s4:kdc: Add asserted identity SID to identify whether S4U2Self has occurred
Because the KDC does not limit protocol transition (S4U2Self), two new
well-known SIDs are available to give this control to the resource
administrator. These SIDs identify whether protocol transition (S4U2Self) has
occurred, and can be used with standard access control lists to grant or limit
access as needed.
See
https://docs.microsoft.com/en-us/windows-server/security/kerberos/kerberos-constrained-delegation-overview
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Apr 13 13:54:27 UTC 2022 on sn-devel-184
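The two well-known SIDs the commit message refers to are S-1-18-1 (Authentication authority asserted identity, placed in the PAC when the client proved its identity to the KDC itself) and S-1-18-2 (Service asserted identity, placed in the PAC when the ticket was obtained by a service through S4U2Self). What follows is an added example, not code from Samba or from this commit: it encodes and decodes SIDs in the binary layout the PAC carries them in, then walks a small ACL to show how a deny ACE on S-1-18-2 keeps a protocol-transition ticket from writing while the same user's direct logon still gets through. The domain SIDs, the share ACL, the token contents and the access-mask constants are constructed for illustration, and the ACL walk is a simplified model of the Windows algorithm, not Samba's implementation.

```python
import struct

# Well-known asserted-identity SIDs (values from the Microsoft constrained
# delegation documentation linked in the commit message).
SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY = "S-1-18-1"
SID_SERVICE_ASSERTED_IDENTITY = "S-1-18-2"

# Access-mask bits and sample SIDs: constructed for this example, hypothetical.
FILE_READ_DATA = 0x1
FILE_WRITE_DATA = 0x2
USER_SID = "S-1-5-21-1111-2222-3333-1105"
DOMAIN_USERS_SID = "S-1-5-21-1111-2222-3333-513"


def sid_to_bytes(sid: str) -> bytes:
    """Encode an S-1-... string in the binary SID layout used in the PAC:
    revision byte, sub-authority count byte, 48-bit big-endian identifier
    authority, then little-endian 32-bit sub-authorities."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"malformed SID: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or len(subs) > 15 or authority >= 1 << 48:
        raise ValueError(f"unsupported SID: {sid!r}")
    out = struct.pack("<BB", revision, len(subs))
    out += authority.to_bytes(6, "big")
    out += b"".join(struct.pack("<I", s) for s in subs)
    return out


def bytes_to_sid(data: bytes) -> str:
    """Inverse of sid_to_bytes; rejects truncated or over-long buffers."""
    if len(data) < 8:
        raise ValueError("binary SID too short")
    revision, count = struct.unpack_from("<BB", data, 0)
    if revision != 1 or len(data) != 8 + 4 * count:
        raise ValueError("malformed binary SID")
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", data, 8)
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def access_allowed(token_sids, acl, requested: int) -> bool:
    """Simplified DACL walk: ACEs are (type, sid, mask) tuples evaluated in
    order. A deny ACE for a SID in the token that overlaps the still-outstanding
    mask refuses access; allow ACEs accumulate until the request is covered."""
    remaining = requested
    token = set(token_sids)
    for ace_type, sid, mask in acl:
        if sid not in token:
            continue
        if ace_type == "deny" and mask & remaining:
            return False
        if ace_type == "allow":
            remaining &= ~mask
            if remaining == 0:
                return True
    return remaining == 0


# Constructed PAC SID lists for the same user: one from a direct AS-REQ,
# one from a ticket a service obtained via S4U2Self.
DIRECT_LOGON_PAC = [sid_to_bytes(s) for s in (
    USER_SID, DOMAIN_USERS_SID, SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY)]
S4U2SELF_PAC = [sid_to_bytes(s) for s in (
    USER_SID, DOMAIN_USERS_SID, SID_SERVICE_ASSERTED_IDENTITY)]

# Constructed share ACL: protocol-transition tickets may read but not write.
SHARE_ACL = [
    ("deny", SID_SERVICE_ASSERTED_IDENTITY, FILE_WRITE_DATA),
    ("allow", DOMAIN_USERS_SID, FILE_READ_DATA | FILE_WRITE_DATA),
]


def check_share_access(pac_sids, requested: int) -> bool:
    """Decode the PAC's binary SIDs into a token and evaluate SHARE_ACL."""
    return access_allowed([bytes_to_sid(b) for b in pac_sids], SHARE_ACL, requested)


if __name__ == "__main__":
    print("direct logon, write:", check_share_access(DIRECT_LOGON_PAC, FILE_WRITE_DATA))
    print("S4U2Self, write:   ", check_share_access(S4U2SELF_PAC, FILE_WRITE_DATA))
    print("S4U2Self, read:    ", check_share_access(S4U2SELF_PAC, FILE_READ_DATA))
```

The deny ACE sits first in the list on purpose: in a canonical DACL explicit denies precede allows, so a token carrying S-1-18-2 is refused write access before the Domain Users allow ACE is ever reached, while read access falls through to the allow. This is the control the commit message describes: the resource owner decides, per object, what a service-asserted identity may do, without the KDC having to refuse S4U2Self outright.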
python:tests: Add krb5 tests for asserted identity
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Samuel Cabrero [Tue, 12 Apr 2022 14:56:25 +0000 (16:56 +0200)]
selftest: Use selftest's TMPDIR to store the krb5 ccache in pam_winbind_setcred test
Using /tmp directly can lead to errors if multiple autobuilds are
running at the same time. Using tempfile.gettempdir() will look for
the $TMPDIR environment variable.
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Samuel Cabrero [Wed, 13 Apr 2022 11:20:27 +0000 (13:20 +0200)]
selftest: Use selftest's TMPDIR to store the krb5 ccache in pam_winbind tests
Using /tmp directly can lead to errors if multiple autobuilds are
running at the same time. Using tempfile.gettempdir() will look for
the $TMPDIR environment variable.
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Samuel Cabrero [Wed, 13 Apr 2022 09:01:00 +0000 (11:01 +0200)]
s3:winbind: Do not use domain's private data to store the SAMR pipes
The domain's private_data pointer is also used to store an ADS_STRUCT,
which is not allocated using talloc, and there are many places casting
this pointer directly.
The recently added samba.tests.pam_winbind_setcred was randomly failing,
and after debugging it the problem was that kerberos authentication was
failing because the time_offset passed to kerberos_return_pac() was
wrong. This time_offset was retrieved from ads->auth.time_offset, where
the ads pointer was directly cast from domain->private_data but
private_data was pointing to a winbind_internal_pipes struct.
../../source3/winbindd/winbindd_pam.c:2879:7: error: variable 'validation_level' is used uninitialized whenever 'if' condition is true [-Werror,-Wsometimes-uninitialized]
if (!(state->request->flags & WBFLAG_BIG_NTLMV2_BLOB) ||
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../../source3/winbindd/winbindd_pam.c:3003:6: note: uninitialized use occurs here
validation_level,
^~~~~~~~~~~~~~~~
../../source3/winbindd/winbindd_pam.c:2879:3: note: remove the 'if' if its condition is always false
if (!(state->request->flags & WBFLAG_BIG_NTLMV2_BLOB) ||
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../../source3/winbindd/winbindd_pam.c:2879:7: error: variable 'validation_level' is used uninitialized whenever '||' condition is true [-Werror,-Wsometimes-uninitialized]
if (!(state->request->flags & WBFLAG_BIG_NTLMV2_BLOB) ||
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../../source3/winbindd/winbindd_pam.c:3003:6: note: uninitialized use occurs here
validation_level,
^~~~~~~~~~~~~~~~
../../source3/winbindd/winbindd_pam.c:2879:7: note: remove the '||' if its condition is always false
if (!(state->request->flags & WBFLAG_BIG_NTLMV2_BLOB) ||
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../../source3/winbindd/winbindd_pam.c:2853:27: note: initialize the variable 'validation_level' to silence this warning
uint16_t validation_level;
^
= 0
1 warning and 2 errors generated.
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Apr 12 18:54:50 UTC 2022 on sn-devel-184
Pavel Filipenský [Wed, 16 Mar 2022 08:11:25 +0000 (09:11 +0100)]
tevent:tests: Test queue entry tags
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Apr 11 17:51:08 UTC 2022 on sn-devel-184
Samuel Cabrero [Thu, 31 Mar 2022 10:34:29 +0000 (12:34 +0200)]
examples: Update winbindd.stp and generate script
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Apr 8 21:06:01 UTC 2022 on sn-devel-184
Samuel Cabrero [Wed, 30 Mar 2022 18:55:12 +0000 (20:55 +0200)]
s3:winbind: Refactor log_authentication(), do not take winbindd_cli_state struct parameter
Later winbindd_dual_pam_auth() will be converted to a local RPC call
handler and it will not receive a winbindd_cli_state parameter. Avoid
passing this struct around.
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Samuel Cabrero [Mon, 14 Jun 2021 16:08:21 +0000 (18:08 +0200)]
s3:winbind: Refactor fake_password_policy(), take netr_Validation as argument
Later winbindd_dual_pam_auth() will be converted to a local RPC call
handler and it will return a netr_Validation from the child. This
function will be moved to the parent to fill the winbindd_response
struct.
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Later winbindd_dual_pam_auth() will be converted to a local RPC
handler and it will not receive a winbindd_cli_state struct as a parameter.
Avoid passing this struct around.
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Samuel Cabrero [Thu, 10 Jun 2021 14:15:13 +0000 (16:15 +0200)]
s3:winbind: Refactor winbindd_dual_pam_auth_cached(), return krb5ccname as out parameter
Later winbindd_dual_pam_auth() will be converted to a local RPC
handler and it will not receive a winbindd_cli_state struct as a parameter.
Avoid passing this struct around.
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Samuel Cabrero [Wed, 30 Mar 2022 16:12:46 +0000 (18:12 +0200)]
s3:winbind: Refactor winbindd_dual_pam_auth_cached(), delay out variable assignment
Delay the assignment of the out variable and assign it only when
returning NT_STATUS_OK; the caller does not use the returned
netr_SamInfo3 if the function does not return NT_STATUS_OK.
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Samuel Cabrero [Thu, 10 Jun 2021 12:03:43 +0000 (14:03 +0200)]
s3:winbind: Refactor winbindd_dual_pam_auth_kerberos(), do not take winbindd_cli_state struct parameter
Refactor winbindd_dual_pam_auth_kerberos() so that it does not take a
winbindd_cli_state struct as a parameter but its members. The kerberos
ccache name is returned as an out parameter and the caller is
responsible for copying it into the winbindd_response struct.
Later winbindd_dual_pam_auth() will be converted to a local RPC call
handler and it will not receive a winbindd_cli_state as an argument, so
reduce passing this struct around.
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Samuel Cabrero [Thu, 10 Jun 2021 11:23:23 +0000 (13:23 +0200)]
s3:winbind: Refactor append_afs_token(), do not take winbindd_response struct as parameter
Refactor the append_afs_token() function so that it does not take a
winbindd_response as a parameter but its members directly. The AFS token
is returned as an out parameter in a DATA_BLOB, and the caller is
responsible for setting it in the extra_data field of the winbindd_response
and extending the winbindd_response length.
Later winbindd_dual_pam_auth() will be converted to a local RPC
call handler and the netr_Validation will be returned in the 'r' struct
from the child to the parent. The parent will then fill the
winbindd_response struct.
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Samuel Cabrero [Thu, 10 Jun 2021 11:18:54 +0000 (13:18 +0200)]
s3:winbind: Refactor append_unix_username(), do not take winbindd_response struct as parameter
Refactor the append_unix_username() function so that it does not take a
winbindd_response struct as a parameter but its members. The
unix username is returned as an out parameter and the caller is
responsible for setting it in the winbindd_response struct.
Later winbindd_dual_pam_auth() will be converted to a local RPC
call handler and the netr_Validation will be returned in the 'r' struct
from the child to the parent. The parent will then fill the
winbindd_response struct.
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Samuel Cabrero [Thu, 31 Mar 2022 10:32:08 +0000 (12:32 +0200)]
s4:rpc_server: Fix duplicated function name between s3 and s4
It can lead to link errors:
/usr/lib64/gcc/x86_64-suse-linux/11/../../../../x86_64-suse-linux/bin/ld: source3/rpc_server/rpc_server.c.24.o: in function `dcesrv_transport_terminate_connection':
/home/scabrero/workspace/samba/samba/bin/default/../../source3/rpc_server/rpc_server.c:242: multiple definition of `dcesrv_transport_terminate_connection'; source4/rpc_server/dcerpc_server.c.5.o:/home/scabrero/workspace/samba/samba/bin/default/../../source4/rpc_server/dcerpc_server.c:710: first defined here
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Samuel Cabrero [Thu, 31 Mar 2022 10:29:14 +0000 (12:29 +0200)]
s4:rpc_server: Fix duplicated function name between s3 and s4
It can lead to link errors:
/usr/lib64/gcc/x86_64-suse-linux/11/../../../../x86_64-suse-linux/bin/ld: source3/rpc_server/rpc_server.c.24.o: in function `dcesrv_assoc_group_find':
/home/scabrero/workspace/samba/samba/bin/default/../../source3/rpc_server/rpc_server.c:229: multiple definition of `dcesrv_assoc_group_find'; source4/rpc_server/dcerpc_server.c.5.o:/home/scabrero/workspace/samba/samba/bin/default/../../source4/rpc_server/dcerpc_server.c:121: first defined here
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Samuel Cabrero [Thu, 10 Jun 2021 10:02:08 +0000 (12:02 +0200)]
s3:winbind: Refactor check_info3_in_group() to take a wbint_SidArray struct
Refactor the check_info3_in_group() function to take a wbint_SidArray
struct. The sid strings stored in extra_data are parsed into a
wbint_SidArray in a separate function.
Later, winbindd_dual_pam_auth() will be converted to a local RPC
call handler and the wbint_SidArray containing the required membership
will be part of the 'r' struct.
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Tue, 5 Apr 2022 17:32:20 +0000 (10:32 -0700)]
WHATSNEW.txt: Add explanation of --without-smb1-server and --with-smb1-server configure options.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Mulder <dmulder@suse.com>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Apr 7 18:33:31 UTC 2022 on sn-devel-184
David Mulder [Mon, 21 Mar 2022 20:18:58 +0000 (14:18 -0600)]
smbd: Remove duplicate read_nttrans_ea_list function prototype
Because this stray prototype was mixed in with
the smb1 code, it caused the smb2-only build to
fail. Instead of duplicating the function
prototype, let's just include the correct header.
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>