samba.git/source4/setup, branch talloc-2.4.2 Unnamed repository; edit this file 'description' to name the repository. CVE-2018-14628: s4:setup: set the correct nTSecurityDescriptor on the CN=Deleted Objects container 2023-10-16T14:39:33+00:00 Stefan Metzmacher metze@samba.org 2016-01-29T22:34:15+00:00 7f8b15faa76d05023c987fac2c4c31f9ac61bb47 This revealed a bug in our dirsync code, so we mark test_search_with_dirsync_deleted_objects as knownfail. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
This revealed a bug in our dirsync code, so we mark
test_search_with_dirsync_deleted_objects as knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
s4:setup: Fix script usage line 2023-09-14T21:35:29+00:00 Joseph Sutton josephsutton@catalyst.net.nz 2023-09-05T04:21:50+00:00 2ff2d9bfa15d7c9ab7d96e34a868bf74f1e37deb Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
s4:setup: Fix code spelling 2023-08-14T21:45:29+00:00 Andreas Schneider asn@samba.org 2023-08-03T13:34:24+00:00 5a0201e8b482245748a9bd3af67777dd1bdb0a20 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
s4:provision: use better values for operatingSystem[Version] 2023-07-19T03:31:30+00:00 Stefan Metzmacher metze@samba.org 2015-07-22T10:44:32+00:00 3ed1ba6feddbf7ccaddf49319344787bd7506780 Some clients (e.g. an exchange server) check operatingSystemVersion in order to check if a domain controller is new enough. So we better use a value matching the dc functional level. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Some clients (e.g. an exchange server) check operatingSystemVersion
in order to check if a domain controller is new enough.

So we better use a value matching the dc functional level.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
CVE-2023-0614 ldb: Prevent disclosure of confidential attributes 2023-04-05T02:10:35+00:00 Joseph Sutton josephsutton@catalyst.net.nz 2023-03-03T04:34:29+00:00 d5d0e71279790fdcf7e72749210b42b2faaa53f7 Add a hook, acl_redact_msg_for_filter(), in the aclread module, that marks inaccessible any message elements used by an LDAP search filter that the user has no right to access. Make the various ldb_match_*() functions check whether message elements are accessible, and refuse to match any that are not. Remaining message elements, not mentioned in the search filter, are checked in aclread_callback(), and any inaccessible elements are removed at this point. Certain attributes, namely objectClass, distinguishedName, name, and objectGUID, are always present, and hence the presence of said attributes is always allowed to be checked in a search filter. This corresponds with the behaviour of Windows. Further, we unconditionally allow the attributes isDeleted and isRecycled in a check for presence or equality. Windows is not known to make this special exception, but it seems mostly harmless, and should mitigate the performance impact on searches made by the show_deleted module. As a result of all these changes, our behaviour regarding confidential attributes happens to match Windows more closely. For the test in confidential_attr.py, we can now model our attribute handling with DC_MODE_RETURN_ALL, which corresponds to the behaviour exhibited by Windows. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270 Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org> Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Add a hook, acl_redact_msg_for_filter(), in the aclread module, that
marks inaccessible any message elements used by an LDAP search filter
that the user has no right to access. Make the various ldb_match_*()
functions check whether message elements are accessible, and refuse to
match any that are not. Remaining message elements, not mentioned in the
search filter, are checked in aclread_callback(), and any inaccessible
elements are removed at this point.

Certain attributes, namely objectClass, distinguishedName, name, and
objectGUID, are always present, and hence the presence of said
attributes is always allowed to be checked in a search filter. This
corresponds with the behaviour of Windows.

Further, we unconditionally allow the attributes isDeleted and
isRecycled in a check for presence or equality. Windows is not known to
make this special exception, but it seems mostly harmless, and should
mitigate the performance impact on searches made by the show_deleted
module.

As a result of all these changes, our behaviour regarding confidential
attributes happens to match Windows more closely. For the test in
confidential_attr.py, we can now model our attribute handling with
DC_MODE_RETURN_ALL, which corresponds to the behaviour exhibited by
Windows.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
CVE-2023-0614 schema_samba4.ldif: Allocate previously added OID 2023-04-05T02:10:35+00:00 Joseph Sutton josephsutton@catalyst.net.nz 2023-02-06T20:25:48+00:00 16487691c02b97e6c7d07fe1ae6653f089feabff DSDB_CONTROL_CALCULATED_DEFAULT_SD_OID was added in commit 08187833fee57a8dba6c67546dfca516cd1f9d7a. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
DSDB_CONTROL_CALCULATED_DEFAULT_SD_OID was added in commit
08187833fee57a8dba6c67546dfca516cd1f9d7a.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
samba-tool: let 'domain provision' to use the 2019 schema by default 2023-03-22T22:10:32+00:00 Stefan Metzmacher metze@samba.org 2023-02-23T14:05:01+00:00 f6d9f3760f7df8595a3882b3ad526326abbba1ca Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
setup/adprep: import the latest {Domain-Wide,Forest-Wide,Read-Only-Domain-Controller,Schema}-Updates.md 2023-03-22T22:10:32+00:00 Stefan Metzmacher metze@samba.org 2019-02-23T07:44:05+00:00 c405f2117608a6249494e1239faea711a9c756ca We have Domain-Wide-Updates.md and Read-Only-Domain-Controller-Updates.md only for completeness, they are not parsed/used yet, so we added .unused in order to avoid confusion in future. Initially I tried to go with an ms_domain_updates_markdown.py, but it is easier to add the current updates by hand to domain_update.py, which will follow in the next commits. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
We have Domain-Wide-Updates.md and Read-Only-Domain-Controller-Updates.md only
for completeness, they are not parsed/used yet, so we added .unused in
order to avoid confusion in future.

Initially I tried to go with an ms_domain_updates_markdown.py,
but it is easier to add the current updates by hand to
domain_update.py, which will follow in the next commits.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
setup/ad-schema: add the latest v1803 and v1903 schema files from Microsoft 2023-03-22T22:10:32+00:00 Stefan Metzmacher metze@samba.org 2019-02-23T07:44:05+00:00 c4b87dd50deacca00dfe70df6ab5872e0cae34e8 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
selftest: Expect setting domain-local group as primary group to fail 2023-02-08T00:03:40+00:00 Joseph Sutton josephsutton@catalyst.net.nz 2022-12-22T18:29:58+00:00 4f2f31621385209efa8d715e9bee9256d6ddc71e This will no longer be allowed. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
This will no longer be allowed.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>