[SCM] Samba Shared Repository - branch master updated
Andrew Bartlett
abartlet at samba.org
Wed Nov 1 21:13:01 UTC 2023
The branch, master has been updated
via e7f38c3a190 pytest:samba-tool domain test policy: test SDDL diagnostics
via d915443ab00 pytest: samba_tool domain auth policy fix for SDDL err msg
via cc2498f35b4 samba-tool: try to present diagnostics for SDDL errors.
via 42b5a09a031 pytest:sddl: assert SDDLValueError values make sense
via d7fe04205f8 s4/librpc/py_security: use SDDLValueError for better error messages
via fd8cf82be1e pytest:sddl: handle SDDLValueError
via 328ddf6d3aa pytest:security_descriptors: handle SDDLValueError
via d47c6654f96 pytest: sid_strings: handle SDDLValueError
via 054725440f2 s4/librpc/py_security: add SDDLValueError
via 0c123e142f4 ndr/py_security: mod patch reports errors
via cbf8349ec53 lib/ldb: pyldb search iterator avoids exception leak
via 1d8024e733e lib/ldb: py LDBError avoids leak and checks for alloc failure
via ffa08426e0e libcli/security: conditional ace err messages don't hardcode offset
via c31d41d7219 libcli/security: sddl: guard against inconsistent msg pointers
via c63a8989770 libcli/security: sddl: remove unreachable debug
via 67fa97d61f9 libcli/security: sddl_decode_ace/acl pass through messages
via 93347aa5af1 libcli/security: add sddl_decode_err_msg()
via 9b57d5cd5c8 libcli/security: sddl_conditional_ace: ensure message is talloced
via cc11165ecbc libcli/security: sddl: check a talloc_zero
via 5319c5bdac8 libcli/security: SDDL accepts lowercase "s-" in SIDs
via c75be6c3261 librpc:ndr: Increase size of ‘libndr_flags’ type to 64 bits
via a396b705c8a librpc:ndr: Introduce ‘ndr_flags_type’ type
via c4f281e9ae3 librpc:ndr: Introduce ‘libndr_flags’ type
via 4ec7578e79c s4:torture: Make static variables constant
via 83c68236526 librpc:ndr: Fix code spelling
via 0071a60fb63 dcerpc.idl: Use simple boolean value instead of flag
via bea9958b607 s4:kdc: Call kdc_request_set_e_data() instead of kdc_set_e_data()
via 57c543a1d91 third_party/heimdal: Import lorikeet-heimdal-202310310018 (commit 3a433861903ff7c35f3a42c2e88aef2fab7bb5b4) (CID 1544591, CID 1544617)
via b06751389db s4:auth: Comment about claims in the security token
via ebbba22cfbd s4:auth: Remove trailing whitespace
via 0733ea3663f s4:kdc: Have samba_kdc_get_device_info_blob() call samba_kdc_get_user_info_dc() instead of adding special SIDs itself
via f8bfd607ca3 tests/krb5: Test device info generated from RODC‐issued tickets without certain SIDs
via 6760dd48ad0 s4:kdc: Do not add Claims Valid SID twice
via 54eb175816b tests/krb5: Rename ‘krbtgt_creds’ to ‘rodc_krbtgt_creds’
via 66b45978621 tests/krb5: Don’t pass unnecessary parameter
via 2b69e1e7c31 tests/krb5: Use __slots__ to indicate which attributes are used by classes
via b0da50b5b0d s4:kdc: Add the Asserted Identity SID to the PAC only if the original RODC‐issued PAC contained it
via 915b40521e6 s4:auth: Check that the PAC is not NULL before dereferencing it
via 76e27c3ab13 libcli/security: Add sid_attrs_contains_sid()
via 69edfd7b11a libcli/security: Make use of sids_contains_sid()
via 04611d9ebc1 libcli/security: Add sids_contains_sid()
via ce3f04dca9a libcli/security: Make use of sids_contains_sid_attrs()
via 5ff72d0e04e libcli/security: Rename sids_contains_sid() to sids_contains_sid_attrs()
via 487e21ec899 s4:dsdb: Make sids_contains_sid() usable by other Samba modules
via ce9fbceadba libcli/security: Correct function documentation
via 01b89669931 libcli/security: Remove unnecessary return statement
via 12b0c9d043f s4:dsdb: Align integer type
via 3b936623a42 s4:kdc: Add Claims Valid SID to info regenerated from RODC‐issued PACs
via 7ba4bb81645 tests/krb5: Add tests to see how SIDs are conveyed from PACs
via dc1e2b41ca4 tests/krb5: Test that the Claims Valid SID is added to RODC‐issued PACs
via 947d3e5932e tests/krb5: Test that the Service Asserted Identity SID is not regarded from an RODC‐issued PAC
from 1862561d1a1 smbd: Open file as REPARSE_POINT in unlink_internals()
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit e7f38c3a190c0faacdbab230439d98d7e3fe7c0e
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Sat Oct 28 12:09:04 2023 +1300
pytest:samba-tool domain test policy: test SDDL diagnostics
The existing 'bad SDDL' test has SDDL so bad that the diagnostics
are not exercised.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Wed Nov 1 21:12:33 UTC 2023 on atb-devel-224
commit d915443ab0076389036890c0046de9d33c5d7be6
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Fri Oct 27 16:14:04 2023 +1300
pytest: samba_tool domain auth policy fix for SDDL err msg
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit cc2498f35b4bc39b939069863ab5e8483aa026ec
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Fri Oct 27 13:16:56 2023 +1300
samba-tool: try to present diagnostics for SDDL errors.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 42b5a09a0318580ae34fb9feabdd512d9ceb2935
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Thu Oct 26 16:31:40 2023 +1300
pytest:sddl: assert SDDLValueError values make sense
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit d7fe04205f8dedd61404c2aa03f1dda7d2dc72b7
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Thu Oct 26 17:46:35 2023 +1300
s4/librpc/py_security: use SDDLValueError for better error messages
The aim is to allow samba-tool to tell users where their SDDL went
wrong.
