[SCM] Samba Shared Repository - branch master updated
Ralph Böhme
slow at samba.org
Thu Apr 3 10:36:02 UTC 2025
The branch, master has been updated
via 72cb5fcbed3 winbindd: let update_trusted_domains_dc() also call pdb_filter_hints()
via e1ff389173f winbindd: add find_local_sam_domain() helper
via d0788faae57 winbindd: pass for_netlogon to winbind_dual_SamLogon to avoid caching
via fd21c3685a6 s4:auth/ntlm: let auth_winbind pass WB_SAMLOGON_FOR_NETLOGON
via 74d44f50291 s4:auth: let auth_context_create_for_netlogon() remember for_netlogon = true;
via 04968ead5ff s3:auth: let auth_winbind pass WBC_AUTH_PARAM_FLAGS_FOR_NETLOGON if needed
via 0733cfc636f s3:auth: remember make_auth3_context_for_netlogon() was used
via 6919a381a9b winbind.idl: add WB_SAMLOGON_FOR_NETLOGON
via fb891b4387f libwbclient: add WBC_AUTH_PARAM_FLAGS_FOR_NETLOGON to pass WBFLAG_PAM_FOR_NETLOGON
via 22893198cb4 winbind_struct_protocol.h: add WBFLAG_PAM_FOR_NETLOGON
via 9acb34f1c3e s4:librpc/idl: remove unused legacy copy of winbind.idl
via b16fecbd920 auth: let make_user_info_dc_pac() cross check PAC_UPN_DNS_FLAG_HAS_SAM_NAME_AND_SID
via f143306dd84 python:tests/krb5: let _{get,modify}_tgt() also change the objectsid in UPN_DNS_INFO
via 163a39334c3 python:tests/krb5: allow set_pac_sids() to take upn_dns_sid
via 7b4b9ae0ea2 python:tests/krb5: let check_device_info() allow an empty rid array
via f569dfe16ef python:tests/krb5: allow create_account_opts() to take selective_auth_allowed_sid
via 22a66b1a5ec python:tests/krb5: allow tgs_exchange_dict() to take expected_[device_]duplicated_groups
via 82ecf6e31ed python:tests/krb5: let check_device_info() handle EXTRA_DOMAIN_SID
via f7bcaa23774 python:tests/krb5: create_account_opts() can't handle self.AccountType.TRUST
via 1af0ccb8731 python:tests/krb5: add KDC_ERR_PATH_NOT_ACCEPTED
via 9a06e014b5b s4:kdc: samba_kdc_add_compounded_auth() should add Compounded_Authentication again if it's already there
via 08bf34c7212 s4:kdc: only use compound authentication with an explicit FAST armor
via e6506c2cf8c s4:kdc: samba_kdc_update_pac() doesn't need explicit delegated_proxy_principal
via 6892988fbde s4:kdc: store pac_princ in struct samba_kdc_entry_pac
via 225fa436bfe s4:kdc: pass pac_princ to samba_kdc_entry_pac()
via 08608dc08ea s4:kdc: pass pac_princ to samba_kdc_entry_pac_from_trusted()
via c87f66ebac3 s4:kdc: let samba_kdc_entry_pac[_from_trusted]() assert krbtgt is valid if pac is valid
via b0f12b05a83 s4:kdc: let hdb_samba4_check_rbcd() fill device_pac_entry() without device_entry
via 291a662f3fd s4:kdc: let samba_wdc_get_pac() use samba_kdc_get_device_pac()
via 18a28c15c46 s4:kdc: let samba_kdc_get_device_pac() always extract device_krbtgt_skdc_entry
via 996d7786c7d s4:kdc: let samba_wdc_reget_pac() use krbtgt_skdc_entry as delegated_proxy_krbtgt_entry
via 9f21b0e10a4 s4:kdc: let mit_samba_check_allowed_to_delegate_from() fetch krbtgt_entry
via c21918fe6e9 s4:kdc: add some checks for SDB_F_S4U2{SELF,PROXY}_PRINCIPAL
via 12a1f504dcf s4:kdc: let SDB_F_CROSS_REALM_PRINCIPAL result in SDB_ERR_NOT_FOUND_HERE
via d587593b935 s4:kdc: pass HDB_F_{CROSS_REALM,S4U2SELF,S4U2PROXY}_PRINCIPAL as SDB_F_*
via 7664b7a8738 s4:kdc: adjust to HDB_INTERFACE_VERSION=12
via 6b0b52399c3 third_party/heimdal: Import lorikeet-heimdal-202503211313 (commit f5c091eff46b975ede09860066239aee5f563bdf)
via 7af09c5fcb6 third_party/heimdal: Import lorikeet-heimdal-202503211047 (commit 752fd2fc0d7e48791df91dd2b45899e64ef65a7a)
via 19ae5c2b52a s4:kdc: specify SDB_F_ values as hex
via c7a89d62fb0 lib/ldb-samba: allow ldb_get_opaque(ldb, "backend_no_debug_connect")
via 2331bf56073 lib/ldb: allow ldb_get_opaque(ldb, "backend_no_debug_connect")
via 2e52c4e8a56 libcli/security: split trust_forest_info_* functions into samba-security-trusts
from 0e4cab78cdf s3/locking: add a comment to share_mode_data_ltdb_store()
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 72cb5fcbed3b27deac6464f5a203209445b50d58
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Mar 22 01:03:26 2025 +0100
winbindd: let update_trusted_domains_dc() also call pdb_filter_hints()
On an AD DC we need to update sam_domain->fti, so that
find_routing_from_namespace_noinit() uses the correct
uPNSuffixes and msDS-SPNSuffixes values for the local forest.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Thu Apr 3 10:35:10 UTC 2025 on atb-devel-224
commit e1ff389173fad44a1153291b24c7433564243d05
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Mar 21 17:38:35 2025 +0100
winbindd: add find_local_sam_domain() helper
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit d0788faae576906c8d179f822ddd2d44848a6a69
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Mar 21 18:49:16 2025 +0100
winbindd: pass for_netlogon to winbind_dual_SamLogon to avoid caching
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit fd21c3685a691b1d2af597df41161e03e9bfe2df
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Mar 21 18:37:49 2025 +0100
s4:auth/ntlm: let auth_winbind pass WB_SAMLOGON_FOR_NETLOGON
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 74d44f50291dc58fdd3897b6e2ee075c585bd3bf
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Mar 21 18:34:03 2025 +0100
s4:auth: let auth_context_create_for_netlogon() remember for_netlogon = true;
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 04968ead5ff790cc6a2e573b5fb545e135243b4e
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Mar 21 17:08:24 2025 +0100
s3:auth: let auth_winbind pass WBC_AUTH_PARAM_FLAGS_FOR_NETLOGON if needed
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 0733cfc636f59328592fd581f33834ad0f41c215
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Mar 21 17:04:05 2025 +0100
s3:auth: remember make_auth3_context_for_netlogon() was used
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 6919a381a9b1050b642af5275447d82928848aca
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Mar 21 18:36:02 2025 +0100
winbind.idl: add WB_SAMLOGON_FOR_NETLOGON
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit fb891b4387fa643dd4810666a4e7e4758cab1bed
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Mar 21 18:19:34 2025 +0100
libwbclient: add WBC_AUTH_PARAM_FLAGS_FOR_NETLOGON to pass WBFLAG_PAM_FOR_NETLOGON
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 22893198cb439340cc0987ca7db85fdef17a61df
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Mar 21 17:06:26 2025 +0100
winbind_struct_protocol.h: add WBFLAG_PAM_FOR_NETLOGON
This will be used when auth_winbind is used with
make_auth3_context_for_netlogon().
This will allow winbindd to use different rules
for LogonSamLogon requests compared to
local authentications for smbd.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 9acb34f1c3e59e9040ad291da99eebd48f0d7358
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Mar 21 18:06:25 2025 +0100
s4:librpc/idl: remove unused legacy copy of winbind.idl
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit b16fecbd920bec9f93687a7b2205cecea3d1da7b
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Mar 12 15:23:11 2025 +0100
auth: let make_user_info_dc_pac() cross check PAC_UPN_DNS_FLAG_HAS_SAM_NAME_AND_SID
If there's a mismatch, someone is doing strange things...
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit f143306dd84e3ffcae52f43c5674fb55a56943d1
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Mar 12 21:02:03 2025 +0100
python:tests/krb5: let _{get,modify}_tgt() also change the objectsid in UPN_DNS_INFO
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 163a39334c3ae79b4c26140b5334aa929634f868
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Mar 12 15:42:58 2025 +0100
python:tests/krb5: allow set_pac_sids() to take upn_dns_sid
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 7b4b9ae0ea2a5f533cf249c9bdd5159f832f40a0
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Mar 12 14:14:51 2025 +0100
python:tests/krb5: let check_device_info() allow an empty rid array
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit f569dfe16ef8ac0d6556360863dbf1d3b2814143
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Mar 10 19:08:31 2025 +0100
python:tests/krb5: allow create_account_opts() to take selective_auth_allowed_sid
This will add a GUID_DRS_ALLOWED_TO_AUTHENTICATE ace with CONTROL_ACCESS
to the created account.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 22a66b1a5ec0901b66d77eecfa056008dc434e0a
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Mar 10 21:03:16 2025 +0100
python:tests/krb5: allow tgs_exchange_dict() to take expected_[device_]duplicated_groups
This allows us to expect duplicated sids in the PAC.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 82ecf6e31ed51539d68b4cf77ca2ec6c3e525f43
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Mar 10 20:51:22 2025 +0100
python:tests/krb5: let check_device_info() handle EXTRA_DOMAIN_SID
device info does not really have RESOURCE_SID,
so we need to map RESOURCE_SID as well as EXTRA_SID (with an S-1-5-21-
prefix) to EXTRA_DOMAIN_SID.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit f7bcaa23774870adc1074f997b8476ff70ca316a
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Mar 10 19:06:39 2025 +0100
python:tests/krb5: create_account_opts() can't handle self.AccountType.TRUST
create_trust() is used for that...
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 1af0ccb87313d64f4851e4910265632394ff6f64
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Mar 13 00:44:27 2025 +0100
python:tests/krb5: add KDC_ERR_PATH_NOT_ACCEPTED
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 9a06e014b5bf3f1f921897f4376e75f881aad287
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Mar 12 16:17:58 2025 +0100
s4:kdc: samba_kdc_add_compounded_auth() should add Compounded_Authentication again if it's already there
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 08bf34c7212426a568825e13714b51b20f884271
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Mar 13 01:50:23 2025 +0100
s4:kdc: only use compound authentication with an explicit FAST armor
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit e6506c2cf8c2a3399b960349e5c2abf6ccce219a
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Mar 13 01:46:09 2025 +0100
s4:kdc: samba_kdc_update_pac() doesn't need explicit delegated_proxy_principal
It comes along as delegated_proxy.pac_princ now.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 6892988fbdea8b21872cf7666f88dbe9f9c98834
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Mar 13 01:41:40 2025 +0100
s4:kdc: store pac_princ in struct samba_kdc_entry_pac
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 225fa436bfe12049fe79381078c0e0bc3d96e647
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Mar 13 01:40:18 2025 +0100
s4:kdc: pass pac_princ to samba_kdc_entry_pac()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 08608dc08ea7b5d44b259dbfdf6945359b1a34f0
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Mar 13 01:21:03 2025 +0100
s4:kdc: pass pac_princ to samba_kdc_entry_pac_from_trusted()
For mit_samba_update_pac() we can only pass it optionally.
This should be fixed in future, but it requires changes
in MIT Kerberos.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit c87f66ebac37d4bab7c34f95ec0f3c347360e894
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Mar 11 11:44:25 2025 +0100
s4:kdc: let samba_kdc_entry_pac[_from_trusted]() assert krbtgt is valid if pac is valid
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit b0f12b05a83836c6c9bf33a9660cecdde589e0f0
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Mar 11 12:09:43 2025 +0100
s4:kdc: let hdb_samba4_check_rbcd() fill device_pac_entry() without device_entry
If we have a device_pac we also have device_server/krbtgt_entry, while
device_entry is optional.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 291a662f3fdf11142ead123a506e63d93f9e2df7
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Mar 11 12:08:47 2025 +0100
s4:kdc: let samba_wdc_get_pac() use samba_kdc_get_device_pac()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 18a28c15c462df3a6e745c8b69371b4e1f434671
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Mar 11 00:13:20 2025 +0100
s4:kdc: let samba_kdc_get_device_pac() always extract device_krbtgt_skdc_entry
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 996d7786c7d0ae63fe440f3b991f90a316e27b35
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Mar 11 11:40:45 2025 +0100
s4:kdc: let samba_wdc_reget_pac() use krbtgt_skdc_entry as delegated_proxy_krbtgt_entry
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 9f21b0e10a47120303be9a886a8b4d48ead2a325
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Mar 11 11:37:30 2025 +0100
s4:kdc: let mit_samba_check_allowed_to_delegate_from() fetch krbtgt_entry
samba_kdc_entry_pac_from_trusted() will soon assert that
it has a valid krbtgt_entry.
In the long run this should be passed from the caller...
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit c21918fe6e908715610f7b65fc0235625a4e52c6
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Mar 20 02:15:28 2025 +0100
s4:kdc: add some checks for SDB_F_S4U2{SELF,PROXY}_PRINCIPAL
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 12a1f504dcf42a5c243aebb57502f5fd0b199540
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Mar 20 02:02:11 2025 +0100
s4:kdc: let SDB_F_CROSS_REALM_PRINCIPAL result in SDB_ERR_NOT_FOUND_HERE
It means the client is remote and the kdc logic has to live without
an sdb_entry.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit d587593b93570cdc752141fe354112fbecc3735c
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Mar 20 01:50:11 2025 +0100
s4:kdc: pass HDB_F_{CROSS_REALM,S4U2SELF,S4U2PROXY}_PRINCIPAL as SDB_F_*
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 7664b7a8738bc065339b788552e2d843605911ac
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Mar 13 02:59:22 2025 +0100
s4:kdc: adjust to HDB_INTERFACE_VERSION=12
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 6b0b52399c3ec93f45ea82ac2923a1c581407ea2
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Mar 21 13:23:41 2025 +0100
third_party/heimdal: Import lorikeet-heimdal-202503211313 (commit f5c091eff46b975ede09860066239aee5f563bdf)
This is a rebase on Heimdal master as well as
some patches to prepare sid-filtering support in Samba.
NOTE: THIS COMMIT WON’T COMPILE/WORK ON ITS OWN!
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 7af09c5fcb6f70c475ec807eab4c2086958ddaa7
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Mar 20 00:22:34 2025 +0100
third_party/heimdal: Import lorikeet-heimdal-202503211047 (commit 752fd2fc0d7e48791df91dd2b45899e64ef65a7a)
kdc: Constrained delegation requires a local delegating server
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15837
MR: https://github.com/heimdal/heimdal/pull/1274
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 19ae5c2b52a952d968b0af49e50adc9bdada3a92
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Mar 20 01:47:23 2025 +0100
s4:kdc: specify SDB_F_ values as hex
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit c7a89d62fb0ed0dc71919d19bc8f6b7442a0a411
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Mar 6 17:23:39 2025 +0100
lib/ldb-samba: allow ldb_get_opaque(ldb, "backend_no_debug_connect")
We don't want expected connect/bind failures in the log output...
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 2331bf560737ab6f758bf07e3c02ad9fa87e4cc4
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Mar 6 17:23:39 2025 +0100
lib/ldb: allow ldb_get_opaque(ldb, "backend_no_debug_connect")
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 2e52c4e8a56f659edd4fce8e4c964f193266f13d
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Mar 14 09:30:03 2025 +0100
libcli/security: split trust_forest_info_* functions into samba-security-trusts
This will avoid dependency loops in following commits.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
-----------------------------------------------------------------------
Summary of changes:
auth/auth_sam_reply.c | 34 +
auth/common_auth.h | 2 +
lib/ldb-samba/ldb_ildap.c | 18 +
lib/ldb/common/ldb_modules.c | 6 +
libcli/lsarpc/util_lsarpc.c | 947 ---------------------
libcli/lsarpc/util_lsarpc.h | 35 -
libcli/security/security.h | 1 +
.../util_lsarpc.c => security/trust_forest_info.c} | 349 +-------
.../util_lsarpc.h => security/trust_forest_info.h} | 24 +-
libcli/security/wscript_build | 12 +
librpc/idl/winbind.idl | 5 +
nsswitch/libwbclient/wbc_pam.c | 4 +
nsswitch/libwbclient/wbclient.h | 1 +
nsswitch/winbind_struct_protocol.h | 1 +
python/samba/tests/krb5/kdc_base_test.py | 36 +-
python/samba/tests/krb5/kdc_tgs_tests.py | 13 +
python/samba/tests/krb5/raw_testcase.py | 74 +-
python/samba/tests/krb5/rfc4120_constants.py | 1 +
source3/auth/auth.c | 9 +-
source3/auth/auth_winbind.c | 4 +
source3/include/auth.h | 2 +
source3/winbindd/winbindd_dual_srv.c | 6 +
source3/winbindd/winbindd_pam.c | 14 +
source3/winbindd/winbindd_proto.h | 2 +
source3/winbindd/winbindd_util.c | 25 +
source3/wscript_build | 1 +
source4/auth/ntlm/auth.c | 7 +-
source4/auth/ntlm/auth_winbind.c | 4 +
source4/dsdb/wscript_build | 2 +-
source4/kdc/db-glue.c | 39 +
source4/kdc/hdb-samba4-plugin.c | 2 +-
source4/kdc/hdb-samba4.c | 26 +-
source4/kdc/kdc-glue.c | 27 +-
source4/kdc/mit_samba.c | 59 +-
source4/kdc/pac-glue.c | 53 +-
source4/kdc/pac-glue.h | 21 +-
source4/kdc/sdb.h | 39 +-
source4/kdc/wdc-samba4.c | 55 +-
source4/librpc/idl/winbind.idl | 35 -
third_party/heimdal/.gitignore | 4 +
third_party/heimdal/appl/test/auditdns.c | 4 +
third_party/heimdal/cf/find-func-no-libs2.m4 | 2 +-
third_party/heimdal/cf/have-struct-field.m4 | 3 +-
third_party/heimdal/kdc/fast.c | 8 +
third_party/heimdal/kdc/kdc-accessors.h | 10 +
third_party/heimdal/kdc/kdc-plugin.c | 6 +
third_party/heimdal/kdc/kdc.h | 6 +-
third_party/heimdal/kdc/kdc_locl.h | 2 +-
third_party/heimdal/kdc/kerberos5.c | 18 +-
third_party/heimdal/kdc/krb5tgs.c | 41 +-
third_party/heimdal/kdc/libkdc-exports.def | 2 +
third_party/heimdal/kdc/mssfu.c | 36 +-
third_party/heimdal/kdc/version-script.map | 2 +
third_party/heimdal/lib/gssapi/krb5/arcfour.c | 14 +-
third_party/heimdal/lib/gssapi/krb5/cfx.c | 52 +-
third_party/heimdal/lib/gssapi/krb5/sequence.c | 2 +-
third_party/heimdal/lib/gssapi/krb5/unwrap.c | 20 +-
third_party/heimdal/lib/gssapi/krb5/verify_mic.c | 8 +-
.../heimdal/lib/hcrypto/libtommath/bn_mp_2expt.c | 4 +
.../heimdal/lib/hcrypto/libtommath/bn_mp_grow.c | 4 +
.../lib/hcrypto/libtommath/bn_mp_init_size.c | 5 +
.../heimdal/lib/hcrypto/libtommath/bn_mp_mul_2d.c | 4 +
.../lib/hcrypto/libtommath/bn_s_mp_mul_digs.c | 4 +
.../lib/hcrypto/libtommath/bn_s_mp_mul_digs_fast.c | 4 +
.../lib/hcrypto/libtommath/bn_s_mp_mul_high_digs.c | 4 +
.../libtommath/bn_s_mp_mul_high_digs_fast.c | 4 +
third_party/heimdal/lib/hdb/hdb.h | 18 +-
third_party/heimdal/lib/krb5/fast.c | 2 +-
third_party/heimdal/lib/krb5/fcache.c | 38 +-
third_party/heimdal/lib/krb5/krbhst.c | 39 +-
third_party/heimdal/lib/krb5/salt-des.c | 4 +
third_party/heimdal/lib/otp/otp_db.c | 7 +-
72 files changed, 812 insertions(+), 1564 deletions(-)
copy libcli/{lsarpc/util_lsarpc.c => security/trust_forest_info.c} (73%)
copy libcli/{lsarpc/util_lsarpc.h => security/trust_forest_info.h} (71%)
delete mode 100644 source4/librpc/idl/winbind.idl
Changeset truncated at 500 lines:
diff --git a/auth/auth_sam_reply.c b/auth/auth_sam_reply.c
index 2123094bf0a..a21093059cd 100644
--- a/auth/auth_sam_reply.c
+++ b/auth/auth_sam_reply.c
@@ -969,6 +969,40 @@ NTSTATUS make_user_info_dc_pac(TALLOC_CTX *mem_ctx,
if (pac_upn_dns_info->flags & PAC_UPN_DNS_FLAG_CONSTRUCTED) {
user_info_dc->info->user_principal_constructed = true;
}
+
+ if (pac_upn_dns_info->flags & PAC_UPN_DNS_FLAG_HAS_SAM_NAME_AND_SID) {
+ const struct PAC_UPN_DNS_INFO_SAM_NAME_AND_SID *ei =
+ &pac_upn_dns_info->ex.sam_name_and_sid;
+ const struct auth_SidAttr *psid =
+ &user_info_dc->sids[PRIMARY_USER_SID_INDEX];
+ bool match = true;
+
+ if (ei->objectsid != NULL) {
+ match = dom_sid_equal(ei->objectsid, &psid->sid);
+ }
+ if (!match) {
+ struct dom_sid_buf sb1 = {};
+ struct dom_sid_buf sb2 = {};
+
+ DBG_WARNING("Mismatching PAC_UPN_DNS "
+ "objectSid[%s] LOGON_INFO[%s]\n",
+ dom_sid_str_buf(ei->objectsid, &sb1),
+ dom_sid_str_buf(&psid->sid, &sb2));
+ talloc_free(user_info_dc);
+ return NT_STATUS_INVALID_TOKEN;
+ }
+
+ match = strequal(ei->samaccountname,
+ user_info_dc->info->account_name);
+ if (!match) {
+ DBG_WARNING("Mismatching PAC_UPN_DNS "
+ "sAMAccountName[%s] LOGON_INFO[%s]\n",
+ ei->samaccountname,
+ user_info_dc->info->account_name);
+ talloc_free(user_info_dc);
+ return NT_STATUS_INVALID_TOKEN;
+ }
+ }
}
*_user_info_dc = user_info_dc;
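Review bot: the NULL handling in the new PAC_UPN_DNS_FLAG_HAS_SAM_NAME_AND_SID block is asymmetric: `ei->objectsid` is only compared when it is non-NULL, but `ei->samaccountname` goes straight into `strequal()` and, on mismatch, into the `%s` of the DBG_WARNING, so a buffer that sets the flag but carries no name is logged with a NULL string instead of being rejected explicitly. Suggest deciding up front whether the flag without an objectsid or without a samaccountname is acceptable; if not, return NT_STATUS_INVALID_TOKEN for both before the comparisons, and if it is, mirror the `!= NULL` guard for the name. A one-line comment on why the cross-check exists would also help, since the commit message only says "someone is doing strange things".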
diff --git a/auth/common_auth.h b/auth/common_auth.h
index ef507211453..97f1323d2ee 100644
--- a/auth/common_auth.h
+++ b/auth/common_auth.h
@@ -136,6 +136,8 @@ struct auth4_context {
/* Kerberos context, set up on demand */
struct smb_krb5_context *smb_krb5_context;
+ bool for_netlogon;
+
struct tevent_req *(*check_ntlm_password_send)(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
struct auth4_context *auth_ctx,
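Review bot: the new `bool for_netlogon;` member lands in struct auth4_context without a comment, while the neighbouring `smb_krb5_context` member carries one (`/* Kerberos context, set up on demand */`). Suggest documenting what it switches: per the commit messages above it is set by auth_context_create_for_netlogon() and makes auth_winbind pass WB_SAMLOGON_FOR_NETLOGON so that winbindd applies LogonSamLogon rules rather than the rules for local smbd authentication.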
diff --git a/lib/ldb-samba/ldb_ildap.c b/lib/ldb-samba/ldb_ildap.c
index 0c051f143a7..8ddb0ae9b8d 100644
--- a/lib/ldb-samba/ldb_ildap.c
+++ b/lib/ldb-samba/ldb_ildap.c
@@ -916,6 +916,12 @@ static int ildb_connect(struct ldb_context *ldb, const char *url,
NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
struct cli_credentials *creds;
struct loadparm_context *lp_ctx;
+ const char *no_debug_str = ldb_get_opaque(ldb, "backend_no_debug_connect");
+ bool no_debug = false;
+
+ if (no_debug_str != NULL && no_debug_str[0] == '1') {
+ no_debug = true;
+ }
lp_ctx = talloc_get_type(ldb_get_opaque(ldb, "loadparm"),
struct loadparm_context);
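Review bot: the opaque value is interpreted by looking at its first byte only (`no_debug_str[0] == '1'`), so "1", "10" and "1anything" all enable the switch while "true" or "yes" do not. Suggest an exact `strcmp(no_debug_str, "1") == 0` (or a documented boolean parser), and since the identical lookup and test appear again in lib/ldb/common/ldb_modules.c in this same changeset, a shared helper or at least a #define for the "backend_no_debug_connect" literal so the two copies cannot drift apart.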
@@ -948,6 +954,10 @@ static int ildb_connect(struct ldb_context *ldb, const char *url,
status = ldap_connect(ildb->ldap, url);
if (!NT_STATUS_IS_OK(status)) {
+ if (no_debug) {
+ goto failed;
+ }
+
ldb_debug(ldb, LDB_DEBUG_ERROR, "Failed to connect to ldap URL '%s' - %s",
url, ldap_errstr(ildb->ldap, module, status));
goto failed;
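Review bot: with `no_debug` set the connect failure jumps to `failed` without being logged at any level. `status` still reaches the caller through the failed path, so nothing is lost functionally, but callers that set the opaque to hide expected failures also lose the ldap_errstr() detail when an unexpected one happens. Suggest downgrading to a lower level such as LDB_DEBUG_TRACE instead of skipping the ldb_debug() call, which keeps the quiet default the commit message asks for while leaving the detail recoverable.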
@@ -970,6 +980,10 @@ static int ildb_connect(struct ldb_context *ldb, const char *url,
const char *password = cli_credentials_get_password(creds);
status = ldap_bind_simple(ildb->ldap, bind_dn, password);
if (!NT_STATUS_IS_OK(status)) {
+ if (no_debug) {
+ goto failed;
+ }
+
ldb_debug(ldb, LDB_DEBUG_ERROR, "Failed to bind - %s",
ldap_errstr(ildb->ldap, module, status));
goto failed;
@@ -977,6 +991,10 @@ static int ildb_connect(struct ldb_context *ldb, const char *url,
} else {
status = ldap_bind_sasl(ildb->ldap, creds, lp_ctx);
if (!NT_STATUS_IS_OK(status)) {
+ if (no_debug) {
+ goto failed;
+ }
+
ldb_debug(ldb, LDB_DEBUG_ERROR, "Failed to bind - %s",
ldap_errstr(ildb->ldap, module, status));
goto failed;
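Review bot: this is the third copy of the same `if (no_debug) { goto failed; }` prelude in ildb_connect() (connect, simple bind, SASL bind). Rather than repeating it before each ldb_debug(), wrapping each log call as `if (!no_debug) { ldb_debug(...); } goto failed;` or moving the check into a small static helper would express the intent once and keep the three paths from diverging.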
diff --git a/lib/ldb/common/ldb_modules.c b/lib/ldb/common/ldb_modules.c
index 08d251f9bdd..04f27e6918f 100644
--- a/lib/ldb/common/ldb_modules.c
+++ b/lib/ldb/common/ldb_modules.c
@@ -223,6 +223,12 @@ int ldb_module_connect_backend(struct ldb_context *ldb,
ret = be->ops->connect_fn(ldb, url, ldb->flags, options, backend_module);
if (ret != LDB_SUCCESS) {
+ const char *no_debug = ldb_get_opaque(ldb, "backend_no_debug_connect");
+
+ if (no_debug != NULL && no_debug[0] == '1') {
+ return ret;
+ }
+
ldb_debug(ldb, LDB_DEBUG_ERROR,
"Failed to connect to '%s' with backend '%s': %s", url, be->ops->name, ldb_errstring(ldb));
return ret;
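Review bot: same first-byte test (`no_debug[0] == '1'`) and same "backend_no_debug_connect" literal as in lib/ldb-samba/ldb_ildap.c. Since ldb_ildap.c is layered on lib/ldb, the natural place for a single helper that reads and interprets the opaque is here in lib/ldb, with ldb_ildap.c calling it; that also makes the exact-match fix a one-place change. Note that the early `return ret;` still leaves the backend's ldb_errstring(ldb) in place for the caller, so only the log line is suppressed.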
diff --git a/libcli/lsarpc/util_lsarpc.c b/libcli/lsarpc/util_lsarpc.c
index 2a5752b4610..96c98487a7e 100644
--- a/libcli/lsarpc/util_lsarpc.c
+++ b/libcli/lsarpc/util_lsarpc.c
@@ -18,11 +18,9 @@
*/
#include "includes.h"
-#include "lib/util/dns_cmp.h"
#include "../librpc/gen_ndr/ndr_drsblobs.h"
#include "../librpc/gen_ndr/ndr_lsa.h"
#include "libcli/lsarpc/util_lsarpc.h"
-#include "libcli/security/dom_sid.h"
static NTSTATUS ai_array_2_trust_domain_info_buffer(TALLOC_CTX *mem_ctx,
uint32_t count,
@@ -359,948 +357,3 @@ NTSTATUS auth_info_2_auth_blob(TALLOC_CTX *mem_ctx,
return NT_STATUS_OK;
}
-
-static NTSTATUS trust_forest_record_from_lsa(TALLOC_CTX *mem_ctx,
- const struct lsa_ForestTrustRecord2 *lftr,
- struct ForestTrustInfoRecord *ftr)
-{
- struct ForestTrustString *str = NULL;
- const struct lsa_StringLarge *lstr = NULL;
- const struct lsa_ForestTrustDomainInfo *linfo = NULL;
- struct ForestTrustDataDomainInfo *info = NULL;
- DATA_BLOB blob = { .length = 0, };
-
- if (lftr == NULL) {
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- ftr->flags = lftr->flags;
- ftr->timestamp = lftr->time;
-
- switch (lftr->type) {
- case LSA_FOREST_TRUST_TOP_LEVEL_NAME:
- ftr->type = FOREST_TRUST_TOP_LEVEL_NAME;
-
- lstr = &lftr->forest_trust_data.top_level_name;
- str = &ftr->data.name;
-
- str->string = talloc_strdup(mem_ctx, lstr->string);
- if (str->string == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
-
- return NT_STATUS_OK;
-
- case LSA_FOREST_TRUST_TOP_LEVEL_NAME_EX:
- ftr->type = FOREST_TRUST_TOP_LEVEL_NAME_EX;
-
- lstr = &lftr->forest_trust_data.top_level_name_ex;
- str = &ftr->data.name;
-
- str->string = talloc_strdup(mem_ctx, lstr->string);
- if (str->string == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
-
- return NT_STATUS_OK;
-
- case LSA_FOREST_TRUST_DOMAIN_INFO:
- ftr->type = FOREST_TRUST_DOMAIN_INFO;
-
- linfo = &lftr->forest_trust_data.domain_info;
- info = &ftr->data.info;
-
- if (linfo->domain_sid == NULL) {
- return NT_STATUS_INVALID_PARAMETER;
- }
- info->sid = *linfo->domain_sid;
-
- lstr = &linfo->dns_domain_name;
- str = &info->dns_name;
- str->string = talloc_strdup(mem_ctx, lstr->string);
- if (str->string == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
-
- lstr = &linfo->netbios_domain_name;
- str = &info->netbios_name;
- str->string = talloc_strdup(mem_ctx, lstr->string);
- if (str->string == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
-
- return NT_STATUS_OK;
-
- case LSA_FOREST_TRUST_BINARY_DATA:
- ftr->type = FOREST_TRUST_BINARY_DATA;
-
- blob = data_blob_talloc_named(mem_ctx,
- lftr->forest_trust_data.data.data,
- lftr->forest_trust_data.data.length,
- "BINARY_DATA");
- if (blob.length != lftr->forest_trust_data.data.length) {
- return NT_STATUS_NO_MEMORY;
- }
- ftr->data.binary.data = blob.data;
- ftr->data.binary.size = blob.length;
-
- return NT_STATUS_OK;
-
- case LSA_FOREST_TRUST_SCANNER_INFO:
- ftr->type = FOREST_TRUST_SCANNER_INFO;
-
- linfo = &lftr->forest_trust_data.scanner_info;
- info = &ftr->data.scanner_info.info;
-
- ftr->data.scanner_info.sub_type = FOREST_TRUST_SCANNER_INFO;
-
- if (linfo->domain_sid != NULL) {
- info->sid = *linfo->domain_sid;
- } else {
- info->sid = (struct dom_sid) { .sid_rev_num = 0, };
- }
-
- lstr = &linfo->dns_domain_name;
- str = &info->dns_name;
- str->string = talloc_strdup(mem_ctx, lstr->string);
- if (str->string == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
-
- lstr = &linfo->netbios_domain_name;
- str = &info->netbios_name;
- str->string = talloc_strdup(mem_ctx, lstr->string);
- if (str->string == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
-
- return NT_STATUS_OK;
- }
-
- return NT_STATUS_NOT_SUPPORTED;
-}
-
-static NTSTATUS trust_forest_record_lsa_resolve_binary(TALLOC_CTX *mem_ctx,
- uint32_t flags,
- NTTIME time,
- const struct lsa_ForestTrustBinaryData *binary,
- struct lsa_ForestTrustRecord2 *lftr2)
-{
- enum ForestTrustInfoRecordType sub_type = FOREST_TRUST_BINARY_DATA;
- DATA_BLOB blob = { .length = 0, };
-
- if (binary == NULL) {
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- /*
- * Note 'binary' may points to
- * lftr2->forest_trust_data.data
- *
- * So we remember the relevant
- * information in blob and clear
- * the binary pointer in order
- * to avoid touching it again.
- *
- * Because we likely change
- * the lftr2->forest_trust_data union
- */
- blob.data = binary->data;
- blob.length = binary->length;
- binary = NULL;
-
- /*
- * We need at least size and subtype
- */
- if (blob.length < 5) {
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- sub_type = PULL_LE_U8(blob.data, 4);
-
- /*
- * Only levels above LSA_FOREST_TRUST_DOMAIN_INFO
- * are handled as binary.
- */
- if (sub_type <= FOREST_TRUST_BINARY_DATA) {
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- lftr2->flags = flags;
- lftr2->time = time;
-
- /*
- * Depending if the sub_type is wellknown the information is upgraded,
- * currently only for the LSA_FOREST_TRUST_SCANNER_INFO records.
- */
-
- if (sub_type == FOREST_TRUST_SCANNER_INFO) {
- struct lsa_ForestTrustDomainInfo *d_sdi = NULL;
- union ForestTrustData fta = { .unknown = { .size = 0, }, };
- const struct ForestTrustDataDomainInfo *s_sdi = NULL;
- enum ndr_err_code ndr_err;
-
- ndr_err = ndr_pull_union_blob(&blob,
- mem_ctx,
- &fta,
- FOREST_TRUST_SCANNER_INFO,
- (ndr_pull_flags_fn_t)ndr_pull_ForestTrustData);
- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
- return ndr_map_error2ntstatus(ndr_err);
- }
-
- if (fta.scanner_info.sub_type != FOREST_TRUST_SCANNER_INFO) {
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- s_sdi = &fta.scanner_info.info;
- d_sdi = &lftr2->forest_trust_data.scanner_info;
-
- d_sdi->dns_domain_name.string = s_sdi->dns_name.string;
- d_sdi->netbios_domain_name.string = s_sdi->netbios_name.string;
-
- if (s_sdi->sid_size != 0) {
- d_sdi->domain_sid = dom_sid_dup(mem_ctx,
- &s_sdi->sid);
- if (d_sdi->domain_sid == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
- } else {
- d_sdi->domain_sid = NULL;
- }
-
- lftr2->type = LSA_FOREST_TRUST_SCANNER_INFO;
-
- return NT_STATUS_OK;
- }
-
- /*
- * In all other cases lftr->type is downgraded to
- * LSA_FOREST_TRUST_BINARY_DATA.
- */
-
- lftr2->type = LSA_FOREST_TRUST_BINARY_DATA;
- lftr2->forest_trust_data.data.data = blob.data;
- lftr2->forest_trust_data.data.length = blob.length;
-
- return NT_STATUS_OK;
-}
-
-static NTSTATUS trust_forest_record_lsa_1to2(TALLOC_CTX *mem_ctx,
- const struct lsa_ForestTrustRecord *lftr,
- struct lsa_ForestTrustRecord2 *lftr2)
-{
- const struct lsa_ForestTrustBinaryData *binary = NULL;
-
- if (lftr == NULL) {
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- lftr2->flags = lftr->flags;
- lftr2->time = lftr->time;
-
- switch (lftr->type) {
- case LSA_FOREST_TRUST_TOP_LEVEL_NAME:
- lftr2->type = LSA_FOREST_TRUST_TOP_LEVEL_NAME;
- lftr2->forest_trust_data.top_level_name =
- lftr->forest_trust_data.top_level_name;
-
- return NT_STATUS_OK;
-
- case LSA_FOREST_TRUST_TOP_LEVEL_NAME_EX:
- lftr2->type = LSA_FOREST_TRUST_TOP_LEVEL_NAME_EX;
- lftr2->forest_trust_data.top_level_name_ex =
- lftr->forest_trust_data.top_level_name_ex;
-
- return NT_STATUS_OK;
-
- case LSA_FOREST_TRUST_DOMAIN_INFO:
- lftr2->type = LSA_FOREST_TRUST_DOMAIN_INFO;
- lftr2->forest_trust_data.domain_info =
- lftr->forest_trust_data.domain_info;
-
- return NT_STATUS_OK;
-
- case LSA_FOREST_TRUST_BINARY_DATA:
- case LSA_FOREST_TRUST_SCANNER_INFO:
- /* just to avoid the missing enum switch warning */
- break;
- }
-
- /*
- * All levels above LSA_FOREST_TRUST_DOMAIN_INFO are handled as binary.
- *
- * Depending if the sub_type is wellknown the information is upgraded,
- * currently only for the LSA_FOREST_TRUST_SCANNER_INFO records.
- *
- * In all other cases lftr->type is downgraded to
- * LSA_FOREST_TRUST_BINARY_DATA.
- */
-
- binary = &lftr->forest_trust_data.data;
-
- return trust_forest_record_lsa_resolve_binary(mem_ctx,
- lftr->flags,
- lftr->time,
- binary,
- lftr2);
-}
-
-NTSTATUS trust_forest_info_from_lsa(TALLOC_CTX *mem_ctx,
- const struct lsa_ForestTrustInformation *lfti,
- struct ForestTrustInfo **_fti)
-{
- struct ForestTrustInfo *fti;
- uint32_t i;
-
- *_fti = NULL;
-
- fti = talloc_zero(mem_ctx, struct ForestTrustInfo);
- if (fti == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
-
- fti->version = 1;
- fti->count = lfti->count;
- fti->records = talloc_zero_array(fti,
- struct ForestTrustInfoRecordArmor,
- fti->count);
- if (fti->records == NULL) {
- TALLOC_FREE(fti);
- return NT_STATUS_NO_MEMORY;
- }
-
- for (i = 0; i < fti->count; i++) {
- const struct lsa_ForestTrustRecord *lftr = lfti->entries[i];
- struct lsa_ForestTrustRecord2 lftr2 = { .flags = 0, };
- struct ForestTrustInfoRecord *ftr = &fti->records[i].record;
- TALLOC_CTX *frame = talloc_stackframe();
- NTSTATUS status;
-
- status = trust_forest_record_lsa_1to2(frame,
- lftr,
- &lftr2);
- if (!NT_STATUS_IS_OK(status)) {
- TALLOC_FREE(frame);
- TALLOC_FREE(fti);
- return status;
- }
-
- status = trust_forest_record_from_lsa(fti->records,
- &lftr2,
- ftr);
- TALLOC_FREE(frame);
- if (!NT_STATUS_IS_OK(status)) {
- TALLOC_FREE(fti);
- return status;
- }
- }
-
- *_fti = fti;
- return NT_STATUS_OK;
-}
-
-static NTSTATUS trust_forest_record_to_lsa(TALLOC_CTX *mem_ctx,
- const struct ForestTrustInfoRecord *ftr,
- struct lsa_ForestTrustRecord2 *lftr)
-{
- const struct ForestTrustString *str = NULL;
- struct lsa_StringLarge *lstr = NULL;
- const struct ForestTrustDataDomainInfo *info = NULL;
- struct lsa_ForestTrustDomainInfo *linfo = NULL;
- DATA_BLOB blob = { .length = 0, };
-
- lftr->flags = ftr->flags;
- lftr->time = ftr->timestamp;
-
- switch (ftr->type) {
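Review bot: the trust_forest_* code appears here only as a deletion (the changeset is truncated at 500 lines), so the new libcli/security/trust_forest_info.c copy listed in the summary (copy, 73%) cannot be checked against it from this mail; reviewers should diff the two files to confirm the move is verbatim apart from the dns_cmp.h and dom_sid.h includes dropped above and the samba-security-trusts split in wscript_build. One detail visible in the deleted code that must survive the move: trust_forest_record_lsa_resolve_binary() checks `blob.length < 5` before reading the sub_type byte at offset 4 and rejects `sub_type <= FOREST_TRUST_BINARY_DATA`; that length check is the only bounds guard on forest trust binary data received from a remote forest.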
--