[SCM] Samba Shared Repository - branch master updated

Andrew Bartlett abartlet at samba.org
Tue Apr 16 05:03:02 UTC 2024


The branch, master has been updated
       via  532789b4f3f s4:dsdb: Implement msDS-ManagedPassword attribute
       via  ddcf20b518c s4:dsdb: Add extra attrs to search request even if replacement attribute is NULL
       via  be0029cff4a python:tests: Catch failures to authenticate with gMSA managed passwords
       via  a52239af9df selftest: Expand out knownfails for gMSA getpassword tests
       via  6f9281b028c s4:dsdb: Set up passwords and password IDs of new gMSAs
       via  85fbdcd048f s4:dsdb: Add functions for Group Managed Service Accounts implementation
       via  85d34934e13 s4:dsdb: Factor out a function to remove all password related attributes
       via  7b7fdfbce3c lib:crypto: Reformat source code
       via  bb5ca9f466f tests/krb5: Add tests for gMSAs
       via  42710f0455c python:nt_time: Add NT_TIME_MAX constant
       via  c6ed19ad1a7 python:gkdi: Reformat code with ‘ruff’
       via  5aaebb537e3 python:gkdi: Add Gkdi.from_key_envelope() method
       via  0c0a25d0b2d python:gkdi: Add notes on GKDI time periods
       via  13815813341 tests/gkdi: Change ‘current_gkid’ parameter to ‘current_time’
       via  b64a02d5b5a tests/gkdi: Remove implicit clock skew offset
       via  13dcf7f74c2 tests/gkdi: Allow current time to be overridden
       via  6d20d436dee tests/krb5: Make use of ‘expect_edata’ parameter
       via  1f4e1c026d9 tests/krb5: Remove unused variable
       via  586c4ec718c tests/krb5: Fix code spelling
       via  5656fd2ff2b tests/krb5: Remove unused import
       via  4b6f65a4a25 python:tests: Fix typo
       via  5379956bd44 python:tests: Reformat code
       via  ae39a15b518 python:tests: Fix set declaration
       via  ea83bb84b98 python:tests: Replace deprecated method assertRaisesRegexp()
       via  ff8e98daf1c s4:ldap_server: Consider ldapi connections to be encrypted
       via  c63cabf1e09 s4:ldap_server: Store whether an LDAP connection is over ldapi
       via  c2378d0c6f3 s4:ldap_server: Add copy of non‐privileged ops specifically for ldapi connections
       via  ec6579829f9 s4:ldap_server: Rename privileged ops to indicate they are used for ldapi
       via  7df4bdd0fe7 s4:ldap_server: Fix code spelling
       via  1a6dbcfb105 s4:ldap_server: Remove trailing whitespace
       via  c9370d3ced2 selftest: Move some KDS root key tests around to prepare for gMSA server side
       via  bd60c605ca1 selftest: Remove duplicate setup of "spn/upn namespaces" in the customdc testenv
       via  aa6795b32ff s3:auth: Add support for standalone server with MIT Kerberos 1.21
       via  b58395e5c37 s3:auth: Split auth3_generate_session_info_pac() into functions
       via  20c546f928d s3:auth: Re-format auth3_generate_session_info_pac()
       via  cdb31d7e45b s3:auth: Remove trailing spaces
      from  75a4fbbf6a3 smbdotconf: Enable "winbind debug traceid" by default

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 532789b4f3f0efe5350089391a97f24296f3be90
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Tue Feb 13 15:45:21 2024 +1300

    s4:dsdb: Implement msDS-ManagedPassword attribute
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Tue Apr 16 05:02:30 UTC 2024 on atb-devel-224

commit ddcf20b518c676140d83052bf0b79628a9299012
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Tue Apr 9 16:15:48 2024 +1200

    s4:dsdb: Add extra attrs to search request even if replacement attribute is NULL
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit be0029cff4af5c7ef0fb54bdf18fbcb7165572eb
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Tue Apr 9 14:09:17 2024 +1200

    python:tests: Catch failures to authenticate with gMSA managed passwords
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit a52239af9dff958fb26c7bf5242a3f9e9b4fc3a2
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Tue Apr 9 13:55:58 2024 +1200

    selftest: Expand out knownfails for gMSA getpassword tests
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 6f9281b028ca6a8f392a1c0fff02ba9af5c0072f
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Fri Apr 5 13:23:18 2024 +1300

    s4:dsdb: Set up passwords and password IDs of new gMSAs
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 85fbdcd048fefc5c7edca709855e7510f3085a9a
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Tue Feb 13 16:09:57 2024 +1300

    s4:dsdb: Add functions for Group Managed Service Accounts implementation
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 85d34934e1348e4b09591499f6080b2867b9c99d
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Tue Apr 9 12:15:00 2024 +1200

    s4:dsdb: Factor out a function to remove all password related attributes
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 7b7fdfbce3c2b6f86399fb585e334a78fe696423
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Tue Apr 2 10:33:27 2024 +1300

    lib:crypto: Reformat source code
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit bb5ca9f466f2aa018624fc29eac6410b550b2630
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Fri Apr 5 13:44:08 2024 +1300

    tests/krb5: Add tests for gMSAs
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 42710f0455c95d6250f9fbf3a2b1ca469d2d6e2d
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Fri Apr 5 13:43:46 2024 +1300

    python:nt_time: Add NT_TIME_MAX constant
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit c6ed19ad1a71d9d8bfebd9e9db939e2959df3a2c
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Fri Apr 5 13:43:30 2024 +1300

    python:gkdi: Reformat code with ‘ruff’
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 5aaebb537e3e5e3595567429b7cdf478d9e3be80
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Fri Apr 5 13:43:15 2024 +1300

    python:gkdi: Add Gkdi.from_key_envelope() method
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 0c0a25d0b2d96aac9e587433108c35fab31d75fe
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Fri Apr 5 13:42:31 2024 +1300

    python:gkdi: Add notes on GKDI time periods
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 13815813341cf797fe3f99d67fbd78f133fbed84
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Tue Apr 2 11:15:08 2024 +1300

    tests/gkdi: Change ‘current_gkid’ parameter to ‘current_time’
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit b64a02d5b5aafc87637083ac35d4a0af99c0529e
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Tue Apr 2 11:13:37 2024 +1300

    tests/gkdi: Remove implicit clock skew offset
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 13dcf7f74c2f8ae2e8911f92063fe34095483438
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Tue Mar 26 16:25:31 2024 +1300

    tests/gkdi: Allow current time to be overridden
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 6d20d436dee2b6c4c6c91a809b2916c0b8a62d7f
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Tue Mar 19 14:27:00 2024 +1300

    tests/krb5: Make use of ‘expect_edata’ parameter
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 1f4e1c026d9914f2ae2212112b3e60c962e06ba3
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Fri Mar 22 12:32:46 2024 +1300

    tests/krb5: Remove unused variable
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 586c4ec718ceb177e6ddee437af6416d9590b179
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Fri Mar 22 12:32:25 2024 +1300

    tests/krb5: Fix code spelling
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 5656fd2ff2b1cceb6dfc8a3593cfb112324daf89
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Fri Mar 22 12:31:38 2024 +1300

    tests/krb5: Remove unused import
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 4b6f65a4a259bd3dd6a9439582e71c20b2eb2a17
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Tue Apr 9 14:15:51 2024 +1200

    python:tests: Fix typo
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 5379956bd444fe49110bf8102c199ea8a0d4f909
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Mon Mar 4 13:38:10 2024 +1300

    python:tests: Reformat code
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit ae39a15b51841c6106b5857a5ae892687c8deea8
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Tue Apr 9 15:39:43 2024 +1200

    python:tests: Fix set declaration
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit ea83bb84b98ae381862f68d245d45e53508dbc09
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Tue Apr 9 15:31:15 2024 +1200

    python:tests: Replace deprecated method assertRaisesRegexp()
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit ff8e98daf1c3fd99d4d880ddc2d47eeb0d99718c
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Tue Apr 16 14:28:43 2024 +1200

    s4:ldap_server: Consider ldapi connections to be encrypted
    
    Modifications to unicodePwd require an encrypted connection. This change
    allows unicodePwd to be modified over an ldapi connection.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15634
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
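
    The commit above says that unicodePwd changes are only accepted over an encrypted connection and that an ldapi connection now counts as one. The following Python is an added example, not Samba's own ldap_server code: it builds the unicodePwd value the way AD and Samba expect it on the wire (the new password in double quotes, UTF-16-LE encoded, base64 in LDIF), and models the transport rule with a small policy function. The DN, password and ldapi socket path are made up for illustration.

```python
"""Prepare a unicodePwd replacement and apply the transport rule the commit
describes: the change is only sent on a connection counted as encrypted,
and an ldapi:// (unix-domain socket) connection now counts. The policy
function models that rule; it is not Samba's own ldap_server code."""
import base64
from urllib.parse import urlparse


def unicode_pwd_value(password: str) -> bytes:
    """AD and Samba expect the new password wrapped in double quotes and
    encoded as UTF-16-LE; this is what goes on the wire in the modify."""
    return f'"{password}"'.encode("utf-16-le")


def decode_unicode_pwd(value: bytes) -> str:
    """Inverse of unicode_pwd_value(), with the quote framing checked."""
    text = value.decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("unicodePwd value is not a double-quoted UTF-16-LE string")
    return text[1:-1]


def connection_is_encrypted(url: str, tls_started: bool = False,
                            sasl_sealed: bool = False) -> bool:
    """Model of the server-side check: ldaps and ldapi are encrypted by
    construction, plain ldap needs StartTLS or a sealing SASL layer."""
    scheme = urlparse(url).scheme.lower()
    if scheme in ("ldaps", "ldapi"):
        return True
    if scheme == "ldap":
        return tls_started or sasl_sealed
    raise ValueError(f"unsupported LDAP URL scheme {scheme!r}")


def build_unicode_pwd_modify(dn: str, new_password: str, url: str,
                             tls_started: bool = False,
                             sasl_sealed: bool = False) -> str:
    """Return the LDIF for a unicodePwd replace, refusing it on a cleartext
    connection just as the server would."""
    if not connection_is_encrypted(url, tls_started, sasl_sealed):
        raise PermissionError(f"refusing to send unicodePwd over unencrypted {url}")
    b64 = base64.b64encode(unicode_pwd_value(new_password)).decode("ascii")
    # "::" marks a base64-encoded attribute value in LDIF
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: unicodePwd",
        f"unicodePwd:: {b64}",
        "-",
        "",
    ])


if __name__ == "__main__":
    # Socket path and DN are assumptions for illustration, not documented defaults.
    print(build_unicode_pwd_modify("CN=svc-web,CN=Users,DC=example,DC=com",
                                   "Pa55w.rd-2024",
                                   "ldapi:///var/lib/samba/private/ldapi"))
```

    The LDIF it prints can be piped into `ldbmodify -H ldapi://<socket>` as root; the same LDIF sent over `ldap://` without StartTLS or a sealing SASL bind is what the server rejects, and the policy function refuses it client-side for the same reason.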

commit c63cabf1e09bb2d1416483767d1ca835abe017da
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Tue Apr 16 14:28:21 2024 +1200

    s4:ldap_server: Store whether an LDAP connection is over ldapi
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15634
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit c2378d0c6f3e2f6b10902dc40b4a28c1dc788042
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Tue Apr 16 14:27:41 2024 +1200

    s4:ldap_server: Add copy of non‐privileged ops specifically for ldapi connections
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15634
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit ec6579829f9781d113428b8b3c603edd3e6c222d
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Tue Apr 16 14:31:11 2024 +1200

    s4:ldap_server: Rename privileged ops to indicate they are used for ldapi
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15634
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 7df4bdd0fe722da63862d46f809f7ac0498ebe59
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Tue Apr 16 14:17:33 2024 +1200

    s4:ldap_server: Fix code spelling
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15634
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 1a6dbcfb1054a2f140a50a039e4f054c43cfb77d
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Tue Apr 16 14:17:02 2024 +1200

    s4:ldap_server: Remove trailing whitespace
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15634
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit c9370d3ced2fb32bd42883366b4400c65f18512f
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Apr 11 16:26:49 2024 +1200

    selftest: Move some KDS root key tests around to prepare for gMSA server side
    
    Once we have a gMSA server side, the impact of deleting root keys becomes real
    and so we must do this in a quiet place where it cannot impact on other things.
    
    Likewise, we want the samba.tests.dsdb_quiet_provision_tests tests to run
    somewhere that is not doing other things, so we can see what a bare provision
    will do.  We must not allow test ordering inside the file to cause tests that
    create root keys to run before checking if provision created a usable root key.
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>

commit bd60c605ca1cf3f3568646dc3c0ca3501f0bfbec
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Apr 11 14:33:16 2024 +1200

    selftest: Remove duplicate setup of "spn/upn namespaces" in the customdc testenv
    
    The call to $self->setup_namespaces() was always in error, as the design
    is to have it in the state that it was backed up in, but before commit
    08be28241b808845c4b51a4c47765a9416ca3aa7 the error return was not
    checked and so this was harmless.
    
    The customdc environment is not tested in selftest currently, as
    it is intended to be used for manual testing of domains from backup
    files not as an automatically constructed environment.
    
    This makes:
     BACKUP_FILE=samba-backup-2024-04-11T14-10-20.437096.tar.bz2 SELFTEST_TESTENV=customdc make testenv
    work again.
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>

commit aa6795b32ff6335c2136f9c97482da6a09a2f059
Author: Andreas Schneider <asn at samba.org>
Date:   Thu Apr 11 10:29:18 2024 +0200

    s3:auth: Add support for standalone server with MIT Kerberos 1.21
    
    This adds support for MIT Kerberos minimal PAC. Tickets from pure
    Kerberos realms with MIT Kerberos 1.21 or newer will always include a
    minimal PAC. The PAC includes the checksum buffers and a logon_name PAC
    buffer.
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
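
    The commit above describes the minimal PAC that MIT Kerberos 1.21+ puts in tickets for pure Kerberos realms: checksum buffers plus a logon_name (PAC_CLIENT_INFO) buffer, and no LOGON_INFO. The Python below is an added example, not code from Samba or MIT Kerberos: it parses the MS-PAC PACTYPE container with bounds checks, tells a minimal PAC from a full AD-style one by the buffer types present, and decodes the client name. The ulType constants are taken from the MS-PAC specification; the sample PACs, the client name "alice", the FILETIME value and the zeroed checksums are constructed for the example, and no signature is verified (that needs the service and krbtgt keys).

```python
"""Parse a Kerberos PAC (the MS-PAC PACTYPE structure) and tell a minimal
PAC, as issued by MIT Kerberos 1.21+ for pure Kerberos realms, from a full
AD-style PAC. Constructed sample PACs are built below; checksums are not
verified here (that needs the service and krbtgt keys)."""
import struct

# PAC_INFO_BUFFER ulType values (MS-PAC section 2.4). Taken from the
# specification; the page itself only names the checksum and logon_name buffers.
PAC_LOGON_INFO = 0x01
PAC_SERVER_CHECKSUM = 0x06
PAC_PRIVSVR_CHECKSUM = 0x07
PAC_CLIENT_INFO = 0x0A          # the "logon_name" buffer: FILETIME + client name
PAC_TICKET_CHECKSUM = 0x10

HEADER_FMT = "<II"              # PACTYPE: cBuffers, Version
ENTRY_FMT = "<IIQ"              # PAC_INFO_BUFFER: ulType, cbBufferSize, Offset
ENTRY_LEN = struct.calcsize(ENTRY_FMT)   # 16 bytes


def parse_pac(blob: bytes) -> dict:
    """Return {ulType: raw buffer bytes}, bounds-checking every entry."""
    if len(blob) < struct.calcsize(HEADER_FMT):
        raise ValueError("PAC too short for PACTYPE header")
    n_buffers, version = struct.unpack_from(HEADER_FMT, blob, 0)
    if version != 0:
        raise ValueError(f"unsupported PAC version {version}")
    hdr_len = 8 + ENTRY_LEN * n_buffers
    if len(blob) < hdr_len:
        raise ValueError("PAC_INFO_BUFFER array truncated")
    buffers = {}
    for i in range(n_buffers):
        ul_type, size, offset = struct.unpack_from(ENTRY_FMT, blob, 8 + ENTRY_LEN * i)
        if offset < hdr_len or offset + size > len(blob):
            raise ValueError(f"buffer type {ul_type:#x} lies outside the PAC")
        if ul_type in buffers:
            raise ValueError(f"duplicate buffer type {ul_type:#x}")
        buffers[ul_type] = blob[offset:offset + size]
    return buffers


def parse_client_info(buf: bytes) -> tuple:
    """PAC_CLIENT_INFO: FILETIME ClientId, USHORT NameLength, WCHAR Name[]."""
    client_id, name_len = struct.unpack_from("<QH", buf, 0)
    if 10 + name_len > len(buf):
        raise ValueError("PAC_CLIENT_INFO name truncated")
    return client_id, buf[10:10 + name_len].decode("utf-16-le")


def classify_pac(blob: bytes) -> tuple:
    """Return ("minimal" | "full", client name). Both kinds must carry the
    server and KDC checksums and the client-info buffer."""
    bufs = parse_pac(blob)
    for required in (PAC_SERVER_CHECKSUM, PAC_PRIVSVR_CHECKSUM, PAC_CLIENT_INFO):
        if required not in bufs:
            raise ValueError(f"PAC lacks mandatory buffer {required:#x}")
    kind = "full" if PAC_LOGON_INFO in bufs else "minimal"
    _, name = parse_client_info(bufs[PAC_CLIENT_INFO])
    return kind, name


def build_pac(buffers: dict) -> bytes:
    """Assemble a PACTYPE from {ulType: bytes}; every buffer starts 8-byte aligned."""
    hdr_len = 8 + ENTRY_LEN * len(buffers)
    entries, body = b"", b""
    for ul_type, data in buffers.items():
        entries += struct.pack(ENTRY_FMT, ul_type, len(data), hdr_len + len(body))
        body += data + b"\x00" * ((-len(data)) % 8)
    return struct.pack(HEADER_FMT, len(buffers), 0) + entries + body


# Constructed sample data (not captured from a real KDC).
def _client_info(name: str, client_id: int = 0x01DA8F1C4B2E3A00) -> bytes:
    encoded = name.encode("utf-16-le")
    return struct.pack("<QH", client_id, len(encoded)) + encoded


def _checksum_stub() -> bytes:
    # SignatureType 16 (HMAC_SHA1_96_AES256) followed by a 12-byte checksum;
    # zeros here because the keys needed to sign are not part of this example.
    return struct.pack("<I", 16) + bytes(12)


MINIMAL_PAC = build_pac({
    PAC_CLIENT_INFO: _client_info("alice"),
    PAC_SERVER_CHECKSUM: _checksum_stub(),
    PAC_PRIVSVR_CHECKSUM: _checksum_stub(),
})
FULL_PAC = build_pac({
    PAC_LOGON_INFO: bytes(64),      # placeholder for a KERB_VALIDATION_INFO NDR blob
    PAC_CLIENT_INFO: _client_info("alice"),
    PAC_SERVER_CHECKSUM: _checksum_stub(),
    PAC_PRIVSVR_CHECKSUM: _checksum_stub(),
})

if __name__ == "__main__":
    for label, pac in (("MIT-style", MINIMAL_PAC), ("AD-style", FULL_PAC)):
        print(label, classify_pac(pac))
```

    The classification is what a server has to do before deciding how to build a session: with a minimal PAC there is no LOGON_INFO to take SIDs and group membership from, so the client name from PAC_CLIENT_INFO is all the ticket asserts about the user, and the rest has to come from local account lookup.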

commit b58395e5c37e952667f31370c593742328ff324e
Author: Andreas Schneider <asn at samba.org>
Date:   Thu Apr 11 10:21:16 2024 +0200

    s3:auth: Split auth3_generate_session_info_pac() into functions
    
    This gets rid of the multiple gotos and just has a single destructor
    goto.
    Best view this commit with `git show -b <sha> --color-moved=zebra`
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 20c546f928dfc952e701afe7ee76ea3602580d35
Author: Andreas Schneider <asn at samba.org>
Date:   Fri Apr 12 14:36:32 2024 +0200

    s3:auth: Re-format auth3_generate_session_info_pac()
    
    This is in preparation to split up the function into several functions.
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit cdb31d7e45bf1ca8a899dea82bd5b1ecc0ef1838
Author: Andreas Schneider <asn at samba.org>
Date:   Fri Mar 15 12:41:19 2024 +0100

    s3:auth: Remove trailing spaces
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 lib/crypto/gmsa.c                                  |    8 +-
 python/samba/gkdi.py                               |   24 +-
 python/samba/nt_time.py                            |    3 +-
 python/samba/tests/blackbox/gmsa.py                |    2 +-
 python/samba/tests/dckeytab.py                     |    4 +-
 ..._provision_tests.py => dsdb_quiet_env_tests.py} |   28 +-
 python/samba/tests/dsdb_quiet_provision_tests.py   |  211 ---
 python/samba/tests/gkdi.py                         |   73 +-
 python/samba/tests/krb5/gkdi_tests.py              |   41 +-
 python/samba/tests/krb5/gmsa_tests.py              |  905 +++++++++++++
 python/samba/tests/krb5/kdc_base_test.py           |    3 +
 python/samba/tests/krb5/pkinit_tests.py            |   14 +-
 python/samba/tests/samba_tool/service_account.py   |    2 +-
 .../tests/samba_tool/user_getpassword_gmsa.py      |   29 +-
 selftest/knownfail.d/gmsa                          |    1 -
 .../samba-tool-user-get-kerberos-ticket            |    3 -
 selftest/knownfail.d/user_getpassword_gmsa         |    4 +-
 selftest/knownfail_mit_kdc_1_20                    |    5 +
 selftest/target/Samba4.pm                          |    4 -
 source3/auth/auth_generic.c                        |  420 +++---
 source4/dsdb/gmsa/gkdi.c                           |  248 ++++
 source4/dsdb/gmsa/gkdi.h                           |   25 +
 source4/dsdb/gmsa/util.c                           | 1414 ++++++++++++++++++++
 source4/dsdb/gmsa/util.h                           |  106 ++
 source4/dsdb/samdb/ldb_modules/managed_pwd.c       |  178 +++
 .../gkdi.h => samdb/ldb_modules/managed_pwd.h}     |   35 +-
 source4/dsdb/samdb/ldb_modules/operational.c       |   25 +-
 source4/dsdb/samdb/ldb_modules/password_hash.c     |   14 +-
 source4/dsdb/samdb/ldb_modules/samldb.c            |   98 ++
 source4/dsdb/samdb/ldb_modules/util.c              |   18 +
 .../dsdb/samdb/ldb_modules/wscript_build_server    |    4 +-
 source4/dsdb/samdb/samdb.h                         |    5 +-
 source4/dsdb/wscript_build                         |    2 +-
 source4/ldap_server/ldap_backend.c                 |    2 +-
 source4/ldap_server/ldap_server.c                  |   60 +-
 source4/ldap_server/ldap_server.h                  |    9 +-
 source4/selftest/tests.py                          |   20 +-
 37 files changed, 3492 insertions(+), 555 deletions(-)
 copy python/samba/tests/{dsdb_quiet_provision_tests.py => dsdb_quiet_env_tests.py} (92%)
 create mode 100755 python/samba/tests/krb5/gmsa_tests.py
 create mode 100644 source4/dsdb/gmsa/util.c
 create mode 100644 source4/dsdb/gmsa/util.h
 create mode 100644 source4/dsdb/samdb/ldb_modules/managed_pwd.c
 copy source4/dsdb/{gmsa/gkdi.h => samdb/ldb_modules/managed_pwd.h} (52%)


Changeset truncated at 500 lines:

diff --git a/lib/crypto/gmsa.c b/lib/crypto/gmsa.c
index 1cd7a0e6973..cc3aff525d1 100644
--- a/lib/crypto/gmsa.c
+++ b/lib/crypto/gmsa.c
@@ -238,8 +238,12 @@ NTSTATUS gmsa_talloc_password_based_on_key_id(
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	status = gmsa_password_based_on_key_id(
-		mem_ctx, gkid, current_time, root_key, account_sid, password->buf);
+	status = gmsa_password_based_on_key_id(mem_ctx,
+					       gkid,
+					       current_time,
+					       root_key,
+					       account_sid,
+					       password->buf);
 	if (!NT_STATUS_IS_OK(status)) {
 		talloc_free(password);
 		return status;
diff --git a/python/samba/gkdi.py b/python/samba/gkdi.py
index 4179263b769..22890c83ff3 100644
--- a/python/samba/gkdi.py
+++ b/python/samba/gkdi.py
@@ -105,6 +105,10 @@ class UndefinedStartTime(Exception):
 
 @total_ordering
 class Gkid:
+    # L2 increments every 10 hours. It rolls over after 320 hours (13 days and 8 hours).
+    # L1 increments every 320 hours. It rolls over after 10240 hours (426 days and 16 hours).
+    # L0 increments every 10240 hours. It rolls over after 43980465111040 hours (five billion years).
+
     __slots__ = ["_l0_idx", "_l1_idx", "_l2_idx"]
 
     max_l0_idx = 0x7FFF_FFFF
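
Review bot: the L0 rollover figure in the new comment (43980465111040 hours) assumes 2^32 L0 values, but max_l0_idx is 0x7FFF_FFFF, which gives 2^31 values; at 10240 hours per L0 period that is 21990232555520 hours (roughly 2.5 billion years), so either the comment or the constant should change. The L1 and L2 figures (320 and 10240 hours) are consistent with 32 values each.
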
@@ -285,6 +289,10 @@ class Gkid:
 
         return start_time
 
+    @staticmethod
+    def from_key_envelope(env: gkdi.KeyEnvelope) -> "Gkid":
+        return Gkid(env.l0_index, env.l1_index, env.l2_index)
+
 
 class SeedKeyPair:
     __slots__ = ["l1_key", "l2_key", "gkid", "hash_algorithm", "root_key_id"]
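
Review bot: the annotation `gkdi.KeyEnvelope` on from_key_envelope() is evaluated when the class body runs, so this module needs `gkdi` (the NDR module) importable under that name at module scope, which the hunk does not show; if it is only imported for typing, use a string annotation or `from __future__ import annotations`. Consider making this a `@classmethod` that returns `cls(env.l0_index, env.l1_index, env.l2_index)` so a subclass of Gkid gets an instance of itself.
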
@@ -344,13 +352,15 @@ class SeedKeyPair:
         )
 
     def __hash__(self) -> int:
-        return hash((
-            self.l1_key,
-            self.l2_key,
-            self.gkid,
-            self.hash_algorithm,
-            ndr_pack(self.root_key_id),
-        ))
+        return hash(
+            (
+                self.l1_key,
+                self.l2_key,
+                self.gkid,
+                self.hash_algorithm,
+                ndr_pack(self.root_key_id),
+            )
+        )
 
 
 class GroupKey:
diff --git a/python/samba/nt_time.py b/python/samba/nt_time.py
index ff6903c8e68..098748f4f3c 100644
--- a/python/samba/nt_time.py
+++ b/python/samba/nt_time.py
@@ -25,6 +25,7 @@ import re
 NtTime = NewType("NtTime", int)
 NtTimeDelta = NewType("NtTimeDelta", int)
 
+NT_TIME_MAX = NtTime((1 << 64) - 1)
 
 NT_EPOCH = datetime.datetime(1601, 1, 1, 0, 0, 0, 0, tzinfo=datetime.timezone.utc)
 NT_TICKS_PER_μSEC = 10
@@ -34,7 +35,7 @@ NT_TICKS_PER_SEC = NT_TICKS_PER_μSEC * 1_000_000
 def _validate_nt_time(nt_time: NtTime) -> None:
     if not isinstance(nt_time, int):
         raise ValueError(f"{nt_time} is not an integer")
-    if not 0 <= nt_time < 2**64:
+    if not 0 <= nt_time <= NT_TIME_MAX:
         raise ValueError(f"{nt_time} is out of range")
 
 
diff --git a/python/samba/tests/blackbox/gmsa.py b/python/samba/tests/blackbox/gmsa.py
index eefa3799f6d..6d0411c0d19 100644
--- a/python/samba/tests/blackbox/gmsa.py
+++ b/python/samba/tests/blackbox/gmsa.py
@@ -192,7 +192,7 @@ class GMSABlackboxTest(BlackboxTestCase):
         self.check_run(f'samba-tool service-account modify --name={gmsa_account} --group-msa-membership="{sddl}" -H {HOST} {ADMIN_CREDS}')
 
         # Group MSA membership can no longer be represented as a simple list.
-        with self.assertRaisesRegexp(BlackboxProcessError, "Cannot be represented as a simple list"):
+        with self.assertRaisesRegex(BlackboxProcessError, "Cannot be represented as a simple list"):
             self.check_run(f"samba-tool service-account group-msa-membership show --name={gmsa_account} -H {HOST} {ADMIN_CREDS}")
 
         # Retrieving the SDDL still works fine.
diff --git a/python/samba/tests/dckeytab.py b/python/samba/tests/dckeytab.py
index 090f53332c8..a382e8b7356 100644
--- a/python/samba/tests/dckeytab.py
+++ b/python/samba/tests/dckeytab.py
@@ -458,8 +458,8 @@ class DCKeytabTests(TestCaseInTempDir):
         remote_enctypes = set(remote_keys.keys())
 
         # Check that at least the AES keys were generated
-        self.assertLessEqual(set(credentials.ENCTYPE_AES256_CTS_HMAC_SHA1_96,
-                                 credentials.ENCTYPE_AES128_CTS_HMAC_SHA1_96),
+        self.assertLessEqual({credentials.ENCTYPE_AES256_CTS_HMAC_SHA1_96,
+                              credentials.ENCTYPE_AES128_CTS_HMAC_SHA1_96},
                              remote_enctypes)
 
         local_enctypes = set(local_keys.keys())
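
Review bot: the replaced `set(credentials.ENCTYPE_AES256_CTS_HMAC_SHA1_96, credentials.ENCTYPE_AES128_CTS_HMAC_SHA1_96)` passed two arguments to set(), which raises TypeError, so this assertion has never actually run to completion; it is worth confirming that the test now passes rather than failing differently, and that no knownfail entry was masking the TypeError.
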
diff --git a/python/samba/tests/dsdb_quiet_provision_tests.py b/python/samba/tests/dsdb_quiet_env_tests.py
similarity index 92%
copy from python/samba/tests/dsdb_quiet_provision_tests.py
copy to python/samba/tests/dsdb_quiet_env_tests.py
index f6bdf1705f3..6c79dca7fc7 100644
--- a/python/samba/tests/dsdb_quiet_provision_tests.py
+++ b/python/samba/tests/dsdb_quiet_env_tests.py
@@ -1,5 +1,5 @@
 # Unix SMB/CIFS implementation. Tests for dsdb
-# Copyright (C) Matthieu Patou <mat at matws.net> 2010
+# Copyright (C) Andrew Bartlett <abartlet at samba.org> 2024
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
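
Review bot: the copied file drops the original `Copyright (C) Matthieu Patou <mat at matws.net> 2010` line even though git records the copy at 92% similarity, so most of the content is still his; keep the original notice and add the 2024 line beneath it rather than replacing it.
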
@@ -28,16 +28,10 @@ from samba.credentials import Credentials
 from samba.samdb import SamDB
 from samba.auth import system_session
 from samba.tests import TestCase
-from samba.gkdi import (
-    KEY_CYCLE_DURATION,
-    MAX_CLOCK_SKEW
-)
-from samba.nt_time import nt_now
 import ldb
 import samba
 
-
-class DsdbQuietProvisionTests(TestCase):
+class DsdbQuietEnvTests(TestCase):
 
     @classmethod
     def setUpClass(cls):
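
Review bot: removing the blank line between `import samba` and `class DsdbQuietEnvTests(TestCase):` leaves a single blank line before a top-level class where PEP 8 wants two; keep both blank lines. Dropping the samba.gkdi and nt_now imports is consistent with test_dsdb_dn_gkdi_gmsa_root_keys_exist being removed from this copy.
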
@@ -50,24 +44,6 @@ class DsdbQuietProvisionTests(TestCase):
                           credentials=cls.creds,
                           lp=cls.lp)
 
-    def test_dsdb_dn_gkdi_gmsa_root_keys_exist(self):
-        """In provision we set up a GKDI root key.
-
-        There should always be at least one that is already valid
-        """
-        current_time = nt_now()
-        # We need the GKDI key to be already available for use
-        min_use_start_time = current_time \
-            - KEY_CYCLE_DURATION - MAX_CLOCK_SKEW
-
-        dn = self.samdb.get_config_basedn()
-        dn.add_child("CN=Master Root Keys,CN=Group Key Distribution Service,CN=Services")
-        res = self.samdb.search(dn,
-                                scope=ldb.SCOPE_SUBTREE,
-                                expression=f"(&(objectClass = msKds-ProvRootKey)(msKds-UseStartTime<={min_use_start_time}))")
-
-        self.assertGreater(len(res), 0)
-
     def test_gkdi_create_root_key_wrong_version(self):
 
         server_config_dn = self.samdb.get_config_basedn()
diff --git a/python/samba/tests/dsdb_quiet_provision_tests.py b/python/samba/tests/dsdb_quiet_provision_tests.py
index f6bdf1705f3..81ef3ceb74f 100644
--- a/python/samba/tests/dsdb_quiet_provision_tests.py
+++ b/python/samba/tests/dsdb_quiet_provision_tests.py
@@ -67,214 +67,3 @@ class DsdbQuietProvisionTests(TestCase):
                                 expression=f"(&(objectClass = msKds-ProvRootKey)(msKds-UseStartTime<={min_use_start_time}))")
 
         self.assertGreater(len(res), 0)
-
-    def test_gkdi_create_root_key_wrong_version(self):
-
-        server_config_dn = self.samdb.get_config_basedn()
-        server_config_dn.add_child("CN=Group Key Distribution Service Server Configuration," +
-                                   "CN=Server Configuration," +
-                                   "CN=Group Key Distribution Service," +
-                                   "CN=Services")
-        res = self.samdb.search(base=server_config_dn,
-                                scope=ldb.SCOPE_BASE,
-                                attrs=["msKds-Version"])
-
-        self.assertEqual(len(res), 1)
-
-        msg = res[0]
-        version = int(msg["msKds-Version"][0])
-        self.assertEqual(version, 1)
-
-        self.addCleanup(self.samdb.modify,
-                        ldb.Message.from_dict(self.samdb,
-                                              {"dn": msg["dn"],
-                                               "msKds-Version": [str(version)]},
-                                              ldb.FLAG_MOD_REPLACE))
-        self.samdb.modify(ldb.Message.from_dict(self.samdb,
-                                                {"dn": msg["dn"],
-                                                 "msKds-Version": ["2"]},
-                                                ldb.FLAG_MOD_REPLACE))
-
-        try:
-            self.samdb.new_gkdi_root_key()
-            self.fail("Creating key with invalid version should fail")
-        except ldb.LdbError as e:
-            (enum, estr) = e.args
-            self.assertEqual(enum, ldb.ERR_CONSTRAINT_VIOLATION)
-
-    def test_gkdi_create_root_key_4096(self):
-
-        server_config_dn = self.samdb.get_config_basedn()
-        server_config_dn.add_child("CN=Group Key Distribution Service Server Configuration," +
-                                   "CN=Server Configuration," +
-                                   "CN=Group Key Distribution Service," +
-                                   "CN=Services")
-        res = self.samdb.search(base=server_config_dn,
-                                scope=ldb.SCOPE_BASE,
-                                attrs=["msKds-PublicKeyLength"])
-
-        self.assertEqual(len(res), 1)
-
-        msg = res[0]
-        if "msKds-PublicKeyLength" in msg:
-            keylen = msg[0]["msKds-PublicKeyLength"]
-            # Ensure test still tests something in the future, if the default changes
-            self.assertNotEqual(keylen, 4096)
-            self.addCleanup(self.samdb.modify,
-                            ldb.Message.from_dict(self.samdb,
-                                                  {"dn": msg["dn"],
-                                                   "msKds-PublicKeyLength": [str(keylen)]},
-                                                  ldb.FLAG_MOD_REPLACE))
-        else:
-            self.addCleanup(self.samdb.modify,
-                            ldb.Message.from_dict(self.samdb,
-                                                  {"dn": msg["dn"],
-                                                   "msKds-PublicKeyLength": []},
-                                                  ldb.FLAG_MOD_DELETE))
-
-        self.samdb.modify(ldb.Message.from_dict(self.samdb,
-                                                {"dn": msg["dn"],
-                                                 "msKds-PublicKeyLength": ["4096"]},
-                                                ldb.FLAG_MOD_REPLACE))
-
-        dn = self.samdb.new_gkdi_root_key()
-
-        root_key_res = self.samdb.search(base=dn,
-                                         scope=ldb.SCOPE_BASE)
-        self.assertEqual(len(root_key_res), 1)
-        root_key = root_key_res[0]
-
-        self.assertEqual(int(root_key["msKds-PublicKeyLength"][0]), 4096)
-        self.assertEqual(str(root_key["msKds-KDFAlgorithmID"][0]), "SP800_108_CTR_HMAC")
-        self.assertEqual(str(root_key["msKds-SecretAgreementAlgorithmID"][0]), "DH")
-        self.assertEqual(int(root_key["msKds-Version"][0]), 1)
-
-    def test_gkdi_create_root_key_priv_1024(self):
-
-        server_config_dn = self.samdb.get_config_basedn()
-        server_config_dn.add_child("CN=Group Key Distribution Service Server Configuration," +
-                                   "CN=Server Configuration," +
-                                   "CN=Group Key Distribution Service," +
-                                   "CN=Services")
-        res = self.samdb.search(base=server_config_dn,
-                                scope=ldb.SCOPE_BASE,
-                                attrs=["msKds-PrivateKeyLength"])
-
-        self.assertEqual(len(res), 1)
-
-        msg = res[0]
-        if "msKds-PrivateKeyLength" in msg:
-            keylen = msg["msKds-PrivateKeyLength"]
-            # Ensure test still tests something in the future, if the default changes
-            self.assertNotEqual(keylen, 1024)
-            self.addCleanup(self.samdb.modify,
-                            ldb.Message.from_dict(self.samdb,
-                                                  {"dn": msg["dn"],
-                                                   "msKds-PrivateKeyLength": [str(keylen)]},
-                                                  ldb.FLAG_MOD_REPLACE))
-        else:
-            self.addCleanup(self.samdb.modify,
-                            ldb.Message.from_dict(self.samdb,
-                                                  {"dn": msg["dn"],
-                                                   "msKds-PrivateKeyLength": []},
-                                                  ldb.FLAG_MOD_DELETE))
-
-        self.samdb.modify(ldb.Message.from_dict(self.samdb,
-                                                {"dn": msg["dn"],
-                                                 "msKds-PrivateKeyLength": ["1024"]},
-                                                ldb.FLAG_MOD_REPLACE))
-
-        dn = self.samdb.new_gkdi_root_key()
-
-        root_key_res = self.samdb.search(base=dn,
-                                         scope=ldb.SCOPE_BASE)
-        self.assertEqual(len(root_key_res), 1)
-        root_key = root_key_res[0]
-
-        self.assertEqual(int(root_key["msKds-PrivateKeyLength"][0]), 1024)
-        self.assertEqual(str(root_key["msKds-KDFAlgorithmID"][0]), "SP800_108_CTR_HMAC")
-        self.assertEqual(str(root_key["msKds-SecretAgreementAlgorithmID"][0]), "DH")
-        self.assertEqual(int(root_key["msKds-Version"][0]), 1)
-
-    def test_gkdi_create_root_key_bad_alg(self):
-        server_config_dn = self.samdb.get_config_basedn()
-        server_config_dn.add_child("CN=Group Key Distribution Service Server Configuration," +
-                                   "CN=Server Configuration," +
-                                   "CN=Group Key Distribution Service," +
-                                   "CN=Services")
-        res = self.samdb.search(base=server_config_dn,
-                                scope=ldb.SCOPE_BASE,
-                                attrs=["msKds-KDFAlgorithmID"])
-
-        self.assertEqual(len(res), 1)
-
-        msg = res[0]
-        if "msKds-KDFAlgorithmID" in msg:
-            alg = msg["msKds-KDFAlgorithmID"][0]
-            self.addCleanup(self.samdb.modify,
-                            ldb.Message.from_dict(self.samdb,
-                                                  {"dn": msg["dn"],
-                                                   "msKds-KDFAlgorithmID": [alg]},
-                                                  ldb.FLAG_MOD_REPLACE))
-        else:
-            self.addCleanup(self.samdb.modify,
-                            ldb.Message.from_dict(self.samdb,
-                                                  {"dn": msg["dn"],
-                                                   "msKds-KDFAlgorithmID": []},
-                                                  ldb.FLAG_MOD_DELETE))
-
-        self.samdb.modify(ldb.Message.from_dict(self.samdb,
-                                                {"dn": msg["dn"],
-                                                 "msKds-KDFAlgorithmID": ["NO_AN_ALG"]},
-                                                ldb.FLAG_MOD_REPLACE))
-
-        try:
-            self.samdb.new_gkdi_root_key()
-            self.fail("Creating key with invalid algorithm should fail")
-        except ldb.LdbError as e:
-            (enum, estr) = e.args
-            self.assertEqual(enum, ldb.ERR_CONSTRAINT_VIOLATION)
-
-    def test_gkdi_create_root_key_good_alg(self):
-        server_config_dn = self.samdb.get_config_basedn()
-        server_config_dn.add_child("CN=Group Key Distribution Service Server Configuration," +
-                                   "CN=Server Configuration," +
-                                   "CN=Group Key Distribution Service," +
-                                   "CN=Services")
-        res = self.samdb.search(base=server_config_dn,
-                                scope=ldb.SCOPE_BASE,
-                                attrs=["msKds-KDFAlgorithmID"])
-
-        self.assertEqual(len(res), 1)
-
-        msg = res[0]
-        if "msKds-KDFAlgorithmID" in msg:
-            alg = msg["msKds-KDFAlgorithmID"][0]
-            self.addCleanup(self.samdb.modify,
-                            ldb.Message.from_dict(self.samdb,
-                                                  {"dn": msg["dn"],
-                                                   "msKds-KDFAlgorithmID": [alg]},
-                                                  ldb.FLAG_MOD_REPLACE))
-        else:
-            self.addCleanup(self.samdb.modify,
-                            ldb.Message.from_dict(self.samdb,
-                                                  {"dn": msg["dn"],
-                                                   "msKds-KDFAlgorithmID": []},
-                                                  ldb.FLAG_MOD_DELETE))
-
-        self.samdb.modify(ldb.Message.from_dict(self.samdb,
-                                                {"dn": msg["dn"],
-                                                 "msKds-KDFAlgorithmID": ["SP800_108_CTR_HMAC"]},
-                                                ldb.FLAG_MOD_REPLACE))
-
-        dn = self.samdb.new_gkdi_root_key()
-
-        root_key_res = self.samdb.search(base=dn,
-                                         scope=ldb.SCOPE_BASE)
-        self.assertEqual(len(root_key_res), 1)
-        root_key = root_key_res[0]
-
-        self.assertEqual(int(root_key["msKds-PublicKeyLength"][0]), 2048)
-        self.assertEqual(str(root_key["msKds-KDFAlgorithmID"][0]), "SP800_108_CTR_HMAC")
-        self.assertEqual(str(root_key["msKds-SecretAgreementAlgorithmID"][0]), "DH")
-        self.assertEqual(int(root_key["msKds-Version"][0]), 1)
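Review bot: this removal drops the only visible coverage of the server-configuration overrides honoured by new_gkdi_root_key(): an msKds-PublicKeyLength of 4096, an msKds-PrivateKeyLength of 1024, and rejection of an unknown msKds-KDFAlgorithmID ("NO_AN_ALG") with ldb.ERR_CONSTRAINT_VIOLATION. Only deletions are shown here, so please confirm that equivalent tests exist elsewhere in the series or note in the commit message why they are no longer needed. If they are re-added, note that in the removed test_gkdi_create_root_key_priv_1024 the guard `keylen = msg["msKds-PrivateKeyLength"]` followed by `self.assertNotEqual(keylen, 1024)` compares a message element to an int, so it could never fail, and the cleanup then wrote `str(keylen)` back; the comparison and restore should use `int(msg["msKds-PrivateKeyLength"][0])`.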
diff --git a/python/samba/tests/gkdi.py b/python/samba/tests/gkdi.py
index 03ed8d0141e..1fec624248b 100644
--- a/python/samba/tests/gkdi.py
+++ b/python/samba/tests/gkdi.py
@@ -57,6 +57,7 @@ from samba.hresult import (
 )
 from samba.ndr import ndr_pack, ndr_unpack
 from samba.nt_time import (
+    datetime_from_nt_time,
     nt_time_from_datetime,
     NtTime,
     NtTimeDelta,
@@ -74,6 +75,8 @@ RootKey = NewType("RootKey", ldb.Message)
 
 ROOT_KEY_START_TIME = NtTime(KEY_CYCLE_DURATION + MAX_CLOCK_SKEW)
 
+DSDB_GMSA_TIME_OPAQUE = "dsdb_gmsa_time_opaque"
+
 
 class GetKeyError(Exception):
     def __init__(self, status: HResult, message: str):
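Review bot: DSDB_GMSA_TIME_OPAQUE is a bare string that must match, byte for byte, the opaque name the server-side dsdb code looks up when it overrides the gMSA clock; nothing here ties the two together, so a rename on either side silently disables the test-time override and the tests fall back to the real clock. Add a comment naming the C definition it mirrors (or expose the constant through the existing Python bindings) so the coupling is visible to whoever changes it next.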
@@ -89,24 +92,35 @@ class GkdiBaseTest(TestCase):
         b"\x01\x01\x00\x00\x00\x00\x00\x05\x12\x00\x00\x00"
     )
 
-    @staticmethod
-    def current_time(offset: Optional[datetime.timedelta] = None) -> datetime.datetime:
-        current_time = datetime.datetime.now(tz=datetime.timezone.utc)
+    def set_db_time(self, samdb: SamDB, time: Optional[NtTime]) -> None:
+        samdb.set_opaque(DSDB_GMSA_TIME_OPAQUE, time)
+
+    def get_db_time(self, samdb: SamDB) -> Optional[NtTime]:
+        return samdb.get_opaque(DSDB_GMSA_TIME_OPAQUE)
+
+    def current_time(
+        self, samdb: SamDB, *, offset: Optional[datetime.timedelta] = None
+    ) -> datetime.datetime:
+        now = self.get_db_time(samdb)
+        if now is None:
+            current_time = datetime.datetime.now(tz=datetime.timezone.utc)
+        else:
+            current_time = datetime_from_nt_time(now)
 
         if offset is not None:
             current_time += offset
 
         return current_time
 
-    def current_nt_time(self, offset: Optional[datetime.timedelta] = None) -> NtTime:
-        return nt_time_from_datetime(self.current_time(offset))
+    def current_nt_time(
+        self, samdb: SamDB, *, offset: Optional[datetime.timedelta] = None
+    ) -> NtTime:
+        return nt_time_from_datetime(self.current_time(samdb, offset=offset))
 
-    def current_gkid(self, offset: Optional[datetime.timedelta] = None) -> Gkid:
-        if offset is None:
-            # Allow for clock skew.
-            offset = timedelta_from_nt_time_delta(MAX_CLOCK_SKEW)
-
-        return Gkid.from_nt_time(self.current_nt_time(offset))
+    def current_gkid(
+        self, samdb: SamDB, *, offset: Optional[datetime.timedelta] = None
+    ) -> Gkid:
+        return Gkid.from_nt_time(self.current_nt_time(samdb, offset=offset))
 
     def gkdi_connect(
         self, host: str, lp: LoadParm, server_creds: Credentials
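Review bot: set_db_time() installs a fake clock on the samdb connection but there is no paired cleanup, so a test that sets a time and then fails before restoring None leaves every later test on that connection running against the frozen timestamp. Callers should register `self.addCleanup(self.set_db_time, samdb, None)` immediately after setting it, or set_db_time() itself could do so. Two smaller points: set_db_time() and get_db_time() do not use self and could stay @staticmethod like the current_time() they replace, and current_gkid() no longer adds MAX_CLOCK_SKEW by default, so any caller that relied on that implicit allowance now has to pass offset= explicitly.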
@@ -246,8 +260,12 @@ class GkdiBaseTest(TestCase):
         return root_key_object, root_key_id
 
     def validate_get_key_request(
-        self, gkid: Gkid, current_gkid: Gkid, root_key_specified: bool
+        self, gkid: Gkid, current_time: NtTime, root_key_specified: bool
     ) -> None:
+        # The key being requested must not be from the future. That said, we
+        # allow for a little bit of clock skew so that we can compute the next
+        # managed password prior to the expiration of the current one.
+        current_gkid = Gkid.from_nt_time(NtTime(current_time + MAX_CLOCK_SKEW))
         if gkid > current_gkid:
             raise GetKeyError(
                 HRES_E_INVALIDARG,
@@ -276,7 +294,7 @@ class GkdiBaseTest(TestCase):
         gkid: Gkid,
         *,
         root_key_id_hint: Optional[misc.GUID] = None,
-        current_gkid: Optional[Gkid] = None,
+        current_time: Optional[NtTime] = None,
     ) -> SeedKeyPair:
         """Emulate the ISDKey.GetKey() RPC method.
 
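Review bot: the signature now takes `current_time: Optional[NtTime]` in place of `current_gkid`, but the get_key() docstring that starts on the line below still documents only the root key ID parameters; add a sentence describing current_time (an NT time, defaulting to the connection's possibly overridden clock) so callers know it is a timestamp and not a GKID.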
@@ -286,8 +304,8 @@ class GkdiBaseTest(TestCase):
         Windows, pass a GUID in the *root_key_id_hint* parameter to specify a
         particular root key to use."""
 
-        if current_gkid is None:
-            current_gkid = self.current_gkid()
+        if current_time is None:
+            current_time = self.current_nt_time(samdb)
 
         root_key_specified = root_key_id is not None
         if root_key_specified:
@@ -295,13 +313,14 @@ class GkdiBaseTest(TestCase):
                 root_key_id_hint, "don’t provide both root key ID parameters"
             )
 
-        self.validate_get_key_request(gkid, current_gkid, root_key_specified)
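Review bot: this hunk is cut off after the removed call `self.validate_get_key_request(gkid, current_gkid, root_key_specified)`; the replacement call that passes current_time is not visible here, so it cannot be confirmed from this message that the call site matches the changed signature in the earlier hunk. Please check the full patch for that line.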


-- 
Samba Shared Repository