Some tests would turn into errors (not knownfail-able failures)
if they were not changed at the same time, so they are changed too.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit fd8cf82be1e36a6398de3d6f48daf890a7fa8c9c
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Sat Oct 28 11:39:17 2023 +1300
pytest:sddl: handle SDDLValueError
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 328ddf6d3aab9bc1dea13170b6acef391ba8d3de
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Fri Oct 27 13:21:24 2023 +1300
pytest:security_descriptors: handle SDDLValueError
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit d47c6654f9603bab40e53a422a2f34187f7b2fb8
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Fri Oct 27 13:20:33 2023 +1300
pytest: sid_strings: handle SDDLValueError
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 054725440f2d5452219fbbaa868feb2fe862c3ba
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Oct 25 15:56:30 2023 +1300
s4/librpc/py_security: add SDDLValueError
This will soon be raised for SDDL parsing errors.
It would have been nice to have it as a subclass of
ValueError, meaning that all existing callers would
continue to catch this error as before, but it turns
out that that is quite difficult.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 0c123e142f41092210c953f82db29d4eff6950e6
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Fri Oct 27 13:19:47 2023 +1300
ndr/py_security: mod patch reports errors
We can, so we might as well.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit cbf8349ec53d0f4e50397149bff3fec5e18004d8
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Oct 25 13:18:34 2023 +1300
lib/ldb: pyldb search iterator avoids exception leak
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 1d8024e733e9717e86883c03092264fbcf25ac1d
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Oct 25 13:15:36 2023 +1300
lib/ldb: py LDBError avoids leak and checks for alloc failure
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit ffa08426e0e95e7a1e013ae9164b39072160ff4f
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Nov 1 10:46:20 2023 +1300
libcli/security: conditional ace err messages don't hardcode offset
Usually the conditions are embedded in part of some SDDL, and the
offset from the beginning of the condtions is a bit useless and
confusing. Callers of sddl_decode_err_msg get the offset from the
beginning of the SDDL which is a different and more useful number.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit c31d41d72199937f5902c3e32b88c4743522ef26
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Thu Oct 26 17:28:44 2023 +1300
libcli/security: sddl: guard against inconsistent msg pointers
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit c63a8989770b99dcb6396e77c0a9f24ad4111627
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Thu Oct 26 17:25:43 2023 +1300
libcli/security: sddl: remove unreachable debug
As it stands, ace_conditions_compile_sddl() won't produce a message when
it succeeds (i.e. return non-NULL), so this debug is just clutter.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 67fa97d61f9ffc4d5a87d340954e55db8afea3d1
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Thu Oct 26 17:20:49 2023 +1300
libcli/security: sddl_decode_ace/acl pass through messages
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 93347aa5af151c4441b768580d174a0d26fb5b91
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Thu Oct 26 16:55:33 2023 +1300
libcli/security: add sddl_decode_err_msg()
This will return an error message, if it can, along with an indicative
position.
For conditional ACEs the message might be accurate, and the position
fine-grained. For example, you might be able to construct the message
like this:
D:(XA;;CC;;;S-1-2-3;(@User.Title == !(@User.Title)))
^
16: unexpected operator
For non-conditional ACEs, the position typically points to the beginning
of the ACE, like this:
D:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A; OICI; GRGWGX;;;AU)
^
unknown error
Here the error is in the spaces either side of " OICI; ", but the pointer
points to the beginning of the ACE.
The old sddl_decode() function becomes a wrapper around the new function,
which inherits the guts of the old function.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 9b57d5cd5c880e1cd2ea43b586686481cb347aa6
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Sat Oct 21 12:56:24 2023 +1300
libcli/security: sddl_conditional_ace: ensure message is talloced
It is simpler for the message to have consistent parentage; it
is easier to drop one message we'll never see than to talloc it.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit cc11165ecbcb1f51f853ffe8b1ab9ec338bfb4d0
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Sat Oct 21 12:56:54 2023 +1300
libcli/security: sddl: check a talloc_zero
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 5319c5bdac8ad299ad6538fa4d48293ab36d09e1
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Sat Oct 21 12:47:33 2023 +1300
libcli/security: SDDL accepts lowercase "s-" in SIDs
This is what Windows does, and it removes a couple of knownfails.
We can change it here cheaply without affecting the core dom_sid code,
which is good because there seem to be other places where we need the
uppercase S (for example in ldap search <SID=> queries).
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit c75be6c326119a64e95513b3bad3f78522f4587a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Oct 30 11:08:49 2023 +1300
librpc:ndr: Increase size of ‘libndr_flags’ type to 64 bits
This gives us thirty‐two new LIBNDR_ flags to play with.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit a396b705c8a8f3f0e10a925349034dd513cbc7dc
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 27 14:41:17 2023 +1300
librpc:ndr: Introduce ‘ndr_flags_type’ type
Instead of ‘int’ or ‘uint32_t’, neither of which convey much meaning,
consistently use a newly added type to hold NDR_ flags.
Update the NDR 4.0.0 ABI.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit c4f281e9ae36c225b6003e0fa1cb8fb2e67bf543
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Jul 10 15:47:03 2023 +1200
librpc:ndr: Introduce ‘libndr_flags’ type
The LIBNDR_FLAG_ namespace is getting dangerously full, with only a
single flag value (1 << 9) remaining for use. After that flag is put
into use, we won’t be able to add any new flags without increasing the
flag width to 64‐bit.
Up to now we’ve used a haphazard mix of int, unsigned, and uint32_t to
store these flags. Introduce a new type, ‘libndr_flags’, to be used
consistently to hold LIBNDR flags. If in the future we find we need to
move to 64‐bit flags, this type gives us an opportunity to do that.
