path: root/libcli
Commit message | Author | Age | Files | Lines
* libcli: Add missing include | Joseph Sutton | 2023-05-18 | 1 | -0/+2

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth: Return status code if configuration prohibits NTLM | Joseph Sutton | 2023-05-16 | 2 | -0/+9

  Currently, we rely on ‘stored_nt’ being NULL to give an NT_STATUS_WRONG_PASSWORD error.

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* rpc_server3: Pass winbind_env_set() state through to rpcd_* | Volker Lendecke | 2023-05-16 | 1 | -0/+1

  Winbind can ask rpcd_lsad for LookupNames etc. This can recurse back into
  winbind for getpwnam. We have the "_NO_WINBINDD" environment variable set
  in winbind itself for this case, but this is lost on the way into rpcd_lsad.

  Use a flag in global_sid_Samba_NPA_Flags to pass this information to
  dcerpc_core, where it sets the variable on every call if requested.

  Bug: https://bugzilla.samba.org/show_bug.cgi?id=15361

  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>

  Autobuild-User(master): Volker Lendecke <vl@samba.org>
  Autobuild-Date(master): Tue May 16 11:54:32 UTC 2023 on atb-devel-224
* rpc: Remove named_pipe_auth_req_info6->need_idle_server | Volker Lendecke | 2023-05-16 | 2 | -67/+81

  Involves bumping up the version number

  Bug: https://bugzilla.samba.org/show_bug.cgi?id=15361

  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* rpc: Add global_sid_Samba_NPA_Flags SID | Volker Lendecke | 2023-05-16 | 2 | -0/+10

  This will be used as a flexible way to pass per-RPC-connection flags over
  ncalrpc to the RPC server without having to modify named_pipe_auth_req_info6
  every time something new needs to be passed. It's modeled after
  global_sid_Samba_SMB3.

  Bug: https://bugzilla.samba.org/show_bug.cgi?id=15361

  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* libcli: Add security_token_count_flag_sids() | Volker Lendecke | 2023-05-16 | 2 | -0/+46

  To be used in a few places when checking special-case Samba SIDs.

  Bug: https://bugzilla.samba.org/show_bug.cgi?id=15361

  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* lib/http: Remove unused structure | Joseph Sutton | 2023-05-05 | 1 | -1/+0

  This is just a typo of ‘struct loadparm_context’.

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* libcli/security/tests: test strings for windows and samba SDDL tests | Douglas Bagnall | 2023-04-28 | 6 | -0/+144

  These are produced by editing `python/samba/test/sddl.py` to enable
  `test_write_test_strings`, then running `make test TESTS='sddl\\b'`.

  The windows executable from the C file added in a recent commit can run
  these tests using the `-i` flag.

  The Samba sddl.py tests can be induced to use them too, but that is only
  useful for showing they are still in sync.

  Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s3/utils: when encoding ace string use "FA", "FR", "FW", "FX" string rights | Noel Power | 2023-04-28 | 1 | -2/+22

  Prior to this patch rights matching "FA", "FR", "FW", "FX" were outputted
  as the hex string representing the bit value. While outputting the hex
  string is perfectly fine, it makes it harder to compare icacls output
  (which always uses the special string values).

  Additionally adjust various tests to deal with use of shortcut access
  masks as sddl format now uses FA, FR, FW & FX strings (like icacls does)
  instead of hex representation of the bit mask.

  Adjust
    samba4.blackbox.samba-tool_ntacl
    samba3.blackbox.large_acl
    samba.tests.samba_tool.ntacl
    samba.tests.ntacls
    samba.tests.posixacl
  so various string comparisons of the sddl format now pass.

  Signed-off-by: Noel Power <noel.power@suse.com>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

  [abartlet@samba.org Adapted to new stricter SDDL behaviour around leading
   zeros in hex numbers, eg 0x001]
* s3/utils: value for ace_flags value "FA" is incorrect | Noel Power | 2023-04-28 | 1 | -1/+1

  value for FA should be 0x001f01ff (instead of 0x00001ff)

  Signed-off-by: Noel Power <noel.power@suse.com>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* libcli:security:sddl: accept only 8-4-4-4-12 GUIDs | Douglas Bagnall | 2023-04-28 | 1 | -6/+17

  Before we would take strings in a variety of lengths and formats, which
  is not what Windows does or [MS-DTYP] says.

