Gabriel Nagy [Wed, 16 Aug 2023 09:20:11 +0000 (12:20 +0300)]
gp: Convert CA certificates to base64
I don't know whether this applies universally, but in our case the
contents of `es['cACertificate'][0]` are binary, so cleanly converting
to a string fails with the following:
'utf-8' codec can't decode byte 0x82 in position 1: invalid start byte
We found a fix to be encoding the certificate to base64 when
constructing the CA list.
Section 4.4.5.2 of MS-CAESO also suggests that the content of
`cACertificate` is binary (OCTET string).
Signed-off-by: Gabriel Nagy <gabriel.nagy@canonical.com> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: David Mulder <dmulder@samba.org>
Gabriel Nagy [Fri, 18 Aug 2023 14:06:43 +0000 (17:06 +0300)]
gp: Test with binary content for certificate data
This fails all GPO-related tests that call `gpupdate --rsop`.
Signed-off-by: Gabriel Nagy <gabriel.nagy@canonical.com> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: David Mulder <dmulder@samba.org>
Gabriel Nagy [Fri, 11 Aug 2023 15:46:42 +0000 (18:46 +0300)]
gp: Change root cert extension suffix
On Ubuntu, certificates must end in '.crt' in order to be considered by
the `update-ca-certificates` helper.
Signed-off-by: Gabriel Nagy <gabriel.nagy@canonical.com> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: David Mulder <dmulder@samba.org>
Gabriel Nagy [Wed, 16 Aug 2023 22:09:28 +0000 (01:09 +0300)]
gp: Support update-ca-trust helper
This is used on RHEL/Fedora instead of update-ca-certificates. They
behave similarly so it's enough to change the command name.
Signed-off-by: Gabriel Nagy <gabriel.nagy@canonical.com> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: David Mulder <dmulder@samba.org>
Gabriel Nagy [Wed, 16 Aug 2023 22:05:54 +0000 (01:05 +0300)]
gp: Support more global trust directories
In addition to the SUSE global trust directory, add support for RHEL and
Debian-based distributions (including Ubuntu).
To determine the correct directory to use, we iterate over the variants
and stop at the first which is a directory.
In case none is found, fallback to the first option which will produce a
warning as it did previously.
Signed-off-by: Gabriel Nagy <gabriel.nagy@canonical.com> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: David Mulder <dmulder@samba.org>
We use strlcpy() which has been added to glibc recently. This means we
also get fortification for strlcpy() now:
source3/nmbd/nmbd_browsesync.c: In function ‘find_domain_master_name_query_success’:
source3/nmbd/nmbd_browsesync.c:337:9: warning: ‘strlcpy’ writing 257 bytes into a
region of size 16 overflows the destination [-Wstringop-overflow=]
337 | strlcpy(userdata->data, work->work_group, size - sizeof(*userdata));
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
We allocate memory for the userdata struct + fstring. However the data
pointer we use only is 16 bytes. Also nowadays you would use offsetof()
for the allocation calculation, but it only works correctly on newer
compilers like gcc > 7. We could make use of it in future after CentOS 7
is gone.
As we don't want to touch nmbd anymore, just silence the warnings.
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Martin Schwenke [Wed, 26 Jul 2023 10:43:37 +0000 (20:43 +1000)]
util: Avoid logging to multiple backends for stdout/stderr
Commit 83fe7a0316d3e5867a56cfdc51ec17f36ea03889 converted the
stdout/stderr logging types to DEBUG_FILE to get a header when using
DEBUG_SYSLOG_FORMAT_ALWAYS. However, this causes all configured
backends to be invoked. When syslog is one of those backends then
this is almost certainly not what is intended.
Instead, call debug_file_log() directly in that special case and
revert the parts of the above commit that convert to file logging.
Most of the changes to debughdrclass() still seem necessary, since
they handle the change of debug_syslog_format from a bool to an enum.
Signed-off-by: Martin Schwenke <mschwenke@ddn.com> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Mon Aug 28 01:21:07 UTC 2023 on atb-devel-224
Douglas Bagnall [Mon, 21 Aug 2023 22:14:50 +0000 (10:14 +1200)]
selftest:ndrdump: adjust xattr_NTACL test for ACE coda
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Aug 24 03:47:08 UTC 2023 on atb-devel-224
Douglas Bagnall [Wed, 9 Aug 2023 02:15:27 +0000 (14:15 +1200)]
pytest: compare Samba vs Windows SDDL security descriptors
Can Samba understand Windows security descriptors? Does it parse SDDL
the same way?
