[SCM] Samba Shared Repository - branch master updated
Andrew Bartlett
abartlet at samba.org
Thu Mar 28 02:54:02 UTC 2024
The branch, master has been updated
via 06c589aaa1a python/samba/tests/krb5: Extend PKINIT tests to cover UF_SMARTCARD_REQUIRED
via f29693d1311 python/tests/krb5: Prepare to allow tests that use the PAC returned NT hash
via 2fd5166a8c1 python/tests/krb5: Allow getting a TGT in pkinit tests
via b2fe1ea1c6a python/tests/krb5: Prepare for PKINIT tests with UF_SMARTCARD_REQUIRED
via 7cc8f455191 tests/krb5: Fix PK-INIT test framework to allow expired password keys
via 46263c5c202 python/samba/krb5: Allow client address (caddr) to be missing or empty
via 3d1ec5dc676 auth/credentials: Remove use of pytalloc_get_type() of NDR types in pycredentials
via 93f4be16471 netcmd: docs: update documentation for new auth policy command structure
via 6e02c97193c netcmd: auth policy: remove old service-allowed-to-authenticate-from-silo and group
via dcb6a14fa23 netcmd: auth policy: add service-allowed-to-authenticate-from subcommands
via 97c2ff19daa netcmd: auth policy: remove old user-allowed-to-authenticate-from-silo and group
via e88be1aed97 netcmd: auth policy: add user-allowed-to-authenticate-from subcommands
via 2cbacad82d6 netcmd: auth policy: remove old service-allowed-to-authenticate-to-silo and group
via 316a84a5975 netcmd: auth policy: add service-allowed-to-authenticate-to subcommands
via 5db2a1581d3 netcmd: auth policy: remove old user-allowed-to-authenticate-to-silo and group
via 4ba087f8187 netcmd: auth policy: add user-allowed-to-authenticate-to subcommands
via 49c3bca8033 netcmd: auth policy: remove old computer-allowed-to-authenticate-to-silo and group
via 86d3706bd26 netcmd: auth policy: add computer-allowed-to-authenticate-to subcommands
via 96f00738cec netcmd: auth policy: extract policy base commands into policy.py
via c0e748f0117 netcmd: auth policy: turn policy.py into module
via 13d53ee3e25 netcmd: auth silo: extract silo base commands into silo.py
via a2e9529ee63 netcmd: auth silo: move silo_member.py into silo module
via 4d2c8ea9578 netcmd: auth silo: turn silo.py into module
via 2af65446cfd netcmd: docs: add section headings for auth policies and silos
via 7fbe5156096 netcmd: docs: consistently put <constant> around GROUP and SILO
via 4e1d12835ff netcmd: docs: --user-allowed-to-authenticate-from-device-group was missing
via 26feb09fd10 netcmd: docs: --user-allowed-to-authenticate-from-device-silo missing "device"
via a7edd5b5367 netcmd: docs: add documentation for service-account group-msa-membership commands
via 03a6740a90b netcmd: docs: add documentation for service-account base command
via cf60e3cad6b netcmd: gmsa: improve descriptions of --dns-host-name and match docs
via 828420b4f09 python: domain: models: add OrganizationalUnit container model
via 5ac4b6969be python: domain: models: move OrganizationalPerson to org.py
via 3c0833ead51 python: domain: models: move MODELS to registry.py because it's not really a constant
via bfd1f8cd467 python: domain: models: MODELS lookup does need to include base Model for shell command
via 0c5d09ae143 python: domain: models: add children method to return a models direct children
via cca0cfe421c python: tests: write a test for the Model.as_dict method
via 917e2a73538 python: tests: computer model tests should clean up
via ed07dee8649 python: domain: models: as_dict() should also exclude empty list fields
via fc982e550f4 s4-dsdb: Create KdfParameters at runtime
via d316e5f0869 s4-dsdb: Indent DH parameters table in gkdi_create_root_key()
via 3687bf22aa1 s4-dsdb: Populate new GKDI root keys from the server configuration object
via 565314f4482 pyldb: Improve search for error string in PyErr_SetLdbError
via 06912de3b2a dsdb: Add API tests for new_gkdi_root_key()
via f379ea8b812 pyldb: Consolidate PyErr_SetLdbError() using the pyldb version
via 287cf82682c plydb: Keep talloc_reference() to the DN in PyDict_AsMessage
via 37327afd0aa pyldb: Fix documentation comment on Message.from_dict() method
from f0a8d832683 s4/torture: Fix misplaced positional arguments for u64 comparison
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 06c589aaa1a30e5577d9de4532246949f30809e5
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Mar 20 14:56:47 2024 +1300
python/samba/tests/krb5: Extend PKINIT tests to cover UF_SMARTCARD_REQUIRED
This in particular tests the returned NTLM password buffers as well as
the password rotation on expired accounts described at
https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/whats-new-in-credential-protection
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Thu Mar 28 02:53:53 UTC 2024 on atb-devel-224
commit f29693d1311a9675034dc7010076309ba2535d64
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Mar 26 14:29:49 2024 +1300
python/tests/krb5: Prepare to allow tests that use the PAC returned NT hash
