[SCM] Samba Shared Repository - branch v4-2-stable updated
Karolin Seeger
kseeger at samba.org
Tue Apr 12 17:02:40 UTC 2016
The branch, v4-2-stable has been updated
via cdf4f21 VERSION: Disable git snapshots for the 4.2.11 release.
via aada3ea WHATSNEW: Add release notes for Samba 4.2.11.
via 96331b2 s3:libads: sasl wrapped LDAP connections against with kerberos and arcfour-hmac-md5
via cb48e70 VERSION: Bump version up to 4.2.11...
via 343f384 VERSION: Disable git snapshots for the 4.2.10 release.
via 5f0e4f1 WHATSNEW: Add release notes for Samba 4.2.10.
via b065ce6 CVE-2015-5370: s4:selftest: run samba.tests.dcerpc.raw_protocol against plugin_s4_dc
via 88e9a0a CVE-2015-5370: python/samba/tests: add some dcerpc raw_protocol tests
via df411cb CVE-2015-5370: python/samba/tests: add infrastructure to do raw protocol tests for DCERPC
via 284894c CVE-2015-5370: s4:librpc/rpc: call dcerpc_connection_dead() on protocol errors
via 024d3b2 CVE-2015-5370: s3:rpc_client: disconnect connection on protocol errors
via 8e0b06a CVE-2015-5370: libcli/smb: use a max timeout of 1 second in tstream_smbXcli_np_destructor()
via 3ef461d CVE-2015-5370: s3:rpc_server: verify auth_context_id in api_pipe_{bind_auth3,alter_context}
via 93a0f92 CVE-2015-5370: s3:rpc_client: verify auth_context_id in rpc_pipe_bind_step_one_done()
via 0cf3151 CVE-2015-5370: s3:librpc/rpc: verify auth_context_id in dcerpc_check_auth()
via 61faaa6 CVE-2015-5370: s3:librpc/rpc: make use of auth->auth_context_id in dcerpc_add_auth_footer()
via 2bc6172 CVE-2015-5370: s3:rpc_server: make use of pipe_auth_data->auth_context_id
via ae68d3f CVE-2015-5370: s3:rpc_client: make use of pipe_auth_data->auth_context_id
via cbf20b4 CVE-2015-5370: s3:librpc/rpc: add auth_context_id to struct pipe_auth_data
via f556d92 CVE-2015-5370: s3:rpc_client: pass struct pipe_auth_data to create_rpc_{bind_auth3,alter_context}()
via a995740 CVE-2015-5370: s3:rpc_server: don't allow an existing context to be changed in check_bind_req()
via 9464684 CVE-2015-5370: s3:rpc_server: check the transfer syntax in check_bind_req() first
via 02aef97 CVE-2015-5370: s3:librpc/rpc: remove unused dcerpc_pull_dcerpc_auth()
via d30363f CVE-2015-5370: s3:rpc_server: use DCERPC_NCA_S_PROTO_ERROR FAULTs for protocol errors
via 8d97085 CVE-2015-5370: s3:rpc_server: let a failing BIND mark the connection as broken
via 664d7ac CVE-2015-5370: s3:rpc_server: disconnect the connection after a fatal FAULT pdu
via e39fdce CVE-2015-5370: s3:rpc_server: make use of dcerpc_verify_ncacn_packet_header() to verify incoming pdus
via 1e6b4ab CVE-2015-5370: s3:rpc_server: verify presentation context arrays
via cdefee1 CVE-2015-5370: s3:rpc_server: use 'alter' instead of 'bind' for variables in api_pipe_alter_context()
via 0239bfa CVE-2015-5370: s3:rpc_server: ensure that the message ordering doesn't violate the spec
via 63d21d2 CVE-2015-5370: s3:rpc_server: make sure auth_level isn't changed by alter_context or auth3
via 8c96ef7 CVE-2015-5370: s3:rpc_server: let a failing auth3 mark the authentication as invalid
via 69280e6 CVE-2015-5370: s3:rpc_server: don't allow auth3 if the authentication was already finished
via 25bf597 CVE-2015-5370: s3:rpc_server: don't ignore failures of dcerpc_push_ncacn_packet()
via af2582e CVE-2015-5370: s3:rpc_server: just call pipe_auth_generic_bind() in api_pipe_bind_req()
via 189c0fb CVE-2015-5370: s3:rpc_server: let a failing sec_verification_trailer mark the connection as broken
via 2a92546 CVE-2015-5370: s3:rpc_server: make use of dcerpc_pull_auth_trailer() in api_pipe_{bind_req,alter_context,bind_auth3}()
via df51c22 CVE-2015-5370: s3:rpc_client: verify auth_{type,level} in rpc_pipe_bind_step_one_done()
via 9818296 CVE-2015-5370: s3:rpc_client: protect rpc_api_pipe_got_pdu() against too large payloads
via 81bbffa CVE-2015-5370: s3:rpc_client: make use of dcerpc_verify_ncacn_packet_header() in cli_pipe_validate_current_pdu()
via acea87f CVE-2015-5370: s3:rpc_client: make use of dcerpc_pull_auth_trailer()
via 19f489d CVE-2015-5370: s3:librpc/rpc: let dcerpc_check_auth() auth_{type,level} against the expected values.
via df3cdf0 CVE-2015-5370: s3:librpc/rpc: remove auth trailer and possible padding within dcerpc_check_auth()
via 1ed83c7 CVE-2015-5370: librpc/rpc: don't allow pkt->auth_length == 0 in dcerpc_pull_auth_trailer()
via 14a7db6 CVE-2015-5370: s4:rpc_server: reject DCERPC_PFC_FLAG_PENDING_CANCEL with DCERPC_FAULT_NO_CALL_ACTIVE
via 71d1c9f CVE-2015-5370: s4:rpc_server: the assoc_group is relative to the connection (association)
via e601549 CVE-2015-5370: s4:rpc_server: only allow one fragmented call_id at a time
via fbf402c CVE-2015-5370: s4:rpc_server: limit allocation and alloc_hint to 4 MByte
via dd8c942 CVE-2015-5370: s4:rpc_server: check frag_length for requests
via 74de5d8 CVE-2015-5370: s4:rpc_server: give the correct reject reasons for invalid auth_level values
via 772ba3f CVE-2015-5370: s4:rpc_server: disconnect after a failing dcesrv_auth_request()
via 9dd171f CVE-2015-5370: s4:rpc_server: let a failing auth3 mark the authentication as invalid
via d5916e0 CVE-2015-5370: s4:rpc_server: failing authentication should generate a SEC_PKG_ERROR
via 5ac7fc8 CVE-2015-5370: s4:rpc_server: fix the order of error checking in dcesrv_alter()
via b430b1f CVE-2015-5370: s4:rpc_server: changing an existing presentation context via alter_context is a protocol error
via 0863c95 CVE-2015-5370: s4:rpc_server: don't derefence an empty ctx_list array in dcesrv_alter()
via 9a52709 CVE-2015-5370: s4:rpc_server: remove pointless dcesrv_find_context() from dcesrv_bind()
via 1da3379 CVE-2015-5370: s4:rpc_server: let invalid request fragments disconnect the connection with a protocol error
via b51da52 CVE-2015-5370: s4:rpc_server: make sure alter_context and auth3 can't change auth_{type,level,context_id}
via eb3f8a5 CVE-2015-5370: s4:rpc_server: maintain in and out struct dcerpc_auth per dcesrv_call_state
via 0d20260 CVE-2015-5370: s4:rpc_server: ensure that the message ordering doesn't violate the spec
via b40ab6b CVE-2015-5370: s4:rpc_server: verify the protocol headers before processing pdus
via 409b8fd CVE-2015-5370: s4:rpc_server: add infrastructure to terminate a connection after a response
via 358af62 CVE-2015-5370: s4:rpc_server: make dcesrv_process_ncacn_packet() static
via f3c68c6 CVE-2015-5370: s4:rpc_server: return the correct secondary_address in dcesrv_bind()
via 0f4a3c3 CVE-2015-5370: s4:rpc_server: add some padding to dcesrv_bind_nak() responses
via 97a19d9 CVE-2015-5370: s4:rpc_server: split out a dcesrv_fault_with_flags() helper function
via 494ba35 CVE-2015-5370: s4:rpc_server: fill context_id in dcesrv_fault()
via 2cf79f9 CVE-2015-5370: s4:rpc_server: set alloc_hint = 24 in dcesrv_fault()
via ec8b2a3 CVE-2015-5370: s4:rpc_server: avoid ZERO_STRUCT() in dcesrv_fault()
via d7f0712 CVE-2015-5370: s4:rpc_server: correctly maintain dcesrv_connection->max_{recv,xmit}_frag
via 1780b43 CVE-2015-5370: s4:rpc_server/netlogon: make use of dce_call->conn->auth_state.auth_{level,type}
via 77e7d19 CVE-2015-5370: s4:rpc_server/samr: make use of dce_call->conn->auth_state.auth_level
via 2f0c9d6 CVE-2015-5370: s4:rpc_server/lsa: make use of dce_call->conn->auth_state.auth_{level,type}
via b075822 CVE-2015-5370: s4:rpc_server: make use of dce_call->conn->auth_state.auth_* in dcesrv_request()
via c784fcd CVE-2015-5370: s4:rpc_server: maintain dcesrv_auth->auth_{type,level,context_id}
via 8e8c2da CVE-2015-5370: s4:rpc_server: check the result of dcerpc_pull_auth_trailer() in dcesrv_auth_bind()
via c0236de CVE-2015-5370: s4:rpc_server: no authentication is indicated by pkt->auth_length == 0
via b91112d CVE-2015-5370: s4:rpc_server: make use of talloc_zero()
via 69c7776 CVE-2015-5370: s4:librpc/rpc: protect dcerpc_request_recv_data() against too large payloads
via 1e88acf CVE-2015-5370: s4:librpc/rpc: use dcerpc_verify_ncacn_packet_header() to verify BIND_ACK,ALTER_RESP,RESPONSE pdus
via a1c6916 CVE-2015-5370: s4:librpc/rpc: handle DCERPC_PKT_FAULT before anything else in dcerpc_alter_context_recv_handler()
via e767733 CVE-2015-5370: s4:librpc/rpc: make use of dcerpc_map_ack_reason() in dcerpc_bind_recv_handler()
via 9a3f045 CVE-2015-5370: s3:rpc_client: remove useless frag_length check in rpc_api_pipe_got_pdu()
via 665b874 CVE-2015-5370: s3:rpc_client: move AS/U hack to the top of cli_pipe_validate_current_pdu()
via 8266be4 CVE-2015-5370: librpc/rpc: add a dcerpc_verify_ncacn_packet_header() helper function
via 2240a39 CVE-2015-5370: s4:librpc/rpc: finally verify the server uses the expected auth_{type,level,context_id} values
via 0f7bb07 CVE-2015-5370: s4:librpc/rpc: avoid using dcecli_security->auth_info and use per request values
via 84d8692 CVE-2015-5370: s4:librpc/rpc: simplify checks if gensec is used in dcerpc_ship_next_request()
via e5a4d9a CVE-2015-5370: s4:librpc/rpc: avoid dereferencing sec->auth_info in dcerpc_request_prepare_vt()
via a20f132 CVE-2015-5370: s4:librpc/rpc: always use ncacn_pull_request_auth() for DCERPC_PKT_RESPONSE pdus
via 630dcb5 CVE-2015-5370: s4:librpc/rpc: avoid using c->security_state.auth_info in ncacn_pull_request_auth()
via 045e9b4 CVE-2015-5370: s4:librpc/rpc: avoid using hs->p->conn->security_state.auth_info in dcerpc_bh_auth_info()
via d61cd59 CVE-2015-5370: s4:librpc/rpc: use a local auth_info variable in ncacn_push_request_sign()
via 9153fc5 CVE-2015-5370: s4:librpc/rpc: use auth_context_id = 1
via b26aabe CVE-2015-5370: s4:librpc/rpc: maintain dcecli_security->auth_{type,level,context_id}
via d6c4dde CVE-2015-5370: s4:librpc/rpc: send a dcerpc_sec_verification_trailer if needed
via 2d2243c CVE-2015-5370: s3:librpc/rpc: don't call dcerpc_pull_auth_trailer() if auth_length is 0
via fce895b CVE-2015-5370: librpc/rpc: simplify and harden dcerpc_pull_auth_trailer()
via 17d9204 CVE-2015-5370: dcerpc.idl: add DCERPC_{NCACN_PAYLOAD,FRAG}_MAX_SIZE defines
via 416f383 CVE-2016-2118: s3:rpc_server/samr: allow _samr_ValidatePassword only with PRIVACY...
via 3410c21 CVE-2016-2118: s4:rpc_server/samr: allow _samr_ValidatePassword only with PRIVACY...
via 2b1f995 CVE-2016-2118: docs-xml: default "allow dcerpc auth level connect" to "no"
via d33cb24 CVE-2016-2118: s3:rpc_server/{epmapper,echo}: allow DCERPC_AUTH_LEVEL_CONNECT by default
via e34628f CVE-2016-2118: s3:rpc_server/{samr,lsa,netlogon}: reject DCERPC_AUTH_LEVEL_CONNECT by default
via f0b5e62 CVE-2016-2118: s3:rpc_server: make use of "allow dcerpc auth level connect"
via dbb5220 CVE-2016-2118: s4:rpc_server/rpcecho: allow DCERPC_AUTH_LEVEL_CONNECT by default
via dd32cfc CVE-2016-2118: s4:rpc_server/mgmt: allow DCERPC_AUTH_LEVEL_CONNECT by default
via b6e3f0c CVE-2016-2118: s4:rpc_server/epmapper: allow DCERPC_AUTH_LEVEL_CONNECT by default
via ee77128 CVE-2016-2118: s4:rpc_server/netlogon: reject DCERPC_AUTH_LEVEL_CONNECT by default
via bbc9a16 CVE-2016-2118: s4:rpc_server/samr: reject DCERPC_AUTH_LEVEL_CONNECT by default
via 5a9aa81 CVE-2016-2118: s4:rpc_server/lsa: reject DCERPC_AUTH_LEVEL_CONNECT by default
via 29ab0d9 CVE-2016-2118: s4:rpc_server: make use of "allow dcerpc auth level connect"
via db01cab CVE-2016-2118(<=4.3) docs-xml: add "allow dcerpc auth level connect" defaulting to "yes"
via ad99552 CVE-2016-2118: docs-xml: add "allow dcerpc auth level connect" defaulting to "yes"
via 7847ee8 CVE-2016-2118: s4:librpc: use integrity by default for authenticated binds
via 52aa7b6 CVE-2016-2118: librpc: change the default auth level from DCERPC_AUTH_LEVEL_CONNECT to DCERPC_AUTH_LEVEL_INTEGRITY
via dab41de CVE-2016-2118: s3: rpcclient: change the default auth level from DCERPC_AUTH_LEVEL_CONNECT to DCERPC_AUTH_LEVEL_INTEGRITY
via ddbcb11 CVE-2016-2118: s4:rpc_server/dnsserver: require at least DCERPC_AUTH_LEVEL_INTEGRITY
via 889162a CVE-2016-2118: python:tests/dcerpc: use [sign] for dnsserver tests
via 08ca648 CVE-2016-2118: s4:rpc_server/backupkey: require DCERPC_AUTH_LEVEL_PRIVACY
via 1f3708a CVE-2016-2118: s4:rpc_server/drsuapi: require DCERPC_AUTH_LEVEL_PRIVACY
via 1c06e92 CVE-2016-2118: s4:rpc_server: make it possible to define a min_auth_level on a presentation context
via 8ee232f CVE-2016-2115: docs-xml: always default "client ipc signing" to "mandatory"
via 27939fc CVE-2016-2115: s3:libsmb: use SMB_SIGNING_IPC_DEFAULT and lp_client_ipc_{min,max}_protocol()
via 54c9e0d CVE-2016-2115: s3:libnet: use SMB_SIGNING_IPC_DEFAULT
via bf4259a CVE-2016-2115: s3:auth_domain: use SMB_SIGNING_IPC_DEFAULT
via ba52792 CVE-2016-2115: s3:lib/netapi: use SMB_SIGNING_IPC_DEFAULT
via 7790d38 CVE-2016-2115: net: use SMB_SIGNING_IPC_DEFAULT
via 15417d6 CVE-2016-2115: s3:libsmb: let SMB_SIGNING_IPC_DEFAULT use "client ipc min/max protocol"
via 95e334b CVE-2016-2115: s3:libsmb: add signing constant SMB_SIGNING_IPC_DEFAULT
via 2e3bcb7 CVE-2016-2115: s3:winbindd: use lp_client_ipc_signing()
via 7f4be89 CVE-2016-2115: s3:winbindd: use lp_client_ipc_{min,max}_protocol()
via b7ea999 CVE-2016-2115: s4:librpc/rpc: make use of "client ipc *" options for ncacn_np
via 1c24db6 CVE-2016-2115: s4:libcli/raw: pass the minprotocol to smb_raw_negotiate*()
via 1afcdaa CVE-2016-2115: s4:libcli/raw: limit maxprotocol to NT1 in smb_raw_negotiate*()
via a8dc7d6 CVE-2016-2115: s4:libcli/smb2: use the configured min_protocol
via 543b97d CVE-2016-2115: s4:libcli/raw: add smbcli_options.min_protocol
via 32d1130 CVE-2016-2115(<=4.3): docs-xml: add "client ipc signing" option
via d5d1d63 CVE-2016-2115: docs-xml: add "client ipc signing" option
via 7c7f42f CVE-2016-2115(<=4.3): docs-xml: add "client ipc min protocol" and "client ipc max protocol" options
via 4eefd40 CVE-2016-2115: docs-xml: add "client ipc min protocol" and "client ipc max protocol" options
via 5fb616a CVE-2016-2114: docs-xml: let the "smb signing" documentation reflect the reality
via a6ab8e7 CVE-2016-2114: s3:smbd: enforce "server signing = mandatory"
via dfffc46 CVE-2016-2114: libcli/smb: let mandatory signing imply allowed signing
via 87d7973 CVE-2016-2114: s3:smbd: use the correct default values for "smb signing"
via 141d4ac CVE-2016-2114: s4:smb2_server: fix session setup with required signing
via ae4b827 CVE-2016-2113: docs-xml: let "tls verify peer" default to "as_strict_as_possible"
via dcf61e4 CVE-2016-2113: selftest: use "tls verify peer = no_check"
via 64f8f67 CVE-2016-2113: selftest: test all "tls verify peer" combinations with ldaps
via 95da9fc CVE-2016-2113: s4:librpc/rpc: verify the rpc_proxy certificate and hostname if configured
via 3a73092 CVE-2016-2113: s4:libcli/ldap: verify the server certificate and hostname if configured
via da2065e CVE-2016-2113: s4:selftest: explicitly use '--option="tlsverifypeer=no_check" for some ldaps tests
via d2d2236 CVE-2016-2113(<=4.3): docs-xml: add "tls verify peer" option defaulting to "no_check"
via f3d752f CVE-2016-2113: docs-xml: add "tls verify peer" option defaulting to "no_check"
via b8c5862 CVE-2016-2113: s4:lib/tls: implement infrastructure to do peer verification
via 1c25d638a CVE-2016-2113: s4:lib/tls: create better certificates and sign the host cert with the ca cert
via 0a1d2b4 CVE-2016-2112: docs-xml: change the default of "ldap server require strong auth" to "yes"
via 16472fc CVE-2016-2112: s4:selftest: run some ldap test against ad_dc_ntvfs, fl2008r2dc and fl2003dc
via ded3595 CVE-2016-2112: selftest: servers with explicit "ldap server require strong auth" options
via 59c4273 CVE-2016-2112: s4:selftest: run samba4.ldap.bind against fl2008r2dc
via 5a5bede CVE-2016-2112: s4:ldap_server: implement "ldap server require strong auth" option
via 2612783 CVE-2016-2112(<=4.3): docs-xml: add "ldap server require strong auth" option
via efd47e4 CVE-2016-2112: docs-xml: add "ldap server require strong auth" option
via 5a26043 CVE-2016-2112: s4:ldap_server: reduce scope of old_session_info variable
via 6256822 CVE-2016-2112: s4:selftest: use --option=clientldapsaslwrapping=plain for plain connections
via f8c3a46 CVE-2016-2112: s4:libcli/ldap: auto upgrade to SIGN after STRONG_AUTH_REQUIRED
via 190de2d CVE-2016-2112: s4:libcli/ldap: make sure we detect downgrade attacks
via 8e63804 CVE-2016-2112: s4:libcli/ldap: honour "client ldap sasl wrapping" option
via 799557f CVE-2016-2112: s3:libads: make sure we detect downgrade attacks
via 531c5aa CVE-2016-2111: docs-xml/smbdotconf: default "raw NTLMv2 auth" to "no"
via 9d6ffb3 CVE-2016-2111: selftest:Samba3: use "raw NTLMv2 auth = yes" for nt4_dc
via 2ee2de4 CVE-2016-2111: s4:smb_server: implement "raw NTLMv2 auth" checks
via f5e066c CVE-2016-2111: s3:auth: implement "raw NTLMv2 auth" checks
via 270f04c CVE-2016-2111(<=4.3): docs-xml: add "raw NTLMv2 auth" defaulting to "yes"
via b0c0ffe CVE-2016-2111: docs-xml: add "raw NTLMv2 auth" defaulting to "yes"
via 9b983ae CVE-2016-2111: docs-xml: document the new "client NTLMv2 auth" and "client use spnego" interaction
via 1e35c14 CVE-2016-2111: s3:libsmb: don't send a raw NTLMv2 response when we want to use spnego
via 2608fb3 CVE-2016-2111: s4:libcli: don't send a raw NTLMv2 response when we want to use spnego
via 9f39d0f CVE-2016-2111: s4:param: use "client use spnego" to initialize options->use_spnego
via 7188b6a CVE-2016-2111: s4:libcli: don't allow the LANMAN2 session setup without "client lanman auth = yes"
via b1bcc58 CVE-2016-2111: s4:torture/base: don't use ntlmv2 for dos connection in base.samba3error
via ba33643 CVE-2016-2111: s4:torture/raw: don't use ntlmv2 for dos connection in raw.samba3badpath
via c741e86 CVE-2016-2111: s3:rpc_server/netlogon: check NTLMv2_RESPONSE values for SEC_CHAN_WKSTA
via 9aae9b11 CVE-2016-2111: s4:rpc_server/netlogon: check NTLMv2_RESPONSE values for SEC_CHAN_WKSTA
via 610229e CVE-2016-2111: libcli/auth: add NTLMv2_RESPONSE_verify_netlogon_creds() helper function
via eafd2ce CVE-2016-2111: s4:torture/rpc: fix rpc.pac ntlmv2 test
via 7f74142 CVE-2016-2111: s4:torture/rpc: fix rpc.samba3.netlogon ntlmv2 test
via 96e93b8 CVE-2016-2111: s3:rpc_server/netlogon: require DCERPC_AUTH_LEVEL_PRIVACY for validation level 6
via 40397d1 CVE-2016-2111: s4:rpc_server/netlogon: require DCERPC_AUTH_LEVEL_PRIVACY for validation level 6
via fec6dae CVE-2016-2111: s3:rpc_server/netlogon: always go through netr_creds_server_step_check()
via 98c1677 CVE-2016-2111: s4:rpc_server: implement 'server schannel = yes' restriction
via fd1c98f CVE-2016-2111: auth/gensec: correctly report GENSEC_FEATURE_{SIGN,SEAL} in schannel_have_feature()
via 2e11c70 CVE-2016-2111: auth/gensec: require DCERPC_AUTH_LEVEL_INTEGRITY or higher in schannel_update()
via 280a371 CVE-2016-2110: auth/ntlmssp: implement new_spnego support including MIC generation (as client)
via 65bd884 CVE-2016-2110(<=4.2): auth/ntlmssp: implement new_spnego support including MIC checking (as server)
via 48b24ce CVE-2016-2110: auth/ntlmssp: implement new_spnego support including MIC checking (as server)
via bb90457 CVE-2016-2110: ntlmssp.idl: add NTLMSSP_MIC_{OFFSET,SIZE}
via 530f0d1 CVE-2016-2110: libcli/auth: pass server_timestamp to SMBNTLMv2encrypt_hash()
via 741c532 CVE-2016-2110(<=4.2): auth/credentials: pass server_timestamp to cli_credentials_get_ntlm_response()
via 76318d5 CVE-2016-2110: auth/credentials: pass server_timestamp to cli_credentials_get_ntlm_response()
via 3d783b7 CVE-2016-2110: auth/credentials: clear the LMv2 key for NTLMv2 in cli_credentials_get_ntlm_response()
via 3a8334d CVE-2016-2110: auth/ntlmssp: implement gensec_ntlmssp_may_reset_crypto()
via 22bf4ed CVE-2016-2110: auth/ntlmssp: call ntlmssp_sign_init if we provide GENSEC_FEATURE_SIGN
via 2e35e39 CVE-2016-2110: auth/gensec: add gensec_may_reset_crypto() infrastructure
via 65deaae CVE-2016-2110: auth/gensec: require spnego mechListMIC exchange for new_spnego backends
via 639bd4d CVE-2016-2110: auth/gensec: fix the client side of a spnego downgrade
via 0489a58 CVE-2016-2110: auth/gensec: fix the client side of a new_spnego exchange
via a98f718 CVE-2016-2110: libcli/auth: add SPNEGO_REQUEST_MIC to enum spnego_negResult
via c528a17 CVE-2016-2110: libcli/auth: use enum spnego_negResult instead of uint8_t
via e073b53 CVE-2016-2110: winbindd: add new_spnego to the WINBINDD_CCACHE_NTLMAUTH response
via 3c07679 CVE-2016-2110: auth/ntlmssp: let gensec_ntlmssp_client_start require NTLM2 (EXTENDED_SESSIONSECURITY) when using ntlmv2
via 9c171a5 CVE-2016-2110: auth/ntlmssp: let gensec_ntlmssp_client_start require flags depending on the requested features
via f78d549 CVE-2016-2110: auth/ntlmssp: don't let ntlmssp_handle_neg_flags() change ntlmssp_state->use_ntlmv2
via 332d580 CVE-2016-2110: auth/ntlmssp: don't allow a downgrade from NTLMv2 to LM_AUTH
via b7d6410 CVE-2016-2110: auth/ntlmssp: split allow_lm_response from allow_lm_key
via 2c6474b CVE-2016-2110: auth/ntlmssp: maintain conf_flags and required_flags variables
via f789325 CVE-2016-2110: auth/ntlmssp: let ntlmssp_handle_neg_flags() return NTSTATUS
via 8dcd3cb CVE-2016-2110(<=4.2): s4:winbind: implement the WBFLAG_BIG_NTLMV2_BLOB flag
via 8cd4741 s3:ntlm_auth: pass manage_squid_request() needs a valid struct ntlm_auth_state from within get_password()
via d1ebe5b s3:rpc_server/samr: correctly handle session_extract_session_key() failures
via 9981c0b s4:selftest: run rpc.netlogon.admin also over ncalrpc and ncacn_ip_tcp
via 6138f8b libads: Fix CID 1356316 Uninitialized pointer read
via 1993e69 libsmb: Fix CID 1356312 Explicit null dereferenced
via 6891eeb s3-auth: check for return code of cli_credentials_set_machine_account().
