s3:libads: move ads->auth.time_offset to ads->config.time_offset
There's no reason to pass the LDAP servers time to the kerberos
libraries, as we may talk to a KDC different than the LDAP server!
Also Heimdal handles AS-REQ with KRB5KRB_AP_ERR_SKEW fine and
retries with the time from the krb-error.
MIT records the time from the KDC_ERR_PREAUTH_REQUIRED response
in order to use the KDCs time.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
This is just a temporary change until the highlevel caller
will pass in a cli_credentials structure and we'll get rid of
ads->auth.{user_name,realm,password}.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
s3:libsmb: explicitly use the default krb5 ccache in cli_session_creds_init() without a password
This happened implicitly as the gse_krb5 module always used the default
krb5 ccache, but that will change soon.
If kerberos is requested without a fallback to ntlm AND
the caller doesn't provide a password we'll use the
default ccache. This will keep our the following tests
happy once the gse_krb5 module changes the behavior:
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri May 10 01:35:18 UTC 2024 on atb-devel-224
Earl Chew [Sat, 16 Dec 2023 16:48:36 +0000 (08:48 -0800)]
Combine ICU libraries icu-i18n and icu-uc into a single dependency
Rather than probing for icu-i18n, icu-uc, and icudata libraries
separately, only probe for icu-i18n, and icu-uc, as direct dependencies
This avoids overlinking with icudata, and allows the package
to build even when ICU is not installed as a system library.
RN: Only use icu-i18n and icu-uc to express ICU dependency
Earl Chew [Sun, 17 Dec 2023 01:47:09 +0000 (17:47 -0800)]
Improve CHECK_LIB interaction with CHECK_PKG
When checking for shared libraries, only name the target library
if it was not previously discoverd by pkg-config --libs and now
available from uselib_store. This avoids using both sources of
information which results in the library being named twice on
the command line.
Once the library is confirmed by CHECK_LIB, append the library if
not already present, to avoid dropping libraries that were
previously discovered by CHECK_PKG.
selftest: add test for User.get_primary_group method
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
python: models: add get_primary_group method to User model
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
This argument is actually an instance of SamDB (which inherits from Ldb).
This should have been called samdb.
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
tests/ntacls: unblock failing gitlab pipelines because test_setntacl_forcenative
This expects PermissionError: [Errno 1] Operation not permitted,
but it seems that setxattr() for security.NTACL works on gitlab
runners without being root.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Sat, 4 May 2024 01:40:35 +0000 (13:40 +1200)]
ldb-samba: ldif_read_objectSid avoids VLA
I don't think this variable length array is any trouble, but people
complain about them (e.g. https://nullprogram.com/blog/2019/10/27/)
because they make things more complex at run-time, and this is a
somewhat performance sensitive path.
DOM_SID_STR_BUFLEN + 1 is 191 -- if that stack allocation is going to
cause trouble, then so was the VLA <= that.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed May 8 00:26:42 UTC 2024 on atb-devel-224
Douglas Bagnall [Sat, 4 May 2024 01:32:39 +0000 (13:32 +1200)]
ldb-samba: ldif_read_objectSid() short-circuits without 'S'
This avoids a memcpy, and level 3 debug verbosity from
dom_sid_parse_endp().
In other places we have something like `|| in->data[1] != '-'`, but
that is not useful here -- the value is either a string SID, or a
binary SID that starts with '\1', or some awful value that we *do*
want to get messages about.
This replaces the work of ldif_comparision_objectSid_isString().
Douglas Bagnall [Fri, 26 Apr 2024 03:58:44 +0000 (15:58 +1200)]
ldb:attrib_handlers: reduce non-transitive behaviour in ldb_comparison_fold
If two strings are invalid UTF-8, the string is first compared with
memcmp(), which compares as unsigned char.
If the strings are of different lengths and one is a substring of the
other, the memcmp() returns 0 and a second comparison is made which
assumes the next character in the shorter string is '\0' -- but this
comparison was done using SIGNED chars (on most systems). That leads
to non-transitive comparisons.
Consider the strings {"a\xff", "a", "ab\xff"} under that system.