Bump the NDR version to 4.0.0 — an major version increment, for we’re
changing the function ABI and adding the new symbol
ndr_print_libndr_flags.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 4ec7578e79cf821e6dc8945eee393635cd4c62ca
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Oct 30 11:04:58 2023 +1300
s4:torture: Make static variables constant
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 83c68236526289a0e063b2a15fc3017f4c4e63e9
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 27 13:00:42 2023 +1300
librpc:ndr: Fix code spelling
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 0071a60fb635b87499f9c9ee0ca4cf360d80d134
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 11 12:00:24 2023 +1200
dcerpc.idl: Use simple boolean value instead of flag
One advantage of this is that the type of the switch value is no longer
tied to the type of the NDR flags.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit bea9958b60754dd4dec08a862ea1bd356b7e4b06
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Oct 11 16:31:13 2023 +1300
s4:kdc: Call kdc_request_set_e_data() instead of kdc_set_e_data()
NOTE: This commit finally works again!
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 57c543a1d91112301b38e3832f706684b4d30877
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Oct 31 13:22:05 2023 +1300
third_party/heimdal: Import lorikeet-heimdal-202310310018 (commit 3a433861903ff7c35f3a42c2e88aef2fab7bb5b4) (CID 1544591, CID 1544617)
NOTE: THIS COMMIT WON’T COMPILE/WORK ON ITS OWN!
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit b06751389db1faf9f74bfe172e15ad291d9135b6
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Oct 31 16:18:35 2023 +1300
s4:auth: Comment about claims in the security token
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit ebbba22cfbd50c854da30b03360f559a8f49f9a6
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Oct 19 19:45:17 2023 +1300
s4:auth: Remove trailing whitespace
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 0733ea3663f0bad035795e35e9ad909a5488fb85
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Oct 31 16:14:26 2023 +1300
s4:kdc: Have samba_kdc_get_device_info_blob() call samba_kdc_get_user_info_dc() instead of adding special SIDs itself
samba_kdc_get_user_info_dc() will add the Asserted Identity and Claims
Valid SIDs as appropriate.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit f8bfd607ca3701384622caf2a223883f57ce1c36
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Oct 31 16:08:41 2023 +1300
tests/krb5: Test device info generated from RODC‐issued tickets without certain SIDs
These tests crash Windows, but we can assume reasonable behaviour for
Samba.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 6760dd48ad0c0e7e003c1911a79535d144655126
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Oct 31 14:50:12 2023 +1300
s4:kdc: Do not add Claims Valid SID twice
samba_kdc_get_user_info_dc() now adds the SID itself.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 54eb175816b72e7274a66ef718b3f33a9c007f71
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Oct 31 13:49:09 2023 +1300
tests/krb5: Rename ‘krbtgt_creds’ to ‘rodc_krbtgt_creds’
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 66b45978621ad8b02dc2cdf957c25bd2982c0505
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Oct 31 10:52:03 2023 +1300
tests/krb5: Don’t pass unnecessary parameter
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 2b69e1e7c316e634090aad1d97ecadf8cdf529f3
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Oct 30 14:05:17 2023 +1300
tests/krb5: Use __slots__ to indicate which attributes are used by classes
These should help to catch mistaken attempts to set invalid attributes.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit b0da50b5b0d4817184202c63ddeb71e1c20b631e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Oct 30 15:12:34 2023 +1300
s4:kdc: Add the Asserted Identity SID to the PAC only if the original RODC‐issued PAC contained it
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 915b40521e660a4e685f45bbb4dd1bc7308492d1
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Oct 30 15:09:28 2023 +1300
s4:auth: Check that the PAC is not NULL before dereferencing it
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 76e27c3ab1349fb4b7a71d7420a4616275befa37
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Oct 30 15:03:04 2023 +1300
libcli/security: Add sid_attrs_contains_sid()
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 69edfd7b11ab01ca321eaa85a80e5e44e4b2ff02
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Oct 30 14:52:42 2023 +1300
libcli/security: Make use of sids_contains_sid()