via 62f4ee1 s4-smb_server: check for return code of cli_credentials_set_machine_account().
via 3447148 s4:rpc_server: require access to the machine account credentials
via cceb49a auth/gensec: split out a gensec_verify_dcerpc_auth_level() function
via 2b442ce auth/gensec: make sure gensec_security_by_auth_type() returns NULL for AUTH_TYPE_NONE
via 592baac s4:torture/rpc/schannel: don't use validation level 6 without privacy
via 89298e5 s4:torture/rpc: correctly use torture_skip() for test_ManyGetDCName() without NCACN_NP
via e80d4f9 s4:torture/rpc/samlogon: use DCERPC_SEAL for netr_LogonSamLogonEx and validation level 6
via 93863b8 s4:torture/rpc/samr: use DCERPC_SEAL in setup_schannel_netlogon_pipe()
via 2d70e9f s4:torture/netlogon: add/use test_SetupCredentialsPipe() helper function
via 9be91a7 s3:test_rpcclient_samlogon.sh: test samlogon with schannel
via 5e8f48b s3:selftest: rpc.samr.passwords.validate should run with [seal] in order to be realistic
via 1838e168 selftest: setup information of new samba.example.com CA in the client environment
via f40bc59 selftest: set tls crlfile if it exist
via 9452268 selftest: use Samba::prepare_keyblobs() and use the certs from the new CA
via 8b14e45 selftest: add Samba::prepare_keyblobs() helper function
via d93ff57 selftest: mark commands in manage-CA-samba.example.com.sh as DONE
via 9030298 selftest: add CA-samba.example.com (non-binary) files
via 44b5d2d selftest: add config and script to create a samba.example.com CA
via 61e6ca8 selftest: add some helper scripts to mange a CA
via 66df1ed selftest: s!plugindc.samba.example.com!plugindom.samba.example.com!
via ad389f1 s4:rpc_server: dcesrv_generic_session_key should only work on local transports
via 8f0d8f4 s4:rpc_server/samr: hide a possible NO_USER_SESSION_KEY error
via a99a012 s4:librpc/rpc: dcerpc_generic_session_key() should only be available on local transports
via fc5c623 s4:torture:samba3rpc: use an authenticated SMB connection and an anonymous DCERPC connection on top
via 3393d9b s4:selftest: run rpc.samr over ncacn_np instead of ncacn_ip_tcp
via 6ae0007 s4:torture: the backupkey tests need to use ncacn_np: for LSA calls
via 1989639 s4:torture/rpc: do testjoin only via ncalrpc or ncacn_np
via 54dd7b7 s3:libsmb: remove unused functions in clispnego.c
via 28c23bd s3:libsmb: remove unused cli_session_setup_kerberos*() functions
via 1dd4e36 s3:libsmb: make use of cli_session_setup_gensec*() for Kerberos
via ac680c1 s3:libsmb: call cli_state_remote_realm() within cli_session_setup_spnego_send()
via 68a32f1 s3:libsmb: provide generic cli_session_setup_gensec_send/recv() pair
via 80c665b s3:libsmb: let cli_session_setup_ntlmssp*() use gensec_update_send/recv()
via d9c89a5 s3:libsmb: unused ntlmssp.c
via db624e4 s3:libsmb: make use gensec based SPNEGO/NTLMSSP
via a427633 s3:libads: make use of ads_sasl_spnego_gensec_bind() for GSS-SPNEGO with Kerberos
via 24a5cf6 s3:libads: keep service and hostname separately in ads_service_principal
via d4369e3 s3:libads: don't pass given_principal to ads_generate_service_principal() anymore.
via a1476b9 s3:libads: provide a generic ads_sasl_spnego_gensec_bind() function
via 8c9308c s3:libads: make use of GENSEC_OID_SPNEGO in ads_sasl_spnego_ntlmssp_bind()
via 8368d9d s3:libads: make use of GENSEC_FEATURE_LDAP_STYLE
via e5ca0c6 s3:libads: add missing TALLOC_FREE(frame) in error path
via 3fd5063 s4:ldap_server: make use of GENSEC_FEATURE_LDAP_STYLE
via 083682b s4:selftest: simplify the loops over samba4.ldb.ldap
via 04a81c9 s4:selftest: we don't need to run ldap test with --option=socket:testnonblock=true
via a2c24e2 s4:libcli/ldap: fix retry authentication after a bad password
via c531695 s4:libcli/ldap: make use of GENSEC_FEATURE_LDAP_STYLE
via 4a3c66d auth/ntlmssp: remove ntlmssp_unwrap() fallback for LDAP
via 1e19d98 auth/ntlmssp: add more compat for GENSEC_FEATURE_LDAP_STYLE
via c4b08fb auth/ntlmssp: implement GENSEC_FEATURE_LDAP_STYLE
via b63aa96 auth/gensec: add GENSEC_FEATURE_LDAP_STYLE define
via 679b2c4 auth/ntlmssp: use ndr_push_AV_PAIR_LIST in gensec_ntlmssp_server_negotiate().
via f2600f5 librpc/ndr: add ndr_ntlmssp_find_av() helper function
via 7c7ee91 ntlmssp.idl: make AV_PAIR_LIST public
via 9176107 ntlmssp.idl: MsAvRestrictions is MsvAvSingleHost now
via 4222e9b security.idl: add LSAP_TOKEN_INFO_INTEGRITY
via a7243e3 auth/ntlmssp: use ntlmssp_version_blob() in the server
via 1526b7e auth/ntlmssp: let the client always include NTLMSSP_NEGOTIATE_VERSION
via 4f261d9 auth/ntlmssp: add ntlmssp_version_blob()
via e81031b auth/ntlmssp: don't send domain and workstation in the NEGOTIATE_MESSAGE
via d2b612d auth/ntlmssp: set NTLMSSP_ANONYMOUS for anonymous authentication
via e487dba auth/ntlmssp: define all client neg_flags in gensec_ntlmssp_client_start()
via 7b39ef9 auth/ntlmssp: NTLMSSP_NEGOTIATE_VERSION is not a negotiated option
via 7b20770 auth/ntlmssp: split out a debug_ntlmssp_flags_raw() that's more complete
via 9cfc310 s3:ntlm_auth: also use gensec for "ntlmssp-client-1" and "gss-spnego-client"
via 637f37b winbindd: make use of ntlmssp_resume_ccache backend for WINBINDD_CCACHE_NTLMAUTH
via 53f6f3d s3:auth_generic: add "ntlmssp_resume_ccache" backend in auth_generic_client_prepare()
via c5a25e8 auth/ntlmssp: implement GENSEC_FEATURE_NTLM_CCACHE
via 653742d auth/gensec: add GENSEC_FEATURE_NTLM_CCACHE define
via 0ece92e auth/ntlmssp: provide a "ntlmssp_resume_ccache" backend
via b3873ba s3:ntlmssp: remove unused libsmb/ntlmssp_wrap.c
via 1742cec s3:auth_generic: make use of the top level NTLMSSP client code
via bdbcffc winbindd: pass an memory context to do_ntlm_auth_with_stored_pw()
via 23b65d6 s3:tests/test_ntlm_auth_s3: test ntlmssp-client-1 with cached credentials
via bf52fad selftest/knownfail: s4-winbind doesn't support cached ntlm credentials
via b981475 s3:torture/test_ntlm_auth.py: add --client-use-cached-creds option
via 77d9b8c s3:torture/test_ntlm_auth.py: replace tabs with whitespaces
via dd2a2b7 s3:ntlm_auth: fix --use-cached-creds with ntlmssp-client-1
via 8acba3b auth/ntlmssp: add gensec_ntlmssp_server_domain()
via c6cbac8 auth/ntlmssp: keep ntlmssp_state->server.netbios_domain on the correct talloc context
via 0dd1f05 s3:auth_generic: add auth_generic_client_start_by_sasl()
via 7b92239 s3:auth_generic: add auth_generic_client_start_by_name()
via 933ca54 auth/gensec: make gensec_security_by_name() public
via 66b2e5d auth/gensec: handle gensec_security_by_sasl_name(NULL, ...)
via 3b0fc77 auth/gensec: keep a pointer to a possible child/sub gensec_security context
via 744e043 s4:pygensec: make sig_size() and sign/check_packet() available
via 3353447 s3:librpc/gse: implement gensec_gse_max_{input,wrapped}_size()
via c1f6fe4 s3:librpc/gse: don't log gss_acquire_creds failed at level 0
via ac9a891 s3:librpc/gse: correctly support GENSEC_FEATURE_SESSION_KEY
via a881c5f s3:librpc/gse: set GSS_KRB5_CRED_NO_CI_FLAGS_X in gse_init_client() if available
via 3b4608c s3:librpc/gse: fix debug message in gse_init_client()
via 41ca435 s3:librpc/gse: make use of GSS_C_EMPTY_BUFFER in gse_init_client
via b8fd2d0 wscript_configure_system_mitkrb5: add configure checks for GSS_KRB5_CRED_NO_CI_FLAGS_X
via ff2a6f6 s3:libads: remove unused ads_connect_gc()
via 9b4eabb s4:librpc/rpc: map alter context SEC_PKG_ERROR to NT_STATUS_LOGON_FAILURE
via ebc2711 librpc/rpc: add error mappings for NO_CALL_ACTIVE, OUT_OF_RESOURCES and BAD_STUB_DATA
via 4d7fdf1 dcerpc.idl: make WERROR RPC faults available in ndr_print output
via 8104a49 epmapper.idl: make epm_twr_t available in python bindings
via 7e1a935 s3:selftest: run samba3.blackbox.smbclient_auth.plain also with $SERVER_IPV6
via 5e4be46 s3:test_smbclient_auth.sh: test using the ip address in the unc path (incl. ipv6-literal.net)
via cf4f1bc lib/util_net: add support for .ipv6-literal.net
via 76d4d9d lib/util_net: move ipv6 linklocal handling into interpret_string_addr_internal()
via 84e3a91 spnego: Correctly check asn1_tag_remaining retval
via 9ac8373 s4:torture/ntlmssp fix a compiler warning
via 3dd652e s4-torture: flesh out ntlmssp_AUTHENTICATE_MESSAGE_check().
via 7d30bb7 s4-torture: add ndr pullpush validation for NTLMSSP CHALLENGE and AUTHENTICATE messages.
via ca3f4c3 s4-torture: flesh out ntlmssp_CHALLENGE_MESSAGE_check().
via cc6803d s4-torture: activate testing of CHALLENGE and AUTHENTICATE ntlmssp messages.
via 8a09a9e s4-torture: fill in ntlmssp_NEGOTIATE_MESSAGE_check().
via 31ec805 ntlmssp: when pulling messages it is important to clear memory first.
via c0f4c95 ntlmssp: properly document version defines in IDL (from MS-NLMP).
via 5bcd766 ntlmssp: fix copy/paste typo in CHALLENGE_MESSAGE in IDL.
via 0973458 ntlmssp: add some missing defines from MS-NLMP to our IDL.
via 0a6405f tls: increase Diffie-Hellman group size to 2048 bits
via 88c76da s3:pam_smbpass: remove unused dependency to LIBNTLMSSP
via 2c5ba35 s3:clispnego: fix confusing warning in spnego_gen_krb5_wrap()
via 2057efc s3: smbclient: asn1_extract_blob() stops further asn1 processing by setting has_error.
via 53988ca asn1: Make 'struct asn1_data' private
via d91415e asn1: Remove a reference to asn1_data internals
via 17d663a libcli: Remove a reference to asn1->ofs
via f7ea845 lib: Use asn1_current_ofs()
via f6a2ad0 asn1: Add asn1_current_ofs()
via 9e65ef3 lib: Use asn1_has_nesting
via 12396cf asn1: Add asn1_has_nesting
via 79280a3 lib: Use asn1_extract_blob()
via 2a8a339 asn1: Add asn1_extract_blob()
via 9c520e9 lib: Use asn1_set_error()
via a8b03c4 asn1: Add asn1_set_error()
via 3aba426 lib: Use asn1_has_error()
via 9d86ce3 asn1: Add asn1_has_error()
via afbef75 asn1: Make "struct nesting" private
via 6eca81c asn1: Add some early returns
via 165e6ff asn1: Add overflow check to asn1_write
via afd0849 asn1: Make asn1_peek_full_tag return 0/errno
via 8a8d380 asn1: Remove an unused asn1 function
via 7d64f42 Prevent a crash in Python modules that try to authenticate by ensuring we reject cases where credendials fields are not intialized.
via d2bf0f7 s4:rpc_server: pass the remote address to gensec_set_remote_address()
via 810817f lib/util: globally include herrors in error.h
via fc0df96 s4:selftest: run rpc.netlogon.admin against also ad_dc
via c8a3e03 lib/tls: Change default supported TLS versions.
via 839452e lib/tls: Add new 'tls priority' option
via 986b2a6 docs: Explain that winbindd enforces smb signing by default.
via c4f578f torture: Free the temporary memory context
via 6775efd torture: Correctly invalidate the memory ccache.
via 618bf77 torture: Fix the usage of the MEMORY credential cache.
via 16343ed Convert all uses of uint32/16/8 to _t in source3/rpc_client.
via f0dcb43 Convert all uses of uint32/16/8 to _t in source3/rpc_server.
via c685323 rpc_server: Fix CID 1035535 Uninitialized scalar variable
via 2426e5d rpc_server: Fix CID 1035534 Uninitialized scalar variable
via 73d868b libsmb: Print the principal name that we failed to kinit for.
via b99e5ba Convert all uint32/16/8 to _t in source3/libsmb.
via 235da54 Convert all uses of uint8/16/32 to uint8/16/32_t in the libads code.
via c892540 security.idl: add KERB_ENCTYPE_{FAST_SUPPORTED,COMPOUND_IDENTITY_SUPPORTED,CLAIMS_SUPPORTED,RESOURCE_SID_COMPRESSION_DISABLED}
via ecba7a9 s4:gensec/gssapi: make use of add gssapi_get_sig_size() and gssapi_{seal,unseal,sign,check}_packet() helper functions
via 2cdcb2c s3:librpc/gse: make use of add gssapi_get_sig_size() and gssapi_{seal,unseal,sign,check}_packet() helper functions
via c227eb6 auth/kerberos: add gssapi_get_sig_size() and gssapi_{seal,unseal,sign,check}_packet() helper functions
via bbff988 heimdal:lib/gssapi/krb5: implement gss_[un]wrap_iov[_length] with arcfour-hmac-md5
via 59986c3 heimdal:lib/gssapi/krb5: split out a arcfour_mic_cksum_iov() function
via 075ec8f heimdal:lib/gssapi/krb5: add const to arcfour_mic_key()
via 4640ada heimdal:lib/gssapi/krb5: clear temporary buffer with cleartext data.
via f222d62 heimdal:lib/gssapi/krb5: fix indentation in _gk_wrap_iov()
via e84d1f0 heimdal:lib/gssapi/krb5: make _gssapi_verify_pad() more robust
via bbc7426 dcerpc.idl: fix calculatin of uint16 secondary_address_size;
via c8342ed s4:pyrpc: remove pointless alter_context() method
via e2acb2e python:samba/tests: don't use the x.alter_context() method in dcerpc/bare.py
via 320bfd5 s4:torture/rpc: expect NT_STATUS_CONNECTION_DISCONNECTED in torture_rpc_alter_context()
via 8688510 s4:torture/rpc: expect NT_STATUS_CONNECTION_DISCONNECTED when a dcerpc connection is not connected
via 7a68f81 libcli/smb: let tstream_smbXcli_np report connection errors as EPIPE instead of EIO
via e5135c2 s3:winbindd: use check dcerpc_binding_handle_is_connected() instead of a specific status
via 505c31e python/samba/tests: let the output of hexdump() match our C code in dump_data_cb()
via 5235af3 python/samba/tests: move hexdump() from DNSTest to TestCase
via ac466c7 python/samba/tests: add fallbacks for assert{Less,Greater}[Equal]()
via 7427812 Implement TestCase.assertIsNotNone for python < 2.7.
via f994c97 Implement TestCase.assertIn for older versions of Python.
via 478d84c Implement assertIsNone for Python < 2.7.
via 8abd8be Handle skips when running on python2.6.
via 44f45c3 Run cleanup after tearDown, for consistency with Python >= 2.7.
via 17cbd88 Use samba TestCase so we get all compatibility functions on Python < 2.7.
via f4b7a42 Provide TestCase.assertIsInstance for python < 2.7.
via 01b5c10 Use Samba TestCase class, as the python 2.6 one doesn't have assertIs, assertIsInstance or addCleanup.
via cc1b47c Add replacement addCleanup.
via 72a7db4 Add custom implementations of TestCase.assertIs and TestCase.assertIsNot, for Python2.6.
via 5cc22fb Fix use of TestCase.skipTest on python2.6 now that we no longer use testtools.
via d82a560 selftest/tests/*.py: remove use of testtools.
via 775c1df Rename TestSkipped to Skiptest, consistent with Python 2.7.
via 2dbf2f2 Avoid importing TestCase and TestSkipped from testtools.
via f8e78f9 s4-dsdb-test: Implement samdb_connect_env() to rely solely on environment
via 858b4bd s4-tests: Print out what the error is in delete_force()
via 2b8a89c python/samba/tests: don't lower case path names in connect_samdb()
via e28c482 s4-tests/env_loadparm: Throw KeyError in case SMB_CONF_PATH
via 427f202 Reduce number of places where sys.path is (possibly) updated for external module paths.
via 417807e librpc/ndr: make use of dump_data_cb() in ndr_dump_data()
via d8bd1cb lib/util: fix output format in dump_data*()
via 6c5078c s4:pyrpc: add base.bind_time_features_syntax(features)
via d0ce818 librpc/rpc: add dcerpc_[extract|construct]_bind_time_features()
via 1e2d23d librpc/rpc: add dcerpc_fault_from_nt_status()
via 008d25b librpc/rpc: add faultcode to nt_status mappings
via 9dddf6a midltests: add valid/midltests_DRS_EXTENSIONS.*
via 0ef2b7a auth/credentials: anonymous should not try to use kerberos
via b1174ad s3:ntlm_auth: don't start gensec backend twice
via 6e50231 auth/gensec: remove unused gensec_[un]wrap_packets() hooks
via 941abd1 s4:auth/gensec: remove unused gensec_socket_init()
via 58789c5 s4:auth/gensec: remove unused include of lib/socket/socket.h
via 6bf16fc s4:auth/gensec: remove unused and untested cyrus_sasl module
via 53c92ba s4:libcli/ldap: conversion to tstream
via b8405b3 s4:lib/tls: ignore non-existing ca and crl files in tstream_tls_params_client()
via fa70808 s4:lib/tls: fix tstream_tls_connect_send() define
via e6f746e s3:libads/sasl: use gensec_max_{input,wrapped}_size() in ads_sasl_spnego_ntlmssp_bind
via c14fa4d s4:gensec/gssapi: make calculation of gensec_gssapi_sig_size() for aes keys more clear
via 6b4479b s4:gensec/gssapi: use gensec_gssapi_max_{input,wrapped}_size() for all backends
via 26405f1 auth/credentials: use HAVE_GSS_KRB5_CRED_NO_CI_FLAGS_X instead of SAMBA4_USES_HEIMDAL
via 39431e5 s4:heimdal_build: define HAVE_GSS_KRB5_CRED_NO_CI_FLAGS_X
via 983b0ea gensec: map KRB5KRB_AP_ERR_BAD_INTEGRITY to logon failure.
via 8e597a7 s4-gensec: Check if we have delegated credentials.
via 7e7bfe1 s4:auth/gensec_gssapi: remove allow_warnings=True
via 7bc4888 auth/kerberos: remove allow_warnings=True
via 1b04d32 auth/kerberos: avoid compiler warnings
via 4c5fe20 s4:lib/tls: remove allow_warnings=True
via 0d4412a s4:lib/tls: add tls_cert_generate() prototype to tls.h
via 4f3e283 s4:auth/gensec_gssapi: remove compiler warnings
via 3c7f303 VERSION: Bump version up to 4.2.10...
from c0aa427 VERSION: Disable git snapshots for the 4.2.9 release.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-2-stable
- Log -----------------------------------------------------------------
commit cdf4f21e282599fc2b00d8d4ff38d92b4af1fd0b
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Apr 11 09:20:37 2016 +0200
VERSION: Disable git snapshots for the 4.2.11 release.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit aada3ea25fca8cc6367ba67c34acdb04e1b6727e
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Apr 11 09:16:44 2016 +0200
WHATSNEW: Add release notes for Samba 4.2.11.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11744
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Michael Adam <obnox at samba.org>
commit 96331b20e36350056ffb9f52570c3ec7558e4c77
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Apr 8 10:05:38 2016 +0200
s3:libads: sasl wrapped LDAP connections against with kerberos and arcfour-hmac-md5
This fixes a regression in commit 2cb07ba50decdfd6d08271cd2b3d893ff95f5af9
(s3:libads: make use of ads_sasl_spnego_gensec_bind() for GSS-SPNEGO with Kerberos)
that prevents things like 'net ads join' from working against a Windows 2003 domain.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit cb48e70716705d1e3d9f940a48c42a22d2f01ff9
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Apr 8 13:57:51 2016 +0200
VERSION: Bump version up to 4.2.11...
and re-enable git snapshots.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit 343f384dd39bf05867461fde4c79167604d99f98
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Mar 29 00:36:56 2016 +0200
VERSION: Disable git snapshots for the 4.2.10 release.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit 5f0e4f1bcef5805849383fe1fec2bab4d8a6d541
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Mar 29 00:26:48 2016 +0200
WHATSNEW: Add release notes for Samba 4.2.10.
o CVE-2015-5370 (Multiple errors in DCE-RPC code)
o CVE-2016-2110 (Man in the middle attacks possible with NTLMSSP)
o CVE-2016-2111 (NETLOGON Spoofing Vulnerability)
o CVE-2016-2112 (LDAP client and server don't enforce integrity)
o CVE-2016-2113 (Missing TLS certificate validation)
o CVE-2016-2114 ("server signing = mandatory" not enforced)
o CVE-2016-2115 (SMB IPC traffic is not integrity protected)
o CVE-2016-2118 (SAMR and LSA man in the middle attacks possible)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11744
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit b065ce641b13864eb651ff175e94304a434bd15d
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 26 21:05:53 2015 +0200
CVE-2015-5370: s4:selftest: run samba.tests.dcerpc.raw_protocol against plugin_s4_dc
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 88e9a0a3d5e4fe2f066eee266df486af592d7672
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Mar 26 22:42:19 2014 +0100
CVE-2015-5370: python/samba/tests: add some dcerpc raw_protocol tests
These are independent from our client library and allow
testing of invalid pdus.
