different sense of equality than the
default (which considers GUIDs and binary equality).

This will be used by samba-tool to check whether a link is in fact a
duplicate even if it seems not to be due to some insignificant field
being non-identical.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
6 weeks agopy:key_credential_links: allow encoding=='auto'
Douglas Bagnall [Fri, 15 Aug 2025 05:35:33 +0000 (17:35 +1200)] 
py:key_credential_links: allow encoding=='auto'

'auto' is the same as None. This is helpful to samba-tool.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
6 weeks agosamba-tool: add verbose flag to @exception_to_command_error
Douglas Bagnall [Wed, 13 Aug 2025 22:33:00 +0000 (10:33 +1200)] 
samba-tool: add verbose flag to @exception_to_command_error

Helpful in development.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
6 weeks agopy:tests: test key_credential_link module
Douglas Bagnall [Fri, 8 Aug 2025 03:04:51 +0000 (15:04 +1200)] 
py:tests: test key_credential_link module

These tests use the samba.key_credential_link module and a real samdb.

The existing key_credential_link tests address the IDL generated
structures more directly.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
6 weeks agopython:key_credential_link: add descriptive methods
Douglas Bagnall [Wed, 11 Jun 2025 04:16:54 +0000 (16:16 +1200)] 
python:key_credential_link: add descriptive methods

In samba-tool we are going to want a KeyCredentialLinkDn to be able
to describe itself. We're adding the methods here because
`samba-tool user` and `samba-tool computer` will both want to use
them.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
6 weeks agopython:models: do not re-use mutable defaults
Douglas Bagnall [Wed, 13 Aug 2025 05:19:16 +0000 (17:19 +1200)] 
python:models: do not re-use mutable defaults

This ensures that model.save works when a field has the many flag set,
but the object has no attribute of that name, and the caller appends
to the attribute list, like this:

      user.key_credential_link.append(link)

When we get to save, and are doing this:

      value = getattr(self, attr)
      old_value = getattr(existing_obj, attr)
      if value != old_value:
         # commit the change

the .append() will have added the item to both value and old_value
because they are the same list. But not any more.

This was a problem because the Field instance is attached to the
model class, not the model instance.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
6 weeks agosamba-tool: add decorator to catch exception types
Douglas Bagnall [Sat, 9 Aug 2025 04:27:42 +0000 (16:27 +1200)] 
samba-tool: add decorator to catch exception types

Often we [think we] know that all exceptions of a certain type should
be formatted as CommandErrors (i.e., the traceback is suppressed, and
the message is assumed intelligible). Rather than riddling .run() with
try...except blocks to do this, we can

@exception_to_command_error(ModelError)
def run(...)

which makes any ModelError into a CommandError in that samba-tool command.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
6 weeks agoman samba-tool: computer keytrust
Douglas Bagnall [Mon, 18 Aug 2025 09:02:57 +0000 (21:02 +1200)] 
man samba-tool: computer keytrust

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
6 weeks agoman samba-tool: user keytrust
Douglas Bagnall [Wed, 11 Jun 2025 02:20:51 +0000 (14:20 +1200)] 
man samba-tool: user keytrust

This documentation anticipates changes that will occur over the next
~20 commits.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>