We want to use the PAC returned NT hash in the UF_SMARTCARD_REQUIRED case
as it will usually be random bytes so we can not just assert on the
value any more.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>
commit 2fd5166a8c1703af97b444077135e1b99e320dec
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Mar 26 14:42:20 2024 +1300
python/tests/krb5: Allow getting a TGT in pkinit tests
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>
commit b2fe1ea1c6aba116b31a1c803b4e0d36ac1a32ee
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Mar 19 14:37:24 2024 +1300
python/tests/krb5: Prepare for PKINIT tests with UF_SMARTCARD_REQUIRED
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>
commit 7cc8f455191faacf32efc474c27e99d45ef2e024
Author: Jo Sutton <josutton at catalyst.net.nz>
Date: Fri Mar 22 12:58:19 2024 +1300
tests/krb5: Fix PK-INIT test framework to allow expired password keys
Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 46263c5c202f6d409ad1b1d45ae523d9304f03d5
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Mar 14 12:01:54 2024 +1300
python/samba/krb5: Allow client address (caddr) to be missing or empty
Currently (as of 2024-02) windows 21H2 returns this as [].
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>
commit 3d1ec5dc676f59d6f8cbcf9869521bf6c67605e5
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Mar 20 14:42:31 2024 +1300
auth/credentials: Remove use of pytalloc_get_type() of NDR types in pycredentials
This function is based on a flawed premise that the
pointer is a talloc context, but the second element
in an array and any element in a structure is not a
talloc context.
The type has already been checked above.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>
commit 93f4be164714ddd36e52bcc28d8278361ba6bf2f
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Mon Mar 25 13:46:47 2024 +1300
netcmd: docs: update documentation for new auth policy command structure
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 6e02c97193cdae6c2e557b8a151a71a96cf6f2a0
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Thu Mar 21 10:24:12 2024 +1300
netcmd: auth policy: remove old service-allowed-to-authenticate-from-silo and group
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit dcb6a14fa234678141c7dc9fae0c10dfe53e4dbd
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Thu Mar 21 09:58:02 2024 +1300
netcmd: auth policy: add service-allowed-to-authenticate-from subcommands
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 97c2ff19daa7ee1717d0cdc1128ca03b5e8d3144
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Thu Mar 21 09:48:25 2024 +1300
netcmd: auth policy: remove old user-allowed-to-authenticate-from-silo and group
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit e88be1aed978fc3109ba9bc9ea0ccc5a20f7a480
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Thu Mar 21 09:04:37 2024 +1300
netcmd: auth policy: add user-allowed-to-authenticate-from subcommands
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 2cbacad82d62c9a952aadbf290b92c8fde564256
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Thu Mar 21 00:10:11 2024 +1300
netcmd: auth policy: remove old service-allowed-to-authenticate-to-silo and group
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 316a84a5975bee3e3c6bbf90342d4bc8aace36b4
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Wed Mar 20 23:44:28 2024 +1300
netcmd: auth policy: add service-allowed-to-authenticate-to subcommands
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 5db2a1581d39f383e7e098d34175e661a852abc6
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Wed Mar 20 23:29:12 2024 +1300
netcmd: auth policy: remove old user-allowed-to-authenticate-to-silo and group
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 4ba087f8187c07890d4ec5ecf5a979daadc58523
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Wed Mar 20 22:56:18 2024 +1300
netcmd: auth policy: add user-allowed-to-authenticate-to subcommands
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 49c3bca80334869274156a9fad5811a410063a91
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Wed Mar 20 22:31:48 2024 +1300
netcmd: auth policy: remove old computer-allowed-to-authenticate-to-silo and group
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 86d3706bd26d4d875d98eba13d32d9d559f3f008
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Wed Mar 20 19:40:34 2024 +1300
netcmd: auth policy: add computer-allowed-to-authenticate-to subcommands
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 96f00738cec72224487522c2c134862661f2b0e4
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Wed Mar 20 19:20:06 2024 +1300
netcmd: auth policy: extract policy base commands into policy.py
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit c0e748f0117308d36323001e1cf4387ca6c18297
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Wed Mar 20 18:54:12 2024 +1300