Here we test on over 7000 SDDL/descriptor pairs and find the answer
is pleasing. In later commits we will add more tests using different
classes of ACE.
The test cases are derived from fuzz seeds, exported to Windows via
the script in the last commit, with the Windows descriptor bytes found
using libcli/security/tests/windows/windows-sddl-test.py.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Fri, 11 Aug 2023 10:21:41 +0000 (22:21 +1200)]
libcli/security: test helper script extracts fuzz SDDL
This allows us to try the fuzz seeds as SDDL on Windows, then test
that Samba matches Windows' security descriptors in the cases where
the SDDL compiles. This will find SDDL edge cases that might otherwise
be missed.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 3 Aug 2023 23:52:17 +0000 (11:52 +1200)]
libcli/security: rewrite SDDL tests for running on Windows
This script never worked well because it had to shell out to
Powershell, which never worked well due to syntax conflicts and
Powershell's specialness. The attempted ctypes version did not work,
due to the difficulty in expressing things like "relative
PSECURITY_DESCRIPTOR" in ctypes.
It turns out that pywin32 is easy to install and use, and we can
extract the NDR bytes which is far more useful than just testing if
the SDDL parses.
On Windows:
1. install Python from python.org
2. run `pip install pywin32`
3. copy e.g. libcli/security/tests/data/conditional-aces.txt to Windows
4. run `python windows-sddl-tests.py conditional-aces.txt`
5. add `--help` to see how to export descriptor bytes.
The default output is a whole lot of multi-coloured text, indicating
what failed and what didn't.
With --export-json it writes a JSON file mapping SDDL strings to NDR
byte sequences, which can be used to compare with Samba's attempts. If
you are only interested in --export-json, you might also like --quiet.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 26 Jul 2023 05:50:22 +0000 (17:50 +1200)]
libcli/security: script to turn token/descriptor pairs into sddl
We fuzz security descriptors in a couple of different ways, and this
maps seeds from one form into the other. The SDDL examples can also be
used in Windows tests.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 13 Jul 2023 09:31:50 +0000 (21:31 +1200)]
librpc/security.idl: adjust size calculations for upcoming ace types
Soon we will get Conditional ACEs and Resource Attribute ACES, each of
which have trailing bytes at the end of the ACE. Here's a diagram:
____ The ACE size field may indicate a size bigger
.type / | than the known parts, even when you take
.flags / | rounding to a multiple of four into account.
.size --' | This extra data is meaningful in some ACEs.
.access_mask |
.trustee (sid) _| <- known data ends here.
:
"coda" ___: <- the trailing part, Zero size unless the size
field points beyond the end of the known data.
Probably empty for ordinary ACE types.
Until now we have thrown away these extra bytes, because they have no
meaning in the ACE types we recognise. But with conditional and
resource attribute ACEs we need to catch and process these bytes, so
we add an extra field for that.
Thus we can drop the manually written ndr_pull_security_ace() that
discarded the trailing bytes, because we just allow it to be pulled
into an unused blob. In the very common case, the blob will be empty.
Microsoft does not use a common name across different ACE types to
describe this end-data -- "coda" is a Samba term.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Fri, 21 Jul 2023 04:51:53 +0000 (16:51 +1200)]
libcli/security: sddl ACL decode avoids early splitting on parenthesis
Soon we will have Conditional ACEs and Resource Attribute ACEs. It is
expected --indeed mandatory-- that the SDDL representations of these
ACEs will contain parentheses, so we can't use '(' and ')' to decide
where ACEs stop and start.
This means shifting where we make a mutable copy of the SDDL string
from per-ACE to per-ACL, and allowing sddl_decode_ace() to decide when
its ACE is finished.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 10 Aug 2023 23:08:00 +0000 (11:08 +1200)]
pytest/sddl: replace/export tests based on environment vars
We had a stupid system involving test functions with side-effects,
that needed to be enabled by editing the file. Now you get the same
effects by setting environment variables, the names of which you can
only learn by reading the file closely.
This works better because some stuff needs to happen at class-time
rather than instance-time.
