[SCM] Samba Shared Repository - branch master updated

Andrew Bartlett abartlet at samba.org
Thu Mar 17 01:37:01 UTC 2022


The branch, master has been updated
       via  def505e68be wafsamba: Fix call to sorted()
       via  005866b1092 s4-smbtorture: Fix typo in assertion message
       via  27dd0afb62d python/ntacls.py: Fix ACE type comparison
       via  52afaa0ceb5 s4:policy: Fix ACE type comparison
       via  95abdbcbb8c dsdb audit tests: Use assert_in_range() for comparing timestamps
       via  591db0ccc09 dsdb audit tests: Fix flapping test
       via  2a8ae72bc01 samba-tool: Fix typo
       via  c4ecb66715c s4:kdc: Use samba_kdc_update_pac() in Heimdal DB plugin
       via  1a28d97fefe s4:kdc: Remove trailing whitespace in wdc-samba4.c
       via  2380c7eab4d s4:kdc: Remove ks_is_tgs_principal()
       via  c78f5b724be s4:kdc: Use samba_kdc_update_pac() in mit_samba_update_pac()
       via  b59c55e0528 s4:kdc: Use samba_kdc_update_pac() in mit_samba_reget_pac()
       via  0828cbd4bfe s4:kdc: Implement common samba_kdc_update_pac()
       via  27554581c1d s4:kdc: Make pac parameter of samba_client_requested_pac() const
       via  95cdbe1724f s4:kdc: Cleanup include files in pac-glue.c
       via  a84cabf4711 lib:krb5_wrap: Implement smb_krb5_principal_is_tgs()
       via  1f24724b24e auth: Add required headers to auth_sam_reply.h
       via  27dd3d9fca0 s4:kdc: Fix comparison in samba_kdc_check_s4u2proxy()
       via  70b4660c208 s4:kdc: Make sure ret is set if we goto bad_option
       via  94e9b338338 s4:kdc: Fix return code in mit_samba_update_pac()
       via  18dbdf6aace python:tests: Fix type error in raw_testcase.py
       via  5294dc80090 s4:kdc: tunnel the check_client_access status to hdb_samba4_audit()
       via  b01388da8a7 s4-kdc: Handle previously unhandled auth event types
      from  70b9977a46e s3:libsmb: Fix errno for failed authentication in SMBC_server_internal()

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit def505e68be66e0179a345d3f7e2bd930712e150
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Feb 15 20:05:55 2022 +1300

    wafsamba: Fix call to sorted()
    
    In Python 3, sorted() does not take a 'cmp' parameter, so we need to use
    the 'key' parameter instead.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Thu Mar 17 01:36:59 UTC 2022 on sn-devel-184

commit 005866b10922c8dd59d334f1a77712be33213986
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Feb 15 09:25:38 2022 +1300

    s4-smbtorture: Fix typo in assertion message
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 27dd0afb62d4f7427c966e984c7c8b01bc4d93b5
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Mar 4 16:11:42 2022 +1300

    python/ntacls.py: Fix ACE type comparison
    
    SEC_ACE_TYPE_ values are not flags, so this comparison does not behave
    as intended. Modify the check to more closely match the one in
    gp_create_gpt_security_descriptor().
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 52afaa0ceb5f2a372c075f64c5ae445621263b36
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Mar 2 17:14:42 2022 +1300

    s4:policy: Fix ACE type comparison
    
    SEC_ACE_TYPE_ values are not flags, so this comparison does not behave
    as intended. Modify the check to more closely match the comment.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
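
An added illustration of the point made in the two "Fix ACE type comparison" commits above (python/ntacls.py and s4:policy). This is example code written for this page, not Samba code: the constants reproduce the ACE type and ACE flag values from MS-DTYP 2.4.4.1 (the same numbers samba.dcerpc.security exposes as SEC_ACE_TYPE_* and SEC_ACE_FLAG_*), while the Ace record, the sample DACL and the helper names are constructed for the example. It shows why `not ace.type & SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT` misclassifies ACEs (type values are an enumeration, not a bit mask) and what the corrected membership test does to the same input.

```python
from collections import namedtuple

# ACE type values as enumerated in MS-DTYP 2.4.4.1. They are an
# enumeration, not a bit mask, so bitwise tests on them are meaningless.
SEC_ACE_TYPE_ACCESS_ALLOWED = 0x00
SEC_ACE_TYPE_ACCESS_DENIED = 0x01
SEC_ACE_TYPE_SYSTEM_AUDIT = 0x02
SEC_ACE_TYPE_SYSTEM_ALARM = 0x03
SEC_ACE_TYPE_ACCESS_ALLOWED_COMPOUND = 0x04
SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT = 0x05
SEC_ACE_TYPE_ACCESS_DENIED_OBJECT = 0x06
SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT = 0x07
SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT = 0x08

# ACE flags (these really are a bit mask).
SEC_ACE_FLAG_OBJECT_INHERIT = 0x01
SEC_ACE_FLAG_CONTAINER_INHERIT = 0x02

SID_BUILTIN_PREW2K = "S-1-5-32-554"  # Pre-Windows 2000 Compatible Access

# ACE types that grant access and should pick up inheritance flags.
ALLOW_TYPES = (SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT)


def bitwise_check(ace_type):
    """The buggy predicate: `not ace.type & SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT`.

    Because 0x05 is a value rather than a mask, this is true for any type
    with bits 0 and 2 clear (0x00, 0x02, 0x08) and false for 0x05 itself.
    """
    return not (ace_type & SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT)


def membership_check(ace_type):
    """The corrected predicate: compare the enumeration value itself."""
    return ace_type in ALLOW_TYPES


def misclassified_types():
    """ACE types on which the two predicates disagree (sorted list)."""
    return sorted(t for t in range(0x09)
                  if bitwise_check(t) != membership_check(t))


# Minimal ACE record for the example (not Samba's security.ace object).
Ace = namedtuple("Ace", "type flags trustee")


def mark_inheritable(aces, check):
    """The inheritance-flag step of dsacl2fsacl(), parameterised on the
    type predicate so both behaviours can be compared on the same input."""
    result = []
    for ace in aces:
        if check(ace.type) and ace.trustee != SID_BUILTIN_PREW2K:
            ace = ace._replace(flags=ace.flags
                               | SEC_ACE_FLAG_OBJECT_INHERIT
                               | SEC_ACE_FLAG_CONTAINER_INHERIT)
        result.append(ace)
    return result


# Constructed sample DACL: a plain allow ACE, an object-specific allow ACE
# (typical for AD property rights), an audit ACE, and an allow ACE for the
# Pre-Windows 2000 group, which must be left alone.
SAMPLE_ACES = [
    Ace(SEC_ACE_TYPE_ACCESS_ALLOWED, 0, "S-1-5-32-544"),
    Ace(SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT, 0, "S-1-5-21-1-2-3-1104"),
    Ace(SEC_ACE_TYPE_SYSTEM_AUDIT, 0, "S-1-1-0"),
    Ace(SEC_ACE_TYPE_ACCESS_ALLOWED, 0, SID_BUILTIN_PREW2K),
]


def flags_after(check):
    """Resulting ACE flags for SAMPLE_ACES under the given predicate."""
    return [ace.flags for ace in mark_inheritable(SAMPLE_ACES, check)]


if __name__ == "__main__":
    print("types misclassified by the bitwise test:", misclassified_types())
    print("flags with bitwise test:   ", flags_after(bitwise_check))
    print("flags with membership test:", flags_after(membership_check))
```

With the bitwise test the object-specific allow ACE is skipped while the audit ACE gets inheritance flags; with the membership test the two allow ACEs are flagged and the audit ACE and the Pre-Windows 2000 ACE are left untouched.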

commit 95abdbcbb8c96bb58aa1fe08ddc5c8280e9e6a30
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Mar 17 11:20:45 2022 +1300

    dsdb audit tests: Use assert_in_range() for comparing timestamps
    
    This can make the code clearer. assert_in_range() takes only integer
    parameters, but POSIX allows us to assume that time_t is an integer.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 591db0ccc090f49c74dff8dab6a7240432d03024
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Sep 28 20:42:36 2021 +1300

    dsdb audit tests: Fix flapping test
    
    Use gettimeofday() to obtain the current time for comparison, to be
    consistent with audit_logging.c. On Linux, time() may occasionally
    return a smaller value than gettimeofday(), despite being called later.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 2a8ae72bc0125e22b2637b961ca3b03a16774dcb
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Mar 18 19:22:52 2021 +1300

    samba-tool: Fix typo
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit c4ecb66715caec7cb900f6bdf6b7ad749c4ef037
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Mar 7 10:41:41 2022 +0100

    s4:kdc: Use samba_kdc_update_pac() in Heimdal DB plugin
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>

commit 1a28d97fefed6391e4d4e9c37b51baac598a66cc
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Mar 7 13:15:08 2022 +0100

    s4:kdc: Remove trailing whitespace in wdc-samba4.c
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>

commit 2380c7eab4d5fea7ca3f284482429b914b84c900
Author: Andreas Schneider <asn at samba.org>
Date:   Tue Mar 15 07:33:57 2022 +0100

    s4:kdc: Remove ks_is_tgs_principal()
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>

commit c78f5b724be429ad313adc7215cd42b2a3eddb2c
Author: Andreas Schneider <asn at samba.org>
Date:   Tue Mar 8 07:34:16 2022 +0100

    s4:kdc: Use samba_kdc_update_pac() in mit_samba_update_pac()
    
    This is for MIT Kerberos >= 1.20.
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>

commit b59c55e0528a7319d825df33fd7f8ddac694ab93
Author: Andreas Schneider <asn at samba.org>
Date:   Thu Mar 10 17:20:46 2022 +0100

    s4:kdc: Use samba_kdc_update_pac() in mit_samba_reget_pac()
    
    This is for MIT Kerberos <= 1.19.
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>

commit 0828cbd4bfe0340dd05a8e47eca647d134863d2e
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Mar 7 10:24:14 2022 +0100

    s4:kdc: Implement common samba_kdc_update_pac()
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>

commit 27554581c1d870f7dd95e2ea984b4ac71b2014ce
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Mar 7 10:23:18 2022 +0100

    s4:kdc: Make pac parameter of samba_client_requested_pac() const
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>

commit 95cdbe1724f8bbf8f98f26b2271e8f1a64dbe18a
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Mar 7 07:45:03 2022 +0100

    s4:kdc: Cleanup include files in pac-glue.c
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>

commit a84cabf471198b19d24b74c1deae9d49049823dc
Author: Andreas Schneider <asn at samba.org>
Date:   Tue Mar 15 07:30:03 2022 +0100

    lib:krb5_wrap: Implement smb_krb5_principal_is_tgs()
    
    This will be used later and allows us to remove static implementations.
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>

commit 1f24724b24e04ee4ac1bdf44f83a4f4e19497856
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Mar 7 10:25:38 2022 +0100

    auth: Add required headers to auth_sam_reply.h
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>

commit 27dd3d9fca094e19803bc0b934ff4c873138eb6a
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Mar 7 16:02:18 2022 +0100

    s4:kdc: Fix comparison in samba_kdc_check_s4u2proxy()
    
    CID 1502873:  Control flow issues  (NO_EFFECT)
    >>> This greater-than-or-equal-to-zero comparison of an unsigned value is always
    true. "el->num_values >= 0U".
    
    This is probably just a paranoia check as num_values should be set to at least
    1 if we have an LDAP entry.
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>

commit 70b4660c2089bff25f3c56d3f918491799417999
Author: Andreas Schneider <asn at samba.org>
Date:   Tue Mar 8 15:04:34 2022 +0100

    s4:kdc: Make sure ret is set if we goto bad_option
    
    The ret variable is just used to set the error message for logging.
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>

commit 94e9b338338bc55312e4cb481a36d583066995cf
Author: Andreas Schneider <asn at samba.org>
Date:   Tue Mar 8 08:43:07 2022 +0100

    s4:kdc: Fix return code in mit_samba_update_pac()
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>

commit 18dbdf6aace6e37f294781fe7e379da87558992a
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Mar 7 11:22:29 2022 +0100

    python:tests: Fix type error in raw_testcase.py
    
    This fixes a lot of tests with Python 3.8. Stacktrace example:
    
    File "python/samba/tests/krb5/as_req_tests.py", line 249, in test_as_req_enc_timestamp_rc4_dummy
      self._run_as_req_enc_timestamp(
    File "python/samba/tests/krb5/as_req_tests.py", line 129, in _run_as_req_enc_timestamp
      as_rep, kdc_exchange_dict = self._test_as_exchange(
    File "python/samba/tests/krb5/raw_testcase.py", line 3982, in _test_as_exchange
      rep = self._generic_kdc_exchange(kdc_exchange_dict,
    File "python/samba/tests/krb5/raw_testcase.py", line 2029, in _generic_kdc_exchange
      return check_rep_fn(kdc_exchange_dict, callback_dict, rep)
    File "python/samba/tests/krb5/raw_testcase.py", line 2328, in generic_check_kdc_rep
      self.check_reply_padata(kdc_exchange_dict,
    File "python/samba/tests/krb5/raw_testcase.py", line 2998, in check_reply_padata
      got_patypes = tuple(pa['padata-type'] for pa in rep_padata)
    TypeError: 'NoneType' object is not iterable
    
    This adds additional checks for rep_padata.
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>

commit 5294dc80090482d5669126802672eb2c89e269cf
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Mar 16 09:21:03 2022 +0100

    s4:kdc: tunnel the check_client_access status to hdb_samba4_audit()
    
    Otherwise useful information gets lost while converting
    from NTSTATUS to krb5_error and back to NTSTATUS again.
    E.g. NT_STATUS_ACCOUNT_DISABLED would be audited as
    NT_STATUS_ACCOUNT_LOCKED_OUT.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15015
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit b01388da8a72c11c46bb27e773b354520bc6ac88
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Mar 15 15:34:34 2022 +1300

    s4-kdc: Handle previously unhandled auth event types
    
    Cases to handle KDC_AUTH_EVENT_VALIDATED_LONG_TERM_KEY and
    KDC_AUTH_EVENT_PREAUTH_SUCCEEDED were removed in:
    
    commit 791be84c3eecb95e03611458e2305bae272ba267
    Author: Stefan Metzmacher <metze at samba.org>
    Date:   Wed Mar 2 10:10:08 2022 +1300
    
        s4:kdc: hdb_samba4_audit() is only called once per request
    
    Normally these auth event types are overwritten with the
    KDC_AUTH_EVENT_CLIENT_AUTHORIZED event type, but if a client passes the
    pre-authentication check, and happens to fail the client access check
    (e.g. because the account is disabled), we get error messages of the
    form:
    hdb_samba4_audit: Unhandled hdb_auth_status=9 => INTERNAL_ERROR
    
    To avoid such errors, use the error code provided in the request
    structure to obtain a relevant status code in cases not handled
    explicitly.
    
    For unexpected values we return KRB5KRB_ERR_GENERIC
    in order to hopefully prevent success. And within make test
    we panic in order to let a CI run fail.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15015
    
    Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 auth/auth_sam_reply.h                              |   4 +
 buildtools/wafsamba/samba_deps.py                  |   6 +-
 lib/krb5_wrap/krb5_samba.c                         |  28 +
 lib/krb5_wrap/krb5_samba.h                         |   3 +
 python/samba/netcmd/domain.py                      |   2 +-
 python/samba/ntacls.py                             |   3 +-
 python/samba/tests/krb5/raw_testcase.py            |   6 +-
 selftest/knownfail_mit_kdc                         |   2 -
 selftest/knownfail_mit_kdc_pre_1_20                |   5 -
 .../dsdb/samdb/ldb_modules/tests/test_audit_log.c  |  66 +-
 .../samdb/ldb_modules/tests/test_group_audit.c     |  23 +-
 source4/kdc/db-glue.c                              |   5 +-
 source4/kdc/hdb-samba4.c                           |  47 ++
 source4/kdc/mit_samba.c                            | 794 ++-------------------
 source4/kdc/pac-glue.c                             | 564 ++++++++++++++-
 source4/kdc/pac-glue.h                             |  22 +-
 source4/kdc/samba_kdc.h                            |   1 +
 source4/kdc/wdc-samba4.c                           | 495 ++-----------
 source4/lib/policy/gp_manage.c                     |   3 +-
 source4/torture/drs/unit/prefixmap_tests.c         |   2 +-
 20 files changed, 861 insertions(+), 1220 deletions(-)


Changeset truncated at 500 lines:

diff --git a/auth/auth_sam_reply.h b/auth/auth_sam_reply.h
index e4b26e961d7..d8a30c6b36f 100644
--- a/auth/auth_sam_reply.h
+++ b/auth/auth_sam_reply.h
@@ -23,6 +23,10 @@
 #ifndef __AUTH_AUTH_SAM_REPLY_H__
 #define __AUTH_AUTH_SAM_REPLY_H__
 
+#include "libcli/util/ntstatus.h"
+#include "libcli/util/werror.h"
+#include "librpc/gen_ndr/auth.h"
+
 #undef _PRINTF_ATTRIBUTE
 #define _PRINTF_ATTRIBUTE(a1, a2) PRINTF_ATTRIBUTE(a1, a2)
 /* this file contains prototypes for functions that are private
diff --git a/buildtools/wafsamba/samba_deps.py b/buildtools/wafsamba/samba_deps.py
index 9c922f7e036..c0a330b1b5e 100644
--- a/buildtools/wafsamba/samba_deps.py
+++ b/buildtools/wafsamba/samba_deps.py
@@ -1023,10 +1023,10 @@ def show_object_duplicates(bld, tgt_list):
 
     Logs.info("showing indirect dependency counts (sorted by count)")
 
-    def indirect_count(t1, t2):
-        return len(t2.indirect_objects) - len(t1.indirect_objects)
+    def indirect_count(t):
+        return len(t.indirect_objects)
 
-    sorted_list = sorted(tgt_list, cmp=indirect_count)
+    sorted_list = sorted(tgt_list, key=indirect_count, reverse=True)
     for t in sorted_list:
         if len(t.indirect_objects) > 1:
             Logs.info("%s depends on %u indirect objects" % (t.sname, len(t.indirect_objects)))
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index e9eaddac75d..2351d172779 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -3348,6 +3348,34 @@ void smb_krb5_principal_set_type(krb5_context context,
 #endif
 }
 
+/**
+ * @brief Check if a principal is a TGS
+ *
+ * @param[in]  context  The library context
+ *
+ * @param[inout] principal The principal to check.
+ *
+ * @returns 1 if equal, 0 if not and -1 on error.
+ */
+int smb_krb5_principal_is_tgs(krb5_context context,
+			      krb5_const_principal principal)
+{
+	char *p = NULL;
+	int eq = 1;
+
+	p = smb_krb5_principal_get_comp_string(NULL, context, principal, 0);
+	if (p == NULL) {
+		return -1;
+	}
+
+	eq = krb5_princ_size(context, principal) == 2 &&
+	     (strequal(p, KRB5_TGS_NAME));
+
+	talloc_free(p);
+
+	return eq;
+}
+
 #if !defined(HAVE_KRB5_WARNX)
 /**
  * @brief Log a Kerberos message
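Review bot: the doc comment on smb_krb5_principal_is_tgs() does not match the function. `principal` is `krb5_const_principal` and is only read, so `@param[inout]` should be `@param[in]`, and `@returns 1 if equal` should say what is being compared, e.g. "1 if the principal is a two-component krbtgt service principal, 0 if not, -1 on error". `int eq = 1;` is a dead initialiser, since eq is always assigned before use. Also note that strequal() is Samba's case-insensitive comparison, so a principal whose first component is `KRBTGT` is classed as a TGS principal too; if the ks_is_tgs_principal() callers this replaces compared case-sensitively, that is a behaviour change worth stating in the commit message. The realm is not checked, which is fine if no caller relies on it, but the comment should say so.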
diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h
index c8573f52bd9..653cd561406 100644
--- a/lib/krb5_wrap/krb5_samba.h
+++ b/lib/krb5_wrap/krb5_samba.h
@@ -306,6 +306,9 @@ void smb_krb5_principal_set_type(krb5_context context,
 				 krb5_principal principal,
 				 int type);
 
+int smb_krb5_principal_is_tgs(krb5_context context,
+			      krb5_const_principal principal);
+
 krb5_error_code smb_krb5_principal_set_realm(krb5_context context,
 					     krb5_principal principal,
 					     const char *realm);
diff --git a/python/samba/netcmd/domain.py b/python/samba/netcmd/domain.py
index e814a47233d..49e60625e44 100644
--- a/python/samba/netcmd/domain.py
+++ b/python/samba/netcmd/domain.py
@@ -120,7 +120,7 @@ common_provision_join_options = [
            help="choose machine password (otherwise random)"),
     Option("--plaintext-secrets", action="store_true",
            help="Store secret/sensitive values as plain text on disk" +
-           "(default is to encrypt secret/ensitive values)"),
+           "(default is to encrypt secret/sensitive values)"),
     Option("--backend-store", type="choice", metavar="BACKENDSTORE",
            choices=["tdb", "mdb"],
            help="Specify the database backend to be used "
diff --git a/python/samba/ntacls.py b/python/samba/ntacls.py
index 89e64b7dc5a..f35be48c30b 100644
--- a/python/samba/ntacls.py
+++ b/python/samba/ntacls.py
@@ -301,7 +301,8 @@ def dsacl2fsacl(dssddl, sid, as_sddl=True):
     aces = ref.dacl.aces
     for i in range(0, len(aces)):
         ace = aces[i]
-        if not ace.type & security.SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT and str(ace.trustee) != security.SID_BUILTIN_PREW2K:
+        if ace.type in (security.SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT,
+                        security.SEC_ACE_TYPE_ACCESS_ALLOWED) and str(ace.trustee) != security.SID_BUILTIN_PREW2K:
            #    if fdescr.type & security.SEC_DESC_DACL_AUTO_INHERITED:
             ace.flags = ace.flags | security.SEC_ACE_FLAG_OBJECT_INHERIT | security.SEC_ACE_FLAG_CONTAINER_INHERIT
             if str(ace.trustee) == security.SID_CREATOR_OWNER:
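Review bot: this is a behaviour change as well as a fix and deserves a line in the commit message. SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT is 0x05 (MS-DTYP), so the old `not ace.type & SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT` was false for object ACEs (they were skipped and kept their flags) and true for plain ACCESS_ALLOWED (0x00) and for any other type with no bits in common with 0x05, e.g. SYSTEM_AUDIT (0x02). With the new `ace.type in (...)` test, object ACEs now receive OBJECT_INHERIT|CONTAINER_INHERIT and pass through the SID_CREATOR_OWNER branch below, and audit ACEs no longer do. Both directions look intended, but the file-system ACLs produced from the same directory ACL will differ from earlier releases.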
diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py
index 584a3fe5567..69c52b25761 100644
--- a/python/samba/tests/krb5/raw_testcase.py
+++ b/python/samba/tests/krb5/raw_testcase.py
@@ -2995,10 +2995,14 @@ class RawKerberosTest(TestCaseInTempDir):
                                 kcrypto.Enctype.AES128}:
                 expected_patypes += (PADATA_ETYPE_INFO2,)
 
+        if not self.strict_checking and rep_padata is None:
+            rep_padata = ()
+
+        self.assertIsNotNone(rep_padata)
         got_patypes = tuple(pa['padata-type'] for pa in rep_padata)
         self.assertSequenceElementsEqual(expected_patypes, got_patypes)
 
-        if not expected_patypes:
+        if len(expected_patypes) == 0:
             return None
 
         pa_dict = self.get_pa_dict(rep_padata)
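Review bot: the non-strict fallback only has an effect when expected_patypes is empty, and a comment saying so would prevent it being read as a general relaxation. When strict_checking is off and rep_padata is None it becomes (), but `self.assertSequenceElementsEqual(expected_patypes, got_patypes)` two lines later still compares against the full expectation, so a reply that omits a required PA-ETYPE-INFO2 should still fail. The `if not expected_patypes` to `len(expected_patypes) == 0` change is equivalent for a tuple and could be left out to keep the diff to the actual fix.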
diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc
index c2a35c68152..25b1e5bb413 100644
--- a/selftest/knownfail_mit_kdc
+++ b/selftest/knownfail_mit_kdc
@@ -219,8 +219,6 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
 #
 # MIT currently fails some as_req_no_preauth tests.
 #
-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_enc_timestamp_spn(?!_)
-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_enc_timestamp_spn_realm
 ^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_enc_timestamp_aes128_rc4.*fl2003dc
 ^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_enc_timestamp_mac_aes128_rc4.*fl2003dc
 ^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth.*aes.*rc4.*fl2003dc
diff --git a/selftest/knownfail_mit_kdc_pre_1_20 b/selftest/knownfail_mit_kdc_pre_1_20
index 988342c77b6..a32ae4c0e71 100644
--- a/selftest/knownfail_mit_kdc_pre_1_20
+++ b/selftest/knownfail_mit_kdc_pre_1_20
@@ -118,10 +118,6 @@ samba.tests.krb5.compatability_tests.samba.tests.krb5.compatability_tests.Simple
 #
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_authdata_no_pac
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_no_pac
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_req_no_requester_sid
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid\(
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_renew
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_validate
 #
 # PAC tests
 #
@@ -145,7 +141,6 @@ samba.tests.krb5.compatability_tests.samba.tests.krb5.compatability_tests.Simple
 # PAC attributes tests
 #
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_req(?!_invalid)
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_pac_attrs_none
 #
 # PAC request tests
 #
diff --git a/source4/dsdb/samdb/ldb_modules/tests/test_audit_log.c b/source4/dsdb/samdb/ldb_modules/tests/test_audit_log.c
index 2fba2406b64..885248e5fb9 100644
--- a/source4/dsdb/samdb/ldb_modules/tests/test_audit_log.c
+++ b/source4/dsdb/samdb/ldb_modules/tests/test_audit_log.c
@@ -41,10 +41,12 @@ static void check_timestamp(time_t before, const char* timestamp)
 	struct tm tm;
 	time_t after;
 	time_t actual;
-	const double lower = -1;
+	struct timeval tv;
 
 
-	after = time(NULL);
+	rc = gettimeofday(&tv, NULL);
+	assert_return_code(rc, errno);
+	after = tv.tv_sec;
 
 	/*
 	 * Convert the ISO 8601 timestamp into a time_t
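Review bot: the hunk adds `struct timeval tv;` and assigns `rc = gettimeofday(&tv, NULL);` but, unlike the test bodies later in the patch, adds no `int rc;` to check_timestamp(). If rc is not already declared above the visible context (it may well be, for the timestamp conversion's return value), this does not compile; the same applies to _check_timestamp() in test_group_audit.c further down, where the hunk likewise adds only `struct timeval tv;`.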
@@ -71,12 +73,8 @@ static void check_timestamp(time_t before, const char* timestamp)
 
 	/*
 	 * The timestamp should be before <= actual <= after
-	 * Note: as the microsecond portion of the time is truncated we use
-	 *       a -1 as the lower bound for the time difference instead of
-	 *       zero
 	 */
-	assert_true(difftime(actual, before) >= lower);
-	assert_true(difftime(after, actual) >= lower);
+	assert_in_range(actual, before, after);
 }
 
 static void test_has_password_changed(void **state)
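Review bot: cmocka's assert_in_range() casts its operands to LargestIntegralType, which is unsigned, so `assert_in_range(actual, before, after)` is an unsigned comparison. That is harmless for a post-1970 time_t, but a negative `actual` from a failed conversion earlier in the function would wrap to a huge value and fail with a confusing range message; a one-line comment that the three values are assumed non-negative would help the next reader. Dropping the -1 slack is justified now that before and after come from the same clock source (gettimeofday(), truncated to seconds) as audit_logging.c.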
@@ -295,6 +293,8 @@ static void test_operation_json_empty(void **state)
 	json_t *v = NULL;
 	json_t *o = NULL;
 	time_t before;
+	struct timeval tv;
+	int rc;
 
 
 	TALLOC_CTX *ctx = talloc_new(NULL);
@@ -310,7 +310,9 @@ static void test_operation_json_empty(void **state)
 	reply = talloc_zero(ctx, struct ldb_reply);
 	reply->error = LDB_SUCCESS;
 
-	before = time(NULL);
+	rc = gettimeofday(&tv, NULL);
+	assert_return_code(rc, errno);
+	before = tv.tv_sec;
 	json = operation_json(module, req, reply);
 	assert_int_equal(3, json_object_size(json.root));
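Review bot: the sequence `rc = gettimeofday(&tv, NULL); assert_return_code(rc, errno); before = tv.tv_sec;` plus the two new locals is repeated in every test function in this file and again in test_group_audit.c. A small static helper, e.g. `static time_t now_seconds(void)` that does the gettimeofday() and the assert, would shrink the diff and keep the clock source in one place, which is the point of the flapping-test fix.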
 
@@ -426,6 +428,8 @@ static void test_operation_json(void **state)
 	json_t *f = NULL;
 	json_t *g = NULL;
 	time_t before;
+	struct timeval tv;
+	int rc;
 
 
 	TALLOC_CTX *ctx = talloc_new(NULL);
@@ -465,7 +469,9 @@ static void test_operation_json(void **state)
 	reply = talloc_zero(ctx, struct ldb_reply);
 	reply->error = LDB_ERR_OPERATIONS_ERROR;
 
-	before = time(NULL);
+	rc = gettimeofday(&tv, NULL);
+	assert_return_code(rc, errno);
+	before = tv.tv_sec;
 	json = operation_json(module, req, reply);
 	assert_int_equal(3, json_object_size(json.root));
 
@@ -621,6 +627,8 @@ static void test_as_system_operation_json(void **state)
 	json_t *f = NULL;
 	json_t *g = NULL;
 	time_t before;
+	struct timeval tv;
+	int rc;
 
 
 	TALLOC_CTX *ctx = talloc_new(NULL);
@@ -669,7 +677,9 @@ static void test_as_system_operation_json(void **state)
 	reply = talloc_zero(ctx, struct ldb_reply);
 	reply->error = LDB_ERR_OPERATIONS_ERROR;
 
-	before = time(NULL);
+	rc = gettimeofday(&tv, NULL);
+	assert_return_code(rc, errno);
+	before = tv.tv_sec;
 	json = operation_json(module, req, reply);
 	assert_int_equal(3, json_object_size(json.root));
 
@@ -796,6 +806,8 @@ static void test_password_change_json_empty(void **state)
 	json_t *v = NULL;
 	json_t *o = NULL;
 	time_t before;
+	struct timeval tv;
+	int rc;
 
 
 	TALLOC_CTX *ctx = talloc_new(NULL);
@@ -811,7 +823,9 @@ static void test_password_change_json_empty(void **state)
 	reply = talloc_zero(ctx, struct ldb_reply);
 	reply->error = LDB_SUCCESS;
 
-	before = time(NULL);
+	rc = gettimeofday(&tv, NULL);
+	assert_return_code(rc, errno);
+	before = tv.tv_sec;
 	json = password_change_json(module, req, reply);
 	assert_int_equal(3, json_object_size(json.root));
 
@@ -899,6 +913,8 @@ static void test_password_change_json(void **state)
 	json_t *v = NULL;
 	json_t *o = NULL;
 	time_t before;
+	struct timeval tv;
+	int rc;
 
 	TALLOC_CTX *ctx = talloc_new(NULL);
 
@@ -936,7 +952,9 @@ static void test_password_change_json(void **state)
 	reply = talloc_zero(ctx, struct ldb_reply);
 	reply->error = LDB_SUCCESS;
 
-	before = time(NULL);
+	rc = gettimeofday(&tv, NULL);
+	assert_return_code(rc, errno);
+	before = tv.tv_sec;
 	json = password_change_json(module, req, reply);
 	assert_int_equal(3, json_object_size(json.root));
 
@@ -1025,10 +1043,14 @@ static void test_transaction_json(void **state)
 	json_t *v = NULL;
 	json_t *o = NULL;
 	time_t before;
+	struct timeval tv;
+	int rc;
 
 	GUID_from_string(GUID, &guid);
 
-	before = time(NULL);
+	rc = gettimeofday(&tv, NULL);
+	assert_return_code(rc, errno);
+	before = tv.tv_sec;
 	json = transaction_json("delete", &guid, 10000099);
 
 	assert_int_equal(3, json_object_size(json.root));
@@ -1086,10 +1108,14 @@ static void test_commit_failure_json(void **state)
 	json_t *v = NULL;
 	json_t *o = NULL;
 	time_t before;
+	struct timeval tv;
+	int rc;
 
 	GUID_from_string(GUID, &guid);
 
-	before = time(NULL);
+	rc = gettimeofday(&tv, NULL);
+	assert_return_code(rc, errno);
+	before = tv.tv_sec;
 	json = commit_failure_json(
 		"prepare",
 		987876,
@@ -1173,6 +1199,8 @@ static void test_replicated_update_json_empty(void **state)
 	json_t *v = NULL;
 	json_t *o = NULL;
 	time_t before;
+	struct timeval tv;
+	int rc;
 
 
 	TALLOC_CTX *ctx = talloc_new(NULL);
@@ -1193,7 +1221,9 @@ static void test_replicated_update_json_empty(void **state)
 	reply = talloc_zero(ctx, struct ldb_reply);
 	reply->error = LDB_SUCCESS;
 
-	before = time(NULL);
+	rc = gettimeofday(&tv, NULL);
+	assert_return_code(rc, errno);
+	before = tv.tv_sec;
 	json = replicated_update_json(module, req, reply);
 	assert_int_equal(3, json_object_size(json.root));
 
@@ -1309,6 +1339,8 @@ static void test_replicated_update_json(void **state)
 	json_t *v = NULL;
 	json_t *o = NULL;
 	time_t before;
+	struct timeval tv;
+	int rc;
 
 
 	TALLOC_CTX *ctx = talloc_new(NULL);
@@ -1345,7 +1377,9 @@ static void test_replicated_update_json(void **state)
 	reply = talloc_zero(ctx, struct ldb_reply);
 	reply->error = LDB_ERR_NO_SUCH_OBJECT;
 
-	before = time(NULL);
+	rc = gettimeofday(&tv, NULL);
+	assert_return_code(rc, errno);
+	before = tv.tv_sec;
 	json = replicated_update_json(module, req, reply);
 	assert_int_equal(3, json_object_size(json.root));
 
diff --git a/source4/dsdb/samdb/ldb_modules/tests/test_group_audit.c b/source4/dsdb/samdb/ldb_modules/tests/test_group_audit.c
index 0bbde9f3e3b..f7075f3485e 100644
--- a/source4/dsdb/samdb/ldb_modules/tests/test_group_audit.c
+++ b/source4/dsdb/samdb/ldb_modules/tests/test_group_audit.c
@@ -268,9 +268,12 @@ static void _check_timestamp(
 	struct tm tm;
 	time_t after;
 	time_t actual;
+	struct timeval tv;
 
 
-	after = time(NULL);
+	rc = gettimeofday(&tv, NULL);
+	assert_return_code(rc, errno);
+	after = tv.tv_sec;
 
 	/*
 	 * Convert the ISO 8601 timestamp into a time_t
@@ -806,6 +809,8 @@ static void test_audit_group_json(void **state)
 	json_t *v = NULL;
 	json_t *o = NULL;
 	time_t before;
+	struct timeval tv;
+	int rc;
 
 
 	TALLOC_CTX *ctx = talloc_new(NULL);
@@ -826,7 +831,9 @@ static void test_audit_group_json(void **state)
 	req->operation =  LDB_ADD;
 	add_transaction_id(req, TRANSACTION);
 
-	before = time(NULL);
+	rc = gettimeofday(&tv, NULL);
+	assert_return_code(rc, errno);
+	before = tv.tv_sec;
 	json = audit_group_json(module,
 				req,
 				"the-action",
@@ -910,6 +917,8 @@ static void test_audit_group_json_error(void **state)
 	json_t *v = NULL;
 	json_t *o = NULL;
 	time_t before;
+	struct timeval tv;
+	int rc;
 
 
 	TALLOC_CTX *ctx = talloc_new(NULL);
@@ -930,7 +939,9 @@ static void test_audit_group_json_error(void **state)
 	req->operation =  LDB_ADD;
 	add_transaction_id(req, TRANSACTION);
 
-	before = time(NULL);
+	rc = gettimeofday(&tv, NULL);
+	assert_return_code(rc, errno);
+	before = tv.tv_sec;
 	json = audit_group_json(module,
 				req,
 				"the-action",
@@ -1015,6 +1026,8 @@ static void test_audit_group_json_no_event(void **state)
 	json_t *v = NULL;
 	json_t *o = NULL;
 	time_t before;
+	struct timeval tv;
+	int rc;
 
 
 	TALLOC_CTX *ctx = talloc_new(NULL);
@@ -1035,7 +1048,9 @@ static void test_audit_group_json_no_event(void **state)
 	req->operation =  LDB_ADD;
 	add_transaction_id(req, TRANSACTION);
 
-	before = time(NULL);
+	rc = gettimeofday(&tv, NULL);
+	assert_return_code(rc, errno);
+	before = tv.tv_sec;
 	json = audit_group_json(module,
 				req,
 				"the-action",
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 62cc8bdef1d..f79ff1b8c3c 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -2743,8 +2743,10 @@ samba_kdc_check_s4u2proxy(krb5_context context,
 
 	el = ldb_msg_find_element(skdc_entry->msg, "msDS-AllowedToDelegateTo");
 	if (el == NULL) {
+		ret = ENOENT;
 		goto bad_option;
 	}
+	SMB_ASSERT(el->num_values != 0);
 
 	/*
 	 * This is the Microsoft forwardable flag behavior.
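Review bot: SMB_ASSERT() panics the process on failure, so `SMB_ASSERT(el->num_values != 0);` turns what the commit message itself calls a paranoia case (an msDS-AllowedToDelegateTo element present with zero values) into a KDC abort driven by directory content. Since bad_option already exists one line above, `if (el->num_values == 0) { ret = ENOENT; goto bad_option; }` is the safer shape and keeps the `target_principal == NULL` fast path below correct without relying on an abort.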
@@ -2752,7 +2754,7 @@ samba_kdc_check_s4u2proxy(krb5_context context,
 	 * If the proxy (target) principal is NULL, and we have any authorized
 	 * delegation target, allow to forward.
 	 */
-	if (el->num_values >= 0 && target_principal == NULL) {
+	if (target_principal == NULL) {
 		return 0;
 	}
 
@@ -2810,6 +2812,7 @@ samba_kdc_check_s4u2proxy(krb5_context context,
 	}
 
 	if (!found) {
+		ret = ENOENT;
 		goto bad_option;
 	}
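Review bot: both goto bad_option sites now set `ret = ENOENT`, so the log line at bad_option cannot distinguish "no msDS-AllowedToDelegateTo attribute at all" from "attribute present but the requested target is not listed". As ret only feeds the log message (per the commit message), a distinct code for the not-found case, or logging the target principal at bad_option if it is not already, would make constrained-delegation denials easier to triage.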
 
diff --git a/source4/kdc/hdb-samba4.c b/source4/kdc/hdb-samba4.c
index 5720dfadc1f..e82ebbe7daa 100644
--- a/source4/kdc/hdb-samba4.c
+++ b/source4/kdc/hdb-samba4.c
@@ -612,7 +612,44 @@ static krb5_error_code hdb_samba4_audit(krb5_context context,
 		ui.auth_description = auth_description;
 
 		if (hdb_auth_status == KDC_AUTH_EVENT_CLIENT_AUTHORIZED) {
+			/* This is the final sucess */
 			status = NT_STATUS_OK;
+		} else if (hdb_auth_status == KDC_AUTH_EVENT_VALIDATED_LONG_TERM_KEY) {
+			/*
+			 * This was only a pre-authentication success,
+			 * but we didn't reach the final
+			 * KDC_AUTH_EVENT_CLIENT_AUTHORIZED,
+			 * so consult the error code.


-- 
Samba Shared Repository


