[SCM] Samba Shared Repository - branch master updated

Andrew Bartlett abartlet at samba.org
Fri Oct 13 00:12:01 UTC 2023


The branch, master has been updated
       via  a2d96f5e291 s4:kdc: Always regard device info when checking a server authentication policy
       via  c0ef3b4292d s4:dsdb: Skip allocation of empty device SIDs array
       via  4b19a707f2a s4:kdc: Use claims to evaluate RBCD conditions
       via  f7064f6fd26 s4:kdc: Use device info to evaluate RBCD conditions
       via  9b4dbaecfe5 s4:kdc: Pass claims and device info into samba_kdc_check_s4u2proxy_rbcd()
       via  51d516cc2f8 s4:kdc: Rename ‘user_info_dc’ to ‘client_info’
       via  310c537ffa1 s4:kdc: Call samba_kdc_get_user_info_dc() to get client information
       via  6c02e9ac62f s4:kdc: Add comment regarding RODC‐issued evidence tickets for constrained delegation
       via  b13701ac181 s4:kdc: Factor creation of user_info_dc out of samba_kdc_check_s4u2proxy_rbcd() into its callers
       via  390be7d3325 s4:kdc: Adapt interface to new Heimdal revision
       via  204b1f0c121 third_party/heimdal: import lorikeet-heimdal-202310092248 (commit cd12cddd8058d9fe627b5b203e471b8d761dcfbb)
       via  3280893ae80 third_party/heimdal: Fix PKINIT freshness token memory handling (Import lorikeet-heimdal-202310092148 (commit 38aa80e35b6b1e16b081fa9c005c03b1e6994204))
       via  09857f86f59 s4:kdc: Use claims and device info to evaluate server authentication policy
       via  3c511c59ca0 s4:kdc: Make samba_kdc_get_user_info_dc() non‐static
       via  03e3a3a49a1 s4:kdc: Use ‘claims_data’ functions to create client claims blob
       via  608c8d493c7 s4:kdc: Use device claims to evaluate client authentication policy
       via  7336fbb2ece s4:kdc: Use claims and device info to evaluate server authentication policy
       via  9cef5de95af s4:kdc: Have samba_kdc_allowed_to_authenticate_to() take claims and device info
       via  430f7a8918e s4:kdc: Fetch device claims for server restrictions
       via  407a979b983 s4:kdc: Do not perform compound authentication for services without Compound Identity support
       via  43cce1d190d tests/krb5: Correctly test services that do not support Compound Identity
       via  3199a815db2 s4:kdc: Make samba_kdc_add_compounded_auth() static
       via  981411ba4a7 s4:kdc: Remove ‘compounded_auth’ parameter from samba_kdc_add_compounded_auth()
       via  0d2424a26a5 s4:kdc: Change the type of ‘compounded_auth’ to boolean
       via  0038cc050b5 s4:kdc: Remove ‘claims_valid’ parameter from samba_kdc_add_claims_valid()
       via  b15ef257787 s4:kdc: Introduce helper variable ‘server_restrictions_present’
       via  b5ebe74e5ee s4:kdc: Simplify creation of device claims blob
       via  6d3d6f9bbec s4:kdc: Note use of parent memory context
       via  65a6676cc43 s4:kdc: Simplify samba_kdc_check_device() by calling samba_kdc_get_user_info_dc()
       via  6228267cba6 s4:kdc: Create the Requester SID blob only if we actually need it
       via  1e3c3479850 s4:kdc: Remove unused function get_claims_blob_for_principal()
       via  9859711513d s4:kdc: Modify samba_kdc_get_claims_blob() to use claims_data functions
       via  2462dacc243 s4:kdc: Add functions to fetch claims from the DB or from the PAC
       via  e09bf1bc9e8 s4:auth: Explicitly initialize claims structures
       via  3e5aba62ecd s4:auth: Have claims_data_encoded_claims_set() return a reference to the encoded claims
       via  e3953e18aef s4:kdc: Declare ‘auth_entry’ to be of type ‘samba_kdc_entry_pac’
       via  72b26d5684a s4:kdc: Rename samba_kdc_obtain_user_info_dc() to samba_kdc_get_user_info_dc()
       via  9937c1c5464 s4:kdc: Cache user info and resource groups from PACs
       via  37321e6f76a s4-kdc: Do not modify the returned user_info_dc from samba_kdc_get_user_info_dc()
       via  19b1e31e234 s4:kdc: Always fetch resource groups
       via  a7765d13814 s4:kdc: Label ‘resource_groups_out’ parameter
       via  2f3a8ae8d50 s4:kdc: Remove ‘group_inclusion’ parameter from samba_kdc_obtain_user_info_dc()
       via  300459e86a8 s4:kdc: Pass AUTH_EXCLUDE_RESOURCE_GROUPS into samba_kdc_obtain_user_info_dc()
       via  30cfa9b79ac s4:kdc: Pass resource groups parameter only if we are creating a TGT
       via  3f6e6a3c230 s4:kdc: Make ‘resource_groups_out’ parameter const
       via  d7ed1b53020 s4:kdc: Check parameters of samba_kdc_get_user_info_from_pac()
       via  b2bb86bc54a s4:kdc: Simplify memory management with talloc stackframe
       via  886bbcdc1c7 s4:kdc: Remove common out path from samba_kdc_obtain_user_info_dc()
       via  02daf011f75 s4:kdc: Split samba_kdc_get_user_info_from_pac() out of samba_kdc_obtain_user_info_dc()
       via  453bb84e640 s4:kdc: Rename variable ‘user_info_dc’ to ‘info’
       via  7ee08114d4a s4:kdc: Rename parameter ‘user_info_dc_out’ to ‘info_out’
       via  3045908557b s4:kdc: Fix leak
       via  c559e9922e1 s4:kdc: Introduce intermediate variable ‘resource_groups’
       via  d57062300f8 s4:kdc: Initialize out parameter of samba_kdc_get_user_info_from_db()
       via  0ed6d11e582 s4:kdc: Check parameters of samba_kdc_get_user_info_from_db()
       via  d02f37b489f s4:kdc: Rename local variable ‘user_info_dc’ to ‘info’
       via  024d8cf500d s4:kdc: Pass ‘samdb’ into samba_kdc_get_user_info_from_db()
       via  8b518817e3f s4:kdc: Add ‘samdb’ parameter to samba_kdc_get_device_info_blob()
       via  29c230531c6 s4:kdc: Add ‘samdb’ parameter to samba_kdc_verify_pac()
       via  16cb8c47872 s4:kdc: Make boolean members into bit‐fields
       via  a57d973d804 s4:kdc: Modify samba_kdc_get_user_info_from_db() to return a Kerberos error code
       via  54cd2af2de7 s4:kdc: Pass Kerberos context into samba_kdc_get_device_info_blob()
       via  d51c505d355 s4:kdc: Rename samba_kdc_entry::user_info_dc to samba_kdc_entry::info_from_db
       via  64326818ebd s4:kdc: Rename samba_kdc_get_user_info_dc() to samba_kdc_get_user_info_from_db()
       via  c35d1fe593f s4:kdc: Inline samba_kdc_get_user_info_from_db() into its only caller
       via  0a61dc6ce98 s4:kdc: Replace calls to samba_kdc_get_user_info_from_db() with calls to samba_kdc_get_user_info_dc()
       via  96ab35bb911 s4:kdc: Add ‘msg’ parameter to samba_kdc_get_user_info_dc()
       via  ce7c543ffcb s4:kdc: Rename ‘user_info_dc_out’ parameter of samba_kdc_get_user_info_dc() to ‘info_out’
       via  9c4647436cf s4:kdc: Rename ‘skdc_entry’ parameter of samba_kdc_get_user_info_dc() to ‘entry’
       via  f03b14f8b8b s4:kdc: Rename ‘user_info_dc’ parameter of samba_kdc_get_user_info_from_db() to ‘info_out’
       via  a7323d704e2 s4:kdc: Rename ‘skdc_entry’ parameter of samba_kdc_get_user_info_from_db() to ‘entry’
       via  704c71daf50 libcli/security: Initialize conditional ACE token
      from  4b9b7f70f25 libsmb: Use cli_smb2_qpathinfo_send() for SMB_QUERY_FILE_ALT_NAME_INFO

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit a2d96f5e29149dd3951e3a19ec52cc070ccc069a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Oct 9 18:20:53 2023 +1300

    s4:kdc: Always regard device info when checking a server authentication policy
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Fri Oct 13 00:11:08 UTC 2023 on atb-devel-224

commit c0ef3b4292d2985807f8a203901b3f623357e5db
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Oct 10 16:19:53 2023 +1300

    s4:dsdb: Skip allocation of empty device SIDs array
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 4b19a707f2ac78ee7ce45ec93c47edaca9d94e47
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Oct 10 15:41:40 2023 +1300

    s4:kdc: Use claims to evaluate RBCD conditions
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit f7064f6fd26e2ee302141fec77c3b98ad4c236ae
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Oct 10 15:40:13 2023 +1300

    s4:kdc: Use device info to evaluate RBCD conditions
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 9b4dbaecfe5678c3270cf71b97d8abda78bc91ff
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Oct 10 15:38:29 2023 +1300

    s4:kdc: Pass claims and device info into samba_kdc_check_s4u2proxy_rbcd()
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 51d516cc2f8ab3357b3aa625d6fd4d9420ff2976
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Oct 10 15:22:28 2023 +1300

    s4:kdc: Rename ‘user_info_dc’ to ‘client_info’
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 310c537ffa15b85cc83c1c4ccb5adb55333574b6
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Oct 10 15:19:47 2023 +1300

    s4:kdc: Call samba_kdc_get_user_info_dc() to get client information
    
    Among other things, this function can deal with RODC‐issued PACs.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 6c02e9ac62fc527c7af34214a7253631ae89de51
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Oct 10 15:16:24 2023 +1300

    s4:kdc: Add comment regarding RODC‐issued evidence tickets for constrained delegation
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit b13701ac1810d98b43fa8fbe9fba603cddcbc286
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Oct 10 15:12:30 2023 +1300

    s4:kdc: Factor creation of user_info_dc out of samba_kdc_check_s4u2proxy_rbcd() into its callers
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 390be7d332588d58472d51bb31458e84d285e86a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Oct 10 15:03:22 2023 +1300

    s4:kdc: Adapt interface to new Heimdal revision
    
    NOTE: This commit finally works again!
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 204b1f0c12172eac0d39c7cfebd4f6d87a615ea3
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Oct 13 11:14:55 2023 +1300

    third_party/heimdal: import lorikeet-heimdal-202310092248 (commit cd12cddd8058d9fe627b5b203e471b8d761dcfbb)
    
    NOTE: THIS COMMIT WON’T COMPILE/WORK ON ITS OWN!
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>

commit 3280893ae80507e36653a0c7da03c82b88ece30b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Oct 10 11:59:34 2023 +1300

    third_party/heimdal: Fix PKINIT freshness token memory handling (Import lorikeet-heimdal-202310092148 (commit 38aa80e35b6b1e16b081fa9c005c03b1e6994204))
    
    The issue here is that only the size of a pointer, not the size of
    the structure, was allocated with calloc().
    
    This means that when the pointer returned by malloc() for the freshness
    token bytes was stored into that structure, it was written beyond the
    end of the allocated memory (a heap buffer overflow).
    
    Additionally, the allocation was not free()ed, resulting in a memory
    leak.  This means that a user could trigger ongoing memory allocation
    in the server.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15491
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 09857f86f593d6dbada036a2bf59526083f370b1
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Oct 9 19:35:10 2023 +1300

    s4:kdc: Use claims and device info to evaluate server authentication policy
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 3c511c59ca0523c5f72c46904b14db201bdd81f2
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Oct 9 19:37:08 2023 +1300

    s4:kdc: Make samba_kdc_get_user_info_dc() non‐static
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 03e3a3a49a1d7dd6284449f9409cc1425a2efdab
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Oct 9 19:32:24 2023 +1300

    s4:kdc: Use ‘claims_data’ functions to create client claims blob
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 608c8d493c7f96bbf20dc95d3801f8d0293755be
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Oct 9 19:27:59 2023 +1300

    s4:kdc: Use device claims to evaluate client authentication policy
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 7336fbb2ece658e47ad60ffa0244efd96848ac59
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Oct 9 19:00:09 2023 +1300

    s4:kdc: Use claims and device info to evaluate server authentication policy
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 9cef5de95afe8627c1137d2c8124fdaccfd31eac
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Oct 9 18:19:36 2023 +1300

    s4:kdc: Have samba_kdc_allowed_to_authenticate_to() take claims and device info
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 430f7a8918ea8fa0f49e8e0e9b1cca86bf5397cd
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Oct 9 15:50:19 2023 +1300

    s4:kdc: Fetch device claims for server restrictions
    
    View with ‘git show -b’.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 407a979b983a107a2c58fe6c7d54d5eb341d08f7
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Oct 9 14:19:13 2023 +1300

    s4:kdc: Do not perform compound authentication for services without Compound Identity support
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 43cce1d190ddd3cf831cb5709816ccc03bf805d2
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Oct 9 14:08:43 2023 +1300

    tests/krb5: Correctly test services that do not support Compound Identity
    
    These two tests now pass against Windows.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 3199a815db2a1032b9e32858ec9e1176894ede17
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Oct 9 15:24:57 2023 +1300

    s4:kdc: Make samba_kdc_add_compounded_auth() static
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 981411ba4a7ca215cd8cb900252ce13b3d454ab2
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Oct 9 15:24:06 2023 +1300

    s4:kdc: Remove ‘compounded_auth’ parameter from samba_kdc_add_compounded_auth()
    
    It’s only ever equal to SAMBA_COMPOUNDED_AUTH_INCLUDE.
    
    View with ‘git show -b’.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 0d2424a26a5eca2e180ab5581b2d93cbfc6d498b
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Oct 11 17:25:48 2023 +1300

    s4:kdc: Change the type of ‘compounded_auth’ to boolean
    
    View with ‘git show -b’.
    
    This allows us to make the call to authsam_shallow_copy_user_info_dc()
    and samba_kdc_add_compounded_auth() only if required.
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 0038cc050b5dcda4f92779e014486d3b356ef33c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Oct 9 15:19:01 2023 +1300

    s4:kdc: Remove ‘claims_valid’ parameter from samba_kdc_add_claims_valid()
    
    It’s only ever equal to SAMBA_CLAIMS_VALID_INCLUDE.
    
    View with ‘git show -b’.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit b15ef2577874dfa38556e64d50d02b6bd8c0e277
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Oct 9 13:41:59 2023 +1300

    s4:kdc: Introduce helper variable ‘server_restrictions_present’
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit b5ebe74e5eeb439873921367db3a8aa4062caa7e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Oct 5 16:39:47 2023 +1300

    s4:kdc: Simplify creation of device claims blob
    
    Let samba_kdc_get_claims_data() and claims_data_encoded_claims_set()
    handle the work for us.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 6d3d6f9bbec432ca8a3839ab19775f9b948f55e3
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Oct 5 16:35:52 2023 +1300

    s4:kdc: Note use of parent memory context
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 65a6676cc43381948b02fc5d740d0e727c299e24
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Oct 5 16:11:57 2023 +1300

    s4:kdc: Simplify samba_kdc_check_device() by calling samba_kdc_get_user_info_dc()
    
    The latter function accomplishes most of what we were doing ourselves.
    
    No intended change in behaviour.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 6228267cba64121d14747700b785cc4aa041b810
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Oct 5 16:07:55 2023 +1300

    s4:kdc: Create the Requester SID blob only if we actually need it
    
    View with ‘git show -b’.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 1e3c347985033fbb73f32097440427bb352baeea
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Oct 5 15:34:55 2023 +1300

    s4:kdc: Remove unused function get_claims_blob_for_principal()
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 9859711513d18a7ceba2ef80fcb3a3acfb51a888
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Oct 5 15:34:41 2023 +1300

    s4:kdc: Modify samba_kdc_get_claims_blob() to use claims_data functions
    
    The chief advantage of these functions is that the claims got from the
    database are retained in the ‘samba_kdc_entry’ object, allowing them to
    be reused should they be needed later during the same request.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 2462dacc243e8628f3d66b569d1a2fedf368b4be
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Oct 5 15:33:42 2023 +1300

    s4:kdc: Add functions to fetch claims from the DB or from the PAC
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit e09bf1bc9e8529ff64803e15ab4ecf5a57ca0e73
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Oct 5 13:43:54 2023 +1300

    s4:auth: Explicitly initialize claims structures
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 3e5aba62ecdc227466879d2e74d7314b5f21e6c0
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Oct 5 15:11:42 2023 +1300

    s4:auth: Have claims_data_encoded_claims_set() return a reference to the encoded claims
    
    Having the lifetime of the encoded claims be tied in a predictable
    fashion to a caller‐controlled memory context is less prone to error.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit e3953e18aef4203ed30f2d1fc7a76e130429e5dd
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Oct 5 11:07:48 2023 +1300

    s4:kdc: Declare ‘auth_entry’ to be of type ‘samba_kdc_entry_pac’
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 72b26d5684a338ef034ba697bc2217cd8bacc2bc
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Oct 3 12:57:45 2023 +1300

    s4:kdc: Rename samba_kdc_obtain_user_info_dc() to samba_kdc_get_user_info_dc()
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 9937c1c5464e09b28907c915d2a5473e8b1a5611
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Oct 4 17:19:31 2023 +1300

    s4:kdc: Cache user info and resource groups from PACs
    
    When authentication policies are implemented, we shall need to fetch
    SIDs (and claims) from the PACs of users and devices repeatedly — not
    just when first looking up a user, but every time a policy needs to be
    evaluated.
    
    This will likely be more efficient if we can cache this information,
    removing the need to derive it more than once.
    
    View with ‘git show -b’.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 37321e6f76a79ef249245d52cab9be4910a29480
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Oct 11 17:07:02 2023 +1300

    s4-kdc: Do not modify the returned user_info_dc from samba_kdc_get_user_info_dc()
    
    We have the duplicated shallow copy in each caller so that the caller is
    clear on what memory can be changed.
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>

commit 19b1e31e234c7ee0f2ad58a4fbc275697e439683
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Oct 4 17:10:35 2023 +1300

    s4:kdc: Always fetch resource groups
    
    No behaviour change, and if the caller doesn’t need the resource groups
    after all, the cost incurred is little more than the allocation of a
    couple of dozen bytes of memory.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit a7765d13814d0b6c53f771522c4c579d16b5c20e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Oct 4 16:38:28 2023 +1300

    s4:kdc: Label ‘resource_groups_out’ parameter
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 2f3a8ae8d50a018e6040346a153db90090f24194
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Oct 4 16:31:41 2023 +1300

    s4:kdc: Remove ‘group_inclusion’ parameter from samba_kdc_obtain_user_info_dc()
    
    It could be equal only to AUTH_EXCLUDE_RESOURCE_GROUPS.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 300459e86a8c0b840c71d4771df670ee85defd7a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Oct 4 16:23:12 2023 +1300

    s4:kdc: Pass AUTH_EXCLUDE_RESOURCE_GROUPS into samba_kdc_obtain_user_info_dc()
    
    As the ‘group_inclusion’ parameter has an effect only if the
    ‘resource_groups_out’ parameter is non‐NULL, this does not result in a
    change in behaviour.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 30cfa9b79aca7ca985818f1d4ae0e7b019f3d6b3
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Oct 4 10:35:14 2023 +1300

    s4:kdc: Pass resource groups parameter only if we are creating a TGT
    
    No change in behaviour.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 3f6e6a3c230f6e9ee1a876bcc2eee3da11bfb38d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Oct 3 20:08:03 2023 +1300

    s4:kdc: Make ‘resource_groups_out’ parameter const
    
    The caller shouldn’t need to modify this.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit d7ed1b530202b97a3478dd9b1290f4eba14e8c44
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Oct 3 20:06:29 2023 +1300

    s4:kdc: Check parameters of samba_kdc_get_user_info_from_pac()
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit b2bb86bc54a53ecf9f89a9fb3bff750ed6273f6e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Oct 3 20:04:44 2023 +1300

    s4:kdc: Simplify memory management with talloc stackframe
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 886bbcdc1c765b7f350b39f0904b23358738578b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Oct 3 19:27:20 2023 +1300

    s4:kdc: Remove common out path from samba_kdc_obtain_user_info_dc()
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 02daf011f754c77f82bda4538e6adf5c1e205350
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Oct 3 18:45:17 2023 +1300

    s4:kdc: Split samba_kdc_get_user_info_from_pac() out of samba_kdc_obtain_user_info_dc()
    
    View with ‘git show -b’.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 453bb84e64091f646808382376b2b99fcf7fbf54
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Oct 3 19:44:41 2023 +1300

    s4:kdc: Rename variable ‘user_info_dc’ to ‘info’
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 7ee08114d4a0c1ee194550db01f30b2373a470dc
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Oct 3 19:43:21 2023 +1300

    s4:kdc: Rename parameter ‘user_info_dc_out’ to ‘info_out’
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 3045908557bdbe8804256c82b2db14ee2be1e705
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Oct 3 18:45:14 2023 +1300

    s4:kdc: Fix leak
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit c559e9922e1327e5c5c8dc0f5642b0acb485a382
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Oct 3 18:41:59 2023 +1300

    s4:kdc: Introduce intermediate variable ‘resource_groups’
    
    No change in behaviour.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit d57062300f8ab73d8326ac934cc910fed2bf23ba
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Oct 3 17:01:07 2023 +1300

    s4:kdc: Initialize out parameter of samba_kdc_get_user_info_from_db()
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 0ed6d11e58229dab0999ac95cc0d157e3124971f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Oct 3 17:00:43 2023 +1300

    s4:kdc: Check parameters of samba_kdc_get_user_info_from_db()
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit d02f37b489f61e3716a3fa6e38343ee5debd6898
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Oct 3 15:35:27 2023 +1300

    s4:kdc: Rename local variable ‘user_info_dc’ to ‘info’
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 024d8cf500d15decf83057adb516ad9a06e09cf9
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Oct 3 14:53:17 2023 +1300

    s4:kdc: Pass ‘samdb’ into samba_kdc_get_user_info_from_db()
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 8b518817e3fdc7df16ce37093e7fa0fdca7cd8a0
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Oct 3 14:58:52 2023 +1300

    s4:kdc: Add ‘samdb’ parameter to samba_kdc_get_device_info_blob()
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 29c230531c61722aafd5b8f72dedd15cfddbdc80
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Oct 3 14:58:10 2023 +1300

    s4:kdc: Add ‘samdb’ parameter to samba_kdc_verify_pac()
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 16cb8c47872559145209bdea719e41a02eddde93
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Oct 3 14:33:48 2023 +1300

    s4:kdc: Make boolean members into bit‐fields
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit a57d973d804eeda2129017a94e4ee7cfa22cc26c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Oct 3 13:39:48 2023 +1300

    s4:kdc: Modify samba_kdc_get_user_info_from_db() to return a Kerberos error code
    
    instead of an NT status code.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 54cd2af2de7a2dec965e1362c83ade19c1e21796
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Oct 3 13:48:11 2023 +1300

    s4:kdc: Pass Kerberos context into samba_kdc_get_device_info_blob()
    
    We shall need it in order to produce an error string.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit d51c505d3554423d52e482d7313870366716b39d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Oct 3 12:33:25 2023 +1300

    s4:kdc: Rename samba_kdc_entry::user_info_dc to samba_kdc_entry::info_from_db
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 64326818ebd70f366eb94243874541a161ad70dd
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Oct 3 12:32:13 2023 +1300

    s4:kdc: Rename samba_kdc_get_user_info_dc() to samba_kdc_get_user_info_from_db()
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit c35d1fe593fb9d01bed9202aef1ffca2f3d3a7ff
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Oct 3 12:28:58 2023 +1300

    s4:kdc: Inline samba_kdc_get_user_info_from_db() into its only caller
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 0a61dc6ce98b49826b461765a9a9789cf3c1e5cb
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Oct 3 11:58:05 2023 +1300

    s4:kdc: Replace calls to samba_kdc_get_user_info_from_db() with calls to samba_kdc_get_user_info_dc()
    
    The latter function behaves identically, except that it makes a shallow
    copy of the returned structure, thus avoiding lifetime issues.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 96ab35bb911b0c5b38ac7f99a3187c6c3fd5098a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Oct 3 11:14:30 2023 +1300

    s4:kdc: Add ‘msg’ parameter to samba_kdc_get_user_info_dc()
    
    We want to call this function from more places. But some potential
    callers, found in db-glue.c, have only a partially‐initialized
    ‘samba_kdc_entry’ structure, without the crucial ‘msg’ member. These
    callers need to be able to pass in the ldb message as a separate
    parameter.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit ce7c543ffcbdbe26b730cded780342645abd6f87
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Oct 3 15:07:55 2023 +1300

    s4:kdc: Rename ‘user_info_dc_out’ parameter of samba_kdc_get_user_info_dc() to ‘info_out’
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 9c4647436cf9cf11216e88c6c741f1efb947ec47
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Oct 3 15:07:18 2023 +1300

    s4:kdc: Rename ‘skdc_entry’ parameter of samba_kdc_get_user_info_dc() to ‘entry’
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit f03b14f8b8b1692d32a2a3ce177781ad55e9cabb
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Oct 3 15:05:08 2023 +1300

    s4:kdc: Rename ‘user_info_dc’ parameter of samba_kdc_get_user_info_from_db() to ‘info_out’
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit a7323d704e25781026f90b065259d931f08aab1f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Oct 3 15:03:23 2023 +1300

    s4:kdc: Rename ‘skdc_entry’ parameter of samba_kdc_get_user_info_from_db() to ‘entry’
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 704c71daf509c1857b0e2814c6b939f28f4dbaa8
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Oct 10 14:35:07 2023 +1300

    libcli/security: Initialize conditional ACE token
    
    If the ‘flags’ member is not initialized, we invoke undefined behaviour
    when trying to push or evaluate the parsed conditional ACE.
    
    One way this issue can manifest is in the mysterious failure of Unicode
    comparisons owing to the CLAIM_SECURITY_ATTRIBUTE_VALUE_CASE_SENSITIVE
    flag being set when it shouldn’t.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 libcli/security/conditional_ace.c       |   2 +-
 python/samba/tests/krb5/claims_tests.py |  20 +-
 python/samba/tests/krb5/device_tests.py |  11 +-
 selftest/knownfail_heimdal_kdc          | 110 +---
 source4/auth/session.c                  |  36 +-
 source4/auth/session.h                  |   3 +-
 source4/dsdb/samdb/samdb.c              |   2 +-
 source4/kdc/ad_claims.c                 |  33 --
 source4/kdc/ad_claims.h                 |   5 -
 source4/kdc/db-glue.c                   |  30 +-
 source4/kdc/db-glue.h                   |   4 +-
 source4/kdc/hdb-samba4.c                |  95 ++-
 source4/kdc/mit_samba.c                 |  84 ++-
 source4/kdc/pac-glue.c                  | 988 ++++++++++++++++++++------------
 source4/kdc/pac-glue.h                  |  54 +-
 source4/kdc/samba_kdc.h                 |  14 +-
 source4/kdc/wdc-samba4.c                | 127 +++-
 third_party/heimdal/kdc/kdc-plugin.c    |   8 +-
 third_party/heimdal/kdc/kdc-plugin.h    |   7 +-
 third_party/heimdal/kdc/krb5tgs.c       |   7 +-
 third_party/heimdal/kdc/mssfu.c         |  18 +-
 third_party/heimdal/kdc/pkinit.c        |   5 +-
 third_party/heimdal/lib/asn1/gen.c      | 118 ++--
 third_party/heimdal/lib/asn1/symbol.c   |   6 +
 third_party/heimdal/lib/asn1/symbol.h   |   2 +
 third_party/heimdal/lib/hdb/hdb.h       |   2 +-
 third_party/heimdal/lib/krb5/pac.c      |   6 +-
 27 files changed, 1078 insertions(+), 719 deletions(-)


Changeset truncated at 500 lines:

diff --git a/libcli/security/conditional_ace.c b/libcli/security/conditional_ace.c
index a84060ce698..6fb0cd3a38b 100644
--- a/libcli/security/conditional_ace.c
+++ b/libcli/security/conditional_ace.c
@@ -322,7 +322,7 @@ static ssize_t pull_composite(TALLOC_CTX *mem_ctx,
 		uint8_t *el_data = NULL;
 		size_t available;
 		bool ok;
-		el->type = data[i];
+		*el = (struct ace_condition_token) { .type = data[i] };
 		i++;
 
 		el_data = data + i;
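Review bot: The reason for assigning a whole compound literal instead of just `.type` is not visible at the line, and a later maintainer could easily "simplify" it back to `el->type = data[i];`, reintroducing the uninitialised-`flags` behaviour the commit message describes; a one-line comment would pin the intent, e.g. `/* Reset every member, not only .type: a stale .flags (e.g. CASE_SENSITIVE) would change how this token is pushed or compared. */`. The check that bounds `i` before `data[i]` is read is outside the hunk, so I cannot confirm it from here; worth a glance since this parser consumes attacker-controlled ACE bytes. pull_composite begins before and continues after this hunk.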
diff --git a/python/samba/tests/krb5/claims_tests.py b/python/samba/tests/krb5/claims_tests.py
index 348ea99ec0d..074147e5afe 100755
--- a/python/samba/tests/krb5/claims_tests.py
+++ b/python/samba/tests/krb5/claims_tests.py
@@ -1722,7 +1722,7 @@ class ClaimsTests(KDCBaseTest):
         if tgs_to_krbtgt:
             requester_sid = user_sid
 
-        if tgs_to_krbtgt:
+        if not tgs_compound_id:
             expected_claims = None
             unexpected_claims = None
 
@@ -1758,9 +1758,9 @@ class ClaimsTests(KDCBaseTest):
             unexpected_groups=None,
             expect_client_claims=True,
             expected_client_claims=None,
-            expect_device_info=not tgs_to_krbtgt,
+            expect_device_info=bool(tgs_compound_id),
             expected_device_groups=tgs_device_expected_mapped,
-            expect_device_claims=not tgs_to_krbtgt,
+            expect_device_claims=bool(tgs_compound_id),
             expected_device_claims=expected_claims,
             unexpected_device_claims=unexpected_claims)
 
@@ -1841,7 +1841,7 @@ class ClaimsTests(KDCBaseTest):
         },
         {
             # Make a TGS request containing claims to a service that lacks
-            # support for compound identity. The claims are still propagated to
+            # support for compound identity. The claims are not propagated to
             # the final ticket.
             'test': 'device to service no compound id',
             'groups': {
@@ -1880,20 +1880,10 @@ class ClaimsTests(KDCBaseTest):
             'tgs:expected': {
                 (security.SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY, SidType.EXTRA_SID, default_attrs),
                 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
-                (security.SID_COMPOUNDED_AUTHENTICATION, SidType.EXTRA_SID, default_attrs),
+                # The Compounded Authentication SID should not be present.
                 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
                 (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
             },
-            'tgs:device:expected': {
-                (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
-                (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.PRIMARY_GID, None),
-                frozenset([
-                    ('foo', SidType.RESOURCE_SID, resource_attrs),
-                    ('bar', SidType.RESOURCE_SID, resource_attrs),
-                ]),
-                (asserted_identity, SidType.EXTRA_SID, default_attrs),
-                frozenset([(security.SID_CLAIMS_VALID, SidType.RESOURCE_SID, default_attrs)]),
-            },
         },
         {
             # Make a TGS request containing claims to a service, but don't
diff --git a/python/samba/tests/krb5/device_tests.py b/python/samba/tests/krb5/device_tests.py
index 87b65735a03..43efc7b0fb2 100755
--- a/python/samba/tests/krb5/device_tests.py
+++ b/python/samba/tests/krb5/device_tests.py
@@ -208,16 +208,9 @@ class DeviceTests(KDCBaseTest):
                 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
                 (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
                 (asserted_identity, SidType.EXTRA_SID, default_attrs),
-                (compounded_auth, SidType.EXTRA_SID, default_attrs),
+                # The Compounded Authentication SID should not be present.
                 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
             },
-            # The device info is still generated.
-            'tgs:device:expected': {
-                (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
-                (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.PRIMARY_GID, None),
-                (asserted_identity, SidType.EXTRA_SID, default_attrs),
-                frozenset([(security.SID_CLAIMS_VALID, SidType.RESOURCE_SID, default_attrs)]),
-            },
         },
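Review bot: Dropping the `'tgs:device:expected'` entry only proves device info is no longer checked here, not that it is absent, unless a missing key is treated by the harness as "expect none" rather than "don't check"; that harness behaviour is not visible in the hunk. If it means "don't check", this case (a service without compound-identity support) should carry an explicit negative expectation so a regression that resurrects the device info is caught, and the replaced comment `# The Compounded Authentication SID should not be present.` would then be backed by an assertion for the device buffer as well. The surrounding test-case table starts before this hunk.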
         {
             'test': 'universal groups to krbtgt',
@@ -2102,7 +2095,7 @@ class DeviceTests(KDCBaseTest):
             expected_groups=tgs_expected_mapped,
             unexpected_groups=None,
             expect_device_claims=None,
-            expect_device_info=not tgs_to_krbtgt,
+            expect_device_info=bool(tgs_compound_id),
             expected_device_groups=tgs_device_expected_mapped)
 
         rep = self._generic_kdc_exchange(kdc_exchange_dict,
diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc
index e5c9a841bd3..2ef041b6a29 100644
--- a/selftest/knownfail_heimdal_kdc
+++ b/selftest/knownfail_heimdal_kdc
@@ -83,97 +83,18 @@
 #
 # Conditional ACE tests
 #
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_allowed_from_claim_equals_claim\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_allowed_from_enforced_silo_equals\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_allowed_from_enforced_silo_not_equals_deny\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_allowed_from_unenforced_silo_equals_deny\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_allowed_from_unenforced_silo_not_equals\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_allowed_to_client_equals\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_allowed_to_device_equals\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_42_equals_literal__42_\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_A_is_less_than__\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp__123_456__equals_literal__123_456_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp__apple_banana__equals_literal__APPLE_BANANA_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp__apple_banana__equals_literal__BANANA_APPLE_\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp__apple_banana__equals_literal__apple_banana_apple_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp__foo_bar__contains_FOO\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp__foo_bar__contains__foo_bar_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp__foo_bar__contains__foo_bar_baz_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp__foo_bar__contains_literal__foo_bar_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp__foo_bar__contains_literal__foo_bar_bar_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp__foo_bar__contains_literal__foo_bar_baz_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp__foo_bar__does_not_contain__foo_bar_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp__foo_bar__does_not_contain__foo_bar_baz_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp__foo_bar__does_not_contain_literal__foo_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp__foo_bar__does_not_equal__foo_bar_baz_\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp__foo_bar__does_not_equal_foo\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp__foo_bar__equals__FOO_BAR_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp__foo_bar__equals__bar_foo_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp__foo_bar__equals__foo_bar_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp__foo_bar__equals__foo_baz_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp__foo_bar__matches_any_of_BAR\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp__foo_bar__matches_any_of__bar_baz_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp__foo_bar__matches_any_of_baz\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp__foo_bar__matches_any_of_literal__bar_baz_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp__foo_bar__matches_any_of_literal__baz_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp__foo_bar__matches_none_of__bar_baz_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp__foo_bar__matches_none_of_baz\(ad_dc\)
+^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp__foo_bar__matches_none_of_literal__baz_\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_a_is_less_than__\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_bar_contains_literal__bar_\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_bar_equals_literal__bar_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_bar_matches_any_of_literal__bar_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_cat_exceeds_dog\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_cat_exceeds_or_equals_dog\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_cat_is_less_than_dog\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_cat_is_less_than_or_equals_dog\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_cat_is_less_than_ćàț\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_foo_bar_equals_Foo_BAR\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_foo_bar_equals_literal__foo_bar_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_foo_bar_exceeds_foo\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_foo_contains_literal__foo_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_foo_does_not_equal_bar\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_foo_does_not_equal_foo\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_foo_equals_bar\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_foo_equals_foo\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_foo_exceeds_or_equals_foo\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_foo_is_less_than_foo_bar\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_foo_is_less_than_or_equals_foo\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_foo_is_less_than_foo\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_foo_matches_any_of_foo\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_ß_exceeds_SS\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_ß_is_less_than_ẞ\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_ćàș_is_less_than_ĆÀȚ\(ad_dc\)
+^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_foo_matches_any_of_literal__foo_\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_ćàț_equals_ĆÀȚ\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_ɜ_is_less_than_Ɜ\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_ʞ_is_less_than_ʟ\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_ʞ_is_less_than_Ʞ\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_ԛԣ_equals_ԚԢ\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_ḽ_equals_Ḽ\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_ⅸ_equals_Ⅸ\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_ⱦ_equals_Ⱦ\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_ⳬ_exceeds_Ⳬ\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_ꙭ_equals_Ꙭ\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_ꞧ_exceeds_Ꞧ\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_ퟻ_is_less_than_豈\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_ퟻ_is_less_than_𐀀\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_foo_bar_equals_FOO_BAR\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_𐀀_is_less_than_豈\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_1000_unicode_3_a___1000_unicode_equals_a
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_1_180388626432___a_equals_180388626432\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_1_42_42_42___a_equals_a_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_1_42___a_equals_42\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_2_0___a_equals_3\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_2_1_2_3___a_equals_1_2_3_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_2_4294967296___a_exceeds_0\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_2_42_42___a_equals_a_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_2_42___a_equals_42\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_2_4_5_6___a_does_not_equal_1_2_3_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_3_FOO_foo___a_equals_a_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_3_foo_bar___a_equals_foo_bar_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_3_foo_bar_b_3_FOO_BAR___a_equals_b_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_3_foo_foo___a_equals_a_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_3_this_is_not_the_value_a_3
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_6_0_0___a_equals_a_\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_6_0__not_a_\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_6_0__not_a_and_a_\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_6_0__not_a_or_not_a_\(ad_dc\)
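Review bot: Two entries are newly added to the known-failure list in this hunk (`test_cmp__foo_bar__matches_none_of_literal__baz_` and `test_cmp_foo_matches_any_of_literal__foo_`), and none of the visible commit messages says why these tests start failing, while dozens of neighbouring entries are removed as fixed. A knownfail addition for a conditional-ACE comparison is a behaviour change in an authorization check, so the cause should be stated next to the entry, e.g. `# Newly failing since the conditional ACE token initialisation fix: <reason / bug number>`. I cannot tell from the truncated changeset which commit introduced the regressions, so this may already be explained in a commit that is not shown.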
@@ -181,29 +102,21 @@
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_6_0_b_6_0___a_and_b_\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_6_0_b_6_0___a_or_b_\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_6_0_b_6_1___a_and_b_\(ad_dc\)
+^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_6_1___a_equals_42\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_6_1___a_or_a_or_a_\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_6_1__not_a_or_a_\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_6_1_b_6_0___a_and_not_b_or_b_\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_6_1_b_6_0___a_or_b_\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_6_1_b_6_1___a_and_b_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_6_1_b_6_1___a_equals_b_\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_6_1_b_6_1___a_or_b_\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_6_2_b_6_3___a_equals_b_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_b_3_FOO_BAR_BAZ_a_3_foo_bar_baz___a_does_not_equal_b_\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_b_6_1___b_or_b_or_b_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_dotty_claim_3_a___dotty_claim_equals_a___dotty_claim_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_dup_3_foo_dup_3_foo_2_dup_2_42_dup_2_42_2_dup_3_foo_dup_3_foo_dup_3_foo_bar_dup_3_foo_bar___dup_equals_dup_\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_empty_string_3___empty_string_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_escaped_claim_3_claim_value___escaped_claim_equals_claim_value___escaped_claim_foo_bar_\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_false_and_true_boolean_6_0_1___false_and_true_boolean_\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_false_boolean_6_0___false_boolean_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_false_booleans_6_0_0___false_booleans_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_higher_unicode_3_a___higher_unicode_equals_a
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_invalid_octet_string_16___invalid_octet_string_equals_invalid_octet_string_\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_invalid_sid_5___invalid_sid_equals_invalid_sid_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_large_claim_3_zzzzzzzzzzzzzzzzzzzz
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_larger_claim_3_zzzzzzzzzzzzzzzzzzz
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_long_name_3_a___long_name_equals_a
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_many_claims_2_0_1_2_3_4_5_6_7_8_9_10
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_non_empty_string_3_foo_bar___non_empty_string_\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_nonzero_int_1_1___nonzero_int_\(ad_dc\)
@@ -215,17 +128,11 @@
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_zero_and_one_int_1_0_1___zero_and_one_int_\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_zero_and_one_uint_2_0_1___zero_and_one_uint_\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_zero_int_1_0___zero_int_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_zero_ints_1_0_0___zero_ints_\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_zero_uint_2_0___zero_uint_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_zero_uints_2_0_0___zero_uints_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__2_a_3_foo___a_equals_foo_\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_all_from_rodc\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_client_and_device_from_rodc\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_client_and_service_from_rodc\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_client_from_rodc\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_client_with_aa_asserted_identity\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_client_with_claims_valid\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_client_with_service_asserted_identity\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_device_and_service_from_rodc\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_device_from_rodc\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_device_with_aa_asserted_identity\(ad_dc\)
@@ -233,19 +140,12 @@
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_device_with_compounded_auth\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_device_with_service_asserted_identity\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_service_from_rodc\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_with_aa_asserted_identity\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_with_claims_valid\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_with_compounded_authentication\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_with_service_asserted_identity\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_aa_asserted_identity\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_aa_asserted_identity_both_from_rodc\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_aa_asserted_identity_client_from_rodc\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_aa_asserted_identity_device_from_rodc\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_claims_valid\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_claims_valid_both_from_rodc\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_claims_valid_client_from_rodc\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_claims_valid_device_from_rodc\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_service_asserted_identity\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_service_asserted_identity_both_from_rodc\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_service_asserted_identity_client_from_rodc\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_service_asserted_identity_device_from_rodc\(ad_dc\)
@@ -258,10 +158,6 @@
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_without_service_asserted_identity_both_from_rodc\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_without_service_asserted_identity_client_from_rodc\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_without_service_asserted_identity_device_from_rodc\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_pac_claims_present\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_pac_device_claims_invalid_no_attrs\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_pac_device_claims_present\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_pac_device_info_no_compound_id_support\(ad_dc\)
 #
 # Conditional ACE device restrictions
 #
diff --git a/source4/auth/session.c b/source4/auth/session.c
index 818fdf583df..46b833713ba 100644
--- a/source4/auth/session.c
+++ b/source4/auth/session.c
@@ -492,30 +492,36 @@ NTSTATUS encode_claims_set(TALLOC_CTX *mem_ctx,
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	metadata_ndr = talloc_zero(tmp_ctx, struct CLAIMS_SET_METADATA_NDR);
+	metadata_ndr = talloc(tmp_ctx, struct CLAIMS_SET_METADATA_NDR);
 	if (metadata_ndr == NULL) {
 		talloc_free(tmp_ctx);
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	metadata = talloc_zero(metadata_ndr, struct CLAIMS_SET_METADATA);
+	metadata = talloc(metadata_ndr, struct CLAIMS_SET_METADATA);
 	if (metadata == NULL) {
 		talloc_free(tmp_ctx);
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	claims_set_info = talloc_zero(metadata, struct CLAIMS_SET_NDR);
+	claims_set_info = talloc(metadata, struct CLAIMS_SET_NDR);
 	if (claims_set_info == NULL) {
 		talloc_free(tmp_ctx);
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	metadata_ndr->claims.metadata = metadata;
+	*metadata_ndr = (struct CLAIMS_SET_METADATA_NDR) {
+		.claims.metadata = metadata,
+	};
 
-	metadata->claims_set = claims_set_info;
-	metadata->compression_format = CLAIMS_COMPRESSION_FORMAT_XPRESS_HUFF;
+	*metadata = (struct CLAIMS_SET_METADATA) {
+		.claims_set = claims_set_info,
+		.compression_format = CLAIMS_COMPRESSION_FORMAT_XPRESS_HUFF,
+	};
 
-	claims_set_info->claims.claims = claims_set;
+	*claims_set_info = (struct CLAIMS_SET_NDR) {
+		.claims.claims = claims_set,
+	};
 
 	ndr_err = ndr_push_struct_blob(claims_blob, mem_ctx, metadata_ndr,
 				       (ndr_push_flags_fn_t)ndr_push_CLAIMS_SET_METADATA_NDR);
@@ -612,9 +618,13 @@ NTSTATUS claims_data_from_claims_set(TALLOC_CTX *claims_data_ctx,
  * From a ‘claims_data’ structure, return an encoded claims blob that can be put
  * into a PAC.
  */
-NTSTATUS claims_data_encoded_claims_set(struct claims_data *claims_data,
+NTSTATUS claims_data_encoded_claims_set(TALLOC_CTX *mem_ctx,
+					struct claims_data *claims_data,
 					DATA_BLOB *encoded_claims_set_out)
 {
+	uint8_t *data = NULL;
+	size_t len;
+
 	if (encoded_claims_set_out == NULL) {
 		return NT_STATUS_INVALID_PARAMETER;
 	}
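Review bot: `size_t len;` is declared without an initializer while the sibling `uint8_t *data = NULL;` directly above it is initialized; the only assignment to `len` sits in a later hunk, past at least one early return, so `size_t len = 0;` keeps the two declarations consistent and makes any future use-before-assign benign rather than undefined. The function body continues beyond this hunk.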
@@ -643,7 +653,15 @@ NTSTATUS claims_data_encoded_claims_set(struct claims_data *claims_data,
 		claims_data->flags |= CLAIMS_DATA_ENCODED_CLAIMS_PRESENT;
 	}
 
-	*encoded_claims_set_out = claims_data->encoded_claims_set;
+	if (claims_data->encoded_claims_set.data != NULL) {
+		data = talloc_reference(mem_ctx, claims_data->encoded_claims_set.data);
+		if (data == NULL) {
+			return NT_STATUS_NO_MEMORY;
+		}
+	}
+	len = claims_data->encoded_claims_set.length;
+
+	*encoded_claims_set_out = data_blob_const(data, len);
 	return NT_STATUS_OK;
 }
 
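Review bot: The blob handed back via `data_blob_const(data, len)` aliases `claims_data->encoded_claims_set.data`; `talloc_reference()` only adds `mem_ctx` as a second owner, so the caller receives a shared, read-only view rather than a private copy, and neither this function's header comment nor the matching one in session.h (hunk at L1243) says so. I would add to both: `/* The returned blob shares memory with the cached encoding in claims_data; mem_ctx gains a talloc reference to it, so the caller must treat the data as read-only and must not talloc_free() it. */`. If any caller needs to outlive or modify the blob independently, a `talloc_memdup()` of the cached data onto mem_ctx would avoid talloc_reference's ownership semantics entirely. The start of claims_data_encoded_claims_set() is in the preceding hunk.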
diff --git a/source4/auth/session.h b/source4/auth/session.h
index 391fcc34bf7..3258c807137 100644
--- a/source4/auth/session.h
+++ b/source4/auth/session.h
@@ -136,7 +136,8 @@ NTSTATUS claims_data_from_claims_set(TALLOC_CTX *claims_data_ctx,
  * From a ‘claims_data’ structure, return an encoded claims blob that can be put
  * into a PAC.
  */
-NTSTATUS claims_data_encoded_claims_set(struct claims_data *claims_data,
+NTSTATUS claims_data_encoded_claims_set(TALLOC_CTX *mem_ctx,
+					struct claims_data *claims_data,
 					DATA_BLOB *encoded_claims_set_out);
 
 /*
diff --git a/source4/dsdb/samdb/samdb.c b/source4/dsdb/samdb/samdb.c
index 81576829a75..42375a8437b 100644
--- a/source4/dsdb/samdb/samdb.c
+++ b/source4/dsdb/samdb/samdb.c
@@ -247,7 +247,7 @@ NTSTATUS security_token_create(TALLOC_CTX *mem_ctx,
 		}
 	}
 
-	if (authentication_was_compounded) {
+	if (authentication_was_compounded && num_device_sids) {
 		ptoken->device_sids = talloc_array(ptoken, struct dom_sid, num_device_sids);
 		if (ptoken->device_sids == NULL) {
 			talloc_free(ptoken);
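Review bot: With `&& num_device_sids` added, a compounded authentication that yields no device SIDs now leaves `ptoken->device_sids` NULL, whereas before it held the (zero-length) result of `talloc_array()`; if any reader of the token has been using a non-NULL `device_sids` as the signal that authentication was compounded, that signal is lost and it must key off `num_device_sids` or a dedicated flag instead — worth confirming against the token's consumers. The surrounding code spells out its pointer checks as `== NULL`, so the integer test would read more consistently as `if (authentication_was_compounded && num_device_sids != 0) {`. The rest of security_token_create() lies outside the hunk.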
diff --git a/source4/kdc/ad_claims.c b/source4/kdc/ad_claims.c
index b8c355a11ed..5ce23be57ba 100644
--- a/source4/kdc/ad_claims.c
+++ b/source4/kdc/ad_claims.c
@@ -1227,36 +1227,3 @@ int get_claims_set_for_principal(struct ldb_context *ldb,
 			      principal_class->governsID_id,
 			      claims_set_out);
 }
-
-int get_claims_blob_for_principal(struct ldb_context *ldb,
-			     TALLOC_CTX *mem_ctx,
-			     const struct ldb_message *principal,
-			     DATA_BLOB *claims_blob_out)
-{
-	struct CLAIMS_SET *claims_set = NULL;
-	int ret;
-	NTSTATUS status;
-
-	*claims_blob_out = data_blob_null;
-
-	ret = get_claims_set_for_principal(ldb,
-					   mem_ctx,
-					   principal,
-					   &claims_set);
-	if (ret) {
-		return ret;
-	}
-
-	if (claims_set == NULL) {
-		return LDB_SUCCESS;
-	}
-
-	/* Encode the claims ready to go into a PAC buffer. */
-	status = encode_claims_set(mem_ctx, claims_set, claims_blob_out);
-	if (!NT_STATUS_IS_OK(status)) {
-		ret = LDB_ERR_OPERATIONS_ERROR;
-		talloc_free(claims_set);
-	}
-
-	return ret;
-}
diff --git a/source4/kdc/ad_claims.h b/source4/kdc/ad_claims.h
index b934e34bbd7..e54b1dac7a7 100644
--- a/source4/kdc/ad_claims.h
+++ b/source4/kdc/ad_claims.h
@@ -33,9 +33,4 @@ int get_claims_set_for_principal(struct ldb_context *ldb,
 				 const struct ldb_message *principal,
 				 struct CLAIMS_SET **claims_set_out);
 
-int get_claims_blob_for_principal(struct ldb_context *ldb,
-				  TALLOC_CTX *mem_ctx,
-				  const struct ldb_message *principal,
-				  DATA_BLOB *claims_blob_out);
-
 #endif
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index c47aa69b035..89de751f616 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -1484,9 +1484,12 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
 		 * and computers should never be members of Protected Users, or
 		 * they may fail to authenticate.
 		 */
-		status = samba_kdc_get_user_info_from_db(p, msg, &user_info_dc);
-		if (!NT_STATUS_IS_OK(status)) {
-			ret = EINVAL;
+		ret = samba_kdc_get_user_info_from_db(tmp_ctx,
+						      kdc_db_ctx->samdb,
+						      p,
+						      msg,
+						      &user_info_dc);
+		if (ret) {
 			goto out;
 		}
 
@@ -3371,7 +3374,9 @@ krb5_error_code samba_kdc_check_s4u2proxy_rbcd(
 		struct samba_kdc_db_context *kdc_db_ctx,
 		krb5_const_principal client_principal,
 		krb5_const_principal server_principal,
-		krb5_const_pac header_pac,
+		const struct auth_user_info_dc *user_info_dc,
+		const struct auth_user_info_dc *device_info_dc,
+		const struct auth_claims auth_claims,
 		struct samba_kdc_entry *proxy_skdc_entry)
 {
 	krb5_error_code code;
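Review bot: Dropping `header_pac` from the signature removes the point at which samba_kdc_check_s4u2proxy_rbcd() derived the client's identity from a verified PAC itself; the function now trusts whatever `user_info_dc`, `device_info_dc` and `auth_claims` the caller supplies, so that precondition belongs in its doc comment (which sits above the hunk): state that both info structures and the claims must come from a KDC-verified evidence ticket, and say whether `device_info_dc` may be NULL when no device was authenticated. Separately, `const struct auth_claims auth_claims` is passed by value while the neighbouring parameters are pointers; unless the struct is tiny, `const struct auth_claims *auth_claims` would match the surrounding style and avoid the copy. The function body continues in later hunks.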
@@ -3381,7 +3386,6 @@ krb5_error_code samba_kdc_check_s4u2proxy_rbcd(
 	const char *proxy_dn = NULL;
 	const DATA_BLOB *data = NULL;
 	struct security_descriptor *rbcd_security_descriptor = NULL;
-	struct auth_user_info_dc *user_info_dc = NULL;
 	struct security_token *security_token = NULL;
 	uint32_t session_info_flags =
 		AUTH_SESSION_INFO_DEFAULT_GROUPS |
@@ -3450,18 +3454,6 @@ krb5_error_code samba_kdc_check_s4u2proxy_rbcd(
 		 server_name,
 		 proxy_dn);
 
-	code = kerberos_pac_to_user_info_dc(mem_ctx,
-					    header_pac,
-					    context,
-					    &user_info_dc,
-					    AUTH_INCLUDE_RESOURCE_GROUPS,
-					    NULL,
-					    NULL,
-					    NULL);
-	if (code != 0) {
-		goto out;
-	}

