[SCM] Samba Shared Repository - branch master updated

Joseph Sutton jsutton at samba.org
Sun Oct 1 23:47:01 UTC 2023


The branch, master has been updated
       via  7b6c17359ba tests/krb5: Test that the correct Asserted Identity SID is added when inner FX‐FAST padata is used
       via  77b35c423ee s4:kdc: Make use of ‘samba_kdc_entry_pac’ wrapper type
       via  bad7a3fcead s4:kdc: Add function to get device PAC entry from Heimdal request structure
       via  79b33eeaccb s4:kdc: Add function to determine whether a KDC entry represents a trust
       via  1ea4b271628 s4:kdc: Fix indentation
       via  45e8e197198 s4:kdc: Remove unused declaration
       via  1c456912a13 s4:kdc: Add ‘samba_kdc_entry_pac’ wrapper type
       via  0633e78b57e third_party/heimdal_build: Define HAVE_KRB5_PAC_IS_TRUSTED when using embedded Heimdal
       via  46c08652f81 tests/krb5: Add Device Restriction tests for silos and authentication policies in the KDC
       via  321e0ed675b s4:kdc: Remove unused parameters from samba_kdc_verify_pac()
       via  3358b04a589 s4:kdc: Remove device PAC validation
       via  989fb009852 tests/krb5: Add tests performing AS‐REQs armored with unacceptable tickets
       via  849ee959845 tests/krb5: Add method to perform an armored AS‐REQ
       via  eba1ab0c840 tests/krb5: Initialize variable
       via  68dc69d86f1 s4:kdc: Remove ‘asserted_identity’ parameter from samba_kdc_get_user_info_dc()
       via  3c480886ade s4:kdc: Have callers of samba_kdc_get_user_info_dc() themselves add an Asserted Identity SID
       via  f250a24e922 s4:kdc: Remove ‘claims_valid’ parameter from samba_kdc_get_user_info_dc()
       via  cfeb3d75cb3 s4:kdc: Have callers of samba_kdc_get_user_info_dc() themselves add the Claims Valid SID
       via  e0a3dd54992 s4:kdc: Remove ‘compounded_auth’ parameter from samba_kdc_get_user_info_dc()
       via  41527cfaf93 s4:kdc: Remove unused memory context from samba_kdc_lookup_realm()
       via  2f9d2ff8952 s4:kdc: Add parameters for claims and device info to authn_policy_authenticate_to_service()
       via  3ae75998307 s4:kdc: Add claims parameter to authn_policy_authenticate_from_device()
       via  54cd7f4f804 s4:kdc: Add parameters for claims and device info to authn_policy_access_check()
       via  8a5921d9747 s4:auth: Add parameters for claims and device info to auth_generate_security_token()
       via  a3a489fa537 s4:kdc: Reformat function call
       via  a2b6c2199fd s4:auth: Reformat function calls
       via  4f0ba2b0bf2 s4:auth: Rename parameter to match function implementation
       via  a621e9ab991 s4:dsdb: Add session info flag to indicate authentication with a device
       via  c829dd1ba84 s4:dsdb: Add parameters for claims and device SIDs to security_token_create()
       via  773c36baa0d pidl: Parenthesize expression to be cast
       via  26e40717aa0 ndr: Parenthesize expressions to be cast
       via  c45a24cc417 s4:kdc: Initialize pointer to NULL
       via  7587532292c s4:kdc: Remove unnecessary assignments
       via  af22a6552df s4:kdc: Check that principal being copied is not NULL
       via  452aeb218d9 s4:kdc: Prefer explicit initialization to ZERO_STRUCTP()
       via  fff9b71b847 .gitattributes: Mark large data file as binary
       via  da202eb2092 lib:krb5_wrap: Include missing headers
       via  d30a6124101 s4:auth: Ensure that some parameters are not NULL
       via  bbb259e1d06 libcli/security: Handle new ACE types with sec_ace_object()
       via  4437eb149e3 libcli/security: Have security_ace_equal() handle callback and resource ACEs
       via  e4d45d4103f libcli/security: Parenthesize macro parameter
       via  9ecd17c84b0 libcli/security: Conform to Samba’s brace style
       via  bc680b6f4a0 s4:torture: Fix building with FORTIFY_SOURCE=2
       via  c2f55b061f8 s4:ntvfs: Fix building with FORTIFY_SOURCE=2
       via  c3eaa285d81 s3:smbd: Fix building with FORTIFY_SOURCE=2
       via  b33a486e657 s3:rpc_server: Fix building with FORTIFY_SOURCE=2
       via  10726fb347a s3:libads: Fix building with FORTIFY_SOURCE=2
       via  184a48d6577 s3:libads: Don’t do first loop iteration if ‘attr’ is NULL
       via  1f92b5f1501 lib/util: Fix building with FORTIFY_SOURCE=2
       via  a77b90d8085 ldb: Fix building with FORTIFY_SOURCE=2
       via  50c208fc536 lib/ldb-samba: Fix building with FORTIFY_SOURCE=2
       via  e961783add9 lib:compression: Fix building with FORTIFY_SOURCE=2
      from  90ba53eee4a samba-tool: Fix for gpo restore not working without --tmpdir

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 7b6c17359ba4f264e4f84e5495c79c62a3e9bb89
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Sep 28 12:47:49 2023 +1300

    tests/krb5: Test that the correct Asserted Identity SID is added when inner FX‐FAST padata is used
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15477
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User(master): Joseph Sutton <jsutton at samba.org>
    Autobuild-Date(master): Sun Oct  1 23:46:44 UTC 2023 on atb-devel-224

commit 77b35c423eef521dcebc617e59fdbe5031f6808c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Sep 28 11:43:57 2023 +1300

    s4:kdc: Make use of ‘samba_kdc_entry_pac’ wrapper type
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit bad7a3fceadc8004cc73ee93a61be8cef4a42b59
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Sep 29 13:53:24 2023 +1300

    s4:kdc: Add function to get device PAC entry from Heimdal request structure
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 79b33eeaccb2f352924ad1f96483f87bb01c14b6
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Sep 29 20:11:52 2023 +1300

    s4:kdc: Add function to determine whether a KDC entry represents a trust
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 1ea4b271628acd51002a64d55931f0e78df37433
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Sep 29 15:42:52 2023 +1300

    s4:kdc: Fix indentation
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 45e8e197198a37488ee188a79e7c70ec964baa1a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Sep 29 12:08:54 2023 +1300

    s4:kdc: Remove unused declaration
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 1c456912a13835c29e810379dfc36e2773baf895
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Sep 27 13:15:15 2023 +1300

    s4:kdc: Add ‘samba_kdc_entry_pac’ wrapper type
    
    With embedded Heimdal, we can mark a PAC as being trusted (i.e. not
    issued by an RODC). This is convenient, as it saves us needing to carry
    that information in flags, hoping it isn’t inadvertently lost.
    
    System Heimdal and MIT Kerberos, however, don’t provide a way to mark a
    PAC trusted. So we add a new wrapper type, ‘samba_kdc_entry_pac’, that
    contains this extra information if ‘krb5_const_pac’ doesn’t contain it
    already. As it also stores a pointer to the client entry, the
    structure’s lifetime must therefore be carefully managed. Finally, it
    keeps track of whether the PAC came across a trust, to know which is
    useful in some circumstances.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 0633e78b57e538cd6dedca885b1f92043bdbcc2e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Sep 27 13:14:09 2023 +1300

    third_party/heimdal_build: Define HAVE_KRB5_PAC_IS_TRUSTED when using embedded Heimdal
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 46c08652f8165ce384865dcbaa035aa291f1e11e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue May 2 15:42:24 2023 +1200

    tests/krb5: Add Device Restriction tests for silos and authentication policies in the KDC
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 321e0ed675b4bf11319518f0c6f70ba87d987e7a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Sep 29 13:50:51 2023 +1300

    s4:kdc: Remove unused parameters from samba_kdc_verify_pac()
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 3358b04a589df64cb44a76c9254bf31ff7f96b2f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Sep 29 12:44:08 2023 +1300

    s4:kdc: Remove device PAC validation
    
    In the first place, this check was only applicable to the Heimdal KDC,
    the MIT KDC not having support for compounded authentication. Secondly,
    it was redundant, because _kdc_fast_check_armor_pac() would have already
    been called to verify the armor ticket; a second round of validation
    achieved nothing. And finally, the check was flawed: it checked only
    *explicitly* armored PACs, and so would have done nothing for an armored
    *AS‐REQ*.
    
    In short, this check was useless; remove it.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 989fb009852e8b80691f71fd784c93bb29a58465
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Sep 29 13:21:01 2023 +1300

    tests/krb5: Add tests performing AS‐REQs armored with unacceptable tickets
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 849ee959845832b206ae315ab5911c623ea61148
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Sep 29 13:13:01 2023 +1300

    tests/krb5: Add method to perform an armored AS‐REQ
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit eba1ab0c84099361cb4c0a7d3879535a689c45bb
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Sep 29 13:27:39 2023 +1300

    tests/krb5: Initialize variable
    
    This avoids the following exception:
    
    Exception: Traceback (most recent call last):
      File "/samba/bin/python/samba/tests/krb5/kdc_tgs_tests.py", line 2500, in test_renew_pac_request_false
        tgt = self._modify_tgt(tgt, renewable=True)
      File "samba/bin/python/samba/tests/krb5/kdc_tgs_tests.py", line 3014, in _modify_tgt
        return self.modified_ticket(
      File "/samba/bin/python/samba/tests/krb5/raw_testcase.py", line 5694, in modified_ticket
        auth_data, new_pac,
    UnboundLocalError: local variable 'new_pac' referenced before assignment
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 68dc69d86f16f73a55647e54c4d59f5cdf9c9494
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Sep 27 16:52:59 2023 +1300

    s4:kdc: Remove ‘asserted_identity’ parameter from samba_kdc_get_user_info_dc()
    
    It was not used.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 3c480886ade3cc58123e6d635e8af35ca11e769b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Sep 27 16:38:23 2023 +1300

    s4:kdc: Have callers of samba_kdc_get_user_info_dc() themselves add an Asserted Identity SID
    
    samba_kdc_get_user_info_dc() does too much. It should be responsible
    only for getting account information, not for adding extra SIDs.
    
    By extracting the call to samba_kdc_add_asserted_identity() into the
    former function’s callers, we’ll be able to remove the
    ‘asserted_identity’ parameter in the next commit, reducing the
    function’s complexity.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit f250a24e922a4db019208bce2c5025f5577fb688
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Sep 27 16:18:56 2023 +1300

    s4:kdc: Remove ‘claims_valid’ parameter from samba_kdc_get_user_info_dc()
    
    It was not used.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit cfeb3d75cb39966b5809dc9eea91385a4a5788e0
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Sep 27 16:23:33 2023 +1300

    s4:kdc: Have callers of samba_kdc_get_user_info_dc() themselves add the Claims Valid SID
    
    samba_kdc_get_user_info_dc() does too much. It should be responsible
    only for getting account information, not for adding extra SIDs.
    
    By extracting the call to samba_kdc_add_claims_valid() into the former
    function’s callers, we’ll be able to remove the ‘claims_valid’ parameter
    in the next commit, reducing the function’s complexity.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit e0a3dd54992003c7cf07338d11f59728b425ebaa
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Sep 27 16:12:50 2023 +1300

    s4:kdc: Remove ‘compounded_auth’ parameter from samba_kdc_get_user_info_dc()
    
    It was never used.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 41527cfaf93dccada60e534519efee959037da79
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Sep 27 15:58:55 2023 +1300

    s4:kdc: Remove unused memory context from samba_kdc_lookup_realm()
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 2f9d2ff89528b96a9e27061ffe3871d0dc18c241
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Sep 27 15:49:59 2023 +1300

    s4:kdc: Add parameters for claims and device info to authn_policy_authenticate_to_service()
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 3ae75998307583b4b477021e455a7f2b16cda2fc
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Sep 27 15:47:06 2023 +1300

    s4:kdc: Add claims parameter to authn_policy_authenticate_from_device()
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 54cd7f4f804ee82e4970eae65fecd0cd2481512c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Sep 27 15:44:56 2023 +1300

    s4:kdc: Add parameters for claims and device info to authn_policy_access_check()
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 8a5921d9747929a306b41fbfbe2d860da9d8a164
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Sep 27 15:16:21 2023 +1300

    s4:auth: Add parameters for claims and device info to auth_generate_security_token()
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit a3a489fa5370b6879af22d0f20f193cc1814f347
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Sep 27 15:20:04 2023 +1300

    s4:kdc: Reformat function call
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit a2b6c2199fd097debbe249f832f9a2b6f8636422
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Sep 27 15:11:20 2023 +1300

    s4:auth: Reformat function calls
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 4f0ba2b0bf2d30790a0de7c41989d67a6b2341c5
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Sep 27 15:08:26 2023 +1300

    s4:auth: Rename parameter to match function implementation
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit a621e9ab991144adf1f2d1ef2d0d266cad5f8bbd
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Sep 27 14:54:06 2023 +1300

    s4:dsdb: Add session info flag to indicate authentication with a device
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit c829dd1ba842ecf6196d5645f3f8161a41054f2f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Sep 27 14:51:36 2023 +1300

    s4:dsdb: Add parameters for claims and device SIDs to security_token_create()
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 773c36baa0ded91a75a046f6766acc3a8e45221c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue May 11 10:27:33 2021 +1200

    pidl: Parenthesize expression to be cast
    
    We must parenthesize each expression that is to be cast to a specific
    type, otherwise the cast will apply to only part of the full expression.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=9914
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 26e40717aa02106bd9a9b86157ba4cc25bfa98b7
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue May 4 14:09:44 2021 +1200

    ndr: Parenthesize expressions to be cast
    
    We must parenthesize each expression that is to be cast to a specific
    type, otherwise the cast will apply to only part of the full expression.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=9914
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit c45a24cc41737561bb5da263f7a1240076bf44e9
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Sep 27 14:10:44 2023 +1300

    s4:kdc: Initialize pointer to NULL
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 7587532292cd1fc732da3cb9fdda4d327b0c3259
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Sep 27 14:00:07 2023 +1300

    s4:kdc: Remove unnecessary assignments
    
    These structures have been zero‐initialized already.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit af22a6552dfb1058ce34f3056bf90131f5ff8fe5
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Sep 27 13:59:32 2023 +1300

    s4:kdc: Check that principal being copied is not NULL
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 452aeb218d990c8eab2d876d22fedc92e13dfeee
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Sep 27 13:58:31 2023 +1300

    s4:kdc: Prefer explicit initialization to ZERO_STRUCTP()
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit fff9b71b847ac0fa9cedf6fbea1980a23ca6a332
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Sep 27 13:38:36 2023 +1300

    .gitattributes: Mark large data file as binary
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit da202eb209226a05b0f0cd21998cfe254be4fd01
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Sep 27 13:13:39 2023 +1300

    lib:krb5_wrap: Include missing headers
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit d30a6124101b5e79a496a6f6cc0a7f959fa2b5e1
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Sep 26 13:34:56 2023 +1300

    s4:auth: Ensure that some parameters are not NULL
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit bbb259e1d0685a4db6bb88b0f1aef16144502551
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Jul 31 10:55:42 2023 +1200

    libcli/security: Handle new ACE types with sec_ace_object()
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 4437eb149e3319b51084141b51c19dca26538891
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Jul 31 10:52:32 2023 +1200

    libcli/security: Have security_ace_equal() handle callback and resource ACEs
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit e4d45d4103f6df6d638b06bd95bff4b9f5295d4a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Jul 19 12:28:11 2023 +1200

    libcli/security: Parenthesize macro parameter
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 9ecd17c84b03087a10ff7653cc0dfcc52c26584d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Jul 19 12:15:15 2023 +1200

    libcli/security: Conform to Samba’s brace style
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit bc680b6f4a0c160bc65b1c2955477e292f05d90b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Sep 28 16:51:38 2023 +1300

    s4:torture: Fix building with FORTIFY_SOURCE=2
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit c2f55b061f85ed7588ef93bdd2d80c5be996f028
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Sep 28 16:50:29 2023 +1300

    s4:ntvfs: Fix building with FORTIFY_SOURCE=2
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit c3eaa285d81df401489795e712ac3c69656ef8cd
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Sep 28 16:49:56 2023 +1300

    s3:smbd: Fix building with FORTIFY_SOURCE=2
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit b33a486e657ee3d07f274748098d1250cfc6f048
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Sep 28 16:49:07 2023 +1300

    s3:rpc_server: Fix building with FORTIFY_SOURCE=2
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 10726fb347a0aeb463f050303c524d79fa708c7a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Sep 28 16:39:47 2023 +1300

    s3:libads: Fix building with FORTIFY_SOURCE=2
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 184a48d65772f359bd81f83256daada8c9e500b3
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Sep 28 16:45:19 2023 +1300

    s3:libads: Don’t do first loop iteration if ‘attr’ is NULL
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 1f92b5f1501d59b6c186ac1446693c97a24c3db6
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Sep 28 16:39:07 2023 +1300

    lib/util: Fix building with FORTIFY_SOURCE=2
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit a77b90d80851956d4b99f81940e13e7dd34167fc
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Sep 28 16:36:07 2023 +1300

    ldb: Fix building with FORTIFY_SOURCE=2
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 50c208fc5367190dda2c27a5447caecd9e7bf829
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Sep 28 16:32:29 2023 +1300

    lib/ldb-samba: Fix building with FORTIFY_SOURCE=2
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit e961783add974c3bc4a0fc89e5db32b3ce39ff55
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Dec 15 16:04:51 2022 +1300

    lib:compression: Fix building with FORTIFY_SOURCE=2
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 .gitattributes                                   |   1 +
 auth/common_auth.h                               |   1 +
 lib/compression/lzxpress_huffman.c               |   2 +-
 lib/krb5_wrap/krb5_samba.h                       |   3 +
 lib/ldb-samba/ldb_ildap.c                        |   1 +
 lib/ldb/tools/ldbmodify.c                        |   3 +
 lib/util/debug.c                                 |   2 +-
 libcli/security/conditional_ace.c                |   3 +-
 libcli/security/conditional_ace.h                |   8 +-
 libcli/security/security_descriptor.c            | 140 +++--
 pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm         |   8 +-
 python/samba/tests/krb5/authn_policy_tests.py    |  60 +++
 python/samba/tests/krb5/conditional_ace_tests.py | 625 +++++++++++++++++++++++
 python/samba/tests/krb5/kdc_tgs_tests.py         | 150 ++++++
 python/samba/tests/krb5/raw_testcase.py          |   4 +-
 selftest/knownfail_heimdal_kdc                   |   6 +
 selftest/knownfail_mit_kdc                       |  20 +
 source3/libads/ldap.c                            |   8 +-
 source3/rpc_server/mdssvc/es_mapping.c           |   2 +-
 source3/smbd/smb2_server.c                       |   2 +-
 source4/auth/ntlm/auth.c                         |   9 +-
 source4/auth/ntlm/auth_sam.c                     |   3 +
 source4/auth/sam.c                               |  12 +
 source4/auth/session.c                           |  22 +-
 source4/auth/session.h                           |   4 +-
 source4/auth/system_session.c                    |  31 +-
 source4/dsdb/samdb/samdb.c                       |  80 ++-
 source4/dsdb/samdb/samdb.h                       |   1 +
 source4/kdc/authn_policy_util.c                  |  36 +-
 source4/kdc/authn_policy_util.h                  |   9 +
 source4/kdc/db-glue.c                            |   5 +-
 source4/kdc/hdb-samba4.c                         |   2 +-
 source4/kdc/kdc-glue.c                           |  24 +
 source4/kdc/kdc-glue.h                           |  13 +-
 source4/kdc/mit_samba.c                          |  49 +-
 source4/kdc/pac-glue.c                           | 309 +++++------
 source4/kdc/pac-glue.h                           |  58 ++-
 source4/kdc/sdb_to_hdb.c                         |  43 +-
 source4/kdc/wdc-samba4.c                         | 129 ++---
 source4/ntvfs/common/brlock_tdb.c                |   2 +-
 source4/torture/rpc/clusapi.c                    |   4 +-
 third_party/heimdal_build/wscript_configure      |   1 +
 42 files changed, 1519 insertions(+), 376 deletions(-)


Changeset truncated at 500 lines:

diff --git a/.gitattributes b/.gitattributes
index 9530d88a70e..1fda7c1af77 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -1,5 +1,6 @@
 *.dump binary
 *.SAMBABACKUP binary
+libcli/security/tests/data/conditional_aces.txt.json binary
 testdata/compression/compressed-huffman/** binary
 testdata/compression/compressed-more-huffman/** binary
 testdata/compression/compressed-more-plain/** binary
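Review bot: the new entry names a single file, `libcli/security/tests/data/conditional_aces.txt.json`, where the surrounding entries are patterns. Marking a JSON text file as binary also means later changes to it show up in patches only as "Binary files differ", so edits to this test data can no longer be reviewed in the diff. If the aim is only to keep a large file out of diff output, a `-diff` attribute would do that without reclassifying the file; either way the commit message should say which effect is wanted.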
diff --git a/auth/common_auth.h b/auth/common_auth.h
index 24b7b14f51a..58fb2cd0b3d 100644
--- a/auth/common_auth.h
+++ b/auth/common_auth.h
@@ -40,6 +40,7 @@ enum auth_password_state {
 #define AUTH_SESSION_INFO_SIMPLE_PRIVILEGES  0x04 /* Use a trivial map between users and privileges, rather than a DB */
 #define AUTH_SESSION_INFO_UNIX_TOKEN         0x08 /* The returned token must have the unix_token and unix_info elements provided */
 #define AUTH_SESSION_INFO_NTLM               0x10 /* The returned token must have authenticated-with-NTLM flag set */
+#define AUTH_SESSION_INFO_FORCE_COMPOUNDED_AUTHENTICATION  0x20 /* The user authenticated with a device. */
 
 struct auth_usersupplied_info
 {
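Review bot: the comment on `AUTH_SESSION_INFO_FORCE_COMPOUNDED_AUTHENTICATION` ("The user authenticated with a device.") states a fact about the user, while the name says FORCE and the comments on the UNIX_TOKEN and NTLM lines above it state what the returned token must have. Reword the comment in that same form so a caller can tell what setting 0x20 requires of the token. The new line also breaks the column alignment of the values above it.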
diff --git a/lib/compression/lzxpress_huffman.c b/lib/compression/lzxpress_huffman.c
index 30744332e6e..c5da4af0d85 100644
--- a/lib/compression/lzxpress_huffman.c
+++ b/lib/compression/lzxpress_huffman.c
@@ -1514,7 +1514,7 @@ static bool fill_decomp_table(struct bitstream *input)
 	uint16_t sort_mem[512];
 	size_t i, n_symbols;
 	ssize_t code;
-	uint16_t len, prev_len;
+	uint16_t len = 0, prev_len;
 	const uint8_t *table_bytes = input->bytes + input->byte_pos;
 
 	if (input->byte_pos + 260 > input->byte_size) {
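Review bot: only `len` gets an initialiser in `uint16_t len = 0, prev_len;`; `prev_len` on the same line is still uninitialised. Splitting the declaration in fill_decomp_table() into two lines would make that difference visible, and the commit message should name the diagnostic that FORTIFY_SOURCE=2 raised, so a later reader can tell whether 0 is a meaningful starting length or only a placeholder to quiet the compiler.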
diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h
index 82f66f51815..7b9d8fd145c 100644
--- a/lib/krb5_wrap/krb5_samba.h
+++ b/lib/krb5_wrap/krb5_samba.h
@@ -23,6 +23,9 @@
 #ifndef _KRB5_SAMBA_H
 #define _KRB5_SAMBA_H
 
+#include "lib/util/data_blob.h"
+#include "libcli/util/ntstatus.h"
+
 #ifdef HAVE_KRB5
 
 #define KRB5_PRIVATE    1       /* this file uses PRIVATE interfaces! */
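Review bot: the two new includes sit above `#ifdef HAVE_KRB5`, so `lib/util/data_blob.h` and `libcli/util/ntstatus.h` are pulled in for every includer of krb5_samba.h, including builds without Kerberos. If the types they provide are used only by declarations inside the guard, the includes belong inside it; if something outside the guard needs them, the commit message ("Include missing headers") should say which declarations were missing them.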
diff --git a/lib/ldb-samba/ldb_ildap.c b/lib/ldb-samba/ldb_ildap.c
index c3d872ebaa1..37ef185fbbf 100644
--- a/lib/ldb-samba/ldb_ildap.c
+++ b/lib/ldb-samba/ldb_ildap.c
@@ -291,6 +291,7 @@ static void ildb_callback(struct ldap_request *req)
 
 	case LDAP_TAG_SearchRequest:
 		/* loop over all messages */
+		ret = LDB_SUCCESS;
 		for (i = 0; i < req->num_replies; i++) {
 
 			msg = req->replies[i];
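Review bot: with `ret = LDB_SUCCESS;` placed before the `for` loop in the LDAP_TAG_SearchRequest case, a request with `req->num_replies == 0` now leaves the loop reporting success. If that is the intended result for an empty reply set, a short comment saying so would help; if an empty set should be treated as an error, the default should be an error code that the loop body overwrites.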
diff --git a/lib/ldb/tools/ldbmodify.c b/lib/ldb/tools/ldbmodify.c
index 73df41787e2..2eb8bcc3002 100644
--- a/lib/ldb/tools/ldbmodify.c
+++ b/lib/ldb/tools/ldbmodify.c
@@ -102,6 +102,9 @@ static int process_file(struct ldb_context *ldb, FILE *f, unsigned int *count)
 				}
 			}
 			break;
+		default:
+			ret = LDB_ERR_PROTOCOL_ERROR;
+			break;
 		}
 		if (ret != LDB_SUCCESS) {
 			if (errstr == NULL) {
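Review bot: the new `default:` branch in process_file() sets `ret = LDB_ERR_PROTOCOL_ERROR` but leaves `errstr` untouched, so the error is reported through the `if (errstr == NULL)` path that follows the switch, with nothing identifying the unhandled case. Setting a message in the `default:` branch that names the unexpected switch value would make the failure diagnosable from the tool's output.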
diff --git a/lib/util/debug.c b/lib/util/debug.c
index 0e13fa564e3..6872f2dfe46 100644
--- a/lib/util/debug.c
+++ b/lib/util/debug.c
@@ -1291,7 +1291,7 @@ bool reopen_logs_internal(void)
 	struct debug_backend *b = NULL;
 	mode_t oldumask;
 	size_t i;
-	bool ok;
+	bool ok = true;
 
 	if (state.reopening_logs) {
 		return true;
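Review bot: `bool ok = true;` in reopen_logs_internal() makes success the default, so any path that reads `ok` without first assigning it now reports success instead of triggering a compiler warning. Initialising to `false`, or assigning `ok` explicitly on the path the compiler flagged, would fix the build without changing what an unassigned path reports.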
diff --git a/libcli/security/conditional_ace.c b/libcli/security/conditional_ace.c
index 2f15b873dd3..a84060ce698 100644
--- a/libcli/security/conditional_ace.c
+++ b/libcli/security/conditional_ace.c
@@ -1750,7 +1750,8 @@ static bool composite_relational_operator(const struct ace_condition_token *op,
 
 	/* negate the NOTs */
 	if (op->type == CONDITIONAL_ACE_TOKEN_NOT_CONTAINS ||
-	    op->type == CONDITIONAL_ACE_TOKEN_NOT_ANY_OF) {
+	    op->type == CONDITIONAL_ACE_TOKEN_NOT_ANY_OF)
+	{
 		answer = !answer;
 	}
 
diff --git a/libcli/security/conditional_ace.h b/libcli/security/conditional_ace.h
index b66fa188800..ea6c3592f53 100644
--- a/libcli/security/conditional_ace.h
+++ b/libcli/security/conditional_ace.h
@@ -67,10 +67,10 @@ char *sddl_from_conditional_ace(TALLOC_CTX *mem_ctx,
 
 #define IS_LITERAL_TOKEN(x)						\
 	((IS_INT_TOKEN(x) ||						\
-	  (x->type) == CONDITIONAL_ACE_TOKEN_UNICODE ||		\
-	  (x->type) == CONDITIONAL_ACE_TOKEN_OCTET_STRING ||		\
-	  (x->type) == CONDITIONAL_ACE_TOKEN_SID ||			\
-	  (x->type) == CONDITIONAL_ACE_TOKEN_COMPOSITE) &&		\
+	  ((x)->type) == CONDITIONAL_ACE_TOKEN_UNICODE ||		\
+	  ((x)->type) == CONDITIONAL_ACE_TOKEN_OCTET_STRING ||		\
+	  ((x)->type) == CONDITIONAL_ACE_TOKEN_SID ||			\
+	  ((x)->type) == CONDITIONAL_ACE_TOKEN_COMPOSITE) &&		\
 	 (! IS_DERIVED_TOKEN(x)))
 
 struct CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 *parse_sddl_literal_as_claim(
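Review bot: IS_LITERAL_TOKEN still expands x six times (IS_INT_TOKEN(x), the four type comparisons, IS_DERIVED_TOKEN(x)), so even with the "((x)->type)" fix an argument with side effects is evaluated repeatedly. A static inline bool helper would remove both the precedence and the multiple-evaluation problem. Failing that, check that IS_INT_TOKEN and IS_DERIVED_TOKEN parenthesise their argument the same way, since their definitions are not part of this hunk.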
diff --git a/libcli/security/security_descriptor.c b/libcli/security/security_descriptor.c
index ba7445832cd..9b9f16c6d2e 100644
--- a/libcli/security/security_descriptor.c
+++ b/libcli/security/security_descriptor.c
@@ -312,15 +312,8 @@ static NTSTATUS security_descriptor_acl_add(struct security_descriptor *sd,
 	ARRAY_INSERT_ELEMENT(acl->aces, acl->num_aces, *ace, idx);
 	acl->num_aces++;
 
-	switch (acl->aces[idx].type) {
-	case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
-	case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
-	case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT:
-	case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT:
+	if (sec_ace_object(acl->aces[idx].type)) {
 		acl->revision = SECURITY_ACL_REVISION_ADS;
-		break;
-	default:
-		break;
 	}
 
 	if (add_to_sacl) {
@@ -425,15 +418,9 @@ static NTSTATUS security_descriptor_acl_del(struct security_descriptor *sd,
 	acl->revision = SECURITY_ACL_REVISION_NT4;
 
 	for (i=0;i<acl->num_aces;i++) {
-		switch (acl->aces[i].type) {
-		case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
-		case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
-		case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT:
-		case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT:
+		if (sec_ace_object(acl->aces[i].type)) {
 			acl->revision = SECURITY_ACL_REVISION_ADS;
-			return NT_STATUS_OK;
-		default:
-			break; /* only for the switch statement */
+			break;
 		}
 	}
 
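Review bot: Replacing "return NT_STATUS_OK;" with "break;" inside the loop of security_descriptor_acl_del() changes control flow, not just style: when an object ACE is found, execution now continues with whatever follows the loop instead of returning at once. Confirm that the code after the loop neither resets acl->revision nor returns a different status, and mention the change in the commit message. The same substitution is made in security_descriptor_acl_del_ace() in the next hunk.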
@@ -502,15 +489,9 @@ static NTSTATUS security_descriptor_acl_del_ace(struct security_descriptor *sd,
 	acl->revision = SECURITY_ACL_REVISION_NT4;
 
 	for (i=0;i<acl->num_aces;i++) {
-		switch (acl->aces[i].type) {
-		case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
-		case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
-		case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT:
-		case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT:
+		if (sec_ace_object(acl->aces[i].type)) {
 			acl->revision = SECURITY_ACL_REVISION_ADS;
-			return NT_STATUS_OK;
-		default:
-			break; /* only for the switch statement */
+			break;
 		}
 	}
 
@@ -554,6 +535,93 @@ static bool security_ace_object_equal(const struct security_ace_object *object1,
 	return true;
 }
 
+
+static bool security_ace_claim_equal(const struct CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 *claim1,
+				     const struct CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 *claim2)
+{
+	uint32_t i;
+
+	if (claim1 == claim2) {
+		return true;
+	}
+	if (claim1 == NULL || claim2 == NULL) {
+		return false;
+	}
+	if (claim1->name != NULL && claim2->name != NULL) {
+		if (strcasecmp_m(claim1->name, claim2->name) != 0) {
+			return false;
+		}
+	} else if (claim1->name != NULL || claim2->name != NULL) {
+		return false;
+	}
+	if (claim1->value_type != claim2->value_type) {
+		return false;
+	}
+	if (claim1->flags != claim2->flags) {
+		return false;
+	}
+	if (claim1->value_count != claim2->value_count) {
+		return false;
+	}
+	for (i = 0; i < claim1->value_count; ++i) {
+		const union claim_values *values1 = claim1->values;
+		const union claim_values *values2 = claim2->values;
+
+		switch (claim1->value_type) {
+		case CLAIM_SECURITY_ATTRIBUTE_TYPE_INT64:
+			if (values1[i].int_value != NULL && values2[i].int_value != NULL) {
+				if (*values1[i].int_value != *values2[i].int_value) {
+					return false;
+				}
+			} else if (values1[i].int_value != NULL || values2[i].int_value != NULL) {
+				return false;
+			}
+			break;
+		case CLAIM_SECURITY_ATTRIBUTE_TYPE_UINT64:
+		case CLAIM_SECURITY_ATTRIBUTE_TYPE_BOOLEAN:
+			if (values1[i].uint_value != NULL && values2[i].uint_value != NULL) {
+				if (*values1[i].uint_value != *values2[i].uint_value) {
+					return false;
+				}
+			} else if (values1[i].uint_value != NULL || values2[i].uint_value != NULL) {
+				return false;
+			}
+			break;
+		case CLAIM_SECURITY_ATTRIBUTE_TYPE_STRING:
+			if (values1[i].string_value != NULL && values2[i].string_value != NULL) {
+				if (strcasecmp_m(values1[i].string_value, values2[i].string_value) != 0) {
+					return false;
+				}
+			} else if (values1[i].string_value != NULL || values2[i].string_value != NULL) {
+				return false;
+			}
+			break;
+		case CLAIM_SECURITY_ATTRIBUTE_TYPE_SID:
+			if (values1[i].sid_value != NULL && values2[i].sid_value != NULL) {
+				if (data_blob_cmp(values1[i].sid_value, values2[i].sid_value) != 0) {
+					return false;
+				}
+			} else if (values1[i].sid_value != NULL || values2[i].sid_value != NULL) {
+				return false;
+			}
+			break;
+		case CLAIM_SECURITY_ATTRIBUTE_TYPE_OCTET_STRING:
+			if (values1[i].octet_value != NULL && values2[i].octet_value != NULL) {
+				if (data_blob_cmp(values1[i].octet_value, values2[i].octet_value) != 0) {
+					return false;
+				}
+			} else if (values1[i].octet_value != NULL || values2[i].octet_value != NULL) {
+				return false;
+			}
+			break;
+		default:
+			break;
+		}
+	}
+
+	return true;
+}
+
 /*
   compare two security ace structures
 */
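Review bot: The "default: break;" at the end of the switch on claim1->value_type in security_ace_claim_equal() makes two claims with an unrecognised value_type compare equal whatever their values hold, as long as name, flags and value_count match. For an equality check on security ACEs it is safer to fail closed and return false there. Separately, string values are always compared with strcasecmp_m(); claim1->flags is checked for equality but never consulted, so claims that are meant to be case-sensitive would compare equal when they differ only in case.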
@@ -575,18 +643,30 @@ bool security_ace_equal(const struct security_ace *ace1,
 	if (ace1->access_mask != ace2->access_mask) {
 		return false;
 	}
-	if ((ace1->type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT
-	     || ace1->type == SEC_ACE_TYPE_ACCESS_DENIED_OBJECT
-	     || ace1->type == SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT
-	     || ace1->type == SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT)
-	    && !security_ace_object_equal(&ace1->object.object,
-					  &ace2->object.object)) {
+	if (sec_ace_object(ace1->type) &&
+	    !security_ace_object_equal(&ace1->object.object,
+				       &ace2->object.object))
+	{
 		return false;
 	}
 	if (!dom_sid_equal(&ace1->trustee, &ace2->trustee)) {
 		return false;
 	}
 
+	if (sec_ace_callback(ace1->type)) {
+		if (data_blob_cmp(&ace1->coda.conditions, &ace2->coda.conditions) != 0) {
+			return false;
+		}
+	} else if (sec_ace_resource(ace1->type)) {
+		if (!security_ace_claim_equal(&ace1->coda.claim, &ace2->coda.claim)) {
+			return false;
+		}
+	} else {
+		/*
+		 * Don’t require ace1->coda.ignored to match ace2->coda.ignored.
+		 */
+	}
+
 	return true;
 }
 
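Review bot: The new coda comparison in security_ace_equal() picks the union member from ace1->type alone (sec_ace_callback(ace1->type), sec_ace_resource(ace1->type)), so it is only correct if ace1->type == ace2->type has already been established earlier in the function; that check is not visible in this hunk. If it is missing, ace2->coda is read as the wrong member. Worth confirming, or adding an explicit type comparison ahead of this block.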
diff --git a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm
index 1ec037628a7..a631bad3031 100644
--- a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm
+++ b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm
@@ -371,7 +371,7 @@ sub ParseArrayPullGetSize($$$$$$)
 		} else {
 			$self->pidl("if ($array_size < $low || $array_size > $high) {");
 		}
-		$self->pidl("\treturn ndr_pull_error($ndr, NDR_ERR_RANGE, \"value (%\"PRIu32\") out of range (%\"PRIu32\" - %\"PRIu32\")\", $array_size, (uint32_t)$low, (uint32_t)$high);");
+		$self->pidl("\treturn ndr_pull_error($ndr, NDR_ERR_RANGE, \"value (%\"PRIu32\") out of range (%\"PRIu32\" - %\"PRIu32\")\", $array_size, (uint32_t)($low), (uint32_t)($high));");
 
 		$self->pidl("}");
 	}
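Review bot: The range test on the context line above, "if ($array_size < $low || $array_size > $high) {", still interpolates $low and $high without parentheses, so a range expression containing a low-precedence operator would be cast correctly in the error message but compared incorrectly. Parenthesise the operands in the generated condition too; the same applies to the $array_length test in ParseArrayPullGetLength().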
@@ -411,7 +411,7 @@ sub ParseArrayPullGetLength($$$$$$;$)
 		} else {
 			$self->pidl("if ($array_length < $low || $array_length > $high) {");
 		}
-		$self->pidl("\treturn ndr_pull_error($ndr, NDR_ERR_RANGE, \"value (%\"PRIu32\") out of range (%\"PRIu32\" - %\"PRIu32\")\", $array_length, (uint32_t)$low, (uint32_t)$high);");
+		$self->pidl("\treturn ndr_pull_error($ndr, NDR_ERR_RANGE, \"value (%\"PRIu32\") out of range (%\"PRIu32\" - %\"PRIu32\")\", $array_length, (uint32_t)($low), (uint32_t)($high));");
 		$self->pidl("}");
 	}
 
@@ -926,7 +926,7 @@ sub ParseElementPrint($$$$$)
 			} else {
 				my $counter = "cntr_$e->{NAME}_$l->{LEVEL_INDEX}";
 
-				$self->pidl("$ndr->print($ndr, \"%s: ARRAY(%\"PRIu32\")\", \"$e->{NAME}\", (uint32_t)$length);");
+				$self->pidl("$ndr->print($ndr, \"%s: ARRAY(%\"PRIu32\")\", \"$e->{NAME}\", (uint32_t)($length));");
 				$self->pidl("$ndr->depth++;");
 				$self->pidl("for ($counter = 0; $counter < ($length); $counter++) {");
 				$self->indent;
@@ -1050,7 +1050,7 @@ sub ParseDataPull($$$$$$$)
 				}
 			}
 
-			$self->pidl("\treturn ndr_pull_error($ndr, NDR_ERR_RANGE, \"value (%$fmt) out of range (%$fmt - %$fmt)\", ($data_type)$var_name, ($data_type)$low, ($data_type)$high);");
+			$self->pidl("\treturn ndr_pull_error($ndr, NDR_ERR_RANGE, \"value (%$fmt) out of range (%$fmt - %$fmt)\", ($data_type)($var_name), ($data_type)($low), ($data_type)($high));");
 			$self->pidl("}");
 		}
 	} else {
diff --git a/python/samba/tests/krb5/authn_policy_tests.py b/python/samba/tests/krb5/authn_policy_tests.py
index adb8a9ae99a..8c5216ec7be 100755
--- a/python/samba/tests/krb5/authn_policy_tests.py
+++ b/python/samba/tests/krb5/authn_policy_tests.py
@@ -41,6 +41,7 @@ import samba.tests.krb5.kcrypto as kcrypto
 from samba.tests.krb5.kdc_base_test import GroupType
 from samba.tests.krb5.kdc_tgs_tests import KdcTgsBaseTests
 from samba.tests.auth_log_base import AuthLogTestBase, NoMessageException
+from samba.tests.krb5.raw_testcase import RawKerberosTest
 from samba.tests.krb5.rfc4120_constants import (
     FX_FAST_ARMOR_AP_REQUEST,
     KDC_ERR_BADOPTION,
@@ -49,9 +50,12 @@ from samba.tests.krb5.rfc4120_constants import (
     KDC_ERR_POLICY,
     NT_PRINCIPAL,
     NT_SRV_INST,
+    PADATA_FX_FAST,
 )
 import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1
 
+SidType = RawKerberosTest.SidType
+
 global_asn1_print = False
 global_hexdump = False
 
@@ -5068,6 +5072,62 @@ class AuthnPolicyTests(AuthnPolicyBaseTests):
         # appear in the logs.
         self.check_tgs_log(client_creds, target_creds, policy=None)
 
+    def test_authn_policy_allowed_to_user_allow_s4u2self_inner_fast(self):
+        """Test that the correct Asserted Identity SID is placed into the PAC
+        when an S4U2Self requests contains inner FX‐FAST padata."""
+        mach_creds = self.get_cached_creds(
+            account_type=self.AccountType.COMPUTER)
+        mach_tgt = self.get_tgt(mach_creds)
+
+        # Create a user account.
+        client_creds = self.get_cached_creds(
+            account_type=self.AccountType.USER)
+        client_cname = self.PrincipalName_create(
+            name_type=NT_PRINCIPAL,
+            names=[client_creds.get_username()])
+        client_realm = client_creds.get_realm()
+
+        # Create a target account.
+        target_creds = self.get_service_creds()
+        target_tgt = self.get_tgt(target_creds)
+
+        def generate_s4u2self_padata(_kdc_exchange_dict,
+                                     _callback_dict,
+                                     req_body):
+            s4u2self_padata = self.PA_S4U2Self_create(
+                name=client_cname,
+                realm=client_realm,
+                tgt_session_key=target_tgt.session_key,
+                ctype=None)
+
+            # Add empty FX‐FAST padata to the inner request.
+            fx_fast_padata = self.PA_DATA_create(PADATA_FX_FAST, b'')
+
+            padata = [s4u2self_padata, fx_fast_padata]
+
+            return padata, req_body
+
+        # Check that the PAC contains the correct groups.
+        self._tgs_req(
+            target_tgt, 0, target_creds, target_creds,
+            expected_cname=client_cname,
+            generate_fast_padata_fn=generate_s4u2self_padata,
+            armor_tgt=mach_tgt,
+            expected_groups={
+                (
+                    # Expect to get the Service Asserted Identity SID.
+                    security.SID_SERVICE_ASSERTED_IDENTITY,
+                    SidType.EXTRA_SID,
+                    security.SE_GROUP_DEFAULT_FLAGS,
+                ),
+                ...,
+            },
+            unexpected_groups={
+                # Expect not to get the Authentication Authority Asserted
+                # Identity SID.
+                security.SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY,
+            })
+
     def test_authn_policy_allowed_to_user_allow_constrained_delegation(self):
         samdb = self.get_samdb()
 
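Review bot: test_authn_policy_allowed_to_user_allow_s4u2self_inner_fast is named as an authentication-policy test but creates no policy and, unlike the test just above it, makes no check_tgs_log() call; it only checks the PAC groups. A name that reflects the Asserted Identity check would make failures easier to triage. The docstring also has a typo: "an S4U2Self requests contains" should read "request contains".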
diff --git a/python/samba/tests/krb5/conditional_ace_tests.py b/python/samba/tests/krb5/conditional_ace_tests.py
index 0b351ae253b..5c5616ce1f1 100755
--- a/python/samba/tests/krb5/conditional_ace_tests.py
+++ b/python/samba/tests/krb5/conditional_ace_tests.py
@@ -2863,6 +2863,554 @@ class ConditionalAceTests(ConditionalAceBaseTests):
             status=ntstatus.NT_STATUS_INVALID_WORKSTATION)
 
 
+class DeviceRestrictionTests(ConditionalAceBaseTests):
+    def test_pac_groups_not_present(self):
+        """Test that authentication fails if the device does not belong to some
+        required groups.
+        """
+
+        required_sids = {
+            ('S-1-2-3-4', SidType.EXTRA_SID, self.default_attrs),
+            ('S-1-9-8-7', SidType.EXTRA_SID, self.default_attrs),
+        }
+
+        # Create a machine account with which to perform FAST.
+        mach_creds = self.get_cached_creds(
+            account_type=self.AccountType.COMPUTER,
+            opts={'id': 'device'})
+        mach_tgt = self.get_tgt(mach_creds)
+
+        # Create an authentication policy that requires the device to belong to
+        # certain groups.
+        client_policy_sddl = self.allow_if(
+            f'Member_of {self.sddl_array_from_sids(required_sids)}')
+        client_policy = self.create_authn_policy(
+            enforced=True, user_allowed_from=client_policy_sddl)
+
+        # Create a user account with the assigned policy.
+        client_creds = self._get_creds(account_type=self.AccountType.USER,
+                                       assigned_policy=client_policy)
+
+        target_creds = self.get_krbtgt_creds()
+
+        # Show that authentication fails.
+        self._armored_as_req(client_creds,
+                             target_creds,
+                             mach_tgt,
+                             expected_error=KDC_ERR_POLICY)
+
+        self.check_as_log(
+            client_creds,
+            armor_creds=mach_creds,
+            client_policy=client_policy,
+            client_policy_status=ntstatus.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED,
+            event=AuditEvent.KERBEROS_DEVICE_RESTRICTION,
+            reason=AuditReason.ACCESS_DENIED,
+            status=ntstatus.NT_STATUS_INVALID_WORKSTATION)
+
+    def test_pac_groups_present(self):
+        """Test that authentication succeeds if the device belongs to some
+        required groups.
+        """
+
+        required_sids = {
+            ('S-1-2-3-4', SidType.EXTRA_SID, self.default_attrs),
+            ('S-1-9-8-7', SidType.EXTRA_SID, self.default_attrs),
+        }
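Review bot: In the part of DeviceRestrictionTests shown here, test_pac_groups_not_present uses a device that is given neither 'S-1-2-3-4' nor 'S-1-9-8-7', so it passes whether Member_of requires all of the listed SIDs or only one of them. Unless the rest of the class covers it, add a case where the device holds exactly one of the two SIDs and KDC_ERR_POLICY is still expected. The required_sids set is also repeated verbatim in both tests and could be shared.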


-- 
Samba Shared Repository