  This was found by looking at evolved fuzz seeds. Note the 16 and 32 byte
  sequences in GUID position below:

  $ hd $(ls -t seeds/fuzz_sddl_parse/* | head -1)| head
  00000000  44 3a 41 52 50 50 50 50  50 28 4f 4c 3b 3b 46 57  |D:ARPPPPP(OL;;FW|
  00000010  3b 30 7e ff ff ff ff ff  ff ff 2d 31 38 f5 ff ff  |;0~.......-18...|
  00000020  fb 3b 3b 52 43 29 28 4f  44 3b 3b 46 57 3b 3b 3b  |.;;RC)(OD;;FW;;;|
  00000030  52 43 29 28 4f 44 3b 3b  46 57 3b 30 30 ff ff ff  |RC)(OD;;FW;00...|
  00000040  fb 30 e9 9b 3c cf e6 f5  ff ff fb 3b 3b 52 43 29  |.0..<......;;RC)|
  00000050  28 4f 44 3b 3b 46 57 43  52 3b 3b 3b 52 43 29 28  |(OD;;FWCR;;;RC)(|
  00000060  4f 44 3b 3b 46 58 47 52  3b 3b 33 43 43 35 38 37  |OD;;FXGR;;3CC587|
  00000070  32 35 44 44 44 44 44 44  44 44 44 44 44 44 44 44  |25DDDDDDDDDDDDDD|
  00000080  44 44 44 44 44 44 44 44  44 44 3b 52 43 29 28 4f  |DDDDDDDDDD;RC)(O|
  00000090  44 3b 3b 46 58 3b 3b 3b  52 43 29 28 4f 44 3b 3b  |D;;FX;;;RC)(OD;;|

  Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* libcli:security:sddl_decode_access allows spaces between flags | Douglas Bagnall | 2023-04-28 | 1 | -2/+14

  because Windows does.

  Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* libcli:security: sddl_decode_ace: don't allow junk after SID | Douglas Bagnall | 2023-04-28 | 1 | -1/+3

  sddl_decode_sid() will stop at the first non-SID character. Windows
  doesn't allow white space here, and nor do we.

  Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* libcli/security: sddl_decode_access rejects trailing rubbish | Douglas Bagnall | 2023-04-28 | 1 | -2/+9

  Before we just ignored things like negative numbers, because they'd end
  up being seen as not-numbers, so treated as flags, then as not-flags.

  Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* libcli:security: sddl_map_flags rejects trailing nonsense | Douglas Bagnall | 2023-04-28 | 1 | -7/+15

  Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* libcli/security: SDDL parse tests to run on Windows | Douglas Bagnall | 2023-04-28 | 2 | -0/+599

  The C version tests the public SDDL API on Windows which seems to follow
  Active Directory closely, though case in hex numbers is reversed vis-a-vis
  defaultSecurityDescriptor.

  The python version is less refined and tests powershell functions.

  Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* libcli/security: do not pad sddl flags with zeros | Douglas Bagnall | 2023-04-28 | 1 | -1/+1

  We don't see this happening on Windows.

  Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* libcli/security: ace type is not enum not flags | Douglas Bagnall | 2023-04-28 | 1 | -1/+9

  Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* libcli/security: disallow sddl access masks greater than 32 bits | Douglas Bagnall | 2023-04-28 | 1 | -4/+27

  Our previous behaviour (at least with glibc) was to clip off the extra
  bits, so that 0x123456789 would become 0x23456789. That's kind of the
  obvious thing, but is not what Windows does, which is to saturate the
  value, rounding to 0xffffffff. The effect of this is to turn on all the
  flags, which is quite possibly not what you meant.

  Now we just return an error.

  Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* libcli/security: allow decimal/octal numbers in SDDL access mask | Douglas Bagnall | 2023-04-28 | 1 | -5/+17

  This follows Windows and [MS-DTYP].

  Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* lib/sec/sddl: allow empty non-trailing ACL with flags | Douglas Bagnall | 2023-04-28 | 1 | -4/+9

  The string "S:D:P" is parsed by us and Windows into a valid struct, which
  has an empty DACL with the PROTECTED flag, and an empty SACL. This is
  reconstructed in canonical order as "D:PS:", which Windows will correctly
  parse, but Samba has assumed the "S" is a bad DACL flag.

  Now we don't make that assumption.

  Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* libcli/sec/sddl decode: allow hex numbers in SIDs | Douglas Bagnall | 2023-04-28 | 1 | -8/+39

  These occur canonically when the identifier authority is > 2^32, but also
  are accepted by Windows for any number.

  There is a tricky case with an "O:" or "G:" SID that is immediately
  followed by a "D:" dacl, because the "D" looks like a hex digit. When we
  detect this we need to subtract one from the length.

  We also need to look out for trailing garbage. This was not an issue
  before because any string caught by the strspn(..., "-0123456789") would
  be either rejected or fully consumed by dom_sid_parse_talloc(), but with
  hex digits, a string like "S-1-1-2x0xabcxxx-X" would be successfully
  parsed as "S-1-1-2", and the "x0xabcxxx-X" would be skipped over. That's
  why we switch to using dom_sid_parse_endp(), so we can compare the
  consumed length to the expected length.

  Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* libcli/sec/sddl decode: don't ignore random junk. | Douglas Bagnall | 2023-04-28 | 1 | -0/+2

  Previously a string could have anything in it, so long as every second
  character was ':'.

  Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* libcli/security/dom_sid: use (unsigned char) in isdigit() | Douglas Bagnall | 2023-04-28 | 1 | -3/+3

  The man page notes:

      The standards require that the argument c for these functions is
      either EOF or a value that is representable in the type unsigned
      char. If the argument c is of type char, it must be cast to unsigned
      char, as in the following example:

  Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* libcli/security/dom_sid: hex but not octal is OK for sub-auth | Douglas Bagnall | 2023-04-28 | 1 | -2/+9

  Following Windows, the numbers that would be octal (e.g. "0123") are
  converted to decimal by skipping over the zeros.

  Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* libcli/security: avoid overflow in subauths | Douglas Bagnall | 2023-04-28 | 1 | -1/+9

  Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* libcli/security: stricter identauth parsing | Douglas Bagnall | 2023-04-28 | 1 | -4/+19

  We don't want octal numbers or overflows.

  Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* libcli/security: avoid overflow in revision number | Douglas Bagnall | 2023-04-28 | 1 | -1/+1

  Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* libcli/security/dom_sid: remove a couple of lost comments | Douglas Bagnall | 2023-04-28 | 1 | -2/+0

  The second one came with code obsoleting the "BIG NOTE" about 10 years
  ago, but that code later wandered off somewhere else.

  Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* libcli:smb: Fix code spelling | Andreas Schneider | 2023-04-27 | 9 | -25/+25

  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Volker Lendecke <vl@samba.org>

  Autobuild-User(master): Volker Lendecke <vl@samba.org>
  Autobuild-Date(master): Thu Apr 27 15:27:21 UTC 2023 on atb-devel-224
* libcli:security: Fix code spelling | Andreas Schneider | 2023-04-27 | 8 | -9/+9

  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Volker Lendecke <vl@samba.org>
* libcli:ldap: Fix code spelling | Andreas Schneider | 2023-04-27 | 1 | -2/+2

  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Volker Lendecke <vl@samba.org>
* libcli:drsuapi: Fix code spelling | Andreas Schneider | 2023-04-27 | 1 | -2/+2

  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Volker Lendecke <vl@samba.org>
* libcli:auth: Fix code spelling | Andreas Schneider | 2023-04-27 | 5 | -9/+9

  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Volker Lendecke <vl@samba.org>
* libsmb: Return [MS-SMB2] 2.2.14 SMB2 CREATE Response flags field | Volker Lendecke | 2023-04-18 | 2 | -0/+2

  Not used yet, mostly for completeness.

