path: root/python
Commit message | Author | Age | Files | Lines
* python:tests: Avoid exceptions in cleanup code if a test fails in smb3unix.py
  Author: Andreas Schneider | Age: 2023-02-10 | Files: 1 | Lines: -5/+7

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15301
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  (cherry picked from commit e6f0e4d53285177f7a60559394efeb5a78b6bd53)
* s4-dsdb: Add tests of SamDB.get_nc_root()
  Author: Andrew Bartlett | Age: 2023-02-01 | Files: 1 | Lines: -0/+122

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=10635
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  (cherry picked from commit 2c7bb58703c1fa26782ac6959ea7d81fccf3905c)
* samba-tool domain: fix a typo in samba-tool passwordsettings option description
  Author: Björn Baumbach | Age: 2023-01-17 | Files: 1 | Lines: -1/+1

  Signed-off-by: Björn Baumbach <bb@sernet.de>
  Reviewed-by: Ralph Boehme <slow@samba.org>
* tests/krb5: Use Python bindings for LZ77+Huffman compression
  Author: Joseph Sutton | Age: 2023-01-10 | Files: 2 | Lines: -132/+3

  We can now remove our existing decompression implementation in Python.

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Tue Jan 10 21:18:01 UTC 2023 on sn-devel-184
* python:tests: Use system ldbsearch if we built against system libldb
  Author: Andreas Schneider | Age: 2022-12-23 | Files: 1 | Lines: -6/+10

  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* python:tests: Use system ldbdump if we build with system ldb
  Author: Andreas Schneider | Age: 2022-12-23 | Files: 1 | Lines: -1/+5

  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* python:tests: Use system ldbsearch if we build with system libldb
  Author: Andreas Schneider | Age: 2022-12-23 | Files: 1 | Lines: -1/+4

  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* lib/compression: add simple python bindings
  Author: Douglas Bagnall | Age: 2022-12-22 | Files: 1 | Lines: -0/+212

  There are four functions, allowing compression and decompression in
  the two formats we support so far. The functions will accept bytes or
  unicode strings which are treated as utf-8.

  The LZ77+Huffman decompression algorithm requires an exact target
  length to decompress, so this is mandatory.

  The plain decompression algorithm does not need an exact length, but
  you can provide one to help it know how much space to allocate. As
  currently written, you can provide a short length and it will often
  succeed in decompressing to a different shorter string.

  These bindings are intended to make ad-hoc investigation easier, not
  for production use. This is reflected in the guesses about output size
  that plain_decompress() makes if you don't supply one -- either they
  are stupidly wasteful or ridiculously insufficient, depending on
  whether or not you were trying to decompress a 20MB string.

      >>> a = '12345678'
      >>> import compression
      >>> b = compression.huffman_compress(a)
      >>> b
      b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 #....
      >>> len(b)
      262
      >>> c = compression.huffman_decompress(b, len(a))
      >>> c
      b'12345678'         # note, c is bytes, a is str
      >>> a
      '12345678'
      >>> d = compression.plain_compress(a)
      >>> d
      b'\xff\xff\xff\x0012345678'
      >>> compression.plain_decompress(d)  # no size specified, guesses
      b'12345678'
      >>> compression.plain_decompress(d,5)
      b'12345'
      >>> compression.plain_decompress(d,0)  # 0 for auto
      b'12345678'
      >>> compression.plain_decompress(d,1)
      b'1'
      >>> compression.plain_decompress(a,444)
      Traceback (most recent call last):
      compression.CompressionError: unable to decompress data into a buffer of 444 bytes.
      >>> compression.plain_decompress(b,444)
      b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 #...

  That last one decompresses the Huffman compressed file with the plain
  compressor; pretty much any string is valid for plain decompression.

  Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* gp: Don't hide managed/recommended directories
  Author: David Mulder | Age: 2022-12-21 | Files: 1 | Lines: -14/+14

  Making these variables hidden prevents the parent class
  gp_chromium_ext from reading them when subclassed in gp_chrome_ext.
  This caused the chrome policies to be installed in the chromium
  directories.

