[SCM] Samba Shared Repository - branch master updated
Andrew Bartlett
abartlet at samba.org
Tue Oct 17 04:17:01 UTC 2023
The branch, master has been updated
via 310629508bf gitignore: add WAF lockfile
via e2ace2d6137 build: Add 'make printversion' to provide version string
via 53ff61bbddd s4:kdc: Remove unused function int2SDBFlags()
via 7405a8fab0d s4:kdc: Explicitly initialize SDBFlags structures
via 9fcace5818a s4:kdc: Make ‘struct user_info_dc’ members const
via b7b4c7ca8c4 s4:dsdb: Check return value of ldb_msg_add_empty() (CID 1449667)
via c15a9af8e58 tests/krb5: Fix ASN.1 source
via 1712449aa67 tests/krb5: Don’t expect groups if we’re expecting an error
via a8a186868e4 tests/krb5: Fix tests that crash Windows
via 52ea480543b tests/krb5: Expect a status code with policy errors
via b5b8b16a50e tests/krb5: Don’t consider RODC‐issued tickets to be banned with RBCD
via 35c7061f97a buildtools: Correctly raise exception
via ec23abfe1f7 buildtools: Don’t call normpath() repeatedly
from bf79979f847 s4:kdc: fix user2user tgs-requests for normal user accounts
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 310629508bfbedecfab9b653b7cba0282f5c0e8b
Author: Michael Adam <obnox at samba.org>
Date: Mon Oct 16 19:04:55 2023 +0200
gitignore: add WAF lockfile
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15497
Signed-off-by: Michael Adam <obnox at samba.org>
Reviewed-by: Christof Schmitt <christof.schmitt at us.ibm.com>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Tue Oct 17 04:16:29 UTC 2023 on atb-devel-224
commit e2ace2d613701f3d4a7c7c202f68d2f193c0a64a
Author: Christof Schmitt <christof.schmitt at us.ibm.com>
Date: Thu Sep 12 16:11:34 2013 -0700
build: Add 'make printversion' to provide version string
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15497
Signed-off-by: Christof Schmitt <christof.schmitt at us.ibm.com>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 53ff61bbddd5c4db6f0849c833c800f2a792e45f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Oct 12 11:56:01 2023 +1300
s4:kdc: Remove unused function int2SDBFlags()
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 7405a8fab0d4a8ba31213abbe2bfaa1197fd3415
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Oct 12 11:54:50 2023 +1300
s4:kdc: Explicitly initialize SDBFlags structures
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 9fcace5818a43770c2f30710fb32e0db8dd599c3
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Oct 12 13:40:21 2023 +1300
s4:kdc: Make ‘struct user_info_dc’ members const
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit b7b4c7ca8c4309e9563ac90378b84e4b83bd1eab
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 6 14:11:24 2023 +1300
s4:dsdb: Check return value of ldb_msg_add_empty() (CID 1449667)
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit c15a9af8e58075f364c617578abee9b897abc342
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Oct 16 15:37:29 2023 +1300
tests/krb5: Fix ASN.1 source
It currently fails to compile.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 1712449aa67d52ff5f3bb6b673644b25bce41086
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Oct 16 14:41:51 2023 +1300
tests/krb5: Don’t expect groups if we’re expecting an error
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit a8a186868e4f4e8a8d711437747e6af47edb9be9
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Oct 2 12:20:48 2023 +1300
tests/krb5: Fix tests that crash Windows
Expect an actual error code or an outcome, not CRASHES_WINDOWS.
I don’t know which error codes Windows might be expected to produce, so
I’ve chosen some that seem plausible.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 52ea480543b53173b9f92550b844224d17c14c51
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Oct 17 14:03:33 2023 +1300
tests/krb5: Expect a status code with policy errors
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit b5b8b16a50ecb7225fe1bfa31d3a839efdd9f7d0
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Oct 17 13:34:29 2023 +1300
tests/krb5: Don’t consider RODC‐issued tickets to be banned with RBCD
If we’re verifying that a ticket was permitted to be issued by an RODC,
and not trusting the group SIDs in the ticket, is there any reason to
ban its use with RBCD?
A client with a ticket issued by an RODC that happens to select a DC to
direct an RBCD request at should not have the request mysteriously fail.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 35c7061f97a1f0dd79efe3a567b7054304192f55
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 13 12:38:35 2023 +1300
buildtools: Correctly raise exception
This avoids errors like the following:
‘RuntimeError: No active exception to reraise’
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit ec23abfe1f77b756ea63f4fc0a572c4d9cd8c30b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 13 11:23:27 2023 +1300
buildtools: Don’t call normpath() repeatedly
A non‐negligible fraction of the build process — especially for
incremental builds — is spent calling normpath() over and over again.
Make builds faster by not doing that.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
-----------------------------------------------------------------------
Summary of changes:
.gitignore | 1 +
Makefile | 4 +
buildtools/wafsamba/samba_utils.py | 6 +-
python/samba/tests/krb5/conditional_ace_tests.py | 131 ++++++++++++++---------
python/samba/tests/krb5/rfc4120.asn1 | 2 +-
selftest/knownfail_heimdal_kdc | 21 ----
source4/dsdb/samdb/ldb_modules/samba_dsdb.c | 7 +-
source4/kdc/db-glue.c | 4 +-
source4/kdc/pac-glue.c | 5 +-
source4/kdc/samba_kdc.h | 6 +-
source4/kdc/sdb.c | 28 -----
source4/kdc/sdb.h | 1 -
wscript | 5 +
13 files changed, 107 insertions(+), 114 deletions(-)
Changeset truncated at 500 lines:
diff --git a/.gitignore b/.gitignore
index de3feaabf28..9a663e2a065 100644
--- a/.gitignore
+++ b/.gitignore
@@ -88,3 +88,4 @@ compile_commands.json
.clangd/
.cache/
.ropeproject/
+.tmplock
diff --git a/Makefile b/Makefile
index 09700af32c2..b037c398391 100644
--- a/Makefile
+++ b/Makefile
@@ -67,6 +67,10 @@ distcheck:
touch .tmplock
WAFLOCK=.tmplock $(WAF) distcheck
+printversion:
+ touch .tmplock
+ WAFLOCK=.tmplock $(WAF) printversion
+
clean:
$(WAF) clean
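Review bot: the new `printversion` target has no prerequisites and produces no file of that name, so it should be declared `.PHONY` (alongside `distcheck` and `clean`, if the Makefile keeps such a list); otherwise a stray file called `printversion` in the source tree makes `make printversion` silently do nothing. It also leaves `.tmplock` behind after the waf call, exactly as `distcheck` does, which is harmless only because the companion commit adds `.tmplock` to `.gitignore`.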
diff --git a/buildtools/wafsamba/samba_utils.py b/buildtools/wafsamba/samba_utils.py
index 39512f0ac96..f287e85d838 100644
--- a/buildtools/wafsamba/samba_utils.py
+++ b/buildtools/wafsamba/samba_utils.py
@@ -469,8 +469,7 @@ def RECURSE(ctx, directory):
return ctx.recurse(relpath)
if 'waflib.extras.compat15' in sys.modules:
return ctx.recurse(relpath)
- Logs.error('Unknown RECURSE context class: {}'.format(ctxclass))
- raise
+ raise Errors.WafError('Unknown RECURSE context class: {}'.format(ctxclass))
Options.OptionsContext.RECURSE = RECURSE
Build.BuildContext.RECURSE = RECURSE
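Review bot: `raise Errors.WafError(...)` depends on `Errors` being imported at the top of samba_utils.py, which is outside this hunk, so please confirm the `from waflib import Errors` import exists rather than relying on the bare name. Dropping the `Logs.error()` call is fine, since a `WafError` aborts the build with its message; the old bare `raise` with no exception being handled is what produced the `RuntimeError: No active exception to reraise` quoted in the commit message.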
@@ -710,8 +709,9 @@ def samba_before_apply_obj_vars(self):
"""before apply_obj_vars for uselib, this removes the standard paths"""
def is_standard_libpath(env, path):
+ normalized_path = os.path.normpath(path)
for _path in env.STANDARD_LIBPATH:
- if _path == os.path.normpath(path):
+ if _path == normalized_path:
return True
return False
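Review bot: hoisting `os.path.normpath()` out of the loop is the right fix; the loop itself can then go too, since `return normalized_path in env.STANDARD_LIBPATH` is equivalent and shorter. Both forms keep the existing assumption that every entry of `env.STANDARD_LIBPATH` is already normalized, which is worth a one-line comment above the function.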
diff --git a/python/samba/tests/krb5/conditional_ace_tests.py b/python/samba/tests/krb5/conditional_ace_tests.py
index 5c5616ce1f1..62f2e7a647a 100755
--- a/python/samba/tests/krb5/conditional_ace_tests.py
+++ b/python/samba/tests/krb5/conditional_ace_tests.py
@@ -1350,7 +1350,7 @@ class ConditionalAceTests(ConditionalAceBaseTests):
('{a}', claims.CLAIM_TYPE_BOOLEAN, [2]),
('{b}', claims.CLAIM_TYPE_BOOLEAN, [3]),
]),
- ], '{a} == {b}', CRASHES_WINDOWS),
+ ], '{a} == {b}', (None, CRASHES_WINDOWS)),
([
(claims.CLAIMS_SOURCE_TYPE_AD, [
('{a}', claims.CLAIM_TYPE_BOOLEAN, [1]),
@@ -1469,7 +1469,7 @@ class ConditionalAceTests(ConditionalAceBaseTests):
(claims.CLAIMS_SOURCE_TYPE_AD, [
('{larger_claim}', claims.CLAIM_TYPE_STRING, ['z' * 100000]),
]),
- ], '{larger_claim} > "z"', CRASHES_WINDOWS),
+ ], '{larger_claim} > "z"', (True, CRASHES_WINDOWS)),
# Test a great number of claims. Windows does not appear to like
# receiving this many claims.
([
@@ -1477,7 +1477,7 @@ class ConditionalAceTests(ConditionalAceBaseTests):
('{many_claims}', claims.CLAIM_TYPE_UINT64,
list(range(0, 100000))),
]),
- ], '{many_claims} Any_of "99999"', CRASHES_WINDOWS),
+ ], '{many_claims} Any_of "99999"', (True, CRASHES_WINDOWS)),
# Test a claim with a very long name. Much larger than this, and
# conditional_ace_encode_binary() will refuse to encode the conditions.
([
@@ -1565,18 +1565,18 @@ class ConditionalAceTests(ConditionalAceBaseTests):
(claims.CLAIMS_SOURCE_TYPE_AD, [
('{invalid_sid}', 5, []),
]),
- ], '{invalid_sid} == {invalid_sid}', CRASHES_WINDOWS),
+ ], '{invalid_sid} == {invalid_sid}', (None, CRASHES_WINDOWS)),
([
(claims.CLAIMS_SOURCE_TYPE_AD, [
('{invalid_octet_string}', 16, []),
]),
- ], '{invalid_octet_string} == {invalid_octet_string}', CRASHES_WINDOWS),
+ ], '{invalid_octet_string} == {invalid_octet_string}', (None, CRASHES_WINDOWS)),
# Sending an empty string will crash Windows.
([
(claims.CLAIMS_SOURCE_TYPE_AD, [
('{empty_string}', claims.CLAIM_TYPE_STRING, ['']),
]),
- ], '{empty_string}', CRASHES_WINDOWS),
+ ], '{empty_string}', (None, CRASHES_WINDOWS)),
# But sending empty arrays is OK.
([
(claims.CLAIMS_SOURCE_TYPE_AD, [
@@ -1595,8 +1595,13 @@ class ConditionalAceTests(ConditionalAceBaseTests):
outcome):
self.assertIsInstance(expression, str)
- if outcome is CRASHES_WINDOWS and not self.crash_windows:
- self.skipTest('test crashes Windows servers')
+ try:
+ outcome, crashes_windows = outcome
+ self.assertIs(crashes_windows, CRASHES_WINDOWS)
+ if not self.crash_windows:
+ self.skipTest('test crashes Windows servers')
+ except TypeError:
+ self.assertIsNot(outcome, CRASHES_WINDOWS)
if claim_map is None:
claim_map = {}
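Review bot: using `except TypeError` around `outcome, crashes_windows = outcome` to tell a plain outcome from an `(outcome, CRASHES_WINDOWS)` pair is fragile: an iterable of the wrong length raises `ValueError`, which is not caught, and any `TypeError` raised inside the `try` body for an unrelated reason is silently reinterpreted as "not a tuple". An explicit `if isinstance(outcome, tuple):` branch states the intent and avoids both problems. The same block is repeated verbatim in `_rbcd()` and `_tgs()` further down in this diff; a small helper on the base class returning `(outcome, crashes_windows)` would keep the three copies in step.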
@@ -2145,37 +2150,34 @@ class ConditionalAceTests(ConditionalAceBaseTests):
def test_rbcd_device_from_rodc(self):
self._rbcd('Member_of SID({service_sid})',
device_from_rodc=True,
- code=CRASHES_WINDOWS)
+ code=(0, CRASHES_WINDOWS))
def test_rbcd_service_from_rodc(self):
self._rbcd('Member_of SID({service_sid})',
service_from_rodc=True,
- code=KDC_ERR_BADOPTION,
edata=self.expect_padata_outer)
def test_rbcd_device_and_service_from_rodc(self):
self._rbcd('Member_of SID({service_sid})',
service_from_rodc=True,
device_from_rodc=True,
- code=CRASHES_WINDOWS)
+ code=(0, CRASHES_WINDOWS))
def test_rbcd_client_from_rodc(self):
self._rbcd('Member_of SID({service_sid})',
client_from_rodc=True,
- code=KDC_ERR_MODIFIED,
edata=self.expect_padata_outer)
def test_rbcd_client_and_device_from_rodc(self):
self._rbcd('Member_of SID({service_sid})',
client_from_rodc=True,
device_from_rodc=True,
- code=CRASHES_WINDOWS)
+ code=(0, CRASHES_WINDOWS))
def test_rbcd_client_and_service_from_rodc(self):
self._rbcd('Member_of SID({service_sid})',
client_from_rodc=True,
service_from_rodc=True,
- code=KDC_ERR_BADOPTION,
edata=self.expect_padata_outer)
def test_rbcd_all_from_rodc(self):
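Review bot: `test_rbcd_service_from_rodc`, `test_rbcd_client_from_rodc` and `test_rbcd_client_and_service_from_rodc` drop their error `code` (KDC_ERR_BADOPTION / KDC_ERR_MODIFIED) and so now expect the RBCD request to succeed, which matches the commit message, yet each still passes `edata=self.expect_padata_outer`. If `_rbcd()` only looks at `edata` on an error reply, that argument is now dead and should be removed from these three calls; if it does check padata on a successful reply, a short comment saying so would stop the next reader from deleting it.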
@@ -2183,7 +2185,7 @@ class ConditionalAceTests(ConditionalAceBaseTests):
client_from_rodc=True,
service_from_rodc=True,
device_from_rodc=True,
- code=CRASHES_WINDOWS)
+ code=(0, CRASHES_WINDOWS))
def _rbcd(self,
rbcd_expression=None,
@@ -2206,8 +2208,13 @@ class ConditionalAceTests(ConditionalAceBaseTests):
expected_groups=None,
expected_device_groups=None,
expected_claims=None):
- if code is CRASHES_WINDOWS and not self.crash_windows:
- self.skipTest('test crashes Windows servers')
+ try:
+ code, crashes_windows = code
+ self.assertIs(crashes_windows, CRASHES_WINDOWS)
+ if not self.crash_windows:
+ self.skipTest('test crashes Windows servers')
+ except TypeError:
+ self.assertIsNot(code, CRASHES_WINDOWS)
samdb = self.get_samdb()
functional_level = self.get_domain_functional_level(samdb)
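Review bot: this is the second verbatim copy of the tuple-unpacking block from the claim-comparison test above, so the same comments apply: prefer `isinstance(code, tuple)` over catching `TypeError`, and factor the block into a shared helper rather than repeating it here and again in `_tgs()`.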
@@ -2389,7 +2396,6 @@ class ConditionalAceTests(ConditionalAceBaseTests):
self._tgs(f'Member_of SID({self.aa_asserted_identity})',
client_sids=client_sids,
- expected_groups=client_sids,
code=KDC_ERR_POLICY,
status=ntstatus.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED,
event=AuditEvent.KERBEROS_SERVER_RESTRICTION,
@@ -2405,8 +2411,10 @@ class ConditionalAceTests(ConditionalAceBaseTests):
self._tgs(f'Member_of SID({self.aa_asserted_identity})',
client_from_rodc=True,
client_sids=client_sids,
- expected_groups=client_sids,
code=KDC_ERR_POLICY,
+ status=ntstatus.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED,
+ event=AuditEvent.KERBEROS_SERVER_RESTRICTION,
+ reason=AuditReason.ACCESS_DENIED,
edata=self.expect_padata_outer)
def test_tgs_without_aa_asserted_identity_device_from_rodc(self):
@@ -2418,8 +2426,11 @@ class ConditionalAceTests(ConditionalAceBaseTests):
self._tgs(f'Member_of SID({self.aa_asserted_identity})',
device_from_rodc=True,
client_sids=client_sids,
- expected_groups=client_sids,
- code=CRASHES_WINDOWS)
+ code=(KDC_ERR_POLICY, CRASHES_WINDOWS),
+ status=ntstatus.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED,
+ event=AuditEvent.KERBEROS_SERVER_RESTRICTION,
+ reason=AuditReason.ACCESS_DENIED,
+ edata=self.expect_padata_outer)
def test_tgs_without_aa_asserted_identity_both_from_rodc(self):
client_sids = {
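Review bot: the KDC_ERR_POLICY / NT_STATUS_AUTHENTICATION_FIREWALL_FAILED / KERBEROS_SERVER_RESTRICTION / ACCESS_DENIED expectation added here is, per the "Fix tests that crash Windows" commit message, a plausible guess rather than an observed Windows result, because the case is still tagged CRASHES_WINDOWS and is skipped unless `crash_windows` is set. A comment at the call site marking the expectation as unverified would keep it from being read as documented Windows behaviour; the same applies to the other `(KDC_ERR_POLICY, CRASHES_WINDOWS)` cases below.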
@@ -2431,8 +2442,11 @@ class ConditionalAceTests(ConditionalAceBaseTests):
client_from_rodc=True,
device_from_rodc=True,
client_sids=client_sids,
- expected_groups=client_sids,
- code=CRASHES_WINDOWS)
+ code=(KDC_ERR_POLICY, CRASHES_WINDOWS),
+ status=ntstatus.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED,
+ event=AuditEvent.KERBEROS_SERVER_RESTRICTION,
+ reason=AuditReason.ACCESS_DENIED,
+ edata=self.expect_padata_outer)
def test_tgs_with_aa_asserted_identity(self):
client_sids = {
@@ -2455,9 +2469,7 @@ class ConditionalAceTests(ConditionalAceBaseTests):
self._tgs(f'Member_of SID({self.aa_asserted_identity})',
client_from_rodc=True,
client_sids=client_sids,
- expected_groups=client_sids,
- code=KDC_ERR_POLICY,
- edata=self.expect_padata_outer)
+ expected_groups=client_sids)
def test_tgs_with_aa_asserted_identity_device_from_rodc(self):
client_sids = {
@@ -2470,7 +2482,7 @@ class ConditionalAceTests(ConditionalAceBaseTests):
device_from_rodc=True,
client_sids=client_sids,
expected_groups=client_sids,
- code=CRASHES_WINDOWS)
+ code=(0, CRASHES_WINDOWS))
def test_tgs_with_aa_asserted_identity_both_from_rodc(self):
client_sids = {
@@ -2484,7 +2496,7 @@ class ConditionalAceTests(ConditionalAceBaseTests):
device_from_rodc=True,
client_sids=client_sids,
expected_groups=client_sids,
- code=CRASHES_WINDOWS)
+ code=(0, CRASHES_WINDOWS))
def test_tgs_without_service_asserted_identity(self):
client_sids = {
@@ -2494,7 +2506,6 @@ class ConditionalAceTests(ConditionalAceBaseTests):
self._tgs(f'Member_of SID({self.service_asserted_identity})',
client_sids=client_sids,
- expected_groups=client_sids,
code=KDC_ERR_POLICY,
status=ntstatus.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED,
event=AuditEvent.KERBEROS_SERVER_RESTRICTION,
@@ -2510,8 +2521,10 @@ class ConditionalAceTests(ConditionalAceBaseTests):
self._tgs(f'Member_of SID({self.service_asserted_identity})',
client_from_rodc=True,
client_sids=client_sids,
- expected_groups=client_sids,
code=KDC_ERR_POLICY,
+ status=ntstatus.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED,
+ event=AuditEvent.KERBEROS_SERVER_RESTRICTION,
+ reason=AuditReason.ACCESS_DENIED,
edata=self.expect_padata_outer)
def test_tgs_without_service_asserted_identity_device_from_rodc(self):
@@ -2523,8 +2536,11 @@ class ConditionalAceTests(ConditionalAceBaseTests):
self._tgs(f'Member_of SID({self.service_asserted_identity})',
device_from_rodc=True,
client_sids=client_sids,
- expected_groups=client_sids,
- code=CRASHES_WINDOWS)
+ code=(KDC_ERR_POLICY, CRASHES_WINDOWS),
+ status=ntstatus.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED,
+ event=AuditEvent.KERBEROS_SERVER_RESTRICTION,
+ reason=AuditReason.ACCESS_DENIED,
+ edata=self.expect_padata_outer)
def test_tgs_without_service_asserted_identity_both_from_rodc(self):
client_sids = {
@@ -2536,8 +2552,11 @@ class ConditionalAceTests(ConditionalAceBaseTests):
client_from_rodc=True,
device_from_rodc=True,
client_sids=client_sids,
- expected_groups=client_sids,
- code=CRASHES_WINDOWS)
+ code=(KDC_ERR_POLICY, CRASHES_WINDOWS),
+ status=ntstatus.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED,
+ event=AuditEvent.KERBEROS_SERVER_RESTRICTION,
+ reason=AuditReason.ACCESS_DENIED,
+ edata=self.expect_padata_outer)
def test_tgs_with_service_asserted_identity(self):
client_sids = {
@@ -2560,9 +2579,7 @@ class ConditionalAceTests(ConditionalAceBaseTests):
self._tgs(f'Member_of SID({self.service_asserted_identity})',
client_from_rodc=True,
client_sids=client_sids,
- expected_groups=client_sids,
- code=KDC_ERR_POLICY,
- edata=self.expect_padata_outer)
+ expected_groups=client_sids)
def test_tgs_with_service_asserted_identity_device_from_rodc(self):
client_sids = {
@@ -2575,7 +2592,7 @@ class ConditionalAceTests(ConditionalAceBaseTests):
device_from_rodc=True,
client_sids=client_sids,
expected_groups=client_sids,
- code=CRASHES_WINDOWS)
+ code=(0, CRASHES_WINDOWS))
def test_tgs_with_service_asserted_identity_both_from_rodc(self):
client_sids = {
@@ -2589,7 +2606,7 @@ class ConditionalAceTests(ConditionalAceBaseTests):
device_from_rodc=True,
client_sids=client_sids,
expected_groups=client_sids,
- code=CRASHES_WINDOWS)
+ code=(0, CRASHES_WINDOWS))
def test_tgs_without_claims_valid(self):
client_sids = {
@@ -2599,7 +2616,6 @@ class ConditionalAceTests(ConditionalAceBaseTests):
self._tgs(f'Member_of SID({security.SID_CLAIMS_VALID})',
client_sids=client_sids,
- expected_groups=client_sids,
code=KDC_ERR_POLICY,
status=ntstatus.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED,
event=AuditEvent.KERBEROS_SERVER_RESTRICTION,
@@ -2615,8 +2631,10 @@ class ConditionalAceTests(ConditionalAceBaseTests):
self._tgs(f'Member_of SID({security.SID_CLAIMS_VALID})',
client_from_rodc=True,
client_sids=client_sids,
- expected_groups=client_sids,
code=KDC_ERR_POLICY,
+ status=ntstatus.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED,
+ event=AuditEvent.KERBEROS_SERVER_RESTRICTION,
+ reason=AuditReason.ACCESS_DENIED,
edata=self.expect_padata_outer)
def test_tgs_without_claims_valid_device_from_rodc(self):
@@ -2628,8 +2646,11 @@ class ConditionalAceTests(ConditionalAceBaseTests):
self._tgs(f'Member_of SID({security.SID_CLAIMS_VALID})',
device_from_rodc=True,
client_sids=client_sids,
- expected_groups=client_sids,
- code=CRASHES_WINDOWS)
+ code=(KDC_ERR_POLICY, CRASHES_WINDOWS),
+ status=ntstatus.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED,
+ event=AuditEvent.KERBEROS_SERVER_RESTRICTION,
+ reason=AuditReason.ACCESS_DENIED,
+ edata=self.expect_padata_outer)
def test_tgs_without_claims_valid_both_from_rodc(self):
client_sids = {
@@ -2641,8 +2662,11 @@ class ConditionalAceTests(ConditionalAceBaseTests):
client_from_rodc=True,
device_from_rodc=True,
client_sids=client_sids,
- expected_groups=client_sids,
- code=CRASHES_WINDOWS)
+ code=(KDC_ERR_POLICY, CRASHES_WINDOWS),
+ status=ntstatus.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED,
+ event=AuditEvent.KERBEROS_SERVER_RESTRICTION,
+ reason=AuditReason.ACCESS_DENIED,
+ edata=self.expect_padata_outer)
def test_tgs_with_claims_valid(self):
client_sids = {
@@ -2665,9 +2689,7 @@ class ConditionalAceTests(ConditionalAceBaseTests):
self._tgs(f'Member_of SID({security.SID_CLAIMS_VALID})',
client_from_rodc=True,
client_sids=client_sids,
- expected_groups=client_sids,
- code=KDC_ERR_POLICY,
- edata=self.expect_padata_outer)
+ expected_groups=client_sids)
def test_tgs_with_claims_valid_device_from_rodc(self):
client_sids = {
@@ -2680,7 +2702,7 @@ class ConditionalAceTests(ConditionalAceBaseTests):
device_from_rodc=True,
client_sids=client_sids,
expected_groups=client_sids,
- code=CRASHES_WINDOWS)
+ code=(0, CRASHES_WINDOWS))
def test_tgs_with_claims_valid_both_from_rodc(self):
client_sids = {
@@ -2694,7 +2716,7 @@ class ConditionalAceTests(ConditionalAceBaseTests):
device_from_rodc=True,
client_sids=client_sids,
expected_groups=client_sids,
- code=CRASHES_WINDOWS)
+ code=(0, CRASHES_WINDOWS))
def _tgs(self,
target_policy=None,
@@ -2713,8 +2735,13 @@ class ConditionalAceTests(ConditionalAceBaseTests):
expected_groups=None,
expected_device_groups=None,
expected_claims=None):
- if code is CRASHES_WINDOWS and not self.crash_windows:
- self.skipTest('test crashes Windows servers')
+ try:
+ code, crashes_windows = code
+ self.assertIs(crashes_windows, CRASHES_WINDOWS)
+ if not self.crash_windows:
+ self.skipTest('test crashes Windows servers')
+ except TypeError:
+ self.assertIsNot(code, CRASHES_WINDOWS)
samdb = self.get_samdb()
functional_level = self.get_domain_functional_level(samdb)
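Review bot: third verbatim copy of the `code, crashes_windows = code` block; see the comments on the first two. With three call sites the helper suggested there pays for itself, and it would also give one place to switch from `except TypeError` to an `isinstance()` check.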
diff --git a/python/samba/tests/krb5/rfc4120.asn1 b/python/samba/tests/krb5/rfc4120.asn1
index 62af4207d61..1b2c7cc06dc 100644
--- a/python/samba/tests/krb5/rfc4120.asn1
+++ b/python/samba/tests/krb5/rfc4120.asn1
@@ -129,7 +129,7 @@
-- Support. For questions and support, please contact dochelp at microsoft.com
- The above is the IPR notice from MS-KILE
+-- The above is the IPR notice from MS-KILE
KerberosV5Spec2 {
iso(1) identified-organization(3) dod(6) internet(1)
diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc
index 2ef041b6a29..842309bafe8 100644
--- a/selftest/knownfail_heimdal_kdc
+++ b/selftest/knownfail_heimdal_kdc
@@ -111,12 +111,8 @@
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_6_1_b_6_1___a_or_b_\(ad_dc\)
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_6_2_b_6_3___a_equals_b_\(ad_dc\)
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_b_6_1___b_or_b_or_b_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_empty_string_3___empty_string_\(ad_dc\)
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_false_and_true_boolean_6_0_1___false_and_true_boolean_\(ad_dc\)
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_false_boolean_6_0___false_boolean_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_invalid_octet_string_16___invalid_octet_string_equals_invalid_octet_string_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_invalid_sid_5___invalid_sid_equals_invalid_sid_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_larger_claim_3_zzzzzzzzzzzzzzzzzzz
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_many_claims_2_0_1_2_3_4_5_6_7_8_9_10
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_non_empty_string_3_foo_bar___non_empty_string_\(ad_dc\)
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_nonzero_int_1_1___nonzero_int_\(ad_dc\)
@@ -129,35 +125,18 @@
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_zero_and_one_uint_2_0_1___zero_and_one_uint_\(ad_dc\)
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_zero_int_1_0___zero_int_\(ad_dc\)
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_zero_uint_2_0___zero_uint_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_all_from_rodc\(ad_dc\)
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_client_and_device_from_rodc\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_client_and_service_from_rodc\(ad_dc\)
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_client_from_rodc\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_device_and_service_from_rodc\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_device_from_rodc\(ad_dc\)
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_device_with_aa_asserted_identity\(ad_dc\)
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_device_with_claims_valid\(ad_dc\)
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_device_with_compounded_auth\(ad_dc\)
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_device_with_service_asserted_identity\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_service_from_rodc\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_aa_asserted_identity_both_from_rodc\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_aa_asserted_identity_client_from_rodc\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_aa_asserted_identity_device_from_rodc\(ad_dc\)
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_claims_valid_both_from_rodc\(ad_dc\)
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_claims_valid_client_from_rodc\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_claims_valid_device_from_rodc\(ad_dc\)
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_service_asserted_identity_both_from_rodc\(ad_dc\)
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_service_asserted_identity_client_from_rodc\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_service_asserted_identity_device_from_rodc\(ad_dc\)
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_without_aa_asserted_identity_both_from_rodc\(ad_dc\)
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_without_aa_asserted_identity_client_from_rodc\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_without_aa_asserted_identity_device_from_rodc\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_without_claims_valid_both_from_rodc\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_without_claims_valid_client_from_rodc\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_without_claims_valid_device_from_rodc\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_without_service_asserted_identity_both_from_rodc\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_without_service_asserted_identity_client_from_rodc\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_without_service_asserted_identity_device_from_rodc\(ad_dc\)
#
# Conditional ACE device restrictions
#
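Review bot: the `test_rbcd_client_from_rodc` and `test_rbcd_client_and_device_from_rodc` entries are kept while the other `test_rbcd_*_from_rodc` entries are removed. Since the test changes earlier in this diff now expect `test_rbcd_client_from_rodc` to succeed (its KDC_ERR_MODIFIED expectation was dropped), leaving it in knownfail records that the Heimdal KDC still does not pass that case; a one-line comment in the knownfail file stating that would help whoever removes the entry later.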
diff --git a/source4/dsdb/samdb/ldb_modules/samba_dsdb.c b/source4/dsdb/samdb/ldb_modules/samba_dsdb.c
index d9de16e02c2..37213a5febc 100644
--- a/source4/dsdb/samdb/ldb_modules/samba_dsdb.c
--
Samba Shared Repository