netcmd: auth policy: turn policy.py into module
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 13d53ee3e2547332b83424304c50d523d254bcf1
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Wed Mar 20 19:14:32 2024 +1300
netcmd: auth silo: extract silo base commands into silo.py
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit a2e9529ee631447f8da4dfb44b1ffbd954a8c7f6
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Wed Mar 20 19:02:50 2024 +1300
netcmd: auth silo: move silo_member.py into silo module
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 4d2c8ea95783cafcbf954f7bfb040225cb693a68
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Wed Mar 20 18:55:46 2024 +1300
netcmd: auth silo: turn silo.py into module
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 2af65446cfd3bf4eba39cdc5ba3bea9d06712ccc
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Mon Mar 25 12:51:22 2024 +1300
netcmd: docs: add section headings for auth policies and silos
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 7fbe515609671b0def8c8c481d9fb4ef254a6407
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Mon Mar 25 13:10:52 2024 +1300
netcmd: docs: consistently put <constant> around GROUP and SILO
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 4e1d12835ffe57c047adae16f7209b3f5ea4e529
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Mon Mar 25 13:33:38 2024 +1300
netcmd: docs: --user-allowed-to-authenticate-from-device-group was missing
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 26feb09fd103cf791ca4d36ec2957611f09dca2b
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Mon Mar 25 13:29:43 2024 +1300
netcmd: docs: --user-allowed-to-authenticate-from-device-silo missing "device"
Make it consistent with --service-allowed-to-authenticate-from-device-silo by adding =SILO
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit a7edd5b5367fa777299584a333b6f7efccbfefb4
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Mon Mar 25 18:26:57 2024 +1300
netcmd: docs: add documentation for service-account group-msa-membership commands
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 03a6740a90b2c6e5bdb7182444b5eb17b3fb98c1
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Mon Mar 25 18:07:02 2024 +1300
netcmd: docs: add documentation for service-account base command
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit cf60e3cad6bde875e3566e06d135d2f512eaa048
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Wed Mar 27 10:11:26 2024 +1300
netcmd: gmsa: improve descriptions of --dns-host-name and match docs
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 828420b4f0984e1bca45c340fe0df8c10cfd5e79
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Fri Mar 22 11:54:39 2024 +1300
python: domain: models: add OrganizationalUnit container model
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 5ac4b6969be802a3cdefff4f36b5542a94736295
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Fri Mar 22 11:33:17 2024 +1300
python: domain: models: move OrganizationalPerson to org.py
There are other models like OrganizationalUnit which can go in org.py better if this is done first
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 3c0833ead5180492d958af66ad94db392e87ed07
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Fri Mar 22 11:02:50 2024 +1300
python: domain: models: move MODELS to registry.py because it's not really a constant
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit bfd1f8cd467d081eac4dbdd3bd0e90ca1a7de1a0
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Tue Mar 26 08:29:24 2024 +1300
python: domain: models: MODELS lookup does need to include base Model for shell command
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 0c5d09ae14311f18deb3b1a5013152b4c26eb161
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Tue Mar 26 08:24:53 2024 +1300
python: domain: models: add children method to return a models direct children
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit cca0cfe421c9ea226d9028ac4c5602a266786c95
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Mon Mar 25 23:02:30 2024 +1300
python: tests: write a test for the Model.as_dict method
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 917e2a735383ae7dc2e67a540c66e87d6302cadb
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Mon Mar 25 22:04:19 2024 +1300
python: tests: computer model tests should clean up
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit ed07dee8649eaf4266965e959e3d4c0b7e1c8a3e
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Sun Mar 24 23:36:22 2024 +1300
python: domain: models: as_dict() should also exclude empty list fields
Empty list fields happen if many=True is used on the field. This means that the field is automatically initialised as an empty list, so this can only ever be sa list or None.
