The Windows AD DC checks password validity before password expiry. So an
incorrect expired password will return KDC_ERR_PREAUTH_REQUIRED, not
KDC_ERR_KEY_EXPIRED.
The KDC behaviour fixes will be made to lorikeet-heimdal and then imported to
samba.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15746
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
|
|
Commit c1433f821f7 added PADATA_PK_AS_REP (PA-PK-AS-REP, type 17) to
the expected padata list when check_rep_padata sees KDC_ERR_KEY_EXPIRED.
This reflects Samba's Heimdal KDC behaviour, which includes PKINIT hints
in expired-password error responses.
Samba with MIT KDC does not include PADATA_PK_AS_REP in KDC_ERR_KEY_EXPIRED
responses; it returns a METHOD-DATA with just the NTSTATUS payload (type 3) and
the FX-COOKIE (type 133). This causes test_pw_expired to fail intermittently
when the expired-password code path is exercised against MIT KDC.
Add PADATA_PK_AS_REP to the require_strict set alongside PADATA_PK_AS_REP_19,
so it is treated as optional in non-strict checking mode (STRICT_CHECKING=0)
while still being enforced in strict mode.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Mar 30 10:41:07 UTC 2026 on atb-devel-224
|
|
The SHA1 hash for KB5014754 SHA1-PUKEY is calculated over the entire
certificate, not just the public key.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=16001
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
|
|
When altSecurityIdentities is set by RSAT / ADUC, they store the
Issuer and Subject DN in last-to-first order, i.e.
CN=Common Name, O=Organization, C=Country
We need to reverse that to first-to-last order, i.e.
C=Country, O=Organization, CN=Common name
which is how they're stored on the X.509 certificates.
Also, the serial number is stored in reverse order.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=16001
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
|
|
If AES keys are available in the domain, assume that service accounts support
AES by default.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15998
Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
|
|
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
|
|
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
|
|
If the test is run against a
require canonicalization = yes
server, requests that do not use the canonicalize flag will be
rejected at the preauth stage, so we check that and nothing more.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
|
|
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
|
|
We check here instead of selftest/expectedfail.d/* in part because
on MIT some of these cases will fail to fail to ask for preauth.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
|
|
The smb.conf option
kdc name match implicit dollar without canonicalization = no
is supposed to avoid the dollar ticket attack by refusing to consider
"foo$" as a match for "foo" unless canonicalization is requested.
This was rather blunt, however, as the only time we care about this is for
the client name in an AS_REQ, and we can easily check whether that is the
case.
This makes the option less intrusive, allowing the use of "SERVER" for a
server name rather than "SERVER$". A number of tests no longer fail.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
|
|
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
|
|
REASON: Exception: Exception: Traceback (most recent call last):
File "/home/asn/workspace/prj/oss/samba/asn-fix/bin/python/samba/tests/krb5/lockout_tests.py", line 858, in test_lockout_transaction_bad_pwd_samr_aes
self.do_lockout_transaction(connect_samr_aes, correct_pw=False)
~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/asn/workspace/prj/oss/samba/asn-fix/bin/python/samba/tests/krb5/lockout_tests.py", line 990, in do_lockout_transaction
connect_future = executor.submit(
connect_fn,
...<7 lines>...