It can be used like this in standalone mode:
SMB_CONF_PATH=/dev/null SERVER=172.31.9.188 python/samba/tests/dcerpc/raw_protocol.py
or
SMB_CONF_PATH=/dev/null SERVER=172.31.9.188 python/samba/tests/dcerpc/raw_protocol.py -v -f TestDCERPC_BIND.test_invalid_auth_noctx
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit df411cbdb4a83443b03efa102ff46ad8043ed985
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Mar 26 22:42:19 2014 +0100
CVE-2015-5370: python/samba/tests: add infrastructure to do raw protocol tests for DCERPC
These are independent from our client library and allow
testing of invalid pdus.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit 284894c5bfed552a9f58dc77d4ab44ea2ff12c38
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Dec 22 21:13:41 2015 +0100
CVE-2015-5370: s4:librpc/rpc: call dcerpc_connection_dead() on protocol errors
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 024d3b263a2879cee4fb7794d70f253c948cc043
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Dec 22 21:23:14 2015 +0100
CVE-2015-5370: s3:rpc_client: disconnect connection on protocol errors
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 8e0b06a895002842fa7516d5e0364f0fbca85a64
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Dec 23 11:05:45 2015 +0100
CVE-2015-5370: libcli/smb: use a max timeout of 1 second in tstream_smbXcli_np_destructor()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 3ef461d8304ee36184cd7a3963676eedff4ef1eb
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Jul 8 00:01:37 2015 +0200
CVE-2015-5370: s3:rpc_server: verify auth_context_id in api_pipe_{bind_auth3,alter_context}
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 93a0f92b8ebecb38f92d3b2c9a946b486ee91d3c
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jul 7 22:51:18 2015 +0200
CVE-2015-5370: s3:rpc_client: verify auth_context_id in rpc_pipe_bind_step_one_done()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 0cf3151c843e2c779b534743b455e630d89e2ba9
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Jul 8 00:01:37 2015 +0200
CVE-2015-5370: s3:librpc/rpc: verify auth_context_id in dcerpc_check_auth()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 61faaa63e7e610308c72ae4c41a5c7b5b7312685
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Jul 8 00:01:37 2015 +0200
CVE-2015-5370: s3:librpc/rpc: make use of auth->auth_context_id in dcerpc_add_auth_footer()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 2bc617293a5d8652e484af69660b3646f3d48690
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Jul 8 00:01:37 2015 +0200
CVE-2015-5370: s3:rpc_server: make use of pipe_auth_data->auth_context_id
This is better than using hardcoded values.
We need to use the value the client used in the BIND request.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit ae68d3f325c3880144b80385779c9445897646e6
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Jul 8 00:01:37 2015 +0200
CVE-2015-5370: s3:rpc_client: make use of pipe_auth_data->auth_context_id
This is better than using hardcoded values.
We need to use auth_context_id = 1 for authenticated
connections, as old Samba server (before this patchset)
will use a hardcoded value of 1.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit cbf20b43d7b40e3b6ccf044f6f51a5adff1f5e6d
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Jul 8 00:01:37 2015 +0200
CVE-2015-5370: s3:librpc/rpc: add auth_context_id to struct pipe_auth_data
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit f556d9245c13d018d4e772f06d013ebe558703d9
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Jul 8 00:01:37 2015 +0200
CVE-2015-5370: s3:rpc_client: pass struct pipe_auth_data to create_rpc_{bind_auth3,alter_context}()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit a995740d4e7fbd8fbb5c8c6280b73eaceae53574
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jul 7 13:05:01 2015 +0200
CVE-2015-5370: s3:rpc_server: don't allow an existing context to be changed in check_bind_req()
An alter context can't change the syntax of an existing context,
a new context_id will be used for that.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 9464684010461947fa98d8ee084069e9cf362625
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jul 7 13:05:01 2015 +0200
CVE-2015-5370: s3:rpc_server: check the transfer syntax in check_bind_req() first
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 02aef978ff8f16009a52c2d981d414d019bc8dd9
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Jul 11 10:58:07 2015 +0200
CVE-2015-5370: s3:librpc/rpc: remove unused dcerpc_pull_dcerpc_auth()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit d30363f08efb81b22055d4445977c96df3737adf
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Dec 23 12:38:55 2015 +0100
CVE-2015-5370: s3:rpc_server: use DCERPC_NCA_S_PROTO_ERROR FAULTs for protocol errors
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 8d97085efd8782e48d0f1162e3f56756acb99472
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Dec 23 12:38:55 2015 +0100
CVE-2015-5370: s3:rpc_server: let a failing BIND mark the connection as broken
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 664d7ace0e68b42d2de99583757e0a985647eb4b
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Dec 23 12:40:58 2015 +0100
CVE-2015-5370: s3:rpc_server: disconnect the connection after a fatal FAULT pdu
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit e39fdceb25fc75b6f8c77c097bf8dbd2f4286618
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jul 7 16:06:59 2015 +0200
CVE-2015-5370: s3:rpc_server: make use of dcerpc_verify_ncacn_packet_header() to verify incoming pdus
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 1e6b4abac14840e4cee1afc5d4811b0f0277eade
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jul 7 16:06:59 2015 +0200
CVE-2015-5370: s3:rpc_server: verify presentation context arrays
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit cdefee174d2f8920323e9e62966df4f4ced49ed3
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jul 7 16:06:59 2015 +0200
CVE-2015-5370: s3:rpc_server: use 'alter' instead of 'bind' for variables in api_pipe_alter_context()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 0239bfa562ee303c4ac204375b3c66ca287f6cb0
Author: Jeremy Allison <jra at samba.org>
Date: Tue Jul 7 09:15:39 2015 +0200
CVE-2015-5370: s3:rpc_server: ensure that the message ordering doesn't violate the spec
The first pdu is always a BIND.
REQUEST pdus are only allowed once the authentication
is finished.
A simple anonymous authentication is finished after the BIND.
Real authentication may need additional ALTER or AUTH3 exchanges.
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Jeremy Allison <jra at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 63d21d2546a1064be73582a499ec15b0e11e2708
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jul 7 13:05:01 2015 +0200
CVE-2015-5370: s3:rpc_server: make sure auth_level isn't changed by alter_context or auth3
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 8c96ef7b4fbd925607b26d351b14ad9a95febd88
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jul 14 16:18:45 2015 +0200
CVE-2015-5370: s3:rpc_server: let a failing auth3 mark the authentication as invalid
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 69280e6acef7c3941407d4308b659c5e90ed702d
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jul 7 13:05:01 2015 +0200
CVE-2015-5370: s3:rpc_server: don't allow auth3 if the authentication was already finished
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 25bf597124f217c55b5ca71a5ea9cb0ea83943e5
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jul 7 13:05:01 2015 +0200
CVE-2015-5370: s3:rpc_server: don't ignore failures of dcerpc_push_ncacn_packet()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit af2582e7e7c3858d303754f57ef4f0784c6ff223
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jul 7 13:05:01 2015 +0200
CVE-2015-5370: s3:rpc_server: just call pipe_auth_generic_bind() in api_pipe_bind_req()
pipe_auth_generic_bind() does all the required checks already
and an explicit DCERPC_AUTH_TYPE_NONE is not supported.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 189c0fbb7a3405f0893f23e5b8d755d259f98eaf
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Dec 23 12:38:55 2015 +0100
CVE-2015-5370: s3:rpc_server: let a failing sec_verification_trailer mark the connection as broken
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit 2a92546590a78760d2fe0e63067a3888dbce53be
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jul 7 13:05:01 2015 +0200
CVE-2015-5370: s3:rpc_server: make use of dcerpc_pull_auth_trailer() in api_pipe_{bind_req,alter_context,bind_auth3}()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit df51c22bea7fbf906613ceb160f16f298b2e3106
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jul 7 22:51:18 2015 +0200
CVE-2015-5370: s3:rpc_client: verify auth_{type,level} in rpc_pipe_bind_step_one_done()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 98182969e761429e577064e1a0fd5cbc6b50d7d9
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jul 10 14:48:38 2015 +0200
CVE-2015-5370: s3:rpc_client: protect rpc_api_pipe_got_pdu() against too large payloads
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 81bbffa14f5f6faa9801a3bf2d564d2762d49bb6
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jul 7 13:05:01 2015 +0200
CVE-2015-5370: s3:rpc_client: make use of dcerpc_verify_ncacn_packet_header() in cli_pipe_validate_current_pdu()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit acea87f158f02c3240abff45c3e54c7d5fa60b29
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jul 7 13:05:01 2015 +0200
CVE-2015-5370: s3:rpc_client: make use of dcerpc_pull_auth_trailer()
The does much more validation than dcerpc_pull_dcerpc_auth().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 19f489d32c03ff5fafd34fe86a075d782af1989a
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jul 9 07:59:24 2015 +0200
CVE-2015-5370: s3:librpc/rpc: let dcerpc_check_auth() auth_{type,level} against the expected values.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit df3cdf072d1c1e6fd0a58e0374348758f5c65a49
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jul 9 07:59:24 2015 +0200
CVE-2015-5370: s3:librpc/rpc: remove auth trailer and possible padding within dcerpc_check_auth()
This simplifies the callers a lot.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 1ed83c7657a3b405db1928db06c29f41d2738186
Author: Stefan Metzmacher <metze at samba.org>
Date: Sun Jun 28 01:19:57 2015 +0200
CVE-2015-5370: librpc/rpc: don't allow pkt->auth_length == 0 in dcerpc_pull_auth_trailer()
All callers should have already checked that.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 14a7db6363a12dd6a9c3ea931013a246ad5f66d7
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Jul 15 10:18:13 2015 +0200
CVE-2015-5370: s4:rpc_server: reject DCERPC_PFC_FLAG_PENDING_CANCEL with DCERPC_FAULT_NO_CALL_ACTIVE
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 71d1c9f78eca7f8109187fa830cfd568e2f7925e
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Jul 15 10:18:13 2015 +0200
CVE-2015-5370: s4:rpc_server: the assoc_group is relative to the connection (association)
All presentation contexts of a connection use the same association group.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit e6015492f522fc26d7322fb752184b3b48e9fb4a
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jul 17 05:01:26 2015 +0200
CVE-2015-5370: s4:rpc_server: only allow one fragmented call_id at a time
It's a protocol error if the client doesn't send all fragments of
a request in one go.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit fbf402cc76d8b4ab91b9e829ffa3c96bfff7fcb1
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Jun 29 14:18:09 2015 +0200
CVE-2015-5370: s4:rpc_server: limit allocation and alloc_hint to 4 MByte
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit dd8c942360eca5cae4720af415e30ffeee5a6877
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Jul 15 17:21:05 2015 +0200
CVE-2015-5370: s4:rpc_server: check frag_length for requests
Note this is not the negotiated fragment size, but a hardcoded maximum.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 74de5d8768eeafbf729fe35fff5cabbd49274130
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jul 10 13:55:27 2015 +0200
CVE-2015-5370: s4:rpc_server: give the correct reject reasons for invalid auth_level values
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 772ba3fbfe56002c80305b864f6efcd1226002c6
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 26 08:10:46 2015 +0200
CVE-2015-5370: s4:rpc_server: disconnect after a failing dcesrv_auth_request()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 9dd171fa441c1aa68d8ac09153c8a2974eac6790
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jul 14 16:18:45 2015 +0200
CVE-2015-5370: s4:rpc_server: let a failing auth3 mark the authentication as invalid
Following requests will generate a fault with ACCESS_DENIED.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit d5916e0f99a8f9ee048d1a48e2f69a1994ffbfcf
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 26 08:10:46 2015 +0200
CVE-2015-5370: s4:rpc_server: failing authentication should generate a SEC_PKG_ERROR
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 5ac7fc8b9a1c6a9701c4d2145099cf8963cdb5c4
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 26 08:10:46 2015 +0200
CVE-2015-5370: s4:rpc_server: fix the order of error checking in dcesrv_alter()
The basically matches Windows 2012R2, it's not 100%
but it's enough for our raw protocol tests to pass.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit b430b1fbb74dd980a5050a6152e4d930a8a508af
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 26 08:10:46 2015 +0200
CVE-2015-5370: s4:rpc_server: changing an existing presentation context via alter_context is a protocol error
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 0863c9595ad843f876c53c91bb8f44b8af68eb2c
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 26 08:10:46 2015 +0200
CVE-2015-5370: s4:rpc_server: don't derefence an empty ctx_list array in dcesrv_alter()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 9a527091486ef9dda9e754b1043e084113511597
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 26 08:10:46 2015 +0200
CVE-2015-5370: s4:rpc_server: remove pointless dcesrv_find_context() from dcesrv_bind()
BIND is the first pdu, which means the list of contexts is always empty.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 1da3379cc071fc3f7cede42ff45e41898a542241
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 26 08:10:46 2015 +0200
CVE-2015-5370: s4:rpc_server: let invalid request fragments disconnect the connection with a protocol error
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit b51da52c76ef8ee77ef1dcaa3bb21160d42adf25
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 26 08:10:46 2015 +0200
CVE-2015-5370: s4:rpc_server: make sure alter_context and auth3 can't change auth_{type,level,context_id}
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit eb3f8a5312c88ffed7a793340a1e3e86a876dc7e
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 26 08:10:46 2015 +0200
CVE-2015-5370: s4:rpc_server: maintain in and out struct dcerpc_auth per dcesrv_call_state
We should not use one "global" per connection variable to hold the
incoming and outgoing auth_info.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 0d202609c0db3551ae24a50414596405524f0909
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 26 08:10:46 2015 +0200
CVE-2015-5370: s4:rpc_server: ensure that the message ordering doesn't violate the spec
The first pdu is always a BIND.
REQUEST pdus are only allowed once the authentication
is finished.
A simple anonymous authentication is finished after the BIND.
Real authentication may need additional ALTER or AUTH3 exchanges.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit b40ab6b081e0e4c43d568ac65247e63383f1c980
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 26 08:10:46 2015 +0200
CVE-2015-5370: s4:rpc_server: verify the protocol headers before processing pdus
On protocol errors we should send BIND_NAK or FAULT and mark the
connection as to be terminated.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 409b8fd6bcdd1c5d3405c03ececec2eee60ed67f
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 26 08:10:46 2015 +0200
CVE-2015-5370: s4:rpc_server: add infrastructure to terminate a connection after a response
BIND_NAK or FAULT may mark a connection as to be terminated.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 358af6285bcd6d7c5599180e8a1b267929bd3bd7
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 26 08:10:46 2015 +0200
CVE-2015-5370: s4:rpc_server: make dcesrv_process_ncacn_packet() static
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit f3c68c66262aa5e32eb4a5fb363050b8a027216b
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 26 08:10:46 2015 +0200
CVE-2015-5370: s4:rpc_server: return the correct secondary_address in dcesrv_bind()
For now we still force \\PIPE\\ in upper case, we may be able to remove
this and change it in our idl files later. But for now we better
behave like a windows server without changing too much.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 0f4a3c332d813eb6296811f86a83e782f1a2e1ba
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 26 08:10:46 2015 +0200
CVE-2015-5370: s4:rpc_server: add some padding to dcesrv_bind_nak() responses
This matches Windows 2012R2.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 97a19d935c2aee09235b7944289d8281a70c7793
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 26 08:10:46 2015 +0200
CVE-2015-5370: s4:rpc_server: split out a dcesrv_fault_with_flags() helper function
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 494ba35faa766fbc241f51d0b7509caf5b233f9a
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 26 08:10:46 2015 +0200
CVE-2015-5370: s4:rpc_server: fill context_id in dcesrv_fault()
This depends on the type of the incoming pdu.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 2cf79f9c54cac16140ff6b153fc3568b91c51e02
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 26 08:10:46 2015 +0200
CVE-2015-5370: s4:rpc_server: set alloc_hint = 24 in dcesrv_fault()
This matches a Windows 2012R2 server.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit ec8b2a33cf8eb2a9d4a4316f7cb461f43db8c9a3
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 26 08:10:46 2015 +0200
CVE-2015-5370: s4:rpc_server: avoid ZERO_STRUCT() in dcesrv_fault()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit d7f0712c498d3ac4e79de4001cdaf31a6ecc6d09
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 26 08:10:46 2015 +0200
CVE-2015-5370: s4:rpc_server: correctly maintain dcesrv_connection->max_{recv,xmit}_frag
These values are controlled by the client but only in a range between
2048 and 5840 (including these values in 8 byte steps).
recv and xmit result always in same min value.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 1780b43ff6a82ab8091ba757ba9d0fc049819339
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 26 08:10:46 2015 +0200
CVE-2015-5370: s4:rpc_server/netlogon: make use of dce_call->conn->auth_state.auth_{level,type}
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 77e7d19023024193ee3c98f0a20a4c87205a4e41
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 26 08:10:46 2015 +0200
CVE-2015-5370: s4:rpc_server/samr: make use of dce_call->conn->auth_state.auth_level
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 2f0c9d61cee48f85e15fac796fa3d058c7b3a7dc
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 26 08:10:46 2015 +0200
CVE-2015-5370: s4:rpc_server/lsa: make use of dce_call->conn->auth_state.auth_{level,type}
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit b075822116a1ba84de99ae3f1acbd8bfbb3498d2
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Mar 10 16:02:31 2016 +0100
CVE-2015-5370: s4:rpc_server: make use of dce_call->conn->auth_state.auth_* in dcesrv_request()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit c784fcd6e0e84d1c28552a9f8f7992a3d5920c3a
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Jun 29 11:03:58 2015 +0200
CVE-2015-5370: s4:rpc_server: maintain dcesrv_auth->auth_{type,level,context_id}
This will simplify checks in the following commits and avoids
derefencing dcesrv_auth->auth_info which is not always arround.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 8e8c2daf7148c66da09428187fc643f2722b586f
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 26 08:10:46 2015 +0200
CVE-2015-5370: s4:rpc_server: check the result of dcerpc_pull_auth_trailer() in dcesrv_auth_bind()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit c0236de09e542dbb168969d8ae9f0c150a75198e
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 26 08:10:46 2015 +0200
CVE-2015-5370: s4:rpc_server: no authentication is indicated by pkt->auth_length == 0
pkt->u.*.auth_info.length is not the correct thing to check.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit b91112d779a44f78cac3a944b28a6e6f19598d74
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 26 08:10:46 2015 +0200
CVE-2015-5370: s4:rpc_server: make use of talloc_zero()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 69c77760deed8c8055ecb8b9531464f73c8fab80
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jul 10 14:08:46 2015 +0200
CVE-2015-5370: s4:librpc/rpc: protect dcerpc_request_recv_data() against too large payloads
We should only allow a combined payload of a response of at max 4 MBytes.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 1e88acf1cef2c60217f0d0365c462a17ad5bf3ee
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Jun 27 10:31:48 2015 +0200
CVE-2015-5370: s4:librpc/rpc: use dcerpc_verify_ncacn_packet_header() to verify BIND_ACK,ALTER_RESP,RESPONSE pdus
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit a1c69169ff8c37d32827ba39469cbd96b7742ee0
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Jun 27 10:31:48 2015 +0200
CVE-2015-5370: s4:librpc/rpc: handle DCERPC_PKT_FAULT before anything else in dcerpc_alter_context_recv_handler()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit e767733957764b37d8bfa13957cd0641bbf85ad6
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Jun 27 10:31:48 2015 +0200
CVE-2015-5370: s4:librpc/rpc: make use of dcerpc_map_ack_reason() in dcerpc_bind_recv_handler()
This should give better error messages if the server doesn't support
a specific abstract/transfer syntax.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 9a3f045244b12ff9f77d2664396137c390042297
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jul 7 13:05:01 2015 +0200
CVE-2015-5370: s3:rpc_client: remove useless frag_length check in rpc_api_pipe_got_pdu()
dcerpc_pull_ncacn_packet() already verifies this.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 665b874b6022bfcdec3f13a9f5a844e5d1784aba
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jul 7 13:05:01 2015 +0200
CVE-2015-5370: s3:rpc_client: move AS/U hack to the top of cli_pipe_validate_current_pdu()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 8266be48f455a5e541d0f7f62a1c8c38e0835976
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 26 08:10:46 2015 +0200
CVE-2015-5370: librpc/rpc: add a dcerpc_verify_ncacn_packet_header() helper function
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 2240a390f8ed3374af4773a794fa63619994e917
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Jun 27 10:31:48 2015 +0200
CVE-2015-5370: s4:librpc/rpc: finally verify the server uses the expected auth_{type,level,context_id} values
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 0f7bb07a825db7739bbe5f549811ef86514b5697
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Jun 27 10:31:48 2015 +0200
CVE-2015-5370: s4:librpc/rpc: avoid using dcecli_security->auth_info and use per request values
We now avoid reusing the same auth_info structure for incoming and outgoing
values. We need to make sure that the remote server doesn't overwrite our own
values.
This will trigger some failures with our currently broken server,
which will be fixed in the next commits.
The broken server requires an dcerpc_auth structure with no credentials
in order to do an alter_context request that just creates a presentation
context without doing authentication.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 84d86924f736204ddf50c6aeaa7d978551c7dc3b
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Jun 27 10:31:48 2015 +0200
CVE-2015-5370: s4:librpc/rpc: simplify checks if gensec is used in dcerpc_ship_next_request()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit e5a4d9aadb2876f8c9ad18590ac92d756efb8ba1
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Jun 27 10:31:48 2015 +0200
CVE-2015-5370: s4:librpc/rpc: avoid dereferencing sec->auth_info in dcerpc_request_prepare_vt()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit a20f1327f543e4f371eae00e26ea4de9a1a24d90
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Jun 27 10:31:48 2015 +0200
CVE-2015-5370: s4:librpc/rpc: always use ncacn_pull_request_auth() for DCERPC_PKT_RESPONSE pdus
It handles the case of DCERPC_AUTH_TYPE_NONE just fine and it makes it
possible to do some verification in future.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 630dcb55ad7a3a89bcd8643c98a5cdbfb8735ef7
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Jun 27 10:31:48 2015 +0200
CVE-2015-5370: s4:librpc/rpc: avoid using c->security_state.auth_info in ncacn_pull_request_auth()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 045e9b454bcbe20db4d6434fb66f870c1353675f
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Jun 27 10:31:48 2015 +0200
CVE-2015-5370: s4:librpc/rpc: avoid using hs->p->conn->security_state.auth_info in dcerpc_bh_auth_info()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit d61cd595cc86880f4356cc85d0705cf99f03b926
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Jun 27 10:31:48 2015 +0200
CVE-2015-5370: s4:librpc/rpc: use a local auth_info variable in ncacn_push_request_sign()
We should avoid using the global dcecli_security->auth_info struct for
individual requests.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 9153fc5fe23dfd8ca6cc9ee4412edd82b87e58cb
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Jun 27 10:31:48 2015 +0200
CVE-2015-5370: s4:librpc/rpc: use auth_context_id = 1
In future we want to verify that the auth_context_id from the server
is what we expect.
As Samba (<= 4.2.3) use a hardcoded value of 1 in responses, we
need to use that.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit b26aabe9b138ef929bbfc638df0bc22f70b16de0
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Jun 27 10:31:48 2015 +0200
CVE-2015-5370: s4:librpc/rpc: maintain dcecli_security->auth_{type,level,context_id}
This will simplify the following commits and avoids dereferencing
dcecli_security->auth_info.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit d6c4dde2c04218ed6eae812c2fece337f65523a3
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Jul 8 16:25:48 2015 +0200
CVE-2015-5370: s4:librpc/rpc: send a dcerpc_sec_verification_trailer if needed
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 2d2243c3383bee5fb138d03381bcce5fe9c8286e
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Jun 29 10:24:45 2015 +0200
CVE-2015-5370: s3:librpc/rpc: don't call dcerpc_pull_auth_trailer() if auth_length is 0
All other paranoia checks are done within dcerpc_pull_auth_trailer()
now.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit fce895b228ece579ccf8b911b67f5835e11f3fa4
Author: Stefan Metzmacher <metze at samba.org>
Date: Sun Jun 28 01:19:57 2015 +0200
CVE-2015-5370: librpc/rpc: simplify and harden dcerpc_pull_auth_trailer()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 17d9204bb239de2b3ec85e953afb754d18c482c5
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jul 16 22:46:05 2015 +0200
CVE-2015-5370: dcerpc.idl: add DCERPC_{NCACN_PAYLOAD,FRAG}_MAX_SIZE defines
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 416f383cf9c871d89dd0be48b17a2d13e3aa9ca1
Author: Stefan Metzmacher <metze at samba.org>
Date: Sun Feb 28 22:48:11 2016 +0100
CVE-2016-2118: s3:rpc_server/samr: allow _samr_ValidatePassword only with PRIVACY...
This requires transport encryption.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 3410c21cfe1dbbbabde4939c8cc1e02b2d99d49f
Author: Stefan Metzmacher <metze at samba.org>
Date: Sun Feb 28 22:48:11 2016 +0100
CVE-2016-2118: s4:rpc_server/samr: allow _samr_ValidatePassword only with PRIVACY...
This requires transport encryption.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 2b1f9958378f99501d806ec9128ba0e12d8e89c9
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Mar 10 17:03:59 2016 +0100
CVE-2016-2118: docs-xml: default "allow dcerpc auth level connect" to "no"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
commit d33cb24f17e18c84243d359b10afdd0bcef0637c
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Mar 26 08:47:42 2016 +0100
CVE-2016-2118: s3:rpc_server/{epmapper,echo}: allow DCERPC_AUTH_LEVEL_CONNECT by default
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
commit e34628f881993c14f5a450998373f50145594752
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Aug 7 09:50:30 2015 +0200
CVE-2016-2118: s3:rpc_server/{samr,lsa,netlogon}: reject DCERPC_AUTH_LEVEL_CONNECT by default
This prevents man in the middle downgrade attacks.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
Pair-Programmed-With: Günther Deschner <gd at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Günther Deschner <gd at samba.org>
commit f0b5e62fe02666c262120dfbae52d9e586f144fa
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Mar 18 04:40:30 2016 +0100
CVE-2016-2118: s3:rpc_server: make use of "allow dcerpc auth level connect"
With this option turned off we only allow DCERPC_AUTH_LEVEL_{NONE,INTEGRITY,PRIVACY},
this means the reject any request with AUTH_LEVEL_CONNECT with ACCESS_DENIED.
