--- /tmp/bronze-bit-samba-4.14-v5.patch 2021-10-28 10:27:49.221713977 +1300
+++ /tmp/bronze-bit-for-samba-4.13-v3.patch 2021-10-28 10:30:37.015885693 +1300
@@ -1,7 +1,389 @@ -From e195e1e8571980edcf6e5e4b8e6185f3ae92363b Mon Sep 17 00:00:00 2001 +From 04e98669c3e403669505922805ac9feb37b578b8 Mon Sep 17 00:00:00 2001 +From: David Mulder +Date: Mon, 14 Sep 2020 11:12:37 -0600 +Subject: [PATCH 001/162] python: Move dsdb_Dn to samdb + +The import dsdb needed for dsdb_Dn causes import +errors when trying to import get_bytes/get_string +in some places. + +Signed-off-by: David Mulder +Reviewed-by: Douglas Bagnall +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881 + +[abartlet@samba.org backported from commit 85d2ff2f0003b106ca84866b7e7893723f1dd93c + as the PY2 compat code is still in place in Samba 4.13] +--- + python/samba/common.py | 79 ------------------------- + python/samba/dbchecker.py | 2 +- + python/samba/kcc/kcc_utils.py | 2 +- + python/samba/kcc/ldif_import_export.py | 3 +- + python/samba/samdb.py | 75 +++++++++++++++++++++++ + python/samba/tests/common.py | 4 +- + source4/torture/drs/python/repl_rodc.py | 2 +- + 7 files changed, 81 insertions(+), 86 deletions(-) + +diff --git a/python/samba/common.py b/python/samba/common.py +index 8876e4f4faa..a8faa90065d 100644 +--- a/python/samba/common.py ++++ b/python/samba/common.py +@@ -16,13 +16,6 @@ + # along with this program. If not, see . 
+ # + +- +-import ldb +-from samba import dsdb +-from samba.ndr import ndr_pack +-from samba.dcerpc import misc +-import binascii +- + from samba.compat import PY3 + + +@@ -74,75 +67,3 @@ def normalise_int32(ivalue): + return str(ivalue) + + +-class dsdb_Dn(object): +- '''a class for binary DN''' +- +- def __init__(self, samdb, dnstring, syntax_oid=None): +- '''create a dsdb_Dn''' +- if syntax_oid is None: +- # auto-detect based on string +- if dnstring.startswith("B:"): +- syntax_oid = dsdb.DSDB_SYNTAX_BINARY_DN +- elif dnstring.startswith("S:"): +- syntax_oid = dsdb.DSDB_SYNTAX_STRING_DN +- else: +- syntax_oid = dsdb.DSDB_SYNTAX_OR_NAME +- if syntax_oid in [dsdb.DSDB_SYNTAX_BINARY_DN, dsdb.DSDB_SYNTAX_STRING_DN]: +- # it is a binary DN +- colons = dnstring.split(':') +- if len(colons) < 4: +- raise RuntimeError("Invalid DN %s" % dnstring) +- prefix_len = 4 + len(colons[1]) + int(colons[1]) +- self.prefix = dnstring[0:prefix_len] +- self.binary = self.prefix[3 + len(colons[1]):-1] +- self.dnstring = dnstring[prefix_len:] +- else: +- self.dnstring = dnstring +- self.prefix = '' +- self.binary = '' +- self.dn = ldb.Dn(samdb, self.dnstring) +- +- def __str__(self): +- return self.prefix + str(self.dn.extended_str(mode=1)) +- +- def __cmp__(self, other): +- ''' compare dsdb_Dn values similar to parsed_dn_compare()''' +- dn1 = self +- dn2 = other +- guid1 = dn1.dn.get_extended_component("GUID") +- guid2 = dn2.dn.get_extended_component("GUID") +- +- v = cmp(guid1, guid2) +- if v != 0: +- return v +- v = cmp(dn1.binary, dn2.binary) +- return v +- +- # In Python3, __cmp__ is replaced by these 6 methods +- def __eq__(self, other): +- return self.__cmp__(other) == 0 +- +- def __ne__(self, other): +- return self.__cmp__(other) != 0 +- +- def __lt__(self, other): +- return self.__cmp__(other) < 0 +- +- def __le__(self, other): +- return self.__cmp__(other) <= 0 +- +- def __gt__(self, other): +- return self.__cmp__(other) > 0 +- +- def __ge__(self, other): +- return 
self.__cmp__(other) >= 0 +- +- def get_binary_integer(self): +- '''return binary part of a dsdb_Dn as an integer, or None''' +- if self.prefix == '': +- return None +- return int(self.binary, 16) +- +- def get_bytes(self): +- '''return binary as a byte string''' +- return binascii.unhexlify(self.binary) +diff --git a/python/samba/dbchecker.py b/python/samba/dbchecker.py +index d12833d9390..0085b4a8515 100644 +--- a/python/samba/dbchecker.py ++++ b/python/samba/dbchecker.py +@@ -28,7 +28,7 @@ from samba.dcerpc import misc + from samba.dcerpc import drsuapi + from samba.ndr import ndr_unpack, ndr_pack + from samba.dcerpc import drsblobs +-from samba.common import dsdb_Dn ++from samba.samdb import dsdb_Dn + from samba.dcerpc import security + from samba.descriptor import get_wellknown_sds, get_diff_sds + from samba.auth import system_session, admin_session +diff --git a/python/samba/kcc/kcc_utils.py b/python/samba/kcc/kcc_utils.py +index e0712e49c82..9b4a894b743 100644 +--- a/python/samba/kcc/kcc_utils.py ++++ b/python/samba/kcc/kcc_utils.py +@@ -30,7 +30,7 @@ from samba.dcerpc import ( + drsuapi, + misc, + ) +-from samba.common import dsdb_Dn ++from samba.samdb import dsdb_Dn + from samba.ndr import ndr_unpack, ndr_pack + from collections import Counter + +diff --git a/python/samba/kcc/ldif_import_export.py b/python/samba/kcc/ldif_import_export.py +index 86453f1e5c9..7ec553edcb9 100644 +--- a/python/samba/kcc/ldif_import_export.py ++++ b/python/samba/kcc/ldif_import_export.py +@@ -23,8 +23,7 @@ import os + + from samba import Ldb, ldb, read_and_sub_file + from samba.auth import system_session +-from samba.samdb import SamDB +-from samba.common import dsdb_Dn ++from samba.samdb import SamDB, dsdb_Dn + + + class LdifError(Exception): +diff --git a/python/samba/samdb.py b/python/samba/samdb.py +index 36d668c4586..0c8880d5c75 100644 +--- a/python/samba/samdb.py ++++ b/python/samba/samdb.py +@@ -35,7 +35,9 @@ from samba.common import normalise_int32 + from samba.compat 
import text_type + from samba.compat import binary_type + from samba.compat import get_bytes ++from samba.common import cmp + from samba.dcerpc import security ++import binascii + + __docformat__ = "restructuredText" + +@@ -1422,3 +1424,76 @@ schemaUpdateNow: 1 + if not full_dn.is_child_of(domain_dn): + full_dn.add_base(domain_dn) + return full_dn ++ ++class dsdb_Dn(object): ++ '''a class for binary DN''' ++ ++ def __init__(self, samdb, dnstring, syntax_oid=None): ++ '''create a dsdb_Dn''' ++ if syntax_oid is None: ++ # auto-detect based on string ++ if dnstring.startswith("B:"): ++ syntax_oid = dsdb.DSDB_SYNTAX_BINARY_DN ++ elif dnstring.startswith("S:"): ++ syntax_oid = dsdb.DSDB_SYNTAX_STRING_DN ++ else: ++ syntax_oid = dsdb.DSDB_SYNTAX_OR_NAME ++ if syntax_oid in [dsdb.DSDB_SYNTAX_BINARY_DN, dsdb.DSDB_SYNTAX_STRING_DN]: ++ # it is a binary DN ++ colons = dnstring.split(':') ++ if len(colons) < 4: ++ raise RuntimeError("Invalid DN %s" % dnstring) ++ prefix_len = 4 + len(colons[1]) + int(colons[1]) ++ self.prefix = dnstring[0:prefix_len] ++ self.binary = self.prefix[3 + len(colons[1]):-1] ++ self.dnstring = dnstring[prefix_len:] ++ else: ++ self.dnstring = dnstring ++ self.prefix = '' ++ self.binary = '' ++ self.dn = ldb.Dn(samdb, self.dnstring) ++ ++ def __str__(self): ++ return self.prefix + str(self.dn.extended_str(mode=1)) ++ ++ def __cmp__(self, other): ++ ''' compare dsdb_Dn values similar to parsed_dn_compare()''' ++ dn1 = self ++ dn2 = other ++ guid1 = dn1.dn.get_extended_component("GUID") ++ guid2 = dn2.dn.get_extended_component("GUID") ++ ++ v = cmp(guid1, guid2) ++ if v != 0: ++ return v ++ v = cmp(dn1.binary, dn2.binary) ++ return v ++ ++ # In Python3, __cmp__ is replaced by these 6 methods ++ def __eq__(self, other): ++ return self.__cmp__(other) == 0 ++ ++ def __ne__(self, other): ++ return self.__cmp__(other) != 0 ++ ++ def __lt__(self, other): ++ return self.__cmp__(other) < 0 ++ ++ def __le__(self, other): ++ return self.__cmp__(other) <= 0 ++ ++ 
def __gt__(self, other): ++ return self.__cmp__(other) > 0 ++ ++ def __ge__(self, other): ++ return self.__cmp__(other) >= 0 ++ ++ def get_binary_integer(self): ++ '''return binary part of a dsdb_Dn as an integer, or None''' ++ if self.prefix == '': ++ return None ++ return int(self.binary, 16) ++ ++ def get_bytes(self): ++ '''return binary as a byte string''' ++ return binascii.unhexlify(self.binary) +diff --git a/python/samba/tests/common.py b/python/samba/tests/common.py +index d326f795f85..b7248b0826e 100644 +--- a/python/samba/tests/common.py ++++ b/python/samba/tests/common.py +@@ -20,8 +20,8 @@ + import samba + import os + import samba.tests +-from samba.common import normalise_int32, dsdb_Dn +-from samba.samdb import SamDB ++from samba.common import normalise_int32 ++from samba.samdb import SamDB, dsdb_Dn + + + class CommonTests(samba.tests.TestCaseInTempDir): +diff --git a/source4/torture/drs/python/repl_rodc.py b/source4/torture/drs/python/repl_rodc.py +index 166ba5ba5db..21e70b8bc6f 100644 +--- a/source4/torture/drs/python/repl_rodc.py ++++ b/source4/torture/drs/python/repl_rodc.py +@@ -37,7 +37,7 @@ from samba.join import DCJoinContext + from samba.dcerpc import drsuapi, misc, drsblobs, security + from samba.drs_utils import drs_DsBind, drs_Replicate + from samba.ndr import ndr_unpack, ndr_pack +-from samba.common import dsdb_Dn ++from samba.samdb import dsdb_Dn + from samba.credentials import Credentials + + import random +-- +2.25.1 + + +From 5e8db6412bd21808f1136899fcc79ca23b9f9434 Mon Sep 17 00:00:00 2001 +From: Douglas Bagnall +Date: Thu, 11 Oct 2018 13:08:38 +1300 +Subject: [PATCH 002/162] python/join: use the provided krbtgt link in + cleanup_old_accounts + +Before we were putting it in an otherwise unused variable, and +deleting the previous krbtgt_dn, if any. 
+ +Signed-off-by: Douglas Bagnall +Reviewed-by: Andreas Schneider +Reviewed-by: David Mulder +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881 +(cherry picked from commit 98f6ece5ad03a822180796873197383c17c3c6d9) +--- + python/samba/join.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/python/samba/join.py b/python/samba/join.py +index 7273f3734d3..a35cf1d9a38 100644 +--- a/python/samba/join.py ++++ b/python/samba/join.py +@@ -259,7 +259,7 @@ class DCJoinContext(object): + ctx.del_noerror(res[0].dn, recursive=True) + + if "msDS-Krbtgtlink" in res[0]: +- new_krbtgt_dn = res[0]["msDS-Krbtgtlink"][0] ++ ctx.new_krbtgt_dn = res[0]["msDS-Krbtgtlink"][0] + ctx.del_noerror(ctx.new_krbtgt_dn) + + res = ctx.samdb.search(base=ctx.samdb.get_default_basedn(), +-- +2.25.1 + + +From 34a8c411c41213870db5cfdb2d207277ac971ba6 Mon Sep 17 00:00:00 2001 +From: Andrew Bartlett +Date: Fri, 17 Sep 2021 16:43:00 +1200 +Subject: [PATCH 003/162] autobuild: allow AUTOBUILD_FAIL_IMMEDIATELY=0 (say + from a gitlab variable) + +This allows making a push to do a full test ignoring errors without +needing "HACK!!!" commits on top. 
+ +Use like this: + +git push -o ci.variable='AUTOBUILD_FAIL_IMMEDIATELY=0' + +RN: Samba CI runs can now continue past the first error if AUTOBUILD_FAIL_IMMEDIATELY=0 is set + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14841 +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881 + +Signed-off-by: Andrew Bartlett +Reviewed-by: Michael Adam + +[abartlet@samba.org backported from commit b81f6f3d71487085bb355392ce7f8eff2db5bb4d + due to changes in 4.15 and later for the autobuild dependent jobs work + that avoids rebuilding Samba in each task] + +Autobuild-User(v4-14-test): Jule Anger +Autobuild-Date(v4-14-test): Thu Sep 23 08:54:03 UTC 2021 on sn-devel-184 + +(cherry picked from commit f53c532c2292d07ab3374920bd83c1266663038e) +--- + script/autobuild.py | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/script/autobuild.py b/script/autobuild.py +index 0f837d0c109..9cfb4f520bc 100755 +--- a/script/autobuild.py ++++ b/script/autobuild.py +@@ -154,7 +154,6 @@ def format_option(name, value=None): + + def make_test( + cmd='make test', +- FAIL_IMMEDIATELY=1, + TESTS='', + include_envs=None, + exclude_envs=None): +@@ -169,7 +168,13 @@ def make_test( + TESTS = (TESTS + ' ' + ' '.join(test_options)).strip() + + _options = [] +- if FAIL_IMMEDIATELY: ++ ++ # Allow getting a full CI with ++ # git push -o ci.variable='AUTOBUILD_FAIL_IMMEDIATELY=0' ++ ++ FAIL_IMMEDIATELY = os.getenv("AUTOBUILD_FAIL_IMMEDIATELY", "1") ++ ++ if int(FAIL_IMMEDIATELY): + _options.append('FAIL_IMMEDIATELY=1') + if TESTS: + _options.append("TESTS='{}'".format(TESTS)) +-- +2.25.1 + + +From 28b33b5296db0da94bdbd2180af93116acbc7ddf Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Wed, 1 Sep 2021 15:39:19 +1200 -Subject: [PATCH 001/159] krb5pac.idl: Add ticket checksum PAC buffer type +Subject: [PATCH 004/162] krb5pac.idl: Add ticket checksum PAC buffer type Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett 
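Review bot: `dsdb_Dn.__init__`, as added to python/samba/samdb.py, parses the length field of a binary or string DN with `int(colons[1])` and never validates it: a non-numeric field escapes as a bare ValueError rather than the `RuntimeError("Invalid DN %s" % dnstring)` raised on the line before, and a negative or mismatched count silently slices `prefix`, `binary` and `dnstring` at the wrong offsets. The class is moved unchanged from common.py, so the commit does not introduce this, but I would reject a non-numeric or negative count with the same RuntimeError and add `if dnstring[prefix_len - 1:prefix_len] != ':': raise RuntimeError("Invalid DN %s" % dnstring)` once `prefix_len` is known. The script/autobuild.py patch in the same hunk has the same unguarded conversion: `int(FAIL_IMMEDIATELY)` raises on an empty or non-numeric AUTOBUILD_FAIL_IMMEDIATELY, which `if FAIL_IMMEDIATELY != "0":` would avoid. Only part of `make_test` is visible here, so callers that still pass the removed `FAIL_IMMEDIATELY` keyword cannot be checked from this page.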
@@ -38,10 +420,10 @@ 2.25.1 -From ca85c935655c243292eaeba06e303a5d906df09d Mon Sep 17 00:00:00 2001 +From 73592c7bcbee7e00d184b6c425544ac6527a32f7 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Wed, 1 Sep 2021 15:40:59 +1200 -Subject: [PATCH 002/159] security.idl: Add well-known SIDs for FAST +Subject: [PATCH 005/162] security.idl: Add well-known SIDs for FAST Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett @@ -53,10 +435,10 @@ 1 file changed, 3 insertions(+) diff --git a/librpc/idl/security.idl b/librpc/idl/security.idl -index 06bf7449a70..3df96dedbdd 100644 +index a92e8f1518e..9845becd826 100644 --- a/librpc/idl/security.idl +++ b/librpc/idl/security.idl -@@ -295,6 +295,9 @@ interface security +@@ -292,6 +292,9 @@ interface security const string SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY = "S-1-18-1"; const string SID_SERVICE_ASSERTED_IDENTITY = "S-1-18-2"; @@ -70,10 +452,10 @@ 2.25.1 -From 0b6008fdf60e3d77cad9eff00c45ddb153e720e4 Mon Sep 17 00:00:00 2001 +From 46c00bf7f6813525413968380fa9b41f50fe888b Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Wed, 1 Sep 2021 15:46:42 +1200 -Subject: [PATCH 003/159] tests/krb5: Calculate expected salt if not given +Subject: [PATCH 006/162] tests/krb5: Calculate expected salt if not given explicitly Signed-off-by: Joseph Sutton @@ -111,10 +493,10 @@ 2.25.1 -From 88e37a8ff8fcc2d2c48a284e42af72f91972150f Mon Sep 17 00:00:00 2001 +From cc84aeea6d616ef52c9849b9e614f94214151169 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Wed, 1 Sep 2021 15:50:26 +1200 -Subject: [PATCH 004/159] tests/krb5: Add methods to obtain the length of +Subject: [PATCH 007/162] tests/krb5: Add methods to obtain the length of checksum types Signed-off-by: Joseph Sutton @@ -127,7 +509,7 @@ 1 file changed, 26 insertions(+) diff --git a/python/samba/tests/krb5/kcrypto.py b/python/samba/tests/krb5/kcrypto.py -index ce7b00bda4c..4a4a12a66d4 100755 +index c861e3cc96e..2a72969de00 100755 --- a/python/samba/tests/krb5/kcrypto.py 
+++ b/python/samba/tests/krb5/kcrypto.py @@ -478,6 +478,7 @@ class _ChecksumProfile(object): @@ -209,10 +591,10 @@ 2.25.1 -From e32eba62e59cb11234408fb0878688658aad5026 Mon Sep 17 00:00:00 2001 +From 83381c7e903def4b7f74ae23bca940de82e152df Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Wed, 1 Sep 2021 15:57:26 +1200 -Subject: [PATCH 005/159] tests/krb5: Use signed integers to represent key +Subject: [PATCH 008/162] tests/krb5: Use signed integers to represent key version numbers in ASN.1 As specified in 'MS-KILE 3.1.5.8: Key Version Numbers', Windows uses @@ -274,10 +656,10 @@ 2.25.1 -From ed0c2617186d4f2bd1ef709b0f11c0005d112413 Mon Sep 17 00:00:00 2001 +From 3935e1befe3e22abf21b715f5adbeb94a9bab5e3 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Wed, 1 Sep 2021 16:05:39 +1200 -Subject: [PATCH 006/159] tests/krb5: Add KDCOptions flag for constrained +Subject: [PATCH 009/162] tests/krb5: Add KDCOptions flag for constrained delegation Signed-off-by: Joseph Sutton @@ -318,10 +700,10 @@ 2.25.1 -From 9b856ae2c84fb642ac0c0676175e6067c20d08d9 Mon Sep 17 00:00:00 2001 +From e6387afe91c35f9ab864dc72c0c32d4bb2f355bf Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Wed, 1 Sep 2021 16:21:55 +1200 -Subject: [PATCH 007/159] tests/krb5: Use more compact dict lookup +Subject: [PATCH 010/162] tests/krb5: Use more compact dict lookup Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett @@ -367,10 +749,10 @@ 2.25.1 -From 0d1703f344daf86e6914728014ba6b9c5fb4040b Mon Sep 17 00:00:00 2001 +From 344dd742659be6bccac281a53798dacf6b60a096 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Wed, 1 Sep 2021 16:31:56 +1200 -Subject: [PATCH 008/159] tests/krb5: Replace expected_cname_private with +Subject: [PATCH 011/162] tests/krb5: Replace expected_cname_private with expected_anon parameter This is used in the case where the KDC returns 'WELLKNOWN/ANONYMOUS' as 
@@ -608,10 +990,10 @@ 2.25.1 -From 0b1c12cac5d6ec0cd87e8d04843ebc717cb33870 Mon Sep 17 00:00:00 2001 +From 092a1939d7ccc498a078f942a619ea1e235392cc Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Wed, 1 Sep 2021 16:34:02 +1200 -Subject: [PATCH 009/159] tests/krb5: Allow specifying an OU to create accounts +Subject: [PATCH 012/162] tests/krb5: Allow specifying an OU to create accounts in Signed-off-by: Joseph Sutton @@ -650,10 +1032,10 @@ 2.25.1 -From 452a870aba4aaf5fb4eb32faa9b1ba129910e85e Mon Sep 17 00:00:00 2001 +From 90da0f10baa817f4e89015a4e899cd36617bbf41 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Wed, 1 Sep 2021 16:34:46 +1200 -Subject: [PATCH 010/159] tests/krb5: Allow specifying additional User Account +Subject: [PATCH 013/162] tests/krb5: Allow specifying additional User Account Control flags for account Signed-off-by: Joseph Sutton @@ -705,10 +1087,10 @@ 2.25.1 -From 3c2388566f21a640aebb9cf662026b1b1f70505f Mon Sep 17 00:00:00 2001 +From d8997d65476d8f9789e29d31adf7fcdf285af2ce Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Wed, 1 Sep 2021 16:35:58 +1200 -Subject: [PATCH 011/159] tests/krb5: Keep track of account DN in credentials +Subject: [PATCH 014/162] tests/krb5: Keep track of account DN in credentials object Signed-off-by: Joseph Sutton @@ -771,10 +1153,10 @@ 2.25.1 -From 08f7c62550d3fd45e3e067437cf35f67a32ea6c6 Mon Sep 17 00:00:00 2001 +From 2a564b93de1ec94d4988e718afdb87f4fed56461 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Thu, 2 Sep 2021 14:27:00 +1200 -Subject: [PATCH 012/159] tests/krb5: Move padata generation methods to base +Subject: [PATCH 015/162] tests/krb5: Move padata generation methods to base class This allows them to be used directly from RawKerberosTest. @@ -849,10 +1231,10 @@ 2.25.1 -From 78407dac18d71204f1b2d3b1a734dfff92be24cc Mon Sep 17 00:00:00 2001 +From c54a7c5877cdba3d7025962e7b8fb49ebe0f5d67 Mon Sep 17 00:00:00 2001 
From: Joseph Sutton Date: Thu, 2 Sep 2021 14:36:42 +1200 -Subject: [PATCH 013/159] tests/krb5: add options to kdc_exchange_dict to +Subject: [PATCH 016/162] tests/krb5: add options to kdc_exchange_dict to specify including PAC-REQUEST or PAC-OPTIONS Signed-off-by: Joseph Sutton @@ -982,10 +1364,10 @@ 2.25.1 -From 9af5f1bb152b716f786a26948970d794988ff1a4 Mon Sep 17 00:00:00 2001 +From 97d0e46aecb9eab71a68201082f2d10a592e02b9 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Thu, 2 Sep 2021 14:37:27 +1200 -Subject: [PATCH 014/159] tests/krb5: Don't create PAC request manually in +Subject: [PATCH 017/162] tests/krb5: Don't create PAC request manually in as_req_tests Signed-off-by: Joseph Sutton @@ -1100,10 +1482,10 @@ 2.25.1 -From d4e20807271e4d220576ecb9c8f9181f5239f03f Mon Sep 17 00:00:00 2001 +From 1c57d81052e892de4c27814180cd0c2df2cee5d8 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Thu, 2 Sep 2021 14:38:33 +1200 -Subject: [PATCH 015/159] tests/krb5: Don't create PAC request or options +Subject: [PATCH 018/162] tests/krb5: Don't create PAC request or options manually in fast_tests Signed-off-by: Joseph Sutton @@ -1192,10 +1574,10 @@ 2.25.1 -From 1c4fe313794c2714fb6c788d669540a666fc7415 Mon Sep 17 00:00:00 2001 +From 93457cced299ddaadfe44bd0c5f64e6d45e3f4b3 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Wed, 1 Sep 2021 17:46:02 +1200 -Subject: [PATCH 016/159] tests/krb5: Remove magic constants +Subject: [PATCH 019/162] tests/krb5: Remove magic constants Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett @@ -1237,10 +1619,10 @@ 2.25.1 -From c4b81188694c96d94ab1a8454a2cb4b145b6da8a Mon Sep 17 00:00:00 2001 +From 444ed2e7b19e7280f59f39aec220bccdaaec0664 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Wed, 1 Sep 2021 19:13:11 +1200 -Subject: [PATCH 017/159] tests/krb5: Allow specifying ticket flags expected to +Subject: [PATCH 020/162] tests/krb5: Allow specifying ticket flags expected to be set or reset Signed-off-by: Joseph Sutton 
@@ -1407,10 +1789,10 @@ 2.25.1 -From 4cf6730703b4cf98366b24fbf109e2b9eedd23ea Mon Sep 17 00:00:00 2001 +From e151496f35eb717da78fa0c079a23259d6c0938f Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Wed, 1 Sep 2021 19:15:17 +1200 -Subject: [PATCH 018/159] tests/krb5: Make time assertion less strict +Subject: [PATCH 021/162] tests/krb5: Make time assertion less strict This assertion could fail if there was a time difference between the KDC and the client. @@ -1441,10 +1823,10 @@ 2.25.1 -From a5cfaf79ee4344bd20544a8298cb5aba9cbdcfe6 Mon Sep 17 00:00:00 2001 +From 182015f34f16f018d5357479fa5d02752f70c832 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Wed, 1 Sep 2021 19:34:20 +1200 -Subject: [PATCH 019/159] tests/krb5: Allow Kerberos requests to be sent to DC +Subject: [PATCH 022/162] tests/krb5: Allow Kerberos requests to be sent to DC or RODC If run inside the 'rodc' testing environment, 'DC_SERVER' and 'SERVER' @@ -1602,10 +1984,10 @@ 2.25.1 -From d39c7bc563486e4cdb0b93cba16be3037fa916f4 Mon Sep 17 00:00:00 2001 +From 4b1a967f53550d9ebad219e582567dd01cdbfe2b Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Wed, 1 Sep 2021 19:43:41 +1200 -Subject: [PATCH 020/159] tests/krb5: Check for presence of 'renew-till' +Subject: [PATCH 023/162] tests/krb5: Check for presence of 'renew-till' element Signed-off-by: Joseph Sutton @@ -1661,10 +2043,10 @@ 2.25.1 -From c20a5a1c9a2470946db2f76aff10775b07a8d2a7 Mon Sep 17 00:00:00 2001 +From 630d758134787c37097e9a10a1e6de219637b267 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Wed, 1 Sep 2021 19:45:57 +1200 -Subject: [PATCH 021/159] tests/krb5: Check 'caddr' element +Subject: [PATCH 024/162] tests/krb5: Check 'caddr' element Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett @@ -1703,10 +2085,10 @@ 2.25.1 -From 10cf7df564cd14ae98cc6d357ffae783ad732d6a Mon Sep 17 00:00:00 2001 +From 97ecd7fb8cc74c2040b0dfd0692e30ee1063744d Mon Sep 17 00:00:00 2001 
From: Joseph Sutton Date: Wed, 1 Sep 2021 19:47:27 +1200 -Subject: [PATCH 022/159] tests/krb5: Check for presence of 'key-expiration' +Subject: [PATCH 025/162] tests/krb5: Check for presence of 'key-expiration' element Signed-off-by: Joseph Sutton @@ -1751,10 +2133,10 @@ 2.25.1 -From 97931026fa0bd052e243eb7b2415cd09985c50b5 Mon Sep 17 00:00:00 2001 +From 2124821d5c3c770034aaa3522eee50ef38617849 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Fri, 3 Sep 2021 09:18:32 +1200 -Subject: [PATCH 023/159] tests/krb5: Create testing accounts in appropriate +Subject: [PATCH 026/162] tests/krb5: Create testing accounts in appropriate containers Signed-off-by: Joseph Sutton @@ -1799,10 +2181,10 @@ 2.25.1 -From 2f177f9c43f77595221f80e3b023d7e0e8caabf7 Mon Sep 17 00:00:00 2001 +From 92afc8bdbe96ea9887515c1aa0bc8a4951292bec Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Wed, 1 Sep 2021 19:26:43 +1200 -Subject: [PATCH 024/159] tests/krb5: Allow specifying status code to be +Subject: [PATCH 027/162] tests/krb5: Allow specifying status code to be checked This allows us to check the status code that may be sent in an error @@ -1872,10 +2254,10 @@ 2.25.1 -From 4365b3ed5f800f16ffaf3060cf2f74a6c561d7a2 Mon Sep 17 00:00:00 2001 +From f02fe473129462610159e5f18943f5fe61eeaf42 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Fri, 3 Sep 2021 09:40:02 +1200 -Subject: [PATCH 025/159] tests/krb5: Get expected cname from TGT for TGS-REQ +Subject: [PATCH 028/162] tests/krb5: Get expected cname from TGT for TGS-REQ messages BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 @@ -1931,10 +2313,10 @@ 2.25.1 -From a69fe59d1ca93f35743c332ce3c18e1f86a82bce Mon Sep 17 00:00:00 2001 +From cd8a71d62d73e438a794d9154a1c79cecd696730 Mon Sep 17 00:00:00 2001 
From: Joseph Sutton Date: Fri, 3 Sep 2021 09:55:10 +1200 -Subject: [PATCH 026/159] tests/krb5: Get encpart decryption key from +Subject: [PATCH 029/162] tests/krb5: Get encpart decryption key from kdc_exchange_dict Instead of using check_padata_fn to get the encpart decryption key, we @@ -2245,10 +2627,10 @@ 2.25.1 -From ecfa294660f93327cadce74b1061299631a43b8a Mon Sep 17 00:00:00 2001 +From 8799fd322a9f4127504ead5d8dc79aae0bdb923d Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Fri, 3 Sep 2021 15:36:24 +1200 -Subject: [PATCH 027/159] tests/krb5: Add get_cached_creds() method to create +Subject: [PATCH 030/162] tests/krb5: Add get_cached_creds() method to create persistent accounts for testing BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 @@ -2524,10 +2906,10 @@ 2.25.1 -From 9451573c242bb6fbc28ad128332de5f3467db34b Mon Sep 17 00:00:00 2001 +From 73990804097d4efdca751e91cc3213bf6d5be0df Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Wed, 8 Sep 2021 11:28:52 +1200 -Subject: [PATCH 028/159] tests/krb5: Generate padata for FAST tests +Subject: [PATCH 031/162] tests/krb5: Generate padata for FAST tests This gives us access to parameters of kdc_exchange_dict and enables us to simplify the logic. @@ -2697,10 +3079,10 @@ 2.25.1 -From b69f9a907388949473c8f6161e797781a8b6ed02 Mon Sep 17 00:00:00 2001 +From da9144b8aaa815ee60b8e9ffdef599cca53e8e68 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Mon, 13 Sep 2021 21:14:18 +1200 -Subject: [PATCH 029/159] tests/krb5: Sign-extend kvno from 32-bit integer +Subject: [PATCH 032/162] tests/krb5: Sign-extend kvno from 32-bit integer This helps to avoid problems with RODC kvnos that have the high bit set. @@ -2733,10 +3115,10 @@ 2.25.1 -From 56a8d5cc38e842b5f1070c0baf44dfb8b755136c Mon Sep 17 00:00:00 2001 +From 53c3d8ebc0c13d19fe64d846614c0e22ae207bb3 Mon Sep 17 00:00:00 2001 
From: Joseph Sutton Date: Mon, 13 Sep 2021 20:20:23 +1200 -Subject: [PATCH 030/159] tests/krb5: Add method to get RODC krbtgt credentials +Subject: [PATCH 033/162] tests/krb5: Add method to get RODC krbtgt credentials BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881 @@ -2852,10 +3234,10 @@ 2.25.1 -From accdbf65bc4d5b593cd47573e04bac93952c7d1a Mon Sep 17 00:00:00 2001 +From 5dc89d29003bfa015a4bbedca1ac5c4f90256db7 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Mon, 13 Sep 2021 20:58:01 +1200 -Subject: [PATCH 031/159] tests/krb5: Add get_secrets() method to get the +Subject: [PATCH 034/162] tests/krb5: Add get_secrets() method to get the secret attributes of a DN BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 @@ -2932,10 +3314,10 @@ 2.25.1 -From dc54b53b9e88101ea682092567578ddeefe847c9 Mon Sep 17 00:00:00 2001 +From 1d552860666e676e4615ca063e11cefa70a3ae4a Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Mon, 13 Sep 2021 22:13:24 +1200 -Subject: [PATCH 032/159] tests/krb5: Allow replicating accounts to the RODC +Subject: [PATCH 035/162] tests/krb5: Allow replicating accounts to the RODC BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881 @@ -3167,10 +3549,10 @@ 2.25.1 -From 168c655af8cad05e036e72dd7d577d87922d0ffd Mon Sep 17 00:00:00 2001 +From 2a6990948b7d5efafc14bdc11751002c0a7f2e51 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Mon, 13 Sep 2021 21:24:05 +1200 -Subject: [PATCH 033/159] tests/krb5: Create RODC account for testing +Subject: [PATCH 036/162] tests/krb5: Create RODC account for testing BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881 @@ -3349,10 +3731,10 @@ 2.25.1 -From df0700ab8f6745474d8185451b7cab9815632de8 Mon Sep 17 00:00:00 2001 +From c6f6b2a5872d955fd691d0fea483918425d7cf82 Mon Sep 17 00:00:00 2001 
From: Joseph Sutton Date: Mon, 13 Sep 2021 21:24:31 +1200 -Subject: [PATCH 034/159] tests/krb5: Allow replicating accounts to the created +Subject: [PATCH 037/162] tests/krb5: Allow replicating accounts to the created RODC BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 @@ -3456,10 +3838,10 @@ 2.25.1 -From 01afea2d97b889a7acf1cc20ab1ffddf8423c4f8 Mon Sep 17 00:00:00 2001 +From 8ee93e08f1c8c373fccef67bcf161b11376c050c Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Wed, 1 Sep 2021 15:42:28 +1200 -Subject: [PATCH 035/159] python: Don't leak file handles +Subject: [PATCH 038/162] python: Don't leak file handles Signed-off-by: Joseph Sutton Reviewed-by: Noel Power @@ -3473,10 +3855,10 @@ 3 files changed, 17 insertions(+), 10 deletions(-) diff --git a/python/samba/__init__.py b/python/samba/__init__.py -index fa047a813e2..b4d141e95c1 100644 +index d851bf3606c..e87e9c1b371 100644 --- a/python/samba/__init__.py +++ b/python/samba/__init__.py -@@ -217,7 +217,8 @@ class Ldb(_Ldb): +@@ -218,7 +218,8 @@ class Ldb(_Ldb): :param ldif_path: Path to LDIF file. """ @@ -3486,7 +3868,7 @@ def add_ldif(self, ldif, controls=None): """Add data based on a LDIF string. -@@ -279,10 +280,11 @@ def read_and_sub_file(file_name, subst_vars): +@@ -280,10 +281,11 @@ def read_and_sub_file(file_name, subst_vars): :param file_name: File to be read (typically from setup directory) param subst_vars: Optional variables to subsitute in the file. """ @@ -3503,10 +3885,10 @@ diff --git a/python/samba/ms_schema.py b/python/samba/ms_schema.py -index 4b5c4a5df83..b26bbfd4fbd 100644 +index 4946636cbd4..09dfbdde0f7 100644 --- a/python/samba/ms_schema.py +++ b/python/samba/ms_schema.py -@@ -295,9 +295,9 @@ def __parse_schema_file(filename, objectClass): +@@ -296,9 +296,9 @@ def __parse_schema_file(filename, objectClass): out = [] from io import open @@ -3520,7 +3902,7 @@ return "\n\n".join(out) 
diff --git a/python/samba/schema.py b/python/samba/schema.py -index 54fc9fc3125..a3adc162fa3 100644 +index caea7e358ae..083af5f44b0 100644 --- a/python/samba/schema.py +++ b/python/samba/schema.py @@ -110,8 +110,13 @@ class Schema(object): @@ -3551,10 +3933,10 @@ 2.25.1 -From 441d25f8b9b476219da132462f60829599d088da Mon Sep 17 00:00:00 2001 +From 8412926574b6a1b96aa8f9f5098e5c2e30f8be22 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Fri, 10 Sep 2021 14:02:22 +1200 -Subject: [PATCH 036/159] python/join: Check for correct msDS-KrbTgtLink +Subject: [PATCH 039/162] python/join: Check for correct msDS-KrbTgtLink attribute Previously, the wrong case was used when checking for this attribute, @@ -3570,10 +3952,10 @@ 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/python/samba/join.py b/python/samba/join.py -index 59de000a401..79030cdfd29 100644 +index a35cf1d9a38..a512e18c226 100644 --- a/python/samba/join.py +++ b/python/samba/join.py -@@ -257,8 +257,9 @@ class DCJoinContext(object): +@@ -258,8 +258,9 @@ class DCJoinContext(object): ctx.del_noerror(res[0].dn, recursive=True) @@ -3585,7 +3967,7 @@ ctx.del_noerror(ctx.new_krbtgt_dn) res = ctx.samdb.search(base=ctx.samdb.get_default_basedn(), -@@ -337,7 +338,7 @@ class DCJoinContext(object): +@@ -338,7 +339,7 @@ class DCJoinContext(object): attrs=["msDS-krbTgtLink", "userAccountControl", "serverReferenceBL", "rIDSetReferences"]) if len(res) == 0: raise Exception("Could not find domain member account '%s' to promote to a DC, use 'samba-tool domain join' instead'" % ctx.samname) @@ -3598,10 +3980,10 @@ 2.25.1 -From cd40da7187413f65243d9ce55a1f5528e1db0acd Mon Sep 17 00:00:00 2001 +From 5c402a5bee9b888ae158e855e2e304a251587879 Mon Sep 17 00:00:00 2001 
From: Joseph Sutton Date: Wed, 15 Sep 2021 20:56:28 +1200 -Subject: [PATCH 037/159] tests/krb5: Add helper method for modifying PACs +Subject: [PATCH 040/162] tests/krb5: Add helper method for modifying PACs This method can remove or replace a PAC in an authorization-data container, while additionally returning the original PAC. @@ -3684,10 +4066,10 @@ 2.25.1 -From c3bf406346995b1f192caf7fa0b0aa1c90ccf1b4 Mon Sep 17 00:00:00 2001 +From 8d23815be4dcebfb11acfe748e039c09717316e2 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Thu, 16 Sep 2021 11:22:28 +1200 -Subject: [PATCH 038/159] tests/krb5: Check correct flags element +Subject: [PATCH 041/162] tests/krb5: Check correct flags element BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881 @@ -3717,10 +4099,10 @@ 2.25.1 -From cf6b4d369bf9479e6c7586559b489e8b73cdaa6f Mon Sep 17 00:00:00 2001 +From b84a6daba10fb74bbdc4fed28390ba3a63f2e782 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Thu, 16 Sep 2021 11:13:09 +1200 -Subject: [PATCH 039/159] tests/krb5: Refactor tgs_req() to use +Subject: [PATCH 042/162] tests/krb5: Refactor tgs_req() to use _generic_kdc_exchange BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 @@ -3878,10 +4260,10 @@ self.assertElementEqual(ticket_encpart, 'etype', ticket_decryption_key.etype) diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py -index a3f9478059f..c83136d6421 100755 +index d7fedde94a0..423f48b6921 100755 --- a/source4/selftest/tests.py +++ b/source4/selftest/tests.py -@@ -822,22 +822,26 @@ planoldpythontestsuite("fl2008r2dc:local", "samba.tests.krb5.xrealm_tests") +@@ -800,22 +800,26 @@ planoldpythontestsuite("fl2008r2dc:local", "samba.tests.krb5.xrealm_tests") planoldpythontestsuite("ad_dc_default", "samba.tests.krb5.test_ccache", environ={ 'ADMIN_USERNAME': '$USERNAME', 
@@ -3912,7 +4294,7 @@ }) for env in ["ad_dc", smbv1_disabled_testenv]: -@@ -1427,7 +1431,8 @@ planpythontestsuite( +@@ -1393,7 +1397,8 @@ planpythontestsuite( "samba.tests.krb5.kdc_tgs_tests", environ={ 'ADMIN_USERNAME': '$USERNAME', @@ -3922,7 +4304,7 @@ }) planpythontestsuite( "ad_dc", -@@ -1442,7 +1447,8 @@ planpythontestsuite( +@@ -1408,7 +1413,8 @@ planpythontestsuite( "samba.tests.krb5.ms_kile_client_principal_lookup_tests", environ={ 'ADMIN_USERNAME': '$USERNAME', @@ -3936,10 +4318,10 @@ 2.25.1 -From 1e9b10c884f112b694747fdb6cbb4584b6f7cf33 Mon Sep 17 00:00:00 2001 +From 798f109408745d283c4866af3b66e59793d4c4d2 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Thu, 16 Sep 2021 11:16:27 +1200 -Subject: [PATCH 040/159] tests/krb5: Allow tgs_req() to send additional padata +Subject: [PATCH 043/162] tests/krb5: Allow tgs_req() to send additional padata BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881 @@ -3990,10 +4372,10 @@ 2.25.1 -From 2de925001c1b64237512260da5fca88684428cd2 Mon Sep 17 00:00:00 2001 +From 9660069aaf6e348b09580a041f6e4262fc9e314a Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Thu, 16 Sep 2021 11:18:12 +1200 -Subject: [PATCH 041/159] tests/krb5: Allow tgs_req() to specify different +Subject: [PATCH 044/162] tests/krb5: Allow tgs_req() to specify different kdc-options BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 @@ -4030,10 +4412,10 @@ 2.25.1 -From 1f80e9cfd2430da7f36b2b895e44640895e16ccd Mon Sep 17 00:00:00 2001 +From 5b69a82fc2c0f2cd9f23347c62a325707a669fdf Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Thu, 16 Sep 2021 11:25:01 +1200 -Subject: [PATCH 042/159] tests/krb5: Allow tgs_req() to send requests to the +Subject: [PATCH 045/162] tests/krb5: Allow tgs_req() to send requests to the RODC BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 
@@ -4075,10 +4457,10 @@ 2.25.1 -From 1ffcbe53ad098d461b89ff97e32ad25f4f385e06 Mon Sep 17 00:00:00 2001 +From 8990895caffb47bf687b91e3f61b43c575cd863f Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Thu, 16 Sep 2021 11:52:46 +1200 -Subject: [PATCH 043/159] tests/krb5: Allow as_req() to specify different +Subject: [PATCH 046/162] tests/krb5: Allow as_req() to specify different kdc-options BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 @@ -4114,10 +4496,10 @@ 2.25.1 -From 7ce1a2b4c2b02464c173e457d6b2db269c1aeee9 Mon Sep 17 00:00:00 2001 +From ef63d78c29d064a0d0bfffe7c697bed7265c9461 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Thu, 16 Sep 2021 12:06:51 +1200 -Subject: [PATCH 044/159] tests/krb5: Use PAC buffer type constants from +Subject: [PATCH 047/162] tests/krb5: Use PAC buffer type constants from krb5pac.idl BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 @@ -4172,10 +4554,10 @@ 2.25.1 -From fa0b1a18bfef07791dd99da888306d849efd7edf Mon Sep 17 00:00:00 2001 +From c5b5795c78b235c087de70197dc77e9f29baee54 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Thu, 16 Sep 2021 12:13:51 +1200 -Subject: [PATCH 045/159] tests/krb5: Don't manually create PAC request and +Subject: [PATCH 048/162] tests/krb5: Don't manually create PAC request and options in fast_tests BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 @@ -4261,10 +4643,10 @@ 2.25.1 -From 253a50feb5010763447379c75622c16869755b51 Mon Sep 17 00:00:00 2001 +From ed0073172c10b466f78c6eca637fac6e0b106cf6 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Thu, 16 Sep 2021 12:19:28 +1200 -Subject: [PATCH 046/159] tests/krb5: Set DN of created accounts to ldb.Dn type +Subject: [PATCH 049/162] tests/krb5: Set DN of created accounts to ldb.Dn type BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881 
@@ -4334,10 +4716,10 @@ 2.25.1 -From 6bbb01604740dc47ba906d8dc45dbe297ea6e4c3 Mon Sep 17 00:00:00 2001 +From 87c03f9d02c70382ebd63c0b78554dbdc593cc5e Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Thu, 16 Sep 2021 12:38:38 +1200 -Subject: [PATCH 047/159] tests/krb5: Allow get_service_ticket() to get tickets +Subject: [PATCH 050/162] tests/krb5: Allow get_service_ticket() to get tickets from the RODC BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 @@ -4377,10 +4759,10 @@ 2.25.1 -From ffb969da6e58d03f667d60a93ae0764d3246a4c3 Mon Sep 17 00:00:00 2001 +From c7830f775c2fa4f8bf57020f698d67486b9c342e Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Thu, 16 Sep 2021 12:41:46 +1200 -Subject: [PATCH 048/159] tests/krb5: Allow get_tgt() to get tickets from the +Subject: [PATCH 051/162] tests/krb5: Allow get_tgt() to get tickets from the RODC BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 @@ -4443,10 +4825,10 @@ 2.25.1 -From e1651b016c79b6f16ebb002a22e6327895fe206a Mon Sep 17 00:00:00 2001 +From b1e9a0d2d881e3b17535da39041352ed2522d238 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Thu, 16 Sep 2021 13:14:06 +1200 -Subject: [PATCH 049/159] tests/krb5: Allow get_tgt() to specify different +Subject: [PATCH 052/162] tests/krb5: Allow get_tgt() to specify different kdc-options BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 @@ -4492,10 +4874,10 @@ 2.25.1 -From 2b9e63cca00a3cf1a8c568ba2c92f1554a459017 Mon Sep 17 00:00:00 2001 +From adb99fa3f3cb2a5746b92c231a0cc9fd86dcf0e7 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Thu, 16 Sep 2021 13:14:45 +1200 -Subject: [PATCH 050/159] tests/krb5: Allow get_tgt() to specify expected and +Subject: [PATCH 053/162] tests/krb5: Allow get_tgt() to specify expected and unexpected flags BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 @@ -4536,10 +4918,10 @@ 2.25.1 -From 3c8751165de2de474496ff5d0cd462102ecbbe98 Mon Sep 17 00:00:00 2001 +From 9a4def4de24fb5e6c6b4daa4c6d8097c3a388884 Mon Sep 17 00:00:00 2001 
From: Joseph Sutton Date: Thu, 16 Sep 2021 13:24:46 +1200 -Subject: [PATCH 051/159] tests/krb5: Move get_tgt() and get_service_ticket() +Subject: [PATCH 054/162] tests/krb5: Move get_tgt() and get_service_ticket() to kdc_base_test BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 @@ -4872,10 +5254,10 @@ 2.25.1 -From f07f057d16d462a6824f7eb7d0ec6a4cc23937ec Mon Sep 17 00:00:00 2001 +From f8c07893d33fe3ec4d4dc6fe777ebf6f6bc7cdd7 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Tue, 21 Sep 2021 11:51:05 +1200 -Subject: [PATCH 052/159] tests/krb5: Return encpart from get_tgt() as part of +Subject: [PATCH 055/162] tests/krb5: Return encpart from get_tgt() as part of KerberosTicketCreds The encpart is already contained in ticket_creds, so it no longer needs @@ -4960,10 +5342,10 @@ 2.25.1 -From 97c1f50ab88bd80d009c8c4e92697d9ad0cb2d8e Mon Sep 17 00:00:00 2001 +From 0ea7045df10e52e8c8517b708c87ced4f5fa79e0 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Tue, 21 Sep 2021 11:51:20 +1200 -Subject: [PATCH 053/159] tests/krb5: Cache obtained tickets +Subject: [PATCH 056/162] tests/krb5: Cache obtained tickets Now tickets obtained with get_tgt() and get_service_ticket() make use of a cache so they can be reused, unless the 'fresh' parameter is specified @@ -5049,10 +5431,10 @@ 2.25.1 -From 9fd4feacc9e9b35b7f6fca69bc5206c2ee21ee3b Mon Sep 17 00:00:00 2001 +From 48c23938fe62ea370fb0f0f6b1c76ac52bbabc9b Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Thu, 16 Sep 2021 16:54:57 +1200 -Subject: [PATCH 054/159] tests/krb5: Add methods for creating zeroed checksums +Subject: [PATCH 057/162] tests/krb5: Add methods for creating zeroed checksums and verifying checksums Creating a zeroed checksum is needed for signing a PAC. @@ -5106,10 +5488,10 @@ 2.25.1 -From 58347c25364de6c3795b797c99aa5cb0960c69d1 Mon Sep 17 00:00:00 2001 +From 65051b32d3e60811356c79e4a278dbe505ff0e45 Mon Sep 17 00:00:00 2001 
From: Joseph Sutton Date: Thu, 16 Sep 2021 17:20:22 +1200 -Subject: [PATCH 055/159] tests/krb5: Add RodcPacEncryptionKey type allowing +Subject: [PATCH 058/162] tests/krb5: Add RodcPacEncryptionKey type allowing for RODC PAC signatures Signatures created by an RODC have an RODCIdentifier appended to them @@ -5209,10 +5591,10 @@ 2.25.1 -From 5cfcba51d0251f4410e65440d7c28fae8b2a5270 Mon Sep 17 00:00:00 2001 +From 69aa2a144d60386d8dd58bd7d11938e44685468c Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Fri, 17 Sep 2021 14:56:51 +1200 -Subject: [PATCH 056/159] tests/krb5: Add method to verify ticket PAC checksums +Subject: [PATCH 059/162] tests/krb5: Add method to verify ticket PAC checksums BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881 @@ -5379,10 +5761,10 @@ 2.25.1 -From 79800968075d3cd3517e4bbf5811b2e31b536950 Mon Sep 17 00:00:00 2001 +From b4a53aa05365791db98a28e5784f2e4e26581293 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Fri, 17 Sep 2021 15:26:12 +1200 -Subject: [PATCH 057/159] tests/krb5: Add method for modifying a ticket and +Subject: [PATCH 060/162] tests/krb5: Add method for modifying a ticket and creating PAC checksums BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 @@ -5644,10 +6026,10 @@ 2.25.1 -From 717714f91b1eb1bb76f674fd005353ee2f35be39 Mon Sep 17 00:00:00 2001 +From 8f426d28cfeb8f2171d73a0d646dd6a454322f8e Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Tue, 21 Sep 2021 13:33:16 +1200 -Subject: [PATCH 058/159] tests/krb5: Simplify adding authdata to ticket by +Subject: [PATCH 061/162] tests/krb5: Simplify adding authdata to ticket by using modified_ticket() BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 @@ -5762,10 +6144,10 @@ 2.25.1 -From 55b266f2f571ec6455fe4739b5ff7bf5e59fccff Mon Sep 17 00:00:00 2001 +From a80e22b7cbea4e3c99abc33ab331416077cd1003 Mon Sep 17 00:00:00 2001 
From: Joseph Sutton Date: Tue, 21 Sep 2021 17:01:12 +1200 -Subject: [PATCH 059/159] tests/krb5: Make get_default_enctypes() return a set +Subject: [PATCH 062/162] tests/krb5: Make get_default_enctypes() return a set of enctype constants This is often more convenient than a bitfield. @@ -5817,10 +6199,10 @@ 2.25.1 -From e3fa88c1c19beb1ff93ce76f46117d6b3b971d5d Mon Sep 17 00:00:00 2001 +From 1f19c94165cd424e19ec77cd6ad32eae21f7332c Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Tue, 21 Sep 2021 21:01:46 +1200 -Subject: [PATCH 060/159] tests/krb5: Add methods to convert between enctypes +Subject: [PATCH 063/162] tests/krb5: Add methods to convert between enctypes and bitfields These methods are useful for converting a collection of encryption types @@ -5937,10 +6319,10 @@ 2.25.1 -From d4114c295fecd0fe07fca34213f945fd25a4b064 Mon Sep 17 00:00:00 2001 +From a2614f8fa385f00cf6e8b1edf8cc4983d37d90b6 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Tue, 21 Sep 2021 17:10:49 +1200 -Subject: [PATCH 061/159] tests/krb5: Get supported enctypes for credentials +Subject: [PATCH 064/162] tests/krb5: Get supported enctypes for credentials from database Look up the account's msDS-SupportedEncryptionTypes attribute to get the @@ -6099,10 +6481,10 @@ 2.25.1 -From 838f74345f309efc0a68bf417dce28e0ac87f10a Mon Sep 17 00:00:00 2001 +From d57ff78f799b321a0ce5aee5dbdf53aa89ad3f0b Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Tue, 21 Sep 2021 17:11:28 +1200 -Subject: [PATCH 062/159] tests/krb5: Correctly check PA-SUPPORTED-ENCTYPES +Subject: [PATCH 065/162] tests/krb5: Correctly check PA-SUPPORTED-ENCTYPES BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881 @@ -6258,10 +6640,10 @@ 2.25.1 -From 152132539a07ce92c149a48706a3128b26f5c218 Mon Sep 17 00:00:00 2001 +From 1b7e570a4e89e1b7051116027ebd7e3556868c88 Mon Sep 17 00:00:00 2001 
From: Joseph Sutton Date: Mon, 20 Sep 2021 13:54:39 +1200 -Subject: [PATCH 063/159] tests/krb5: Set key version number for all accounts +Subject: [PATCH 066/162] tests/krb5: Set key version number for all accounts created with create_account() BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 @@ -6308,10 +6690,10 @@ 2.25.1 -From 5c3a7f2dce8bf83d2ba7acd91e3acef6a7ed89bb Mon Sep 17 00:00:00 2001 +From 2a995642fed6022e4b1bc031808ffecc49f0a3ce Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Mon, 20 Sep 2021 13:59:24 +1200 -Subject: [PATCH 064/159] tests/krb5: Allow tgs_req() to check the returned +Subject: [PATCH 067/162] tests/krb5: Allow tgs_req() to check the returned ticket enc-part BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 @@ -6362,10 +6744,10 @@ 2.25.1 -From 42dee785c7fccd0172f131885f742c1d6465a73d Mon Sep 17 00:00:00 2001 +From 5b2376d614e25de22710ac57426209495f804a59 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Mon, 20 Sep 2021 13:58:09 +1200 -Subject: [PATCH 065/159] tests/krb5: Add method to get DC credentials +Subject: [PATCH 068/162] tests/krb5: Add method to get DC credentials BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881 @@ -6434,10 +6816,10 @@ 2.25.1 -From 9ec0873fbc49c874f9b9075e0d0d2f8b34a9b640 Mon Sep 17 00:00:00 2001 +From 0533b1f8b3a6765bc71800f713d08ea880717875 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Mon, 20 Sep 2021 14:08:16 +1200 -Subject: [PATCH 066/159] tests/krb5: Fix checking for presence of +Subject: [PATCH 069/162] tests/krb5: Fix checking for presence of authorization data BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 @@ -6574,10 +6956,10 @@ 2.25.1 -From fcbbc7747f52d6f8a583b03b68ed77b240aaee40 Mon Sep 17 00:00:00 2001 +From 945d6e9ec20e7eed959b83e89a08e0db38a2db7a Mon Sep 17 00:00:00 2001 
From: Joseph Sutton Date: Wed, 22 Sep 2021 11:41:45 +1200 -Subject: [PATCH 067/159] tests/krb5: Provide ticket enc-part key to tgs_req() +Subject: [PATCH 070/162] tests/krb5: Provide ticket enc-part key to tgs_req() BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881 @@ -6735,10 +7117,10 @@ 2.25.1 -From 101b874203099dbb8b4b59968b1495073e4691dc Mon Sep 17 00:00:00 2001 +From f9bb0a161157247ef5dfffd2263a4f365429c9f1 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Mon, 20 Sep 2021 14:05:58 +1200 -Subject: [PATCH 068/159] tests/krb5: Simplify account creation +Subject: [PATCH 071/162] tests/krb5: Simplify account creation BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881 @@ -6794,10 +7176,10 @@ 2.25.1 -From e040cad6827843cdf06e6a6c7c0ab5baa3fadc36 Mon Sep 17 00:00:00 2001 +From 8a1d041941e65b56a9fed9e8034d7bcd71cb170d Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Tue, 21 Sep 2021 13:54:47 +1200 -Subject: [PATCH 069/159] tests/krb5: Add get_rodc_krbtgt_creds() to +Subject: [PATCH 072/162] tests/krb5: Add get_rodc_krbtgt_creds() to RawKerberosTest BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 @@ -6836,10 +7218,10 @@ 2.25.1 -From 080c3b0d474157f2263357bd29b73566f1dc2181 Mon Sep 17 00:00:00 2001 +From 27ca6f762a518ee03ec5470be355b3673dcb8b3a Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Mon, 20 Sep 2021 14:10:07 +1200 -Subject: [PATCH 070/159] tests/krb5: Verify checksums of tickets obtained from +Subject: [PATCH 073/162] tests/krb5: Verify checksums of tickets obtained from the KDC BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 @@ -6915,10 +7297,10 @@ 2.25.1 -From 0c89db611f0d541201477a3a41f6a63df01825dc Mon Sep 17 00:00:00 2001 +From 0ec6f8a7977e3ed56ba3e03061175cf2c36bd27e Mon Sep 17 00:00:00 2001 
From: Joseph Sutton Date: Mon, 20 Sep 2021 15:06:18 +1200 -Subject: [PATCH 071/159] tests/krb5: Add method to determine if principal is +Subject: [PATCH 074/162] tests/krb5: Add method to determine if principal is krbtgt BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 @@ -6959,10 +7341,10 @@ 2.25.1 -From 681687d95f2bfaec412d9eeeeb64e24363ec1a60 Mon Sep 17 00:00:00 2001 +From 51e7799ab826b38ebfcf298dac898002dff6a49a Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Mon, 20 Sep 2021 15:10:35 +1200 -Subject: [PATCH 072/159] tests/krb5: Add classes for testing invalid checksums +Subject: [PATCH 075/162] tests/krb5: Add classes for testing invalid checksums BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881 @@ -7016,10 +7398,10 @@ 2.25.1 -From b754e69e548e8a61e6bbd42e1ec512debb37b0e1 Mon Sep 17 00:00:00 2001 +From 44cb91b37a4b86bd8bd6f6299bdd3e0c0b9bcf81 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Wed, 29 Sep 2021 11:16:24 +1300 -Subject: [PATCH 073/159] tests/krb5: Rename method parameter +Subject: [PATCH 076/162] tests/krb5: Rename method parameter For class methods, the name given to the first parameter is generally 'cls' rather than 'self'. @@ -7073,10 +7455,10 @@ 2.25.1 -From 572ef6db32daba4956f8671193c73b3a60c547f5 Mon Sep 17 00:00:00 2001 +From e049a8dc8cc535da4c4de050c7e3a9d4a5606ead Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Wed, 29 Sep 2021 11:16:51 +1300 -Subject: [PATCH 074/159] tests/krb5: Remove unused parameter +Subject: [PATCH 077/162] tests/krb5: Remove unused parameter BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881 @@ -7120,10 +7502,10 @@ 2.25.1 -From 5458bcb9bb60c46ec7f6cff31aa8a95863bb5618 Mon Sep 17 00:00:00 2001 +From ed813475b9dbbe0160266c1aff245c466ff898a5 Mon Sep 17 00:00:00 2001 
From: Joseph Sutton Date: Wed, 29 Sep 2021 11:23:17 +1300 -Subject: [PATCH 075/159] tests/krb5: Allow for missing msDS-KeyVersionNumber +Subject: [PATCH 078/162] tests/krb5: Allow for missing msDS-KeyVersionNumber attribute BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 @@ -7157,10 +7539,10 @@ 2.25.1 -From d1b1da69b8f1daba4681e17566fe1dfeb7d70921 Mon Sep 17 00:00:00 2001 +From dc33097e4cce158eef762db5070bebdc5e6d0c24 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Thu, 30 Sep 2021 10:51:01 +1300 -Subject: [PATCH 076/159] tests/krb5: Fix sending PA-PAC-OPTIONS and +Subject: [PATCH 079/162] tests/krb5: Fix sending PA-PAC-OPTIONS and PA-PAC-REQUEST These padata were not being sent if other FAST padata was not specified. @@ -7198,10 +7580,10 @@ 2.25.1 -From 0ac26e181af9bf23825551d3dd96fd26b8e13635 Mon Sep 17 00:00:00 2001 +From e76ad0051a20bfc02d800130ce2074fb8f70c658 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Thu, 30 Sep 2021 10:54:33 +1300 -Subject: [PATCH 077/159] tests/krb5: Fix PA-PAC-OPTIONS checking +Subject: [PATCH 080/162] tests/krb5: Fix PA-PAC-OPTIONS checking Make the check work correctly if bits other than the claims bit are specified. @@ -7329,10 +7711,10 @@ 2.25.1 -From 6f3ef190e4eeab04ec9aafc3ef9fb189b85624fb Mon Sep 17 00:00:00 2001 +From 93837b635c1a9ecb7ea0356b712b6566ded96270 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Wed, 29 Sep 2021 11:47:39 +1300 -Subject: [PATCH 078/159] tests/krb5: Rename allowed_to_delegate_to parameter +Subject: [PATCH 081/162] tests/krb5: Rename allowed_to_delegate_to parameter for clarity This helps to distinguish resourced-based and non-resource-based @@ -7392,10 +7774,10 @@ 2.25.1 -From 20a5c954a0b15c060f9a91ba7b42f7118500244d Mon Sep 17 00:00:00 2001 +From 39f312c100768b2904bc8c705e0d3c55347597aa Mon Sep 17 00:00:00 2001 
From: Joseph Sutton Date: Wed, 29 Sep 2021 11:50:36 +1300 -Subject: [PATCH 079/159] tests/krb5: Allow created accounts to use +Subject: [PATCH 082/162] tests/krb5: Allow created accounts to use resource-based constrained delegation BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 @@ -7483,10 +7865,10 @@ 2.25.1 -From 0d0c2b1a5efe802dd70ef8d64270a41b603f4a35 Mon Sep 17 00:00:00 2001 +From 86c12bf22b0ce718850ef7bd76d89b20f20458ea Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Wed, 29 Sep 2021 11:52:17 +1300 -Subject: [PATCH 080/159] tests/krb5: Add assertion to make failures clearer +Subject: [PATCH 083/162] tests/krb5: Add assertion to make failures clearer These failures may occur if tests are not run against an RODC. @@ -7516,10 +7898,10 @@ 2.25.1 -From 36bc124d181ee9c757dfb1d2ef6dd94431d47e51 Mon Sep 17 00:00:00 2001 +From 6ef06e0fc508b383e65e4621e885101ad78d55c7 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Wed, 29 Sep 2021 11:54:49 +1300 -Subject: [PATCH 081/159] tests/krb5: Introduce helper method for creating +Subject: [PATCH 084/162] tests/krb5: Introduce helper method for creating invalid length checksums BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 @@ -7566,10 +7948,10 @@ 2.25.1 -From 523b52e7d931c3df7397cce92ab2438caa3fdb22 Mon Sep 17 00:00:00 2001 +From 15778005784cd0a1b7419778b78962718f1fb453 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Wed, 29 Sep 2021 11:56:21 +1300 -Subject: [PATCH 082/159] tests/krb5: Fix method for creating invalid length +Subject: [PATCH 085/162] tests/krb5: Fix method for creating invalid length zeroed checksum Previously the base class method was being used. @@ -7602,10 +7984,10 @@ 2.25.1 -From 3ac077e988b65c31aa9d5637cb0668dcdb8a5bd6 Mon Sep 17 00:00:00 2001 +From a94085f8bb506d04b2b3ae640d4c1e6390bdc3e6 Mon Sep 17 00:00:00 2001 
From: Joseph Sutton Date: Wed, 29 Sep 2021 11:59:42 +1300 -Subject: [PATCH 083/159] tests/krb5: Fix checksum generation and verification +Subject: [PATCH 086/162] tests/krb5: Fix checksum generation and verification The KDC and server checksums may be generated using the same key, but only the KDC checksum should have an RODCIdentifier. To fix this, @@ -7763,10 +8145,10 @@ 2.25.1 -From 22d766e823fcab412b69ba6ed0b673105a379639 Mon Sep 17 00:00:00 2001 +From 349f9c13b362304446b98f6e04cfea932f0b4177 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Wed, 29 Sep 2021 12:03:33 +1300 -Subject: [PATCH 084/159] tests/krb5: Allow excluding the PAC server checksum +Subject: [PATCH 087/162] tests/krb5: Allow excluding the PAC server checksum BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881 @@ -7798,10 +8180,10 @@ 2.25.1 -From 2dc8ddc9c80756a29e6d629fef414745c6f84f35 Mon Sep 17 00:00:00 2001 +From a4cedfe59db888129f8e224faf70fff718c880ff Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Wed, 29 Sep 2021 12:06:03 +1300 -Subject: [PATCH 085/159] tests/krb5: Fix handling authdata with missing PAC +Subject: [PATCH 088/162] tests/krb5: Fix handling authdata with missing PAC BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881 @@ -7847,10 +8229,10 @@ 2.25.1 -From 623e1c88fb1bb84eb591add09f45423837730364 Mon Sep 17 00:00:00 2001 +From 27251bc68be942a2995046865a75dfbc7ade398c Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Wed, 29 Sep 2021 12:16:58 +1300 -Subject: [PATCH 086/159] tests/krb5: Fix status code checking +Subject: [PATCH 089/162] tests/krb5: Fix status code checking The type used to encode the status code is actually KERB-ERROR-DATA, rather than PA-DATA. @@ -8037,10 +8419,10 @@ 2.25.1 -From 2442fc8337a95942eaca079ed5a4b2f6aaae116e Mon Sep 17 00:00:00 2001 +From 01a3d358b030bac0151224cf0ec851c17adef123 Mon Sep 17 00:00:00 2001 
From: Joseph Sutton Date: Wed, 29 Sep 2021 13:01:30 +1300 -Subject: [PATCH 087/159] tests/krb5: Make expected_sname checking more +Subject: [PATCH 090/162] tests/krb5: Make expected_sname checking more explicit BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 @@ -8190,10 +8572,10 @@ 2.25.1 -From f03a675183f15fbbf5992cb86dd691df37ad8e9a Mon Sep 17 00:00:00 2001 +From 45bd19b51bcb7df3de3ec3f9fb8b7dd26cbab820 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Wed, 29 Sep 2021 13:03:49 +1300 -Subject: [PATCH 088/159] tests/krb5: Fix assertElementFlags() +Subject: [PATCH 091/162] tests/krb5: Fix assertElementFlags() BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881 @@ -8248,10 +8630,10 @@ 2.25.1 -From daece552364da4dc00e8ffc585aff25c5627e14e Mon Sep 17 00:00:00 2001 +From f3745e6f922ae5d952336917feab8c6e1452bcb5 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Wed, 29 Sep 2021 14:02:37 +1300 -Subject: [PATCH 089/159] tests/krb5: Remove unneeded parameters from ticket +Subject: [PATCH 092/162] tests/krb5: Remove unneeded parameters from ticket cache key BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 @@ -8282,10 +8664,10 @@ 2.25.1 -From 40aa7f266bdf1f50e4410a9285bbbee9c51c0516 Mon Sep 17 00:00:00 2001 +From 4e3ade7f737231daa051ea72a786478978d16cf9 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Wed, 29 Sep 2021 15:48:58 +1300 -Subject: [PATCH 090/159] tests/krb5: Fix checking for presence of error data +Subject: [PATCH 093/162] tests/krb5: Fix checking for presence of error data BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881 @@ -8562,10 +8944,10 @@ 2.25.1 -From 4055fc3d8ade7dd706168a955693e459ba4b6646 Mon Sep 17 00:00:00 2001 +From 963db6229f95e2c5a05d9f66b55fa101338c94f9 Mon Sep 17 00:00:00 2001 
From: Joseph Sutton Date: Wed, 29 Sep 2021 16:10:07 +1300 -Subject: [PATCH 091/159] tests/krb5: Add expect_claims parameter to +Subject: [PATCH 094/162] tests/krb5: Add expect_claims parameter to kdc_exchange_dict BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 @@ -8618,10 +9000,10 @@ 2.25.1 -From 31a2b4221ca6ab2508ac76cefd2aedabde049086 Mon Sep 17 00:00:00 2001 +From cc31f545638e8196d0ea7434b392339809c07def Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Wed, 29 Sep 2021 16:15:26 +1300 -Subject: [PATCH 092/159] tests/krb5: Check buffer types in PAC with +Subject: [PATCH 095/162] tests/krb5: Check buffer types in PAC with STRICT_CHECKING=1 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 @@ -8730,10 +9112,10 @@ 2.25.1 -From 1ef4641c28ec084ba0b4cb2e40976972581d71d5 Mon Sep 17 00:00:00 2001 +From 59b129bb590b4b9fd1625bd70e96fd360ca87913 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Wed, 29 Sep 2021 16:26:54 +1300 -Subject: [PATCH 093/159] tests/krb5: Check constrained delegation PAC buffer +Subject: [PATCH 096/162] tests/krb5: Check constrained delegation PAC buffer BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881 @@ -8795,10 +9177,10 @@ 2.25.1 -From 0f3a5ab6a41a85aa99eb1e225f6515588ff9b781 Mon Sep 17 00:00:00 2001 +From 1ea174685400761c982d9b1384e3472b59be2d74 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Wed, 29 Sep 2021 16:41:23 +1300 -Subject: [PATCH 094/159] tests/krb5: Save account SPN +Subject: [PATCH 097/162] tests/krb5: Save account SPN This is useful for testing delegation. @@ -8854,10 +9236,10 @@ 2.25.1 -From b4d1f97a9887ca0d398f5e68f9bbed937fdb67bc Mon Sep 17 00:00:00 2001 +From a6bfa7318b4f466d08d290dedb1af580ff8e5f5a Mon Sep 17 00:00:00 2001 
From: Joseph Sutton Date: Wed, 29 Sep 2021 16:48:50 +1300 -Subject: [PATCH 095/159] tests/krb5: Allow specifying options and expected +Subject: [PATCH 098/162] tests/krb5: Allow specifying options and expected flags when obtaining a ticket BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 @@ -8960,10 +9342,10 @@ 2.25.1 -From d8631f5a28d34a34a7d42f6b47b6b0737bc25889 Mon Sep 17 00:00:00 2001 +From e4ca6061acb1ce2c2e576dd5098a44caf8c01811 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Wed, 29 Sep 2021 16:52:01 +1300 -Subject: [PATCH 096/159] tests/krb5: Supply supported account enctypes in +Subject: [PATCH 099/162] tests/krb5: Supply supported account enctypes in tgs_req() BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 @@ -9003,10 +9385,10 @@ 2.25.1 -From 483b623ca8eca70002f0fd493da8f289bc947fc9 Mon Sep 17 00:00:00 2001 +From 66ec4236cadd1bff830b9dd4838c0fa7aa12c0aa Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Thu, 30 Sep 2021 16:53:35 +1300 -Subject: [PATCH 097/159] tests/krb5: Add parameter to enforce presence of +Subject: [PATCH 100/162] tests/krb5: Add parameter to enforce presence of ticket checksums This allows existing tests to pass before this functionality is @@ -9101,10 +9483,10 @@ 2.25.1 -From 95cc7ea52f62c4c6d44ea47bb45e36e25bc77f0a Mon Sep 17 00:00:00 2001 +From 2572b6ce3efd78201aed6bc84d1e3957d3e4e81a Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Thu, 14 Oct 2021 16:43:05 +1300 -Subject: [PATCH 098/159] tests/krb5: Add compatability tests for ticket +Subject: [PATCH 101/162] tests/krb5: Add compatability tests for ticket checksums BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 @@ -9213,10 +9595,10 @@ +# +^samba.tests.krb5.compatability_tests.samba.tests.krb5.compatability_tests.SimpleKerberosTests.test_heimdal_ticket_signature diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py -index c83136d6421..92e5b8f5946 100755 +index 423f48b6921..dfd5b271cd2 100755 --- a/source4/selftest/tests.py 
+++ b/source4/selftest/tests.py -@@ -1424,7 +1424,12 @@ planpythontestsuite("ad_dc", "samba.tests.krb5.as_canonicalization_tests", +@@ -1390,7 +1390,12 @@ planpythontestsuite("ad_dc", "samba.tests.krb5.as_canonicalization_tests", 'ADMIN_USERNAME': '$USERNAME', 'ADMIN_PASSWORD': '$PASSWORD' }) @@ -9234,10 +9616,10 @@ 2.25.1 -From 6b06fb1dc61f62dde6619e9845b5e15b5fbef255 Mon Sep 17 00:00:00 2001 +From 50f5ba15889f33153d6e89a3d998a266f408e638 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Mon, 11 Oct 2021 14:37:03 +1300 -Subject: [PATCH 099/159] tests/krb5: Use correct principal name type +Subject: [PATCH 102/162] tests/krb5: Use correct principal name type BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881 @@ -9274,10 +9656,10 @@ 2.25.1 -From 5e150a9aaabaf31f2eadc9f17b7e5aa2241ff033 Mon Sep 17 00:00:00 2001 +From 4c6bf1bf929d7edbb40b1959618661b5d459186c Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Mon, 11 Oct 2021 14:39:26 +1300 -Subject: [PATCH 100/159] tests/krb5: Clarify checksum type assertion message +Subject: [PATCH 103/162] tests/krb5: Clarify checksum type assertion message BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881 @@ -9307,10 +9689,10 @@ 2.25.1 -From b7d628065e848460318305052e792758e59685f2 Mon Sep 17 00:00:00 2001 +From 980992e8c8ea3bf2c30c565dc133bf61cb7d2051 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Mon, 11 Oct 2021 16:15:43 +1300 -Subject: [PATCH 101/159] tests/krb5: Fix padata checking at functional level +Subject: [PATCH 104/162] tests/krb5: Fix padata checking at functional level 2003 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 @@ -9354,10 +9736,10 @@ 2.25.1 -From e95adf228ae031ea9281d48466e0d93d8f34677f Mon Sep 17 00:00:00 2001 +From a5bc3d294ca7172582730cdc23b12ddfa65ef11d Mon Sep 17 00:00:00 2001 
From: Joseph Sutton Date: Tue, 12 Oct 2021 11:34:59 +1300 -Subject: [PATCH 102/159] tests/krb5: Add environment variable to specify KDC +Subject: [PATCH 105/162] tests/krb5: Add environment variable to specify KDC FAST support BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 @@ -9390,10 +9772,10 @@ def setUp(self): super().setUp() diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py -index 92e5b8f5946..c34d25d81d5 100755 +index dfd5b271cd2..ae8da7c8e34 100755 --- a/source4/selftest/tests.py +++ b/source4/selftest/tests.py -@@ -809,39 +809,47 @@ planoldpythontestsuite("nt4_dc", "samba.tests.netbios", extra_args=['-U"$USERNAM +@@ -787,39 +787,47 @@ planoldpythontestsuite("nt4_dc", "samba.tests.netbios", extra_args=['-U"$USERNAM planoldpythontestsuite("ad_dc:local", "samba.tests.gpo", extra_args=['-U"$USERNAME%$PASSWORD"']) planoldpythontestsuite("ad_dc:local", "samba.tests.dckeytab", extra_args=['-U"$USERNAME%$PASSWORD"']) @@ -9448,7 +9830,7 @@ }) for env in ["ad_dc", smbv1_disabled_testenv]: -@@ -1402,6 +1410,7 @@ for env in ["fl2008r2dc", "fl2003dc"]: +@@ -1368,6 +1376,7 @@ for env in ["fl2008r2dc", "fl2003dc"]: 'ADMIN_USERNAME': '$USERNAME', 'ADMIN_PASSWORD': '$PASSWORD', 'STRICT_CHECKING': '0', @@ -9456,7 +9838,7 @@ }) -@@ -1422,22 +1431,26 @@ for env in ["rodc", "promoted_dc", "fl2000dc", "fl2008r2dc"]: +@@ -1388,22 +1397,26 @@ for env in ["rodc", "promoted_dc", "fl2000dc", "fl2008r2dc"]: planpythontestsuite("ad_dc", "samba.tests.krb5.as_canonicalization_tests", environ={ 'ADMIN_USERNAME': '$USERNAME', @@ -9486,7 +9868,7 @@ }) planpythontestsuite( "ad_dc", -@@ -1446,6 +1459,7 @@ planpythontestsuite( +@@ -1412,6 +1425,7 @@ planpythontestsuite( 'ADMIN_USERNAME': '$USERNAME', 'ADMIN_PASSWORD': '$PASSWORD', 'STRICT_CHECKING': '0', @@ -9494,7 +9876,7 @@ }) planpythontestsuite( "ad_dc", -@@ -1453,7 +1467,8 @@ planpythontestsuite( +@@ -1419,7 +1433,8 @@ planpythontestsuite( environ={ 'ADMIN_USERNAME': '$USERNAME', 'ADMIN_PASSWORD': '$PASSWORD', 
@@ -9508,10 +9890,10 @@ 2.25.1 -From b2e245b90f10c1cfc98e555dfc6234dc62078790 Mon Sep 17 00:00:00 2001 +From bb248ff2b2458da767b193aa78cfdbbeb13a0ea7 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Mon, 11 Oct 2021 14:45:45 +1300 -Subject: [PATCH 103/159] tests/krb5: Check padata types when STRICT_CHECKING=0 +Subject: [PATCH 106/162] tests/krb5: Check padata types when STRICT_CHECKING=0 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881 @@ -9607,10 +9989,10 @@ 2.25.1 -From 27bb27a4460ffc3c3ac61d2c74d00e0e8258cb07 Mon Sep 17 00:00:00 2001 +From 4f6ca6e7c6b2e89aa8aef86bbad1dddf1381581b Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Mon, 11 Oct 2021 14:48:03 +1300 -Subject: [PATCH 104/159] tests/krb5: Check logon name in PAC +Subject: [PATCH 107/162] tests/krb5: Check logon name in PAC BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881 @@ -9643,10 +10025,10 @@ 2.25.1 -From 6913a289a5433b526b48b3f6069d6f2beb50899a Mon Sep 17 00:00:00 2001 +From b2fa01bcae41c7cf6c0e474eaa2833e78ba1a7b0 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Mon, 11 Oct 2021 14:49:34 +1300 -Subject: [PATCH 105/159] tests/krb5: Simplify padata checking +Subject: [PATCH 108/162] tests/krb5: Simplify padata checking BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881 @@ -9883,10 +10265,10 @@ 2.25.1 -From beb9319d983f0ae0ba2875b308c4fa977a1ab86b Mon Sep 17 00:00:00 2001 +From 3ef3de37f21877d154594a366a048e3afc449332 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Fri, 8 Oct 2021 11:48:41 +1300 -Subject: [PATCH 106/159] tests/krb5: Disable debugging output for tests +Subject: [PATCH 109/162] tests/krb5: Disable debugging output for tests This reduces the time spent running the tests in a testenv. 
@@ -10085,10 +10467,10 @@ 2.25.1 -From 35a5a29c7ccca0ef9c3d4917240fb8003d1c38b0 Mon Sep 17 00:00:00 2001 +From c9222f4faf454e72a868fcaf75f85b44fc4cdce7 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Tue, 5 Oct 2021 19:47:22 +1300 -Subject: [PATCH 107/159] tests/krb5: Provide clearer assertion messages for +Subject: [PATCH 110/162] tests/krb5: Provide clearer assertion messages for test failures BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 @@ -10123,10 +10505,10 @@ 2.25.1 -From b8a1f5192d9726df85ab360073cfdca8086a89e1 Mon Sep 17 00:00:00 2001 +From e38096812777ce3109b1122f181e7614963b5704 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Tue, 5 Oct 2021 16:32:01 +1300 -Subject: [PATCH 108/159] tests/krb5: Fix sha1 checksum type +Subject: [PATCH 111/162] tests/krb5: Fix sha1 checksum type Previously, sha1 signatures were being designated as rsa-md5-des3 signatures. @@ -10142,7 +10524,7 @@ 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/python/samba/tests/krb5/kcrypto.py b/python/samba/tests/krb5/kcrypto.py -index 4a4a12a66d4..4bf38d3c36b 100755 +index 2a72969de00..a919b785ad1 100755 --- a/python/samba/tests/krb5/kcrypto.py +++ b/python/samba/tests/krb5/kcrypto.py @@ -81,8 +81,8 @@ class Cksumtype(object): @@ -10159,10 +10541,10 @@ 2.25.1 -From 1ed3af883f6d7b93583104738a669e8f8a9a7192 Mon Sep 17 00:00:00 2001 +From 0d6554253af915680d9abb7cb519148201ca6589 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Wed, 13 Oct 2021 12:26:22 +1300 -Subject: [PATCH 109/159] selftest/dbcheck: Fix up RODC one-way links +Subject: [PATCH 112/162] selftest/dbcheck: Fix up RODC one-way links Test accounts were replicated to the RODC and then deleted, causing state links to remain in the database. @@ -10194,10 +10576,10 @@ 2.25.1 -From 202ba79036c22a96987da0635ba8b68cbf89c3e4 Mon Sep 17 00:00:00 2001 +From a3977b4e784cc00f5f3db35836011300c4224936 Mon Sep 17 00:00:00 2001 
From: Joseph Sutton Date: Thu, 14 Oct 2021 16:58:15 +1300 -Subject: [PATCH 110/159] tests/krb5: Add TKT_SIG_SUPPORT environment variable +Subject: [PATCH 113/162] tests/krb5: Add TKT_SIG_SUPPORT environment variable This lets us indicate that service tickets should be issued with ticket checksums in the PAC. @@ -10232,10 +10614,10 @@ super().setUp() self.do_asn1_print = False diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py -index c34d25d81d5..f7b34baba8a 100755 +index ae8da7c8e34..4432ce2fbdc 100755 --- a/source4/selftest/tests.py +++ b/source4/selftest/tests.py -@@ -810,46 +810,54 @@ planoldpythontestsuite("ad_dc:local", "samba.tests.gpo", extra_args=['-U"$USERNA +@@ -788,46 +788,54 @@ planoldpythontestsuite("ad_dc:local", "samba.tests.gpo", extra_args=['-U"$USERNA planoldpythontestsuite("ad_dc:local", "samba.tests.dckeytab", extra_args=['-U"$USERNAME%$PASSWORD"']) have_fast_support = int('SAMBA_USES_MITKDC' in config_hash) @@ -10297,7 +10679,7 @@ }) for env in ["ad_dc", smbv1_disabled_testenv]: -@@ -1410,7 +1418,8 @@ for env in ["fl2008r2dc", "fl2003dc"]: +@@ -1376,7 +1384,8 @@ for env in ["fl2008r2dc", "fl2003dc"]: 'ADMIN_USERNAME': '$USERNAME', 'ADMIN_PASSWORD': '$PASSWORD', 'STRICT_CHECKING': '0', @@ -10307,7 +10689,7 @@ }) -@@ -1432,7 +1441,8 @@ planpythontestsuite("ad_dc", "samba.tests.krb5.as_canonicalization_tests", +@@ -1398,7 +1407,8 @@ planpythontestsuite("ad_dc", "samba.tests.krb5.as_canonicalization_tests", environ={ 'ADMIN_USERNAME': '$USERNAME', 'ADMIN_PASSWORD': '$PASSWORD', @@ -10317,7 +10699,7 @@ }) planpythontestsuite("ad_dc", "samba.tests.krb5.compatability_tests", environ={ -@@ -1440,9 +1450,11 @@ planpythontestsuite("ad_dc", "samba.tests.krb5.compatability_tests", +@@ -1406,9 +1416,11 @@ planpythontestsuite("ad_dc", "samba.tests.krb5.compatability_tests", 'ADMIN_PASSWORD': '$PASSWORD', 'STRICT_CHECKING': '0', 'FAST_SUPPORT': have_fast_support, 
@@ -10330,7 +10712,7 @@ planpythontestsuite( "ad_dc", "samba.tests.krb5.kdc_tgs_tests", -@@ -1450,7 +1462,8 @@ planpythontestsuite( +@@ -1416,7 +1428,8 @@ planpythontestsuite( 'ADMIN_USERNAME': '$USERNAME', 'ADMIN_PASSWORD': '$PASSWORD', 'STRICT_CHECKING': '0', @@ -10340,7 +10722,7 @@ }) planpythontestsuite( "ad_dc", -@@ -1459,7 +1472,8 @@ planpythontestsuite( +@@ -1425,7 +1438,8 @@ planpythontestsuite( 'ADMIN_USERNAME': '$USERNAME', 'ADMIN_PASSWORD': '$PASSWORD', 'STRICT_CHECKING': '0', @@ -10350,7 +10732,7 @@ }) planpythontestsuite( "ad_dc", -@@ -1468,7 +1482,8 @@ planpythontestsuite( +@@ -1434,7 +1448,8 @@ planpythontestsuite( 'ADMIN_USERNAME': '$USERNAME', 'ADMIN_PASSWORD': '$PASSWORD', 'STRICT_CHECKING': '0', @@ -10364,10 +10746,10 @@ 2.25.1 -From 1ccfb869ed22f8fc32631f4fea505723225863c8 Mon Sep 17 00:00:00 2001 +From 02852a10be1d9075fd0c86c36aa8616d06c65883 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Tue, 5 Oct 2021 15:39:11 +1300 -Subject: [PATCH 111/159] tests/krb5: Require ticket checksums if decryption +Subject: [PATCH 114/162] tests/krb5: Require ticket checksums if decryption key is available We perform this check conditionally, because MIT doesn't currently add @@ -10409,10 +10791,10 @@ 2.25.1 -From 4601d2b117f41a3de47c62fb9f98d7c5f252d357 Mon Sep 17 00:00:00 2001 +From ea284630a167f027e3ed90ead2d15e7ee26dbb83 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Wed, 6 Oct 2021 16:35:47 +1300 -Subject: [PATCH 112/159] tests/krb5: Verify tickets obtained with +Subject: [PATCH 115/162] tests/krb5: Verify tickets obtained with get_service_ticket() We only require the ticket checksum with Heimdal, because MIT currently @@ -10451,10 +10833,10 @@ 2.25.1 -From 100cb097015f2efb1645d69de8a4f3826de1ce71 Mon Sep 17 00:00:00 2001 +From aef477136f4407c42e741e5d85f7b25ccaa30405 Mon Sep 17 00:00:00 2001 
From: Joseph Sutton Date: Thu, 30 Sep 2021 15:03:04 +1300 -Subject: [PATCH 113/159] tests/krb5: Add constrained delegation tests +Subject: [PATCH 116/162] tests/krb5: Add constrained delegation tests BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881 @@ -11573,10 +11955,10 @@ if __name__ == "__main__": global_asn1_print = False diff --git a/python/samba/tests/usage.py b/python/samba/tests/usage.py -index 7cdf25b48ae..0a9aac1f2cc 100644 +index 29990ec9511..e1711b532d7 100644 --- a/python/samba/tests/usage.py +++ b/python/samba/tests/usage.py -@@ -103,6 +103,7 @@ EXCLUDE_USAGE = { +@@ -102,6 +102,7 @@ EXCLUDE_USAGE = { 'python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py', 'python/samba/tests/krb5/as_req_tests.py', 'python/samba/tests/krb5/fast_tests.py', @@ -11622,10 +12004,10 @@ +# +^samba.tests.krb5.rodc_tests.samba.tests.krb5.rodc_tests.RodcKerberosTests.test_rodc_ticket_signature diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py -index f7b34baba8a..5d3c4ac4bfd 100755 +index 4432ce2fbdc..187cdd18132 100755 --- a/source4/selftest/tests.py +++ b/source4/selftest/tests.py -@@ -817,9 +817,16 @@ planoldpythontestsuite("ad_dc_default", "samba.tests.krb5.simple_tests", +@@ -795,9 +795,16 @@ planoldpythontestsuite("ad_dc_default", "samba.tests.krb5.simple_tests", 'FAST_SUPPORT': have_fast_support, 'TKT_SIG_SUPPORT': tkt_sig_support}) planoldpythontestsuite("ad_dc_default:local", "samba.tests.krb5.s4u_tests", @@ -11648,10 +12030,10 @@ 2.25.1 -From 4e0213ce6607b414b4a126b7a7a0331a1371e521 Mon Sep 17 00:00:00 2001 +From 2ed907cd2af84e74981de9ef5acc4b23eff5cc2a Mon Sep 17 00:00:00 2001 
From: Joseph Sutton Date: Wed, 29 Sep 2021 12:07:40 +1300 -Subject: [PATCH 114/159] tests/krb5: Don't include empty AD-IF-RELEVANT +Subject: [PATCH 117/162] tests/krb5: Don't include empty AD-IF-RELEVANT BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881 @@ -11698,10 +12080,10 @@ 2.25.1 -From 80bdce644a8e7bb641f27f0f6cfb1fa8e33b1f47 Mon Sep 17 00:00:00 2001 +From 6860972c1660a8c2599440a05d43ff97d5dd76ec Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Fri, 8 Oct 2021 15:41:35 +1300 -Subject: [PATCH 115/159] tests/krb5: Allow bypassing cache when creating +Subject: [PATCH 118/162] tests/krb5: Allow bypassing cache when creating accounts BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 @@ -11749,10 +12131,10 @@ 2.25.1 -From 4e9e106e3906fcf41734519eb5d1d18b418fa0ee Mon Sep 17 00:00:00 2001 +From 800647adf0fad416291884de960a2f8e5a61a9a3 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Fri, 8 Oct 2021 15:40:39 +1300 -Subject: [PATCH 116/159] tests/krb5: Fix duplicate account creation +Subject: [PATCH 119/162] tests/krb5: Fix duplicate account creation BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881 @@ -11812,10 +12194,10 @@ 2.25.1 -From 27ea32d36b78b2a84a4219981c24319c32feb1d8 Mon Sep 17 00:00:00 2001 +From 6fa37392eedf04f5aef42468025e5916d4347727 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Fri, 8 Oct 2021 16:06:58 +1300 -Subject: [PATCH 117/159] s4:kdc: Simplify samba_kdc_update_pac_blob() to take +Subject: [PATCH 120/162] s4:kdc: Simplify samba_kdc_update_pac_blob() to take ldb_context as parameter BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 @@ -11917,10 +12299,10 @@ 2.25.1 -From 6c36f76f2ae1941100b3380f7185785da8d3bc58 Mon Sep 17 00:00:00 2001 +From 7f289a20640fe7f12984701ba074a9895a5501e6 Mon Sep 17 00:00:00 2001 
From: Joseph Sutton Date: Wed, 6 Oct 2021 16:40:21 +1300 -Subject: [PATCH 118/159] s4:kdc: Fix debugging messages +Subject: [PATCH 121/162] s4:kdc: Fix debugging messages BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881 @@ -12030,10 +12412,10 @@ 2.25.1 -From 0a21ac5ff9ce639751a568876a2bee4e795818c3 Mon Sep 17 00:00:00 2001 +From ee7f00da9bc590fc48c4a39fb1d534f8df495a94 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Fri, 8 Oct 2021 15:42:29 +1300 -Subject: [PATCH 119/159] s4/torture: Expect ticket checksum PAC buffer +Subject: [PATCH 122/162] s4/torture: Expect ticket checksum PAC buffer BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881 @@ -12197,10 +12579,10 @@ 2.25.1 -From 330ec109145ec100da8104168816dfaddd1fa94d Mon Sep 17 00:00:00 2001 +From 28dd954461e32719f7d58373a91ae9f4edd9b885 Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Mon, 28 Dec 2020 22:07:10 +0200 -Subject: [PATCH 120/159] kdc: remove KRB5SignedPath, to be replaced with PAC +Subject: [PATCH 123/162] kdc: remove KRB5SignedPath, to be replaced with PAC KRB5SignedPath was a Heimdal-specific authorization data element used to protect the authenticity of evidence tickets when used in constrained @@ -12673,10 +13055,10 @@ 2.25.1 -From 24c5c89e7150ce6b0ed24bccba192352223f3bfe Mon Sep 17 00:00:00 2001 +From a8df96e2baa6cd867c5d1f8e691518f1ad0123ae Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Fri, 13 Aug 2021 12:44:37 +0300 -Subject: [PATCH 121/159] kdc: sign ticket using Windows PAC +Subject: [PATCH 124/162] kdc: sign ticket using Windows PAC Split Windows PAC signing and verification logic, as the signing has to be when the ticket is ready. @@ -14284,10 +14666,10 @@ _krb5_pk_kdf; _krb5_pk_load_id; diff --git a/source4/heimdal_build/wscript_build b/source4/heimdal_build/wscript_build -index 09c525c2957..39e3f5d56e8 100644 +index 9904b245218..f151788dcfd 100644 
--- a/source4/heimdal_build/wscript_build +++ b/source4/heimdal_build/wscript_build -@@ -617,7 +617,7 @@ if not bld.CONFIG_SET("USING_SYSTEM_KRB5"): +@@ -606,7 +606,7 @@ if not bld.CONFIG_SET("USING_SYSTEM_KRB5"): KRB5_SOURCE = [os.path.join('lib/krb5/', x) for x in to_list( '''acache.c add_et_list.c addr_families.c appdefault.c @@ -14297,10 +14679,10 @@ changepw.c codec.c config_file.c constants.c convert_creds.c diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py -index 5d3c4ac4bfd..c2a6256029f 100755 +index 187cdd18132..7aba1c6ce55 100755 --- a/source4/selftest/tests.py +++ b/source4/selftest/tests.py -@@ -810,7 +810,7 @@ planoldpythontestsuite("ad_dc:local", "samba.tests.gpo", extra_args=['-U"$USERNA +@@ -788,7 +788,7 @@ planoldpythontestsuite("ad_dc:local", "samba.tests.gpo", extra_args=['-U"$USERNA planoldpythontestsuite("ad_dc:local", "samba.tests.dckeytab", extra_args=['-U"$USERNAME%$PASSWORD"']) have_fast_support = int('SAMBA_USES_MITKDC' in config_hash) @@ -14313,10 +14695,10 @@ 2.25.1 -From 96e065369c397c3b2a0910f3c12fce6bd07dbfd4 Mon Sep 17 00:00:00 2001 +From 6718286ede5d0a95eb628210802d545fae55a6ae Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Sun, 19 Sep 2021 15:04:14 +0300 -Subject: [PATCH 122/159] krb5: allow NULL parameter to krb5_pac_free() +Subject: [PATCH 125/162] krb5: allow NULL parameter to krb5_pac_free() BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881 @@ -14363,10 +14745,10 @@ 2.25.1 -From f5e8a2f16a89a2d477bdd4387aa0dd122af998bf Mon Sep 17 00:00:00 2001 +From 78fa18ee101a2727c0c522aed1e68628878828f9 Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Sun, 19 Sep 2021 15:16:58 +0300 -Subject: [PATCH 123/159] krb5: rework PAC validation loop +Subject: [PATCH 126/162] krb5: rework PAC validation loop Avoid allocating the PAC on error. 
@@ -14563,10 +14945,10 @@ 2.25.1 -From 5c9787564497ba26ac3ed3e607adbbf34308df52 Mon Sep 17 00:00:00 2001 +From b6e4b6660f4edc0d6ec044f331a5f1c683d073b3 Mon Sep 17 00:00:00 2001 From: Luke Howard Date: Fri, 17 Sep 2021 13:57:57 +1000 -Subject: [PATCH 124/159] krb5: return KRB5KRB_AP_ERR_INAPP_CKSUM if PAC +Subject: [PATCH 127/162] krb5: return KRB5KRB_AP_ERR_INAPP_CKSUM if PAC checksum fails Return KRB5KRB_AP_ERR_INAPP_CKSUM instead of EINVAL when verifying a PAC, if @@ -14609,10 +14991,10 @@ 2.25.1 -From 3c8070cc255f3fee2dee2fffadf54989e91fde19 Mon Sep 17 00:00:00 2001 +From 59ac0d07c0b44e0b021d401bb4d3b3dd77bba5fd Mon Sep 17 00:00:00 2001 From: Luke Howard Date: Sun, 6 Jan 2019 17:54:58 +1100 -Subject: [PATCH 125/159] kdc: only set HDB_F_GET_KRBTGT when requesting TGS +Subject: [PATCH 128/162] kdc: only set HDB_F_GET_KRBTGT when requesting TGS principal BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 @@ -14665,10 +15047,10 @@ 2.25.1 -From b60f9da0c3225dc3101d938e68d33ac638125f67 Mon Sep 17 00:00:00 2001 +From 1c53dc31f20268c71925ef3d5665a4b736a8896b Mon Sep 17 00:00:00 2001 From: Luke Howard Date: Thu, 23 Sep 2021 14:39:35 +1000 -Subject: [PATCH 126/159] kdc: use ticket client name when signing PAC +Subject: [PATCH 129/162] kdc: use ticket client name when signing PAC The principal in the PAC_LOGON_NAME buffer is expected to match the client name in the ticket. Previously we were setting this to the canonical client name, @@ -14729,10 +15111,10 @@ 2.25.1 -From 1d95a5fc6e904426ad683e9b7058ffaff9b320b8 Mon Sep 17 00:00:00 2001 +From 18ba837a32e9371b5872e66b1ad83d1b490cd53d Mon Sep 17 00:00:00 2001 From: Luke Howard Date: Thu, 23 Sep 2021 17:51:51 +1000 -Subject: [PATCH 127/159] kdc: correctly generate PAC TGS signature +Subject: [PATCH 130/162] kdc: correctly generate PAC TGS signature When generating an AS-REQ, the TGS signature was incorrectly generated using the server key, which would fail to validate if the server was not also the 
@@ -14849,10 +15231,10 @@ 2.25.1 -From 79db1253d80255fc48994971cb147fefff058b3e Mon Sep 17 00:00:00 2001 +From 62171bed64bceac8053e7d35aca244e987d461f1 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Wed, 11 Aug 2021 13:27:11 +1200 -Subject: [PATCH 128/159] s4/heimdal/lib/krb5/pac.c: Align PAC buffers to match +Subject: [PATCH 131/162] s4/heimdal/lib/krb5/pac.c: Align PAC buffers to match Windows BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 @@ -14918,10 +15300,10 @@ 2.25.1 -From 797dd463c02733c899a0925b28147c7c4914aade Mon Sep 17 00:00:00 2001 +From e915ea464fa5af1162fc43f10f5ff4262bd1daa1 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Fri, 8 Oct 2021 15:43:41 +1300 -Subject: [PATCH 129/159] heimdal: Make _krb5_pac_get_kdc_checksum_info() into +Subject: [PATCH 132/162] heimdal: Make _krb5_pac_get_kdc_checksum_info() into a global function This lets us call it from Samba. @@ -14980,10 +15362,10 @@ 2.25.1 -From b9672524f8eaf4bebf7bc742638734e51031144d Mon Sep 17 00:00:00 2001 +From 49eaac8b67d633b4ba76297e5fbbf5330ac9f696 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Fri, 8 Oct 2021 16:08:39 +1300 -Subject: [PATCH 130/159] s4:kdc: Check ticket signature +Subject: [PATCH 133/162] s4:kdc: Check ticket signature BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881 @@ -15369,10 +15751,10 @@ 2.25.1 -From d052d76ea7cdd77ff9648441649efef0cd3d72c4 Mon Sep 17 00:00:00 2001 +From 07585981198226c0e1cb01700e3871f359b60acb Mon Sep 17 00:00:00 2001 From: Nicolas Williams Date: Sun, 10 Oct 2021 21:55:59 -0500 -Subject: [PATCH 131/159] krb5: Fix PAC signature leak affecting KDC +Subject: [PATCH 134/162] krb5: Fix PAC signature leak affecting KDC BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881 
@@ -15600,10 +15982,10 @@ 2.25.1 -From bbe816ff36ba6230abad147e7f1e106faacee9aa Mon Sep 17 00:00:00 2001 +From 2ec564e67fe132854322e452529a4c281b843759 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 15 Oct 2021 13:09:20 +1300 -Subject: [PATCH 132/159] selftest/dbcheck: Fix up RODC one-way links (use +Subject: [PATCH 135/162] selftest/dbcheck: Fix up RODC one-way links (use correct dbcheck rule) The previous commit was correct on intention, but it was not noticed @@ -15649,10 +16031,10 @@ 2.25.1 -From 911c18e64a6fa6e19323fc21c325e1eb3a2418d6 Mon Sep 17 00:00:00 2001 +From 9c991d900f691c62b16f40a47a3048e3b78b6cf0 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Fri, 15 Oct 2021 12:12:30 +1300 -Subject: [PATCH 133/159] heimdal:kdc: Fix ticket signing without a PAC +Subject: [PATCH 136/162] heimdal:kdc: Fix ticket signing without a PAC BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881 @@ -15687,10 +16069,10 @@ 2.25.1 -From 577aaab559853f6178f9b78d47034bc50b667bbc Mon Sep 17 00:00:00 2001 +From 6f18441e7541276cd0f4f686a1b985b058ded805 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Fri, 15 Oct 2021 14:26:40 +1300 -Subject: [PATCH 134/159] tests/krb5: Allow get_tgt() to request including or +Subject: [PATCH 137/162] tests/krb5: Allow get_tgt() to request including or omitting a PAC BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 @@ -15743,10 +16125,10 @@ 2.25.1 -From 6dda5a9cbe4c9eaa7ca71cebd04775033d3f5f65 Mon Sep 17 00:00:00 2001 +From 27066e1d739ac340a19d7fcf2c8037a9dd499c78 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Fri, 15 Oct 2021 14:27:15 +1300 -Subject: [PATCH 135/159] tests/krb5: Allow specifying whether to expect a PAC +Subject: [PATCH 138/162] tests/krb5: Allow specifying whether to expect a PAC with _test_as_exchange() BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 
@@ -15783,10 +16165,10 @@ 2.25.1 -From bc9e321e39bb2fc042bf020bacc103334dbdbc27 Mon Sep 17 00:00:00 2001 +From 27ef24fa2096911c0b765f6b7f2548deb7ac8dda Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Fri, 15 Oct 2021 14:27:25 +1300 -Subject: [PATCH 136/159] tests/krb5: Add method to get the PAC from a ticket +Subject: [PATCH 139/162] tests/krb5: Add method to get the PAC from a ticket BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881 @@ -15822,10 +16204,10 @@ 2.25.1 -From 6e69925b32675462f7a6cba0d14a4578898a26db Mon Sep 17 00:00:00 2001 +From 4a8278b602d609ce0151b9a1d243a5ed3fdd27e0 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Fri, 15 Oct 2021 14:29:26 +1300 -Subject: [PATCH 137/159] tests/krb5: Add tests for requesting a service ticket +Subject: [PATCH 140/162] tests/krb5: Add tests for requesting a service ticket without a PAC BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 @@ -16025,10 +16407,10 @@ 2.25.1 -From c2d7ee5d37dff8fe8141104e31c47e67f104ae5a Mon Sep 17 00:00:00 2001 +From 4c7ce74f0425f7d32689f419b7c6f360a638eafe Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 18 Oct 2021 15:21:50 +1300 -Subject: [PATCH 138/159] kdc: Remove UF_NO_AUTH_DATA_REQUIRED from client +Subject: [PATCH 141/162] kdc: Remove UF_NO_AUTH_DATA_REQUIRED from client principals Tests against Windows 2019 show that UF_NO_AUTH_DATA_REQUIRED @@ -16114,10 +16496,10 @@ 2.25.1 -From 4b19b3713a9590dc78e4be7ed7cc4d97c1430c2a Mon Sep 17 00:00:00 2001 +From 75b847ed5bc06954c16041607744ead5169c60fe Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 18 Oct 2021 16:00:45 +1300 -Subject: [PATCH 139/159] kdc: Correctly strip PAC, rather than error on +Subject: [PATCH 142/162] kdc: Correctly strip PAC, rather than error on UF_NO_AUTH_DATA_REQUIRED for servers UF_NO_AUTH_DATA_REQUIRED on a server/service account should cause 
@@ -16230,10 +16612,10 @@ 2.25.1 -From 12b500a11b887588455aac5b7288a573b61a481e Mon Sep 17 00:00:00 2001 +From 6d63f48a94eb1b181e6cf582e5a0c33bb8fbd8b2 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Mon, 18 Oct 2021 16:05:19 +1300 -Subject: [PATCH 140/159] tests/krb5: Ensure PAC is not present if expect_pac +Subject: [PATCH 143/162] tests/krb5: Ensure PAC is not present if expect_pac is false BUG: https://bugzilla.samba.org/show_bug.cgi?id=14871 @@ -16282,10 +16664,10 @@ 2.25.1 -From 5fc8d65cffd859c5d72f53546cc0e9afb72e7a5a Mon Sep 17 00:00:00 2001 +From 9a453932f2922a626040e86e40d062b54c6644a5 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Mon, 18 Oct 2021 16:07:11 +1300 -Subject: [PATCH 141/159] tests/krb5: Add tests for constrained delegation to +Subject: [PATCH 144/162] tests/krb5: Add tests for constrained delegation to NO_AUTH_DATA_REQUIRED service BUG: https://bugzilla.samba.org/show_bug.cgi?id=14871 @@ -16483,10 +16865,10 @@ 2.25.1 -From ec38a49933d42e22d4823a8c4d1005f4a73f80ac Mon Sep 17 00:00:00 2001 +From 7e66447d134ed8778a67fb80ecdf95eced18e411 Mon Sep 17 00:00:00 2001 From: Viktor Dukhovni Date: Wed, 10 Aug 2016 23:31:14 +0000 -Subject: [PATCH 142/159] HEIMDAL:kdc: Fix transit path validation +Subject: [PATCH 145/162] HEIMDAL:kdc: Fix transit path validation CVE-2017-6594 Commit f469fc6 (2010-10-02) inadvertently caused the previous hop realm @@ -16577,10 +16959,10 @@ 2.25.1 -From 5618149ada61adb3ae5858e191096c03e7b1828f Mon Sep 17 00:00:00 2001 +From bde4bd981c78b89ec556f6d680473c303bbafffa Mon Sep 17 00:00:00 2001 From: Douglas Bagnall Date: Wed, 8 Sep 2021 17:01:26 +1200 -Subject: [PATCH 143/159] pytest/rodc_rwdc: try to avoid race. +Subject: [PATCH 146/162] pytest/rodc_rwdc: try to avoid race. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14868 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881 
@@ -16611,10 +16993,10 @@ 2.25.1 -From d191e00a5fc476781054b12c0370b6740922f8a7 Mon Sep 17 00:00:00 2001 +From 8f3d5dd7f3fd6cf9d7efedc4d8b0e2ad8a3571ca Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Mon, 20 Sep 2021 16:27:40 +1200 -Subject: [PATCH 144/159] selftest: Increase account lockout windows to make +Subject: [PATCH 147/162] selftest: Increase account lockout windows to make test more realiable BUG: https://bugzilla.samba.org/show_bug.cgi?id=14868 @@ -16652,10 +17034,10 @@ 2.25.1 -From 7c0e2643f585bcdbc5bd4fc3056df969c7c158f7 Mon Sep 17 00:00:00 2001 +From 7cd0018584ce76323cfab333d11a59fe07249b51 Mon Sep 17 00:00:00 2001 From: Douglas Bagnall Date: Fri, 6 Aug 2021 11:08:10 +1200 -Subject: [PATCH 145/159] pytest: dynamic tests optionally add __doc__ +Subject: [PATCH 148/162] pytest: dynamic tests optionally add __doc__ BUG: https://bugzilla.samba.org/show_bug.cgi?id=14869 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881 @@ -16668,10 +17050,10 @@ 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/python/samba/tests/__init__.py b/python/samba/tests/__init__.py -index a5a8acdcc41..c75f9c1ebe7 100644 +index 38f65f17e35..d895802c34f 100644 --- a/python/samba/tests/__init__.py +++ b/python/samba/tests/__init__.py -@@ -69,7 +69,7 @@ class TestCase(unittest.TestCase): +@@ -71,7 +71,7 @@ class TestCase(unittest.TestCase): """A Samba test case.""" @classmethod @@ -16680,7 +17062,7 @@ """ fnname is something like "test_dynamic_sum" suffix is something like "1plus2" -@@ -82,6 +82,7 @@ class TestCase(unittest.TestCase): +@@ -84,6 +84,7 @@ class TestCase(unittest.TestCase): """ def fn(self): getattr(self, "_%s_with_args" % fnname)(*args) @@ -16692,10 +17074,10 @@ 2.25.1 -From ff3f84525837d5fa0fe0372212a33db6a7f6ff52 Mon Sep 17 00:00:00 2001 +From 7254c308d05eca527c46319522bd671a8ea912cf Mon Sep 17 00:00:00 2001 
From: Joseph Sutton Date: Fri, 8 Oct 2021 15:40:09 +1300 -Subject: [PATCH 146/159] selftest: krb5 account creation: clarify account type +Subject: [PATCH 149/162] selftest: krb5 account creation: clarify account type as an enum This makes the code clearer with a symbolic constant rather @@ -17196,10 +17578,10 @@ 2.25.1 -From 60683736be7e7d27a6e68c6708b1e89612c49f5d Mon Sep 17 00:00:00 2001 +From 74fe73c5a8535ce3e22ef2da42be1be3893568cc Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 18 Oct 2021 20:44:54 +1300 -Subject: [PATCH 147/159] selftest: Remove duplicate setup of $base_dn and +Subject: [PATCH 150/162] selftest: Remove duplicate setup of $base_dn and $ldbmodify These are already set up to the same values above for the full @@ -17217,7 +17599,7 @@ 1 file changed, 4 deletions(-) diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm -index f58190706b1..09cedcb05f1 100755 +index 99990fea2df..8bd489ea6a5 100755 --- a/selftest/target/Samba4.pm +++ b/selftest/target/Samba4.pm @@ -1108,10 +1108,6 @@ servicePrincipalName: http/testupnspn.$ctx->{dnsname} @@ -17235,10 +17617,10 @@ 2.25.1 -From 2fea719852110483c9af0fc55ba2ff240e9248a8 Mon Sep 17 00:00:00 2001 +From 1b10de86ae8123cc939452faedd192b76256aab0 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 18 Oct 2021 11:55:14 +1300 -Subject: [PATCH 148/159] selftest: Improve error handling and perl style when +Subject: [PATCH 151/162] selftest: Improve error handling and perl style when setting up users in Samba4.pm This catches errors and avoids using global varibles (the old @@ -17255,7 +17637,7 @@ 1 file changed, 53 insertions(+), 19 deletions(-) diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm -index 09cedcb05f1..615e8b240b4 100755 +index 8bd489ea6a5..7c17060dcb0 100755 --- a/selftest/target/Samba4.pm +++ b/selftest/target/Samba4.pm @@ -239,12 +239,19 @@ sub wait_for_start($$) 
@@ -17408,10 +17790,10 @@ 2.25.1 -From 1460a095fc895cc28d0a3bd4adb69d5f8dad4be1 Mon Sep 17 00:00:00 2001 +From 56a86c4bc2567282d80e8fbf0bc527ca3b73ad02 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Mon, 4 Oct 2021 13:02:35 +0200 -Subject: [PATCH 149/159] waf: Allow building with MIT KRB5 >= 1.20 +Subject: [PATCH 152/162] waf: Allow building with MIT KRB5 >= 1.20 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -17450,10 +17832,10 @@ 2.25.1 -From 5534e6e04e3d4c9cd4aaffe04286fd2d4b062d41 Mon Sep 17 00:00:00 2001 +From 66d7d1808a17e2caede36f5b5b57b7071a64fdde Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 8 Oct 2021 18:04:55 +0200 -Subject: [PATCH 150/159] selftest/Samba3: remove unused close(USERMAP); calls +Subject: [PATCH 153/162] selftest/Samba3: remove unused close(USERMAP); calls BUG: https://bugzilla.samba.org/show_bug.cgi?id=14869 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881 @@ -17468,10 +17850,10 @@ 1 file changed, 4 deletions(-) diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm -index 4afcc47b82b..f781fe7bf57 100755 +index c15057fa80b..8679a48dd54 100755 --- a/selftest/target/Samba3.pm +++ b/selftest/target/Samba3.pm -@@ -771,7 +771,6 @@ sub provision_ad_member +@@ -733,7 +733,6 @@ sub provision_ad_member mkdir($_, 0777) foreach(@dirs); @@ -17479,7 +17861,7 @@ $ret->{DOMAIN} = $dcvars->{DOMAIN}; $ret->{REALM} = $dcvars->{REALM}; $ret->{DOMSID} = $dcvars->{DOMSID}; -@@ -920,7 +919,6 @@ sub setup_ad_member_rfc2307 +@@ -882,7 +881,6 @@ sub setup_ad_member_rfc2307 $ret or return undef; @@ -17487,7 +17869,7 @@ $ret->{DOMAIN} = $dcvars->{DOMAIN}; $ret->{REALM} = $dcvars->{REALM}; $ret->{DOMSID} = $dcvars->{DOMSID}; -@@ -1018,7 +1016,6 @@ sub setup_ad_member_idmap_rid +@@ -980,7 +978,6 @@ sub setup_ad_member_idmap_rid $ret or return undef; 
@@ -17495,7 +17877,7 @@ $ret->{DOMAIN} = $dcvars->{DOMAIN}; $ret->{REALM} = $dcvars->{REALM}; $ret->{DOMSID} = $dcvars->{DOMSID}; -@@ -1118,7 +1115,6 @@ sub setup_ad_member_idmap_ad +@@ -1078,7 +1075,6 @@ sub setup_ad_member_idmap_ad $ret or return undef; @@ -17507,10 +17889,10 @@ 2.25.1 -From 5ce5053e969781b90f328aec11ab1ff800d2cd34 Mon Sep 17 00:00:00 2001 +From ba314857e07dfac08adb15920f8d9debc63b40e2 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 5 Oct 2021 16:42:00 +0200 -Subject: [PATCH 151/159] selftest/Samba3: replace (winbindd => "yes", +Subject: [PATCH 154/162] selftest/Samba3: replace (winbindd => "yes", skip_wait => 1) with (winbindd => "offline") This is much more flexible and concentrates the logic in a single place. @@ -17528,10 +17910,10 @@ 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm -index f781fe7bf57..4ec95e237a7 100755 +index 8679a48dd54..8de5fe6a374 100755 --- a/selftest/target/Samba3.pm +++ b/selftest/target/Samba3.pm -@@ -827,7 +827,7 @@ sub provision_ad_member +@@ -789,7 +789,7 @@ sub provision_ad_member nmbd => "yes", winbindd => "yes", smbd => "yes")) { @@ -17540,7 +17922,7 @@ } $ret->{DC_SERVER} = $dcvars->{SERVER}; -@@ -1909,7 +1909,7 @@ sub check_or_start($$) { +@@ -1874,7 +1874,7 @@ sub check_or_start($$) { LOG_FILE => $env_vars->{WINBINDD_TEST_LOG}, PCAP_FILE => "env-$ENV{ENVNAME}-winbindd", }; @@ -17549,7 +17931,7 @@ $daemon_ctx->{SKIP_DAEMON} = 1; } -@@ -3131,13 +3131,17 @@ sub wait_for_start($$$$$) +@@ -3069,13 +3069,17 @@ sub wait_for_start($$$$$) } } @@ -17573,10 +17955,10 @@ 2.25.1 -From 2208433a58c2ab12fef297002d1b56b2da8f9438 Mon Sep 17 00:00:00 2001 +From 5123a9d724f44ebfeeab1124e7d3e51b0d92df42 Mon Sep 17 00:00:00 2001 
From: Joseph Sutton Date: Wed, 20 Oct 2021 12:39:05 +1300 -Subject: [PATCH 152/159] tests/krb5: Decrease length of test account prefix +Subject: [PATCH 155/162] tests/krb5: Decrease length of test account prefix This allows us more room to test with different account names. @@ -17607,10 +17989,10 @@ 2.25.1 -From 3865de6879342e283835bb3b7cf2d7b58e222b2d Mon Sep 17 00:00:00 2001 +From 8c3f47a4c95ab6cc6301088c19d35f9350addfe8 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Wed, 20 Oct 2021 12:41:39 +1300 -Subject: [PATCH 153/159] tests/krb5: Allow specifying prefix or suffix for +Subject: [PATCH 156/162] tests/krb5: Allow specifying prefix or suffix for test account names BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874 @@ -17660,10 +18042,10 @@ 2.25.1 -From 0585dd5f180220957717ff00918d92eb98c1af5a Mon Sep 17 00:00:00 2001 +From ecdca0b83792e263dd26179bff7dbf25c1733e1f Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Wed, 20 Oct 2021 12:44:19 +1300 -Subject: [PATCH 154/159] tests/krb5: Allow creating machine accounts without a +Subject: [PATCH 157/162] tests/krb5: Allow creating machine accounts without a trailing dollar BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874 @@ -17736,10 +18118,10 @@ 2.25.1 -From 4dfd80c056f615131382ea477d3050b299fb3c36 Mon Sep 17 00:00:00 2001 +From d5bea3beb6bbac7c3dcbb5d40a5d70cf096a4672 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Wed, 20 Oct 2021 12:45:08 +1300 -Subject: [PATCH 155/159] tests/krb5: Allow specifying the UPN for test +Subject: [PATCH 158/162] tests/krb5: Allow specifying the UPN for test accounts BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874 @@ -17818,10 +18200,10 @@ 2.25.1 -From d4cf26226873f9e38a36d2fa6cb6dd78442ff42d Mon Sep 17 00:00:00 2001 +From ee450c6d09822dbe109ec82ae22b83e5fd11c76c Mon Sep 17 00:00:00 2001 
From: Joseph Sutton Date: Wed, 20 Oct 2021 12:45:47 +1300 -Subject: [PATCH 156/159] tests/krb5: Fix account salt calculation to match +Subject: [PATCH 159/162] tests/krb5: Fix account salt calculation to match Windows BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874 @@ -17867,10 +18249,10 @@ 2.25.1 -From e96ddf186e906226b94be6077720192f17ae3a1c Mon Sep 17 00:00:00 2001 +From 6f125af9c21866c43553d03c4d36a240e1372fa3 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Wed, 20 Oct 2021 12:46:36 +1300 -Subject: [PATCH 157/159] tests/krb5: Add tests for account salt calculation +Subject: [PATCH 160/162] tests/krb5: Add tests for account salt calculation BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881 @@ -18254,10 +18636,10 @@ + import unittest + unittest.main() diff --git a/python/samba/tests/usage.py b/python/samba/tests/usage.py -index 0a9aac1f2cc..af118242a1b 100644 +index e1711b532d7..4b68a2b798c 100644 --- a/python/samba/tests/usage.py +++ b/python/samba/tests/usage.py -@@ -104,6 +104,7 @@ EXCLUDE_USAGE = { +@@ -103,6 +103,7 @@ EXCLUDE_USAGE = { 'python/samba/tests/krb5/as_req_tests.py', 'python/samba/tests/krb5/fast_tests.py', 'python/samba/tests/krb5/rodc_tests.py', @@ -18403,10 +18785,10 @@ # FAST tests # diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py -index c2a6256029f..c2175486aae 100755 +index 7aba1c6ce55..0703e5ceddf 100755 --- a/source4/selftest/tests.py +++ b/source4/selftest/tests.py -@@ -1429,6 +1429,14 @@ for env in ["fl2008r2dc", "fl2003dc"]: +@@ -1395,6 +1395,14 @@ for env in ["fl2008r2dc", "fl2003dc"]: 'TKT_SIG_SUPPORT': tkt_sig_support }) @@ -18425,10 +18807,10 @@ 2.25.1 -From bc7e3d0837d3f0c5910a5d16475410c1d3a2b989 Mon Sep 17 00:00:00 2001 +From ee07da2c75e5e467b3a480a6090c87e0e177c3ea Mon Sep 17 00:00:00 2001 
From: Andrew Bartlett Date: Tue, 19 Oct 2021 16:01:36 +1300 -Subject: [PATCH 158/159] dsdb: Allow special chars like "@" in samAccountName +Subject: [PATCH 161/162] dsdb: Allow special chars like "@" in samAccountName when generating the salt BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874 @@ -18451,10 +18833,10 @@ 6 files changed, 195 insertions(+), 66 deletions(-) diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c -index d7b1c430841..2338d9f114b 100644 +index 20e677e521a..61e55f7032d 100644 --- a/auth/credentials/credentials_krb5.c +++ b/auth/credentials/credentials_krb5.c -@@ -1200,12 +1200,12 @@ _PUBLIC_ int cli_credentials_get_keytab(struct cli_credentials *cred, +@@ -1199,12 +1199,12 @@ _PUBLIC_ int cli_credentials_get_keytab(struct cli_credentials *cred, break; } @@ -18770,10 +19152,10 @@ -^samba.tests.krb5.salt_tests.samba.tests.krb5.salt_tests.SaltTests.test_salt_double_at_user ^samba.tests.krb5.salt_tests.samba.tests.krb5.salt_tests.SaltTests.test_salt_upn_at_realm_user diff --git a/source3/passdb/machine_account_secrets.c b/source3/passdb/machine_account_secrets.c -index d81f79c705b..1964eb5a448 100644 +index 5cda8f065c4..7c103d0a6e4 100644 --- a/source3/passdb/machine_account_secrets.c +++ b/source3/passdb/machine_account_secrets.c -@@ -1574,11 +1574,11 @@ NTSTATUS secrets_store_JoinCtx(const struct libnet_JoinCtx *r) +@@ -1573,11 +1573,11 @@ NTSTATUS secrets_store_JoinCtx(const struct libnet_JoinCtx *r) if (info->salt_principal == NULL && r->out.domain_is_ad) { char *p = NULL; @@ -18791,10 +19173,10 @@ status = krb5_to_nt_status(ret); DBG_ERR("smb_krb5_salt_principal() failed " diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c -index 5bdd23c13e9..9f38a31c8dd 100644 +index bfdfa51595a..82d9e8ebd2e 100644 --- a/source4/dsdb/samdb/ldb_modules/password_hash.c 
+++ b/source4/dsdb/samdb/ldb_modules/password_hash.c -@@ -688,8 +688,8 @@ static int setup_kerberos_keys(struct setup_password_fields_io *io) +@@ -685,8 +685,8 @@ static int setup_kerberos_keys(struct setup_password_fields_io *io) { struct ldb_context *ldb; krb5_error_code krb5_ret; @@ -18805,7 +19187,7 @@ krb5_data salt; krb5_keyblock key; krb5_data cleartext_data; -@@ -700,11 +700,11 @@ static int setup_kerberos_keys(struct setup_password_fields_io *io) +@@ -697,11 +697,11 @@ static int setup_kerberos_keys(struct setup_password_fields_io *io) cleartext_data.length = io->n.cleartext_utf8->length; uac_flags = io->u.userAccountControl & UF_ACCOUNT_TYPE_MASK; @@ -18819,7 +19201,7 @@ &salt_principal); if (krb5_ret) { ldb_asprintf_errstring(ldb, -@@ -718,8 +718,10 @@ static int setup_kerberos_keys(struct setup_password_fields_io *io) +@@ -715,8 +715,10 @@ static int setup_kerberos_keys(struct setup_password_fields_io *io) /* * create salt from salt_principal */ @@ -18832,7 +19214,7 @@ if (krb5_ret) { ldb_asprintf_errstring(ldb, "setup_kerberos_keys: " -@@ -728,12 +730,17 @@ static int setup_kerberos_keys(struct setup_password_fields_io *io) +@@ -725,12 +727,17 @@ static int setup_kerberos_keys(struct setup_password_fields_io *io) krb5_ret, io->ac)); return LDB_ERR_OPERATIONS_ERROR; } @@ -18856,10 +19238,10 @@ 2.25.1 -From f3eeec100f16186fed7cb7a226ac6a5be2475de2 Mon Sep 17 00:00:00 2001 +From 63558be187c5aad165785fd2937271e3bd065026 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 22 Oct 2021 10:50:36 +1300 -Subject: [PATCH 159/159] lib/krb5_wrap: Fix missing error check in new salt +Subject: [PATCH 162/162] lib/krb5_wrap: Fix missing error check in new salt code CID 1492905: Control flow issues (DEADCODE)