[SCM] Samba Shared Repository - branch master updated
Andrew Bartlett
abartlet at samba.org
Thu Mar 17 01:37:01 UTC 2022
The branch, master has been updated
via def505e68be wafsamba: Fix call to sorted()
via 005866b1092 s4-smbtorture: Fix typo in assertion message
via 27dd0afb62d python/ntacls.py: Fix ACE type comparison
via 52afaa0ceb5 s4:policy: Fix ACE type comparison
via 95abdbcbb8c dsdb audit tests: Use assert_in_range() for comparing timestamps
via 591db0ccc09 dsdb audit tests: Fix flapping test
via 2a8ae72bc01 samba-tool: Fix typo
via c4ecb66715c s4:kdc: Use samba_kdc_update_pac() in Heimdal DB plugin
via 1a28d97fefe s4:kdc: Remove trailing whitespace in wdc-samba4.c
via 2380c7eab4d s4:kdc: Remove ks_is_tgs_principal()
via c78f5b724be s4:kdc: Use samba_kdc_update_pac() in mit_samba_update_pac()
via b59c55e0528 s4:kdc: Use samba_kdc_update_pac() in mit_samba_reget_pac()
via 0828cbd4bfe s4:kdc: Implement common samba_kdc_update_pac()
via 27554581c1d s4:kdc: Make pac parameter of samba_client_requested_pac() const
via 95cdbe1724f s4:kdc: Cleanup include files in pac-glue.c
via a84cabf4711 lib:krb5_wrap: Implement smb_krb5_principal_is_tgs()
via 1f24724b24e auth: Add required headers to auth_sam_reply.h
via 27dd3d9fca0 s4:kdc: Fix comparison in samba_kdc_check_s4u2proxy()
via 70b4660c208 s4:kdc: Make sure ret is set if we goto bad_option
via 94e9b338338 s4:kdc: Fix return code in mit_samba_update_pac()
via 18dbdf6aace python:tests: Fix type error in raw_testcase.py
via 5294dc80090 s4:kdc: tunnel the check_client_access status to hdb_samba4_audit()
via b01388da8a7 s4-kdc: Handle previously unhandled auth event types
from 70b9977a46e s3:libsmb: Fix errno for failed authentication in SMBC_server_internal()
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit def505e68be66e0179a345d3f7e2bd930712e150
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Feb 15 20:05:55 2022 +1300
wafsamba: Fix call to sorted()
In Python 3, sorted() does not take a 'cmp' parameter, so we need to use
the 'key' parameter instead.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Thu Mar 17 01:36:59 UTC 2022 on sn-devel-184
commit 005866b10922c8dd59d334f1a77712be33213986
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Feb 15 09:25:38 2022 +1300
s4-smbtorture: Fix typo in assertion message
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 27dd0afb62d4f7427c966e984c7c8b01bc4d93b5
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Mar 4 16:11:42 2022 +1300
python/ntacls.py: Fix ACE type comparison
SEC_ACE_TYPE_ values are not flags, so this comparison does not behave
as intended. Modify the check to more closely match the one in
gp_create_gpt_security_descriptor().
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 52afaa0ceb5f2a372c075f64c5ae445621263b36
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Mar 2 17:14:42 2022 +1300
s4:policy: Fix ACE type comparison
SEC_ACE_TYPE_ values are not flags, so this comparison does not behave
as intended. Modify the check to more closely match the comment.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 95abdbcbb8c96bb58aa1fe08ddc5c8280e9e6a30
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Mar 17 11:20:45 2022 +1300
dsdb audit tests: Use assert_in_range() for comparing timestamps
This can make the code clearer. assert_in_range() takes only integer
parameters, but POSIX allows us to assume that time_t is an integer.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 591db0ccc090f49c74dff8dab6a7240432d03024
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Sep 28 20:42:36 2021 +1300
dsdb audit tests: Fix flapping test
Use gettimeofday() to obtain the current time for comparison, to be
consistent with audit_logging.c. On Linux, time() may occasionally
return a smaller value than gettimeofday(), despite being called later.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 2a8ae72bc0125e22b2637b961ca3b03a16774dcb
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Mar 18 19:22:52 2021 +1300
samba-tool: Fix typo
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit c4ecb66715caec7cb900f6bdf6b7ad749c4ef037
Author: Andreas Schneider <asn at samba.org>
Date: Mon Mar 7 10:41:41 2022 +0100
s4:kdc: Use samba_kdc_update_pac() in Heimdal DB plugin
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit 1a28d97fefed6391e4d4e9c37b51baac598a66cc
Author: Andreas Schneider <asn at samba.org>
Date: Mon Mar 7 13:15:08 2022 +0100
s4:kdc: Remove trailing whitespace in wdc-samba4.c
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit 2380c7eab4d5fea7ca3f284482429b914b84c900
Author: Andreas Schneider <asn at samba.org>
Date: Tue Mar 15 07:33:57 2022 +0100
s4:kdc: Remove ks_is_tgs_principal()
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit c78f5b724be429ad313adc7215cd42b2a3eddb2c
Author: Andreas Schneider <asn at samba.org>
Date: Tue Mar 8 07:34:16 2022 +0100
s4:kdc: Use samba_kdc_update_pac() in mit_samba_update_pac()
This is for MIT Kerberos >= 1.20.
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit b59c55e0528a7319d825df33fd7f8ddac694ab93
Author: Andreas Schneider <asn at samba.org>
Date: Thu Mar 10 17:20:46 2022 +0100
s4:kdc: Use samba_kdc_update_pac() in mit_samba_reget_pac()
This is for MIT Kerberos <= 1.19
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit 0828cbd4bfe0340dd05a8e47eca647d134863d2e
Author: Andreas Schneider <asn at samba.org>
Date: Mon Mar 7 10:24:14 2022 +0100
s4:kdc: Implement common samba_kdc_update_pac()
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit 27554581c1d870f7dd95e2ea984b4ac71b2014ce
Author: Andreas Schneider <asn at samba.org>
Date: Mon Mar 7 10:23:18 2022 +0100
s4:kdc: Make pac parameter of samba_client_requested_pac() const
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit 95cdbe1724f8bbf8f98f26b2271e8f1a64dbe18a
Author: Andreas Schneider <asn at samba.org>
Date: Mon Mar 7 07:45:03 2022 +0100
s4:kdc: Cleanup include files in pac-glue.c
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit a84cabf471198b19d24b74c1deae9d49049823dc
Author: Andreas Schneider <asn at samba.org>
Date: Tue Mar 15 07:30:03 2022 +0100
lib:krb5_wrap: Implement smb_krb5_principal_is_tgs()
This will be used later and allows us to remove static implementations.
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit 1f24724b24e04ee4ac1bdf44f83a4f4e19497856
Author: Andreas Schneider <asn at samba.org>
Date: Mon Mar 7 10:25:38 2022 +0100
auth: Add required headers to auth_sam_reply.h
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit 27dd3d9fca094e19803bc0b934ff4c873138eb6a
Author: Andreas Schneider <asn at samba.org>
Date: Mon Mar 7 16:02:18 2022 +0100
s4:kdc: Fix comparison in samba_kdc_check_s4u2proxy()
CID 1502873: Control flow issues (NO_EFFECT)
>>> This greater-than-or-equal-to-zero comparison of an unsigned value is always
true. "el->num_values >= 0U".
This is probably just a paranoia check as num_values should be set to at least
1 if we have an LDAP entry.
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit 70b4660c2089bff25f3c56d3f918491799417999
Author: Andreas Schneider <asn at samba.org>
Date: Tue Mar 8 15:04:34 2022 +0100
s4:kdc: Make sure ret is set if we goto bad_option
The ret variable is just used to set the error message for logging.
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit 94e9b338338bc55312e4cb481a36d583066995cf
Author: Andreas Schneider <asn at samba.org>
Date: Tue Mar 8 08:43:07 2022 +0100
s4:kdc: Fix return code in mit_samba_update_pac()
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit 18dbdf6aace6e37f294781fe7e379da87558992a
Author: Andreas Schneider <asn at samba.org>
Date: Mon Mar 7 11:22:29 2022 +0100
python:tests: Fix type error in raw_testcase.py
This fixes a lot of tests with Python 3.8. Stacktrace example:
File "python/samba/tests/krb5/as_req_tests.py", line 249, in test_as_req_enc_timestamp_rc4_dummy
self._run_as_req_enc_timestamp(
File "python/samba/tests/krb5/as_req_tests.py", line 129, in _run_as_req_enc_timestamp
as_rep, kdc_exchange_dict = self._test_as_exchange(
File "python/samba/tests/krb5/raw_testcase.py", line 3982, in _test_as_exchange
rep = self._generic_kdc_exchange(kdc_exchange_dict,
File "python/samba/tests/krb5/raw_testcase.py", line 2029, in _generic_kdc_exchange
return check_rep_fn(kdc_exchange_dict, callback_dict, rep)
File "python/samba/tests/krb5/raw_testcase.py", line 2328, in generic_check_kdc_rep
self.check_reply_padata(kdc_exchange_dict,
File "python/samba/tests/krb5/raw_testcase.py", line 2998, in check_reply_padata
got_patypes = tuple(pa['padata-type'] for pa in rep_padata)
TypeError: 'NoneType' object is not iterable
This adds additional checks for rep_padata.
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit 5294dc80090482d5669126802672eb2c89e269cf
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Mar 16 09:21:03 2022 +0100
s4:kdc: tunnel the check_client_access status to hdb_samba4_audit()
Otherwise useful information gets lost while converting
from NTSTATUS to krb5_error and back to NTSTATUS again.
E.g. NT_STATUS_ACCOUNT_DISABLED would be audited as
NT_STATUS_ACCOUNT_LOCKED_OUT.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15015
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit b01388da8a72c11c46bb27e773b354520bc6ac88
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Mar 15 15:34:34 2022 +1300
s4-kdc: Handle previously unhandled auth event types
Cases to handle KDC_AUTH_EVENT_VALIDATED_LONG_TERM_KEY and
KDC_AUTH_EVENT_PREAUTH_SUCCEEDED were removed in:
commit 791be84c3eecb95e03611458e2305bae272ba267
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Mar 2 10:10:08 2022 +1300
s4:kdc: hdb_samba4_audit() is only called once per request
Normally these auth event types are overwritten with the
KDC_AUTH_EVENT_CLIENT_AUTHORIZED event type, but if a client passes the
pre-authentication check, and happens to fail the client access check
(e.g. because the account is disabled), we get error messages of the
form:
hdb_samba4_audit: Unhandled hdb_auth_status=9 => INTERNAL_ERROR
To avoid such errors, use the error code provided in the request
structure to obtain a relevant status code in cases not handled
explicitly.
For unexpected values we return KRB5KRB_ERR_GENERIC
in order to hopefully prevent success. And within make test
we panic in order to let a CI run fail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15015
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
-----------------------------------------------------------------------
Summary of changes:
auth/auth_sam_reply.h | 4 +
buildtools/wafsamba/samba_deps.py | 6 +-
lib/krb5_wrap/krb5_samba.c | 28 +
lib/krb5_wrap/krb5_samba.h | 3 +
python/samba/netcmd/domain.py | 2 +-
python/samba/ntacls.py | 3 +-
python/samba/tests/krb5/raw_testcase.py | 6 +-
selftest/knownfail_mit_kdc | 2 -
selftest/knownfail_mit_kdc_pre_1_20 | 5 -
.../dsdb/samdb/ldb_modules/tests/test_audit_log.c | 66 +-
.../samdb/ldb_modules/tests/test_group_audit.c | 23 +-
source4/kdc/db-glue.c | 5 +-
source4/kdc/hdb-samba4.c | 47 ++
source4/kdc/mit_samba.c | 794 ++-------------------
source4/kdc/pac-glue.c | 564 ++++++++++++++-
source4/kdc/pac-glue.h | 22 +-
source4/kdc/samba_kdc.h | 1 +
source4/kdc/wdc-samba4.c | 495 ++-----------
source4/lib/policy/gp_manage.c | 3 +-
source4/torture/drs/unit/prefixmap_tests.c | 2 +-
20 files changed, 861 insertions(+), 1220 deletions(-)
Changeset truncated at 500 lines:
diff --git a/auth/auth_sam_reply.h b/auth/auth_sam_reply.h
index e4b26e961d7..d8a30c6b36f 100644
--- a/auth/auth_sam_reply.h
+++ b/auth/auth_sam_reply.h
@@ -23,6 +23,10 @@
#ifndef __AUTH_AUTH_SAM_REPLY_H__
#define __AUTH_AUTH_SAM_REPLY_H__
+#include "libcli/util/ntstatus.h"
+#include "libcli/util/werror.h"
+#include "librpc/gen_ndr/auth.h"
+
#undef _PRINTF_ATTRIBUTE
#define _PRINTF_ATTRIBUTE(a1, a2) PRINTF_ATTRIBUTE(a1, a2)
/* this file contains prototypes for functions that are private
diff --git a/buildtools/wafsamba/samba_deps.py b/buildtools/wafsamba/samba_deps.py
index 9c922f7e036..c0a330b1b5e 100644
--- a/buildtools/wafsamba/samba_deps.py
+++ b/buildtools/wafsamba/samba_deps.py
@@ -1023,10 +1023,10 @@ def show_object_duplicates(bld, tgt_list):
Logs.info("showing indirect dependency counts (sorted by count)")
- def indirect_count(t1, t2):
- return len(t2.indirect_objects) - len(t1.indirect_objects)
+ def indirect_count(t):
+ return len(t.indirect_objects)
- sorted_list = sorted(tgt_list, cmp=indirect_count)
+ sorted_list = sorted(tgt_list, key=indirect_count, reverse=True)
for t in sorted_list:
if len(t.indirect_objects) > 1:
Logs.info("%s depends on %u indirect objects" % (t.sname, len(t.indirect_objects)))
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index e9eaddac75d..2351d172779 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -3348,6 +3348,34 @@ void smb_krb5_principal_set_type(krb5_context context,
#endif
}
+/**
+ * @brief Check if a principal is a TGS
+ *
+ * @param[in] context The library context
+ *
+ * @param[inout] principal The principal to check.
+ *
+ * @returns 1 if equal, 0 if not and -1 on error.
+ */
+int smb_krb5_principal_is_tgs(krb5_context context,
+ krb5_const_principal principal)
+{
+ char *p = NULL;
+ int eq = 1;
+
+ p = smb_krb5_principal_get_comp_string(NULL, context, principal, 0);
+ if (p == NULL) {
+ return -1;
+ }
+
+ eq = krb5_princ_size(context, principal) == 2 &&
+ (strequal(p, KRB5_TGS_NAME));
+
+ talloc_free(p);
+
+ return eq;
+}
+
#if !defined(HAVE_KRB5_WARNX)
/**
* @brief Log a Kerberos message
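Review bot: smb_krb5_principal_is_tgs() returns a tri-state int (1, 0, -1), so a caller that writes `if (smb_krb5_principal_is_tgs(context, principal))` treats the -1 error path as "is a TGS principal"; either return a bool and report the error separately, or say in the doc comment that callers must compare the result against 1. In the same doc block, `@param[inout] principal` should be `[in]` because the parameter is a `krb5_const_principal`, and "1 if equal" should say what is compared (two components, the first equal to KRB5_TGS_NAME). The `int eq = 1;` initialiser is never used, and testing `krb5_princ_size(context, principal) == 2` before calling smb_krb5_principal_get_comp_string() would avoid the allocation for principals that cannot match.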
diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h
index c8573f52bd9..653cd561406 100644
--- a/lib/krb5_wrap/krb5_samba.h
+++ b/lib/krb5_wrap/krb5_samba.h
@@ -306,6 +306,9 @@ void smb_krb5_principal_set_type(krb5_context context,
krb5_principal principal,
int type);
+int smb_krb5_principal_is_tgs(krb5_context context,
+ krb5_const_principal principal);
+
krb5_error_code smb_krb5_principal_set_realm(krb5_context context,
krb5_principal principal,
const char *realm);
diff --git a/python/samba/netcmd/domain.py b/python/samba/netcmd/domain.py
index e814a47233d..49e60625e44 100644
--- a/python/samba/netcmd/domain.py
+++ b/python/samba/netcmd/domain.py
@@ -120,7 +120,7 @@ common_provision_join_options = [
help="choose machine password (otherwise random)"),
Option("--plaintext-secrets", action="store_true",
help="Store secret/sensitive values as plain text on disk" +
- "(default is to encrypt secret/ensitive values)"),
+ "(default is to encrypt secret/sensitive values)"),
Option("--backend-store", type="choice", metavar="BACKENDSTORE",
choices=["tdb", "mdb"],
help="Specify the database backend to be used "
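Review bot: the two help-string fragments on the changed line are concatenated without a space, so the --plaintext-secrets help renders as "on disk(default is to encrypt ..."; since the line is already being touched for the spelling fix, start the second fragment with a space: `" (default is to encrypt secret/sensitive values)"`.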
diff --git a/python/samba/ntacls.py b/python/samba/ntacls.py
index 89e64b7dc5a..f35be48c30b 100644
--- a/python/samba/ntacls.py
+++ b/python/samba/ntacls.py
@@ -301,7 +301,8 @@ def dsacl2fsacl(dssddl, sid, as_sddl=True):
aces = ref.dacl.aces
for i in range(0, len(aces)):
ace = aces[i]
- if not ace.type & security.SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT and str(ace.trustee) != security.SID_BUILTIN_PREW2K:
+ if ace.type in (security.SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT,
+ security.SEC_ACE_TYPE_ACCESS_ALLOWED) and str(ace.trustee) != security.SID_BUILTIN_PREW2K:
# if fdescr.type & security.SEC_DESC_DACL_AUTO_INHERITED:
ace.flags = ace.flags | security.SEC_ACE_FLAG_OBJECT_INHERIT | security.SEC_ACE_FLAG_CONTAINER_INHERIT
if str(ace.trustee) == security.SID_CREATOR_OWNER:
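Review bot: the new condition in dsacl2fsacl() is more than a flags-versus-enum correction, it changes which ACEs get the inherit flags: the old expression was written as `not ace.type & security.SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT`, while the new membership test explicitly includes SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT and limits the branch to exactly the two listed types. The commit message should say that this selection is the intended one rather than only that it matches gp_create_gpt_security_descriptor(), and a test that passes dsacl2fsacl() an SDDL string mixing several ACE types would pin the result down. The added line is also long enough that the trustee comparison would read better on its own line.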
diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py
index 584a3fe5567..69c52b25761 100644
--- a/python/samba/tests/krb5/raw_testcase.py
+++ b/python/samba/tests/krb5/raw_testcase.py
@@ -2995,10 +2995,14 @@ class RawKerberosTest(TestCaseInTempDir):
kcrypto.Enctype.AES128}:
expected_patypes += (PADATA_ETYPE_INFO2,)
+ if not self.strict_checking and rep_padata is None:
+ rep_padata = ()
+
+ self.assertIsNotNone(rep_padata)
got_patypes = tuple(pa['padata-type'] for pa in rep_padata)
self.assertSequenceElementsEqual(expected_patypes, got_patypes)
- if not expected_patypes:
+ if len(expected_patypes) == 0:
return None
pa_dict = self.get_pa_dict(rep_padata)
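Review bot: in check_reply_padata(), `self.assertIsNotNone(rep_padata)` fails without saying what was expected; pass a message that includes expected_patypes so a strict-checking failure can be diagnosed from the test output alone. The change from `if not expected_patypes:` to `if len(expected_patypes) == 0:` is unrelated to the None handling described in the commit message and should either be dropped or go in its own commit.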
diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc
index c2a35c68152..25b1e5bb413 100644
--- a/selftest/knownfail_mit_kdc
+++ b/selftest/knownfail_mit_kdc
@@ -219,8 +219,6 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
#
# MIT currently fails some as_req_no_preauth tests.
#
-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_enc_timestamp_spn(?!_)
-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_enc_timestamp_spn_realm
^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_enc_timestamp_aes128_rc4.*fl2003dc
^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_enc_timestamp_mac_aes128_rc4.*fl2003dc
^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth.*aes.*rc4.*fl2003dc
diff --git a/selftest/knownfail_mit_kdc_pre_1_20 b/selftest/knownfail_mit_kdc_pre_1_20
index 988342c77b6..a32ae4c0e71 100644
--- a/selftest/knownfail_mit_kdc_pre_1_20
+++ b/selftest/knownfail_mit_kdc_pre_1_20
@@ -118,10 +118,6 @@ samba.tests.krb5.compatability_tests.samba.tests.krb5.compatability_tests.Simple
#
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_authdata_no_pac
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_no_pac
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_req_no_requester_sid
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid\(
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_renew
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_validate
#
# PAC tests
#
@@ -145,7 +141,6 @@ samba.tests.krb5.compatability_tests.samba.tests.krb5.compatability_tests.Simple
# PAC attributes tests
#
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_req(?!_invalid)
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_pac_attrs_none
#
# PAC request tests
#
diff --git a/source4/dsdb/samdb/ldb_modules/tests/test_audit_log.c b/source4/dsdb/samdb/ldb_modules/tests/test_audit_log.c
index 2fba2406b64..885248e5fb9 100644
--- a/source4/dsdb/samdb/ldb_modules/tests/test_audit_log.c
+++ b/source4/dsdb/samdb/ldb_modules/tests/test_audit_log.c
@@ -41,10 +41,12 @@ static void check_timestamp(time_t before, const char* timestamp)
struct tm tm;
time_t after;
time_t actual;
- const double lower = -1;
+ struct timeval tv;
- after = time(NULL);
+ rc = gettimeofday(&tv, NULL);
+ assert_return_code(rc, errno);
+ after = tv.tv_sec;
/*
* Convert the ISO 8601 timestamp into a time_t
@@ -71,12 +73,8 @@ static void check_timestamp(time_t before, const char* timestamp)
/*
* The timestamp should be before <= actual <= after
- * Note: as the microsecond portion of the time is truncated we use
- * a -1 as the lower bound for the time difference instead of
- * zero
*/
- assert_true(difftime(actual, before) >= lower);
- assert_true(difftime(after, actual) >= lower);
+ assert_in_range(actual, before, after);
}
static void test_has_password_changed(void **state)
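Review bot: this hunk of check_timestamp() removes the one-second slack together with the comment that explained it, so the assertion now relies on `before`, `actual` and `after` all being whole seconds taken from the same clock; keep a one-line comment saying so, otherwise a later change that reintroduces time() on one side brings the flapping back. Because `actual` comes from converting a parsed timestamp, make sure the conversion result is asserted before `assert_in_range(actual, before, after);` so that a conversion failure is reported as such and not as an out-of-range time.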
@@ -295,6 +293,8 @@ static void test_operation_json_empty(void **state)
json_t *v = NULL;
json_t *o = NULL;
time_t before;
+ struct timeval tv;
+ int rc;
TALLOC_CTX *ctx = talloc_new(NULL);
@@ -310,7 +310,9 @@ static void test_operation_json_empty(void **state)
reply = talloc_zero(ctx, struct ldb_reply);
reply->error = LDB_SUCCESS;
- before = time(NULL);
+ rc = gettimeofday(&tv, NULL);
+ assert_return_code(rc, errno);
+ before = tv.tv_sec;
json = operation_json(module, req, reply);
assert_int_equal(3, json_object_size(json.root));
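Review bot: the three added lines here (`rc = gettimeofday(&tv, NULL);`, `assert_return_code(rc, errno);`, `before = tv.tv_sec;`) are repeated, along with the `tv` and `rc` declarations, in every test touched below and again in test_group_audit.c; a small static helper that returns the current second and asserts on failure would reduce each call site to one line and keep the choice of clock in a single place.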
@@ -426,6 +428,8 @@ static void test_operation_json(void **state)
json_t *f = NULL;
json_t *g = NULL;
time_t before;
+ struct timeval tv;
+ int rc;
TALLOC_CTX *ctx = talloc_new(NULL);
@@ -465,7 +469,9 @@ static void test_operation_json(void **state)
reply = talloc_zero(ctx, struct ldb_reply);
reply->error = LDB_ERR_OPERATIONS_ERROR;
- before = time(NULL);
+ rc = gettimeofday(&tv, NULL);
+ assert_return_code(rc, errno);
+ before = tv.tv_sec;
json = operation_json(module, req, reply);
assert_int_equal(3, json_object_size(json.root));
@@ -621,6 +627,8 @@ static void test_as_system_operation_json(void **state)
json_t *f = NULL;
json_t *g = NULL;
time_t before;
+ struct timeval tv;
+ int rc;
TALLOC_CTX *ctx = talloc_new(NULL);
@@ -669,7 +677,9 @@ static void test_as_system_operation_json(void **state)
reply = talloc_zero(ctx, struct ldb_reply);
reply->error = LDB_ERR_OPERATIONS_ERROR;
- before = time(NULL);
+ rc = gettimeofday(&tv, NULL);
+ assert_return_code(rc, errno);
+ before = tv.tv_sec;
json = operation_json(module, req, reply);
assert_int_equal(3, json_object_size(json.root));
@@ -796,6 +806,8 @@ static void test_password_change_json_empty(void **state)
json_t *v = NULL;
json_t *o = NULL;
time_t before;
+ struct timeval tv;
+ int rc;
TALLOC_CTX *ctx = talloc_new(NULL);
@@ -811,7 +823,9 @@ static void test_password_change_json_empty(void **state)
reply = talloc_zero(ctx, struct ldb_reply);
reply->error = LDB_SUCCESS;
- before = time(NULL);
+ rc = gettimeofday(&tv, NULL);
+ assert_return_code(rc, errno);
+ before = tv.tv_sec;
json = password_change_json(module, req, reply);
assert_int_equal(3, json_object_size(json.root));
@@ -899,6 +913,8 @@ static void test_password_change_json(void **state)
json_t *v = NULL;
json_t *o = NULL;
time_t before;
+ struct timeval tv;
+ int rc;
TALLOC_CTX *ctx = talloc_new(NULL);
@@ -936,7 +952,9 @@ static void test_password_change_json(void **state)
reply = talloc_zero(ctx, struct ldb_reply);
reply->error = LDB_SUCCESS;
- before = time(NULL);
+ rc = gettimeofday(&tv, NULL);
+ assert_return_code(rc, errno);
+ before = tv.tv_sec;
json = password_change_json(module, req, reply);
assert_int_equal(3, json_object_size(json.root));
@@ -1025,10 +1043,14 @@ static void test_transaction_json(void **state)
json_t *v = NULL;
json_t *o = NULL;
time_t before;
+ struct timeval tv;
+ int rc;
GUID_from_string(GUID, &guid);
- before = time(NULL);
+ rc = gettimeofday(&tv, NULL);
+ assert_return_code(rc, errno);
+ before = tv.tv_sec;
json = transaction_json("delete", &guid, 10000099);
assert_int_equal(3, json_object_size(json.root));
@@ -1086,10 +1108,14 @@ static void test_commit_failure_json(void **state)
json_t *v = NULL;
json_t *o = NULL;
time_t before;
+ struct timeval tv;
+ int rc;
GUID_from_string(GUID, &guid);
- before = time(NULL);
+ rc = gettimeofday(&tv, NULL);
+ assert_return_code(rc, errno);
+ before = tv.tv_sec;
json = commit_failure_json(
"prepare",
987876,
@@ -1173,6 +1199,8 @@ static void test_replicated_update_json_empty(void **state)
json_t *v = NULL;
json_t *o = NULL;
time_t before;
+ struct timeval tv;
+ int rc;
TALLOC_CTX *ctx = talloc_new(NULL);
@@ -1193,7 +1221,9 @@ static void test_replicated_update_json_empty(void **state)
reply = talloc_zero(ctx, struct ldb_reply);
reply->error = LDB_SUCCESS;
- before = time(NULL);
+ rc = gettimeofday(&tv, NULL);
+ assert_return_code(rc, errno);
+ before = tv.tv_sec;
json = replicated_update_json(module, req, reply);
assert_int_equal(3, json_object_size(json.root));
@@ -1309,6 +1339,8 @@ static void test_replicated_update_json(void **state)
json_t *v = NULL;
json_t *o = NULL;
time_t before;
+ struct timeval tv;
+ int rc;
TALLOC_CTX *ctx = talloc_new(NULL);
@@ -1345,7 +1377,9 @@ static void test_replicated_update_json(void **state)
reply = talloc_zero(ctx, struct ldb_reply);
reply->error = LDB_ERR_NO_SUCH_OBJECT;
- before = time(NULL);
+ rc = gettimeofday(&tv, NULL);
+ assert_return_code(rc, errno);
+ before = tv.tv_sec;
json = replicated_update_json(module, req, reply);
assert_int_equal(3, json_object_size(json.root));
diff --git a/source4/dsdb/samdb/ldb_modules/tests/test_group_audit.c b/source4/dsdb/samdb/ldb_modules/tests/test_group_audit.c
index 0bbde9f3e3b..f7075f3485e 100644
--- a/source4/dsdb/samdb/ldb_modules/tests/test_group_audit.c
+++ b/source4/dsdb/samdb/ldb_modules/tests/test_group_audit.c
@@ -268,9 +268,12 @@ static void _check_timestamp(
struct tm tm;
time_t after;
time_t actual;
+ struct timeval tv;
- after = time(NULL);
+ rc = gettimeofday(&tv, NULL);
+ assert_return_code(rc, errno);
+ after = tv.tv_sec;
/*
* Convert the ISO 8601 timestamp into a time_t
@@ -806,6 +809,8 @@ static void test_audit_group_json(void **state)
json_t *v = NULL;
json_t *o = NULL;
time_t before;
+ struct timeval tv;
+ int rc;
TALLOC_CTX *ctx = talloc_new(NULL);
@@ -826,7 +831,9 @@ static void test_audit_group_json(void **state)
req->operation = LDB_ADD;
add_transaction_id(req, TRANSACTION);
- before = time(NULL);
+ rc = gettimeofday(&tv, NULL);
+ assert_return_code(rc, errno);
+ before = tv.tv_sec;
json = audit_group_json(module,
req,
"the-action",
@@ -910,6 +917,8 @@ static void test_audit_group_json_error(void **state)
json_t *v = NULL;
json_t *o = NULL;
time_t before;
+ struct timeval tv;
+ int rc;
TALLOC_CTX *ctx = talloc_new(NULL);
@@ -930,7 +939,9 @@ static void test_audit_group_json_error(void **state)
req->operation = LDB_ADD;
add_transaction_id(req, TRANSACTION);
- before = time(NULL);
+ rc = gettimeofday(&tv, NULL);
+ assert_return_code(rc, errno);
+ before = tv.tv_sec;
json = audit_group_json(module,
req,
"the-action",
@@ -1015,6 +1026,8 @@ static void test_audit_group_json_no_event(void **state)
json_t *v = NULL;
json_t *o = NULL;
time_t before;
+ struct timeval tv;
+ int rc;
TALLOC_CTX *ctx = talloc_new(NULL);
@@ -1035,7 +1048,9 @@ static void test_audit_group_json_no_event(void **state)
req->operation = LDB_ADD;
add_transaction_id(req, TRANSACTION);
- before = time(NULL);
+ rc = gettimeofday(&tv, NULL);
+ assert_return_code(rc, errno);
+ before = tv.tv_sec;
json = audit_group_json(module,
req,
"the-action",
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 62cc8bdef1d..f79ff1b8c3c 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -2743,8 +2743,10 @@ samba_kdc_check_s4u2proxy(krb5_context context,
el = ldb_msg_find_element(skdc_entry->msg, "msDS-AllowedToDelegateTo");
if (el == NULL) {
+ ret = ENOENT;
goto bad_option;
}
+ SMB_ASSERT(el->num_values != 0);
/*
* This is the Microsoft forwardable flag behavior.
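Review bot: `SMB_ASSERT(el->num_values != 0);` in samba_kdc_check_s4u2proxy() turns an unexpectedly empty msDS-AllowedToDelegateTo element into a process abort inside the KDC, whereas the `el == NULL` case just above fails only the request; handle the empty element the same way (`ret = ENOENT; goto bad_option;`) so that unexpected directory data denies delegation instead of stopping the service.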
@@ -2752,7 +2754,7 @@ samba_kdc_check_s4u2proxy(krb5_context context,
* If the proxy (target) principal is NULL, and we have any authorized
* delegation target, allow to forward.
*/
- if (el->num_values >= 0 && target_principal == NULL) {
+ if (target_principal == NULL) {
return 0;
}
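Review bot: after the always-true `el->num_values >= 0` is dropped, the comment above `if (target_principal == NULL)` still says "and we have any authorized delegation target", but nothing in this condition checks that any more; either reword the comment to say the precondition is established earlier in the function, or make it explicit here with `el->num_values > 0 && target_principal == NULL`.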
@@ -2810,6 +2812,7 @@ samba_kdc_check_s4u2proxy(krb5_context context,
}
if (!found) {
+ ret = ENOENT;
goto bad_option;
}
diff --git a/source4/kdc/hdb-samba4.c b/source4/kdc/hdb-samba4.c
index 5720dfadc1f..e82ebbe7daa 100644
--- a/source4/kdc/hdb-samba4.c
+++ b/source4/kdc/hdb-samba4.c
@@ -612,7 +612,44 @@ static krb5_error_code hdb_samba4_audit(krb5_context context,
ui.auth_description = auth_description;
if (hdb_auth_status == KDC_AUTH_EVENT_CLIENT_AUTHORIZED) {
+ /* This is the final sucess */
status = NT_STATUS_OK;
+ } else if (hdb_auth_status == KDC_AUTH_EVENT_VALIDATED_LONG_TERM_KEY) {
+ /*
+ * This was only a pre-authentication success,
+ * but we didn't reach the final
+ * KDC_AUTH_EVENT_CLIENT_AUTHORIZED,
+ * so consult the error code.
--
Samba Shared Repository