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 04611d9ebc1c54c6ec6ee3a6a365035dd477283c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Oct 30 14:51:17 2023 +1300
libcli/security: Add sids_contains_sid()
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit ce3f04dca9a673517879998af60fd7b346201de3
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Oct 30 14:35:12 2023 +1300
libcli/security: Make use of sids_contains_sid_attrs()
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 5ff72d0e04e6c8d55c32ad9a73c9b79c4893f83a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Oct 30 14:48:23 2023 +1300
libcli/security: Rename sids_contains_sid() to sids_contains_sid_attrs()
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 487e21ec89999f1357db4144775d1923d99260f5
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Oct 30 14:33:00 2023 +1300
s4:dsdb: Make sids_contains_sid() usable by other Samba modules
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit ce9fbceadbabe35cae07f5b0c52d0258ded782ee
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Oct 30 14:32:09 2023 +1300
libcli/security: Correct function documentation
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 01b8966993186ce3f71e8d938c2cc28c4fbaf77b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Oct 30 14:21:42 2023 +1300
libcli/security: Remove unnecessary return statement
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 12b0c9d043ff6ccff5e4d024dcf8dd2847e05734
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Oct 30 14:17:31 2023 +1300
s4:dsdb: Align integer type
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 3b936623a421a5a25f3fce717a6ca8652e7e0845
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Oct 30 13:40:37 2023 +1300
s4:kdc: Add Claims Valid SID to info regenerated from RODC‐issued PACs
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 7ba4bb81645be100ac2e871de6cf92a79a29fbe5
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Oct 25 16:38:57 2023 +1300
tests/krb5: Add tests to see how SIDs are conveyed from PACs
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit dc1e2b41ca4bbd9882c2bcf5aa0bca217002fb80
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Oct 30 16:12:36 2023 +1300
tests/krb5: Test that the Claims Valid SID is added to RODC‐issued PACs
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 947d3e5932e128fdbe782477e981087d8cf5bc26
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Oct 30 15:20:59 2023 +1300
tests/krb5: Test that the Service Asserted Identity SID is not regarded from an RODC‐issued PAC
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
-----------------------------------------------------------------------
Summary of changes:
lib/fuzzing/fuzz_ndr_X.c | 4 +-
lib/ldb/pyldb.c | 23 +-
libcli/nbt/nbtname.c | 10 +-
libcli/security/dom_sid.h | 11 +-
libcli/security/sddl.c | 102 ++++++---
libcli/security/sddl.h | 3 +
libcli/security/sddl_conditional_ace.c | 20 +-
libcli/security/secace.h | 3 +-
libcli/security/util_sid.c | 99 +++++++--
librpc/ABI/{ndr-3.0.2.sigs => ndr-4.0.0.sigs} | 217 +++++++++---------
librpc/idl/dcerpc.idl | 4 +-
librpc/idl/ntprinting.idl | 8 +-
librpc/ndr/libndr.h | 129 ++++++-----
librpc/ndr/ndr.c | 14 +-
librpc/ndr/ndr_auth.c | 4 +-
librpc/ndr/ndr_auth.h | 4 +-
librpc/ndr/ndr_backupkey.c | 10 +-
librpc/ndr/ndr_backupkey.h | 4 +-
librpc/ndr/ndr_basic.c | 144 ++++++------
librpc/ndr/ndr_bkupblobs.c | 8 +-
librpc/ndr/ndr_cab.c | 8 +-
librpc/ndr/ndr_dcerpc.c | 12 +-
librpc/ndr/ndr_dcerpc.h | 2 +-
librpc/ndr/ndr_dns.c | 16 +-
librpc/ndr/ndr_dns.h | 8 +-
librpc/ndr/ndr_dns_utils.c | 2 +-
librpc/ndr/ndr_dns_utils.h | 2 +-
librpc/ndr/ndr_dnsp.c | 12 +-
librpc/ndr/ndr_dnsp.h | 8 +-
librpc/ndr/ndr_dnsserver.c | 8 +-
librpc/ndr/ndr_dnsserver.h | 4 +-
librpc/ndr/ndr_drsblobs.c | 16 +-
librpc/ndr/ndr_drsblobs.h | 2 +-
librpc/ndr/ndr_drsuapi.c | 18 +-
librpc/ndr/ndr_drsuapi.h | 2 +-
librpc/ndr/ndr_frsrpc.c | 10 +-
librpc/ndr/ndr_frsrpc.h | 6 +-
librpc/ndr/ndr_krb5pac.c | 14 +-
librpc/ndr/ndr_krb5pac.h | 3 +-
librpc/ndr/ndr_nbt.c | 36 +--
librpc/ndr/ndr_nbt.h | 12 +-
librpc/ndr/ndr_negoex.c | 26 +--
librpc/ndr/ndr_negoex.h | 22 +-
librpc/ndr/ndr_netlogon.c | 8 +-
librpc/ndr/ndr_netlogon.h | 8 +-
librpc/ndr/ndr_ntlmssp.c | 12 +-
librpc/ndr/ndr_ntlmssp.h | 6 +-
librpc/ndr/ndr_ntprinting.c | 8 +-
librpc/ndr/ndr_ntprinting.h | 4 +-
librpc/ndr/ndr_orpc.c | 8 +-
librpc/ndr/ndr_preg.c | 8 +-
librpc/ndr/ndr_preg.h | 4 +-
librpc/ndr/ndr_sec_helper.c | 32 +--
librpc/ndr/ndr_spoolss_buf.c | 186 ++++++++--------
librpc/ndr/ndr_spoolss_buf.h | 52 ++---
librpc/ndr/ndr_string.c | 60 ++---
librpc/ndr/ndr_witness.c | 12 +-
librpc/ndr/ndr_witness.h | 4 +-
librpc/ndr/ndr_wmi.h | 4 +-
librpc/ndr/ndr_xattr.c | 8 +-
librpc/ndr/ndr_xattr.h | 4 +-
librpc/rpc/dcerpc_pkt_auth.c | 2 +-