We sadly need to keep this enabled by default for now.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
Pair-Programmed-With: Günther Deschner <gd at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Günther Deschner <gd at samba.org>
commit dbb522005c11a87ca63c8680d9309598b98ef58d
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Mar 26 19:19:04 2016 +0100
CVE-2016-2118: s4:rpc_server/rpcecho: allow DCERPC_AUTH_LEVEL_CONNECT by default
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
commit dd32cfcfd033abcb54327c2b150008de2c5fa9a2
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Mar 26 19:18:42 2016 +0100
CVE-2016-2118: s4:rpc_server/mgmt: allow DCERPC_AUTH_LEVEL_CONNECT by default
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
commit b6e3f0c07522b5577cc5deb00b1f8f7cf34fd408
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Mar 26 19:17:40 2016 +0100
CVE-2016-2118: s4:rpc_server/epmapper: allow DCERPC_AUTH_LEVEL_CONNECT by default
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
commit ee77128046c02c3dfa2209c7316623a6decce308
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Aug 7 13:52:48 2015 +0200
CVE-2016-2118: s4:rpc_server/netlogon: reject DCERPC_AUTH_LEVEL_CONNECT by default
This prevents man in the middle downgrade attacks.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit bbc9a16777c51ab736707da2adb590e954a4d47a
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Aug 7 09:50:30 2015 +0200
CVE-2016-2118: s4:rpc_server/samr: reject DCERPC_AUTH_LEVEL_CONNECT by default
This prevents man in the middle downgrade attacks.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 5a9aa81f0b3310e9d47f3a1a66c196dc27d7ff34
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Aug 7 09:50:30 2015 +0200
CVE-2016-2118: s4:rpc_server/lsa: reject DCERPC_AUTH_LEVEL_CONNECT by default
This prevents man in the middle downgrade attacks.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 29ab0d99dd14007176f0b1d86f39c660ae33731a
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Mar 10 02:46:59 2016 +0100
CVE-2016-2118: s4:rpc_server: make use of "allow dcerpc auth level connect"
With this option turned off we only allow DCERPC_AUTH_LEVEL_{NONE,INTEGRITY,PRIVACY},
this means the reject any request with AUTH_LEVEL_CONNECT with ACCESS_DENIED.
We sadly need to keep this enabled by default for now.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit db01cab7e6bc93cc100829203a0636967eaae392
Author: Ralph Boehme <slow at samba.org>
Date: Fri Mar 18 08:45:11 2016 +0100
CVE-2016-2118(<=4.3) docs-xml: add "allow dcerpc auth level connect" defaulting to "yes"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit ad995527d184854eaa485b14f77d43389e8a9d65
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Mar 10 17:03:59 2016 +0100
CVE-2016-2118: docs-xml: add "allow dcerpc auth level connect" defaulting to "yes"
We sadly need to allow this for now by default.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 7847ee85d278adb9ce4fc7da7cf171917227c93f
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Mar 11 16:02:25 2016 +0100
CVE-2016-2118: s4:librpc: use integrity by default for authenticated binds
ncacn_ip_tcp:server should get the same protection as ncacn_np:server
if authentication and smb signing is used.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit 52aa7b60f3ca9325d30af9f8676471afcbda87be
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Dec 15 14:49:36 2015 +0100
CVE-2016-2118: librpc: change the default auth level from DCERPC_AUTH_LEVEL_CONNECT to DCERPC_AUTH_LEVEL_INTEGRITY
ncacn_ip_tcp:server should get the same protection as ncacn_np:server
if authentication and smb signing is used.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit dab41dee8a4fb27dbf3913b0e44a4cc726e3ac98
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Dec 15 14:49:36 2015 +0100
CVE-2016-2118: s3: rpcclient: change the default auth level from DCERPC_AUTH_LEVEL_CONNECT to DCERPC_AUTH_LEVEL_INTEGRITY
ncacn_ip_tcp:server should get the same protection as ncacn_np:server
if authentication and smb signing is used.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit ddbcb1119e805328c045d14d5ebe8b4053eca612
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Mar 10 04:06:04 2016 +0100
CVE-2016-2118: s4:rpc_server/dnsserver: require at least DCERPC_AUTH_LEVEL_INTEGRITY
This matches windows and prevents man in the middle downgrade attacks.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 889162a9be1841506ff0056da5ac4162c703adeb
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Mar 14 22:15:00 2016 +0100
CVE-2016-2118: python:tests/dcerpc: use [sign] for dnsserver tests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 08ca648a237ffce5e18935c2360302d8dcb22a98
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jul 14 09:13:00 2015 +0200
CVE-2016-2118: s4:rpc_server/backupkey: require DCERPC_AUTH_LEVEL_PRIVACY
This is required for the whole interface (which has just one opnum for now).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 1f3708a515d7856a27bb550c7a3b2a50ddd1a43e
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jul 14 09:13:00 2015 +0200
CVE-2016-2118: s4:rpc_server/drsuapi: require DCERPC_AUTH_LEVEL_PRIVACY
This matches windows and prevents man in the middle downgrade attacks.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 1c06e9265e30a38087e6d9b4dcf51dc920933c27
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jul 14 09:12:18 2015 +0200
CVE-2016-2118: s4:rpc_server: make it possible to define a min_auth_level on a presentation context
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 8ee232f2dc40d15713acd40b3fa5177925ab6d61
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Mar 15 23:52:30 2016 +0100
CVE-2016-2115: docs-xml: always default "client ipc signing" to "mandatory"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
commit 27939fc0ce563dea185fe70eb5d59e20301a4169
Author: Ralph Boehme <slow at samba.org>
Date: Wed Dec 16 10:04:35 2015 +0100
CVE-2016-2115: s3:libsmb: use SMB_SIGNING_IPC_DEFAULT and lp_client_ipc_{min,max}_protocol()
Use SMB_SIGNING_IPC_DEFAULT and lp_client_ipc_{min,max}_protocol() for RPC connections.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 54c9e0da7939976da87c60ac9959bb1c15d4e5fe
Author: Ralph Boehme <slow at samba.org>
Date: Wed Dec 16 10:03:52 2015 +0100
CVE-2016-2115: s3:libnet: use SMB_SIGNING_IPC_DEFAULT
Use SMB_SIGNING_IPC_DEFAULT for RPC connections.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit bf4259af9cc0f83d36b140f04474b6dea1ba5b60
Author: Ralph Boehme <slow at samba.org>
Date: Wed Dec 16 10:03:13 2015 +0100
CVE-2016-2115: s3:auth_domain: use SMB_SIGNING_IPC_DEFAULT
Use SMB_SIGNING_IPC_DEFAULT for RPC connections.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit ba52792ea155ac581fd72a0c8d4fc8c8478141a3
Author: Ralph Boehme <slow at samba.org>
Date: Wed Dec 16 10:01:59 2015 +0100
CVE-2016-2115: s3:lib/netapi: use SMB_SIGNING_IPC_DEFAULT
Use SMB_SIGNING_IPC_DEFAULT for RPC connections.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 7790d38de6196142fe041ea0398823aecf86c9e9
Author: Ralph Boehme <slow at samba.org>
Date: Wed Dec 16 10:00:09 2015 +0100
CVE-2016-2115: net: use SMB_SIGNING_IPC_DEFAULT
Use SMB_SIGNING_IPC_DEFAULT for RPC connections.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 15417d62ec9cf05bff98b1841998c080538bf8ee
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Dec 18 17:16:04 2015 +0100
CVE-2016-2115: s3:libsmb: let SMB_SIGNING_IPC_DEFAULT use "client ipc min/max protocol"
We need NT1 => LATEST in order to work against all servers which support
DCERPC over ncacn_np.
This is a mini step in using SMB2/3 in our client side by default.
This gives us a higher chance that SMB signing is supported by the
server (as it can't be turned off for SMB2 and higher).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 95e334bef43d2e8bf57e30d5151803cadc4636a5
Author: Ralph Boehme <slow at samba.org>
Date: Wed Dec 16 09:55:37 2015 +0100
CVE-2016-2115: s3:libsmb: add signing constant SMB_SIGNING_IPC_DEFAULT
SMB_SIGNING_IPC_DEFAULT must be used from s3 client code when opening
RPC connections.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 2e3bcb74480404c1ce035e23fa70896a5f9a01b9
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Dec 21 13:22:16 2015 +0100
CVE-2016-2115: s3:winbindd: use lp_client_ipc_signing()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 7f4be89f64baa530b25899faf9c71453b929e526
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Feb 27 04:23:58 2016 +0100
CVE-2016-2115: s3:winbindd: use lp_client_ipc_{min,max}_protocol()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit b7ea9994a0e18645942c816eea01cde1e1c04844
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Mar 28 13:44:29 2014 +0100
CVE-2016-2115: s4:librpc/rpc: make use of "client ipc *" options for ncacn_np
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 1c24db6eda0cde18df5e4c9051ce514e2cc67bb1
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Feb 27 04:15:38 2016 +0100
CVE-2016-2115: s4:libcli/raw: pass the minprotocol to smb_raw_negotiate*()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 1afcdaa7d044faf4c367f0db8d9d119716071322
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Feb 27 04:15:38 2016 +0100
CVE-2016-2115: s4:libcli/raw: limit maxprotocol to NT1 in smb_raw_negotiate*()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit a8dc7d69ab761c49270a333e3d1004ae770e5c6c
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Feb 27 04:14:39 2016 +0100
CVE-2016-2115: s4:libcli/smb2: use the configured min_protocol
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 543b97d4220fa51b2d55a3723ee973487db3f1a5
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Feb 27 04:13:11 2016 +0100
CVE-2016-2115: s4:libcli/raw: add smbcli_options.min_protocol
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 32d113024bf550549c56858a9d400b8f6ca83e58
Author: Ralph Boehme <slow at samba.org>
Date: Fri Mar 18 09:04:37 2016 +0100
CVE-2016-2115(<=4.3): docs-xml: add "client ipc signing" option
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11796
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit d5d1d63a73d47c3959de114cd40cfedea6ac788e
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Feb 27 03:43:58 2016 +0100
CVE-2016-2115: docs-xml: add "client ipc signing" option
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 7c7f42fb382bdd3dda43ed3cda8f9e60b75ac510
Author: Ralph Boehme <slow at samba.org>
Date: Fri Mar 18 08:58:32 2016 +0100
CVE-2016-2115(<=4.3): docs-xml: add "client ipc min protocol" and "client ipc max protocol" options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11796
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 4eefd4098b7711d16f48fd5f9cf9fea3f18fe58f
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Feb 27 03:45:43 2016 +0100
CVE-2016-2115: docs-xml: add "client ipc min protocol" and "client ipc max protocol" options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11796
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 5fb616aed38ba68e11fc64501c3c1b58dcf417b0
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Jul 15 10:57:03 2015 +0200
CVE-2016-2114: docs-xml: let the "smb signing" documentation reflect the reality
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11687
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit a6ab8e7d337ea60e04b59afa2810d2effd892843
Author: Ralph Boehme <slow at samba.org>
Date: Tue Mar 22 16:30:42 2016 +0100
CVE-2016-2114: s3:smbd: enforce "server signing = mandatory"
This fixes a regression that was introduced by commit
abb24bf8e874d525382e994af7ae432212775153
("s3:smbd: make use of better SMB signing negotiation").
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11687
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Ralph Boehme <slow at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit dfffc4688151c9ebb06d051ee5a8f1b7023e2367
Author: Ralph Boehme <slow at samba.org>
Date: Tue Mar 22 16:25:32 2016 +0100
CVE-2016-2114: libcli/smb: let mandatory signing imply allowed signing
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11687
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Ralph Boehme <slow at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 87d7973d7fc0538dcfa197c630c600d4f3b3a623
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Jul 15 10:57:03 2015 +0200
CVE-2016-2114: s3:smbd: use the correct default values for "smb signing"
This means an ad_dc will now require signing by default.
This matches the default behavior of Windows dc and avoids
man in the middle attacks.
The main logic for this hides in lpcfg_server_signing_allowed().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11687
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 141d4ac742b7c03cd2db560e7391cf9029014cc3
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jul 16 04:45:16 2015 +0200
CVE-2016-2114: s4:smb2_server: fix session setup with required signing
The client can't sign the session setup request...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11687
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit ae4b827062649c2b2dfc24a95e735726793d30a4
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Mar 16 13:03:08 2016 +0100
CVE-2016-2113: docs-xml: let "tls verify peer" default to "as_strict_as_possible"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11752
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
commit dcf61e49d1cab9c06a29959f7dd5b1908f56461d
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Mar 26 08:38:46 2016 +0100
CVE-2016-2113: selftest: use "tls verify peer = no_check"
Individual tests will check the more secure values.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11752
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
commit 64f8f67d603c5acfdb7a81fc931066e2172a0ae3
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Mar 16 15:07:36 2016 +0100
CVE-2016-2113: selftest: test all "tls verify peer" combinations with ldaps
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11752
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 95da9fcb15188477966bc8bb2cab589e4753c4e3
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Dec 23 16:17:04 2015 +0100
CVE-2016-2113: s4:librpc/rpc: verify the rpc_proxy certificate and hostname if configured
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11752
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 3a730923903c6ede0f8e58428eb36d8c25142b62
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Dec 23 16:17:04 2015 +0100
CVE-2016-2113: s4:libcli/ldap: verify the server certificate and hostname if configured
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11752
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit da2065eb4a6951e028e2f8865a17a5639e9f3579
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Mar 21 03:56:22 2016 +0100
CVE-2016-2113: s4:selftest: explicitly use '--option="tlsverifypeer=no_check" for some ldaps tests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11752
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit d2d22368f9556757a1ee8d0d3ccf61ca95878138
Author: Ralph Boehme <slow at samba.org>
Date: Fri Mar 18 09:37:06 2016 +0100
CVE-2016-2113(<=4.3): docs-xml: add "tls verify peer" option defaulting to "no_check"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11752
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Ralph Boehme <slow at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit f3d752fce10f962d3cce01d3287c7467eff0f6b4
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Dec 23 22:12:56 2015 +0100
CVE-2016-2113: docs-xml: add "tls verify peer" option defaulting to "no_check"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11752
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit b8c5862e02542e67b3f5340eedb3df07c634f740
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Dec 23 16:17:04 2015 +0100
CVE-2016-2113: s4:lib/tls: implement infrastructure to do peer verification
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11752
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 1c25d638a8178df73afaf60f8d79757e5bc113c7
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Dec 23 15:39:48 2015 +0100
CVE-2016-2113: s4:lib/tls: create better certificates and sign the host cert with the ca cert
The generated ca cert (in ca.pem) was completely useless,
it could be replaced by cert.pem.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11752
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 0a1d2b435640f0d17178bbf6b580ca586fca71db
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Mar 25 19:24:20 2016 +0100
CVE-2016-2112: docs-xml: change the default of "ldap server require strong auth" to "yes"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
commit 16472fcf686559cd2641e30c953ddb6dc487ed45
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Dec 21 10:04:48 2015 +0100
CVE-2016-2112: s4:selftest: run some ldap test against ad_dc_ntvfs, fl2008r2dc and fl2003dc
We want to test against all "ldap server require strong auth" combinations.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
commit ded3595c711340c490d5302479c45d6e3a49397f
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Dec 21 10:27:33 2015 +0100
CVE-2016-2112: selftest: servers with explicit "ldap server require strong auth" options
The default is "ldap server require strong auth = yes",
ad_dc_ntvfs uses "ldap server require strong auth = allow_sasl_over_tls",
fl2008r2dc uses "ldap server require strong auth = no".
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
commit 59c427325f05a0c75f08ab5a0d8e4267a8e9b375
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Mar 26 18:07:02 2016 +0100
CVE-2016-2112: s4:selftest: run samba4.ldap.bind against fl2008r2dc
This uses "ldap server require strong auth = no".
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
commit 5a5bedee0c34307b82a1005388bde9c69ec2ad70
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Aug 28 12:19:37 2015 +0200
CVE-2016-2112: s4:ldap_server: implement "ldap server require strong auth" option
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 2612783ee38c543a9a42cf9cc565fd1f71e5e674
Author: Ralph Boehme <slow at samba.org>
Date: Fri Mar 18 09:09:46 2016 +0100
CVE-2016-2112(<=4.3): docs-xml: add "ldap server require strong auth" option
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Ralph Boehme <slow at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit efd47e4f4848568646c4d02c60b1a568708219be
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Dec 21 12:03:56 2015 +0100
CVE-2016-2112: docs-xml: add "ldap server require strong auth" option
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 5a26043267c5287481f677f773724cf4edb76699
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Dec 18 12:45:56 2015 +0100
CVE-2016-2112: s4:ldap_server: reduce scope of old_session_info variable
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 62568224e57cae33b45280cb073dffc3054edb38
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Dec 18 11:56:29 2015 +0100
CVE-2016-2112: s4:selftest: use --option=clientldapsaslwrapping=plain for plain connections
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit f8c3a4643ff13f967ad529cf523c0b3259f5095f
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Dec 18 08:29:50 2015 +0100
CVE-2016-2112: s4:libcli/ldap: auto upgrade to SIGN after STRONG_AUTH_REQUIRED
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 190de2d2f0be46f427f707d3bcf9550b079e2fe9
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Dec 18 08:29:50 2015 +0100
CVE-2016-2112: s4:libcli/ldap: make sure we detect downgrade attacks
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 8e63804c62b2ddb13c29280d8b7b4d116e1f7441
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Dec 18 08:29:50 2015 +0100
CVE-2016-2112: s4:libcli/ldap: honour "client ldap sasl wrapping" option
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 799557f226b0d09cbd536cfabb397fcafa640472
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Mar 24 15:50:49 2016 +0100
CVE-2016-2112: s3:libads: make sure we detect downgrade attacks
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Pair-programmed-with: Ralph Boehme <slow at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Ralph Boehme <slow at samba.org>
commit 531c5aac2e55b3e765bb9b691b4c0c702eae274f
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Mar 15 21:59:42 2016 +0100
CVE-2016-2111: docs-xml/smbdotconf: default "raw NTLMv2 auth" to "no"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
commit 9d6ffb37225d260b8663c806792effb674ee7683
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Mar 26 22:08:38 2016 +0100
CVE-2016-2111: selftest:Samba3: use "raw NTLMv2 auth = yes" for nt4_dc
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
commit 2ee2de41f2f936584c2176e3ec02755913816a1b
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Mar 1 10:25:54 2016 +0100
CVE-2016-2111: s4:smb_server: implement "raw NTLMv2 auth" checks
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit f5e066c88cc9e0404691b1fd59175a7862ba9e5a
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Mar 1 10:25:54 2016 +0100
CVE-2016-2111: s3:auth: implement "raw NTLMv2 auth" checks
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 270f04cf6bb509dc8333d80dfb6bfad2f74b7060
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Mar 15 21:02:34 2016 +0100
CVE-2016-2111(<=4.3): docs-xml: add "raw NTLMv2 auth" defaulting to "yes"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit b0c0ffeed40f9e20d3a2ef197854d6ea11cdabb1
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Mar 15 21:02:34 2016 +0100
CVE-2016-2111: docs-xml: add "raw NTLMv2 auth" defaulting to "yes"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 9b983aebcc3e617a1cb7c84b06a4618ad5b0fb4d
Author: Stefan Metzmacher <metze at samba.org>
Date: Sun Mar 27 01:09:05 2016 +0100
CVE-2016-2111: docs-xml: document the new "client NTLMv2 auth" and "client use spnego" interaction
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
commit 1e35c14ea9e55c73a5a26c083ac87f92f6504677
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Mar 26 18:08:16 2016 +0100
CVE-2016-2111: s3:libsmb: don't send a raw NTLMv2 response when we want to use spnego
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
commit 2608fb3d766a2048f57d6a7de006b61e6cca0b27
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Mar 26 18:08:16 2016 +0100
CVE-2016-2111: s4:libcli: don't send a raw NTLMv2 response when we want to use spnego
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
commit 9f39d0f6a83b129b70027acaece8d6ecd3d71401
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Mar 26 18:08:16 2016 +0100
CVE-2016-2111: s4:param: use "client use spnego" to initialize options->use_spnego
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
commit 7188b6aac6916531258a0ddc19139e684ee8214e
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Mar 26 18:08:16 2016 +0100
CVE-2016-2111: s4:libcli: don't allow the LANMAN2 session setup without "client lanman auth = yes"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
commit b1bcc5826208cac3306e435c4147c23517a630c4
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Mar 26 22:24:23 2016 +0100
CVE-2016-2111: s4:torture/base: don't use ntlmv2 for dos connection in base.samba3error
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
commit ba33643f844275b7becbc10f8fde1d920674f9e6
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Mar 26 22:24:23 2016 +0100
CVE-2016-2111: s4:torture/raw: don't use ntlmv2 for dos connection in raw.samba3badpath
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
commit c741e86c405e8cc0bdd61aedbc4b4d8186c6a1f3
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Dec 9 13:12:43 2015 +0100
CVE-2016-2111: s3:rpc_server/netlogon: check NTLMv2_RESPONSE values for SEC_CHAN_WKSTA
This prevents spoofing like Microsoft's CVE-2015-0005.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 9aae9b11f243b8372e768187d3a3064cc9750010
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Dec 9 13:12:43 2015 +0100
CVE-2016-2111: s4:rpc_server/netlogon: check NTLMv2_RESPONSE values for SEC_CHAN_WKSTA
This prevents spoofing like Microsoft's CVE-2015-0005.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 610229e7b59de2f975349da4f4de680c67cf4d73
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Feb 23 19:08:31 2016 +0100
CVE-2016-2111: libcli/auth: add NTLMv2_RESPONSE_verify_netlogon_creds() helper function
This is the function that prevents spoofing like
Microsoft's CVE-2015-0005.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit eafd2ce23ac7d2b9a146f6473fec47a66b391e23
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Dec 12 22:23:18 2015 +0100
CVE-2016-2111: s4:torture/rpc: fix rpc.pac ntlmv2 test
The computer name of the NTLMv2 blob needs to match
the schannel connection.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 7f74142a8090d020ba3f8040600277ad64a19e56
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Dec 12 22:23:18 2015 +0100
CVE-2016-2111: s4:torture/rpc: fix rpc.samba3.netlogon ntlmv2 test
The computer name of the NTLMv2 blob needs to match
the schannel connection.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 96e93b880225d41d1a2b8f3f6c950e5c0d2aeb64
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Aug 7 13:33:17 2015 +0200
CVE-2016-2111: s3:rpc_server/netlogon: require DCERPC_AUTH_LEVEL_PRIVACY for validation level 6
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 40397d1764ebec2c5cba9cd43bfae2e4c12329d8
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Aug 7 13:33:17 2015 +0200
CVE-2016-2111: s4:rpc_server/netlogon: require DCERPC_AUTH_LEVEL_PRIVACY for validation level 6
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit fec6daecac94ec5ac560853c53b626b82cb94ad6
Author: Günther Deschner <gd at samba.org>
Date: Sat Sep 26 01:29:10 2015 +0200
CVE-2016-2111: s3:rpc_server/netlogon: always go through netr_creds_server_step_check()
The ensures we apply the "server schannel = yes" restrictions.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Guenther Deschner <gd at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit 98c1677b1cdd844ca2b28b28e015e977eb2ef24f
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Mar 9 15:31:23 2016 +0100
CVE-2016-2111: s4:rpc_server: implement 'server schannel = yes' restriction
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit fd1c98f8172496f1cd007344b24b542cbdb446ec
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Dec 15 15:10:20 2015 +0100
CVE-2016-2111: auth/gensec: correctly report GENSEC_FEATURE_{SIGN,SEAL} in schannel_have_feature()
This depends on the DCERPC auth level.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 2e11c70b3b92ed561880ad8a204ff092f4592f4d
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Dec 15 15:11:32 2015 +0100
CVE-2016-2111: auth/gensec: require DCERPC_AUTH_LEVEL_INTEGRITY or higher in schannel_update()
It doesn't make any sense to allow other auth levels.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 280a3719cd7e03281d788c7a5d55cb6473c9dcc8
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Nov 19 16:26:49 2015 +0100
CVE-2016-2110: auth/ntlmssp: implement new_spnego support including MIC generation (as client)
We now detect a MsvAvTimestamp in target info as indication
of the server to support NTLMSSP_MIC in the AUTH_MESSAGE.
If the client uses NTLMv2 we provide
NTLMSSP_AVFLAG_MIC_IN_AUTHENTICATE_MESSAGE and valid MIC.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 65bd884149a68c01336c5af462b1e5b2ec66b3d5
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Nov 19 16:02:58 2015 +0100
CVE-2016-2110(<=4.2): auth/ntlmssp: implement new_spnego support including MIC checking (as server)
This fixes the build in 4.2 and older versions.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 48b24cebe5c8c516ea29b6cc33c2697e5a42bb2f
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Nov 19 16:02:58 2015 +0100
CVE-2016-2110: auth/ntlmssp: implement new_spnego support including MIC checking (as server)
We now include a MsvAvTimestamp in our target info as indication
for the client to include a NTLMSSP_MIC in the AUTH_MESSAGE.
If the client uses NTLMv2 we check NTLMSSP_AVFLAG_MIC_IN_AUTHENTICATE_MESSAGE
and require a valid MIC.