  Signed-off-by: David Mulder <dmulder@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Wed Dec 21 03:05:46 UTC 2022 on sn-devel-184
* gp: Ensure rsop is tested for every CSE
  Author: David Mulder | Age: 2022-12-21 | Files: 1 | Lines: -4/+101

  A bug cropped up in the rsop that was causing a crash because this
  wasn't being tested.

  Signed-off-by: David Mulder <dmulder@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* gp: Fix rsop when final value isn't a str
  Author: David Mulder | Age: 2022-12-21 | Files: 1 | Lines: -1/+6

  The output must be a string value, or it will crash. Chromium
  policies output integers, which was causing the parser to crash.

  Signed-off-by: David Mulder <dmulder@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* gp: Enable gpupdate output when testing
  Author: David Mulder | Age: 2022-12-21 | Files: 1 | Lines: -0/+1

  Signed-off-by: David Mulder <dmulder@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* gp: Ensure policy changes don't leave files behind
  Author: David Mulder | Age: 2022-12-21 | Files: 1 | Lines: -3/+30

  This test exercises the gp_file_applier and ensures that when a policy
  is modified, no old policy is left behind.

  Signed-off-by: David Mulder <dmulder@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* gp: Re-create files if manually removed
  Author: David Mulder | Age: 2022-12-21 | Files: 1 | Lines: -1/+2

  Signed-off-by: David Mulder <dmulder@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* gp: Test that files are re-created if manually removed
  Author: David Mulder | Age: 2022-12-21 | Files: 1 | Lines: -2/+12

  Currently applied files which are manually removed do not get
  re-applied.

  Signed-off-by: David Mulder <dmulder@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* gp: Modify Chromium CSE to use new files applier
  Author: David Mulder | Age: 2022-12-21 | Files: 2 | Lines: -2170/+68

  Signed-off-by: David Mulder <dmulder@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* gp: Modify Cert Auto Enroll CSE to use new applier
  Author: David Mulder | Age: 2022-12-21 | Files: 1 | Lines: -41/+73

  Signed-off-by: David Mulder <dmulder@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* gp: Modify Centrify Crontab compatible CSE to use new files applier
  Author: David Mulder | Age: 2022-12-21 | Files: 1 | Lines: -17/+21

  Signed-off-by: David Mulder <dmulder@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* gp: Modify Startup Scripts CSE to use new files applier
  Author: David Mulder | Age: 2022-12-21 | Files: 1 | Lines: -24/+29

  Signed-off-by: David Mulder <dmulder@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* gp: Modify GNOME Settings CSE to use new files applier
  Author: David Mulder | Age: 2022-12-21 | Files: 1 | Lines: -106/+70

  Signed-off-by: David Mulder <dmulder@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* gp: Modify Machine Scripts CSE to use new files applier
  Author: David Mulder | Age: 2022-12-21 | Files: 2 | Lines: -22/+33

  Signed-off-by: David Mulder <dmulder@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* gp: Modify Files CSE to use new files applier
  Author: David Mulder | Age: 2022-12-21 | Files: 1 | Lines: -26/+28

  Signed-off-by: David Mulder <dmulder@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* gp: Modify Sudoers CSEs to use new files applier
  Author: David Mulder | Age: 2022-12-21 | Files: 3 | Lines: -102/+69

  Signed-off-by: David Mulder <dmulder@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* gp: Modify OpenSSH CSE to use new files applier
  Author: David Mulder | Age: 2022-12-21 | Files: 1 | Lines: -23/+25

  Signed-off-by: David Mulder <dmulder@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* gp: Modify PAM Access CSE to use new files applier
  Author: David Mulder | Age: 2022-12-21 | Files: 1 | Lines: -25/+23

  Signed-off-by: David Mulder <dmulder@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* gp: Modify Symlink CSE to use new files applier
  Author: David Mulder | Age: 2022-12-21 | Files: 1 | Lines: -13/+15

  Signed-off-by: David Mulder <dmulder@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* gp: Implement appliers for monitoring policy changes
  Author: David Mulder | Age: 2022-12-21 | Files: 1 | Lines: -0/+204

  This is currently a significant drawback of Samba Group Policy. CSEs
  MUST be aware of policy changes such as modification, removal, etc.
  This is a complex process, and is easy to mess up. Here I add
  'appliers' (the first being for files), which handle the complexity
  transparently to ensure this is done correctly.

