git.ipfire.org Git - thirdparty/samba.git/log
3 years ago selftest: remove unused import
Rob van der Linde [Wed, 22 Feb 2023 22:54:16 +0000 (11:54 +1300)] 
selftest: remove unused import

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
3 years ago selftest: pep8: too many blank lines
Rob van der Linde [Wed, 22 Feb 2023 22:53:30 +0000 (11:53 +1300)] 
selftest: pep8: too many blank lines

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
3 years ago selftest: Fix some typos in selftest tests.py
Rob van der Linde [Tue, 21 Feb 2023 00:11:13 +0000 (13:11 +1300)] 
selftest: Fix some typos in selftest tests.py

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
3 years ago selftests: Make sure print queue is empty before printing_var_exp test ends
Samuel Cabrero [Fri, 17 Feb 2023 16:22:39 +0000 (17:22 +0100)] 
selftests: Make sure print queue is empty before printing_var_exp test ends

Although "lpq cache time" is 0 in the test environment the
"print_queue_length()" function can still return cached results. This is
because the print_queue_length() function calls print_queue_update(),
which just sends MSG_PRINTER_UPDATE to the samba-bgqd daemon and returns
without waiting for the daemon to update it.

This behavior causes problems in the selftests between
samba3.blackbox.printing_var_exp and samba3.rpc.spoolss.printserver
because when the latter enumerates the printers at different levels and
compares the results the number of jobs can differ depending if samba-bgqd
updates the cache in between print_queue_update() and
get_queue_status() in the print_queue_length() function:

  test: samba3.rpc.spoolss.printserver.printserver.enum_printers(nt4_dc)
  time: 2023-02-17 13:07:34.043842Z
  Testing EnumPrinters level 0
  Testing EnumPrinters level 1
  Testing EnumPrinters level 2
  Checking EnumPrinters level 0 printer print_var_exp (ref print_var_exp)
  time: 2023-02-17 13:07:34.285992Z
  failure: samba3.rpc.spoolss.printserver.printserver.enum_printers(nt4_dc) [
  Exception: Exception: ../../source4/torture/rpc/spoolss.c:1132: cur->info0.cjobs was 1 (0x1), expected 0 (0x0): invalid value

To fix it, make sure the queue is empty before printing_var_exp test
ends.

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Feb 20 22:58:44 UTC 2023 on atb-devel-224

3 years ago Skip running a C program during cross compilation
Helmut Grohne [Sun, 5 Feb 2023 21:18:13 +0000 (21:18 +0000)] 
Skip running a C program during cross compilation

When passing --cross-compile, one has to specify a --cross-answers file
and this test cannot be performed anyway, so skip it already.

Signed-off-by: Helmut Grohne <helmut@subdivi.de>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
3 years ago python:tests: Make sure we delete the OU for movetest
Andreas Schneider [Wed, 8 Feb 2023 14:44:43 +0000 (15:44 +0100)] 
python:tests: Make sure we delete the OU for movetest

UNEXPECTED(failure): samba.tests.samba_tool.group.samba.tests.samba_tool.group.GroupCmdTestCase.test_move(ad_dc_default:local)
REASON: Exception: Exception: Traceback (most recent call last):
  File "python/samba/tests/samba_tool/group.py", line 341, in test_move
    self.assertCmdSuccess(result, out, err)
  File "python/samba/tests/samba_tool/base.py", line 97, in assertCmdSuccess
    self.assertIsNone(exit, msg=msg.replace("\n]\n", "\n] \n"))
AssertionError: -1 is not None : exit[-1] stdout[] stderr[ERROR(ldb): Failed to
  add ou "OU=movetest,DC=addom,DC=samba,DC=example,DC=com" - Entry
  OU=movetest,DC=addom,DC=samba,DC=example,DC=com already exists

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15308

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
3 years ago python:tests: Add missing result checks for samba_tool.gpo tests
Andreas Schneider [Thu, 9 Feb 2023 17:32:59 +0000 (18:32 +0100)] 
python:tests: Add missing result checks for samba_tool.gpo tests

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15308

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
3 years ago python:tests: Tell dns.resolver to not read /etc/resolv.conf
Andreas Schneider [Wed, 8 Feb 2023 11:21:10 +0000 (12:21 +0100)] 
python:tests: Tell dns.resolver to not read /etc/resolv.conf

We explicitly set the nameserver in the next line. Also the file
/etc/resolv.conf might not exist on the system (e.g in Fedora mockbuild).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15308

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
3 years ago python:tests: Fix domain_backup test with Python 3.11
Andreas Schneider [Wed, 8 Feb 2023 10:16:12 +0000 (11:16 +0100)] 
python:tests: Fix domain_backup test with Python 3.11

Traceback (most recent call last):
  File "bin/python/samba/tests/domain_backup.py", line 615, in test_backup_restore_with_conf
    self._test_backup_restore_with_conf()
  File "bin/python/samba/tests/domain_backup.py", line 244, in _test_backup_restore_with_conf
    self.restore_backup(backup_file, ["--configfile=" + smbconf])
  File "bin/python/samba/tests/domain_backup.py", line 421, in restore_backup
    self.run_cmd(args)
  File "bin/python/samba/tests/domain_backup.py", line 384, in run_cmd
    self.cleanup_tempdir()
  File "bin/python/samba/tests/domain_backup.py", line 370, in cleanup_tempdir
    shutil.rmtree(filepath)
  File "/usr/lib64/python3.11/shutil.py", line 732, in rmtree
    _rmtree_safe_fd(fd, path, onerror)
  File "/usr/lib64/python3.11/shutil.py", line 635, in _rmtree_safe_fd
    onerror(os.scandir, path, sys.exc_info())
  File "/usr/lib64/python3.11/shutil.py", line 631, in _rmtree_safe_fd
    with os.scandir(topfd) as scandir_it:
         ^^^^^^^^^^^^^^^^^
NotADirectoryError: [Errno 20] Not a directory:
  'st/tmp/tmp7usvex3t/samba-backup-2023-02-08T10-13-18.461113.tar.bz2'

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15308

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
3 years ago python:tests: Make sure we do not run into issues with already existing users
Andreas Schneider [Wed, 8 Feb 2023 09:17:05 +0000 (10:17 +0100)] 
python:tests: Make sure we do not run into issues with already existing users

UNEXPECTED(failure): samba.tests.samba_tool.user.samba.tests.samba_tool.user.UserCmdTestCase.test_getpwent(ad_dc_ntvfs:local)
REASON: Exception: Exception: Traceback (most recent call last):
  File "/builddir/build/BUILD/samba-4.18.0rc2/bin/python/samba/tests/samba_tool/user.py", line 1044, in test_getpwent
    self.assertCmdSuccess(result, out, err)
  File "/builddir/build/BUILD/samba-4.18.0rc2/bin/python/samba/tests/samba_tool/base.py", line 97, in assertCmdSuccess
    self.assertIsNone(exit, msg=msg.replace("\n]\n", "\n] \n"))
AssertionError: -1 is not None : exit[-1] stdout[] stderr[ERROR(ldb): Failed to
add user 'mockbuild':  - LDAP error 68 LDAP_ENTRY_ALREADY_EXISTS -  <00002071:
samldb: samAccountName 'mockbuild' already in use!> <>
]:
UNEXPECTED(failure): samba.tests.samba_tool.user.samba.tests.samba_tool.user.UserCmdTestCase.test_list(ad_dc_ntvfs:local)
REASON: Exception: Exception: Traceback (most recent call last):
  File "/builddir/build/BUILD/samba-4.18.0rc2/bin/python/samba/tests/samba_tool/user.py", line 69, in setUp
    self.assertCmdSuccess(result, out, err)
  File "/builddir/build/BUILD/samba-4.18.0rc2/bin/python/samba/tests/samba_tool/base.py", line 97, in assertCmdSuccess
    self.assertIsNone(exit, msg=msg.replace("\n]\n", "\n] \n"))
AssertionError: -1 is not None : exit[-1] stdout[] stderr[ERROR(ldb): Failed to
add user 'sambatool1':  - LDAP error 68 LDAP_ENTRY_ALREADY_EXISTS -  <00002071:
samldb: samAccountName 'sambatool1' already in use!> <>

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15308

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
3 years ago python:tests: Use a random machine name for computer_edit.sh test
Andreas Schneider [Wed, 8 Feb 2023 20:40:25 +0000 (21:40 +0100)] 
python:tests: Use a random machine name for computer_edit.sh test

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15308

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
3 years ago python:tests: Correctly escape $ in computer_edit.sh
Andreas Schneider [Wed, 8 Feb 2023 20:37:06 +0000 (21:37 +0100)] 
python:tests: Correctly escape $ in computer_edit.sh

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15308

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
3 years ago python:tests: Use a random username for contact_edit.sh test
Andreas Schneider [Wed, 8 Feb 2023 17:41:18 +0000 (18:41 +0100)] 
python:tests: Use a random username for contact_edit.sh test

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15308

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
3 years ago python:tests: Correctly escape $ in contact_edit.sh
Andreas Schneider [Wed, 8 Feb 2023 17:40:04 +0000 (18:40 +0100)] 
python:tests: Correctly escape $ in contact_edit.sh

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15308

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
3 years ago python:tests: Use a random username for user_edit.sh tests
Andreas Schneider [Wed, 8 Feb 2023 09:20:21 +0000 (10:20 +0100)] 
python:tests: Use a random username for user_edit.sh tests

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15308

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
3 years ago python:tests: Correctly escape $ in user_edit.sh
Andreas Schneider [Wed, 8 Feb 2023 14:33:00 +0000 (15:33 +0100)] 
python:tests: Correctly escape $ in user_edit.sh

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15308

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
3 years ago testprogs: Use random user names for kpasswd tests
Andreas Schneider [Wed, 8 Feb 2023 07:30:56 +0000 (08:30 +0100)] 
testprogs: Use random user names for kpasswd tests

This avoids that subsequent tests fail because users already exist and cleanup didn't
work.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15308

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
3 years ago testprogs: Use random usernames for export keytab tests
Andreas Schneider [Wed, 8 Feb 2023 07:30:38 +0000 (08:30 +0100)] 
testprogs: Use random usernames for export keytab tests

This avoids that subsequent tests fail because users already exist and cleanup didn't
work.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15308

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
3 years ago testprogs: Use random usernames for kinit tests
Andreas Schneider [Wed, 8 Feb 2023 07:29:33 +0000 (08:29 +0100)] 
testprogs: Use random usernames for kinit tests

This avoids that subsequent tests fail because users already exist and cleanup didn't
work.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15308

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
3 years ago talloc: remove Python 2 #if clauses
Douglas Bagnall [Fri, 10 Feb 2023 02:53:10 +0000 (15:53 +1300)] 
talloc: remove Python 2 #if clauses

Also fix an obsolete related comment.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Feb 17 14:52:26 UTC 2023 on atb-devel-224

3 years ago s4/wmi: begone
Douglas Bagnall [Fri, 10 Feb 2023 02:40:15 +0000 (15:40 +1300)] 
s4/wmi: begone

We don't use this and will never use this.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
3 years ago lib:util: File descriptor being closed repeatedly.
baixiangcpp [Fri, 10 Feb 2023 03:01:47 +0000 (11:01 +0800)] 
lib:util: File descriptor being closed repeatedly.

In file_load()/file_lines_load(), the file's fd is obtained using
open(), and in fd_load() the fd is converted to a FILE* using
fdopen(). However, after fclose(), the fd is closed again using
close().

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15311
Signed-off-by: baixiangcpp baixiangcpp@gmail.com
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Feb 16 12:13:05 UTC 2023 on atb-devel-224

3 years ago lib:ldb: Print a debug message in case we have a corrupted MDB
Andreas Schneider [Tue, 14 Feb 2023 15:31:18 +0000 (16:31 +0100)] 
lib:ldb: Print a debug message in case we have a corrupted MDB

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Feb 15 09:05:56 UTC 2023 on atb-devel-224

3 years ago lib:ldb: Add the location to ldb_kv_parse_data_unpack() debug output
Andreas Schneider [Tue, 14 Feb 2023 15:30:36 +0000 (16:30 +0100)] 
lib:ldb: Add the location to ldb_kv_parse_data_unpack() debug output

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
3 years ago ctdb-scripts: Avoid using testparm to process its own output
Martin Schwenke [Mon, 13 Feb 2023 03:59:18 +0000 (14:59 +1100)] 
ctdb-scripts: Avoid using testparm to process its own output

When testparm processes the output of "testparm -v" (which includes
default values) it appears to do global checks (or some other sort of
initialisation logic) for all specified values.  This includes a DNS
lookup for the node's hostname, as a side-effect of a libldap
ldap_set_option() call when processing "ldap debug level".  If DNS
servers are down then this can induce timeouts, possibly resulting in
monitor timeouts.

Avoid this by using sed to extract configuration values from the
testparm cache file.

This is already shown to work when retrieving share paths, where
testparm is basically used as cat.  Update the sed pattern to avoid
matching empty values on the right-hand side of the equals ('=') -
this avoids the default empty path value (and "smb ports" never has an
empty value).

Corresponding test changes:

* 50.samba.monitor.111.sh no longer expects a failure from being
  unable to set smb ports, since testparm is no longer used in that
  code path.

* smb ports needs to be set in fake smb.conf so it is in the default
  output and can be extracted using sed.

* Although testparm --parameter-name is no longer used in
  50.samba.script, update the stub implementation (in case it is ever
  used again) to extract from fake smb.conf, since "smb ports" is now
  set there.  The change from $parameter to $param allows a long line
  to stay below 80 columns.

Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue Feb 14 08:43:53 UTC 2023 on atb-devel-224

3 years ago ctdb-scripts: Do not replace commas with spaces in "smb ports" list
Martin Schwenke [Tue, 14 Feb 2023 01:36:11 +0000 (12:36 +1100)] 
ctdb-scripts: Do not replace commas with spaces in "smb ports" list

The list changed back to space-separated in commit
93448f4be92d4e018aaf2f9705f0351360b2ed0f, so simplify the code a
little.

Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
3 years ago ctdb-scripts: Reformat script with "shfmt -w -p -i 0 -fn"
Martin Schwenke [Mon, 13 Feb 2023 02:02:52 +0000 (13:02 +1100)] 
ctdb-scripts: Reformat script with "shfmt -w -p -i 0 -fn"

Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
3 years ago vfs: Fix whitespace in vfs_aixacl_util.c
Volker Lendecke [Tue, 7 Feb 2023 08:49:54 +0000 (09:49 +0100)] 
vfs: Fix whitespace in vfs_aixacl_util.c

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Feb 13 21:23:43 UTC 2023 on atb-devel-224

3 years ago smbd: Remove dptr_struct->expect_close
Volker Lendecke [Mon, 6 Feb 2023 20:40:38 +0000 (21:40 +0100)] 
smbd: Remove dptr_struct->expect_close

This was only set but never read

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
3 years ago smbd: Remove dptr_struct->spid
Volker Lendecke [Mon, 6 Feb 2023 20:36:51 +0000 (21:36 +0100)] 
smbd: Remove dptr_struct->spid

This was only set but never read

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
3 years ago smbd: Simplify SeekDir() with an early return
Volker Lendecke [Thu, 2 Feb 2023 16:01:16 +0000 (17:01 +0100)] 
smbd: Simplify SeekDir() with an early return

Review with git show -w

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
3 years ago smbd: Simplify struct dptr_struct
Volker Lendecke [Thu, 2 Feb 2023 11:52:32 +0000 (12:52 +0100)] 
smbd: Simplify struct dptr_struct

We can access the file name via "dir_hnd"

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
3 years ago lib: Fix a typo
Volker Lendecke [Thu, 2 Feb 2023 11:28:56 +0000 (12:28 +0100)] 
lib: Fix a typo

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
3 years ago lib: Simplify ms_has_wild() with strpbrk()
Volker Lendecke [Thu, 2 Feb 2023 11:25:05 +0000 (12:25 +0100)] 
lib: Simplify ms_has_wild() with strpbrk()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
3 years ago smbd: Use ISDOT() in dptr_create()
Volker Lendecke [Thu, 2 Feb 2023 11:19:46 +0000 (12:19 +0100)] 
smbd: Use ISDOT() in dptr_create()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
3 years ago vfs_ceph: use fsp_get_pathref_fd in ceph fstatat and close vfs calls
John Mulligan [Fri, 3 Feb 2023 18:09:18 +0000 (13:09 -0500)] 
vfs_ceph: use fsp_get_pathref_fd in ceph fstatat and close vfs calls

Replace fsp_get_io_fd with fsp_get_pathref_fd as these calls do use
pathref fsps. fsp_get_io_fd asserts that the fsp is not pathref and
asserts (on a debug build) or returns -1 (non debug build).

Prior to these changes running ls on the root of the share failed.
Logging from the failure case:
```
openat_pathref_fsp: smb_fname [.]
openat_pathref_fullname: smb_fname [.]
fsp_new: allocated files structure (1 used)
file_name_hash: //. hash 0x3dfcc1c2
check_reduced_name: check_reduced_name [.] [/]
cephwrap_realpath: [CEPH] realpath(0x55604da9a030, .) = //.
check_reduced_name realpath [.] -> [//.]
check_reduced_name: . reduced to //.
cephwrap_openat: [CEPH] openat(0x55604da9a030, ., 0x55604da81f00, 133120, 0)
cephwrap_openat: [CEPH] open(...) = 10
cephwrap_fstat: fsp_get_io_fd: fsp [.] is a path referencing fsp
[CEPH] fstat(0x55604da9a030, -1)
fsp_get_io_fd: fsp [.] is a path referencing fsp
cephwrap_fstat: [CEPH] fstat(...) = -9
fd_openat: name ., flags = 04000 mode = 00, fd = 10.  NT_STATUS_INVALID_HANDLE
openat_pathref_fullname: Opening pathref for [.] failed: NT_STATUS_INVALID_HANDLE
```

This change also seems to match the recommendations in the `When to use
fsp_get_io_fd() or fsp_get_pathref_fd()` section of The_New_VFS.txt
document.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15307

Signed-off-by: John Mulligan <jmulligan@redhat.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Gunther Deschner <gdeschne@redhat.com>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Feb 13 20:04:38 UTC 2023 on atb-devel-224

3 years ago Add gitleaks configuration file to avoid false positives
Pavel Filipenský [Fri, 3 Feb 2023 10:29:37 +0000 (11:29 +0100)] 
Add gitleaks configuration file to avoid false positives

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org>
Autobuild-Date(master): Mon Feb 13 18:45:21 UTC 2023 on atb-devel-224

3 years ago smbd: Remove smbXsrv_open_global0->db_rec
Volker Lendecke [Wed, 11 Jan 2023 10:02:11 +0000 (11:02 +0100)] 
smbd: Remove smbXsrv_open_global0->db_rec

The only user by now was net serverid wipedbs, and there it was easy to replace

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Feb 13 10:49:43 UTC 2023 on atb-devel-224

3 years ago smbd: Use dbwrap_do_locked() in smb2srv_open_recreate()
Volker Lendecke [Wed, 11 Jan 2023 09:54:37 +0000 (10:54 +0100)] 
smbd: Use dbwrap_do_locked() in smb2srv_open_recreate()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
3 years ago smbd: rename 'op' into 'global' in smbXsrv_open_cleanup_fn()
Stefan Metzmacher [Tue, 31 Jan 2023 11:39:06 +0000 (12:39 +0100)] 
smbd: rename 'op' into 'global' in smbXsrv_open_cleanup_fn()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
3 years ago smbd: let smbXsrv_open_cleanup() delete broken records
Volker Lendecke [Tue, 10 Jan 2023 11:29:18 +0000 (12:29 +0100)] 
smbd: let smbXsrv_open_cleanup() delete broken records

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Volker Lendecke <vl@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
3 years ago smbd: Use dbwrap_do_locked() in smbXsrv_open_cleanup()
Volker Lendecke [Tue, 10 Jan 2023 11:29:18 +0000 (12:29 +0100)] 
smbd: Use dbwrap_do_locked() in smbXsrv_open_cleanup()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
3 years ago smbd: Use dbwrap_do_locked() in smbXsrv_open_close()
Volker Lendecke [Tue, 10 Jan 2023 10:59:07 +0000 (11:59 +0100)] 
smbd: Use dbwrap_do_locked() in smbXsrv_open_close()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
3 years ago smbd: Use dbwrap_do_locked() in smbXsrv_open_update()
Volker Lendecke [Sun, 8 Jan 2023 20:04:25 +0000 (21:04 +0100)] 
smbd: Use dbwrap_do_locked() in smbXsrv_open_update()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
3 years ago smbd: Use dbwrap_do_locked() in smbXsrv_open_global_allocate()
Volker Lendecke [Thu, 26 Jan 2023 08:08:27 +0000 (09:08 +0100)] 
smbd: Use dbwrap_do_locked() in smbXsrv_open_global_allocate()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
3 years ago smbd: Make smbXsrv_open_global_allocate() store the record
Volker Lendecke [Fri, 6 Jan 2023 16:12:23 +0000 (17:12 +0100)] 
smbd: Make smbXsrv_open_global_allocate() store the record

Micro-step towards using dbwrap_do_locked()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
3 years ago smbd: Simplify smbXsrv_open_global_store()
Volker Lendecke [Thu, 5 Jan 2023 15:18:37 +0000 (16:18 +0100)] 
smbd: Simplify smbXsrv_open_global_store()

Avoid the dependency on global->db_rec. This makes the callers more
verbose, but it makes the data dependencies much more obvious. This
will enable removing smbXsrv_open_global0->db_rec at some point.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
3 years ago smbd: Move smbXsrv_open_global_verify_record() down in smbXsrv_open.c
Volker Lendecke [Thu, 26 Jan 2023 07:46:31 +0000 (08:46 +0100)] 
smbd: Move smbXsrv_open_global_verify_record() down in smbXsrv_open.c

Avoid prototypes

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
3 years ago smbd: Use generate_nonce_buffer() in smbXsrv_open_global_allocate()
Volker Lendecke [Fri, 6 Jan 2023 15:46:11 +0000 (16:46 +0100)] 
smbd: Use generate_nonce_buffer() in smbXsrv_open_global_allocate()

We don't need anything cryptographic for persistent file handle ids

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
3 years ago s3: smbd: Fix log spam. Change a normal error message from DBG_ERR (level 0) to DBG_I...
Jeremy Allison [Wed, 8 Feb 2023 01:51:10 +0000 (17:51 -0800)] 
s3: smbd: Fix log spam. Change a normal error message from DBG_ERR (level 0) to DBG_INFO (level 5).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15302

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Sat Feb 11 08:48:05 UTC 2023 on atb-devel-224

3 years ago gp: gp_sudoers_ext warn w/out visudo installed
David Mulder [Thu, 9 Feb 2023 17:43:42 +0000 (10:43 -0700)] 
gp: gp_sudoers_ext warn w/out visudo installed

Rather than print an ugly error message from
Popen, display a warning to the user if visudo
is missing.

Signed-off-by: David Mulder <dmulder@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): David Mulder <dmulder@samba.org>
Autobuild-Date(master): Fri Feb 10 20:31:37 UTC 2023 on atb-devel-224

3 years ago gp: Log ext failure with file and line number
David Mulder [Thu, 9 Feb 2023 17:34:24 +0000 (10:34 -0700)] 
gp: Log ext failure with file and line number

Rather than dumping a traceback when there is a
failure, simply log the file name, line number
and the error message instead. This is much
cleaner.

Signed-off-by: David Mulder <dmulder@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
3 years ago s4-auth: Free user_info_dc in KDC caller to authsam_update_user_info_dc()
Andrew Bartlett [Tue, 7 Feb 2023 21:59:56 +0000 (10:59 +1300)] 
s4-auth: Free user_info_dc in KDC caller to authsam_update_user_info_dc()

It is up to the caller to choose if it wants to clean up the user_info_dc
memory early, we do so only in the KDC as it was allocated on a context
provided to samba_kdc_update_pac_blob(), whereas auth_winbind uses
a locally managed tevent state as the memory context.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Feb  8 01:05:47 UTC 2023 on atb-devel-224

3 years ago auth: Free empty SID arrays
Joseph Sutton [Wed, 21 Dec 2022 23:50:26 +0000 (12:50 +1300)] 
auth: Free empty SID arrays

In the unlikely event that these arrays are empty, they can be freed
early.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
3 years ago tests/krb5: Use consistent ordering for etypes
Joseph Sutton [Mon, 19 Dec 2022 00:43:08 +0000 (13:43 +1300)] 
tests/krb5: Use consistent ordering for etypes

The 'etype' field in a Kerberos request is ordered. Make this fact
clearer by using a tuple or an array to represent etypes rather than a
set.

get_default_enctypes() now returns encryption types in order of
strength. As a consequence, the encryption type chosen by the MIT KDC
matches up with that chosen by Windows, and more tests begin to pass.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
3 years ago auth: Discard non-base SIDs when creating SamInfo2
Joseph Sutton [Thu, 15 Dec 2022 01:07:06 +0000 (14:07 +1300)] 
auth: Discard non-base SIDs when creating SamInfo2

Our SamLogon tests are now all passing.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
3 years ago tests/krb5: Test groups returned by SamLogon
Joseph Sutton [Thu, 15 Dec 2022 01:06:59 +0000 (14:06 +1300)] 
tests/krb5: Test groups returned by SamLogon

Levels NetlogonValidationSamInfo2 and NetlogonValidationSamInfo4 behave
as might be expected, so we pass those tests. NetlogonValidationSamInfo
returns no resource groups and doesn't set the NETLOGON_EXTRA_SIDS flag,
and we fail its test.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
3 years ago tests/krb5: Return validation structure from _test_samlogon()
Joseph Sutton [Wed, 14 Dec 2022 23:32:02 +0000 (12:32 +1300)] 
tests/krb5: Return validation structure from _test_samlogon()

This lets us check the groups that are returned.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
3 years ago tests/krb5: Allow tests to set SamLogon validation level
Joseph Sutton [Wed, 14 Dec 2022 23:17:13 +0000 (12:17 +1300)] 
tests/krb5: Allow tests to set SamLogon validation level

We'll want to test various levels to ensure they all behave as expected.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
3 years ago tests/krb5: Move _test_samlogon() to base class
Joseph Sutton [Wed, 14 Dec 2022 23:16:00 +0000 (12:16 +1300)] 
tests/krb5: Move _test_samlogon() to base class

We'll want to make use of it in the group tests.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
3 years ago s4/dsdb/samldb: Disallow setting a domain-local group as a primary group
Joseph Sutton [Thu, 22 Dec 2022 02:54:14 +0000 (15:54 +1300)] 
s4/dsdb/samldb: Disallow setting a domain-local group as a primary group

Windows also disallows this. Note that changing a primary group to a
domain-local group is allowed by both Windows and Samba.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
3 years ago selftest: Expect setting domain-local group as primary group to fail
Joseph Sutton [Thu, 22 Dec 2022 18:29:58 +0000 (07:29 +1300)] 
selftest: Expect setting domain-local group as primary group to fail

This will no longer be allowed.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
3 years ago auth: Correct primary group handling
Joseph Sutton [Mon, 12 Dec 2022 20:04:47 +0000 (09:04 +1300)] 
auth: Correct primary group handling

Heretofore we have treated the primary group SID specially, storing it
in a fixed position as the second element of the user_info_dc->sids
array, and filtering out other copies in the PAC_LOGON_INFO base
structure. This filtering has made it difficult to distinguish between
the case where the primary group is a universal or global group, located
in the base RIDs, and the case where it is a domain-local group, missing
from the base RIDs; especially since the attributes of a domain-local
primary group are lost by being stored in the PAC. Domain-local primary
groups are normally disallowed by Windows, but are allowed by Samba, and
so it is reasonable to support them with at least some measure of
consistency.

The second element of user_info_dc->sids is still reserved for the
primary group's SID, but we no longer filter out any other copies in the
array. The first two elements are no more than the SIDs of the user and
the primary group respectively; and the remaining SIDs are as if taken
without modification from arrays of SIDs in the PAC. user_info_dc->sids
should therefore become a more faithful representation of the SIDs in
the PAC. After adding resource SIDs to it with
dsdb_expand_resource_groups(), we should have a result that more closely
and in more cases matches that of Windows.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
3 years ago s4-dsdb: Use correct primary group SID in token group test
Joseph Sutton [Thu, 15 Dec 2022 23:41:50 +0000 (12:41 +1300)] 
s4-dsdb: Use correct primary group SID in token group test

This test will thereby continue to pass when we correct the handling of
primary groups.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
3 years ago s4:torture: Remove assertion that primary group is not duplicated in user_info_dc
Joseph Sutton [Thu, 15 Dec 2022 23:47:02 +0000 (12:47 +1300)] 
s4:torture: Remove assertion that primary group is not duplicated in user_info_dc

This assertion is one we will be breaking shortly.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
3 years ago tests/krb5: Add tests for the primary group
Joseph Sutton [Thu, 15 Dec 2022 23:47:41 +0000 (12:47 +1300)] 
tests/krb5: Add tests for the primary group

Primary groups are handled differently from normal groups of which a
user is simply a member. Of particular note is the case where a
domain-local group is made a primary group; a case normally disallowed
by Windows, but not by Samba. Therefore we want tests for it.

Our testing framework must be able to set the user's primary group, and
to clean up afterwards; to set the primary group RID of a PAC; and to
check that the primary group RID is as expected in the PAC returned to
us.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
3 years ago auth: Align integer types
Joseph Sutton [Thu, 15 Dec 2022 23:52:51 +0000 (12:52 +1300)] 
auth: Align integer types

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
3 years ago s4-dsdb: Simplify search expression
Joseph Sutton [Thu, 15 Dec 2022 23:45:29 +0000 (12:45 +1300)] 
s4-dsdb: Simplify search expression

We want to find objects for which the groupType attribute has at least
one of GROUP_TYPE_ACCOUNT_GROUP and GROUP_TYPE_UNIVERSAL_GROUP set. For
this the OR comparator is perfectly suited. It produces a true result if
at least one set bit is shared between both operands.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
3 years ago ldap: Make use of LDB_OID_COMPARATOR constants
Joseph Sutton [Fri, 16 Dec 2022 01:24:18 +0000 (14:24 +1300)] 
ldap: Make use of LDB_OID_COMPARATOR constants

These constants allow one to tell at a glance what search operation is
being performed.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
3 years ago ldap: Cut down on string substitution
Joseph Sutton [Thu, 15 Dec 2022 23:41:03 +0000 (12:41 +1300)] 
ldap: Cut down on string substitution

Constant strings can be inserted directly into format strings, reducing
the amount of string substitution to be performed.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
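
The bitwise OR comparator from "Simplify search expression", written with the OID constants and compile-time string concatenation the two commits above describe. This is an added example, not Samba's code: the OID and GROUP_TYPE_* values are defined locally, and the helper functions and sample data are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Defined locally so the block builds on its own: the AD bitwise
 * matching-rule OIDs and the groupType bits. */
#define LDB_OID_COMPARATOR_AND "1.2.840.113556.1.4.803"
#define LDB_OID_COMPARATOR_OR  "1.2.840.113556.1.4.804"
#define GROUP_TYPE_ACCOUNT_GROUP   0x00000002u /* global */
#define GROUP_TYPE_RESOURCE_GROUP  0x00000004u /* domain-local */
#define GROUP_TYPE_UNIVERSAL_GROUP 0x00000008u
#define WANTED (GROUP_TYPE_ACCOUNT_GROUP | GROUP_TYPE_UNIVERSAL_GROUP)

/* AND rule: every bit of 'value' must be set in the attribute. */
static bool bit_and_match(int32_t attr, uint32_t value)
{
	return ((uint32_t)attr & value) == value;
}

/* OR rule: at least one bit of 'value' must be set in the attribute. */
static bool bit_or_match(int32_t attr, uint32_t value)
{
	return ((uint32_t)attr & value) != 0;
}

/* Two single-bit AND tests joined by an LDAP "|" ... */
static bool two_clause_form(int32_t group_type)
{
	return bit_and_match(group_type, GROUP_TYPE_ACCOUNT_GROUP) ||
	       bit_and_match(group_type, GROUP_TYPE_UNIVERSAL_GROUP);
}

/* ... select the same objects as one OR test on the combined mask. */
static bool one_clause_form(int32_t group_type)
{
	return bit_or_match(group_type, WANTED);
}

/* The constant OID is pasted into the format string by the compiler;
 * only the mask is substituted at run time. */
static int build_group_filter(char *buf, size_t len)
{
	return snprintf(buf, len,
			"(groupType:" LDB_OID_COMPARATOR_OR ":=%u)", WANTED);
}

/* Constructed sample: groupType is stored as a signed 32-bit integer. */
static const int32_t sample_group_types[] = {
	-2147483646, /* 0x80000002 global security group */
	-2147483644, /* 0x80000004 domain-local security group */
	-2147483640, /* 0x80000008 universal security group */
	2, 4, 8, 0,  /* distribution groups, and no type bits at all */
};
#define NUM_SAMPLES (sizeof(sample_group_types) / sizeof(sample_group_types[0]))

int main(void)
{
	char filter[64];
	build_group_filter(filter, sizeof(filter));
	printf("%s\n", filter);
	for (size_t i = 0; i < NUM_SAMPLES; i++) {
		int32_t gt = sample_group_types[i];
		printf("%11d  two-clause=%d  one-clause=%d\n", (int)gt,
		       two_clause_form(gt), one_clause_form(gt));
	}
	return 0;
}
```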
3 years ago auth: Make more liberal use of SID index constants
Joseph Sutton [Thu, 15 Dec 2022 23:08:41 +0000 (12:08 +1300)] 
auth: Make more liberal use of SID index constants

Arrays of SIDs are handled not fully consistently throughout the
codebase. Sometimes SIDs in the first and second positions represent a
user and a primary group respectively; other times they don't mean
anything in particular. Using these index constants in situations of the
former sort can help to clarify our intent.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
3 years ago auth: Shorten long SID flags combinations
Joseph Sutton [Wed, 14 Dec 2022 22:58:11 +0000 (11:58 +1300)] 
auth: Shorten long SID flags combinations

The combination MANDATORY | ENABLED_BY_DEFAULT | ENABLED is very
commonly used, and introducing a shorter alias for it makes the code
clearer.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
3 years ago s4:kdc: Add resource SID compression
Joseph Sutton [Thu, 1 Dec 2022 21:49:20 +0000 (10:49 +1300)] 
s4:kdc: Add resource SID compression

The domain-local groups that are added to the PAC of a service ticket
are now, if the service doesn't disclaim support for SID compression,
placed into the resource groups structure in PAC_LOGON_INFO.

In a TGS exchange directed to a KDC, rather than to a service, the
resource groups structure is simply copied into the updated PAC without
any processing being done.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
3 years ago auth: Pass through entire PAC flags value in auth_user_info
Joseph Sutton [Sun, 11 Dec 2022 21:50:01 +0000 (10:50 +1300)] 
auth: Pass through entire PAC flags value in auth_user_info

Besides the NETLOGON_GUEST bit indicating whether the user has been
authenticated, we now carry all of the other bits as well. This lets us
match Windows' behaviour of simply passing these bits through to an
updated PAC when processing a TGS-REQ.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
3 years ago named_pipe_auth: Bump info5 to info6
Joseph Sutton [Thu, 22 Dec 2022 04:48:26 +0000 (17:48 +1300)] 
named_pipe_auth: Bump info5 to info6

In the next commit, we shall replace the 'authenticated' field of
named_pipe_auth_req_info.info5.session_info.session_info.info with a
more general 'user_flags' field.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
3 years ago s4:torture: Make use of torture_assert_sid_equal()
Joseph Sutton [Sun, 11 Dec 2022 21:28:45 +0000 (10:28 +1300)] 
s4:torture: Make use of torture_assert_sid_equal()

This macro produces a slightly more useful message if the assertion
fails.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
3 years ago tests/krb5: Add tests of NETLOGON_RESOURCE_GROUPS flag handling
Joseph Sutton [Sun, 11 Dec 2022 22:20:18 +0000 (11:20 +1300)] 
tests/krb5: Add tests of NETLOGON_RESOURCE_GROUPS flag handling

This lets us test what happens in TGS-REQ exchanges to the KDC, when the
flags and resource groups are simply passed through into the new PAC,
regardless of what value the flags hold.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
3 years ago tests/krb5: Allow setting or resetting PAC flags
Joseph Sutton [Sun, 11 Dec 2022 22:08:28 +0000 (11:08 +1300)] 
tests/krb5: Allow setting or resetting PAC flags

This lets us test what happens when the flags in the PAC, such as
NETLOGON_RESOURCE_GROUPS, are given "interesting" values.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
3 years ago tests/krb5: Add group tests simulating PACs from a trusted domain
Joseph Sutton [Sun, 11 Dec 2022 22:20:53 +0000 (11:20 +1300)] 
tests/krb5: Add group tests simulating PACs from a trusted domain

Crucially, in these tests the user's domain and its SID are different
from our domain and its SID. These tests will assert that in such a case
resource groups are added to the PAC and handled correctly.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
3 years ago tests/krb5: Allow changing the SID of a user's PAC
Joseph Sutton [Sun, 11 Dec 2022 22:05:05 +0000 (11:05 +1300)] 
tests/krb5: Allow changing the SID of a user's PAC

This lets us simulate a ticket of a user from another domain.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
3 years ago tests/krb5: Add some more test cases for PAC group handling
Joseph Sutton [Sun, 11 Dec 2022 22:17:19 +0000 (11:17 +1300)] 
tests/krb5: Add some more test cases for PAC group handling

Change some of the attributes in TGS-REQ PACs to ensure they are handled
correctly.

Add a test of a PAC containing resource SIDs for a service without
resource SID compression support, ensuring the SIDs are correctly
removed.

Add a Samba 4.17 compatibility test for a service with resource SID
compression support.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
3 years ago tests/krb5: Improve assertion failure message
Joseph Sutton [Sun, 11 Dec 2022 22:02:29 +0000 (11:02 +1300)] 
tests/krb5: Improve assertion failure message

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
3 years ago tests/krb5: Remove tests of KDCs without resource SID compression support
Joseph Sutton [Sun, 11 Dec 2022 21:57:42 +0000 (10:57 +1300)] 
tests/krb5: Remove tests of KDCs without resource SID compression support

As part of mitigations of CVE-2022-37966, we no longer regard the
msDS-SupportedEncryptionTypes attribute of the KDC when determining its
supported encryption types. Thus, these tests that try to disable SID
compression support by setting this attribute run to no purpose.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
3 years ago s4: Add 'const' to some parameters
Joseph Sutton [Mon, 7 Nov 2022 01:14:18 +0000 (14:14 +1300)] 
s4: Add 'const' to some parameters

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
3 years ago s4-dsdb: Make sid_list_match() static
Joseph Sutton [Mon, 7 Nov 2022 01:23:26 +0000 (14:23 +1300)] 
s4-dsdb: Make sid_list_match() static

It's not used anywhere other than this file.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
3 years ago s4-dsdb: Check for talloc failure in dsdb_expand_nested_groups()
Joseph Sutton [Mon, 7 Nov 2022 01:32:23 +0000 (14:32 +1300)] 
s4-dsdb: Check for talloc failure in dsdb_expand_nested_groups()

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
3 years ago auth: Only process resource groups if NETLOGON_RESOURCE_GROUPS flag is set
Joseph Sutton [Mon, 7 Nov 2022 06:27:24 +0000 (19:27 +1300)] 
auth: Only process resource groups if NETLOGON_RESOURCE_GROUPS flag is set

MS-PAC section 2.5 states that if the resource_groups member is
non-NULL, or resource_groups.groups.count is not zero, the
NETLOGON_RESOURCE_GROUPS flag MUST be set. Thus, there's no need to
process resource groups if the flag is not set.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
3 years ago auth: Remove early return from make_user_info_dc_pac()
Joseph Sutton [Mon, 7 Nov 2022 06:37:12 +0000 (19:37 +1300)] 
auth: Remove early return from make_user_info_dc_pac()

'rg' is never NULL, so this codepath is never taken. But if it were, we
would return early and entirely neglect filling in the UPN_DNS_INFO from
the 'pac_upn_dns_info' parameter. So remove the early return.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
3 years ago auth: Exclude resource groups from a TGT
Joseph Sutton [Tue, 27 Sep 2022 01:51:54 +0000 (14:51 +1300)] 
auth: Exclude resource groups from a TGT

Resource group SIDs should only be placed into a service ticket, but we
were including them in all tickets. Now that we have access to the group
attributes, we'll filter out any groups with SE_GROUP_RESOURCE set if
we're creating a TGT.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
3 years ago s4:torture: Assert that group attributes match
Joseph Sutton [Tue, 8 Nov 2022 00:34:14 +0000 (13:34 +1300)] 
s4:torture: Assert that group attributes match

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
3 years ago auth: Store group attributes in auth_user_info_dc
Joseph Sutton [Tue, 27 Sep 2022 02:13:12 +0000 (15:13 +1300)] 
auth: Store group attributes in auth_user_info_dc

Group expansion, performed in dsdb_expand_nested_groups(), now
incorporates a check of the type of each group. Those that are resource
groups receive the SE_GROUP_RESOURCE bit in the attributes which are now
carried alongside each group SID.

Whereas before, in auth_convert_user_info_dc_sambaseinfo() and
auth_convert_user_info_dc_saminfo6(), we invariantly used the flag
combination SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT |
SE_GROUP_ENABLED to set attributes in the PAC, we now take the correct
attributes from user_info_dc.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
3 years ago s4-dsdb: Add samdb_result_dom_sid_attrs()
Joseph Sutton [Mon, 7 Nov 2022 01:28:21 +0000 (14:28 +1300)] 
s4-dsdb: Add samdb_result_dom_sid_attrs()

This function is modelled on samdb_result_dom_sid(). It allocates,
rather than a dom_sid, an auth_SidAttr object, which we can pass to
other functions accepting an auth_SidAttr.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
3 years ago libcli/security: Add auth_SidAttr utility functions
Joseph Sutton [Tue, 27 Sep 2022 02:12:52 +0000 (15:12 +1300)] 
libcli/security: Add auth_SidAttr utility functions

These functions are modelled on add_sid_to_array() and
add_sid_to_array_unique(). They differ in that they operate not on an
array of dom_sid, but of auth_SidAttr, and take an additional 'attrs'
parameter of type uint32_t.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
3 years ago auth.idl: Add auth_SidAttr type
Joseph Sutton [Tue, 27 Sep 2022 02:12:19 +0000 (15:12 +1300)] 
auth.idl: Add auth_SidAttr type

This type incorporates, alongside a SID, a group attributes member,
through which attributes from a PAC or the AD database can be conveyed
into the completed PAC. A useful benefit this provides is the ability to
distinguish and exclude domain-local groups, which only belong in
service tickets, from the PAC of a TGT.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
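
How carrying attributes beside each SID lets a KDC place groups per ticket type, as the auth_SidAttr, "Exclude resource groups from a TGT", NETLOGON_RESOURCE_GROUPS and resource SID compression commits above describe. This is an added model, not Samba's code: `struct sid_attr`, `struct pac_groups`, both functions and the SIDs are hypothetical or constructed, the constant values are defined locally, and a service that disclaims SID compression is not modelled.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Well-known values, defined locally so the block builds on its own. */
#define SE_GROUP_MANDATORY          0x00000001u
#define SE_GROUP_ENABLED_BY_DEFAULT 0x00000002u
#define SE_GROUP_ENABLED            0x00000004u
#define SE_GROUP_RESOURCE           0x20000000u
#define NETLOGON_RESOURCE_GROUPS    0x00000200u
/* Hypothetical alias for the common attribute combination. */
#define EXAMPLE_DEFAULT_ATTRS \
	(SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED)
#define MAX_GROUPS 8

/* Hypothetical stand-in for a SID carried together with its attributes. */
struct sid_attr { const char *sid; uint32_t attrs; };

struct pac_groups {
	struct sid_attr base[MAX_GROUPS];     size_t num_base;
	struct sid_attr resource[MAX_GROUPS]; size_t num_resource;
	uint32_t user_flags;
};

enum ticket_kind { TICKET_TGT, TICKET_SERVICE_COMPRESSED };

/* Returns false rather than silently dropping a group that does not fit. */
static bool build_pac_groups(const struct sid_attr *groups, size_t n,
			     enum ticket_kind kind, struct pac_groups *out)
{
	*out = (struct pac_groups){ .user_flags = 0 };
	for (size_t i = 0; i < n; i++) {
		if (!(groups[i].attrs & SE_GROUP_RESOURCE)) {
			if (out->num_base == MAX_GROUPS) return false;
			out->base[out->num_base++] = groups[i];
		} else if (kind != TICKET_TGT) {
			if (out->num_resource == MAX_GROUPS) return false;
			out->resource[out->num_resource++] = groups[i];
		} /* a resource group is left out of a TGT */
	}
	if (out->num_resource > 0) {
		out->user_flags |= NETLOGON_RESOURCE_GROUPS;
	}
	return true;
}

/* Consumer side: resource groups count only when the flag is set. */
static size_t usable_resource_groups(const struct pac_groups *pac)
{
	return (pac->user_flags & NETLOGON_RESOURCE_GROUPS) ? pac->num_resource : 0;
}

/* Constructed sample: two global groups and one domain-local group. */
static const struct sid_attr sample_groups[] = {
	{ "S-1-5-21-1111111111-2222222222-3333333333-513",  EXAMPLE_DEFAULT_ATTRS },
	{ "S-1-5-21-1111111111-2222222222-3333333333-1103", EXAMPLE_DEFAULT_ATTRS },
	{ "S-1-5-21-1111111111-2222222222-3333333333-1105",
	  EXAMPLE_DEFAULT_ATTRS | SE_GROUP_RESOURCE },
};

int main(void)
{
	struct pac_groups tgt, svc;
	if (!build_pac_groups(sample_groups, 3, TICKET_TGT, &tgt) ||
	    !build_pac_groups(sample_groups, 3, TICKET_SERVICE_COMPRESSED, &svc)) {
		return 1;
	}
	printf("TGT:     %zu base, %zu resource, flags 0x%x\n",
	       tgt.num_base, tgt.num_resource, (unsigned)tgt.user_flags);
	printf("service: %zu base, %zu resource, flags 0x%x\n",
	       svc.num_base, svc.num_resource, (unsigned)svc.user_flags);
	return 0;
}
```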
3 years ago s4:torture: Skip over asserted identity SIDs when comparing groups
Joseph Sutton [Tue, 8 Nov 2022 00:34:07 +0000 (13:34 +1300)] 
s4:torture: Skip over asserted identity SIDs when comparing groups

We've already tested for the existence of these SIDs, and the assumption
that they are always the last element in a PAC is false. We must check
all the SIDs in each array, skipping over ones that were found to be
asserted identity SIDs.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
3 years ago s4:torture: Zero-initialise netr_NetworkInfo structure
Joseph Sutton [Tue, 8 Nov 2022 00:33:25 +0000 (13:33 +1300)] 
s4:torture: Zero-initialise netr_NetworkInfo structure

This ensures that no members contain garbage data.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
3 years ago tests/krb5: Declare supported encryption types of service account
Joseph Sutton [Sun, 11 Dec 2022 22:01:20 +0000 (11:01 +1300)] 
tests/krb5: Declare supported encryption types of service account

If SID compression support is disabled for a created account,
msDS-SupportedEncryptionTypes will be set to a value that includes the
RESOURCE_SID_COMPRESSION_DISABLED bit, but no actual encryption type
bits. Since stricter encryption type handling was introduced to address
CVE-2022-37966, this combination has been interpreted as an expression
of no encryption type support, and trying to make a Kerberos request to
a service with such a combination of bits will fail with
ERR_ETYPE_NOSUPP.

To allow us to make Kerberos requests to test service accounts again, we
must set some actual encryption type bits.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
3 years ago waf: Add support for MemorySanitizer
Andreas Schneider [Fri, 3 Feb 2023 12:43:16 +0000 (13:43 +0100)] 
waf: Add support for MemorySanitizer

This currently only works with binaries. As there is no shared library for
MSAN, it is only statically linked against binaries. This means that if we have,
e.g., a Python script trying to load ldb, it will fail with undefined symbols.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Feb  6 23:49:04 UTC 2023 on atb-devel-224

3 years ago s3:torture: Remove unused variable
Andreas Schneider [Fri, 3 Feb 2023 19:37:58 +0000 (20:37 +0100)] 
s3:torture: Remove unused variable

source3/torture/test_smb1_dfs.c:3264:11: error: variable 'accessmode' set but
not used [-Werror,-Wunused-but-set-variable]
        uint16_t accessmode = 0;
                 ^

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
3 years ago s3:utils: Remove unused variable
Andreas Schneider [Fri, 3 Feb 2023 19:35:20 +0000 (20:35 +0100)] 
s3:utils: Remove unused variable

source3/utils/log2pcaphex.c:138:13: error: variable 'i' set but not used
[-Werror,-Wunused-but-set-variable]
        static int i = 0;
                   ^

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>