workstation=user_creds.get_workstation(),
dn=str(user_dn))
File "/usr/lib64/python3.14/concurrent/futures/process.py", line 816, in submit
self._adjust_process_count()
~~~~~~~~~~~~~~~~~~~~~~~~~~^^
File "/usr/lib64/python3.14/concurrent/futures/process.py", line 775, in _adjust_process_count
self._spawn_process()
~~~~~~~~~~~~~~~~~~~^^
File "/usr/lib64/python3.14/concurrent/futures/process.py", line 793, in _spawn_process
p.start()
~~~~~~~^^
File "/usr/lib64/python3.14/multiprocessing/process.py", line 121, in start
self._popen = self._Popen(self)
~~~~~~~~~~~^^^^^^
File "/usr/lib64/python3.14/multiprocessing/context.py", line 300, in _Popen
return Popen(process_obj)
File "/usr/lib64/python3.14/multiprocessing/popen_forkserver.py", line 35, in __init__
super().__init__(process_obj)
~~~~~~~~~~~~~~~~^^^^^^^^^^^^^
File "/usr/lib64/python3.14/multiprocessing/popen_fork.py", line 20, in __init__
self._launch(process_obj)
~~~~~~~~~~~~^^^^^^^^^^^^^
File "/usr/lib64/python3.14/multiprocessing/popen_forkserver.py", line 42, in _launch
prep_data = spawn.get_preparation_data(process_obj._name)
File "/usr/lib64/python3.14/multiprocessing/spawn.py", line 164, in get_preparation_data
_check_not_importing_main()
~~~~~~~~~~~~~~~~~~~~~~~~~^^
File "/usr/lib64/python3.14/multiprocessing/spawn.py", line 140, in _check_not_importing_main
raise RuntimeError('''
...<16 lines>...
''')
RuntimeError:
An attempt has been made to start a new process before the
current process has finished its bootstrapping phase.
This probably means that you are not using fork to start your
child processes and you have forgotten to use the proper idiom
in the main module:
if __name__ == '__main__':
freeze_support()
...
The "freeze_support()" line can be omitted if the program
is not going to be frozen to produce an executable.
To fix this issue, refer to the "Safe importing of main module"
section in https://docs.python.org/3/library/multiprocessing.html
In Python 3.14, the default multiprocessing start method changed from fork to
forkserver/spawn. When using ProcessPoolExecutor, the code needs to
either:
1. Explicitly set the start method to fork (the simplest fix for this case)
2. Or ensure proper if __name__ == '__main__': guards (not practical for test
code run by a test framework)
The fix is to explicitly use the fork start method when creating the
ProcessPoolExecutor. This can be done by passing an mp_context parameter:
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
|
|
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
|
|
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
|
|
In the ad_dc_ntvfs environment.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
|
|
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
|
|
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
|
|
Before:
> AssertionError: 6 not found in (20,)
After:
> AssertionError: 6 not found in (20,) : KDC_ERR_C_PRINCIPAL_UNKNOWN not in ['KDC_ERR_TGT_REVOKED']
Useful for people who don't know the codes off by heart.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
|
|
to be consistent with all the others.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
|
|
signed_attrs is supposed to be a list of key‐value pairs, but we forgot the
values. Because the field was not constructed correctly, the pyasn1 encoder
simply stripped it out.
Also properly separate the signature algorithm and digest algorithms.
Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Wed Nov 19 00:32:31 UTC 2025 on atb-devel-224
|
|
Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
|
|
Update the tests to check the "kdc always generate pac" configuration and
expect the presence of a PAC accordingly.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
|
|
Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
|
|
View with ‘git show -b’.
Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
|
|
Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
|
|
Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
|
|
Tests for pkinit with "strong certificate binding enforcement"
See: https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16
KB5014754: Certificate-based authentication changes on Windows
domain controllers
Test environment configuration:
ad_dc          none
ad_dc_ntvfs    compatibility
ad_dc_smb1     full
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
|
|
Add tests to verify Key Trust authentication
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
|
|
Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
|
|
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
|
|
Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
|
|
UPN_DNS_INFO
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
|
|
selective_auth_allowed_sid
This will add a GUID_DRS_ALLOWED_TO_AUTHENTICATE ace with CONTROL_ACCESS
to the created account.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
|
|
expected_[device_]duplicated_groups
This allows us to expect duplicated SIDs in the PAC.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
|
|
Device info does not really have RESOURCE_SID,
so we need to map RESOURCE_SID as well as EXTRA_SID (with an S-1-5-21-
prefix) to EXTRA_DOMAIN_SID.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
|
|
create_trust() is used for that...
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Mon Feb 24 10:28:02 UTC 2025 on atb-devel-224
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
|
|
This makes it possible to modify the public ticket part as well as the enc part.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
|
|
Review with: git show -w
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
|
|
This makes debugging easier...
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
|
|
It can be different from the server's realm.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
|