Also the environment variables specify the import and export locations.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Aug 23 09:29:51 UTC 2023 on atb-devel-224
MikeLiu [Tue, 22 Aug 2023 02:01:14 +0000 (10:01 +0800)]
vfs_aio_pthread: use SMB_VFS_NEXT_OPENAT() in aio_pthread_openat_fn()
1. Set 'aio_allow_open' to false if fsp->fsp_flags.is_pathref
2. Move !(how->flags & O_CREAT) and !(how->flags & O_EXCL) up and set 'aio_allow_open' to false
3. Use SMB_VFS_NEXT_OPENAT() instead of openat() for disable async opens case.
Signed-off-by: MikeLiu <mikeliu@qnap.com> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Aug 22 17:44:00 UTC 2023 on atb-devel-224
Joseph Sutton [Thu, 17 Aug 2023 01:29:41 +0000 (13:29 +1200)]
selftest: Report time at which testsuite starts
With no call to report_time() preceding it,
PlainFormatter.start_testsuite() would always claim that no time had
elapsed prior to the first testsuite starting to run. This gave a
misleading impression of the time spent running the first testsuite. Now
the time will be consistent with that reported for subsequent
testsuites, and will properly include any time that test environments
took to start up.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Aug 22 00:36:52 UTC 2023 on atb-devel-224
Joseph Sutton [Thu, 17 Aug 2023 00:46:17 +0000 (12:46 +1200)]
selftest: Fix subunit reporting the time incorrectly
Although report_time() would output the time in UTC, it neglected to
specify the timezone offset. Thus subunithelper.parse_results() would
interpret the time string it was given as being in local time.
TestProtocolClient.time() then converted that *back* into UTC, giving an
incorrect result (unless UTC is your local timezone).
Fix this by having report_time() indicate that the time zone is UTC.
Joseph Sutton [Tue, 15 Aug 2023 22:18:59 +0000 (10:18 +1200)]
s4:kdc: Set SAMBA_KDC_FLAG_PROTOCOL_TRANSITION flag for MIT Kerberos
This flag was set in commit 461dc44e740aacad41bb0df0552560d1eb3c6ea8,
but only in mit_samba_reget_pac(); it was not set in the newer function,
mit_samba_update_pac(), used with MIT Kerberos 1.20 and above.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 15 Aug 2023 03:16:57 +0000 (15:16 +1200)]
s4:kdc: Remove support code for older versions of MIT Kerberos
The oldest version we now support is 1.21. For every supported version
we can be certain that KRB5_KDB_API_VERSION >= 10 and
KRB5_KDB_DAL_MAJOR_VERSION >= 9.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Sun, 13 Aug 2023 22:50:37 +0000 (10:50 +1200)]
s4:kdc: Do not panic if authsam_logon_success_accounting() fails
In hdb_samba4_audit(), ERR_GENERIC signals an unexpected situation — if
we encounter that error code while running under selftest, we’ll panic.
In response to an expected event such as the failure of
authsam_logon_success_accounting(), it’s more appropriate to continue to
run.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 17 Aug 2023 01:29:49 +0000 (13:29 +1200)]
python:tests: Reuse policies and silos created by setUp() across all tests
We now create the claims in setUp() only once, preserving them so as to
reuse them across all of the tests using this class. Then we finally
delete them all in tearDownClass().
addClassCleanup() could make this cleaner, but it’s available only in
Python 3.8 and above.
This change reduces the time taken by my machine to run
samba.tests.samba_tool.domain_auth_policy from two minutes to ten
seconds.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 16 Aug 2023 22:27:44 +0000 (10:27 +1200)]
python:tests: Reuse claims created by setUp() across all tests
We now create the claims in setUp() only once, preserving them so as to
reuse them across all of the tests in this class. Then we finally delete
them all in tearDownClass().
addClassCleanup() could make this cleaner, but it’s available only in
Python 3.8 and above.
This change reduces the time taken by my machine to run these tests from
four minutes to twenty seconds.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Aug 15 19:41:50 UTC 2023 on atb-devel-224
Joseph Sutton [Tue, 15 Aug 2023 00:31:54 +0000 (12:31 +1200)]
claims.idl: Use ‘int64’ instead of ‘dlong’ for INT64 claims
This field is supposed to be aligned to eight bytes, but the ‘dlong’
type is aligned to only four bytes. This discrepancy resulted in claims
being encoded and decoded incorrectly.
Joseph Sutton [Tue, 15 Aug 2023 00:29:03 +0000 (12:29 +1200)]
librpc:ndr: Add ‘int64’ type
This type behaves like a signed variant of ‘hyper’. Unlike the existing
‘dlong’ type, which has four byte alignment, ‘int64’ is aligned to eight
bytes.
projects / thirdparty / samba.git / log