librpc/rpc/dcerpc_util.c | 2 +-
librpc/rpc/dcesrv_core.c | 2 +-
librpc/rpc/dcesrv_core.h | 2 +-
librpc/rpc/rpc_common.h | 10 +-
librpc/tests/test_ndr_string.c | 6 +-
librpc/tools/ndrdump.c | 2 +-
librpc/wscript_build | 2 +-
pidl/lib/Parse/Pidl/NDR.pm | 2 +
pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm | 24 +-
pidl/lib/Parse/Pidl/Samba4/Python.pm | 14 +-
pidl/lib/Parse/Pidl/Typelist.pm | 2 +
python/samba/netcmd/__init__.py | 28 +++
python/samba/tests/krb5/authn_policy_tests.py | 11 +-
python/samba/tests/krb5/conditional_ace_tests.py | 244 +++++++++++++++++++--
python/samba/tests/krb5/device_tests.py | 100 +++++++++
python/samba/tests/krb5/kdc_base_test.py | 11 +-
python/samba/tests/krb5/raw_testcase.py | 37 ++++
.../samba/tests/samba_tool/domain_auth_policy.py | 46 +++-
python/samba/tests/sddl.py | 17 +-
python/samba/tests/security.py | 2 +-
python/samba/tests/security_descriptors.py | 3 +-
python/samba/tests/sid_strings.py | 2 +-
selftest/knownfail.d/sid-strings | 2 -
selftest/knownfail_heimdal_kdc | 6 -
selftest/knownfail_mit_kdc | 9 +
source3/librpc/ndr/ndr_ads.c | 4 +-
source3/libsmb/cliquota.c | 2 +-
source3/rpc_client/cli_pipe.c | 2 +-
source3/rpc_client/wsp_cli.c | 18 +-
source3/winbindd/winbindd_dual_ndr.c | 2 +-
source4/auth/kerberos/kerberos_pac.c | 5 +
source4/auth/ntlm/auth.c | 53 +++--
source4/auth/session.c | 12 +-
source4/dsdb/common/util_groups.c | 25 +--
source4/dsdb/wscript_build | 2 +-
source4/kdc/hdb-samba4.c | 2 +-
source4/kdc/pac-glue.c | 165 +++++++-------
source4/lib/messaging/messaging.c | 2 +-
source4/librpc/ndr/py_security.c | 72 +++++-
source4/librpc/rpc/dcerpc.c | 2 +-
source4/librpc/rpc/pyrpc.h | 2 +-
source4/torture/ndr/ndr.c | 20 +-
source4/torture/ndr/ndr.h | 10 +-
source4/torture/ndr/string.c | 16 +-
source4/torture/rpc/iremotewinspool.c | 2 +-
third_party/heimdal/kdc/fast.c | 19 +-
third_party/heimdal/kdc/kdc-plugin.c | 13 ++
third_party/heimdal/kdc/kerberos5.c | 21 --
third_party/heimdal/kdc/libkdc-exports.def | 2 +-
third_party/heimdal/kdc/process.c | 3 +-
third_party/heimdal/kdc/version-script.map | 2 +-
third_party/heimdal/lib/base/heimbase-svc.h | 2 +-
third_party/heimdal/tests/plugin/kdc_test_plugin.c | 8 +-
115 files changed, 1614 insertions(+), 960 deletions(-)
copy librpc/ABI/{ndr-3.0.2.sigs => ndr-4.0.0.sigs} (62%)
Changeset truncated at 500 lines:
diff --git a/lib/fuzzing/fuzz_ndr_X.c b/lib/fuzzing/fuzz_ndr_X.c
index a3d7199edc9..16109cccb2b 100644
--- a/lib/fuzzing/fuzz_ndr_X.c
+++ b/lib/fuzzing/fuzz_ndr_X.c
@@ -152,10 +152,10 @@ static void ndr_print_nothing(struct ndr_print *ndr, const char *format, ...)
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
uint8_t type;
- int pull_push_print_flags;
+ ndr_flags_type pull_push_print_flags;
uint16_t fuzz_packet_flags, function;
TALLOC_CTX *mem_ctx = NULL;
- uint32_t ndr_flags = 0;
+ libndr_flags ndr_flags = 0;
struct ndr_push *ndr_push;
enum ndr_err_code ndr_err;
struct ndr_interface_call f_buffer;
diff --git a/lib/ldb/pyldb.c b/lib/ldb/pyldb.c
index 49641957223..f398887e579 100644
--- a/lib/ldb/pyldb.c
+++ b/lib/ldb/pyldb.c
@@ -266,13 +266,25 @@ static PyTypeObject PyLdbControl = {
static void PyErr_SetLdbError(PyObject *error, int ret, struct ldb_context *ldb_ctx)
{
- if (ret == LDB_ERR_PYTHON_EXCEPTION)
+ PyObject *exc = NULL;
+ if (ret == LDB_ERR_PYTHON_EXCEPTION) {
return; /* Python exception should already be set, just keep that */
-
- PyErr_SetObject(error,
- Py_BuildValue(discard_const_p(char, "(i,s)"), ret,
- ldb_ctx == NULL?ldb_strerror(ret):ldb_errstring(ldb_ctx)));
+ }
+ exc = Py_BuildValue("(i,s)", ret,
+ ldb_ctx == NULL?ldb_strerror(ret):ldb_errstring(ldb_ctx));
+ if (exc == NULL) {
+ /*
+ * Py_BuildValue failed, and will have set its own exception.
+ * It isn't the one we wanted, but it will have to do.
+ * This is all very unexpected.
+ */
+ fprintf(stderr, "could not make LdbError %d!\n", ret);
+ return;
+ }
+ PyErr_SetObject(error, exc);
+ Py_DECREF(exc);
}
+
static PyObject *py_ldb_bytes_str(PyBytesObject *self)
{
char *msg = NULL;
@@ -3005,6 +3017,7 @@ static PyObject *py_ldb_search_iterator_result(PyLdbSearchIteratorObject *self,
if (self->state.exception != NULL) {
PyErr_SetObject(PyExc_LdbError, self->state.exception);
+ Py_DECREF(self->state.exception);
self->state.exception = NULL;
return NULL;
}
diff --git a/libcli/nbt/nbtname.c b/libcli/nbt/nbtname.c
index 1881e463635..a2b0d346c26 100644
--- a/libcli/nbt/nbtname.c
+++ b/libcli/nbt/nbtname.c
@@ -106,7 +106,7 @@ static uint8_t *compress_name(TALLOC_CTX *mem_ctx,
/**
pull a nbt name from the wire
*/
-_PUBLIC_ enum ndr_err_code ndr_pull_nbt_name(struct ndr_pull *ndr, int ndr_flags, struct nbt_name *r)
+_PUBLIC_ enum ndr_err_code ndr_pull_nbt_name(struct ndr_pull *ndr, ndr_flags_type ndr_flags, struct nbt_name *r)