This is still disabled if the "map to guest" feature is used.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit bb904577b8352915ce4549b7a326dcbf8ad6f0f6
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Nov 30 09:13:14 2015 +0100
CVE-2016-2110: ntlmssp.idl: add NTLMSSP_MIC_{OFFSET,SIZE}
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 530f0d1ee1c714b352cbac566821a7b9a45a8e61
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Nov 20 09:31:35 2015 +0100
CVE-2016-2110: libcli/auth: pass server_timestamp to SMBNTLMv2encrypt_hash()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 741c532edbf5cd0fa1dff2a00c21055be832b833
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Nov 20 09:29:11 2015 +0100
CVE-2016-2110(<=4.2): auth/credentials: pass server_timestamp to cli_credentials_get_ntlm_response()
This fixes the build in 4.2 and older versions.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 76318d55fd492f1dfd4aa98902530c9490b2fe2d
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Nov 20 09:29:11 2015 +0100
CVE-2016-2110: auth/credentials: pass server_timestamp to cli_credentials_get_ntlm_response()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 3d783b781675fe25f3d4326721c9ee3c5359ec62
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Nov 24 21:24:47 2015 +0100
CVE-2016-2110: auth/credentials: clear the LMv2 key for NTLMv2 in cli_credentials_get_ntlm_response()
If we clear CLI_CRED_LANMAN_AUTH and we should also clear the lm_response buffer
and don't send it over the net.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 3a8334d269d76a9f849c8b58aa45de058e518971
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Dec 17 11:49:31 2013 +0100
CVE-2016-2110: auth/ntlmssp: implement gensec_ntlmssp_may_reset_crypto()
[MS-SPNG] requires the NTLMSSP RC4 states to be reset after
the SPNEGO exchange with mechListMic verification (new_spnego).
The 'reset_full' parameter is needed to support the broken
behavior that windows only resets the RC4 states but not the
sequence numbers. Which means this functionality is completely
useless... But we want to work against all windows versions...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 22bf4ed895c75f67d4e0ccb4b29e2811f9960798
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Dec 16 11:27:27 2013 +0100
CVE-2016-2110: auth/ntlmssp: call ntlmssp_sign_init if we provide GENSEC_FEATURE_SIGN
It's important to check if got the GENSEC_FEATURE_SIGN and if the caller
wanted it.
The caller may only asked for GENSEC_FEATURE_SESSION_KEY which implicitly
negotiates NTLMSSP_NEGOTIATE_SIGN, which might indicate GENSEC_FEATURE_SIGN
to the SPNEGO glue code.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 2e35e39fc33071c03f3b1c60641e2f87d37ef3b0
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Dec 17 11:49:31 2013 +0100
CVE-2016-2110: auth/gensec: add gensec_may_reset_crypto() infrastructure
[MS-SPNG] requires the NTLMSSP RC4 states to be reset after
the SPNEGO exchange with mechListMic verification (new_spnego).
This provides the infrastructure for this feature.
The 'reset_full' parameter is needed to support the broken
behavior that windows only resets the RC4 states but not the
sequence numbers. Which means this functionality is completely
useless... But we want to work against all windows versions...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 65deaae1f249fa4cc1f9d5471cc77cfe8c032b2d
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Nov 24 20:13:24 2015 +0100
CVE-2016-2110: auth/gensec: require spnego mechListMIC exchange for new_spnego backends
This used to work more or less before, but only for krb5 with the
server finishing first.
With NTLMSSP and new_spnego the client will finish first.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 639bd4da76f1493592c6d4feee3cc3d7b6dec872
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Nov 20 11:42:55 2015 +0100
CVE-2016-2110: auth/gensec: fix the client side of a spnego downgrade
New servers response with SPNEGO_REQUEST_MIC instead of
SPNEGO_ACCEPT_INCOMPLETE to a downgrade.
With just KRB5 and NTLMSSP this doesn't happen, but we
want to be prepared for the future.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 0489a5871e715185bbb0a24a5a69c2cae57341fb
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Nov 20 11:42:55 2015 +0100
CVE-2016-2110: auth/gensec: fix the client side of a new_spnego exchange
Even for SMB where the server provides its mech list,
the client needs to remember its own mech list for the
mechListMIC calculation.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit a98f71802d92241cb1f3309cdc98926dad8d97d5
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Dec 17 12:42:35 2013 +0100
CVE-2016-2110: libcli/auth: add SPNEGO_REQUEST_MIC to enum spnego_negResult
This is defined in http://www.ietf.org/rfc/rfc4178.txt.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit c528a17f74e33461f90679d000eb2dda2f4f1721
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Dec 17 12:42:06 2013 +0100
CVE-2016-2110: libcli/auth: use enum spnego_negResult instead of uint8_t
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit e073b532860f575d1f5b89bd69e1c3b18e97caac
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Nov 20 14:06:18 2015 +0100
CVE-2016-2110: winbindd: add new_spnego to the WINBINDD_CCACHE_NTLMAUTH response
We don't need to change the protocol version because:
1. An old client may provide the "initial_blob"
(which was and is still ignored when going
via the wbcCredentialCache() function)
and the new winbindd won't use new_spnego.
2. A new client will just get a zero byte
from an old winbindd. As it uses talloc_zero() to
create struct winbindd_response.
3. Changing the version number would introduce problems
with backports to older Samba versions.
New clients which are capable of using the new_spnego field
will use "negotiate_blob" instead of "initial_blob".
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 3c076792a79e2ed410784e600387042f503258ec
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Dec 1 14:54:13 2015 +0100
CVE-2016-2110: auth/ntlmssp: let gensec_ntlmssp_client_start require NTLM2 (EXTENDED_SESSIONSECURITY) when using ntlmv2
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 9c171a50e729aeb00ec70373bb1adc4832a5fa2d
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Dec 1 14:54:13 2015 +0100
CVE-2016-2110: auth/ntlmssp: let gensec_ntlmssp_client_start require flags depending on the requested features
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit f78d54936f49c3163998d7b01db5ea5857081dcf
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Dec 1 15:06:09 2015 +0100
CVE-2016-2110: auth/ntlmssp: don't let ntlmssp_handle_neg_flags() change ntlmssp_state->use_ntlmv2
ntlmssp_handle_neg_flags() can only disable flags, but not
set them. All supported flags are set at start time.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 332d580d2c9e4e6b675ba7af0b3504f0108c4f17
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Dec 1 15:01:09 2015 +0100
CVE-2016-2110: auth/ntlmssp: don't allow a downgrade from NTLMv2 to LM_AUTH
man smb.conf says "client ntlmv2 auth = yes" the default disables,
"client lanman auth = yes":
...
Likewise, if the client ntlmv2 auth parameter is enabled, then only NTLMv2
logins will be attempted.
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit b7d64104437a131b673d39efa22220d18e9c8be8
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Dec 1 14:58:19 2015 +0100
CVE-2016-2110: auth/ntlmssp: split allow_lm_response from allow_lm_key
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 2c6474b5d07beb6328a03743828daf3bba3447f4
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Dec 1 11:01:24 2015 +0100
CVE-2016-2110: auth/ntlmssp: maintain conf_flags and required_flags variables
We now give an error when required flags are missing.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit f78932505d62508bd4d81f3e094d8d7c99098464
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Dec 1 08:46:45 2015 +0100
CVE-2016-2110: auth/ntlmssp: let ntlmssp_handle_neg_flags() return NTSTATUS
In future we can do a more fine granted negotiation
and assert specific security features.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 8dcd3cb2bbe935a7db000ebb8455bd5a3efd234d
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Mar 21 23:07:12 2016 +0100
CVE-2016-2110(<=4.2): s4:winbind: implement the WBFLAG_BIG_NTLMV2_BLOB flag
NTLMv2 blobs can become large...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 8cd4741a8fe7b9ec1ed2f3834a8b543d7dbb22e9
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Mar 21 19:41:53 2016 +0100
s3:ntlm_auth: pass manage_squid_request() needs a valid struct ntlm_auth_state from within get_password()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Tue Mar 22 19:20:38 CET 2016 on sn-devel-144
(cherry picked from commit ef1ad0e122659b5ff9097f0f7046f10fc2f3ec30)
commit d1ebe5bb41856ba7a87e046ef97a6f217636754f
Author: Stefan Metzmacher <metze at samba.org>
Date: Sun Feb 28 23:32:50 2016 +0100
s3:rpc_server/samr: correctly handle session_extract_session_key() failures
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 0906d61bb2f3446483d82928b55f5b797bac4804)
commit 9981c0b1f7832d5ac393a86db9b4058e168cb42c
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Dec 18 15:30:00 2015 +0100
s4:selftest: run rpc.netlogon.admin also over ncalrpc and ncacn_ip_tcp
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Fri Mar 18 12:39:51 CET 2016 on sn-devel-144
(cherry picked from commit e8e2386bf6bd05c60a0f897587a9a676c86dee76)
commit 6138f8b9e0a1ce1194bdb69890dd2f270a025ef2
Author: Volker Lendecke <vl at samba.org>
Date: Tue Mar 15 20:34:27 2016 +0100
libads: Fix CID 1356316 Uninitialized pointer read
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit dcaa88158e6f0a9964ad051b4062d82e9f279b8c)
commit 1993e69653667ec892280c7794ca2574596b6855
Author: Volker Lendecke <vl at samba.org>
Date: Tue Mar 15 21:00:30 2016 +0100
libsmb: Fix CID 1356312 Explicit null dereferenced
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit f50c3fb1c58700522f1b742539dab9bd9ae7fd39)
commit 6891eeb6f8d3329850c84574da7ca0f6cd62eb7f
Author: Günther Deschner <gd at samba.org>
Date: Sat Sep 26 02:20:50 2015 +0200
s3-auth: check for return code of cli_credentials_set_machine_account().
Guenther
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Thu Mar 17 20:43:19 CET 2016 on sn-devel-144
(cherry picked from commit c06058a99be4cf3ad3431dc263d4595ffc226fcf)
commit 62f4ee1ba2ebb912f5b17aae1d1aefdc9d43b8ce
Author: Günther Deschner <gd at samba.org>
Date: Sat Sep 26 02:18:44 2015 +0200
s4-smb_server: check for return code of cli_credentials_set_machine_account().
We keep anonymous server_credentials structure in order to let
the rpc.spoolss.notify start it's test server.
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Günther Deschner <gd at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit fe93a09889a854d7c93f9b349d5794bdbb9403ba)
commit 344714835b563bebc310448c22817cc13b1f3577
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 26 08:10:46 2015 +0200
s4:rpc_server: require access to the machine account credentials
Even a standalone server should be selfjoined.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit 31f07d05629bc05ef99edc86ad2a3e95ec8599f1)
commit cceb49a3b07d62affbbe213a043f95cadd54f67f
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Dec 15 15:08:43 2015 +0100
auth/gensec: split out a gensec_verify_dcerpc_auth_level() function
We only need this logic once.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit 57946ac7c19c4e9bd8893c3acb9daf7c4bd02159)
commit 2b442ce72116ed86a8d63aba42c5130f9c03e493
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jul 10 13:01:47 2015 +0200
auth/gensec: make sure gensec_security_by_auth_type() returns NULL for AUTH_TYPE_NONE
ops->auth_type == 0, means the backend doesn't support DCERPC.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit cc3dea5a8104eef2cfd1f8c05e25da186c334320)
commit 592baac5f92691a1d2f7e36874ce17c2d2b83bd0
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Mar 11 02:55:30 2016 +0100
s4:torture/rpc/schannel: don't use validation level 6 without privacy
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit 733ccd13209c20f8e76ae7b47e1741791c1cd6ba)
commit 89298e5e69ee8e58469423c014ba66ec5ef87fba
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Mar 11 18:09:26 2016 +0100
s4:torture/rpc: correctly use torture_skip() for test_ManyGetDCName() without NCACN_NP
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit 50581689d924032de1765ec884dbd160652888be)
commit e80d4f9f40bb726515f9b44646f67927cb3c5268
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Mar 14 01:56:07 2016 +0100
s4:torture/rpc/samlogon: use DCERPC_SEAL for netr_LogonSamLogonEx and validation level 6
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit 050a1d0653716fd7c166d35a7236a014bf1d1516)
commit 93863b8cfd6749f85e5d01b5bfbe3235d4230a07
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Mar 10 17:24:03 2016 +0100
s4:torture/rpc/samr: use DCERPC_SEAL in setup_schannel_netlogon_pipe()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit 26e5ef68188d2e44d42f75ed6aabf2557c9ce5ce)
commit 2d70e9f200a9782ff0553c506d782a7dc9090fa5
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Dec 22 12:10:12 2015 +0100
s4:torture/netlogon: add/use test_SetupCredentialsPipe() helper function
This create a schannel connection to netlogon, this makes the tests
more realistic.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(similar to commit 1a7d8b8602a687ff6eef45f15f597694e94e14b1)
commit 9be91a71f613291ed858d9720349ff24a69e67f7
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Dec 22 09:13:46 2015 +0100
s3:test_rpcclient_samlogon.sh: test samlogon with schannel
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit f9a1915238dc7a573c58dd8c7bac3637689af265)
commit 5e8f48ba9251cc1a91c4ddd8f82d74bd5031eabf
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Dec 18 07:10:06 2015 +0100
s3:selftest: rpc.samr.passwords.validate should run with [seal] in order to be realistic
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(similar to commit 2c36501640207604a5c66fb582c2d5981619147e)
commit 1838e16803043a9022bffdfbda67c476f3589365
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Jan 9 21:21:25 2016 +0100
selftest: setup information of new samba.example.com CA in the client environment
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit b00c38afc6203f1e1f566db31a63cedba632dfab)
commit f40bc59ebf06e9f55a5548176b1236775cc81fe1
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Jan 9 21:21:25 2016 +0100
selftest: set tls crlfile if it exist
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit b2c0f71db026353060ad47fd0a85241a3df8c703)
commit 9452268ee38669c078db4340985c237ba62ee6b7
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Jan 9 21:21:25 2016 +0100
selftest: use Samba::prepare_keyblobs() and use the certs from the new CA
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(similar to commit c321a59f267d1a997eff6f864a79437ef759adeb)
commit 8b14e45926676e93ce8f38a652c99bfebf7071b3
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Jan 9 21:21:25 2016 +0100
selftest: add Samba::prepare_keyblobs() helper function
This copies the certificates from the samba.example.com CA if they
exist.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit a6447fd6d010b525d235b894d5be62c807922cb5)
commit d93ff571f3730664fca0e7bd56ec491ffd078b57
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Jan 9 01:06:05 2016 +0100
selftest: mark commands in manage-CA-samba.example.com.sh as DONE
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(similar to commit 2a96885ac706ae3e7c6fd7aaff0215f3f171bc27)
commit 9030298dc586a18637be358f3f2da522f985d4c9
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Jan 9 01:09:31 2016 +0100
selftest: add CA-samba.example.com (non-binary) files
The binary files will follow in the next, this allows the next
commit to be skipped as the binary files are not used by samba yet.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(similar to commit 520c85a15fa1f4718e2e793303327abea22db149)
commit 44b5d2d481e1fd9a960e15c3e91e74904e6dc5de
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Jan 9 01:08:02 2016 +0100
selftest: add config and script to create a samba.example.com CA
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit bdc1f036a8a66256afe8dc88f8a9dc47655640bd)
commit 61e6ca82cf2955e647ab29477fc18c81aba12f88
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Jan 9 01:06:05 2016 +0100
selftest: add some helper scripts to mange a CA
This is partly based on the SmartCard HowTo from:
https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit b0bdbeeef44259782c9941b5cfff7d4925e1f2f2)
commit 66df1ed7dc97242235c0a6fe179b94317c498a83
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Jan 16 13:57:47 2016 +0100
selftest: s!plugindc.samba.example.com!plugindom.samba.example.com!
It's confusing to have plugindc.samba.example.com as domain name
and plugindc.plugindc.samba.example.com as hostname.
We now have plugindom.samba.example.com as domain name
and plugindc.plugindom.samba.example.com as hostname.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(similar to commit c561a42ff68bc4561147839e3a65951924f6af21)
commit ad389f1fd077a5fbae93ec68902dfc60d382a42f
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Nov 10 10:25:10 2015 +0100
s4:rpc_server: dcesrv_generic_session_key should only work on local transports
This matches modern Windows servers.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Thu Mar 10 10:15:21 CET 2016 on sn-devel-144
(cherry picked from commit 645e777b0aca7d997867e0b3f0b48bfb138cc25c)
commit 8f0d8f415cbd4a4fabfcab89d0dfad3850da5b9a
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Feb 26 16:41:10 2016 +0100
s4:rpc_server/samr: hide a possible NO_USER_SESSION_KEY error
Windows servers doesn't return the raw NT_STATUS_NO_USER_SESSION_KEY
error, but return WRONG_PASSWORD or even hide the error by using a random
session key, that results in an invalid, unknown, random NTHASH.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 58b33896b65c5b51486eaf01f5f935ace2369fd0)
commit a99a012fdcef185b2cf876c4c7d37536877f46f1
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Nov 10 10:25:10 2015 +0100
s4:librpc/rpc: dcerpc_generic_session_key() should only be available on local transports
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(similar to commit 5a397216d40ff18fd1c0980cd9b7b7c0a970bbbb)
commit fc5c623eeedd4d175f5213520e08753f3a346676
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Dec 15 22:44:24 2015 +0100
s4:torture:samba3rpc: use an authenticated SMB connection and an anonymous DCERPC connection on top
This is the only way to get a reliable transport session key.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit af8c4ebf9be314ddd13ef9ca17a0237927dd2ede)
commit 3393d9b8948dd5a03d8f26bf67677962d110eadf
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Dec 18 20:18:42 2015 +0100
s4:selftest: run rpc.samr over ncacn_np instead of ncacn_ip_tcp
It requires a transport session key, which is only reliable available
over SMB.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit f699eb3b1a0660ace3ca99d3f3b5d79ed5537c80)
commit 6ae0007529cd8f452cd4adde4e6b0df567fdb370
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Feb 29 07:47:39 2016 +0100
s4:torture: the backupkey tests need to use ncacn_np: for LSA calls
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(similar to commit c793b23ddb7c048110bc4718574e5b99d5bbcfae)
commit 19896395dbfae5feb87d863485c4565f49844e4e
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Dec 17 08:55:03 2015 +0100
s4:torture/rpc: do testjoin only via ncalrpc or ncacn_np
ncacn_ip_tcp doesn't have the required session key.
It used to be the wellknown "SystemLibraryDTC" constant,
but that's not available in modern systems anymore.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 0400f301e3bcf495748cff009755426a040596fa)
commit 54dd7b751942c87d1baedc70ded7a906d86b4677
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Mar 2 07:27:41 2016 +0100
s3:libsmb: remove unused functions in clispnego.c
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(similar to commit 14335018229801dd6d2b18f8d19ab5b45b8394fc)
commit 28c23bd8801b6a29f14d8757040960f4332d2db2
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Mar 2 07:27:16 2016 +0100
s3:libsmb: remove unused cli_session_setup_kerberos*() functions
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(similar to commit 95b953950d1fd454121ff23a43a8b13a34385ef1)
commit 1dd4e36efa91b086dde2c297437c1df5bc44b734
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Mar 2 14:58:30 2016 +0100
s3:libsmb: make use of cli_session_setup_gensec*() for Kerberos
This pares a fix for https://bugzilla.samba.org/show_bug.cgi?id=10288
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 0e1b2ebf884c6f2033b3b9aa7b6f72af54a716b2)
commit ac680c135c223303f7b45afe0ef4b5c20bb399d9
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Mar 2 14:35:21 2016 +0100
s3:libsmb: call cli_state_remote_realm() within cli_session_setup_spnego_send()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 907e2b1f665cdafc863f4702ede5dcf16e6cc269)
commit 68a32f1ec951547182fcea6c7c8d386dbe9f9f7f
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Mar 1 15:47:11 2016 +0100
s3:libsmb: provide generic cli_session_setup_gensec_send/recv() pair
It will be possible to use this for more than just NTLMSSP in future.
This prepares a fix for https://bugzilla.samba.org/show_bug.cgi?id=10288
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 285c342f01a6e9a892f03360f8d2d0097e7a41cb)
commit 80c665b184dfc80ec1bad46573dd0720778c06db
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Mar 1 18:31:50 2016 +0100
s3:libsmb: let cli_session_setup_ntlmssp*() use gensec_update_send/recv()
This pares a fix for https://bugzilla.samba.org/show_bug.cgi?id=10288
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 576257f6e1488a623306dc368c806e218b1fcdf2)
commit d9c89a5cbaf77e590c1e6df26a83880d5a42fd0e
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Dec 9 11:49:37 2015 +0100
s3:libsmb: unused ntlmssp.c
Everything uses the top level ntlmssp code via gensec now.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit afffe797547a97ec839913e1ca89045989bbea49)
commit db624e43fcc3da2a9bd8d229cbd6e4cb20d2a57f
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Nov 26 14:34:46 2015 +0100
s3:libsmb: make use gensec based SPNEGO/NTLMSSP
This pares a fix for https://bugzilla.samba.org/show_bug.cgi?id=10288
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 4f6fe27c7020822dd1ce88b7dd63725d6082b190)
commit a4276332d832cae7270b0ac09620c00e44daf708
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Mar 2 11:42:51 2016 +0100
s3:libads: make use of ads_sasl_spnego_gensec_bind() for GSS-SPNEGO with Kerberos
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 2cb07ba50decdfd6d08271cd2b3d893ff95f5af9)
commit 24a5cf6054349091aaf91bde09ddf9cca3960d58
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Mar 2 11:33:04 2016 +0100
s3:libads: keep service and hostname separately in ads_service_principal
Caller will use them instead of the full principal in future.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit c5d7956364047925dee5d6f71a5b92a38c73e5a6)
commit d4369e305d017b1baef378b6e130a335de5ae054
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Mar 2 11:31:01 2016 +0100
s3:libads: don't pass given_principal to ads_generate_service_principal() anymore.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 0c204e11925982d8bd835830985479792b8cc820)
commit a1476b9a25a18f9a830e0849aafe7e101a529b0b
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Dec 9 13:14:05 2015 +0100
s3:libads: provide a generic ads_sasl_spnego_gensec_bind() function
It will be possible to use this for more than just NTLMSSP in future.
Similar to https://bugzilla.samba.org/show_bug.cgi?id=10288
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 139ce7d8b687cc54560ce353ea6f86a4d2d2ae04)
commit 8c9308cf24814a026201464e5e32bd8c2b42ca32
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Dec 9 15:02:29 2015 +0100
s3:libads: make use of GENSEC_OID_SPNEGO in ads_sasl_spnego_ntlmssp_bind()
This avoids using the hand made spnego code, that
doesn't support the GENSEC_FEATURE_NEW_SPNEGO protection.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit c6f79cfa86e23217a510c6fe205da0c18ef2a9b2)
commit 8368d9d794020ccdfef16ebfeaa659eff678efb4
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Dec 9 15:04:02 2015 +0100
s3:libads: make use of GENSEC_FEATURE_LDAP_STYLE
This is more generic and will handle the
ntlmssp_[un]wrap() behaviour at the right level.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 357d37fa11b7d944e9f5fe2e0cc6730d498bc2dc)
commit e5ca0c6a913c8e65091917c25516998d2a309c66
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Mar 5 02:53:45 2016 +0100
s3:libads: add missing TALLOC_FREE(frame) in error path
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 8f9a9633e4f55f85a3f68bf2e8c78414f31511ea)
commit 3fd5063bee36365e0094392ec92301de8be5bdef
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Dec 9 14:51:57 2015 +0100
s4:ldap_server: make use of GENSEC_FEATURE_LDAP_STYLE
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit 0ebe929810e922e7cf7742a1f3e4ad222006377f)
commit 083682b313078f96e2ceb3dccfa4bca43659af9b
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Dec 18 11:46:22 2015 +0100
s4:selftest: simplify the loops over samba4.ldb.ldap
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(similar to commit c431543fb989938898e33e1ffdb80cb97e4a3bb2)
commit 04a81c9a7f2f3254846f000ef0121c3ef313bde7
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Dec 18 09:54:08 2015 +0100
s4:selftest: we don't need to run ldap test with --option=socket:testnonblock=true
The LDAP client library uses tstream and that handles non blocking
sockets natively.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(similar to commit 5cf8546674a4f49618bdade1567fac00d72db454)
commit a2c24e213cfb98a8fb24a0a7053bfa4189a08590
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Dec 18 13:10:58 2015 +0100
s4:libcli/ldap: fix retry authentication after a bad password
We need to start with an empty input buffer.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit d9d0d2d5a2667ea8984772b678272650a8719c21)
commit c5316958677d03e3beafa4c4b949d73eb23dc730
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Dec 9 14:51:57 2015 +0100
s4:libcli/ldap: make use of GENSEC_FEATURE_LDAP_STYLE
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit d04663b8b075a69141fe2f45d0906b528d99ab85)
commit 4a3c66de526a6bc1a4ce3695454525fc85d99aa7
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Mar 8 12:58:51 2016 +0100
auth/ntlmssp: remove ntlmssp_unwrap() fallback for LDAP
This is now handled by GENSEC_FEATURE_LDAP_STYLE.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 59301830e27bf537d04808d2ac37d6cf9ef56713)
commit 1e19d98db5940f93641f4f258fc24f80ad809462
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Dec 9 14:48:14 2015 +0100
auth/ntlmssp: add more compat for GENSEC_FEATURE_LDAP_STYLE
We want also work against old Samba servers which didn't had
GENSEC_FEATURE_LDAP_STYLE we negotiate SEAL too. We may remove this in a few
years. As all servers should support GENSEC_FEATURE_LDAP_STYLE by then.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit 122a5f6b58e6cead061a7ee64033ccc1940742ed)
commit c4b08fbb67be0bbd826b7cbbcc71447173fde42a
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Dec 9 14:48:14 2015 +0100
auth/ntlmssp: implement GENSEC_FEATURE_LDAP_STYLE
We need to handle NTLMSSP_NEGOTIATE_SIGN as
NTLMSSP_NEGOTIATE_SEAL if GENSEC_FEATURE_LDAP_STYLE
is requested.