The side-effect of this was that it appears in as_dict() when it shouldn't, because the field isn't populated. This fixes it.
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit fc982e550f4c5824c189704efaf79038c0d78413
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Mar 22 16:58:40 2024 +1300
s4-dsdb: Create KdfParameters at runtime
While this is by definition less efficient, I prefer not to have the magic
buffer of pre-caclulated bytes, we don't create Root Keys very often.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit d316e5f0869f0b0f0fdc7f2dab4a40fd28baccf9
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Mar 22 16:43:38 2024 +1300
s4-dsdb: Indent DH parameters table in gkdi_create_root_key()
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 3687bf22aa1ce2515997b06efb536d5da4294c9a
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Mar 22 14:08:22 2024 +1300
s4-dsdb: Populate new GKDI root keys from the server configuration object
This honours MS-GKDI 3.1.4.1.1 Creating a New Root Key
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 565314f448236ff41d9c6c532949c19ee85b6425
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Mar 25 12:44:29 2024 +1300
pyldb: Improve search for error string in PyErr_SetLdbError
We allow a fallback to ldb_strerror() even if there was an LDB context,
allowing failing functions to reset a previous error string but not
set a new one.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 06912de3b2ae84c795f5d3e7ee03872937260ee4
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Mar 26 10:28:38 2024 +1300
dsdb: Add API tests for new_gkdi_root_key()
These show that the new root key should be based on the server
configuration object, not just hardcoded defaults.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit f379ea8b81251efad05ebb913ed0a0205fa0bcd5
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Mar 25 12:36:35 2024 +1300
pyldb: Consolidate PyErr_SetLdbError() using the pyldb version
Now that pyldb-util is a private library to Samba, we have no excuses not to
consolidate helper functions like this.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 287cf82682c0f70a57e7d90748778e3b3fc36cda
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Mar 25 22:33:02 2024 +1300
plydb: Keep talloc_reference() to the DN in PyDict_AsMessage
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 37327afd0aa486c8e07bb8a7ad0cc1d8641931e1
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Mar 25 22:30:29 2024 +1300
pyldb: Fix documentation comment on Message.from_dict() method
This method does not take keyword arguments.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
-----------------------------------------------------------------------
Summary of changes:
auth/credentials/pycredentials.c | 13 +-
docs-xml/manpages/samba-tool.8.xml | 590 +++++++++++++++------
lib/crypto/gkdi.h | 2 +
lib/ldb-samba/pyldb.c | 10 -
lib/ldb/pyldb.c | 34 +-
lib/ldb/pyldb.h | 2 +
lib/ldb/pyldb_util.c | 31 ++
python/samba/domain/models/__init__.py | 5 +-
python/samba/domain/models/constants.py | 4 -
python/samba/domain/models/model.py | 16 +-
python/samba/domain/models/{person.py => org.py} | 20 +-
python/samba/domain/models/person.py | 13 +-
