[SCM] Samba Shared Repository - branch master updated
Andreas Schneider
asn at samba.org
Tue Mar 20 00:30:08 UTC 2018
The branch, master has been updated
via 9bbabf6 pdb_samba_dsdb: make use of dom_sid_is_valid_account_domain()
via c9c6fa4 s4:rpc_server/lsa: make use of dom_sid_is_valid_account_domain()
via 8a1c930 libcli/security: add dom_sid_is_valid_account_domain()
via 1f1e221 s3:libsmb/samlogon_cache: zero session keys before storing the info3 structure
via 63de04c s4:kdc: make sure we expand group memberships of the local domain
via a5f803e s4:kdc: pass krbtgt and server to samba_kdc_update_pac_blob()
via 396fd8f s4:kdc: remember is_krbtgt, is_rodc and is_trust samba_kdc_entry
via 0f9a09b s4:auth_winbind: make sure we expand group memberships of the local domain
via fd7c918 s4:auth_winbind: only call authsam_logon_success_accounting() for local users
via 4565ac5 s4:auth: add authsam_update_user_info_dc() that implements SID expanding for the local domain
via d6ee065 s4:auth: split out an authsam_domain_group_filter() function
via ef44743 s4:selftest: run samba4.blackbox.trust_token against fl2003dc and fl2008r2dc
via b4dadcf testprogs/blackbox: add test_trust_token.sh
via 7b3a988 selftest/Samba4: create add ${TRUST_DOMSID}-513 to a local group
via 6a0fe7b samba-tool: allow sid strings for 'group {add,remove}members'
via 94bbcb0 selftest: generate a random domain sid during provision and export as SAMSID/[TRUST_]DOMSID
via 6415d6f selftest/Samba4: use DOMAIN/REALM from the dcvars instead of using hardcoded values
via a70c929 dsdb:repl_meta_data: improve error message in get_parsed_dns()
via fb03f9a dsdb:extended_dn_store: add support for FPO (foreignSecurityPrincipal) enabled attributes
via 799c9d1 tests/dsdb.py: test creation of foreignSecurityPrincipal via 'attr: <SID=...>'
via a0813b2 dsdb:samldb: require as_system or provision control to create foreignSecurityPrincipal objects
via 856504c tests/dsdb.py: verify that foreignSecurityPrincipal objects require the provision control
via 470044b provision: use the provision control when adding foreignSecurityPrincipals
via 3f357ad dsdb:extended_dn_store: make sure we reject storing references to deleted objects in linked attributes
via b040d32 tests/dsdb.py: prove the difference between linked and non-linked DN references
via 21b17e7 dsdb:extended_dn_store: split out an extended_replace_dn() function
via 18f40ce dsdb:extended_dn_store: rename extended_replace_dn to extended_replace_callback
via 18d9802 dsdb:extended_dn_store: We need to ignore self references on add operation
via 551f54e dsdb:extended_dn_store: pass the full 'struct dsdb_attribute' to extended_store_replace()
via be52754 dsdb:extended_dn_store: we need to pass down our altered request on NO_SUCH_OBJECT
via c406ecc dsdb:extended_dn_store: ignore DRSUAPI_ATTID_distinguishedName attributes
via 2f1ba31 drsuapi.idl: add DN/fpo-enabled attributes as DRSUAPI_ATTID_* values
via a0c091e s3:auth: support AUTH_SESSION_INFO_NTLM in finalize_local_nt_token()
via 0b261dc s3:auth: make use of create_builtin_guests() in finalize_local_nt_token()
via 6c8cf7b s3:libnet_join: make use of create_builtin_guests()
via c5874b9 s3:passdb: add create_builtin_guests()
via c2480b96 s3:auth: rename "guest" methods to "anonymous"
from f5e3b1e Remove dead code
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 9bbabf628efb880512aeb68587698c0240dfabd5
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jan 25 11:23:12 2018 +0100
pdb_samba_dsdb: make use of dom_sid_is_valid_account_domain()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Tue Mar 20 01:29:40 CET 2018 on sn-devel-144
commit c9c6fa45c4ae2d3ffc8407276a9e965e701c8e9a
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jan 25 11:23:12 2018 +0100
s4:rpc_server/lsa: make use of dom_sid_is_valid_account_domain()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 8a1c930e1b2452050f4d49a8c54164aa4afdb15f
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jan 25 09:50:17 2018 +0100
libcli/security: add dom_sid_is_valid_account_domain()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 1f1e221a8ffbecd3f80073c05d8f194d2dad9b24
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Feb 3 02:23:21 2011 +0100
s3:libsmb/samlogon_cache: zero session keys before storing the info3 structure
The samlogon_cache is only used to get group memberships of the account
without asking the dc.
But for authentication we always ask the dc.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 63de04c01cb7d53773f96a01473a311e1d4264b8
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Feb 1 18:40:58 2018 +0100
s4:kdc: make sure we expand group memberships of the local domain
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13300
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit a5f803e9e9f7655f3a6867401d5d3eb667593a9f
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Feb 1 18:40:58 2018 +0100
s4:kdc: pass krbtgt and server to samba_kdc_update_pac_blob()
This will be used for SID expanding and filtering.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13300
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 396fd8f4ff3fd3b5d89109d35b06668bc266143a
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Feb 1 11:44:21 2018 +0100
s4:kdc: remember is_krbtgt, is_rodc and is_trust samba_kdc_entry
This can later be used for sid filtering and similar things.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13300
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 0f9a09bd3552fe62a98ce40cab6aee2740eb35ce
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Feb 2 12:37:51 2018 +0100
s4:auth_winbind: make sure we expand group memberships of the local domain
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13300
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit fd7c91825646aed612c0df1a641f458aab4f21a5
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jan 9 09:23:26 2018 +0100
s4:auth_winbind: only call authsam_logon_success_accounting() for local users
There's no need to do a crack_name_to_nt4_name(), as the authentication
already provides the nt4 domain and account names.
This should only happen on an RODC, where we use the winbind auth module
for local users. So we should make sure we only try to reset
the badPwdCount for users of our own domain.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13300
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 4565ac59984895ba8235a2da5afeaec48e97c41d
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Feb 1 23:12:36 2018 +0100
s4:auth: add authsam_update_user_info_dc() that implements SID expanding for the local domain
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13300
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit d6ee0651193f4e3d92d0ece162813eae8e128cb6
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Feb 2 04:08:47 2018 +0100
s4:auth: split out an authsam_domain_group_filter() function
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13300
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit ef447434cb638563d1031a676ecbf1bf70a5e9ed
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Feb 26 17:46:55 2018 +0100
s4:selftest: run samba4.blackbox.trust_token against fl2003dc and fl2008r2dc
This fails currently as we don't expand groups on the trust boundary.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13300
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit b4dadcfb373972f34fd847a6f69146d1325b7cce
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Feb 26 17:46:55 2018 +0100
testprogs/blackbox: add test_trust_token.sh
This demonstrates which SID we expect in the token of
a user of a trusted domain.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13300
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 7b3a9880c90fc436510ad69dcee2e10feb7523ad
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Feb 26 17:05:49 2018 +0100
selftest/Samba4: create add ${TRUST_DOMSID}-513 to a local group
This will allow testing expanding groups on the trust boundary.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13300
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 6a0fe7b0389c2d4ccdcfdadf4dec33ef09759bfd
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Feb 26 17:04:00 2018 +0100
samba-tool: allow sid strings for 'group {add,remove}members'
This makes it possible to add foreign SIDs as group members.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13300
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 94bbcb0ea0b4eb9a4f16d7eb4fbf4d363b34ba61
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Feb 26 14:56:27 2018 +0100
selftest: generate a random domain sid during provision and export as SAMSID/[TRUST_]DOMSID
This will be useful for future tests.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13300
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 6415d6fc1974efd1da229c965b7d2ac85206abe2
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Feb 26 14:19:39 2018 +0100
selftest/Samba4: use DOMAIN/REALM from the dcvars instead of using hardcoded values
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13300
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit a70c929e7b4271a67ea9f85dad043bd5c896e3bd
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Feb 28 10:48:59 2018 +0100
dsdb:repl_meta_data: improve error message in get_parsed_dns()
We may have a dn in '<SID=...>' form and ldb_dn_get_linearized()
just gives an empty string.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13300
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit fb03f9a1de1d8069fcce8710d275371305122bb3
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Jan 31 18:00:24 2018 +0100
dsdb:extended_dn_store: add support for FPO (foreignSecurityPrincipal) enabled attributes
This implements the handling for FPO-enabled attributes, see
[MS-ADTS] 3.1.1.5.2.3 Special Classes and Attributes:
FPO-enabled attributes: member, msDS-MembersForAzRole,
msDS-NeverRevealGroup, msDS-NonMembers, msDS-RevealOnDemandGroup,
msDS-ServiceAccount.
Note there's no msDS-ServiceAccount in any schema (only
msDS-HostServiceAccount, and that's not an FPO-enabled attribute,
at least not in W2008R2).
msDS-NonMembers always generates NOT_SUPPORTED against W2008R2.
See also [MS-SAMR] 3.1.1.8.9 member.
We now create foreignSecurityPrincipal objects on the fly (as needed).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13300
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 799c9d1ce31258c6405602c2f8c53b93be582352
Author: Stefan Metzmacher <metze at samba.org>
Date: Sun Feb 25 00:10:12 2018 +0100
tests/dsdb.py: test creation of foreignSecurityPrincipal via 'attr: <SID=...>'
[MS-ADTS] 3.1.1.5.2.3 Special Classes and Attributes claims:
FPO-enabled attributes:
member, msDS-MembersForAzRole, msDS-NeverRevealGroup,
msDS-NonMembers, msDS-RevealOnDemandGroup, msDS-ServiceAccount.
'msDS-NonMembers' always generates NOT_SUPPORTED.
'msDS-ServiceAccount' is not defined in any schema
(only msDS-HostServiceAccount).
'msDS-HostServiceAccount' is not an FPO-enabled attribute
and behaves as the 'manager' attribute.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13300
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit a0813b2a9fe8004e4552a952e3587150f832993e
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Feb 22 22:51:46 2018 +0100
dsdb:samldb: require as_system or provision control to create foreignSecurityPrincipal objects
Windows rejects creating foreignSecurityPrincipal objects directly.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13300
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 856504ca26d1769b5db8fe2e220414960349afe9
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Feb 22 22:51:19 2018 +0100
tests/dsdb.py: verify that foreignSecurityPrincipal objects require the provision control
Windows rejects creating foreignSecurityPrincipal objects directly.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13300
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 470044bee84bdd798e9ccd0d1989b90e9a84ecaa
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Feb 23 16:04:57 2018 +0100
provision: use the provision control when adding foreignSecurityPrincipals
The next commits will require this.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13300
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 3f357ad8365975f63811ac3effc9a54385217b45
Author: Stefan Metzmacher <metze at samba.org>
Date: Sun Feb 25 21:45:06 2018 +0100
dsdb:extended_dn_store: make sure we reject storing references to deleted objects in linked attributes
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13307
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit b040d3289db247cdb8025f283fc30ffc2c2b40e7
Author: Stefan Metzmacher <metze at samba.org>
Date: Sun Feb 25 00:10:12 2018 +0100
tests/dsdb.py: prove the difference between linked and non-linked DN references
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13307
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 21b17e759922d117ed346e32465201e0689821b8
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Feb 28 10:31:21 2018 +0100
dsdb:extended_dn_store: split out an extended_replace_dn() function
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13307
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 18f40cefe5a1ef609651cc26db26275baab5b48e
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Feb 28 10:31:21 2018 +0100
dsdb:extended_dn_store: rename extended_replace_dn to extended_replace_callback
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13307
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 18d98022326203e63a5fbec23d906002bd1f1261
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Feb 28 08:03:24 2018 +0100
dsdb:extended_dn_store: We need to ignore self references on add operation
We have several schema related tests, which already prove
that for the defaultObjectCategory attribute.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13307
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 551f54e0d70e6daf96d40c8e23f44146b35c0220
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Feb 26 13:21:54 2018 +0100
dsdb:extended_dn_store: pass the full 'struct dsdb_attribute' to extended_store_replace()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13307
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit be52754b2f41d98f194c17676297dccc585e55a6
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Feb 28 10:31:21 2018 +0100
dsdb:extended_dn_store: we need to pass down our altered request on NO_SUCH_OBJECT
It's quite likely that there's more than one attribute and we may
have already altered values.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13307
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit c406ecce5a5b4151f7cd72f5cce41275d47954de
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Feb 28 08:04:58 2018 +0100
dsdb:extended_dn_store: ignore DRSUAPI_ATTID_distinguishedName attributes
We have several tests which already test that; we can avoid doing
searches at all in that case.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13307
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 2f1ba314df3e484206ee87841e3f6cf96e8c5c95
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Feb 28 08:04:38 2018 +0100
drsuapi.idl: add DN/fpo-enabled attributes as DRSUAPI_ATTID_* values
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13307
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit a0c091eba764e721cfa419e697700ca7a5695014
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Mar 6 23:42:54 2018 +0100
s3:auth: support AUTH_SESSION_INFO_NTLM in finalize_local_nt_token()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 0b261dc4e3f2d04131e1ff76a017aaee6e38e7b1
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Mar 6 23:26:28 2018 +0100
s3:auth: make use of create_builtin_guests() in finalize_local_nt_token()
This makes the Builtin_Guests handling more dynamic,
by having a persistent storage for the memberships.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 6c8cf7b6ec1b9bc534ddabfc2db8d7d6dac5fe4c
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Mar 7 01:37:21 2018 +0100
s3:libnet_join: make use of create_builtin_guests()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit c5874b9b68e0795e9dc23b04efa5959ac03ec8dc
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Mar 6 22:47:42 2018 +0100
s3:passdb: add create_builtin_guests()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit c2480b96b5f1cd22c2bc3b26c5846312295566f1
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Mar 1 15:04:17 2018 +0100
s3:auth: rename "guest" methods to "anonymous"
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
-----------------------------------------------------------------------
Summary of changes:
libcli/security/dom_sid.c | 63 ++++
libcli/security/dom_sid.h | 1 +
librpc/idl/drsuapi.idl | 6 +
python/samba/provision/__init__.py | 4 +-
python/samba/samdb.py | 24 +-
python/samba/tests/dsdb.py | 419 ++++++++++++++++++++-
selftest/selftest.pl | 3 +
selftest/target/Samba.pm | 6 +
selftest/target/Samba3.pm | 21 ++
selftest/target/Samba4.pm | 57 ++-
source3/auth/auth.c | 8 +-
source3/auth/auth_builtin.c | 20 +-
source3/auth/token_util.c | 74 +++-
source3/include/passdb.h | 1 +
source3/libnet/libnet_join.c | 12 +
source3/libsmb/samlogon_cache.c | 4 +
...passdb-0.27.0.sigs => samba-passdb-0.27.1.sigs} | 1 +
source3/passdb/pdb_samba_dsdb.c | 36 +-
source3/passdb/pdb_util.c | 52 +++
source3/wscript_build | 2 +-
source4/auth/auth.h | 3 +
source4/auth/ntlm/auth_winbind.c | 61 +--
source4/auth/sam.c | 112 +++++-
source4/dsdb/samdb/ldb_modules/extended_dn_store.c | 409 ++++++++++++++++++--
source4/dsdb/samdb/ldb_modules/repl_meta_data.c | 8 +-
source4/dsdb/samdb/ldb_modules/samldb.c | 46 ++-
source4/kdc/db-glue.c | 6 +-
source4/kdc/mit_samba.c | 12 +-
source4/kdc/pac-glue.c | 13 +
source4/kdc/pac-glue.h | 2 +
source4/kdc/samba_kdc.h | 3 +
source4/kdc/wdc-samba4.c | 1 +
source4/rpc_server/lsa/dcesrv_lsa.c | 32 +-
source4/selftest/tests.py | 2 +
testprogs/blackbox/test_trust_token.sh | 93 +++++
35 files changed, 1425 insertions(+), 192 deletions(-)
copy source3/passdb/ABI/{samba-passdb-0.27.0.sigs => samba-passdb-0.27.1.sigs} (99%)
create mode 100755 testprogs/blackbox/test_trust_token.sh
Changeset truncated at 500 lines:
diff --git a/libcli/security/dom_sid.c b/libcli/security/dom_sid.c
index e6beff1..17ac056 100644
--- a/libcli/security/dom_sid.c
+++ b/libcli/security/dom_sid.c
@@ -358,6 +358,69 @@ bool dom_sid_in_domain(const struct dom_sid *domain_sid,
return dom_sid_compare_auth(domain_sid, sid) == 0;
}
+bool dom_sid_is_valid_account_domain(const struct dom_sid *sid)
+{
+ /*
+ * We expect S-1-5-21-9-8-7, but we don't
+ * allow S-1-5-21-0-0-0 as this is used
+ * for claims and compound identities.
+ *
+ * With this structure:
+ *
+ * struct dom_sid {
+ * uint8_t sid_rev_num;
+ * int8_t num_auths; [range(0,15)]
+ * uint8_t id_auth[6];
+ * uint32_t sub_auths[15];
+ * }
+ *
+ * S-1-5-21-9-8-7 looks like this:
+ * {1, 4, {0,0,0,0,0,5}, {21,9,8,7,0,0,0,0,0,0,0,0,0,0,0}};
+ */
+ if (sid == NULL) {
+ return false;
+ }
+
+ if (sid->sid_rev_num != 1) {
+ return false;
+ }
+ if (sid->num_auths != 4) {
+ return false;
+ }
+ if (sid->id_auth[5] != 5) {
+ return false;
+ }
+ if (sid->id_auth[4] != 0) {
+ return false;
+ }
+ if (sid->id_auth[3] != 0) {
+ return false;
+ }
+ if (sid->id_auth[2] != 0) {
+ return false;
+ }
+ if (sid->id_auth[1] != 0) {
+ return false;
+ }
+ if (sid->id_auth[0] != 0) {
+ return false;
+ }
+ if (sid->sub_auths[0] != 21) {
+ return false;
+ }
+ if (sid->sub_auths[1] == 0) {
+ return false;
+ }
+ if (sid->sub_auths[2] == 0) {
+ return false;
+ }
+ if (sid->sub_auths[3] == 0) {
+ return false;
+ }
+
+ return true;
+}
+
/*
Convert a dom_sid to a string, printing into a buffer. Return the
string length. If it overflows, return the string length that would
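Review bot: the comment at the top of dom_sid_is_valid_account_domain() says only S-1-5-21-0-0-0 is excluded, but the three separate `== 0` checks on sub_auths[1], sub_auths[2] and sub_auths[3] reject any SID with at least one zero sub-authority (S-1-5-21-0-8-7 fails as well); if that stricter rule is intended, reword the comment to "no zero sub-authority", otherwise test the all-zero case in one condition. The six id_auth[] comparisons could also collapse into a single memcmp() against a static `{0,0,0,0,0,5}` array, which keeps the shape of the check obvious to the readers in dcesrv_lsa.c and pdb_samba_dsdb.c.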
diff --git a/libcli/security/dom_sid.h b/libcli/security/dom_sid.h
index 6c3225e..d9f4b3f 100644
--- a/libcli/security/dom_sid.h
+++ b/libcli/security/dom_sid.h
@@ -96,6 +96,7 @@ NTSTATUS dom_sid_split_rid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid,
struct dom_sid **domain, uint32_t *rid);
bool dom_sid_in_domain(const struct dom_sid *domain_sid,
const struct dom_sid *sid);
+bool dom_sid_is_valid_account_domain(const struct dom_sid *sid);
#define DOM_SID_STR_BUFLEN (15*11+25)
int dom_sid_string_buf(const struct dom_sid *sid, char *buf, int buflen);
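Review bot: the new exported prototype carries no comment saying what "valid account domain" means (revision 1, exactly four sub-authorities, identifier authority 5, first sub-authority 21, no zero sub-authority); a one-line doc comment next to the declaration would save callers from reading the implementation in dom_sid.c.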
diff --git a/librpc/idl/drsuapi.idl b/librpc/idl/drsuapi.idl
index 51ef567..cd90500 100644
--- a/librpc/idl/drsuapi.idl
+++ b/librpc/idl/drsuapi.idl
@@ -460,6 +460,7 @@ interface drsuapi
DRSUAPI_ATTID_ou = 0x0000000b,
DRSUAPI_ATTID_description = 0x0000000d,
DRSUAPI_ATTID_member = 0x0000001f,
+ DRSUAPI_ATTID_distinguishedName = 0x00000031,
DRSUAPI_ATTID_instanceType = 0x00020001,
DRSUAPI_ATTID_whenCreated = 0x00020002,
DRSUAPI_ATTID_possSuperiors = 0x00020008,
@@ -549,8 +550,13 @@ interface drsuapi
DRSUAPI_ATTID_transportAddressAttribute = 0x0009037f,
DRSUAPI_ATTID_msDS_Behavior_Version = 0x000905b3,
DRSUAPI_ATTID_msDS_KeyVersionNumber = 0x000906f6,
+ DRSUAPI_ATTID_msDS_NonMembers = 0x00090701,
+ DRSUAPI_ATTID_msDS_MembersForAzRole = 0x0009070e,
DRSUAPI_ATTID_msDS_HasDomainNCs = 0x0009071c,
DRSUAPI_ATTID_msDS_hasMasterNCs = 0x0009072c,
+ DRSUAPI_ATTID_msDS_NeverRevealGroup = 0x00090786,
+ DRSUAPI_ATTID_msDS_RevealOnDemandGroup = 0x00090788,
+ DRSUAPI_ATTID_msDS_HostServiceAccount = 0x00090808,
DRSUAPI_ATTID_isRecycled = 0x0009080a,
DRSUAPI_ATTID_INVALID = 0xFFFFFFFF
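Review bot: the commit message states that msDS-HostServiceAccount is not FPO-enabled while the other four new DRSUAPI_ATTID_msDS_* values are, but nothing in the enum records that distinction; a short comment on the FPO-enabled entries, with a pointer to [MS-ADTS] 3.1.1.5.2.3, would help whoever next extends the attribute handling in extended_dn_store.c.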
diff --git a/python/samba/provision/__init__.py b/python/samba/provision/__init__.py
index 24c2d55..f36f277 100644
--- a/python/samba/provision/__init__.py
+++ b/python/samba/provision/__init__.py
@@ -1509,7 +1509,7 @@ def fill_samdb(samdb, lp, names, logger, policyguid,
setup_add_ldif(samdb, setup_path("provision_well_known_sec_princ.ldif"), {
"CONFIGDN": names.configdn,
"WELLKNOWNPRINCIPALS_DESCRIPTOR": protected1wd_descr,
- })
+ }, controls=["relax:0", "provision:0"])
if fill == FILL_FULL or fill == FILL_SUBDOMAIN:
setup_modify_ldif(samdb,
@@ -1524,7 +1524,7 @@ def fill_samdb(samdb, lp, names, logger, policyguid,
"DOMAINSID": str(names.domainsid),
"ADMINPASS_B64": b64encode(adminpass.encode('utf-16-le')),
"KRBTGTPASS_B64": b64encode(krbtgtpass.encode('utf-16-le'))
- })
+ }, controls=["relax:0", "provision:0"])
logger.info("Setting up self join")
setup_self_join(samdb, admin_session_info, names=names, fill=fill,
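Review bot: both setup_add_ldif() calls in fill_samdb() now pass "relax:0" in addition to "provision:0", but the commit message for this change only talks about the provision control; if relax is required because these LDIFs contain attributes samldb otherwise refuses, the commit message should say so, since relax switches off more checks than the foreignSecurityPrincipal gate this series introduces.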
diff --git a/python/samba/samdb.py b/python/samba/samdb.py
index 89014a5..348bd21 100644
--- a/python/samba/samdb.py
+++ b/python/samba/samdb.py
@@ -32,6 +32,7 @@ from samba.ndr import ndr_unpack, ndr_pack
from samba.dcerpc import drsblobs, misc
from samba.common import normalise_int32
from samba.compat import text_type
+from samba.dcerpc import security
__docformat__ = "restructuredText"
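Review bot: `from samba.dcerpc import security` is added as a separate statement two lines below the existing `from samba.dcerpc import drsblobs, misc`; fold it into that line (`from samba.dcerpc import drsblobs, misc, security`) so the module's dcerpc imports stay in one place.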
@@ -270,25 +271,40 @@ changetype: modify
for member in members:
filter = ('(&(sAMAccountName=%s)(|(objectclass=user)'
'(objectclass=group)))' % ldb.binary_encode(member))
+ foreign_msg = None
+ try:
+ membersid = security.dom_sid(member)
+ except TypeError as e:
+ membersid = None
+
+ if membersid is not None:
+ filter = '(objectSid=%s)' % str(membersid)
+ dn_str = "<SID=%s>" % str(membersid)
+ foreign_msg = ldb.Message()
+ foreign_msg.dn = ldb.Dn(self, dn_str)
+
targetmember = self.search(base=self.domain_dn(),
scope=ldb.SCOPE_SUBTREE,
expression="%s" % filter,
attrs=[])
+ if len(targetmember) == 0 and foreign_msg is not None:
+ targetmember = [foreign_msg]
if len(targetmember) != 1:
raise Exception('Unable to find "%s". Operation cancelled.' % member)
+ targetmember_dn = targetmember[0].dn.extended_str(1)
- if add_members_operation is True and (targetgroup[0].get('member') is None or str(targetmember[0].dn) not in targetgroup[0]['member']):
+ if add_members_operation is True and (targetgroup[0].get('member') is None or str(targetmember_dn) not in targetgroup[0]['member']):
modified = True
addtargettogroup += """add: member
member: %s
-""" % (str(targetmember[0].dn))
+""" % (str(targetmember_dn))
- elif add_members_operation is False and (targetgroup[0].get('member') is not None and str(targetmember[0].dn) in targetgroup[0]['member']):
+ elif add_members_operation is False and (targetgroup[0].get('member') is not None and targetmember_dn in targetgroup[0]['member']):
modified = True
addtargettogroup += """delete: member
member: %s
-""" % (str(targetmember[0].dn))
+""" % (str(targetmember_dn))
if modified is True:
self.modify_ldif(addtargettogroup)
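Review bot: the membership test now compares `targetmember_dn`, built with `extended_str(1)`, against the plain DN strings held in `targetgroup[0]['member']`; if the DN returned by the sAMAccountName search carries GUID/SID components, the extended string never equals a plain member value, so an already-present member is sent to the server again and the old silent skip of `str(targetmember[0].dn)` turns into a server error. Please confirm which form the search result DN has, or use the same representation on both sides of the `in` check. Smaller points: `except TypeError as e:` binds an `e` that is never used, and `str(targetmember_dn)` wraps a value that is already a str.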
diff --git a/python/samba/tests/dsdb.py b/python/samba/tests/dsdb.py
index fd9919f..b3cf697 100644
--- a/python/samba/tests/dsdb.py
+++ b/python/samba/tests/dsdb.py
@@ -23,8 +23,9 @@ from samba.auth import system_session
from samba.tests import TestCase
from samba.tests import delete_force
from samba.ndr import ndr_unpack, ndr_pack
-from samba.dcerpc import drsblobs, security
+from samba.dcerpc import drsblobs, security, misc
from samba import dsdb
+from samba import werror
import ldb
import samba
import uuid
@@ -214,19 +215,57 @@ class DsdbTests(TestCase):
c = "9"
else:
c = "0"
- sid = str(dom_sid)[:-1] + c + "-1000"
+ sid_str = str(dom_sid)[:-1] + c + "-1000"
+ sid = ndr_pack(security.dom_sid(sid_str))
basedn = self.samdb.get_default_basedn()
- dn = "CN=%s,CN=ForeignSecurityPrincipals,%s" % (sid, basedn)
+ dn = "CN=%s,CN=ForeignSecurityPrincipals,%s" % (sid_str, basedn)
+
+ #
+ # First without control
+ #
+
+ try:
+ self.samdb.add({
+ "dn": dn,
+ "objectClass": "foreignSecurityPrincipal"})
+ self.fail("No exception should get ERR_OBJECT_CLASS_VIOLATION")
+ except ldb.LdbError as e:
+ (code, msg) = e.args
+ self.assertEqual(code, ldb.ERR_OBJECT_CLASS_VIOLATION, str(e))
+ werr = "%08X" % werror.WERR_DS_MISSING_REQUIRED_ATT
+ self.assertTrue(werr in msg, msg)
+
+ try:
+ self.samdb.add({
+ "dn": dn,
+ "objectClass": "foreignSecurityPrincipal",
+ "objectSid": sid})
+ self.fail("No exception should get ERR_UNWILLING_TO_PERFORM")
+ except ldb.LdbError as e:
+ (code, msg) = e.args
+ self.assertEqual(code, ldb.ERR_UNWILLING_TO_PERFORM, str(e))
+ werr = "%08X" % werror.WERR_DS_ILLEGAL_MOD_OPERATION
+ self.assertTrue(werr in msg, msg)
+
+ #
+ # We need to use the provision control
+ # in order to add foreignSecurityPrincipal
+ # objects
+ #
+
+ controls = ["provision:0"]
self.samdb.add({
"dn": dn,
- "objectClass": "foreignSecurityPrincipal"})
+ "objectClass": "foreignSecurityPrincipal"},
+ controls=controls)
self.samdb.delete(dn)
try:
self.samdb.add({
"dn": dn,
- "objectClass": "foreignSecurityPrincipal"})
+ "objectClass": "foreignSecurityPrincipal"},
+ controls=controls)
except ldb.LdbError as e:
(code, msg) = e.args
self.fail("Got unexpected exception %d - %s "
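Review bot: the two new self.fail() messages in this hunk read as their own negation ("No exception should get ERR_OBJECT_CLASS_VIOLATION"); wording such as "Expected ERR_OBJECT_CLASS_VIOLATION, but no exception was raised" makes a failing run self-explanatory, and the same phrasing recurs in the helpers added further down in this file.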
@@ -235,6 +274,232 @@ class DsdbTests(TestCase):
# cleanup
self.samdb.delete(dn)
+ def _test_foreignSecurityPrincipal(self, obj_class, fpo_attr):
+
+ dom_sid = self.samdb.get_domain_sid()
+ lsid_str = str(dom_sid) + "-4294967294"
+ bsid_str = "S-1-5-32-4294967294"
+ fsid_str = "S-1-5-4294967294"
+ basedn = self.samdb.get_default_basedn()
+ cn = "dsdb_test_fpo"
+ dn_str = "cn=%s,cn=Users,%s" % (cn, basedn)
+ dn = ldb.Dn(self.samdb, dn_str)
+
+ res = self.samdb.search(scope=ldb.SCOPE_SUBTREE,
+ base=basedn,
+ expression="(objectSid=%s)" % lsid_str,
+ attrs=[])
+ self.assertEqual(len(res), 0)
+ res = self.samdb.search(scope=ldb.SCOPE_SUBTREE,
+ base=basedn,
+ expression="(objectSid=%s)" % bsid_str,
+ attrs=[])
+ self.assertEqual(len(res), 0)
+ res = self.samdb.search(scope=ldb.SCOPE_SUBTREE,
+ base=basedn,
+ expression="(objectSid=%s)" % fsid_str,
+ attrs=[])
+ self.assertEqual(len(res), 0)
+
+ self.addCleanup(delete_force, self.samdb, dn_str)
+
+ self.samdb.add({
+ "dn": dn_str,
+ "objectClass": obj_class})
+
+ msg = ldb.Message()
+ msg.dn = dn
+ msg[fpo_attr] = ldb.MessageElement("<SID=%s>" % lsid_str,
+ ldb.FLAG_MOD_ADD,
+ fpo_attr)
+ try:
+ self.samdb.modify(msg)
+ self.fail("No exception should get LDB_ERR_UNWILLING_TO_PERFORM")
+ except ldb.LdbError as e:
+ (code, msg) = e.args
+ self.assertEqual(code, ldb.ERR_UNWILLING_TO_PERFORM, str(e))
+ werr = "%08X" % werror.WERR_DS_INVALID_GROUP_TYPE
+ self.assertTrue(werr in msg, msg)
+
+ msg = ldb.Message()
+ msg.dn = dn
+ msg[fpo_attr] = ldb.MessageElement("<SID=%s>" % bsid_str,
+ ldb.FLAG_MOD_ADD,
+ fpo_attr)
+ try:
+ self.samdb.modify(msg)
+ self.fail("No exception should get LDB_ERR_NO_SUCH_OBJECT")
+ except ldb.LdbError as e:
+ (code, msg) = e.args
+ self.assertEqual(code, ldb.ERR_NO_SUCH_OBJECT, str(e))
+ werr = "%08X" % werror.WERR_NO_SUCH_MEMBER
+ self.assertTrue(werr in msg, msg)
+
+ msg = ldb.Message()
+ msg.dn = dn
+ msg[fpo_attr] = ldb.MessageElement("<SID=%s>" % fsid_str,
+ ldb.FLAG_MOD_ADD,
+ fpo_attr)
+ try:
+ self.samdb.modify(msg)
+ except ldb.LdbError as e:
+ self.fail("Should have not raised an exception")
+
+ res = self.samdb.search(scope=ldb.SCOPE_SUBTREE,
+ base=basedn,
+ expression="(objectSid=%s)" % fsid_str,
+ attrs=[])
+ self.assertEqual(len(res), 1)
+ self.samdb.delete(res[0].dn)
+ self.samdb.delete(dn)
+ res = self.samdb.search(scope=ldb.SCOPE_SUBTREE,
+ base=basedn,
+ expression="(objectSid=%s)" % fsid_str,
+ attrs=[])
+ self.assertEqual(len(res), 0)
+
+ def test_foreignSecurityPrincipal_member(self):
+ return self._test_foreignSecurityPrincipal(
+ "group", "member")
+
+ def test_foreignSecurityPrincipal_MembersForAzRole(self):
+ return self._test_foreignSecurityPrincipal(
+ "msDS-AzRole", "msDS-MembersForAzRole")
+
+ def test_foreignSecurityPrincipal_NeverRevealGroup(self):
+ return self._test_foreignSecurityPrincipal(
+ "computer", "msDS-NeverRevealGroup")
+
+ def test_foreignSecurityPrincipal_RevealOnDemandGroup(self):
+ return self._test_foreignSecurityPrincipal(
+ "computer", "msDS-RevealOnDemandGroup")
+
+ def _test_fail_foreignSecurityPrincipal(self, obj_class, fpo_attr,
+ msg_exp, lerr_exp, werr_exp,
+ allow_reference=True):
+
+ dom_sid = self.samdb.get_domain_sid()
+ lsid_str = str(dom_sid) + "-4294967294"
+ bsid_str = "S-1-5-32-4294967294"
+ fsid_str = "S-1-5-4294967294"
+ basedn = self.samdb.get_default_basedn()
+ cn1 = "dsdb_test_fpo1"
+ dn1_str = "cn=%s,cn=Users,%s" % (cn1, basedn)
+ dn1 = ldb.Dn(self.samdb, dn1_str)
+ cn2 = "dsdb_test_fpo2"
+ dn2_str = "cn=%s,cn=Users,%s" % (cn2, basedn)
+ dn2 = ldb.Dn(self.samdb, dn2_str)
+
+ res = self.samdb.search(scope=ldb.SCOPE_SUBTREE,
+ base=basedn,
+ expression="(objectSid=%s)" % lsid_str,
+ attrs=[])
+ self.assertEqual(len(res), 0)
+ res = self.samdb.search(scope=ldb.SCOPE_SUBTREE,
+ base=basedn,
+ expression="(objectSid=%s)" % bsid_str,
+ attrs=[])
+ self.assertEqual(len(res), 0)
+ res = self.samdb.search(scope=ldb.SCOPE_SUBTREE,
+ base=basedn,
+ expression="(objectSid=%s)" % fsid_str,
+ attrs=[])
+ self.assertEqual(len(res), 0)
+
+ self.addCleanup(delete_force, self.samdb, dn1_str)
+ self.addCleanup(delete_force, self.samdb, dn2_str)
+
+ self.samdb.add({
+ "dn": dn1_str,
+ "objectClass": obj_class})
+
+ self.samdb.add({
+ "dn": dn2_str,
+ "objectClass": obj_class})
+
+ msg = ldb.Message()
+ msg.dn = dn1
+ msg[fpo_attr] = ldb.MessageElement("<SID=%s>" % lsid_str,
+ ldb.FLAG_MOD_ADD,
+ fpo_attr)
+ try:
+ self.samdb.modify(msg)
+ self.fail("No exception should get %s" % msg_exp)
+ except ldb.LdbError as e:
+ (code, msg) = e.args
+ self.assertEqual(code, lerr_exp, str(e))
+ werr = "%08X" % werr_exp
+ self.assertTrue(werr in msg, msg)
+
+ msg = ldb.Message()
+ msg.dn = dn1
+ msg[fpo_attr] = ldb.MessageElement("<SID=%s>" % bsid_str,
+ ldb.FLAG_MOD_ADD,
+ fpo_attr)
+ try:
+ self.samdb.modify(msg)
+ self.fail("No exception should get %s" % msg_exp)
+ except ldb.LdbError as e:
+ (code, msg) = e.args
+ self.assertEqual(code, lerr_exp, str(e))
+ werr = "%08X" % werr_exp
+ self.assertTrue(werr in msg, msg)
+
+ msg = ldb.Message()
+ msg.dn = dn1
+ msg[fpo_attr] = ldb.MessageElement("<SID=%s>" % fsid_str,
+ ldb.FLAG_MOD_ADD,
+ fpo_attr)
+ try:
+ self.samdb.modify(msg)
+ self.fail("No exception should get %s" % msg)
+ except ldb.LdbError as e:
+ (code, msg) = e.args
+ self.assertEqual(code, lerr_exp, str(e))
+ werr = "%08X" % werr_exp
+ self.assertTrue(werr in msg, msg)
+
+ msg = ldb.Message()
+ msg.dn = dn1
+ msg[fpo_attr] = ldb.MessageElement("%s" % dn2,
+ ldb.FLAG_MOD_ADD,
+ fpo_attr)
+ try:
+ self.samdb.modify(msg)
+ if not allow_reference:
+ sel.fail("No exception should get %s" % msg_exp)
+ except ldb.LdbError as e:
+ if allow_reference:
+ self.fail("Should have not raised an exception: %s" % e)
+ (code, msg) = e.args
+ self.assertEqual(code, lerr_exp, str(e))
+ werr = "%08X" % werr_exp
+ self.assertTrue(werr in msg, msg)
+
+ self.samdb.delete(dn2)
+ self.samdb.delete(dn1)
+
+ def test_foreignSecurityPrincipal_NonMembers(self):
+ return self._test_fail_foreignSecurityPrincipal(
+ "group", "msDS-NonMembers",
+ "LDB_ERR_UNWILLING_TO_PERFORM/WERR_NOT_SUPPORTED",
+ ldb.ERR_UNWILLING_TO_PERFORM, werror.WERR_NOT_SUPPORTED,
+ allow_reference=False)
+
+ def test_foreignSecurityPrincipal_HostServiceAccount(self):
+ return self._test_fail_foreignSecurityPrincipal(
+ "computer", "msDS-HostServiceAccount",
+ "LDB_ERR_CONSTRAINT_VIOLATION/WERR_DS_NAME_REFERENCE_INVALID",
+ ldb.ERR_CONSTRAINT_VIOLATION,
+ werror.WERR_DS_NAME_REFERENCE_INVALID)
+
+ def test_foreignSecurityPrincipal_manager(self):
+ return self._test_fail_foreignSecurityPrincipal(
+ "user", "manager",
+ "LDB_ERR_CONSTRAINT_VIOLATION/WERR_DS_NAME_REFERENCE_INVALID",
+ ldb.ERR_CONSTRAINT_VIOLATION,
+ werror.WERR_DS_NAME_REFERENCE_INVALID)
+
#
# Duplicate objectSID's should not be permitted for sids in the local
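Review bot: `sel.fail("No exception should get %s" % msg_exp)` in the dn2 reference branch of _test_fail_foreignSecurityPrincipal() is a typo for `self.fail(...)`; as written it raises NameError instead of a readable assertion when a DN reference is unexpectedly accepted with allow_reference=False (test_foreignSecurityPrincipal_NonMembers). Earlier in the same helper, the fsid_str case formats `msg` (the ldb.Message just built) into the failure text where `msg_exp` is meant. Neither line runs while the server keeps rejecting these modifies, which is why the tests pass today; both should still be fixed before merging.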