  Signed-off-by: David Mulder <dmulder@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* tests: add a Python test for case insensitive access
  Author: Ralph Boehme | Age: 2022-12-20 | Files: 1 | Lines: -0/+52

  Signed-off-by: Ralph Boehme <slow@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Tue Dec 20 01:32:07 UTC 2022 on sn-devel-184
* tests: Show that in smb1 posix we don't treat dirs as case sensitive
  Author: Volker Lendecke | Age: 2022-12-15 | Files: 1 | Lines: -0/+52

  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
* gp: Fix GNOME Settings writing unreadable user profile
  Author: David Mulder | Age: 2022-12-14 | Files: 1 | Lines: -0/+1

  This file must be readable by all users, otherwise the policy doesn't
  get read or applied.

  Signed-off-by: David Mulder <dmulder@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* gp: Fix Firewalld RSoP output skipping Zones
  Author: David Mulder | Age: 2022-12-14 | Files: 1 | Lines: -1/+3

  Signed-off-by: David Mulder <dmulder@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* CVE-2022-37966 python:/tests/krb5: call sys.path.insert(0, "bin/python") before any other imports
  Author: Stefan Metzmacher | Age: 2022-12-13 | Files: 22 | Lines: -73/+82

  This allows the tests to be executed without an explicit
  PYTHONPATH="bin/python".

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
  Autobuild-Date(master): Tue Dec 13 14:06:14 UTC 2022 on sn-devel-184
* CVE-2022-37966 samba-tool: add 'domain trust modify' command
  Author: Stefan Metzmacher | Age: 2022-12-13 | Files: 1 | Lines: -0/+121

  For now it only allows the admin to modify the
  msDS-SupportedEncryptionTypes values.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
* CVE-2022-37966 param: let "kdc default domain supportedenctypes = 0" mean the default
  Author: Stefan Metzmacher | Age: 2022-12-13 | Files: 2 | Lines: -1/+7

  In order to allow better upgrades we need the default value for
  smb.conf to be the same even if the effective default value of the
  software changes in future.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* CVE-2022-37966 python:tests/krb5: test much more etype combinations
  Author: Stefan Metzmacher | Age: 2022-12-13 | Files: 1 | Lines: -14/+139

  These tests work out the difference between
  - msDS-SupportedEncryptionTypes value or its default
  - software defined extra flags for DC accounts
  - accounts with only an nt hash being stored
  - the resulting value in the KRB5_PADATA_SUPPORTED_ETYPES announcement

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13135
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* CVE-2022-37966 python:tests/krb5: add better PADATA_SUPPORTED_ETYPES assert message
  Author: Stefan Metzmacher | Age: 2022-12-13 | Files: 1 | Lines: -2/+2

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* CVE-2022-37966 python:tests/krb5: add 'force_nt4_hash' for account creation of KDCBaseTest
  Author: Stefan Metzmacher | Age: 2022-12-13 | Files: 1 | Lines: -6/+32

  This will allow us to create test accounts with only an nt4 hash
  stored, without any aes keys.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* CVE-2022-37966 python:tests/krb5: ignore empty supplementalCredentials attributes
  Author: Stefan Metzmacher | Age: 2022-12-13 | Files: 1 | Lines: -0/+2

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* CVE-2022-37966 python:tests/krb5: allow ticket/supported_etypes to be passed KdcTgsBaseTests._{as,tgs}_req()
  Author: Stefan Metzmacher | Age: 2022-12-13 | Files: 1 | Lines: -3/+8

