[SCM] Samba Shared Repository - branch master updated

Andrew Bartlett abartlet at samba.org
Fri Jul 21 02:20:01 UTC 2023


The branch, master has been updated
       via  0da6cc71054 claims.idl: Fix AD claims encoding
       via  3109899299e lib/fault: During smb_panic() print process comment and setprocname() title
       via  e401ae44b2f python/samba: Adjust tarfile extraction filter
       via  5e473cba0d3 WHATSNEW: Mention new unicodePwd only over encrypted LDAP restriction
       via  3f253002280 WHATSNEW: mention KDC auditing
       via  b9667bc29a6 WHATSNEW: FAST support, Claims compression, SID compression
       via  6844def6675 WHATSNEW: Mention Heimdal updates
       via  fbed6d80b1f WHATSNEW: Expand detail on what of 2012, 2012R2 and 2016 support is implemented
       via  29310f27d49 WHATSNEW: PKINIT testing
       via  fb27e01b36f WHATSNEW: Include info on new samba-tool features
       via  0ee8c263f61 WHATSNEW: Add text on PKINIT Certificate Revocation
       via  980c1565ed1 s4:param: replace calls to deprecated Python methods
      from  ca5cc05b22b s3:script: Replace --merge by --merge-by-timestamp in samba-log-parser

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 0da6cc710542f534c82d9694e8d85d1fb376e536
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Jul 20 11:14:23 2023 +1200

    claims.idl: Fix AD claims encoding
    
    Up to now we have been absorbing the discriminant in the NDR padding,
    and setting it to zero in the push. But if the discriminant is not set
    correctly, Windows will refuse to regard any of the claims.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Fri Jul 21 02:19:48 UTC 2023 on atb-devel-224

commit 3109899299e28884261f54363e84b1090b574e39
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Jul 20 14:10:43 2023 +1200

    lib/fault: During smb_panic() print process comment and setprocname() title
    
    The purpose of this is to make it clear which part of the AD DC (in particular)
    has faulted without having to deduce it from the stacktrace.
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit e401ae44b2f952fc2686065fbfb3a563e3d4066a
Author: Noel Power <noel.power at suse.com>
Date:   Fri Jul 14 14:53:29 2023 +0100

    python/samba: Adjust tarfile extraction filter
    
    The 'data_filter' is far too restrictive: this filter doesn't apply any
    mode bits to directories, which in turn will result in unexpected
    directory permissions of, amongst others, the msg.[ls]ock directories.
    
    With 'data_filter' and a 'patched' python, at best we experience
    CI failures with the samba-ad-back1 & samba-ad-back2 CI jobs due to server
    startup failures; at worst users/admins will need to adjust directory
    permissions post backup.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15390
    
    Signed-off-by: Noel Power <noel.power at suse.com>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 5e473cba0d3dd842a41789f5d61d8234db54d6b7
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Jul 20 15:49:08 2023 +1200

    WHATSNEW: Mention new unicodePwd only over encrypted LDAP restriction
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit 3f253002280fa562de1c317e616d72ab8b6773c4
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Jul 20 15:48:40 2023 +1200

    WHATSNEW: mention KDC auditing
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit b9667bc29a63179b302a6610848df241239da7a7
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Jul 20 15:36:09 2023 +1200

    WHATSNEW: FAST support, Claims compression, SID compression
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit 6844def66754b87dc4b2647b65ac106382005fa7
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Jul 20 15:19:51 2023 +1200

    WHATSNEW: Mention Heimdal updates
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit fbed6d80b1fc4bb22896a1850ef9f15ddd0bc259
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Jul 20 15:01:43 2023 +1200

    WHATSNEW: Expand detail on what of 2012, 2012R2 and 2016 support is implemented
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit 29310f27d49b7b1a15a2db5966969fd0756484c4
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Jul 20 15:01:07 2023 +1200

    WHATSNEW: PKINIT testing
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit fb27e01b36f6741d88bfc739e693d6d273383100
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Jul 20 14:54:02 2023 +1200

    WHATSNEW: Include info on new samba-tool features
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit 0ee8c263f615baa3b839eeb94236b3f54862233b
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Jul 19 15:50:43 2023 +1200

    WHATSNEW: Add text on PKINIT Certificate Revocation
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=9612
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit 980c1565ed11e609d415ae4daec50a587c77960c
Author: Dmitry Antipov <dantipov at cloudlinux.com>
Date:   Thu Mar 30 14:04:37 2023 +0300

    s4:param: replace calls to deprecated Python methods
    
    Replace calls to (obsolete but still stable)
    PyEval_CallObjectWithKeywords() with PyObject_Call()
    by using a trivial wrapper.
    
    Signed-off-by: Dmitry Antipov <dantipov at cloudlinux.com>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    [abartlet at samba.org Adjusted to always use the PyObject_Call()
     as it is available in all of Samba's supported python versions]

-----------------------------------------------------------------------

Summary of changes:
 WHATSNEW.txt                 | 103 +++++++++++++++++++++++++++++++++++++++++++
 lib/cmdline/cmdline.c        |   2 +
 lib/util/fault.c             |  13 +++++-
 lib/util/util_process.c      |  38 +++++++++++++++-
 lib/util/util_process.h      |  34 ++++++++++++++
 lib/util/wscript_build       |   2 +-
 librpc/idl/claims.idl        |   2 +-
 python/samba/safe_tarfile.py |   2 +-
 source4/param/provision.c    |  18 ++++++--
 9 files changed, 205 insertions(+), 9 deletions(-)


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 7cdb9f32f08..17067eb7e27 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -64,6 +64,14 @@ Kerberos Claims, Authentication Silos and NTLM authentication policies
 An initial, partial implementation of Active Directory Functional
 Level 2012, 2012R2 and 2016 is available in this release.
 
+In particular Samba will issue Active Directory "Claims" in the PAC,
+for member servers that support these, and honour in-directory
+configuration for Authentication Policies and Authentication Silos.
+
+The primary limitation is that while Samba can read and write claims
+in the directory, and populate the PAC, Samba does not yet use them
+for access control decisions.
+
 While we continue to develop these features, existing domains can
 test the feature by selecting the functional level in provision or
 raising the DC functional level by setting
@@ -90,6 +98,56 @@ samba-tool domain schemaupgrade --schema=2019
 samba-tool domain functionalprep --function-level=2016
 samba-tool domain level raise --domain-level=2016 --forest-level=2016
 
+Improved KDC Auditing
+---------------------
+
+As part of the auditing required to allow successful deployment of
+Authentication Policies and Authentication Silos, our KDC now provides
+Samba-style JSON audit logging of all issued Kerberos tickets,
+including if they would fail a policy that is not yet enforced.
+Additionally most failures are audited, (after the initial
+pre-validation of the request).
+
+Kerberos Armoring (FAST) Support for Windows clients
+----------------------------------------------------
+
+In domains where the domain controller functional level is set, as
+above, to 2012, 2012_R2 or 2016, Windows clients will, if configured
+via GPO, use FAST to protect user passwords between (in particular) a
+workstation and the KDC on the AD DC.  This is a significant security
+improvement, as weak passwords in an AS-REQ are no longer available
+for offline attack.
+
+Claims compression in the AD PAC
+--------------------------------
+
+Samba as an AD DC will compress "AD claims" using the same compression
+algorithm as Microsoft Windows.
+
+Resource SID compression in the AD PAC
+--------------------------------------
+
+Samba as an AD DC will now correctly populate the various PAC group
+membership buffers, splitting global and local groups correctly.
+
+Additionally, Samba marshals Resource SIDs, being local groups in the
+member server's own domain, to only consume a header and 4 bytes per
+group in the PAC, not a full-length SID worth of space each.  This is
+known as "Resource SID compression".
+
+New samba-tool support for silos, claims, sites and subnets.
+------------------------------------------------------------
+
+samba-tool can now list, show, add and manipulate Authentication Silos
+(silos) and Active Directory Authentication Claims (claims).
+
+samba-tool can now list and show Active Directory sites and subnets.
+
+A new Object Relational Model (ORM) based architecture, similar to
+that used with Django, has been built to make adding new samba-tool
+subcommands simpler and more consistent, with JSON output available
+standard on these new commands.
+
 Updated GnuTLS requirement / in-tree cryptography removal
 ----------------------------------------------------------
 
@@ -108,7 +166,52 @@ The use of well known cryptography libraries makes Samba easier for
 end-users to validate and deploy, and for distributors to ship.  This
 is the end of a very long journey for Samba.
 
+Updated Heimdal import
+----------------------
 
+Samba's Heimdal branch (known as lorikeet-heimdal) has been updated to
+the current pre-8.0 (master) tree from upstream Heimdal, ensuring that
+this vendored copy, included in our release remains as close as
+possible to the current upstream code.
+
+Revocation support in Heimdal KDC for PKINIT certificates
+---------------------------------------------------------
+
+Samba will now correctly honour the revocation of 'smart card'
+certificates used for PKINIT Kerberos authentication.
+
+This list is reloaded each time the file changes, so no further action
+other than replacing the file is required.  The additional krb5.conf
+option is:
+
+ [kdc]
+	pkinit_revoke = FILE:/path/to/crl.pem
+
+Information on the "Smart Card login" feature as a whole is at:
+ https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login
+
+Protocol level testsuite for (Smart Card Logon) PKINIT
+------------------------------------------------------
+
+Previously Samba's PKINIT support in the KDC was tested by use of
+shell scripts around the client tools of MIT or Heimdal Kerberos.
+Samba's independently written python testsuite has been extended to
+validate KDC behaviour for PKINIT.
+
+Require encrypted connection to modify unicodePwd on the AD DC
+--------------------------------------------------------------
+
+Setting the password on an AD account on should never be attempted
+over a plaintext or signed-only LDAP connection.  If the unicodePwd
+(or userPassword) attribute is modified without encryption (as seen by
+Samba), the request will be rejected.  This is to encourage the
+administrator to use an encrypted connection in the future.
+
+NOTE WELL: If Samba is accessed via a TLS frontend or load balancer,
+the LDAP request will be regarded as plaintext.
+
+
+================
 REMOVED FEATURES
 ================
 
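Review bot: in the Revocation section the second paragraph opens with "This list is reloaded each time the file changes" before any list or file has been introduced; state first that the KDC reads a CRL from the file named by pkinit_revoke, then that it is reloaded on change. In the unicodePwd section, "on an AD account on should never" has a stray "on", and the NOTE WELL would be more useful if it spelled out the consequence: password modifications arriving through a TLS-terminating frontend or load balancer will be rejected, because Samba sees them as plaintext.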
diff --git a/lib/cmdline/cmdline.c b/lib/cmdline/cmdline.c
index 106be10aa0f..de34a798aaf 100644
--- a/lib/cmdline/cmdline.c
+++ b/lib/cmdline/cmdline.c
@@ -21,6 +21,7 @@
 #include "auth/gensec/gensec.h"
 #include "libcli/smb/smb_util.h"
 #include "cmdline_private.h"
+#include "lib/util/util_process.h"
 
 #include <samba/version.h>
 
@@ -296,6 +297,7 @@ poptContext samba_popt_get_context(const char * name,
 		return NULL;
 	}
 #endif
+	process_save_binary_name(name);
 	return poptGetContext(name, argc, argv, options, flags);
 }
 
diff --git a/lib/util/fault.c b/lib/util/fault.c
index 3b1d10dce89..10c3720144a 100644
--- a/lib/util/fault.c
+++ b/lib/util/fault.c
@@ -36,6 +36,7 @@
 #include "debug.h"
 #include "lib/util/signal.h" /* Avoid /usr/include/signal.h */
 #include "fault.h"
+#include "util_process.h"
 
 static struct {
 	bool disabled;
@@ -170,9 +171,16 @@ static void smb_panic_default(const char *why)
 
 _PUBLIC_ void smb_panic_log(const char *why)
 {
+	const char *binary_name = process_get_saved_binary_name();
+	const char *short_title = process_get_short_title();
+	const char *long_title = process_get_long_title();
+
 	DEBUGSEP(0);
-	DEBUG(0,("INTERNAL ERROR: %s in pid %lld (%s)\n",
+	DEBUG(0,("INTERNAL ERROR: %s in %s (%s) (%s) pid %lld (%s)\n",
 		 why,
+		 binary_name,
+		 short_title,
+		 long_title,
 		 (unsigned long long)getpid(),
 		 SAMBA_VERSION_STRING));
 	DEBUG(0,("If you are running a recent Samba version, and "
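Review bot: when no title has been set (the static buffers are zero-initialised, so the getters return empty strings) the new format prints "in <binary> () () pid", which is noisy and easy to misread; either print the short and long titles only when non-empty or label the fields so an empty one is self-explanatory.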
@@ -189,6 +197,9 @@ _PUBLIC_ void smb_panic_log(const char *why)
 
 /**
    Something really nasty happened - panic !
+
+   This function is in this file to allow sharing the last set process
+   title into the logs before the backtrace
 **/
 _PUBLIC_ void smb_panic(const char *why)
 {
diff --git a/lib/util/util_process.c b/lib/util/util_process.c
index 4b13c591309..eccbffda1c5 100644
--- a/lib/util/util_process.c
+++ b/lib/util/util_process.c
@@ -26,11 +26,19 @@
 #include <sys/prctl.h>
 #endif
 
+/*
+ * These variables are static so that we can print them in access them
+ * with process_get_short_title() and process_get_long_title().  The
+ * purpose of this is to allow smb_panic_log() to print them.
+ */
+static char short_comment[16] = {0,};
+static char long_comment[256] = {0,};
+static char binary_name[256];
+
 void process_set_title(const char *short_format, const char *long_format, ...)
 {
 #if defined(HAVE_PRCTL) && defined(PR_SET_NAME)
 	if (short_format != NULL) {
-		char short_comment[16] = {0,};
 		va_list ap;
 
 		va_start(ap, long_format);
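Review bot: the new comment reads "so that we can print them in access them with", which looks like an editing leftover; "so that we can access them with" is presumably what was meant. binary_name is also the only one of the three buffers declared without the "= {0,}" initialiser; static storage is zero-initialised anyway, but matching the other two makes the intent explicit. Note that short_comment and long_comment are now file-scope buffers shared by every caller of process_set_title(), so the function is no longer reentrant, which is fine for Samba's forked process model but worth a line in the comment.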
@@ -42,7 +50,6 @@ void process_set_title(const char *short_format, const char *long_format, ...)
 #endif
 
 	if (long_format != NULL) {
-		char long_comment[256] = {0,};
 		va_list ap;
 
 		va_start(ap, long_format);
@@ -53,6 +60,33 @@ void process_set_title(const char *short_format, const char *long_format, ...)
 	}
 }
 
+const char *process_get_short_title(void)
+{
+	return short_comment;
+}
+
+const char *process_get_long_title(void)
+{
+	return long_comment;
+}
+
+/*
+ * This is just for debugging in a panic, so we don't want to do
+ * anything more than return a fixed pointer, so we save a copy to a
+ * static variable.
+ */
+void process_save_binary_name(const char *progname)
+{
+	strlcpy(binary_name, progname, sizeof(binary_name));
+}
+
+/* Samba binaries will set this during popt handling */
+const char *process_get_saved_binary_name(void)
+{
+	return binary_name;
+}
+
+
 int prctl_set_comment(const char *comment_format, ...)
 {
 	char comment[16];
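Review bot: process_save_binary_name() passes progname straight to strlcpy() without a NULL check, so a caller with no name would crash at startup rather than at the panic this code is meant to help diagnose; return early (leaving the buffer empty) when progname is NULL. The two empty "+" lines before prctl_set_comment() leave a double blank line.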
diff --git a/lib/util/util_process.h b/lib/util/util_process.h
index ccb2a752232..4da135bc666 100644
--- a/lib/util/util_process.h
+++ b/lib/util/util_process.h
@@ -47,4 +47,38 @@ int prctl_set_comment(const char *comment_format, ...) PRINTF_ATTRIBUTE(1,2);
 void process_set_title(const char *short_format, const char *long_format, ...)
 	PRINTF_ATTRIBUTE(1,3) PRINTF_ATTRIBUTE(2,3);
 
+/**
+ * @brief Get the process comment name set from process_set_title()
+ *
+ * @return              process comment name
+ */
+const char *process_get_short_title(void);
+
+/**
+ * @brief Get the process longname set from process_set_title()
+ *
+ * @return              process longname
+ */
+const char *process_get_long_title(void);
+
+/*
+ * @brief Save the binary name for later printing in smb_panic()
+ *
+ * @param[in]  progname        The binary name at process startup
+ *
+ * This is just for debugging in a panic, so we don't want to do
+ * anything more than return a fixed pointer, so we save a copy to a
+ * static variable.
+ */
+void process_save_binary_name(const char *progname);
+
+/**
+ * @brief Get the binary name set at startup process_save_binary_name()
+ *
+ * @return              binary name set at startup
+ */
+/* Samba binaries will set this during popt handling */
+const char *process_get_saved_binary_name(void);
+
+
 #endif
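Review bot: the doc block for process_save_binary_name() opens with "/*" rather than "/**", so it will not be picked up as API documentation, and for process_get_saved_binary_name() the separate "/* Samba binaries will set this during popt handling */" comment sits between the "/**" block and the declaration, detaching the block from its prototype; fold that sentence into the @brief block. The same trailing double blank line appears before #endif.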
diff --git a/lib/util/wscript_build b/lib/util/wscript_build
index 8eac1013394..b4fcfeaba07 100644
--- a/lib/util/wscript_build
+++ b/lib/util/wscript_build
@@ -79,6 +79,7 @@ bld.SAMBA_SUBSYSTEM('smb-panic',
                     source='''
                     fault.c
                     signal.c
+                    util_process.c
                     ''',
                     deps='''
                     replace
@@ -97,7 +98,6 @@ bld.SAMBA_SUBSYSTEM('samba-util-core',
                     util.c
                     idtree.c
                     substitute.c
-                    util_process.c
                     util_strlist.c
                     strv_util.c
                     bitmap.c
diff --git a/librpc/idl/claims.idl b/librpc/idl/claims.idl
index d190988fb98..90ea15585c1 100644
--- a/librpc/idl/claims.idl
+++ b/librpc/idl/claims.idl
@@ -63,7 +63,7 @@ interface claims
 		[size_is(value_count), string, charset(UTF16)] wchar_t **values;
 	} CLAIM_STRING;
 
-	typedef [switch_type(CLAIM_TYPE),nodiscriminant,flag(NDR_ALIGN8)] union {
+	typedef [switch_type(CLAIM_TYPE),flag(NDR_ALIGN8)] union {
 		[case(CLAIM_TYPE_INT64)] CLAIM_INT64 claim_int64;
 		[case(CLAIM_TYPE_UINT64)] CLAIM_UINT64 claim_uint64;
 		[case(CLAIM_TYPE_STRING)] CLAIM_STRING claim_string;
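Review bot: dropping nodiscriminant changes the marshalled layout of this union (the discriminant is now emitted explicitly instead of being absorbed into the NDR_ALIGN8 padding and zeroed on push, as the commit message explains), so it deserves an ndr push/pull round-trip test against a claims blob captured from a Windows DC to pin the on-wire form and catch a regression in either direction.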
diff --git a/python/samba/safe_tarfile.py b/python/samba/safe_tarfile.py
index 7a2b0382a79..21366178475 100644
--- a/python/samba/safe_tarfile.py
+++ b/python/samba/safe_tarfile.py
@@ -31,7 +31,7 @@ class TarFile(UnsafeTarFile):
         # New in version 3.11.4 (also has been backported)
         # https://docs.python.org/3/library/tarfile.html#tarfile.TarFile.extraction_filter
         # https://peps.python.org/pep-0706/
-        extraction_filter = staticmethod(tarfile.data_filter)
+        extraction_filter = staticmethod(tarfile.tar_filter)
     except AttributeError:
         def extract(self, member, path="", set_attrs=True, *,
                     numeric_owner=False):
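Review bot: the switch from data_filter to tar_filter needs a comment on the line itself saying why (data_filter sets the mode of directories to None, which the commit message identifies as the cause of the wrong msg.[ls]ock permissions); otherwise the next reader will see the stricter filter recommended in the linked docs and change it back. It is worth stating in that comment too that tar_filter still refuses absolute paths and members whose resolved path would land outside the extraction directory, which is the protection this class exists to provide.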
diff --git a/source4/param/provision.c b/source4/param/provision.c
index e0b7c690e07..d6d120647e6 100644
--- a/source4/param/provision.c
+++ b/source4/param/provision.c
@@ -101,6 +101,18 @@ static PyObject *PyLdb_FromLdbContext(struct ldb_context *ldb_ctx)
 	return (PyObject *)ret;
 }
 
+static PyObject *call_wrapper(PyObject *callable, PyObject *kwargs)
+{
+	/*
+	 * Helper for calls with zero non-keyword arguments.
+	 */
+	PyObject *empty = PyTuple_New(0), *result = NULL;
+	SMB_ASSERT(empty);
+	result = PyObject_Call(callable, empty, kwargs);
+	Py_XDECREF(empty);
+	return result;
+}
+
 NTSTATUS provision_bare(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx,
 			struct provision_settings *settings, 
 			struct provision_result *result)
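Review bot: SMB_ASSERT(empty) turns an allocation failure in PyTuple_New() into an abort of the whole process, whereas all three callers already handle py_result == NULL by cleaning up and returning an error; returning NULL here (Python has already set MemoryError at that point) would let that existing path run. If the assert is kept, Py_XDECREF can be Py_DECREF since empty is known to be non-NULL.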
@@ -265,7 +277,7 @@ NTSTATUS provision_bare(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx,
 		goto out;
 	}
 
-	py_result = PyEval_CallObjectWithKeywords(provision_fn, NULL, parameters);
+	py_result = call_wrapper(provision_fn, parameters);
 
 	if (py_result == NULL) {
 		status = NT_STATUS_UNSUCCESSFUL;
@@ -453,7 +465,7 @@ NTSTATUS provision_store_self_join(TALLOC_CTX *mem_ctx, struct loadparm_context
 		goto out;
 	}
 
-	py_result = PyEval_CallObjectWithKeywords(provision_fn, NULL, parameters);
+	py_result = call_wrapper(provision_fn, parameters);
 
 	if (py_result == NULL) {
 		ldb_transaction_cancel(ldb);
@@ -538,7 +550,7 @@ struct ldb_context *provision_get_schema(TALLOC_CTX *mem_ctx,
 		}
 	}
 
-	py_result = PyEval_CallObjectWithKeywords(schema_fn, NULL, parameters);
+	py_result = call_wrapper(schema_fn, parameters);
 
 	Py_DECREF(parameters);
 


-- 
Samba Shared Repository
