[SCM] Samba Shared Repository - branch v4-15-test updated

Jule Anger janger at samba.org
Wed Sep 8 13:32:01 UTC 2021


The branch, v4-15-test has been updated
       via  45b5c9074e7 selftest: Add prefix to new schema attributes to avoid flapping dsdb_schema_attributes
       via  1252f2c170c s4-lsa: Cache sam.ldb handle in lsa_LookupSids3/LookupNames4
       via  bb825a909e9 selftest: Add a test for LookupSids3 and LookupNames4 in python
       via  86d3397f852 dsdb: Be careful to avoid use of the expensive talloc_is_parent()
       via  d18232cdcfc selftest: Only run samba_tool_drs_showrepl test once
       via  8c246869e14 selftest: Split up targets for samba_tool_drs from samba_tool_drs_showrepl
       via  5cec6963b69 WHATSNEW: Update with samba-tool domain backup offline fix
       via  0cc8a4708f0 WHATSNEW: Update for KDC crash fixes
       via  7ca641892b3 tests/krb5: Allow KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN for a missing sname
       via  0fd150e4844 kdc: KRB5KDC_ERR_{C,S}_PRINCIPAL_UNKNOWN if missing field
       via  dcbec3eab52 tests/krb5: Allow expected_error_mode to be a container type
       via  8d17a87523b tests/krb5: Add tests for omitting sname in inner request
       via  c837f43a9cd tests/krb5: Allow specifying parameters specific to the inner FAST request body
       via  b628cda6604 tests/krb5: Add tests for omitting sname in request
       via  83ba64c9106 tests/krb5: Check PADATA-PW-SALT element in e-data
       via  13cb2664266 tests/krb5: Check e-data element for TGS-REP errors without FAST
       via  2762a9dcee4 tests/krb5: Remove harmful and a-typical return in as_req testcase
       via  f50f9618efa CVE-2021-3671 tests/krb5: Add tests for omitting sname in outer request
       via  d9de103cc58 CVE-2021-3671 HEIMDAL kdc: validate sname in TGS-REQ
       via  1ae386bf725 tests/krb5: Add test for sending PA-ENCRYPTED-CHALLENGE without FAST
       via  b6496bd5990 tests/krb5: Make cname checking less strict
       via  c9b594a1a21 tests/krb5: Make e-data checking less strict
       via  ef69ac460bc Update common on currently supported Fedora versions
       via  d0f26d12a9b bootstrap: SAMBA_CI_CONTAINER_TAG is now in .gitlab-ci-main.yml
       via  04cbe284f4e bootstrap: Update to get newer krb5 on Fedora 34
       via  2c7d7307ae3 mit-kdc: Remove build time support for KDB_API < 10
       via  0cf8c13b940 build: Move minimum MIT krb5 version to 1.19 to align with what is tested
       via  e30483eb251 autobuild.py: Do not build MIT builds by default (eg sn-devel)
       via  1dd8ded8c57 gitlab-ci: Move MIT builds to current Fedora so we can test against a current MIT KDC
       via  961bdab6647 gitlab-ci/autobuild: Add new build confirming behaviour on older MIT Kerberos
       via  e850967129d autobuild.py: Explain why each job is removed from the default set
       via  521adb2fd3e samba-tool domain backup: Use tdbbackup on metadata.tdb
       via  2f8295604ce samba-tool: Rework transations/locks to hold a lock during mdb backup
       via  21e1a6b48d6 samba-tool domain backup offline: Use passed in samdb when backing up sam.ldb
       via  535bd82604e mit-samba: Only set the function opening bracket once
       via  13dff7227f4 mit-samba: Use talloc_get_type_abort() instead of casting
       via  9698e453ae9 mit-samba: Send the logging to the kdc log facility
       via  4bf41b6ccf5 mit-samba: Define debug class for kdb module
       via  07cfa4d6f95 tests/krb5: Add FAST tests
       via  003307b7d34 initial FAST tests
       via  18c2ff9a3c6 tests/krb5: Check PADATA-FX-ERROR in reply
       via  54f1f269f0a tests/krb5: Allow generic_check_kdc_error() to check inner FAST errors
       via  d6acfe270d0 tests/krb5: Check PADATA-PAC-OPTIONS in reply
       via  1e9a7cd0a81 tests/krb5: Make generic_check_kdc_error() also work for checking TGS replies
       via  464a7efe1b2 tests/krb5: Make check_rep_padata() also work for checking TGS replies
       via  220f76a98eb tests/krb5: Check PADATA-FX-COOKIE in reply
       via  18b587ad53b tests/krb5: Check PADATA-ENCRYPTED-CHALLENGE in reply
       via  904df7418b8 tests/krb5: Adjust reply padata checking depending on whether FAST was sent
       via  19aaacb5b2b tests/krb5: Check reply FAST padata if request included FAST
       via  5fc7588d3cc tests/krb5: Check sname is krbtgt for FAST generic error
       via  fc2ec4b9e01 tests/krb5: Add get_krbtgt_sname() method
       via  6ed03543ea0 tests/krb5: Remove unused variables
       via  2e9c0a7ff2f tests/krb5: Don't expect RC4 in ETYPE-INFO2 for a non-error reply
       via  4d8b3dcd2f7 tests/krb5: Add check_rep_padata() method to check padata in reply
       via  7628f04aa64 tests/krb5: Add generate_simple_fast() method to generate FX-FAST padata
       via  5893e9dc6d6 tests/krb5: Include authdata in kdc_exchange_dict
       via  d544371bd15 tests/krb5: Add expected_cname_private parameter to kdc_exchange_dict
       via  6457ecee2a9 tests/krb5: Check encrypted-pa-data
       via  79972f42603 tests/krb5: Add methods to determine whether elements were included in the request
       via  361d9e73d15 tests/krb5: Add functions to get dicts of request padata
       via  038921df85e tests/krb5: Check FAST response
       via  afd32084e3b tests/krb5: Add method to verify ticket checksum for FAST
       via  846c0132b52 tests/krb5: Add method to check PA-FX-FAST-REPLY
       via  9cc2d4a659c tests/krb5: Allow specifying parameters specific to the outer request body
       via  889593908e6 tests/krb5: Add FAST armor generation to _generic_kdc_exchange()
       via  dbf3f3bab68 tests/krb5: Modify generate_ap_req() to also generate FAST armor AP-REQ
       via  5f35f5ce1dc tests/krb5: Include authenticator_subkey in AS-REQ exchange dict
       via  dc778a5f4ca tests/krb5: Rename generic_check_as_error() to generic_check_kdc_error()
       via  943a58fc29f tests/krb5: Add methods to calculate keys for FAST
       via  539981fc13b tests/krb5: Add method to generate FAST encrypted challenge padata
       via  cb609e47d76 tests/krb5: Add more methods to create ASN1 objects for FAST
       via  db22b645c05 tests/krb5: Add more ASN1 definitions for FAST
       via  98f242cf97f tests/krb5: Generate AP-REQ for TGS request in _generic_kdc_exchange()
       via  9d8973d3775 tests/krb5: Ensure generated padata is not None
       via  2898841517e tests/krb5: Add generate_ap_req() method
       via  8bc2d847585 tests/krb5: Check nonce in EncKDCRepPart
       via  9c80f3188c5 tests/krb5: Make checking less strict
       via  cd4d26b7342 tests/krb5: Check version number of obtained ticket
       via  7b859c2ce3a tests/krb5: Assert that more variables are not None
       via  17fb5d3534a tests/krb5: Ensure in assertElementPresent() that container elements are not empty
       via  88a3de1f8cd tests/krb5: Only allow specifying one of check_rep_fn and check_error_fn
       via  c8f98ef1bf7 tests/krb5: Include kdc_options in kdc_exchange_dict
       via  2804451db04 tests/krb5: Always specify expected error code
       via  9668d0a12af tests/krb5: Add check_reply() method to check for AS or TGS reply
       via  5d4f3948652 tests/krb5: Add method to calculate account salt
       via  2f26125a45b tests/krb5: Add more methods for obtaining machine and service credentials
       via  8926866e50f tests/krb5: Allow specifying additional details when creating an account
       via  80904c2493a tests/krb5: Use encryption with admin credentials
       via  8ebde4958f6 tests/krb5: Add get_EpochFromKerberosTime()
       via  ad37b892482 tests/krb5: Make _test_as_exchange() return value more consistent
       via  4f9621dc01d tests/krb5: Add method to return dict containing padata elements
       via  790c07f6262 tests/krb5: Add get_enc_timestamp_pa_data_from_key()
       via  0ad81b04468 tests/krb5: Refactor get_pa_data()
       via  8a465e73ba3 tests/krb5: Allow cf2 to automatically use the enctype of the first key
       via  d003d7a3edc tests/krb5: Use credentials kvno when creating password key
       via  bd1a33d8b09 tests/krb5: Check Kerberos protocol version number
       via  5bed0606922 tests/krb5: Expect e-data except when the error code is KDC_ERR_GENERIC
       via  34b85fc9f02 tests/krb5: Fix encpart_decryption_key with MIT KDC
       via  f5bb7f975c2 tests/krb5: Fix callback_dict parameter
       via  3ace86e524c tests/krb5: Fix including enc-authorization-data
       via  f191934f14d tests/krb5: Remove magic constants
       via  82158d38ad6 tests/krb5: Simplify Python syntax
       via  122ed8d3f3e tests/krb5: Use more compact dict lookup
       via  68fc4851772 tests/krb5: Remove unneeded statements
       via  5df6c6850f4 tests/krb5: formatting
       via  3d751f9cc6f tests/krb5: Fix method name typo
       via  204f2dbcefe tests/krb5: Fix comment typo
       via  424b945426a tests/krb5: Fix ms_kile_client_principal_lookup_test errors
       via  25b51c3a287 pygensec: Don't modify Python bytes objects
       via  a90933e820c pygensec: Fix memory leaks
       via  36a99feeafb selftest: Add support for setting ENV variables in plantestsuite()
       via  daab1eba30a selftest: Add support for setting ENV variables in plansmbtorture4testsuite()
       via  2dfe335bbe2 selftest: Re-format long lines in selftesthelpers.py
       via  a116dec4bb6 bootstrap: Install python3-dateutil instead of python3-iso8601 on RPM distros
       via  9ded25beb7e python:waf: Correctly check for python-dateutil
       via  8586802eaca bootstrap: Install krb5-workstation on Fedora based distros
      from  a0a96f6ebab VERSION: Bump version up to Samba 4.15.0rc6...

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-15-test


- Log -----------------------------------------------------------------
commit 45b5c9074e7b9fc429d741a2920ab24a28bb2cc1
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Sep 6 08:52:21 2021 +1200

    selftest: Add prefix to new schema attributes to avoid flapping dsdb_schema_attributes
    
    If two of these unit tests run in the same second they could
    select the same name, as the name was only based on the time
    and a common prefix.
    
    As observed by Jeremy Allison.  Thanks for the report!
    
    RN: Address flapping dsdb_schema_attributes test
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14819
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    
    Autobuild-User(master): Jeremy Allison <jra at samba.org>
    Autobuild-Date(master): Mon Sep  6 02:32:51 UTC 2021 on sn-devel-184
    
    (cherry picked from commit 6590bb0b77c641f0d4686b39c713c1405ffb64f5)
    
    Autobuild-User(v4-15-test): Jule Anger <janger at samba.org>
    Autobuild-Date(v4-15-test): Wed Sep  8 13:31:05 UTC 2021 on sn-devel-184

commit 1252f2c170cd273d944f70b27584518b3bc8218d
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Aug 25 12:03:08 2021 +1200

    s4-lsa: Cache sam.ldb handle in lsa_LookupSids3/LookupNames4
    
    Since 5c0345ea9bb34695dcd7be6c913748323bebe937 this
    would not have been implicitly cached via the ldb_wrap
    cache, due to the recording of the remote IP address
    (which is a good thing).
    
    This creates a more explicit and direct correct
    cache on the connection.
    
    The common code, including the SCHANNEL check is
    placed into a helper function.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14807
    
    RN: Fix performance regression in lsa_LookupSids3/LookupNames4 since Samba 4.9 by using an explicit database handle cache
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    
    Autobuild-User(master): Jeremy Allison <jra at samba.org>
    Autobuild-Date(master): Sun Sep  5 03:19:26 UTC 2021 on sn-devel-184
    
    (cherry picked from commit ae57d22e45b33537e9fca5969e9b68abd1ad633f)

commit bb825a909e91c1ba138490691258702744c60f6f
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Aug 25 09:54:04 2021 +0000

    selftest: Add a test for LookupSids3 and LookupNames4 in python
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14807
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit b40761b42e889369599c5eb355028ba377c43b49)

commit 86d3397f852e4e6e5fa5096d91c4263e26742d0f
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Aug 25 09:41:11 2021 +1200

    dsdb: Be careful to avoid use of the expensive talloc_is_parent()
    
    The wrong talloc API was selected while addressing a memory leak.
    
    commit ee2fe56ba0ef6626b634376e8dc2185aa89f8c99
    Author: Aaron Haslett <aaronhaslett at catalyst.net.nz>
    Date:   Tue Nov 27 11:07:44 2018 +1300
    
        drepl: memory leak fix
    
        Fixes a memory leak where schema reference attached to ldb
        instance is lost before it can be freed.
    
        BUG: https://bugzilla.samba.org/show_bug.cgi?id=14042
    
        Signed-off-by: Aaron Haslett <aaronhaslett at catalyst.net.nz>
    
        Reviewed-by: Andrew Bartlett <abartlet at samba.org>
        Reviewed-by: Garming Sam <garming at catalyst.net.nz>
    
        Autobuild-User(master): Garming Sam <garming at samba.org>
        Autobuild-Date(master): Wed Jul 17 06:17:10 UTC 2019 on sn-devel-184
    
    By using talloc_get_parent() walking the entire talloc tree is
    avoided.
    
    RN: Address a significant performance regression in database access in the AD DC since Samba 4.12
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14806
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit 8affe4a1e625104de4ca024fdc3e9cd96498aff3)

commit d18232cdcfc48ed7b03e831bb28ff57140fe5f9a
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Sat Sep 4 13:11:08 2021 +1200

    selftest: Only run samba_tool_drs_showrepl test once
    
    This test is not slow, but there is no value running it twice.
    
    Running this test twice just increases the chances we might
    lose a race as it shows and validates live replication data.
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit 75a5ed66731e947fa16af81aab7649d1fddec45f)

commit 8c246869e142a8115a6428285d582f0e123a38ff
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Sat Sep 4 12:28:20 2021 +1200

    selftest: Split up targets for samba_tool_drs from samba_tool_drs_showrepl
    
    These now run in the disconnected sets schema_dc/schema_pair_dc and
    ad_dc/vampire_dc/promoted_dc.  By aiming at different sets of servers
    we can't cause cross-contamination in terms of which servers are
    listed as outbound connections.
    
    Also, by running the tests only once we reduce the chances of trouble
    by half.
    
    RN: Address flapping samba_tool_drs_showrepl test
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14818
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit e8b4599e0935290c5e59df9fd4f695ad8d6f361c)

commit 5cec6963b697b14177f06fd09c95741810d9d25f
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Sep 8 19:24:29 2021 +1200

    WHATSNEW: Update with samba-tool domain backup offline fix
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>

commit 0cc8a4708f08f36719ea98026b083e481c315fb6
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Sep 8 19:20:55 2021 +1200

    WHATSNEW: Update for KDC crash fixes
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>

commit 7ca641892b389f2bd6f13afb862c632a8375cff6
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Aug 31 22:38:01 2021 +1200

    tests/krb5: Allow KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN for a missing sname
    
    This allows our code to still pass with the error code that
    MIT and Heimdal have chosen
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    
    Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
    Autobuild-Date(master): Thu Sep  2 14:28:31 UTC 2021 on sn-devel-184
    
    (cherry picked from commit 10baaf08523200e47451aa1862430977b0365b59)

commit 0fd150e48447d362e47c4c3f9e7bf0930db03afd
Author: Luke Howard <lukeh at padl.com>
Date:   Tue Aug 31 17:38:16 2021 +1200

    kdc: KRB5KDC_ERR_{C,S}_PRINCIPAL_UNKNOWN if missing field
    
    If missing cname or sname in AS-REQ, return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN and
    KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN. This matches MIT behaviour.
    
    [abartlet at samba.org Backported from Heimdal commit 892a1ffcaad98157e945c540b81f65edb14d29bd
    and knownfail added]
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit b0f4455e524cbbfb13202220e7095f466b083a2f)

commit dcbec3eab5253f0c5c9ad30e3a406a4fed4c1d29
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Aug 31 19:42:33 2021 +1200

    tests/krb5: Allow expected_error_mode to be a container type
    
    This allows a range of possible error codes to be checked against, for
    cases when the particular error code returned is not so important.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit ebd673e976aea5dd481a75f180fd526995c4fda0)

commit 8d17a87523bf5d3660840cd5b81738b8b98f61fa
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Aug 27 13:37:16 2021 +1200

    tests/krb5: Add tests for omitting sname in inner request
    
    Note: the test 'test_fast_tgs_inner_no_sname' crashes the MIT KDC.
    
    This is fixed in MIT Krb5 commit d775c95af7606a51bf79547a94fa52ddd1cb7f49
    and was given CVE-2021-37750
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit 24914ae17d49f634fafc1bdeb88859293da05f79)

commit c837f43a9cdd03a1f45913d1e19a71fbb3373af0
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Aug 27 13:26:45 2021 +1200

    tests/krb5: Allow specifying parameters specific to the inner FAST request body
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit c6d7e19ecfb264c6f79df5a20e830e4ea6fdb340)

commit b628cda6604c8bd3552eac7e8ba5d203638e51c2
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Aug 27 13:02:04 2021 +1200

    tests/krb5: Add tests for omitting sname in request
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit bbbb13caf7bd2440c80f4f4775725b7863d16a5b)

commit 83ba64c9106ff5bd53848c46a3f493045db868d4
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Aug 27 13:00:37 2021 +1200

    tests/krb5: Check PADATA-PW-SALT element in e-data
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit 1e4d757394a0bbda587d5ff91801f88539b712b1)

commit 13cb266426646bdbb786aba734a95f25e1bfff2f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Aug 27 13:00:21 2021 +1200

    tests/krb5: Check e-data element for TGS-REP errors without FAST
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit e373c6461a88c44303ea8cdbebc2d78dd15dec4a)

commit 2762a9dcee4e37eb238007558bc790543a796a17
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Sep 1 10:43:06 2021 +1200

    tests/krb5: Remove harmful and a-typical return in as_req testcase
    
    A test in a TestCase class should not return a value, the
    test is determined by the assertions raised.
    
    Other changes will shortly cause kdc_exchange_dict[preauth_etype_info2]
    to not always be filled, so we need to remove this
    redundant code.
    
    This also fixes a *lot* of tests against the MIT KDC
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit 3330eaf39c6174f2d90fe4d8e016efb97005d1e5)

commit f50f9618efa49fc7a2a56b2f1c99fb6b2c0c5bcd
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Jul 29 12:25:06 2021 +1200

    CVE-2021-3671 tests/krb5: Add tests for omitting sname in outer request
    
    Note: Without the previous patch, 'test_fast_tgs_outer_no_sname' would
    crash the Heimdal KDC.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit b8e2515552ffa158fab1e86a39004de4cc419da5)

commit d9de103cc587aa98e0e79781bcb387dac4ee1302
Author: Luke Howard <lukeh at padl.com>
Date:   Fri Aug 27 11:42:48 2021 +1000

    CVE-2021-3671 HEIMDAL kdc: validate sname in TGS-REQ
    
    In tgs_build_reply(), validate the server name in the TGS-REQ is present before
    dereferencing.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    
    [abartlet at samba.org backported from Heimdal
    commit 04171147948d0a3636bc6374181926f0fb2ec83a via reference
    to an earlier patch by Joseph Sutton]
    
    RN: An unauthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ
    
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit 0cb4b939f192376bf5e33637863a91a20f74c5a5)

commit 1ae386bf72564850f0660eb4d9b74076ed74bd91
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Jul 29 16:52:29 2021 +1200

    tests/krb5: Add test for sending PA-ENCRYPTED-CHALLENGE without FAST
    
    Note: This test crashed the MIT KDC prior to MIT commit
    fc98f520caefff2e5ee9a0026fdf5109944b3562 which was given
    CVE-2021-36222.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit 15f9f040fe537ebd30419a4751aa0f13b20f242b)

commit b6496bd599024aefc858d5163d701543585736f3
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Sep 1 14:43:53 2021 +1200

    tests/krb5: Make cname checking less strict
    
    Without this additional 'self.strict_checking' check, the tests in the
    following patches do not get far enough to trigger a crash with the MIT
    KDC.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 36798f5b651a02b74b6844c024101f7a026f1f68)

commit c9b594a1a21ea7b2d02f2b6811206edc1f245471
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Aug 27 13:35:59 2021 +1200

    tests/krb5: Make e-data checking less strict
    
    Without this additional 'self.strict_checking' check, the tests in the
    following patches do not get far enough to trigger a crash with the MIT
    KDC, instead failing when obtaining a TGT for the user or machine.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit 79dda329f2a8382f1e46b50f4b9692e78d687826)

commit ef69ac460bc02c3b0c9d5be12198a858c0472421
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Sep 1 20:53:45 2021 +1200

    Update common on currently supported Fedora versions
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit d9edad89f3b268c6da8f988a42f8cf2a3b697fe7)

commit d0f26d12a9b6b76404b57bd2e23921de94936342
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Sep 1 20:55:40 2021 +1200

    bootstrap: SAMBA_CI_CONTAINER_TAG is now in .gitlab-ci-main.yml
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 5805a7c49aa13b578a717cbbc46460741d325c65)

commit 04cbe284f4e02bd3908b42781c997888e193d253
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Sep 1 20:45:03 2021 +1200

    bootstrap: Update to get newer krb5 on Fedora 34
    
    We need the update FEDORA-2021-20b495cb94 (krb5) to
    get a fix for CVE-2021-37750 (explicit NULL deref on KDC)
    so our CI will pass as we have a test for this.
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit e9c8ac4adbca2f8cb45470ccb45a45039188a285)

commit 2c7d7307ae37b038bf191aeef0c0096f9e58e0bb
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Aug 16 14:46:31 2021 +1200

    mit-kdc: Remove build time support for KDB_API < 10
    
    The previous commits restricted the MIT KDC build to MIT 1.19 and this removes the
    #ifdef in the code of what will become untested code.
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    
    Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
    Autobuild-Date(master): Thu Aug 26 07:05:44 UTC 2021 on sn-devel-184
    
    (cherry picked from commit 9b9fd2a0d9ca81aa16ddfe2f7e219b94e2ac158b)

commit 0cf8c13b94027856e98a1ccd02cb5ef04b8374d9
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Aug 16 14:25:54 2021 +1200

    build: Move minimum MIT krb5 version to 1.19 to align with what is tested
    
    This avoids shipping untested code and aligns with the version
    used in GitLab CI for all the MIT builds.
    
    The "bronze bit" (CVE-2020-17049) security fixes will need
    a new MIT KDB version in any case, this prepares the ground
    by removing the older version support.
    
    (knownfail_mit_kdc updates taken from a patch by
    Andreas Schneider <asn at samba.org> that did this optionally)
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 554bdfa8a04fd95c710b486890277dd92f685f2f)

commit e30483eb2512a1f13c961fab8320fb27fe1e9e98
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Aug 16 13:53:58 2021 +1200

    autobuild.py: Do not build MIT builds by default (eg sn-devel)
    
    This avoids the need for MIT KDC tests and the MIT KDC glue code to
    operate against the older MIT 1.16 found on Ubuntu 18.04, which
    is our current build environment.
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit ff267c3c790c0ae9f276225f67fb543d6371cb53)

commit 1dd8ded8c576e427c2d0432e4317071e6ff0f1ea
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Aug 16 13:52:04 2021 +1200

    gitlab-ci: Move MIT builds to current Fedora so we can test against a current MIT KDC
    
    Fedora packages current MIT builds pretty fast so we base our
    MIT KDC tests there, as this avoids backporting and tests against
    the most current code.
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 649b0741e17909afce762a5b84c1231600eec5f0)

commit 961bdab6647753c1d9512e803321ff3b7a281bdd
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Aug 18 14:59:47 2021 +1200

    gitlab-ci/autobuild: Add new build confirming behaviour on older MIT Kerberos
    
    Because the MIT KDC builds are moving to current MIT and out of the default autobuild
    this ensures that on our default host, which is closer to what most of our
    users operate, Samba still works with Kerberos.
    
    This uses the ktest environment that does not require the KDC to exist
    and instead uses a static ccache and keytab.
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 6145c388d201d817444322dee67ca1ec1989ecd1)

commit e850967129d75f93432baa8fb0d899a366bd02cf
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Aug 16 13:40:39 2021 +1200

    autobuild.py: Explain why each job is removed from the default set
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 167ad96136b42b5cb601decc0fc68c9603c8b172)

commit 521adb2fd3e65d8a6e6276265182958b967be59f
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Aug 23 20:45:50 2021 +1200

    samba-tool domain backup: Use tdbbackup on metadata.tdb
    
    metadata.tdb is inside sam.ldb.d/ but should be backed up with tdbbackup.
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    
    Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
    Autobuild-Date(master): Tue Aug 24 13:22:04 UTC 2021 on sn-devel-184
    
    (cherry picked from commit 78942ad7d17a92cd39d9c46ae1b8348e9673ac30)

commit 2f8295604ce6bf0c7829332ae56f6cfecdb18afa
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Aug 23 18:14:16 2021 +1200

    samba-tool: Rework transations/locks to hold a lock during mdb backup
    
    We now also get sidForRestore under that lock, rather than
    after the backup.
    
    This avoids using the database again after the backup process
    
    While not entirely clear how/why this matters with LMDB
    as seen in Fedora 34, likely due to the same issues
    seen with 0.9.26 or later fixed by commit
    bb3dcd403ced922574a89011dd3814c4fe87dd76.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14676
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit 958931ad379af26dcbc55cfbc49e7886ef8e0550)

commit 21e1a6b48d6c3670f7dad4fa595b39178e77f445
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Aug 23 19:41:15 2021 +1200

    samba-tool domain backup offline: Use passed in samdb when backing up sam.ldb
    
    This avoids opening the database again by having the caller pass in
    the DB open.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14676
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit 423f808ff48e297745f576a52b2118c4b920a3e4)

commit 535bd82604e5a43701c9d307ccb3a5d5cc1192ba
Author: Andreas Schneider <asn at samba.org>
Date:   Thu Jul 15 08:48:37 2021 +0200

    mit-samba: Only set the function opening bracket once
    
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    
    Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
    Autobuild-Date(master): Thu Aug  5 10:33:18 UTC 2021 on sn-devel-184
    
    (cherry picked from commit 104fc3539090ae9e161945ef9d18d897e3b71fed)

commit 13dff7227f41922bbcf66f035ced9f0b371072e6
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Jul 12 13:05:59 2021 +0200

    mit-samba: Use talloc_get_type_abort() instead of casting
    
    This is safer to use and fixes compiler warnings.
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 60159e03850f88cdee332ba65939cfe4582cb5e1)

commit 9698e453ae952af5ce1af09c1cd8e12cc2c3eb94
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Jun 11 16:15:10 2018 +0200

    mit-samba: Send the logging to the kdc log facility
    
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit dd8138236bec3635c25e5b482b7a14faa0a9c36b)

commit 4bf41b6ccf5be2293e104ba921fcc409f123f357
Author: Andreas Schneider <asn at samba.org>
Date:   Wed Jul 14 12:49:11 2021 +0200

    mit-samba: Define debug class for kdb module
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 41d906301b8d13f831b155dcec37d88889b9f36c)

commit 07cfa4d6f95ec83081c3afde7f3e1d871a12d155
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Jul 29 10:58:44 2021 +1200

    tests/krb5: Add FAST tests
    
    Example command:
    
    SERVER=addc STRICT_CHECKING=0 SMB_CONF_PATH=/dev/null \
    KRB5_CONFIG=krb5.conf DOMAIN=ADDOMAIN REALM=ADDOM.SAMBA.EXAMPLE.COM \
    ADMIN_USERNAME=Administrator ADMIN_PASSWORD=locDCpass1 \
    PYTHONPATH=bin/python python/samba/tests/krb5/fast_tests.py
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Wed Aug 18 23:20:14 UTC 2021 on sn-devel-184
    
    (cherry picked from commit 984a0db00c3f2e38b568a75eb1944f4d7bb7f854)

commit 003307b7d340c2bafbbcd1136bedb1d677221eeb
Author: Gary Lockyer <gary at catalyst.net.nz>
Date:   Thu Jun 10 09:56:58 2021 +1200

    initial FAST tests
    
    Currently incomplete, and tested only against MIT Kerberos.
    
    [abartlet at samba.org
     Originally "WIP inital FAST tests"
    
     Samba's general policy is that we don't push WIP patches, we polish
     into a 'perfect' patch stream.
    
     However, I think there are good reasons to keep this patch distinct
     in this particular case.
    
     Gary is being modest in titling this WIP (now removed from the title
     to avoid confusion). They are not WIP in the normal sense of
     partially or untested code or random unfinished thoughts. The primary
     issue is that at that point where Gary had to finish up he had
     trouble getting FAST support enabled on Windows, so couldn't test
     against our standard reference. They are instead good, working
     initial tests written against the RFC and tested against Samba's AD DC
     in the mode backed by MIT Kerberos.
    
     This preserves clear authorship for the two distinct bodies of work,
     as in the next patch Joseph was able to extend and improve the tests
     significantly. ]
    
    Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit b7b62957bdce9929fabd3812b9378bdbd6c12966)

commit 18c2ff9a3c64271b90bca0040f6649bd97803046
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 14:49:58 2021 +1200

    tests/krb5: Check PADATA-FX-ERROR in reply
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit aa2c221f4e1bfc3403de857e62eaeaee1577560c)

commit 54f1f269f0a0469f60a39a6a371f4de349a9cb54
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Jul 29 11:50:16 2021 +1200

    tests/krb5: Allow generic_check_kdc_error() to check inner FAST errors
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 66e1eb58bedf036ad25a868993d44480c4e0e055)

commit d6acfe270d0dbe632dd84f6c47f34cdb97106e67
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 14:50:20 2021 +1200

    tests/krb5: Check PADATA-PAC-OPTIONS in reply
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 0c857f67a3a4a27aa4b799c9a61a1a1b59932c07)

commit 1e9a7cd0a81ebbbb81b3fe336e6e1fff010744f8
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 16:29:39 2021 +1200

    tests/krb5: Make generic_check_kdc_error() also work for checking TGS replies
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 29070e74baa18d94642efcd36930b9bab216e10c)

commit 464a7efe1b243e06bb09b58c4b31cb6fe928ad60
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Jul 28 20:49:25 2021 +1200

    tests/krb5: Make check_rep_padata() also work for checking TGS replies
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit ab4e7028a6ac01eab9531c8a26507a912df54278)

commit 220f76a98ebefc2c2b8384801a4f447978956ffd
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 14:49:12 2021 +1200

    tests/krb5: Check PADATA-FX-COOKIE in reply
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 95b54078c2f82179283dfc397c4ec1f36d5edfe7)

commit 18b587ad53b4b9162f787f08578a40257794b86c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 14:36:56 2021 +1200

    tests/krb5: Check PADATA-ENCRYPTED-CHALLENGE in reply
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 2f7919db395c24f6890ffe4ee46a5e34df95fccd)

commit 904df7418b8a45a31e92e96426cbe0d3af537c17
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 16:42:26 2021 +1200

    tests/krb5: Adjust reply padata checking depending on whether FAST was sent
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 44a44109db96eab08a3da3683c34446bc13b295b)

commit 19aaacb5b2bc1ec12739957072b46370911ab057
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 16:31:39 2021 +1200

    tests/krb5: Check reply FAST padata if request included FAST
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 056fb71832e7aa16132c58ff393ab8b752ef6a93)

commit 5fc7588d3cc6ff98c45f4ad64476f49218666a0e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 16:25:39 2021 +1200

    tests/krb5: Check sname is krbtgt for FAST generic error
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 7a27b75621908a4a6449efaecb54eb20fa45aca0)

commit fc2ec4b9e01eb8173275f3109a049109f6c2a9b5
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 11:15:00 2021 +1200

    tests/krb5: Add get_krbtgt_sname() method
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit dbe98005d5873440063b91e56679937149535be7)

commit 6ed03543ea034dc0ad9d92d9b8515e8cd8ddd60d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 16:26:06 2021 +1200

    tests/krb5: Remove unused variables
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 5edbabeb26e110648d4588c90843e4715ec1ac5c)

commit 2e9c0a7ff2feb5c77329bf023fa32f6d8d0df77b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 16:35:32 2021 +1200

    tests/krb5: Don't expect RC4 in ETYPE-INFO2 for a non-error reply
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 705e45e37f4752e283a80626be10c38b29232359)

commit 4d8b3dcd2f74a4ae59319a9d6a58699c790509fe
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 16:21:14 2021 +1200

    tests/krb5: Add check_rep_padata() method to check padata in reply
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 79b9aac65b7dbdc58275368eae9feb7d87bf6dab)

commit 7628f04aa6425e53a50c42876f5290d1c16812ef
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 15:20:09 2021 +1200

    tests/krb5: Add generate_simple_fast() method to generate FX-FAST padata
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 1389ba346df81c9ea1e1143c4e819212939f6aeb)

commit 5893e9dc6d6908af451e3b601a7c3a8bd67c3be5
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 14:18:29 2021 +1200

    tests/krb5: Include authdata in kdc_exchange_dict
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit ea1ed63e8819926db1cf15974009601c7d37e944)

commit d544371bd15a1b1186faf763ae26eaa92d068de2
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 14:05:59 2021 +1200

    tests/krb5: Add expected_cname_private parameter to kdc_exchange_dict
    
    This is useful for testing the 'hide client names' FAST option.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 2ee87dbf08e66e1dc812430026bfe214f9f5503d)

commit 6457ecee2a95f59378f9160bbad071d928984149
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 14:34:49 2021 +1200

    tests/krb5: Check encrypted-pa-data
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 0c029e780cf16a49c674593e8329eaf3b87aec69)

commit 79972f42603d7e46549221dff957d628eaccc8a5
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 15:21:01 2021 +1200

    tests/krb5: Add methods to determine whether elements were included in the request
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 99e3b909edf27c751b959a3d0b672ddd2b7140e2)

commit 361d9e73d151f2c6127c8b96f4792ccb94d99b4a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 15:20:44 2021 +1200

    tests/krb5: Add functions to get dicts of request padata
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit dc7dac95ec509d90d8372005cd7b13fabd8e64c6)

commit 038921df85e7e64ac798291b3485804899c2ca2a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 14:42:57 2021 +1200

    tests/krb5: Check FAST response
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit d878bd6404d26c8be45bb2016ec206ed79d4ef6e)

commit afd32084e3b8dfbc970dedeb13f736d9bc5d939e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 14:10:13 2021 +1200

    tests/krb5: Add method to verify ticket checksum for FAST
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 4ca05402b36ba13a987b07b2402906764d3cd49b)

commit 846c0132b5201eb806a308a1334c823d3e58a39a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 14:04:37 2021 +1200

    tests/krb5: Add method to check PA-FX-FAST-REPLY
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit b62488113f6053755f9be9faa9b757e7193074fa)

commit 9cc2d4a659c9034ad1c79bea16ad2d016216cb9c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 14:01:36 2021 +1200

    tests/krb5: Allow specifying parameters specific to the outer request body
    
    This is useful for testing FAST.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 16ce1a1d304b87ed5b390fb87a4542c7c9a484fb)

commit 889593908e632848916eeecfddb19e58c5a7a442
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Jul 29 10:33:24 2021 +1200

    tests/krb5: Add FAST armor generation to _generic_kdc_exchange()
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 0df385fc49cc2693c195209936a29e31216df16d)

commit dbf3f3bab68759d42084e55aa865416d983c0fdc
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Jul 29 10:33:10 2021 +1200

    tests/krb5: Modify generate_ap_req() to also generate FAST armor AP-REQ
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 5c2cd71ae704b853a886c8af5e3cf50b53af7f9e)

commit 5f35f5ce1dcc9aca32b3cceead23f972f859c410
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Jul 29 10:19:46 2021 +1200

    tests/krb5: Include authenticator_subkey in AS-REQ exchange dict
    
    This is needed for FAST.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit d554b6dc0f4e14d154e487dc2a842321aa746155)

commit dc778a5f4caa6b48e74be14492b7824ff8c8e5a7
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Jul 28 20:49:12 2021 +1200

    tests/krb5: Rename generic_check_as_error() to generic_check_kdc_error()
    
    This method will also be useful in checking TGS-REP error replies.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 74f332c6f9e31b933837cefee69b219054970713)

commit 943a58fc29fe55090f315a399b3dd0d8dffbb20d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 6 12:49:05 2021 +1200

    tests/krb5: Add methods to calculate keys for FAST
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 080894067469d60e2c71961c2d1c1990ba15b917)

commit 539981fc13b8342f755610d01fc4670c02aa431b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 6 12:47:18 2021 +1200

    tests/krb5: Add method to generate FAST encrypted challenge padata
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit aafc86896969d02ff1daecdf2668bfa642860082)

commit cb609e47d76a86ba3176044bf77ecd8a1177d752
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 6 10:23:26 2021 +1200

    tests/krb5: Add more methods to create ASN1 objects for FAST
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 69a66c0d2a7ed415c8d8acdb8da0f2f3d1abf60d)

commit db22b645c05d4692f47d9e1927bf504ef2ef5a9c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 6 10:21:07 2021 +1200

    tests/krb5: Add more ASN1 definitions for FAST
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit ec702900295100ae4e48ba57242eee6670bf30d6)

commit 98f242cf97f2009df7d50c076ba390d58e06c74d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 13:59:36 2021 +1200

    tests/krb5: Generate AP-REQ for TGS request in _generic_kdc_exchange()
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 025737deb5325d25b2ae4c57583c24ae1d0eca33)

commit 9d8973d3775ac2dd44237fe71549be0cd32d752f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 11:06:35 2021 +1200

    tests/krb5: Ensure generated padata is not None
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit b6f96dd6395a30e15fa906959cbe665757aaba8d)

commit 2898841517e2d58276f3bf2e2207970c7f8dafee
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Jul 28 19:27:02 2021 +1200

    tests/krb5: Add generate_ap_req() method
    
    This method will be useful to generate an AP-REQ for use as FAST armor.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 4824dd4e9f40abcbd4134b79e2b2b8fb960f47e7)

commit 8bc2d8475853c838dd22614a2751c2ede33e1575
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 12:52:42 2021 +1200

    tests/krb5: Check nonce in EncKDCRepPart
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 4951a105b0448854115a7ecc3d867be6f34b0dcf)

commit 9c80f3188c5c6f021ebf999a43d8c8ed90e6b0d3
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 11:39:37 2021 +1200

    tests/krb5: Make checking less strict
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 6df0e406f1f823bf4d65cd478eb6f2424b69adcc)

commit cd4d26b7342e47101c9262386515ba7be19f6cd0
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 11:34:19 2021 +1200

    tests/krb5: Check version number of obtained ticket
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 98dc19e8c817fc66e253e544874a45b17b8bfa7b)

commit 7b859c2ce3ad925552abce6047cdf10bd8f5e4b1
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 14:39:42 2021 +1200

    tests/krb5: Assert that more variables are not None
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 3d1066e923815782036bd11524fda110a2528951)

commit 17fb5d3534a2ab9cb3dfe89aee557492f1fca695
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 10:37:48 2021 +1200

    tests/krb5: Ensure in assertElementPresent() that container elements are not empty
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit ba3c92f77b20e1e0d298cd92399dc69535739c27)

commit 88a3de1f8cd38b0c6cde8388f3553906da19ed7b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 11:06:15 2021 +1200

    tests/krb5: Only allow specifying one of check_rep_fn and check_error_fn
    
    This means that there can no longer be surprises where a test receives a
    reply when it was expecting an error, or vice versa.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 78818655505b3183251940e86270cd40bae73206)

commit c8f98ef1bf7f8fb3fc9eabfef36154bf3556a604
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 10:35:40 2021 +1200

    tests/krb5: Include kdc_options in kdc_exchange_dict
    
    Make kdc_options an element of kdc_exchange_dict instead of a parameter
    to _generic_kdc_exchange(). This allows testing code to adjust the reply
    checking based on the options that were specified in the request.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 8fe9589da2d8fe6f5c47770c618ebabe028f6a95)

commit 2804451db0457872430cc4106b97d07fce5e25b2
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 10:32:52 2021 +1200

    tests/krb5: Always specify expected error code
    
    Now the expected error code is always determined by the test code itself
    rather than by generic_check_as_error().
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 21c64fda8f98d451e028ea483dbe351b1280390c)

commit 9668d0a12aff1dcfadcd5822ba81ab6a1850ad73
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Jul 26 17:19:04 2021 +1200

    tests/krb5: Add check_reply() method to check for AS or TGS reply
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 28fb50f511f3f693709aa9b41c001d6a5f9c3329)

commit 5d4f394865267cacd90589c3bcfb340e610365f0
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Jul 22 16:22:09 2021 +1200

    tests/krb5: Add method to calculate account salt
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit f5689bb8fab82d5fcbdbd3c63b86e7618834aac5)

commit 2f26125a45bc3124022ad8ff5a616147186d4c0c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 6 10:19:57 2021 +1200

    tests/krb5: Add more methods for obtaining machine and service credentials
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 50d743bafc7aa9f7b4688bae652a501001e9fdbb)

commit 8926866e50f159868892851c19fbb5ff4693ad97
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 6 11:25:55 2021 +1200

    tests/krb5: Allow specifying additional details when creating an account
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 4790b6b04ae145a2ebb418dd734487a6ba28a30c)

commit 80904c2493a045435aca71475e2e0c54085e3a38
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Aug 3 15:58:19 2021 +1200

    tests/krb5: Use encryption with admin credentials
    
    This ensures that account creation using admin credentials succeeds.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit ce379edf2e135b105b18d35e24d732389de94291)

commit 8ebde4958f6b1931686e0e5cd3e40e48d786b549
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Jul 22 16:27:17 2021 +1200

    tests/krb5: Add get_EpochFromKerberosTime()
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit bab7503e3043002b1422b00f40cd03a0a29538aa)

commit ad37b892482bc941f45a9e7dd3980c8ef09dfb8a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 14:27:47 2021 +1200

    tests/krb5: Make _test_as_exchange() return value more consistent
    
    Always return the reply and the kdc_exchange_dict so that the caller has
    more potentially useful information.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit fe8912e4a85c5fd614ad3079b041c0e1975958e3)

commit 4f9621dc01d5ea55693c0184c6815f9edf67c63f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 6 12:51:54 2021 +1200

    tests/krb5: Add method to return dict containing padata elements
    
    This makes checking multiple padata elements easier.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit cb332d83008aa97a60eaca9e008054f641d514d6)

commit 790c07f626215b03e37d9063f1db823eb35f6c56
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Jul 26 17:18:38 2021 +1200

    tests/krb5: Add get_enc_timestamp_pa_data_from_key()
    
    This makes it easier to create encrypted timestamp padata when the key
    has already been obtained.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit f5a906f74f9665a894db3c13722022f732180620)

commit 0ad81b04468ea1af8d0b13d96eccb2dfd1740b8d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 6 10:16:01 2021 +1200

    tests/krb5: Refactor get_pa_data()
    
    The function now returns a single padata object rather than a list,
    making it easier to combine multiple padata elements into a request. The
    new name 'get_enc_timestamp_pa_data' also makes it clearer as to what
    the method generates.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 2c80f7f851a7a4ffbcde2c42b2c383b683b67731)

commit 8a465e73ba36ede6e88893740096611a5dd3312f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 6 10:24:52 2021 +1200

    tests/krb5: Allow cf2 to automatically use the enctype of the first key
    
    RFC6113 states: "Unless otherwise specified, the resulting enctype of
    KRB-FX-CF2 is the enctype of k1." This change means the enctype no
    longer has to be specified manually.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit a5e5f8fdfe8b6952592d7d682af893c79080826f)

commit d003d7a3edcff2a64cbcc0e7481941b1ff5c84fd
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 6 11:28:37 2021 +1200

    tests/krb5: Use credentials kvno when creating password key
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 17d5a267298ccd7272e86fd24c2c608511cf46b7)

commit bd1a33d8b09fa0754d4f6c638aef5e03ce886c73
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 15:07:59 2021 +1200

    tests/krb5: Check Kerberos protocol version number
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit d6a242e20004217a0ce02dc4ef620a121e5944da)

commit 5bed0606922952a79f6390f23e431c52b1d930f5
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Jul 28 17:00:09 2021 +1200

    tests/krb5: Expect e-data except when the error code is KDC_ERR_GENERIC
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 8194b2a2611c6b1db2d29ec22c70e14decd1784b)

commit 34b85fc9f02223ef9671287c672592e5be132aa6
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 14:06:29 2021 +1200

    tests/krb5: Fix encpart_decryption_key with MIT KDC
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit a0c6538a97126671f9c7bcf3b581f3d98cbc7fd1)

commit f5bb7f975c21d5e1518ade66ccd44b099d0944b9
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 11:12:34 2021 +1200

    tests/krb5: Fix callback_dict parameter
    
    Items contained in a default-created callback_dict should not be carried
    over between unrelated calls to {as,tgs}_as_exchange_dict().
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit bad5f4ee5fdf64ca9d775233fec24975e0b510bf)

commit 3ace86e524c66131945a736853de57912bcbeae3
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Jul 26 17:14:08 2021 +1200

    tests/krb5: Fix including enc-authorization-data
    
    Remove the EncAuthorizationData parameters from AS_REQ_create(), since
    it should only be present in the TGS-REQ form. Also, fix a call to
    EncryptedData_create() to supply the key usage when creating
    enc-authorization-data.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 67ff72395cec2e5170c0ebae8db416a1f226df72)

commit f191934f14d7bfd20861b37d1449726a1daffcd4
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 13:49:27 2021 +1200

    tests/krb5: Remove magic constants
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit a2b183c179e74634438c85a4b35518836ba59e47)

commit 82158d38ad6a946ae74d7dba88e0a11e35394f06
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Aug 3 15:03:00 2021 +1200

    tests/krb5: Simplify Python syntax
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 41c3e410344280d691e5a21fa5240ef52e71bd2d)

commit 122ed8d3f3e946e950006581c70aeedb71cd6c21
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Aug 2 17:10:32 2021 +1200

    tests/krb5: Use more compact dict lookup
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 38b3a361819c716adb773fb3b4507c28d7d26c0d)

commit 68fc48517722d4747a85cbe83bf9069ba87dd761
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Aug 2 17:01:39 2021 +1200

    tests/krb5: Remove unneeded statements
    
    A return statement is redundant as the last statement in a method, as
    methods will otherwise return None. Also, code blocks consisting of a
    single 'pass' statement can be safely omitted.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 1320ac0f91a9b0fc8156840ec498059ee10b5a2d)

commit 5df6c6850f44d99680f3873773f09d2e1cb3ca59
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Aug 2 17:00:09 2021 +1200

    tests/krb5: formatting
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit df6623363a7ec1a13af48a09e1d29fa8784e825c)

commit 3d751f9cc6ff0fe914e9a4a2b4aec7e39483ac5f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 6 10:17:52 2021 +1200

    tests/krb5: Fix method name typo
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 7013a8edd1f628b8659f0836f3b37ccf13156ae2)

commit 204f2dbcefe58c8e6081ff515c3c0698fcfba7ae
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Jul 22 16:26:17 2021 +1200

    tests/krb5: Fix comment typo
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 9eb4c4b7b1c2e8d124456e6a57262dc9c02d67d4)

commit 424b945426ad666fd1c0654b95f7a33761eec0f5
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Jul 26 17:15:23 2021 +1200

    tests/krb5: Fix ms_kile_client_principal_lookup_test errors
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 4797ced89095155c01e44727cf8b66ee4fb39710)

commit 25b51c3a287caf5243d2728d4410e40627b25ec5
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 20 10:48:41 2021 +1200

    pygensec: Don't modify Python bytes objects
    
    gensec_update() and gensec_unwrap() can both modify their input buffers
    (for example, during the inplace RRC operation on GSSAPI tokens).
    However, buffers obtained from Python bytes objects must not be modified
    in any way. Create a copy of the input buffer so the original isn't
    modified.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 6818d204897d0b7946dcfbedf79cd53fb9b3f159)

commit a90933e820c390bfa5dd2d243f27deb7826fa810
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Jul 19 17:29:39 2021 +1200

    pygensec: Fix memory leaks
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 814df05f8c10e9d82e6082d42ece1df569db4385)

commit 36a99feeafba8e407c353a748ce114945eac9fd6
Author: Andreas Schneider <asn at samba.org>
Date:   Tue Jul 27 13:45:03 2021 +0200

    selftest: Add support for setting ENV variables in plantestsuite()
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 48289b6964d28e153fec885aceca02c6a9b436ef)

commit daab1eba30ae5b27b3e3550352d2c543e6336414
Author: Andreas Schneider <asn at samba.org>
Date:   Tue Jul 27 13:25:59 2021 +0200

    selftest: Add support for setting ENV variables in plansmbtorture4testsuite()
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 3db299e586fd9464b6e1b145f29b10c8ae325d3a)

commit 2dfe335bbe2e4d9d4ff00f31068adb5852ad528d
Author: Andreas Schneider <asn at samba.org>
Date:   Tue Jul 27 08:50:54 2021 +0200

    selftest: Re-format long lines in selftesthelpers.py
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 18976a9568b23759060377d09304e9d7badb143a)

commit a116dec4bb6c47ca5de14df8eb4a7c88fac224ed
Author: Andreas Schneider <asn at samba.org>
Date:   Wed Jul 21 09:32:42 2021 +0200

    bootstrap: Install python3-dateutil instead of python3-iso8601 on RPM distros
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Alexander Bokovoy <ab at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    
    Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
    Autobuild-Date(master): Wed Jul 21 12:18:30 UTC 2021 on sn-devel-184
    
    (cherry picked from commit ee9dfff617ad21d81369d7ef2ea35d7caab82fec)

commit 9ded25beb7e1bae31989bdcd18cea1751428c8c6
Author: Andreas Schneider <asn at samba.org>
Date:   Wed Jul 21 09:17:31 2021 +0200

    python:waf: Correctly check for python-dateutil
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Alexander Bokovoy <ab at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit e51e9d014598241e1cb8b525cce9e9c6b9e4e98f)

commit 8586802eacad0469ec014242b33a0931f0ce5592
Author: Andreas Schneider <asn at samba.org>
Date:   Tue Jul 20 15:55:53 2021 +0200

    bootstrap: Install krb5-workstation on Fedora based distros
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Alexander Bokovoy <ab at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit e0fa3e359f16b26122d49ad79372e3923f5ded77)

-----------------------------------------------------------------------

Summary of changes:
 .gitlab-ci-main.yml                                |   15 +-
 WHATSNEW.txt                                       |   25 +
 bootstrap/README.md                                |    4 +-
 bootstrap/config.py                                |    8 +-
 bootstrap/generated-dists/centos7/bootstrap.sh     |    1 +
 bootstrap/generated-dists/centos7/packages.yml     |    1 +
 bootstrap/generated-dists/centos8/bootstrap.sh     |    1 +
 bootstrap/generated-dists/centos8/packages.yml     |    1 +
 bootstrap/generated-dists/fedora33/bootstrap.sh    |    3 +-
 bootstrap/generated-dists/fedora33/packages.yml    |    3 +-
 bootstrap/generated-dists/fedora34/bootstrap.sh    |    3 +-
 bootstrap/generated-dists/fedora34/packages.yml    |    3 +-
 bootstrap/generated-dists/opensuse151/bootstrap.sh |    1 +
 bootstrap/generated-dists/opensuse151/packages.yml |    1 +
 bootstrap/generated-dists/opensuse152/bootstrap.sh |    3 +-
 bootstrap/generated-dists/opensuse152/packages.yml |    3 +-
 bootstrap/sha1sum.txt                              |    2 +-
 python/samba/netcmd/domain_backup.py               |   54 +-
 python/samba/tests/dcerpc/lsa.py                   |  333 ++++
 python/samba/tests/dsdb_schema_attributes.py       |    6 +-
 .../samba/tests/krb5/as_canonicalization_tests.py  |    4 -
 python/samba/tests/krb5/as_req_tests.py            |  117 +-
 python/samba/tests/krb5/compatability_tests.py     |    4 -
 python/samba/tests/krb5/fast_tests.py              | 1734 ++++++++++++++++++++
 python/samba/tests/krb5/kcrypto.py                 |   12 +-
 python/samba/tests/krb5/kdc_base_test.py           |  193 ++-
 python/samba/tests/krb5/kdc_tests.py               |   27 +-
 python/samba/tests/krb5/kdc_tgs_tests.py           |   18 +-
 .../krb5/ms_kile_client_principal_lookup_tests.py  |   71 +-
 python/samba/tests/krb5/raw_testcase.py            | 1561 ++++++++++++++----
 python/samba/tests/krb5/rfc4120.asn1               |  106 +-
 python/samba/tests/krb5/rfc4120_constants.py       |   44 +
 python/samba/tests/krb5/rfc4120_pyasn1.py          |  100 +-
 python/samba/tests/krb5/s4u_tests.py               |    4 -
 python/samba/tests/krb5/simple_tests.py            |    4 -
 python/samba/tests/krb5/xrealm_tests.py            |    4 -
 python/samba/tests/usage.py                        |    1 +
 python/wscript                                     |   23 +-
 script/autobuild.py                                |   47 +-
 selftest/knownfail_heimdal_kdc                     |   56 +
 selftest/knownfail_mit_kdc                         |  393 +----
 selftest/knownfail_mit_krb5_pre_1_18               |    1 -
 selftest/selftesthelpers.py                        |   42 +-
 selftest/wscript                                   |    3 -
 source4/auth/gensec/gensec_gssapi.c                |    4 +
 source4/auth/gensec/pygensec.c                     |   59 +-
 source4/dsdb/schema/schema_set.c                   |   41 +-
 source4/heimdal/kdc/kerberos5.c                    |    4 +-
 source4/heimdal/kdc/krb5tgs.c                      |    4 +
 source4/kdc/mit-kdb/kdb_samba.h                    |   32 -
 source4/kdc/mit-kdb/kdb_samba_change_pwd.c         |    3 +
 source4/kdc/mit-kdb/kdb_samba_common.c             |    3 +
 source4/kdc/mit-kdb/kdb_samba_masterkey.c          |    3 +
 source4/kdc/mit-kdb/kdb_samba_pac.c                |    3 +
 source4/kdc/mit-kdb/kdb_samba_policies.c           |   42 +-
 source4/kdc/mit-kdb/kdb_samba_principals.c         |   10 +-
 source4/kdc/mit_samba.c                            |   37 +-
 source4/rpc_server/lsa/lsa_lookup.c                |  131 +-
 source4/selftest/tests.py                          |   42 +-
 wscript_configure_system_mitkrb5                   |    4 +-
 60 files changed, 4338 insertions(+), 1124 deletions(-)
 create mode 100644 python/samba/tests/dcerpc/lsa.py
 create mode 100755 python/samba/tests/krb5/fast_tests.py
 delete mode 100644 selftest/knownfail_mit_krb5_pre_1_18


Changeset truncated at 500 lines:

diff --git a/.gitlab-ci-main.yml b/.gitlab-ci-main.yml
index 0979c007dc6..4b2f17938c8 100644
--- a/.gitlab-ci-main.yml
+++ b/.gitlab-ci-main.yml
@@ -42,7 +42,7 @@ variables:
   # Set this to the contents of bootstrap/sha1sum.txt
   # which is generated by bootstrap/template.py --render
   #
-  SAMBA_CI_CONTAINER_TAG: fa3eeb92fb5447524a057a4c377e6960dff626ce
+  SAMBA_CI_CONTAINER_TAG: 733f8fa83c921e5a7ec8f5470b2ca7d52548f4b0
   #
   # We use the ubuntu1804 image as default as
   # it matches what we have on sn-devel-184.
@@ -234,10 +234,14 @@ samba-def-build:
 
 samba-mit-build:
   extends: .shared_template_build_only
+  variables:
+    SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_fedora34}
   stage: build_first
 
 .needs_samba-mit-build:
   extends: .shared_template_test_only
+  variables:
+    SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_fedora34}
   needs:
     - job: samba-mit-build
       artifacts: true
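Review bot: the `SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_fedora34}` override is repeated verbatim under both `samba-mit-build` and `.needs_samba-mit-build` in this hunk, and again under `samba-mitkrb5` in the next one. If one copy is later moved to a newer image and the others are not, the MIT test jobs would consume artifacts built on a different distribution. Consider setting the image once in a hidden template that all MIT Kerberos jobs extend, with a comment saying why these jobs are pinned to Fedora 34 (the WHATSNEW change in this same push gives the reason: MIT Kerberos 1.19 is now the minimum).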
@@ -274,6 +278,8 @@ samba:
 
 samba-mitkrb5:
   extends: .shared_template
+  variables:
+    SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_fedora34}
 
 samba-minimal-smbd:
   extends: .shared_template
@@ -383,6 +389,13 @@ samba-fips:
 samba-fileserver:
   extends: .needs_samba-h5l-build-private
 
+# This is a full build without the AD DC so we test the build with MIT
+# Kerberos from the default system (Ubuntu 18.04 at this stage).
+# Runtime behaviour checked via the ktest (static ccache and keytab)
+# environment
+samba-ktest-mit:
+ extends: .shared_template
+
 samba-ad-dc-1:
   extends: .needs_samba-def-build-private
 
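Review bot: the `extends: .shared_template` line under the new `samba-ktest-mit` job is indented with one space, while every other job visible in this file uses two. YAML accepts it, but the inconsistency is easy to trip over when the job later gains a `variables:` or `needs:` block copied from a neighbour. Re-indent to two spaces. The comment above the job also says "Ubuntu 18.04 at this stage"; since that depends on the default image chosen elsewhere in the file, point at that setting so the comment does not go stale silently.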
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index d2c25df89ff..2f3e1422485 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -52,6 +52,14 @@ Starting from Jan 21th 2021, all Samba releases will be signed with the new key.
 
 See also GPG_AA99442FB680B620_replaces_6F33915B6568B7EA.txt
 
+New minimum version for the experimental MIT KDC
+------------------------------------------------
+
+The build of the AD DC using the system MIT Kerberos, an
+experimental feature, now requires MIT Kerberos 1.19.  An up-to-date
+Fedora 34 has this version and has backported fixes for the KDC crash
+bugs CVE-2021-37750 and CVE-2021-36222
+
 
 NEW FEATURES/CHANGES
 ====================
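Review bot: the added release note names Fedora 34 as having the required MIT Kerberos 1.19 with the CVE-2021-37750 and CVE-2021-36222 fixes backported, but gives administrators on other distributions nothing to check against. State explicitly that the system MIT Kerberos must be at least 1.19 and must carry fixes for both CVEs, whatever the distribution. The final sentence is also missing its full stop after "CVE-2021-36222".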
@@ -274,6 +282,23 @@ Windows.
 'samba-tool dns update' is now a bit more careful in rejecting and
 warning you about malformed IPv4 and IPv6 addresses.
 
+CVE-2021-3671: Crash in Heimdal KDC and updated security release policy
+-----------------------------------------------------------------------
+
+An unuthenticated user can crash the AD DC KDC by omitting the server
+name in a TGS-REQ.  Per Samba's updated security process a specific
+security release was not made for this issue as it is a recoverable
+Denial Of Service.
+
+See https://wiki.samba.org/index.php/Samba_Security_Proces
+
+samba-tool domain backup offline with the LMDB backend
+------------------------------------------------------
+
+samba-tool domain backup offline, when operating with the LMDB backend
+now correctly takes out locks against concurrent modification of the
+database during the backup.  If you use this tool on a Samba AD DC
+using LMDB, you should upgrade to this release for safer backups.
 
 REMOVED FEATURES
 ================
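Review bot: the CVE-2021-3671 entry has two errors that will ship in the release notes. "unuthenticated" should be "unauthenticated", and the URL on the "See" line ends in `Samba_Security_Proces`, which looks truncated and will not lead readers to the policy the paragraph relies on. Since this paragraph is the only notice users get for the issue (no separate security release was made), it is worth getting the link right. Minor: "backup offline, when operating with the LMDB backend now correctly" needs a comma after "backend", and the new text leaves one blank line before `REMOVED FEATURES` where the previous section break had two.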
diff --git a/bootstrap/README.md b/bootstrap/README.md
index 47ef1c67836..44a354de545 100644
--- a/bootstrap/README.md
+++ b/bootstrap/README.md
@@ -13,7 +13,7 @@ A pure python3 module with CLI to bootstrap Samba envs for multiple distribution
 ## Supported Distributions
 
 deb: Debian 10, Ubuntu 1604|1804|2004
-rpm: CentOS 7|8, Fedora 32|33, openSUSE Leap 15.1|15.2
+rpm: CentOS 7|8, Fedora 33|34, openSUSE Leap 15.1|15.2
 
 Easy to add more.
 
@@ -32,7 +32,7 @@ Just calculate the sha1sum for consistency checks:
  bootstrap/template.py --sha1sum
 
 The checksum needs to be added as `SAMBA_CI_CONTAINER_TAG` in
-the toplevel .gitlab-ci.yml file.
+the toplevel .gitlab-ci-main.yml file.
 
 ## User Stories
 
diff --git a/bootstrap/config.py b/bootstrap/config.py
index b5d04d4e371..ba4304bb9f8 100644
--- a/bootstrap/config.py
+++ b/bootstrap/config.py
@@ -20,6 +20,9 @@ Manage dependencies and bootstrap environments for Samba.
 
 Config file for packages and templates.
 
+Update the lists in this file to require new packages in the
+container images used in GitLab CI
+
 Author: Joe Guo <joeg at catalyst.net.nz>
 """
 import os
@@ -116,7 +119,7 @@ PKGS = [
     ('bind9utils', 'bind-utils'),
     ('dnsutils', ''),
     ('xsltproc', 'libxslt'),
-    ('krb5-user', ''),
+    ('krb5-user', 'krb5-workstation'),
     ('krb5-config', ''),
     ('krb5-kdc', 'krb5-server'),
     ('apt-utils', 'yum-utils'),
@@ -485,6 +488,7 @@ RPM_DISTS = {
             'lsb-release': 'redhat-lsb',
             'libsemanage-python': 'python3-libsemanage',
             'policycoreutils-python': 'python3-policycoreutils',
+            'python3-iso8601': 'python3-dateutil',
         }
     },
     'fedora34': {
@@ -496,6 +500,7 @@ RPM_DISTS = {
             'libsemanage-python': 'python3-libsemanage',
             'policycoreutils-python': 'python3-policycoreutils',
             'perl-FindBin': '',
+            'python3-iso8601': 'python3-dateutil',
             'libtracker-sparql-2.0-dev': '', # only tracker 3.x is available
         }
     },
@@ -552,6 +557,7 @@ RPM_DISTS = {
             'perl-interpreter': '',
             'perl-FindBin': '',
             'procps-ng': 'procps',
+            'python3-iso8601': 'python3-python-dateutil',
             'python3-dns': 'python3-dnspython',
             'python3-markdown': 'python3-Markdown',
             'quota-devel': '',
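Review bot: the `'python3-iso8601': 'python3-python-dateutil'` entry here, like the `'python3-iso8601': 'python3-dateutil'` entries in the two preceding hunks, substitutes a different library through a table that otherwise reads as per-distribution renames of the same package. Nothing in the file tells a reader this is deliberate. Add a short comment next to each override (or once, above `RPM_DISTS`) stating that RPM-based images install dateutil in place of iso8601, so a later cleanup does not "correct" the mapping back.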
diff --git a/bootstrap/generated-dists/centos7/bootstrap.sh b/bootstrap/generated-dists/centos7/bootstrap.sh
index 00dd22b891f..36913f40b44 100755
--- a/bootstrap/generated-dists/centos7/bootstrap.sh
+++ b/bootstrap/generated-dists/centos7/bootstrap.sh
@@ -45,6 +45,7 @@ yum install -y \
     keyutils-libs-devel \
     krb5-devel \
     krb5-server \
+    krb5-workstation \
     lcov \
     libacl-devel \
     libarchive-devel \
diff --git a/bootstrap/generated-dists/centos7/packages.yml b/bootstrap/generated-dists/centos7/packages.yml
index 3f5e8331b40..4da3d61441f 100644
--- a/bootstrap/generated-dists/centos7/packages.yml
+++ b/bootstrap/generated-dists/centos7/packages.yml
@@ -31,6 +31,7 @@ packages:
   - keyutils-libs-devel
   - krb5-devel
   - krb5-server
+  - krb5-workstation
   - lcov
   - libacl-devel
   - libarchive-devel
diff --git a/bootstrap/generated-dists/centos8/bootstrap.sh b/bootstrap/generated-dists/centos8/bootstrap.sh
index a3079982dda..60cf3937cf7 100755
--- a/bootstrap/generated-dists/centos8/bootstrap.sh
+++ b/bootstrap/generated-dists/centos8/bootstrap.sh
@@ -54,6 +54,7 @@ yum install -y \
     keyutils-libs-devel \
     krb5-devel \
     krb5-server \
+    krb5-workstation \
     libacl-devel \
     libarchive-devel \
     libattr-devel \
diff --git a/bootstrap/generated-dists/centos8/packages.yml b/bootstrap/generated-dists/centos8/packages.yml
index 2994e81640a..f5d0ac5ffe6 100644
--- a/bootstrap/generated-dists/centos8/packages.yml
+++ b/bootstrap/generated-dists/centos8/packages.yml
@@ -34,6 +34,7 @@ packages:
   - keyutils-libs-devel
   - krb5-devel
   - krb5-server
+  - krb5-workstation
   - libacl-devel
   - libarchive-devel
   - libattr-devel
diff --git a/bootstrap/generated-dists/fedora33/bootstrap.sh b/bootstrap/generated-dists/fedora33/bootstrap.sh
index 106bd09ede8..52e199f6b88 100755
--- a/bootstrap/generated-dists/fedora33/bootstrap.sh
+++ b/bootstrap/generated-dists/fedora33/bootstrap.sh
@@ -45,6 +45,7 @@ dnf install -y \
     keyutils-libs-devel \
     krb5-devel \
     krb5-server \
+    krb5-workstation \
     lcov \
     libacl-devel \
     libarchive-devel \
@@ -86,10 +87,10 @@ dnf install -y \
     psmisc \
     python3 \
     python3-cryptography \
+    python3-dateutil \
     python3-devel \
     python3-dns \
     python3-gpg \
-    python3-iso8601 \
     python3-libsemanage \
     python3-markdown \
     python3-policycoreutils \
diff --git a/bootstrap/generated-dists/fedora33/packages.yml b/bootstrap/generated-dists/fedora33/packages.yml
index 9fa48ad4502..d9cbfbd80db 100644
--- a/bootstrap/generated-dists/fedora33/packages.yml
+++ b/bootstrap/generated-dists/fedora33/packages.yml
@@ -34,6 +34,7 @@ packages:
   - keyutils-libs-devel
   - krb5-devel
   - krb5-server
+  - krb5-workstation
   - lcov
   - libacl-devel
   - libarchive-devel
@@ -75,10 +76,10 @@ packages:
   - psmisc
   - python3
   - python3-cryptography
+  - python3-dateutil
   - python3-devel
   - python3-dns
   - python3-gpg
-  - python3-iso8601
   - python3-libsemanage
   - python3-markdown
   - python3-policycoreutils
diff --git a/bootstrap/generated-dists/fedora34/bootstrap.sh b/bootstrap/generated-dists/fedora34/bootstrap.sh
index 6686ab19250..de5a9670601 100755
--- a/bootstrap/generated-dists/fedora34/bootstrap.sh
+++ b/bootstrap/generated-dists/fedora34/bootstrap.sh
@@ -45,6 +45,7 @@ dnf install -y \
     keyutils-libs-devel \
     krb5-devel \
     krb5-server \
+    krb5-workstation \
     lcov \
     libacl-devel \
     libarchive-devel \
@@ -85,10 +86,10 @@ dnf install -y \
     psmisc \
     python3 \
     python3-cryptography \
+    python3-dateutil \
     python3-devel \
     python3-dns \
     python3-gpg \
-    python3-iso8601 \
     python3-libsemanage \
     python3-markdown \
     python3-policycoreutils \
diff --git a/bootstrap/generated-dists/fedora34/packages.yml b/bootstrap/generated-dists/fedora34/packages.yml
index 1e488823dda..749f30dfc0e 100644
--- a/bootstrap/generated-dists/fedora34/packages.yml
+++ b/bootstrap/generated-dists/fedora34/packages.yml
@@ -34,6 +34,7 @@ packages:
   - keyutils-libs-devel
   - krb5-devel
   - krb5-server
+  - krb5-workstation
   - lcov
   - libacl-devel
   - libarchive-devel
@@ -74,10 +75,10 @@ packages:
   - psmisc
   - python3
   - python3-cryptography
+  - python3-dateutil
   - python3-devel
   - python3-dns
   - python3-gpg
-  - python3-iso8601
   - python3-libsemanage
   - python3-markdown
   - python3-policycoreutils
diff --git a/bootstrap/generated-dists/opensuse151/bootstrap.sh b/bootstrap/generated-dists/opensuse151/bootstrap.sh
index 2271e2ea8b2..e4771284f4d 100755
--- a/bootstrap/generated-dists/opensuse151/bootstrap.sh
+++ b/bootstrap/generated-dists/opensuse151/bootstrap.sh
@@ -40,6 +40,7 @@ zypper --non-interactive install \
     hostname \
     htop \
     keyutils-devel \
+    krb5-client \
     krb5-devel \
     krb5-server \
     lcov \
diff --git a/bootstrap/generated-dists/opensuse151/packages.yml b/bootstrap/generated-dists/opensuse151/packages.yml
index 5710c60bd8b..d465252e26b 100644
--- a/bootstrap/generated-dists/opensuse151/packages.yml
+++ b/bootstrap/generated-dists/opensuse151/packages.yml
@@ -28,6 +28,7 @@ packages:
   - hostname
   - htop
   - keyutils-devel
+  - krb5-client
   - krb5-devel
   - krb5-server
   - lcov
diff --git a/bootstrap/generated-dists/opensuse152/bootstrap.sh b/bootstrap/generated-dists/opensuse152/bootstrap.sh
index ae766095a4d..534ff66896f 100755
--- a/bootstrap/generated-dists/opensuse152/bootstrap.sh
+++ b/bootstrap/generated-dists/opensuse152/bootstrap.sh
@@ -40,6 +40,7 @@ zypper --non-interactive install \
     hostname \
     htop \
     keyutils-devel \
+    krb5-client \
     krb5-devel \
     krb5-server \
     lcov \
@@ -87,8 +88,8 @@ zypper --non-interactive install \
     python3-devel \
     python3-dnspython \
     python3-gpg \
-    python3-iso8601 \
     python3-pyasn1 \
+    python3-python-dateutil \
     python3-setproctitle \
     readline-devel \
     rng-tools \
diff --git a/bootstrap/generated-dists/opensuse152/packages.yml b/bootstrap/generated-dists/opensuse152/packages.yml
index 6bc1a137ca7..05b3779a2fd 100644
--- a/bootstrap/generated-dists/opensuse152/packages.yml
+++ b/bootstrap/generated-dists/opensuse152/packages.yml
@@ -28,6 +28,7 @@ packages:
   - hostname
   - htop
   - keyutils-devel
+  - krb5-client
   - krb5-devel
   - krb5-server
   - lcov
@@ -75,8 +76,8 @@ packages:
   - python3-devel
   - python3-dnspython
   - python3-gpg
-  - python3-iso8601
   - python3-pyasn1
+  - python3-python-dateutil
   - python3-setproctitle
   - readline-devel
   - rng-tools
diff --git a/bootstrap/sha1sum.txt b/bootstrap/sha1sum.txt
index e198e6b80ae..e433f698b68 100644
--- a/bootstrap/sha1sum.txt
+++ b/bootstrap/sha1sum.txt
@@ -1 +1 @@
-fa3eeb92fb5447524a057a4c377e6960dff626ce
+733f8fa83c921e5a7ec8f5470b2ca7d52548f4b0
diff --git a/python/samba/netcmd/domain_backup.py b/python/samba/netcmd/domain_backup.py
index 5cccccd40ec..81738196385 100644
--- a/python/samba/netcmd/domain_backup.py
+++ b/python/samba/netcmd/domain_backup.py
@@ -1004,7 +1004,12 @@ class cmd_domain_backup_offline(samba.netcmd.Command):
 
     # sam.ldb must have a transaction started on it before backing up
     # everything in sam.ldb.d with the appropriate backup function.
+    #
+    # Obtains the sidForRestore (SID for the new DC) and returns it
+    # from under the transaction
     def backup_smb_dbs(self, private_dir, samdb, lp, logger):
+        sam_ldb_path = os.path.join(private_dir, 'sam.ldb')
+
         # First, determine if DB backend is MDB.  Assume not unless there is a
         # 'backendStore' attribute on @PARTITION containing the text 'mdb'
         store_label = "backendStore"
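Review bot: the comment block above backup_smb_dbs() now documents the return value, but its first sentence still says sam.ldb "must have a transaction started on it", which no longer matches the MDB path, where the next hunk takes a read lock through samdb.search_iterator() instead. Suggest turning the block into a docstring that names both locking modes (write transaction for TDB, read lock for MDB) and states that the returned value is the SID from get_sid_for_restore(), read while that lock is still held.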
@@ -1012,16 +1017,28 @@ class cmd_domain_backup_offline(samba.netcmd.Command):
                            attrs=[store_label])
         mdb_backend = store_label in res[0] and str(res[0][store_label][0]) == 'mdb'
 
-        sam_ldb_path = os.path.join(private_dir, 'sam.ldb')
+        # This is needed to keep this variable in scope until the end
+        # of the transaction.
+        res_iterator = None
+
         copy_function = None
         if mdb_backend:
             logger.info('MDB backend detected.  Using mdb backup function.')
             copy_function = self.offline_mdb_copy
+
+            # We can't backup with a write transaction open, so get a
+            # read lock with a search_iterator().
+            #
+            # We have tests in lib/ldb/tests/python/api.py that the
+            # search iterator takes a read lock effective against a
+            # transaction.  This in turn will ensure there are no
+            # transactions on either the main or sub-database, even if
+            # the read locks were not enforced globally (they are).
+            res_iterator = samdb.search_iterator()
         else:
             logger.info('Starting transaction on ' + sam_ldb_path)
             copy_function = self.offline_tdb_copy
-            sam_obj = Ldb(sam_ldb_path, lp=lp, flags=ldb.FLG_DONT_CREATE_DB)
-            sam_obj.transaction_start()
+            samdb.transaction_start()
 
         logger.info('   backing up ' + sam_ldb_path)
         self.offline_tdb_copy(sam_ldb_path)
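Review bot: in the mdb_backend branch the read lock exists only as a side effect of keeping res_iterator referenced, and unlike the else branch, which logs 'Starting transaction on ', nothing is logged when it is taken. Suggest a matching logger.info() line for the read lock so a backup log shows which isolation was in effect. Separately, the removed Ldb(sam_ldb_path, lp=lp, ...) call was the only use of lp in the lines shown here; if nothing else in the function needs it, drop the parameter or note why it stays.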
@@ -1031,12 +1048,22 @@ class cmd_domain_backup_offline(samba.netcmd.Command):
             if sam_file.endswith('.ldb'):
                 logger.info('   backing up locked/related file ' + sam_file)
                 copy_function(sam_file)
+            elif sam_file.endswith('.tdb'):
+                logger.info('   tdbbackup of locked/related file ' + sam_file)
+                self.offline_tdb_copy(sam_file)
             else:
                 logger.info('   copying locked/related file ' + sam_file)
                 shutil.copyfile(sam_file, sam_file + self.backup_ext)
 
-        if not mdb_backend:
-            sam_obj.transaction_cancel()
+        sid = get_sid_for_restore(samdb, logger)
+
+        if mdb_backend:
+            # Delete the iterator, release the read lock
+            del(res_iterator)
+        else:
+            samdb.transaction_cancel()
+
+        return sid
 
     # Find where a path should go in the fixed backup archive structure.
     def get_arc_path(self, path, conf_paths):
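Review bot: nothing between taking the lock and the release at the end of this hunk is wrapped in try/finally, so an exception from copy_function(), self.offline_tdb_copy(), shutil.copyfile() or get_sid_for_restore() skips both samdb.transaction_cancel() and the deletion of res_iterator. Suggest putting the copy loop and the get_sid_for_restore() call in a try block and doing the release in finally, so a failed backup does not return with the transaction or read lock still held on sam.ldb. Style: del is a statement, so write "del res_iterator" rather than "del(res_iterator)".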
@@ -1072,9 +1099,6 @@ class cmd_domain_backup_offline(samba.netcmd.Command):
 
         check_targetdir(logger, targetdir)
 
-        samdb = SamDB(url=paths.samdb, session_info=system_session(), lp=lp,
-                      flags=ldb.FLG_RDONLY)
-
         # Iterating over the directories in this specific order ensures that
         # when the private directory contains hardlinks that are also contained
         # in other directories to be backed up (such as in paths.binddns_dir),
@@ -1117,17 +1141,23 @@ class cmd_domain_backup_offline(samba.netcmd.Command):
 
                     all_files.append(full_path)
 
+        # We would prefer to open with FLG_RDONLY but then we can't
+        # start a transaction which is the strong isolation we want
+        # for the backup.
+        samdb = SamDB(url=paths.samdb, session_info=system_session(), lp=lp,
+                      flags=ldb.FLG_DONT_CREATE_DB)
+
         # Backup secrets, sam.ldb and their downstream files
         self.backup_secrets(paths.private_dir, lp, logger)
-        self.backup_smb_dbs(paths.private_dir, samdb, lp, logger)
+        sid = self.backup_smb_dbs(paths.private_dir, samdb, lp, logger)
 
         # Get the domain SID so we can later place it in the backup
         dom_sid_str = samdb.get_domain_sid()
         dom_sid = security.dom_sid(dom_sid_str)
 
-        sid = get_sid_for_restore(samdb, logger)
-
-        # Close the original samdb
+        # Close the original samdb, to avoid any confusion, we will
+        # not use this any more as the data has all been copied under
+        # the transaction
         samdb = None
 
         # Open the new backed up samdb, flag it as backed up, and write
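Review bot: samdb.get_domain_sid() in the unchanged context still runs after backup_smb_dbs() has returned, which is after the transaction was cancelled or the read lock released, while the reworded comment just below says the data "has all been copied under the transaction". Either fetch the domain SID inside backup_smb_dbs() next to get_sid_for_restore(), or have the comment say that this one read happens outside the lock and why that is acceptable. The handle is also now opened with ldb.FLG_DONT_CREATE_DB in place of ldb.FLG_RDONLY; the new comment gives the reason, and it is worth checking that nothing on this path other than transaction_start() and transaction_cancel() relies on the writable handle.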
diff --git a/python/samba/tests/dcerpc/lsa.py b/python/samba/tests/dcerpc/lsa.py
new file mode 100644
index 00000000000..4377c42e9b8
--- /dev/null
+++ b/python/samba/tests/dcerpc/lsa.py
@@ -0,0 +1,333 @@


-- 
Samba Shared Repository


