Joseph Sutton [Tue, 20 Jun 2023 00:56:45 +0000 (12:56 +1200)]
tests/krb5: Fix RBCD comments
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Tue, 20 Jun 2023 00:39:26 +0000 (12:39 +1200)]
tests/krb5: Don’t unnecessarily specify ‘id’
In tests where we have multiple accounts of the same type, we use the
‘id’ parameter to ensure that these accounts are all different, as some
restrictions are bypassed if an account authenticates to the selfsame
account. However, this is unnecessary if we already specify (with
‘use_cache=False’) that the cache is not to be used.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Mon, 19 Jun 2023 23:21:27 +0000 (11:21 +1200)]
s4:kdc: Remove unused ‘server’ parameter in pac_verify()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Mon, 19 Jun 2023 23:20:44 +0000 (11:20 +1200)]
s4:kdc: Handle new KDC_AUTH_EVENT_CLIENT_FOUND audit event
NOTE: This commit finally works again!
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Mon, 19 Jun 2023 23:15:50 +0000 (11:15 +1200)]
s4:kdc: Ensure that we don’t log PREAUTH_REQUIRED errors
Such errors were not logged in the past, either, but that was accidental
— a result of failing too early for an authentication event to be set —
rather than the auditing being deliberately designed that way.
Now that we have added the KDC_AUTH_EVENT_CLIENT_FOUND event, we want to
ensure that PREAUTH_REQUIRED errors continue to go unlogged.
NOTE: THIS COMMIT WON’T COMPILE/WORK ON ITS OWN!
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Mon, 19 Jun 2023 23:14:50 +0000 (11:14 +1200)]
s4:kdc: Update Samba KDC plugin to match new Heimdal version
NOTE: THIS COMMIT WON’T COMPILE/WORK ON ITS OWN!
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Wed, 21 Jun 2023 04:54:36 +0000 (16:54 +1200)]
tests/krb5: Add test for authenticating with disabled account and wrong password
This shows us that the client’s access is checked prior to passwords
being checked.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Mon, 19 Jun 2023 22:11:50 +0000 (10:11 +1200)]
tests/auth_log_pass_change: Fix flapping test
It appears that discardMessages() is still not entirely reliable. Ensure
that we filter out any messages from the Administrator’s authentication.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Mon, 19 Jun 2023 00:55:40 +0000 (12:55 +1200)]
netcmd: domain: Fix typo
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett [Sun, 25 Jun 2023 23:03:14 +0000 (11:03 +1200)]
Align samba_kdc_update_pac() prototype in pac-glue.h with the implementation in pac-glue.c
Commit 6bd3b4528d4b33c8f7ae6341d166bea3a06cd971 diverged the const
declarations in the header, this brings them back in alignnment as
is Samba's normal practice.
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Jun 26 00:26:37 UTC 2023 on atb-devel-224
Joseph Sutton [Fri, 16 Jun 2023 01:40:20 +0000 (13:40 +1200)]
s4:kdc: Move adding compounded authentication SID out of samba_kdc_obtain_user_info_dc()
We may not always want this SID to be present. For example, to enforce
authentication policies as Windows does, we’ll want the client’s
security token without this SID.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Fri, 16 Jun 2023 01:13:58 +0000 (13:13 +1200)]
s4:kdc: Have samba_kdc_update_pac_blob() do less
Previously this function obtained the auth_user_info_dc structure, then
used it to update the PAC blob. Now it does only one thing: fetch the
auth_user_info_dc info and return it to the caller, who can then call
samba_get_logon_info_pac_blob().
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 15 Jun 2023 23:40:57 +0000 (11:40 +1200)]
tests/krb5: Test more authentication logging of TGT lifetimes
It is useful to test a combination of device restrictions and TGT
lifetime restrictions so that we can check what TGT lifetime values end
up in the logs.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
netcmd: domain: add error handling to domain claims commands
Similar to the auth commands commit prior to this.
Where we wre catching LdbError before we now catch ModelError, all
exceptions that are known and handled in the model layer will have a
user-friendly error message.
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
netcmd: domain: add error handling to domain auth commands
Where we wre catching LdbError before we now catch ModelError, all
exceptions that are known and handled in the model layer will have a
user-friendly error message.
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
netcmd: domain: add model exceptions and error handling
* Only handle what we know, otherwise raise the existing LdbError
* Cutom messages added in the model layer so we don't have to do it in
the commands themselves
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
The message is stored in self._apply which also gets called by
self.refresh()
This is the better thing to do than fetching in save.
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
netcmd: domain: man page updates for auth silo and policy cli
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Add tests for model fields to ensure they behave as expected when
calling from_db_value and to_db_value methods.
Add a base class for the tests themselves via a mixin as unittest
doesn't support abstract test case classes.
For each field, from_db_value and to_db_value must either be a list or
a property that returns a list.
The list contains input values and expected values, the expected value
can also be a callback for more complex comparison, this is used for
the possible claim values xml.
It is important that singular values and list values are tested, and
also None to ensure that fields properly get unset when a model is
saved.
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
netcmd: domain: silo member add and remove does not write whole list
Writing the whole list at once can lead to data loss if multiple
administrators are doing this at the same time.
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
netcmd: domain: remove parse_guid and parse_text as they are no longer used
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
netcmd: domain: claims: base class is no longer required
base.py has been removed as this has all been moved to the model layer
as the auth commands ldb is now just a local variable
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
netcmd: domain: claims: move claim value type lookup by attribute to model
Also, there was no need for the cached property previously in the
command, as the command only calls this once.
