Noel Power [Tue, 11 Jun 2024 10:19:50 +0000 (11:19 +0100)]
selftest: Add a python blackbox test for some misc (widelink) DFS tests
On master attempting to chdir into a nested dfs link
e.g. cd dfslink (works)
cd dfslink/another_dfslink (fails)
[1] Add a test for this scenario (nested chdir)
[2] Add test for enumerating a dfs link in root of dfs share
[3] Add a test to check case insensitive chdir into dfs link on widelink
enabled share
Add knownfails for tests 1 and 3
Signed-off-by: Noel Power <noel.power@suse.com> Reviewed-by: Jeremy Allison <jra@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15435
Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Noel Power <noel.power@suse.com>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Jun 11 17:00:38 UTC 2024 on atb-devel-224
Douglas Bagnall [Fri, 2 Feb 2024 02:01:21 +0000 (15:01 +1300)]
samba-tool user readpasswords: avoid `assert` for validation
`assert` can be optimised away if python is run with `-O`.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Jo Sutton <josutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Jun 11 05:32:28 UTC 2024 on atb-devel-224
Jo Sutton [Tue, 11 Jun 2024 02:58:11 +0000 (14:58 +1200)]
s4:auth: Handle expired accounts in authsam_account_ok() (CID 1603594)
We check the ACB_PW_EXPIRED bit to determine whether the account is
expired. Since ACB_PW_EXPIRED can’t be represented in a 16‐bit integer,
we must increase the width of acct_flags so as not to lose that bit.
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Wed, 1 May 2024 04:54:01 +0000 (16:54 +1200)]
ldb: Attach appropriate ldb context to returned result
This is done by adding a new API that avoids the problems of
ldb_dn_copy() and makes it clear that a struct ldb_context *
pointer will be stored in the new copy.
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Anoop C S [Wed, 29 May 2024 13:22:10 +0000 (18:52 +0530)]
s4/torture: Remove already existing test_dir
In configurations where vfs_acl_xattr is used with 'ignore system acls'
option we encounter NT_STATUS_ACCESS_DENIED while trying to open an
already existing test_dir in smb2.delete-on-close-perms.READONLY. Due
to missing SEC_STD_DELETE permission from the list of allowed ACEs it
couldn't be removed via previous call to smb2_deltree(). Thus as seen
with other tests we now call set_dir_delete_perms() so that subsequent
attempt to remove it can succeed.
Signed-off-by: Anoop C S <anoopcs@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Mon Jun 10 13:17:58 UTC 2024 on atb-devel-224
Anoop C S [Wed, 29 May 2024 13:11:32 +0000 (18:41 +0530)]
s4/torture: Create test_dir with SEC_RIGHTS_DIR_ALL
In shares where acl_xattr vfs module is loaded with 'ignore system acls'
set, smb2.delete-on-close-perms.FIND_and_set_DOC fails to open test_dir
due to NT_STATUS_ACCESS_DENIED as it lacks few permissions for owner
when created using create_dir(). Test case aims to set delete-on-close
for which delete permission is necessary in first place. Therefore we
now perform the creation and subsequent opening of directory using
torture_smb2_testdir() so that the open handle comes with SEC_STD_DELETE
permission.
Signed-off-by: Anoop C S <anoopcs@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Andrew Bartlett [Tue, 4 Jun 2024 01:26:18 +0000 (13:26 +1200)]
python/samba/tests/krb5: Allow PkInitTests.test_pkinit_ntlm_from_pac_must_change_now to pass on Samba/Heimdal
This flexiblity in the tests avoids requiring Samba/Heimdal to omit an NTSTATUS error
return and just be consistent between the different authentication paths.
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Jun 10 05:32:54 UTC 2024 on atb-devel-224
Andrew Bartlett [Fri, 17 May 2024 05:34:36 +0000 (17:34 +1200)]
kdc: Rotate smart-card only underlying password in 2nd half of lifetime
This is a measure to avoid multiple servers rotating the password
but means that the maximum password age really must be set to
twice the TGT lifetime, eg a default of 20 hours. The internet
suggestions of 1 day for this feature should work fine.