{
uint8_t *scope;
char *cname;
@@ -155,7 +155,7 @@ _PUBLIC_ enum ndr_err_code ndr_pull_nbt_name(struct ndr_pull *ndr, int ndr_flags
/**
push a nbt name to the wire
*/
-_PUBLIC_ enum ndr_err_code ndr_push_nbt_name(struct ndr_push *ndr, int ndr_flags, const struct nbt_name *r)
+_PUBLIC_ enum ndr_err_code ndr_push_nbt_name(struct ndr_push *ndr, ndr_flags_type ndr_flags, const struct nbt_name *r)
{
uint8_t *cname, *fullname;
enum ndr_err_code ndr_err;
@@ -326,7 +326,7 @@ _PUBLIC_ char *nbt_name_string(TALLOC_CTX *mem_ctx, const struct nbt_name *name)
/**
pull a nbt name, WINS Replication uses another on wire format for nbt name
*/
-_PUBLIC_ enum ndr_err_code ndr_pull_wrepl_nbt_name(struct ndr_pull *ndr, int ndr_flags, struct nbt_name **_r)
+_PUBLIC_ enum ndr_err_code ndr_pull_wrepl_nbt_name(struct ndr_pull *ndr, ndr_flags_type ndr_flags, struct nbt_name **_r)
{
struct nbt_name *r;
uint8_t *namebuf;
@@ -400,7 +400,7 @@ _PUBLIC_ enum ndr_err_code ndr_pull_wrepl_nbt_name(struct ndr_pull *ndr, int ndr
/**
push a nbt name, WINS Replication uses another on wire format for nbt name
*/
-_PUBLIC_ enum ndr_err_code ndr_push_wrepl_nbt_name(struct ndr_push *ndr, int ndr_flags, const struct nbt_name *r)
+_PUBLIC_ enum ndr_err_code ndr_push_wrepl_nbt_name(struct ndr_push *ndr, ndr_flags_type ndr_flags, const struct nbt_name *r)
{
uint8_t *namebuf;
uint32_t namebuf_len;
@@ -478,7 +478,7 @@ _PUBLIC_ void ndr_print_wrepl_nbt_name(struct ndr_print *ndr, const char *name,
talloc_free(s);
}
-_PUBLIC_ enum ndr_err_code ndr_push_nbt_qtype(struct ndr_push *ndr, int ndr_flags, enum nbt_qtype r)
+_PUBLIC_ enum ndr_err_code ndr_push_nbt_qtype(struct ndr_push *ndr, ndr_flags_type ndr_flags, enum nbt_qtype r)
{
/* For WACK replies, we need to send NBT_QTYPE_NETBIOS on the wire. */
NDR_CHECK(ndr_push_enum_uint16(ndr, NDR_SCALARS, (r == NBT_QTYPE_WACK) ? NBT_QTYPE_NETBIOS : r));
diff --git a/libcli/security/dom_sid.h b/libcli/security/dom_sid.h
index e3be817dd43..343001e87ee 100644
--- a/libcli/security/dom_sid.h
+++ b/libcli/security/dom_sid.h
@@ -141,6 +141,15 @@ void del_sid_from_array(const struct dom_sid *sid, struct dom_sid **sids,
bool add_rid_to_array_unique(TALLOC_CTX *mem_ctx,
uint32_t rid, uint32_t **pp_rids, size_t *p_num);
bool is_null_sid(const struct dom_sid *sid);
+bool sids_contains_sid(const struct dom_sid *sids,
+ const uint32_t num_sids,
+ const struct dom_sid *sid);
+bool sid_attrs_contains_sid(const struct auth_SidAttr *sids,
+ const uint32_t num_sids,
+ const struct dom_sid *sid);
+bool sids_contains_sid_attrs(const struct auth_SidAttr *sids,
+ const uint32_t num_sids,
+ const struct dom_sid *sid,
+ uint32_t attrs);
#endif /*_DOM_SID_H_*/
-
diff --git a/libcli/security/sddl.c b/libcli/security/sddl.c
index 5f8a01fbef8..15943e6aa24 100644
--- a/libcli/security/sddl.c
+++ b/libcli/security/sddl.c
@@ -208,7 +208,7 @@ static struct dom_sid *sddl_transition_decode_sid(TALLOC_CTX *mem_ctx, const cha
size_t i;
/* see if its in the numeric format */
- if (strncmp(sddl, "S-", 2) == 0) {
+ if (strncasecmp(sddl, "S-", 2) == 0) {
struct dom_sid *sid = NULL;
char *sid_str = NULL;
const char *end = NULL;
@@ -230,6 +230,13 @@ static struct dom_sid *sddl_transition_decode_sid(TALLOC_CTX *mem_ctx, const cha
if (sid_str == NULL) {
return NULL;
}
+ if (sid_str[0] == 's') {
+ /*
+ * In SDDL, but not in the dom_sid parsers, a
+ * lowercase "s-1-1-0" is accepted.
+ */
+ sid_str[0] = 'S';
+ }
sid = talloc(mem_ctx, struct dom_sid);
if (sid == NULL) {
TALLOC_FREE(sid_str);
@@ -481,16 +488,16 @@ static bool sddl_decode_guid(const char *str, struct GUID *guid)
static DATA_BLOB sddl_decode_conditions(TALLOC_CTX *mem_ctx,
const char *conditions,
- const char **message,
- size_t *length)
+ size_t *length,
+ const char **msg,
+ size_t *msg_offset)
{
DATA_BLOB blob = {0};
struct ace_condition_script *script = NULL;
- size_t message_offset;
script = ace_conditions_compile_sddl(mem_ctx,
conditions,
- message,
- &message_offset,
+ msg,
+ msg_offset,
length);
if (script != NULL) {
bool ok = conditional_ace_encode_binary(mem_ctx,
@@ -499,10 +506,6 @@ static DATA_BLOB sddl_decode_conditions(TALLOC_CTX *mem_ctx,
if (! ok) {
DBG_ERR("could not blobify '%s'\n", conditions);
}
- if (*message) {
- DBG_ERR(" %*c", (int)message_offset, '^');
- DBG_ERR("error '%s'\n", *message);
- }
}
return blob;
}
@@ -516,7 +519,8 @@ static DATA_BLOB sddl_decode_conditions(TALLOC_CTX *mem_ctx,
static bool sddl_decode_ace(TALLOC_CTX *mem_ctx,
struct security_ace *ace,
char **sddl_copy,
- struct sddl_transition_state *state)
+ struct sddl_transition_state *state,
+ const char **msg, size_t *msg_offset)
{
const char *tok[7];
const char *s;
@@ -664,13 +668,14 @@ static bool sddl_decode_ace(TALLOC_CTX *mem_ctx,
* conditional ACE compiler.
