[SCM] Samba Shared Repository - branch master updated
Andrew Bartlett
abartlet at samba.org
Wed Jun 14 23:56:01 UTC 2023
The branch, master has been updated
via 9b0a71bd308 tests/auth_log: Refactor waitForMessages() to use nextMessage()
via 67da91ef166 tests/auth_log: Add method to fetch the next relevant message from the messaging bus
via 7c6dbe31950 tests/krb5: Test authentication with policy restrictions and a wrong password
via a9534e7be08 tests/krb5: Test S4U2Self followed by constrained delegation with authentication policies
via 94e7a550db4 tests/krb5: Remove unneeded ‘dn’ parameter
via 21d1f1ca996 s4:kdc: Fix typo
via fb260e1f467 tests/krb5: Make use of KerberosCredentials.get_sid()
via 490c451a797 tests/krb5: Keep track of account SIDs
via 0ec229e7b93 tests/krb5: Fix overlong lines
via 117bba98a11 tests/krb5: Add a couple of authentication policy tests
via f1c24f4bc98 tests/krb5: Test authentication logging of TGT lifetimes
via 9d8ee6a4222 tests/krb5: Cache created authentication policies
via 01643b35273 tests/krb5: Keep track of the type of each created account
via 359e820404e librpc/idl: Add authentication policy event IDs
via b859b3b67d2 s4:kdc: Consolidate assignments to r->error_code and final_ret
via 868e1146600 s4:kdc: Don’t log authentication failures as successes
via d1fcecd1214 tests/auth_log: Properly expect authentication failures
via 11671a743fe tests/auth_log: Make samba.tests.auth_log test executable
via efb85e3d6dd s4/scripting/bin: Add NT_STATUS_OK to list of definitions
via 7c66cd4dfde selftest: Remove duplicate knownfails
via 60f76b9ec82 selftest: Fix typo
via f8f0ee53548 param: Remove reference to unrecognized parameter ‘directory name cache size’
via 234be6b0dd8 samba-tool ou: Remove unused variables
via d93e340b80e samba-tool ou: Remove unused import
via 0743e11d465 samba-tool: Fix typo
via 2eda24663f8 pyldb: Check for allocation failure in py_ldb_dn_get_parent()
via 5905a63307f pyldb: Raise an exception if ldb_dn_get_parent() fails
via 49592b80f75 selftest: Assert trust realm is not None
via 97a5ee4bbb7 tests/auth_log: Factor out isRemote()
via 1f74f9f366d python:safe_tarfile: Improve safe extract()
via 431f7698e48 python:safe_tarfile: Implement safer extractall()
via 8c90c66a9a4 python:safe_tarfile: Set extraction_filter for pythons providing it
via ebaa0081625 python:tests: Adopt safe_tarfile for extraction_filter raises
via 4952cb88e4c s4-server: Call dsdb_check_and_update_fl() during startup transaction.
via c28e719bb0e selftest: Add unit tests of the DC startup FL check/update code
via ae7f2b417b7 python/tests: Make helpful, stateless methods @classmethod and @staticmethod
via b8a613b4b15 dsdb: Add routine to check the DB vs lp functional levels
via 4919e8d8088 dsdb: Indicate in rootdse.c why samdb_ntds_settings_dn() is not used
via 8e895fc5d62 selftest: Split up tests in dsdb.py to avoid creating a user when not required
via f83baa2723f selftest: Specify that DCs prepared with prepare_dc_testenv() to be 2016 capable
from 585e4cdd6c9 docs-xml: remove completely outdated Samba-Developers-Guide
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 9b0a71bd3085b7c67a72bf498870c69cf6b3baa5
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Jun 14 16:29:27 2023 +1200
tests/auth_log: Refactor waitForMessages() to use nextMessage()
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Wed Jun 14 23:55:42 UTC 2023 on atb-devel-224
commit 67da91ef1665a15d93233c5a74a63926f5a2ef7e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Jun 14 16:30:30 2023 +1200
tests/auth_log: Add method to fetch the next relevant message from the messaging bus
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 7c6dbe31950894c8092a100aeece238ae6f0c8ab
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jun 13 17:23:41 2023 +1200
tests/krb5: Test authentication with policy restrictions and a wrong password
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit a9534e7be08a3a72593f34e10ed46d8062ddaf79
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu May 18 12:00:29 2023 +1200
tests/krb5: Test S4U2Self followed by constrained delegation with authentication policies
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 94e7a550db47735581f58f6602c8d04b92b6489f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Jun 14 11:26:25 2023 +1200
tests/krb5: Remove unneeded ‘dn’ parameter
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 21d1f1ca996c0d31992a6f5cca0c63068ae6e7f5
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Jun 14 15:51:09 2023 +1200
s4:kdc: Fix typo
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit fb260e1f467fc8a53b5feea766a0b9dafd5f981b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Jun 14 10:51:54 2023 +1200
tests/krb5: Make use of KerberosCredentials.get_sid()
KerberosCredentials objects now keep track of their account’s SID, which
removes the need to look it up with KDCBaseTest.get_objectSid().
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 490c451a79711d4cd5f03e933786cf56f9d31db4
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Jun 14 11:21:43 2023 +1200
tests/krb5: Keep track of account SIDs
This prevents having to look them up in the database when tests need
them.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 0ec229e7b939df13b81916b4f3e29d3d83665e46
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Jun 14 10:59:41 2023 +1200
tests/krb5: Fix overlong lines
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 117bba98a119d57f7591e2fa0c776333288da063
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Jun 14 10:58:12 2023 +1200
tests/krb5: Add a couple of authentication policy tests
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit f1c24f4bc98213999c282fb318977a53e19c81fc
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Jun 14 11:02:28 2023 +1200
tests/krb5: Test authentication logging of TGT lifetimes
It is useful to test a combination of device restrictions and TGT
lifetime restrictions so that we can check what TGT lifetime values end
up in the logs.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 9d8ee6a422277da8145ca30cd76c9e74263f0b14
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Jun 14 11:12:15 2023 +1200
tests/krb5: Cache created authentication policies
View with ‘git show -b’.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 01643b35273ba77b927fa3f337acecde71bd5e62
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Jun 14 11:13:00 2023 +1200
tests/krb5: Keep track of the type of each created account
This allows us to determine which parts of an authentication policy
apply to a particular account, which will be necessary to test audit
logging.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 359e820404ed43530aea1d94531ed0ff1d51c45b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Jun 14 11:28:40 2023 +1200
librpc/idl: Add authentication policy event IDs
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit b859b3b67d29c04158ddda541b4e4f7fac7188de
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Jun 14 11:37:03 2023 +1200
s4:kdc: Consolidate assignments to r->error_code and final_ret
This makes it clearer that we are assigning a value to both together.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 868e114660026a5dd972a583f7610e4f20c54247
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Jun 14 11:58:13 2023 +1200
s4:kdc: Don’t log authentication failures as successes
If a client was authorized, we would ignore the Kerberos error code and
just log the return value of authsam_logon_success_accounting().
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit d1fcecd1214eba0dc8bcaca72cc889d209b7f716
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Jun 14 15:28:39 2023 +1200
tests/auth_log: Properly expect authentication failures
These authentications are actually failing (due to RESPONSE_TOO_BIG
errors), but our authentication logging infrastructure hides this.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 11671a743fe914a0abbee2326cbd8df359d50beb
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Jun 14 13:47:20 2023 +1200
tests/auth_log: Make samba.tests.auth_log test executable
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit efb85e3d6dd976deb89a46089a5556b846c478d9
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri May 26 15:14:22 2023 +1200
s4/scripting/bin: Add NT_STATUS_OK to list of definitions
Add NT_STATUS_OK to our pre-generated list of status codes. Ensure it
goes first in the list to ensure that code that previously found this
error code in ‘special_errs’ maintains the same behaviour by falling
back to ‘nt_errs’.
This makes NT_STATUS_OK available to Python code using the ‘ntstatus’
module.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 7c66cd4dfde03bf4a246b32aa347a4020d24b00d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Jun 14 13:40:50 2023 +1200
selftest: Remove duplicate knownfails
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 60f76b9ec82af634601fa1e9a608f0cf077e49c3
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Jun 8 16:17:30 2023 +1200
selftest: Fix typo
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit f8f0ee5354895a45160dd699fd1e125355ac8b58
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Jun 14 15:06:08 2023 +1200
param: Remove reference to unrecognized parameter ‘directory name cache size’
This parameter was removed in commit
c37d6be2db8ee30d632275e7b1c156a8b5d791a7.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 234be6b0dd8eb3f028cf1d5a1a2be6ee6e7062f6
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Jun 8 13:46:05 2023 +1200
samba-tool ou: Remove unused variables
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit d93e340b80e6a4db3f3f7167b2a4df049e49068d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Jun 8 13:45:17 2023 +1200
samba-tool ou: Remove unused import
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 0743e11d4658b3efe6687b20d6d424de70368999
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Jun 8 13:44:59 2023 +1200
samba-tool: Fix typo
Found by Rob van der Linde <rob at catalyst.net.nz>.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 2eda24663f8b9d6d03bffe96785518d16d06ae6e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Jun 15 10:07:56 2023 +1200
pyldb: Check for allocation failure in py_ldb_dn_get_parent()
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 5905a63307fd48d8c316178b92b9027165901048
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jun 6 13:56:32 2023 +1200
pyldb: Raise an exception if ldb_dn_get_parent() fails
Such a failure could be caused by situations other than memory errors,
but a simple indication of failure is all that ldb_dn_get_parent() gives
us to work with.
We keep the old behaviour of returning None if the DN has no components,
which an existing test (ldb.python.api.DnTests.test_parent_nonexistent)
expects.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 49592b80f751e3ff19b5b86ae0a7841fabfb8cf1
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri May 26 10:10:02 2023 +1200
selftest: Assert trust realm is not None
This is consistent with the other tests in this file.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 97a5ee4bbb7971ee98c0a8cf314cd39f655f2182
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed May 24 10:31:53 2023 +1200
tests/auth_log: Factor out isRemote()
This makes waitForMessages() easier to read.
View with ‘git show -b’.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 1f74f9f366d7f107a89220a4a5951bc4daf18025
Author: Andreas Schneider <asn at samba.org>
Date: Tue Jun 6 15:38:12 2023 +0200
python:safe_tarfile: Improve safe extract()
This also checks for symlinks and hardlinks.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15390
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 431f7698e48387413aac586c7a939a1682464681
Author: Andreas Schneider <asn at samba.org>
Date: Tue Jun 6 15:30:20 2023 +0200
python:safe_tarfile: Implement safer extractall()
This also checks for symlinks and hardlinks.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15390
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 8c90c66a9a409d807dad56822540509c9813425b
Author: Andreas Schneider <asn at samba.org>
Date: Tue Jun 6 15:29:06 2023 +0200
python:safe_tarfile: Set extraction_filter for pythons providing it
It should be available for Python >= 3.11.4 but also has been
backported.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15390
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit ebaa00816259cbae5c45ebf0ba5fb260b09e4695
Author: Andreas Schneider <asn at samba.org>
Date: Tue Jun 6 16:06:57 2023 +0200
python:tests: Adopt safe_tarfile for extraction_filter raises
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15390
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 4952cb88e4c4c52a30d1eea3a15fad5f6d45c314
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed May 31 14:38:02 2023 +1200
s4-server: Call dsdb_check_and_update_fl() during startup transaction.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit c28e719bb0e122fa330ae3b15d954e3438a428bb
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Jun 9 09:17:39 2023 +1200
selftest: Add unit tests of the DC startup FL check/update code
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit ae7f2b417b74f12d6d5e09669b4a56b19a453015
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Jun 15 10:49:32 2023 +1200
python/tests: Make helpful, stateless methods @classmethod and @staticmethod
This allows them to be used in setUpClass in tests.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit b8a613b4b151b4142595f285e81109257738954f
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed May 31 14:33:08 2023 +1200
dsdb: Add routine to check the DB vs lp functional levels
This will be called at server startup (as well as from Python tests)
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 4919e8d8088d80a8a708df5033b22a07eab6f03b
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed May 31 14:29:57 2023 +1200
dsdb: Indicate in rootdse.c why samdb_ntds_settings_dn() is not used
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 8e895fc5d62278706b61bf1f6cd207947d778ba4
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Jun 1 16:04:57 2023 +1200
selftest: Split up tests in dsdb.py to avoid creating a user when not required
Creating a user is CPU intensive, particularly when a password is set
so avoid doing so if not required.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit f83baa2723fed4284f39ff5590523fb4b283ad10
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Jun 13 13:33:10 2023 +1200
selftest: Specify that DCs prepared with prepare_dc_testenv() to be 2016 capable
This allows the backup/restore process to pass once the DC startup
code confirms what DC level the domain functional level in the DB
is expecting.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
-----------------------------------------------------------------------
Summary of changes:
docs-xml/manpages/samba-tool.8.xml | 2 +-
lib/ldb/pyldb.c | 15 +-
lib/param/loadparm.c | 2 -
libcli/util/nterr.c | 1 -
libcli/util/ntstatus.h | 2 -
librpc/idl/windows_event_ids.idl | 10 +
python/samba/netcmd/ou.py | 6 +-
python/samba/safe_tarfile.py | 73 ++-
python/samba/tests/__init__.py | 8 +-
python/samba/tests/auth_log.py | 31 +-
python/samba/tests/auth_log_base.py | 91 ++-
python/samba/tests/dsdb.py | 77 ++-
python/samba/tests/getdcname.py | 3 +-
python/samba/tests/krb5/alias_tests.py | 2 +-
python/samba/tests/krb5/authn_policy_tests.py | 620 +++++++++++++--------
python/samba/tests/krb5/claims_tests.py | 10 +-
python/samba/tests/krb5/device_tests.py | 4 +-
python/samba/tests/krb5/group_tests.py | 8 +-
python/samba/tests/krb5/kdc_base_test.py | 66 ++-
python/samba/tests/krb5/kdc_tgs_tests.py | 32 +-
python/samba/tests/krb5/kpasswd_tests.py | 18 +-
.../krb5/ms_kile_client_principal_lookup_tests.py | 21 +-
python/samba/tests/krb5/raw_testcase.py | 14 +
python/samba/tests/krb5/s4u_tests.py | 10 +-
python/samba/tests/safe_tarfile.py | 27 +-
python/samba/tests/samba_startup_fl_change.py | 181 ++++++
selftest/knownfail_heimdal_kdc | 4 +
selftest/knownfail_mit_kdc | 7 +-
selftest/knownfail_mit_kdc_1_20 | 5 +
selftest/target/Samba4.pm | 7 +-
source4/dsdb/common/util.c | 117 ++++
source4/dsdb/pydsdb.c | 38 ++
source4/dsdb/samdb/ldb_modules/rootdse.c | 10 +-
source4/kdc/hdb-samba4.c | 24 +-
source4/samba/server.c | 16 +-
source4/scripting/bin/gen_ntstatus.py | 11 +-
source4/selftest/tests.py | 1 +
37 files changed, 1159 insertions(+), 415 deletions(-)
mode change 100644 => 100755 python/samba/tests/auth_log.py
create mode 100644 python/samba/tests/samba_startup_fl_change.py
Changeset truncated at 500 lines:
diff --git a/docs-xml/manpages/samba-tool.8.xml b/docs-xml/manpages/samba-tool.8.xml
index 0834f606659..910d9093771 100644
--- a/docs-xml/manpages/samba-tool.8.xml
+++ b/docs-xml/manpages/samba-tool.8.xml
@@ -1546,7 +1546,7 @@
<varlistentry>
<term>--force-subtree-delete</term>
<listitem><para>
- Delete organizational unit and all children reclusively.
+ Delete organizational unit and all children recursively.
</para></listitem>
</varlistentry>
</variablelist>
diff --git a/lib/ldb/pyldb.c b/lib/ldb/pyldb.c
index 544d5672983..8981e5ea45c 100644
--- a/lib/ldb/pyldb.c
+++ b/lib/ldb/pyldb.c
@@ -608,12 +608,23 @@ static PyObject *py_ldb_dn_get_parent(PyLdbDnObject *self,
struct ldb_dn *dn = pyldb_Dn_AS_DN((PyObject *)self);
struct ldb_dn *parent;
PyLdbDnObject *py_ret;
- TALLOC_CTX *mem_ctx = talloc_new(NULL);
+ TALLOC_CTX *mem_ctx = NULL;
+
+ if (ldb_dn_get_comp_num(dn) < 1) {
+ Py_RETURN_NONE;
+ }
+
+ mem_ctx = talloc_new(NULL);
+ if (mem_ctx == NULL) {
+ PyErr_NoMemory();
+ return NULL;
+ }
parent = ldb_dn_get_parent(mem_ctx, dn);
if (parent == NULL) {
+ PyErr_NoMemory();
talloc_free(mem_ctx);
- Py_RETURN_NONE;
+ return NULL;
}
py_ret = (PyLdbDnObject *)PyLdbDn.tp_alloc(&PyLdbDn, 0);
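Review bot: In the `parent == NULL` branch, `PyErr_NoMemory()` reports every failure of ldb_dn_get_parent() as a MemoryError, and the only non-allocation case filtered out beforehand is the new `ldb_dn_get_comp_num(dn) < 1` early return. Since the commit message itself says other causes are possible, a short comment at that branch explaining why MemoryError is the chosen approximation (or a more generic exception type) would keep callers from treating a malformed DN as an out-of-memory condition.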
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 65e3fa06da4..447087911b5 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -3048,8 +3048,6 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
lpcfg_do_global_parameter(lp_ctx, "lock spin time", "200");
- lpcfg_do_global_parameter(lp_ctx, "directory name cache size", "100");
-
lpcfg_do_global_parameter(lp_ctx, "nmbd bind explicit broadcast", "yes");
lpcfg_do_global_parameter(lp_ctx, "init logon delay", "100");
diff --git a/libcli/util/nterr.c b/libcli/util/nterr.c
index 3bca6da1b55..0a57a8fd28e 100644
--- a/libcli/util/nterr.c
+++ b/libcli/util/nterr.c
@@ -45,7 +45,6 @@ typedef struct
* same table as the other ones. */
static const nt_err_code_struct special_errs[] =
{
- { "NT_STATUS_OK", NT_STATUS_OK },
{ "STATUS_NO_MORE_FILES", STATUS_NO_MORE_FILES },
{ "STATUS_INVALID_EA_NAME", STATUS_INVALID_EA_NAME },
{ "STATUS_BUFFER_OVERFLOW", STATUS_BUFFER_OVERFLOW },
diff --git a/libcli/util/ntstatus.h b/libcli/util/ntstatus.h
index 2aaee5dcc4d..9a1d1fd855a 100644
--- a/libcli/util/ntstatus.h
+++ b/libcli/util/ntstatus.h
@@ -51,8 +51,6 @@ typedef uint32_t NTSTATUS;
#define NT_STATUS_SMB_NO_PREAUTH_INTEGRITY_HASH_OVERLAP NT_STATUS(0xC05D0000)
/* Other error codes that aren't in the list we use */
-#define NT_STATUS_OK NT_STATUS_SUCCESS
-
#define STATUS_MORE_ENTRIES NT_STATUS_MORE_ENTRIES
#define STATUS_BUFFER_OVERFLOW NT_STATUS_BUFFER_OVERFLOW
#define STATUS_NO_MORE_FILES NT_STATUS_NO_MORE_FILES
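Review bot: Removing `#define NT_STATUS_OK NT_STATUS_SUCCESS` from the block under "Other error codes that aren't in the list we use" means every C user of NT_STATUS_OK now depends on the pre-generated list supplying it. A one-line comment here saying that NT_STATUS_OK moved to the generated definitions would tell a reader searching this header where it went and why it must not be re-added by hand.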
diff --git a/librpc/idl/windows_event_ids.idl b/librpc/idl/windows_event_ids.idl
index 240ad9e56ff..f482800d897 100644
--- a/librpc/idl/windows_event_ids.idl
+++ b/librpc/idl/windows_event_ids.idl
@@ -28,6 +28,16 @@ interface windows_events
EVT_ID_USER_REMOVED_FROM_UNIVERSAL_GROUP = 4762
} event_id_type;
+ /* See https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/authentication-policies-and-authentication-policy-silos#BKMK_ErrorandEvents */
+ typedef [v1_enum,public] enum {
+ AUTH_EVT_ID_NONE = 0,
+ AUTH_EVT_ID_NTLM_DEVICE_RESTRICTION = 101,
+ AUTH_EVT_ID_KERBEROS_DEVICE_RESTRICTION = 105,
+ AUTH_EVT_ID_KERBEROS_DEVICE_RESTRICTION_AUDIT = 305,
+ AUTH_EVT_ID_KERBEROS_SERVER_RESTRICTION = 106,
+ AUTH_EVT_ID_KERBEROS_SERVER_RESTRICTION_AUDIT = 306
+ } auth_event_id_type;
+
typedef [v1_enum,public] enum {
EVT_LOGON_INTERACTIVE = 2,
EVT_LOGON_NETWORK = 3,
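Review bot: The new `auth_event_id_type` enumerators have no per-value description, and `AUTH_EVT_ID_NTLM_DEVICE_RESTRICTION = 101` has no `_AUDIT` counterpart while both Kerberos restrictions do. A short comment per value (what is restricted, enforced versus audit-only) and a remark on whether the NTLM asymmetry is intentional would save readers a trip to the linked Microsoft page. Listing the values in numeric order (101, 105, 106, 305, 306) would also make gaps easier to spot.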
diff --git a/python/samba/netcmd/ou.py b/python/samba/netcmd/ou.py
index d83920d9862..ce068716a01 100644
--- a/python/samba/netcmd/ou.py
+++ b/python/samba/netcmd/ou.py
@@ -27,7 +27,6 @@ from samba.netcmd import (
SuperCommand,
)
from samba.samdb import SamDB
-from samba import dsdb
from operator import attrgetter
@@ -67,7 +66,6 @@ class cmd_rename(Command):
creds = credopts.get_credentials(lp, fallback_machine=True)
samdb = SamDB(url=H, session_info=system_session(),
credentials=creds, lp=lp)
- domain_dn = ldb.Dn(samdb, samdb.domain_dn())
try:
full_old_ou_dn = samdb.normalize_dn_in_domain(old_ou_dn)
@@ -133,7 +131,6 @@ class cmd_move(Command):
samdb = SamDB(url=H, session_info=system_session(),
credentials=creds, lp=lp)
- domain_dn = ldb.Dn(samdb, samdb.domain_dn())
try:
full_old_ou_dn = samdb.normalize_dn_in_domain(old_ou_dn)
except Exception as e:
@@ -361,7 +358,7 @@ class cmd_delete(Command):
type=str, metavar="URL", dest="H"),
Option("--force-subtree-delete", dest="force_subtree_delete",
default=False, action='store_true',
- help="Delete organizational unit and all children reclusively"),
+ help="Delete organizational unit and all children recursively"),
]
takes_args = ["ou_dn"]
@@ -377,7 +374,6 @@ class cmd_delete(Command):
creds = credopts.get_credentials(lp, fallback_machine=True)
samdb = SamDB(url=H, session_info=system_session(),
credentials=creds, lp=lp)
- domain_dn = ldb.Dn(samdb, samdb.domain_dn())
try:
full_ou_dn = samdb.normalize_dn_in_domain(ou_dn)
diff --git a/python/samba/safe_tarfile.py b/python/samba/safe_tarfile.py
index cc19770d73f..7a2b0382a79 100644
--- a/python/samba/safe_tarfile.py
+++ b/python/samba/safe_tarfile.py
@@ -15,6 +15,9 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
+import os
+import tarfile
+from pathlib import Path
from tarfile import ExtractError, TarInfo, TarFile as UnsafeTarFile
@@ -24,20 +27,68 @@ class TarFile(UnsafeTarFile):
using '../../'.
"""
- def extract(self, member, path="", set_attrs=True, *, numeric_owner=False):
- if isinstance(member, TarInfo):
- name = member.name
- else:
- name = member
+ try:
+ # New in version 3.11.4 (also has been backported)
+ # https://docs.python.org/3/library/tarfile.html#tarfile.TarFile.extraction_filter
+ # https://peps.python.org/pep-0706/
+ extraction_filter = staticmethod(tarfile.data_filter)
+ except AttributeError:
+ def extract(self, member, path="", set_attrs=True, *,
+ numeric_owner=False):
+ self._safetarfile_check()
+ super().extract(member, path, set_attrs=set_attrs,
+ numeric_owner=numeric_owner)
- if '../' in name:
- raise ExtractError(f"'../' is not allowed in path '{name}'")
+ def extractall(self, path, members=None, *, numeric_owner=False):
+ self._safetarfile_check()
+ super().extractall(path, members,
+ numeric_owner=numeric_owner)
- if name.startswith('/'):
- raise ExtractError(f"path '{name}' should not start with '/'")
+ def _safetarfile_check(self):
+ for tarinfo in self.__iter__():
+ if self._is_traversal_attempt(tarinfo=tarinfo):
+ raise ExtractError(
+ "Attempted directory traversal for "
+ f"member: {tarinfo.name}")
+ if self._is_unsafe_symlink(tarinfo=tarinfo):
+ raise ExtractError(
+ "Attempted directory traversal via symlink for "
+ f"member: {tarinfo.linkname}")
+ if self._is_unsafe_link(tarinfo=tarinfo):
+ raise ExtractError(
+ "Attempted directory traversal via link for "
+ f"member: {tarinfo.linkname}")
- super().extract(member, path, set_attrs=set_attrs,
- numeric_owner=numeric_owner)
+ def _resolve_path(self, path):
+ return os.path.realpath(os.path.abspath(path))
+
+ def _is_path_in_dir(self, path, basedir):
+ return self._resolve_path(os.path.join(basedir,
+ path)).startswith(basedir)
+
+ def _is_traversal_attempt(self, tarinfo):
+ if (tarinfo.name.startswith(os.sep)
+ or ".." + os.sep in tarinfo.name):
+ return True
+ return False
+
+ def _is_unsafe_symlink(self, tarinfo):
+ if tarinfo.issym():
+ symlink_file = Path(
+ os.path.normpath(os.path.join(os.getcwd(),
+ tarinfo.linkname)))
+ if not self._is_path_in_dir(symlink_file, os.getcwd()):
+ return True
+ return False
+
+ def _is_unsafe_link(self, tarinfo):
+ if tarinfo.islnk():
+ link_file = Path(
+ os.path.normpath(os.path.join(os.getcwd(),
+ tarinfo.linkname)))
+ if not self._is_path_in_dir(link_file, os.getcwd()):
+ return True
+ return False
open = TarFile.open
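Review bot: `_is_path_in_dir()` decides containment with `.startswith(basedir)`, a plain string prefix test, so a resolved path in a sibling directory whose name merely begins with the base directory's name also passes. Comparing with `os.path.commonpath([resolved, basedir]) == basedir`, or appending `os.sep` to `basedir` before the prefix test, closes that. `basedir` is also compared unresolved while the candidate goes through `os.path.realpath()`, and both link checks use `os.getcwd()` as the base instead of the `path` argument passed to `extract()`/`extractall()` and the link member's own directory, so the verdict depends on the caller's working directory and not on where the link would actually be created. `_safetarfile_check()` also walks every member on each `extract()` call; caching the result per archive would avoid the repeated scan when a caller extracts members one by one.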
diff --git a/python/samba/tests/__init__.py b/python/samba/tests/__init__.py
index 101f5922a22..f117d0b1341 100644
--- a/python/samba/tests/__init__.py
+++ b/python/samba/tests/__init__.py
@@ -393,7 +393,8 @@ class BlackboxProcessError(Exception):
class BlackboxTestCase(TestCaseInTempDir):
"""Base test case for blackbox tests."""
- def _make_cmdline(self, line):
+ @staticmethod
+ def _make_cmdline(line):
"""Expand the called script into a fully resolved path in the bin
directory."""
if isinstance(line, list):
@@ -458,8 +459,9 @@ class BlackboxTestCase(TestCaseInTempDir):
# where ret is the return code
# stdout is a string containing the commands stdout
# stderr is a string containing the commands stderr
- def run_command(self, line):
- line = self._make_cmdline(line)
+ @classmethod
+ def run_command(cls, line):
+ line = cls._make_cmdline(line)
use_shell = not isinstance(line, list)
p = subprocess.Popen(line,
stdout=subprocess.PIPE,
diff --git a/python/samba/tests/auth_log.py b/python/samba/tests/auth_log.py
old mode 100644
new mode 100755
index 8f9f487f82a..98ab4603f98
--- a/python/samba/tests/auth_log.py
+++ b/python/samba/tests/auth_log.py
@@ -1,3 +1,4 @@
+#!/usr/bin/env python3
# Unix SMB/CIFS implementation.
# Copyright (C) Andrew Bartlett <abartlet at samba.org> 2017
#
@@ -17,6 +18,11 @@
"""Tests for the Auth and AuthZ logging.
"""
+
+import sys
+
+sys.path.insert(0, 'bin/python')
+
import samba.tests
from samba.dcerpc import srvsvc, dnsserver
import os
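Review bot: `sys.path.insert(0, 'bin/python')` is a relative path, so running the now-executable file works only when the current directory is the top of the build tree. From anywhere else the following `import samba.tests` either fails or picks up whatever samba package is otherwise on the path. A comment stating the expected working directory, or deriving the path from `__file__`, would make that requirement explicit.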
@@ -170,13 +176,14 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
# returning message too big,
msg = messages[0]
self.assertEqual("Authentication", msg["type"])
- self.assertEqual("NT_STATUS_OK", msg["Authentication"]["status"])
+ self.assertEqual("NT_STATUS_PROTOCOL_UNREACHABLE", # RESPONSE_TOO_BIG
+ msg["Authentication"]["status"])
self.assertEqual("Kerberos KDC",
msg["Authentication"]["serviceDescription"])
self.assertEqual(authTypes[1],
msg["Authentication"]["authDescription"])
self.assertEqual(
- EVT_ID_SUCCESSFUL_LOGON, msg["Authentication"]["eventId"])
+ EVT_ID_UNSUCCESSFUL_LOGON, msg["Authentication"]["eventId"])
self.assertEqual(
EVT_LOGON_NETWORK, msg["Authentication"]["logonType"])
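Review bot: The expected status `"NT_STATUS_PROTOCOL_UNREACHABLE"` with its trailing `# RESPONSE_TOO_BIG` comment is the only hint that this NT status stands in for the Kerberos RESPONSE_TOO_BIG error, and the same literal-plus-comment pair recurs in the three later hunks of this file. A named module-level constant with a one-line explanation of the mapping would keep the four assertions in step and tell someone reading a failing test that an `EVT_ID_UNSUCCESSFUL_LOGON` record is the intended outcome here.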
@@ -366,13 +373,14 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
# Check the second message it should be an Authentication
msg = messages[1]
self.assertEqual("Authentication", msg["type"])
- self.assertEqual("NT_STATUS_OK", msg["Authentication"]["status"])
+ self.assertEqual("NT_STATUS_PROTOCOL_UNREACHABLE", # RESPONSE_TOO_BIG
+ msg["Authentication"]["status"])
self.assertEqual("Kerberos KDC",
msg["Authentication"]["serviceDescription"])
self.assertEqual(authTypes[2],
msg["Authentication"]["authDescription"])
self.assertEqual(
- EVT_ID_SUCCESSFUL_LOGON, msg["Authentication"]["eventId"])
+ EVT_ID_UNSUCCESSFUL_LOGON, msg["Authentication"]["eventId"])
self.assertEqual(
EVT_LOGON_NETWORK, msg["Authentication"]["logonType"])
@@ -485,14 +493,15 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
# Check the first message it should be an Authentication
msg = messages[0]
self.assertEqual("Authentication", msg["type"])
- self.assertEqual("NT_STATUS_OK", msg["Authentication"]["status"])
+ self.assertEqual("NT_STATUS_PROTOCOL_UNREACHABLE", # RESPONSE_TOO_BIG
+ msg["Authentication"]["status"])
self.assertEqual("Kerberos KDC",
msg["Authentication"]["serviceDescription"])
self.assertEqual("ENC-TS Pre-authentication",
msg["Authentication"]["authDescription"])
self.assertTrue(msg["Authentication"]["duration"] > 0)
self.assertEqual(
- EVT_ID_SUCCESSFUL_LOGON, msg["Authentication"]["eventId"])
+ EVT_ID_UNSUCCESSFUL_LOGON, msg["Authentication"]["eventId"])
self.assertEqual(
EVT_LOGON_NETWORK, msg["Authentication"]["logonType"])
@@ -729,12 +738,13 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
# Check the first message it should be an Authentication
msg = messages[0]
self.assertEqual("Authentication", msg["type"])
- self.assertEqual("NT_STATUS_OK", msg["Authentication"]["status"])
+ self.assertEqual("NT_STATUS_PROTOCOL_UNREACHABLE", # RESPONSE_TOO_BIG
+ msg["Authentication"]["status"])
self.assertEqual("Kerberos KDC",
msg["Authentication"]["serviceDescription"])
self.assertEqual("ENC-TS Pre-authentication",
msg["Authentication"]["authDescription"])
- self.assertEqual(EVT_ID_SUCCESSFUL_LOGON,
+ self.assertEqual(EVT_ID_UNSUCCESSFUL_LOGON,
msg["Authentication"]["eventId"])
self.assertEqual(EVT_LOGON_NETWORK,
msg["Authentication"]["logonType"])
@@ -1475,3 +1485,8 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
self.assertEqual("schannel", msg["Authorization"]["authType"])
self.assertEqual("SEAL", msg["Authorization"]["transportProtection"])
self.assertTrue(self.is_guid(msg["Authorization"]["sessionId"]))
+
+
+if __name__ == '__main__':
+ import unittest
+ unittest.main()
diff --git a/python/samba/tests/auth_log_base.py b/python/samba/tests/auth_log_base.py
index 586719980cb..a9b2b3fa06b 100644
--- a/python/samba/tests/auth_log_base.py
+++ b/python/samba/tests/auth_log_base.py
@@ -28,6 +28,10 @@ import os
import re
+class NoMessageException(Exception):
+ pass
+
+
class AuthLogTestBase(samba.tests.TestCase):
@classmethod
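Review bot: NoMessageException is added without a docstring, so nothing at the definition says when it is raised or whether callers are expected to catch it. A one-line docstring stating that it signals a timeout while waiting for a message on the messaging bus would help, given that waitForMessages() in the next hunk catches it and turns it into an empty list.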
@@ -83,49 +87,76 @@ class AuthLogTestBase(samba.tests.TestCase):
super(AuthLogTestBase, self).setUp()
type(self).discardMessages()
+ def isRemote(self, message):
+ if self.remoteAddress is None:
+ return True
+
+ supported_types = {
+ "Authentication",
+ "Authorization",
+ }
+ message_type = message["type"]
+ if message_type in supported_types:
+ remote = message[message_type]["remoteAddress"]
+ else:
+ return False
+
+ try:
+ addr = remote.split(":")
+ return addr[1] == self.remoteAddress
+ except IndexError:
+ return False
+
def waitForMessages(self, isLastExpectedMessage, connection=None):
"""Wait for all the expected messages to arrive
The connection is passed through to keep the connection alive
until all the logging messages have been received.
"""
- def completed(messages):
- for message in messages:
- if isRemote(message) and isLastExpectedMessage(message):
- return True
- return False
+ messages = []
+ while True:
+ try:
+ msg = self.nextMessage()
+ except NoMessageException:
+ return []
- def isRemote(message):
- if self.remoteAddress is None:
- return True
+ messages.append(msg)
+ if isLastExpectedMessage(msg):
+ return messages
- supported_types = {
- "Authentication",
- "Authorization",
- }
- message_type = message["type"]
- if message_type in supported_types:
- remote = message[message_type]["remoteAddress"]
- else:
+ def nextMessage(self, msgFilter=None):
+ """Return the next relevant message, or throw a NoMessageException."""
+ def is_relevant(msg):
+ if not self.isRemote(msg):
return False
- try:
- addr = remote.split(":")
- return addr[1] == self.remoteAddress
- except IndexError:
- return False
+ if msgFilter is None:
+ return True
- self.connection = connection
+ return msgFilter(msg)
- start_time = time.time()
- while not completed(self.context["messages"]):
- self.msg_ctx.loop_once(0.1)
- if time.time() - start_time > 1:
- self.connection = None
- return []
+ messages = self.context['messages']
+
+ while True:
+ timeout = 2
+ until = time.time() + timeout
+
+ while not messages:
+ # Fetch a new message from the messaging bus.
+
+ current = time.time()
+ if until < current:
+ break
+
+ self.msg_ctx.loop_once(until - current)
+
+ if not messages:
+ raise NoMessageException('timed out looking for a message')
- self.connection = None
- return list(filter(isRemote, self.context["messages"]))
+ # Grab the next message from the queue.
+ msg = messages.pop(0)
+ if is_relevant(msg):
+ return msg
# Discard any previously queued messages.
@classmethod
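Review bot: nextMessage() has no overall deadline: `timeout = 2` and `until` are recomputed at the top of the outer `while True`, so every message that fails is_relevant() grants a fresh two seconds, and waitForMessages() adds its own unbounded loop on top. A steady stream of messages that never satisfy isLastExpectedMessage would keep the test waiting rather than failing; consider computing the deadline once per call, or bounding waitForMessages() as the removed one-second check did. Two smaller points: `messages.pop(0)` permanently drops messages rejected by isRemote() or msgFilter, which the nextMessage() docstring should state, and the `connection` argument is no longer referenced in the body now that `self.connection = connection` is removed, so the waitForMessages() docstring should say how the connection is still kept alive.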
diff --git a/python/samba/tests/dsdb.py b/python/samba/tests/dsdb.py
index 6c52994ece7..59d946cd6a6 100644
--- a/python/samba/tests/dsdb.py
+++ b/python/samba/tests/dsdb.py
@@ -24,17 +24,18 @@ from samba.tests import TestCase
from samba.tests import delete_force
from samba.ndr import ndr_unpack, ndr_pack
from samba.dcerpc import drsblobs, security, misc
-from samba import dsdb
+from samba.param import LoadParm
+from samba import dsdb, functional_level
--
Samba Shared Repository