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Andrew Bartlett [Thu, 9 May 2024 04:24:31 +0000 (16:24 +1200)]
kdc: Track the pwdLastSet of expired UF_SMARTCARD_REQUIRED accounts
This is to gracefully deal with races and to avoid additional password
rollover in situations where the TGT lifetime is longer than the
maximum password lifetime. This is not a sensible combination, so
we just avoid the extra DB write, and update it only once per AS-REQ
in this case.
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Andrew Bartlett [Mon, 20 May 2024 23:14:50 +0000 (11:14 +1200)]
kdc: Detect (about to) expire UF_SMARTCARD_REQUIRED accounts and rotate passwords
This ensures that before the KDC starts to process the entry
we check if it is expired and rotate it. As an account with
UF_SMARTCARD_REQUIRED simply can not expire unless
msDS-ExpirePasswordsOnSmartCardOnlyAccounts is set and
the Domain Functional Level is >= 2016 we do not need
to do configuration checks here.
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Signed-off-by: Jo Sutton <josutton@catalyst.net.nz> Pair-programmed-by: Jo Sutton <josutton@catalyst.net.nz> Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Andrew Bartlett [Wed, 29 May 2024 02:51:01 +0000 (14:51 +1200)]
s4-auth: Use consistant externally-supplied time in auth stack
This makes the time during authentication stay consistent in the KDC
and follows the fake time when we are testing gMSA accounts. By having
the account expiry follow exactly the same clock as the password expiry
we can hope for less supprises.
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Andrew Bartlett [Wed, 29 May 2024 23:23:01 +0000 (11:23 +1200)]
ldb_wrap: Provide a way to avoid Samba using ldb_wrap()
ldb_wrap is a caching mechansim, and it should probably be removed
but for now provide a way to avoid it in specific cases where we
know it is harmful.
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Andrew Bartlett [Mon, 20 May 2024 01:51:23 +0000 (13:51 +1200)]
dsdb: Prepare to handle smartcard password rollover
We do this by allowing the password change control to indicate
that the password is to be randomised, bypassing the quality
checks (as true random passwords often fail these) and
re-randomising with the same code as is used for the KDC.
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Andrew Bartlett [Fri, 17 May 2024 03:10:18 +0000 (15:10 +1200)]
dsdb: Use dsdb_gmsa_current_time() in construct_msds_user_account_control_computed
This both allows the time to be overriden in some future unit tests
(which is incredibly helpful in testing) and gets a full NTTIME
rather than just a time_t based time, so we do not need to wait
an extra second for the NTTIME to change.
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Andrew Bartlett [Tue, 2 Apr 2024 21:53:11 +0000 (10:53 +1300)]
python/samba/krb5: Add test for password rotation on UF_SMARCARD_REQUIRED accounts
This demonstrates behaviour against a server presumed to be in FL 2016
what the impact of the msDS-ExpirePasswordsOnSmartCardOnlyAccounts
attribute is.
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Andrew Bartlett [Thu, 2 May 2024 04:02:58 +0000 (16:02 +1200)]
python/tests/krb5: Expect AES keys for UF_SMARTCARD_REQUIRED
Windows 2022 at April 2024 has change and now includes the
AES keys for accounts with UF_SMARTCARD_REQUIRED, so revert
part of the change in b2fe1ea1c6aba116b31a1c803b4e0d36ac1a32ee.
(This is an improvement to Windows security).
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Andrew Bartlett [Mon, 27 May 2024 06:53:42 +0000 (18:53 +1200)]
python/samba/tests/krb5: Extend PKINIT tests to show kpasswd still works
We have had confirmed from MS that this behaviour is both deliberate
and required. Possession of the credential is (by the returned PAC
containing the NT hash) possession of the password, and it must be
possible to change the password to a known value otherwise DPAPI
(local keychain) secured by this value can fail on the client.
