[SCM] Samba Shared Repository - branch master updated

Andrew Bartlett abartlet at samba.org
Thu Dec 14 04:33:02 UTC 2023


The branch, master has been updated
       via  ff52e342887 python: Remove references to removed parameters
       via  ddddf9d4a40 python: Remove unused parameter ‘backup’
       via  891e1da968a python: Remove unused parameter ‘serverrole’
       via  7750edc14e2 python: Remove unused parameter ‘am_rodc’
       via  10d79ef21f7 python: Remove unused parameter ‘am_rodc’
       via  e67196e13cb python: Remove unused parameters ‘backend_store’ and ‘backend_store_size’
       via  beefbb277a9 python: Remove unused parameters ‘backend_store’ and ‘backend_store_size’
       via  7e7f7d63ed6 python: Remove unused parameter ‘fill’
       via  9fbd3435512 python: Remove unused parameter ‘keytab_path’
       via  9cc823454ac python: Remove unused parameter ‘erase’
       via  efaa27c498e python: Remove unused parameter ‘backend_store_size’
       via  b6dc21169c7 python: Remove unused parameter ‘root_gid’
       via  6fdf710ba7e python: Remove unused parameters ‘maxuid’ and ‘maxgid’
       via  8c288c6beb6 python: Remove unused parameters ‘maxuid’ and ‘maxgid’
       via  8331142081a python: Remove unused parameter ‘name’
       via  704ad18bf5b python: Remove unused parameter ‘netlogon’
       via  eb727331a37 python: Remove unused parameter ‘samdb’
       via  d9a665a0e44 python: Remove unused parameter ‘lp’
       via  246666e7220 python: Remove unused parameter ‘message’
       via  5132771fb71 python: Remove unused parameter ‘targetdir’
       via  8439dcb4842 python: Remove unused parameter ‘backend_store’
       via  e37dfc29671 python: Remove unused parameter ‘lp’
       via  58814bfd392 python: Remove unused parameter ‘lp’
       via  c692653459b python: Remove unused parameter ‘targetdir’
       via  49801372c61 python: Remove unused parameter ‘targetdir’
       via  a84c5212655 python: Remove unused parameter ‘backend_store’
       via  95e0df789c3 python: Remove unused parameter ‘lp’
       via  7064e39fae8 python: Remove unused parameter ‘logger’
       via  a341aca14cb python: Make use of ‘prefix’ parameter
       via  d8b5cb103b1 python: Remove unused parameter ‘lp’
       via  7e65a368d66 python: Remove unused parameter ‘targetdir’
       via  f9b22c6d5e0 python: Make use of ‘serverdn’ parameter
       via  dddaed61ea6 python: Remove unused variable ‘machinesid’
       via  dd9dfb0e664 python: Remove unfinished join method
       via  25f8e507931 libcli/security: allow SDDL conditional ACE round-trip for -00 and -0x0
       via  66f341e5c39 libcli/security: allow round-trip for conditional ACE hex integers
       via  d33ed631479 libcli/security: allow round-trip for conditional ACE octal integers
       via  bbe217604bd libcli/security: tests for conditional ACE integer base persistence
       via  b247a11e62e libcli/security: fix tests for SDDL conditional ACE round-trip
       via  db6b06578b6 libcli/security: clarify tests for SDDL round trips
       via  a016ce70684 libcli/security: don't allow conditional ACE SIDs to have trailing bytes
       via  e004a5a444f libcli/security: SDDL decode stops earlier with too many ACEs
      from  3a01ef710d4 tests: Add a test for the idmap_nss : use_upn setting

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit ff52e342887a9a6054580fec238880646302ecb8
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Dec 1 15:01:16 2023 +1300

    python: Remove references to removed parameters
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Thu Dec 14 04:32:31 UTC 2023 on atb-devel-224

commit ddddf9d4a408a4e5a5f193b5f314af1fa1d3a579
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Nov 23 21:04:07 2023 +1300

    python: Remove unused parameter ‘backup’
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 891e1da968a41c53ae3e2f24c9837930ce4c1007
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Nov 23 21:03:57 2023 +1300

    python: Remove unused parameter ‘serverrole’
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 7750edc14e2a4d38873a5157681b881ae1d8785b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Nov 23 21:03:19 2023 +1300

    python: Remove unused parameter ‘am_rodc’
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 10d79ef21f708df54098a8fa8051deacc5cd97ae
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Nov 23 21:02:13 2023 +1300

    python: Remove unused parameter ‘am_rodc’
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit e67196e13cb4d470650291f17df05ea1ad877045
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Nov 23 21:01:19 2023 +1300

    python: Remove unused parameters ‘backend_store’ and ‘backend_store_size’
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit beefbb277a95b876e1fa323f9401da531d73ab9b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Nov 23 20:59:59 2023 +1300

    python: Remove unused parameters ‘backend_store’ and ‘backend_store_size’
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 7e7f7d63ed6f6a6c0ff991ca7633286c1d7010d3
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Nov 23 20:58:02 2023 +1300

    python: Remove unused parameter ‘fill’
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 9fbd3435512ba5f3d47f8c8e31d657c242f29a00
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Nov 23 20:57:29 2023 +1300

    python: Remove unused parameter ‘keytab_path’
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 9cc823454acb9b6beed73b09f47f573f3c65b74b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Nov 23 20:57:10 2023 +1300

    python: Remove unused parameter ‘erase’
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit efaa27c498e9a8448404cda42e1b7c5f61235b14
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Nov 23 20:56:49 2023 +1300

    python: Remove unused parameter ‘backend_store_size’
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit b6dc21169c733a1aa94f20177cd805c6e323a975
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Nov 23 20:55:41 2023 +1300

    python: Remove unused parameter ‘root_gid’
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 6fdf710ba7e05498f0bc2ea63889b2935381bc64
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Nov 23 20:54:45 2023 +1300

    python: Remove unused parameters ‘maxuid’ and ‘maxgid’
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 8c288c6beb634654da33193a1b7333e19f2bd0e2
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Nov 23 20:53:41 2023 +1300

    python: Remove unused parameters ‘maxuid’ and ‘maxgid’
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 8331142081aaa0a5874ad0f8fec2a6e350447b05
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Nov 23 20:52:32 2023 +1300

    python: Remove unused parameter ‘name’
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 704ad18bf5ba3a0c2b923343a93a48b3d4cada50
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Nov 23 20:52:03 2023 +1300

    python: Remove unused parameter ‘netlogon’
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit eb727331a3702d025036daab619f428eb749c5f3
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Nov 23 20:50:42 2023 +1300

    python: Remove unused parameter ‘samdb’
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit d9a665a0e448d1049da61dee285f51ee8120f393
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Nov 23 20:50:18 2023 +1300

    python: Remove unused parameter ‘lp’
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 246666e722036d1273bb550ca8b8226e776fc839
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Nov 23 20:48:56 2023 +1300

    python: Remove unused parameter ‘message’
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 5132771fb71e4e2f6843093fc10f7e793fb7b3fb
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Nov 23 20:47:31 2023 +1300

    python: Remove unused parameter ‘targetdir’
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 8439dcb484221c167e8c5fae78105dbafc1e6fd7
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Nov 23 20:42:57 2023 +1300

    python: Remove unused parameter ‘backend_store’
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit e37dfc2967107b7262b3b5b92b1ec49f6b1a7d81
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Nov 23 20:42:16 2023 +1300

    python: Remove unused parameter ‘lp’
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 58814bfd392d830b99ff9b8f8e1252f7a5e924c4
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Nov 23 20:41:18 2023 +1300

    python: Remove unused parameter ‘lp’
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit c692653459bd4be40d904bdd3b7128457b90e1a1
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Nov 23 20:40:16 2023 +1300

    python: Remove unused parameter ‘targetdir’
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 49801372c61636d86c3a7263cb087c5e9dcd5a85
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Nov 23 20:38:15 2023 +1300

    python: Remove unused parameter ‘targetdir’
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit a84c5212655ffce39bc234e65292a2585fd44161
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Nov 23 20:37:04 2023 +1300

    python: Remove unused parameter ‘backend_store’
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 95e0df789c380b21bb2517ad9c135c00c5f01bfd
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Nov 23 20:34:31 2023 +1300

    python: Remove unused parameter ‘lp’
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 7064e39fae81f0e75a3c6f26dc418cac4e7ff2a9
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Nov 23 20:34:08 2023 +1300

    python: Remove unused parameter ‘logger’
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit a341aca14cb56de64260c0766b94e0d068ab3c02
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Nov 30 17:05:22 2023 +1300

    python: Make use of ‘prefix’ parameter
    
    This method is now consistent with the other ‘add_*_record()’ methods.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit d8b5cb103b1e016bc43761c4b7aeb1f7bdb94249
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Nov 23 20:31:55 2023 +1300

    python: Remove unused parameter ‘lp’
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 7e65a368d66da7b4fa5a4a77dac6bcef354197c5
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Nov 23 20:30:55 2023 +1300

    python: Remove unused parameter ‘targetdir’
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit f9b22c6d5e01452372f541e4bd60397f4cf5caaa
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Nov 30 17:01:11 2023 +1300

    python: Make use of ‘serverdn’ parameter
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit dddaed61ea6684831bc23272748717aae537cc12
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Nov 23 20:22:16 2023 +1300

    python: Remove unused variable ‘machinesid’
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit dd9dfb0e664bb474b97a46be952b07734dcbd03b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Nov 13 13:00:43 2023 +1300

    python: Remove unfinished join method
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 25f8e5079315b97279dd7d174aeb98241c3d8b5a
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Thu Dec 14 12:50:31 2023 +1300

    libcli/security: allow SDDL conditional ACE round-trip for -00 and -0x0
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 66f341e5c3975c549b51a6ce4b82fbe02fb0a71d
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Wed Dec 13 17:24:50 2023 +1300

    libcli/security: allow round-trip for conditional ACE hex integers
    
    As with the previous commit, though not addressing the particular fuzz
    case, zero hex numbers need to be explicitly written as "0x0", or the
    round-trip will fail.
    
    Credit to OSS-Fuzz.
    
    REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=62929
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit d33ed63147930377697535066fa96b9b4965ea41
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Wed Dec 13 17:20:38 2023 +1300

    libcli/security: allow round-trip for conditional ACE octal integers
    
    The string "00" will decode into an integer tagged as octal, but
    `snprintf("%#oll")` will write the string "0", which would decode as
    decimal, so in the SDDL1->SD1->SDDL2->SD2 round trip, SD1 would
    not be the same as SD2.
    
    The effect is really only relevant to SDDL, which wants to remember
    what base the numbers were presented in, though the fuzzers and tests
    don't directly compare SDDL, which can have extra spaces and so forth.
    
    Credit to OSS-Fuzz.
    
    REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=62929
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit bbe217604bd304454ae07fa817a50ef6d220e200
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Thu Dec 14 11:56:19 2023 +1300

    libcli/security: tests for conditional ACE integer base persistence
    
    Credit to OSS-Fuzz.
    
    REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=62929
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit b247a11e62edce02622ad5996a9791987c362127
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Thu Dec 14 12:27:08 2023 +1300

    libcli/security: fix tests for SDDL conditional ACE round-trip
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit db6b06578b6784b4d09c1d8e70015f0ab72303a6
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Thu Dec 14 11:56:19 2023 +1300

    libcli/security: clarify tests for SDDL round trips
    
    The `failed = failed || ok` did the same thing, obscurely.
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit a016ce70684e5237764b2432fa182ba8b0af6b0b
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Wed Dec 13 15:39:33 2023 +1300

    libcli/security: don't allow conditional ACE SIDs to have trailing bytes
    
    They should be tightly packed, allowing conditional ACEs to
    round-trip.
    
    Credit to OSS-Fuzz.
    
    REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=64197
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit e004a5a444f9760ff305154cb0c3f1fe1800e8af
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Wed Dec 13 10:57:41 2023 +1300

    libcli/security: SDDL decode stops earlier with too many ACEs
    
    For this purpose, "too many" means we know for sure that it won't fit
    in packet format, even if all the ACEs are minimum size. This would
    fail anyway.
    
    Credit to OSS-Fuzz, who found that 50 thousand ACEs took more
    than 60 seconds to decode. This will now fail after 4096 ACEs which
    should be about 150 times faster than 50k (because the realloc loop is
    quadratic), so ~0.5 seconds in the fuzz context with sanitisers
    enabled. That is still slowish, but SDDL parsing is not a critical
    path and without address sanitisers it will be many times faster.
    
    REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=62511
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 libcli/security/conditional_ace.c                 |  2 +
 libcli/security/sddl.c                            | 10 +++
 libcli/security/sddl_conditional_ace.c            | 10 +--
 libcli/security/tests/test_sddl_conditional_ace.c | 23 +++++--
 python/samba/join.py                              | 11 +---
 python/samba/netcmd/ntacl.py                      |  3 +-
 python/samba/provision/__init__.py                | 78 ++++++++++-------------
 python/samba/provision/sambadns.py                | 26 +++-----
 python/samba/tests/upgradeprovisionneeddc.py      |  4 +-
 python/samba/upgrade.py                           | 12 ++--
 python/samba/upgradehelpers.py                    |  2 +-
 source4/scripting/bin/samba_upgradeprovision      |  2 +-
 12 files changed, 87 insertions(+), 96 deletions(-)


Changeset truncated at 500 lines:

diff --git a/libcli/security/conditional_ace.c b/libcli/security/conditional_ace.c
index 1876b52c141..158c8ecf82e 100644
--- a/libcli/security/conditional_ace.c
+++ b/libcli/security/conditional_ace.c
@@ -254,6 +254,8 @@ static ssize_t pull_sid(TALLOC_CTX *mem_ctx,
 	if (ndr == NULL) {
 		return -1;
 	}
+	ndr->flags |= LIBNDR_FLAG_SUBCONTEXT_NO_UNREAD_BYTES;
+
 	ndr_err = ndr_pull_ace_condition_sid(ndr, NDR_SCALARS|NDR_BUFFERS, tok);
 	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
 		TALLOC_FREE(ndr);
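Review bot: the flag assignment before `ndr_pull_ace_condition_sid()` carries no comment saying why unread bytes are rejected at this point. A one-line comment that conditional ACE SIDs must be tightly packed for the round trip would keep it from being dropped in a later cleanup. The test changes visible in this changeset add only integer cases, so a regression case for a SID token with trailing bytes would be worth adding alongside.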
diff --git a/libcli/security/sddl.c b/libcli/security/sddl.c
index 3b92404634c..d1f77075238 100644
--- a/libcli/security/sddl.c
+++ b/libcli/security/sddl.c
@@ -853,6 +853,16 @@ static struct security_acl *sddl_decode_acl(struct security_descriptor *sd,
 
 	while (*sddl_copy == '(') {
 		bool ok;
+		if (acl->num_aces > UINT16_MAX / 16) {
+			/*
+			 * We can't fit this many ACEs in a wire ACL
+			 * which has a 16 bit size field (and 16 is
+			 * the minimal size of an ACE with no subauths).
+			 */
+			talloc_free(acl);
+			return NULL;
+		}
+
 		acl->aces = talloc_realloc(acl, acl->aces, struct security_ace,
 					   acl->num_aces+1);
 		if (acl->aces == NULL) {
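Review bot: the bound `acl->num_aces > UINT16_MAX / 16` at the top of the loop is one looser than the comment implies. UINT16_MAX / 16 is 4095, so the check still passes with 4095 ACEs parsed and a 4096th is allocated, and 4096 ACEs of 16 bytes is 65536 bytes, which already exceeds a 16 bit size field. Using `>=` would give the tight limit. The literal 16 would also read better as a named constant for the minimal ACE size, since the comment is the only place that explains it.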
diff --git a/libcli/security/sddl_conditional_ace.c b/libcli/security/sddl_conditional_ace.c
index d281e186a6c..b5d0a3afa3a 100644
--- a/libcli/security/sddl_conditional_ace.c
+++ b/libcli/security/sddl_conditional_ace.c
@@ -635,11 +635,11 @@ static bool sddl_write_int(struct sddl_write_context *ctx,
 	if (sign == CONDITIONAL_ACE_INT_SIGN_NONE) {
 		/* octal and hex will end up unsigned! */
 		if (base == CONDITIONAL_ACE_INT_BASE_8) {
-			snprintf(buf, sizeof(buf), "%#"PRIo64, v);
+			snprintf(buf, sizeof(buf), "0%"PRIo64, v);
 		} else if (base == CONDITIONAL_ACE_INT_BASE_10) {
 			snprintf(buf, sizeof(buf), "%"PRId64, v);
 		} else {
-			snprintf(buf, sizeof(buf), "%#"PRIx64, v);
+			snprintf(buf, sizeof(buf), "0x%"PRIx64, v);
 		}
 		return sddl_write(ctx, buf);
 	}
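Review bot: the literal "0" and "0x" prefixes in the unsigned branch of `sddl_write_int()` replace the `%#` flag without a code comment explaining why. Since `%#` omits the prefix for a zero value and the base is then lost when the string is parsed again, a short comment saying so next to the two `snprintf()` calls would stop the format strings being "simplified" back later.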
@@ -670,12 +670,12 @@ static bool sddl_write_int(struct sddl_write_context *ctx,
 		return sddl_write(ctx, "-0x8000000000000000");
 	}
 
-	buf[0] = (v < 0) ? '-' : '+';
+	buf[0] = (sign == CONDITIONAL_ACE_INT_SIGN_NEGATIVE) ? '-' : '+';
 
 	if (base == CONDITIONAL_ACE_INT_BASE_8) {
-		snprintf(buf + 1, sizeof(buf) - 1, "%#llo", llabs(v));
+		snprintf(buf + 1, sizeof(buf) - 1, "0%llo", llabs(v));
 	} else {
-		snprintf(buf + 1, sizeof(buf) - 1, "%#llx", llabs(v));
+		snprintf(buf + 1, sizeof(buf) - 1, "0x%llx", llabs(v));
 	}
 	return sddl_write(ctx, buf);
 }
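Review bot: `buf[0]` is now chosen from the `sign` tag rather than from `v`, while the digits still come from `llabs(v)`, so a token whose tag disagrees with the value (for example a negative tag with a positive `v`) would be written with the wrong sign and would not re-parse to the same integer. If that mismatch is not already rejected above this hunk, an explicit check that returns false before writing would make the function safe for tokens that come from decoded binary ACEs.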
diff --git a/libcli/security/tests/test_sddl_conditional_ace.c b/libcli/security/tests/test_sddl_conditional_ace.c
index 4aaf4f21d19..3ea9e23b2b8 100644
--- a/libcli/security/tests/test_sddl_conditional_ace.c
+++ b/libcli/security/tests/test_sddl_conditional_ace.c
@@ -583,7 +583,8 @@ static void test_round_trips(void **state)
 {
 	/*
 	 * These expressions should parse into proper conditional
-	 * ACEs, which then decode into the same string.
+	 * ACEs, which then encode into an equivalent SDDL string,
+	 * which then parses again into the same conditional ACE.
 	 */
 	static const char *sddl[] = {
 		("(Member_of{SID(AA)})"),
@@ -616,6 +617,14 @@ static void test_round_trips(void **state)
 		"( x == SID(BA))",
 		"((x) == SID(BA))",
 		"(OctetStringType==#1#2#3###))",
+		"(@user.x == 00)",
+		"(@user.x == 01)",
+		"(@user.x == -00)",
+		"(@user.x == -01)",
+		"(@user.x == 0x0)",
+		"(@user.x == 0x1)",
+		"(@user.x == -0x0)",
+		"(@user.x == -0x1)",
 	};
 	size_t i, length;
 	TALLOC_CTX *mem_ctx = talloc_new(NULL);
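Review bot: the new entries in the `sddl[]` array cover unsigned and `-` prefixed octal and hex values, but none with an explicit `+` sign, although `sddl_write_int()` writes '+' for the signed non-negative case. Adding "(@user.x == +00)" and "(@user.x == +0x0)" style cases would exercise that branch for zero as well.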
@@ -667,7 +676,7 @@ static void test_round_trips(void **state)
 			continue;
 		}
 		if (data_blob_cmp(&e1, &e2) != 0) {
-			failed = failed || ok;
+			failed = true;
 		}
 
 		resddl1 = sddl_from_conditional_ace(mem_ctx, s1);
@@ -684,9 +693,9 @@ static void test_round_trips(void **state)
 		}
 		if (strcmp(resddl1, resddl2) != 0) {
 			print_message("SDDL 2: %s\n", resddl2);
-			failed = failed || ok;
+			failed = true;
 		}
-		print_message("SDDL: %s\n", resddl1);
+		print_message("SDDL: '%s' -> '%s'\n", sddl[i], resddl1);
 		s3 = ace_conditions_compile_sddl(mem_ctx,
 						 ACE_CONDITION_FLAG_ALLOW_DEVICE,
 						 resddl1,
@@ -705,9 +714,9 @@ static void test_round_trips(void **state)
 			debug_fail("%s could not encode\n", resddl1);
 			continue;
 		}
-		if (data_blob_cmp(&e1, &e2) != 0) {
-			debug_fail("'%s' compiled differently\n", resddl1);
-			failed = failed || ok;
+		if (data_blob_cmp(&e1, &e3) != 0) {
+			debug_fail("'%s' and '%s' compiled differently\n", sddl[i], resddl1);
+			failed = true;
 		}
 	}
 	assert_false(failed);
diff --git a/python/samba/join.py b/python/samba/join.py
index af5e9339157..557d9e19b32 100644
--- a/python/samba/join.py
+++ b/python/samba/join.py
@@ -463,12 +463,6 @@ class DCJoinContext(object):
                               am_rodc=False)
         ctx.tmp_samdb.set_schema(ctx.tmp_schema)
 
-    def build_DsReplicaAttribute(ctx, attrname, attrvalue):
-        '''build a DsReplicaAttributeCtr object'''
-        r = drsuapi.DsReplicaAttribute()
-        r.attid = ctx.tmp_samdb.get_attid_from_lDAPDisplayName(attrname)
-        r.value_ctr = 1
-
     def DsAddEntry(ctx, recs):
         '''add a record via the DRSUAPI DsAddEntry call'''
         if ctx.drsuapi is None:
@@ -925,7 +919,7 @@ class DCJoinContext(object):
         provision_fill(ctx.local_samdb, secrets_ldb,
                        ctx.logger, ctx.names, ctx.paths,
                        dom_for_fun_level=ctx.behavior_version,
-                       targetdir=ctx.targetdir, samdb_fill=FILL_SUBDOMAIN,
+                       samdb_fill=FILL_SUBDOMAIN,
                        machinepass=ctx.acct_pass, serverrole="active directory domain controller",
                        lp=ctx.lp, hostip=ctx.names.hostip, hostip6=ctx.names.hostip6,
                        dns_backend=ctx.dns_backend, adminpass=ctx.adminpass)
@@ -1376,10 +1370,9 @@ class DCJoinContext(object):
 
         if ctx.dns_backend.startswith("BIND9_"):
             setup_bind9_dns(ctx.local_samdb, secrets_ldb,
-                            ctx.names, ctx.paths, ctx.lp, ctx.logger,
+                            ctx.names, ctx.paths, ctx.logger,
                             dns_backend=ctx.dns_backend,
                             dnspass=ctx.dnspass, os_level=ctx.behavior_version,
-                            targetdir=ctx.targetdir,
                             key_version_number=ctx.dns_key_version_number)
 
     def join_setup_trusts(ctx):
diff --git a/python/samba/netcmd/ntacl.py b/python/samba/netcmd/ntacl.py
index 022de076cba..34675c71375 100644
--- a/python/samba/netcmd/ntacl.py
+++ b/python/samba/netcmd/ntacl.py
@@ -407,7 +407,6 @@ class cmd_ntacl_sysvolreset(Command):
         creds.set_kerberos_state(DONT_USE_KERBEROS)
         logger = self.get_logger()
 
-        netlogon = lp.get("path", "netlogon")
         sysvol = lp.get("path", "sysvol")
         try:
             samdb = SamDB(session_info=system_session(),
@@ -447,7 +446,7 @@ class cmd_ntacl_sysvolreset(Command):
             logger.warning("Please note that POSIX permissions have NOT been changed, only the stored NT ACL")
 
         try:
-            provision.setsysvolacl(samdb, netlogon, sysvol,
+            provision.setsysvolacl(samdb, sysvol,
                                    LA_uid, BA_gid, domain_sid,
                                    lp.get("realm").lower(), samdb.domain_dn(),
                                    lp, use_ntvfs=use_ntvfs)
diff --git a/python/samba/provision/__init__.py b/python/samba/provision/__init__.py
index 57908a141f9..f731d642d7f 100644
--- a/python/samba/provision/__init__.py
+++ b/python/samba/provision/__init__.py
@@ -686,6 +686,10 @@ def guess_names(lp=None, hostname=None, domain=None, dnsdomain=None,
     if sitename is None:
         sitename = DEFAULTSITE
 
+    if serverdn is None:
+        serverdn = "CN=%s,CN=Servers,CN=%s,CN=Sites,%s" % (
+            netbiosname, sitename, configdn)
+
     names = ProvisionNames()
     names.rootdn = rootdn
     names.domaindn = domaindn
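Review bot: a `serverdn` passed to `guess_names()` is now used verbatim, whereas the assignment removed in the next hunk always rebuilt it from `netbiosname`, `sitename` and `configdn`. Callers that already pass a `serverdn` will get different output after this change, so they should be checked, and the docstring should say that the supplied value is not validated against the site and configuration DN.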
@@ -698,8 +702,7 @@ def guess_names(lp=None, hostname=None, domain=None, dnsdomain=None,
     names.netbiosname = netbiosname
     names.hostname = hostname
     names.sitename = sitename
-    names.serverdn = "CN=%s,CN=Servers,CN=%s,CN=Sites,%s" % (
-        netbiosname, sitename, configdn)
+    names.serverdn = serverdn
 
     return names
 
@@ -807,7 +810,7 @@ def make_smbconf(smbconf, hostname, domain, realm, targetdir,
 
 
 def setup_name_mappings(idmap, sid, root_uid, nobody_uid,
-                        users_gid, root_gid):
+                        users_gid):
     """setup reasonable name mappings for sam names to unix names.
 
     :param samdb: SamDB object.
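Review bot: the docstring of `setup_name_mappings()` still documents `:param samdb: SamDB object.` although the first parameter in the signature is `idmap`. Since this change is already trimming stale parameter documentation in the same docstring, that entry should be corrected to describe `idmap` as well.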
@@ -817,7 +820,6 @@ def setup_name_mappings(idmap, sid, root_uid, nobody_uid,
     :param root_uid: uid of the UNIX root user.
     :param nobody_uid: uid of the UNIX nobody user.
     :param users_gid: gid of the UNIX users group.
-    :param root_gid: gid of the UNIX root group.
     """
     idmap.setup_name_mapping("S-1-5-7", idmap.TYPE_UID, nobody_uid)
 
@@ -827,8 +829,8 @@ def setup_name_mappings(idmap, sid, root_uid, nobody_uid,
 
 def setup_samdb_partitions(samdb_path, logger, lp, session_info,
                            provision_backend, names, serverrole,
-                           erase=False, plaintext_secrets=False,
-                           backend_store=None,backend_store_size=None):
+                           plaintext_secrets=False,
+                           backend_store=None):
     """Setup the partitions for the SAM database.
 
     Alternatively, provision() may call this, and then populate the database.
@@ -901,7 +903,6 @@ def setup_samdb_partitions(samdb_path, logger, lp, session_info,
 def secretsdb_self_join(secretsdb, domain,
                         netbiosname, machinepass, domainsid=None,
                         realm=None, dnsdomain=None,
-                        keytab_path=None,
                         key_version_number=1,
                         secure_channel_type=SEC_CHAN_WKSTA):
     """Add domain join-specific bits to a secrets database.
@@ -996,7 +997,6 @@ def setup_secretsdb(paths, session_info, lp):
 
     :param path: Path to the secrets database.
     :param session_info: Session info.
-    :param credentials: Credentials
     :param lp: Loadparm context
     :return: LDB handle for the created secrets database
     """
@@ -1035,7 +1035,6 @@ def setup_privileges(path, session_info, lp):
 
     :param path: Path to the privileges database.
     :param session_info: Session info.
-    :param credentials: Credentials
     :param lp: Loadparm context
     :return: LDB handle for the created secrets database
     """
@@ -1076,7 +1075,6 @@ def setup_registry(path, session_info, lp):
 
     :param path: Path to the registry database
     :param session_info: Session information
-    :param credentials: Credentials
     :param lp: Loadparm context
     """
     reg = samba.registry.Registry()
@@ -1092,7 +1090,6 @@ def setup_idmapdb(path, session_info, lp):
 
     :param path: path to the idmap database
     :param session_info: Session information
-    :param credentials: Credentials
     :param lp: Loadparm context
     """
     if os.path.exists(path):
@@ -1274,7 +1271,7 @@ def create_default_gpo(sysvolpath, dnsdomain, policyguid, policyguid_dc):
 DEFAULT_BACKEND_SIZE = 8 * 1024 * 1024 *1024
 
 def setup_samdb(path, session_info, provision_backend, lp, names,
-                logger, fill, serverrole, schema, am_rodc=False,
+                logger, serverrole, schema, am_rodc=False,
                 plaintext_secrets=False, backend_store=None,
                 backend_store_size=None, batch_mode=False):
     """Setup a complete SAM Database.
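Review bot: `fill` is removed from the middle of setup_samdb's positional parameters, so a stale caller that still passes it positionally does not fail; it binds the old fill value to `serverrole`, the role to `schema` and the schema to `am_rodc`. The caller in provision() uses keywords from `logger=` onwards, but making everything after `names` keyword-only (a bare `*` in the signature) would turn a stale call into a TypeError instead of silently shifted arguments.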
@@ -1286,8 +1283,7 @@ def setup_samdb(path, session_info, provision_backend, lp, names,
     setup_samdb_partitions(path, logger=logger, lp=lp,
                            provision_backend=provision_backend, session_info=session_info,
                            names=names, serverrole=serverrole, plaintext_secrets=plaintext_secrets,
-                           backend_store=backend_store,
-                           backend_store_size=backend_store_size)
+                           backend_store=backend_store)
 
     store_size = DEFAULT_BACKEND_SIZE
     if backend_store_size:
@@ -1341,10 +1337,8 @@ def setup_samdb(path, session_info, provision_backend, lp, names,
 
 def fill_samdb(samdb, lp, names, logger, policyguid,
                policyguid_dc, fill, adminpass, krbtgtpass, machinepass, dns_backend,
-               dnspass, invocationid, ntdsguid, serverrole, am_rodc=False,
-               dom_for_fun_level=None, schema=None, next_rid=None, dc_rid=None,
-               backend_store=None,
-               backend_store_size=None):
+               dnspass, invocationid, ntdsguid,
+               dom_for_fun_level=None, schema=None, next_rid=None, dc_rid=None):
 
     if next_rid is None:
         next_rid = 1000
@@ -1657,12 +1651,11 @@ def set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, p
                     passdb=passdb)
 
 
-def setsysvolacl(samdb, netlogon, sysvol, uid, gid, domainsid, dnsdomain,
+def setsysvolacl(samdb, sysvol, uid, gid, domainsid, dnsdomain,
                  domaindn, lp, use_ntvfs):
     """Set the ACL for the sysvol share and the subfolders
 
     :param samdb: An LDB object on the SAM db
-    :param netlogon: Physical path for the netlogon folder
     :param sysvol: Physical path for the sysvol folder
     :param uid: The UID of the "Administrator" user
     :param gid: The GID of the "Domain administrators" group
@@ -1913,16 +1906,15 @@ def interface_ips_v6(lp):
 
 def provision_fill(samdb, secrets_ldb, logger, names, paths,
                    schema=None,
-                   targetdir=None, samdb_fill=FILL_FULL,
+                   samdb_fill=FILL_FULL,
                    hostip=None, hostip6=None,
                    next_rid=1000, dc_rid=None, adminpass=None, krbtgtpass=None,
                    domainguid=None, policyguid=None, policyguid_dc=None,
                    invocationid=None, machinepass=None, ntdsguid=None,
                    dns_backend=None, dnspass=None,
                    serverrole=None, dom_for_fun_level=None,
-                   am_rodc=False, lp=None, use_ntvfs=False,
-                   skip_sysvolacl=False, backend_store=None,
-                   backend_store_size=None):
+                   lp=None, use_ntvfs=False,
+                   skip_sysvolacl=False):
     # create/adapt the group policy GUIDs
     # Default GUID for default policy are described at
     # "How Core Group Policy Works"
@@ -1955,11 +1947,9 @@ def provision_fill(samdb, secrets_ldb, logger, names, paths,
                            fill=samdb_fill, adminpass=adminpass, krbtgtpass=krbtgtpass,
                            invocationid=invocationid, machinepass=machinepass,
                            dns_backend=dns_backend, dnspass=dnspass,
-                           ntdsguid=ntdsguid, serverrole=serverrole,
-                           dom_for_fun_level=dom_for_fun_level, am_rodc=am_rodc,
-                           next_rid=next_rid, dc_rid=dc_rid,
-                           backend_store=backend_store,
-                           backend_store_size=backend_store_size)
+                           ntdsguid=ntdsguid,
+                           dom_for_fun_level=dom_for_fun_level,
+                           next_rid=next_rid, dc_rid=dc_rid)
 
         # Set up group policies (domain policy and domain controller
         # policy)
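Review bot: `serverrole` is no longer forwarded to fill_samdb in this call, yet provision_fill keeps `serverrole=None` in its signature and provision() still passes `serverrole=serverrole` to it. If nothing else in provision_fill reads it, drop it in this series as well; if something does, that is worth a short comment so the next cleanup does not remove it by mistake.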
@@ -1976,7 +1966,7 @@ def provision_fill(samdb, secrets_ldb, logger, names, paths,
         # Continue setting up sysvol for GPO. This appears to require being
         # outside a transaction.
         if not skip_sysvolacl:
-            setsysvolacl(samdb, paths.netlogon, paths.sysvol, paths.root_uid,
+            setsysvolacl(samdb, paths.sysvol, paths.root_uid,
                          paths.root_gid, names.domainsid, names.dnsdomain,
                          names.domaindn, lp, use_ntvfs)
         else:
@@ -2006,11 +1996,10 @@ def provision_fill(samdb, secrets_ldb, logger, names, paths,
                 # It might be that this attribute does not exist in this schema
                 raise
 
-        setup_ad_dns(samdb, secrets_ldb, names, paths, lp, logger,
+        setup_ad_dns(samdb, secrets_ldb, names, paths, logger,
                      hostip=hostip, hostip6=hostip6, dns_backend=dns_backend,
                      dnspass=dnspass, os_level=dom_for_fun_level,
-                     targetdir=targetdir, fill_level=samdb_fill,
-                     backend_store=backend_store)
+                     fill_level=samdb_fill)
 
         domainguid = samdb.searchone(basedn=samdb.get_default_basedn(),
                                      attribute="objectGUID").decode('utf8')
@@ -2085,8 +2074,7 @@ def sanitize_server_role(role):
         raise ValueError(role)
 
 
-def provision_fake_ypserver(logger, samdb, domaindn, netbiosname, nisdomain,
-                            maxuid, maxgid):
+def provision_fake_ypserver(logger, samdb, domaindn, netbiosname, nisdomain):
     """Create AD entries for the fake ypserver.
 
     This is needed for being able to manipulate posix attrs via ADUC.
@@ -2156,10 +2144,10 @@ def provision(logger, session_info, smbconf=None,
               krbtgtpass=None, domainguid=None, policyguid=None, policyguid_dc=None,
               dns_backend=None, dns_forwarder=None, dnspass=None,
               invocationid=None, machinepass=None, ntdsguid=None,
-              root=None, nobody=None, users=None, backup=None,
+              root=None, nobody=None, users=None,
               sitename=None, serverrole=None, dom_for_fun_level=None,
               useeadb=False, am_rodc=False, lp=None, use_ntvfs=False,
-              use_rfc2307=False, maxuid=None, maxgid=None, skip_sysvolacl=True,
+              use_rfc2307=False, skip_sysvolacl=True,
               base_schema="2019", adprep_level=DS_DOMAIN_FUNCTION_2016,
               plaintext_secrets=False, backend_store=None,
               backend_store_size=None, batch_mode=False):
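Review bot: provision() loses the keywords `backup`, `maxuid` and `maxgid` with no compatibility path, so any caller that still passes one of them fails with a TypeError at call time. The series has a follow-up commit for removed references; please confirm it covers every caller of provision(), and mention the removed keywords in the commit message so out-of-tree scripts can be adjusted.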
@@ -2329,13 +2317,13 @@ def provision(logger, session_info, smbconf=None,
 
         setup_name_mappings(idmap, sid=str(domainsid),
                             root_uid=root_uid, nobody_uid=nobody_uid,
-                            users_gid=users_gid, root_gid=root_gid)
+                            users_gid=users_gid)
 
         logger.info("Setting up SAM db")
         samdb = setup_samdb(paths.samdb, session_info,
                             provision_backend, lp, names, logger=logger,
                             serverrole=serverrole,
-                            schema=schema, fill=samdb_fill, am_rodc=am_rodc,
+                            schema=schema, am_rodc=am_rodc,
                             plaintext_secrets=plaintext_secrets,
                             backend_store=backend_store,
                             backend_store_size=backend_store_size,
@@ -2361,7 +2349,7 @@ def provision(logger, session_info, smbconf=None,
 
         if samdb_fill == FILL_FULL:
             provision_fill(samdb, secrets_ldb, logger, names, paths,
-                           schema=schema, targetdir=targetdir, samdb_fill=samdb_fill,
+                           schema=schema, samdb_fill=samdb_fill,
                            hostip=hostip, hostip6=hostip6,
                            next_rid=next_rid, dc_rid=dc_rid, adminpass=adminpass,
                            krbtgtpass=krbtgtpass,
@@ -2369,11 +2357,9 @@ def provision(logger, session_info, smbconf=None,
                            invocationid=invocationid, machinepass=machinepass,
                            ntdsguid=ntdsguid, dns_backend=dns_backend,
                            dnspass=dnspass, serverrole=serverrole,
-                           dom_for_fun_level=dom_for_fun_level, am_rodc=am_rodc,
+                           dom_for_fun_level=dom_for_fun_level,
                            lp=lp, use_ntvfs=use_ntvfs,
-                           skip_sysvolacl=skip_sysvolacl,
-                           backend_store=backend_store,
-                           backend_store_size=backend_store_size)
+                           skip_sysvolacl=skip_sysvolacl)
 
             if adprep_level is not None:
                 updates_allowed_overridden = False
@@ -2430,7 +2416,7 @@ def provision(logger, session_info, smbconf=None,
                     "symlink!")
 
         if serverrole == "active directory domain controller":
-            create_dns_update_list(lp, logger, paths)
+            create_dns_update_list(paths)
 
         backend_result = provision_backend.post_setup()
         provision_backend.shutdown()
@@ -2467,7 +2453,7 @@ def provision(logger, session_info, smbconf=None,
     if use_rfc2307:
         provision_fake_ypserver(logger=logger, samdb=samdb,
                                 domaindn=names.domaindn, netbiosname=names.netbiosname,
-                                nisdomain=names.domain.lower(), maxuid=maxuid, maxgid=maxgid)
+                                nisdomain=names.domain.lower())
 
     return result
 
diff --git a/python/samba/provision/sambadns.py b/python/samba/provision/sambadns.py
index 78fa8976da8..f77329e2818 100644
--- a/python/samba/provision/sambadns.py
+++ b/python/samba/provision/sambadns.py
@@ -425,7 +425,7 @@ def add_at_record(samdb, container_dn, prefix, hostname, dnsdomain, hostip, host
         at_aaaa_record = AAAARecord(hostip6)
         at_records.append(ndr_pack(at_aaaa_record))
 
-    msg = ldb.Message(ldb.Dn(samdb, "DC=@,%s" % container_dn))
+    msg = ldb.Message(ldb.Dn(samdb, "%s,%s" % (prefix, container_dn)))
     msg["objectClass"] = ["top", "dnsNode"]
     msg["dnsRecord"] = ldb.MessageElement(at_records, ldb.FLAG_MOD_ADD, "dnsRecord")
     samdb.add(msg)
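Review bot: the new `ldb.Dn(samdb, "%s,%s" % (prefix, container_dn))` line is a behaviour change rather than a dead-parameter cleanup, because the RDN was the constant `DC=@` and now comes from the caller-supplied `prefix`. Please confirm that every caller of add_at_record passes `DC=@`, or state the intended new use in the commit message. Since both values are joined by plain string formatting, also check that `prefix` can never carry unescaped DN special characters such as a comma, which would change where the record is created.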
@@ -765,7 +765,7 @@ def create_dns_dir_keytab_link(logger, paths):
                                 bind_dns_keytab_path, paths.bind_gid)
 
 
-def create_zone_file(lp, logger, paths, targetdir, dnsdomain,
+def create_zone_file(logger, paths, dnsdomain,
                      hostip, hostip6, hostname, realm, domainguid,
                      ntdsguid, site):
     """Write out a DNS zone file, from the info in the current database.
@@ -963,7 +963,7 @@ def create_samdb_copy(samdb, logger, paths, names, domainsid, domainguid):
                 set permissions to sam.ldb* files manually""")
 
 
-def create_dns_update_list(lp, logger, paths):
+def create_dns_update_list(paths):
     """Write out a dns_update_list file"""
     # note that we use no variable substitution on this file
     # the substitution is done at runtime by samba_dnsupdate, samba_spnupdate
@@ -1165,23 +1165,21 @@ def fill_dns_data_partitions(samdb, domainsid, site, domaindn, forestdn,
                                  domainguid, ntdsguid)


-- 
Samba Shared Repository


