David Mulder [Wed, 19 Apr 2023 20:11:05 +0000 (14:11 -0600)]
gp: Add site-dn fallback when rpc call fails
In testing I noticed that the rpc call for the
site name is failing when joined via SSSD. This
commit adds a fallback to check using the old
style method found in ads_site_dn_for_machine()
(which works, but doesn't obey the Group Policy
spec) if the rpc call fails.
Signed-off-by: David Mulder <dmulder@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Apr 28 03:14:25 UTC 2023 on atb-devel-224
Noel Power [Thu, 25 Aug 2022 13:29:09 +0000 (14:29 +0100)]
s3/utils: when encoding ace string use "FA", "FR", "FW", "FX" string rights
Prior to this patch rights matching "FA", "FR", "FW", "FX" were
output as the hex string representing the bit value.
While outputting the hex string is perfectly fine, it makes it harder
to compare icacls output (which always uses the special string values).
Additionally adjust various tests to deal with use of shortcut access masks,
as sddl format now uses FA, FR, FW & FX strings (like icacls does) instead
of hex representation of the bit mask,
so various string comparisons of the sddl format now pass.
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
[abartlet@samba.org Adapted to new stricter SDDL behaviour around leading zeros in hex
numbers, eg 0x001]
Noel Power [Thu, 25 Aug 2022 12:52:56 +0000 (13:52 +0100)]
s3/utils: value for ace_flags value "FA" is incorrect
value for FA should be 0x001f01ff (instead of 0x00001ff)
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Wed, 26 Apr 2023 04:27:38 +0000 (16:27 +1200)]
pytest:sddl Samba had the wrong value for FA, now fix the tests
The tests that were in SddlWindowsFlagsAreDifferent have the behaviour
we want, and as we aim for Samba flags no longer being different, we
shift them to SddlNonCanonical. The tests in SddlSambaDoesItsOwnThing
are removed because they showed Samba's old behaviour around FA.
This will create knownfails, which will be fixed by the commit fixing the
value of "FA".
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Running LOCAL-IDMAP-TDB-COMMON
test_getnewid1: PASSED!
test_setmap1: PASSED!
test_unixid2sid1: PASSED!
test_sid2unixid1: could not create uid map!
TEST LOCAL-IDMAP-TDB-COMMON FAILED!
LOCAL-IDMAP-TDB-COMMON took 0.029819 secs
Freed frame ../../source3/torture/torture.c:15748, expected ../../source3/torture/test_idmap_tdb_common.c:986.
===============================================================
INTERNAL ERROR: Frame not freed in order. in pid 3692106 (4.19.0pre1-DEVELOPERBUILD)
If you are running a recent Samba version, and if you think this problem is not yet fixed in the latest versions, please consider reporting this bug, see https://wiki.samba.org/index.php/Bug_Reporting
===============================================================
PANIC (pid 3692106): Frame not freed in order. in 4.19.0pre1-DEVELOPERBUILD
BACKTRACE: 11 stack frames:
#0 bin/shared/private/libgenrand-samba4.so(log_stack_trace+0x32) [0x7f2f39b430ba]
#1 bin/shared/private/libgenrand-samba4.so(smb_panic_log+0x1dd) [0x7f2f39b43037]
#2 bin/shared/private/libgenrand-samba4.so(smb_panic+0x1c) [0x7f2f39b43056]
#3 bin/shared/libsamba-util.so.0(+0x75309) [0x7f2f3a659309]
#4 bin/shared/private/libtalloc-samba4.so(+0x5cc6) [0x7f2f3a758cc6]
#5 bin/shared/private/libtalloc-samba4.so(+0x6173) [0x7f2f3a759173]
#6 bin/shared/private/libtalloc-samba4.so(_talloc_free+0x10c) [0x7f2f3a75a54b]
#7 /data/samba/samba-review/bin/smbtorture3(main+0xa97) [0x55cb3dc8cedc]
#8 /lib/x86_64-linux-gnu/libc.so.6(+0x29d90) [0x7f2f396d4d90]
#9 /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0x80) [0x7f2f396d4e40]
#10 /data/samba/samba-review/bin/smbtorture3(_start+0x25) [0x55cb3dc59895]
smb_panic(): calling panic action [/data/samba/samba-review/selftest/gdb_backtrace 3692106]
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 22 Mar 2023 02:49:26 +0000 (15:49 +1300)]
libcli/security: SDDL parse tests to run on Windows
The C version tests the public SDDL API on Windows which seems to follow
Active Directory closely, though case in hex numbers is reversed vis-a-vis
defaultSecurityDescriptor.
The python version is less refined and tests powershell functions.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Sat, 15 Apr 2023 08:32:30 +0000 (20:32 +1200)]
pytest:sddl: SDDL strings where Windows behaviour differs
These ones we might want to match. They are understandable behaviours,
like matching lowercase flags and coping with whitespace in some
places. These tests are set up to document the differences without
overwhelming the knownfails.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Sat, 22 Apr 2023 06:11:49 +0000 (18:11 +1200)]
pytest:sddl: tweak some test strings
Adding, diversifying, and disambiguating. The leading portion of the
test strings will soon be used in the test name, and strings that
don't differ in the first hundred characters will cause naming
clashes. There is no good reason for them all to test the same flags
in the same order.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 13 Apr 2023 10:18:21 +0000 (22:18 +1200)]
pytest/sddl: split tests into canonical and non-canonical
The examples in the canonical list are already in the form that
Windows and Samba will use for that SD. We check the round trip.
The examples in the non-canonical list will change in a round trip, so
we also give the string we think they should end up as. These have
been checked on Windows.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Tue, 21 Mar 2023 00:05:55 +0000 (13:05 +1300)]
pytest/sddl: give test more of a name
I think it worked, but the convention is that tests have a test_ prefix,
and it wouldn't be surprising if something somewhere decides to depend on
that.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Tue, 11 Apr 2023 22:46:30 +0000 (10:46 +1200)]
libcli/security: disallow sddl access masks greater than 32 bits
Our previous behaviour (at least with glibc) was to clip off the extra
bits, so that 0x123456789 would become 0x23456789. That's kind of the
obvious thing, but is not what Windows does, which is to saturate the
value, rounding to 0xffffffff. The effect of this is to turn on all
the flags, which is quite possibly not what you meant.
Now we just return an error.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
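As an added example (not Samba's code) of the access-mask handling these commits touch: a small Python parser and encoder for the rights field of an SDDL ACE. It uses the corrected FA value 0x001f01ff from this log, treats whitespace between flag pairs the way the upgradeprovision commit further down says Windows does ("RP LCLORC" read as "RPLCLORC"), and lets the caller choose which of the three treatments of a hex mask wider than 32 bits described above it gets: the old clip to the low 32 bits, Windows' saturation to 0xffffffff, or an error. The FR/FW/FX values are the usual FILE_GENERIC_* masks and the rest of the right-name table and the greedy encoder are the example's own assumptions; none of that is stated on this page.

```python
import re


class SddlError(ValueError):
    """Raised for a rights string the parser refuses."""


# Two-letter SDDL rights and their bit values.  FA is the corrected value
# from this log; FR/FW/FX are the usual FILE_GENERIC_* masks and the rest
# are the generic, standard and object-specific rights (example's own table).
# Composite rights come first so the encoder prefers "FA" over spelling
# out its individual bits, the icacls-style output described above.
SDDL_RIGHTS = [
    ("FA", 0x001F01FF), ("FR", 0x00120089), ("FW", 0x00120116), ("FX", 0x001200A0),
    ("GA", 0x10000000), ("GX", 0x20000000), ("GW", 0x40000000), ("GR", 0x80000000),
    ("RC", 0x00020000), ("SD", 0x00010000), ("WD", 0x00040000), ("WO", 0x00080000),
    ("CC", 0x00000001), ("DC", 0x00000002), ("LC", 0x00000004), ("SW", 0x00000008),
    ("RP", 0x00000010), ("WP", 0x00000020), ("DT", 0x00000040), ("LO", 0x00000080),
    ("CR", 0x00000100),
]
RIGHTS_BY_NAME = dict(SDDL_RIGHTS)
MASK32 = 0xFFFFFFFF
HEX_RE = re.compile(r"0[xX][0-9a-fA-F]+")


def parse_access_mask(text, overflow="error"):
    """Turn the rights field of an SDDL ACE into a 32-bit access mask.

    `overflow` picks what happens to a hex value wider than 32 bits:
      "error"    -> raise SddlError     (Samba after the change above)
      "saturate" -> 0xffffffff          (Windows, per the commit message)
      "truncate" -> low 32 bits only    (Samba's old behaviour)
    """
    s = "".join(text.split())  # "RP LCLORC" is read as "RPLCLORC"
    if s[:2].lower() == "0x":
        if not HEX_RE.fullmatch(s):
            raise SddlError("bad hex access mask: %r" % text)
        value = int(s[2:], 16)
        if value > MASK32:
            if overflow == "error":
                raise SddlError("access mask %r wider than 32 bits" % text)
            if overflow == "saturate":
                return MASK32
            if overflow == "truncate":
                return value & MASK32
            raise ValueError("unknown overflow mode %r" % overflow)
        return value
    if len(s) % 2:
        raise SddlError("odd-length rights string: %r" % text)
    mask = 0
    for i in range(0, len(s), 2):
        name = s[i:i + 2].upper()  # Windows also matches lowercase flags
        if name not in RIGHTS_BY_NAME:
            raise SddlError("unknown right %r in %r" % (name, text))
        mask |= RIGHTS_BY_NAME[name]
    return mask


def encode_access_mask(mask):
    """Encode a mask as SDDL rights, greedily in table order, so a full
    FILE_ALL_ACCESS comes out as "FA" rather than a hex literal.  Bits no
    name covers send the whole mask back to hex (the example's choice)."""
    if not 0 <= mask <= MASK32:
        raise SddlError("mask out of range: %#x" % mask)
    names, remaining = [], mask
    for name, bits in SDDL_RIGHTS:
        if remaining & bits == bits:
            names.append(name)
            remaining &= ~bits
    if remaining:
        return "0x%x" % mask
    return "".join(names)


def overflow_behaviours(text):
    """Show the three treatments of one over-wide hex mask side by side;
    None stands for 'rejected'."""
    out = {}
    for mode in ("truncate", "saturate", "error"):
        try:
            out[mode] = parse_access_mask(text, overflow=mode)
        except SddlError:
            out[mode] = None
    return out


if __name__ == "__main__":
    print(hex(parse_access_mask("FA")))          # 0x1f01ff
    print(encode_access_mask(0x001F01FF))        # FA
    print(hex(parse_access_mask("RP LCLORC")))   # 0x20094
    print(overflow_behaviours("0x123456789"))    # truncate 0x23456789, saturate 0xffffffff, error None
```

The encoder only guarantees that `parse_access_mask(encode_access_mask(m)) == m`; the order in which it spells out individual rights is table order, not any canonical order, which the page does not define.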
Douglas Bagnall [Thu, 16 Mar 2023 08:17:56 +0000 (21:17 +1300)]
lib/sec/sddl: allow empty non-trailing ACL with flags
The string "S:D:P" is parsed by us and Windows into a valid struct,
which has an empty DACL with the PROTECTED flag, and an empty SACL.
This is reconstructed in canonical order as "D:PS:", which Windows
will correctly parse, but Samba has assumed the "S" is a bad DACL
flag. Now we don't make that assumption.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 16 Mar 2023 02:46:08 +0000 (15:46 +1300)]
libcli/sec/sddl decode: allow hex numbers in SIDs
These occur canonically when the identifier authority is > 2^32, but
also are accepted by Windows for any number.
There is a tricky case with an "O:" or "G:" SID that is immediately
followed by a "D:" dacl, because the "D" looks like a hex digit. When
we detect this we need to subtract one from the length.
We also need to look out for trailing garbage. This was not an
issue before because any string caught by the strspn(...,
"-0123456789") would be either rejected or fully consumed by
dom_sid_parse_talloc(), but with hex digits, a string like
"S-1-1-2x0xabcxxx-X" would be successfully parsed as "S-1-1-2", and
the "x0xabcxxx-X" would be skipped over. That's why we switch to using
dom_sid_parse_endp(), so we can compare the consumed length to the
expected length.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
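An added example, not Samba's code, of the SID-parsing rules the commit above describes: hex components anywhere in the SID, an "O:" owner SID whose trailing hex "D" has swallowed the "D:" DACL marker, and an end-pointer check so that a string like "S-1-1-2x0xabcxxx-X" is rejected as trailing garbage instead of being read as "S-1-1-2". It is written in Python rather than the C of libcli/security; the regex, the `Sid` tuple and the helper names are the example's own. The 48-bit identifier authority, 32-bit sub-authority and 15-sub-authority limits are the standard SID layout and are not stated on this page, and two-letter SID aliases such as "AU" are out of scope here.

```python
import re
from typing import NamedTuple, Tuple

# Characters that can follow the leading "S-" once hex numbers are allowed.
# "D" is among them, which is what makes "...D:" ambiguous.
SID_CHARS = set("-0123456789xXabcdefABCDEF")
MAX_SUB_AUTHS = 15


class SidError(ValueError):
    """Raised for a SID string the parser refuses."""


class Sid(NamedTuple):
    revision: int
    authority: int              # 48-bit identifier authority
    sub_auths: Tuple[int, ...]  # up to 15 32-bit sub-authorities


_NUM = r"(?:0[xX][0-9a-fA-F]+|[0-9]+)"      # decimal or 0x-prefixed hex
_SID_RE = re.compile(r"S-([0-9]+)-(" + _NUM + r")((?:-" + _NUM + r")*)")


def _num(tok):
    return int(tok, 16) if tok[:2].lower() == "0x" else int(tok, 10)


def parse_sid_endp(s, pos=0):
    """Parse one SID at s[pos:] and return (Sid, index just past it).

    In the spirit of a dom_sid_parse_endp()-style routine, this consumes
    as much as forms a SID and reports where it stopped, so the caller
    can decide whether whatever is left over is acceptable."""
    m = _SID_RE.match(s, pos)
    if m is None:
        raise SidError("no SID at offset %d in %r" % (pos, s))
    revision = int(m.group(1))
    authority = _num(m.group(2))
    subs = tuple(_num(t) for t in m.group(3).split("-")[1:])
    if revision != 1:
        raise SidError("unsupported SID revision %d" % revision)
    if authority > 0xFFFFFFFFFFFF:
        raise SidError("identifier authority wider than 48 bits")
    if len(subs) > MAX_SUB_AUTHS:
        raise SidError("more than %d sub-authorities" % MAX_SUB_AUTHS)
    if any(x > 0xFFFFFFFF for x in subs):
        raise SidError("sub-authority wider than 32 bits")
    return Sid(revision, authority, subs), m.end()


def parse_sddl_sid(s, pos=0):
    """Parse a literal "S-..." SID inside an SDDL string, starting at pos.

    Two things the number parser alone cannot see are handled here:
      * the span of SID-looking characters must be consumed entirely,
        otherwise it is trailing garbage ("S-1-1-2x0xabcxxx-X");
      * a hex component ending in "D" followed by ":" has eaten the
        "D:" DACL marker ("O:S-1-5-0x1D:..."), so that "D" is given back.
    Returns (Sid, index just past the SID)."""
    if s[pos:pos + 2] != "S-":
        raise SidError("expected 'S-' at offset %d in %r" % (pos, s))
    end = pos + 2
    while end < len(s) and s[end] in SID_CHARS:
        end += 1
    if end < len(s) and s[end] == ":" and s[end - 1] == "D":
        end -= 1                       # the "D" belongs to "D:"
    sid, consumed = parse_sid_endp(s[:end], pos)
    if consumed != end:
        raise SidError("trailing garbage %r after SID in %r" % (s[consumed:end], s))
    return sid, end


def split_owner(sddl):
    """For an SDDL string starting "O:S-...", return (owner Sid, rest)."""
    if not sddl.startswith("O:"):
        raise SidError("expected an O: owner SID")
    sid, end = parse_sddl_sid(sddl, 2)
    return sid, sddl[end:]


def sid_or_none(s):
    """Convenience for demonstrations: Sid on success, None on rejection."""
    try:
        return parse_sddl_sid(s)[0]
    except SidError:
        return None


if __name__ == "__main__":
    print(parse_sddl_sid("S-1-5-21-0x10-0x20"))   # hex accepted for any component
    print(split_owner("O:S-1-5-0x1D:P"))          # owner S-1-5-1, rest "D:P"
    print(sid_or_none("S-1-1-2x0xabcxxx-X"))      # None: trailing garbage
    print(sid_or_none("S-1-5-0xD:"))              # None: giving "D" back leaves a bare "0x"
```

The last case is the edge the "subtract one from the length" rule creates: once the "D" is handed back to the DACL marker, "0x" has no digits left, and the consumed-length check turns that into a rejection rather than a silently shortened SID.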
Douglas Bagnall [Fri, 21 Apr 2023 03:32:01 +0000 (15:32 +1200)]
libcli/security/dom_sid: use (unsigned char) in isdigit()
The man page notes:
The standards require that the argument c for these functions
is either EOF or a value that is representable in the type
unsigned char. If the argument c is of type char, it must be
cast to unsigned char, as in the following example:
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 12 Apr 2023 23:21:38 +0000 (11:21 +1200)]
pytest:sid_strings: test SIDs as search base
As a way of testing the interpretation of a SID string in a remote
server, we search on the base DN "<SID=x>" where x is a non-existent
or malformed SID.
On Windows some or all malformed SIDs are detected before the search
begins, resulting in a complaint about DN syntax rather than one about
missing objects.
From this we can get a picture of what Windows considers to be
a proper SID in this context.
Samba does not make a distinction here, always returning NO_SUCH_OBJECT.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 12 Apr 2023 01:31:40 +0000 (13:31 +1200)]
pytest:sid_strings: Windows and Samba divergent tests
The Samba side is aspirational -- what we actually do is generally
worse. However the Windows behaviour in these cases seems more
surprising still, and seems to be neither documented nor used.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 12 Apr 2023 23:47:19 +0000 (11:47 +1200)]
pytest:sid_strings: test the strings with local parsing
The reason the existing tests send the SID over the wire as SDDL for
defaultSecurityDescriptor is it is one of the few ways to force the
server to reckon with a SID-string as a SID. At least, that's the case
with Windows. In Samba we make no effort to decode the SDDL until it
comes to the time of creating an object, at which point we don't notice
the difference between bad SDDL and missing SDDL.
So here we add a set of dynamic tests that push the strings through our
SDDL parsing code. This doesn't tell us very much more, but it is very
quick and sort of confirms that the other tests are on the right track.
To run against Windows without also running the internal Samba tests,
add `SAMBA_SID_STRINGS_SKIP_LOCAL=1` to your environment variables.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 5 Apr 2023 03:16:21 +0000 (15:16 +1200)]
pytest:sid_strings: same timestamp for all tests in the run
We don't care about the exact time of the test, just that we
disambiguate between different runs (each run leaves an immutable scar
on the target server).
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Sat, 22 Apr 2023 20:41:23 +0000 (08:41 +1200)]
pytest:upgradeprovision: don't use misleading SDDL in tests
The ACE string "(A;CI;RP LCLORC;;;AU)", with a space after "RP", is
currently not parsed well by Samba.
At the moment we parse only the "RP" and ignore the " LCLORC". What
Windows would do is parse it as if it said "RPLCLORC", without the
space, thus using all the flags. It seems very likely we thought this
was happening with Samba.
Soon Samba will have Windows' behaviour here and it will be tested in
python/samba/tests/sddl.py. That means this test can relax and focus
on whatever it was trying to do with upgradeprovision. We thank it for
finding this discrepancy.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
s3:lib: Give better warnings about corrupted AppleDouble files
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Apr 27 09:25:50 UTC 2023 on atb-devel-224
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Apr 27 08:22:58 UTC 2023 on atb-devel-224
\314\066 and \3146 are the same, as \066 translates into the char '6'. In order
to address this we should do byte comparison in python.
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Alexander Bokovoy <ab@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
s3:torture: Fix possible array out of bounds access
In function ‘test_one’,
inlined from ‘retest’ at source3/torture/locktest2.c:401:8:
source3/torture/locktest2.c:331:37: error: array subscript 2 is above array bounds of ‘int[2][2][2]’ [-Werror=array-bounds=]
331 | fnum[server][fstype][conn][f] = try_open(cli[server][conn], nfs[server], fstype, FILENAME,
| ~~~~~~~~~~~~^~~~~~~~
source3/torture/locktest2.c: In function ‘retest’:
source3/torture/locktest2.c:390:23: note: while referencing ‘fnum’
390 | int fnum[NSERVERS][NUMFSTYPES][NCONNECTIONS][NFILES],
| ~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In function ‘test_one’,
inlined from ‘retest’ at source3/torture/locktest2.c:401:8:
source3/torture/locktest2.c:316:62: error: array subscript 2 is above array bounds of ‘int[2][2][2]’ [-Werror=array-bounds=]
316 | fnum[server][fstype][conn][f],
| ~~~~~~~~~~~~^~~~~~~~
source3/torture/locktest2.c: In function ‘retest’:
source3/torture/locktest2.c:390:23: note: while referencing ‘fnum’
390 | int fnum[NSERVERS][NUMFSTYPES][NCONNECTIONS][NFILES],
| ~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In function ‘test_one’,
inlined from ‘retest’ at source3/torture/locktest2.c:401:8:
source3/torture/locktest2.c:300:60: error: array subscript 2 is above array bounds of ‘int[2][2][2]’ [-Werror=array-bounds=]
300 | fnum[server][fstype][conn][f],
| ~~~~~~~~~~~~^~~~~~~~
source3/torture/locktest2.c: In function ‘retest’:
source3/torture/locktest2.c:390:23: note: while referencing ‘fnum’
390 | int fnum[NSERVERS][NUMFSTYPES][NCONNECTIONS][NFILES],
| ~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
dfs_server: Fix debug statement if searched_site is NULL
In file included from source4/include/includes.h:61,
from dfs_server/dfs_server_ad.c:21:
dfs_server/dfs_server_ad.c: In function ‘get_dcs.constprop’:
lib/util/debug.h:200:12: error: ‘%s’ directive argument is null [-Werror=format-overflow=]
200 | && (dbgtext body) )
| ~^~~~~~~~~~~~~
dfs_server/dfs_server_ad.c:462:25: note: in expansion of macro ‘DEBUG’
462 | DEBUG(2,(__location__ ": Site: %s %s\n",
| ^~~~~
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Missed two more places originally when introduced ROLE_IPA_DC.
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Tue Apr 25 07:46:36 UTC 2023 on atb-devel-224
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Björn Jacke <bjacke@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Apr 24 14:13:35 UTC 2023 on atb-devel-224
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Apr 20 12:56:53 UTC 2023 on atb-devel-224
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Apr 19 22:30:19 UTC 2023 on atb-devel-224