[SCM] Samba Shared Repository - branch v4-3-stable updated
Karolin Seeger
kseeger at samba.org
Tue Apr 12 17:00:52 UTC 2016
The branch, v4-3-stable has been updated
via 4b4a2bd VERSION: Disable git snapshots for the 4.3.8 release.
via 10e9011 WHATSNEW: Add release notes for Samba 4.3.8.
via ad9257b s3:libads: sasl wrapped LDAP connections against with kerberos and arcfour-hmac-md5
via caa886e VERSION: Bump version up to 4.3.8...
via 6597749 VERSION: Disable git snapshots for the 4.3.7 release.
via 17e1b9f WHATSNEW: Add release notes for Samba 4.3.7.
via 0e2bcca CVE-2015-5370: s4:selftest: run samba.tests.dcerpc.raw_protocol against ad_dc
via 9ec6afa CVE-2015-5370: python/samba/tests: add some dcerpc raw_protocol tests
via 21fe775 CVE-2015-5370: python/samba/tests: add infrastructure to do raw protocol tests for DCERPC
via a141a37 CVE-2015-5370: s4:librpc/rpc: call dcerpc_connection_dead() on protocol errors
via 6ac5ad0 CVE-2015-5370: s3:rpc_client: disconnect connection on protocol errors
via 51a4a8f CVE-2015-5370: libcli/smb: use a max timeout of 1 second in tstream_smbXcli_np_destructor()
via cd2911f CVE-2015-5370: s3:rpc_server: verify auth_context_id in api_pipe_{bind_auth3,alter_context}
via ac0d474 CVE-2015-5370: s3:rpc_client: verify auth_context_id in rpc_pipe_bind_step_one_done()
via 4449c51 CVE-2015-5370: s3:librpc/rpc: verify auth_context_id in dcerpc_check_auth()
via 365fffe CVE-2015-5370: s3:librpc/rpc: make use of auth->auth_context_id in dcerpc_add_auth_footer()
via bc001b0 CVE-2015-5370: s3:rpc_server: make use of pipe_auth_data->auth_context_id
via 7ab9a8c CVE-2015-5370: s3:rpc_client: make use of pipe_auth_data->auth_context_id
via 7f2d791 CVE-2015-5370: s3:librpc/rpc: add auth_context_id to struct pipe_auth_data
via 73550f4 CVE-2015-5370: s3:rpc_client: pass struct pipe_auth_data to create_rpc_{bind_auth3,alter_context}()
via 46ddaf3 CVE-2015-5370: s3:rpc_server: don't allow an existing context to be changed in check_bind_req()
via f3a67c2 CVE-2015-5370: s3:rpc_server: check the transfer syntax in check_bind_req() first
via 278cdd1 CVE-2015-5370: s3:librpc/rpc: remove unused dcerpc_pull_dcerpc_auth()
via adaf1ae CVE-2015-5370: s3:rpc_server: use DCERPC_NCA_S_PROTO_ERROR FAULTs for protocol errors
via 14d97d4 CVE-2015-5370: s3:rpc_server: let a failing BIND mark the connection as broken
via dbcd01e CVE-2015-5370: s3:rpc_server: disconnect the connection after a fatal FAULT pdu
via 3f6a270 CVE-2015-5370: s3:rpc_server: make use of dcerpc_verify_ncacn_packet_header() to verify incoming pdus
via 11df891 CVE-2015-5370: s3:rpc_server: verify presentation context arrays
via 9832a22 CVE-2015-5370: s3:rpc_server: use 'alter' instead of 'bind' for variables in api_pipe_alter_context()
via e1b75bc CVE-2015-5370: s3:rpc_server: ensure that the message ordering doesn't violate the spec
via 84cbf3d CVE-2015-5370: s3:rpc_server: make sure auth_level isn't changed by alter_context or auth3
via d11c5d3 CVE-2015-5370: s3:rpc_server: let a failing auth3 mark the authentication as invalid
via 476c2f5 CVE-2015-5370: s3:rpc_server: don't allow auth3 if the authentication was already finished
via 8695339 CVE-2015-5370: s3:rpc_server: don't ignore failures of dcerpc_push_ncacn_packet()
via a4a828e CVE-2015-5370: s3:rpc_server: just call pipe_auth_generic_bind() in api_pipe_bind_req()
via db297a7 CVE-2015-5370: s3:rpc_server: let a failing sec_verification_trailer mark the connection as broken
via 905313c CVE-2015-5370: s3:rpc_server: make use of dcerpc_pull_auth_trailer() in api_pipe_{bind_req,alter_context,bind_auth3}()
via 0cf8404 CVE-2015-5370: s3:rpc_client: verify auth_{type,level} in rpc_pipe_bind_step_one_done()
via e87721a CVE-2015-5370: s3:rpc_client: protect rpc_api_pipe_got_pdu() against too large payloads
via 8e691e7 CVE-2015-5370: s3:rpc_client: make use of dcerpc_verify_ncacn_packet_header() in cli_pipe_validate_current_pdu()
via f606cfd CVE-2015-5370: s3:rpc_client: make use of dcerpc_pull_auth_trailer()
via f39183c CVE-2015-5370: s3:librpc/rpc: let dcerpc_check_auth() auth_{type,level} against the expected values.
via 28d558e CVE-2015-5370: s3:librpc/rpc: remove auth trailer and possible padding within dcerpc_check_auth()
via db30949 CVE-2015-5370: librpc/rpc: don't allow pkt->auth_length == 0 in dcerpc_pull_auth_trailer()
via cce7265 CVE-2015-5370: s4:rpc_server: reject DCERPC_PFC_FLAG_PENDING_CANCEL with DCERPC_FAULT_NO_CALL_ACTIVE
via 795b44e CVE-2015-5370: s4:rpc_server: the assoc_group is relative to the connection (association)
via 67e2661 CVE-2015-5370: s4:rpc_server: only allow one fragmented call_id at a time
via f77f9bf CVE-2015-5370: s4:rpc_server: limit allocation and alloc_hint to 4 MByte
via 3239e26 CVE-2015-5370: s4:rpc_server: check frag_length for requests
via d249ce6 CVE-2015-5370: s4:rpc_server: give the correct reject reasons for invalid auth_level values
via 0e26f3c CVE-2015-5370: s4:rpc_server: disconnect after a failing dcesrv_auth_request()
via 6ed0ef7 CVE-2015-5370: s4:rpc_server: let a failing auth3 mark the authentication as invalid
via 615019f CVE-2015-5370: s4:rpc_server: failing authentication should generate a SEC_PKG_ERROR
via e0b58a1 CVE-2015-5370: s4:rpc_server: fix the order of error checking in dcesrv_alter()
via cf0a939 CVE-2015-5370: s4:rpc_server: changing an existing presentation context via alter_context is a protocol error
via f0d318f CVE-2015-5370: s4:rpc_server: don't derefence an empty ctx_list array in dcesrv_alter()
via 6228c53 CVE-2015-5370: s4:rpc_server: remove pointless dcesrv_find_context() from dcesrv_bind()
via a7d02ec CVE-2015-5370: s4:rpc_server: let invalid request fragments disconnect the connection with a protocol error
via 1d99eec CVE-2015-5370: s4:rpc_server: make sure alter_context and auth3 can't change auth_{type,level,context_id}
via 6b2d064 CVE-2015-5370: s4:rpc_server: maintain in and out struct dcerpc_auth per dcesrv_call_state
via 26ad208 CVE-2015-5370: s4:rpc_server: ensure that the message ordering doesn't violate the spec
via 2ed603a CVE-2015-5370: s4:rpc_server: verify the protocol headers before processing pdus
via e9511b5 CVE-2015-5370: s4:rpc_server: add infrastructure to terminate a connection after a response
via 5ab994c CVE-2015-5370: s4:rpc_server: make dcesrv_process_ncacn_packet() static
via 6db7571 CVE-2015-5370: s4:rpc_server: return the correct secondary_address in dcesrv_bind()
via 9f62223 CVE-2015-5370: s4:rpc_server: add some padding to dcesrv_bind_nak() responses
via 4ea6765 CVE-2015-5370: s4:rpc_server: split out a dcesrv_fault_with_flags() helper function
via 8ba1be0 CVE-2015-5370: s4:rpc_server: fill context_id in dcesrv_fault()
via 69e1d93 CVE-2015-5370: s4:rpc_server: set alloc_hint = 24 in dcesrv_fault()
via 5eb3b63 CVE-2015-5370: s4:rpc_server: avoid ZERO_STRUCT() in dcesrv_fault()
via 3165b23 CVE-2015-5370: s4:rpc_server: correctly maintain dcesrv_connection->max_{recv,xmit}_frag
via 563d8fe CVE-2015-5370: s4:rpc_server/netlogon: make use of dce_call->conn->auth_state.auth_{level,type}
via fd3b82e CVE-2015-5370: s4:rpc_server/samr: make use of dce_call->conn->auth_state.auth_level
via 1077b50 CVE-2015-5370: s4:rpc_server/lsa: make use of dce_call->conn->auth_state.auth_{level,type}
via 5325276 CVE-2015-5370: s4:rpc_server: make use of dce_call->conn->auth_state.auth_* in dcesrv_request()
via f8b98b3 CVE-2015-5370: s4:rpc_server: maintain dcesrv_auth->auth_{type,level,context_id}
via 16e3a4c CVE-2015-5370: s4:rpc_server: check the result of dcerpc_pull_auth_trailer() in dcesrv_auth_bind()
via 308543b CVE-2015-5370: s4:rpc_server: no authentication is indicated by pkt->auth_length == 0
via 08f976d CVE-2015-5370: s4:rpc_server: make use of talloc_zero()
via 0235d72 CVE-2015-5370: s4:librpc/rpc: protect dcerpc_request_recv_data() against too large payloads
via df2dcc1 CVE-2015-5370: s4:librpc/rpc: use dcerpc_verify_ncacn_packet_header() to verify BIND_ACK,ALTER_RESP,RESPONSE pdus
via 443e00f CVE-2015-5370: s4:librpc/rpc: handle DCERPC_PKT_FAULT before anything else in dcerpc_alter_context_recv_handler()
via 1551c41 CVE-2015-5370: s4:librpc/rpc: make use of dcerpc_map_ack_reason() in dcerpc_bind_recv_handler()
via 9b9d307 CVE-2015-5370: s3:rpc_client: remove useless frag_length check in rpc_api_pipe_got_pdu()
via 735d4ba CVE-2015-5370: s3:rpc_client: move AS/U hack to the top of cli_pipe_validate_current_pdu()
via 21b9022 CVE-2015-5370: librpc/rpc: add a dcerpc_verify_ncacn_packet_header() helper function
via 821d484 CVE-2015-5370: s4:librpc/rpc: finally verify the server uses the expected auth_{type,level,context_id} values
via 447f9f1 CVE-2015-5370: s4:librpc/rpc: avoid using dcecli_security->auth_info and use per request values
via 220e4ca CVE-2015-5370: s4:librpc/rpc: simplify checks if gensec is used in dcerpc_ship_next_request()
via e6da619 CVE-2015-5370: s4:librpc/rpc: avoid dereferencing sec->auth_info in dcerpc_request_prepare_vt()
via 3df2b07 CVE-2015-5370: s4:librpc/rpc: always use ncacn_pull_request_auth() for DCERPC_PKT_RESPONSE pdus
via 0899c0a CVE-2015-5370: s4:librpc/rpc: avoid using c->security_state.auth_info in ncacn_pull_request_auth()
via 71c2c21 CVE-2015-5370: s4:librpc/rpc: avoid using hs->p->conn->security_state.auth_info in dcerpc_bh_auth_info()
via e39b737 CVE-2015-5370: s4:librpc/rpc: use a local auth_info variable in ncacn_push_request_sign()
via 5be0fb1 CVE-2015-5370: s4:librpc/rpc: use auth_context_id = 1
via f64b017 CVE-2015-5370: s4:librpc/rpc: maintain dcecli_security->auth_{type,level,context_id}
via 47d8c31 CVE-2015-5370: s4:librpc/rpc: send a dcerpc_sec_verification_trailer if needed
via 1c7be37 CVE-2015-5370: s3:librpc/rpc: don't call dcerpc_pull_auth_trailer() if auth_length is 0
via 82dd128 CVE-2015-5370: librpc/rpc: simplify and harden dcerpc_pull_auth_trailer()
via e96791f CVE-2015-5370: dcerpc.idl: add DCERPC_{NCACN_PAYLOAD,FRAG}_MAX_SIZE defines
via 6602e7e CVE-2016-2118: s3:rpc_server/samr: allow _samr_ValidatePassword only with PRIVACY...
via 45a9ca1 CVE-2016-2118: s4:rpc_server/samr: allow _samr_ValidatePassword only with PRIVACY...
via e9718e2 CVE-2016-2118: docs-xml: default "allow dcerpc auth level connect" to "no"
via 4762d25 CVE-2016-2118: s3:rpc_server/{epmapper,echo}: allow DCERPC_AUTH_LEVEL_CONNECT by default
via 1ac5f37 CVE-2016-2118: s3:rpc_server/{samr,lsa,netlogon}: reject DCERPC_AUTH_LEVEL_CONNECT by default
via 3ba93ce CVE-2016-2118: s3:rpc_server: make use of "allow dcerpc auth level connect"
via a2d14bb CVE-2016-2118: s4:rpc_server/rpcecho: allow DCERPC_AUTH_LEVEL_CONNECT by default
via 6045947 CVE-2016-2118: s4:rpc_server/mgmt: allow DCERPC_AUTH_LEVEL_CONNECT by default
via 8f219a0 CVE-2016-2118: s4:rpc_server/epmapper: allow DCERPC_AUTH_LEVEL_CONNECT by default
via 7869c5f CVE-2016-2118: s4:rpc_server/netlogon: reject DCERPC_AUTH_LEVEL_CONNECT by default
via 20e4023 CVE-2016-2118: s4:rpc_server/samr: reject DCERPC_AUTH_LEVEL_CONNECT by default
via ca98500 CVE-2016-2118: s4:rpc_server/lsa: reject DCERPC_AUTH_LEVEL_CONNECT by default
via 7b93802 CVE-2016-2118: s4:rpc_server: make use of "allow dcerpc auth level connect"
via e7be37e CVE-2016-2118(<=4.3) docs-xml: add "allow dcerpc auth level connect" defaulting to "yes"
via 979067f CVE-2016-2118: docs-xml: add "allow dcerpc auth level connect" defaulting to "yes"
via 101e8e8 CVE-2016-2118: s4:librpc: use integrity by default for authenticated binds
via 9ae9c64 CVE-2016-2118: librpc: change the default auth level from DCERPC_AUTH_LEVEL_CONNECT to DCERPC_AUTH_LEVEL_INTEGRITY
via d5659c7 CVE-2016-2118: s3: rpcclient: change the default auth level from DCERPC_AUTH_LEVEL_CONNECT to DCERPC_AUTH_LEVEL_INTEGRITY
via 0a3d923 CVE-2016-2118: s4:rpc_server/dnsserver: require at least DCERPC_AUTH_LEVEL_INTEGRITY
via 9bfa937 CVE-2016-2118: python:tests/dcerpc: use [sign] for dnsserver tests
via 5eb6341 CVE-2016-2118: s4:rpc_server/backupkey: require DCERPC_AUTH_LEVEL_PRIVACY
via e8dc268 CVE-2016-2118: s4:rpc_server/drsuapi: require DCERPC_AUTH_LEVEL_PRIVACY
via 31e7611 CVE-2016-2118: s4:rpc_server: make it possible to define a min_auth_level on a presentation context
via fa2630f CVE-2016-2115: docs-xml: always default "client ipc signing" to "mandatory"
via 2d68100 CVE-2016-2115: s3:libsmb: use SMB_SIGNING_IPC_DEFAULT and lp_client_ipc_{min,max}_protocol()
via cdad358 CVE-2016-2115: s3:libnet: use SMB_SIGNING_IPC_DEFAULT
via b66500f CVE-2016-2115: s3:auth_domain: use SMB_SIGNING_IPC_DEFAULT
via 27c66c4 CVE-2016-2115: s3:lib/netapi: use SMB_SIGNING_IPC_DEFAULT
via 9339d90 CVE-2016-2115: net: use SMB_SIGNING_IPC_DEFAULT
via 38552d7 CVE-2016-2115: s3:libsmb: let SMB_SIGNING_IPC_DEFAULT use "client ipc min/max protocol"
via bdff08d CVE-2016-2115: s3:libsmb: add signing constant SMB_SIGNING_IPC_DEFAULT
via 2b23bc3 CVE-2016-2115: s3:winbindd: use lp_client_ipc_signing()
via 5859266 CVE-2016-2115: s3:winbindd: use lp_client_ipc_{min,max}_protocol()
via e0588d9 CVE-2016-2115: s4:librpc/rpc: make use of "client ipc *" options for ncacn_np
via 2220923 CVE-2016-2115: s4:libcli/raw: pass the minprotocol to smb_raw_negotiate*()
via 60851a0 CVE-2016-2115: s4:libcli/raw: limit maxprotocol to NT1 in smb_raw_negotiate*()
via 7903203 CVE-2016-2115: s4:libcli/smb2: use the configured min_protocol
via c21c9a3 CVE-2016-2115: s4:libcli/raw: add smbcli_options.min_protocol
via 2c13697 CVE-2016-2115(<=4.3): docs-xml: add "client ipc signing" option
via 668cc85 CVE-2016-2115: docs-xml: add "client ipc signing" option
via 9fa185c CVE-2016-2115(<=4.3): docs-xml: add "client ipc min protocol" and "client ipc max protocol" options
via 2f7d773 CVE-2016-2115: docs-xml: add "client ipc min protocol" and "client ipc max protocol" options
via 25b05a8 CVE-2016-2114: docs-xml: let the "smb signing" documentation reflect the reality
via 8611441 CVE-2016-2114: s3:smbd: enforce "server signing = mandatory"
via 7c6c666 CVE-2016-2114: libcli/smb: let mandatory signing imply allowed signing
via 67f8524 CVE-2016-2114: s3:smbd: use the correct default values for "smb signing"
via 2217276 CVE-2016-2114: s4:smb2_server: fix session setup with required signing
via 641cbcc CVE-2016-2113: docs-xml: let "tls verify peer" default to "as_strict_as_possible"
via d778580 CVE-2016-2113: selftest: use "tls verify peer = no_check"
via dc4f8d0 CVE-2016-2113: selftest: test all "tls verify peer" combinations with ldaps
via fdac236 CVE-2016-2113: s4:librpc/rpc: verify the rpc_proxy certificate and hostname if configured
via 389b15e CVE-2016-2113: s4:libcli/ldap: verify the server certificate and hostname if configured
via 54a039d CVE-2016-2113: s4:selftest: explicitly use '--option="tlsverifypeer=no_check" for some ldaps tests
via c20ee1b CVE-2016-2113(<=4.3): docs-xml: add "tls verify peer" option defaulting to "no_check"
via fc02668 CVE-2016-2113: docs-xml: add "tls verify peer" option defaulting to "no_check"
via 9ca8e88 CVE-2016-2113: s4:lib/tls: implement infrastructure to do peer verification
via 27f1625 CVE-2016-2113: s4:lib/tls: create better certificates and sign the host cert with the ca cert
via 104a691 CVE-2016-2112: docs-xml: change the default of "ldap server require strong auth" to "yes"
via a027a87 CVE-2016-2112: s4:selftest: run some ldap test against ad_dc_ntvfs, fl2008r2dc and fl2003dc
via 8dad04c CVE-2016-2112: selftest: servers with explicit "ldap server require strong auth" options
via c7f2a10 CVE-2016-2112: s4:selftest: run samba4.ldap.bind against fl2008r2dc
via 90cc943 CVE-2016-2112: s4:ldap_server: implement "ldap server require strong auth" option
via 963236f CVE-2016-2112(<=4.3): docs-xml: add "ldap server require strong auth" option
via b012535 CVE-2016-2112: docs-xml: add "ldap server require strong auth" option
via e9cfd12 CVE-2016-2112: s4:ldap_server: reduce scope of old_session_info variable
via 5172192 CVE-2016-2112: s4:selftest: use --option=clientldapsaslwrapping=plain for plain connections
via 6977700 CVE-2016-2112: s4:libcli/ldap: auto upgrade to SIGN after STRONG_AUTH_REQUIRED
via e072666 CVE-2016-2112: s4:libcli/ldap: make sure we detect downgrade attacks
via b723d97 CVE-2016-2112: s4:libcli/ldap: honour "client ldap sasl wrapping" option
via a8c60aa CVE-2016-2112: s3:libads: make sure we detect downgrade attacks
via 60647fa CVE-2016-2111: docs-xml/smbdotconf: default "raw NTLMv2 auth" to "no"
via dbdd9cb CVE-2016-2111: selftest:Samba3: use "raw NTLMv2 auth = yes" for nt4_dc
via ff1e470 CVE-2016-2111: s4:smb_server: implement "raw NTLMv2 auth" checks
via e260f6a CVE-2016-2111: s3:auth: implement "raw NTLMv2 auth" checks
via 3643bc9 CVE-2016-2111(<=4.3): docs-xml: add "raw NTLMv2 auth" defaulting to "yes"
via 3dbb32c CVE-2016-2111: docs-xml: add "raw NTLMv2 auth" defaulting to "yes"
via eaabdc1 CVE-2016-2111: docs-xml: document the new "client NTLMv2 auth" and "client use spnego" interaction
via f319256 CVE-2016-2111: s3:libsmb: don't send a raw NTLMv2 response when we want to use spnego
via f22b75d CVE-2016-2111: s4:libcli: don't send a raw NTLMv2 response when we want to use spnego
via a1ae538 CVE-2016-2111: s4:param: use "client use spnego" to initialize options->use_spnego
via 5dbffb8 CVE-2016-2111: s4:libcli: don't allow the LANMAN2 session setup without "client lanman auth = yes"
via b6899e1 CVE-2016-2111: s4:torture/base: don't use ntlmv2 for dos connection in base.samba3error
via 8e1e621 CVE-2016-2111: s4:torture/raw: don't use ntlmv2 for dos connection in raw.samba3badpath
via 9784d68 CVE-2016-2111: s3:rpc_server/netlogon: check NTLMv2_RESPONSE values for SEC_CHAN_WKSTA
via 473bbfa CVE-2016-2111: s4:rpc_server/netlogon: check NTLMv2_RESPONSE values for SEC_CHAN_WKSTA
via 984d024 CVE-2016-2111: libcli/auth: add NTLMv2_RESPONSE_verify_netlogon_creds() helper function
via 5074d1e CVE-2016-2111: s4:torture/rpc: fix rpc.pac ntlmv2 test
via 7434b8d CVE-2016-2111: s4:torture/rpc: fix rpc.samba3.netlogon ntlmv2 test
via 630e39d CVE-2016-2111: s3:rpc_server/netlogon: require DCERPC_AUTH_LEVEL_PRIVACY for validation level 6
via b9b3b1e CVE-2016-2111: s4:rpc_server/netlogon: require DCERPC_AUTH_LEVEL_PRIVACY for validation level 6
via 2f393b3 CVE-2016-2111: s3:rpc_server/netlogon: always go through netr_creds_server_step_check()
via fb8bb0f CVE-2016-2111: s4:rpc_server: implement 'server schannel = yes' restriction
via b76361d CVE-2016-2111: auth/gensec: correctly report GENSEC_FEATURE_{SIGN,SEAL} in schannel_have_feature()
via a6d1056 CVE-2016-2111: auth/gensec: require DCERPC_AUTH_LEVEL_INTEGRITY or higher in schannel_update()
via fc9df72 CVE-2016-2110: auth/ntlmssp: implement new_spnego support including MIC generation (as client)
via 95a1c91 CVE-2016-2110: auth/ntlmssp: implement new_spnego support including MIC checking (as server)
via 39dd2c6 CVE-2016-2110: ntlmssp.idl: add NTLMSSP_MIC_{OFFSET,SIZE}
via 299b49f CVE-2016-2110: libcli/auth: pass server_timestamp to SMBNTLMv2encrypt_hash()
via a278c35 CVE-2016-2110: auth/credentials: pass server_timestamp to cli_credentials_get_ntlm_response()
via 1cc7fbe CVE-2016-2110: auth/credentials: clear the LMv2 key for NTLMv2 in cli_credentials_get_ntlm_response()
via 8cae040 CVE-2016-2110: auth/ntlmssp: implement gensec_ntlmssp_may_reset_crypto()
via b5e95cc CVE-2016-2110: auth/ntlmssp: call ntlmssp_sign_init if we provide GENSEC_FEATURE_SIGN
via 3ae39af CVE-2016-2110: auth/gensec: add gensec_may_reset_crypto() infrastructure
via f32ad5c CVE-2016-2110: auth/gensec: require spnego mechListMIC exchange for new_spnego backends
via 3673533 CVE-2016-2110: auth/gensec: fix the client side of a spnego downgrade
via 9440fa8 CVE-2016-2110: auth/gensec: fix the client side of a new_spnego exchange
via efe18dc CVE-2016-2110: libcli/auth: add SPNEGO_REQUEST_MIC to enum spnego_negResult
via 0e3bb02 CVE-2016-2110: libcli/auth: use enum spnego_negResult instead of uint8_t
via 8714377 CVE-2016-2110: winbindd: add new_spnego to the WINBINDD_CCACHE_NTLMAUTH response
via 677e214 CVE-2016-2110: auth/ntlmssp: let gensec_ntlmssp_client_start require NTLM2 (EXTENDED_SESSIONSECURITY) when using ntlmv2
via 2ee222b CVE-2016-2110: auth/ntlmssp: let gensec_ntlmssp_client_start require flags depending on the requested features
via a7a0d2e CVE-2016-2110: auth/ntlmssp: don't let ntlmssp_handle_neg_flags() change ntlmssp_state->use_ntlmv2
via d29c945 CVE-2016-2110: auth/ntlmssp: don't allow a downgrade from NTLMv2 to LM_AUTH
via 4e5c214 CVE-2016-2110: auth/ntlmssp: split allow_lm_response from allow_lm_key
via f914050 CVE-2016-2110: auth/ntlmssp: maintain conf_flags and required_flags variables
via 8df0d59 CVE-2016-2110: auth/ntlmssp: let ntlmssp_handle_neg_flags() return NTSTATUS
via 25f0a4c s3:ntlm_auth: pass manage_squid_request() needs a valid struct ntlm_auth_state from within get_password()
via cce2e6a s3:rpc_server/samr: correctly handle session_extract_session_key() failures
via 343637b s4:selftest: run rpc.netlogon.admin also over ncalrpc and ncacn_ip_tcp
via ba36c3f libads: Fix CID 1356316 Uninitialized pointer read
via e681d11 libsmb: Fix CID 1356312 Explicit null dereferenced
via 656795b s3-auth: check for return code of cli_credentials_set_machine_account().
via 6db7be4 s4-smb_server: check for return code of cli_credentials_set_machine_account().
via bca3039 s4:rpc_server: require access to the machine account credentials
via a6e7f49 auth/gensec: split out a gensec_verify_dcerpc_auth_level() function
via c0beb87 auth/gensec: make sure gensec_security_by_auth_type() returns NULL for AUTH_TYPE_NONE
via 5cdddba s4:torture/rpc/schannel: don't use validation level 6 without privacy
via 61a09ae s4:torture/rpc: correctly use torture_skip() for test_ManyGetDCName() without NCACN_NP
via 1cd3836 s4:torture/rpc/samlogon: use DCERPC_SEAL for netr_LogonSamLogonEx and validation level 6
via 8665944 s4:torture/rpc/samr: use DCERPC_SEAL in setup_schannel_netlogon_pipe()
via 46f52e7 s4:torture/netlogon: add/use test_SetupCredentialsPipe() helper function
via 1103a6b s3:test_rpcclient_samlogon.sh: test samlogon with schannel
via 6a3a45d s3:selftest: rpc.samr.passwords.validate should run with [seal] in order to be realistic
via 3f05c5a selftest: setup information of new samba.example.com CA in the client environment
via 1311631 selftest: set tls crlfile if it exist
via 739e896 selftest: use Samba::prepare_keyblobs() and use the certs from the new CA
via 0ad8ef8 selftest: add Samba::prepare_keyblobs() helper function
via f058da2 selftest: mark commands in manage-CA-samba.example.com.sh as DONE
via 8be3031 selftest: add CA-samba.example.com (non-binary) files
via 08976c4 selftest: add config and script to create a samba.example.com CA
via 158e06d selftest: add some helper scripts to mange a CA
via f91a66f selftest: s!addc.samba.example.com!addom.samba.example.com!
via 1346b27 s4:rpc_server: dcesrv_generic_session_key should only work on local transports
via 663ec33 s4:rpc_server/samr: hide a possible NO_USER_SESSION_KEY error
via 5182c93 s4:librpc/rpc: dcerpc_generic_session_key() should only be available on local transports
via 44e2da8 s4:torture:samba3rpc: use an authenticated SMB connection and an anonymous DCERPC connection on top
via fd1e4ec s4:selftest: run rpc.samr over ncacn_np instead of ncacn_ip_tcp
via 32ad277 s4:torture: the backupkey tests need to use ncacn_np: for LSA calls
via e09c17a s4:torture/rpc: do testjoin only via ncalrpc or ncacn_np
via 2d6afd9 s3:libsmb: remove unused functions in clispnego.c
via 979fc6a s3:libsmb: remove unused cli_session_setup_kerberos*() functions
via 8a1d0a9 s3:libsmb: make use of cli_session_setup_gensec*() for Kerberos
via 70d546d s3:libsmb: call cli_state_remote_realm() within cli_session_setup_spnego_send()
via c4c3bd6 s3:libsmb: provide generic cli_session_setup_gensec_send/recv() pair
via 1498885 s3:libsmb: let cli_session_setup_ntlmssp*() use gensec_update_send/recv()
via e8b6ef4 s3:libsmb: unused ntlmssp.c
via bbc4eb8 s3:libsmb: make use gensec based SPNEGO/NTLMSSP
via 59b8032 s3:libads: make use of ads_sasl_spnego_gensec_bind() for GSS-SPNEGO with Kerberos
via d19d039 s3:libads: keep service and hostname separately in ads_service_principal
via e952e63 s3:libads: don't pass given_principal to ads_generate_service_principal() anymore.
via 3d3725b s3:libads: provide a generic ads_sasl_spnego_gensec_bind() function
via 4cbf13e s3:libads: make use of GENSEC_OID_SPNEGO in ads_sasl_spnego_ntlmssp_bind()
via c63d32b s3:libads: make use of GENSEC_FEATURE_LDAP_STYLE
via 383d18d s3:libads: add missing TALLOC_FREE(frame) in error path
via 95461fb s4:ldap_server: make use of GENSEC_FEATURE_LDAP_STYLE
via e2bea35 s4:selftest: simplify the loops over samba4.ldb.ldap
via ccc1c51 s4:selftest: we don't need to run ldap test with --option=socket:testnonblock=true
via b000387 s4:libcli/ldap: fix retry authentication after a bad password
via 58478f4 s4:libcli/ldap: make use of GENSEC_FEATURE_LDAP_STYLE
via debafe8 auth/ntlmssp: remove ntlmssp_unwrap() fallback for LDAP
via 1016c9d auth/ntlmssp: add more compat for GENSEC_FEATURE_LDAP_STYLE
via 294ef73 auth/ntlmssp: implement GENSEC_FEATURE_LDAP_STYLE
via 6d08a2a auth/gensec: add GENSEC_FEATURE_LDAP_STYLE define
via 192d5be auth/ntlmssp: use ndr_push_AV_PAIR_LIST in gensec_ntlmssp_server_negotiate().
via 3136ede librpc/ndr: add ndr_ntlmssp_find_av() helper function
via 30b4e8f ntlmssp.idl: make AV_PAIR_LIST public
via 983edc9 ntlmssp.idl: MsAvRestrictions is MsvAvSingleHost now
via c3392f3 security.idl: add LSAP_TOKEN_INFO_INTEGRITY
via 00fbd5b auth/ntlmssp: use ntlmssp_version_blob() in the server
via 3a52567 auth/ntlmssp: let the client always include NTLMSSP_NEGOTIATE_VERSION
via 9419ce6 auth/ntlmssp: add ntlmssp_version_blob()
via a575c5e auth/ntlmssp: don't send domain and workstation in the NEGOTIATE_MESSAGE
via c8059be auth/ntlmssp: set NTLMSSP_ANONYMOUS for anonymous authentication
via 34ce552 auth/ntlmssp: define all client neg_flags in gensec_ntlmssp_client_start()
via 6d18d46 auth/ntlmssp: NTLMSSP_NEGOTIATE_VERSION is not a negotiated option
via 3938b90 auth/ntlmssp: split out a debug_ntlmssp_flags_raw() that's more complete
via db7e894 s3:ntlm_auth: also use gensec for "ntlmssp-client-1" and "gss-spnego-client"
via aea667c winbindd: make use of ntlmssp_resume_ccache backend for WINBINDD_CCACHE_NTLMAUTH
via 6ee35d9 s3:auth_generic: add "ntlmssp_resume_ccache" backend in auth_generic_client_prepare()
via 81745b6 auth/ntlmssp: implement GENSEC_FEATURE_NTLM_CCACHE
via 7303a10 auth/gensec: add GENSEC_FEATURE_NTLM_CCACHE define
via 7fcefea auth/ntlmssp: provide a "ntlmssp_resume_ccache" backend
via 3585e41 s3:ntlmssp: remove unused libsmb/ntlmssp_wrap.c
via 993420f s3:auth_generic: make use of the top level NTLMSSP client code
via cb7bf55 winbindd: pass an memory context to do_ntlm_auth_with_stored_pw()
via c9d2b8d s3:tests/test_ntlm_auth_s3: test ntlmssp-client-1 with cached credentials
via 0f54d60 s3:torture/test_ntlm_auth.py: add --client-use-cached-creds option
via 2dac558 s3:torture/test_ntlm_auth.py: replace tabs with whitespaces
via 8800015 s3:ntlm_auth: fix --use-cached-creds with ntlmssp-client-1
via 33f7f44 auth/ntlmssp: add gensec_ntlmssp_server_domain()
via aa0ed80 auth/ntlmssp: keep ntlmssp_state->server.netbios_domain on the correct talloc context
via 14b2a51 s3:auth_generic: add auth_generic_client_start_by_sasl()
via a0feacf s3:auth_generic: add auth_generic_client_start_by_name()
via 9e42312 auth/gensec: make gensec_security_by_name() public
via 35f80cf auth/gensec: handle gensec_security_by_sasl_name(NULL, ...)
via 2e6af15 auth/gensec: keep a pointer to a possible child/sub gensec_security context
via b474d13 s4:pygensec: make sig_size() and sign/check_packet() available
via f702a9e s3:librpc/gse: implement gensec_gse_max_{input,wrapped}_size()
via 5a046d5 s3:librpc/gse: don't log gss_acquire_creds failed at level 0
via 47272c3 s3:librpc/gse: correctly support GENSEC_FEATURE_SESSION_KEY
via 2b351b7 s3:librpc/gse: set GSS_KRB5_CRED_NO_CI_FLAGS_X in gse_init_client() if available
via 91e2717 s3:librpc/gse: fix debug message in gse_init_client()
via 4357b22 s3:librpc/gse: make use of GSS_C_EMPTY_BUFFER in gse_init_client
via 88a09dc wscript_configure_system_mitkrb5: add configure checks for GSS_KRB5_CRED_NO_CI_FLAGS_X
via 0555445 s3:libads: remove unused ads_connect_gc()
via 49a7697 s4:librpc/rpc: map alter context SEC_PKG_ERROR to NT_STATUS_LOGON_FAILURE
via 3121494 librpc/rpc: add error mappings for NO_CALL_ACTIVE, OUT_OF_RESOURCES and BAD_STUB_DATA
via e7595fa dcerpc.idl: make WERROR RPC faults available in ndr_print output
via 0117f64 epmapper.idl: make epm_twr_t available in python bindings
via 0d53d8a s3:selftest: run samba3.blackbox.smbclient_auth.plain also with $SERVER_IPV6
via 16e14f9 s3:test_smbclient_auth.sh: test using the ip address in the unc path (incl. ipv6-literal.net)
via 7f24c0b lib/util_net: add support for .ipv6-literal.net
via 6b6fbcf lib/util_net: move ipv6 linklocal handling into interpret_string_addr_internal()
via a70f620 spnego: Correctly check asn1_tag_remaining retval
via 5530d91 s4:torture/ntlmssp fix a compiler warning
via 7019a9c s4-torture: flesh out ntlmssp_AUTHENTICATE_MESSAGE_check().
via 14f4002 s4-torture: add ndr pullpush validation for NTLMSSP CHALLENGE and AUTHENTICATE messages.
via 97ac363 s4-torture: flesh out ntlmssp_CHALLENGE_MESSAGE_check().
via a54b256 s4-torture: activate testing of CHALLENGE and AUTHENTICATE ntlmssp messages.
via 109618b s4-torture: fill in ntlmssp_NEGOTIATE_MESSAGE_check().
via 1865f12 ntlmssp: when pulling messages it is important to clear memory first.
via 42c2d63 ntlmssp: properly document version defines in IDL (from MS-NLMP).
via 1e0e8d6 ntlmssp: fix copy/paste typo in CHALLENGE_MESSAGE in IDL.
via 5b4999a ntlmssp: add some missing defines from MS-NLMP to our IDL.
via e73cfb9 tls: increase Diffie-Hellman group size to 2048 bits
via 24c6d42 s3:pam_smbpass: remove unused dependency to LIBNTLMSSP
via 62e5169 s3:clispnego: fix confusing warning in spnego_gen_krb5_wrap()
via 5bbf46e s3: smbclient: asn1_extract_blob() stops further asn1 processing by setting has_error.
via 83b6653 asn1: Make 'struct asn1_data' private
via 66ea451 asn1: Remove a reference to asn1_data internals
via c27fd04 libcli: Remove a reference to asn1->ofs
via 9c89afd lib: Use asn1_current_ofs()
via 95fa77f asn1: Add asn1_current_ofs()
via 54aecd7 lib: Use asn1_has_nesting
via 9ac8312 asn1: Add asn1_has_nesting
via 2b11481 lib: Use asn1_extract_blob()
via a44d9bb asn1: Add asn1_extract_blob()
via 274c9a4 lib: Use asn1_set_error()
via a330540 asn1: Add asn1_set_error()
via 89d0afc lib: Use asn1_has_error()
via 4b04663 asn1: Add asn1_has_error()
via d51a607 asn1: Make "struct nesting" private
via 6d2f6e1 asn1: Add some early returns
via bb6607a asn1: Add overflow check to asn1_write
via 7ef1333 asn1: Make asn1_peek_full_tag return 0/errno
via 980785a asn1: Remove an unused asn1 function
via b5c5fec Prevent a crash in Python modules that try to authenticate by ensuring we reject cases where credendials fields are not intialized.
via a06c22f VERSION: Bump version up to 4.3.7...
from c7a93d7 VERSION: Disable git snapshots for the 4.3.6 release.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-3-stable
- Log -----------------------------------------------------------------
commit 4b4a2bd943995025c013a0c9fa8726755b85cdee
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Apr 11 09:19:58 2016 +0200

    VERSION: Disable git snapshots for the 4.3.8 release.

    Signed-off-by: Stefan Metzmacher <metze at samba.org>

commit 10e90112b7fb739542709afbe8d5442f1040ce9d
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Apr 11 09:13:21 2016 +0200

    WHATSNEW: Add release notes for Samba 4.3.8.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11744

    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>

commit ad9257bc5464a2d8c2029e19ef6530a3974d987e
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Apr 8 10:05:38 2016 +0200

    s3:libads: sasl wrapped LDAP connections against with kerberos and arcfour-hmac-md5

    This fixes a regression in commit 2cb07ba50decdfd6d08271cd2b3d893ff95f5af9
    (s3:libads: make use of ads_sasl_spnego_gensec_bind() for GSS-SPNEGO with Kerberos)
    that prevents things like 'net ads join' from working against a Windows 2003 domain.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>

commit caa886eed6035170783d2f674a0d5f7fe66fb054
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Apr 8 13:56:50 2016 +0200

    VERSION: Bump version up to 4.3.8...

    and re-enable git snapshots.

    Signed-off-by: Stefan Metzmacher <metze at samba.org>

commit 6597749526d747283d435ea37eee5890fe7c46cd
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Mar 29 00:36:56 2016 +0200

    VERSION: Disable git snapshots for the 4.3.7 release.

    Signed-off-by: Stefan Metzmacher <metze at samba.org>

commit 17e1b9f48ec5151486d639d02f0d3a6a620982c1
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Mar 29 00:26:48 2016 +0200

    WHATSNEW: Add release notes for Samba 4.3.7.

    o CVE-2015-5370 (Multiple errors in DCE-RPC code)
    o CVE-2016-2110 (Man in the middle attacks possible with NTLMSSP)
    o CVE-2016-2111 (NETLOGON Spoofing Vulnerability)
    o CVE-2016-2112 (LDAP client and server don't enforce integrity)
    o CVE-2016-2113 (Missing TLS certificate validation)
    o CVE-2016-2114 ("server signing = mandatory" not enforced)
    o CVE-2016-2115 (SMB IPC traffic is not integrity protected)
    o CVE-2016-2118 (SAMR and LSA man in the middle attacks possible)

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11744

    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 0e2bccaea901d0f1cda0b45890d44f824749aa44
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 26 21:05:53 2015 +0200

    CVE-2015-5370: s4:selftest: run samba.tests.dcerpc.raw_protocol against ad_dc

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>

commit 9ec6afaccc184747700052c5f94718bbc2a99c60
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Mar 26 22:42:19 2014 +0100
CVE-2015-5370: python/samba/tests: add some dcerpc raw_protocol tests
These are independent from our client library and allow
testing of invalid pdus.
It can be used like this in standalone mode:
SMB_CONF_PATH=/dev/null SERVER=172.31.9.188 python/samba/tests/dcerpc/raw_protocol.py
or
SMB_CONF_PATH=/dev/null SERVER=172.31.9.188 python/samba/tests/dcerpc/raw_protocol.py -v -f TestDCERPC_BIND.test_invalid_auth_noctx
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 21fe7758a3c3fdefee170a55d5ad5a8159b8aec6
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Mar 26 22:42:19 2014 +0100
CVE-2015-5370: python/samba/tests: add infrastructure to do raw protocol tests for DCERPC
These are independent from our client library and allow
testing of invalid pdus.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit a141a3719eaf3a109399453d02c660f1735e12ba
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Dec 22 21:13:41 2015 +0100
CVE-2015-5370: s4:librpc/rpc: call dcerpc_connection_dead() on protocol errors
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 6ac5ad067d9bf80cd2dcd5451c60d60009ab0e79
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Dec 22 21:23:14 2015 +0100
CVE-2015-5370: s3:rpc_client: disconnect connection on protocol errors
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 51a4a8f6d808db0f67f1e0ceba4c339b5df5cc6f
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Dec 23 11:05:45 2015 +0100
CVE-2015-5370: libcli/smb: use a max timeout of 1 second in tstream_smbXcli_np_destructor()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit cd2911fc98b83e1918de93014da6dd14b4356ad0
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Jul 8 00:01:37 2015 +0200
CVE-2015-5370: s3:rpc_server: verify auth_context_id in api_pipe_{bind_auth3,alter_context}
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit ac0d474ce9e01d886aa31d6071bc8910b89614af
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jul 7 22:51:18 2015 +0200
CVE-2015-5370: s3:rpc_client: verify auth_context_id in rpc_pipe_bind_step_one_done()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 4449c51d4faa8d32849c34c00a2320b81e8d7d30
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Jul 8 00:01:37 2015 +0200
CVE-2015-5370: s3:librpc/rpc: verify auth_context_id in dcerpc_check_auth()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 365fffebfa032e09788fe7e9dc44426437382d82
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Jul 8 00:01:37 2015 +0200
CVE-2015-5370: s3:librpc/rpc: make use of auth->auth_context_id in dcerpc_add_auth_footer()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit bc001b09b0213ac1a3c6171d6a9250a924213d67
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Jul 8 00:01:37 2015 +0200
CVE-2015-5370: s3:rpc_server: make use of pipe_auth_data->auth_context_id
This is better than using hardcoded values.
We need to use the value the client used in the BIND request.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 7ab9a8c3b224052c7422ebd02fe83171ed999688
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Jul 8 00:01:37 2015 +0200
CVE-2015-5370: s3:rpc_client: make use of pipe_auth_data->auth_context_id
This is better than using hardcoded values.
We need to use auth_context_id = 1 for authenticated
connections, as old Samba server (before this patchset)
will use a hardcoded value of 1.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 7f2d791d76d9623462c6720047435e84ba755856
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Jul 8 00:01:37 2015 +0200
CVE-2015-5370: s3:librpc/rpc: add auth_context_id to struct pipe_auth_data
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 73550f4c4c58dda0028fd79d0f74623b7a40d79e
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Jul 8 00:01:37 2015 +0200
CVE-2015-5370: s3:rpc_client: pass struct pipe_auth_data to create_rpc_{bind_auth3,alter_context}()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 46ddaf320ddfb13919abd14d68572c1ba9d13842
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jul 7 13:05:01 2015 +0200
CVE-2015-5370: s3:rpc_server: don't allow an existing context to be changed in check_bind_req()
An alter context can't change the syntax of an existing context,
a new context_id will be used for that.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit f3a67c2df66d152437f90e4f88e84c88aadb79f0
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jul 7 13:05:01 2015 +0200
CVE-2015-5370: s3:rpc_server: check the transfer syntax in check_bind_req() first
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 278cdd16c6b8a00369f8e3a7ea308b193f3abde8
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Jul 11 10:58:07 2015 +0200
CVE-2015-5370: s3:librpc/rpc: remove unused dcerpc_pull_dcerpc_auth()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit adaf1ae4ad3492a9a2dcda02a5c86bd078fe9709
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Dec 23 12:38:55 2015 +0100
CVE-2015-5370: s3:rpc_server: use DCERPC_NCA_S_PROTO_ERROR FAULTs for protocol errors
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 14d97d42800e7b2c958af0c284d2ac085d40adee
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Dec 23 12:38:55 2015 +0100
CVE-2015-5370: s3:rpc_server: let a failing BIND mark the connection as broken
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit dbcd01e094f34a39be21f6eee868f675a615aeaa
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Dec 23 12:40:58 2015 +0100
CVE-2015-5370: s3:rpc_server: disconnect the connection after a fatal FAULT pdu
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 3f6a27000b640ada222120559e96769b600de735
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jul 7 16:06:59 2015 +0200
CVE-2015-5370: s3:rpc_server: make use of dcerpc_verify_ncacn_packet_header() to verify incoming pdus
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 11df8918af873a1438976dd2723b64b7044ea437
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jul 7 16:06:59 2015 +0200
CVE-2015-5370: s3:rpc_server: verify presentation context arrays
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 9832a22799c35922be0f40e6b20033a166537b51
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jul 7 16:06:59 2015 +0200
CVE-2015-5370: s3:rpc_server: use 'alter' instead of 'bind' for variables in api_pipe_alter_context()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit e1b75bcc6332165c1a756d6cc8f24cad203b71f8
Author: Jeremy Allison <jra at samba.org>
Date: Tue Jul 7 09:15:39 2015 +0200
CVE-2015-5370: s3:rpc_server: ensure that the message ordering doesn't violate the spec
The first pdu is always a BIND.
REQUEST pdus are only allowed once the authentication
is finished.
A simple anonymous authentication is finished after the BIND.
Real authentication may need additional ALTER or AUTH3 exchanges.
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Jeremy Allison <jra at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 84cbf3dfedeb30cc1c9a08827234904eaadac097
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jul 7 13:05:01 2015 +0200
CVE-2015-5370: s3:rpc_server: make sure auth_level isn't changed by alter_context or auth3
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit d11c5d37ba399074e7685ac45c3eb52b34cce48a
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jul 14 16:18:45 2015 +0200
CVE-2015-5370: s3:rpc_server: let a failing auth3 mark the authentication as invalid
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 476c2f56a7875bac0586a1940465e93b8a459850
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jul 7 13:05:01 2015 +0200
CVE-2015-5370: s3:rpc_server: don't allow auth3 if the authentication was already finished
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 8695339ee65c9d5868b6e1ea9ad8b27f6680e130
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jul 7 13:05:01 2015 +0200
CVE-2015-5370: s3:rpc_server: don't ignore failures of dcerpc_push_ncacn_packet()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit a4a828eeca89277ab9388e33a708041b86645774
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jul 7 13:05:01 2015 +0200
CVE-2015-5370: s3:rpc_server: just call pipe_auth_generic_bind() in api_pipe_bind_req()
pipe_auth_generic_bind() does all the required checks already
and an explicit DCERPC_AUTH_TYPE_NONE is not supported.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit db297a7d0c4d8585edc3380b9ca1c01e23f506c0
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Dec 23 12:38:55 2015 +0100
CVE-2015-5370: s3:rpc_server: let a failing sec_verification_trailer mark the connection as broken
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit 905313c1761217fd80293fb74a473fb06aee8019
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jul 7 13:05:01 2015 +0200
CVE-2015-5370: s3:rpc_server: make use of dcerpc_pull_auth_trailer() in api_pipe_{bind_req,alter_context,bind_auth3}()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 0cf8404c12c1633f49dc058cd2cea990afa23fb0
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jul 7 22:51:18 2015 +0200
CVE-2015-5370: s3:rpc_client: verify auth_{type,level} in rpc_pipe_bind_step_one_done()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit e87721a347031204296876f0f4fb78821c65a474
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jul 10 14:48:38 2015 +0200
CVE-2015-5370: s3:rpc_client: protect rpc_api_pipe_got_pdu() against too large payloads
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 8e691e7c24389c128f4959b771400efa5d049824
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jul 7 13:05:01 2015 +0200
CVE-2015-5370: s3:rpc_client: make use of dcerpc_verify_ncacn_packet_header() in cli_pipe_validate_current_pdu()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit f606cfd106e6cf33ca35293fe4acc5cdf1a72ad5
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jul 7 13:05:01 2015 +0200
CVE-2015-5370: s3:rpc_client: make use of dcerpc_pull_auth_trailer()
This does much more validation than dcerpc_pull_dcerpc_auth().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit f39183cd36a65db939637ca0166bdaa1ce26d26e
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jul 9 07:59:24 2015 +0200
CVE-2015-5370: s3:librpc/rpc: let dcerpc_check_auth() auth_{type,level} against the expected values.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 28d558e9b6f2bcbe49d7149a17bb15642ee96142
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jul 9 07:59:24 2015 +0200
CVE-2015-5370: s3:librpc/rpc: remove auth trailer and possible padding within dcerpc_check_auth()
This simplifies the callers a lot.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit db30949c989dec0c312ab12d0d2de4193f46b91f
Author: Stefan Metzmacher <metze at samba.org>
Date: Sun Jun 28 01:19:57 2015 +0200
CVE-2015-5370: librpc/rpc: don't allow pkt->auth_length == 0 in dcerpc_pull_auth_trailer()
All callers should have already checked that.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit cce72652b437aed2a1be49bccef1beb728a94bbf
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Jul 15 10:18:13 2015 +0200
CVE-2015-5370: s4:rpc_server: reject DCERPC_PFC_FLAG_PENDING_CANCEL with DCERPC_FAULT_NO_CALL_ACTIVE
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 795b44e428c4e7583c8de23701b5e9cf51c5e83a
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Jul 15 10:18:13 2015 +0200
CVE-2015-5370: s4:rpc_server: the assoc_group is relative to the connection (association)
All presentation contexts of a connection use the same association group.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 67e26610ab83c5d6e009ddf2e9881cc8132fcf0b
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jul 17 05:01:26 2015 +0200
CVE-2015-5370: s4:rpc_server: only allow one fragmented call_id at a time
It's a protocol error if the client doesn't send all fragments of
a request in one go.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit f77f9bfdb4462fe191d762118d06becc01f4b9a4
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Jun 29 14:18:09 2015 +0200
CVE-2015-5370: s4:rpc_server: limit allocation and alloc_hint to 4 MByte
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 3239e26ad48ed451181a538ccb1269b44a9a5192
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Jul 15 17:21:05 2015 +0200
CVE-2015-5370: s4:rpc_server: check frag_length for requests
Note this is not the negotiated fragment size, but a hardcoded maximum.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit d249ce6fcdfa22e7179c2d919fd0de2c3484cbc6
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jul 10 13:55:27 2015 +0200
CVE-2015-5370: s4:rpc_server: give the correct reject reasons for invalid auth_level values
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 0e26f3ce2f30efc705d5327764f3c0403474a514
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 26 08:10:46 2015 +0200
CVE-2015-5370: s4:rpc_server: disconnect after a failing dcesrv_auth_request()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 6ed0ef77ae57aa0981f05a2702546eae5d7e3677
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jul 14 16:18:45 2015 +0200
CVE-2015-5370: s4:rpc_server: let a failing auth3 mark the authentication as invalid
Following requests will generate a fault with ACCESS_DENIED.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 615019f103553fcc2c39dc285733ffc0081050b9
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 26 08:10:46 2015 +0200
CVE-2015-5370: s4:rpc_server: failing authentication should generate a SEC_PKG_ERROR
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit e0b58a15146e780188852f6eea71e63edc139de2
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 26 08:10:46 2015 +0200
CVE-2015-5370: s4:rpc_server: fix the order of error checking in dcesrv_alter()
This basically matches Windows 2012R2, it's not 100%
but it's enough for our raw protocol tests to pass.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit cf0a93910d21833025736314216237b73405aa6e
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 26 08:10:46 2015 +0200
CVE-2015-5370: s4:rpc_server: changing an existing presentation context via alter_context is a protocol error
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit f0d318ffee777c400d40eb2fc2c60aae93b725b3
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 26 08:10:46 2015 +0200
CVE-2015-5370: s4:rpc_server: don't derefence an empty ctx_list array in dcesrv_alter()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 6228c5336b7dcb590cba4d212009a204301523c2
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 26 08:10:46 2015 +0200
CVE-2015-5370: s4:rpc_server: remove pointless dcesrv_find_context() from dcesrv_bind()
BIND is the first pdu, which means the list of contexts is always empty.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit a7d02ecba79071bf94b59d2de400bde0faba831e
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 26 08:10:46 2015 +0200
CVE-2015-5370: s4:rpc_server: let invalid request fragments disconnect the connection with a protocol error
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 1d99eec5a73dd56e0bbc7c562af237fa7a7dc7ec
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 26 08:10:46 2015 +0200
CVE-2015-5370: s4:rpc_server: make sure alter_context and auth3 can't change auth_{type,level,context_id}
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 6b2d064dcd0f8208648ea3e974b9c1d569f48279
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 26 08:10:46 2015 +0200
CVE-2015-5370: s4:rpc_server: maintain in and out struct dcerpc_auth per dcesrv_call_state
We should not use one "global" per connection variable to hold the
incoming and outgoing auth_info.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 26ad208abde55504f08f9d777ebbad589608251d
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 26 08:10:46 2015 +0200
CVE-2015-5370: s4:rpc_server: ensure that the message ordering doesn't violate the spec
The first pdu is always a BIND.
REQUEST pdus are only allowed once the authentication
is finished.
A simple anonymous authentication is finished after the BIND.
Real authentication may need additional ALTER or AUTH3 exchanges.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 2ed603a3780dfd246f8c3cd2718f0561f77ca4be
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 26 08:10:46 2015 +0200
CVE-2015-5370: s4:rpc_server: verify the protocol headers before processing pdus
On protocol errors we should send BIND_NAK or FAULT and mark the
connection as to be terminated.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
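The ordering rules stated in the CVE-2015-5370 commit messages above (first pdu is a BIND, REQUEST only after authentication has finished, no AUTH3 once it has finished, a failing AUTH3 turns later requests into ACCESS_DENIED faults, protocol errors terminate the connection) can be modelled as a small per-connection state machine. This is an added illustration, not code from the Samba tree: every type and function name is hypothetical, the pdu sequences are constructed, and `token_ok`/`more_legs` stand in for the security package's result.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model types; none of these names are Samba's. */
enum pdu_type { PDU_BIND, PDU_ALTER, PDU_AUTH3, PDU_REQUEST };
enum auth_state { AUTH_NONE, AUTH_IN_PROGRESS, AUTH_FINISHED, AUTH_INVALID };
enum verdict {
    V_OK,                  /* pdu accepted */
    V_BIND_NAK,            /* BIND rejected, connection marked broken */
    V_FAULT_ACCESS_DENIED, /* REQUEST after the authentication failed */
    V_PROTO_ERROR,         /* ordering violation, connection terminated */
    V_CLOSED               /* connection had already been terminated */
};

struct pdu {
    enum pdu_type type;
    uint16_t auth_length;  /* 0 means the pdu carries no authentication */
    bool token_ok;         /* assumed: security package accepted this leg */
    bool more_legs;        /* assumed: package wants another ALTER/AUTH3 */
};

struct conn { bool bound; bool terminate; enum auth_state auth; };

static enum verdict proto_error(struct conn *c)
{
    c->terminate = true;   /* reply with BIND_NAK/FAULT, then disconnect */
    return V_PROTO_ERROR;
}

/* Advance the authentication by one leg (carried by ALTER or AUTH3). The log
 * states the "failure marks auth invalid" rule for AUTH3; applying it to
 * ALTER as well is an assumption of this model. */
static void auth_leg(struct conn *c, const struct pdu *p)
{
    if (!p->token_ok) c->auth = AUTH_INVALID;
    else c->auth = p->more_legs ? AUTH_IN_PROGRESS : AUTH_FINISHED;
}

enum verdict conn_handle(struct conn *c, const struct pdu *p)
{
    if (c->terminate) return V_CLOSED;
    if (!c->bound) {
        if (p->type != PDU_BIND) return proto_error(c); /* first pdu: BIND */
        if (p->auth_length == 0) {
            c->auth = AUTH_FINISHED;   /* anonymous: finished after BIND */
        } else if (!p->token_ok) {
            c->terminate = true;       /* failing BIND breaks the connection */
            return V_BIND_NAK;
        } else {
            c->auth = p->more_legs ? AUTH_IN_PROGRESS : AUTH_FINISHED;
        }
        c->bound = true;
        return V_OK;
    }
    switch (p->type) {
    case PDU_BIND:                     /* assumption: a second BIND is an error */
        return proto_error(c);
    case PDU_AUTH3:                    /* not allowed once auth is finished */
        if (c->auth != AUTH_IN_PROGRESS) return proto_error(c);
        auth_leg(c, p);                /* AUTH3 has no reply; failure is latent */
        return V_OK;
    case PDU_ALTER:                    /* context negotiation is not modelled */
        if (c->auth == AUTH_IN_PROGRESS) auth_leg(c, p);
        return V_OK;
    case PDU_REQUEST:
        if (c->auth == AUTH_FINISHED) return V_OK;
        if (c->auth == AUTH_INVALID) return V_FAULT_ACCESS_DENIED;
        return proto_error(c);         /* REQUEST before auth has finished */
    }
    return proto_error(c);
}

/* Feed the first n pdus of seq to a fresh connection; return the last verdict. */
enum verdict run_sequence(const struct pdu *seq, size_t n)
{
    struct conn c = { false, false, AUTH_NONE };
    enum verdict v = V_OK;
    for (size_t i = 0; i < n; i++) v = conn_handle(&c, &seq[i]);
    return v;
}

/* Constructed sample sequences. */
const struct pdu SEQ_ANON[] = { {PDU_BIND, 0, true, false}, {PDU_REQUEST, 0, true, false} };
const struct pdu SEQ_NO_BIND[] = { {PDU_REQUEST, 0, true, false}, {PDU_BIND, 0, true, false} };
const struct pdu SEQ_EARLY_REQUEST[] = { {PDU_BIND, 16, true, true}, {PDU_REQUEST, 0, true, false} };
const struct pdu SEQ_AUTH3_OK[] = { {PDU_BIND, 16, true, true}, {PDU_AUTH3, 16, true, false},
                                    {PDU_REQUEST, 0, true, false} };
const struct pdu SEQ_AUTH3_FAIL[] = { {PDU_BIND, 16, true, true}, {PDU_AUTH3, 16, false, false},
                                      {PDU_REQUEST, 0, true, false} };
const struct pdu SEQ_LATE_AUTH3[] = { {PDU_BIND, 0, true, false}, {PDU_AUTH3, 16, true, false} };
const struct pdu SEQ_BIND_FAIL[] = { {PDU_BIND, 16, false, false} };

int main(void)
{
    printf("anonymous bind + request: %d\n", run_sequence(SEQ_ANON, 2));
    printf("request before bind:      %d\n", run_sequence(SEQ_NO_BIND, 1));
    printf("request during auth:      %d\n", run_sequence(SEQ_EARLY_REQUEST, 2));
    printf("request after bad auth3:  %d\n", run_sequence(SEQ_AUTH3_FAIL, 3));
    return 0;
}
```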
commit e9511b55664d0f37fc399ee737e18880b5c9c8ad
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 26 08:10:46 2015 +0200
CVE-2015-5370: s4:rpc_server: add infrastructure to terminate a connection after a response
BIND_NAK or FAULT may mark a connection as to be terminated.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 5ab994c4ea7da10262633276bc33741d13040279
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 26 08:10:46 2015 +0200
CVE-2015-5370: s4:rpc_server: make dcesrv_process_ncacn_packet() static
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 6db7571447c6e15ff3d49cf6eaa3cdae0e2d273b
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 26 08:10:46 2015 +0200
CVE-2015-5370: s4:rpc_server: return the correct secondary_address in dcesrv_bind()
For now we still force \\PIPE\\ in upper case, we may be able to remove
this and change it in our idl files later. But for now we better
behave like a windows server without changing too much.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 9f62223dd5010ffa18640527c19c6887cf30965b
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 26 08:10:46 2015 +0200
CVE-2015-5370: s4:rpc_server: add some padding to dcesrv_bind_nak() responses
This matches Windows 2012R2.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 4ea67655ea2b57deb8d97d5ec1d9ad934ccdb17a
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 26 08:10:46 2015 +0200
CVE-2015-5370: s4:rpc_server: split out a dcesrv_fault_with_flags() helper function
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 8ba1be08827f2ddd12f83a79bf563934666d0353
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 26 08:10:46 2015 +0200
CVE-2015-5370: s4:rpc_server: fill context_id in dcesrv_fault()
This depends on the type of the incoming pdu.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 69e1d936950771e429420a8635216bfbf7d52c0b
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 26 08:10:46 2015 +0200
CVE-2015-5370: s4:rpc_server: set alloc_hint = 24 in dcesrv_fault()
This matches a Windows 2012R2 server.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 5eb3b63c294ee7c27324892bd0506358d8771f5e
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 26 08:10:46 2015 +0200
CVE-2015-5370: s4:rpc_server: avoid ZERO_STRUCT() in dcesrv_fault()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 3165b230b93a383b164ac4488f7fc16fda8c772b
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 26 08:10:46 2015 +0200
CVE-2015-5370: s4:rpc_server: correctly maintain dcesrv_connection->max_{recv,xmit}_frag
These values are controlled by the client but only in a range between
2048 and 5840 (including these values in 8 byte steps).
recv and xmit always result in the same min value.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 563d8fe8c77dc0b435b99001c23927163faf358d
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 26 08:10:46 2015 +0200
CVE-2015-5370: s4:rpc_server/netlogon: make use of dce_call->conn->auth_state.auth_{level,type}
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit fd3b82e1ee3cdf077ed240be02a30370f9aa4a0a
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 26 08:10:46 2015 +0200
CVE-2015-5370: s4:rpc_server/samr: make use of dce_call->conn->auth_state.auth_level
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 1077b508589edc5d9dcad9bd8951753546bc8054
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 26 08:10:46 2015 +0200
CVE-2015-5370: s4:rpc_server/lsa: make use of dce_call->conn->auth_state.auth_{level,type}
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 5325276f96ebd1d6172c0aca84bd8ab3c4bb52b9
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Mar 10 16:02:31 2016 +0100
CVE-2015-5370: s4:rpc_server: make use of dce_call->conn->auth_state.auth_* in dcesrv_request()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit f8b98b323ba38c86309b43761ca5ddc4c6d2f5fb
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Jun 29 11:03:58 2015 +0200
CVE-2015-5370: s4:rpc_server: maintain dcesrv_auth->auth_{type,level,context_id}
This will simplify checks in the following commits and avoids
dereferencing dcesrv_auth->auth_info which is not always around.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 16e3a4c7d98ea234496ee096296eb08336d13b41
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 26 08:10:46 2015 +0200
CVE-2015-5370: s4:rpc_server: check the result of dcerpc_pull_auth_trailer() in dcesrv_auth_bind()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 308543b2c5b2452cc918737759569ab92f4e2598
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 26 08:10:46 2015 +0200
CVE-2015-5370: s4:rpc_server: no authentication is indicated by pkt->auth_length == 0
pkt->u.*.auth_info.length is not the correct thing to check.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 08f976d92588194973fbe0e1623b9f3a12ff1e14
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 26 08:10:46 2015 +0200
CVE-2015-5370: s4:rpc_server: make use of talloc_zero()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 0235d724919b945a7a9ba6cb03596c40937e800a
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jul 10 14:08:46 2015 +0200
CVE-2015-5370: s4:librpc/rpc: protect dcerpc_request_recv_data() against too large payloads
We should only allow a combined payload of a response of at max 4 MBytes.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit df2dcc19b12333a45899123bcd0f70ab71c1063e
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Jun 27 10:31:48 2015 +0200
CVE-2015-5370: s4:librpc/rpc: use dcerpc_verify_ncacn_packet_header() to verify BIND_ACK,ALTER_RESP,RESPONSE pdus
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 443e00f3039647a442132ad89a870e33aaff105d
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Jun 27 10:31:48 2015 +0200
CVE-2015-5370: s4:librpc/rpc: handle DCERPC_PKT_FAULT before anything else in dcerpc_alter_context_recv_handler()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 1551c418a439eaa139d3b445401741e54ea552e7
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Jun 27 10:31:48 2015 +0200
CVE-2015-5370: s4:librpc/rpc: make use of dcerpc_map_ack_reason() in dcerpc_bind_recv_handler()
This should give better error messages if the server doesn't support
a specific abstract/transfer syntax.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 9b9d3077ea81f135351f52ed3d2c07322da76754
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jul 7 13:05:01 2015 +0200
CVE-2015-5370: s3:rpc_client: remove useless frag_length check in rpc_api_pipe_got_pdu()
dcerpc_pull_ncacn_packet() already verifies this.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 735d4ba376e4e4b86e7e19b5dea22770aaea23ac
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jul 7 13:05:01 2015 +0200
CVE-2015-5370: s3:rpc_client: move AS/U hack to the top of cli_pipe_validate_current_pdu()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 21b90228b1d5ba7f3146164c3713f900550ee792
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 26 08:10:46 2015 +0200
CVE-2015-5370: librpc/rpc: add a dcerpc_verify_ncacn_packet_header() helper function
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 821d48478a1937f57131c143f57f843333e0e36f
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Jun 27 10:31:48 2015 +0200
CVE-2015-5370: s4:librpc/rpc: finally verify the server uses the expected auth_{type,level,context_id} values
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 447f9f1a242855ae249e5283be778c69d5b96624
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Jun 27 10:31:48 2015 +0200
CVE-2015-5370: s4:librpc/rpc: avoid using dcecli_security->auth_info and use per request values
We now avoid reusing the same auth_info structure for incoming and outgoing
values. We need to make sure that the remote server doesn't overwrite our own
values.
This will trigger some failures with our currently broken server,
which will be fixed in the next commits.
The broken server requires a dcerpc_auth structure with no credentials
in order to do an alter_context request that just creates a presentation
context without doing authentication.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 220e4ca79dc7a84db9a6e4d65f4b4e9fbf14a7c9
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Jun 27 10:31:48 2015 +0200
CVE-2015-5370: s4:librpc/rpc: simplify checks if gensec is used in dcerpc_ship_next_request()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit e6da619500da08cb5b60f723c229ad79a4d9b6ca
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Jun 27 10:31:48 2015 +0200
CVE-2015-5370: s4:librpc/rpc: avoid dereferencing sec->auth_info in dcerpc_request_prepare_vt()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 3df2b07571b7b11581c5bbaf38ba48fe760638b1
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Jun 27 10:31:48 2015 +0200
CVE-2015-5370: s4:librpc/rpc: always use ncacn_pull_request_auth() for DCERPC_PKT_RESPONSE pdus
It handles the case of DCERPC_AUTH_TYPE_NONE just fine and it makes it
possible to do some verification in future.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 0899c0ac97c8a92d66c4e4bfa225032d4abb8888
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Jun 27 10:31:48 2015 +0200
CVE-2015-5370: s4:librpc/rpc: avoid using c->security_state.auth_info in ncacn_pull_request_auth()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 71c2c21a68f56696a19016dcf0194629ea404d49
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Jun 27 10:31:48 2015 +0200
CVE-2015-5370: s4:librpc/rpc: avoid using hs->p->conn->security_state.auth_info in dcerpc_bh_auth_info()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit e39b7372612798e6948da7affc6cf0f354fe8ab0
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Jun 27 10:31:48 2015 +0200
CVE-2015-5370: s4:librpc/rpc: use a local auth_info variable in ncacn_push_request_sign()
We should avoid using the global dcecli_security->auth_info struct for
individual requests.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 5be0fb14335a2f0b60dc0e300803dc73321a9632
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Jun 27 10:31:48 2015 +0200
CVE-2015-5370: s4:librpc/rpc: use auth_context_id = 1
In future we want to verify that the auth_context_id from the server
is what we expect.
As Samba (<= 4.2.3) uses a hardcoded value of 1 in responses, we
need to use that.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit f64b0172e25189d17d3ab5e7060c61cdf53714ee
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Jun 27 10:31:48 2015 +0200
CVE-2015-5370: s4:librpc/rpc: maintain dcecli_security->auth_{type,level,context_id}
This will simplify the following commits and avoids dereferencing
dcecli_security->auth_info.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 47d8c31286572edde38db397fa9ad8ea018e6a7f
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Jul 8 16:25:48 2015 +0200
CVE-2015-5370: s4:librpc/rpc: send a dcerpc_sec_verification_trailer if needed
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 1c7be37eca8c9cdee8ca7bb2207e3739cbbde4cb
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Jun 29 10:24:45 2015 +0200
CVE-2015-5370: s3:librpc/rpc: don't call dcerpc_pull_auth_trailer() if auth_length is 0
All other paranoia checks are done within dcerpc_pull_auth_trailer()
now.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 82dd128dec0bff450e049bed3efe5090185dbd06
Author: Stefan Metzmacher <metze at samba.org>
Date: Sun Jun 28 01:19:57 2015 +0200
CVE-2015-5370: librpc/rpc: simplify and harden dcerpc_pull_auth_trailer()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit e96791f6cf4a209675bbac9fba13f6e5ade04047
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jul 16 22:46:05 2015 +0200
CVE-2015-5370: dcerpc.idl: add DCERPC_{NCACN_PAYLOAD,FRAG}_MAX_SIZE defines
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 6602e7e2af0ae743f49a746663adf122d4af34ff
Author: Stefan Metzmacher <metze at samba.org>
Date: Sun Feb 28 22:48:11 2016 +0100
CVE-2016-2118: s3:rpc_server/samr: allow _samr_ValidatePassword only with PRIVACY...
This requires transport encryption.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 45a9ca1ada8892ddc76a2f554c97d605431ff5f7
Author: Stefan Metzmacher <metze at samba.org>
Date: Sun Feb 28 22:48:11 2016 +0100
CVE-2016-2118: s4:rpc_server/samr: allow _samr_ValidatePassword only with PRIVACY...
This requires transport encryption.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit e9718e2b40a558ec4a91119df923f127e7c6420f
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Mar 10 17:03:59 2016 +0100
CVE-2016-2118: docs-xml: default "allow dcerpc auth level connect" to "no"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
commit 4762d25f1a1c2bebad913166ecc6988e63981de2
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Mar 26 08:47:42 2016 +0100
CVE-2016-2118: s3:rpc_server/{epmapper,echo}: allow DCERPC_AUTH_LEVEL_CONNECT by default
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
commit 1ac5f3757e98340219523da9b3cc3485376cb5c7
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Aug 7 09:50:30 2015 +0200
CVE-2016-2118: s3:rpc_server/{samr,lsa,netlogon}: reject DCERPC_AUTH_LEVEL_CONNECT by default
This prevents man in the middle downgrade attacks.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
Pair-Programmed-With: Günther Deschner <gd at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Günther Deschner <gd at samba.org>
commit 3ba93ce2a0bab7865a3618abe469df0fb3e3c44a
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Mar 18 04:40:30 2016 +0100
CVE-2016-2118: s3:rpc_server: make use of "allow dcerpc auth level connect"
With this option turned off we only allow DCERPC_AUTH_LEVEL_{NONE,INTEGRITY,PRIVACY},
this means we reject any request with AUTH_LEVEL_CONNECT with ACCESS_DENIED.
We sadly need to keep this enabled by default for now.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
Pair-Programmed-With: Günther Deschner <gd at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Günther Deschner <gd at samba.org>
commit a2d14bbc092b970a1714454d3934fefd91ebbe74
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Mar 26 19:19:04 2016 +0100
CVE-2016-2118: s4:rpc_server/rpcecho: allow DCERPC_AUTH_LEVEL_CONNECT by default
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
commit 60459470505b7188826174100d23807bbba08760
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Mar 26 19:18:42 2016 +0100
CVE-2016-2118: s4:rpc_server/mgmt: allow DCERPC_AUTH_LEVEL_CONNECT by default
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
commit 8f219a0b65ae85ef6ec65b8ab5c36519b1c4ada9
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Mar 26 19:17:40 2016 +0100
CVE-2016-2118: s4:rpc_server/epmapper: allow DCERPC_AUTH_LEVEL_CONNECT by default
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
commit 7869c5f857d5a8753d6da18431fcd17c4fcc3c72
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Aug 7 13:52:48 2015 +0200
CVE-2016-2118: s4:rpc_server/netlogon: reject DCERPC_AUTH_LEVEL_CONNECT by default
This prevents man in the middle downgrade attacks.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit 20e40238171871fb2149fbb80a3425b7c5734128
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Aug 7 09:50:30 2015 +0200
CVE-2016-2118: s4:rpc_server/samr: reject DCERPC_AUTH_LEVEL_CONNECT by default
This prevents man in the middle downgrade attacks.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit ca9850029b7310f34aaf8b234e0f4f0f8297806d
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Aug 7 09:50:30 2015 +0200
CVE-2016-2118: s4:rpc_server/lsa: reject DCERPC_AUTH_LEVEL_CONNECT by default
This prevents man in the middle downgrade attacks.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 7b93802473f3c671879fa594cd8759263a6ec950
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Mar 10 02:46:59 2016 +0100
CVE-2016-2118: s4:rpc_server: make use of "allow dcerpc auth level connect"
With this option turned off we only allow DCERPC_AUTH_LEVEL_{NONE,INTEGRITY,PRIVACY},
this means we reject any request with AUTH_LEVEL_CONNECT with ACCESS_DENIED.
We sadly need to keep this enabled by default for now.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit e7be37ec66870be1e34f15b418bcddab3dc6b0d4
Author: Ralph Boehme <slow at samba.org>
Date: Fri Mar 18 08:45:11 2016 +0100
CVE-2016-2118(<=4.3) docs-xml: add "allow dcerpc auth level connect" defaulting to "yes"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 979067f6a383adae214ba47ac31c21f739263483
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Mar 10 17:03:59 2016 +0100
CVE-2016-2118: docs-xml: add "allow dcerpc auth level connect" defaulting to "yes"
We sadly need to allow this for now by default.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 101e8e8171b97922512a8197df9d2d9dbdd5c082
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Mar 11 16:02:25 2016 +0100
CVE-2016-2118: s4:librpc: use integrity by default for authenticated binds
ncacn_ip_tcp:server should get the same protection as ncacn_np:server
if authentication and smb signing is used.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit 9ae9c6485739e17b4fc4a3ae7da3ce2733cac05d
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Dec 15 14:49:36 2015 +0100
CVE-2016-2118: librpc: change the default auth level from DCERPC_AUTH_LEVEL_CONNECT to DCERPC_AUTH_LEVEL_INTEGRITY
ncacn_ip_tcp:server should get the same protection as ncacn_np:server
if authentication and smb signing is used.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit d5659c7ec71d4cca19d8a7fed3e331ff908763b4
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Dec 15 14:49:36 2015 +0100
CVE-2016-2118: s3: rpcclient: change the default auth level from DCERPC_AUTH_LEVEL_CONNECT to DCERPC_AUTH_LEVEL_INTEGRITY
ncacn_ip_tcp:server should get the same protection as ncacn_np:server
if authentication and smb signing is used.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit 0a3d923d65277718db61ce84948d4d1db0093864
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Mar 10 04:06:04 2016 +0100
CVE-2016-2118: s4:rpc_server/dnsserver: require at least DCERPC_AUTH_LEVEL_INTEGRITY
This matches Windows and prevents man in the middle downgrade attacks.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 9bfa937b8dacc04ea54e8f64aab83ab4c1328ee7
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Mar 14 22:15:00 2016 +0100
CVE-2016-2118: python:tests/dcerpc: use [sign] for dnsserver tests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 5eb6341e6cfa4ce54229a8c64b4db8acb8255221
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jul 14 09:13:00 2015 +0200
CVE-2016-2118: s4:rpc_server/backupkey: require DCERPC_AUTH_LEVEL_PRIVACY
This is required for the whole interface (which has just one opnum for now).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit e8dc268be5284a947f010b3bf2d726345152c500
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jul 14 09:13:00 2015 +0200
CVE-2016-2118: s4:rpc_server/drsuapi: require DCERPC_AUTH_LEVEL_PRIVACY
This matches Windows and prevents man in the middle downgrade attacks.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 31e76110440d89e9d8e61e91bd1214351e9db7f7
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jul 14 09:12:18 2015 +0200
CVE-2016-2118: s4:rpc_server: make it possible to define a min_auth_level on a presentation context
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit fa2630fad5ddbfb5eaff3f229d3800b706c4a9f8
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Mar 15 23:52:30 2016 +0100
CVE-2016-2115: docs-xml: always default "client ipc signing" to "mandatory"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
commit 2d6810010adde4fa0d2ca6677c4291f573cb666e
Author: Ralph Boehme <slow at samba.org>
Date: Wed Dec 16 10:04:35 2015 +0100
CVE-2016-2115: s3:libsmb: use SMB_SIGNING_IPC_DEFAULT and lp_client_ipc_{min,max}_protocol()
Use SMB_SIGNING_IPC_DEFAULT and lp_client_ipc_{min,max}_protocol() for RPC connections.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit cdad358946b0d5281ec6fb878dd08cb1e6224969
Author: Ralph Boehme <slow at samba.org>
Date: Wed Dec 16 10:03:52 2015 +0100
CVE-2016-2115: s3:libnet: use SMB_SIGNING_IPC_DEFAULT
Use SMB_SIGNING_IPC_DEFAULT for RPC connections.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit b66500f29cf1f4320a5dd7d2becb2d2b8af69e5f
Author: Ralph Boehme <slow at samba.org>
Date: Wed Dec 16 10:03:13 2015 +0100
CVE-2016-2115: s3:auth_domain: use SMB_SIGNING_IPC_DEFAULT
Use SMB_SIGNING_IPC_DEFAULT for RPC connections.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 27c66c4ab6ee9f65dbef70025a50ddbb4689d99c
Author: Ralph Boehme <slow at samba.org>
Date: Wed Dec 16 10:01:59 2015 +0100
CVE-2016-2115: s3:lib/netapi: use SMB_SIGNING_IPC_DEFAULT
Use SMB_SIGNING_IPC_DEFAULT for RPC connections.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 9339d9008265eb8aedd4f32825978ed33eb69a79
Author: Ralph Boehme <slow at samba.org>
Date: Wed Dec 16 10:00:09 2015 +0100
CVE-2016-2115: net: use SMB_SIGNING_IPC_DEFAULT
Use SMB_SIGNING_IPC_DEFAULT for RPC connections.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 38552d7ffa7b7e40afb251a170ceb4ee0039a431
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Dec 18 17:16:04 2015 +0100
CVE-2016-2115: s3:libsmb: let SMB_SIGNING_IPC_DEFAULT use "client ipc min/max protocol"
We need NT1 => LATEST in order to work against all servers which support
DCERPC over ncacn_np.
This is a mini step in using SMB2/3 in our client side by default.
This gives us a higher chance that SMB signing is supported by the
server (as it can't be turned off for SMB2 and higher).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit bdff08d2d80177f50608c7b4042163c55baff142
Author: Ralph Boehme <slow at samba.org>
Date: Wed Dec 16 09:55:37 2015 +0100
CVE-2016-2115: s3:libsmb: add signing constant SMB_SIGNING_IPC_DEFAULT
SMB_SIGNING_IPC_DEFAULT must be used from s3 client code when opening
RPC connections.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 2b23bc361f9f060ab8d4a7b5e901b9a4b7b795f9
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Dec 21 13:22:16 2015 +0100
CVE-2016-2115: s3:winbindd: use lp_client_ipc_signing()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 585926601dfcd4e49f64ed4531676d2d031bb131
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Feb 27 04:23:58 2016 +0100
CVE-2016-2115: s3:winbindd: use lp_client_ipc_{min,max}_protocol()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit e0588d9f4c8f4326c9ef69a56f402396dd72ffd1
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Mar 28 13:44:29 2014 +0100
CVE-2016-2115: s4:librpc/rpc: make use of "client ipc *" options for ncacn_np
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 2220923c13f129676b1c5b791f83ff772d28ed7f
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Feb 27 04:15:38 2016 +0100
CVE-2016-2115: s4:libcli/raw: pass the minprotocol to smb_raw_negotiate*()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 60851a0e1a2de9e1af25a78633b441c56e7c8670
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Feb 27 04:15:38 2016 +0100
CVE-2016-2115: s4:libcli/raw: limit maxprotocol to NT1 in smb_raw_negotiate*()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 7903203634d70587f5c407ca5218cc68b437f230
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Feb 27 04:14:39 2016 +0100
CVE-2016-2115: s4:libcli/smb2: use the configured min_protocol
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit c21c9a3e9a447f791382e0cb32a10cd6f2cfabc8
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Feb 27 04:13:11 2016 +0100
CVE-2016-2115: s4:libcli/raw: add smbcli_options.min_protocol
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 2c136977c86f6fceac30f410303fe428265ba5ef
Author: Ralph Boehme <slow at samba.org>
Date: Fri Mar 18 09:04:37 2016 +0100
CVE-2016-2115(<=4.3): docs-xml: add "client ipc signing" option
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11796
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 668cc85770fd1bcf18ccba5a0a292ba53339c744
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Feb 27 03:43:58 2016 +0100
CVE-2016-2115: docs-xml: add "client ipc signing" option
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 9fa185c5ae119974d8066a5066030667104ac915
Author: Ralph Boehme <slow at samba.org>
Date: Fri Mar 18 08:58:32 2016 +0100
CVE-2016-2115(<=4.3): docs-xml: add "client ipc min protocol" and "client ipc max protocol" options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11796
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 2f7d773829921fd87baa37f758619ff18dbfe9b8
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Feb 27 03:45:43 2016 +0100
CVE-2016-2115: docs-xml: add "client ipc min protocol" and "client ipc max protocol" options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11796
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 25b05a8e573ffb1a835c791160b2a0d01658b2e9
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Jul 15 10:57:03 2015 +0200
CVE-2016-2114: docs-xml: let the "smb signing" documentation reflect the reality
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11687
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 86114412cc12b49b094ab201051d244f40b3f5b4
Author: Ralph Boehme <slow at samba.org>
Date: Tue Mar 22 16:30:42 2016 +0100
CVE-2016-2114: s3:smbd: enforce "server signing = mandatory"
This fixes a regression that was introduced by commit
abb24bf8e874d525382e994af7ae432212775153
("s3:smbd: make use of better SMB signing negotiation").
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11687
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Ralph Boehme <slow at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 7c6c666d8d5206662ae5385d8b8490a622110b5c
Author: Ralph Boehme <slow at samba.org>
Date: Tue Mar 22 16:25:32 2016 +0100
CVE-2016-2114: libcli/smb: let mandatory signing imply allowed signing
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11687
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Ralph Boehme <slow at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 67f8524d271021188cd6219e8765abe36f2ed092
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Jul 15 10:57:03 2015 +0200
CVE-2016-2114: s3:smbd: use the correct default values for "smb signing"
This means an ad_dc will now require signing by default.
This matches the default behavior of Windows DC and avoids
man in the middle attacks.
The main logic for this hides in lpcfg_server_signing_allowed().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11687
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 221727689a79167ad16111ce6fa2ae7f567b1417
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jul 16 04:45:16 2015 +0200
CVE-2016-2114: s4:smb2_server: fix session setup with required signing
The client can't sign the session setup request...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11687
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 641cbccc9585f4dec3454a6ce0746c47b7be5cc9
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Mar 16 13:03:08 2016 +0100
CVE-2016-2113: docs-xml: let "tls verify peer" default to "as_strict_as_possible"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11752
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
commit d778580aa2882b6a946c5c81289bd1a5550f746d
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Mar 26 08:38:46 2016 +0100
CVE-2016-2113: selftest: use "tls verify peer = no_check"
Individual tests will check the more secure values.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11752
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
commit dc4f8d01539009256709a96207e0ccfc031d58be
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Mar 16 15:07:36 2016 +0100
CVE-2016-2113: selftest: test all "tls verify peer" combinations with ldaps
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11752
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit fdac2363f36d6a5237c06ed07e3d669e35a38eb0
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Dec 23 16:17:04 2015 +0100
CVE-2016-2113: s4:librpc/rpc: verify the rpc_proxy certificate and hostname if configured
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11752
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 389b15e298644c112ee1939c846d071410ec4bc1
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Dec 23 16:17:04 2015 +0100
CVE-2016-2113: s4:libcli/ldap: verify the server certificate and hostname if configured
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11752
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 54a039d341d3ba99702e4f15dfc2b63c662c0966
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Mar 21 03:56:22 2016 +0100
CVE-2016-2113: s4:selftest: explicitly use '--option="tlsverifypeer=no_check" for some ldaps tests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11752
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit c20ee1bdfea010dfdc2a0ca6d373368787afdd0f
Author: Ralph Boehme <slow at samba.org>
Date: Fri Mar 18 09:37:06 2016 +0100
CVE-2016-2113(<=4.3): docs-xml: add "tls verify peer" option defaulting to "no_check"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11752
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Ralph Boehme <slow at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit fc026680edf6e4cd1aa170fb463f8124a8025de7
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Dec 23 22:12:56 2015 +0100
CVE-2016-2113: docs-xml: add "tls verify peer" option defaulting to "no_check"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11752
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 9ca8e88ea4d42df62524c4385bbb2649f62c97fa
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Dec 23 16:17:04 2015 +0100
CVE-2016-2113: s4:lib/tls: implement infrastructure to do peer verification
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11752
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 27f16258dad4eeb89e70aece29153b3a20bd2249
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Dec 23 15:39:48 2015 +0100
CVE-2016-2113: s4:lib/tls: create better certificates and sign the host cert with the ca cert
The generated ca cert (in ca.pem) was completely useless,
it could be replaced by cert.pem.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11752
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 104a6911c90042d0841348ad941223f005548e2b
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Mar 25 19:24:20 2016 +0100
CVE-2016-2112: docs-xml: change the default of "ldap server require strong auth" to "yes"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
commit a027a871031dce63922f1e3b0d420e9c4124dfd8
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Dec 21 10:04:48 2015 +0100
CVE-2016-2112: s4:selftest: run some ldap test against ad_dc_ntvfs, fl2008r2dc and fl2003dc
We want to test against all "ldap server require strong auth" combinations.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
commit 8dad04c0ef54634299fe10200ccb40cdc9d401a3
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Dec 21 10:27:33 2015 +0100
CVE-2016-2112: selftest: servers with explicit "ldap server require strong auth" options
The default is "ldap server require strong auth = yes",
ad_dc_ntvfs uses "ldap server require strong auth = allow_sasl_over_tls",
fl2008r2dc uses "ldap server require strong auth = no".
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
commit c7f2a10a86cc867ac6208c26aec0d7b434dcab48
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Mar 26 18:07:02 2016 +0100
CVE-2016-2112: s4:selftest: run samba4.ldap.bind against fl2008r2dc
This uses "ldap server require strong auth = no".
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
commit 90cc9430f973ec9030aeeb73b880ce7b2abf7c21
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Aug 28 12:19:37 2015 +0200
CVE-2016-2112: s4:ldap_server: implement "ldap server require strong auth" option
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 963236fe87bb0d64087edb29e3a1ea75ba9e77d4
Author: Ralph Boehme <slow at samba.org>
Date: Fri Mar 18 09:09:46 2016 +0100
CVE-2016-2112(<=4.3): docs-xml: add "ldap server require strong auth" option
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Ralph Boehme <slow at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit b0125355c7be6a2a16cca1e94e8566a48f7bd749
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Dec 21 12:03:56 2015 +0100
CVE-2016-2112: docs-xml: add "ldap server require strong auth" option
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit e9cfd12449e0c9a5ab56ac1f3fa0b73637cd953b
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Dec 18 12:45:56 2015 +0100
CVE-2016-2112: s4:ldap_server: reduce scope of old_session_info variable
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 517219296653bd996ed71f1af4745b2d9403965b
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Dec 18 11:56:29 2015 +0100
CVE-2016-2112: s4:selftest: use --option=clientldapsaslwrapping=plain for plain connections
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 697770002a18d215d95b42632e907984c9d6b366
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Dec 18 08:29:50 2015 +0100
CVE-2016-2112: s4:libcli/ldap: auto upgrade to SIGN after STRONG_AUTH_REQUIRED
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit e072666e9a886a4c741917cf684249e1c933958b
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Dec 18 08:29:50 2015 +0100
CVE-2016-2112: s4:libcli/ldap: make sure we detect downgrade attacks
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit b723d973611a2315702601eb8149bfa143e5c617
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Dec 18 08:29:50 2015 +0100
CVE-2016-2112: s4:libcli/ldap: honour "client ldap sasl wrapping" option
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit a8c60aad5cf3b72cfb3a304bb5751a3860e3f9f6
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Mar 24 15:50:49 2016 +0100
CVE-2016-2112: s3:libads: make sure we detect downgrade attacks
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Pair-programmed-with: Ralph Boehme <slow at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Ralph Boehme <slow at samba.org>
commit 60647fac987684792c6e555d7f388ba888100e50
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Mar 15 21:59:42 2016 +0100
CVE-2016-2111: docs-xml/smbdotconf: default "raw NTLMv2 auth" to "no"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
commit dbdd9cb9ff4793b891166d6d669823a7cebf4978
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Mar 26 22:08:38 2016 +0100
CVE-2016-2111: selftest:Samba3: use "raw NTLMv2 auth = yes" for nt4_dc
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
commit ff1e470010c31b8bcfbddcc89473a7280f7517bf
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Mar 1 10:25:54 2016 +0100
CVE-2016-2111: s4:smb_server: implement "raw NTLMv2 auth" checks
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit e260f6a12c5388cd25c6914d9d285275f74a3e10
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Mar 1 10:25:54 2016 +0100
CVE-2016-2111: s3:auth: implement "raw NTLMv2 auth" checks
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 3643bc9f1d9622f39c78a4c4f59e26cd2b5c0950
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Mar 15 21:02:34 2016 +0100
CVE-2016-2111(<=4.3): docs-xml: add "raw NTLMv2 auth" defaulting to "yes"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 3dbb32c996f00e5d572b476a3ff7fe9e2f3d91d6
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Mar 15 21:02:34 2016 +0100
CVE-2016-2111: docs-xml: add "raw NTLMv2 auth" defaulting to "yes"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit eaabdc121948ada4adb5b109f8a30d0a996b6ccf
Author: Stefan Metzmacher <metze at samba.org>
Date: Sun Mar 27 01:09:05 2016 +0100
CVE-2016-2111: docs-xml: document the new "client NTLMv2 auth" and "client use spnego" interaction
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
commit f3192568747dcaf7c9e274a1eb02939b29277c2f
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Mar 26 18:08:16 2016 +0100
CVE-2016-2111: s3:libsmb: don't send a raw NTLMv2 response when we want to use spnego
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
commit f22b75dd357f2a98d31febeac2307e8de72c9d2c
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Mar 26 18:08:16 2016 +0100
CVE-2016-2111: s4:libcli: don't send a raw NTLMv2 response when we want to use spnego
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
commit a1ae5380893a045b262b34678cbe033213c27eb9
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Mar 26 18:08:16 2016 +0100
CVE-2016-2111: s4:param: use "client use spnego" to initialize options->use_spnego
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
commit 5dbffb88ca31069f76b193a661fb653c551e9dd0
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Mar 26 18:08:16 2016 +0100
CVE-2016-2111: s4:libcli: don't allow the LANMAN2 session setup without "client lanman auth = yes"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
commit b6899e111c4b4e12098d88adb3374f6a77d28802
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Mar 26 22:24:23 2016 +0100
CVE-2016-2111: s4:torture/base: don't use ntlmv2 for dos connection in base.samba3error
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
commit 8e1e621ef168a5ecf31d17d732c642501b13f230
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Mar 26 22:24:23 2016 +0100
CVE-2016-2111: s4:torture/raw: don't use ntlmv2 for dos connection in raw.samba3badpath
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
commit 9784d6899731fbb1bbc3a5c6c0b8850ec990d0dd
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Dec 9 13:12:43 2015 +0100
CVE-2016-2111: s3:rpc_server/netlogon: check NTLMv2_RESPONSE values for SEC_CHAN_WKSTA
This prevents spoofing like Microsoft's CVE-2015-0005.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 473bbfa5d1321191160626fd72642479336bdcf4
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Dec 9 13:12:43 2015 +0100
CVE-2016-2111: s4:rpc_server/netlogon: check NTLMv2_RESPONSE values for SEC_CHAN_WKSTA
This prevents spoofing like Microsoft's CVE-2015-0005.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 984d024a8013bb4b236fbca1f91c46e16b011433
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Feb 23 19:08:31 2016 +0100
CVE-2016-2111: libcli/auth: add NTLMv2_RESPONSE_verify_netlogon_creds() helper function
This is the function that prevents spoofing like
Microsoft's CVE-2015-0005.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 5074d1e5bbea95732b2d97c5ce8d0810ae25ba63
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Dec 12 22:23:18 2015 +0100
CVE-2016-2111: s4:torture/rpc: fix rpc.pac ntlmv2 test
The computer name of the NTLMv2 blob needs to match
the schannel connection.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 7434b8d6a08d4f9cb29607c7fd85f2bd7361d586
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Dec 12 22:23:18 2015 +0100
CVE-2016-2111: s4:torture/rpc: fix rpc.samba3.netlogon ntlmv2 test
The computer name of the NTLMv2 blob needs to match
the schannel connection.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 630e39db071627fbbed394743e3ea35ecd99f85d
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Aug 7 13:33:17 2015 +0200
CVE-2016-2111: s3:rpc_server/netlogon: require DCERPC_AUTH_LEVEL_PRIVACY for validation level 6
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit b9b3b1e0c382621051cf43700d682764d8d33cb8
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Aug 7 13:33:17 2015 +0200
CVE-2016-2111: s4:rpc_server/netlogon: require DCERPC_AUTH_LEVEL_PRIVACY for validation level 6
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 2f393b3b2b6db58eaef62f3b8cd8948b613d91b2
Author: Günther Deschner <gd at samba.org>
Date: Sat Sep 26 01:29:10 2015 +0200
CVE-2016-2111: s3:rpc_server/netlogon: always go through netr_creds_server_step_check()
This ensures we apply the "server schannel = yes" restrictions.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Guenther Deschner <gd at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit fb8bb0f5482423d4d51450e1c0aab8907127a7a3
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Mar 9 15:31:23 2016 +0100
CVE-2016-2111: s4:rpc_server: implement 'server schannel = yes' restriction
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit b76361de16176e36ddef284249ac86f365ce54cb
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Dec 15 15:10:20 2015 +0100
CVE-2016-2111: auth/gensec: correctly report GENSEC_FEATURE_{SIGN,SEAL} in schannel_have_feature()
This depends on the DCERPC auth level.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit a6d1056bc2552b020ce8eef5766ad21a6df1a2e9
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Dec 15 15:11:32 2015 +0100
CVE-2016-2111: auth/gensec: require DCERPC_AUTH_LEVEL_INTEGRITY or higher in schannel_update()
It doesn't make any sense to allow other auth levels.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit fc9df726daaa1d94d97b2f72a700dc852ac07cbb
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Nov 19 16:26:49 2015 +0100
CVE-2016-2110: auth/ntlmssp: implement new_spnego support including MIC generation (as client)
We now detect a MsvAvTimestamp in target info as indication
of the server to support NTLMSSP_MIC in the AUTH_MESSAGE.
If the client uses NTLMv2 we provide
NTLMSSP_AVFLAG_MIC_IN_AUTHENTICATE_MESSAGE and valid MIC.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 95a1c91eb3a5dd861e113a8cee98c2edc13fea14
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Nov 19 16:02:58 2015 +0100
CVE-2016-2110: auth/ntlmssp: implement new_spnego support including MIC checking (as server)
We now include a MsvAvTimestamp in our target info as indication
for the client to include a NTLMSSP_MIC in the AUTH_MESSAGE.
If the client uses NTLMv2 we check NTLMSSP_AVFLAG_MIC_IN_AUTHENTICATE_MESSAGE
and require a valid MIC.
This is still disabled if the "map to guest" feature is used.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 39dd2c6945c7fd9a26d886d218a447225c066d48
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Nov 30 09:13:14 2015 +0100
CVE-2016-2110: ntlmssp.idl: add NTLMSSP_MIC_{OFFSET,SIZE}
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 299b49f94071ae0888cb8d5699921b21f1f4b8f3
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Nov 20 09:31:35 2015 +0100
CVE-2016-2110: libcli/auth: pass server_timestamp to SMBNTLMv2encrypt_hash()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit a278c35ab542a6c6dd071ff5fb6fb5cf85ffb988
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Nov 20 09:29:11 2015 +0100
CVE-2016-2110: auth/credentials: pass server_timestamp to cli_credentials_get_ntlm_response()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 1cc7fbe7e347b5dcdada7b9fd3df4ae4a09576fb
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Nov 24 21:24:47 2015 +0100
CVE-2016-2110: auth/credentials: clear the LMv2 key for NTLMv2 in cli_credentials_get_ntlm_response()
If we clear CLI_CRED_LANMAN_AUTH we should also clear the lm_response buffer
and not send it over the net.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 8cae040d4d3b8dee714f44e0c5b325e6aa2dfe99
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Dec 17 11:49:31 2013 +0100
CVE-2016-2110: auth/ntlmssp: implement gensec_ntlmssp_may_reset_crypto()
[MS-SPNG] requires the NTLMSSP RC4 states to be reset after
the SPNEGO exchange with mechListMic verification (new_spnego).
The 'reset_full' parameter is needed to support the broken
behavior that windows only resets the RC4 states but not the
sequence numbers. Which means this functionality is completely
useless... But we want to work against all windows versions...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit b5e95ccdda08f9e8e37df94a792fb2e9e82dcccf
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Dec 16 11:27:27 2013 +0100
CVE-2016-2110: auth/ntlmssp: call ntlmssp_sign_init if we provide GENSEC_FEATURE_SIGN
It's important to check if we got the GENSEC_FEATURE_SIGN and if the caller
wanted it.
The caller may only have asked for GENSEC_FEATURE_SESSION_KEY which implicitly
negotiates NTLMSSP_NEGOTIATE_SIGN, which might indicate GENSEC_FEATURE_SIGN
to the SPNEGO glue code.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 3ae39afbe72a86090aac406c5e256a9ef4059839
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Dec 17 11:49:31 2013 +0100
CVE-2016-2110: auth/gensec: add gensec_may_reset_crypto() infrastructure
[MS-SPNG] requires the NTLMSSP RC4 states to be reset after
the SPNEGO exchange with mechListMic verification (new_spnego).
This provides the infrastructure for this feature.
The 'reset_full' parameter is needed to support the broken
behavior that windows only resets the RC4 states but not the
sequence numbers. Which means this functionality is completely
useless... But we want to work against all windows versions...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit f32ad5ca491965535d99c8fd67058878b151805d
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Nov 24 20:13:24 2015 +0100
CVE-2016-2110: auth/gensec: require spnego mechListMIC exchange for new_spnego backends
This used to work more or less before, but only for krb5 with the
server finishing first.
With NTLMSSP and new_spnego the client will finish first.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 36735336442e9bae9988a6655a0cb2bab6a4da1a
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Nov 20 11:42:55 2015 +0100
CVE-2016-2110: auth/gensec: fix the client side of a spnego downgrade
New servers respond with SPNEGO_REQUEST_MIC instead of
SPNEGO_ACCEPT_INCOMPLETE to a downgrade.
With just KRB5 and NTLMSSP this doesn't happen, but we
want to be prepared for the future.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 9440fa898f857f62bd43fcc39a912bd93f5948c5
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Nov 20 11:42:55 2015 +0100
CVE-2016-2110: auth/gensec: fix the client side of a new_spnego exchange
Even for SMB where the server provides its mech list,
the client needs to remember its own mech list for the
mechListMIC calculation.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit efe18dc91b0ccdb0df582ab8d43962b20615ce88
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Dec 17 12:42:35 2013 +0100
CVE-2016-2110: libcli/auth: add SPNEGO_REQUEST_MIC to enum spnego_negResult
This is defined in http://www.ietf.org/rfc/rfc4178.txt.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 0e3bb02242a1aef844e84974e110f2d0c493edc1
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Dec 17 12:42:06 2013 +0100
CVE-2016-2110: libcli/auth: use enum spnego_negResult instead of uint8_t
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 8714377b6906abddd79892321b4534e1234c3527
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Nov 20 14:06:18 2015 +0100
CVE-2016-2110: winbindd: add new_spnego to the WINBINDD_CCACHE_NTLMAUTH response
We don't need to change the protocol version because:
1. An old client may provide the "initial_blob"
(which was and is still ignored when going
via the wbcCredentialCache() function)
and the new winbindd won't use new_spnego.
2. A new client will just get a zero byte
from an old winbindd. As it uses talloc_zero() to
create struct winbindd_response.
3. Changing the version number would introduce problems
with backports to older Samba versions.
New clients which are capable of using the new_spnego field
will use "negotiate_blob" instead of "initial_blob".
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 677e214a83b643e31f53745a78453448b7a56abf
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Dec 1 14:54:13 2015 +0100
CVE-2016-2110: auth/ntlmssp: let gensec_ntlmssp_client_start require NTLM2 (EXTENDED_SESSIONSECURITY) when using ntlmv2
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 2ee222b77e181d1d80f679261d28192b75c4121e
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Dec 1 14:54:13 2015 +0100
CVE-2016-2110: auth/ntlmssp: let gensec_ntlmssp_client_start require flags depending on the requested features
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit a7a0d2ee6cab8bc76f1f3cb8471bbb2ef0507d59
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Dec 1 15:06:09 2015 +0100
CVE-2016-2110: auth/ntlmssp: don't let ntlmssp_handle_neg_flags() change ntlmssp_state->use_ntlmv2
ntlmssp_handle_neg_flags() can only disable flags, but not
set them. All supported flags are set at start time.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit d29c9450093e470d99cb82e70cd421db4240cf63
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Dec 1 15:01:09 2015 +0100
CVE-2016-2110: auth/ntlmssp: don't allow a downgrade from NTLMv2 to LM_AUTH
man smb.conf says "client ntlmv2 auth = yes" the default disables,
"client lanman auth = yes":
...
Likewise, if the client ntlmv2 auth parameter is enabled, then only NTLMv2
logins will be attempted.
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 4e5c214a6f3d4b745696d7c2a2e349cc23e7466e
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Dec 1 14:58:19 2015 +0100
CVE-2016-2110: auth/ntlmssp: split allow_lm_response from allow_lm_key
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit f914050c720619dcdfde613d5f82c48f8094ec4d
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Dec 1 11:01:24 2015 +0100
CVE-2016-2110: auth/ntlmssp: maintain conf_flags and required_flags variables
We now give an error when required flags are missing.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 8df0d59e3f6f52ba56128ce93a0a52cf7b916d38
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Dec 1 08:46:45 2015 +0100
CVE-2016-2110: auth/ntlmssp: let ntlmssp_handle_neg_flags() return NTSTATUS
In future we can do a more fine-grained negotiation
and assert specific security features.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 25f0a4cde636e65b9ad2cd1365ebccd35c1860f2
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Mar 21 19:41:53 2016 +0100
s3:ntlm_auth: pass manage_squid_request() needs a valid struct ntlm_auth_state from within get_password()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Tue Mar 22 19:20:38 CET 2016 on sn-devel-144
(cherry picked from commit ef1ad0e122659b5ff9097f0f7046f10fc2f3ec30)
commit cce2e6a6354e1f17b775990832f0b61a0d7ddea4
Author: Stefan Metzmacher <metze at samba.org>
Date: Sun Feb 28 23:32:50 2016 +0100
s3:rpc_server/samr: correctly handle session_extract_session_key() failures
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 0906d61bb2f3446483d82928b55f5b797bac4804)
commit 343637b4b7474a435b2806d857a3f1a6d54d0de0
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Dec 18 15:30:00 2015 +0100
s4:selftest: run rpc.netlogon.admin also over ncalrpc and ncacn_ip_tcp
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Fri Mar 18 12:39:51 CET 2016 on sn-devel-144
(cherry picked from commit e8e2386bf6bd05c60a0f897587a9a676c86dee76)
commit ba36c3f1c0b80f742196d1346059f79c83d6cc6d
Author: Volker Lendecke <vl at samba.org>
Date: Tue Mar 15 20:34:27 2016 +0100
libads: Fix CID 1356316 Uninitialized pointer read
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit dcaa88158e6f0a9964ad051b4062d82e9f279b8c)
commit e681d118bb59e47bf438b3929284f75b7cc81ce8
Author: Volker Lendecke <vl at samba.org>
Date: Tue Mar 15 21:00:30 2016 +0100
libsmb: Fix CID 1356312 Explicit null dereferenced
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit f50c3fb1c58700522f1b742539dab9bd9ae7fd39)
commit 656795bced3a264642227cbd9fd57cb1ffc56594
Author: Günther Deschner <gd at samba.org>
Date: Sat Sep 26 02:20:50 2015 +0200
s3-auth: check for return code of cli_credentials_set_machine_account().
Guenther
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Thu Mar 17 20:43:19 CET 2016 on sn-devel-144
(cherry picked from commit c06058a99be4cf3ad3431dc263d4595ffc226fcf)
commit 6db7be4a5341b788b4141ae3df14a80de9981578
Author: Günther Deschner <gd at samba.org>
Date: Sat Sep 26 02:18:44 2015 +0200
s4-smb_server: check for return code of cli_credentials_set_machine_account().
We keep anonymous server_credentials structure in order to let
the rpc.spoolss.notify start its test server.
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Günther Deschner <gd at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit fe93a09889a854d7c93f9b349d5794bdbb9403ba)
commit bca3039c0ce0a6554bb9935d325c1f602f700585
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 26 08:10:46 2015 +0200
s4:rpc_server: require access to the machine account credentials
Even a standalone server should be selfjoined.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit 31f07d05629bc05ef99edc86ad2a3e95ec8599f1)
commit a6e7f4995b25083403ee2e3d5f791c9944708bb7
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Dec 15 15:08:43 2015 +0100
auth/gensec: split out a gensec_verify_dcerpc_auth_level() function
We only need this logic once.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit 57946ac7c19c4e9bd8893c3acb9daf7c4bd02159)
commit c0beb87b632b57e3c15e53fab805db126743cb6f
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jul 10 13:01:47 2015 +0200
auth/gensec: make sure gensec_security_by_auth_type() returns NULL for AUTH_TYPE_NONE
ops->auth_type == 0, means the backend doesn't support DCERPC.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit cc3dea5a8104eef2cfd1f8c05e25da186c334320)
commit 5cdddba8c7de8e6968905a3f40142dc824f2cbe3
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Mar 11 02:55:30 2016 +0100
s4:torture/rpc/schannel: don't use validation level 6 without privacy
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit 733ccd13209c20f8e76ae7b47e1741791c1cd6ba)
commit 61a09ae4e544298ff8c3feb192a7d5df635b74f0
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Mar 11 18:09:26 2016 +0100
s4:torture/rpc: correctly use torture_skip() for test_ManyGetDCName() without NCACN_NP
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit 50581689d924032de1765ec884dbd160652888be)
commit 1cd38365e423ffa1fd55e110ef04bd3919673dbf
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Mar 14 01:56:07 2016 +0100
s4:torture/rpc/samlogon: use DCERPC_SEAL for netr_LogonSamLogonEx and validation level 6
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit 050a1d0653716fd7c166d35a7236a014bf1d1516)
commit 866594408d3c1b1589c1b59863a72f0295213b2c
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Mar 10 17:24:03 2016 +0100
s4:torture/rpc/samr: use DCERPC_SEAL in setup_schannel_netlogon_pipe()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit 26e5ef68188d2e44d42f75ed6aabf2557c9ce5ce)
commit 46f52e7ad857265955469a0389c085a514db1d19
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Dec 22 12:10:12 2015 +0100
s4:torture/netlogon: add/use test_SetupCredentialsPipe() helper function
This creates a schannel connection to netlogon; this makes the tests
more realistic.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit 1a7d8b8602a687ff6eef45f15f597694e94e14b1)
commit 1103a6b3d08a6d5e2a947e4f4891239b8359cb75
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Dec 22 09:13:46 2015 +0100
s3:test_rpcclient_samlogon.sh: test samlogon with schannel
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit f9a1915238dc7a573c58dd8c7bac3637689af265)
commit 6a3a45ddaea243cf2cabd8709d466f9d2ca5204b
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Dec 18 07:10:06 2015 +0100
s3:selftest: rpc.samr.passwords.validate should run with [seal] in order to be realistic
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit 2c36501640207604a5c66fb582c2d5981619147e)
commit 3f05c5a2aafc72919477769e6d72eeaf51e9be6f
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Jan 9 21:21:25 2016 +0100
selftest: setup information of new samba.example.com CA in the client environment
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit b00c38afc6203f1e1f566db31a63cedba632dfab)
commit 1311631f611c1eb5dd9ecfdaf6d58aa09dcaf599
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Jan 9 21:21:25 2016 +0100
selftest: set tls crlfile if it exist
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit b2c0f71db026353060ad47fd0a85241a3df8c703)
commit 739e8964859ca15dc26db4986e165b04584e7712
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Jan 9 21:21:25 2016 +0100
selftest: use Samba::prepare_keyblobs() and use the certs from the new CA
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit c321a59f267d1a997eff6f864a79437ef759adeb)
commit 0ad8ef883f42db2336b6ec34b01d23191f968737
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Jan 9 21:21:25 2016 +0100
selftest: add Samba::prepare_keyblobs() helper function
This copies the certificates from the samba.example.com CA if they
exist.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit a6447fd6d010b525d235b894d5be62c807922cb5)
commit f058da26ede7b03e8286c795d54eb66b3efaa5a4
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Jan 9 01:06:05 2016 +0100
selftest: mark commands in manage-CA-samba.example.com.sh as DONE
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit 2a96885ac706ae3e7c6fd7aaff0215f3f171bc27)
commit 8be303170b8f1afd59ff0430ac220c4bacd8f17a
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Jan 9 01:09:31 2016 +0100
selftest: add CA-samba.example.com (non-binary) files
The binary files will follow in the next, this allows the next
commit to be skipped as the binary files are not used by samba yet.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(similar to commit 520c85a15fa1f4718e2e793303327abea22db149)
commit 08976c41d8bd19a1957b7e9c960137044fb61a2a
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Jan 9 01:08:02 2016 +0100
selftest: add config and script to create a samba.example.com CA
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit bdc1f036a8a66256afe8dc88f8a9dc47655640bd)
commit 158e06df56d51663d3b97f935a2aa32e6c93929a
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Jan 9 01:06:05 2016 +0100
selftest: add some helper scripts to mange a CA
This is partly based on the SmartCard HowTo from:
https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit b0bdbeeef44259782c9941b5cfff7d4925e1f2f2)
commit f91a66f4562fdd784efe0d6e95e45e699e02b1c3
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Jan 16 13:57:47 2016 +0100
selftest: s!addc.samba.example.com!addom.samba.example.com!
It's confusing to have addc.samba.example.com as domain name
and addc.addc.samba.example.com as hostname.
We now have addom.samba.example.com as domain name
and addc.addom.samba.example.com as hostname.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit c561a42ff68bc4561147839e3a65951924f6af21)
commit 1346b27f07d5c1b8bfa4c76c40ff29ca0e191e15
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Nov 10 10:25:10 2015 +0100
s4:rpc_server: dcesrv_generic_session_key should only work on local transports
This matches modern Windows servers.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Thu Mar 10 10:15:21 CET 2016 on sn-devel-144
(cherry picked from commit 645e777b0aca7d997867e0b3f0b48bfb138cc25c)
commit 663ec33c69640bf833db578254fe55e60c05e11f
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Feb 26 16:41:10 2016 +0100
s4:rpc_server/samr: hide a possible NO_USER_SESSION_KEY error
Windows servers don't return the raw NT_STATUS_NO_USER_SESSION_KEY
error, but return WRONG_PASSWORD or even hide the error by using a random
session key, that results in an invalid, unknown, random NTHASH.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 58b33896b65c5b51486eaf01f5f935ace2369fd0)
commit 5182c933647fca05380e89b67f7db8735d73f493
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Nov 10 10:25:10 2015 +0100
s4:librpc/rpc: dcerpc_generic_session_key() should only be available on local transports
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 5a397216d40ff18fd1c0980cd9b7b7c0a970bbbb)
commit 44e2da84106abae82ecd1e682f6b8f3d50334e01
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Dec 15 22:44:24 2015 +0100
s4:torture:samba3rpc: use an authenticated SMB connection and an anonymous DCERPC connection on top
This is the only way to get a reliable transport session key.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit af8c4ebf9be314ddd13ef9ca17a0237927dd2ede)
commit fd1e4ec2ab156639e7aed4edb49552fc003b6b65
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Dec 18 20:18:42 2015 +0100
s4:selftest: run rpc.samr over ncacn_np instead of ncacn_ip_tcp
It requires a transport session key, which is only reliably available
over SMB.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit f699eb3b1a0660ace3ca99d3f3b5d79ed5537c80)
commit 32ad277f7fca918376bbb8a27fb070b96aa9a238
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Feb 29 07:47:39 2016 +0100
s4:torture: the backupkey tests need to use ncacn_np: for LSA calls
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(similar to commit c793b23ddb7c048110bc4718574e5b99d5bbcfae)
commit e09c17a8a7b61813005a31ade185d2c72c7f6560
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Dec 17 08:55:03 2015 +0100
s4:torture/rpc: do testjoin only via ncalrpc or ncacn_np
ncacn_ip_tcp doesn't have the required session key.
It used to be the well-known "SystemLibraryDTC" constant,
but that's not available in modern systems anymore.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 0400f301e3bcf495748cff009755426a040596fa)
commit 2d6afd96eded051d1f9b356593d875bd59214403
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Mar 2 07:27:41 2016 +0100
s3:libsmb: remove unused functions in clispnego.c
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 14335018229801dd6d2b18f8d19ab5b45b8394fc)
commit 979fc6a5c252e6ac5065066a19a66c9acc9f02ce
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Mar 2 07:27:16 2016 +0100
s3:libsmb: remove unused cli_session_setup_kerberos*() functions
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 95b953950d1fd454121ff23a43a8b13a34385ef1)
commit 8a1d0a95f77360fed9a30f04f4c01be20a164c49
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Mar 2 14:58:30 2016 +0100
s3:libsmb: make use of cli_session_setup_gensec*() for Kerberos
This prepares a fix for https://bugzilla.samba.org/show_bug.cgi?id=10288
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 0e1b2ebf884c6f2033b3b9aa7b6f72af54a716b2)
commit 70d546d10ab96379ced93c4bff8fe37e73c2a170
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Mar 2 14:35:21 2016 +0100
s3:libsmb: call cli_state_remote_realm() within cli_session_setup_spnego_send()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 907e2b1f665cdafc863f4702ede5dcf16e6cc269)
commit c4c3bd6bbae1b2bd07b37ab2fa76b7b0272f9c3b
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Mar 1 15:47:11 2016 +0100
s3:libsmb: provide generic cli_session_setup_gensec_send/recv() pair
It will be possible to use this for more than just NTLMSSP in future.
This prepares a fix for https://bugzilla.samba.org/show_bug.cgi?id=10288
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 285c342f01a6e9a892f03360f8d2d0097e7a41cb)
commit 14988855e2e9d11fe5f8f20035de665e06ca0fbb
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Mar 1 18:31:50 2016 +0100
s3:libsmb: let cli_session_setup_ntlmssp*() use gensec_update_send/recv()
This prepares a fix for https://bugzilla.samba.org/show_bug.cgi?id=10288
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 576257f6e1488a623306dc368c806e218b1fcdf2)
commit e8b6ef4d1b8b0b92887067daa059b6dcf5ae5074
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Dec 9 11:49:37 2015 +0100
s3:libsmb: unused ntlmssp.c
Everything uses the top level ntlmssp code via gensec now.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit afffe797547a97ec839913e1ca89045989bbea49)
commit bbc4eb8f2fb47e13eea0c801266bf5cfdfdb3c1b
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Nov 26 14:34:46 2015 +0100
s3:libsmb: make use gensec based SPNEGO/NTLMSSP
This prepares a fix for https://bugzilla.samba.org/show_bug.cgi?id=10288
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 4f6fe27c7020822dd1ce88b7dd63725d6082b190)
commit 59b80321d5565402b596fd4deaa4bd2da20574dc
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Mar 2 11:42:51 2016 +0100
s3:libads: make use of ads_sasl_spnego_gensec_bind() for GSS-SPNEGO with Kerberos
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 2cb07ba50decdfd6d08271cd2b3d893ff95f5af9)
commit d19d03926677b95e08e4f90b1ce021df753fff16
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Mar 2 11:33:04 2016 +0100
s3:libads: keep service and hostname separately in ads_service_principal
Caller will use them instead of the full principal in future.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit c5d7956364047925dee5d6f71a5b92a38c73e5a6)
commit e952e6308fa7f0351e0b6c5d7dc91023b7272fb0
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Mar 2 11:31:01 2016 +0100
s3:libads: don't pass given_principal to ads_generate_service_principal() anymore.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 0c204e11925982d8bd835830985479792b8cc820)
commit 3d3725b670f22dc8dd85e843bd20f5a15c42e0b0
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Dec 9 13:14:05 2015 +0100
s3:libads: provide a generic ads_sasl_spnego_gensec_bind() function
It will be possible to use this for more than just NTLMSSP in future.
Similar to https://bugzilla.samba.org/show_bug.cgi?id=10288
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 139ce7d8b687cc54560ce353ea6f86a4d2d2ae04)
commit 4cbf13e411f24d23f60dd89f5580a987d89d6718
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Dec 9 15:02:29 2015 +0100
s3:libads: make use of GENSEC_OID_SPNEGO in ads_sasl_spnego_ntlmssp_bind()
This avoids using the hand made spnego code, that
doesn't support the GENSEC_FEATURE_NEW_SPNEGO protection.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit c6f79cfa86e23217a510c6fe205da0c18ef2a9b2)
commit c63d32b69eb2e1ec8acbc34649e6d019f160d5e2
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Dec 9 15:04:02 2015 +0100
s3:libads: make use of GENSEC_FEATURE_LDAP_STYLE
This is more generic and will handle the
ntlmssp_[un]wrap() behaviour at the right level.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 357d37fa11b7d944e9f5fe2e0cc6730d498bc2dc)
commit 383d18d96d45bccc9f93cab666078d7f6aba7c89
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Mar 5 02:53:45 2016 +0100
s3:libads: add missing TALLOC_FREE(frame) in error path
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 8f9a9633e4f55f85a3f68bf2e8c78414f31511ea)
commit 95461fbf0d8c3e3faa035902010e70f9f1d64ebb
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Dec 9 14:51:57 2015 +0100
s4:ldap_server: make use of GENSEC_FEATURE_LDAP_STYLE
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit 0ebe929810e922e7cf7742a1f3e4ad222006377f)
commit e2bea35bafa3917b47e7e3997db814dd8f374f6e
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Dec 18 11:46:22 2015 +0100
s4:selftest: simplify the loops over samba4.ldb.ldap
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit c431543fb989938898e33e1ffdb80cb97e4a3bb2)
commit ccc1c51bf4eb4967763db11426bee7406428d737
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Dec 18 09:54:08 2015 +0100
s4:selftest: we don't need to run ldap test with --option=socket:testnonblock=true
The LDAP client library uses tstream and that handles non blocking
sockets natively.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit 5cf8546674a4f49618bdade1567fac00d72db454)
commit b0003873bd2ac26821ce5f9a7b201d3696e0bf36
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Dec 18 13:10:58 2015 +0100
s4:libcli/ldap: fix retry authentication after a bad password
We need to start with an empty input buffer.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit d9d0d2d5a2667ea8984772b678272650a8719c21)
commit 58478f440a32af2bb0d6a2223579b8b4b8b8d88e
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Dec 9 14:51:57 2015 +0100
s4:libcli/ldap: make use of GENSEC_FEATURE_LDAP_STYLE
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit d04663b8b075a69141fe2f45d0906b528d99ab85)
commit debafe8c47c8c6342c5001ed7291b643a304c3d5
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Mar 8 12:58:51 2016 +0100
auth/ntlmssp: remove ntlmssp_unwrap() fallback for LDAP
This is now handled by GENSEC_FEATURE_LDAP_STYLE.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 59301830e27bf537d04808d2ac37d6cf9ef56713)
commit 1016c9dea7a8da9fd80bb0509ff56618150a4338
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Dec 9 14:48:14 2015 +0100
auth/ntlmssp: add more compat for GENSEC_FEATURE_LDAP_STYLE
We also want to work against old Samba servers which didn't have
GENSEC_FEATURE_LDAP_STYLE; we negotiate SEAL too. We may remove this in a few
years, as all servers should support GENSEC_FEATURE_LDAP_STYLE by then.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit 122a5f6b58e6cead061a7ee64033ccc1940742ed)
commit 294ef7306d5d8cfb919bedffb643c1846d54c819
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Dec 9 14:48:14 2015 +0100
auth/ntlmssp: implement GENSEC_FEATURE_LDAP_STYLE
We need to handle NTLMSSP_NEGOTIATE_SIGN as
NTLMSSP_NEGOTIATE_SEAL if GENSEC_FEATURE_LDAP_STYLE
is requested.
This works around a bug in Windows, which allows signed-only
messages using NTLMSSP and LDAP.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit f3dbe19e14eaf7a462f14485c6a9138a7348db2e)
commit 6d08a2ae7a923df2ce94fd5975f5499868010349
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Dec 9 14:48:14 2015 +0100
auth/gensec: add GENSEC_FEATURE_LDAP_STYLE define
This will be used for LDAP connections and may trigger
backend specific behaviour.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit 069aee42c2f12ed5feb23c19dc0a4771d913619a)
commit 192d5bebff8725803e4e02f177e0722c3b78d5d2
Author: Günther Deschner <gd at samba.org>
Date: Wed Aug 19 00:40:12 2009 +0200
auth/ntlmssp: use ndr_push_AV_PAIR_LIST in gensec_ntlmssp_server_negotiate().
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Günther Deschner <gd at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit f6b9e1feab8d435b1e44fef81e867c01ed01db95)
commit 3136ede9e6e926dd9ffc29809dd03aff81f9063c
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Nov 24 15:40:29 2015 +0100
librpc/ndr: add ndr_ntlmssp_find_av() helper function
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit c1e2a1f0a75605a8792b615a41392fc018198a10)
commit 30b4e8fe2d4b892966d21f2eab2f255739f63ab9
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Nov 19 15:38:02 2015 +0100
ntlmssp.idl: make AV_PAIR_LIST public
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit f4ff3510164748977de056bb8cdbbd22e5fedb3c)
commit 983edc9a689859e65bce4cf17ed648ef6c7da2e7
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Dec 21 09:07:57 2015 +0100
ntlmssp.idl: MsAvRestrictions is MsvAvSingleHost now
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit ab54e0fd7040e7717fe979b54fb4dfa16813524f)
commit c3392f3a207f8ce4640a17295b4fcdfe8971b1ff
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Dec 21 09:06:56 2015 +0100
security.idl: add LSAP_TOKEN_INFO_INTEGRITY
This is used in [MS-KILE] and implicit in [MS-NLMP].
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit 1f88812316144b06b11eb3dc90a6081cb57783da)
commit 00fbd5bc3c4504a95602deffcba87571d992835d
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Nov 24 14:07:23 2015 +0100
auth/ntlmssp: use ntlmssp_version_blob() in the server
We already set NTLMSSP_NEGOTIATE_VERSION in
gensec_ntlmssp_server_start(), so it's always
set in chal_flags.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit 8af6b8d2eb6b873620131b4b5b570ec24985d86a)
commit 3a5256774db74cbc6c0a44c1794e7d03b568d8d8
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Nov 20 10:52:29 2015 +0100
auth/ntlmssp: let the client always include NTLMSSP_NEGOTIATE_VERSION
This matches a modern Windows client.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit 4a1809cb14dcb03e9ba386af5b90650400377875)
commit 9419ce654ae6fffa81260f71ced1ed4bc79a1270
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Nov 24 14:05:17 2015 +0100
auth/ntlmssp: add ntlmssp_version_blob()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit a61ab398ccc1036edce677e00569fd7f58b70995)
commit a575c5e81f09675bf0c8888da4a4147ebd812c16
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Nov 20 10:52:29 2015 +0100
auth/ntlmssp: don't send domain and workstation in the NEGOTIATE_MESSAGE
We don't set NTLMSSP_NEGOTIATE_OEM_{DOMAIN,WORKSTATION}_SUPPLIED anyway.
This matches modern Windows clients.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit 4fca8eaaae23955e704dc9c45d373fe78bf88201)
commit c8059be0cf59595fc2dba7b8c8737e3c13d9e48d
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Dec 8 13:59:42 2015 +0100
auth/ntlmssp: set NTLMSSP_ANONYMOUS for anonymous authentication
This matches a modern Windows client.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit efd4986794889f1315dbd011b94b8673d785053a)
commit 34ce552e22fa937ef7cfaffc4d51040c5310b19a
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Dec 1 11:01:24 2015 +0100
auth/ntlmssp: define all client neg_flags in gensec_ntlmssp_client_start()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit afba38dbf5c954abbcfc485a81f510255b69a426)
commit 6d18d462f90e120bc2615fd704dc326fed6a8256
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Nov 20 10:52:29 2015 +0100
auth/ntlmssp: NTLMSSP_NEGOTIATE_VERSION is not a negotiated option
NTLMSSP_NEGOTIATE_VERSION only indicates the existence of the version
information in the packet.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit 30d626024c7e8f275d64f835632717b0130be4b2)
commit 3938b9087b1194777c80ec6ed25e6ad3f66e21d2
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Dec 1 11:16:02 2015 +0100
auth/ntlmssp: split out a debug_ntlmssp_flags_raw() that's more complete
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit e63442a1c27c475e373048893d9cf04859dd1792)
commit db7e89478225403e0b80345246e1539e615d9cdc
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Dec 9 10:54:56 2015 +0100
s3:ntlm_auth: also use gensec for "ntlmssp-client-1" and "gss-spnego-client"
This implicitly fixes bug #10708.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10708
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit 279d58c1e68c9466a76e4a67d2cfea22e8719d31)
commit aea667cd26216682d3a52f406c967facc59b1d04
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Nov 26 11:46:52 2015 +0100
winbindd: make use of ntlmssp_resume_ccache backend for WINBINDD_CCACHE_NTLMAUTH
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit 716e78f3b294210130f3cf253f496391534819b0)
commit 6ee35d96e3a7e62d7bfe821b9502c65a2e3c5d09
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Dec 10 15:42:51 2015 +0100
s3:auth_generic: add "ntlmssp_resume_ccache" backend in auth_generic_client_prepare()
This will be used by winbindd in order to correctly implement WINBINDD_CCACHE_NTLMAUTH.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit 8bcde9ec625547df42915e9138d696deeabdb62d)
commit 81745b67877267f884f8594fd08f40f8a534b7b3
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Nov 27 15:35:40 2015 +0100
auth/ntlmssp: implement GENSEC_FEATURE_NTLM_CCACHE
This can be used in order to use the WINBINDD_CCACHE_NTLMAUTH
code of winbindd to do NTLMSSP authentication with a cached
password.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit b133f66e0da5ed05bbe81098e52c744bac4b48ac)
commit 7303a100d377accbc6893fc8c90b5623cac13eee
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Nov 27 13:42:30 2015 +0100
auth/gensec: add GENSEC_FEATURE_NTLM_CCACHE define
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit 0a93cad337578a7ba61f12726c9a15ecf869db7b)
commit 7fcefea18f575bc493d5b536803256104efbe47a
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Nov 25 21:41:23 2015 +0100
auth/ntlmssp: provide a "ntlmssp_resume_ccache" backend
These can be used to implement the winbindd side of
the WINBINDD_CCACHE_NTLMAUTH call.
It can properly get the initial NEGOTIATE messages
injected if available.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit b3d4523ff7810279dc4d3201a09a868545d4d253)
commit 3585e415e987ddeb6ff65493a97154b7a1fb6fbe
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Dec 11 12:47:40 2015 +0100
s3:ntlmssp: remove unused libsmb/ntlmssp_wrap.c
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit 52c03c07151a12e84fb4d34443864e59583c0db9)
commit 993420f27a293d7c8a03a49790c9fb023ad1ea31
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Nov 26 11:45:33 2015 +0100
s3:auth_generic: make use of the top level NTLMSSP client code
There's no reason to use gensec_ntlmssp3_client_ops, the
WINBINDD_CCACHE_NTLMAUTH isn't available via gensec anyway.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit 0d66e2d34f656028eb3adb35acb653a45c041890)
commit cb7bf55b3bb2ea8c3eb5a29de210a9404950a6d9
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Dec 15 09:07:33 2015 +0100
winbindd: pass a memory context to do_ntlm_auth_with_stored_pw()
We should avoid using NULL.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit 871e8a9fd029bbcbccb79bd17f9c6a2617b8be55)
commit c9d2b8decbf6929650846d80ad12ea15759ac92c
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Dec 9 16:15:13 2015 +0100
s3:tests/test_ntlm_auth_s3: test ntlmssp-client-1 with cached credentials
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11776
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit 9bd1ecffffd070333a22ef2449a179cee3effe5d)
commit 0f54d603deababb9ac3837434ae11dedc995549d
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Dec 9 16:15:13 2015 +0100
s3:torture/test_ntlm_auth.py: add --client-use-cached-creds option
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11776
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit 1289130ad2aeded63990bf1bde6f169505c62280)
commit 2dac5586c8338b654a6d11c75a2abd41ea3dc1e8
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Dec 11 12:11:05 2015 +0100
s3:torture/test_ntlm_auth.py: replace tabs with whitespaces
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit cf2ea04135774853d1cebca82c60bed890135163)
commit 8800015770e47428ee7fcff22b0884873f961b74
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Dec 9 21:23:33 2015 +0100
s3:ntlm_auth: fix --use-cached-creds with ntlmssp-client-1
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11776
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit 69a7ec794213e8adec5dcbd9ca45172df13292c1)
commit 33f7f44c7073bcca999759e66966f72efff18db7
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Mar 2 12:06:50 2016 +0100
auth/ntlmssp: add gensec_ntlmssp_server_domain()
This is a hack in order to temporarily export the server domain
from NTLMSSP through the gensec stack.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit a85a02b631609cd9c16e1048c62dbe9661128279)
commit aa0ed80b53d8977a3d3574b46911e7b7345f7a57
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Mar 2 22:15:50 2016 +0100
auth/ntlmssp: keep ntlmssp_state->server.netbios_domain on the correct talloc context
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 0a9e37a0db86815d2baf7ab791721b6a7e04a717)
commit 14b2a516105ddd90246fb7e06bf3852c93c08302
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Mar 1 19:39:04 2016 +0100
s3:auth_generic: add auth_generic_client_start_by_sasl()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 79a6fc0532936558421eb4321f795655b5280763)
commit a0feacff89272a3888ca3f71239f8e0012f6f72e
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Nov 26 11:44:02 2015 +0100
s3:auth_generic: add auth_generic_client_start_by_name()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit ccfd2647c7e65c3e2ad92dbc27c21570da0706d4)
commit 9e4231229a94f8a317fba99620b81f3097fade64
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Nov 26 11:43:02 2015 +0100
auth/gensec: make gensec_security_by_name() public
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit 8efcb4943585f015c9956118d8f42be89d5c7677)
commit 35f80cfef2a913fd27e727f2e34f7e79eb77855b
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Mar 1 19:29:40 2016 +0100
auth/gensec: handle gensec_security_by_sasl_name(NULL, ...)
We do that for all other gensec_security_by_*() functions already.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 64364e365c56c93e86305a536c5c68450d154d2a)
commit 2e6af15eb08e9a3f9e6a6845d7a8fcb3acc0b18b
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Mar 2 12:06:50 2016 +0100
auth/gensec: keep a pointer to a possible child/sub gensec_security context
This is a hack in order to temporarily implement something like:
gensec_ntlmssp_server_domain(), which may be used within spnego.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 5e913af833721733c4f79f2636fc3ae19d5f42f0)
commit b474d135de2453bfd82ce748cc33ca3bc3ba5447
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Aug 19 10:53:34 2015 +0200
s4:pygensec: make sig_size() and sign/check_packet() available
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 0f6713826dfe73b7f338b8110c53ce52d42efbda)
commit f702a9e2092af33c9191663c86816be8cb512bfe
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Mar 5 02:52:29 2016 +0100
s3:librpc/gse: implement gensec_gse_max_{input,wrapped}_size()
This is important in order to support gensec_[un]wrap() with GENSEC_SEAL.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit dec9d085f3eea8d49fa129c05c030bdd779cba54)
commit 5a046d57dff28f94b5d482668b7eead6b9f51af9
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Mar 2 07:42:41 2016 +0100
s3:librpc/gse: don't log gss_acquire_creds failed at level 0
Some callers just retry after a kinit.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 79bf88353488b5912435e0c7f8e77f2d075ce134)
commit 47272c3643192c8b2359a15dd8a09a94decacc2c
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Mar 1 17:37:38 2016 +0100
s3:librpc/gse: correctly support GENSEC_FEATURE_SESSION_KEY
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit e4aebd7e28e7b00a13246b367eb2e7de5ae7b57b)
commit 2b351b7e3d935dd734e9dd793484af80eeb0e255
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Jun 22 15:22:44 2015 +0200
s3:librpc/gse: set GSS_KRB5_CRED_NO_CI_FLAGS_X in gse_init_client() if available
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit a8fa078f1acbd9fb1a1681033922731dce855aad)
commit 91e27173d08bbf2e4ee339b0349255356c5641b6
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Jun 22 15:21:53 2015 +0200
s3:librpc/gse: fix debug message in gse_init_client()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 84c66f1a388c8b5105f3740a3cd5d4d5a27f6ee8)
commit 4357b220b40b8913592735df41952e3b6f4f9bb2
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Jun 22 15:21:05 2015 +0200
s3:librpc/gse: make use of GSS_C_EMPTY_BUFFER in gse_init_client
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 46b92525181fa32c5797c914e8de92f3c226e3c7)
commit 88a09dce1506e8e3abd54230978fa64b3b877c23
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Jun 22 15:18:22 2015 +0200
wscript_configure_system_mitkrb5: add configure checks for GSS_KRB5_CRED_NO_CI_FLAGS_X
Newer MIT versions (maybe krb5-1.14) will also support this.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 1fd5bdafbddfd0ad2926ef50a0cb7d07956ddd44)
commit 0555445606e1ecad4488c4d443592dbeb4fa00f9
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Mar 2 14:36:14 2016 +0100
s3:libads: remove unused ads_connect_gc()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit cd8af25d4bf87a9156cb2afb3dd206c68b1bedd7)
commit 49a7697ae0bf4a5930a5b243b4177313fb4827e5
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Dec 23 11:06:47 2015 +0100
s4:librpc/rpc: map alter context SEC_PKG_ERROR to NT_STATUS_LOGON_FAILURE
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 960b0adfb398eeabd48213393bc560654baeed5b)
commit 3121494929c4a2ef6b8c82f1d36d18d85fe3134b
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jul 17 03:36:36 2015 +0200
librpc/rpc: add error mappings for NO_CALL_ACTIVE, OUT_OF_RESOURCES and BAD_STUB_DATA
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit e9e9ba7eaecf2b6d95e79fbe424e1479e9468d63)
commit e7595fa3698453d46f5285156c4fff6961fc4fa6
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jul 17 03:35:19 2015 +0200
dcerpc.idl: make WERROR RPC faults available in ndr_print output
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit 5afc2d85b3d17b32ca9bd2856958114af146f80e)
commit 0117f648896577fd1459568a3c2c2df647475c2a
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jul 16 17:15:24 2015 +0200
epmapper.idl: make epm_twr_t available in python bindings
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 2e71f5d9351b9660a5ef94309674e09fdeb7ab48)
commit 0d53d8a83dcc6f80dc980a7b4eb3f18603f873d7
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Mar 8 15:53:21 2016 +0100
s3:selftest: run samba3.blackbox.smbclient_auth.plain also with $SERVER_IPV6
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 2c9f9557e4d7e02b4f588aa0a6551a6881ac57af)
commit 16e14f9382d3201ee5951d052ad979c58ca327ec
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Mar 8 15:47:59 2016 +0100
s3:test_smbclient_auth.sh: test using the ip address in the unc path (incl. ipv6-literal.net)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit e906739553ee6112426af0cf29e33ef1920a316c)
commit 7f24c0bf7d7037752c02e322ae535503631074cf
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Mar 4 02:18:38 2016 +0100
lib/util_net: add support for .ipv6-literal.net
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 6400bbb5eee958babbdd578c2f80b0c65d6f6e7a)
commit 6b6fbcfd1a2c7c348eb794c8cffd6cbaaedfaac0
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Mar 4 02:18:38 2016 +0100
lib/util_net: move ipv6 linklocal handling into interpret_string_addr_internal()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 771042a2387b596fff2ab59a1a68d75c6c27b2cc)
commit a70f6207f8f2373bc2b23dc19dd806e8dd871965
Author: Volker Lendecke <vl at samba.org>
Date: Mon Jan 11 21:49:21 2016 +0100
spnego: Correctly check asn1_tag_remaining retval
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
(cherry picked from commit 024c619fa82960ae4f8af029b6872102202ffd07)
commit 5530d91be121e3a1d6ead107b392686ff82d9260
Author: Christian Ambach <ambi at samba.org>
Date: Mon Feb 8 23:20:19 2016 +0100
s4:torture/ntlmssp fix a compiler warning
about invalid array subscript
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Christian Ambach <ambi at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 8ca0f14b5c4ac85e40c9c96f8f5ebb569335f031)
commit 7019a9c3124645321dccb9a3d2e93f995c83b797
Author: Günther Deschner <gd at samba.org>
Date: Tue Nov 17 18:35:29 2015 +0100
s4-torture: flesh out ntlmssp_AUTHENTICATE_MESSAGE_check().
Guenther
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit e073f3c0b622f49ffad7082b9b4fbc429c48d530)
commit 14f400242d86f6eb154d50656387e70902782e5a
Author: Günther Deschner <gd at samba.org>
Date: Tue Nov 17 18:32:28 2015 +0100
s4-torture: add ndr pullpush validation for NTLMSSP CHALLENGE and AUTHENTICATE messages.
Guenther
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 68b9b18e6cd346e2aa32418642b0746cee593be3)
commit 97ac363c1d9bb788cd50f306a1ca3694b2841663
Author: Günther Deschner <gd at samba.org>
Date: Tue Nov 17 18:30:16 2015 +0100
s4-torture: flesh out ntlmssp_CHALLENGE_MESSAGE_check().
Guenther
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit fe1be37c71a816458173082fa9213a3f279a0b79)
commit a54b256ea5e20ef443ef2ab56493476a52479f6e
Author: Günther Deschner <gd at samba.org>
Date: Tue Nov 17 18:29:16 2015 +0100
s4-torture: activate testing of CHALLENGE and AUTHENTICATE ntlmssp messages.
Guenther
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 4ac7a6572149ec5b43a91a303c2008e73e467a56)
commit 109618bd6da62faf3871e4531f23752a5a40837a
Author: Günther Deschner <gd at samba.org>
Date: Tue Nov 17 18:27:29 2015 +0100
s4-torture: fill in ntlmssp_NEGOTIATE_MESSAGE_check().
Guenther
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 68d043faa0aa9e5e0d289806e1aa2acba3f07af5)
commit 1865f1240f7aa59684a25832e59cbb5e1bf803d6
Author: Günther Deschner <gd at samba.org>
Date: Tue Nov 17 15:35:29 2015 +0100
ntlmssp: when pulling messages it is important to clear memory first.
Guenther
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 30386c23ae0a6afd2060e626c73df9a3691a71fb)
commit 42c2d631a4b3f8d11751791921e134d8cedb21a8
Author: Günther Deschner <gd at samba.org>
Date: Tue Nov 17 15:34:47 2015 +0100
ntlmssp: properly document version defines in IDL (from MS-NLMP).
Guenther
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit ded0f3c8b7b4132d250907022ba59e88b45a6ed0)
commit 1e0e8d601a5068abebd4ffefe2daf24ffd854ccc
Author: Günther Deschner <gd at samba.org>
Date: Tue Nov 17 16:42:08 2015 +0100
ntlmssp: fix copy/paste typo in CHALLENGE_MESSAGE in IDL.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 4be7451d9a7ed122c61a08bcf977bebeef4749dd)
commit 5b4999ab1e3b7e14b06b3b026e2e078c4123f7f9
Author: Günther Deschner <gd at samba.org>
Date: Mon Nov 16 16:31:27 2015 +0100
ntlmssp: add some missing defines from MS-NLMP to our IDL.
Guenther
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit feb4ee62c5271b45877c1d3bc1d8b327439e5fd4)
commit e73cfb9f2fe351535209b39e4b297c5457dfa878
Author: Björn Jacke <bj at sernet.de>
Date: Wed Sep 2 12:37:12 2015 +0200
tls: increase Diffie-Hellman group size to 2048 bits
1024 bits is already the minimum accepted size of current TLS libraries. 2048
is recommended for servers, see https://weakdh.org/
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Bjoern Jacke <bj at sernet.de>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Thu Sep 3 03:47:48 CEST 2015 on sn-devel-104
(cherry picked from commit 22a37c453d83c39634fbae72de592024d9b8ba4a)
commit 24c6d426b7b390dd16cd3d60479669bd1d444197
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Mar 11 14:48:20 2016 +0100
s3:pam_smbpass: remove unused dependency to LIBNTLMSSP
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit 62e5169cd7666c0c14eb0a4f256642d9f5f6f1ac
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jan 28 15:50:06 2016 +0100
s3:clispnego: fix confusing warning in spnego_gen_krb5_wrap()
asn1_extract_blob() stops further asn1 processing by setting has_error.
Don't call asn1_has_error() after asn1_extract_blob() has been successful
otherwise we get a "Failed to build krb5 wrapper at" message
on success.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11702
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
(cherry picked from commit 14f1a94b6fb3a55be1e60fe0d28740f04fd94b3f)
(cherry picked from commit c17b1f697c388bd2e0190c4a3574d951b8be483e)
commit 5bbf46e2045229c4f09c1a7ce8a2b730af16b7c4
Author: Jeremy Allison <jra at samba.org>
Date: Wed Jan 6 15:03:47 2016 -0800
s3: smbclient: asn1_extract_blob() stops further asn1 processing by setting has_error.
Don't call asn1_has_error() after asn1_extract_blob() has been successful
otherwise we get a "Failed to build negTokenInit at offset" message
on success.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
Autobuild-User(master): Volker Lendecke <vl at samba.org>
Autobuild-Date(master): Thu Jan 7 16:00:02 CET 2016 on sn-devel-144
(cherry picked from commit 8108f0d320013c560339723d8d70ab601350d0c4)
commit 83b6653657f4ed89cd2be00dc7b321cc92b9efba
Author: Volker Lendecke <vl at samba.org>
Date: Sun Jan 3 21:26:50 2016 +0100
asn1: Make 'struct asn1_data' private
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit d865ed20062cc5fc62313c25e7a6cb90763d0158)
commit 66ea451a2bd5e82033a9451422e55302e225c399
Author: Volker Lendecke <vl at samba.org>
Date: Mon Jan 4 10:42:11 2016 +0100
asn1: Remove a reference to asn1_data internals
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 44c56fc66788adf7b58f1d77a1e7d79d840ea9f6)
commit c27fd0414ad9fb364ab9dea1e807e4435e7c8443
Author: Volker Lendecke <vl at samba.org>
Date: Mon Jan 4 10:30:35 2016 +0100
libcli: Remove a reference to asn1->ofs
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 3c340d81d8bf2e7b8488b150452bbcc4e3b521b6)
commit 9c89afd873826eec507f477256dd735bd113f89e
Author: Volker Lendecke <vl at samba.org>
Date: Tue Jan 5 10:55:44 2016 +0100
lib: Use asn1_current_ofs()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit b7f0e29fd2c30024d5a7da7aa6a1f0084612f9d2)
commit 95fa77f0977d435e751b136b6ae608bc528edc3f
Author: Volker Lendecke <vl at samba.org>
Date: Mon Jan 4 10:25:41 2016 +0100
asn1: Add asn1_current_ofs()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 927bbed6aaed9d454e8750aa053c5fa9fb1f1005)
commit 54aecd70fd55043f76663a7c466aefdfb9aaf631
Author: Volker Lendecke <vl at samba.org>
Date: Mon Jan 4 10:24:01 2016 +0100
lib: Use asn1_has_nesting
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 1282f6063d53b2b86c91cf80c9b0d6a2cdb4ad7b)
commit 9ac83120db612a49f7c2f3cc6113c6bc5fbfe348
Author: Volker Lendecke <vl at samba.org>
Date: Mon Jan 4 10:23:20 2016 +0100
asn1: Add asn1_has_nesting
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 2a5141a772f531ca113b9c2649ad79400c283749)
commit 2b11481b85dda386b1f4087a818358bcaf5f0a58
Author: Volker Lendecke <vl at samba.org>
Date: Sat Jan 2 20:10:53 2016 +0100
lib: Use asn1_extract_blob()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit a93946b2fee6d6fedb9830d1dec593fca15fefc8)
commit a44d9bbee4e18b8d251cb4801906a3dc60c5af9f
Author: Volker Lendecke <vl at samba.org>
Date: Mon Jan 4 21:53:23 2016 +0100
asn1: Add asn1_extract_blob()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 7b7aa016df35ed7f8388a9df08d66a816adc1bf7)
commit 274c9a4461bde9f2500bebaf4e0f92b56f72e378
Author: Volker Lendecke <vl at samba.org>
Date: Mon Jan 4 21:51:07 2016 +0100
lib: Use asn1_set_error()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 8cfb6a313937964902940a7ebada7bacab7dbbb8)
commit a330540ab7659eb0d4062432c1b15496223a3a7b
Author: Volker Lendecke <vl at samba.org>
Date: Mon Jan 4 21:50:49 2016 +0100
asn1: Add asn1_set_error()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 94b44598a581539958d8f537742fcab44d21de4c)
commit 89d0afc13d89f1aa0d8140e24e85b08d58355416
Author: Volker Lendecke <vl at samba.org>
Date: Sat Jan 2 18:11:00 2016 +0100
lib: Use asn1_has_error()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 57a0bc9a9f3a02f809153dc19537110c4c796338)
commit 4b04663d7598ff9511aef96be31c904fa83928ef
Author: Volker Lendecke <vl at samba.org>
Date: Sat Jan 2 17:58:21 2016 +0100
asn1: Add asn1_has_error()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit fa207fe9d17d27060e5e2989c19980103fd4778d)
commit d51a607a42f2c43e5cbb954103da7b36f07ec715
Author: Volker Lendecke <vl at samba.org>
Date: Sun Dec 27 11:18:47 2015 +0100
asn1: Make "struct nesting" private
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit ef8049b24353ea657d6fba989a294939c58895cb)
commit 6d2f6e1d50fdc4d2de7e72e70834164d1b036d16
Author: Volker Lendecke <vl at samba.org>
Date: Sun Dec 27 10:57:07 2015 +0100
asn1: Add some early returns
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit f908e6560bcb06938bee9019d43b622eb31fb2c3)
commit bb6607a56ff9e14b76f58193a19b2d59f61a02d0
Author: Volker Lendecke <vl at samba.org>
Date: Tue Dec 22 13:50:54 2015 +0100
asn1: Add overflow check to asn1_write
Found by pure code reading :-)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 249202d8c04fae245ee373e7926484e33822c905)
commit 7ef13330191b3bd033c90e2a1c5f30f0cd760314
Author: Volker Lendecke <vl at samba.org>
Date: Mon Dec 21 10:41:39 2015 +0100
asn1: Make asn1_peek_full_tag return 0/errno
We don't need the full power of NTSTATUS here. This was the only
NTSTATUS in asn1.h, so I think it's worth removing it.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit ad630a681e345cc7765f2a2f2dc1ba25ee0200c2)
commit 980785ab1355ce4dfcc16c3b4c6d2b3928706bec
Author: Volker Lendecke <vl at samba.org>
Date: Sun Dec 20 21:49:26 2015 +0100
asn1: Remove an unused asn1 function
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 45800223fd5fb8d35770d101882cfb2b19465944)
commit b5c5fec889b967eb3eafb3b29b186edbed87c2fe
Author: Richard Sharpe <rsharpe at samba.org>
Date: Mon Aug 24 20:26:42 2015 -0700
Prevent a crash in Python modules that try to authenticate by ensuring we reject cases where credentials fields are not initialized.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Richard Sharpe <rsharpe at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Tue Aug 25 21:45:18 CEST 2015 on sn-devel-104
(cherry picked from commit dba9e631bd1e1c7e00430b72f0c60b32ee4eeb33)
commit a06c22fdab5897343e14371bccdbddb3c6e659dd
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Mar 8 14:28:06 2016 +0100
VERSION: Bump version up to 4.3.7...
and re-enable git snapshots.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit b28fea7d4803d074c8e20764affca4bb8b71d959)
-----------------------------------------------------------------------
Summary of changes:
VERSION | 2 +-
WHATSNEW.txt | 561 +++++
auth/credentials/credentials.h | 5 +-
auth/credentials/credentials_ntlm.c | 12 +-
auth/gensec/gensec.c | 113 +-
auth/gensec/gensec.h | 4 +
auth/gensec/gensec_internal.h | 7 +
auth/gensec/gensec_start.c | 18 +-
auth/gensec/gensec_util.c | 2 +-
auth/gensec/schannel.c | 22 +-
auth/gensec/spnego.c | 301 ++-
auth/ntlmssp/gensec_ntlmssp.c | 9 +
auth/ntlmssp/gensec_ntlmssp_server.c | 44 +-
auth/ntlmssp/ntlmssp.c | 91 +-
auth/ntlmssp/ntlmssp.h | 17 +
auth/ntlmssp/ntlmssp_client.c | 534 +++-
auth/ntlmssp/ntlmssp_ndr.c | 1 +
auth/ntlmssp/ntlmssp_private.h | 10 +-
auth/ntlmssp/ntlmssp_server.c | 424 +++-
auth/ntlmssp/ntlmssp_sign.c | 103 +-
auth/ntlmssp/ntlmssp_util.c | 176 +-
auth/ntlmssp/wscript_build | 2 +-
.../ldap/ldapserverrequirestrongauth.xml | 26 +
.../smbdotconf/protocol/clientipcmaxprotocol.xml | 29 +
.../smbdotconf/protocol/clientipcminprotocol.xml | 29 +
docs-xml/smbdotconf/protocol/clientmaxprotocol.xml | 9 +-
docs-xml/smbdotconf/protocol/clientminprotocol.xml | 6 +
docs-xml/smbdotconf/protocol/clientusespnego.xml | 5 +
.../security/allowdcerpcauthlevelconnect.xml | 27 +
docs-xml/smbdotconf/security/clientipcsigning.xml | 26 +
docs-xml/smbdotconf/security/clientntlmv2auth.xml | 5 +
docs-xml/smbdotconf/security/clientsigning.xml | 12 +-
docs-xml/smbdotconf/security/rawntlmv2auth.xml | 19 +
docs-xml/smbdotconf/security/serversigning.xml | 2 +-
docs-xml/smbdotconf/security/tlsverifypeer.xml | 47 +
lib/param/loadparm.c | 47 +-
lib/param/loadparm.h | 6 +
lib/param/param_table.c | 83 +
lib/util/asn1.c | 109 +-
lib/util/asn1.h | 25 +-
lib/util/tests/asn1_tests.c | 6 +-
lib/util/util_net.c | 247 +-
lib/util/util_net.h | 1 +
libcli/auth/proto.h | 6 +
libcli/auth/smbencrypt.c | 170 +-
libcli/auth/spnego.h | 8 +-
libcli/auth/spnego_parse.c | 55 +-
libcli/cldap/cldap.c | 12 +-
libcli/ldap/ldap_message.c | 32 +-
libcli/smb/smbXcli_base.c | 1 +
libcli/smb/smb_constants.h | 1 +
libcli/smb/smb_signing.c | 4 +
libcli/smb/tstream_smbXcli_np.c | 4 +
librpc/idl/dcerpc.idl | 15 +-
librpc/idl/epmapper.idl | 2 +-
librpc/idl/ntlmssp.idl | 48 +-
librpc/idl/security.idl | 9 +
librpc/ndr/ndr_ntlmssp.c | 16 +
librpc/ndr/ndr_ntlmssp.h | 2 +
librpc/rpc/binding.c | 2 +-
librpc/rpc/dcerpc_error.c | 6 +-
librpc/rpc/dcerpc_util.c | 141 +-
librpc/rpc/rpc_common.h | 9 +-
nsswitch/libwbclient/wbc_pam.c | 21 +-
nsswitch/winbind_struct_protocol.h | 1 +
python/samba/tests/__init__.py | 525 ++++
python/samba/tests/dcerpc/dnsserver.py | 2 +-
python/samba/tests/dcerpc/raw_protocol.py | 2623 ++++++++++++++++++++
selftest/knownfail | 28 +
.../DC-addc.addom.samba.example.com-S02-cert.pem | 191 ++
.../DC-addc.addom.samba.example.com-S02-key.pem | 54 +
...DC-addc.addom.samba.example.com-S02-openssl.cnf | 250 ++
...ddc.addom.samba.example.com-S02-private-key.pem | 51 +
.../DC-addc.addom.samba.example.com-S02-req.pem | 30 +
.../DC-addc.addom.samba.example.com-cert.pem | 1 +
...DC-addc.addom.samba.example.com-private-key.pem | 1 +
.../DC-localdc.samba.example.com-S00-cert.pem | 190 ++
.../DC-localdc.samba.example.com-S00-key.pem | 54 +
.../DC-localdc.samba.example.com-S00-openssl.cnf | 250 ++
...C-localdc.samba.example.com-S00-private-key.pem | 51 +
.../DC-localdc.samba.example.com-S00-req.pem | 30 +
.../DC-localdc.samba.example.com-cert.pem | 1 +
.../DC-localdc.samba.example.com-private-key.pem | 1 +
.../manage-ca/CA-samba.example.com/NewCerts/00.pem | 190 ++
.../manage-ca/CA-samba.example.com/NewCerts/01.pem | 169 ++
.../manage-ca/CA-samba.example.com/NewCerts/02.pem | 191 ++
.../manage-ca/CA-samba.example.com/NewCerts/03.pem | 169 ++
.../Private/CA-samba.example.com-crlnumber.txt | 1 +
.../Private/CA-samba.example.com-crlnumber.txt.old | 1 +
.../Private/CA-samba.example.com-index.txt | 4 +
.../Private/CA-samba.example.com-index.txt.attr | 1 +
.../CA-samba.example.com-index.txt.attr.old | 1 +
.../Private/CA-samba.example.com-index.txt.old | 3 +
.../Private/CA-samba.example.com-openssl.cnf | 203 ++
.../Private/CA-samba.example.com-private-key.pem | 102 +
.../Private/CA-samba.example.com-serial.txt | 1 +
.../Private/CA-samba.example.com-serial.txt.old | 1 +
.../Public/CA-samba.example.com-cert.pem | 62 +
.../Public/CA-samba.example.com-crl.pem | 32 +
...inistrator at addom.samba.example.com-S03-cert.pem | 169 ++
...ministrator at addom.samba.example.com-S03-key.pem | 30 +
...strator at addom.samba.example.com-S03-openssl.cnf | 242 ++
...tor at addom.samba.example.com-S03-private-key.pem | 27 +
...ministrator at addom.samba.example.com-S03-req.pem | 19 +
...-administrator at addom.samba.example.com-cert.pem | 1 +
...strator at addom.samba.example.com-private-key.pem | 1 +
...ER-administrator at samba.example.com-S01-cert.pem | 169 ++
...SER-administrator at samba.example.com-S01-key.pem | 30 +
...administrator at samba.example.com-S01-openssl.cnf | 242 ++
...nistrator at samba.example.com-S01-private-key.pem | 27 +
...SER-administrator at samba.example.com-S01-req.pem | 19 +
.../USER-administrator at samba.example.com-cert.pem | 1 +
...administrator at samba.example.com-private-key.pem | 1 +
selftest/manage-ca/manage-CA-samba.example.com.cnf | 21 +
selftest/manage-ca/manage-CA-samba.example.com.sh | 18 +
selftest/manage-ca/manage-ca.sh | 387 +++
.../manage-CA-example.com.cnf | 17 +
.../openssl-BASE-template.cnf | 201 ++
.../manage-ca.templates.d/openssl-CA-template.cnf | 2 +
.../manage-ca.templates.d/openssl-DC-template.cnf | 49 +
.../openssl-USER-template.cnf | 41 +
selftest/selftest.pl | 40 +
selftest/target/Samba.pm | 105 +
selftest/target/Samba3.pm | 1 +
selftest/target/Samba4.pm | 232 +-
source3/auth/auth_domain.c | 2 +-
source3/auth/auth_samba4.c | 4 +-
source3/auth/auth_util.c | 15 +
source3/include/auth_generic.h | 7 +-
source3/include/proto.h | 48 +-
source3/lib/netapi/cm.c | 2 +-
source3/lib/tldap.c | 6 +-
source3/libads/ads_proto.h | 1 -
source3/libads/ldap.c | 134 -
source3/libads/sasl.c | 671 ++---
source3/libnet/libnet_join.c | 6 +-
source3/librpc/crypto/gse.c | 81 +-
source3/librpc/rpc/dcerpc.h | 10 +-
source3/librpc/rpc/dcerpc_helpers.c | 98 +-
source3/libsmb/auth_generic.c | 51 +-
source3/libsmb/cliconnect.c | 669 ++---
source3/libsmb/clientgen.c | 9 +
source3/libsmb/clispnego.c | 283 +--
source3/libsmb/ntlmssp.c | 765 ------
source3/libsmb/ntlmssp_wrap.c | 135 -
source3/libsmb/passchange.c | 7 +-
source3/pam_smbpass/wscript_build | 2 +-
source3/param/loadparm.c | 43 +-
source3/rpc_client/cli_pipe.c | 314 ++-
source3/rpc_server/netlogon/srv_netlog_nt.c | 57 +-
source3/rpc_server/rpc_handles.c | 1 +
source3/rpc_server/rpc_ncacn_np.c | 3 +-
source3/rpc_server/rpc_pipes.h | 11 +
source3/rpc_server/rpc_server.c | 12 +
source3/rpc_server/samr/srv_samr_nt.c | 21 +-
source3/rpc_server/srv_pipe.c | 494 ++--
source3/rpcclient/rpcclient.c | 5 +-
source3/script/tests/test_ntlm_auth_s3.sh | 2 +
source3/script/tests/test_rpcclient_samlogon.sh | 11 +-
source3/script/tests/test_smbclient_auth.sh | 11 +
source3/selftest/tests.py | 7 +-
source3/smbd/negprot.c | 6 +-
source3/smbd/sesssetup.c | 4 +-
source3/smbd/smb2_negprot.c | 10 +-
source3/smbd/smb2_sesssetup.c | 3 +-
source3/torture/test_ntlm_auth.py | 553 +++--
source3/utils/net_ads.c | 2 +-
source3/utils/net_rpc.c | 2 +-
source3/utils/net_util.c | 2 +-
source3/utils/ntlm_auth.c | 803 +-----
source3/winbindd/winbindd_ccache_access.c | 44 +-
source3/winbindd/winbindd_cm.c | 6 +-
source3/wscript_build | 10 +-
source4/auth/gensec/gensec_krb5.c | 11 +-
source4/auth/gensec/pygensec.c | 83 +
source4/auth/ntlm/auth_util.c | 4 +-
source4/ldap_server/ldap_bind.c | 50 +-
source4/ldap_server/ldap_server.c | 6 +
source4/ldap_server/ldap_server.h | 2 +
source4/lib/tls/tls.c | 2 +-
source4/lib/tls/tls.h | 23 +
source4/lib/tls/tls_tstream.c | 251 +-
source4/lib/tls/tlscert.c | 18 +-
source4/lib/tls/wscript | 5 +
source4/libcli/cliconnect.c | 2 +-
source4/libcli/ldap/ldap_bind.c | 62 +-
source4/libcli/ldap/ldap_client.c | 9 +-
source4/libcli/ldap/ldap_controls.c | 48 +-
source4/libcli/raw/libcliraw.h | 1 +
source4/libcli/raw/rawnegotiate.c | 11 +-
source4/libcli/smb2/connect.c | 7 +-
source4/libcli/smb_composite/connect.c | 1 +
source4/libcli/smb_composite/sesssetup.c | 35 +-
source4/librpc/rpc/dcerpc.c | 351 ++-
source4/librpc/rpc/dcerpc.h | 14 +-
source4/librpc/rpc/dcerpc_auth.c | 93 +-
source4/librpc/rpc/dcerpc_connect.c | 22 +
source4/librpc/rpc/dcerpc_roh.c | 13 +-
source4/librpc/rpc/dcerpc_util.c | 22 +-
source4/param/loadparm.c | 3 +-
source4/rpc_server/backupkey/dcesrv_backupkey.c | 13 +-
source4/rpc_server/common/reply.c | 49 +-
source4/rpc_server/dcerpc_server.c | 812 ++++--
source4/rpc_server/dcerpc_server.h | 57 +-
source4/rpc_server/dcesrv_auth.c | 261 +-
source4/rpc_server/dcesrv_mgmt.c | 8 +
source4/rpc_server/dnsserver/dcerpc_dnsserver.c | 8 +
source4/rpc_server/drsuapi/dcesrv_drsuapi.c | 8 +
source4/rpc_server/echo/rpc_echo.c | 7 +
source4/rpc_server/epmapper/rpc_epmapper.c | 8 +
source4/rpc_server/handles.c | 8 +-
source4/rpc_server/lsa/dcesrv_lsa.c | 8 +
source4/rpc_server/lsa/lsa_lookup.c | 12 +-
source4/rpc_server/netlogon/dcerpc_netlogon.c | 46 +-
source4/rpc_server/remote/dcesrv_remote.c | 8 +-
source4/rpc_server/samr/dcesrv_samr.c | 12 +
source4/rpc_server/samr/samr_password.c | 25 +-
source4/selftest/tests.py | 75 +-
source4/smb_server/smb/negprot.c | 6 +-
source4/smb_server/smb/sesssetup.c | 10 +
source4/smb_server/smb2/negprot.c | 7 +-
source4/smb_server/smb2/sesssetup.c | 8 -
source4/torture/basic/base.c | 20 +-
source4/torture/ndr/ntlmssp.c | 183 +-
source4/torture/raw/samba3misc.c | 7 +
source4/torture/rpc/backupkey.c | 21 +-
source4/torture/rpc/forest_trust.c | 12 +-
source4/torture/rpc/lsa.c | 14 +-
source4/torture/rpc/netlogon.c | 101 +-
source4/torture/rpc/netlogon.h | 7 +
source4/torture/rpc/remote_pac.c | 39 +-
source4/torture/rpc/samba3rpc.c | 61 +-
source4/torture/rpc/samlogon.c | 3 +-
source4/torture/rpc/samr.c | 4 +-
source4/torture/rpc/schannel.c | 29 +-
source4/torture/rpc/testjoin.c | 35 +-
testprogs/blackbox/test_ldb_simple.sh | 41 +
wscript_configure_system_mitkrb5 | 4 +-
238 files changed, 15105 insertions(+), 4869 deletions(-)
create mode 100644 docs-xml/smbdotconf/ldap/ldapserverrequirestrongauth.xml
create mode 100644 docs-xml/smbdotconf/protocol/clientipcmaxprotocol.xml
create mode 100644 docs-xml/smbdotconf/protocol/clientipcminprotocol.xml
create mode 100644 docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml
create mode 100644 docs-xml/smbdotconf/security/clientipcsigning.xml
create mode 100644 docs-xml/smbdotconf/security/rawntlmv2auth.xml
create mode 100644 docs-xml/smbdotconf/security/tlsverifypeer.xml
create mode 100755 python/samba/tests/dcerpc/raw_protocol.py
create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-cert.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-key.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-openssl.cnf
create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-private-key.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-req.pem
create mode 120000 selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-cert.pem
create mode 120000 selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-private-key.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-cert.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-key.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-openssl.cnf
create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-private-key.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-req.pem
create mode 120000 selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-cert.pem
create mode 120000 selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-private-key.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/NewCerts/00.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/NewCerts/01.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/NewCerts/02.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/NewCerts/03.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-crlnumber.txt
create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-crlnumber.txt.old
create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-index.txt
create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-index.txt.attr
create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-index.txt.attr.old
create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-index.txt.old
create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-openssl.cnf
create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-private-key.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-serial.txt
create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-serial.txt.old
create mode 100644 selftest/manage-ca/CA-samba.example.com/Public/CA-samba.example.com-cert.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/Public/CA-samba.example.com-crl.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at addom.samba.example.com/USER-administrator at addom.samba.example.com-S03-cert.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at addom.samba.example.com/USER-administrator at addom.samba.example.com-S03-key.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at addom.samba.example.com/USER-administrator at addom.samba.example.com-S03-openssl.cnf
create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at addom.samba.example.com/USER-administrator at addom.samba.example.com-S03-private-key.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at addom.samba.example.com/USER-administrator at addom.samba.example.com-S03-req.pem
create mode 120000 selftest/manage-ca/CA-samba.example.com/Users/administrator at addom.samba.example.com/USER-administrator at addom.samba.example.com-cert.pem
create mode 120000 selftest/manage-ca/CA-samba.example.com/Users/administrator at addom.samba.example.com/USER-administrator at addom.samba.example.com-private-key.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at samba.example.com/USER-administrator at samba.example.com-S01-cert.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at samba.example.com/USER-administrator at samba.example.com-S01-key.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at samba.example.com/USER-administrator at samba.example.com-S01-openssl.cnf
create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at samba.example.com/USER-administrator at samba.example.com-S01-private-key.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at samba.example.com/USER-administrator at samba.example.com-S01-req.pem
create mode 120000 selftest/manage-ca/CA-samba.example.com/Users/administrator at samba.example.com/USER-administrator at samba.example.com-cert.pem
create mode 120000 selftest/manage-ca/CA-samba.example.com/Users/administrator at samba.example.com/USER-administrator at samba.example.com-private-key.pem
create mode 100644 selftest/manage-ca/manage-CA-samba.example.com.cnf
create mode 100644 selftest/manage-ca/manage-CA-samba.example.com.sh
create mode 100755 selftest/manage-ca/manage-ca.sh
create mode 100644 selftest/manage-ca/manage-ca.templates.d/manage-CA-example.com.cnf
create mode 100644 selftest/manage-ca/manage-ca.templates.d/openssl-BASE-template.cnf
create mode 100644 selftest/manage-ca/manage-ca.templates.d/openssl-CA-template.cnf
create mode 100644 selftest/manage-ca/manage-ca.templates.d/openssl-DC-template.cnf
create mode 100644 selftest/manage-ca/manage-ca.templates.d/openssl-USER-template.cnf
delete mode 100644 source3/libsmb/ntlmssp.c
delete mode 100644 source3/libsmb/ntlmssp_wrap.c
create mode 100755 testprogs/blackbox/test_ldb_simple.sh
Changeset truncated at 500 lines:
diff --git a/VERSION b/VERSION
index 2dec4b2..3339e83 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
########################################################
SAMBA_VERSION_MAJOR=4
SAMBA_VERSION_MINOR=3
-SAMBA_VERSION_RELEASE=6
+SAMBA_VERSION_RELEASE=8
########################################################
# If a official release has a serious bug #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index a47ede4..435ae45 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,4 +1,565 @@
=============================
+ Release Notes for Samba 4.3.8
+ April 12, 2016
+ =============================
+
+This is a security release containing one additional
+regression fix for the security release 4.3.7.
+
+This fixes a regression that prevents things like 'net ads join'
+from working against a Windows 2003 domain.
+
+Changes since 4.3.7:
+====================
+
+o Stefan Metzmacher <metze at samba.org>
+ * Bug 11804 - prerequisite backports for the security release on
+ April 12th, 2016
+
+Release notes for the original 4.3.7 release follows:
+-----------------------------------------------------
+
+ =============================
+ Release Notes for Samba 4.3.7
+ April 12, 2016
+ =============================
+
+
+This is a security release in order to address the following CVEs:
+
+o CVE-2015-5370 (Multiple errors in DCE-RPC code)
+
+o CVE-2016-2110 (Man in the middle attacks possible with NTLMSSP)
+
+o CVE-2016-2111 (NETLOGON Spoofing Vulnerability)
+
+o CVE-2016-2112 (LDAP client and server don't enforce integrity)
+
+o CVE-2016-2113 (Missing TLS certificate validation)
+
+o CVE-2016-2114 ("server signing = mandatory" not enforced)
+
+o CVE-2016-2115 (SMB IPC traffic is not integrity protected)
+
+o CVE-2016-2118 (SAMR and LSA man in the middle attacks possible)
+
+The number of changes are rather huge for a security release,
+compared to typical security releases.
+
+Given the number of problems and the fact that they are all related
+to man in the middle attacks we decided to fix them all at once
+instead of splitting them.
+
+In order to prevent the man in the middle attacks it was required
+to change the (default) behavior for some protocols. Please see the
+"New smb.conf options" and "Behavior changes" sections below.
+
+=======
+Details
+=======
+
+o CVE-2015-5370
+
+ Versions of Samba from 3.6.0 to 4.4.0 inclusive are vulnerable to
+ denial of service attacks (crashes and high cpu consumption)
+ in the DCE-RPC client and server implementations. In addition,
+ errors in validation of the DCE-RPC packets can lead to a downgrade
+ of a secure connection to an insecure one.
+
+ While we think it is unlikely, there's a nonzero chance for
+ a remote code execution attack against the client components,
+ which are used by smbd, winbindd and tools like net, rpcclient and
+ others. This may gain root access to the attacker.
+
+ The above applies all possible server roles Samba can operate in.
+
+ Note that versions before 3.6.0 had completely different marshalling
+ functions for the generic DCE-RPC layer. It's quite possible that
+ that code has similar problems!
+
+ The downgrade of a secure connection to an insecure one may
+ allow an attacker to take control of Active Directory object
+ handles created on a connection created from an Administrator
+ account and re-use them on the now non-privileged connection,
+ compromising the security of the Samba AD-DC.
+
+o CVE-2016-2110:
+
+ There are several man in the middle attacks possible with
+ NTLMSSP authentication.
+
+ E.g. NTLMSSP_NEGOTIATE_SIGN and NTLMSSP_NEGOTIATE_SEAL
+ can be cleared by a man in the middle.
+
+ This was by protocol design in earlier Windows versions.
+
+ Windows Server 2003 RTM and Vista RTM introduced a way
+ to protect against the trivial downgrade.
+
+ See MsvAvFlags and flag 0x00000002 in
+ https://msdn.microsoft.com/en-us/library/cc236646.aspx
+
+ This new feature also implies support for a mechlistMIC
+ when used within SPNEGO, which may prevent downgrades
+ from other SPNEGO mechs, e.g. Kerberos, if sign or
+ seal is finally negotiated.
+
+ The Samba implementation doesn't enforce the existence of
+ required flags, which were requested by the application layer,
+ e.g. LDAP or SMB1 encryption (via the unix extensions).
+ As a result a man in the middle can take over the connection.
+ It is also possible to misguide client and/or
+ server to send unencrypted traffic even if encryption
+ was explicitly requested.
+
+ LDAP (with NTLMSSP authentication) is used as a client
+ by various admin tools of the Samba project,
+ e.g. "net", "samba-tool", "ldbsearch", "ldbedit", ...
+
+ As an active directory member server LDAP is also used
+ by the winbindd service when connecting to domain controllers.
+
+ Samba also offers an LDAP server when running as
+ active directory domain controller.
+
+ The NTLMSSP authentication used by the SMB1 encryption
+ is protected by smb signing, see CVE-2015-5296.
+
+o CVE-2016-2111:
+
+ It's basically the same as CVE-2015-0005 for Windows:
+
+ The NETLOGON service in Microsoft Windows Server 2003 SP2,
+ Windows Server 2008 SP2 and R2 SP1, and Windows Server 2012 Gold
+ and R2, when a Domain Controller is configured, allows remote
+ attackers to spoof the computer name of a secure channel's
+ endpoint, and obtain sensitive session information, by running a
+ crafted application and leveraging the ability to sniff network
+ traffic, aka "NETLOGON Spoofing Vulnerability".
+
+ The vulnerability in Samba is worse as it doesn't require
+ credentials of a computer account in the domain.
+
+ This only applies to Samba running as classic primary domain controller,
+ classic backup domain controller or active directory domain controller.
+
+ The security patches introduce a new option called "raw NTLMv2 auth"
+ ("yes" or "no") for the [global] section in smb.conf.
+ Samba (the smbd process) will reject client using raw NTLMv2
+ without using NTLMSSP.
+
+ Note that this option also applies to Samba running as
+ standalone server and member server.
+
+ You should also consider using "lanman auth = no" (which is already the default)
+ and "ntlm auth = no". Have a look at the smb.conf manpage for further details,
+ as they might impact compatibility with older clients. These also
+ apply for all server roles.
+
+o CVE-2016-2112:
+
+ Samba uses various LDAP client libraries, a builtin one and/or the system
+ ldap libraries (typically openldap).
+
+ As active directory domain controller Samba also provides an LDAP server.
+
+ Samba takes care of doing SASL (GSS-SPNEGO) authentication with Kerberos or NTLMSSP
+ for LDAP connections, including possible integrity (sign) and privacy (seal)
+ protection.
+
+ Samba has support for an option called "client ldap sasl wrapping" since version
+ 3.2.0. Its default value has changed from "plain" to "sign" with version 4.2.0.
+
+ Tools using the builtin LDAP client library do not obey the
+ "client ldap sasl wrapping" option. This applies to tools like:
+ "samba-tool", "ldbsearch", "ldbedit" and more. Some of them have command line
+ options like "--sign" and "--encrypt". With the security update they will
+ also obey the "client ldap sasl wrapping" option as default.
+
+ In all cases, even if explicitly request via "client ldap sasl wrapping",
+ "--sign" or "--encrypt", the protection can be downgraded by a man in the
+ middle.
+
+ The LDAP server doesn't have an option to enforce strong authentication
+ yet. The security patches will introduce a new option called
+ "ldap server require strong auth", possible values are "no",
+ "allow_sasl_over_tls" and "yes".
+
+ As the default behavior was as "no" before, you may
+ have to explicitly change this option until all clients have
+ been adjusted to handle LDAP_STRONG_AUTH_REQUIRED errors.
+ Windows clients and Samba member servers already use
+ integrity protection.
+
+o CVE-2016-2113:
+
+ Samba has support for TLS/SSL for some protocols:
+ ldap and http, but currently certificates are not
+ validated at all. While we have a "tls cafile" option,
+ the configured certificate is not used to validate
+ the server certificate.
+
+ This applies to ldaps:// connections triggered by tools like:
+ "ldbsearch", "ldbedit" and more. Note that it only applies
+ to the ldb tools when they are built as part of Samba or with Samba
+ extensions installed, which means the Samba builtin LDAP client library is
+ used.
+
+ It also applies to dcerpc client connections using ncacn_http (with https://),
+ which are only used by the openchange project. Support for ncacn_http
+ was introduced in version 4.2.0.
+
+ The security patches will introduce a new option called
+ "tls verify peer". Possible values are "no_check", "ca_only",
+ "ca_and_name_if_available", "ca_and_name" and "as_strict_as_possible".
+
+ If you use the self-signed certificates which are auto-generated
+ by Samba, you won't have a crl file and need to explicitly
+ set "tls verify peer = ca_and_name".
+
+o CVE-2016-2114
+
+ Due to a regression introduced in Samba 4.0.0,
+ an explicit "server signing = mandatory" in the [global] section
+ of the smb.conf was not enforced for clients using the SMB1 protocol.
+
+ As a result it does not enforce smb signing and allows man in the middle attacks.
+
+ This problem applies to all possible server roles:
+ standalone server, member server, classic primary domain controller,
+ classic backup domain controller and active directory domain controller.
+
+ In addition, when Samba is configured with "server role = active directory domain controller"
+ the effective default for the "server signing" option should be "mandatory".
+
+ During the early development of Samba 4 we had a new experimental
+ file server located under source4/smb_server. But before
+ the final 4.0.0 release we switched back to the file server
+ under source3/smbd.
+
+ But the logic for the correct default of "server signing" was not
+ ported correctly ported.
+
+ Note that the default for server roles other than active directory domain
+ controller, is "off" because of performance reasons.
+
+o CVE-2016-2115:
+
+ Samba has an option called "client signing", this is turned off by default
+ for performance reasons on file transfers.
+
+ This option is also used when using DCERPC with ncacn_np.
+
+ In order to get integrity protection for ipc related communication
+ by default the "client ipc signing" option is introduced.
+ The effective default for this new option is "mandatory".
+
+ In order to be compatible with more SMB server implementations,
+ the following additional options are introduced:
+ "client ipc min protocol" ("NT1" by default) and
+ "client ipc max protocol" (the highest support SMB2/3 dialect by default).
+ These options overwrite the "client min protocol" and "client max protocol"
+ options, because the default for "client max protocol" is still "NT1".
+ The reason for this is the fact that all SMB2/3 support SMB signing,
+ while there are still SMB1 implementations which don't offer SMB signing
+ by default (this includes Samba versions before 4.0.0).
+
+ Note that winbindd (in versions 4.2.0 and higher) enforces SMB signing
+ against active directory domain controllers despite of the
+ "client signing" and "client ipc signing" options.
+
+o CVE-2016-2118 (a.k.a. BADLOCK):
+
+ The Security Account Manager Remote Protocol [MS-SAMR] and the
+ Local Security Authority (Domain Policy) Remote Protocol [MS-LSAD]
+ are both vulnerable to man in the middle attacks. Both are application level
+ protocols based on the generic DCE 1.1 Remote Procedure Call (DCERPC) protocol.
+
+ These protocols are typically available on all Windows installations
+ as well as every Samba server. They are used to maintain
+ the Security Account Manager Database. This applies to all
+ roles, e.g. standalone, domain member, domain controller.
+
+ Any authenticated DCERPC connection a client initiates against a server
+ can be used by a man in the middle to impersonate the authenticated user
+ against the SAMR or LSAD service on the server.
+
+ The client chosen application protocol, auth type (e.g. Kerberos or NTLMSSP)
+ and auth level (NONE, CONNECT, PKT_INTEGRITY, PKT_PRIVACY) do not matter
+ in this case. A man in the middle can change auth level to CONNECT
+ (which means authentication without message protection) and take over
+ the connection.
+
+ As a result, a man in the middle is able to get read/write access to the
+ Security Account Manager Database, which reveals all passwords
+ and any other potential sensitive information.
+
+ Samba running as an active directory domain controller is additionally
+ missing checks to enforce PKT_PRIVACY for the
+ Directory Replication Service Remote Protocol [MS-DRSR] (drsuapi)
+ and the BackupKey Remote Protocol [MS-BKRP] (backupkey).
+ The Domain Name Service Server Management Protocol [MS-DNSP] (dnsserver)
+ is not enforcing at least PKT_INTEGRITY.
+
+====================
+New smb.conf options
+====================
+
+ allow dcerpc auth level connect (G)
+
+ This option controls whether DCERPC services are allowed to be used with
+ DCERPC_AUTH_LEVEL_CONNECT, which provides authentication, but no per
+ message integrity nor privacy protection.
+
+ Some interfaces like samr, lsarpc and netlogon have a hard-coded default
+ of no and epmapper, mgmt and rpcecho have a hard-coded default of yes.
+
+ The behavior can be overwritten per interface name (e.g. lsarpc,
+ netlogon, samr, srvsvc, winreg, wkssvc ...) by using
+ 'allow dcerpc auth level connect:interface = yes' as option.
+
+ This option yields precedence to the implementation specific restrictions.
+ E.g. the drsuapi and backupkey protocols require DCERPC_AUTH_LEVEL_PRIVACY.
+ The dnsserver protocol requires DCERPC_AUTH_LEVEL_INTEGRITY.
+
+ Default: allow dcerpc auth level connect = no
+
+ Example: allow dcerpc auth level connect = yes
+
+ client ipc signing (G)
+
+ This controls whether the client is allowed or required to use
+ SMB signing for IPC$ connections as DCERPC transport. Possible
+ values are auto, mandatory and disabled.
+
+ When set to mandatory or default, SMB signing is required.
+
+ When set to auto, SMB signing is offered, but not enforced and
+ if set to disabled, SMB signing is not offered either.
+
+ Connections from winbindd to Active Directory Domain Controllers
+ always enforce signing.
+
+ Default: client ipc signing = default
+
+ client ipc max protocol (G)
+
+ The value of the parameter (a string) is the highest protocol level that will
+ be supported for IPC$ connections as DCERPC transport.
+
+ Normally this option should not be set as the automatic negotiation phase
+ in the SMB protocol takes care of choosing the appropriate protocol.
+
+ The value default refers to the latest supported protocol, currently SMB3_11.
+
+ See client max protocol for a full list of available protocols.
+ The values CORE, COREPLUS, LANMAN1, LANMAN2 are silently upgraded to NT1.
+
+ Default: client ipc max protocol = default
+
+ Example: client ipc max protocol = SMB2_10
+
+ client ipc min protocol (G)
+
+ This setting controls the minimum protocol version that the will be
+ attempted to use for IPC$ connections as DCERPC transport.
+
+ Normally this option should not be set as the automatic negotiation phase
+ in the SMB protocol takes care of choosing the appropriate protocol.
+
+ The value default refers to the higher value of NT1 and the
+ effective value of "client min protocol".
+
+ See client max protocol for a full list of available protocols.
+ The values CORE, COREPLUS, LANMAN1, LANMAN2 are silently upgraded to NT1.
+
+ Default: client ipc min protocol = default
+
+ Example: client ipc min protocol = SMB3_11
+
+ ldap server require strong auth (G)
+
+ The ldap server require strong auth defines whether the
+ ldap server requires ldap traffic to be signed or
+ signed and encrypted (sealed). Possible values are no,
+ allow_sasl_over_tls and yes.
+
+ A value of no allows simple and sasl binds over all transports.
+
+ A value of allow_sasl_over_tls allows simple and sasl binds (without sign or seal)
+ over TLS encrypted connections. Unencrypted connections only
+ allow sasl binds with sign or seal.
+
+ A value of yes allows only simple binds over TLS encrypted connections.
+ Unencrypted connections only allow sasl binds with sign or seal.
+
+ Default: ldap server require strong auth = yes
+
+ raw NTLMv2 auth (G)
+
+ This parameter determines whether or not smbd(8) will allow SMB1 clients
+ without extended security (without SPNEGO) to use NTLMv2 authentication.
+
+ If this option, lanman auth and ntlm auth are all disabled, then only
+ clients with SPNEGO support will be permitted. That means NTLMv2 is only
+ supported within NTLMSSP.
+
+ Default: raw NTLMv2 auth = no
+
+ tls verify peer (G)
+
+ This controls if and how strict the client will verify the peer's
+ certificate and name. Possible values are (in increasing order): no_check,
+ ca_only, ca_and_name_if_available, ca_and_name and as_strict_as_possible.
+
+ When set to no_check the certificate is not verified at all,
+ which allows trivial man in the middle attacks.
+
+ When set to ca_only the certificate is verified to be signed from a ca
+ specified in the "tls ca file" option. Setting "tls ca file" to a valid file
+ is required. The certificate lifetime is also verified. If the "tls crl file"
+ option is configured, the certificate is also verified against
+ the ca crl.
+
+ When set to ca_and_name_if_available all checks from ca_only are performed.
+ In addition, the peer hostname is verified against the certificate's
+ name, if it is provided by the application layer and not given as
+ an ip address string.
+
+ When set to ca_and_name all checks from ca_and_name_if_available are performed.
+ In addition the peer hostname needs to be provided and even an ip
+ address is checked against the certificate's name.
+
+ When set to as_strict_as_possible all checks from ca_and_name are performed.
+ In addition the "tls crl file" needs to be configured. Future versions
+ of Samba may implement additional checks.
+
+ Default: tls verify peer = as_strict_as_possible
+
+ tls priority (G) (backported from Samba 4.3 to Samba 4.2)
+
+ This option can be set to a string describing the TLS protocols to be
+ supported in the parts of Samba that use GnuTLS, specifically the AD DC.
+
+ The default turns off SSLv3, as this protocol is no longer considered
+ secure after CVE-2014-3566 (otherwise known as POODLE) impacted SSLv3 use
+ in HTTPS applications.
+
+ The valid options are described in the GNUTLS Priority-Strings
+ documentation at http://gnutls.org/manual/html_node/Priority-Strings.html
+
+ Default: tls priority = NORMAL:-VERS-SSL3.0
+
+================
+Behavior changes
+================
+
+o The default auth level for authenticated binds has changed from
+ DCERPC_AUTH_LEVEL_CONNECT to DCERPC_AUTH_LEVEL_INTEGRITY.
+ That means ncacn_ip_tcp:server is now implicitly the same
+ as ncacn_ip_tcp:server[sign] and offers a similar protection
+ as ncacn_np:server, which relies on smb signing.
+
+o The following constraints are applied to SMB1 connections:
+
+ - "client lanman auth = yes" is now consistently
+ required for authenticated connections using the
+ SMB1 LANMAN2 dialect.
+ - "client ntlmv2 auth = yes" and "client use spnego = yes"
+ (both the default values), require extended security (SPNEGO)
+ support from the server. That means NTLMv2 is only used within
+ NTLMSSP.
+
+o Tools like "samba-tool", "ldbsearch", "ldbedit" and more obey the
+ default of "client ldap sasl wrapping = sign". Even with
+ "client ldap sasl wrapping = plain" they will automatically upgrade
+ to "sign" when getting LDAP_STRONG_AUTH_REQUIRED from the LDAP
+ server.
+
+Changes since 4.3.6:
+====================
+
+o Jeremy Allison <jra at samba.org>
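Review bot: In the "client ipc signing" entry, the list of possible values (auto, mandatory and disabled) omits "default", although the next paragraph says "When set to mandatory or default" and the Default line reads "client ipc signing = default"; add default to the list of possible values. In "client ipc min protocol", the phrase "the minimum protocol version that the will be attempted to use" is missing a word and should read along the lines of "that the client will attempt to use". In "ldap server require strong auth", "A value of yes allows only simple binds over TLS encrypted connections" can be read as forbidding sasl binds over TLS; "allows simple binds only over TLS encrypted connections" would fit the following sentence about unencrypted connections. In "allow dcerpc auth level connect", "can be overwritten per interface name" should be "can be overridden".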
--
Samba Shared Repository