[SCM] Samba Shared Repository - branch master updated

Andrew Bartlett abartlet at samba.org
Fri Feb 16 03:48:01 UTC 2024


The branch, master has been updated
       via  4698cf0f335 s4:dsdb: Fix grammar
       via  a8387195707 libcli/security: Make ‘session_info’ parameter const
       via  8c970eaa2ed s4:ldap_server: Remove trailing whitespace
       via  1e13e37e219 libcli/security: Include missing headers
       via  b0b9e03c990 s4:dsdb: Let requests with the AS_SYSTEM control reset an account’s password
       via  eece2e8a9c6 s4:dsdb: Make use of dsdb_have_system_access()
       via  1ad9b93dbf6 s4:dsdb: Add function to determine whether we have system access
       via  e0e2126face s4:dsdb: Add include guard to dsdb/samdb/ldb_modules/util.h
       via  91fdd431645 s4:dsdb: Remove redundant include
       via  324d0fbc06d s4:dsdb: Add function to create a GMSA password update request
       via  d55c281c538 s4:dsdb: Remove unused includes
       via  e1d27ba5455 s4:dsdb: Add to ‘user_attrs’ attributes required for Group Managed Service Accounts
       via  0d3d2c433a0 s3:passdb: Reformat long line
       via  676601340c5 s3:passdb: Reformat array of strings
       via  2135e91b406 s3:passdb: Make array of strings static
       via  1b44febc8ee s3:passdb: Remove trailing whitespace
       via  f2a3c186c36 pidl: Do not call mapTypeName() on expression
       via  2d3712906dc lib:crypto: Add test for GMSA password derivation
       via  fe2dc161607 lib:crypto: Add functions for deriving gMSA passwords
       via  e062db32257 lib:crypto: Add more GKDI functions
       via  80a59d111ba ldb: Fix documentation typos
       via  d453feb8949 ldb: Split out ldb_controls_get_control() to search a list of controls
       via  93762362c5a ldb: Correct copy‐and‐pasted comments
       via  f810ea94f33 ldb: Remove trailing whitespace
       via  002e01963d9 s4:dsdb: Add dsdb_werror() macro
       via  447467f77ee s4:dsdb: Add search flag indicating that gMSA passwords are to be updated
       via  eeadffc91c6 s4:dsdb: Include missing headers
       via  424882452fc s4:dsdb: Add dsdb control indicating that gMSA passwords are to be updated
       via  78565c5ee33 s4:setup: Remove empty line
       via  03e4de449d8 s4:dsdb: Fix code formatting
       via  4e01e2bfc30 s4:dsdb: Add ‘ares’ parameter to operational attribute constructor functions
       via  24552b02005 s4:dsdb: Make array static
       via  f439bd39430 s4:dsdb: Remove trailing whitespace
       via  c0f9c177d05 s4:dsdb: Remove duplicate word
       via  25c610f8fad mailmap: Associate my identity with my old email address
       via  ed37c6f23bc s4:dsdb: Remove unused ‘domain_dn’ parameter
       via  470a9838e1d s4:dsdb: Remove reference to now‐gone lmNewHash parameter
       via  43cc1a99738 s4:dsdb: Split out function to create a ‘password set’ ldb request
       via  72142253003 s4:dsdb: Allocate NT hash on to more appropriate memory context
       via  e1e28d42988 s4:dsdb: Undefine helper macro
       via  c3ac22a4cb8 s4:dsdb: Check return value of talloc_new()
       via  8fe57658222 python:tests: Remove unused imports
       via  2489ffbe009 s4:kdc: Remove ‘attrs’ parameter from samba_kdc_lookup_server()
       via  72ac0ec8500 lib:compression: Update my name
       via  2748466ec6a python: Reformat nt_time.py
       via  debc4bc31f7 ldb: Fix code spelling
       via  3ba0dcdcd81 ldb: Simplify ldb_errstring()
       via  1b4eb4d6380 ldb: Remove trailing whitespace
       via  ac85c120074 lib:util: Remove inaccurate comment
       via  635f6baf7bc s3:libads: Remove ‘unicodePwd’ attribute from ads_find_machine_acct() search
       via  059cb760b03 testprogs:blackbox: Fix code spelling
       via  22c6629e165 samba-tool: Display friendlier error message if no password is available
       via  75ca027f61d python:tests: Pass correct arguments to set_named_ccache()
       via  678ed54e781 python:tests: Fix code spelling
       via  510d01b0ea1 s4:dsdb: Add helper functions to get GKDI root key DNs
       via  332522d7798 lib:crypto: Explicitly check for zero
       via  cac31aac34e lib:crypto: Comment on GKDI definitions
       via  88351a788c9 lib:crypto: Export gkid_key_type() and gkid_is_valid()
       via  ac3d67adab2 lib:crypto: Fix code formatting
       via  b2215aaee0d python:tests: Produce more helpful error message for future GKIDs
       via  b401502c55b netcmd: models: add GroupManagedServiceAccount model
       via  5e52e211a9b netcmd: models: add missing fields to User model
       via  b31cdb03987 netcmd: models: add missing enum fields to Group model
       via  16e1ea9bf52 netcmd: models: make Group.system_flags a flags based EnumField
       via  5165d54da4c netcmd: models: add Computer model subclass of User
       via  128a5cf087b netcmd: models: stop using LookupError exception and change it to NotFound
       via  0a3da8dccd2 netcmd: models: rename DoesNotExist exception to NotFound
       via  73c44e96dd0 netcmd: models: SDDLField move line down where it gets used
       via  63064d4c9fe netcmd: models: SDDLField parses to object instead of string
       via  9ca05ec28ce netcmd: delegation: don't use assert but raise CommandError
       via  6d7ad278659 netcmd: delegation: initial value not required because of raise below
       via  ec6fb98b4a4 netcmd: delegation: move line down where it gets used
       via  1608dde944f netcmd: delegation: pep8 fix blank lines
       via  68092f85fa4 netcmd: bugfix: json encoder failed to call super method
       via  ea63b058fc4 netcmd: json encoder supports security descriptor objects
       via  de8b61cbbe3 netcmd: support hyphens in top-level commands and convert to underscore
       via  2a95f83c5c3 libds: remove unreachable break statements after return
      from  7a674ee9ffe docs-xml: document "smb3 share cap:{CONTINUOUS AVAILABILITY,SCALE OUT,CLUSTER,ASYMMETRIC}"

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 4698cf0f335f96cd902f234a09dc48102e33952a
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Tue Feb 13 16:53:57 2024 +1300

    s4:dsdb: Fix grammar
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Fri Feb 16 03:47:12 UTC 2024 on atb-devel-224

commit a8387195707baa9c2a11437755eb85ff040dee0f
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Wed Feb 14 08:17:03 2024 +1300

    libcli/security: Make ‘session_info’ parameter const
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 8c970eaa2ed5bae4501df6ebfc3af67a946a0c76
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Mon Feb 12 16:48:36 2024 +1300

    s4:ldap_server: Remove trailing whitespace
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 1e13e37e219bcf5804662143fcf85332c6954ac8
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Thu Jan 18 14:28:04 2024 +1300

    libcli/security: Include missing headers
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit b0b9e03c99098c46580b151064f673c6c47e1b4e
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Tue Feb 13 14:13:46 2024 +1300

    s4:dsdb: Let requests with the AS_SYSTEM control reset an account’s password
    
    dsdb_have_system_access() takes into account the AS_SYSTEM control as
    well as the result of dsdb_module_am_system().
    
    This change means that we can reset the password of an account without
    being SYSTEM by means of the AS_SYSTEM control. This is essential for
    ldapsrv_SearchRequest() to be able to process the automatic password
    changes of Group Managed Service Accounts.
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit eece2e8a9c6c5bf32c2824ed5853b88d1e3f679b
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Tue Feb 13 14:12:30 2024 +1300

    s4:dsdb: Make use of dsdb_have_system_access()
    
    There should not be any change in behaviour.
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 1ad9b93dbf6dd2b899bcb11c20c841735aede12f
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Tue Feb 13 14:09:23 2024 +1300

    s4:dsdb: Add function to determine whether we have system access
    
    This takes into account the dsdb session info, as well as the presence
    or absence of an AS_SYSTEM control.
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit e0e2126face6d0a46dff348a8c690eb943dc2930
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Thu Feb 15 16:48:29 2024 +1300

    s4:dsdb: Add include guard to dsdb/samdb/ldb_modules/util.h
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 91fdd4316458d1dd9c696aff8d36737e5095b10f
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Thu Feb 15 16:48:06 2024 +1300

    s4:dsdb: Remove redundant include
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 324d0fbc06d358756e69696b8d8cf389e91e0054
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Tue Feb 13 14:06:38 2024 +1300

    s4:dsdb: Add function to create a GMSA password update request
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit d55c281c538dac7361614fc8c56466d1fbf89805
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Tue Feb 13 13:50:40 2024 +1300

    s4:dsdb: Remove unused includes
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit e1d27ba5455cdd7a69e16112ed05c75ba5c1f003
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Tue Feb 13 13:45:10 2024 +1300

    s4:dsdb: Add to ‘user_attrs’ attributes required for Group Managed Service Accounts
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 0d3d2c433a0ecb8fefe57fef2e60121f684ed6a7
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Tue Feb 13 13:43:59 2024 +1300

    s3:passdb: Reformat long line
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 676601340c5ff8895845b089289dcbb2e9f60d91
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Tue Feb 13 13:40:48 2024 +1300

    s3:passdb: Reformat array of strings
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 2135e91b406104944b0f27edb892450acaae9968
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Tue Feb 13 13:40:29 2024 +1300

    s3:passdb: Make array of strings static
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 1b44febc8eea317c6e09fc4f318472028745857e
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Tue Feb 13 13:40:20 2024 +1300

    s3:passdb: Remove trailing whitespace
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit f2a3c186c365f0e864dfe6734fcec0bf14bc4f3f
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Tue Feb 13 13:17:28 2024 +1300

    pidl: Do not call mapTypeName() on expression
    
    $var_name is not a type name, but an expression, such as ‘r->in.server’.
    mapTypeName() will turn this into ‘struct r->in.server’, which makes no
    sense.
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 2d3712906dc72c229ba5d5f84399f105a0b158bc
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Tue Feb 13 14:39:41 2024 +1300

    lib:crypto: Add test for GMSA password derivation
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit fe2dc161607ad035d805c035e7c090f7b4b13483
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Tue Feb 13 13:04:06 2024 +1300

    lib:crypto: Add functions for deriving gMSA passwords
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit e062db322576e029037b2cd303beb5258c1ad40f
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Tue Feb 13 13:04:48 2024 +1300

    lib:crypto: Add more GKDI functions
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 80a59d111ba5d8d861c6be523d43c9ecd01ae444
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Tue Feb 13 12:34:43 2024 +1300

    ldb: Fix documentation typos
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit d453feb8949b5d270b55fba3052d50db5de354d3
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Tue Feb 13 11:57:07 2024 +1300

    ldb: Split out ldb_controls_get_control() to search a list of controls
    
    Update the ldb ABI accordingly.
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 93762362c5ad51995b6dfda2223e9d728b97ead6
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Tue Feb 13 11:54:57 2024 +1300

    ldb: Correct copy‐and‐pasted comments
    
    These comments refer to controls being added, but in these functions the
    controls are actually being *searched* for.
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit f810ea94f334fed8a4a20b87a4d479ed80c4f8ea
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Tue Feb 13 11:53:07 2024 +1300

    ldb: Remove trailing whitespace
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 002e01963d93c9e9c2b5f5392d07ba3eed215012
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Tue Feb 13 11:52:06 2024 +1300

    s4:dsdb: Add dsdb_werror() macro
    
    This works like dsdb_module_werror(), but does not require an ldb module
    to work.
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 447467f77ee119fd425645af36fd28362b42c5b3
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Tue Feb 13 11:51:35 2024 +1300

    s4:dsdb: Add search flag indicating that gMSA passwords are to be updated
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit eeadffc91c621bd452c7d9648d0b327b861a3752
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Tue Feb 13 11:51:19 2024 +1300

    s4:dsdb: Include missing headers
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 424882452fcea14ae2f48d5449b5f991f3dc5ee8
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Tue Feb 13 11:25:33 2024 +1300

    s4:dsdb: Add dsdb control indicating that gMSA passwords are to be updated
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 78565c5ee33b3bec8e8e85e141f1fb2867bdd5a9
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Tue Feb 13 11:26:08 2024 +1300

    s4:setup: Remove empty line
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 03e4de449d8b4f10286cf65307ef53d1e49222f0
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Mon Feb 12 16:58:41 2024 +1300

    s4:dsdb: Fix code formatting
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 4e01e2bfc30da0024db0cb682e77a1be275b06f2
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Mon Feb 12 16:56:59 2024 +1300

    s4:dsdb: Add ‘ares’ parameter to operational attribute constructor functions
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 24552b02005abc7b2379cd7f34a8df1a60a7837a
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Mon Feb 12 16:50:39 2024 +1300

    s4:dsdb: Make array static
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit f439bd39430e63975fb803aff2f8c19f6a4342cb
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Mon Feb 12 16:49:44 2024 +1300

    s4:dsdb: Remove trailing whitespace
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit c0f9c177d05b4f8b8223b35aeef6cc800c37acca
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Tue Jan 16 15:48:43 2024 +1300

    s4:dsdb: Remove duplicate word
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 25c610f8fad10b3c512049698a7d751089dcaea2
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Tue Feb 13 12:32:19 2024 +1300

    mailmap: Associate my identity with my old email address
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit ed37c6f23bc79c3be088025a875cb20a1f20da41
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Sat Jan 20 12:01:30 2024 +1300

    s4:dsdb: Remove unused ‘domain_dn’ parameter
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 470a9838e1dfaa8f33330d1676dcc3bd80a7ddf4
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Thu Feb 15 14:12:07 2024 +1300

    s4:dsdb: Remove reference to now‐gone lmNewHash parameter
    
    This parameter was removed in commit
    75c54d54ad9fdff7098c1b4f11252528f35ea658.
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 43cc1a997383b8290950b7dbb1f5c5d9f6ab6f91
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Sat Jan 20 12:00:27 2024 +1300

    s4:dsdb: Split out function to create a ‘password set’ ldb request
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 72142253003c430cb10212961fc8fd88a88e7ee6
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Mon Feb 12 16:25:10 2024 +1300

    s4:dsdb: Allocate NT hash on to more appropriate memory context
    
    The NT hash should live at least as long as the message to which it is
    added.
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit e1e28d42988d135376e25b97df78c79fe3f1d154
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Sat Jan 20 11:58:45 2024 +1300

    s4:dsdb: Undefine helper macro
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit c3ac22a4cb87c4957a68257a49e12b7eaf01a208
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Fri Jan 19 13:33:09 2024 +1300

    s4:dsdb: Check return value of talloc_new()
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 8fe5765822217feb06e0ce2a12bc5ffe4fdb99ea
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Thu Jan 18 10:01:49 2024 +1300

    python:tests: Remove unused imports
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 2489ffbe009f5f56e91c681eec9ad3d042e81634
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Wed Jan 17 13:13:56 2024 +1300

    s4:kdc: Remove ‘attrs’ parameter from samba_kdc_lookup_server()
    
    It is always equal to ‘server_attrs’.
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 72ac0ec850013f5876d7260f12d5d6e395c774e1
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Thu Feb 8 10:55:32 2024 +1300

    lib:compression: Update my name
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 2748466ec6a5dd8911612b8164fcacaf4137e00e
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Fri Feb 2 13:11:22 2024 +1300

    python: Reformat nt_time.py
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit debc4bc31f796636352f478ef9f887392752bd42
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Thu Jan 25 10:28:31 2024 +1300

    ldb: Fix code spelling
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 3ba0dcdcd816c1214b2a157411732f83ca96e35c
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Wed Jan 24 14:19:26 2024 +1300

    ldb: Simplify ldb_errstring()
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 1b4eb4d6380b1556057d5855a473edca9583fc2b
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Wed Jan 24 14:19:11 2024 +1300

    ldb: Remove trailing whitespace
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit ac85c1200748e7eaaafcdd1aadacdf1e7b98e6f9
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Sat Jan 20 09:53:20 2024 +1300

    lib:util: Remove inaccurate comment
    
    A C compiler would not be allowed to apply the tail call optimization in
    this situation, because it would change the observed behaviour of the
    program.
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 635f6baf7bccc64da5fa8591dee41c379f83601b
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Fri Jan 19 12:38:24 2024 +1300

    s3:libads: Remove ‘unicodePwd’ attribute from ads_find_machine_acct() search
    
    This attribute was added to the search in commit
    4f389c1f78cdc2424795e3b2a1ce43818c400c2d. But it’s not clear to me that
    anything actually retrieves the unicodePwd from the result (excluding
    inconsequential things like ads_dump()).
    
    Furthermore, this being a search over LDAP, it will never return a
    unicodePwd.
    
    Removing this attribute from the search means that we no longer have to
    worry about the account possibly being a Group Managed Service Account
    and the unicodePwd being out‐of‐date.
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 059cb760b033ae1e570128a9c546acbdc9a43ec2
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Fri Jan 19 13:23:36 2024 +1300

    testprogs:blackbox: Fix code spelling
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 22c6629e16535e7a8014243ac519a7923c2cb3c1
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Thu Jan 18 11:26:34 2024 +1300

    samba-tool: Display friendlier error message if no password is available
    
    ‘samba-tool user get-kerberos-ticket’ is supposed to display an error
    message if no password is available. However, the conditions under which
    the message is displayed are impossible to meet. If ‘utf16_pw’ is not
    None, the message is not displayed; if ‘utf16_pw’ *is* None, ‘nt_pass’
    is assigned a samr.Password object, which is not None — and so the
    message is still not displayed.
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 75ca027f61de3e0d03ec931e907b06affa3d9fac
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Thu Jan 18 10:55:55 2024 +1300

    python:tests: Pass correct arguments to set_named_ccache()
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 678ed54e781b5b89c319dabca072fb9d3522986f
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Thu Jan 18 10:48:44 2024 +1300

    python:tests: Fix code spelling
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 510d01b0ea1f0330b168de39faddb62765e4f5bf
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Thu Jan 11 13:52:27 2024 +1300

    s4:dsdb: Add helper functions to get GKDI root key DNs
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 332522d7798e5c73e77f18ac7e0f05aae749d070
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Mon Jan 8 09:48:44 2024 +1300

    lib:crypto: Explicitly check for zero
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit cac31aac34e411e0935115c7209b4d45c29efbfc
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Tue Jan 9 14:14:23 2024 +1300

    lib:crypto: Comment on GKDI definitions
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 88351a788c979645e8291c068b1276a6e7658d6b
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Tue Jan 9 14:13:31 2024 +1300

    lib:crypto: Export gkid_key_type() and gkid_is_valid()
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit ac3d67adab2ca10272ea51d4a33956df6b317212
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Fri Dec 22 16:01:36 2023 +1300

    lib:crypto: Fix code formatting
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit b2215aaee0d7c22d9b2cd3c65a4da57299d28d15
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Thu Jan 11 13:49:58 2024 +1300

    python:tests: Produce more helpful error message for future GKIDs
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit b401502c55b34ea1d87e043fc6f8059bd55c95c8
Author: Rob van der Linde <rob at catalyst.net.nz>
Date:   Thu Feb 8 23:25:14 2024 +1300

    netcmd: models: add GroupManagedServiceAccount model
    
    Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>

commit 5e52e211a9bd14da7d7f35f0238291509ff65f03
Author: Rob van der Linde <rob at catalyst.net.nz>
Date:   Thu Feb 8 23:17:34 2024 +1300

    netcmd: models: add missing fields to User model
    
    Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>

commit b31cdb039875e6f660880a564f3e6ec283175174
Author: Rob van der Linde <rob at catalyst.net.nz>
Date:   Thu Feb 8 23:13:16 2024 +1300

    netcmd: models: add missing enum fields to Group model
    
    Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>

commit 16e1ea9bf521dd2e6c62b193b84071a1d3db3545
Author: Rob van der Linde <rob at catalyst.net.nz>
Date:   Tue Feb 13 13:17:24 2024 +1300

    netcmd: models: make Group.system_flags a flags based EnumField
    
    Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>

commit 5165d54da4c1098297a6e031dd77b7183168bdd9
Author: Rob van der Linde <rob at catalyst.net.nz>
Date:   Thu Feb 8 23:02:11 2024 +1300

    netcmd: models: add Computer model subclass of User
    
    Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>

commit 128a5cf087b1f4e764f1e4afa0667a249346a810
Author: Rob van der Linde <rob at catalyst.net.nz>
Date:   Thu Feb 8 22:47:14 2024 +1300

    netcmd: models: stop using LookupError exception and change it to NotFound
    
    LookupError is a base class for IndexError and KeyError and isn't really the appropriate exception.
    
    NotFound inherits from ModelError just like the other model exceptions.
    
    Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>

commit 0a3da8dccd2096095a7ce5d2fbf8b4943eeadfcc
Author: Rob van der Linde <rob at catalyst.net.nz>
Date:   Thu Feb 8 22:34:46 2024 +1300

    netcmd: models: rename DoesNotExist exception to NotFound
    
    Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>

commit 73c44e96dd0714cb8c28cef0c6d40f49616881d3
Author: Rob van der Linde <rob at catalyst.net.nz>
Date:   Mon Feb 12 22:03:34 2024 +1300

    netcmd: models: SDDLField move line down where it gets used
    
    Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>

commit 63064d4c9fe806891392734121241be353c567e4
Author: Rob van der Linde <rob at catalyst.net.nz>
Date:   Mon Feb 12 21:56:43 2024 +1300

    netcmd: models: SDDLField parses to object instead of string
    
    Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>

commit 9ca05ec28ce9c3b45ad72b6df2a0aa72da3e2e26
Author: Rob van der Linde <rob at catalyst.net.nz>
Date:   Mon Feb 12 16:13:13 2024 +1300

    netcmd: delegation: don't use assert but raise CommandError
    
    Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>

commit 6d7ad27865974692cebdb5fef1e3a5134dfb92eb
Author: Rob van der Linde <rob at catalyst.net.nz>
Date:   Mon Feb 12 16:04:08 2024 +1300

    netcmd: delegation: initial value not required because of raise below
    
    Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>

commit ec6fb98b4a44a106c6b1363d69c7799e5f1b695b
Author: Rob van der Linde <rob at catalyst.net.nz>
Date:   Mon Feb 12 16:02:22 2024 +1300

    netcmd: delegation: move line down where it gets used
    
    Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>

commit 1608dde944f8580511432bf4accdb0439f6106dd
Author: Rob van der Linde <rob at catalyst.net.nz>
Date:   Mon Feb 12 15:59:32 2024 +1300

    netcmd: delegation: pep8 fix blank lines
    
    Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>

commit 68092f85fa4f86dfe553357c5f879b25c56a4866
Author: Rob van der Linde <rob at catalyst.net.nz>
Date:   Thu Feb 8 20:53:01 2024 +1300

    netcmd: bugfix: json encoder failed to call super method
    
    This led to a strange recursion error when a field came up that the JSONEncoder couldn't encode.
    
    Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>

commit ea63b058fc4716f0017acfb75ace96bee20a6c21
Author: Rob van der Linde <rob at catalyst.net.nz>
Date:   Mon Feb 12 15:53:53 2024 +1300

    netcmd: json encoder supports security descriptor objects
    
    Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>

commit de8b61cbbe38702924d6c59a15eb264f679edf84
Author: Rob van der Linde <rob at catalyst.net.nz>
Date:   Thu Feb 8 23:33:09 2024 +1300

    netcmd: support hyphens in top-level commands and convert to underscore
    
    Hyphens in Python modules are invalid and make them importable only by importlib, which makes them harder to import in tests.
    
    Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>

commit 2a95f83c5c3720532dd48b4b1ca0d8140b977387
Author: Rob van der Linde <rob at catalyst.net.nz>
Date:   Thu Feb 8 20:30:31 2024 +1300

    libds: remove unreachable break statements after return
    
    Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>

-----------------------------------------------------------------------

Summary of changes:
 .mailmap                                           |   1 +
 lib/compression/lzxpress_huffman.c                 |   2 +-
 lib/crypto/gkdi.c                                  | 286 +++++++++++++++++++--
 lib/crypto/gkdi.h                                  |  80 +++++-
 lib/crypto/gmsa.c                                  | 264 +++++++++++++++++++
 lib/crypto/gmsa.h                                  |  54 ++++
 lib/crypto/test_gkdi.c                             | 150 +++++++++++
 lib/crypto/test_gkdi_key_derivation.c              |   2 +-
 lib/crypto/wscript                                 |  11 +
 lib/ldb/ABI/ldb-2.10.0.sigs                        |   1 +
 lib/ldb/common/ldb.c                               |  40 ++-
 lib/ldb/common/ldb_controls.c                      |  47 ++--
 lib/ldb/include/ldb.h                              |  13 +-
 lib/ldb/include/ldb_module.h                       |  16 +-
 lib/util/time.c                                    |  10 +-
 libcli/security/access_check.h                     |   2 +
 libcli/security/security_descriptor.h              |   1 +
 libcli/security/session.c                          |   2 +-
 libcli/security/session.h                          |   2 +-
 libds/common/flag_mapping.c                        |  28 --
 pidl/lib/Parse/Pidl/Samba4/Python.pm               |   3 +-
 python/samba/netcmd/delegation.py                  |  25 +-
 python/samba/netcmd/domain/auth/silo.py            |   4 +-
 python/samba/netcmd/domain/claim/claim_type.py     |   4 +-
 python/samba/netcmd/domain/models/__init__.py      |   6 +-
 python/samba/netcmd/domain/models/auth_policy.py   |   4 +-
 .../domain/models/{subnet.py => computer.py}       |  24 +-
 python/samba/netcmd/domain/models/exceptions.py    |   2 +-
 python/samba/netcmd/domain/models/fields.py        |  32 ++-
 python/samba/netcmd/domain/models/group.py         |   8 +-
 python/samba/netcmd/domain/models/model.py         |   8 +-
 python/samba/netcmd/domain/models/query.py         |   6 +-
 python/samba/netcmd/domain/models/schema.py        |  13 +-
 python/samba/netcmd/domain/models/types.py         | 136 +++++++++-
 python/samba/netcmd/domain/models/user.py          |  89 ++++++-
 python/samba/netcmd/domain/models/value_type.py    |   8 +-
 python/samba/netcmd/encoders.py                    |   6 +-
 python/samba/netcmd/main.py                        |   5 +-
 .../user/readpasswords/get_kerberos_ticket.py      |  24 +-
 python/samba/nt_time.py                            |   4 +-
 python/samba/tests/gkdi.py                         |   3 +-
 python/samba/tests/samba_tool/domain_models.py     |  21 +-
 .../tests/samba_tool/user_get_kerberos_ticket.py   |  10 +-
 .../tests/samba_tool/user_getpassword_gmsa.py      |   4 +-
 .../samba-tool-user-get-kerberos-ticket            |   8 +-
 selftest/tests.py                                  |   2 +
 source3/libads/ldap.c                              |   1 -
 source3/passdb/pdb_samba_dsdb.c                    |  56 ++--
 source4/auth/sam.c                                 |   7 +-
 source4/dsdb/common/util.c                         | 247 +++++++++++++++---
 source4/dsdb/common/util.h                         |   6 +
 source4/dsdb/samdb/ldb_modules/acl.c               |  44 +---
 source4/dsdb/samdb/ldb_modules/acl_read.c          |   7 +-
 source4/dsdb/samdb/ldb_modules/audit_util.c        |   1 -
 source4/dsdb/samdb/ldb_modules/objectclass.c       |  22 +-
 source4/dsdb/samdb/ldb_modules/objectclass_attrs.c |  14 +-
 source4/dsdb/samdb/ldb_modules/operational.c       |  40 +--
 source4/dsdb/samdb/ldb_modules/password_hash.c     |   7 +-
 source4/dsdb/samdb/ldb_modules/samldb.c            |   2 +-
 source4/dsdb/samdb/ldb_modules/util.c              |  36 +++
 source4/dsdb/samdb/ldb_modules/util.h              |  12 +-
 source4/dsdb/samdb/samdb.h                         |   8 +
 source4/kdc/db-glue.c                              |   9 +-
 source4/kdc/kpasswd-helper.c                       |   1 -
 source4/ldap_server/ldap_backend.c                 |  18 +-
 source4/rpc_server/samr/dcesrv_samr.c              |  11 -
 source4/rpc_server/samr/samr_password.c            |  13 +-
 source4/setup/schema_samba4.ldif                   |   2 +-
 testprogs/blackbox/test_net_ads.sh                 |   8 +-
 69 files changed, 1626 insertions(+), 417 deletions(-)
 create mode 100644 .mailmap
 create mode 100644 lib/crypto/gmsa.c
 create mode 100644 lib/crypto/gmsa.h
 create mode 100644 lib/crypto/test_gkdi.c
 copy python/samba/netcmd/domain/models/{subnet.py => computer.py} (63%)


Changeset truncated at 500 lines:

diff --git a/.mailmap b/.mailmap
new file mode 100644
index 00000000000..a797c26ff4f
--- /dev/null
+++ b/.mailmap
@@ -0,0 +1 @@
+Jo Sutton <josutton at catalyst.net.nz> <josephsutton at catalyst.net.nz>
diff --git a/lib/compression/lzxpress_huffman.c b/lib/compression/lzxpress_huffman.c
index e14419cd96b..63b5ffae8ec 100644
--- a/lib/compression/lzxpress_huffman.c
+++ b/lib/compression/lzxpress_huffman.c
@@ -4,7 +4,7 @@
  * Copyright © Catalyst IT 2022
  *
  * Written by Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- *        and Joseph Sutton   <josephsutton at catalyst.net.nz>
+ *        and Jo Sutton       <josutton at catalyst.net.nz>
  *
  *  ** NOTE! The following LGPL license applies to this file.
  *  ** It does NOT imply that all of Samba is released under the LGPL
diff --git a/lib/crypto/gkdi.c b/lib/crypto/gkdi.c
index 6799dcfd70e..92348f286ac 100644
--- a/lib/crypto/gkdi.c
+++ b/lib/crypto/gkdi.c
@@ -26,11 +26,13 @@
 
 #include "lib/util/bytearray.h"
 
+#include "librpc/ndr/libndr.h"
 #include "librpc/gen_ndr/ndr_security.h"
 #include "librpc/gen_ndr/gkdi.h"
 #include "librpc/gen_ndr/ndr_gkdi.h"
 
 #include "lib/crypto/gkdi.h"
+#include "lib/util/data_blob.h"
 
 static const uint8_t kds_service[] = {
 	/* “KDS service” as a NULL‐terminated UTF‐16LE string. */
@@ -38,6 +40,182 @@ static const uint8_t kds_service[] = {
 	'r', 0, 'v', 0, 'i', 0, 'c', 0, 'e', 0, 0,   0,
 };
 
+static struct Gkid gkid_from_u32_indices(const uint32_t l0_idx,
+					 const uint32_t l1_idx,
+					 const uint32_t l2_idx)
+{
+	/* Catch out‐of‐range indices. */
+	if (l0_idx > INT32_MAX || l1_idx > INT8_MAX || l2_idx > INT8_MAX) {
+		return invalid_gkid;
+	}
+
+	return Gkid(l0_idx, l1_idx, l2_idx);
+}
+
+NTSTATUS gkdi_pull_KeyEnvelope(TALLOC_CTX *mem_ctx,
+			       const DATA_BLOB *key_env_blob,
+			       struct KeyEnvelope *key_env_out)
+{
+	NTSTATUS status = NT_STATUS_OK;
+	enum ndr_err_code err;
+
+	if (key_env_blob == NULL) {
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+
+	if (key_env_out == NULL) {
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+
+	err = ndr_pull_struct_blob(key_env_blob,
+				   mem_ctx,
+				   key_env_out,
+				   (ndr_pull_flags_fn_t)ndr_pull_KeyEnvelope);
+	status = ndr_map_error2ntstatus(err);
+	if (!NT_STATUS_IS_OK(status)) {
+		return status;
+	}
+
+	/* If we felt so inclined, we could check the version field here. */
+
+	return status;
+}
+
+/*
+ * Retrieve the GKID and root key ID from a KeyEnvelope blob. The returned
+ * structure is guaranteed to have a valid GKID.
+ */
+const struct KeyEnvelopeId *gkdi_pull_KeyEnvelopeId(
+	const DATA_BLOB key_env_blob,
+	struct KeyEnvelopeId *key_env_out)
+{
+	TALLOC_CTX *tmp_ctx = NULL;
+	struct KeyEnvelope key_env;
+	const struct KeyEnvelopeId *key_env_ret = NULL;
+	NTSTATUS status;
+
+	if (key_env_out == NULL) {
+		goto out;
+	}
+
+	tmp_ctx = talloc_new(NULL);
+	if (tmp_ctx == NULL) {
+		goto out;
+	}
+
+	status = gkdi_pull_KeyEnvelope(tmp_ctx, &key_env_blob, &key_env);
+	if (!NT_STATUS_IS_OK(status)) {
+		goto out;
+	}
+
+	{
+		const struct Gkid gkid = gkid_from_u32_indices(
+			key_env.l0_index, key_env.l1_index, key_env.l2_index);
+		if (!gkid_is_valid(gkid)) {
+			/* The KeyId is not valid: we can’t use it. */
+			goto out;
+		}
+
+		*key_env_out = (struct KeyEnvelopeId){
+			.root_key_id = key_env.root_key_id, .gkid = gkid};
+	}
+
+	/* Return a pointer to the buffer passed in by the caller. */
+	key_env_ret = key_env_out;
+
+out:
+	TALLOC_FREE(tmp_ctx);
+	return key_env_ret;
+}
+
+NTSTATUS ProvRootKey(TALLOC_CTX *mem_ctx,
+		     const struct GUID root_key_id,
+		     const int32_t version,
+		     const DATA_BLOB root_key_data,
+		     const NTTIME create_time,
+		     const NTTIME use_start_time,
+		     const char *const domain_id,
+		     const struct KdfAlgorithm kdf_algorithm,
+		     const struct ProvRootKey **const root_key_out)
+{
+	NTSTATUS status = NT_STATUS_OK;
+	struct ProvRootKey *root_key = NULL;
+
+	if (root_key_out == NULL) {
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+	*root_key_out = NULL;
+
+	root_key = talloc(mem_ctx, struct ProvRootKey);
+	if (root_key == NULL) {
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	*root_key = (struct ProvRootKey){
+		.id = root_key_id,
+		.data = {.data = talloc_steal(root_key, root_key_data.data),
+			 .length = root_key_data.length},
+		.create_time = create_time,
+		.use_start_time = use_start_time,
+		.domain_id = talloc_steal(root_key, domain_id),
+		.kdf_algorithm = kdf_algorithm,
+		.version = version,
+	};
+
+	*root_key_out = root_key;
+	return status;
+}
+
+struct Gkid gkdi_get_interval_id(const NTTIME time)
+{
+	return Gkid(time / (gkdi_l1_key_iteration * gkdi_l2_key_iteration *
+			    gkdi_key_cycle_duration),
+		    time / (gkdi_l2_key_iteration * gkdi_key_cycle_duration) %
+			    gkdi_l1_key_iteration,
+		    time / gkdi_key_cycle_duration % gkdi_l2_key_iteration);
+}
+
+NTTIME gkdi_get_key_start_time(const struct Gkid gkid)
+{
+	return (gkid.l0_idx * gkdi_l1_key_iteration * gkdi_l2_key_iteration +
+		gkid.l1_idx * gkdi_l2_key_iteration + gkid.l2_idx) *
+	       gkdi_key_cycle_duration;
+}
+
+/*
+ * This returns the equivalent of
+ * gkdi_get_key_start_time(gkdi_get_interval_id(time)).
+ */
+NTTIME gkdi_get_interval_start_time(const NTTIME time)
+{
+	return time % gkdi_key_cycle_duration;
+}
+
+bool gkid_less_than_or_equal_to(const struct Gkid g1, const struct Gkid g2)
+{
+	if (g1.l0_idx != g2.l0_idx) {
+		return g1.l0_idx < g2.l0_idx;
+	}
+
+	if (g1.l1_idx != g2.l1_idx) {
+		return g1.l1_idx < g2.l1_idx;
+	}
+
+	return g1.l2_idx <= g2.l2_idx;
+}
+
+bool gkdi_rollover_interval(const int64_t managed_password_interval,
+			    NTTIME *result)
+{
+	if (managed_password_interval < 0) {
+		return false;
+	}
+
+	*result = (uint64_t)managed_password_interval * 24 / 10 *
+		  gkdi_key_cycle_duration;
+	return true;
+}
+
 struct GkdiContextShort {
 	uint8_t buf[sizeof((struct GUID_ndr_buf){}.buf) + sizeof(int32_t) +
 		    sizeof(int32_t) + sizeof(int32_t)];
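Review bot: gkdi_get_interval_start_time() does not compute what its comment claims. `return time % gkdi_key_cycle_duration;` yields the offset into the current ten-hour cycle, whereas gkdi_get_key_start_time(gkdi_get_interval_id(time)) reduces to the time rounded down to a cycle boundary, i.e. `time - time % gkdi_key_cycle_duration`; fix either the expression or the comment, and a unit test comparing the two forms would catch this. In gkdi_rollover_interval(), `(uint64_t)managed_password_interval * 24 / 10 * gkdi_key_cycle_duration` has no upper-bound check, so a very large attribute value silently wraps; consider rejecting values above a sane maximum instead of only negative ones. gkdi_pull_KeyEnvelope() also leaves the version field unchecked (and key_envelope_magic, defined in the header, is never compared against the blob), so callers cannot assume the envelope is well-formed beyond what NDR parsing guarantees.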
@@ -71,7 +249,7 @@ static NTSTATUS make_gkdi_context_security_descriptor(
 	enum ndr_err_code ndr_err;
 	struct GkdiDerivationCtx ctx_with_sd = *ctx;
 
-	if (ctx_with_sd.target_security_descriptor.length) {
+	if (ctx_with_sd.target_security_descriptor.length != 0) {
 		return NT_STATUS_INVALID_PARAMETER;
 	}
 
@@ -164,13 +342,12 @@ out:
 	return status;
 }
 
-static NTSTATUS compute_l1_seed_key(
-	TALLOC_CTX *mem_ctx,
-	struct GkdiContext *ctx,
-	const DATA_BLOB security_descriptor,
-	const struct ProvRootKey *const root_key,
-	const struct Gkid gkid,
-	uint8_t key[static const GKDI_KEY_LEN])
+static NTSTATUS compute_l1_seed_key(TALLOC_CTX *mem_ctx,
+				    struct GkdiContext *ctx,
+				    const DATA_BLOB security_descriptor,
+				    const struct ProvRootKey *const root_key,
+				    const struct Gkid gkid,
+				    uint8_t key[static const GKDI_KEY_LEN])
 {
 	NTSTATUS status = NT_STATUS_OK;
 	struct GkdiContextShort short_ctx;
@@ -308,7 +485,7 @@ out:
 	return status;
 }
 
-static enum GkidType gkid_key_type(const struct Gkid gkid)
+enum GkidType gkid_key_type(const struct Gkid gkid)
 {
 	if (gkid.l0_idx == -1) {
 		return GKID_DEFAULT;
@@ -325,7 +502,7 @@ static enum GkidType gkid_key_type(const struct Gkid gkid)
 	return GKID_L2_SEED_KEY;
 }
 
-static bool gkid_is_valid(const struct Gkid gkid)
+bool gkid_is_valid(const struct Gkid gkid)
 {
 	if (gkid.l0_idx < -1) {
 		return false;
@@ -350,12 +527,11 @@ static bool gkid_is_valid(const struct Gkid gkid)
 	return true;
 }
 
-NTSTATUS compute_seed_key(
-	TALLOC_CTX *mem_ctx,
-	const DATA_BLOB target_security_descriptor,
-	const struct ProvRootKey *const root_key,
-	const struct Gkid gkid,
-	uint8_t key[static const GKDI_KEY_LEN])
+NTSTATUS compute_seed_key(TALLOC_CTX *mem_ctx,
+			  const DATA_BLOB target_security_descriptor,
+			  const struct ProvRootKey *const root_key,
+			  const struct Gkid gkid,
+			  uint8_t key[static const GKDI_KEY_LEN])
 {
 	NTSTATUS status = NT_STATUS_OK;
 	enum GkidType gkid_type;
@@ -394,3 +570,81 @@ NTSTATUS compute_seed_key(
 out:
 	return status;
 }
+
+NTSTATUS kdf_sp_800_108_from_params(
+	const DATA_BLOB *const kdf_param,
+	struct KdfAlgorithm *const kdf_algorithm_out)
+{
+	TALLOC_CTX *tmp_ctx = NULL;
+	NTSTATUS status = NT_STATUS_OK;
+	enum ndr_err_code err;
+	enum KdfSp800_108Param sp800_108_param = KDF_PARAM_SHA256;
+	struct KdfParameters kdf_parameters;
+
+	if (kdf_param != NULL) {
+		tmp_ctx = talloc_new(NULL);
+		if (tmp_ctx == NULL) {
+			status = NT_STATUS_NO_MEMORY;
+			goto out;
+		}
+
+		err = ndr_pull_struct_blob(kdf_param,
+					   tmp_ctx,
+					   &kdf_parameters,
+					   (ndr_pull_flags_fn_t)
+						   ndr_pull_KdfParameters);
+		if (!NDR_ERR_CODE_IS_SUCCESS(err)) {
+			status = ndr_map_error2ntstatus(err);
+			DBG_WARNING("KdfParameters pull failed: %s\n",
+				    nt_errstr(status));
+			goto out;
+		}
+
+		if (kdf_parameters.hash_algorithm == NULL) {
+			status = NT_STATUS_NOT_SUPPORTED;
+			goto out;
+		}
+
+		/* These string comparisons are case‐sensitive. */
+		if (strcmp(kdf_parameters.hash_algorithm, "SHA1") == 0) {
+			sp800_108_param = KDF_PARAM_SHA1;
+		} else if (strcmp(kdf_parameters.hash_algorithm, "SHA256") == 0)
+		{
+			sp800_108_param = KDF_PARAM_SHA256;
+		} else if (strcmp(kdf_parameters.hash_algorithm, "SHA384") == 0)
+		{
+			sp800_108_param = KDF_PARAM_SHA384;
+		} else if (strcmp(kdf_parameters.hash_algorithm, "SHA512") == 0)
+		{
+			sp800_108_param = KDF_PARAM_SHA512;
+		} else {
+			status = NT_STATUS_NOT_SUPPORTED;
+			goto out;
+		}
+	}
+
+	*kdf_algorithm_out = (struct KdfAlgorithm){
+		.id = KDF_ALGORITHM_SP800_108_CTR_HMAC,
+		.param.sp800_108 = sp800_108_param,
+	};
+out:
+	talloc_free(tmp_ctx);
+	return status;
+}
+
+NTSTATUS kdf_algorithm_from_params(const char *const kdf_algorithm_id,
+				   const DATA_BLOB *const kdf_param,
+				   struct KdfAlgorithm *const kdf_algorithm_out)
+{
+	if (kdf_algorithm_id == NULL) {
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+
+	/* This string comparison is case‐sensitive. */
+	if (strcmp(kdf_algorithm_id, "SP800_108_CTR_HMAC") == 0) {
+		return kdf_sp_800_108_from_params(kdf_param, kdf_algorithm_out);
+	}
+
+	/* Unknown algorithm. */
+	return NT_STATUS_NOT_SUPPORTED;
+}
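Review bot: kdf_sp_800_108_from_params() writes through kdf_algorithm_out without a NULL check, whereas ProvRootKey() and gkdi_pull_KeyEnvelope() in the same file return NT_STATUS_INVALID_PARAMETER for a NULL output pointer; add the same guard before the `*kdf_algorithm_out = (struct KdfAlgorithm){` assignment. The SHA256 default taken when kdf_param is NULL deserves a comment citing where that default comes from, because a wrong default here would silently derive different keys from the ones a Windows DC produces. A NULL hash_algorithm currently maps to NT_STATUS_NOT_SUPPORTED; NT_STATUS_INVALID_PARAMETER would let callers distinguish a malformed KdfParameters blob from a well-formed one naming an algorithm this code does not implement.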
diff --git a/lib/crypto/gkdi.h b/lib/crypto/gkdi.h
index 892bcc4b380..0786d228a19 100644
--- a/lib/crypto/gkdi.h
+++ b/lib/crypto/gkdi.h
@@ -65,6 +65,16 @@ struct ProvRootKey {
 	int32_t version;
 };
 
+NTSTATUS ProvRootKey(TALLOC_CTX *mem_ctx,
+		     const struct GUID root_key_id,
+		     const int32_t version,
+		     const DATA_BLOB root_key_data,
+		     const NTTIME create_time,
+		     const NTTIME use_start_time,
+		     const char *const domain_id,
+		     const struct KdfAlgorithm kdf_algorithm,
+		     const struct ProvRootKey **const root_key_out);
+
 struct Gkid {
 	int32_t l0_idx;
 	int8_t l1_idx; /* [range(0, 31)] */
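Review bot: the constructor ProvRootKey() shares its name with struct ProvRootKey; that is legal C (struct tags and ordinary identifiers live in different namespaces) but it makes the code harder to grep and read, and the prototype carries no documentation. A short comment stating that the function takes ownership of root_key_data.data and domain_id via talloc_steal(), as the definition in gkdi.c does, would keep callers from freeing those buffers themselves.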
@@ -78,22 +88,76 @@ enum GkidType {
 	GKID_L2_SEED_KEY = 2,
 };
 
+/*
+ * Construct a GKID. The caller must check the returned GKID is valid before
+ * using it!
+ */
+static inline struct Gkid Gkid(int32_t l0_idx, int8_t l1_idx, int8_t l2_idx)
+{
+	return (struct Gkid){l0_idx, l1_idx, l2_idx};
+}
+
+static const struct Gkid invalid_gkid = {
+	INT32_MIN,
+	INT8_MIN,
+	INT8_MIN,
+};
+
+static const uint32_t key_envelope_magic = 0x4b53444b; /* ‘KDSK’ */
+
+struct KeyEnvelopeId {
+	struct GUID root_key_id;
+	struct Gkid gkid;
+};
+
+struct KeyEnvelope;
+NTSTATUS gkdi_pull_KeyEnvelope(TALLOC_CTX *mem_ctx,
+			       const DATA_BLOB *pwd_id_blob,
+			       struct KeyEnvelope *pwd_id_out);
+
+const struct KeyEnvelopeId *gkdi_pull_KeyEnvelopeId(
+	const DATA_BLOB key_env,
+	struct KeyEnvelopeId *key_env_out);
+
+enum GkidType gkid_key_type(const struct Gkid gkid);
+
+bool gkid_is_valid(const struct Gkid gkid);
+
 static const int gkdi_l1_key_iteration = 32;
 static const int gkdi_l2_key_iteration = 32;
 
-static const int64_t gkdi_key_cycle_duration = 360000000000;
-static const int64_t gkdi_max_clock_skew = 3000000000;
+static const int64_t gkdi_key_cycle_duration = 360000000000; /* ten hours */
+static const int64_t gkdi_max_clock_skew = 3000000000;	     /* five minutes */
 
 #define GKDI_KEY_LEN 64
 
+struct Gkid gkdi_get_interval_id(const NTTIME time);
+
+NTTIME gkdi_get_key_start_time(const struct Gkid gkid);
+
+NTTIME gkdi_get_interval_start_time(const NTTIME time);
+
+bool gkid_less_than_or_equal_to(const struct Gkid g1, const struct Gkid g2);
+
+bool gkdi_rollover_interval(const int64_t managed_password_interval,
+			    NTTIME *result);
+
 gnutls_mac_algorithm_t get_sp800_108_mac_algorithm(
 	const struct KdfAlgorithm kdf_algorithm);
 
-NTSTATUS compute_seed_key(
-	TALLOC_CTX *mem_ctx,
-	const DATA_BLOB target_security_descriptor,
-	const struct ProvRootKey *const root_key,
-	const struct Gkid gkid,
-	uint8_t out[static const GKDI_KEY_LEN]);
+NTSTATUS compute_seed_key(TALLOC_CTX *mem_ctx,
+			  const DATA_BLOB target_security_descriptor,
+			  const struct ProvRootKey *const root_key,
+			  const struct Gkid gkid,
+			  uint8_t out[static const GKDI_KEY_LEN]);
+
+NTSTATUS kdf_sp_800_108_from_params(
+	const DATA_BLOB *const kdf_param,
+	struct KdfAlgorithm *const kdf_algorithm_out);
+
+NTSTATUS kdf_algorithm_from_params(
+	const char *const kdf_algorithm_id,
+	const DATA_BLOB *const kdf_param,
+	struct KdfAlgorithm *const kdf_algorithm_out);
 
 #endif /* LIB_CRYPTO_GKDI_H */
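Review bot: the prototype of gkdi_pull_KeyEnvelope() names its parameters pwd_id_blob and pwd_id_out while the definition in gkdi.c uses key_env_blob and key_env_out; align them so the header documents the actual call. Two further points: `static const struct Gkid invalid_gkid` and `static const uint32_t key_envelope_magic` in a header give every translation unit its own copy, and nothing in this patch references key_envelope_magic, so either use it in gkdi_pull_KeyEnvelope() to validate the blob or drop it until it is needed. The Gkid() comment says the caller must check the result, which is sound given that gkid_from_u32_indices() in gkdi.c relies on gkid_is_valid() for the range checks the header documents.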
diff --git a/lib/crypto/gmsa.c b/lib/crypto/gmsa.c
new file mode 100644
index 00000000000..1cd7a0e6973
--- /dev/null
+++ b/lib/crypto/gmsa.c
@@ -0,0 +1,264 @@
+/*
+   Unix SMB/CIFS implementation.
+   Group Managed Service Account functions
+
+   Copyright (C) Catalyst.Net Ltd 2024
+
+   This program is free software: you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation, either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <https://www.gnu.org/licenses/>.
+*/
+