This works arround a bug in Windows, which allow signed only
messages using NTLMSSP and LDAP.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit f3dbe19e14eaf7a462f14485c6a9138a7348db2e)
commit b63aa969da80ea7ee09a00aed678983310c653a6
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Dec 9 14:48:14 2015 +0100
auth/gensec: add GENSEC_FEATURE_LDAP_STYLE define
This will be used for LDAP connections and may trigger
backend specific behaviour.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit 069aee42c2f12ed5feb23c19dc0a4771d913619a)
commit 679b2c45bb7633d5521b3cd785bc8bd06a84bfde
Author: Günther Deschner <gd at samba.org>
Date: Wed Aug 19 00:40:12 2009 +0200
auth/ntlmssp: use ndr_push_AV_PAIR_LIST in gensec_ntlmssp_server_negotiate().
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Günther Deschner <gd at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit f6b9e1feab8d435b1e44fef81e867c01ed01db95)
commit f2600f593a84034915b6f838cdee1b33118c6524
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Nov 24 15:40:29 2015 +0100
librpc/ndr: add ndr_ntlmssp_find_av() helper function
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit c1e2a1f0a75605a8792b615a41392fc018198a10)
commit 7c7ee91f25d8b5b74ba98efc89ce17d8d96c7e33
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Nov 19 15:38:02 2015 +0100
ntlmssp.idl: make AV_PAIR_LIST public
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit f4ff3510164748977de056bb8cdbbd22e5fedb3c)
commit 9176107fdef231087a72f38a03f64a435d64576f
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Dec 21 09:07:57 2015 +0100
ntlmssp.idl: MsAvRestrictions is MsvAvSingleHost now
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit ab54e0fd7040e7717fe979b54fb4dfa16813524f)
commit 4222e9bc95c00db995e05daffe7e1d41e0b7a2f0
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Dec 21 09:06:56 2015 +0100
security.idl: add LSAP_TOKEN_INFO_INTEGRITY
This is used in [MS-KILE] and implicit in [MS-NLMP].
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit 1f88812316144b06b11eb3dc90a6081cb57783da)
commit a7243e3b932997e0685046528f9b6888da5e604c
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Nov 24 14:07:23 2015 +0100
auth/ntlmssp: use ntlmssp_version_blob() in the server
We already set NTLMSSP_NEGOTIATE_VERSION in
gensec_ntlmssp_server_start(), so it's always
set in chal_flags.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit 8af6b8d2eb6b873620131b4b5b570ec24985d86a)
commit 1526b7e3ab73be513139508676937b766a8a05a1
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Nov 20 10:52:29 2015 +0100
auth/ntlmssp: let the client always include NTLMSSP_NEGOTIATE_VERSION
This matches a modern Windows client.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit 4a1809cb14dcb03e9ba386af5b90650400377875)
commit 4f261d96804f7f72ebc6ee707b495a800ddf4682
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Nov 24 14:05:17 2015 +0100
auth/ntlmssp: add ntlmssp_version_blob()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit a61ab398ccc1036edce677e00569fd7f58b70995)
commit e81031baf841609f5e0330c189c2f677b948837c
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Nov 20 10:52:29 2015 +0100
auth/ntlmssp: don't send domain and workstation in the NEGOTIATE_MESSAGE
We don't set NTLMSSP_NEGOTIATE_OEM_{DOMAIN,WORKSTATION}_SUPPLIED anyway.
This matches modern Windows clients.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit 4fca8eaaae23955e704dc9c45d373fe78bf88201)
commit d2b612dcbd8a34a6cafdd8129549771e1fa8dd1a
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Dec 8 13:59:42 2015 +0100
auth/ntlmssp: set NTLMSSP_ANONYMOUS for anonymous authentication
This matches a modern Windows client.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit efd4986794889f1315dbd011b94b8673d785053a)
commit e487dbaefcfa287adba111a96c337a3dd7f26938
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Dec 1 11:01:24 2015 +0100
auth/ntlmssp: define all client neg_flags in gensec_ntlmssp_client_start()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit afba38dbf5c954abbcfc485a81f510255b69a426)
commit 7b39ef9909abf9f846979b2b9c86a674d14c7424
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Nov 20 10:52:29 2015 +0100
auth/ntlmssp: NTLMSSP_NEGOTIATE_VERSION is not a negotiated option
NTLMSSP_NEGOTIATE_VERSION only indicates the existence of the version
information in the packet.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit 30d626024c7e8f275d64f835632717b0130be4b2)
commit 7b207701e08d1241cc8f85db276d91d118826e13
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Dec 1 11:16:02 2015 +0100
auth/ntlmssp: split out a debug_ntlmssp_flags_raw() that's more complete
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit e63442a1c27c475e373048893d9cf04859dd1792)
commit 9cfc310624115bf3b6c66b9e680bea08e2bc2837
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Dec 9 10:54:56 2015 +0100
s3:ntlm_auth: also use gensec for "ntlmssp-client-1" and "gss-spnego-client"
This implicitly fixes bug #10708.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10708
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit 279d58c1e68c9466a76e4a67d2cfea22e8719d31)
commit 637f37bbb4e5ba4382806446ccb19f326969d821
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Nov 26 11:46:52 2015 +0100
winbindd: make use of ntlmssp_resume_ccache backend for WINBINDD_CCACHE_NTLMAUTH
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit 716e78f3b294210130f3cf253f496391534819b0)
commit 53f6f3db6983c8fe9990f66e94a853e8440bd3aa
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Dec 10 15:42:51 2015 +0100
s3:auth_generic: add "ntlmssp_resume_ccache" backend in auth_generic_client_prepare()
This will be used by winbindd in order to correctly implement WINBINDD_CCACHE_NTLMAUTH.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit 8bcde9ec625547df42915e9138d696deeabdb62d)
commit c5a25e87242e7b69949703f9a4e5c6c8301ba379
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Nov 27 15:35:40 2015 +0100
auth/ntlmssp: implement GENSEC_FEATURE_NTLM_CCACHE
This can used in order to use the WINBINDD_CCACHE_NTLMAUTH
code of winbindd to do NTLMSSP authentication with a cached
password.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit b133f66e0da5ed05bbe81098e52c744bac4b48ac)
commit 653742dc707a95523f65b062c44aebc8363fa094
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Nov 27 13:42:30 2015 +0100
auth/gensec: add GENSEC_FEATURE_NTLM_CCACHE define
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit 0a93cad337578a7ba61f12726c9a15ecf869db7b)
commit 0ece92ec562f6c551ce3ff8d476ac475f890809d
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Nov 25 21:41:23 2015 +0100
auth/ntlmssp: provide a "ntlmssp_resume_ccache" backend
These can be used to implement the winbindd side of
the WINBINDD_CCACHE_NTLMAUTH call.
It can properly get the initial NEGOTIATE messages
injected if available.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit b3d4523ff7810279dc4d3201a09a868545d4d253)
commit b3873ba45f61fff027c46574c16253a431a79c09
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Dec 11 12:47:40 2015 +0100
s3:ntlmssp: remove unused libsmb/ntlmssp_wrap.c
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit 52c03c07151a12e84fb4d34443864e59583c0db9)
commit 1742cec138ee36b23eb31cd8ce75a5d16b3e12b9
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Nov 26 11:45:33 2015 +0100
s3:auth_generic: make use of the top level NTLMSSP client code
There's no reason to use gensec_ntlmssp3_client_ops, the
WINBINDD_CCACHE_NTLMAUTH isn't available via gensec anyway.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit 0d66e2d34f656028eb3adb35acb653a45c041890)
commit bdbcffc2e76fe50e088a38ee5ba043c79c085f00
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Dec 15 09:07:33 2015 +0100
winbindd: pass an memory context to do_ntlm_auth_with_stored_pw()
We should avoid using NULL.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit 871e8a9fd029bbcbccb79bd17f9c6a2617b8be55)
commit 23b65d6b3074f7079fbe3774f88d1e9b6bdfa1df
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Dec 9 16:15:13 2015 +0100
s3:tests/test_ntlm_auth_s3: test ntlmssp-client-1 with cached credentials
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11776
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit 9bd1ecffffd070333a22ef2449a179cee3effe5d)
commit bf52fad5167be7ae8975ad1d3dfba622eca5c5c5
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Mar 14 15:49:02 2016 +0100
selftest/knownfail: s4-winbind doesn't support cached ntlm credentials
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11776
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit b98147575a596bdd02528c915601cb2f13e6a17b
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Dec 9 16:15:13 2015 +0100
s3:torture/test_ntlm_auth.py: add --client-use-cached-creds option
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11776
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit 1289130ad2aeded63990bf1bde6f169505c62280)
commit 77d9b8ca72c54bc6275617390209e5e4ff0e3b59
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Dec 11 12:11:05 2015 +0100
s3:torture/test_ntlm_auth.py: replace tabs with whitespaces
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit cf2ea04135774853d1cebca82c60bed890135163)
commit dd2a2b7fb9d5c2dd4981ab001cc8549d2f3d35fd
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Dec 9 21:23:33 2015 +0100
s3:ntlm_auth: fix --use-cached-creds with ntlmssp-client-1
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11776
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit 69a7ec794213e8adec5dcbd9ca45172df13292c1)
commit 8acba3bf2bc969af279edce13b9eb6552dc4ee8a
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Mar 2 12:06:50 2016 +0100
auth/ntlmssp: add gensec_ntlmssp_server_domain()
This is a hack in order to temporary export the server domain
from NTLMSSP through the gensec stack.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit a85a02b631609cd9c16e1048c62dbe9661128279)
commit c6cbac8404bcac7b4f4c41ea69a6daa9bda7dd99
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Mar 2 22:15:50 2016 +0100
auth/ntlmssp: keep ntlmssp_state->server.netbios_domain on the correct talloc context
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 0a9e37a0db86815d2baf7ab791721b6a7e04a717)
commit 0dd1f05847b6ec5ac06a05a63b4e6024ef5a5523
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Mar 1 19:39:04 2016 +0100
s3:auth_generic: add auth_generic_client_start_by_sasl()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 79a6fc0532936558421eb4321f795655b5280763)
commit 7b9223961484f958c70394260966e52a759c6ae7
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Nov 26 11:44:02 2015 +0100
s3:auth_generic: add auth_generic_client_start_by_name()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit ccfd2647c7e65c3e2ad92dbc27c21570da0706d4)
commit 933ca54cf1cd2bbf3fadae26c3aa7db4e4e201f4
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Nov 26 11:43:02 2015 +0100
auth/gensec: make gensec_security_by_name() public
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit 8efcb4943585f015c9956118d8f42be89d5c7677)
commit 66b2e5d57bb9d50cab1214df075f88f958399f97
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Mar 1 19:29:40 2016 +0100
auth/gensec: handle gensec_security_by_sasl_name(NULL, ...)
We do that for all other gensec_security_by_*() functions already.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 64364e365c56c93e86305a536c5c68450d154d2a)
commit 3b0fc77b7c7aefb375694620a53d7489faffe39d
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Mar 2 12:06:50 2016 +0100
auth/gensec: keep a pointer to a possible child/sub gensec_security context
This is a hack in order to temporary implement something like:
gensec_ntlmssp_server_domain(), which may be used within spnego.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 5e913af833721733c4f79f2636fc3ae19d5f42f0)
commit 744e043c1db12a5936e8481a8a2f24f29f3e8b08
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Aug 19 10:53:34 2015 +0200
s4:pygensec: make sig_size() and sign/check_packet() available
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 0f6713826dfe73b7f338b8110c53ce52d42efbda)
commit 3353447c417ed82138debf158c079ab9899c48db
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Mar 5 02:52:29 2016 +0100
s3:librpc/gse: implement gensec_gse_max_{input,wrapped}_size()
This is important in order to support gensec_[un]wrap() with GENSEC_SEAL.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit dec9d085f3eea8d49fa129c05c030bdd779cba54)
commit c1f6fe421d2005e68fe7cf6509929186b56f4a20
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Mar 2 07:42:41 2016 +0100
s3:librpc/gse: don't log gss_acquire_creds failed at level 0
Some callers just retry after a kinit.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 79bf88353488b5912435e0c7f8e77f2d075ce134)
commit ac9a891cac5d824c5258726714c97aa64a4ec1a9
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Mar 1 17:37:38 2016 +0100
s3:librpc/gse: correctly support GENSEC_FEATURE_SESSION_KEY
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit e4aebd7e28e7b00a13246b367eb2e7de5ae7b57b)
commit a881c5fe1eae8f6e81aa7726b9f51d18a6a13a80
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Jun 22 15:22:44 2015 +0200
s3:librpc/gse: set GSS_KRB5_CRED_NO_CI_FLAGS_X in gse_init_client() if available
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit a8fa078f1acbd9fb1a1681033922731dce855aad)
commit 3b4608c40a77e4f3e9fa828fbbd7b30837f8392b
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Jun 22 15:21:53 2015 +0200
s3:librpc/gse: fix debug message in gse_init_client()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 84c66f1a388c8b5105f3740a3cd5d4d5a27f6ee8)
commit 41ca435d0b3d6a0f1abb0ee3f0c5e452edccbbcb
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Jun 22 15:21:05 2015 +0200
s3:librpc/gse: make use of GSS_C_EMPTY_BUFFER in gse_init_client
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 46b92525181fa32c5797c914e8de92f3c226e3c7)
commit b8fd2d000121ecd7c48c9f93dbf1bd62f444acaa
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Jun 22 15:18:22 2015 +0200
wscript_configure_system_mitkrb5: add configure checks for GSS_KRB5_CRED_NO_CI_FLAGS_X
Newer MIT versions (maybe krb5-1.14) will also support this.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 1fd5bdafbddfd0ad2926ef50a0cb7d07956ddd44)
commit ff2a6f64251babd602ed45792f3c887a32f69e7f
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Mar 2 14:36:14 2016 +0100
s3:libads: remove unused ads_connect_gc()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(similar to commit cd8af25d4bf87a9156cb2afb3dd206c68b1bedd7)
commit 9b4eabbb543ad377228fe62d94e96f04a25c27cd
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Dec 23 11:06:47 2015 +0100
s4:librpc/rpc: map alter context SEC_PKG_ERROR to NT_STATUS_LOGON_FAILURE
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 960b0adfb398eeabd48213393bc560654baeed5b)
commit ebc2711a9ead271b165dcd0938c21e2ab2721d6b
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jul 17 03:36:36 2015 +0200
librpc/rpc: add error mappings for NO_CALL_ACTIVE, OUT_OF_RESOURCES and BAD_STUB_DATA
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit e9e9ba7eaecf2b6d95e79fbe424e1479e9468d63)
commit 4d7fdf1543178dcf026648666de10c7211111adf
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jul 17 03:35:19 2015 +0200
dcerpc.idl: make WERROR RPC faults available in ndr_print output
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit 5afc2d85b3d17b32ca9bd2856958114af146f80e)
commit 8104a49dc0afa25e8efde9ceb567e502dfd5dc1d
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jul 16 17:15:24 2015 +0200
epmapper.idl: make epm_twr_t available in python bindings
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 2e71f5d9351b9660a5ef94309674e09fdeb7ab48)
commit 7e1a935586168a796f237c458d3891edbf0b1fc8
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Mar 8 15:53:21 2016 +0100
s3:selftest: run samba3.blackbox.smbclient_auth.plain also with $SERVER_IPV6
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(similar to commit 2c9f9557e4d7e02b4f588aa0a6551a6881ac57af)
commit 5e4be46aea75ed036efbd71353c033ab3060dd2c
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Mar 8 15:47:59 2016 +0100
s3:test_smbclient_auth.sh: test using the ip address in the unc path (incl. ipv6-literal.net)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit e906739553ee6112426af0cf29e33ef1920a316c)
commit cf4f1bcd43adf5db33cd2ff2952b3ca21186ffb1
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Mar 4 02:18:38 2016 +0100
lib/util_net: add support for .ipv6-literal.net
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 6400bbb5eee958babbdd578c2f80b0c65d6f6e7a)
commit 76d4d9d239fe78f747e4e2f1d0f8ca26f7d61ad5
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Mar 4 02:18:38 2016 +0100
lib/util_net: move ipv6 linklocal handling into interpret_string_addr_internal()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 771042a2387b596fff2ab59a1a68d75c6c27b2cc)
commit 84e3a91865dd0dc809f585170f708ebd8727643d
Author: Volker Lendecke <vl at samba.org>
Date: Mon Jan 11 21:49:21 2016 +0100
spnego: Correctly check asn1_tag_remaining retval
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
(cherry picked from commit 024c619fa82960ae4f8af029b6872102202ffd07)
commit 9ac8373ec48120ef29f85c41278e2aad7bce04d5
Author: Christian Ambach <ambi at samba.org>
Date: Mon Feb 8 23:20:19 2016 +0100
s4:torture/ntlmssp fix a compiler warning
about invalid array subscript
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Christian Ambach <ambi at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 8ca0f14b5c4ac85e40c9c96f8f5ebb569335f031)
commit 3dd652ea13a10a7bd1898f9812df4df8e7c478d5
Author: Günther Deschner <gd at samba.org>
Date: Tue Nov 17 18:35:29 2015 +0100
s4-torture: flesh out ntlmssp_AUTHENTICATE_MESSAGE_check().
Guenther
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit e073f3c0b622f49ffad7082b9b4fbc429c48d530)
commit 7d30bb7d6881fd719c1bf5fdc47dc7929cbe6b51
Author: Günther Deschner <gd at samba.org>
Date: Tue Nov 17 18:32:28 2015 +0100
s4-torture: add ndr pullpush validation for NTLMSSP CHALLENGE and AUTHENTICATE messages.
Guenther
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 68b9b18e6cd346e2aa32418642b0746cee593be3)
commit ca3f4c3cac925bb3d4656a94eea13041988e38ca
Author: Günther Deschner <gd at samba.org>
Date: Tue Nov 17 18:30:16 2015 +0100
s4-torture: flesh out ntlmssp_CHALLENGE_MESSAGE_check().
Guenther
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit fe1be37c71a816458173082fa9213a3f279a0b79)
commit cc6803d0897aa1af90713007124ded2f0fcef0b8
Author: Günther Deschner <gd at samba.org>
Date: Tue Nov 17 18:29:16 2015 +0100
s4-torture: activate testing of CHALLENGE and AUTHENTICATE ntlmssp messages.
Guenther
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 4ac7a6572149ec5b43a91a303c2008e73e467a56)
commit 8a09a9e52e79200cc704d9ff6dc0780921948ec9
Author: Günther Deschner <gd at samba.org>
Date: Tue Nov 17 18:27:29 2015 +0100
s4-torture: fill in ntlmssp_NEGOTIATE_MESSAGE_check().
Guenther
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 68d043faa0aa9e5e0d289806e1aa2acba3f07af5)
commit 31ec80537f6a2c7e1f533bf59f58e67689d801ac
Author: Günther Deschner <gd at samba.org>
Date: Tue Nov 17 15:35:29 2015 +0100
ntlmssp: when pulling messages it is important to clear memory first.
Guenther
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 30386c23ae0a6afd2060e626c73df9a3691a71fb)
commit c0f4c95b4ec17c065e00cb4ead0814fa5dd7ccda
Author: Günther Deschner <gd at samba.org>
Date: Tue Nov 17 15:34:47 2015 +0100
ntlmssp: properly document version defines in IDL (from MS-NLMP).
Guenther
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit ded0f3c8b7b4132d250907022ba59e88b45a6ed0)
commit 5bcd76653eab724b15cd6837dab62bf3023ed076
Author: Günther Deschner <gd at samba.org>
Date: Tue Nov 17 16:42:08 2015 +0100
ntlmssp: fix copy/paste typo in CHALLENGE_MESSAGE in IDL.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 4be7451d9a7ed122c61a08bcf977bebeef4749dd)
commit 0973458c749b5505c47e2af79c5fdaed7a67534c
Author: Günther Deschner <gd at samba.org>
Date: Mon Nov 16 16:31:27 2015 +0100
ntlmssp: add some missing defines from MS-NLMP to our IDL.
Guenther
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit feb4ee62c5271b45877c1d3bc1d8b327439e5fd4)
commit 0a6405f8dee27697e98b5ce0cf3b2beb3315b65f
Author: Björn Jacke <bj at sernet.de>
Date: Wed Sep 2 12:37:12 2015 +0200
tls: increase Diffie-Hellman group size to 2048 bits
1024 bits is already the minimum accepted size of current TLS libraries. 2048
is recommended for servers, see https://weakdh.org/
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Bjoern Jacke <bj at sernet.de>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Thu Sep 3 03:47:48 CEST 2015 on sn-devel-104
(cherry picked from commit 22a37c453d83c39634fbae72de592024d9b8ba4a)
commit 88c76da886d218271e83a7e34e1a1b3fe8c57697
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Mar 11 14:48:20 2016 +0100
s3:pam_smbpass: remove unused dependency to LIBNTLMSSP
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit 2c5ba3505ad887b7f918d1a9f0a54e4724b270fb
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jan 28 15:50:06 2016 +0100
s3:clispnego: fix confusing warning in spnego_gen_krb5_wrap()
asn1_extract_blob() stops further asn1 processing by setting has_error.
Don't call asn1_has_error() after asn1_extract_blob() has been successful
otherwise we get an "Failed to build krb5 wrapper at" message
on success.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11702
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
(cherry picked from commit 14f1a94b6fb3a55be1e60fe0d28740f04fd94b3f)
(cherry picked from commit c17b1f697c388bd2e0190c4a3574d951b8be483e)
commit 2057efc0c363949cf24faf784cae9a3795bfd05b
Author: Jeremy Allison <jra at samba.org>
Date: Wed Jan 6 15:03:47 2016 -0800
s3: smbclient: asn1_extract_blob() stops further asn1 processing by setting has_error.
