[Pkg-samba-maint] [Git][samba-team/samba][master] 501 commits: VERSION: Bump version up to 4.13.6...

Mathieu Parent (@sathieu) gitlab at salsa.debian.org
Mon Nov 1 08:02:37 GMT 2021



Mathieu Parent pushed to branch master at Debian Samba Team / samba


Commits:
b30c0416 by Karolin Seeger at 2021-03-09T09:16:21+01:00
VERSION: Bump version up to 4.13.6...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Karolin Seeger <kseeger at samba.org>

- - - - -
b3f66d56 by Karolin Seeger at 2021-03-19T09:15:36+01:00
VERSION: Bump version up to 4.13.6...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Karolin Seeger <kseeger at samba.org>
(cherry picked from commit b30c0416390ce4151a6bf97ea44e18e9d668e596)

- - - - -
99d849ab by Douglas Bagnall at 2021-03-19T09:15:47+01:00
ldb: add tests for ldb_wildcard_compare

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14044

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Björn Jacke <bjacke at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

(cherry-picked from commit 33a95a1e75b85e9795c4490b78ead2162e2a1f47)

- - - - -
736cdfad by Douglas Bagnall at 2021-03-19T09:15:47+01:00
CVE-2021-20277 ldb tests: ldb_match tests with extra spaces

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14655

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry-picked from commit for master)

- - - - -
309b18d5 by Andrew Bartlett at 2021-03-19T09:15:47+01:00
CVE-2021-20277 ldb: Remove tests from ldb_match_test that do not pass

This reverts some of the backport of 33a95a1e75b85e9795c4490b78ead2162e2a1f47

This is done here rather than squashed in the cherry-pick of the expanded testsuite
because it allows this commit to be simply reverted for the backport of bug 14044
if this lands first, or to be dropped if bug 14044 lands first.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14655

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

- - - - -
e0901deb by Douglas Bagnall at 2021-03-19T09:15:47+01:00
CVE-2021-20277 ldb/attrib_handlers casefold: stay in bounds

For a string that had N spaces at the beginning, we would
try to move N bytes beyond the end of the string.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14655

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

(cherry-picked from commit for master)

- - - - -
7924431e by Douglas Bagnall at 2021-03-19T09:15:47+01:00
CVE-2020-27840: pytests:segfault: add ldb.Dn validate test

ldb.Dn.validate wraps ldb_dn_explode.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14595

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
2193d840 by Douglas Bagnall at 2021-03-19T09:15:47+01:00
CVE-2020-27840 ldb_dn: avoid head corruption in ldb_dn_explode

A DN string with lots of trailing space can cause ldb_dn_explode() to
put a zero byte in the wrong place in the heap.

When a DN string has a value represented with trailing spaces,
like this

     "CN=foo   ,DC=bar"

the whitespace is supposed to be ignored. We keep track of this in the
`t` pointer, which is NULL when we are not walking through trailing
spaces, and points to the first space when we are. We are walking with
the `p` pointer, writing the value to `d`, and keeping the length in
`l`.

     "CN=foo   ,DC= "       ==>       "foo   "
            ^  ^                             ^
            t  p                             d
                                       --l---

The value is finished when we encounter a comma or the end of the
string. If `t` is not NULL at that point, we assume there are trailing
spaces and wind `d` and `l` back by the correct amount. Then we switch
to expecting an attribute name (e.g. "CN"), until we get to an "=",
which puts us back into looking for a value.

Unfortunately, we forget to immediately tell `t` that we'd finished
the last value, we can end up like this:

     "CN=foo   ,DC= "       ==>        ""
            ^      ^                    ^
            t      p                    d
                                        l=0

where `p` is pointing to a new value that contains only spaces, while
`t` is still referring to the old value. `p` notices the value ends,
and we subtract `p - t` from `d`:

     "CN=foo   ,DC= "       ==>  ?     ""
            ^       ^            ^
            t       p            d
                                      l ~= SIZE_MAX - 8

At that point `d` wants to terminate its string with a '\0', but
instead it terminates someone else's byte. This does not crash if the
number of trailing spaces is small, as `d` will point into a previous
value (a copy of "foo" in this example). Corrupting that value will
ultimately not matter, as we will soon try to allocate a buffer `l`
long, which will be greater than the available memory and the whole
operation will fail properly.

However, with more spaces, `d` will point into memory before the
beginning of the allocated buffer, with the exact offset depending on
the length of the earlier attributes and the number of spaces.

What about a longer DN with more attributes? For example,
"CN=foo     ,DC= ,DC=example,DC=com" -- since `d` has moved out of
bounds, won't we continue to use it and write more DN values into
mystery memory? Fortunately not, because the aforementioned allocation
of `l` bytes must happen first, and `l` is now huge. The allocation
happens in a talloc_memdup(), which is by default restricted to
allocating 256MB.

So this allows a person who controls a string parsed by ldb_dn_explode
to corrupt heap memory by placing a single zero byte at a chosen
offset before the allocated buffer.

An LDAP bind request can send a string DN as a username. This DN is
necessarily parsed before the password is checked, so an attacker does
not need proper credentials. The attacker can easily cause a denial of
service and we cannot rule out more subtle attacks.

The immediate solution is to reset `t` to NULL when a comma is
encountered, indicating that we are no longer looking at trailing
whitespace.

Found with the help of Honggfuzz.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14595

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
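
The pointer arithmetic described in the commit message above, as a simplified model added to this page (it is not part of the commit and is not ldb's code). The names `explode_model`, `run_case` and `trim_report` are hypothetical, escapes and quoting are left out, and the model only computes where the terminating '\0' would land and what `l` becomes, with and without resetting `t`; it never writes out of bounds.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* State at the first value terminator that went wrong, or at the last
 * terminator if nothing went wrong. */
struct trim_report {
    ptrdiff_t nul_off;  /* buffer offset where the value's '\0' would go */
    size_t len;         /* `l`, the value length that would be allocated */
    bool oob;           /* nul_off lies outside [0, cap) */
    bool len_wrapped;   /* `l` underflowed past the buffer size */
};

/* Walk a DN the way the commit message describes: `p` reads, `d` is the
 * write cursor (kept as an offset so nothing is really written), `l` is
 * the current value length and `t` marks the first trailing space.
 * reset_t_on_comma selects the fixed behaviour. */
static struct trim_report explode_model(const char *dn, bool reset_t_on_comma)
{
    struct trim_report r = { 0, 0, false, false };
    const size_t cap = strlen(dn) + 1;  /* output buffer is input-sized */
    const char *t = NULL;
    ptrdiff_t d = 0;
    size_t l = 0;
    bool in_value = false, started = false;

    for (const char *p = dn; ; p++) {
        const bool end = (*p == '\0');

        if (!in_value) {                /* attribute name, e.g. "CN" */
            if (end) break;
            d++;                        /* name byte, or '\0' replacing '=' */
            if (*p == '=') { in_value = true; started = false; l = 0; }
            continue;
        }
        if (!end && *p != ',') {        /* inside a value */
            if (*p == ' ') {
                if (!started) continue; /* leading spaces are skipped */
                if (t == NULL) t = p;   /* first trailing space */
            } else {
                started = true;
                t = NULL;
            }
            d++; l++;
            continue;
        }
        /* Value terminator: comma or end of string. */
        if (t != NULL) {
            d -= (p - t);               /* wind back over trailing spaces */
            l -= (size_t)(p - t);       /* wraps if `t` is stale */
            if (reset_t_on_comma) t = NULL;   /* the fix */
        }
        r.nul_off = d;
        r.len = l;
        r.oob = (d < 0 || (size_t)d >= cap);
        r.len_wrapped = (l >= cap);
        if (r.oob || r.len_wrapped || end) break;
        d++;                            /* the '\0' itself */
        in_value = false;
    }
    return r;
}

/* Constructed input: "CN=foo" + `spaces` spaces + ",DC= ". */
static struct trim_report run_case(size_t spaces, bool fixed)
{
    char dn[256];
    if (spaces > 200) spaces = 200;
    memcpy(dn, "CN=foo", 6);
    memset(dn + 6, ' ', spaces);
    memcpy(dn + 6 + spaces, ",DC= ", 6);    /* copies the '\0' too */
    return explode_model(dn, fixed);
}

int main(void)
{
    const size_t cases[] = { 0, 3, 8 };
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        for (int fixed = 0; fixed <= 1; fixed++) {
            struct trim_report r = run_case(cases[i], fixed != 0);
            printf("spaces=%zu %-5s nul_off=%td len=%zu oob=%d wrapped=%d\n",
                   cases[i], fixed ? "fixed" : "buggy",
                   r.nul_off, r.len, (int)r.oob, (int)r.len_wrapped);
        }
    }
    return 0;
}
```

With three spaces the stale `t` leaves the terminator inside the buffer but wraps `l`, which is the case the message says fails at allocation; with eight spaces the terminator offset goes negative, which is the write before the buffer.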

- - - - -
56a72e25 by Douglas Bagnall at 2021-03-19T09:15:47+01:00
CVE-2020-27840: pytests: move Dn.validate test to ldb

We had the test in the Samba Python segfault suite because
a) the signal catching infrastructure was there, and
b) the ldb tests lack Samba's knownfail mechanism, which allowed us to
   assert the failure.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14595

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
ef48e861 by Karolin Seeger at 2021-03-19T10:11:37+01:00
WHATSNEW: Add release notes for Samba 4.13.6.

Signed-off-by: Karolin Seeger <kseeger at samba.org>

- - - - -
440b75fd by Karolin Seeger at 2021-03-19T10:14:58+01:00
VERSION: Disable GIT_SNAPSHOT for the 4.13.6 release.

o BUG #14595: CVE-2020-27840: Heap corruption via crafted DN strings.
o BUG #14655: CVE-2021-20277: Out of bounds read in AD DC LDAP server.

Signed-off-by: Karolin Seeger <kseeger at samba.org>

- - - - -
7cb60d42 by Stefan Metzmacher at 2021-03-24T10:21:56+01:00
ldb: version 2.2.1

o BUG #14595: CVE-2020-27840: Heap corruption via crafted DN strings.
o BUG #14655: CVE-2021-20277: Out of bounds read in AD DC LDAP server.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Karolin Seeger <kseeger at samba.org>

- - - - -
2afbb6d4 by Stefan Metzmacher at 2021-03-24T10:31:11+01:00
VERSION: Bump version for Samba 4.13.7 release.

o BUG #14595: CVE-2020-27840: Heap corruption via crafted DN strings.
o BUG #14655: CVE-2021-20277: Out of bounds read in AD DC LDAP server.

Note this is exactly the same as 4.13.6, except that it
has a dependency on ldb version 2.2.1, which is needed if
someone builds against a system libldb.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Karolin Seeger <kseeger at samba.org>

- - - - -
bf1d38a7 by Karolin Seeger at 2021-03-24T10:59:29+01:00
WHATSNEW: Add release notes for Samba 4.13.7.

Signed-off-by: Karolin Seeger <kseeger at samba.org>

- - - - -
112d5f41 by Stefan Metzmacher at 2021-03-24T11:51:33+01:00
Merge tag 'samba-4.13.7' into HEAD

samba: tag release samba-4.13.7

Signed-off-by: Stefan Metzmacher <metze at samba.org>

- - - - -
5677103f by Stefan Metzmacher at 2021-03-24T11:52:22+01:00
VERSION: Bump version up to 4.13.8...

GIT_SNAPSHOT is already 'yes'.

Signed-off-by: Stefan Metzmacher <metze at samba.org>

- - - - -
4da1c230 by Stefan Metzmacher at 2021-03-31T09:22:17+00:00
third_party: Update socket_wrapper to version 1.3.2

This brings support for fd-passing of INET sockets.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11899

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit ab943babc3eb454186558f6e863996dfcf7a20ea)

- - - - -
f2be1673 by Stefan Metzmacher at 2021-03-31T09:22:17+00:00
third_party: Update socket_wrapper to version 1.3.3

This fixes a deadlock abort() when SOCKET_WRAPPER_KEEP_PCAP=1
is used.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14640

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>

Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Wed Mar 17 23:53:04 UTC 2021 on sn-devel-184

(cherry picked from commit 10c198827d977e07b411897556578d3aedce2184)

- - - - -
3aa06edf by Christof Schmitt at 2021-03-31T09:22:17+00:00
winbind: Only use unixid2sid mapping when module reports ID_MAPPED

Only consider a mapping to be valid when the idmap module reports
ID_MAPPED. Otherwise return the null SID.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14663

Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
(cherry picked from commit db2afa57e4aa926b478db1be4d693edbdf4d2a23)

- - - - -
af37d5ab by Christof Schmitt at 2021-03-31T09:22:17+00:00
idmap_rfc2307: Do not return SID from unixids_to_sids on type mismatch

The call to winbind_lookup_name already wrote the result in the id_map
array. The later check for the type detected a mismatch, but that did
not remove the SID from the result struct.

Change this by first assigning the SID to a temporary variable and only
write it to the id_map array after the type checks.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14663

Signed-off-by: Christof Schmitt <cs at samba.org>
(cherry picked from commit 79dd4b133c37451c98fe7f7c45da881e89e91ffc)

- - - - -
3f366878 by Christof Schmitt at 2021-03-31T09:22:17+00:00
idmap_nss: Do not return SID from unixids_to_sids on type mismatch

The call to winbind_lookup_name already wrote the result in the id_map
array. The later check for the type detected a mismatch, but that did
not remove the SID from the result struct.

Change this by first assigning the SID to a temporary variable and only
write it to the id_map array after the type checks.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14663

Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>

Autobuild-User(master): Volker Lendecke <vl at samba.org>
Autobuild-Date(master): Thu Mar 11 08:38:41 UTC 2021 on sn-devel-184

(cherry picked from commit 0e789ba1802ca22e5a01abd6e93ef66cd45566a7)

- - - - -
f8d67bc3 by Ralph Boehme at 2021-03-31T09:22:17+00:00
smbd: reset dangling watch_req pointer in poll_open_done

We just freed subreq and a pointer to subreq is stored in open_rec->watch_req,
so we must invalidate the pointer.

Otherwise if the poll open timer fires it will do a

  TALLOC_FREE(open_rec->watch_req);

on the dangling pointer which may crash or do something worse like freeing some
other random talloc memory.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14672
CI: https://gitlab.com/samba-team/samba/-/merge_requests/1843

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 065ed088b3d5710c288e46a5bf1e063f9a29c8cc)

- - - - -
27cd9103 by Ralph Boehme at 2021-03-31T09:22:17+00:00
smbd: cancel pending poll open timer in poll_open_done()

The retry of the open is scheduled below, avoid rescheduling it a second time in
the open retry timeout function.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14672
CI: https://gitlab.com/samba-team/samba/-/merge_requests/1843

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 171a58ff3e8ee07cf5d7af08eabcb4a7379e7ce5)

- - - - -
42e7b364 by Ralph Boehme at 2021-03-31T10:13:40+00:00
smbd: free open_rec state in remove_deferred_open_message_smb2_internal()

The lifetime of open_rec (struct deferred_open_record) objects is the time
processing the SMB open request every time the request is scheduled, ie once we
reschedule we must wipe the slate clean. In case the request gets deferred
again, a new open_rec will be created by the schedule functions.

This ensures any timer-event tied to the open_rec gets cancelled and doesn't
fire unexpectedly.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14672
CI: https://gitlab.com/samba-team/samba/-/merge_requests/1843
RN: smbd panic when two clients open same file

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Thu Mar 18 18:04:09 UTC 2021 on sn-devel-184

(cherry picked from commit 591c9196962b695b01c0d86918b8f8a263e9665c)

Autobuild-User(v4-13-test): Karolin Seeger <kseeger at samba.org>
Autobuild-Date(v4-13-test): Wed Mar 31 10:13:40 UTC 2021 on sn-devel-184

- - - - -
890cc945 by Ralph Boehme at 2021-04-01T11:27:17+00:00
pidl: set the per-request memory context in the pidl generator

The talloc memory context referenced by the pipe_struct mem_ctx member is used
as talloc parent for RPC response data by the RPC service implementations.

In Samba versions up to 4.10 all talloc children of p->mem_ctx were freed after
a RPC response was delivered by calling talloc_free_children(p->mem_ctx). Commit
60fa8e255254d38e9443bf96f2c0f31430be6ab8 removed this call which resulted in all
memory allocations on this context not getting released, which can consume
significant memory in long running RPC connections.

Instead of putting the talloc_free_children(p->mem_ctx) back, just use the
mem_ctx argument of the ${pipename}_op_dispatch_internal() function which is a
dcesrv_call_state object created by dcesrv_process_ncacn_packet() and released
by the RPC server when the RPC request processing is finished.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14675
CI: https://gitlab.com/samba-team/samba/-/merge_requests/1861

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
(cherry picked from commit 4c3fb2a5912966a61e7ebdb05eb3231a0e1d6033)

- - - - -
85b5657c by Ralph Boehme at 2021-04-01T11:27:17+00:00
spools: avoid leaking memory into the callers mem_ctx

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14675
CI: https://gitlab.com/samba-team/samba/-/merge_requests/1861

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
(cherry picked from commit 481176ec745c14b78fca68e01a61c83405a4b97b)

- - - - -
3644afc3 by Volker Lendecke at 2021-04-01T11:27:17+00:00
rpc_server3: Fix a memleak for internal pipes

state->call should not be talloc'ed off a long-lived context

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14675
CI: https://gitlab.com/samba-team/samba/-/merge_requests/1861
RN: Memory leak in the RPC server

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>

Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Wed Mar 31 12:14:01 UTC 2021 on sn-devel-184

(cherry picked from commit 12f516e4680753460e7fe8811e6c6ff70057580c)

- - - - -
a85f7995 by Jeremy Allison at 2021-04-01T11:27:17+00:00
s4: torture. Add smb2.lease.rename_wait test to reproduce regression in delay rename for lease break code.

Passes against Windows 10. Add to knownfail, the
next commit will fix this.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14679
CI: https://gitlab.com/samba-team/samba/-/merge_requests/1875

Back-ported from 8d9a0b8d57713781c72440c7e91746b5d89e6f6a.

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>

- - - - -
7436dde6 by Ralph Boehme at 2021-04-01T12:19:23+00:00
s3: smbd: fix deferred renames

This was broken by c7a9e0e4cdfb22e66533b5c8e20af3cfdb8ae78c.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14679
CI: https://gitlab.com/samba-team/samba/-/merge_requests/1875

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at amba.org>

Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Wed Mar 31 06:13:39 UTC 2021 on sn-devel-184

(cherry picked from commit 10d753868e810604d8f60673bbd48f55aaff0797)

Autobuild-User(v4-13-test): Karolin Seeger <kseeger at samba.org>
Autobuild-Date(v4-13-test): Thu Apr  1 12:19:23 UTC 2021 on sn-devel-184

- - - - -
56156a8f by Martin Schwenke at 2021-04-13T13:16:05+00:00
build: Only add -Wl,--as-needed when supported

If -Wl,--as-needed is added to EXTRA_LDFLAGS (via ADD_LDFLAGS, as per
commit 996560191ac6bd603901dcd6c0de5d239e019ef4) then on some
platforms (at least CentOS 8 and Fedora 33), any indirect/recursive
dependencies (i.e. private libraries) are added to both the
binary (reqid_test in the CTDB case) and to samba-util.so.  However,
only samba-util.so has rpath set to find private libraries.

When ld.so tries to resolve these dependencies for the binary it
fails. This may be a bug on those platforms, but it occurs reliably
and our users will also hit the bug.  For binaries that have other
private library dependencies (e.g. bundled talloc) rpath will contain
the private library directory so the duplicate private library
dependencies are then found... that is, when it works, it works by
accident!

For some reason (deep in waf or wafsamba) if -Wl,--as-needed is added to
LINKFLAGS (as is done in conf.add_as_needed()) then it works: the direct
dependencies are only added to samba-util.so and the same dependencies
(indirect dependencies for binaries) are not added incorrectly to the
binaries.

So, without changing 1/2 of waf/wafsamba the simplest fix is to revert
to adding -Wl,--as-needed to LINKFLAGS, which was the case before
commit 996560191ac6bd603901dcd6c0de5d239e019ef4.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14288
RN: Fix the build on OmniOS

Signed-off-by: Amitay Isaacs <amitay at gmail.com>
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Bjoern Jacke <bj at sernet.de>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(backported from commit ff1c3af603b47a7e8f9faad8d1c2e4a489559155)

Autobuild-User(v4-13-test): Karolin Seeger <kseeger at samba.org>
Autobuild-Date(v4-13-test): Tue Apr 13 13:16:05 UTC 2021 on sn-devel-184

- - - - -
2022e490 by Samuel Cabrero at 2021-04-19T07:53:48+00:00
s3-iremotewinspool: set the per-request memory context

The iremotewinspool service is not using the pidl autogenerated code.
Set the per-request memory context following the changes made in commit
5a7e9ade9a4cdfa68900c6a64b639f53c0da47ad.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14675
CI: https://gitlab.com/samba-team/samba/-/merge_requests/1890

Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>

Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Fri Apr  9 15:20:02 UTC 2021 on sn-devel-184

(cherry picked from commit 1efa9ffd7ae77ebf22b28c12dd642a89991b75d2)

Autobuild-User(v4-13-test): Karolin Seeger <kseeger at samba.org>
Autobuild-Date(v4-13-test): Mon Apr 19 07:53:48 UTC 2021 on sn-devel-184

- - - - -
2f7500d3 by Stefan Metzmacher at 2021-04-26T10:19:43+02:00
VERSION: Bump version up to 4.13.8...

GIT_SNAPSHOT is already 'yes'.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 5677103fe7b49ed7738d5df5e5231473c673e08c)

- - - - -
32c511d4 by Volker Lendecke at 2021-04-26T10:20:18+02:00
CVE-2021-20254 passdb: Simplify sids_to_unixids()

Best reviewed with "git show -b", there's a "continue" statement that
changes subsequent indentation.

Decouple lookup status of ids from ID_TYPE_NOT_SPECIFIED

Bug: https://bugzilla.samba.org/show_bug.cgi?id=14571

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

(backported from patch from master)
[backport by npower at samba.org as master commit
 493f5d6b078e0b0f80d1ef25043e2834cb4fcb87 and
 58e9b62222ad62c81cdf11d704859a227cb2902b creates conflicts
 due to rename of WBC_ID_TYPE_* -> ID_TYPE_*]

- - - - -
058aaad5 by Karolin Seeger at 2021-04-26T12:45:26+02:00
WHATSNEW: Add release notes for Samba 4.13.8.

Signed-off-by: Karolin Seeger <kseeger at samba.org>

- - - - -
a44be607 by Karolin Seeger at 2021-04-26T13:09:40+02:00
VERSION: Enable GIT_SNAPSHOT.

Signed-off-by: Karolin Seeger <kseeger at samba.org>

- - - - -
39d9e71c by Volker Lendecke at 2021-04-26T13:09:40+02:00
CVE-2021-20254 passdb: Simplify sids_to_unixids()

Best reviewed with "git show -b", there's a "continue" statement that
changes subsequent indentation.

Decouple lookup status of ids from ID_TYPE_NOT_SPECIFIED

Bug: https://bugzilla.samba.org/show_bug.cgi?id=14571

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

(backported from patch from master)
[backport by npower at samba.org as master commit
 493f5d6b078e0b0f80d1ef25043e2834cb4fcb87 and
 58e9b62222ad62c81cdf11d704859a227cb2902b creates conflicts
 due to rename of WBC_ID_TYPE_* -> ID_TYPE_*]

- - - - -
dc853e70 by Karolin Seeger at 2021-04-26T13:09:40+02:00
WHATSNEW: Add release notes for Samba 4.13.8.

Signed-off-by: Karolin Seeger <kseeger at samba.org>

- - - - -
692d5287 by Karolin Seeger at 2021-04-26T13:39:21+02:00
VERSION: Disable GIT_SNAPSHOT for the 4.13.8 release.

BUG 14571: CVE-2021-20254: Buffer overrun in sids_to_unixids().

Signed-off-by: Karolin Seeger <kseeger at samba.org>

- - - - -
5e9cd053 by Karolin Seeger at 2021-04-29T11:11:10+02:00
Merge tag 'samba-4.13.8' into v4-13-test

samba: tag release samba-4.13.8

- - - - -
4484b030 by Karolin Seeger at 2021-04-29T11:11:31+02:00
VERSION: Bump version up to 4.13.9.

Signed-off-by: Karolin Seeger <kseeger at samba.org>

- - - - -
bd6f38ed by Andrew Bartlett at 2021-05-03T08:17:13+00:00
debug: Synchronise "log level" in smb.conf with the code

This is done by pasting in the contents of default_classname_table[]
in lib/util/debug.c into
cut -f 2 -d \"| xargs -i sh -c 'echo "\t<listitem><para><parameter moreinfo=\"none\">{}</parameter></para></listitem>"'

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14689

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 0d30d74e89829cc7b4faa6ba835e3d90c1c410aa)

- - - - -
56e4cb8f by Andrew Bartlett at 2021-05-03T08:17:13+00:00
docs: Add missing documentation on dsdb_group_audit and dsdb_group_audit_json

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14689

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 2e533664e756ccde8fc1b3e41e70437c9e7bafcd)

- - - - -
78562c46 by Andrew Bartlett at 2021-05-03T08:17:13+00:00
docs: Add proper explanation on why transactions need to be audited.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14689

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit a778a3a6420f094a953563b87f84457fdebd20a3)

- - - - -
ef386397 by Andrew Bartlett at 2021-05-03T08:17:13+00:00
docs: Further discourage the use of the "event notification" options

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14689

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 364b8be9816b34b2a1b07c6259345c406d68c9f2)

- - - - -
83c39f1e by Andrew Bartlett at 2021-05-03T08:17:13+00:00
docs: underline special words in the audit logging part of "log level" in man smb.conf

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14689

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit d03e7ffcff32452bb92f2ced9f06cbeab9843e04)

- - - - -
8feeac11 by Andrew Bartlett at 2021-05-03T08:17:13+00:00
docs: Expand the "log level" docs on audit logging

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14689

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 38fe888f95f8d22736080ed521939be932e7bca0)

- - - - -
aae24152 by Jeremy Allison at 2021-05-03T09:06:36+00:00
s3: smbd: SMB1 SMBsplwr doesn't send a reply packet on success.

Missing call to set up req->outbuf means no reply is sent.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14696

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>

Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Thu Apr 29 21:27:58 UTC 2021 on sn-devel-184

(cherry picked from commit 47d79d7e7e406f7dd204ded7c72cfed3e0761ad5)

Autobuild-User(v4-13-test): Karolin Seeger <kseeger at samba.org>
Autobuild-Date(v4-13-test): Mon May  3 09:06:36 UTC 2021 on sn-devel-184

- - - - -
6afc37ae by Karolin Seeger at 2021-05-11T09:50:16+02:00
WHATSNEW: Add release notes for Samba 4.13.9.

Signed-off-by: Karolin Seeger <kseeger at samba.org>

- - - - -
37540e4f by Karolin Seeger at 2021-05-11T09:51:07+02:00
VERSION: Disable GIT_SNAPSHOT for the Samba 4.13.9 release.

Signed-off-by: Karolin Seeger <kseeger at samba.org>

- - - - -
ca362d33 by Karolin Seeger at 2021-05-11T09:52:03+02:00
VERSION: Bump version up to 4.13.10...

and re-enable GIT_SNAPSHOT

Signed-off-by: Karolin Seeger <kseeger at samba.org>

- - - - -
13061573 by Stefan Metzmacher at 2021-05-11T10:23:11+02:00
Revert "VERSION: Bump version up to 4.13.10..." for now

This reverts commit ca362d33d752459e9f799d49a944247f50e124a2.

- - - - -
1d232e39 by Stefan Metzmacher at 2021-05-11T10:26:38+02:00
Merge branch 'v4-13-stable' into 'v4-13-test' again for the 4.13.9 release

Somehow the samba-4.13.8 was not done in v4-13-stable...

This merge has no changes, but it allows us to sync the
history between v4-13-test and v4-13-stable again.

Signed-off-by: Stefan Metzmacher <metze at samba.org>

- - - - -
46c07154 by Karolin Seeger at 2021-05-11T10:27:07+02:00
VERSION: Bump version up to 4.13.10...

and re-enable GIT_SNAPSHOT

Signed-off-by: Karolin Seeger <kseeger at samba.org>
(cherry picked from commit ca362d33d752459e9f799d49a944247f50e124a2)

- - - - -
abcddbae by Jeremy Allison at 2021-05-21T08:50:20+00:00
s3: smbd: Ensure POSIX default ACL is mapped into returned Windows ACL for directory handles.

Remove knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14708

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>

Autobuild-User(master): Noel Power <npower at samba.org>
Autobuild-Date(master): Wed May 19 09:22:56 UTC 2021 on sn-devel-184

(cherry picked from commit b7f62e13933da14c381f70cd46ad13849b108e68)

Autobuild-User(v4-13-test): Karolin Seeger <kseeger at samba.org>
Autobuild-Date(v4-13-test): Fri May 21 08:50:20 UTC 2021 on sn-devel-184

- - - - -
83511576 by Volker Lendecke at 2021-05-25T08:09:12+00:00
ctdb: fix typos

Bug: https://bugzilla.samba.org/show_bug.cgi?id=14475
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit f188c9d732e4b9b3d37c4cb09608aba747845997)

- - - - -
5e55d2c0 by Volker Lendecke at 2021-05-25T08:09:12+00:00
ctdb: Call run_event_recv() in a callback function

Triggers a different code path in run_event_* and aligns it more with what
the ctdb eventd really does.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=14475
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 9398d4b912387be8cde0c2ca30734eca7d547d19)

- - - - -
e70a8cbd by Volker Lendecke at 2021-05-25T08:09:12+00:00
ctdb: Introduce a helper variable in run_event_test.c

Bug: https://bugzilla.samba.org/show_bug.cgi?id=14475
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 07ab9b7a71d59f3ff2b9dee662632315062213ab)

- - - - -
87265cef by Volker Lendecke at 2021-05-25T08:09:12+00:00
ctdb: Wait for SIGCHLD if script timed out

Bug: https://bugzilla.samba.org/show_bug.cgi?id=14475
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 19290f10c7d39e055847eb45affd9e229a116b18)

- - - - -
037f4b8f by Volker Lendecke at 2021-05-25T08:09:12+00:00
ctdb: Introduce output before and after the 10-second timeout

This will lead to a crash in run_event_test.c soon

Bug: https://bugzilla.samba.org/show_bug.cgi?id=14475
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit f320d1a7ab0f81eefdb28b36bfe346eacb8980de)

- - - - -
c67dbd55 by Volker Lendecke at 2021-05-25T08:55:59+00:00
ctdb: Fix a crash in run_proc_signal_handler()

If a script times out the caller can talloc_free() the script_list
output of run_event_recv, which talloc_free's proc->output from
run_proc.c as well. If the script generates further output after the
timeout and then exits after a while, the SIGCHLD handler in the
eventd tries to read into proc->output, which was already free'ed.

Fix this by not doing just a talloc_steal but a talloc_move. This way
proc_read_handler() called from run_proc_signal_handler() does not try
to realloc the stale reference to proc->output but gets a NULL
reference.

I don't really know how to do a knownfail in ctdb, so this commit
actually activates catching the signal by waiting long enough for
22.bar to exit and generate the SIGCHLD.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=14475
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit adef87a621b17baf746d12f991c60a8a3ffcfcd3)

Autobuild-User(v4-13-test): Karolin Seeger <kseeger at samba.org>
Autobuild-Date(v4-13-test): Tue May 25 08:55:59 UTC 2021 on sn-devel-184

- - - - -
37233cbd by Ralph Boehme at 2021-05-26T10:55:14+00:00
torture: add a test that verifies SMB2 close fields without postqueryattrib

The server must set all fields to 0 if postqueryattrib is not set.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14714

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit ac9042ff4dc6c892764abd23a9445116ad40e62a)

- - - - -
5d4bbaff by Ralph Boehme at 2021-05-26T11:43:14+00:00
smbd: correctly initialize close timestamp fields

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14714

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Mon May 24 16:56:22 UTC 2021 on sn-devel-184

(cherry picked from commit f96cc29711181b5237a5b92c4bfb5e75fe2a73b9)

Autobuild-User(v4-13-test): Karolin Seeger <kseeger at samba.org>
Autobuild-Date(v4-13-test): Wed May 26 11:43:14 UTC 2021 on sn-devel-184

- - - - -
0b75c272 by Jeremy Allison at 2021-07-12T10:13:08+00:00
s3: lib: Fix talloc hierarchy error in parent_smb_fname().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14722

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit c500d99e2f5aaec102bf952b7941a2596b3e35a1)

- - - - -
b0746202 by Jeremy Allison at 2021-07-12T10:13:08+00:00
s3: smbd: Remove erroneous TALLOC_FREE(smb_fname_parent) in change_file_owner_to_parent() error path.

Caller is still using this!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14736

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>

Autobuild-User(master): Noel Power <npower at samba.org>
Autobuild-Date(master): Fri Jun 11 10:17:46 UTC 2021 on sn-devel-184

(cherry picked from commit 4f20d310af2bb1f96dea4810a7130492cc4cfc55)

- - - - -
0484804d by Ralph Boehme at 2021-07-12T10:13:08+00:00
mdssvc: use a helper variable in mds_add_result()

No change in behaviour.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14740

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit e2486d76b611f07b85b26c54fe14da7b76bd01c2)

- - - - -
dce4c5ed by Ralph Boehme at 2021-07-12T10:13:08+00:00
mdssvc: don't fail mds_add_result() if result is not found in CNID set

Just skip adding the result to the pending results set, don't return an
error. Returning an error triggers an error at the MDSSVC RPC error which is NOT
what we want here.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14740

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 8847f46f75ac5c1a753a0e7da88c522be25ef681)

- - - - -
63ff1e37 by Ralph Boehme at 2021-07-12T10:13:08+00:00
mdssvc: pass messaging context to mds_init_ctx()

This is needed in a subsequent commit. Note that I prefer to do the event
context unwrapping in the caller and pass both the event and messaging context
explicitly to mds_init_ctx().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14740

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 1ef2828e1025e4c89292df1dfa6161c4453b3afe)

- - - - -
60e091a1 by Ralph Boehme at 2021-07-12T10:13:08+00:00
smbd: pass tevent context to create_conn_struct_as_root()

The next commit will add another caller of create_conn_struct_as_root() that is
going to pass a long-lived tevent context.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14740

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 16c39b81d6f2c7d75cfe72bbbe2f6a5bde42c7b0)

- - - - -
48b2dc3c by Ralph Boehme at 2021-07-12T10:13:08+00:00
smbd: add create_conn_struct_cwd()

Compared to create_conn_struct_tos_cwd() this takes a TALLOC_CTX and
tevent_context as additional arguments and the resulting connection_struct is
stable across the lifetime of mem_ctx and ev.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14740

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 9a2d6bcfd5797dd4db764921548c8dca6dd0eb21)

- - - - -
7c924449 by Ralph Boehme at 2021-07-12T10:13:08+00:00
mdssvc: maintain a connection struct in the mds_ctx

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14740

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 8b681cfb5d9b1ece03f7e7b9d3a08ae6c461d679)

- - - - -
9f4e3da5 by Ralph Boehme at 2021-07-12T10:13:08+00:00
mdssvc: chdir() to the conn of the RPC request

In preparation for calling VFS functions.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14740

Reviewed-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 6de3a88494b5932d0fd10f5c8c8ec57916aeefc5)

- - - - -
a708c9b4 by Ralph Boehme at 2021-07-12T10:13:08+00:00
mdssvc: avoid direct filesystem access, use the VFS

This ensures mdssvc uses the same FileIDs as the fileserver, and that Spotlight
can be used on a virtual filesystem like GlusterFS.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14740
RN: Spotlight RPC service doesn't work with vfs_glusterfs

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Wed Jun 16 05:59:13 UTC 2021 on sn-devel-184

(backported from commit 620b99144359f45aa69c13731db8d793cfbba197)
[slow at samba.org: use path based VFS functions, not the handle based ones]

- - - - -
b01c4526 by Jeremy Allison at 2021-07-12T11:03:04+00:00
s3: smbd: Fix uninitialized memory read in process_symlink_open() when used with vfs_shadow_copy2().

Valgrind trace follows.

==3627798== Invalid read of size 1
==3627798==    at 0x483FF46: strlen (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==3627798==    by 0x55DE412: strdup (strdup.c:41)
==3627798==    by 0x4F4657E: smb_xstrdup (util.c:660)
==3627798==    by 0x4C62C2E: vfs_ChDir (vfs.c:988)
==3627798==    by 0x4C4A51C: process_symlink_open (open.c:656)
==3627798==    by 0x4C4ADE7: non_widelink_open (open.c:862)
==3627798==    by 0x4C4AFB7: fd_openat (open.c:918)
==3627798==    by 0x4BBE895: openat_pathref_fsp (files.c:506)
==3627798==    by 0x4C48A00: filename_convert_internal (filename.c:2027)
==3627798==    by 0x4C48B77: filename_convert (filename.c:2067)
==3627798==    by 0x4C32408: call_trans2qfilepathinfo (trans2.c:6173)
==3627798==    by 0x4C3C5DA: handle_trans2 (trans2.c:10143)
==3627798==  Address 0xda8bc90 is 96 bytes inside a block of size 217 free'd
==3627798==    at 0x483DA3F: free (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==3627798==    by 0x4FCA3C9: _tc_free_internal (talloc.c:1222)
==3627798==    by 0x4FCA481: _talloc_free_internal (talloc.c:1248)
==3627798==    by 0x4FCB825: _talloc_free (talloc.c:1792)
==3627798==    by 0xDB248DD: store_cwd_data (vfs_shadow_copy2.c:1473)
==3627798==    by 0xDB24BEF: shadow_copy2_chdir (vfs_shadow_copy2.c:1542)
==3627798==    by 0x4C662A4: smb_vfs_call_chdir (vfs.c:2257)
==3627798==    by 0x4C62B48: vfs_ChDir (vfs.c:940)
==3627798==    by 0x4C4A51C: process_symlink_open (open.c:656)
==3627798==    by 0x4C4ADE7: non_widelink_open (open.c:862)
==3627798==    by 0x4C4AFB7: fd_openat (open.c:918)
==3627798==    by 0x4BBE895: openat_pathref_fsp (files.c:506)
==3627798==  Block was alloc'd at
==3627798==    at 0x483C7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==3627798==    by 0x4FC9365: __talloc_with_prefix (talloc.c:783)
==3627798==    by 0x4FC94FF: __talloc (talloc.c:825)
==3627798==    by 0x4FCCFDC: __talloc_strlendup (talloc.c:2454)
==3627798==    by 0x4FCD096: talloc_strdup (talloc.c:2470)
==3627798==    by 0xDB24977: store_cwd_data (vfs_shadow_copy2.c:1476)
==3627798==    by 0xDB24BEF: shadow_copy2_chdir (vfs_shadow_copy2.c:1542)
==3627798==    by 0x4C662A4: smb_vfs_call_chdir (vfs.c:2257)
==3627798==    by 0x4C62B48: vfs_ChDir (vfs.c:940)
==3627798==    by 0x4C4A92D: non_widelink_open (open.c:755)
==3627798==    by 0x4C4AFB7: fd_openat (open.c:918)
==3627798==    by 0x4BBE895: openat_pathref_fsp (files.c:506)
==3627798==

Even though SMB_VFS_CONNECTPATH() returns a const char,
vfs_shadow_copy2() can free and reallocate this whilst
in use inside process_symlink_open().

Take a copy to make sure we don't reference free'd memory.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14721

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Böhme <slow at samba.org>

Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Thu May 27 17:25:43 UTC 2021 on sn-devel-184

(cherry picked from commit 2f0cfe82907516ecf23cc385d41b8d29ed6b8c96)

Autobuild-User(v4-13-test): Karolin Seeger <kseeger at samba.org>
Autobuild-Date(v4-13-test): Mon Jul 12 11:03:04 UTC 2021 on sn-devel-184

- - - - -
6e284db7 by Andrew Bartlett at 2021-07-13T12:31:15+00:00
samba-tool domain backup: Confirm the sidForRestore we will put into the backup is free

Otherwise the administrator might only find there is a problem once they
attempt to restore the domain!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14575
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
(cherry picked from commit 15609cb91986b3e29c5b1a3b6c69c04829f43eb4)

- - - - -
d0bde570 by Andrew Bartlett at 2021-07-13T12:31:15+00:00
samba-tool: Give better error information when the 'domain backup restore' fails with a duplicate SID

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14575

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

Autobuild-User(master): Gary Lockyer <gary at samba.org>
Autobuild-Date(master): Thu Nov 26 21:15:40 UTC 2020 on sn-devel-184

(cherry picked from commit 8ad82ae66157c893a2b84d353ec4d9feb4815ede)

- - - - -
6569d0b9 by Joseph Sutton at 2021-07-13T12:31:15+00:00
netcmd: Add test for an offline backup of a directory containing hardlinks

This test verifies that when performing an offline backup of a domain
where the directories to be backed up contain hardlinks, only one
instance of each file is backed up, and that files in the private
directory take precedence.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14027

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
(cherry picked from commit 0e5738887524b467bfebcf657bcb00ed71827784)

- - - - -
4a68b1cb by Joseph Sutton at 2021-07-13T12:31:15+00:00
netcmd: Add test for an offline backup of nested directories

This test verifies that when performing an offline backup of a domain
where one of the directories to be backed up is nested inside another,
the contained files are only included once in the backup.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14027

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
(cherry picked from commit f994783f4279884ec4d2ee3e7db80fb7af267d1c)

- - - - -
54c353e9 by Joseph Sutton at 2021-07-13T12:31:15+00:00
netcmd: Determine which files are to be copied for an offline domain backup

The old behaviour attempted to check for and remove files with duplicate
names, but did not do so due to a bug, and would have left undetermined
which files were given priority when duplicate filenames were present.
Now when hardlinks are present, only one instance of each file is
chosen, with files in the private directory having priority. If one
backup dir is nested inside another, the files contained in the nested
directory are only added once. Additionally, the BIND DNS database is
omitted from the backup.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14027

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
(cherry picked from commit 3723148e7aa7e6d4a48a1a38112f121f52b6ee6f)

- - - - -
303a0ecd by Joseph Sutton at 2021-07-13T12:31:15+00:00
netcmd: Avoid database corruption by opting not to create database files during an offline domain backup

If backup dirs contain hardlinks, the backup process could previously
attempt to open an LMDB database already opened during the backup,
causing it to be recreated as a new TDB database. This commit ensures
that new database files are not created during this operation, and that
the main SamDB database is not modified.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14027

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
(cherry picked from commit 4cf773591d49166b8c7ef8d637d7edfe755d48aa)

- - - - -
445fb770 by Joseph Sutton at 2021-07-13T12:31:15+00:00
netcmd: Fix error-checking condition

This condition probably meant to check the argument of the most recently
thrown exception, rather than the previous one again.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14669

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit e8c242bed19432d96e78dc345ab5f06422c5b104)

- - - - -
00444ac6 by Joseph Sutton at 2021-07-13T12:31:15+00:00
netcmd: Ignore rIDUsedPool attribute in offline domain backup test

The RID Set of the newly created DC account has all its values
initialised to zero. If the rIDUsedPool attribute was previously
non-zero, then the restore process will cause its value to change.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14669

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit 658e5a6cc20b57f48477affd370fe25458178b92)

- - - - -
b3d59842 by Joseph Sutton at 2021-07-13T12:31:15+00:00
netcmd: Add tests for performing an offline backup immediately after joining a domain

This currently fails due to the DC not having a rIDNextRID attribute,
which is required for the restore process.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14669

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit b7e6a1c5da7283c49586dc29f85ab19e0e57b0f6)

- - - - -
afad2fd9 by Joseph Sutton at 2021-07-13T12:31:15+00:00
dsdb: Add next_free_rid() function to allocate a RID without modifying the database

If used to generate SIDs for objects, care should be taken, as the
possibility for having duplicate objectSIDs can arise.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14669

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit cc98e03e7a0f2bf7a1ace2950fe6500f53640c1b)

- - - - -
e5c3a675 by Joseph Sutton at 2021-07-13T12:31:15+00:00
python/tests/dsdb: Add tests for RID allocation functions

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14669

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit 7c7cad81844950c3efe9a540a47b9d4e1ce1b2a1)

- - - - -
82e0f3e7 by Joseph Sutton at 2021-07-13T12:31:15+00:00
netcmd: Use next_free_rid() function to calculate a SID for restoring a backup

This means we won't get errors if the DC doesn't have a rIDNextRID
attribute, but we will still error if there is no RID Set or if all its
pools are exhausted.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14669

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit 59d293b60608172ae61551c642d13d3b215924e4)

- - - - -
7065f203 by Stefan Metzmacher at 2021-07-13T12:31:15+00:00
gensec_krb5: restore ipv6 support for kpasswd

We need to offer as much space as we have in order to
get the address out of tsocket_address_bsd_sockaddr().

This fixes a regression in commit
43c808f2ff907497dfff0988ff90a48fdcfc16ef.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14750

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 0388a8f33bdde49f1cc805a0291859203c1a52b4)

- - - - -
b9b1d98a by Stefan Metzmacher at 2021-07-13T13:18:20+00:00
smbXsrv_{open,session,tcon}: protect smbXsrv_{open,session,tcon}_global_traverse_fn against invalid records

I saw systems with locking.tdb records being part of:
  ctdb catdb smbXsrv_tcon_global.tdb

It's yet unknown how that happened, but we should not panic in srvsvc_*
calls because the info0 pointer was NULL.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14752

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>

Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Tue Jul  6 11:08:43 UTC 2021 on sn-devel-184

(cherry picked from commit 00bab5b3c821f272153a25ded9743460887a7907)

Autobuild-User(v4-13-test): Karolin Seeger <kseeger at samba.org>
Autobuild-Date(v4-13-test): Tue Jul 13 13:18:20 UTC 2021 on sn-devel-184

- - - - -
22882df5 by Karolin Seeger at 2021-07-14T08:30:52+02:00
WHATSNEW: Add release notes for Samba 4.13.10.

Signed-off-by: Karolin Seeger <kseeger at samba.org>

- - - - -
85bb9588 by Karolin Seeger at 2021-07-14T08:31:24+02:00
VERSION: Disable GIT_SNAPSHOT for the 4.13.10 release.

Signed-off-by: Karolin Seeger <kseeger at samba.org>

- - - - -
6fa28f4e by Karolin Seeger at 2021-07-14T08:31:55+02:00
VERSION: Bump version up to Samba 4.13.11...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Karolin Seeger <kseeger at samba.org>

- - - - -
e38295a0 by Stefan Metzmacher at 2021-07-19T06:18:12+00:00
s4:torture/smb2: add smb2.read.bug14607 test

This test will use a FSCTL_SMBTORTURE_GLOBAL_READ_RESPONSE_BODY_PADDING8
in order to change the server behavior of READ responses regarding
the data offset.

It will demonstrate the problem in smb2cli_read*() triggered
by NetApp Ontap servers.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14607

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit b3c9823d907b91632679e6f0ffce1b7192e4b9b6)

- - - - -
5d98e2f2 by Stefan Metzmacher at 2021-07-19T06:18:12+00:00
s3:smbd: introduce a body_size variable in smbd_smb2_request_read_done

This will simplify the following changes.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14607

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 5ecac656fde4e81aa6e51e7b3134ea3fb75f564a)

- - - - -
d4d9bc84 by Stefan Metzmacher at 2021-07-19T06:18:12+00:00
s3:smbd: implement FSCTL_SMBTORTURE_GLOBAL_READ_RESPONSE_BODY_PADDING8

This turns the 'smb2.read.bug14607' test from 'skip' into 'xfailure',
as the 2nd smb2cli_read() function will now return
NT_STATUS_INVALID_NETWORK_RESPONSE.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14607

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit ef57fba5dbf359b204ba952451e1e33ed68f1c91)

- - - - -
f47e9965 by Stefan Metzmacher at 2021-07-19T06:18:12+00:00
libcli/smb: make smb2cli_ioctl_parse_buffer() available as smb2cli_parse_dyn_buffer()

It will be used in smb2cli_read.c soon...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14607

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 1faf15b3d0f41fa8a94b76d1616a4460ce0c6fa4)

- - - - -
5b58f663 by Stefan Metzmacher at 2021-07-19T06:18:12+00:00
libcli/smb: allow unexpected padding in SMB2 READ responses

Make use of smb2cli_parse_dyn_buffer() in smb2cli_read_done()
as it was introduced exactly for a similar problem, see:

    commit 4c6c71e1378401d66bf2ed230544a75f7b04376f
    Author:     Stefan Metzmacher <metze at samba.org>
    AuthorDate: Thu Jan 14 17:32:15 2021 +0100
    Commit:     Volker Lendecke <vl at samba.org>
    CommitDate: Fri Jan 15 08:36:34 2021 +0000

        libcli/smb: allow unexpected padding in SMB2 IOCTL responses

        A NetApp Ontap 7.3.7 SMB server adds 8 padding bytes to an
        offset that's already 8 byte aligned.

        RN: Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7
        BUG: https://bugzilla.samba.org/show_bug.cgi?id=14607

        Pair-Programmed-With: Volker Lendecke <vl at samba.org>

        Signed-off-by: Stefan Metzmacher <metze at samba.org>
        Signed-off-by: Volker Lendecke <vl at samba.org>

        Autobuild-User(master): Volker Lendecke <vl at samba.org>
        Autobuild-Date(master): Fri Jan 15 08:36:34 UTC 2021 on sn-devel-184

RN: Work around special SMB2 READ response behavior of NetApp Ontap 7.3.7
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14607

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Thu Jul 15 23:53:55 UTC 2021 on sn-devel-184

(cherry picked from commit 155348cda65b441a6c4db1ed84dbf1682d02973c)

- - - - -
7ecf1650 by Ralph Boehme at 2021-07-19T06:18:12+00:00
smbtorture: verify attributes on fake quota file handle

The expected DOS attributes are taken from a Windows 2016 server. The expected
timestamps are what Samba has returned before commit 572d4e3a56eef00e29f9348:
NTTIME(0), ie no value.

The upcoming fix will restore this behaviour. Windows of course does
return *some* timestamps, but as it's neither documented nor was I able to
figure out where they would be coming from, as well as the Windows client apparently
doesn't care, I didn't bother with implementing some sophisticated heuristic to
return some timestamps.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14731

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 1e338d51602a7dca6108e5e8704f5cdde4740713)

- - - - -
a3dea8a0 by Ralph Boehme at 2021-07-19T06:18:12+00:00
smbd: handle fake file handles in dos_mode()

This ensures SMB requests on the quota fake file "$Extend/$Quota" don't hit the
VFS, where specifically in vfs_gpfs we log an error message if we fail to read
the DOS attributes for a file with

  vfs_gpfs_get_dos_attributes: Getting winattrs failed for $Extend/$Quota

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14731

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
97c6d6fe by Ralph Boehme at 2021-07-19T07:09:29+00:00
smbd: return correct timestamps for quota fake file

Prior to 572d4e3a56eef00e29f93482daa21647af7310d0 it was sufficient to
initialize struct timespec to zero to return NTTIME 0 (ie not set) over
SMB.

This fixes the same problem from bug 14714 where the timestamps in an SMB2 CLOSE
response.

Windows of course does return *some* timestamps, but as it's neither documented
nor was I able to figure out where they would be coming from, as well as the
Windows client apparently doesn't care, I didn't bother with implementing some
sophisticated heuristic to return some timestamps.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14731

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Wed Jun  9 20:38:02 UTC 2021 on sn-devel-184

(cherry picked from commit 52a421111218d94d2e5cb131648bcdf5411d910b)

Autobuild-User(v4-13-test): Karolin Seeger <kseeger at samba.org>
Autobuild-Date(v4-13-test): Mon Jul 19 07:09:29 UTC 2021 on sn-devel-184

- - - - -
aa64f02c by Andreas Schneider at 2021-08-09T13:45:32+00:00
configure: Do not put arguments into double quotes

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14777

This could create an issue that arguments don't get split by python and then the
following could happen:

    ./configure --libdir=/usr/lib64 --enable-clangdb

    LIBDIR='/usr/lib64 --enable-clangdb'

This then ends up in parameters.all.xml:

    <!ENTITY pathconfig.LIBDIR   '/usr/lib64 --enable-clangdb'>

The python parser then errors out:

    xml.etree.ElementTree.ParseError: not well-formed (invalid token)

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Tue Aug  3 18:36:37 UTC 2021 on sn-devel-184

(cherry picked from commit e2962b4262fc4a7197a3fcbd010fcfaca781baea)

Autobuild-User(v4-13-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-13-test): Mon Aug  9 13:45:32 UTC 2021 on sn-devel-184

- - - - -
7c9aabe2 by Jeremy Allison at 2021-08-17T10:30:21+00:00
s3: smbd: For FSCTL calls that go async, add the outstanding tevent_reqs to the aio list on the file handle.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14769
RN: smbd panic on force-close share during offload write

Back-ported from c013509680742ff45b2f5965a5564015da7d466b.

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>

Autobuild-User(v4-13-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-13-test): Tue Aug 17 10:30:21 UTC 2021 on sn-devel-184

- - - - -
23ce76e9 by Stefan Metzmacher at 2021-08-26T10:48:45+00:00
s3:libsmb: start encryption as soon as possible after the session setup

For the SMB1 UNIX CIFS extensions we create a temporary IPC$ tcon,
if there's no tcon yet.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14793

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

(similar to commit 21302649c46441ea325c66457294225ddb1d6235)

Autobuild-User(v4-13-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-13-test): Thu Aug 26 10:48:45 UTC 2021 on sn-devel-184

- - - - -
f25f3118 by Ralph Boehme at 2021-08-27T07:54:15+00:00
selftest: add a test for the "deadtime" parameter

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14783

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 39db53a1391769fc6476fa55b02add08f1b8cd75)

- - - - -
6be92d44 by Ralph Boehme at 2021-08-27T08:41:19+00:00
s3/rpc_server: track the number of policy handles with a talloc destructor

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14783
RN: smbd "deadtime" parameter doesn't work anymore

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Tue Aug 10 18:41:43 UTC 2021 on sn-devel-184

(cherry picked from commit 45a33b25c4e6b1db5d2dfa6297ccb390220a7c80)

Autobuild-User(v4-13-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-13-test): Fri Aug 27 08:41:19 UTC 2021 on sn-devel-184

- - - - -
16fc7a12 by Ralph Boehme at 2021-09-06T08:55:19+00:00
s3/lib/dbwrap: check if global_messaging_context() succeeded

The subsequent messaging_ctdb_connection() will fail an assert if messaging is
not up and running, maybe it's a bit better to add a check if
global_messaging_context() actually succeeded.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14787

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit fd19cae8d2f21977d8285efd3f29e2b480d241e9)

- - - - -
20ef0b16 by Ralph Boehme at 2021-09-06T10:16:27+00:00
registry: check for running as root in clustering mode

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14787
RN:  net conf list crashes when run as normal user

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>

Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Tue Aug 17 11:23:15 UTC 2021 on sn-devel-184

(cherry picked from commit 4809f4a6ee971bcd9767839c729b636b7582fc02)

Autobuild-User(v4-13-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-13-test): Mon Sep  6 10:16:27 UTC 2021 on sn-devel-184

- - - - -
14acad25 by Jule Anger at 2021-09-07T08:50:15+02:00
WHATSNEW: Add release notes for Samba 4.13.11.

Signed-off-by: Jule Anger <janger at samba.org>

- - - - -
2119f9f9 by Jule Anger at 2021-09-07T08:52:16+02:00
VERSION: Disable GIT_SNAPSHOT for the 4.13.11 release.

Signed-off-by: Jule Anger <janger at samba.org>

- - - - -
a7fe21a0 by Jule Anger at 2021-09-07T08:54:06+02:00
VERSION: Bump version up to Samba 4.13.12...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Jule Anger <janger at samba.org>

- - - - -
a69c7cb3 by Andrew Bartlett at 2021-09-10T14:14:09+00:00
selftest: Split up targets for samba_tool_drs from samba_tool_drs_showrepl

These now run in the disconnected sets schema_dc/schema_pair_dc and
ad_dc/vampire_dc/promoted_dc.  By aiming at different sets of servers
we can't cause cross-contamination in terms of which servers are
listed as outbound connections.

Also, by running the tests only once we reduce the chances of trouble
by half.

RN: Address flapping samba_tool_drs_showrepl test
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14818

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit e8b4599e0935290c5e59df9fd4f695ad8d6f361c)

- - - - -
49a15402 by Andrew Bartlett at 2021-09-10T14:14:09+00:00
selftest: Only run samba_tool_drs_showrepl test once

This test is not slow, but there is no value running it twice.

Running this test twice just increases the chances we might
lose a race as it shows and validates live replication data.

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 75a5ed66731e947fa16af81aab7649d1fddec45f)

- - - - -
02c40fd9 by Andrew Bartlett at 2021-09-10T14:14:09+00:00
dsdb: Be careful to avoid use of the expensive talloc_is_parent()

The wrong talloc API was selected while addressing a memory leak.

commit ee2fe56ba0ef6626b634376e8dc2185aa89f8c99
Author: Aaron Haslett <aaronhaslett at catalyst.net.nz>
Date:   Tue Nov 27 11:07:44 2018 +1300

    drepl: memory leak fix

    Fixes a memory leak where schema reference attached to ldb
    instance is lost before it can be freed.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14042

    Signed-off-by: Aaron Haslett <aaronhaslett at catalyst.net.nz>

    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>

    Autobuild-User(master): Garming Sam <garming at samba.org>
    Autobuild-Date(master): Wed Jul 17 06:17:10 UTC 2019 on sn-devel-184

By using talloc_get_parent() walking the entire talloc tree is
avoided.

RN: Address a significant performance regression in database access in the AD DC since Samba 4.12

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14806

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 8affe4a1e625104de4ca024fdc3e9cd96498aff3)

- - - - -
be4f4f4f by Andrew Bartlett at 2021-09-10T14:14:09+00:00
selftest: Add a test for LookupSids3 and LookupNames4 in python

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14807

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit b40761b42e889369599c5eb355028ba377c43b49)

- - - - -
33ef8947 by Andrew Bartlett at 2021-09-10T14:14:09+00:00
s4-lsa: Cache sam.ldb handle in lsa_LookupSids3/LookupNames4

Since 5c0345ea9bb34695dcd7be6c913748323bebe937 this
would not have been implicitly cached via the ldb_wrap
cache, due to the recording of the remote IP address
(which is a good thing).

This creates a more explicit and direct correct
cache on the connection.

The common code, including the SCHANNEL check is
placed into a helper function.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14807

RN: Fix performance regression in lsa_LookupSids3/LookupNames4 since Samba 4.9 by using an explicit database handle cache

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Sun Sep  5 03:19:26 UTC 2021 on sn-devel-184

(cherry picked from commit ae57d22e45b33537e9fca5969e9b68abd1ad633f)

- - - - -
4ada6c24 by Andrew Bartlett at 2021-09-10T15:09:48+00:00
selftest: Add prefix to new schema attributes to avoid flapping dsdb_schema_attributes

If two of these unit tests run in the same second they could
select the same name, as the name was only based on the time
and a common prefix.

As observed by Jeremy Allison.  Thanks for the report!

RN: Address flapping dsdb_schema_attributes test

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14819

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Mon Sep  6 02:32:51 UTC 2021 on sn-devel-184

(cherry picked from commit 6590bb0b77c641f0d4686b39c713c1405ffb64f5)

Autobuild-User(v4-13-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-13-test): Fri Sep 10 15:09:48 UTC 2021 on sn-devel-184

- - - - -
76f8dffb by Martin Schwenke at 2021-09-13T13:15:15+00:00
ctdb-recoverd: Add a helper variable

Improves readability and simplifies subsequent changes.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14784
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
(cherry picked from commit 82a075d4d734588a42fca7ebaf529892d1eba853)

- - - - -
e93c8854 by Martin Schwenke at 2021-09-13T13:15:15+00:00
ctdb-recoverd: Update the local node map before pushing out flags

The resulting code structure looks a little weird.  However, there is
another condition that requires the flags to be pushed that will be
inserted before the continue statement in a subsequent commit.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14784
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
(cherry picked from commit 620d07871420cdbfa055c1ace75ec1ac4c32721d)

- - - - -
74aa5b20 by Martin Schwenke at 2021-09-13T13:15:15+00:00
ctdb-recoverd: Push flags for a node if any remote node disagrees

This will usually happen if flags on the node in question change, so
keeping the code simple and pushing to all nodes won't hurt.  When all
nodes come up there might be differences in connected nodes, causing
such "fix ups".  Receiving nodes will ignore no-op pushes.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14784
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
(cherry picked from commit 8305f6a7f132f03b0bbdb26692b7491fd3f6c24f)

- - - - -
ac8bbe2d by Martin Schwenke at 2021-09-13T13:15:15+00:00
ctdb-protocol: Add new controls to disable and enable nodes

These are CTDB_CONTROL_DISABLE_NODE and CTDB_CONTROL_ENABLE_NODE.

For consistency these match CTDB_CONTROL_STOP_NODE and
CTDB_CONTROL_CONTINUE_NODE.  It would be possible to add a single
control but it would need to take data.

The aim is to finally fix races in flag handling.  Previous fixes have
improved the situation but they have only narrowed the race window.
The problem is that the recovery daemon on the master node pushes
flags to nodes the same way that disable and enable are implemented.
So the following sequence is still racy:

1. Node A is disabled
2. Recovery master pulls flags from all nodes including A
3. Node A is enabled
4. Recovery master notices A is disabled and pushes a flag update to
   all nodes including node A
5. Node A is erroneously marked disabled

Node A can not tell if the MODIFY_FLAGS control is from a "ctdb
disable" command or a flag update from the recovery master.

The solution is to use a different mechanism for disable/enable and
for a node to ignore MODIFY_FLAGS controls for their own flags.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14784
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
(cherry picked from commit 49dc5d8cd2d3767044ac69cbd25c8210d11cadf7)
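
The five-step sequence in the commit message above, replayed as a small two-node model, with one later recovery-master pass added to show the remaining stale view being corrected. This is an added example, not CTDB code: the structures, function names and the flag bit value are constructed for illustration, and only the roles of MODIFY_FLAGS, DISABLE_NODE and ENABLE_NODE come from the commit message.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define NUM_NODES 2
#define NODE_A 0
#define NODE_B 1
#define FLAG_DISABLED 0x1u /* constructed bit value, not from CTDB headers */

/* Model controls; names mirror the roles described in the commit message. */
enum control { CTL_MODIFY_FLAGS, CTL_DISABLE_NODE, CTL_ENABLE_NODE };

struct node {
    uint32_t pnn;
    uint32_t view[NUM_NODES]; /* this node's idea of every node's flags */
    bool fixed;               /* true: behaviour after the patch series */
};

static void handle_control(struct node *n, enum control c,
                           uint32_t target, uint32_t flags)
{
    switch (c) {
    case CTL_DISABLE_NODE:
        n->view[n->pnn] |= FLAG_DISABLED;
        break;
    case CTL_ENABLE_NODE:
        n->view[n->pnn] &= ~FLAG_DISABLED;
        break;
    case CTL_MODIFY_FLAGS:
        /* After the fix a node ignores MODIFY_FLAGS for its own flags. */
        if (n->fixed && target == n->pnn) {
            break;
        }
        n->view[target] = flags;
        break;
    }
}

/* "ctdb disable" / "ctdb enable" issued by an administrator on node n. */
static void admin_set_disabled(struct node *n, bool disabled)
{
    if (n->fixed) {
        handle_control(n, disabled ? CTL_DISABLE_NODE : CTL_ENABLE_NODE,
                       n->pnn, 0);
        return;
    }
    /* Before the fix: same control the recovery master uses to push. */
    uint32_t f = n->view[n->pnn];
    f = disabled ? (f | FLAG_DISABLED) : (f & ~FLAG_DISABLED);
    handle_control(n, CTL_MODIFY_FLAGS, n->pnn, f);
}

/* Recovery master pushes one node's flags to every node. */
static void recmaster_push(struct node nodes[], uint32_t target, uint32_t flags)
{
    for (int i = 0; i < NUM_NODES; i++) {
        handle_control(&nodes[i], CTL_MODIFY_FLAGS, target, flags);
    }
}

struct outcome {
    uint32_t a_own;       /* node A's own flags at the end */
    uint32_t b_view_of_a; /* what node B believes about A at the end */
};

static struct outcome replay_race(bool fixed)
{
    struct node nodes[NUM_NODES] = {
        { .pnn = NODE_A, .fixed = fixed },
        { .pnn = NODE_B, .fixed = fixed },
    };

    admin_set_disabled(&nodes[NODE_A], true);       /* 1. A is disabled   */
    uint32_t pulled = nodes[NODE_A].view[NODE_A];   /* 2. master pulls    */
    admin_set_disabled(&nodes[NODE_A], false);      /* 3. A is enabled    */
    if (pulled & FLAG_DISABLED) {                   /* 4. stale push      */
        recmaster_push(nodes, NODE_A, pulled);
    }

    /* Later pass: fetch A's canonical flags, push if a node disagrees. */
    uint32_t canonical = nodes[NODE_A].view[NODE_A];
    if (nodes[NODE_B].view[NODE_A] != canonical) {
        recmaster_push(nodes, NODE_A, canonical);
    }

    return (struct outcome){ nodes[NODE_A].view[NODE_A],
                             nodes[NODE_B].view[NODE_A] };
}

int main(void)
{
    struct outcome before = replay_race(false);
    struct outcome after = replay_race(true);
    printf("before fix: A=0x%x, B's view of A=0x%x\n",
           (unsigned)before.a_own, (unsigned)before.b_view_of_a);
    printf("after fix:  A=0x%x, B's view of A=0x%x\n",
           (unsigned)after.a_own, (unsigned)after.b_view_of_a);
    return 0;
}
```

In the unfixed model the stale push overwrites node A's own state, so every node agrees on the wrong answer and nothing corrects it; in the fixed model node A stays authoritative for its own flags and the next pass repairs node B's view.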

- - - - -
3d797b57 by Martin Schwenke at 2021-09-13T13:15:15+00:00
ctdb-protocol: Add marshalling for controls DISABLE_NODE/ENABLE_NODE

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14784
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
(cherry picked from commit 6845dca87e6ffc5e449fb78d23eb9c7a22698b80)

- - - - -
e3578ea2 by Martin Schwenke at 2021-09-13T13:15:15+00:00
ctdb-daemon: Add a helper variable

Simplifies a subsequent change.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14784
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
(cherry picked from commit e0a7b5a9e866452b1faaed86a105492fe7b237e2)

- - - - -
65f9b552 by Martin Schwenke at 2021-09-13T13:15:15+00:00
ctdb-daemon: Factor out a function to get node structure from PNN

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14784
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
(cherry picked from commit 1ac7bc7532b2fad791d0e53effa7c64cdc73c4eb)

- - - - -
7aac8fd9 by Martin Schwenke at 2021-09-13T13:15:15+00:00
ctdb-daemon: Start as disabled means PERMANENTLY_DISABLED

DISABLED is UNHEALTHY | PERMANENTLY_DISABLED, which is not what is
intended here.  Luckily, it doesn't do any harm because nodes are
marked unhealthy at startup anyway.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14784
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
(cherry picked from commit 60c1ef146538d90f97b7823459f7548ca5fa6dd3)

- - - - -
ce58aefb by Martin Schwenke at 2021-09-13T13:15:15+00:00
ctdb_daemon: Implement controls DISABLE_NODE/ENABLE_NODE

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14784
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
(cherry picked from commit 15a6489c288b3adb635a728cb2049621ab1a07f7)

- - - - -
75b8b5de by Martin Schwenke at 2021-09-13T13:15:15+00:00
ctdb-client: Add client code for disable/enable controls

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14784
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
(cherry picked from commit 6fe6a54e7f32e650be6ab36041159081dbde5165)

- - - - -
c89f3081 by Martin Schwenke at 2021-09-13T13:15:15+00:00
ctdb-tools: Use disable and enable controls in tool

Note that there is a change from broadcast to a directed control here.
This is OK because the recovery master will push flags if any nodes
disagree with the canonical flags fetched from a node.

Static function ctdb_ctrl_modflags() is no longer used so drop it.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14784
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
(cherry picked from commit 5914054698dab934fd4db5efb9d211b2fdc40bb9)

- - - - -
85372296 by Martin Schwenke at 2021-09-13T13:15:15+00:00
ctdb-daemon: Correct the condition for logging unchanged flags

Don't trust the old flags from the recovery master.

Surrounding code will change in future comments, including the use of
old-style debug macros, so just make this change clear.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14784
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
(cherry picked from commit eec44e286250a6ee7b5c42d85d632bdc300a409f)

- - - - -
3d2313dc by Martin Schwenke at 2021-09-13T13:15:15+00:00
ctdb-daemon: Update logging for flag changes

When flags change, promote the message to NOTICE level and switch the
message to the style that is currently generated by
ctdb-recoverd.c:monitor_handler().  This will allow monitor_handler()
to go away in future.

Drop logging when flags do not change.  The recovery master now logs
when it pushes flags for a node, so the lack of a corresponding
"changed flags" message here indicates that no update was required.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14784
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
(cherry picked from commit b6d25d079e30919457cacbfbbfd670bf88295a9c)

- - - - -
c4d7ed5e by Martin Schwenke at 2021-09-13T13:15:15+00:00
ctdb-daemon: Modernise remaining debug macro in this function

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14784
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
(cherry picked from commit 0132bd5a2233193256af434a37506f86ed62c075)

- - - - -
7c4daa7f by Martin Schwenke at 2021-09-13T13:15:15+00:00
ctdb-daemon: Don't bother sending CTDB_SRVID_SET_NODE_FLAGS

The code that handles this message is
ctdb_recoverd.c:monitor_handler().  Although it appears to do
something potentially useful, it only logs the flags changes.  All
changes made are to local structures - there are no actual
side-effects.

It used to trigger a takeover run when the DISABLED flag changed.
This was dropped back in commit
662f06de9fdce7b1bc1772a4fbe43de271564917.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14784
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
(cherry picked from commit e75256767fffc6a7ac0b97e58737a39c63c8b187)

- - - - -
3ab6be4f by Martin Schwenke at 2021-09-13T13:15:15+00:00
ctdb-recoverd: Mark CTDB_SRVID_SET_NODE_FLAGS obsolete

CTDB_SRVID_SET_NODE_FLAGS is no longer sent so drop monitor_handler()
and replace with srvid_not_implemented().  Mark the SRVID obsolete in
its comment.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14784
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
(cherry picked from commit 916c5ee131dc5c7f1d9c3540147d1f915c8302ad)

- - - - -
cc3ce341 by Martin Schwenke at 2021-09-13T13:15:15+00:00
ctdb-daemon: Simplify ctdb_control_modflags()

Now that there are separate disable/enable controls used by the ctdb
tool this control can ignore any flag updates for the current nodes.
These only come from the recovery master, which depends on being able
to fetch flags for all nodes.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14784
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
(cherry picked from commit ae10a8a4b70e53ea3be6257d1f86f2d9a56aa62a)

- - - - -
479fc4fe by Martin Schwenke at 2021-09-13T13:15:15+00:00
ctdb-daemon: Ignore flag changes for disconnected nodes

If this node is not connected to a node then we shouldn't know
anything about it.  The state will be pushed later by the recovery
master.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14784
Signed-off-by: Martin Schwenke <martin at meltin.net>
Signed-off-by: Amitay Isaacs <amitay at gmail.com>
(cherry picked from commit 7f697b1938efb3972f03f25546bf807d5af9a26c)

- - - - -
cea68cbf by Martin Schwenke at 2021-09-13T14:13:00+00:00
ctdb-daemon: Don't mark a node as unhealthy when connecting to it

Remote nodes are already initialised as UNHEALTHY when the node list
is initialised at startup (ctdb_load_nodes_file() calls
convert_node_map_to_list()) and when disconnected (ctdb_node_dead()).
So, drop this code.

RN: Fix CTDB flag/status update race conditions
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14784
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>

Autobuild-User(master): Amitay Isaacs <amitay at samba.org>
Autobuild-Date(master): Thu Sep  9 02:38:34 UTC 2021 on sn-devel-184

(cherry picked from commit 9e7d2d9794af7251c42cb22f23ee9f86c6ea05c1)

Autobuild-User(v4-13-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-13-test): Mon Sep 13 14:13:00 UTC 2021 on sn-devel-184

- - - - -
44841d2b by Gary Lockyer at 2021-09-16T08:07:11+00:00
selftest: add mit kdc specific known fail

Add a MIT kerberos specific known fail, will be needed by subsequent
commits.

Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 04248f5e868d38498bdc8f9705c9a60fcfe79c09)

- - - - -
71f30ca2 by Gary Lockyer at 2021-09-16T08:07:11+00:00
tests python krb5: Make PrincipalName_create a class method

Make PrincipalName_create a class method, so it can be used in helper
classes.

Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit b14dca7c1c063e069517ff01b33c63a000d398c3)

- - - - -
8536b5f4 by Gary Lockyer at 2021-09-16T08:07:11+00:00
tests python krb5: Add canonicalize flag to ASN1

Add the canonicalize flag to KerberosFlags, so that it can be used in
python based canonicalization tests.

Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 41c8aa4b991aad306d731b08d068c480eb5c7fed)

- - - - -
ca83a606 by Gary Lockyer at 2021-09-16T08:07:11+00:00
tests python krb5: Add python kerberos canonicalization tests

Add python canonicalization tests, loosely based on the code in
source4/torture/krb5/kdc-canon-heimdal.c.  The long term goal is to move
the integration level tests out of kdc-canon-heimdal, leaving it as a
heimdal library unit test.

Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 005435dc4d7de9d442c7513edec8c782fe20fda3)

- - - - -
d7ebc3b7 by Andrew Bartlett at 2021-09-16T08:07:11+00:00
selftest: Send enterprise principals tagged as such

This test passed against Samba but failed against Windows when
an enterprise principal (user@domain.com@REALM) was encoded as
NT_PRINCIPAL.

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit d7f731ed3577b407370d8fe7a62b4c3ee2dd9c75)

- - - - -
d08faae8 by Andrew Bartlett at 2021-09-16T08:07:11+00:00
selftest: Fix flipped machine and user constants

This naturally does not change the test, but reduces developer
confusion.

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 579a3c641c72b65f6ba39141a55c765b517bd7f8)

- - - - -
0242419a by Andrew Bartlett at 2021-09-16T08:07:11+00:00
selftest: Make as_canonicalization_tests.py easier to run outside "make test"

This takes the realm from the LDAP base DN and so avoids one
easy mistake to make.  So far the NT4 domain name is not
auto-detected, so must be read from the smb.conf.

By using .guess() the smb.conf is read for the unspecified
parts (eg workstation for an NTLM login to the LDAP server if
the target server is an IP address).

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit d85e71f449037fa035fa2fae6b64caf695c53cb3)

- - - - -
a0705210 by Andrew Bartlett at 2021-09-16T08:07:11+00:00
samdb: Add samdb.domain_netbios_name()

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817

[abartlet at samba.org: Backported from commit
d79218dbba3d0f26d6a0e22b3c91b0731bf641dd as this backport
to Samba 4.13 does not include 07ce48088824bba2054e029edfa6fbae972c1921
(samba-tool: Create unix user with modified template homedir)]

- - - - -
657dde3b by Andrew Bartlett at 2021-09-16T08:07:11+00:00
selftest: Make as_canonicalization_tests.py auto-detect the NT4 domain name

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 2693f12fbe321e0f4932b1f74d7006dbac140e8e)

- - - - -
08a296f9 by Andrew Bartlett at 2021-09-16T08:07:11+00:00
selftest: Fix formatting of failure (traceback and options swapped in format string)

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit ab8c0a181bebe17a597af49790f6e7b17e13c29b)

- - - - -
ed2c276f by Andrew Bartlett at 2021-09-16T08:07:11+00:00
selftest: Add in encrypted-pa-data from RFC 6806

This comes from Windows 2019 which supports FAST.

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit fc77ece0e2b5fd324809e17a9b208cc7854cee4b)

- - - - -
d8105392 by Andrew Bartlett at 2021-09-16T08:07:11+00:00
selftest: Windows 2019 implements the RemoveDollar behaviour for Enterprise principals

This is documented in MS-KILE.

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817

Autobuild-User(master): Gary Lockyer <gary at samba.org>
Autobuild-Date(master): Wed Nov 11 02:38:46 UTC 2020 on sn-devel-184

(cherry picked from commit f214a3ba5a3e9f129f10062392ae03edd62d8186)

- - - - -
a1420573 by Gary Lockyer at 2021-09-16T08:07:11+00:00
selftest: add heimdal kdc specific known fail

Add a heimdal kerberos specific known fail, will be needed by subsequent
commits.

Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 5cb5134377f099353e0f91c44cc11e45d548d40f)

- - - - -
fb05f155 by Gary Lockyer at 2021-09-16T08:07:11+00:00
tests python krb5: Add python kerberos compatibility tests

Add new python test to document the differences between the MIT and
Heimdal Kerberos implementations.

Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 1e1d8b9c83f32c06ecab31214a20b77529ee038e)

- - - - -
8610d037 by Gary Lockyer at 2021-09-16T08:07:11+00:00
tests python krb5: Add constants module

Extract the constants used in the tests into a separate module.
To reduce code duplication

Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 532c941fbb8fc5fc5da4aa2d0e170229076e9aa7)

- - - - -
1543efae by Gary Lockyer at 2021-09-16T08:07:11+00:00
tests python krb5: Refactor canonicalization test constants

Modify tests to use the constants defined in rfc4120_constants.py

Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 97b830cbcac53fcf49bbcd272812d1ba019bac51)

- - - - -
7858fd17 by Gary Lockyer at 2021-09-16T08:07:11+00:00
tests python krb5: Refactor compatibility test constants

Modify tests to use the constants defined in rfc4120_constants.py

Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 82a413f48b7ef71feb68fc34f7ca753d45eb8974)

- - - - -
ab09ca1b by Gary Lockyer at 2021-09-16T08:07:11+00:00
tests python krb5: raw_testcase permit RC4 salts

MIT kerberos returns a salt when ARCFOUR_HMAC_MD5, this commit removes
the check that a salt is not returned.  A test for the difference
between MIT and Heimdal will be added in the subsequent commits.

Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 1bab87c50baf0fecb5d4cd09e1a9896730c6377e)

- - - - -
82d2ce2a by Gary Lockyer at 2021-09-16T08:07:11+00:00
tests python krb5: Convert kdc-heimdal to python

Implement the tests in source4/torture/krb5/kdc-heimdal.c in python.
The following tests were not re-implemented as they are client side
tests for the "Orpheus Lyre" attack:
       TORTURE_KRB5_TEST_CHANGE_SERVER_OUT
       TORTURE_KRB5_TEST_CHANGE_SERVER_IN
       TORTURE_KRB5_TEST_CHANGE_SERVER_BOTH

Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit a00a1c9745033dae05eee17cfa4e2c5354a81e68)

- - - - -
f79c7c32 by Gary Lockyer at 2021-09-16T08:07:11+00:00
tests python krb5: refactor compatibility tests

Refactor to aid the adding of tests for the inclusion of a salt when
ARCFOUR_HMAC_MD5 encryption selected

Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit d492355f293e2da400318665035b056dfaba852c)

- - - - -
f719d74e by Gary Lockyer at 2021-09-16T08:07:11+00:00
tests python krb5: add arcfour salt tests

MIT kerberos returns a salt when ARCFOUR_HMAC_MD5 encryption selected,
Heimdal does not.

Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817

Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Thu Nov 12 22:54:22 UTC 2020 on sn-devel-184

(cherry picked from commit 2ba6d596ff0a3580eca9285fd83569bcb147ce77)

- - - - -
bde787c8 by Gary Lockyer at 2021-09-16T08:07:11+00:00
tests python krb5: Extra canonicalization tests

Add tests that set the server name to the client name for the machine
account in the kerberos AS_REQ.  This replicates the TEST_AS_REQ_SELF
test phase in source4/torture/krb5/kdc-canon-heimdal.c.

Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817

Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Mon Nov 30 05:21:42 UTC 2020 on sn-devel-184

(cherry picked from commit 7f7e2b0e1e17321d800de787098bb2b2c8259ecd)

- - - - -
c8f1511e by Gary Lockyer at 2021-09-16T08:07:11+00:00
tests python krb5: Add Authorization data ad-type constants

Add constants for the Authorization Data Type values.
RFC 4120 7.5.4.  Authorization Data Types

Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit d74c9dcf3aaa613abfac49288f427484468bf6e1)

- - - - -
81923ea8 by Gary Lockyer at 2021-09-16T08:07:11+00:00
tests python krb5: add test base class

Add a base class for the KDC tests to reduce the amount of code
duplication in the tests.

Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 0f232ed42fb2671d025643cafb19891373562e4a)

- - - - -
f38ba415 by Gary Lockyer at 2021-09-16T08:07:11+00:00
tests python krb5: initial TGS tests

Initial tests on the KDC TGS

Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 1ed461a142f68f5de5e21b873ebddfcf5ae0ca1e)

- - - - -
d9f914d0 by Gary Lockyer at 2021-09-16T08:07:11+00:00
tests python krb5: Add key usage constants

Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit d8ed73b75ad67da99be392b2db18fe2e1ffed87f)

- - - - -
03e4bbb8 by Gary Lockyer at 2021-09-16T08:07:11+00:00
tests python krb5: use key usage constants

Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 03676a4a5c55ab5f4958a86cbd4d7be0f0a8a294)

- - - - -
28dee15e by Gary Lockyer at 2021-09-16T08:07:11+00:00
tests python krb5: PEP8 cleanups

Fix all the PEP8 warnings in samba/tests/krb5. With the exception of
rfc4120_pyasn1.py, which is generated from rfc4120.asn1.

As these tests are new, it makes sense to ensure that they conform to
PEP8. And set an aspirational goal for the rest of our python code.

Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817

Autobuild-User(master): Gary Lockyer <gary at samba.org>
Autobuild-Date(master): Mon Dec 21 21:29:28 UTC 2020 on sn-devel-184

(cherry picked from commit c00d537526ca881c540ff66e703ad9c96dd1face)

- - - - -
9e0cf555 by Volker Lendecke at 2021-09-16T08:07:11+00:00
librpc: Add py_descriptor_richcmp() equality function

Only a python3 version. Do we still need the python2 flavor?

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 439b7ccdc1b1c91c66c1a7c83e340fa044c26377)

- - - - -
1748470c by Gary Lockyer at 2021-09-16T08:07:11+00:00
tests python krb5: MS-KILE client principal look-up

Tests of [MS-KILE]: Kerberos Protocol Extensions
                    section 3.3.5.6.1 Client Principal Lookup

Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817

Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Mon Apr 12 00:38:26 UTC 2021 on sn-devel-184

(cherry picked from commit 768d48fca9f8c7527c0d12e7acc8942b5fd36ac2)

- - - - -
427185f8 by Joseph Sutton at 2021-09-16T08:07:11+00:00
auth:creds: Remove unused variable

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 1ea2de561839ad948efab5112fbe4c1eae44d9ee)

- - - - -
522ebd8e by Joseph Sutton at 2021-09-16T08:07:11+00:00
auth:creds: Fix parameter in creds.set_named_ccache()

Use the passed-in value for 'obtained' rather than always using
CRED_SPECIFIED.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 2d05268aa0904221c452fc650fcdfb680efc20bb)

- - - - -
1854fc55 by Joseph Sutton at 2021-09-16T08:07:11+00:00
pygensec: Fix method documentation

This changes the docstrings to use the correct method names.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 50ade4cadc766a196316fd5c5a57f8c502f0ea22)

- - - - -
a47b37c1 by Joseph Sutton at 2021-09-16T08:07:11+00:00
Revert "s4-test: fixed ndrdump test for top level build"

This essentially reverts commit
b84c0a9ed6d556eb2d3797d606edcd03f9766606, but the datapath is now in the
source4 directory.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 6f144d49b5281a08bf7be550b949f4d91e8fe19b)

- - - - -
38d622f3 by Joseph Sutton at 2021-09-16T08:07:11+00:00
krb5ccache.idl: Add definition for a Kerberos credentials cache

Based on specifications found at
https://web.mit.edu/kerberos/krb5-devel/doc/formats/ccache_file_format.html

This is primarily designed for parsing and storing a single Kerberos
ticket, due to the limitations of PIDL.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 74fb2cc473cea0eebf641fc4d32d706bac8aa6f2)

- - - - -
98727cd6 by Joseph Sutton at 2021-09-16T08:07:11+00:00
librpc: Test parsing a Kerberos 5 credentials cache with ndrdump

This is the format used by the FILE: credentials cache type.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 1f17b1edca9c1638ef404fadce3ca7a4d176de12)

- - - - -
02bfb9e2 by Joseph Sutton at 2021-09-16T08:07:11+00:00
krb5: Add Python functions to create a credentials cache containing a service ticket

This is a FILE: format credentials cache readable by the MIT/Heimdal
Kerberos libraries. This allows us to glue the Python ASN1 Kerberos
system to the MIT/Heimdal one.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 2d88a6ff3dbcf650b09ef9c8c37170ca6663b533)

- - - - -
848458d1 by Joseph Sutton at 2021-09-16T08:07:11+00:00
python: Add credentials cache test

Test that we can use a credentials cache with a user's service ticket
obtained with our Python code to connect to a service using the normal
credentials system backed on to MIT/Heimdal Kerberos 5 libraries. This
will allow us to validate the output of the MIT/Heimdal libraries in the
future.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit c15f26ec40860782b22e862f9bdf665745387718)

- - - - -
bb9ff0e1 by Joseph Sutton at 2021-09-16T08:07:11+00:00
python: Add LDAP credentials cache test

Test that we can use a credentials cache with a user's service ticket
obtained with our Python code to connect to a service through LDAP.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 7663b5c37fa3413f7c67c018107322494e4a6fd9)

- - - - -
c40a90d7 by Joseph Sutton at 2021-09-16T08:07:11+00:00
python: Add RPC credentials cache test

Test that we can use a credentials cache with a user's service ticket
obtained with our Python code to connect to a service through RPC.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 072451a033da07c0cdaa005dd1020ef1c7951e99)

- - - - -
8e70f0c1 by Joseph Sutton at 2021-09-16T08:07:11+00:00
Revert "libsmb: Use sid_parse()"

This reverts commit afd5d34f5e1d13ba88448b3b94d353aa8361d1a9.

This code originally used ndr_pull_struct_blob() to pull one SID from a
buffer potentially containing multiple SIDs. When this was changed to
use sid_parse(), it was now attempting to parse the whole buffer as a
single SID with ndr_pull_struct_blob_all(), which would cause it to fail
if more than one SID was present.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 2b487890d946df88abce67c3d07d74559f70f069)

- - - - -
1a3cc9a4 by Joseph Sutton at 2021-09-16T08:07:11+00:00
libsmb: Remove overflow check

Pointer overflow is undefined, so this check does not accomplish
anything.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit db5b34c7682e36630908356cf674fddd18d8fa1f)

- - - - -
e80ad4c0 by Joseph Sutton at 2021-09-16T08:07:11+00:00
libsmb: Avoid undefined behaviour when parsing whoami state

If num_gids is such that the gids array would overflow the rdata buffer,
'p + 8' could produce a result pointing outside the buffer, and thus
result in undefined behaviour. To avoid this, we check num_gids against
the size of the buffer beforehand.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 9d8aeed33d8edf7a5dc96dbe35e4e164e2baeeeb)

- - - - -
1208a4dc by Joseph Sutton at 2021-09-16T08:07:11+00:00
libsmb: Check to see that whoami is not receiving more data than it requested

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 9e414233c84d2f2fa4a9415be9ee975eca8b9bfd)

- - - - -
d75226b9 by Joseph Sutton at 2021-09-16T08:07:11+00:00
libsmb: Ensure that whoami parses all the data provided to it

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 9b96ebea5c6966b096cf1100a0895a9c41f2aa1d)
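
Added example (not code from these commits or from Samba): a C sketch of the parsing rules described in the four libsmb commit messages above, that is, pulling one SID at a time from a buffer that holds several, checking num_gids against the buffer size instead of comparing pointers, rejecting a reply larger than was requested, and requiring that every byte is parsed. The reply layout, the function and constant names, and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed, simplified reply layout (an assumption, not Samba's format):
 *   num_gids (LE32) | num_sids (LE32) | num_gids * 8-byte gid | SIDs back to back
 * Each SID: revision (1), sub-authority count (1), authority (6),
 * then count * 4-byte sub-authorities. */
#define HDR_LEN      8u
#define GID_LEN      8u
#define SID_FIXED    8u
#define SID_MAX_SUBS 15u

enum { ERR_OVERSIZED = -1, ERR_TRUNCATED = -2, ERR_BAD_SID = -3, ERR_TRAILING = -4 };

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Pull ONE SID from the front of buf and report how many bytes it used
 * (0 on error). Bytes after it are left for the caller: the next SID. */
size_t sid_pull_one(const uint8_t *buf, size_t len)
{
    if (len < SID_FIXED || buf[0] != 1 || buf[1] > SID_MAX_SUBS)
        return 0;
    size_t need = SID_FIXED + 4u * (size_t)buf[1];
    return need <= len ? need : 0;
}

/* "Parse all" semantics: succeeds only if buf is exactly one SID, so it
 * rejects a buffer that holds several SIDs. */
int sid_parse_all(const uint8_t *buf, size_t len)
{
    size_t used = sid_pull_one(buf, len);
    return used != 0 && used == len;
}

/* Returns the number of SIDs parsed, or a negative ERR_* code. */
int64_t whoami_parse(const uint8_t *rdata, size_t rdata_len, size_t max_rdata)
{
    if (rdata_len > max_rdata)      /* more data than was requested */
        return ERR_OVERSIZED;
    if (rdata_len < HDR_LEN)
        return ERR_TRUNCATED;

    uint32_t num_gids = le32(rdata);
    uint32_t num_sids = le32(rdata + 4);
    size_t off = HDR_LEN;

    /* Do not compute rdata + off + 8 * num_gids and compare pointers:
     * forming a pointer more than one past the end of the buffer is
     * undefined, so the compiler may drop such a test. Compare the count
     * with the bytes that remain; the division cannot overflow. */
    if (num_gids > (rdata_len - off) / GID_LEN)
        return ERR_TRUNCATED;
    off += (size_t)num_gids * GID_LEN;

    for (uint32_t i = 0; i < num_sids; i++) {
        size_t used = sid_pull_one(rdata + off, rdata_len - off);
        if (used == 0)
            return ERR_BAD_SID;
        off += used;
    }
    if (off != rdata_len)           /* unparsed bytes left over */
        return ERR_TRAILING;
    return (int64_t)num_sids;
}

/* Constructed sample replies. */
const uint8_t SAMPLE_REPLY[] = {
    2, 0, 0, 0,   2, 0, 0, 0,                   /* 2 gids, 2 SIDs */
    0xe8, 0x03, 0, 0, 0, 0, 0, 0,               /* gid 1000 */
    0xe9, 0x03, 0, 0, 0, 0, 0, 0,               /* gid 1001 */
    1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 0x20, 0x02, 0, 0, /* S-1-5-32-544 */
    1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0          /* S-1-1-0 */
};
const uint8_t HUGE_COUNT_REPLY[] = {            /* num_gids = 0xffffffff */
    0xff, 0xff, 0xff, 0xff, 0, 0, 0, 0, 1, 2, 3, 4, 5, 6, 7, 8
};
const uint8_t TRAILING_REPLY[] = { 0, 0, 0, 0, 0, 0, 0, 0, 0xaa };

int main(void)
{
    const uint8_t *sids = SAMPLE_REPLY + HDR_LEN + 2 * GID_LEN;
    size_t sids_len = sizeof(SAMPLE_REPLY) - HDR_LEN - 2 * GID_LEN;

    printf("pull one SID from two: %zu bytes used\n", sid_pull_one(sids, sids_len));
    printf("parse-all on two SIDs: %d\n", sid_parse_all(sids, sids_len));
    printf("sample reply:     %lld\n",
           (long long)whoami_parse(SAMPLE_REPLY, sizeof(SAMPLE_REPLY), 1024));
    printf("huge num_gids:    %lld\n",
           (long long)whoami_parse(HUGE_COUNT_REPLY, sizeof(HUGE_COUNT_REPLY), 1024));
    printf("trailing byte:    %lld\n",
           (long long)whoami_parse(TRAILING_REPLY, sizeof(TRAILING_REPLY), 1024));
    printf("over the request: %lld\n",
           (long long)whoami_parse(SAMPLE_REPLY, sizeof(SAMPLE_REPLY), 16));
    return 0;
}
```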

- - - - -
ff4d3973 by Joseph Sutton at 2021-09-16T08:07:11+00:00
pylibsmb: Add posix_whoami()

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817

[abartlet at samba.org backport from commit
482559436f12a85adb3409433aac3ab06baa82b1 as the 4.13 backport
doesn't have earlier pylibsmb changes including
752a8f870de2bb087802a1287d7fb6c7624ac631
(s3:pylibsmb: remove unused SECINFO_DEFAULT_FLAGS)]

- - - - -
b32c1932 by Joseph Sutton at 2021-09-16T08:07:11+00:00
python: Add SMB credentials cache test

Test that we can use a credentials cache with a user's service ticket
obtained with our Python code to connect to a service through SMB.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 78a0b57b51642df07deed8aeb6e39e608fafda60)

- - - - -
73bba60d by Joseph Sutton at 2021-09-16T08:07:11+00:00
python: Ensure reference counts are properly incremented

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 290c1dc0975867a71c02e911708323d1f38b6f96)

- - - - -
9bf0f33a by Joseph Sutton at 2021-09-16T08:07:11+00:00
python: Fix erroneous increments of reference counts

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 66695f0f94775c4db24fb625fe78ff44d964b5ad)

- - - - -
3a586a81 by Joseph Sutton at 2021-09-16T08:07:11+00:00
python: Fix ticket timestamp conversion when local timezone is not UTC

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit b9006f33343ba8bb82ef8ffe1fd90c780961b41e)

- - - - -
8737c731 by Joseph Sutton at 2021-09-16T08:07:11+00:00
python: Make credentials cache test run against Windows

Windows, unlike Samba, requires the service principal name to be set
when requesting a ticket to that service.

Additionally, default_realm from the libdefaults section of krb5.conf
should be set so that the correct realm is used.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817

Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Wed May 19 02:22:01 UTC 2021 on sn-devel-184

(cherry picked from commit 7791acb074b84ec7b571a81f15b56d33e2214ce9)

- - - - -
019b77db by Stefan Metzmacher at 2021-09-16T08:07:11+00:00
auth/credentials: allow credentials.Credentials to act as base class

In tests it's useful to add more details.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 1f413b2b2977687884781ca2399dadf6611ab461)

- - - - -
9d32cb48 by Stefan Metzmacher at 2021-09-16T08:07:11+00:00
Rename python/samba/tests/krb5/{rfc4120_pyasn1_regen.sh => pyasn1_regen.sh}

This is a clearer name for the script

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit fef08add9ec324fb0c3902e96c2a91c07646d499)

- - - - -
a83ea43c by Stefan Metzmacher at 2021-09-16T08:07:11+00:00
tests/krb5/rfc4120.asn1: Improve definitions to allow expanded testing

Update and re-generate the ASN.1 to allow an improved testsuite.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit d4492a8aaaf70cbe81af7e6703b4ea9fc1f24162)

- - - - -
ce264474 by Stefan Metzmacher at 2021-09-16T08:07:11+00:00
tests/krb5/raw_testcase.py: Add get_{client,server,krbtgt}_creds()

These helpful functions allow us to build the various credentials
that we will use in validating the KDC responses in this test.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit c3222870b92db7f867557c2896b7bf39915d469a)

- - - - -
5e69e2d7 by Stefan Metzmacher at 2021-09-16T08:07:11+00:00
tests/krb5/raw_testcase.py: introduce STRICT_CHECKING=0 in order to relax the checks in future

We should write tests as strict as possible in order to let them run
against Windows servers.

But at the same time we want to allow tests to be useful for Samba
too...

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit dff611976d6a067614e37add99edae214815a68b)

- - - - -
bf799b23 by Stefan Metzmacher at 2021-09-16T08:07:11+00:00
tests/krb5/raw_testcase.py: add assertElement*()

These helper functions make writing subsequent Kerberos tests
clearer.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 61e1b179812e48797146584998afc5bd0168beae)

- - - - -
159384d0 by Stefan Metzmacher at 2021-09-16T08:07:11+00:00
tests/krb5/raw_testcase.py: Allow prettyPrint of more RFC-defined values

By setting krb5_asn1.APOptions.prettyPrint = BitString_NamedValues_prettyPrint
we allow the BitString_NamedValues_prettyPrint() routine to show more named values.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 34e079ce9a232a765fb3a2b25441434df35df54c)

- - - - -
1ec0efe2 by Stefan Metzmacher at 2021-09-16T08:07:11+00:00
tests/krb5/raw_testcase.py: Allow prettyPrint of more MS-KILE-defined values

By setting krb5_asn1.APOptions.prettyPrint = BitString_NamedValues_prettyPrint
we allow the BitString_NamedValues_prettyPrint() routine to show more named values.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 3abb3b41368666535a216a98c3e7d15a5d498f7e)

- - - - -
697edd2e by Stefan Metzmacher at 2021-09-16T08:07:11+00:00
tests/krb5/raw_testcase.py: split KDC_REQ_BODY_create() from KDC_REQ_create()

This allows us to reuse body in future and calculate checksums on it.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit b03fcfeb6c005936818ce50d511e9f9cc75aa9fb)

- - - - -
38c4f77b by Stefan Metzmacher at 2021-09-16T08:07:11+00:00
tests/krb5/raw_testcase.py: add KERB_PA_PAC_REQUEST_create()

This allows building the pre-authentication data that encodes
the request for the KDC (or more likely a request not to include)
the KRB5 PAC in the resulting ticket.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit ee2ac2b8ccafe3e6d560d893a4135a28e393914d)

- - - - -
e6682e51 by Stefan Metzmacher at 2021-09-16T08:07:11+00:00
tests/krb5/raw_testcase.py: add methods to iterate over etype permutations

It's often useful to run tests over a lot of input parameter
permutations.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit e3905035847a5268c1a65366830cc739280ae437)

- - - - -
1b36e3bd by Stefan Metzmacher at 2021-09-16T08:07:11+00:00
tests/krb5/raw_testcase.py: Add TicketDecryptionKey_from_creds()

This will allow building test_as_req_enc_timestamp()

It also introduces ways to specify keys in hex formatted environment
variables ${PREFIX}_{AES256,AES128,RC4}_KEY_HEX.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 69ce2a6408f78d41eb865b89726021ad7643b065)

- - - - -
ec49afa5 by Stefan Metzmacher at 2021-09-16T08:07:11+00:00
tests/krb5/raw_testcase.py: introduce a _generic_kdc_exchange() infrastructure

This will allow us to write tests, which will all cross check almost
every aspect of the KDC response (including encrypted parts).

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 6e2f2adc8e825634780077e24a9e437bdc68155a)

- - - - -
99acba0b by Stefan Metzmacher at 2021-09-16T08:07:11+00:00
tests/krb5/as_req_tests.py: add new tests to cover more of the AS-REQ protocol

Example commands:

Windows 2012R2:
SERVER=172.31.9.188 STRICT_CHECKING=1 DOMAIN=W2012R2-L6 REALM=W2012R2-L6.BASE CLIENT_USERNAME=ldaptestuser CLIENT_PASSWORD=a1B2c3D4 CLIENT_AS_SUPPORTED_ENCTYPES=28 python/samba/tests/krb5/as_req_tests.py AsReqKerberosTests
SERVER=172.31.9.188 STRICT_CHECKING=1 DOMAIN=W2012R2-L6 REALM=W2012R2-L6.BASE CLIENT_USERNAME=administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=4 python/samba/tests/krb5/as_req_tests.py AsReqKerberosTests

Windows 2008R2:
SERVER=172.31.9.133 STRICT_CHECKING=1 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE CLIENT_USERNAME=cifsmount CLIENT_PASSWORD=A1b2C3d4-08 CLIENT_AS_SUPPORTED_ENCTYPES=28 python/samba/tests/krb5/as_req_tests.py AsReqKerberosTests
SERVER=172.31.9.133 STRICT_CHECKING=1 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE CLIENT_USERNAME=administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=4 python/samba/tests/krb5/as_req_tests.py AsReqKerberosTests

Samba 4.14:
SERVER=172.31.9.163 STRICT_CHECKING=0 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE CLIENT_USERNAME=cifsmount CLIENT_PASSWORD=A1b2C3d4-08 CLIENT_AS_SUPPORTED_ENCTYPES=28 python/samba/tests/krb5/as_req_tests.py AsReqKerberosTests
SERVER=172.31.9.163 STRICT_CHECKING=0 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE CLIENT_USERNAME=administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=4 python/samba/tests/krb5/as_req_tests.py AsReqKerberosTests

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 01d86954d217e38be333aa1ce7db1d3d9059cd4c)

- - - - -
d371e868 by Stefan Metzmacher at 2021-09-16T08:07:11+00:00
selftest: run new as_req_tests against fl2008r2dc and fl2003dc

There are a lot of things we should improve in our KDC
in order to work like a Windows KDC.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit d91665d33130aed11fa82d8d2796ab1627e04dc4)

- - - - -
fa1a2eb7 by Joseph Sutton at 2021-09-16T08:07:11+00:00
tests/krb5/kdc_base_test.py: Defer account deletion until tearDownClass() is called

This allows accounts created for permutation tests to be reused, rather
than having to be recreated for every test.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 5412bffb9b4fc13023e650bbc9436a79b60b6fa2)

- - - - -
051487c6 by Joseph Sutton at 2021-09-16T08:07:11+00:00
tests/krb5/raw_testcase.py: Add get_admin_creds()

This method allows obtaining credentials that can be used for
administrative tasks such as creating accounts.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 5afae39da0ab408bb36dde3a7801634bd9cc24f6)

- - - - -
807773d3 by Joseph Sutton at 2021-09-16T08:07:11+00:00
tests/krb5/kdc_base_test.py: Create database connection only when needed

Now the database connection is only created on its first use, which
means database credentials are no longer required for tests that don't
make use of it.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 4f5566be4839838e0e3e501a030bcf6e85ff5159)

- - - - -
113fa4ec by Joseph Sutton at 2021-09-16T08:07:11+00:00
tests/krb5/kdc_base_test.py: Remove 'credentials' class attribute

Credentials for tests are now obtained using the get_user_creds()
method.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 364f1ce8d8221cb8926635fc864db782cee61cf9)

- - - - -
768f1d71 by Joseph Sutton at 2021-09-16T08:07:11+00:00
tests/krb5/kdc_base_test.py: Create loadparm only when needed

Now the .conf file is only loaded on its first use, which means that
SMB_CONF_PATH need not be defined for tests that don't make use of it.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 210e544016a3a4de1cdb76ce28a2148811ff07eb)

- - - - -
1c0c89ac by Joseph Sutton at 2021-09-16T08:07:11+00:00
tests/krb5/kdc_base_test.py: Add methods to determine supported encryption types

This is done based on the domain functional level, which corresponds to
the logic Samba uses to decide whether or not to generate a
Primary:Kerberos-Newer-Keys element for the supplementalCredentials
attribute.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 7d4a0ed21be49d13c2b815582f2d04f0c058bf3a)

- - - - -
44018e61 by Joseph Sutton at 2021-09-16T08:07:11+00:00
tests/krb5/raw_testcase.py: Add method to obtain Kerberos keys over DRS

This requires admin credentials, and removes the need to pass these keys
as environment variables.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 1f2ddd3c97e3ff243c8bd0c17299f27b761f5e7f)

- - - - -
5b209e40 by Joseph Sutton at 2021-09-16T08:07:11+00:00
tests/krb5/raw_testcase.py: Make env_get_var() a standalone method

This allows it to be used elsewhere in the tests.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 948bbc9cecbfc1b33a338891d26a4a706864b9c6)

- - - - -
7bd0c7f5 by Joseph Sutton at 2021-09-16T08:07:11+00:00
tests/krb5/raw_testcase.py: Add allow_missing_keys parameter for getting creds

This allows us to require encryption keys in the case that a password
would not be required, such as for the krbtgt account.

Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 6a77c2b93315503008627ce786388f281bd6bb87)

- - - - -
23496bb7 by Joseph Sutton at 2021-09-16T08:07:11+00:00
tests/krb5/raw_testcase.py: Cache obtained credentials

If credentials are used more than once, we can now use the credentials
that we already obtained and so avoid fetching them again.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 22a90aea82ba6ef86bde835f2369daa6e23ed2fd)

- - - - -
d88603f8 by Joseph Sutton at 2021-09-16T08:07:11+00:00
tests/krb5/raw_testcase.py: Allow specifying a fallback credentials function

This allows us to use other methods of obtaining credentials if getting
them from the environment fails.

Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit e1601f2b56f09a944c5cfb119502fdcf49a03c99)

- - - - -
ea9083df by Joseph Sutton at 2021-09-16T08:07:11+00:00
tests/krb5/raw_testcase.py: Simplify conditionals

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit ec5c2b040b63d06a17bcd7bd133c2d68d07df587)

- - - - -
56b5ceb0 by Joseph Sutton at 2021-09-16T08:07:11+00:00
tests/krb5/kdc_base_test.py: Add fallback methods to obtain client and krbtgt credentials

Now if the client credentials are not supplied in the environment, we
can fall back to creating a new user account. Similarly, if the krbtgt
credentials are not supplied, we can fetch the credentials of the
existing krbtgt account.

Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit fd45bea7a88837cbe4f99adf3a6b3f69ce32f34c)

- - - - -
9db32a6a by Joseph Sutton at 2021-09-16T08:07:11+00:00
tests/krb5/as_req_tests.py: Automatically obtain credentials

The credentials for the client and krbtgt accounts are now fetched
automatically rather than using environment variables, and the client
account is now automatically created.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 0fd71ed3c37c8cf326f9f676b7fddda3d2d24072)

- - - - -
02f3bd6a by Stefan Metzmacher at 2021-09-16T08:07:11+00:00
tests/krb5/as_req_tests.py: add simple test_as_req_enc_timestamp test

Example commands:

Windows 2012R2:
SERVER=172.31.9.188 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W2012R2-L6 REALM=W2012R2-L6.BASE CLIENT_USERNAME=ldaptestuser CLIENT_PASSWORD=a1B2c3D4 CLIENT_AS_SUPPORTED_ENCTYPES=28 KRBTGT_KVNO=2 KRBTGT_AES256_KEY_HEX=2eb6d146a2653d333cdbfb641a4efbc3de81af49e878e112bb4f6cbdd73fca52 KRBTGT_RC4_KEY_HEX=4e6d99c30e5fab901ea71f8894289d3b python/samba/tests/krb5/as_req_tests.py AsReqKerberosTests
SERVER=172.31.9.188 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W2012R2-L6 REALM=W2012R2-L6.BASE CLIENT_USERNAME=administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=4 KRBTGT_KVNO=2 KRBTGT_AES256_KEY_HEX=2eb6d146a2653d333cdbfb641a4efbc3de81af49e878e112bb4f6cbdd73fca52 KRBTGT_RC4_KEY_HEX=4e6d99c30e5fab901ea71f8894289d3b python/samba/tests/krb5/as_req_tests.py AsReqKerberosTests
SERVER=172.31.9.188 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W2012R2-L6 REALM=W2012R2-L6.BASE ADMIN_USERNAME=administrator ADMIN_PASSWORD=A1b2C3d4 python/samba/tests/krb5/as_req_tests.py
SERVER=172.31.9.188 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W2012R2-L6 REALM=W2012R2-L6.BASE ADMIN_USERNAME=administrator ADMIN_PASSWORD=A1b2C3d4 CLIENT_USERNAME=administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=4 CLIENT_KVNO=1 python/samba/tests/krb5/as_req_tests.py
SERVER=172.31.9.188 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W2012R2-L6 REALM=W2012R2-L6.BASE ADMIN_USERNAME=administrator ADMIN_PASSWORD=A1b2C3d4 CLIENT_USERNAME=ldaptestuser CLIENT_PASSWORD=a1B2c3D4 CLIENT_AS_SUPPORTED_ENCTYPES=28 CLIENT_KVNO=4 python/samba/tests/krb5/as_req_tests.py

Windows 2008R2:
SERVER=172.31.9.133 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE CLIENT_USERNAME=cifsmount CLIENT_PASSWORD=A1b2C3d4-08 CLIENT_AS_SUPPORTED_ENCTYPES=28 CLIENT_KVNO=17 KRBTGT_KVNO=2 KRBTGT_AES256_KEY_HEX=550aea2ea2719cb81c87692569796d1b3a099d433a93438f53bee798cc2f83be KRBTGT_RC4_KEY_HEX=dbc0d1feaaca3d5abc6794857b7f6fe0 python/samba/tests/krb5/as_req_tests.py
SERVER=172.31.9.133 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE CLIENT_USERNAME=administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=4 CLIENT_KVNO=1 KRBTGT_KVNO=2 KRBTGT_AES256_KEY_HEX=550aea2ea2719cb81c87692569796d1b3a099d433a93438f53bee798cc2f83be KRBTGT_RC4_KEY_HEX=dbc0d1feaaca3d5abc6794857b7f6fe0 python/samba/tests/krb5/as_req_tests.py
SERVER=172.31.9.133 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE ADMIN_USERNAME=administrator ADMIN_PASSWORD=A1b2C3d4 CLIENT_USERNAME=administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=4 CLIENT_KVNO=1 python/samba/tests/krb5/as_req_tests.py
SERVER=172.31.9.133 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE ADMIN_USERNAME=administrator ADMIN_PASSWORD=A1b2C3d4 CLIENT_USERNAME=cifsmount CLIENT_PASSWORD=A1b2C3d4-08 CLIENT_AS_SUPPORTED_ENCTYPES=28 CLIENT_KVNO=17 python/samba/tests/krb5/as_req_tests.py
SERVER=172.31.9.133 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE ADMIN_USERNAME=administrator ADMIN_PASSWORD=A1b2C3d4 python/samba/tests/krb5/as_req_tests.py

Samba:
SERVER=172.31.9.163 SMB_CONF_PATH=/dev/null STRICT_CHECKING=0 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE CLIENT_USERNAME=cifsmount CLIENT_PASSWORD=A1b2C3d4-08 CLIENT_AS_SUPPORTED_ENCTYPES=28 CLIENT_KVNO=17 KRBTGT_KVNO=2 KRBTGT_AES256_KEY_HEX=550aea2ea2719cb81c87692569796d1b3a099d433a93438f53bee798cc2f83be KRBTGT_RC4_KEY_HEX=dbc0d1feaaca3d5abc6794857b7f6fe0 python/samba/tests/krb5/as_req_tests.py
SERVER=172.31.9.163 SMB_CONF_PATH=/dev/null STRICT_CHECKING=0 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE CLIENT_USERNAME=administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=4 CLIENT_KVNO=1 KRBTGT_KVNO=2 KRBTGT_AES256_KEY_HEX=550aea2ea2719cb81c87692569796d1b3a099d433a93438f53bee798cc2f83be KRBTGT_RC4_KEY_HEX=dbc0d1feaaca3d5abc6794857b7f6fe0 python/samba/tests/krb5/as_req_tests.py
SERVER=172.31.9.163 SMB_CONF_PATH=/dev/null STRICT_CHECKING=0 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE ADMIN_USERNAME=administrator ADMIN_PASSWORD=A1b2C3d4 CLIENT_USERNAME=administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=4 CLIENT_KVNO=1 python/samba/tests/krb5/as_req_tests.py
SERVER=172.31.9.163 SMB_CONF_PATH=/dev/null STRICT_CHECKING=0 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE ADMIN_USERNAME=administrator ADMIN_PASSWORD=A1b2C3d4 CLIENT_USERNAME=cifsmount CLIENT_PASSWORD=A1b2C3d4-08 CLIENT_AS_SUPPORTED_ENCTYPES=28 CLIENT_KVNO=17 python/samba/tests/krb5/as_req_tests.py
SERVER=172.31.9.163 SMB_CONF_PATH=/dev/null STRICT_CHECKING=0 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE ADMIN_USERNAME=administrator ADMIN_PASSWORD=A1b2C3d4 python/samba/tests/krb5/as_req_tests.py

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit d5e350a4a490fecf570f1c248c9dde1466796166)

- - - - -
75f534c0 by Joseph Sutton at 2021-09-16T08:07:11+00:00
tests/krb5/as_req_tests.py: Check the client kvno

Ensure we have the correct kvno for the client, rather than an 'unknown'
value.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit d4c38678e0cc782965edfe40a0423fafb7d5a5ff)

- - - - -
c76c9f15 by Joseph Sutton at 2021-09-16T08:07:11+00:00
tests/krb5/raw_testcase.py: Check for an explicit 'unspecified kvno' value

This is clearer than using the constant zero, which could be mistaken
for a valid kvno value.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 381223117e0bae4c348d538bffaa8227b18ef3d1)

- - - - -
5a0af3e5 by Joseph Sutton at 2021-09-16T08:07:11+00:00
tests/krb5: Deduplicate 'host' attribute initialisation

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 3e621dcb6966f75034bb948a2705358d43454202)

- - - - -
09d0e892 by Joseph Sutton at 2021-09-16T08:07:11+00:00
tests/krb5/as_canonicalization_tests.py: Refactor account creation

Making this test a subclass of KDCBaseTest allows us to make use of its
methods for obtaining credentials and creating accounts, which helps to
eliminate some duplicated code.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit fc857ea60e2a66d20d4174cb121e0a6949f8a0c1)

- - - - -
07610622 by Joseph Sutton at 2021-09-16T08:07:11+00:00
tests/krb5: Use admin creds for SamDB rather than user creds

This makes the purpose of each set of credentials more consistent, and
makes some tests more convenient to run standalone as they no longer
require user credentials.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit ab221c1b3e24696aa0eed6aa970f310447657069)

- - - - -
e1a4921d by Joseph Sutton at 2021-09-16T08:07:12+00:00
s4:torture/krb5/kdc-heimdal: Automatically determine AS-REP enctype to check against

This enables us to more easily switch to a different algorithm to find
the strongest key in _kdc_find_etype().

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit bf71fa038e9b97f770e06e88226e885d67342d47)

- - - - -
63be6022 by Andrew Bartlett at 2021-09-16T08:07:12+00:00
selftest: add space after --list in output of selftesthelpers.py

Selected and backported from:

commit b113a3bbcd03ab6a62883fbca85ee8749e038887
Author: Volker Lendecke <vl at samba.org>
Date:   Mon Apr 19 16:04:00 2021 +0200

    torture: Show sddl_decode() failure for "GWFX" access mask

    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817

(This allows subsequent patches to be cherry-picked cleanly)

Signed-off-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
e6de4d85 by Andreas Schneider at 2021-09-16T08:07:12+00:00
selftest: Re-format long lines in selftesthelpers.py

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 18976a9568b23759060377d09304e9d7badb143a)

- - - - -
f5e4fc45 by Andreas Schneider at 2021-09-16T08:07:12+00:00
selftest: Add support for setting ENV variables in plansmbtorture4testsuite()

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 3db299e586fd9464b6e1b145f29b10c8ae325d3a)

- - - - -
a5a26564 by Andreas Schneider at 2021-09-16T08:07:12+00:00
selftest: Add support for setting ENV variables in plantestsuite()

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 48289b6964d28e153fec885aceca02c6a9b436ef)

- - - - -
3e013f04 by Björn Baumbach at 2021-09-16T08:07:12+00:00
selftest: add option to pass args to tests to planpythontestsuite()

The logic is basically a copy from planoldpythontestsuite().

Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>

Signed-off-by: Björn Baumbach <bb at sernet.de>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 3e9f0e97255de1b4235c4dca6912635386328746)

- - - - -
52898d56 by Joseph Sutton at 2021-09-16T08:07:12+00:00
pygensec: Fix memory leaks

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 814df05f8c10e9d82e6082d42ece1df569db4385)

- - - - -
11cf6255 by Joseph Sutton at 2021-09-16T08:07:12+00:00
pygensec: Don't modify Python bytes objects

gensec_update() and gensec_unwrap() can both modify their input buffers
(for example, during the in-place RRC operation on GSSAPI tokens).
However, buffers obtained from Python bytes objects must not be modified
in any way. Create a copy of the input buffer so the original isn't
modified.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 6818d204897d0b7946dcfbedf79cd53fb9b3f159)

- - - - -
7b16ffcb by Joseph Sutton at 2021-09-16T08:07:12+00:00
tests/krb5: Fix ms_kile_client_principal_lookup_test errors

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 4797ced89095155c01e44727cf8b66ee4fb39710)

- - - - -
c76cf2bc by Joseph Sutton at 2021-09-16T08:07:12+00:00
tests/krb5: Fix comment typo

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 9eb4c4b7b1c2e8d124456e6a57262dc9c02d67d4)

- - - - -
fa26a95d by Joseph Sutton at 2021-09-16T08:07:12+00:00
tests/krb5: Fix method name typo

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 7013a8edd1f628b8659f0836f3b37ccf13156ae2)

- - - - -
70f6cf7a by Joseph Sutton at 2021-09-16T08:07:12+00:00
tests/krb5: formatting

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit df6623363a7ec1a13af48a09e1d29fa8784e825c)

- - - - -
c3ffa232 by Joseph Sutton at 2021-09-16T08:07:12+00:00
tests/krb5: Remove unneeded statements

A return statement is redundant as the last statement in a method, as
methods will otherwise return None. Also, code blocks consisting of a
single 'pass' statement can be safely omitted.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 1320ac0f91a9b0fc8156840ec498059ee10b5a2d)

- - - - -
80757c65 by Joseph Sutton at 2021-09-16T08:07:12+00:00
tests/krb5: Use more compact dict lookup

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 38b3a361819c716adb773fb3b4507c28d7d26c0d)

- - - - -
cd3b4785 by Joseph Sutton at 2021-09-16T08:07:12+00:00
tests/krb5: Simplify Python syntax

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 41c3e410344280d691e5a21fa5240ef52e71bd2d)

- - - - -
d4c3e11e by Joseph Sutton at 2021-09-16T08:07:12+00:00
tests/krb5: Remove magic constants

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit a2b183c179e74634438c85a4b35518836ba59e47)

- - - - -
254bd5ad by Joseph Sutton at 2021-09-16T08:07:12+00:00
tests/krb5: Fix including enc-authorization-data

Remove the EncAuthorizationData parameters from AS_REQ_create(), since
it should only be present in the TGS-REQ form. Also, fix a call to
EncryptedData_create() to supply the key usage when creating
enc-authorization-data.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 67ff72395cec2e5170c0ebae8db416a1f226df72)

- - - - -
a4e70d45 by Joseph Sutton at 2021-09-16T08:07:12+00:00
tests/krb5: Fix callback_dict parameter

Items contained in a default-created callback_dict should not be carried
over between unrelated calls to {as,tgs}_as_exchange_dict().

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit bad5f4ee5fdf64ca9d775233fec24975e0b510bf)

- - - - -
2f127141 by Joseph Sutton at 2021-09-16T08:07:12+00:00
tests/krb5: Fix encpart_decryption_key with MIT KDC

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit a0c6538a97126671f9c7bcf3b581f3d98cbc7fd1)

- - - - -
e79061f0 by Joseph Sutton at 2021-09-16T08:07:12+00:00
tests/krb5: Expect e-data except when the error code is KDC_ERR_GENERIC

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 8194b2a2611c6b1db2d29ec22c70e14decd1784b)

- - - - -
e2d952cf by Joseph Sutton at 2021-09-16T08:07:12+00:00
tests/krb5: Check Kerberos protocol version number

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit d6a242e20004217a0ce02dc4ef620a121e5944da)

- - - - -
2ae49840 by Joseph Sutton at 2021-09-16T08:07:12+00:00
tests/krb5: Use credentials kvno when creating password key

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 17d5a267298ccd7272e86fd24c2c608511cf46b7)

- - - - -
70dd144a by Joseph Sutton at 2021-09-16T08:07:12+00:00
tests/krb5: Allow cf2 to automatically use the enctype of the first key

RFC6113 states: "Unless otherwise specified, the resulting enctype of
KRB-FX-CF2 is the enctype of k1." This change means the enctype no
longer has to be specified manually.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit a5e5f8fdfe8b6952592d7d682af893c79080826f)

- - - - -
ca5b9aff by Joseph Sutton at 2021-09-16T08:07:12+00:00
tests/krb5: Refactor get_pa_data()

The function now returns a single padata object rather than a list,
making it easier to combine multiple padata elements into a request. The
new name 'get_enc_timestamp_pa_data' also makes it clearer as to what
the method generates.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 2c80f7f851a7a4ffbcde2c42b2c383b683b67731)

- - - - -
11001fca by Joseph Sutton at 2021-09-16T08:07:12+00:00
tests/krb5: Add get_enc_timestamp_pa_data_from_key()

This makes it easier to create encrypted timestamp padata when the key
has already been obtained.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit f5a906f74f9665a894db3c13722022f732180620)

- - - - -
ce7b1d71 by Joseph Sutton at 2021-09-16T08:07:12+00:00
tests/krb5: Add method to return dict containing padata elements

This makes checking multiple padata elements easier.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit cb332d83008aa97a60eaca9e008054f641d514d6)

- - - - -
2e42112e by Joseph Sutton at 2021-09-16T08:07:12+00:00
tests/krb5: Make _test_as_exchange() return value more consistent

Always return the reply and the kdc_exchange_dict so that the caller has
more potentially useful information.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit fe8912e4a85c5fd614ad3079b041c0e1975958e3)

- - - - -
5cada922 by Joseph Sutton at 2021-09-16T08:07:12+00:00
tests/krb5: Add get_EpochFromKerberosTime()

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit bab7503e3043002b1422b00f40cd03a0a29538aa)

- - - - -
34faed89 by Joseph Sutton at 2021-09-16T08:07:12+00:00
tests/krb5: Use encryption with admin credentials

This ensures that account creation using admin credentials succeeds.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit ce379edf2e135b105b18d35e24d732389de94291)

- - - - -
caca311a by Joseph Sutton at 2021-09-16T08:07:12+00:00
tests/krb5: Allow specifying additional details when creating an account

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 4790b6b04ae145a2ebb418dd734487a6ba28a30c)

- - - - -
afcf48e7 by Joseph Sutton at 2021-09-16T08:07:12+00:00
tests/krb5: Add more methods for obtaining machine and service credentials

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 50d743bafc7aa9f7b4688bae652a501001e9fdbb)

- - - - -
dcd9320c by Joseph Sutton at 2021-09-16T08:07:12+00:00
tests/krb5: Add method to calculate account salt

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit f5689bb8fab82d5fcbdbd3c63b86e7618834aac5)

- - - - -
235873ff by Joseph Sutton at 2021-09-16T08:07:12+00:00
tests/krb5: Add check_reply() method to check for AS or TGS reply

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 28fb50f511f3f693709aa9b41c001d6a5f9c3329)

- - - - -
d82d3a20 by Joseph Sutton at 2021-09-16T08:07:12+00:00
tests/krb5: Always specify expected error code

Now the expected error code is always determined by the test code itself
rather than by generic_check_as_error().

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 21c64fda8f98d451e028ea483dbe351b1280390c)

- - - - -
cc1f6fcd by Joseph Sutton at 2021-09-16T08:07:12+00:00
tests/krb5: Include kdc_options in kdc_exchange_dict

Make kdc_options an element of kdc_exchange_dict instead of a parameter
to _generic_kdc_exchange(). This allows testing code to adjust the reply
checking based on the options that were specified in the request.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 8fe9589da2d8fe6f5c47770c618ebabe028f6a95)

- - - - -
81408702 by Joseph Sutton at 2021-09-16T08:07:12+00:00
tests/krb5: Only allow specifying one of check_rep_fn and check_error_fn

This means that there can no longer be surprises where a test receives a
reply when it was expecting an error, or vice versa.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 78818655505b3183251940e86270cd40bae73206)

- - - - -
db6495a2 by Joseph Sutton at 2021-09-16T08:07:12+00:00
tests/krb5: Ensure in assertElementPresent() that container elements are not empty

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit ba3c92f77b20e1e0d298cd92399dc69535739c27)

- - - - -
1e451d72 by Joseph Sutton at 2021-09-16T08:07:12+00:00
tests/krb5: Assert that more variables are not None

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 3d1066e923815782036bd11524fda110a2528951)

- - - - -
ee9b0a02 by Joseph Sutton at 2021-09-16T08:07:12+00:00
tests/krb5: Check version number of obtained ticket

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 98dc19e8c817fc66e253e544874a45b17b8bfa7b)

- - - - -
d81a88a7 by Joseph Sutton at 2021-09-16T08:07:12+00:00
tests/krb5: Make checking less strict

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 6df0e406f1f823bf4d65cd478eb6f2424b69adcc)

[abartlet at samba.org Adapted to add knownfail because in this
Samba 4.14 backport we do not include
b3ee034b4d457607ef25a5b01da64e1eaf5906dd
(s4:kdc: prefer newer enctypes for preauth responses)]

- - - - -
d9f40651 by Joseph Sutton at 2021-09-16T08:07:12+00:00
tests/krb5: Check nonce in EncKDCRepPart

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 4951a105b0448854115a7ecc3d867be6f34b0dcf)

- - - - -
a9e421c4 by Joseph Sutton at 2021-09-16T08:07:12+00:00
tests/krb5: Add generate_ap_req() method

This method will be useful to generate an AP-REQ for use as FAST armor.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 4824dd4e9f40abcbd4134b79e2b2b8fb960f47e7)

- - - - -
04a6c902 by Joseph Sutton at 2021-09-16T08:07:12+00:00
tests/krb5: Ensure generated padata is not None

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit b6f96dd6395a30e15fa906959cbe665757aaba8d)

- - - - -
1ce82cbc by Joseph Sutton at 2021-09-16T08:07:12+00:00
tests/krb5: Generate AP-REQ for TGS request in _generic_kdc_exchange()

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 025737deb5325d25b2ae4c57583c24ae1d0eca33)

- - - - -
dbeafd15 by Joseph Sutton at 2021-09-16T08:07:12+00:00
tests/krb5: Add more ASN1 definitions for FAST

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit ec702900295100ae4e48ba57242eee6670bf30d6)

- - - - -
0e33a066 by Joseph Sutton at 2021-09-16T08:07:12+00:00
tests/krb5: Add more methods to create ASN1 objects for FAST

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 69a66c0d2a7ed415c8d8acdb8da0f2f3d1abf60d)

- - - - -
b7562c87 by Joseph Sutton at 2021-09-16T08:07:12+00:00
tests/krb5: Add method to generate FAST encrypted challenge padata

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit aafc86896969d02ff1daecdf2668bfa642860082)

- - - - -
6264ed42 by Joseph Sutton at 2021-09-16T08:07:12+00:00
tests/krb5: Add methods to calculate keys for FAST

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 080894067469d60e2c71961c2d1c1990ba15b917)

- - - - -
a57e79c5 by Joseph Sutton at 2021-09-16T08:07:12+00:00
tests/krb5: Rename generic_check_as_error() to generic_check_kdc_error()

This method will also be useful in checking TGS-REP error replies.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 74f332c6f9e31b933837cefee69b219054970713)

- - - - -
25b6681c by Joseph Sutton at 2021-09-16T08:07:12+00:00
tests/krb5: Include authenticator_subkey in AS-REQ exchange dict

This is needed for FAST.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit d554b6dc0f4e14d154e487dc2a842321aa746155)

- - - - -
52eb693a by Joseph Sutton at 2021-09-16T08:07:12+00:00
tests/krb5: Modify generate_ap_req() to also generate FAST armor AP-REQ

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 5c2cd71ae704b853a886c8af5e3cf50b53af7f9e)

- - - - -
3be408a3 by Joseph Sutton at 2021-09-16T08:07:12+00:00
tests/krb5: Add FAST armor generation to _generic_kdc_exchange()

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 0df385fc49cc2693c195209936a29e31216df16d)

- - - - -
de8fbf93 by Joseph Sutton at 2021-09-16T08:07:12+00:00
tests/krb5: Allow specifying parameters specific to the outer request body

This is useful for testing FAST.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 16ce1a1d304b87ed5b390fb87a4542c7c9a484fb)

- - - - -
b551c801 by Joseph Sutton at 2021-09-16T08:07:12+00:00
tests/krb5: Add method to check PA-FX-FAST-REPLY

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit b62488113f6053755f9be9faa9b757e7193074fa)

- - - - -
5d39d4b3 by Joseph Sutton at 2021-09-16T08:07:12+00:00
tests/krb5: Add method to verify ticket checksum for FAST

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 4ca05402b36ba13a987b07b2402906764d3cd49b)

- - - - -
cedfc67e by Joseph Sutton at 2021-09-16T08:07:12+00:00
tests/krb5: Check FAST response

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit d878bd6404d26c8be45bb2016ec206ed79d4ef6e)

- - - - -
64b5183a by Joseph Sutton at 2021-09-16T08:07:12+00:00
tests/krb5: Add functions to get dicts of request padata

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit dc7dac95ec509d90d8372005cd7b13fabd8e64c6)

- - - - -
701e5c98 by Joseph Sutton at 2021-09-16T08:07:12+00:00
tests/krb5: Add methods to determine whether elements were included in the request

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 99e3b909edf27c751b959a3d0b672ddd2b7140e2)

- - - - -
8a3b41f0 by Joseph Sutton at 2021-09-16T08:07:12+00:00
tests/krb5: Check encrypted-pa-data

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 0c029e780cf16a49c674593e8329eaf3b87aec69)

- - - - -
8eaa8e10 by Joseph Sutton at 2021-09-16T08:07:12+00:00
tests/krb5: Add expected_cname_private parameter to kdc_exchange_dict

This is useful for testing the 'hide client names' FAST option.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 2ee87dbf08e66e1dc812430026bfe214f9f5503d)

- - - - -
bef5024d by Joseph Sutton at 2021-09-16T08:07:12+00:00
tests/krb5: Include authdata in kdc_exchange_dict

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit ea1ed63e8819926db1cf15974009601c7d37e944)

- - - - -
efe112df by Joseph Sutton at 2021-09-16T08:07:12+00:00
tests/krb5: Add generate_simple_fast() method to generate FX-FAST padata

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 1389ba346df81c9ea1e1143c4e819212939f6aeb)

- - - - -
087cf5f9 by Joseph Sutton at 2021-09-16T08:07:12+00:00
tests/krb5: Add check_rep_padata() method to check padata in reply

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 79b9aac65b7dbdc58275368eae9feb7d87bf6dab)

- - - - -
fef9198a by Joseph Sutton at 2021-09-16T08:07:12+00:00
tests/krb5: Don't expect RC4 in ETYPE-INFO2 for a non-error reply

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 705e45e37f4752e283a80626be10c38b29232359)

- - - - -
be497724 by Joseph Sutton at 2021-09-16T08:07:12+00:00
tests/krb5: Remove unused variables

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 5edbabeb26e110648d4588c90843e4715ec1ac5c)

- - - - -
2356b4d9 by Joseph Sutton at 2021-09-16T08:07:12+00:00
tests/krb5: Add get_krbtgt_sname() method

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit dbe98005d5873440063b91e56679937149535be7)

- - - - -
ee892fac by Joseph Sutton at 2021-09-16T08:07:12+00:00
tests/krb5: Check sname is krbtgt for FAST generic error

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 7a27b75621908a4a6449efaecb54eb20fa45aca0)

- - - - -
0febff53 by Joseph Sutton at 2021-09-16T08:07:12+00:00
tests/krb5: Check reply FAST padata if request included FAST

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 056fb71832e7aa16132c58ff393ab8b752ef6a93)

- - - - -
40da4ffb by Joseph Sutton at 2021-09-16T08:07:12+00:00
tests/krb5: Adjust reply padata checking depending on whether FAST was sent

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 44a44109db96eab08a3da3683c34446bc13b295b)

- - - - -
2391eabf by Joseph Sutton at 2021-09-16T08:07:12+00:00
tests/krb5: Check PADATA-ENCRYPTED-CHALLENGE in reply

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 2f7919db395c24f6890ffe4ee46a5e34df95fccd)

- - - - -
e1c4d715 by Joseph Sutton at 2021-09-16T08:07:12+00:00
tests/krb5: Check PADATA-FX-COOKIE in reply

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 95b54078c2f82179283dfc397c4ec1f36d5edfe7)

- - - - -
8fa99e31 by Joseph Sutton at 2021-09-16T08:07:12+00:00
tests/krb5: Make check_rep_padata() also work for checking TGS replies

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit ab4e7028a6ac01eab9531c8a26507a912df54278)

- - - - -
48199d18 by Joseph Sutton at 2021-09-16T08:07:12+00:00
tests/krb5: Make generic_check_kdc_error() also work for checking TGS replies

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 29070e74baa18d94642efcd36930b9bab216e10c)

- - - - -
83073237 by Joseph Sutton at 2021-09-16T08:07:12+00:00
tests/krb5: Check PADATA-PAC-OPTIONS in reply

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 0c857f67a3a4a27aa4b799c9a61a1a1b59932c07)

- - - - -
1fd611e9 by Joseph Sutton at 2021-09-16T08:07:12+00:00
tests/krb5: Allow generic_check_kdc_error() to check inner FAST errors

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 66e1eb58bedf036ad25a868993d44480c4e0e055)

- - - - -
e7e79028 by Joseph Sutton at 2021-09-16T08:07:12+00:00
tests/krb5: Check PADATA-FX-ERROR in reply

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit aa2c221f4e1bfc3403de857e62eaeaee1577560c)

- - - - -
576e5ca2 by Gary Lockyer at 2021-09-16T08:07:12+00:00
initial FAST tests

Currently incomplete, and tested only against MIT Kerberos.

[abartlet at samba.org
 Originally "WIP inital FAST tests"

 Samba's general policy is that we don't push WIP patches, we polish
 into a 'perfect' patch stream.

 However, I think there are good reasons to keep this patch distinct
 in this particular case.

 Gary is being modest in titling this WIP (now removed from the title
 to avoid confusion). They are not WIP in the normal sense of
 partially or untested code or random unfinished thoughts. The primary
 issue is that at that point where Gary had to finish up he had
 trouble getting FAST support enabled on Windows, so couldn't test
 against our standard reference. They are instead good, working
 initial tests written against the RFC and tested against Samba's AD DC
 in the mode backed by MIT Kerberos.

 This preserves clear authorship for the two distinct bodies of work,
 as in the next patch Joseph was able to extend and improve the tests
 significantly. ]

Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit b7b62957bdce9929fabd3812b9378bdbd6c12966)

- - - - -
27e96423 by Joseph Sutton at 2021-09-16T08:07:12+00:00
tests/krb5: Add FAST tests

Example command:

SERVER=addc STRICT_CHECKING=0 SMB_CONF_PATH=/dev/null \
KRB5_CONFIG=krb5.conf DOMAIN=ADDOMAIN REALM=ADDOM.SAMBA.EXAMPLE.COM \
ADMIN_USERNAME=Administrator ADMIN_PASSWORD=locDCpass1 \
PYTHONPATH=bin/python python/samba/tests/krb5/fast_tests.py

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817

Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Wed Aug 18 23:20:14 UTC 2021 on sn-devel-184

(cherry picked from commit 984a0db00c3f2e38b568a75eb1944f4d7bb7f854)

- - - - -
17c7bc10 by Andrew Bartlett at 2021-09-16T08:07:12+00:00
selftest: Remove knownfail for no_etypes FAST tests

These tests pass because b3ee034b4d457607ef25a5b01da64e1eaf5906dd
(s4:kdc: prefer newer enctypes for preauth responses) is not included
in the 4.13 backport.

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817

- - - - -
497b4612 by Joseph Sutton at 2021-09-16T08:07:12+00:00
tests/krb5: Make e-data checking less strict

Without this additional 'self.strict_checking' check, the tests in the
following patches do not get far enough to trigger a crash with the MIT
KDC, instead failing when obtaining a TGT for the user or machine.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>

[abartlet at samba.org Backported from commit
 79dda329f2a8382f1e46b50f4b9692e78d687826 as knownfail needed splitting
 into only failing in the Heimdal case, likely because
 b3ee034b4d457607ef25a5b01da64e1eaf5906dd
 (s4:kdc: prefer newer enctypes for preauth responses) is not included
 in the 4.14 backport. ]

- - - - -
95de6d13 by Joseph Sutton at 2021-09-16T08:07:12+00:00
tests/krb5: Make cname checking less strict

Without this additional 'self.strict_checking' check, the tests in the
following patches do not get far enough to trigger a crash with the MIT
KDC.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
[abartlet at samba.org backported from commit
 36798f5b651a02b74b6844c024101f7a026f1f68 as Samba 4.14 is tested
 on MIT 1.16 and so the knownfails need to match this version]

- - - - -
a67cda71 by Luke Howard at 2021-09-16T08:07:12+00:00
CVE-2021-3671 HEIMDAL kdc: validate sname in TGS-REQ

In tgs_build_reply(), validate the server name in the TGS-REQ is present before
dereferencing.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817

[abartlet at samba.org backported from Heimdal
commit 04171147948d0a3636bc6374181926f0fb2ec83a via reference
to an earlier patch by Joseph Sutton]

RN: An unauthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ

Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 0cb4b939f192376bf5e33637863a91a20f74c5a5)

- - - - -
d3a61137 by Joseph Sutton at 2021-09-16T08:07:12+00:00
CVE-2021-3671 tests/krb5: Add tests for omitting sname in outer request

Note: Without the previous patch, 'test_fast_tgs_outer_no_sname' would
crash the Heimdal KDC.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit b8e2515552ffa158fab1e86a39004de4cc419da5)

- - - - -
bd76f6d4 by Andrew Bartlett at 2021-09-16T08:07:12+00:00
tests/krb5: Remove harmful and a-typical return in as_req testcase

A test in a TestCase class should not return a value; the
test is determined by the assertions raised.

Other changes will shortly cause kdc_exchange_dict[preauth_etype_info2]
to not always be filled, so we need to remove this
redundant code.

This also fixes a *lot* of tests against the MIT KDC

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 3330eaf39c6174f2d90fe4d8e016efb97005d1e5)

- - - - -
8a8872f7 by Joseph Sutton at 2021-09-16T08:07:12+00:00
tests/krb5: Check e-data element for TGS-REP errors without FAST

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit e373c6461a88c44303ea8cdbebc2d78dd15dec4a)

- - - - -
cabc5b11 by Joseph Sutton at 2021-09-16T08:07:12+00:00
tests/krb5: Check PADATA-PW-SALT element in e-data

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 1e4d757394a0bbda587d5ff91801f88539b712b1)

- - - - -
b5e11c10 by Joseph Sutton at 2021-09-16T08:07:12+00:00
tests/krb5: Add tests for omitting sname in request

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit bbbb13caf7bd2440c80f4f4775725b7863d16a5b)

- - - - -
57800189 by Joseph Sutton at 2021-09-16T08:07:12+00:00
tests/krb5: Allow specifying parameters specific to the inner FAST request body

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit c6d7e19ecfb264c6f79df5a20e830e4ea6fdb340)

- - - - -
1e27b45f by Joseph Sutton at 2021-09-16T08:07:12+00:00
tests/krb5: Allow expected_error_mode to be a container type

This allows a range of possible error codes to be checked against, for
cases when the particular error code returned is not so important.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit ebd673e976aea5dd481a75f180fd526995c4fda0)

- - - - -
7a2a6e0b by Luke Howard at 2021-09-16T08:07:12+00:00
kdc: KRB5KDC_ERR_{C,S}_PRINCIPAL_UNKNOWN if missing field

If missing cname or sname in AS-REQ, return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN and
KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN. This matches MIT behaviour.

[abartlet at samba.org Backported from Heimdal commit 892a1ffcaad98157e945c540b81f65edb14d29bd
and knownfail added.  Further adapted knownfail for 4.14 due to conflicts
as the patch that adds a test which crashes old MIT versions is
omitted]

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>

- - - - -
b7d16fdc by Andrew Bartlett at 2021-09-16T08:54:13+00:00
tests/krb5: Allow KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN for a missing sname

This allows our code to still pass with the error code that
MIT and Heimdal have chosen

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>

Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Thu Sep  2 14:28:31 UTC 2021 on sn-devel-184

[abartlet at samba.org: Backported from 10baaf08523200e47451aa1862430977b0365b59
 to Samba 4.14 due to conflicts in
 knownfail as the test which crashes older MIT KDC versions is
 omitted]

Autobuild-User(v4-13-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-13-test): Thu Sep 16 08:54:13 UTC 2021 on sn-devel-184

- - - - -
4703acc8 by Jule Anger at 2021-09-22T08:56:02+02:00
WHATSNEW: Add release notes for Samba 4.13.12.

Signed-off-by: Jule Anger <janger at samba.org>

- - - - -
aa756f3f by Jule Anger at 2021-09-22T08:56:40+02:00
VERSION: Disable GIT_SNAPSHOT for the 4.13.12 release.

Signed-off-by: Jule Anger <janger at samba.org>

- - - - -
2b97c11b by Jule Anger at 2021-09-22T08:57:14+02:00
VERSION: Bump version up to Samba 4.13.13...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Jule Anger <janger at samba.org>

- - - - -
0e62cfec by Stefan Metzmacher at 2021-10-27T22:37:08+00:00
wafsamba: add support git worktree to vcs_dir_contents()

.git is not always a directory, with 'git worktree' it's a file.

Note we could also use 'git rev-parse --show-toplevel', but that's
a patch for another day.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 2e2d2eaa10499537c9af07dd866ac8e613c3da02)

- - - - -
3ba31fd4 by Stefan Metzmacher at 2021-10-27T22:37:08+00:00
script/bisect-test.py: add support git worktree

.git is not always a directory, with 'git worktree' it's a file.

Note we could also use 'git rev-parse --show-toplevel', but that's
a patch for another day.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit c7f85146cb50795afcbb1c607e87d163d241c79a)

- - - - -
beaae4c5 by Stefan Metzmacher at 2021-10-27T22:37:08+00:00
wscript: fix installing pre-commit with 'git worktree'

.git is not always a directory, with 'git worktree' it's a file.

'git rev-parse --git-path hooks' is the generic way to find the
path for the githooks.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>

Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Thu Aug 12 08:56:13 UTC 2021 on sn-devel-184

(cherry picked from commit 8858cf72af1cc15784749e58f184559a839dd4ef)

- - - - -
283a1281 by David Mulder at 2021-10-27T22:37:08+00:00
python: Move dsdb_Dn to samdb

The import dsdb needed for dsdb_Dn causes import
errors when trying to import get_bytes/get_string
in some places.

Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

[abartlet at samba.org backported from commit 85d2ff2f0003b106ca84866b7e7893723f1dd93c
 as the PY2 compat code is still in place in Samba 4.13]

- - - - -
d4872f50 by Douglas Bagnall at 2021-10-27T22:37:08+00:00
python/join: use the provided krbtgt link in cleanup_old_accounts

Before we were putting it in an otherwise unused variable, and
deleting the previous krbtgt_dn, if any.

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: David Mulder <dmulder at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit 98f6ece5ad03a822180796873197383c17c3c6d9)

- - - - -
6882fb5c by Andrew Bartlett at 2021-10-27T22:37:08+00:00
autobuild: allow AUTOBUILD_FAIL_IMMEDIATELY=0 (say from a gitlab variable)

This allows making a push to do a full test ignoring errors without
needing "HACK!!!" commits on top.

Use like this:

git push -o ci.variable='AUTOBUILD_FAIL_IMMEDIATELY=0'

RN: Samba CI runs can now continue past the first error if AUTOBUILD_FAIL_IMMEDIATELY=0 is set

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14841
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Michael Adam <obnox at samba.org>
Reviewed-by: Noel Power <npower at samba.org>

[abartlet at samba.org backported from commit b81f6f3d71487085bb355392ce7f8eff2db5bb4d
 due to changes in 4.15 and later for the autobuild dependent jobs work
 that avoids rebuilding Samba in each task]

Autobuild-User(v4-14-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-14-test): Thu Sep 23 08:54:03 UTC 2021 on sn-devel-184

(cherry picked from commit f53c532c2292d07ab3374920bd83c1266663038e)

- - - - -
0d0d609d by Joseph Sutton at 2021-10-27T22:37:08+00:00
krb5pac.idl: Add ticket checksum PAC buffer type

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit ff2f38fae79220e16765e17671972f9a55eb7cce)

- - - - -
d5572676 by Joseph Sutton at 2021-10-27T22:37:08+00:00
security.idl: Add well-known SIDs for FAST

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit 0092b4a3ed58b2c256d4dd9117cce927a3edde12)

- - - - -
efb8340f by Joseph Sutton at 2021-10-27T22:37:08+00:00
tests/krb5: Calculate expected salt if not given explicitly

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit c6badf818e9db44461979a931c74fc5ab6e80132)

- - - - -
a91f36d7 by Joseph Sutton at 2021-10-27T22:37:08+00:00
tests/krb5: Add methods to obtain the length of checksum types

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit 9924dd976183ea62b08f116f8b8bacc698bb9b95)

- - - - -
20df014f by Joseph Sutton at 2021-10-27T22:37:08+00:00
tests/krb5: Use signed integers to represent key version numbers in ASN.1

As specified in 'MS-KILE 3.1.5.8: Key Version Numbers', Windows uses
signed 32-bit integers to represent key version numbers. This makes a
difference for an RODC with a msDS-SecondaryKrbTgtNumber greater than
32767, where the kvno should be encoded in four bytes rather than five.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit 448b661bf8815a05f534926d8ee8d6f57d123c2c)

- - - - -
735d514e by Joseph Sutton at 2021-10-27T22:37:08+00:00
tests/krb5: Add KDCOptions flag for constrained delegation

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit 08086c43987abecc588ebd32ec846ff7e27a83b6)

- - - - -
c978fcdf by Joseph Sutton at 2021-10-27T22:37:08+00:00
tests/krb5: Use more compact dict lookup

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit 3fd73b65a3db405db5a0a82cca6c808763d4f437)

- - - - -
4892fa13 by Joseph Sutton at 2021-10-27T22:37:08+00:00
tests/krb5: Replace expected_cname_private with expected_anon parameter

This is used in the case where the KDC returns 'WELLKNOWN/ANONYMOUS' as
the cname, and makes the reply checking logic easier to follow. This
also removes the need to fetch the client credentials in the test
methods.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit bf55786fcd9a96daa9002661d6f5d9b3502ed8a7)

- - - - -
9b75a279 by Joseph Sutton at 2021-10-27T22:37:08+00:00
tests/krb5: Allow specifying an OU to create accounts in

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit 7aae0e9b100b8cb7d1da78b8cb9a4a5c20acffbd)

- - - - -
a2d8713c by Joseph Sutton at 2021-10-27T22:37:08+00:00
tests/krb5: Allow specifying additional User Account Control flags for account

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit 9aa900857441ea7e1c2d6c60bfa1ddeb142bf3e3)

- - - - -
1837ddb3 by Joseph Sutton at 2021-10-27T22:37:08+00:00
tests/krb5: Keep track of account DN in credentials object

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit 9973b51e48a5d5f3e33c6e0da46e6231a42bd77a)

- - - - -
dcde84d9 by Joseph Sutton at 2021-10-27T22:37:08+00:00
tests/krb5: Move padata generation methods to base class

This allows them to be used directly from RawKerberosTest.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit 1f23b16ef3a900a1bda01bf2a5a3a3847e2e79d1)

- - - - -
99702d5d by Joseph Sutton at 2021-10-27T22:37:08+00:00
tests/krb5: add options to kdc_exchange_dict to specify including PAC-REQUEST or PAC-OPTIONS

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit c0db1ba54d238d4b2da8895215d8314b068ce09c)

- - - - -
36eb76b6 by Joseph Sutton at 2021-10-27T22:37:08+00:00
tests/krb5: Don't create PAC request manually in as_req_tests

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit bc21ba2592093c765751ed3e8083dcd3512997f8)

- - - - -
e4c5a3ea by Joseph Sutton at 2021-10-27T22:37:08+00:00
tests/krb5: Don't create PAC request or options manually in fast_tests

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit 7556a4dfa64650939aef14a2fc4d10b9ed3d29f7)

- - - - -
f86766af by Joseph Sutton at 2021-10-27T22:37:08+00:00
tests/krb5: Remove magic constants

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit 571265257f335ba7f6f1b46daa0d657b8a8dff2b)

- - - - -
af38bdc0 by Joseph Sutton at 2021-10-27T22:37:08+00:00
tests/krb5: Allow specifying ticket flags expected to be set or reset

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit 85ddfc1afcf21797dab15431a5f375444c4d316e)

- - - - -
9bd79bfe by Joseph Sutton at 2021-10-27T22:37:08+00:00
tests/krb5: Make time assertion less strict

This assertion could fail if there was a time difference between the KDC
and the client.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit 1974b872fb5a7da052305d01e2f1efc8d0637078)

- - - - -
829de7f8 by Joseph Sutton at 2021-10-27T22:37:08+00:00
tests/krb5: Allow Kerberos requests to be sent to DC or RODC

If run inside the 'rodc' testing environment, 'DC_SERVER' and 'SERVER'
refer to the hostnames of the DC and RODC respectively, and this commit
allows either one of them to be used as the KDC for Kerberos exchanges.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit 0afb548a0a3221730c4a81d51bc31e99ec90e334)

- - - - -
eef81ead by Joseph Sutton at 2021-10-27T22:37:08+00:00
tests/krb5: Check for presence of 'renew-till' element

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit 9cba5f9a1b098e49315e2e3d4c0b626884c04a64)

- - - - -
39541dfa by Joseph Sutton at 2021-10-27T22:37:08+00:00
tests/krb5: Check 'caddr' element

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit d3106a8d35225e826d548d3bea0d42edc3998c38)

- - - - -
26b6b6e6 by Joseph Sutton at 2021-10-27T22:37:08+00:00
tests/krb5: Check for presence of 'key-expiration' element

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit c3b746290278f7b5c1dea676e3fa28b9f15bcf94)

- - - - -
a57391cf by Joseph Sutton at 2021-10-27T22:37:08+00:00
tests/krb5: Create testing accounts in appropriate containers

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Tue Sep 14 00:01:44 UTC 2021 on sn-devel-184

(cherry picked from commit 01378a52a1cf0b6855492673455013d5719be45b)

- - - - -
36f8c708 by Joseph Sutton at 2021-10-27T22:37:08+00:00
tests/krb5: Allow specifying status code to be checked

This allows us to check the status code that may be sent in an error
reply to a TGS-REQ message.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit 4ba5e82ae53410ec9a0bc7d47b181a88c15d9387)

- - - - -
ac14815f by Joseph Sutton at 2021-10-27T22:37:08+00:00
tests/krb5: Get expected cname from TGT for TGS-REQ messages

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit a5186f92803009c81eca2957e1bf2eb0ff7b6dff)

- - - - -
9926198b by Joseph Sutton at 2021-10-27T22:37:08+00:00
tests/krb5: Get encpart decryption key from kdc_exchange_dict

Instead of using check_padata_fn to get the encpart decryption key, we
can get the key from the AS-REQ preauth phase or from the TGT, depending
on whether the message is an AS-REQ or a TGS-REQ. This allows removal of
check_padata_fn and some duplicated code.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit 0e99382d73f44eed7e19e83e430938d587e762d0)

- - - - -
860f7704 by Joseph Sutton at 2021-10-27T22:37:08+00:00
tests/krb5: Add get_cached_creds() method to create persistent accounts for testing

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit c9fd8ffd8927ef42fd555e690f966f65aa01332e)

- - - - -
c2cbe6e9 by Joseph Sutton at 2021-10-27T22:37:09+00:00
tests/krb5: Generate padata for FAST tests

This gives us access to parameters of kdc_exchange_dict and enables us
to simplify the logic.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit 943079fd94fec66cdc2ba4ea1b2beb2971473004)

- - - - -
7d6ad51b by Joseph Sutton at 2021-10-27T22:37:09+00:00
tests/krb5: Sign-extend kvno from 32-bit integer

This helps to avoid problems with RODC kvnos that have the high bit set.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit 7bc52cecb442c4bcbd39372a8b98bb033e4d1540)
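
The kvno encoding issue described in commits 20df014f and 7d6ad51b above, worked through as an added example (not code from the Samba test suite). The function names are hypothetical, and the layout with the RODC krbtgt number in the high 16 bits of the kvno is an assumption taken from the "greater than 32767" threshold in the commit message.

```python
"""DER INTEGER encoding of a Kerberos kvno: unsigned view vs. signed 32-bit view."""


def der_integer(value: int) -> bytes:
    """Encode value as a DER INTEGER: tag 0x02, length, minimal two's complement."""
    length = 1
    # Grow the content length until the value fits in signed two's complement.
    while not (-(1 << (8 * length - 1)) <= value < (1 << (8 * length - 1))):
        length += 1
    # Short-form length octet is sufficient for the small integers used here.
    return bytes([0x02, length]) + value.to_bytes(length, "big", signed=True)


def decode_der_integer(data: bytes) -> int:
    """Decode a short-form DER INTEGER back to a Python int (signed)."""
    if len(data) < 3 or data[0] != 0x02 or data[1] != len(data) - 2:
        raise ValueError("not a short-form DER INTEGER")
    return int.from_bytes(data[2:], "big", signed=True)


def to_signed32(value: int) -> int:
    """Reinterpret an unsigned 32-bit value as signed (sign-extend from bit 31)."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("value does not fit in 32 bits")
    return value - (1 << 32) if value & 0x80000000 else value


def to_unsigned32(value: int) -> int:
    """Inverse of to_signed32: recover the raw 32-bit pattern."""
    return value & 0xFFFFFFFF


def rodc_kvno(krbtgt_number: int, key_version: int) -> int:
    """Assumed layout: krbtgt number in the high 16 bits, key version in the low 16."""
    if not (0 <= krbtgt_number <= 0xFFFF and 0 <= key_version <= 0xFFFF):
        raise ValueError("both fields must fit in 16 bits")
    return (krbtgt_number << 16) | key_version


def kvno_wire_forms(krbtgt_number: int, key_version: int) -> dict:
    """Return both encodings of the same kvno for comparison."""
    raw = rodc_kvno(krbtgt_number, key_version)
    return {
        "raw": raw,
        "unsigned_der": der_integer(raw),             # treats kvno as UInt32
        "signed_der": der_integer(to_signed32(raw)),  # treats kvno as Int32
    }


if __name__ == "__main__":
    # Constructed sample values: one below and one above the 32767 threshold.
    for number in (32767, 32768):
        forms = kvno_wire_forms(number, 1)
        print(
            number,
            hex(forms["raw"]),
            forms["unsigned_der"].hex(),
            forms["signed_der"].hex(),
        )
```

A peer that decodes the signed form has to mask the result back to 32 bits before splitting it into krbtgt number and key version, otherwise the negative value never matches the stored kvno.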

- - - - -
9b151de2 by Joseph Sutton at 2021-10-27T22:37:09+00:00
tests/krb5: Add method to get RODC krbtgt credentials

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit a5bf7aad54b7053417a24ae0918ee42ceed7bf21)

- - - - -
329fcc65 by Joseph Sutton at 2021-10-27T22:37:09+00:00
tests/krb5: Add get_secrets() method to get the secret attributes of a DN

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit af633992e31e839cdd7f77740c1f25d129be2f79)

- - - - -
c7491a9e by Joseph Sutton at 2021-10-27T22:37:09+00:00
tests/krb5: Allow replicating accounts to the RODC

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit 3cc9e77f38f6698aa01abca4285a520c7c0cd2ac)

- - - - -
8c7d0544 by Joseph Sutton at 2021-10-27T22:37:09+00:00
tests/krb5: Create RODC account for testing

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit ef5666bc51ca80e1acdadd525a9c61762756c8e3)

- - - - -
b68eae66 by Joseph Sutton at 2021-10-27T22:37:09+00:00
tests/krb5: Allow replicating accounts to the created RODC

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit 35292bd32225b39ad7a03c3aa53027458f0671eb)

- - - - -
4b9b3e92 by Joseph Sutton at 2021-10-27T22:37:09+00:00
python: Don't leak file handles

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Noel Power <npower at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit cde38d36b98f1d40e7b58cd4c4b4bedfab76c390)

- - - - -
3f2c977d by Joseph Sutton at 2021-10-27T22:37:09+00:00
python/join: Check for correct msDS-KrbTgtLink attribute

Previously, the wrong case was used when checking for this attribute,
which meant krbtgt accounts were not being cleaned up.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Noel Power <npower at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit 21a7717359082feaddfdf42788648c3d7574c28e)

- - - - -
b2f98011 by Joseph Sutton at 2021-10-27T22:37:09+00:00
tests/krb5: Add helper method for modifying PACs

This method can remove or replace a PAC in an authorization-data
container, while additionally returning the original PAC.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit a281ae09bcf35277c830c4112567c72233fd66b8)

- - - - -
286d69da by Joseph Sutton at 2021-10-27T22:37:09+00:00
tests/krb5: Check correct flags element

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 0061fa2c2a26d990ed2e47441bca8797fc9be356)

- - - - -
c106983b by Joseph Sutton at 2021-10-27T22:37:09+00:00
tests/krb5: Refactor tgs_req() to use _generic_kdc_exchange

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 2a4d53dc12aa785f696e53ae3376f67375ce455f)

- - - - -
2850771d by Joseph Sutton at 2021-10-27T22:37:09+00:00
tests/krb5: Allow tgs_req() to send additional padata

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 1f0654b8facf3b9b2288d2569a573ff3a5ca4a82)

- - - - -
d97a975e by Joseph Sutton at 2021-10-27T22:37:09+00:00
tests/krb5: Allow tgs_req() to specify different kdc-options

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 1a3426da54463c3e454c1b76c3df4e96882e6aa9)

- - - - -
e93ed34f by Joseph Sutton at 2021-10-27T22:37:09+00:00
tests/krb5: Allow tgs_req() to send requests to the RODC

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 6403a09d94ab54f89d6e50601ae6b19ab7e6aae7)

- - - - -
bb236fc2 by Joseph Sutton at 2021-10-27T22:37:09+00:00
tests/krb5: Allow as_req() to specify different kdc-options

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit a5e62d681d81a422bac7bd89dc27ef2314d77457)

- - - - -
cb35919a by Joseph Sutton at 2021-10-27T22:37:09+00:00
tests/krb5: Use PAC buffer type constants from krb5pac.idl

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 3504e99dc5bcc206ca2964012b7fdca541555416)

- - - - -
a8c139de by Joseph Sutton at 2021-10-27T22:37:09+00:00
tests/krb5: Don't manually create PAC request and options in fast_tests

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit c226029655ca361560d93298a6729a021f2f6b75)

- - - - -
e3806269 by Joseph Sutton at 2021-10-27T22:37:09+00:00
tests/krb5: Set DN of created accounts to ldb.Dn type

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 7645dfa5bedee7ef3f7debbf0fa7600bd1c4bd79)

- - - - -
b619f4cb by Joseph Sutton at 2021-10-27T22:37:09+00:00
tests/krb5: Allow get_service_ticket() to get tickets from the RODC

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 5d3a135c2326edc9ca8f56bea24d2f52320f4fd6)

- - - - -
7446e1cd by Joseph Sutton at 2021-10-27T22:37:09+00:00
tests/krb5: Allow get_tgt() to get tickets from the RODC

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 2d69805b1e3a8022f1418605e5f29ae0bbaa4a06)

- - - - -
1c05c3f7 by Joseph Sutton at 2021-10-27T22:37:09+00:00
tests/krb5: Allow get_tgt() to specify different kdc-options

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 4ecfa82e71b0dd5b71aa97973033c5c72257a0c3)

- - - - -
a5462935 by Joseph Sutton at 2021-10-27T22:37:09+00:00
tests/krb5: Allow get_tgt() to specify expected and unexpected flags

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 035a8f198555ad1eedf8e2e6c565fbbbe4fbe7ce)

- - - - -
c6a2b7f1 by Joseph Sutton at 2021-10-27T22:37:09+00:00
tests/krb5: Move get_tgt() and get_service_ticket() to kdc_base_test

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 59c1043be25b92db75ab5676601cb15426ef37a3)

- - - - -
3fdc4274 by Joseph Sutton at 2021-10-27T22:37:09+00:00
tests/krb5: Return encpart from get_tgt() as part of KerberosTicketCreds

The encpart is already contained in ticket_creds, so it no longer needs
to be returned as a separate value.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 6193f7433b15579aa32b26a146287923c9d3844d)

- - - - -
b1466890 by Joseph Sutton at 2021-10-27T22:37:09+00:00
tests/krb5: Cache obtained tickets

Now tickets obtained with get_tgt() and get_service_ticket() make use of
a cache so they can be reused, unless the 'fresh' parameter is specified
as true.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 419e4061ced466ec7e5e23f815823b540ef4751c)

- - - - -
454a8a7e by Joseph Sutton at 2021-10-27T22:37:09+00:00
tests/krb5: Add methods for creating zeroed checksums and verifying checksums

Creating a zeroed checksum is needed for signing a PAC.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit a562882b15125902c5d89f094b8c9b1150f5d010)

- - - - -
891195fa by Joseph Sutton at 2021-10-27T22:37:09+00:00
tests/krb5: Add RodcPacEncryptionKey type allowing for RODC PAC signatures

Signatures created by an RODC have an RODCIdentifier appended to them
identifying the RODC's krbtgt account.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Tue Sep 21 23:55:39 UTC 2021 on sn-devel-184

(cherry picked from commit ec95b3042bf2649c0600cafb12818c27242b5098)

- - - - -
0eccbbc2 by Joseph Sutton at 2021-10-27T22:37:09+00:00
tests/krb5: Add method to verify ticket PAC checksums

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 12b5e72a35d632516980f6c051a5d83f913079e7)

- - - - -
bce8a8bd by Joseph Sutton at 2021-10-27T22:37:09+00:00
tests/krb5: Add method for modifying a ticket and creating PAC checksums

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 1fcde7cb6ce50e0a08097841e92476f320560664)

- - - - -
3d1e55d0 by Joseph Sutton at 2021-10-27T22:37:09+00:00
tests/krb5: Simplify adding authdata to ticket by using modified_ticket()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 4c67a53cdca206a118e82b356db0faf0ddc011ab)

- - - - -
74b4bcc2 by Joseph Sutton at 2021-10-27T22:37:09+00:00
tests/krb5: Make get_default_enctypes() return a set of enctype constants

This is often more convenient than a bitfield.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 7cedd383bcc1b5652ea65817b464d6e0485c7b8b)

- - - - -
68da6272 by Joseph Sutton at 2021-10-27T22:37:09+00:00
tests/krb5: Add methods to convert between enctypes and bitfields

These methods are useful for converting a collection of encryption types
into msDS-SupportedEncryptionTypes bit flags, and vice versa.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 432eba9e09849e74f4c0f2d7826d45cbd2b7ce42)

- - - - -
4c561dbb by Joseph Sutton at 2021-10-27T22:37:09+00:00
tests/krb5: Get supported enctypes for credentials from database

Look up the account's msDS-SupportedEncryptionTypes attribute to get the
encryption types that it supports. Move the fallback to RC4 to when the
ticket decryption key is obtained.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit b6eaf2cf44fb66d8f302d4cab050827a67de3ea4)

- - - - -
e238315b by Joseph Sutton at 2021-10-27T22:37:09+00:00
tests/krb5: Correctly check PA-SUPPORTED-ENCTYPES

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 14cd933a9d6af08deb680c9f688b166138d45ed9)

- - - - -
6d3e996b by Joseph Sutton at 2021-10-27T22:37:09+00:00
tests/krb5: Set key version number for all accounts created with create_account()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 054ec1a8cc4ae42918c7c06ef9c66c8a81242655)

- - - - -
1e4e8d88 by Joseph Sutton at 2021-10-27T22:37:09+00:00
tests/krb5: Allow tgs_req() to check the returned ticket enc-part

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 38b4b334caf1b32f1479db3ada48b2028946f5e6)

- - - - -
466f694f by Joseph Sutton at 2021-10-27T22:37:09+00:00
tests/krb5: Add method to get DC credentials

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 9d01043042f1caac98a23cf4d9aa9a02a31a9239)

- - - - -
5b2c7c09 by Joseph Sutton at 2021-10-27T22:37:09+00:00
tests/krb5: Fix checking for presence of authorization data

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit f9284d8517edd9ffd96f0c24166a16366f97de8f)

- - - - -
dc44a5b6 by Joseph Sutton at 2021-10-27T22:37:09+00:00
tests/krb5: Provide ticket enc-part key to tgs_req()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit f2f1f3a1e9269f0e7b93006bba2368a6ffbecc7c)

- - - - -
74f90d6b by Joseph Sutton at 2021-10-27T22:37:09+00:00
tests/krb5: Simplify account creation

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 394e8db261b10d130c5e5730989bf68f9bf4f85f)

- - - - -
65ff3ff1 by Joseph Sutton at 2021-10-27T22:37:09+00:00
tests/krb5: Add get_rodc_krbtgt_creds() to RawKerberosTest

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 1458cd9065de34c42bd5ec63feb2f66c25103982)

- - - - -
279bb102 by Joseph Sutton at 2021-10-27T22:37:09+00:00
tests/krb5: Verify checksums of tickets obtained from the KDC

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit ea7b550a500d9e458498d37688b67dafd3d9509d)

- - - - -
0b5f8ac5 by Joseph Sutton at 2021-10-27T22:37:09+00:00
tests/krb5: Add method to determine if principal is krbtgt

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit c0b81f0dd54d0d71b5d0f5a870b505e82d0e85b8)

- - - - -
ab9034dd by Joseph Sutton at 2021-10-27T22:37:09+00:00
tests/krb5: Add classes for testing invalid checksums

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Thu Sep 23 19:28:44 UTC 2021 on sn-devel-184

(cherry picked from commit 5b331443d0698256ee7fcc040a1ab8137efe925d)

- - - - -
b047ed0c by Joseph Sutton at 2021-10-27T22:37:09+00:00
tests/krb5: Rename method parameter

For class methods, the name given to the first parameter is generally 'cls'
rather than 'self'.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit d501ddca3b7b9c39c0b3eccf19176e3122cf5b9d)

- - - - -
5c1ab0b2 by Joseph Sutton at 2021-10-27T22:37:09+00:00
tests/krb5: Remove unused parameter

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 8e4b21590836dab02c1864f6ac12b3879c4bd69c)

- - - - -
82606cd6 by Joseph Sutton at 2021-10-27T22:37:09+00:00
tests/krb5: Allow for missing msDS-KeyVersionNumber attribute

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit ce433ff868d3cdf8e8a6e4995d89d6e036335fb6)

- - - - -
7ba4cad1 by Joseph Sutton at 2021-10-27T22:37:09+00:00
tests/krb5: Fix sending PA-PAC-OPTIONS and PA-PAC-REQUEST

These padata were not being sent if other FAST padata was not specified.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit 6f1282e8d34073d8499ce919908b39645b017cb8)

- - - - -
528c950e by Joseph Sutton at 2021-10-27T22:37:09+00:00
tests/krb5: Fix PA-PAC-OPTIONS checking

Make the check work correctly if bits other than the claims bit are
specified.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 1fd00135fa4dff4331d86b228ccc01f834476997)

- - - - -
39bba78a by Joseph Sutton at 2021-10-27T22:37:09+00:00
tests/krb5: Rename allowed_to_delegate_to parameter for clarity

This helps to distinguish resource-based and non-resource-based
constrained delegation.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 31817c383c2014224b1397fde610624663313246)

- - - - -
1506b1c2 by Joseph Sutton at 2021-10-27T22:37:09+00:00
tests/krb5: Allow created accounts to use resource-based constrained delegation

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit bba8cb8dce19e47a7b813efd9a7527e38856435e)

- - - - -
501d5e76 by Joseph Sutton at 2021-10-27T22:37:09+00:00
tests/krb5: Add assertion to make failures clearer

These failures may occur if tests are not run against an RODC.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit cda50b5c505072989abf84c209e16ff4efe2e628)

- - - - -
91d385ab by Joseph Sutton at 2021-10-27T22:37:09+00:00
tests/krb5: Introduce helper method for creating invalid length checksums

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 9d142dc3a452b0f06efc66f422402ee6e553ee7c)

- - - - -
d310714c by Joseph Sutton at 2021-10-27T22:37:09+00:00
tests/krb5: Fix method for creating invalid length zeroed checksum

Previously the base class method was being used.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit ae09219c3a1c6d47817f51baf3784e8986c7478d)

- - - - -
2052395d by Joseph Sutton at 2021-10-27T22:37:09+00:00
tests/krb5: Fix checksum generation and verification

The KDC and server checksums may be generated using the same key, but
only the KDC checksum should have an RODCIdentifier. To fix this,
instead of overriding the existing methods, add additional ones for
RODC-specific signatures, so that both types of signatures can be
generated or verified.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit a927cecafdd5ad6dc5189fa98cb42684c9c3b033)

- - - - -
e3cd9b36 by Joseph Sutton at 2021-10-27T22:37:09+00:00
tests/krb5: Allow excluding the PAC server checksum

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit dcf45a151a198f7165cd332a26db78a5d8e8f8c5)

- - - - -
0e33a8d8 by Joseph Sutton at 2021-10-27T22:37:09+00:00
tests/krb5: Fix handling authdata with missing PAC

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit a4bc712ee02f32c2d04dfc2d99d58931344e5ceb)

- - - - -
8a6c15b4 by Joseph Sutton at 2021-10-27T22:37:09+00:00
tests/krb5: Fix status code checking

The type used to encode the status code is actually KERB-ERROR-DATA,
rather than PA-DATA.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 012b6fcd1976c6570e9b92c133d8c21e543e5a4f)

- - - - -
4f6e02bf by Joseph Sutton at 2021-10-27T22:37:09+00:00
tests/krb5: Make expected_sname checking more explicit

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
[abartlet at samba.org backported from commit 8f6d369d709614e2f5c0684882c62f0476bcafa2
 as Samba 4.14 as the test which crashes older MIT KDC versions is
 omitted]

- - - - -
896eea26 by Joseph Sutton at 2021-10-27T22:37:09+00:00
tests/krb5: Fix assertElementFlags()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 788b3a29eea62f9f38ca8865c7cb7860bdc94bec)

- - - - -
f1fad85f by Joseph Sutton at 2021-10-27T22:37:09+00:00
tests/krb5: Remove unneeded parameters from ticket cache key

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 7fba83c6c6309a525742c38e904d3e473db99ef1)

- - - - -
86e97e83 by Joseph Sutton at 2021-10-27T22:37:09+00:00
tests/krb5: Fix checking for presence of error data

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit ab92dc16d20b0996b8c46714652c15019c795095)

- - - - -
33436150 by Joseph Sutton at 2021-10-27T22:37:09+00:00
tests/krb5: Add expect_claims parameter to kdc_exchange_dict

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 7cfc225b549108739bd86e222f2f35eb96af4ea3)

- - - - -
cb49059a by Joseph Sutton at 2021-10-27T22:37:09+00:00
tests/krb5: Check buffer types in PAC with STRICT_CHECKING=1

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit aa2e583fdea4fd93e4e71c54630e32a1035d1e2a)

- - - - -
e56da60d by Joseph Sutton at 2021-10-27T22:37:09+00:00
tests/krb5: Check constrained delegation PAC buffer

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 0e232fa1c9e5760ae6b9a99b5e7aa5513b84aa8b)

- - - - -
129772e0 by Joseph Sutton at 2021-10-27T22:37:09+00:00
tests/krb5: Save account SPN

This is useful for testing delegation.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit bb58b4b58c66a6ada79e886dd0c44401e1c5878c)

- - - - -
5bc46c83 by Joseph Sutton at 2021-10-27T22:37:09+00:00
tests/krb5: Allow specifying options and expected flags when obtaining a ticket

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 34020766bb7094d1ab5d4fc4c0ee89ccb81f39f1)

- - - - -
b0f9a838 by Joseph Sutton at 2021-10-27T22:37:09+00:00
tests/krb5: Supply supported account enctypes in tgs_req()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 248249dc0acac89d1495c3572cbd2cbe8bdca362)

- - - - -
7f3d6f9d by Joseph Sutton at 2021-10-27T22:37:09+00:00
tests/krb5: Add parameter to enforce presence of ticket checksums

This allows existing tests to pass before this functionality is
implemented.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit ef24fe982d750a42be81808379b0254d8488c559)

- - - - -
5f72fd09 by Joseph Sutton at 2021-10-27T22:37:09+00:00
tests/krb5: Add compatibility tests for ticket checksums

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
[abartlet at samba.org: Backported from ec4b264bdf9ab64a728212580b344fbf35c3c673
     to Samba 4.14 due to conflicts in
     knownfail as the test which crashes older MIT KDC versions is
     omitted]

- - - - -
07e242da by Joseph Sutton at 2021-10-27T22:37:09+00:00
tests/krb5: Use correct principal name type

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 687c8f94c68af9f1e44771dfd7219eeb41382bba)

- - - - -
d82e7716 by Joseph Sutton at 2021-10-27T22:37:09+00:00
tests/krb5: Clarify checksum type assertion message

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit ee2b7e2c77f021984ec583fa0c4c756979197b0f)

- - - - -
8ee28d96 by Joseph Sutton at 2021-10-27T22:37:09+00:00
tests/krb5: Fix padata checking at functional level 2003

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 72265227e9c2037b63cdfb01a456a86ac8932f59)

- - - - -
54fb144f by Joseph Sutton at 2021-10-27T22:37:09+00:00
tests/krb5: Add environment variable to specify KDC FAST support

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
[abartlet at samba.org backported from commit 238f52bad811688624e9fd4b1595266e2149094a
 because tests.py changed in more recent releases with new tests nearby]

- - - - -
07ace448 by Joseph Sutton at 2021-10-27T22:37:09+00:00
tests/krb5: Check padata types when STRICT_CHECKING=0

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
[abartlet at samba.org backported from commit bd22dcd9cc4dfda827f892224eb2da4a16564176
 to Samba 4.14 due to conflicts in
 knownfail as the test which crashes older MIT KDC versions is
 omitted]

- - - - -
b08fd85b by Joseph Sutton at 2021-10-27T22:37:09+00:00
tests/krb5: Check logon name in PAC

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit e7c39cc44f2e16aecb01c0afc195911a474ef0b9)

- - - - -
90d58c72 by Joseph Sutton at 2021-10-27T22:37:09+00:00
tests/krb5: Simplify padata checking

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit cf3ca6ac4567d7c7954ea4ecc8cc9dd5effcc094)

- - - - -
d46f0d17 by Joseph Sutton at 2021-10-27T22:37:10+00:00
tests/krb5: Disable debugging output for tests

This reduces the time spent running the tests in a testenv.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit dfd613661eec4b81e162f2d86a8fa9266c2fdc03)

- - - - -
2c6b918a by Joseph Sutton at 2021-10-27T22:37:10+00:00
tests/krb5: Provide clearer assertion messages for test failures

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 5233f002000f196875af488b4f4d1df26fca90de)

- - - - -
1ca795a0 by Joseph Sutton at 2021-10-27T22:37:10+00:00
tests/krb5: Fix sha1 checksum type

Previously, sha1 signatures were being designated as rsa-md5-des3
signatures.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit ebe729786806c69e95b26ffc410e887e203accb8)

- - - - -
518e990f by Joseph Sutton at 2021-10-27T22:37:10+00:00
selftest/dbcheck: Fix up RODC one-way links

Test accounts were replicated to the RODC and then deleted, causing
state links to remain in the database.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 40e5db4aabcd32834ee524857b77d36921f6bdfe)

- - - - -
91faad4e by Joseph Sutton at 2021-10-27T22:37:10+00:00
tests/krb5: Add TKT_SIG_SUPPORT environment variable

This lets us indicate that service tickets should be issued with ticket
checksums in the PAC.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
[abartlet at samba.org backported from commit ae2c57fb0332f94ac44d0886c5edbed707ef52fe
 due to changes in other tests nearby in tests.py]

- - - - -
6a1549a4 by Joseph Sutton at 2021-10-27T22:37:10+00:00
tests/krb5: Require ticket checksums if decryption key is available

We perform this check conditionally, because MIT doesn't currently add
ticket checksums.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit bf63221722903665e7b20991021fb5cdf4e4327e)

- - - - -
61ec92dc by Joseph Sutton at 2021-10-27T22:37:10+00:00
tests/krb5: Verify tickets obtained with get_service_ticket()

We only require the ticket checksum with Heimdal, because MIT currently
doesn't add it.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit d86eee2fd0fb72e52d878ceba0c476ca58abe6cf)

- - - - -
2373c1ac by Joseph Sutton at 2021-10-27T22:37:10+00:00
tests/krb5: Add constrained delegation tests

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 56ccdba54e0c7cf3409d8430ea1012e5d3d9b092)

- - - - -
8b947965 by Joseph Sutton at 2021-10-27T22:37:10+00:00
tests/krb5: Don't include empty AD-IF-RELEVANT

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 1a08399cd8169a525cc9e7aed99da84ef20e5b9c)

- - - - -
f3c36a06 by Joseph Sutton at 2021-10-27T22:37:10+00:00
tests/krb5: Allow bypassing cache when creating accounts

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 3948701f1d0f3ccd06f6dad56ca72833d66b1d84)

- - - - -
0e53c435 by Joseph Sutton at 2021-10-27T22:37:10+00:00
tests/krb5: Fix duplicate account creation

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 3dede18c5a1801023a60cc55b99022b033428350)

- - - - -
8b363a63 by Joseph Sutton at 2021-10-27T22:37:10+00:00
s4:kdc: Simplify samba_kdc_update_pac_blob() to take ldb_context as parameter

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 7149eeaceb426470b1b8181749d2d081c2fb83a4)

- - - - -
1486a8a0 by Joseph Sutton at 2021-10-27T22:37:10+00:00
s4:kdc: Fix debugging messages

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit c14c61748b5a2d2a4f4de00615c476fcf381309e)

- - - - -
6afc41b2 by Joseph Sutton at 2021-10-27T22:37:10+00:00
s4/torture: Expect ticket checksum PAC buffer

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

[abartlet at samba.org backported from commit d5002c34ce1ffef795dc83af3175ca0e04d17dfd
 due to missing tests in Samba 4.14 that crashed the MIT KDC]

- - - - -
ff31503b by Isaac Boukris at 2021-10-27T22:37:10+00:00
kdc: remove KRB5SignedPath, to be replaced with PAC

KRB5SignedPath was a Heimdal-specific authorization data element used to
protect the authenticity of evidence tickets when used in constrained
delegation (without a Windows PAC).

Remove this, to be replaced with the Windows PAC which itself now supports
signing the entire ticket in the TGS key.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

[jsutton at samba.org Backported from Heimdal commit
 bb1d8f2a8c2545bccdf2c9179ce9259bf1050086
 - Removed tests
 - Removed auditing hook (only present in Heimdal master)
 - Added knownfails
]

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit ccabc7f16cca5b0dcb46233e934e708167f1071b)

- - - - -
4114e57a by Isaac Boukris at 2021-10-27T22:37:10+00:00
kdc: sign ticket using Windows PAC

Split Windows PAC signing and verification logic, as the signing has to be when
the ticket is ready.

Create sign and verify the PAC KDC signature if the plugin did not, allowing
for S4U2Proxy to work, instead of KRB5SignedPath.

Use the header key to verify PAC server signature, as the same key used to
encrypt/decrypt the ticket should be used for PAC server signature, like U2U
tickets are signed with the tgt session-key and not with the longterm key,
and so krbtgt should be no different and the header key should be used.

Lookup the delegated client in DB instead of passing the delegator DB entry.

Add PAC ticket-signatures and related functions.

Note: due to the change from KRB5SignedPath to PAC, S4U2Proxy requests
against new KDC will not work if the evidence ticket was acquired from
an old KDC, and vice versa.

Closes: #767

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

[jsutton at samba.org Backported from Heimdal commit
 2ffaba9401d19c718764d4bd24180960290238e9
 - Removed tests
 - Adapted to Samba's version of Heimdal
 - Addressed build failures with -O3
 - Added knownfails
]

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

[abartlet at samba.org backported from commit d7b03394a9012960d71489e775d40d10fd6f5232
 due to conflicts in knownfail due to missing tests that crash the
 MIT KDC]

- - - - -
c17bfba3 by Isaac Boukris at 2021-10-27T22:37:10+00:00
krb5: allow NULL parameter to krb5_pac_free()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

[jsutton at samba.org Cherry-picked from Heimdal commit
b295167208a96e68515902138f6ce93972892ec5]

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 2d09de5c41e729bccc2d7949d8a3568a95e80e76)

- - - - -
c73825d0 by Isaac Boukris at 2021-10-27T22:37:10+00:00
krb5: rework PAC validation loop

Avoid allocating the PAC on error.

Closes: #836

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

[jsutton at samba.org Cherry-picked from Heimdal commit
6df8be5091363a1c9a9165465ab8292f817bec81]

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 2773379603a5a625c5d1c6e62f29c442942ff570)

- - - - -
49bcbcbb by Luke Howard at 2021-10-27T22:37:10+00:00
krb5: return KRB5KRB_AP_ERR_INAPP_CKSUM if PAC checksum fails

Return KRB5KRB_AP_ERR_INAPP_CKSUM instead of EINVAL when verifying a PAC, if
the checksum is absent or unkeyed.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

[jsutton at samba.org Cherry-picked from Heimdal commit
c4b99b48c4b18f30d504b427bc1961d7a71f631e]

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit d6a472e953545ec3858ca969c1a4191e4f27ba63)

- - - - -
58bc0a4b by Luke Howard at 2021-10-27T22:37:10+00:00
kdc: only set HDB_F_GET_KRBTGT when requesting TGS principal

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

[jsutton at samba.org Backported from Heimdal commit
 f1dd2b818aa0866960945edea02a6bc782ed697c
 - Removed change to _kdc_find_etype() use_strongest_session_key
 parameter since Samba's Heimdal version uses different logic
]

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit db30b71f79864a20b38a1f812a5df833f3a92de8)

- - - - -
61fb0ba8 by Luke Howard at 2021-10-27T22:37:10+00:00
kdc: use ticket client name when signing PAC

The principal in the PAC_LOGON_NAME buffer is expected to match the client name
in the ticket. Previously we were setting this to the canonical client name,
which would have broken PAC validation if the client did not request name
canonicalization.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

[jsutton at samba.org Backported from Heimdal commit
 3b0856cab2b25624deb1f6e0e67637ba96a647ac
 - Renamed variable to avoid shadowing existing variable
]

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 75d1a7cd14b134506061ed64ddb9b99856231d2c)

- - - - -
e5ca4a51 by Luke Howard at 2021-10-27T22:37:10+00:00
kdc: correctly generate PAC TGS signature

When generating an AS-REQ, the TGS signature was incorrectly generated using
the server key, which would fail to validate if the server was not also the
TGS. Fix this.

Patch from Isaac Boukris <iboukris at gmail.com>.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

[jsutton at samba.org Backported from Heimdal commit
 e7863e2af922809dad25a2e948e98c408944d551
 - Samba's Heimdal version does not have the generate_pac() helper
 function.
 - Samba's Heimdal version does not use the 'r' context variable.
]

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 91e684f5dcb48b76e6a322c15acb53cbce5c275a)

- - - - -
6fbde548 by Joseph Sutton at 2021-10-27T22:37:10+00:00
s4/heimdal/lib/krb5/pac.c: Align PAC buffers to match Windows

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 28a5a586c8e9cd155d676dcfcb81a2587ace99d1)

- - - - -
9d3419c3 by Joseph Sutton at 2021-10-27T22:37:10+00:00
heimdal: Make _krb5_pac_get_kdc_checksum_info() into a global function

This lets us call it from Samba.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 3bdce12789af1e7a7aba56691f184625a432410d)

- - - - -
5919475d by Joseph Sutton at 2021-10-27T22:37:10+00:00
s4:kdc: Check ticket signature

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 02fa69c6c73c01d82807be4370e838f3e7c66f35)

- - - - -
cb044703 by Nicolas Williams at 2021-10-27T22:37:10+00:00
krb5: Fix PAC signature leak affecting KDC

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

[jsutton at samba.org Cherry-picked from Heimdal commit
 54581d2d52443a9a07ed5980df331f660b397dcf]

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit f6adfefbbb41b9100736134d0f975f1ec0c33c42)

- - - - -
4ff8af7d by Andrew Bartlett at 2021-10-27T22:37:10+00:00
selftest/dbcheck: Fix up RODC one-way links (use correct dbcheck rule)

The previous commit was correct on intention, but it was not noticed
as there is a race, that the incorrect rule was appended to.

These links are removed by remove_plausible_deleted_DN_links not
fix_all_old_dn_string_component_mismatch

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Fri Oct 15 10:00:47 UTC 2021 on sn-devel-184

(cherry picked from commit a7ad665e65f0701eb75cac5bc10a366ccd9689f4)

- - - - -
543478fe by Joseph Sutton at 2021-10-27T22:37:10+00:00
heimdal:kdc: Fix ticket signing without a PAC

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit d23d8e859357b0fac4d1f4a49f1dce6cf60d6216)

- - - - -
33537398 by Joseph Sutton at 2021-10-27T22:37:10+00:00
tests/krb5: Allow get_tgt() to request including or omitting a PAC

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit e086c6193f6da6fcb5d0bcada2199e9bc7ad25f5)

- - - - -
033249c5 by Joseph Sutton at 2021-10-27T22:37:10+00:00
tests/krb5: Allow specifying whether to expect a PAC with _test_as_exchange()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 0dc69c1327f72384628a869a00482f6528b8671b)

- - - - -
473278c1 by Joseph Sutton at 2021-10-27T22:37:10+00:00
tests/krb5: Add method to get the PAC from a ticket

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 288355896a2b6f460c42559ec46ff980ab57782e)

- - - - -
fa32948c by Joseph Sutton at 2021-10-27T22:37:10+00:00
tests/krb5: Add tests for requesting a service ticket without a PAC

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Sun Oct 17 23:40:33 UTC 2021 on sn-devel-184

[abartlet at samba.org backported from commit 9d3a691920205f8a9dc05d0e173e25e6a335f139
 as the MIT KDC 1.16 seen on the reference Ubuntu 18.04 does not fail
 test_remove_pac]

- - - - -
106dc4a0 by Andrew Bartlett at 2021-10-27T22:37:10+00:00
kdc: Remove UF_NO_AUTH_DATA_REQUIRED from client principals

Tests against Windows 2019 show that UF_NO_AUTH_DATA_REQUIRED
applies to services only, not to clients.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14871
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
[abartlet at samba.org backported from commit 92e8ce18a79e88c9b961dc20e39436c4cf653013
 as there was a knownfail conflict with the test_remove_pac case
 which succeeds on this branch]

- - - - -
3eb78cd4 by Andrew Bartlett at 2021-10-27T22:37:10+00:00
kdc: Correctly strip PAC, rather than error on UF_NO_AUTH_DATA_REQUIRED for servers

UF_NO_AUTH_DATA_REQUIRED on a server/service account should cause
the PAC to be stripped not to give an error if the PAC was still
present.

Tested against Windows 2019

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14871
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 031a8287642e3c4b9d0b7c6b51f3b1d79b227542)

- - - - -
999208d3 by Joseph Sutton at 2021-10-27T22:37:10+00:00
tests/krb5: Ensure PAC is not present if expect_pac is false

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14871
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit cc3d27596b9e8a8a46e8ba9c3c1a445477d458cf)

- - - - -
e9b12d2d by Joseph Sutton at 2021-10-27T22:37:10+00:00
tests/krb5: Add tests for constrained delegation to NO_AUTH_DATA_REQUIRED service

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14871
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Wed Oct 20 09:22:43 UTC 2021 on sn-devel-184

(cherry picked from commit 83a654a4efd39a6e792a6d49e0ecf586e9bc53ef)

- - - - -
f7d6826a by Viktor Dukhovni at 2021-10-27T22:37:10+00:00
HEIMDAL:kdc: Fix transit path validation CVE-2017-6594

Commit f469fc6 (2010-10-02) inadvertently caused the previous hop realm
to not be added to the transit path of issued tickets.  This may, in
some cases, enable bypass of capath policy in Heimdal versions 1.5
through 7.2.

Note, this may break sites that rely on the bug.  With the bug some
incomplete [capaths] worked, that should not have.  These may now break
authentication in some cross-realm configurations.

(similar to heimdal commit b1e699103f08d6a0ca46a122193c9da65f6cf837)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12998
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Wed Oct 20 10:58:37 UTC 2021 on sn-devel-184

(cherry picked from commit 7e961f3f7a815960ae25377d5b7515184d439690)

- - - - -
a203de48 by Douglas Bagnall at 2021-10-27T22:37:10+00:00
pytest/rodc_rwdc: try to avoid race.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14868
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit a169e013e66bab15e594ce49b805edebfcd503cf)

- - - - -
a64c25ff by Joseph Sutton at 2021-10-27T22:37:10+00:00
selftest: Increase account lockout windows to make test more reliable

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14868
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 6292f0597f208d7953382341380921cf0fd0a8a8)

- - - - -
18bce6fc by Douglas Bagnall at 2021-10-27T22:37:10+00:00
pytest: dynamic tests optionally add __doc__

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14869
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit aacb18f920349e13b562c7c97901a0be7b273137)

- - - - -
38ebe186 by Joseph Sutton at 2021-10-27T22:37:10+00:00
selftest: krb5 account creation: clarify account type as an enum

This makes the code clearer with a symbolic constant rather
than a True/False boolean.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14869
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 49306f74eb29a2192019fab9260f9d242f9d5fd9)

- - - - -
2bf0e422 by Andrew Bartlett at 2021-10-27T22:37:10+00:00
selftest: Remove duplicate setup of $base_dn and $ldbmodify

These are already set up to the same values above for the full
DC and correct values for the (strange) s4member environment.

By not setting $base_dn again we avoid an error once we start
checking for them.

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit 2c0658d408f17af2abc223b0cb18d8d33e0ecd1a)

- - - - -
f01e4e19 by Andrew Bartlett at 2021-10-27T22:37:10+00:00
selftest: Improve error handling and perl style when setting up users in Samba4.pm

This catches errors and avoids using global variables (the old
style file handles are global).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14869
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 459200caba04fd83ed650b9cdfe5b158cf9a149f)

- - - - -
c9e54bbe by Andreas Schneider at 2021-10-27T22:37:10+00:00
waf: Allow building with MIT KRB5 >= 1.20

gssrpc/xdr.h:105:1: error: function declaration isn’t a prototype
[-Werror=strict-prototypes]
  105 | typedef bool_t (*xdrproc_t)();
      | ^~~~~~~

This can't be fixed, as the prototype is variadic. It can take up to three
arguments.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14870
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 5d8e794551b5df835f07e2bd8348fef746144601)

- - - - -
88f824ae by Stefan Metzmacher at 2021-10-27T22:37:10+00:00
selftest/Samba3: remove unused close(USERMAP); calls

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14869
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

[abartlet at samba.org backported from commit d998f7f8df215866ab32e05be772e24fc0b2131c
 as offline login tests are not in Samba 4.14]

- - - - -
89b9cb8b by Stefan Metzmacher at 2021-10-27T22:37:10+00:00
selftest/Samba3: replace (winbindd => "yes", skip_wait => 1) with (winbindd => "offline")

This is much more flexible and concentrates the logic in a single place.

We'll use winbindd => "offline" in other places soon.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14870
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 4dc3c68c9a28f71888e3d6dd3b1f0bcdb8fa45de)

- - - - -
4056198f by Joseph Sutton at 2021-10-27T22:37:10+00:00
tests/krb5: Decrease length of test account prefix

This allows us more room to test with different account names.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit a5a6296e57cab2b53617d997c37b4e92d4124cc7)

- - - - -
a2a173d7 by Joseph Sutton at 2021-10-27T22:37:10+00:00
tests/krb5: Allow specifying prefix or suffix for test account names

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 7e39994ed341883ac4c8c257220c19dbf70c7bc5)

- - - - -
3f376eea by Joseph Sutton at 2021-10-27T22:37:10+00:00
tests/krb5: Allow creating machine accounts without a trailing dollar

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit f4785ccfefe7c89f84ad847ca3c12f604172b321)

- - - - -
a742af32 by Joseph Sutton at 2021-10-27T22:37:10+00:00
tests/krb5: Allow specifying the UPN for test accounts

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 889476d1754f8ce2a41557ed3bf5242c1293584e)

- - - - -
d3b491c3 by Joseph Sutton at 2021-10-27T22:37:10+00:00
tests/krb5: Fix account salt calculation to match Windows

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 25bdf4c994e4fdb74abbacb1e22237f3f2cc37fe)

- - - - -
ae6d74c9 by Joseph Sutton at 2021-10-27T22:37:10+00:00
tests/krb5: Add tests for account salt calculation

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
[abartlet at samba.org backported from commit 46039baa81377df10e5b134e4bb064ed246795e4
 as the no_preauth side of the testsuite shows differences in enctypes
 in Samba 4.14.  The change is only in salt calculation so this is
 not vital]

- - - - -
274f1610 by Andrew Bartlett at 2021-10-27T22:37:10+00:00
dsdb: Allow special chars like "@" in samAccountName when generating the salt

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Wed Oct 20 12:54:54 UTC 2021 on sn-devel-184

(cherry picked from commit 5eeb441b771a1ffe1ba1c69b72e8795f525a58ed)

- - - - -
0cea7f53 by Andrew Bartlett at 2021-10-27T23:29:34+00:00
lib/krb5_wrap: Fix missing error check in new salt code

CID 1492905: Control flow issues  (DEADCODE)

This was a regression in 5eeb441b771a1ffe1ba1c69b72e8795f525a58ed.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Sat Oct 23 08:07:13 UTC 2021 on sn-devel-184

(cherry picked from commit 5094d986b7686f057195dcb10764295b88967019)

Autobuild-User(v4-13-test): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(v4-13-test): Wed Oct 27 23:29:34 UTC 2021 on sn-devel-184

- - - - -
f47f0f9f by Joseph Sutton at 2021-10-28T08:58:16+00:00
pytest:segfault: Add test for ldb.msg_diff()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14645
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14836
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14848

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

[abartlet at samba.org backported from commit
a99a76722d6046a5d63032e3d2bb3f791da948a6 due to conflicts
with other new segfault tests]

- - - - -
400d0453 by Joseph Sutton at 2021-10-28T08:58:16+00:00
ldb_msg: Don't fail in ldb_msg_copy() if source DN is NULL

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14645
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14836
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14848

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit c2bbe774ce03661666a1f48922a9ab681ef4f64b)

- - - - -
0c36416e by Joseph Sutton at 2021-10-28T08:58:16+00:00
pyldb: Avoid use-after-free in msg_diff()

Make a deep copy of the message elements in msg_diff() so that if either
of the input messages are deallocated early, the result does not refer
to non-existing elements.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14645
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14836
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14848

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

[abartlet at samba.org backported from commit
 19a2af02f57d99db8ed3c6b028c3abdf4b553700 due to conflicts in
 the knownfail.d/python-segfaults file]

Autobuild-User(v4-14-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-14-test): Wed Sep 29 13:14:22 UTC 2021 on sn-devel-184

- - - - -
c7c10298 by Joseph Sutton at 2021-10-28T08:58:16+00:00
Fix Python docstrings

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14848

Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Sat Sep  4 00:55:32 UTC 2021 on sn-devel-184

(cherry picked from commit 02b187303369d3ce0c19dfb72ffa78f86a3911f0)

- - - - -
d2189833 by Joseph Sutton at 2021-10-28T08:58:16+00:00
pytest:segfault: Add test for deleting an ldb.Message dn

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14848

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

[abartlet at samba.org backported from commit 6a041f6a99c39632d5c32e9d53b06719c20bef2c
 as other segfaulting tests are listed in knownfail.d/python-segfaults
 and @no_gdb_backtrace is not in 4.14]

- - - - -
a2e0682d by Joseph Sutton at 2021-10-28T08:58:16+00:00
pyldb: Fix deleting an ldb.Message dn

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14848

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

[abartlet at samba.org backported from commit d7af772de88885f46708329ff7bb5798da91d2c7
 due to conflicts in knownfail.d/python-segfaults]

- - - - -
5e9441d5 by Joseph Sutton at 2021-10-28T08:58:16+00:00
pytest:segfault: Add test for deleting an ldb.Control critical flag

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14848

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
[abartlet at samba.org backported from commit b1adaa517c1237a473bdcf818523f5107df3d6b0
 as @no_gdb_backtrace is not in Samba 4.14]

- - - - -
4d1c5cc7 by Joseph Sutton at 2021-10-28T08:58:16+00:00
pyldb: Fix deleting an ldb.Control critical flag

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14848

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 9d25a21d6024c6c2f8e4634f45e3944d8acbf8b8)

- - - - -
f45e89e4 by Joseph Sutton at 2021-10-28T08:58:16+00:00
s4/torture/drs/python: Fix attribute existence check

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14848

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit fb758c32e7633178f42dc2c031667b10c2ca6e90)

- - - - -
4ff0a23a by Joseph Sutton at 2021-10-28T08:58:16+00:00
pyldb: Add test for an invalid ldb.Message index type

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14848

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit b018e51d2725a23b2fedd3058644b8021f6a6a06)

- - - - -
65f3e987 by Joseph Sutton at 2021-10-28T08:58:16+00:00
pyldb: Raise TypeError for an invalid ldb.Message index

Previously, a TypeError was raised and subsequently overridden by a
KeyError.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14848

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 22353767ca75af9d9e8fa1e7da372dcb5eddfcb7)

- - - - -
64c41d30 by Joseph Sutton at 2021-10-28T08:58:16+00:00
pyldb: Add tests for ldb.Message containment testing

These tests verify that the 'in' operator on ldb.Message is consistent
with indexing and the get() method. This means that the 'dn' element
should always be present, lookups should be case-insensitive, and use of
an invalid type should result in a TypeError.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14848

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 865fe238599a732360b77e06e592cb85d459acf8)

- - - - -
c532b425 by Joseph Sutton at 2021-10-28T08:58:16+00:00
pyldb: Make ldb.Message containment testing consistent with indexing

Previously, containment testing using the 'in' operator was handled by
performing an equality comparison between the chosen object and each of
the message's keys in turn. This behaviour was prone to errors due to
not considering differences in case between otherwise equal elements, as
the indexing operations do.

Containment testing should now be more consistent with the indexing
operations and with the get() method of ldb.Message.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14848

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 860d8902a9c502d4be83396598cf4a53c80fea69)

- - - - -
74e65d7c by Andrew Bartlett at 2021-10-28T09:49:45+00:00
ldb: Release ldb 2.2.1

* Corrected python behaviour for 'in' for LDAP attributes
  contained as part of ldb.Message (bug 14845)
* Fix memory handling in ldb.msg_diff (bug 14836)
* Corrected python docstrings

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14836
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14848
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Andrew Bartlett <abartlet at samba.org>

Autobuild-User(v4-14-test): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(v4-14-test): Tue Oct 26 13:03:37 UTC 2021 on sn-devel-184

Autobuild-User(v4-13-test): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(v4-13-test): Thu Oct 28 09:49:45 UTC 2021 on sn-devel-184

- - - - -
665022c7 by Jule Anger at 2021-10-29T08:11:05+02:00
WHATSNEW: Add release notes for Samba 4.13.13.

Signed-off-by: Jule Anger <janger at samba.org>

- - - - -
88d73d0b by Jule Anger at 2021-10-29T08:11:43+02:00
VERSION: Disable GIT_SNAPSHOT for the 4.13.13 release.

Signed-off-by: Jule Anger <janger at samba.org>

- - - - -
a8bd2f0b by Mathieu Parent at 2021-10-30T21:47:34+02:00
libwbclient0: Add Breaks+Replaces: libsamba-util0 (<< 2:4.0.0)

Closes: #988170

- - - - -
86433881 by Mathieu Parent at 2021-11-01T08:10:23+01:00
Changelog for previous commits

- - - - -
2eb95f63 by Mathieu Parent at 2021-11-01T08:22:18+01:00
New upstream version 4.13.13+dfsg

- - - - -
3e04909f by Mathieu Parent at 2021-11-01T08:23:11+01:00
Merge tag 'upstream/4.13.13+dfsg'

Upstream version 4.13.13+dfsg

# gpg: Signature faite le lun. 01 nov. 2021 08:23:01 CET
# gpg:                avec la clef RSA AAA58B842E882CF414E0BAB1A7C72A1C782B8C3F
# gpg:                issuer "math.parent at gmail.com"
# gpg: Bonne signature de « Mathieu Parent <math.parent at gmail.com> » [inconnu]
# gpg:                 alias « Mathieu Parent <sathieu at debian.org> » [inconnu]
# gpg: Attention : cette clef n'est pas certifiée avec une signature de confiance.
# gpg:             Rien n'indique que la signature appartient à son propriétaire.
# Empreinte de clef principale : AAA5 8B84 2E88 2CF4 14E0  BAB1 A7C7 2A1C 782B 8C3F

- - - - -
facadf41 by Mathieu Parent at 2021-11-01T08:26:36+01:00
Remove CVE-2021-20254.patch

- - - - -
7ac8dc28 by Mathieu Parent at 2021-11-01T08:35:42+01:00
Bump build-depends ldb  >= 2.2.0

- - - - -
8a4248b8 by Mathieu Parent at 2021-11-01T08:59:23+01:00
Release 2:4.13.13+dfsg-1

- - - - -


30 changed files:

- VERSION
- WHATSNEW.txt
- auth/credentials/credentials_krb5.c
- auth/credentials/pycredentials.c
- buildtools/wafsamba/samba_dist.py
- buildtools/wafsamba/samba_third_party.py
- configure
- ctdb/client/client_control_sync.c
- ctdb/client/client_sync.h
- ctdb/common/run_proc.c
- ctdb/doc/ctdb-etcd.7
- ctdb/doc/ctdb-script.options.5
- ctdb/doc/ctdb-statistics.7
- ctdb/doc/ctdb-tunables.7
- ctdb/doc/ctdb.1
- ctdb/doc/ctdb.7
- ctdb/doc/ctdb.conf.5
- ctdb/doc/ctdb.sysconfig.5
- ctdb/doc/ctdb_diagnostics.1
- ctdb/doc/ctdb_mutex_ceph_rados_helper.7
- ctdb/doc/ctdbd.1
- ctdb/doc/ctdbd_wrapper.1
- ctdb/doc/ltdbtool.1
- ctdb/doc/onnode.1
- ctdb/doc/ping_pong.1
- ctdb/include/ctdb_private.h
- ctdb/protocol/protocol.h
- ctdb/protocol/protocol_api.h
- ctdb/protocol/protocol_client.c
- ctdb/protocol/protocol_control.c


The diff was not included because it is too large.


View it on GitLab: https://salsa.debian.org/samba-team/samba/-/compare/e5301db19e817af0bf86bdd385422a6d286eec8a...8a4248b8c66b355dcc76b0bc4fbbbb6ce617b8e6