  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* CVE-2023-0614 libcli/security: Make some parameters const | Joseph Sutton | 2023-04-05 | 2 | -6/+6

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* libcli/security: Add dom_sid_has_account_domain() to confirm a S-1-5-21 prefix | Joseph Sutton | 2023-03-31 | 2 | -0/+38

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s3: libcli: Refuse to connect to any server with zero values for max_trans_size, max_read_size, max_write_size. | Jeremy Allison | 2023-03-29 | 1 | -0/+11

  There's nothing we can do to such a server (this now matches the behavior
  for SMB1).

  Remove knownfail.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15306

  Signed-off-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>

  Autobuild-User(master): Ralph Böhme <slow@samba.org>
  Autobuild-Date(master): Wed Mar 29 18:58:33 UTC 2023 on atb-devel-224
* libcli/security: rewrite calculate_inherited_from_parent() | Stefan Metzmacher | 2023-03-22 | 1 | -55/+192

  This allows us to pass the new tests we just added.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15338

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* libcli/security: Correctly handle ACL deletion | Joseph Sutton | 2023-03-22 | 1 | -0/+1

  If there were two consecutive occurrences of an ACL to be deleted, we
  would miss the second one.

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* libcli/security: add security_descriptor_[s|d]acl_insert() helpers | Stefan Metzmacher | 2023-03-22 | 2 | -0/+34

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* libcli/security: prepare security_descriptor_acl_add() to place the ace at a position | Stefan Metzmacher | 2023-03-22 | 1 | -7/+20

  Often it is important to insert an ace at a specific position in the ACL.
  As a default we still append by default by using -1, which is the generic
  version of passing the number of existing aces.

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* libcli/security: Reorder SDDL access flags table to match Windows | Joseph Sutton | 2023-03-21 | 1 | -9/+9

  This means that encoding an ACE in string form will now match Windows.

  Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Signed-off-by: Stefan Metzmacher <metze@samba.org>

  Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
  Autobuild-Date(master): Tue Mar 21 01:19:16 UTC 2023 on atb-devel-224
* libcli/security: prepare sddl machine/forest_sid handling | Stefan Metzmacher | 2023-03-20 | 1 | -21/+66

  In future we need to pass in 3 sids to sddl_encode()

  Once we pass in a machine_sid from the caller we need to have a test on a
  Windows member if the .machine_rid values really belong to the local
  machine sid.

  At least [MS-DTYP] 2.4.2.4 Well-Known SID Structures pretends "LA" and
  "LG" are relative to the local machine sid.

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

  Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
  Autobuild-Date(master): Mon Mar 20 10:53:41 UTC 2023 on atb-devel-224
* libcli/security: simplify sddl_encode_sid() | Stefan Metzmacher | 2023-03-20 | 1 | -20/+24

  We should walk the sid_codes array just once.

  This makes further changes easier...

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
* libcli/security: simplify rid-based SDDL sid strings | Stefan Metzmacher | 2023-03-20 | 1 | -17/+17

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
* libcli/security: introduce struct sddl_transition_state | Stefan Metzmacher | 2023-03-20 | 1 | -21/+40

  In future we'll need more than 'domain_sid' in order to do the correct
  transition of SDDL to/from security_descriptor.

  In the end we most likely add an sddl_transition_{create,encode,decode}()
  api in order to allow the caller to create an sddl_transition_state once
  and then pass it to multiple calls to encode/decode.

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
* libcli: Shrink .data segment by 43264 bytes | Volker Lendecke | 2023-03-09 | 1 | -7/+4

  A case statement only references const strings, pointers in an array
  need to be relocated at exec() time.

  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* libcli: Shrink .data segment by 43264 bytes | Volker Lendecke | 2023-03-09 | 2 | -8/+6

  A case statement only references const strings, pointers in an array
  need to be relocated at exec() time.

  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* build: Fix a long line | Volker Lendecke | 2023-03-09 | 1 | -1/+5

  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>