Signed-off-by: MikeLiu <mikeliu@qnap.com> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Jun 7 18:30:34 UTC 2024 on atb-devel-224
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Jun 6 21:32:53 UTC 2024 on atb-devel-224
s3:utils: Remove overwrite of opt_workgroup in rpc_trustdom_establish()
This is not used anywhere in that functions or the functions we are
calling. It was replaced by command line cli credentials stored in
c->creds. This fixes a memory leak.
Direct leak of 12 byte(s) in 1 object(s) allocated from:
#0 0x7f17fdaf5830 in strdup ../../../../libsanitizer/asan/asan_interceptors.cpp:578
#1 0x7f17fc7e7339 in smb_xstrdup ../../lib/util/util.c:752
#2 0x55f079bf0723 in rpc_trustdom_establish ../../source3/utils/net_rpc.c:6591
#3 0x55f079c529af in net_run_function ../../source3/utils/net_util.c:464
#4 0x55f079bdbecf in rpc_trustdom ../../source3/utils/net_rpc.c:7483
#5 0x55f079c529af in net_run_function ../../source3/utils/net_util.c:464
#6 0x55f079bfe7de in net_rpc ../../source3/utils/net_rpc.c:8413
#7 0x55f079c529af in net_run_function ../../source3/utils/net_util.c:464
#8 0x55f079baa0a8 in main ../../source3/utils/net.c:1436
#9 0x7f17f8a2a1ef in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
s4:dns_server: no-op dns updates with ACCESS_DENIED should be ignored
If the client does not have permissions to update the record,
but the record already has the data the update tries to apply,
it's a no-op that should result in success instead of failing.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Jun 6 03:18:16 UTC 2024 on atb-devel-224
Andrew Bartlett [Sun, 26 May 2024 21:24:13 +0000 (09:24 +1200)]
build: Make "samba4" public libraries provided (mostly) for OpenChange private
These libraries, mostly with ABI versions of 0.0.1 were made public in
the early development of Samba4 and have not been seriously considered
since. Most are to allow OpenChange to build.
While the OpenChange server is no longer actively used, the MAPI
client is used and we need to allow packages to be built that will
allow the Evolution MAPI client to still work.
Some appear to be mistakes (dcerpc-samr), historical abberations
(tevent-util) or ideas that did not go very far (the samba-policy
library for example).
To allow any remaining users to access them, they are not made private
in the build system but are instead listed so that they can be made
public again via ./configure with the same --private-libraries='!LIB'
syntax introduced to make ldb private by default.
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Jun 5 21:47:24 UTC 2024 on atb-devel-224
Andrew Bartlett [Mon, 27 May 2024 07:44:38 +0000 (19:44 +1200)]
s4-libnet: Split up samba-net into samba-net and samba-net-join
samba-net-join links to python and so needs the variable name
with the python ABI tag, while samba-net is a normal C library
and can be included in a package without python dependencies.
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
Jo Sutton [Tue, 28 May 2024 04:59:30 +0000 (16:59 +1200)]
tests/krb5: Calculate correct gMSA password to fix flapping test
If this test happens to be run in the five minute window prior to the
next ten‐hour GKDI interval — about once every one hundred and twenty
runs — the ‘current’ password requested from LDAP will actually be the
future password, which won’t match what’s in the database.
Instead of taking the password from LDAP, calculate it ourselves with
expected_gmsa_password_blob().