"a\xff" < "a", because (char)0xff == -1.
"ab\xff" > "a", because 'b' == 98.
"ab\xff" < "a\xff", because memcmp("ab\xff", "a\xff", 2) avoiding the
signed char tiebreaker.
(Before c49c48afe09a1a78989628bbffd49dd3efc154dd, the final character
might br arbitrarily cast into another character -- in latin-1, for
example, the 0xff here would have been seen as 'ÿ', which would be
uppercased to 'Ÿ', which is U+0178, which would be truncated to
'\x78', a positive char.
On the other hand e.g. 0xfe, 'þ', would have mapped to 0xde, 'Þ',
remaining negative).
This is unused because it does things badly, by just guessing and
not allowing valid sids that start with "s-". All the places that used
to use it were calling ldif_read_objectSid() or similar which correctly
check for string SIDs by actually trying to parse them. That begins
with looking for the "S-"/"s-", so this shortcut is not saving any real
work.
Douglas Bagnall [Wed, 17 Apr 2024 12:38:17 +0000 (00:38 +1200)]
ldb-samba: simplify ldif_comparison_objectSid()
The ldif_comparision_objectSid_isString() call is both wrong
(disallowing "s-") and redundant, because ldif_read_objectSid() calls
dom_sid_parse(), which does the check properly.
Douglas Bagnall [Thu, 2 May 2024 23:24:02 +0000 (11:24 +1200)]
pytest: sid_strings: adjust to match Windows 2016
9 hex-digit subauths like '0xABCDef123' will not fit in 32 bits, so
should be rejected on parsing.
In other situations, such as defaultSecurityDescriptor, overflowing
SID subauths on Windows will saturate to 0xffffffff, resulting in a
valid but probably meaningless SID. It is possible that in previous
testing we saw that here, but it is more likely I got confused. In any
case, now I see them being rejected, and that is good.
The saturating defaultSecurityDescriptor case is tested in
SidStringBehavioursThatWindowsAllows.
Douglas Bagnall [Thu, 2 May 2024 23:19:16 +0000 (11:19 +1200)]
pytest: sid_strings: Windows does allow lowercase s-1-... SIDs
And so should we.
Right now, these tests won't pass against Windows because they rely on
ldb pre-parsing of the SIDs, so they fail before Windows gets to see
them. Running them against Windows looks something like this, BTW:
Douglas Bagnall [Thu, 2 May 2024 02:24:18 +0000 (14:24 +1200)]
pytest: sid_strings: use more reliable well known SID
It seems as if the well-known SID S-1-5-32-579
(DOMAIN_ALIAS_RID_ACCESS_CONTROL_ASSISTANCE_OPS) is
not always present -- specifically, it was not there on the
Windows machine used to develop these tests, but it is there on
the one I am now using.
S-1-5-32-545 (DOMAIN_ALIAS_RID_USERS) is surely going to exist,
so we use that instead.
That changes some of the assertions, making some NO_SUCH_OBJECTs
into successes.
For these tests we are only interested in the parsing of the SIDs, not
their meaning, so it's OK to change it.
Douglas Bagnall [Tue, 16 Apr 2024 11:31:45 +0000 (23:31 +1200)]
ldb:tests: add a test for dotted i uppercase
This didn't fail in the tr_TR locale before recent changes for
https://bugzilla.samba.org/show_bug.cgi?id=15637, because this is a
different casefold codepath. But it could fail if that other path goes
wrong, so we might as well have the test.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Tue, 7 May 2024 10:32:08 +0000 (22:32 +1200)]
.gitlab-ci: Remove tags no longer provided by gitlab.com
GitLab.com removed a number of tags from their hosted
runners and this meant our CI was being redirected to
our private runners at a larger cost to the Samba Team.
The new infrastructure is much larger than when we last
selected runners so we can just use the default, even for
the code coverage build.
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue May 7 13:40:55 UTC 2024 on atb-devel-224
s3:libsmb: let cli_session_creds_init() keep the value from 'client use kerberos'
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue May 7 12:33:29 UTC 2024 on atb-devel-224
projects / thirdparty / samba.git / log