python/samba/domain/models/query.py | 2 +-
.../domain/{__init__.py => models/registry.py} | 6 +-
python/samba/domain/models/user.py | 2 +-
python/samba/netcmd/domain/auth/policy/__init__.py | 68 +++
.../policy/computer_allowed_to_authenticate_to.py | 125 +++++
.../netcmd/domain/auth/{ => policy}/policy.py | 239 +--------
.../policy/service_allowed_to_authenticate_from.py | 123 +++++
.../policy/service_allowed_to_authenticate_to.py | 123 +++++
.../policy/user_allowed_to_authenticate_from.py | 123 +++++
.../auth/policy/user_allowed_to_authenticate_to.py | 125 +++++
.../netcmd/domain/{claim => auth/silo}/__init__.py | 24 +-
.../domain/auth/{silo_member.py => silo/member.py} | 0
python/samba/netcmd/domain/auth/{ => silo}/silo.py | 17 +-
.../netcmd/service_account/service_account.py | 4 +-
python/samba/netcmd/shell.py | 1 +
python/samba/tests/blackbox/claims.py | 23 +-
python/samba/tests/dsdb_quiet_provision_tests.py | 211 ++++++++
python/samba/tests/krb5/kdc_base_test.py | 19 +-
python/samba/tests/krb5/pkinit_tests.py | 264 ++++++++-
python/samba/tests/krb5/raw_testcase.py | 30 +-
python/samba/tests/krb5/rfc4120_constants.py | 1 +
.../samba/tests/samba_tool/domain_auth_policy.py | 442 +++++----------
python/samba/tests/samba_tool/domain_models.py | 51 +-
selftest/knownfail_heimdal_kdc | 3 +
selftest/knownfail_mit_kdc_1_20 | 4 +
source4/dsdb/common/util.c | 6 +-
source4/dsdb/gmsa/gkdi.c | 330 ++++++++----
source4/dsdb/pydsdb.c | 10 -
40 files changed, 2159 insertions(+), 957 deletions(-)
copy python/samba/domain/models/{person.py => org.py} (84%)
copy python/samba/domain/{__init__.py => models/registry.py} (87%)
create mode 100644 python/samba/netcmd/domain/auth/policy/__init__.py
create mode 100644 python/samba/netcmd/domain/auth/policy/computer_allowed_to_authenticate_to.py
rename python/samba/netcmd/domain/auth/{ => policy}/policy.py (55%)
create mode 100644 python/samba/netcmd/domain/auth/policy/service_allowed_to_authenticate_from.py
create mode 100644 python/samba/netcmd/domain/auth/policy/service_allowed_to_authenticate_to.py
create mode 100644 python/samba/netcmd/domain/auth/policy/user_allowed_to_authenticate_from.py
create mode 100644 python/samba/netcmd/domain/auth/policy/user_allowed_to_authenticate_to.py
copy python/samba/netcmd/domain/{claim => auth/silo}/__init__.py (55%)
rename python/samba/netcmd/domain/auth/{silo_member.py => silo/member.py} (100%)
rename python/samba/netcmd/domain/auth/{ => silo}/silo.py (96%)
Changeset truncated at 500 lines:
diff --git a/auth/credentials/pycredentials.c b/auth/credentials/pycredentials.c
index a16be546901..5cdbe7796e6 100644
--- a/auth/credentials/pycredentials.c
+++ b/auth/credentials/pycredentials.c
@@ -574,11 +574,7 @@ static PyObject *py_creds_set_nt_hash(PyObject *self, PyObject *args)
return NULL;
}
- pwd = pytalloc_get_type(py_cp, struct samr_Password);
- if (pwd == NULL) {
- /* pytalloc_get_type sets TypeError */
- return NULL;
- }
+ pwd = pytalloc_get_ptr(py_cp);
return PyBool_FromLong(cli_credentials_set_nt_hash(creds, pwd, obt));
}
@@ -1093,7 +1089,12 @@ static PyObject *py_creds_encrypt_netr_crypt_password(PyObject *self,
return NULL;
}
- pwd = pytalloc_get_type(py_cp, struct netr_CryptPassword);