*/
size_t length;
- const char *message = NULL;
DATA_BLOB conditions = {0};
s = tok[6];
- conditions = sddl_decode_conditions(mem_ctx, s, &message, &length);
+ conditions = sddl_decode_conditions(mem_ctx, s, &length, msg, msg_offset);
if (conditions.data == NULL) {
- DBG_WARNING("Conditional ACE compilation failure: %s\n", message);
+ DBG_WARNING("Conditional ACE compilation failure at %zu: %s\n",
+ *msg_offset, *msg);
+ *msg_offset += s - *sddl_copy;
return false;
}
ace->coda.conditions = conditions;
@@ -729,7 +734,8 @@ static const struct flag_map acl_flags[] = {
*/
static struct security_acl *sddl_decode_acl(struct security_descriptor *sd,
const char **sddlp, uint32_t *flags,
- struct sddl_transition_state *state)
+ struct sddl_transition_state *state,
+ const char **msg, size_t *msg_offset)
{
const char *sddl = *sddlp;
char *sddl_copy = NULL;
@@ -789,8 +795,10 @@ static struct security_acl *sddl_decode_acl(struct security_descriptor *sd,
return NULL;
}
ok = sddl_decode_ace(acl->aces, &acl->aces[acl->num_aces],
- &sddl_copy, state);
+ &sddl_copy, state, msg, msg_offset);
if (!ok) {
+ *msg_offset += sddl_copy - aces_start;
+ talloc_steal(sd, *msg);
talloc_free(acl);
return NULL;
}
@@ -803,10 +811,14 @@ static struct security_acl *sddl_decode_acl(struct security_descriptor *sd,
}
/*
- decode a security descriptor in SDDL format
-*/
-struct security_descriptor *sddl_decode(TALLOC_CTX *mem_ctx, const char *sddl,
- const struct dom_sid *domain_sid)
+ * Decode a security descriptor in SDDL format, catching compilation
+ * error messages, if any.
+ *
+ * The message will be a direct talloc child of mem_ctx or NULL.
+ */
+struct security_descriptor *sddl_decode_err_msg(TALLOC_CTX *mem_ctx, const char *sddl,
+ const struct dom_sid *domain_sid,
+ const char **msg, size_t *msg_offset)
{
struct sddl_transition_state state = {
/*
@@ -818,12 +830,24 @@ struct security_descriptor *sddl_decode(TALLOC_CTX *mem_ctx, const char *sddl,
.domain_sid = domain_sid,
.forest_sid = domain_sid,
};
+ const char *start = sddl;
struct security_descriptor *sd;
sd = talloc_zero(mem_ctx, struct security_descriptor);
-
+ if (sd == NULL) {
+ goto failed;
+ }
sd->revision = SECURITY_DESCRIPTOR_REVISION_1;
sd->type = SEC_DESC_SELF_RELATIVE;
+ if (msg != NULL) {
+ if (msg_offset == NULL) {
+ DBG_ERR("Programmer misbehaviour\n");
+ goto failed;
+ }
+ *msg = NULL;
+ *msg_offset = 0;
+ }
+
while (*sddl) {
uint32_t flags;
char c = sddl[0];
@@ -833,13 +857,13 @@ struct security_descriptor *sddl_decode(TALLOC_CTX *mem_ctx, const char *sddl,
switch (c) {
case 'D':
if (sd->dacl != NULL) goto failed;
- sd->dacl = sddl_decode_acl(sd, &sddl, &flags, &state);
+ sd->dacl = sddl_decode_acl(sd, &sddl, &flags, &state, msg, msg_offset);
if (sd->dacl == NULL) goto failed;
sd->type |= flags | SEC_DESC_DACL_PRESENT;
break;
case 'S':
if (sd->sacl != NULL) goto failed;
- sd->sacl = sddl_decode_acl(sd, &sddl, &flags, &state);
+ sd->sacl = sddl_decode_acl(sd, &sddl, &flags, &state, msg, msg_offset);
if (sd->sacl == NULL) goto failed;
/* this relies on the SEC_DESC_SACL_* flags being
1 bit shifted from the SEC_DESC_DACL_* flags */
@@ -859,15 +883,43 @@ struct security_descriptor *sddl_decode(TALLOC_CTX *mem_ctx, const char *sddl,
goto failed;
}
}
-
return sd;
-
failed:
+ if (msg != NULL) {
+ if (*msg != NULL) {
+ *msg = talloc_steal(mem_ctx, *msg);
+ }
+ /*
+ * The actual message (*msg) might still be NULL, but the
+ * offset at least provides a clue.
+ */
+ *msg_offset += sddl - start;
+ }
DEBUG(2,("Badly formatted SDDL '%s'\n", sddl));
talloc_free(sd);
return NULL;
}
+
+/*
+ decode a security descriptor in SDDL format
+*/
+struct security_descriptor *sddl_decode(TALLOC_CTX *mem_ctx, const char *sddl,
+ const struct dom_sid *domain_sid)
+{
+ const char *msg = NULL;
+ size_t msg_offset = 0;
+ struct security_descriptor *sd = sddl_decode_err_msg(mem_ctx, sddl, domain_sid,
+ &msg, &msg_offset);
+ DBG_NOTICE("could not decode '%s'\n", sddl);
+ if (msg != NULL) {
+ DBG_NOTICE(" %*c\n", (int)msg_offset, '^');
+ DBG_NOTICE("error '%s'\n", msg);
+ talloc_free(discard_const(msg));
+ }
+ return sd;
+}
+
/*
turn a set of flags into a string
*/
diff --git a/libcli/security/sddl.h b/libcli/security/sddl.h
index 824b7032546..c4dc72d834d 100644
--- a/libcli/security/sddl.h
+++ b/libcli/security/sddl.h
@@ -25,6 +25,9 @@
struct security_descriptor *sddl_decode(TALLOC_CTX *mem_ctx, const char *sddl,
const struct dom_sid *domain_sid);
+struct security_descriptor *sddl_decode_err_msg(TALLOC_CTX *mem_ctx, const char *sddl,
+ const struct dom_sid *domain_sid,
+ const char **msg, size_t *msg_offset);
char *sddl_encode(TALLOC_CTX *mem_ctx, const struct security_descriptor *sd,
const struct dom_sid *domain_sid);
char *sddl_encode_ace(TALLOC_CTX *mem_ctx, const struct security_ace *ace,
diff --git a/libcli/security/sddl_conditional_ace.c b/libcli/security/sddl_conditional_ace.c
index 2f243bca6a6..2a86cd34e7f 100644
--- a/libcli/security/sddl_conditional_ace.c
+++ b/libcli/security/sddl_conditional_ace.c
@@ -1268,7 +1268,6 @@ static void comp_error(struct ace_condition_sddl_compiler_context *comp,
if (msg == NULL) {
goto fail;
}
- comp->message_offset = comp->offset;
if (comp->message == NULL) {
/*
@@ -1276,13 +1275,8 @@ static void comp_error(struct ace_condition_sddl_compiler_context *comp,
*
* This is the common case.