Fetching all value types seems excessive now with the new model layer,
we just fetch the one we need and get a model object back.
Use the method lookup, it's consistent with the rest, and raise either
LookupError or ValueError.
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
netcmd: domain: claims: make use of AttributeSchema and ClassSchema models
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
netcmd: domain: add models for ClassSchema and AttributeSchema
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
And since the model layer has dramatically simplified the code in the
commands, ldb can just be a local variable.
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
netcmd: domain: add test for silo if policy is a dn
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
netcmd: move get_policy method from base class to the model
There isn't much left of the base class, the next thing is to remove
it.
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
netcmd: move method print_json to command base class
This is used in quite a few commands, move to base class.
This ensures the correct encoder class and settings are always used,
and they are only defined in one place.
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
netcmd: fix import sort/grouping as per python standard
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
This method is needed by just about every command and moving it here
is another step towards elinimanting the base classes in domain/auth
and domain/claim.
The base classes are almost empty now, since introducing the model
layer. The next step is to get rid of these base classes completely.
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
netcmd: domain: claims: use consistent naming for options
The name of the option should be the same as the attribute name.
You can still tell where it's being used (display_name), especially
now with the model layer:
ClaimType.get(ldb, display_name=name)
The silo commands tend to use the `cn` field, while the claims
commands use the `displayName` field, but the option is always called
`name` for consistency.
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
netcmd: domain: claim commands use the model layer
This makes it consistent with the auth silo code, both should now make
use of the models.
Claims commands are now using the model layer with one exception and
that is the get_attribute_from_schema and get_class_from_schema
methods in the base class.
These will be made into models in another commit.
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
netcmd: domain: fix claims constant name was wrong should be claim type CN
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
netcmd: domain: fix attributes created by test setUp method
Discovered this while converting the claims cli commands to use the
models, some tests failed.
The reason for this was that they relied on the attributes in the list
ATTRIBUTES to exist.
However, then we have to also prefix the attributes we create in the
test_claim_type_create test.
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
netcmd: domain: claim: show err if assertIsNone fails
Other tests do this too, this is very useful if things fail
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
netcmd: domain: rename claim tests for consistency
The domain_auth tests are also prefixed with domain, it matches the
cli command "samba-tool domain claim".
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
netcmd: domain: tests for auth silo command line tools
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
* samba-tool domain auth silo member list
* samba-tool domain auth silo member add
* samba-tool domain auth silo member remove
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
The ORM is somewhat inspired by Django, but it has some key
differences that make it work better with the Ldb database.
A field can be a singular value or a list, so a BooleanField can
either be True, or [True, False, True], or None.
The only thing that many=True does is say that the field "prefers" to
be a list, but really any field can be a list. For example when
creating a new object, it initialises the field as an empty list
rather than None if many=True.
When saving an object, if it is an update operation, only write the
fields that have actually changed.
When updating an object, any fields that are unset (set to None, or an
empty list) will be treated as a REMOVE operation.
Note that silo members should not be saved this way, writing the whole
list can lead to data loss if multiple admins are saving the silo at
the same time. Silo members will need to be handled differently, just
removing one member but not writing the whole list.
Unlike Django, there is no .objects class, instead there are a bunch
of static methods for querying:
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
netcmd: add custom json encoder for object type fields
The custom JSONEncoder class is also capable of encoding Dn objects to
str, and any object that has a __json__ method.
The __json__ method is not an official dunder method, but this has
been used by other frameworks too (like Pyramid).
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
netcmd: add optparse validators and Range validator
Add the ability to the add validators to optparse Option fields.
The Option class was already subclassed in `netcmd/__init__.py` so
adding some functionality to this was relatively easy.
Added the ability to add Validator classes to a field so that this can
be used for anything else in the future, but for now there is a Range
validator required by upcoming auto silo commands.
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Christof Schmitt [Wed, 31 May 2023 18:29:49 +0000 (11:29 -0700)]
vfs_gpfs: Move call to load GPFS library
Load the GPFS library from the connect function and leave the module
init for only the module registration.
Signed-off-by: Christof Schmitt <cs@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Sun Jun 25 16:06:37 UTC 2023 on atb-devel-224
Christof Schmitt [Wed, 31 May 2023 18:13:51 +0000 (11:13 -0700)]
vfs_gpfs: Register smbd process with GPFS
Issue API call to tell the file system that this is a Samba process.
This fixed the GPFS handling of Samba since the rename of smbd processes
in commit 5955dc1e4fd.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sat Jun 24 07:18:03 UTC 2023 on atb-devel-224
s4:dsdb/tests: Test Kerberos login with old password fails (but badPwdCount=0)
This demonstrates the pre-authentication failures with passwords from
the password history don't incremend badPwdCount, similar to the
NTLMSSP and simple bind cases. But it's still an interactive logon,
which doesn't use 'old password allowed period'.
Volker Lendecke [Tue, 20 Jun 2023 10:42:52 +0000 (12:42 +0200)]
vfs: Remove "sbuf" from readdir_fn()
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Jun 23 18:29:40 UTC 2023 on atb-devel-224
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Jun 23 14:51:14 UTC 2023 on atb-devel-224
projects / thirdparty / samba.git / log