Don't call asn1_has_error() after asn1_extract_blob() has been successful
otherwise we get an "Failed to build negTokenInit at offset" message
on success.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
Autobuild-User(master): Volker Lendecke <vl at samba.org>
Autobuild-Date(master): Thu Jan 7 16:00:02 CET 2016 on sn-devel-144
(cherry picked from commit 8108f0d320013c560339723d8d70ab601350d0c4)
commit 53988ca3202e8223a151b68b85e4d201b48b57f5
Author: Volker Lendecke <vl at samba.org>
Date: Sun Jan 3 21:26:50 2016 +0100
asn1: Make 'struct asn1_data' private
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit d865ed20062cc5fc62313c25e7a6cb90763d0158)
commit d91415e7cf944c54e0509a38f7bdd3bd746c7a63
Author: Volker Lendecke <vl at samba.org>
Date: Mon Jan 4 10:42:11 2016 +0100
asn1: Remove a reference to asn1_data internals
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 44c56fc66788adf7b58f1d77a1e7d79d840ea9f6)
commit 17d663a57e26ce4d44536b488d06ca7266c573c5
Author: Volker Lendecke <vl at samba.org>
Date: Mon Jan 4 10:30:35 2016 +0100
libcli: Remove a reference to asn1->ofs
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 3c340d81d8bf2e7b8488b150452bbcc4e3b521b6)
commit f7ea845f566a4e591f7c391925bcea2d7b57a018
Author: Volker Lendecke <vl at samba.org>
Date: Tue Jan 5 10:55:44 2016 +0100
lib: Use asn1_current_ofs()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit b7f0e29fd2c30024d5a7da7aa6a1f0084612f9d2)
commit f6a2ad0238eabc7ee7da5dea7231157852e8cc6f
Author: Volker Lendecke <vl at samba.org>
Date: Mon Jan 4 10:25:41 2016 +0100
asn1: Add asn1_current_ofs()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 927bbed6aaed9d454e8750aa053c5fa9fb1f1005)
commit 9e65ef35d5ebf579a9a30351b89354916922c72b
Author: Volker Lendecke <vl at samba.org>
Date: Mon Jan 4 10:24:01 2016 +0100
lib: Use asn1_has_nesting
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 1282f6063d53b2b86c91cf80c9b0d6a2cdb4ad7b)
commit 12396cf674a3c72f24d89cdb6eb8f7b15570a77d
Author: Volker Lendecke <vl at samba.org>
Date: Mon Jan 4 10:23:20 2016 +0100
asn1: Add asn1_has_nesting
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 2a5141a772f531ca113b9c2649ad79400c283749)
commit 79280a3e0c4e6b4362848028d9d7eeb78455359b
Author: Volker Lendecke <vl at samba.org>
Date: Sat Jan 2 20:10:53 2016 +0100
lib: Use asn1_extract_blob()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit a93946b2fee6d6fedb9830d1dec593fca15fefc8)
commit 2a8a339d449227b2451f7758cf13b132633c8728
Author: Volker Lendecke <vl at samba.org>
Date: Mon Jan 4 21:53:23 2016 +0100
asn1: Add asn1_extract_blob()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 7b7aa016df35ed7f8388a9df08d66a816adc1bf7)
commit 9c520e95ccba0f2c0d2ca31b9b251d0f18c5dccb
Author: Volker Lendecke <vl at samba.org>
Date: Mon Jan 4 21:51:07 2016 +0100
lib: Use asn1_set_error()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 8cfb6a313937964902940a7ebada7bacab7dbbb8)
commit a8b03c4a3252c6b79d8f56f46c45b26d8ab5cde6
Author: Volker Lendecke <vl at samba.org>
Date: Mon Jan 4 21:50:49 2016 +0100
asn1: Add asn1_set_error()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 94b44598a581539958d8f537742fcab44d21de4c)
commit 3aba426607c7e344740f2fb7b1d98ff4c7275fb5
Author: Volker Lendecke <vl at samba.org>
Date: Sat Jan 2 18:11:00 2016 +0100
lib: Use asn1_has_error()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 57a0bc9a9f3a02f809153dc19537110c4c796338)
commit 9d86ce38cacfd6ef23411c02c93c476d27c42596
Author: Volker Lendecke <vl at samba.org>
Date: Sat Jan 2 17:58:21 2016 +0100
asn1: Add asn1_has_error()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit fa207fe9d17d27060e5e2989c19980103fd4778d)
commit afbef756fcdc01247bd9b943d06a836975e944dd
Author: Volker Lendecke <vl at samba.org>
Date: Sun Dec 27 11:18:47 2015 +0100
asn1: Make "struct nesting" private
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit ef8049b24353ea657d6fba989a294939c58895cb)
commit 6eca81cb6633043836b7356238613b74b3b09dad
Author: Volker Lendecke <vl at samba.org>
Date: Sun Dec 27 10:57:07 2015 +0100
asn1: Add some early returns
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit f908e6560bcb06938bee9019d43b622eb31fb2c3)
commit 165e6fffdca32f9fad9c31b17dd2f75ae5fbd441
Author: Volker Lendecke <vl at samba.org>
Date: Tue Dec 22 13:50:54 2015 +0100
asn1: Add overflow check to asn1_write
Found by pure code reading :-)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 249202d8c04fae245ee373e7926484e33822c905)
commit afd0849bbc29beca4ce993100c18a3940ceb27d9
Author: Volker Lendecke <vl at samba.org>
Date: Mon Dec 21 10:41:39 2015 +0100
asn1: Make asn1_peek_full_tag return 0/errno
We don't need the full power of NTSTATUS here. This was the only
NTSTATUS in asn1.h, so I think it's worth removing it.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit ad630a681e345cc7765f2a2f2dc1ba25ee0200c2)
commit 8a8d380217752f4fcadcfaf143f5ac3f30b246a3
Author: Volker Lendecke <vl at samba.org>
Date: Sun Dec 20 21:49:26 2015 +0100
asn1: Remove an unused asn1 function
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 45800223fd5fb8d35770d101882cfb2b19465944)
commit 7d64f42716f7462222ef9d705be425160b961524
Author: Richard Sharpe <rsharpe at samba.org>
Date: Mon Aug 24 20:26:42 2015 -0700
Prevent a crash in Python modules that try to authenticate by ensuring we reject cases where credendials fields are not intialized.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Richard Sharpe <rsharpe at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Tue Aug 25 21:45:18 CEST 2015 on sn-devel-104
(cherry picked from commit dba9e631bd1e1c7e00430b72f0c60b32ee4eeb33)
commit d2bf0f7c553c3032fe8c599974bb474277e42ff9
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jan 22 13:05:15 2015 +0000
s4:rpc_server: pass the remote address to gensec_set_remote_address()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit efebf3c80c9d89d012942d99ce955225c218790a)
commit 810817fafe19c1b29334993682222b75f0b37b5b
Author: Günther Deschner <gd at samba.org>
Date: Mon Apr 7 15:46:32 2014 +0200
lib/util: globally include herrors in error.h
Guenther
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 5b68527f2b2b5be0cd27bfbbdd87921ac4373e48)
commit fc0df962a3f87e95551804883870379eafce18b0
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Mar 23 20:37:23 2015 +0100
s4:selftest: run rpc.netlogon.admin against also ad_dc
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
(cherry picked from commit c9f68df7987ad17c83217c7fad46cd7ee59ecde2)
commit c8a3e039fa602cb8923cf90b2fc6ab4283af9053
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Jul 20 11:46:36 2015 +1200
lib/tls: Change default supported TLS versions.
The new default is to disable SSLv3, as this is no longer considered
secure after CVE-2014-3566. Newer GnuTLS versions already disable SSLv3.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Pair-programmed-with: Garming Sam <garming at catalyst.net.nz>
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
(similar to commit 06f378fa652e0ff3cb5aae1b30eee4f73b570664)
commit 839452e426233402be61ccb38f2af2edb2fcffe9
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Jul 20 11:22:46 2015 +1200
lib/tls: Add new 'tls priority' option
This adds a new option to the smb.conf to allow administrators to disable
TLS protocols in GnuTLS without changing the code.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11076
Pair-programmed-with: Garming Sam <garming at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
(similar to commit 374d73617d71abf594cc92d335cd8bc60c10a1b7)
commit 986b2a6a446cdf41d013b0fe1cd166cf812cedb7
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Oct 1 20:49:23 2014 +1300
docs: Explain that winbindd enforces smb signing by default.
Change-Id: I9341fa3bd7480836ac5e0c18e28458175b42d44a
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 0f6ad5370e0ed5201a63e047b7e3fef5b27b3149)
commit c4f578f63a0e601da5a46bbd5a2edb11b4d02ac4
Author: Andreas Schneider <asn at samba.org>
Date: Tue Apr 14 10:56:53 2015 +0200
torture: Free the temporary memory context
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Michael Adam <obnox at samba.org>
Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Wed Apr 15 11:20:22 CEST 2015 on sn-devel-104
(cherry picked from commit e8951eb9b837c05bd3c53de9368702c5de644ada)
commit 6775efd711fa106c6e4346c7723651d35b1d8ac9
Author: Andreas Schneider <asn at samba.org>
Date: Mon Apr 13 15:37:58 2015 +0200
torture: Correctly invalidate the memory ccache.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Michael Adam <obnox at samba.org>
(cherry picked from commit ba6ffdbbcc954b9c58547eb9505fce75234d593d)
commit 618bf77a3bfa00beb245400895169adc31c778a2
Author: Andreas Schneider <asn at samba.org>
Date: Thu Feb 26 17:03:44 2015 +0100
torture: Fix the usage of the MEMORY credential cache.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Pair-Programmed-With: Guenther Deschner <gd at samba.org>
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Andreas Schneider <asn at samba.org>
Signed-off-by: Guenther Deschner <gd at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Sat Mar 21 02:03:34 CET 2015 on sn-devel-104
(cherry picked from commit c07a54b2941c0d5dc69eb435405daddac1b994bf)
commit 16343ed07af5ed711eda88a2b4f77e97fd23ff1e
Author: Richard Sharpe <rsharpe at samba.org>
Date: Sat May 9 09:49:04 2015 -0700
Convert all uses of uint32/16/8 to _t in source3/rpc_client.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Richard Sharpe <rsharpe at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 8bcdd677ce616c636c81c0fa6f077c56dc269707)
commit f0dcb43f9ff66166267fbb9c2f2b1c555804672c
Author: Richard Sharpe <rsharpe at samba.org>
Date: Sat May 9 10:02:05 2015 -0700
Convert all uses of uint32/16/8 to _t in source3/rpc_server.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Richard Sharpe <rsharpe at gmail.com>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit a685404dce06d0f227f24b745629b0d0b46b925a)
commit c6853233f901503fa045e0d36ce2219c4f999ab4
Author: Volker Lendecke <vl at samba.org>
Date: Wed Mar 4 10:47:03 2015 +0100
rpc_server: Fix CID 1035535 Uninitialized scalar variable
I believe this can't happen, but better be safe than sorry
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: David Disseldorp <ddiss at samba.org>
Autobuild-User(master): David Disseldorp <ddiss at samba.org>
Autobuild-Date(master): Wed Mar 4 17:14:53 CET 2015 on sn-devel-104
(cherry picked from commit 40a317f092829aa78a35cc0421f524a4b0233f10)
commit 2426e5d45a4b4faee9edbd9274d579db692036a5
Author: Volker Lendecke <vl at samba.org>
Date: Wed Mar 4 10:47:03 2015 +0100
rpc_server: Fix CID 1035534 Uninitialized scalar variable
I believe this can't happen, but better be safe than sorry
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: David Disseldorp <ddiss at samba.org>
(cherry picked from commit 8f7bdc8194a6e666c795da0d27feb316b0a8dd37)
commit 73d868b4813e6fe8f20bb0dc6a4f6791806e0e91
Author: Andrew Bartlett <abartlet at samba.org>
Date: Sat Oct 4 07:06:35 2014 +1300
libsmb: Print the principal name that we failed to kinit for.
This should aid debugging when this is called from an automated process.
Andrew Bartlett
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Change-Id: I2c7291ab3f67f9f7462d7c52c8c9a4b042f7ec5a
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit e9472f8e821acd988fee9a1a288986282a138fc6)
commit b99e5ba87f02ef5e210ae7c525a3242be9e1d7c8
Author: Richard Sharpe <rsharpe at samba.org>
Date: Sat May 9 16:59:45 2015 -0700
Convert all uint32/16/8 to _t in source3/libsmb.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Richard Sharpe <rsharpe at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 5c1f8adc331a33c8fdd8e3995284d5833dc29f38)
commit 235da54aacdb6ca5b2da81411541bf8e10a93521
Author: Richard Sharpe <rsharpe at samba.org>
Date: Sat Apr 18 08:40:14 2015 -0700
Convert all uses of uint8/16/32 to uint8/16/32_t in the libads code.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Richard Sharpe <rsharpe at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Wed Apr 22 06:22:29 CEST 2015 on sn-devel-104
(cherry picked from commit 5074cf825d046c0523de501e00cbfb4fbb814149)
commit c892540bf024b1c41a8b5b5e027397be17767c30
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Feb 2 23:14:38 2015 +0100
security.idl: add KERB_ENCTYPE_{FAST_SUPPORTED,COMPOUND_IDENTITY_SUPPORTED,CLAIMS_SUPPORTED,RESOURCE_SID_COMPRESSION_DISABLED}
These are not encryption types, but flags for specific kerberos features.
See [MS-KILE] 2.2.6 Supported Encryption Types Bit Flags.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
(cherry picked from commit 1d299f1d7b0544c5e1ea5a8a89c96554fc619fb7)
commit ecba7a9286db41d0efbd21546c176f8178adaa7a
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jun 23 12:32:34 2015 +0200
s4:gensec/gssapi: make use of add gssapi_get_sig_size() and gssapi_{seal,unseal,sign,check}_packet() helper functions
This way are able to support GENSEC_FEATURE_SIGN_PKT_HEADER also together with
GENSEC_FEATURE_SEAL.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Wed Jun 24 04:00:43 CEST 2015 on sn-devel-104
(cherry picked from commit fa4f4fed2ea20166f48fc40b895ef57aa608ace9)
commit 2cdcb2ca3a313d04960cfe5e977e50403c67509c
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Jun 22 01:23:16 2015 +0200
s3:librpc/gse: make use of add gssapi_get_sig_size() and gssapi_{seal,unseal,sign,check}_packet() helper functions
This way are able to support GENSEC_FEATURE_SIGN_PKT_HEADER.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit f643677d3fe62978b6ca7f1da9ec8b1e450b7bcb)
commit c227eb67f439600b6da423213f5b81ce509c6efd
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Sep 25 08:34:48 2008 +0200
auth/kerberos: add gssapi_get_sig_size() and gssapi_{seal,unseal,sign,check}_packet() helper functions
These make use of gss_[un]wrap_iov[_length]() where required and support
header signing.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 8a4c0abb3eaf1ae80d1ce476cc123c5a195cd15d)
commit bbff9886a9b26e3907ba15459d879752ad4d3883
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Aug 11 19:48:50 2009 +0200
heimdal:lib/gssapi/krb5: implement gss_[un]wrap_iov[_length] with arcfour-hmac-md5
Pair-Programmed-With: Andreas Schneider <asn at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit c245d4f33e233f16aafb29a1737f8f1fa96724d7)
commit 59986c385729a3f8b06e8561415b97dbc1d5fc0c
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jun 18 14:07:43 2015 +0200
heimdal:lib/gssapi/krb5: split out a arcfour_mic_cksum_iov() function
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 571a05c64951f28c41c73541f5824458a3bba909)
commit 075ec8f712b5493965e268ea6774263f32fb25d4
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jun 18 15:42:03 2015 +0200
heimdal:lib/gssapi/krb5: add const to arcfour_mic_key()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 688c537ab1fb9690e58a448f8a06d5cc65eafbb4)
commit 4640adab26545992a991a68e88e2e40f9abd2c4e
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jun 18 14:06:57 2015 +0200
heimdal:lib/gssapi/krb5: clear temporary buffer with cleartext data.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 3269ebfcbfefb2bf41c92eca270ea5feefdb9d05)
commit f222d629f0e9a6942502687cbc3b7a077282b8d7
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jun 18 12:20:26 2015 +0200
heimdal:lib/gssapi/krb5: fix indentation in _gk_wrap_iov()
Now it matches _gk_unwrap_iov() and _gk_wrap_iov_length().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 01350c76ade6962f7974513afd81632494a8efaa)
commit e84d1f0637502c5b80ff04f24d2f811dfdf9de89
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jun 18 15:43:32 2015 +0200
heimdal:lib/gssapi/krb5: make _gssapi_verify_pad() more robust
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 9414d9867c51c0db3d7166b4afcf5ff5b39d64a1)
commit bbc742679e6675589b0b2c6197af54f22ecd48f6
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 26 22:12:49 2015 +0200
dcerpc.idl: fix calculatin of uint16 secondary_address_size;
This should be 0 for secondary_address = "".
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
(cherry picked from commit 9c165e550491339fbea1222b26b78e75658ec876)
commit c8342edaaa427039d5609b501a80ec273e744f46
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Jun 29 10:07:17 2015 +0200
s4:pyrpc: remove pointless alter_context() method
This will always result in a rpc protocol error.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
(cherry picked from commit 3cdac4a85521974e3c71488ad4078c09245e3b7d)
commit e2acb2e5f23cd0366d19ba78428d25322a5b6000
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Jun 29 10:03:40 2015 +0200
python:samba/tests: don't use the x.alter_context() method in dcerpc/bare.py
Establishing a new context on a given connection using alter_context
is supposed to be done by using y = ClientConnection(..., basis_connection=x)
The current x.alter_context() can work as it's not allowed to
change the abstract or transfer syntax of an existing presentation
context.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
(cherry picked from commit 84993440aa9dadd89d8739102c3b7771774064fa)
commit 320bfd52c5ea7531f206cc2c8ccc21f45b69ff9e
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Jun 29 09:49:05 2015 +0200
s4:torture/rpc: expect NT_STATUS_CONNECTION_DISCONNECTED in torture_rpc_alter_context()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
(cherry picked from commit 828e1d3f831fd8e44d5b859d8ad9b05bf9e6d9e4)
commit 868851002b3c627a39ad54548dbf79d3e65d4573
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Jun 29 09:46:57 2015 +0200
s4:torture/rpc: expect NT_STATUS_CONNECTION_DISCONNECTED when a dcerpc connection is not connected
We still also allow NT_STATUS_INVALID_HANDLE and NT_STATUS_IO_DEVICE_ERROR for now.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
(cherry picked from commit 58a874111b0534ecda3f5036b188ff4bd046ad2b)
commit 7a68f8126a0146da15be9fb451fde40b13073eab
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Jun 27 22:55:22 2015 +0200
libcli/smb: let tstream_smbXcli_np report connection errors as EPIPE instead of EIO
This maps to NT_STATUS_CONNECTION_DISCONNECTED instead of
NT_STATUS_IO_DEVICE_ERROR.
EPIPE, NT_STATUS_CONNECTION_DISCONNECTED matches what other tstream backends
e.g. tcp and unix report.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
(cherry picked from commit 7e095eb334068a9c25064a52fd3e9c995ddf220e)
commit e5135c20b5975dbdc9b390e297e61614ae049353
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Jun 29 09:52:45 2015 +0200
s3:winbindd: use check dcerpc_binding_handle_is_connected() instead of a specific status
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
(cherry picked from commit 793af3f2aeb036727981e00b709b88b9996fc25d)
commit 505c31e990cea69c8b0ceebcc6afa7dcdb667af6
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jun 25 14:06:40 2015 +0200
python/samba/tests: let the output of hexdump() match our C code in dump_data_cb()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
(cherry picked from commit c7e9968cf830d567d44d2a0bd3ca5d1217d8847c)
commit 5235af306875c3118e45d62d942d2c6ea35ae7de
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jun 25 10:28:31 2015 +0200
python/samba/tests: move hexdump() from DNSTest to TestCase
This is useful in a lot of test cases.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
(similar to commit 7a07f6a7647b63eab560a0e75b46b047f46d1f7e)
commit ac466c7cc38a9d5e0cbbb83ec783ccb9d8a899ee
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Jun 29 08:41:22 2015 +0200
python/samba/tests: add fallbacks for assert{Less,Greater}[Equal]()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
(cherry picked from commit 24ea9175f41e391ce48d21dedf0e79fb16f7352e)
commit 7427812dd67e6e17c56b53cf15b7dae6e58190e1
Author: Jelmer Vernooij <jelmer at samba.org>
Date: Thu Feb 5 22:04:44 2015 +0100
Implement TestCase.assertIsNotNone for python < 2.7.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Change-Id: Ieaefdc77495e27bad791075d985a70908e9be1ad
Signed-off-by: Jelmer Vernooij <jelmer at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Fri Mar 6 07:11:43 CET 2015 on sn-devel-104
(cherry picked from commit 7004ccc441f700692b95dba89f8d3c4f30f2ca18)
commit f994c970e98a5a9f053ba444ac23c3ad5f29982c
Author: Jelmer Vernooij <jelmer at samba.org>
Date: Thu Feb 5 19:57:26 2015 +0100
Implement TestCase.assertIn for older versions of Python.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Change-Id: I17d855166b439c0bd9344a17a454ea5bc6e057aa
Signed-off-by: Jelmer Vernooij <jelmer at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit a6b2110abd061b0e03d8b684e5a2edd12fbc1c64)
commit 478d84c6ce199fe2bdec0b7412df00c9f9267cd5
Author: Jelmer Vernooij <jelmer at samba.org>
Date: Thu Feb 5 10:25:53 2015 +0100
Implement assertIsNone for Python < 2.7.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Change-Id: I3937acb16ca0c5430b70f0af305997878da53c37
Signed-off-by: Jelmer Vernooij <jelmer at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit d459096e7c35f7bc7a83fd69cf0f70fc5ae4e15f)
commit 8abd8be8b964498583511b6851031a91f26b4bb4
Author: Jelmer Vernooij <jelmer at samba.org>
Date: Wed Feb 4 16:40:29 2015 +0100
Handle skips when running on python2.6.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Change-Id: I8b0a15760a72f41800d23150232c2b0e59e32c32
Signed-off-by: Jelmer Vernooij <jelmer at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 1988e11585f8e928b2c52d2d97bf1269253b18d0)
commit 44f45c343eee7dbb570d5673349986347983d817
Author: Jelmer Vernooij <jelmer at samba.org>
Date: Fri Jan 30 02:16:05 2015 +0100
Run cleanup after tearDown, for consistency with Python >= 2.7.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Change-Id: Ic3ce975e3b2e4b30e07643efb4496ebf36a93284
Signed-off-by: Jelmer Vernooij <jelmer at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit b53a6df3d0587b7f865b425f66cee8361117b99f)
commit 17cbd88a9fdded1bf7d5db8448bdc758322e2081
Author: Jelmer Vernooij <jelmer at samba.org>
Date: Fri Jan 30 02:06:33 2015 +0100
Use samba TestCase so we get all compatibility functions on Python < 2.7.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Change-Id: Iba87e3c8fa9331c4d5438ab60a8385379da634d7
Signed-Off-By: Jelmer Vernooij <jelmer at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 0acb1d49a78d6d63013ee9b7352e70cb8dd9b2c6)
commit f4b7a42477c2c019c11b19e652c7b6be8a840376
Author: Jelmer Vernooij <jelmer at samba.org>
Date: Wed Jan 28 23:17:13 2015 +0100
Provide TestCase.assertIsInstance for python < 2.7.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Change-Id: Id6d3c8a7dc56cb560eccc3db897a83c638dec7a6
Signed-off-by: Jelmer Vernooij <jelmer at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit fe231bedecace7e97da22add0cf48f1fd3772544)
commit 01b5c107a01634445d88c56e4db39d36b97a6f43
Author: Jelmer Vernooij <jelmer at samba.org>
Date: Wed Jan 28 22:17:41 2015 +0100
Use Samba TestCase class, as the python 2.6 one doesn't have assertIs, assertIsInstance or addCleanup.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Change-Id: I3daeffade0dac9795f61f91ee0da35fee0143a38
Signed-Off-By: Jelmer Vernooij <jelmer at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(similar to commit to cef4861906633be00cfb91a2d5e38f9870f749f4)
commit cc1b47cf02798a387331563be03b7af3435a13ca
Author: Jelmer Vernooij <jelmer at samba.org>
Date: Tue Jan 27 03:44:10 2015 +0100
Add replacement addCleanup.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Change-Id: Ie85756effde344fc4cc9b693c4a28611ea091677
Signed-off-by: Jelmer Vernooij <jelmer at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 9a4a7b9d3e91439145e8a54c37da4a84754fe152)
commit 72a7db40a7c0f9cd1e99f18fc0d4d4cdd84229b7
Author: Jelmer Vernooij <jelmer at samba.org>
Date: Tue Jan 27 03:40:34 2015 +0100
Add custom implementations of TestCase.assertIs and TestCase.assertIsNot, for Python2.6.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Change-Id: I3b806abdaf9540b7c39c961c179c2d2b15d327fe
Signed-off-by: Jelmer Vernooij <jelmer at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit e3a9feb6984136172616260293130095e19051e2)
commit 5cc22fbecaa338d63f1cf4ab803447d8af1c3dd6
Author: Jelmer Vernooij <jelmer at samba.org>
Date: Mon Dec 15 17:35:24 2014 +0000
Fix use of TestCase.skipTest on python2.6 now that we no longer use testtools.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Change-Id: I630e4073bf1553dfc77e9fe7e843ee8b71907683
Signed-off-by: Jelmer Vernooij <jelmer at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 85c1dc99083598339050ab5326ba9e0766eacdc8)
commit d82a56025ed7df7b03428bd56e7cdde1e75cf6e7
Author: Jelmer Vernooij <jelmer at samba.org>
Date: Thu Dec 11 01:11:41 2014 +0000
selftest/tests/*.py: remove use of testtools.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Change-Id: Ia692c6b3037b7d867310c3793980f9f953d31680
Signed-Off-By: Jelmer Vernooij <jelmer at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 3f1ecfd2d04b919cd488692ff4bcf02dcac60205)
commit 775c1df7e1989d204a45adedc6962697da81306c
Author: Jelmer Vernooij <jelmer at samba.org>
Date: Sun Dec 14 20:03:28 2014 +0000
Rename TestSkipped to Skiptest, consistent with Python 2.7.
Change-Id: I023df54363328333f1cb6c3ae3c1a406befa8f7b
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Jelmer Vernooij <jelmer at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 940c277d83737367617a7b06e49f71b6a2ab4fde)
commit 2dbf2f295370bfa1ec6dadc8f94e091f9d0a518e
Author: Jelmer Vernooij <jelmer at samba.org>
Date: Sun Dec 14 19:59:13 2014 +0000
Avoid importing TestCase and TestSkipped from testtools.
Change-Id: I34488ddf253decd336a67a8634e7039096bdd160
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Jelmer Vernooij <jelmer at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 7cb7d4b53eec0bea355a94388bfcce320b36ddfc)
commit f8e78f9a51cfecdc2ac34d565c3ffe2af563e4ac
Author: Kamen Mazdrashki <kamenim at samba.org>
Date: Wed Nov 5 06:26:25 2014 +0100
s4-dsdb-test: Implement samdb_connect_env() to rely solely on environment
this is to help me port Python tests to be more Unit test alike
and remove all global handling
Starting from a new test suite - tombstone_reanimation.py
Andrew Bartlett rose his concerns that passing parameters
through environment may make tests hard to trace for
failures. However, passing parameters on command line
is not Unit test alike either. After discussing this with him
offline, we agreed to continue this approach, but prefix
environment variables with "TEST_". So that an env var
should not be used by coincidence.
Change-Id: I29445c42cdcafede3897c8dd1f1529222a74afc9
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Kamen Mazdrashki <kamenim at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
(cherry picked from commit 599187ead61340d8d3bd3e9db7eab034175bfd7b)
commit 858b4bd87819da6bac02173f2999e9d7f8445bf1
Author: Kamen Mazdrashki <kamenim at samba.org>
Date: Sun Nov 2 17:11:20 2014 +0100
s4-tests: Print out what the error is in delete_force()
Change-Id: Iaa631179dc79fa756416be8eaf8c55e3b0c1a29f
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Kamen Mazdrashki <kamenim at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
(cherry picked from commit e33c54914306ae0fc726d8e066456346aac6ca6c)
commit 2b8a89c9099ac38abbb30148424da3fbeadf562f
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Jan 26 08:31:10 2015 +0100
python/samba/tests: don't lower case path names in connect_samdb()
We should not lower case file names, because we may get a path to sam.ldb.
Now we only lower case ldap urls.