+ if (!py_check_dcerpc_type(py_cp, "samba.dcerpc.netlogon", "netr_CryptPassword")) {
+ /* py_check_dcerpc_type sets TypeError */
+ return NULL;
+ }
+
+ pwd = pytalloc_get_ptr(py_cp);
if (pwd == NULL) {
/* pytalloc_get_type sets TypeError */
return NULL;
diff --git a/docs-xml/manpages/samba-tool.8.xml b/docs-xml/manpages/samba-tool.8.xml
index e6c0c08c240..62ce4e690d4 100644
--- a/docs-xml/manpages/samba-tool.8.xml
+++ b/docs-xml/manpages/samba-tool.8.xml
@@ -599,6 +599,11 @@
<para>Restore the domain's DB from a backup-file.</para>
</refsect3>
+<refsect2>
+ <title>domain auth policy</title>
+ <para>Manage authentication policies.</para>
+</refsect2>
+
<refsect3>
<title>domain auth policy list</title>
<para>List authentication policies on the domain.</para>
@@ -756,22 +761,6 @@
</para>
</listitem>
</varlistentry>
- <varlistentry>
- <term>--user-allowed-to-authenticate-from-silo</term>
- <listitem>
- <para>
- User is allowed to
- authenticate, if the device they
- authenticate from is assigned
- and granted membership of a
- given silo.
- </para>
- <para>
- This attribute avoids the need to write SDDL by hand and
- cannot be used with --user-allowed-to-authenticate-from
- </para>
- </listitem>
- </varlistentry>
<varlistentry>
<term>--user-allowed-to-authenticate-to=SDDL</term>
<listitem>
@@ -792,42 +781,6 @@
</para>
</listitem>
</varlistentry>
- <varlistentry>
- <term>--user-allowed-to-authenticate-to-by-group=GROUP</term>
- <listitem>
- <para>
- The user account, offering a
- network service, covered by
- this policy, will only be allowed
- access from other accounts
- that are members of the given
- <constant>GROUP</constant>.
- </para>
- <para>
- This attribute avoids the need to write SDDL by hand and
- cannot be used with --user-allowed-to-authenticate-to
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>--user-allowed-to-authenticate-to-by-silo=SILO</term>
- <listitem>
- <para>
- The user account, offering a
- network service, covered by
- this policy, will only be
- allowed access from other accounts
- that are assigned to,
- granted membership of (and
- meet any authentication
- conditions of) the given SILO.
- </para>
- <para>
- This attribute avoids the need to write SDDL by hand and
- cannot be used with --user-allowed-to-authenticate-to
- </para>
- </listitem>
- </varlistentry>
<varlistentry>
<term>--service-tgt-lifetime-mins</term>
<listitem>
@@ -868,41 +821,6 @@
</para>
</listitem>
</varlistentry>
- <varlistentry>
- <term>--service-allowed-to-authenticate-from-device-silo=SILO</term>
- <listitem>
- <para>
- The service account (eg a Managed
- Service Account, Group Managed
- Service Account) is allowed to
- authenticate, if the device it
- authenticates from is assigned
- and granted membership of a
- given <constant>SILO</constant>.
- </para>
- <para>
- This attribute avoids the need to write SDDL by hand and
- cannot be used with --service-allowed-to-authenticate-from
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>--service-allowed-to-authenticate-from-device-group=GROUP</term>
- <listitem>
- <para>
- The service account (eg a Managed
- Service Account, Group Managed
- Service Account) is allowed to
- authenticate, if the device it
- authenticates from is a member
- of the given <constant>group</constant>.
