[SCM] Samba Shared Repository - branch master updated
Andrew Bartlett
abartlet at samba.org
Thu May 18 01:59:01 UTC 2023
The branch, master has been updated
via 6ee5c80ea96 s4:kdc: Add support for constructed claims (for authentication silos)
via 420fae5dcbe s4:kdc: Make use of dsdb_search_one()
via e1f8cb063dd s4:kdc: Don’t perform unnecessary search to get account objectClass
via 10d6d77a272 s4:kdc: Have get_claims_for_principal() take the entire principal
via 3d9863cfdc4 s4:kdc: Enforce TGT lifetime authentication policy
via 1fdff371051 s4:kdc: Look up authentication policies for Kerberos clients and servers
via f1212ffe4e4 s4:kdc: Make maximum lifetime and renew time signed
via 9eaff7e852b s4:kdc: Add SDB_F_ARMOR_PRINCIPAL flag
via eeebd488f2a third_party/heimdal: Import lorikeet-heimdal-202305160500 (commit 8836d64dee78a74aa740e31b7ad406b8a8cfdad0)
via f547cf1db86 s4:kdc: Add helper functions for authentication policies
via 633ebe1b3ef s4:kdc: Make a proper shallow copy of the auth_user_info_dc structure
via 8cc0b76509b s4:auth: Add function to make a shallow copy of an auth_user_info_dc structure
via 9ff7d6c5c55 s4:kdc: Add NTSTATUS strings to log messages
via 32b49d8a56e lib:audit_logging: Fix typo in log message
via d7b68236ecf lib:audit_logging: Add function to add a formatted time value to a JSON message
via 0080148483c lib:audit_logging: Add function to add an optional boolean value to a JSON message
via 4440f1db54b lib:audit_logging: Add function to add flags to a JSON message
via 89d30cdfe16 s4:auth: Remove superfluous semicolon
via 34080e8839a s4:auth: Fix leak
via 263deae7e2b auth: Fix leaks
via 1de2feef90c auth: Correct parameter order in header
via 6d8a7e1655c s4:kdc: Fix diagnostic messages
via ad14287dd7c s4:kdc: Fix error messages
via 451f221bf35 s4:kdc: Check ldb_dn_new() return value
via 8f7f55da1e4 s4:kdc: Remove double-free
via 96a64b0522e s4:kdc: Remove double-free
via 02e6970ad65 s4:kdc: Fix leaks
via 2a9d057e828 s4:kdc: Make use of auth_generate_security_token()
via 9aaedb152ca s4:auth: Fix typos
via e2e752b5461 s4:auth: Split out new function to generate a security token
via 024e5f7e92a auth: Remove unnecessary return statements
via f948f9cb66f s3:utils: Fix typo
via 798be592f90 s4:kdc: Fix debugging strings
via 60803ea8c81 s4:kdc: Fix typos
via bbdb3bf8a63 s4:kdc: Factor out PAC blob functions into new source file
via 9a78a8b3f21 s4:kdc: Add missing includes and declarations
via c782dd2ffea libcli: Add missing include
via cdb1047bdc5 s4:kdc: Include missing headers
via 12fd8274fff s4:kdc: Make use of KDC_REQUEST_KV_PA_NAME constant
via 84a7ae8e0c7 tests/krb5: Add tests for authentication policies
via f9b666297cb tests/krb5: Allow specifying whether PA-DATA types are to be checked
via 53b62429f89 tests/krb5: Allow server and workstation accounts to perform a SamLogon
via c1ab6036bb0 tests/krb5: Allow specifying machine credentials to _test_samlogon()
via 031f1c7632e tests/krb5: Rename ‘server’ to ‘dc_server’
via 78cca1411ff netlogon:schannel: Fix NULL pointer dereference
via 3424c6d20fe tests/krb5: Test that NT_STATUS_ACCOUNT_LOCKED_OUT is returned in KDC reply e-data
via 18b24f95728 tests/krb5: Improve edata checking
via 3063abbfb0a tests/krb5: Remove unused import
via 0d609ee5ed3 samba-tool domain: Clean up code
via 56d98e974c3 samba-tool domain: Remove unused variables
from e03e738dfc9 librpc/rpc: allow smb3_sid_parse() to accept modern encryption algorithms
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 6ee5c80ea9610adf4e4624d2e1953e3fc3e91b71
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Mar 28 15:10:50 2023 +1300
s4:kdc: Add support for constructed claims (for authentication silos)
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Thu May 18 01:58:24 UTC 2023 on atb-devel-224
commit 420fae5dcbe886b7e66928e88d031c8569aacd5c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed May 17 12:02:47 2023 +1200
s4:kdc: Make use of dsdb_search_one()
Ensure we get exactly one object back, or an error.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit e1f8cb063ddc3753ab8673416fa70fa616138f30
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed May 17 12:07:44 2023 +1200
s4:kdc: Don’t perform unnecessary search to get account objectClass
We now have this information in the ldb_message.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 10d6d77a2720577e51bc93c51c85261c1e3d37b8
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed May 17 11:55:16 2023 +1200
s4:kdc: Have get_claims_for_principal() take the entire principal
The ldb_message contains more information than just the DN, such as
which authentication policy or silo is assigned.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 3d9863cfdc443817b1fd7e25cb30b5363a47fa58
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu May 4 15:06:40 2023 +1200
s4:kdc: Enforce TGT lifetime authentication policy
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 1fdff3710511c92bd103473e4c296c98f971dd13
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu May 4 15:06:40 2023 +1200
s4:kdc: Look up authentication policies for Kerberos clients and servers
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit f1212ffe4e4e2c09b9e10e9b7fe5a152e6f7adf6
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Apr 28 11:58:38 2023 +1200
s4:kdc: Make maximum lifetime and renew time signed
This is now consistent with Heimdal, and with our usage of time_t
elsewhere.
NOTE: This commit finally works again!
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 9eaff7e852bc6cd6d6146d5cf3d6007c3119d5d6
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue May 16 16:48:09 2023 +1200
s4:kdc: Add SDB_F_ARMOR_PRINCIPAL flag
This corresponds with the HDB_F_ARMOR_PRINCIPAL flag in Heimdal, and
indicates a lookup of an armor ticket client principal, rather than the
principal of the main TGT. This helps us to determine whether an
authentication policy will apply to a principal acting as a client, and
hence whether we have to look up the policy in the database.
NOTE: THIS COMMIT WON’T COMPILE/WORK ON ITS OWN!
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit eeebd488f2a31482f2c47a1618513c937041c3ac
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed May 17 09:06:17 2023 +1200
third_party/heimdal: Import lorikeet-heimdal-202305160500 (commit 8836d64dee78a74aa740e31b7ad406b8a8cfdad0)
NOTE: THIS COMMIT WON’T COMPILE/WORK ON ITS OWN!
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit f547cf1db865f93f634e561945da9da44c697f29
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu May 4 10:59:49 2023 +1200
s4:kdc: Add helper functions for authentication policies
These functions are not yet used.
They are arranged into two libraries: ‘authn_policy’, containing the
core functions, and ‘authn_policy_util’, containing utility functions
that can access the database. This separation is so that libraries
depended upon by ‘samdb’ or ‘dsdb-module’ can use the core functions
without introducing a dependency cycle.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 633ebe1b3efee4c61e1856cad5be5723010f9bd1
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed May 10 14:54:21 2023 +1200
s4:kdc: Make a proper shallow copy of the auth_user_info_dc structure
Just copying the structure fields is prone to lead to use-after-frees if
we access them after the original structure and its fields are freed.
Instead, call authsam_shallow_copy_user_info_dc() to make the copy. This
properly references the fields in the original structure so that they
will not be freed until we are sure we have finished with them.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 8cc0b76509b51bb57c2c527ea504812f8de06144
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue May 16 11:18:38 2023 +1200
s4:auth: Add function to make a shallow copy of an auth_user_info_dc structure
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 9ff7d6c5c55ff562afbda7b4329c59c83d2933cf
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue May 16 11:00:24 2023 +1200
s4:kdc: Add NTSTATUS strings to log messages
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 32b49d8a56e353d4f5b8b031aea75324056ba6ad
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue May 16 10:00:48 2023 +1200
lib:audit_logging: Fix typo in log message
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit d7b68236ecf8692f276d63d29e475c3b1ddb290d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue May 16 09:57:12 2023 +1200
lib:audit_logging: Add function to add a formatted time value to a JSON message
json_add_timestamp() is limited to adding a ‘timestamp’ field with the
current time. The new function can add an arbitrary timestamp with an
arbitrary field name.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 0080148483c2972393d33bf1f2c7dbb248bbb9c0
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue May 16 09:55:52 2023 +1200
lib:audit_logging: Add function to add an optional boolean value to a JSON message
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 4440f1db54b7ad54b7a4920ac67236d1d8605353
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue May 16 09:53:02 2023 +1200
lib:audit_logging: Add function to add flags to a JSON message
This replaces a couple of calls to snprintf() in
log_authentication_event_json() and log_successful_authz_event_json()
respectively.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 89d30cdfe164e441d0b565e02ea9422eaae789fb
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu May 11 14:45:13 2023 +1200
s4:auth: Remove superfluous semicolon
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 34080e8839a998ed177526129049e0cf2a4bbaf6
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue May 16 11:17:35 2023 +1200
s4:auth: Fix leak
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 263deae7e2b88ae35646426eb31c76a71623bf72
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu May 11 10:40:27 2023 +1200
auth: Fix leaks
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 1de2feef90c44819f7d2c0a6f743310dca28c2e3
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed May 10 13:00:08 2023 +1200
auth: Correct parameter order in header
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 6d8a7e1655cf6d6c0030a71c01bf9f3e26e2b318
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue May 9 16:28:22 2023 +1200
s4:kdc: Fix diagnostic messages
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit ad14287dd7c9bd586a1aff1a255c1f82753af2f2
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue May 9 16:26:35 2023 +1200
s4:kdc: Fix error messages
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 451f221bf352f45d7bdc496ad80779a052a1157f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue May 9 16:23:17 2023 +1200
s4:kdc: Check ldb_dn_new() return value
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 8f7f55da1e4f97245b4101ecb62e1b06a395a4ba
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue May 9 16:21:51 2023 +1200
s4:kdc: Remove double-free
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 96a64b0522e37a5b9fecaf99d34bec097a3304f3
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue May 9 14:59:54 2023 +1200
s4:kdc: Remove double-free
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 02e6970ad65c1b1681d9581917130651d3431ede
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue May 9 14:53:33 2023 +1200
s4:kdc: Fix leaks
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 2a9d057e8288d00dba9a2f0fe931f35dc370c26a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue May 9 14:41:30 2023 +1200
s4:kdc: Make use of auth_generate_security_token()
We don’t need the whole session info structure to perform an access
check.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 9aaedb152ca2e4188b5329d6af1ffa91b97d1ffe
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue May 9 14:06:23 2023 +1200
s4:auth: Fix typos
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit e2e752b5461ab3806d8ac9165ee82a77dff6a063
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue May 9 14:30:40 2023 +1200
s4:auth: Split out new function to generate a security token
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 024e5f7e92acd81a53e95b0652c08688e54d251a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue May 9 14:11:42 2023 +1200
auth: Remove unnecessary return statements
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit f948f9cb66f07de66e0e7548a9a5c305d32da678
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue May 9 14:09:19 2023 +1200
s3:utils: Fix typo
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 798be592f90e47f71207bddefe77dfe84f82d903
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue May 9 12:42:54 2023 +1200
s4:kdc: Fix debugging strings
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 60803ea8c81486911caa079af22d43ebeb662c40
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue May 9 12:07:35 2023 +1200
s4:kdc: Fix typos
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit bbdb3bf8a634c32f9d2c93d6b1c77eff194dabe6
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue May 9 11:57:09 2023 +1200
s4:kdc: Factor out PAC blob functions into new source file
pac-glue.c has become rather large, and can do without these PAC
blob–handling functions.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 9a78a8b3f21c934f736870b25065278545359d21
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon May 8 13:30:40 2023 +1200
s4:kdc: Add missing includes and declarations
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit c782dd2ffea00bef7d218b5db8435e3205187097
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon May 8 13:25:34 2023 +1200
libcli: Add missing include
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit cdb1047bdc5e6f7b9edd52e96dfdbb53e80e554e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon May 8 13:16:10 2023 +1200
s4:kdc: Include missing headers
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 12fd8274fff0bc9a3f098c3a481040ae6db999ee
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon May 8 12:58:46 2023 +1200
s4:kdc: Make use of KDC_REQUEST_KV_PA_NAME constant
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 84a7ae8e0c7730e03161d69b5ca55436cfc5b066
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu May 4 13:53:06 2023 +1200
tests/krb5: Add tests for authentication policies
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit f9b666297cbbe5d475b570a9d268df1f3fce048e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu May 4 14:44:11 2023 +1200
tests/krb5: Allow specifying whether PA-DATA types are to be checked
Not all tests are intended to test that the correct PA-DATA types are
returned. This parameter allows us to skip checking for cases where we
don’t care.
View with ‘git show -b’.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 53b62429f894cc6d8689d38acc59e8d6ca4ddff9
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu May 4 14:41:00 2023 +1200
tests/krb5: Allow server and workstation accounts to perform a SamLogon
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit c1ab6036bb091dea69e8fce189c9badf10bdd753
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu May 4 14:40:21 2023 +1200
tests/krb5: Allow specifying machine credentials to _test_samlogon()
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 031f1c7632e32b52b686a11c1f587cd13da2d3ab
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu May 4 13:55:31 2023 +1200
tests/krb5: Rename ‘server’ to ‘dc_server’
This makes it more clear that this is in fact the DC.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 78cca1411ff510f06f6665ccc32f2808e18f02cc
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue May 2 14:48:25 2023 +1200
netlogon:schannel: Fix NULL pointer dereference
We should not pass a NULL pointer into netlogon_creds_client_init().
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 3424c6d20fe32f7821ccd61b385189ef271e68ab
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Dec 1 15:35:56 2022 +1300
tests/krb5: Test that NT_STATUS_ACCOUNT_LOCKED_OUT is returned in KDC reply e-data
Certain clients rely on this behaviour.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 18b24f9572877b295a863432daaf458eb72562d0
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu May 4 14:55:36 2023 +1200
tests/krb5: Improve edata checking
Instead of guessing based on a heuristic whether we have KERB_ERROR_DATA
or METHOD_DATA in the ‘e-data’ field, decode it first as KERB_ERROR_DATA
and fall back to METHOD_DATA if that fails.
The environment variable EXPECT_NT_STATUS indicates that the KDC
supports returning a status code in the e-data field.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 3063abbfb0aaee65b80bd185d66923c148a861b4
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Apr 27 16:22:38 2023 +1200
tests/krb5: Remove unused import
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 0d609ee5ed33f01cbb35baae61adf1f19d804fa6
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Feb 13 14:53:42 2023 +1300
samba-tool domain: Clean up code
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 56d98e974c39e640ef2aa3da1d3d2ea9980c677a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Feb 13 14:53:19 2023 +1300
samba-tool domain: Remove unused variables
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
-----------------------------------------------------------------------
Summary of changes:
auth/auth_log.c | 22 +-
auth/auth_sam_reply.c | 77 +-
auth/common_auth.h | 2 +-
lib/audit_logging/audit_logging.c | 157 +-
lib/audit_logging/audit_logging.h | 8 +
libcli/util/ntstatus.h | 2 +
python/samba/functional_level.py | 2 +-
python/samba/netcmd/domain/dcpromo.py | 1 -
python/samba/netcmd/domain/demote.py | 6 +-
python/samba/netcmd/domain/provision.py | 6 +-
python/samba/netcmd/domain/trust.py | 48 +-
python/samba/tests/krb5/authn_policy_tests.py | 6589 +++++++++++++++++++++++++
python/samba/tests/krb5/kdc_base_test.py | 29 +-
python/samba/tests/krb5/kdc_tgs_tests.py | 18 +-
python/samba/tests/krb5/lockout_tests.py | 105 +-
python/samba/tests/krb5/raw_testcase.py | 183 +-
python/samba/tests/krb5/rfc4120_constants.py | 1 +
python/samba/tests/krb5/s4u_tests.py | 6 +
python/samba/tests/usage.py | 1 +
selftest/knownfail.d/constructed-claims | 1 -
selftest/knownfail_heimdal_kdc | 70 +
selftest/knownfail_mit_kdc | 114 +
source3/utils/ntlm_auth.c | 2 +-
source4/auth/auth.h | 3 +
source4/auth/ntlm/auth.c | 4 +-
source4/auth/sam.c | 87 +-
source4/auth/session.c | 120 +-
source4/auth/session.h | 10 +-
source4/auth/system_session.c | 2 +-
source4/kdc/ad_claims.c | 233 +-
source4/kdc/ad_claims.h | 2 +-
source4/kdc/authn_policy.c | 85 +
source4/kdc/authn_policy.h | 44 +
source4/kdc/authn_policy_impl.h | 55 +
source4/kdc/authn_policy_util.c | 774 +++
source4/kdc/authn_policy_util.h | 90 +
source4/kdc/db-glue.c | 130 +-
source4/kdc/hdb-samba4.c | 6 +-
source4/kdc/mit_samba.c | 8 +-
source4/kdc/pac-blobs.c | 250 +
source4/kdc/pac-blobs.h | 89 +
source4/kdc/pac-glue.c | 326 +-
source4/kdc/pac-glue.h | 12 +-
source4/kdc/samba_kdc.h | 6 +
source4/kdc/sdb.h | 12 +-
source4/kdc/sdb_to_hdb.c | 4 +-
source4/kdc/wdc-samba4.c | 8 +-
source4/kdc/wscript_build | 18 +-
source4/librpc/rpc/dcerpc_schannel.c | 3 +
source4/selftest/tests.py | 6 +
third_party/heimdal/kdc/fast.c | 5 +-
third_party/heimdal/kdc/kerberos5.c | 15 +-
third_party/heimdal/kdc/krb5tgs.c | 2 +-
third_party/heimdal/kuser/kinit.c | 20 +-
third_party/heimdal/lib/hdb/hdb.asn1 | 4 +-
third_party/heimdal/lib/hdb/hdb.h | 1 +
56 files changed, 9239 insertions(+), 645 deletions(-)
create mode 100755 python/samba/tests/krb5/authn_policy_tests.py
delete mode 100644 selftest/knownfail.d/constructed-claims
create mode 100644 source4/kdc/authn_policy.c
create mode 100644 source4/kdc/authn_policy.h
create mode 100644 source4/kdc/authn_policy_impl.h
create mode 100644 source4/kdc/authn_policy_util.c
create mode 100644 source4/kdc/authn_policy_util.h
create mode 100644 source4/kdc/pac-blobs.c
create mode 100644 source4/kdc/pac-blobs.h
Changeset truncated at 500 lines:
diff --git a/auth/auth_log.c b/auth/auth_log.c
index cf1f9109c74..c0506823008 100644
--- a/auth/auth_log.c
+++ b/auth/auth_log.c
@@ -149,7 +149,6 @@ static void log_authentication_event_json(
{
struct json_object wrapper = json_empty_object;
struct json_object authentication = json_empty_object;
- char negotiate_flags[11];
char logon_id[19];
int rc = 0;
const char *clientDomain = ui->orig_client.domain_name ?
@@ -257,12 +256,9 @@ static void log_authentication_event_json(
if (rc != 0) {
goto failure;
}
- snprintf(negotiate_flags,
- sizeof( negotiate_flags),
- "0x%08X",
- ui->netlogon_trust_account.negotiate_flags);
- rc = json_add_string(
- &authentication, "netlogonNegotiateFlags", negotiate_flags);
+ rc = json_add_flags32(
+ &authentication, "netlogonNegotiateFlags",
+ ui->netlogon_trust_account.negotiate_flags);
if (rc != 0) {
goto failure;
}
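Review bot: The value logged as netlogonNegotiateFlags was previously fixed by the "0x%08X" format string removed here, and json_add_flags32() is defined outside the lines shown in this mail, so its output format cannot be checked from this hunk. Please confirm that it emits the same zero-padded, upper-case hex string, and say so in the declaration comment in lib/audit_logging/audit_logging.h, since consumers of the JSON authentication log may match on that exact representation.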
@@ -368,7 +364,6 @@ static void log_successful_authz_event_json(
{
struct json_object wrapper = json_empty_object;
struct json_object authorization = json_empty_object;
- char account_flags[11];
int rc = 0;
authorization = json_new_object();
@@ -426,12 +421,7 @@ static void log_successful_authz_event_json(
if (rc != 0) {
goto failure;
}
-
- snprintf(account_flags,
- sizeof(account_flags),
- "0x%08X",
- session_info->info->acct_flags);
- rc = json_add_string(&authorization, "accountFlags", account_flags);
+ rc = json_add_flags32(&authorization, "accountFlags", session_info->info->acct_flags);
if (rc != 0) {
goto failure;
}
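Review bot: The new json_add_flags32() call for accountFlags is written on a single line that runs well past 80 columns, while the equivalent netlogonNegotiateFlags call earlier in this file is wrapped across three lines. Suggest wrapping this one the same way, with session_info->info->acct_flags on its own continuation line, so the two call sites stay consistent.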
@@ -491,8 +481,6 @@ static void log_no_json(struct imessaging_context *msg_ctx,
"compiled with jansson\n");
}
}
-
- return;
}
static void log_authentication_event_json(
@@ -508,7 +496,6 @@ static void log_authentication_event_json(
int debug_level)
{
log_no_json(msg_ctx, lp_ctx);
- return;
}
static void log_successful_authz_event_json(
@@ -523,7 +510,6 @@ static void log_successful_authz_event_json(
int debug_level)
{
log_no_json(msg_ctx, lp_ctx);
- return;
}
#endif
diff --git a/auth/auth_sam_reply.c b/auth/auth_sam_reply.c
index 8e0089eb8d1..8825ae8f83d 100644
--- a/auth/auth_sam_reply.c
+++ b/auth/auth_sam_reply.c
@@ -516,43 +516,69 @@ NTSTATUS make_user_info_SamBaseInfo(TALLOC_CTX *mem_ctx,
struct auth_user_info *info;
info = talloc_zero(mem_ctx, struct auth_user_info);
- NT_STATUS_HAVE_NO_MEMORY(info);
+ if (info == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
if (base->account_name.string) {
info->account_name = talloc_strdup(info, base->account_name.string);
} else {
info->account_name = talloc_strdup(info, account_name);
}
- NT_STATUS_HAVE_NO_MEMORY(info->account_name);
+ if (info->account_name == NULL) {
+ talloc_free(info);
+ return NT_STATUS_NO_MEMORY;
+ }
if (base->logon_domain.string) {
info->domain_name = talloc_strdup(info, base->logon_domain.string);
- NT_STATUS_HAVE_NO_MEMORY(info->domain_name);
+ if (info->domain_name == NULL) {
+ talloc_free(info);
+ return NT_STATUS_NO_MEMORY;
+ }
}
if (base->full_name.string) {
info->full_name = talloc_strdup(info, base->full_name.string);
- NT_STATUS_HAVE_NO_MEMORY(info->full_name);
+ if (info->full_name == NULL) {
+ talloc_free(info);
+ return NT_STATUS_NO_MEMORY;
+ }
}
if (base->logon_script.string) {
info->logon_script = talloc_strdup(info, base->logon_script.string);
- NT_STATUS_HAVE_NO_MEMORY(info->logon_script);
+ if (info->logon_script == NULL) {
+ talloc_free(info);
+ return NT_STATUS_NO_MEMORY;
+ }
}
if (base->profile_path.string) {
info->profile_path = talloc_strdup(info, base->profile_path.string);
- NT_STATUS_HAVE_NO_MEMORY(info->profile_path);
+ if (info->profile_path == NULL) {
+ talloc_free(info);
+ return NT_STATUS_NO_MEMORY;
+ }
}
if (base->home_directory.string) {
info->home_directory = talloc_strdup(info, base->home_directory.string);
- NT_STATUS_HAVE_NO_MEMORY(info->home_directory);
+ if (info->home_directory == NULL) {
+ talloc_free(info);
+ return NT_STATUS_NO_MEMORY;
+ }
}
if (base->home_drive.string) {
info->home_drive = talloc_strdup(info, base->home_drive.string);
- NT_STATUS_HAVE_NO_MEMORY(info->home_drive);
+ if (info->home_drive == NULL) {
+ talloc_free(info);
+ return NT_STATUS_NO_MEMORY;
+ }
}
if (base->logon_server.string) {
info->logon_server = talloc_strdup(info, base->logon_server.string);
- NT_STATUS_HAVE_NO_MEMORY(info->logon_server);
+ if (info->logon_server == NULL) {
+ talloc_free(info);
+ return NT_STATUS_NO_MEMORY;
+ }
}
info->last_logon = base->logon_time;
info->last_logoff = base->logoff_time;
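Review bot: The pair talloc_free(info); return NT_STATUS_NO_MEMORY; is now repeated after every talloc_strdup() in make_user_info_SamBaseInfo(), from account_name through logon_server. A single failure label at the end of the function, or building info under a temporary context and moving it to mem_ctx only on success, would keep the cleanup in one place so that a string field added later cannot miss its free and reintroduce the leak.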
@@ -661,7 +687,9 @@ NTSTATUS make_user_info_dc_netlogon_validation(TALLOC_CTX *mem_ctx,
}
user_info_dc = talloc_zero(mem_ctx, struct auth_user_info_dc);
- NT_STATUS_HAVE_NO_MEMORY(user_info_dc);
+ if (user_info_dc == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
/*
Here is where we should check the list of
@@ -670,28 +698,35 @@ NTSTATUS make_user_info_dc_netlogon_validation(TALLOC_CTX *mem_ctx,
*/
if (!base->domain_sid) {
DEBUG(0, ("Cannot operate on a Netlogon Validation without a domain SID"));
+ talloc_free(user_info_dc);
return NT_STATUS_INVALID_PARAMETER;
}
/* The IDL layer would be a better place to check this, but to
* guard the integer addition below, we double-check */
if (base->groups.count > 65535) {
+ talloc_free(user_info_dc);
return NT_STATUS_INVALID_PARAMETER;
}
user_info_dc->num_sids = PRIMARY_SIDS_COUNT;
user_info_dc->sids = talloc_array(user_info_dc, struct auth_SidAttr, user_info_dc->num_sids + base->groups.count);
- NT_STATUS_HAVE_NO_MEMORY(user_info_dc->sids);
+ if (user_info_dc->sids == NULL) {
+ talloc_free(user_info_dc);
+ return NT_STATUS_NO_MEMORY;
+ }
user_info_dc->sids[PRIMARY_USER_SID_INDEX].sid = *base->domain_sid;
if (!sid_append_rid(&user_info_dc->sids[PRIMARY_USER_SID_INDEX].sid, base->rid)) {
+ talloc_free(user_info_dc);
return NT_STATUS_INVALID_PARAMETER;
}
user_info_dc->sids[PRIMARY_USER_SID_INDEX].attrs = SE_GROUP_DEFAULT_FLAGS;
user_info_dc->sids[PRIMARY_GROUP_SID_INDEX].sid = *base->domain_sid;
if (!sid_append_rid(&user_info_dc->sids[PRIMARY_GROUP_SID_INDEX].sid, base->primary_gid)) {
+ talloc_free(user_info_dc);
return NT_STATUS_INVALID_PARAMETER;
}
/*
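Review bot: The !base->domain_sid and base->groups.count > 65535 checks read only base, so they could be done before the talloc_zero() of user_info_dc in make_user_info_dc_netlogon_validation(); that would make the two talloc_free(user_info_dc) calls added on those paths unnecessary and leave fewer exits that have to remember the free. Separately, the DEBUG(0, ...) message on the domain SID path has no trailing newline, which could be fixed while this block is being touched.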
@@ -705,6 +740,7 @@ NTSTATUS make_user_info_dc_netlogon_validation(TALLOC_CTX *mem_ctx,
for (i = 0; i < base->groups.count; i++) {
user_info_dc->sids[user_info_dc->num_sids].sid = *base->domain_sid;
if (!sid_append_rid(&user_info_dc->sids[user_info_dc->num_sids].sid, base->groups.rids[i].rid)) {
+ talloc_free(user_info_dc);
return NT_STATUS_INVALID_PARAMETER;
}
user_info_dc->sids[user_info_dc->num_sids].attrs = base->groups.rids[i].attributes;
@@ -722,6 +758,7 @@ NTSTATUS make_user_info_dc_netlogon_validation(TALLOC_CTX *mem_ctx,
* guard the integer addition below, we double-check
*/
if (sidcount > UINT16_MAX) {
+ talloc_free(user_info_dc);
return NT_STATUS_INVALID_PARAMETER;
}
@@ -733,6 +770,7 @@ NTSTATUS make_user_info_dc_netlogon_validation(TALLOC_CTX *mem_ctx,
dgrps = talloc_realloc(user_info_dc, dgrps, struct auth_SidAttr,
dgrps_count);
if (dgrps == NULL) {
+ talloc_free(user_info_dc);
return NT_STATUS_NO_MEMORY;
}
@@ -751,6 +789,7 @@ NTSTATUS make_user_info_dc_netlogon_validation(TALLOC_CTX *mem_ctx,
status = make_user_info_SamBaseInfo(user_info_dc, account_name, base, authenticated, &user_info_dc->info);
if (!NT_STATUS_IS_OK(status)) {
+ talloc_free(user_info_dc);
return status;
}
@@ -758,6 +797,7 @@ NTSTATUS make_user_info_dc_netlogon_validation(TALLOC_CTX *mem_ctx,
user_info_dc->info->dns_domain_name = talloc_strdup(user_info_dc->info,
dns_domainname);
if (user_info_dc->info->dns_domain_name == NULL) {
+ talloc_free(user_info_dc);
return NT_STATUS_NO_MEMORY;
}
}
@@ -766,6 +806,7 @@ NTSTATUS make_user_info_dc_netlogon_validation(TALLOC_CTX *mem_ctx,
user_info_dc->info->user_principal_name = talloc_strdup(user_info_dc->info,
principal);
if (user_info_dc->info->user_principal_name == NULL) {
+ talloc_free(user_info_dc);
return NT_STATUS_NO_MEMORY;
}
}
@@ -776,14 +817,20 @@ NTSTATUS make_user_info_dc_netlogon_validation(TALLOC_CTX *mem_ctx,
user_info_dc->user_session_key = data_blob(NULL, 0);
} else {
user_info_dc->user_session_key = data_blob_talloc(user_info_dc, base->key.key, sizeof(base->key.key));
- NT_STATUS_HAVE_NO_MEMORY(user_info_dc->user_session_key.data);
+ if (user_info_dc->user_session_key.data == NULL) {
+ talloc_free(user_info_dc);
+ return NT_STATUS_NO_MEMORY;
+ }
}
if (all_zero(base->LMSessKey.key, sizeof(base->LMSessKey.key))) {
user_info_dc->lm_session_key = data_blob(NULL, 0);
} else {
user_info_dc->lm_session_key = data_blob_talloc(user_info_dc, base->LMSessKey.key, sizeof(base->LMSessKey.key));
- NT_STATUS_HAVE_NO_MEMORY(user_info_dc->lm_session_key.data);
+ if (user_info_dc->lm_session_key.data == NULL) {
+ talloc_free(user_info_dc);
+ return NT_STATUS_NO_MEMORY;
+ }
}
*_user_info_dc = user_info_dc;
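Review bot: The two session-key branches now carry identical four-line "talloc_free(user_info_dc); return NT_STATUS_NO_MEMORY;" blocks, on top of the same pair repeated at every earlier exit of make_user_info_dc_netlogon_validation(). A single cleanup label (or building on a temporary talloc frame and stealing the result to mem_ctx at the end) would keep a future early return from silently reintroducing the leak that NT_STATUS_HAVE_NO_MEMORY() caused here.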
@@ -832,6 +879,7 @@ NTSTATUS make_user_info_dc_pac(TALLOC_CTX *mem_ctx,
break;
default:
DBG_ERR("invalid group inclusion parameter: %u\n", group_inclusion);
+ talloc_free(user_info_dc);
return NT_STATUS_INVALID_PARAMETER;
}
}
@@ -870,6 +918,7 @@ NTSTATUS make_user_info_dc_pac(TALLOC_CTX *mem_ctx,
ok = sid_append_rid(&user_info_dc->sids[user_info_dc->num_sids].sid,
rg->groups.rids[i].rid);
if (!ok) {
+ talloc_free(user_info_dc);
return NT_STATUS_INVALID_PARAMETER;
}
user_info_dc->sids[user_info_dc->num_sids].attrs = rg->groups.rids[i].attributes;
@@ -883,6 +932,7 @@ NTSTATUS make_user_info_dc_pac(TALLOC_CTX *mem_ctx,
talloc_strdup(user_info_dc->info,
pac_upn_dns_info->upn_name);
if (user_info_dc->info->user_principal_name == NULL) {
+ talloc_free(user_info_dc);
return NT_STATUS_NO_MEMORY;
}
}
@@ -891,6 +941,7 @@ NTSTATUS make_user_info_dc_pac(TALLOC_CTX *mem_ctx,
talloc_strdup(user_info_dc->info,
pac_upn_dns_info->dns_domain_name);
if (user_info_dc->info->dns_domain_name == NULL) {
+ talloc_free(user_info_dc);
return NT_STATUS_NO_MEMORY;
}
diff --git a/auth/common_auth.h b/auth/common_auth.h
index 691c6359ac4..756ad3a366d 100644
--- a/auth/common_auth.h
+++ b/auth/common_auth.h
@@ -182,8 +182,8 @@ void log_authentication_event(struct imessaging_context *msg_ctx,
const struct timeval *start_time,
const struct auth_usersupplied_info *ui,
NTSTATUS status,
- const char *account_name,
const char *domain_name,
+ const char *account_name,
struct dom_sid *sid);
/*
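Review bot: The two parameters swapped in the log_authentication_event() prototype are both const char *, so the compiler cannot flag a definition or caller that still uses the other order. Please confirm that the definition and every call site pass domain_name before account_name; otherwise the domain and account fields of the authentication audit record would be exchanged without any build warning.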
diff --git a/lib/audit_logging/audit_logging.c b/lib/audit_logging/audit_logging.c
index 671653fdcef..038012f4668 100644
--- a/lib/audit_logging/audit_logging.c
+++ b/lib/audit_logging/audit_logging.c
@@ -450,6 +450,50 @@ int json_add_bool(struct json_object *object,
return ret;
}
+/*
+ * @brief Add an optional boolean value to a JSON object.
+ *
+ * Add an optional boolean value named 'name' to the json object.
+ *
+ * @param object the JSON object to be updated.
+ * @param name the name.
+ * @param value the value.
+ *
+ * @return 0 the operation was successful
+ * -1 the operation failed
+ *
+ */
+int json_add_optional_bool(struct json_object *object,
+ const char *name,
+ const bool *value)
+{
+ int ret = 0;
+
+ if (json_is_invalid(object)) {
+ DBG_ERR("Unable to add boolean [%s] value [%d], "
+ "target object is invalid\n",
+ name,
+ *value);
+ return JSON_ERROR;
+ }
+
+ if (value != NULL) {
+ ret = json_object_set_new(object->root, name, json_boolean(*value));
+ if (ret != 0) {
+ DBG_ERR("Unable to add boolean [%s] value [%d]\n", name, *value);
+ return ret;
+ }
+ } else {
+ ret = json_object_set_new(object->root, name, json_null());
+ if (ret != 0) {
+ DBG_ERR("Unable to add null boolean [%s]\n", name);
+ return ret;
+ }
+ }
+
+ return ret;
+}
+
/*
* @brief Add a string value to a JSON object.
*
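Review bot: In json_add_optional_bool() the json_is_invalid() branch formats *value in its DBG_ERR() before the value != NULL test, so a NULL value, which is the case this function exists to accept, is dereferenced on the invalid-object path. Log only name there, or move the NULL test ahead of the message and print the value conditionally. The @return text documents -1 while the code returns JSON_ERROR or the raw json_object_set_new() result; naming JSON_ERROR in the comment would be clearer.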
@@ -686,37 +730,28 @@ int json_add_version(struct json_object *object, int major, int minor)
/*
* @brief add an ISO 8601 timestamp to the object.
*
- * Add the current date and time as a timestamp in ISO 8601 format
- * to a JSON object
+ * Add a date and time as a timestamp in ISO 8601 format to a JSON object
*
- * "timestamp":"2017-03-06T17:18:04.455081+1300"
+ * "time":"2017-03-06T17:18:04.455081+1300"
*
*
* @param object the JSON object to be updated.
+ * @param name the name.
+ * @param time the value to set.
*
* @return 0 the operation was successful
* -1 the operation failed
*/
-int json_add_timestamp(struct json_object *object)
+int json_add_time(struct json_object *object, const char *name, const struct timeval tv)
{
char buffer[40]; /* formatted time less usec and timezone */
char timestamp[65]; /* the formatted ISO 8601 time stamp */
char tz[10]; /* formatted time zone */
struct tm* tm_info; /* current local time */
- struct timeval tv; /* current system time */
- int r; /* response code from gettimeofday */
int ret; /* return code from json operations */
if (json_is_invalid(object)) {
- DBG_ERR("Unable to add time stamp, target object is invalid\n");
- return JSON_ERROR;
- }
-
- r = gettimeofday(&tv, NULL);
- if (r) {
- DBG_ERR("Unable to get time of day: (%d) %s\n",
- errno,
- strerror(errno));
+ DBG_ERR("Unable to add time, target object is invalid\n");
return JSON_ERROR;
}
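Review bot: The new doc comment for json_add_time() documents "@param time" but the parameter is named tv, and the @brief line is still word-for-word the one used for json_add_timestamp(). Rename the @param to tv and reword the brief so the two functions can be told apart. The "current local time" comment on tm_info is also stale now that the caller supplies the time, and passing struct timeval by const value rather than by const pointer deserves a short justification or a change.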
@@ -735,13 +770,48 @@ int json_add_timestamp(struct json_object *object)
buffer,
tv.tv_usec,
tz);
- ret = json_add_string(object, "timestamp", timestamp);
+ ret = json_add_string(object, name, timestamp);
if (ret != 0) {
- DBG_ERR("Unable to add time stamp to JSON object\n");
+ DBG_ERR("Unable to add time to JSON object\n");
}
return ret;
}
+/*
+ * @brief add an ISO 8601 timestamp to the object.
+ *
+ * Add the current date and time as a timestamp in ISO 8601 format
+ * to a JSON object
+ *
+ * "timestamp":"2017-03-06T17:18:04.455081+1300"
+ *
+ *
+ * @param object the JSON object to be updated.
+ *
+ * @return 0 the operation was successful
+ * -1 the operation failed
+ */
+int json_add_timestamp(struct json_object *object)
+{
+ struct timeval tv; /* current system time */
+ int r; /* response code from gettimeofday */
+
+ if (json_is_invalid(object)) {
+ DBG_ERR("Unable to add time stamp, target object is invalid\n");
+ return JSON_ERROR;
+ }
+
+ r = gettimeofday(&tv, NULL);
+ if (r) {
+ DBG_ERR("Unable to get time of day: (%d) %s\n",
+ errno,
+ strerror(errno));
+ return JSON_ERROR;
+ }
+
+ return json_add_time(object, "timestamp", tv);
+}
+
/*
*@brief Add a tsocket_address to a JSON object
*
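Review bot: The failure message in json_add_time(), "Unable to add time to JSON object", no longer says which field failed now that name is supplied by the caller. Include name in the message as json_add_optional_bool() and json_add_guid() do, for example "Unable to add time [%s] to JSON object". The json_is_invalid() check in json_add_timestamp() is repeated by json_add_time(); that is harmless, but a comment saying it is kept for the distinct log message would prevent someone removing it later.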
@@ -898,7 +968,7 @@ int json_add_guid(struct json_object *object,
guid_str = GUID_buf_string(guid, &guid_buff);
ret = json_add_string(object, name, guid_str);
if (ret != 0) {
- DBG_ERR("Unable to guid GUID [%s] value [%s]\n",
+ DBG_ERR("Unable to add GUID [%s] value [%s]\n",
name,
guid_str);
return ret;
@@ -907,6 +977,57 @@ int json_add_guid(struct json_object *object,
return ret;
}
+/*
+ * @brief Add a hex-formatted string representation of a 32-bit integer to a
+ * json object.
+ *
+ * Add a hex-formatted string representation of a 32-bit flags integer to the
+ * object.
+ *
+ * "accountFlags":"0x12345678"
+ *
+ *
+ * @param object the JSON object to be updated.
+ * @param name the name.
+ * @param flags the flags.
+ *
--
Samba Shared Repository