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* CVE-2022-37966 python:tests/krb5: fix some tests running against Windows 2022
  Author: Stefan Metzmacher | Age: 2022-12-13 | Files: 3 | Lines: -7/+39

  I'm using the following options:

      SERVER=172.31.9.218 DC_SERVER=w2022-118.w2022-l7.base \
      SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 \
      DOMAIN=W2022-L7 REALM=W2022-L7.BASE \
      ADMIN_USERNAME=Administrator ADMIN_PASSWORD=A1b2C3d4 \
      CLIENT_USERNAME=Administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=28 CLIENT_KVNO=2 \
      FULL_SIG_SUPPORT=1 TKT_SIG_SUPPORT=1 FORCED_RC4=1

  in order to run these:

      python/samba/tests/krb5/as_req_tests.py -v --failfast AsReqKerberosTests
      python/samba/tests/krb5/etype_tests.py -v --failfast EtypeTests

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* CVE-2022-37966 selftest: Run S4U tests against FL2003 DC
  Author: Joseph Sutton | Age: 2022-12-13 | Files: 1 | Lines: -4/+57

  This shows that changes around RC4 encryption types do not break older
  functional levels where only RC4 keys are available.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* CVE-2022-37966 selftest: Add tests for Kerberos session key behaviour since ENC_HMAC_SHA1_96_AES256_SK was added
  Author: Joseph Sutton | Age: 2022-12-13 | Files: 7 | Lines: -134/+429

  ENC_HMAC_SHA1_96_AES256_SK is a flag introduced by Microsoft in this
  CVE to indicate that additionally, AES session keys are available.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* CVE-2022-37966 tests/krb5: Test different preauth etypes with Protected Users group
  Author: Joseph Sutton | Age: 2022-12-13 | Files: 1 | Lines: -9/+38

  Extend the RC4 Protected Users tests to use different preauth etypes.
  This helps test the nuances of the new expected behaviour and allows
  the tests to continue passing.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* CVE-2022-37966 samba-tool: Declare explicitly RC4 support of trust objects
  Author: Joseph Sutton | Age: 2022-12-13 | Files: 1 | Lines: -2/+5

  As we will assume, as part of the fixes for CVE-2022-37966, that trust
  objects with no msDS-SupportedEncryptionTypes attribute support AES
  keys, RC4 support must now be explicitly indicated.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* CVE-2022-37966 samba-tool: Fix 'domain trust create' documentation
  Author: Joseph Sutton | Age: 2022-12-13 | Files: 1 | Lines: -1/+1

  This option does the opposite of what the documentation claims.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* CVE-2022-37967 Add new PAC checksum
  Author: Joseph Sutton | Age: 2022-12-13 | Files: 6 | Lines: -17/+215

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15231
  Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* CVE-2022-37966 tests/krb5: Add a test requesting tickets with various encryption types
  Author: Joseph Sutton | Age: 2022-12-13 | Files: 3 | Lines: -0/+363

  The KDC should leave the choice of ticket encryption type up to the
  target service, and admit no influence from the client.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* CVE-2022-37966 tests/krb5: Add 'etypes' parameter to _tgs_req()
  Author: Joseph Sutton | Age: 2022-12-13 | Files: 1 | Lines: -1/+3

  This lets us select the encryption types we claim to support in the
  request body.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* CVE-2022-37966 tests/krb5: Split out _tgs_req() into base class
  Author: Joseph Sutton | Age: 2022-12-13 | Files: 1 | Lines: -131/+133

  We will use it for testing our handling of encryption types.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* CVE-2022-37966 selftest: Allow krb5 tests to run against an IP by using the target_hostname binding string
  Author: Andrew Bartlett | Age: 2022-12-13 | Files: 2 | Lines: -3/+12

  This makes it easier to test against a server that is not accessible
  via DNS.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>