- </para>
- <para>
- This attribute avoids the need to write SDDL by hand and
- cannot be used with --service-allowed-to-authenticate-from
- </para>
- </listitem>
- </varlistentry>
<varlistentry>
<term>--service-allowed-to-authenticate-to=SDDL</term>
<listitem>
@@ -923,42 +841,6 @@
</para>
</listitem>
</varlistentry>
- <varlistentry>
- <term>--service-allowed-to-authenticate-to-by-group=GROUP</term>
- <listitem>
- <para>
- The service account (eg a Managed
- Service Account, Group Managed
- Service Account), will only be
- allowed access by other accounts
- that are members of the given
- <constant>GROUP</constant>.
- </para>
- <para>
- This attribute avoids the need to write SDDL by hand and
- cannot be used with --service-allowed-to-authenticate-to
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>--service-allowed-to-authenticate-to-by-silo=SILO</term>
- <listitem>
- <para>
- The service account (eg a
- Managed Service Account, Group
- Managed Service Account), will
- only be allowed access by other
- accounts that are assigned
- to, granted membership of (and
- meet any authentication
- conditions of) the given SILO.
- </para>
- <para>
- This attribute avoids the need to write SDDL by hand and
- cannot be used with --service-allowed-to-authenticate-to
- </para>
- </listitem>
- </varlistentry>
<varlistentry>
<term>--computer-tgt-lifetime-mins</term>
<listitem>
@@ -986,43 +868,7 @@
</para>
</listitem>
</varlistentry>
- <varlistentry>
- <term>--computer-allowed-to-authenticate-to-by-group=GROUP</term>
- <listitem>
- <para>
- The computer account (eg a server
- or workstation), will only be
- allowed access by other accounts
- that are members of the given
- <constant>GROUP</constant>.
- </para>
- <para>
- This attribute avoids the need to write SDDL by hand and
- cannot be used with --computer-allowed-to-authenticate-to
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>--computer-allowed-to-authenticate-to-by-silo=SILO</term>
- <listitem>
- <para>
- The computer account (eg a
- server or workstation), will
- only be allowed access by
- other accounts that are
- assigned to, granted
- membership of (and meet any
- authentication conditions of)
- the given SILO.
- </para>
- <para>
- This attribute avoids the need to write SDDL by hand and
- cannot be used with --computer-allowed-to-authenticate-to
- </para>
- </listitem>
- </varlistentry>
-
- </variablelist>
+ </variablelist>
</refsect3>
<refsect3>
@@ -1056,6 +902,220 @@
</variablelist>
</refsect3>
+<refsect3>
+ <title>domain auth policy user-allowed-to-authenticate-from set</title>
+ <para>Set the user-allowed-to-authenticate-from property by scenario.</para>
+ <variablelist>
+ <varlistentry>
+ <term>-H, --URL</term>
+ <listitem><para>
+ LDB URL for database or target server.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--name</term>
+ <listitem><para>
+ Name of authentication policy.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--by-group=GROUP</term>
+ <listitem><para>
+ User is allowed to
+ authenticate, if the device they
+ authenticate from is assigned
+ and granted membership of a
+ given <constant>GROUP</constant>.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--silo=SILO</term>
+ <listitem><para>
+ User is allowed to
+ authenticate, if the device they
+ authenticate from is assigned
+ and granted membership of a
+ given <constant>SILO</constant>.
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect3>
+
+<refsect3>
+ <title>domain auth policy user-allowed-to-authenticate-to set</title>
+ <para>Set the user-allowed-to-authenticate-to property by scenario.</para>
+ <variablelist>
+ <varlistentry>
+ <term>-H, --URL</term>
+ <listitem><para>
+ LDB URL for database or target server.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--name</term>
+ <listitem><para>
+ Name of authentication policy.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--group=GROUP</term>
+ <listitem><para>
+ The user account, offering a
+ network service, covered by
+ this policy, will only be allowed
+ access from other accounts
+ that are members of the given
+ <constant>GROUP</constant>.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--silo=SILO</term>
+ <listitem><para>
+ The user account, offering a
+ network service, covered by
+ this policy, will only be
+ allowed access from other accounts
+ that are assigned to,
+ granted membership of (and
+ meet any authentication
+ conditions of) the given <constant>SILO</constant>.