*/
- comp->message = talloc_asprintf(comp->mem_ctx,
- "%"PRIu32": %s",
- comp->offset, msg);
- TALLOC_FREE(msg);
- if (comp->message == NULL) {
- goto fail;
- }
+ comp->message_offset = comp->offset;
+ comp->message = msg;
return;
}
/*
@@ -1290,8 +1284,8 @@ static void comp_error(struct ace_condition_sddl_compiler_context *comp,
* This is unlikely to happen.
*/
comp->message = talloc_asprintf(comp->mem_ctx,
- "%s AND THEN %"PRIu32": %s",
- comp->message, comp->offset,
+ "%s AND THEN %s",
+ comp->message,
msg);
TALLOC_FREE(msg);
if (comp->message == NULL) {
@@ -1299,7 +1293,8 @@ static void comp_error(struct ace_condition_sddl_compiler_context *comp,
}
return;
fail:
- comp->message = "failed to set error message";
+ comp->message = talloc_strdup(comp->mem_ctx,
+ "failed to set error message");
}
@@ -2736,8 +2731,7 @@ struct ace_condition_script * ace_conditions_compile_sddl(
bool ok;
struct ace_condition_sddl_compiler_context comp = {};
- /* just in case, a message for the next few tallocs */
- *message = "allocation error";
+ *message = NULL;
*message_offset = 0;
ok = init_compiler_context(mem_ctx,
diff --git a/libcli/security/secace.h b/libcli/security/secace.h
index 8f1a5581d39..879c711e485 100644
--- a/libcli/security/secace.h
+++ b/libcli/security/secace.h
@@ -22,9 +22,10 @@
#define _ACE_H_
#include "librpc/gen_ndr/security.h"
+#include "librpc/ndr/libndr.h"
bool sec_ace_object(uint8_t type);
-size_t ndr_subcontext_size_of_ace_coda(const struct security_ace *ace, size_t ace_size, int flags);
+size_t ndr_subcontext_size_of_ace_coda(const struct security_ace *ace, size_t ace_size, libndr_flags flags);
bool sec_ace_callback(uint8_t type);
bool sec_ace_resource(uint8_t type);
bool sec_ace_has_extra_blob(uint8_t type);
diff --git a/libcli/security/util_sid.c b/libcli/security/util_sid.c
index 7c20836314f..54a2fc35fda 100644
--- a/libcli/security/util_sid.c
+++ b/libcli/security/util_sid.c
@@ -383,12 +383,11 @@ NTSTATUS add_sid_to_array(TALLOC_CTX *mem_ctx, const struct dom_sid *sid,
NTSTATUS add_sid_to_array_unique(TALLOC_CTX *mem_ctx, const struct dom_sid *sid,
struct dom_sid **sids, uint32_t *num_sids)
{
- uint32_t i;
+ bool contains;
- for (i=0; i<(*num_sids); i++) {
- if (dom_sid_equal(sid, &(*sids)[i])) {
- return NT_STATUS_OK;
- }
+ contains = sids_contains_sid(*sids, *num_sids, sid);
+ if (contains) {
+ return NT_STATUS_OK;
}
return add_sid_to_array(mem_ctx, sid, sids, num_sids);
@@ -437,23 +436,17 @@ NTSTATUS add_sid_to_array_attrs(TALLOC_CTX *mem_ctx,
* @param [in] sid The SID to append.
* @param [in] attrs SE_GROUP_* flags to go with the SID.
* @param [inout] sids A pointer to the auth_SidAttr array.
- * @param [inout] num A pointer to the size of the auth_SidArray array.
+ * @param [inout] num_sids A pointer to the size of the auth_SidArray array.
* @returns NT_STATUS_OK on success.
*/
NTSTATUS add_sid_to_array_attrs_unique(TALLOC_CTX *mem_ctx,
const struct dom_sid *sid, uint32_t attrs,
struct auth_SidAttr **sids, uint32_t *num_sids)
{
- uint32_t i;
-
- for (i=0; i<(*num_sids); i++) {
- if (attrs != (*sids)[i].attrs) {
- continue;
- }
- if (!dom_sid_equal(sid, &(*sids)[i].sid)) {
- continue;
- }
+ bool contains;
+ contains = sids_contains_sid_attrs(*sids, *num_sids, sid, attrs);
+ if (contains) {
return NT_STATUS_OK;
}
@@ -487,8 +480,6 @@ void del_sid_from_array(const struct dom_sid *sid, struct dom_sid **sids,
for ( ; i<*num; i++ ) {
sid_copy( &sid_list[i], &sid_list[i+1] );
}
-
- return;
}
bool add_rid_to_array_unique(TALLOC_CTX *mem_ctx,
@@ -519,6 +510,80 @@ bool is_null_sid(const struct dom_sid *sid)
return dom_sid_equal(sid, &null_sid);
}
+/**
+ * Return true if an array of SIDs contains a certain SID.
--
Samba Shared Repository
More information about the samba-cvs
mailing list