[330(7038)/334 at 43m51s] samba.tests.krb5.gmsa_tests(ad_dc:local)
UNEXPECTED(failure): samba.tests.krb5.gmsa_tests.samba.tests.krb5.gmsa_tests.GmsaTests.test_retrieving_managed_password_triggers_keys_update(ad_dc:local)
REASON: Exception: Exception: Traceback (most recent call last):
File "/builds/samba-testbase/samba-def-build/bin/python/samba/tests/krb5/gmsa_tests.py", line 1091, in test_retrieving_managed_password_triggers_keys_update
self.assertEqual(creds.get_nt_hash(), nt_hash)
AssertionError: b'\xcf[\xe8:\xc7-\xd4V\xce\t\xfc\xcd\x06.T\x8a' != b'c\xc5\x97k\x17"G\x1e\x81>\xacV\x9d.*\x14'
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Jun 4 20:52:09 UTC 2024 on atb-devel-224
s3:winbind: Fix idmap_ad creating an invalid local krb5.conf
In case of a trusted domain, we are providing the realm of the primary
trust but specify the KDC IP of the trusted domain. This leads to
Kerberos ticket requests to the trusted domain KDC which doesn't know
about the machine account. However we need a ticket from our primary
trust KDC.
Volker Lendecke [Mon, 2 Jan 2023 15:35:16 +0000 (16:35 +0100)]
smbd: list reparse tag in QUERY_DIRECTORY
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Jun 4 17:39:21 UTC 2024 on atb-devel-224
Volker Lendecke [Mon, 2 Jan 2023 15:01:28 +0000 (16:01 +0100)]
tests: Check that query_directory lists the reparse tag
With the source3/ based clilist.c, we can't test all infolevels where
this matters (see callers of get_dirent_ea_size()). But porting the
source4 based all-infolevel search code into source3/libsmb or doing
this one the reparse point test in the source4 infrastructure to me
seems like a lot of effort for moderate gain.
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Jo Sutton [Tue, 28 May 2024 03:12:36 +0000 (15:12 +1200)]
s3:rpc_server: Check query level according to MS-NRPC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15465 Signed-off-by: Jo Sutton <josutton@catalyst.net.nz> Reviewed-by: Noel Power <noel.power@suse.com>
Autobuild-User(master): Noel Power <npower@samba.org>
Autobuild-Date(master): Tue Jun 4 09:39:42 UTC 2024 on atb-devel-224
Jo Sutton [Tue, 28 May 2024 03:10:51 +0000 (15:10 +1200)]
s3:rpc_server: Check function code according to MS-NRPC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15465 Signed-off-by: Jo Sutton <josutton@catalyst.net.nz> Reviewed-by: Noel Power <noel.power@suse.com>
Noel Power [Mon, 25 Sep 2023 08:58:33 +0000 (09:58 +0100)]
s3/rpc_server: Fix dereference of client pointer
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15465 Signed-off-by: Noel Power <noel.power@suse.com> Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Noel Power [Sun, 24 Sep 2023 00:03:37 +0000 (01:03 +0100)]
s4/torture: Test with level 4 with NETLOGON_CONTROL_SET_DBFLAG function
Change levels tested from 1 - 3 to 1 - 4 for NETLOGON_CONTROL_SET_DBFLAG
This change triggers a core dump in the server and so we add a knownfail
here. Following commit will fix (and remove known fail)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15465 Signed-off-by: Noel Power <noel.power@suse.com> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Noel Power [Mon, 25 Sep 2023 09:30:30 +0000 (10:30 +0100)]
s4/torture: Prepare to handle Level 4 check with unknown func code
A future (next) commit will change the NETLOGON_CONTROL_SET_DBFLAG test
to use levels 1 - 4 (current test just tests 1 - 3). A side affect of
this test is that the following test will now test passing an unknown
function code against against Level 4 (previously level 3).
Unfortunately s4 and s3 netlogon server results differ when handling
a level 4 request with an unknown function code.
s3 server returns WERR_NOT_SUPPORTED and
s4 server returns WERR_INVALID_PARAMETER.
For level 3 both return WERR_NOT_SUPPORTED.
MS-NRPC doesn't seem to specifically indicate the required response in
this case.
this commit modifies the test to cater for either response (for either
level) A future commit could explore the test response combinations more
thorougly.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15465 Signed-off-by: Noel Power <noel.power@suse.com> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
projects / thirdparty / samba.git / log