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect3>
+
+<refsect3>
+ <title>domain auth policy service-allowed-to-authenticate-from set</title>
+ <para>Set the service-allowed-to-authenticate-from property by scenario.</para>
+ <variablelist>
+ <varlistentry>
+ <term>-H, --URL</term>
+ <listitem><para>
+ LDB URL for database or target server.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--name</term>
+ <listitem><para>
+ Name of authentication policy.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--group=GROUP</term>
+ <listitem><para>
+ The service account (eg a Managed
+ Service Account, Group Managed
+ Service Account) is allowed to
+ authenticate, if the device it
+ authenticates from is a member
+ of the given <constant>GROUP</constant>.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--silo=SILO</term>
+ <listitem><para>
+ The service account (eg a Managed
+ Service Account, Group Managed
+ Service Account) is allowed to
+ authenticate, if the device it
+ authenticates from is assigned
+ and granted membership of a
+ given <constant>SILO</constant>.
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect3>
+
+<refsect3>
+ <title>domain auth policy service-allowed-to-authenticate-to set</title>
+ <para>Set the service-allowed-to-authenticate-to property by scenario.</para>
+ <variablelist>
+ <varlistentry>
+ <term>-H, --URL</term>
+ <listitem><para>
+ LDB URL for database or target server.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--name</term>
+ <listitem><para>
+ Name of authentication policy.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--group=GROUP</term>
+ <listitem><para>
+ The service account (eg a Managed
+ Service Account, Group Managed
+ Service Account), will only be
+ allowed access by other accounts
+ that are members of the given
+ <constant>GROUP</constant>.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--silo=SILO</term>
+ <listitem><para>
+ The service account (eg a
+ Managed Service Account, Group
+ Managed Service Account), will
+ only be allowed access by other
+ accounts that are assigned
+ to, granted membership of (and
+ meet any authentication
+ conditions of) the given <constant>SILO</constant>.
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect3>
+
+<refsect3>
+ <title>domain auth policy computer-allowed-to-authenticate-to set</title>
+ <para>Set the computer-allowed-to-authenticate-to property by scenario.</para>
+ <variablelist>
+ <varlistentry>
+ <term>-H, --URL</term>
+ <listitem><para>
+ LDB URL for database or target server.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--name</term>
+ <listitem><para>
+ Name of authentication policy.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--group=GROUP</term>
+ <listitem><para>
+ The computer account (eg a server
+ or workstation), will only be
+ allowed access by other accounts
+ that are members of the given
+ <constant>GROUP</constant>.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--silo=SILO</term>
+ <listitem><para>
+ The computer account (eg a
+ server or workstation), will
+ only be allowed access by
+ other accounts that are
+ assigned to, granted
+ membership of (and meet any
+ authentication conditions of)
+ the given <constant>SILO</constant>.
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect3>
+
+<refsect2>
+ <title>domain auth silo</title>
+ <para>Manage authentication silos.</para>
+</refsect2>
+
<refsect3>
<title>domain auth silo list</title>
<para>List authentication silos on the domain.</para>
@@ -1635,6 +1695,216 @@
</variablelist>
</refsect3>
+<refsect2>
+ <title>service-account</title>
+ <para>Service account management.</para>
+</refsect2>
+
+<refsect3>
+ <title>service-account list</title>
+ <para>List service accounts on the domain.</para>
+ <variablelist>
+ <varlistentry>
+ <term>-H, --URL</term>
+ <listitem><para>
+ LDB URL for database or target server.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--json</term>
+ <listitem><para>
+ View service accounts as JSON instead of a list.
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect3>
+
+<refsect3>
+ <title>service-account view</title>
+ <para>View a single service account on the domain.</para>
+ <variablelist>
+ <varlistentry>
+ <term>-H, --URL</term>
+ <listitem><para>
+ LDB URL for database or target server.
--
Samba Shared Repository
More information about the samba-cvs
mailing list