For a long time I got failing private autobuild like this:
[1623(9233)/1718 at 1h28m9s] samba4.urgent_replication.python(dc)(dc:local)
Failed to connect to ldap URL
'ldap:///memdisk/metze/w/b12985/samba/bin/ab/dc/private/sam.ldb' - LDAP client
internal error: NT_STATUS_NO_MEMORY
Failed to connect to
'ldap:///memdisk/metze/w/b12985/samba/bin/ab/dc/private/sam.ldb' with backend
'ldap': (null)
UNEXPECTED(error):
samba4.urgent_replication.python(dc).__main__.UrgentReplicationTests.test_attributeSchema_object(dc:local)
REASON: _StringException: _StringException: Content-Type:
text/x-traceback;charset=utf8,language=python
traceback
322
The problem is that /memdisk/metze/W/ is my test directory instead
of /memdisk/metze/w/.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jelmer Vernooij <jelmer at samba.org>
(cherry picked from commit 0e37189dab01a80c10143a54b80859229e181e9b)
commit e28c4824a2d06eb25ad7a0f9d55c8cf711992028
Author: Kamen Mazdrashki <kamenim at samba.org>
Date: Tue Dec 2 05:04:40 2014 +0100
s4-tests/env_loadparm: Throw KeyError in case SMB_CONF_PATH
A bit more specific for the caller to "know" that env key is missing
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Change-Id: I4d4c2121af868d79f46f865f420336222bc67347
Signed-off-by: Kamen Mazdrashki <kamenim at samba.org>
Reviewed-by: Jelmer Vernooij <jelmer at samba.org>
Autobuild-User(master): Kamen Mazdrashki <kamenim at samba.org>
Autobuild-Date(master): Mon Dec 8 05:27:34 CET 2014 on sn-devel-104
(cherry picked from commit 29732b0d427472041bf3a586f3eeb281ccd408d5)
commit 427f20285d4cf32cfd3d3857b5dec69261a8a52c
Author: Jelmer Vernooij <jelmer at samba.org>
Date: Tue Nov 4 20:37:41 2014 +0000
Reduce number of places where sys.path is (possibly) updated for external module paths.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Change-Id: I69d060f27ea090d14405e884d1ce271975358c56
Signed-Off-By: Jelmer Vernooij <jelmer at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Jelmer Vernooij <jelmer at samba.org>
Autobuild-Date(master): Sun Nov 30 20:54:04 CET 2014 on sn-devel-104
(cherry picked from commit 7dbc58f524fbde517966d671da138b69566929d7)
commit 417807e257c306610eecf024379325ac12614d8a
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jun 25 14:05:37 2015 +0200
librpc/ndr: make use of dump_data_cb() in ndr_dump_data()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
(cherry picked from commit 2b163012aa243e682c5ba7bb23f1af265783a940)
commit d8bd1cbb175b83746eb76c7ee1c7a74514efe2fb
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jun 25 13:53:41 2015 +0200
lib/util: fix output format in dump_data*()
This changes:
[0000] 4E 54 4C 4D 53 53 50 00 01 00 00 00 05 82 08 60 NTLMSSP. .......`
[0010] 09 00 09 00 20 00 00 00 00 00 00 00 29 00 00 00 .... ... ....)...
[0020] 57 4F 52 4B 47 52 4F 55 50 WORKGROU P
into:
[0000] 4E 54 4C 4D 53 53 50 00 01 00 00 00 05 82 08 60 NTLMSSP. .......`
[0010] 09 00 09 00 20 00 00 00 00 00 00 00 29 00 00 00 .... ... ....)...
[0020] 57 4F 52 4B 47 52 4F 55 50 WORKGROU P
Note the alignment of 'WORKGROU P'.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
(cherry picked from commit 4a0370bdfdb599aa1798855a6074210583dd7cc4)
commit 6c5078c9b35311d4cc5d7708228149fb9462523a
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Apr 2 19:53:18 2014 +0200
s4:pyrpc: add base.bind_time_features_syntax(features)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
(cherry picked from commit 8c9612e1144e33aafd94f28fb7fa4b6b8444b05c)
commit d0ce818ea289d9763a61e0f1b5606c8b54c94f36
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jan 9 12:35:58 2014 +0100
librpc/rpc: add dcerpc_[extract|construct]_bind_time_features()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
(cherry picked from commit e1498ac674ed099394777e10065b34805bd24054)
commit 1e2d23d16215f6c839ebb18b7fb84d9e13932a05
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Mar 19 22:22:58 2014 +0100
librpc/rpc: add dcerpc_fault_from_nt_status()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
(cherry picked from commit 18dce19ef988d5398ba3f3ae59931b121dd85e3d)
commit 008d25bcaedff88483b18765b21695caccec62d5
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Mar 19 22:17:11 2014 +0100
librpc/rpc: add faultcode to nt_status mappings
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
(cherry picked from commit 1eef70872930fa4f9d3dedd23476b34cae638428)
commit 9dddf6ae90b16d93d83f3c99972826c6d73a84fd
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Sep 25 21:53:46 2014 +0200
midltests: add valid/midltests_DRS_EXTENSIONS.*
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
(cherry picked from commit cb8c156671530296b746d8b71fd62e677fa88cd0)
commit 0ef2b7a847195b269c3f3725d206fb71c2847c94
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jun 25 20:30:43 2015 +0200
auth/credentials: anonymous should not try to use kerberos
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
(cherry picked from commit f3f1c3892596e438c716172c053a016ee4ba464a)
commit b1174add0aaf998ae0ede04102787189cca15787
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Jun 20 16:54:33 2015 +0200
s3:ntlm_auth: don't start gensec backend twice
ntlm_auth_start_ntlmssp_server() was used in two cases
and both call gensec_start_mech_by_oid() again.
So we remove gensec_start_mech_by_oid() and rename the function
to ntlm_auth_prepare_gensec_server.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 965d9ce5559f01bc8f2e0d5fc95547a9ea7d5078)
commit 6e502315266719ff007ab97a3e1e1231cbe08c10
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 19 12:47:10 2015 +0200
auth/gensec: remove unused gensec_[un]wrap_packets() hooks
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 2cd3e51e19c0ae851ea2f294125c387f72d4432c)
commit 941abd128b563ce794782ae873ce2bb654c48f8f
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 19 12:46:27 2015 +0200
s4:auth/gensec: remove unused gensec_socket_init()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 37041e41589d529aedfeb0d39de2d542cd9c8798)
commit 58789c5eb08f766aea336d8b6add4d78121988d5
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 19 13:47:29 2015 +0200
s4:auth/gensec: remove unused include of lib/socket/socket.h
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 7943ffbb77bd3ee3a47d20ccdcbbcfe0e2b74b1e)
commit 6bf16fc6d48862a012f106ab0f49e2b22fc17d1e
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 19 13:30:54 2015 +0200
s4:auth/gensec: remove unused and untested cyrus_sasl module
There's not a high chance that this module worked at all.
Requesting SASL_SSF in order to get the max input length
is completely broken.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(similar to commit beb84d0c26305b80c8c56711782d62212e7abf86)
commit 53c92ba15c41e0bd749c3f5a72f0fce42e4a96a8
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 19 12:26:06 2015 +0200
s4:libcli/ldap: conversion to tstream
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 67c5d5849efb6dc9ff04088e0599056bcfad1aee)
commit b8405b32a4289dd162846c57e0216997429e5ea1
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 19 13:30:10 2015 +0200
s4:lib/tls: ignore non-existing ca and crl files in tstream_tls_params_client()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 6f2c29a13cfee0e816499f8aea4076aaee9e2f85)
commit fa70808c79711f4bd2d78d9d069f44d11e472633
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 19 12:26:55 2015 +0200
s4:lib/tls: fix tstream_tls_connect_send() define
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 3d298b994d949786c0eda47ece4a2d7b1c6f3104)
commit e6f746ed689ce283543e976a9fadfc9362386cee
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 19 01:07:49 2015 +0200
s3:libads/sasl: use gensec_max_{input,wrapped}_size() in ads_sasl_spnego_ntlmssp_bind
gensec_sig_size() is for gensec_{sign,seal}_packet() instead of gensec_wrap().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 8dbe9d785bd3b3d7bdca1e9854dc0516047d5e5a)
commit c14fa4de9871b40ce239e3c98c4786e2cc253290
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jun 18 21:07:58 2015 +0200
s4:gensec/gssapi: make calculation of gensec_gssapi_sig_size() for aes keys more clear
This way the result matches what gss_wrap_iov_length() would return.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 7b916b5f9a3db5b268639d2d68cfa85e20a83266)
commit 6b4479b038a133a6ed4688ba237a0c79c3afd0b0
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jun 18 23:18:58 2015 +0200
s4:gensec/gssapi: use gensec_gssapi_max_{input,wrapped}_size() for all backends
This avoids calls to gensec_gssapi_sig_size() as fallback in
gensec_max_input_size().
gensec_gssapi_sig_size() needs to report the sig size
gensec_{sign,seal}_packet(), which could be different to the
overhead produced by gensec_wrap().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit ac5283f7888d3b0bbc4d3a53102cc47d32366d06)
commit 26405f1d29aeb29d04caab10f21c7cf47b7c182a
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Jun 22 15:17:33 2015 +0200
auth/credentials: use HAVE_GSS_KRB5_CRED_NO_CI_FLAGS_X instead of SAMBA4_USES_HEIMDAL
Newer MIT versions also have this.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit 57579453d12429adba08b80c1eb6936cc422a2fd)
commit 39431e58db1e4efd4140e33b7c74bf3a5b400232
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Jun 22 15:17:10 2015 +0200
s4:heimdal_build: define HAVE_GSS_KRB5_CRED_NO_CI_FLAGS_X
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit 01499617bdd7f7b202ddd1e1c35e21b5c042ac65)
commit 983b0ea18ad2d9c85d63b3d76e2e33bf61b5064c
Author: Günther Deschner <gd at samba.org>
Date: Sat Feb 7 10:48:30 2015 +0100
gensec: map KRB5KRB_AP_ERR_BAD_INTEGRITY to logon failure.
When requesting initiator credentials fails, we need to map the error code
KRB5KRB_AP_ERR_BAD_INTEGRITY to NT_STATUS_LOGON_FAILURE as well. This is what
current MIT kerberos returns.
Guenther
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit de6021127d2d666280d11ebcf41dd2a64f6591f3)
commit 8e597a7a0c6d710f5704e137ef5100dfe851d0af
Author: Andreas Schneider <asn at samba.org>
Date: Tue Jul 29 12:33:49 2014 +0200
s4-gensec: Check if we have delegated credentials.
With MIT Kerberos it is possible that the GSS_C_DELEG_FLAG is set, but
the delegated_cred_handle is NULL which results in a NULL-pointer
dereference. This way we fix it.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit f05fbc14105096da9c9ecd75a6913d57e58c218f)
commit 7e7bfe14165c68eaa9a215f0317510d030410197
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Mar 18 21:52:12 2015 +0100
s4:auth/gensec_gssapi: remove allow_warnings=True
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit f99d9548fd77496e848283bb8f2fd5c42ee9e884)
commit 7bc4888e7ca9f588da9b3bb5164f72536559eef6
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Mar 18 21:49:32 2015 +0100
auth/kerberos: remove allow_warnings=True
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit bf77d78fd8ff442e6cefdaec1d9ee0f344c075d7)
commit 1b04d3203397f4e1ae7cf2ca13a93f33a6698ba8
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Mar 18 21:49:05 2015 +0100
auth/kerberos: avoid compiler warnings
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 21ed0efac0b8371a7d56320875b88fbde161990e)
commit 4c5fe209d42adf0b7ceaba54d10db7188f2a842f
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Mar 18 21:43:00 2015 +0100
s4:lib/tls: remove allow_warnings=True
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 0a4adb6730d0ec0e681ca9606b5a06934cf5ee7a)
commit 0d4412a212aac9a07162cf09c66abed8d6289909
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Mar 18 21:42:19 2015 +0100
s4:lib/tls: add tls_cert_generate() prototype to tls.h
This avoids compiler warnings...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit f074e271a15215fe5e30f83bb170bd99a6e0ae92)
commit 4f3e283b5b6b3d48b5e4af660b9a480da9a632fc
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Mar 18 21:52:12 2015 +0100
s4:auth/gensec_gssapi: remove compiler warnings
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 2bf79c419ddef693e74bcf33375ba56533b4774b)
commit 3c7f303263edc4559ecc5db5aa81b753594e0dc1
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Mar 29 00:36:26 2016 +0200
VERSION: Bump version up to 4.2.10...
and re-enable git snapshots.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
-----------------------------------------------------------------------
Summary of changes:
VERSION | 2 +-
WHATSNEW.txt | 581 ++++-
auth/credentials/credentials.c | 1 +
auth/credentials/credentials.h | 5 +-
auth/credentials/credentials_krb5.c | 5 +-
auth/credentials/credentials_ntlm.c | 12 +-
auth/gensec/gensec.c | 113 +-
auth/gensec/gensec.h | 25 +-
auth/gensec/gensec_internal.h | 19 +-
auth/gensec/gensec_start.c | 18 +-
auth/gensec/gensec_util.c | 118 +-
auth/gensec/schannel.c | 22 +-
auth/gensec/spnego.c | 357 ++-
auth/gensec/wscript_build | 2 +-
auth/kerberos/gssapi_helper.c | 395 +++
auth/kerberos/gssapi_helper.h | 55 +
auth/kerberos/gssapi_pac.c | 16 +-
auth/kerberos/wscript_build | 3 +-
auth/ntlmssp/gensec_ntlmssp.c | 9 +
auth/ntlmssp/gensec_ntlmssp_server.c | 44 +-
auth/ntlmssp/ntlmssp.c | 91 +-
auth/ntlmssp/ntlmssp.h | 17 +
auth/ntlmssp/ntlmssp_client.c | 534 +++-
auth/ntlmssp/ntlmssp_ndr.c | 1 +
auth/ntlmssp/ntlmssp_private.h | 10 +-
auth/ntlmssp/ntlmssp_server.c | 422 +++-
auth/ntlmssp/ntlmssp_sign.c | 103 +-
auth/ntlmssp/ntlmssp_util.c | 176 +-
auth/ntlmssp/wscript_build | 2 +-
.../ldap/ldapserverrequirestrongauth.xml | 26 +
.../smbdotconf/protocol/clientipcmaxprotocol.xml | 29 +
.../smbdotconf/protocol/clientipcminprotocol.xml | 29 +
docs-xml/smbdotconf/protocol/clientmaxprotocol.xml | 9 +-
docs-xml/smbdotconf/protocol/clientminprotocol.xml | 6 +
docs-xml/smbdotconf/protocol/clientusespnego.xml | 5 +
.../security/allowdcerpcauthlevelconnect.xml | 27 +
docs-xml/smbdotconf/security/clientipcsigning.xml | 26 +
docs-xml/smbdotconf/security/clientntlmv2auth.xml | 5 +
docs-xml/smbdotconf/security/clientsigning.xml | 13 +-
docs-xml/smbdotconf/security/rawntlmv2auth.xml | 19 +
docs-xml/smbdotconf/security/serversigning.xml | 2 +-
docs-xml/smbdotconf/security/tlspriority.xml | 22 +
docs-xml/smbdotconf/security/tlsverifypeer.xml | 47 +
lib/param/loadparm.c | 48 +-
lib/param/loadparm.h | 6 +
lib/param/param_table.c | 91 +
lib/util/asn1.c | 109 +-
lib/util/asn1.h | 25 +-
lib/util/tests/asn1_tests.c | 6 +-
lib/util/util.c | 2 +-
lib/util/util_net.c | 247 +-
lib/util/util_net.h | 1 +
libcli/auth/proto.h | 6 +
libcli/auth/smbencrypt.c | 170 +-
libcli/auth/spnego.h | 8 +-
libcli/auth/spnego_parse.c | 55 +-
libcli/cldap/cldap.c | 12 +-
libcli/ldap/ldap_message.c | 32 +-
libcli/smb/smbXcli_base.c | 1 +
libcli/smb/smb_constants.h | 1 +
libcli/smb/smb_signing.c | 4 +
libcli/smb/tstream_smbXcli_np.c | 12 +-
libcli/util/error.h | 1 +
librpc/idl/dcerpc.idl | 17 +-
librpc/idl/epmapper.idl | 2 +-
librpc/idl/ntlmssp.idl | 48 +-
librpc/idl/security.idl | 18 +-
librpc/ndr/ndr_basic.c | 39 +-
librpc/ndr/ndr_ntlmssp.c | 16 +
librpc/ndr/ndr_ntlmssp.h | 2 +
librpc/rpc/binding.c | 2 +-
librpc/rpc/dcerpc_error.c | 164 +-
librpc/rpc/dcerpc_util.c | 204 +-
librpc/rpc/rpc_common.h | 40 +-
nsswitch/libwbclient/wbc_pam.c | 21 +-
nsswitch/winbind_struct_protocol.h | 1 +
python/samba/tests/__init__.py | 685 ++++-
python/samba/tests/dcerpc/bare.py | 13 +-
python/samba/tests/dcerpc/dnsserver.py | 2 +-
python/samba/tests/dcerpc/raw_protocol.py | 2623 ++++++++++++++++++++
python/samba/tests/dcerpc/srvsvc.py | 6 +-
python/samba/tests/dns.py | 12 -
python/samba/tests/docs.py | 3 +-
python/samba/tests/ntacls.py | 7 +-
python/samba/tests/subunitrun.py | 4 +-
python/samba/tests/xattr.py | 10 +-
selftest/filter-subunit | 11 +-
selftest/format-subunit | 10 +-
selftest/knownfail | 30 +
.../DC-localdc.samba.example.com-S00-cert.pem | 190 ++
.../DC-localdc.samba.example.com-S00-key.pem | 54 +
.../DC-localdc.samba.example.com-S00-openssl.cnf | 250 ++
...C-localdc.samba.example.com-S00-private-key.pem | 51 +
.../DC-localdc.samba.example.com-S00-req.pem | 30 +
.../DC-localdc.samba.example.com-cert.pem | 1 +
.../DC-localdc.samba.example.com-private-key.pem | 1 +
...ugindc.plugindom.samba.example.com-S02-cert.pem | 191 ++
...lugindc.plugindom.samba.example.com-S02-key.pem | 54 +
...ndc.plugindom.samba.example.com-S02-openssl.cnf | 250 ++
...plugindom.samba.example.com-S02-private-key.pem | 51 +
...lugindc.plugindom.samba.example.com-S02-req.pem | 30 +
...C-plugindc.plugindom.samba.example.com-cert.pem | 1 +
...ndc.plugindom.samba.example.com-private-key.pem | 1 +
.../manage-ca/CA-samba.example.com/NewCerts/00.pem | 190 ++
.../manage-ca/CA-samba.example.com/NewCerts/01.pem | 169 ++
.../manage-ca/CA-samba.example.com/NewCerts/02.pem | 191 ++
.../manage-ca/CA-samba.example.com/NewCerts/03.pem | 170 ++
.../Private/CA-samba.example.com-crlnumber.txt | 1 +
.../Private/CA-samba.example.com-crlnumber.txt.old | 1 +
.../Private/CA-samba.example.com-index.txt | 4 +
.../Private/CA-samba.example.com-index.txt.attr | 1 +
.../CA-samba.example.com-index.txt.attr.old | 1 +
.../Private/CA-samba.example.com-index.txt.old | 3 +
.../Private/CA-samba.example.com-openssl.cnf | 203 ++
.../Private/CA-samba.example.com-private-key.pem | 102 +
.../Private/CA-samba.example.com-serial.txt | 1 +
.../Private/CA-samba.example.com-serial.txt.old | 1 +
.../Public/CA-samba.example.com-cert.pem | 62 +
.../Public/CA-samba.example.com-crl.pem | 32 +
...trator at plugindom.samba.example.com-S03-cert.pem | 170 ++
...strator at plugindom.samba.example.com-S03-key.pem | 30 +
...tor at plugindom.samba.example.com-S03-openssl.cnf | 242 ++
...plugindom.samba.example.com-S03-private-key.pem | 27 +
...strator at plugindom.samba.example.com-S03-req.pem | 19 +
...inistrator at plugindom.samba.example.com-cert.pem | 1 +
...tor at plugindom.samba.example.com-private-key.pem | 1 +
...ER-administrator at samba.example.com-S01-cert.pem | 169 ++
...SER-administrator at samba.example.com-S01-key.pem | 30 +
...administrator at samba.example.com-S01-openssl.cnf | 242 ++
...nistrator at samba.example.com-S01-private-key.pem | 27 +
...SER-administrator at samba.example.com-S01-req.pem | 19 +
.../USER-administrator at samba.example.com-cert.pem | 1 +
...administrator at samba.example.com-private-key.pem | 1 +
selftest/manage-ca/manage-CA-samba.example.com.cnf | 21 +
selftest/manage-ca/manage-CA-samba.example.com.sh | 18 +
selftest/manage-ca/manage-ca.sh | 387 +++
.../manage-CA-example.com.cnf | 17 +
.../openssl-BASE-template.cnf | 201 ++
.../manage-ca.templates.d/openssl-CA-template.cnf | 2 +
.../manage-ca.templates.d/openssl-DC-template.cnf | 49 +
.../openssl-USER-template.cnf | 41 +
selftest/selftest.pl | 40 +
selftest/target/Samba.pm | 105 +
selftest/target/Samba3.pm | 1 +
selftest/target/Samba4.pm | 233 +-
selftest/tests/__init__.py | 2 -
selftest/tests/test_run.py | 2 +-
selftest/tests/test_samba.py | 2 +-
selftest/tests/test_socket_wrapper.py | 2 +-
selftest/tests/test_target.py | 2 +-
selftest/tests/test_testlist.py | 2 +-
source3/auth/auth_domain.c | 2 +-
source3/auth/auth_samba4.c | 4 +-
source3/auth/auth_util.c | 15 +
source3/include/ads.h | 30 +-
source3/include/auth_generic.h | 7 +-
source3/include/proto.h | 48 +-
source3/lib/netapi/cm.c | 2 +-
source3/lib/tldap.c | 6 +-
source3/libads/ads_ldap_protos.h | 6 +-
source3/libads/ads_proto.h | 11 +-
source3/libads/ads_status.c | 6 +-
source3/libads/ads_status.h | 2 +-
source3/libads/disp_sec.c | 4 +-
source3/libads/ldap.c | 163 +-
source3/libads/ldap_printer.c | 4 +-
source3/libads/ldap_utils.c | 10 +-
source3/libads/sasl.c | 706 ++----
source3/libads/sasl_wrapping.c | 2 +-
source3/libnet/libnet_join.c | 6 +-
source3/librpc/crypto/gse.c | 394 ++-
source3/librpc/rpc/dcerpc.h | 10 +-
source3/librpc/rpc/dcerpc_helpers.c | 98 +-
source3/libsmb/auth_generic.c | 51 +-
source3/libsmb/cliconnect.c | 674 ++---
source3/libsmb/clidgram.c | 2 +-
source3/libsmb/clientgen.c | 11 +-
source3/libsmb/clierror.c | 6 +-
source3/libsmb/clifsinfo.c | 22 +-
source3/libsmb/clilist.c | 6 +-
source3/libsmb/clirap.c | 26 +-
source3/libsmb/clirap.h | 48 +-
source3/libsmb/clirap2.c | 30 +-
source3/libsmb/clisecdesc.c | 4 +-
source3/libsmb/clispnego.c | 283 +--
source3/libsmb/libsmb_dir.c | 18 +-
source3/libsmb/libsmb_file.c | 6 +-
source3/libsmb/libsmb_misc.c | 4 +-
source3/libsmb/libsmb_server.c | 2 +-
source3/libsmb/libsmb_stat.c | 10 +-
source3/libsmb/libsmb_xattr.c | 14 +-
source3/libsmb/namequery.c | 4 +-
source3/libsmb/nmblib.c | 2 +-
source3/libsmb/ntlmssp.c | 765 ------
source3/libsmb/ntlmssp_wrap.c | 135 -
source3/libsmb/passchange.c | 7 +-
source3/libsmb/proto.h | 26 +-
source3/libsmb/samlogon_cache.c | 2 +-
source3/libsmb/smb_share_modes.c | 18 +-
source3/libsmb/smbsock_connect.c | 2 +-
source3/pam_smbpass/wscript_build | 2 +-
source3/param/loadparm.c | 44 +-
source3/rpc_client/cli_lsarpc.c | 4 +-
source3/rpc_client/cli_lsarpc.h | 4 +-
source3/rpc_client/cli_netlogon.c | 4 +-
source3/rpc_client/cli_netlogon.h | 2 +-
source3/rpc_client/cli_pipe.c | 327 ++-
source3/rpc_client/rpc_client.h | 4 +-
source3/rpc_server/netlogon/srv_netlog_nt.c | 57 +-
source3/rpc_server/rpc_handles.c | 7 +-
source3/rpc_server/rpc_ncacn_np.c | 3 +-
source3/rpc_server/rpc_pipes.h | 11 +
source3/rpc_server/rpc_server.c | 12 +
source3/rpc_server/samr/srv_samr_nt.c | 21 +-
source3/rpc_server/srv_access_check.c | 6 +-
source3/rpc_server/srv_access_check.h | 4 +-
source3/rpc_server/srv_pipe.c | 502 ++--
source3/rpcclient/rpcclient.c | 5 +-
source3/script/tests/test_ntlm_auth_s3.sh | 2 +
source3/script/tests/test_rpcclient_samlogon.sh | 11 +-
source3/script/tests/test_smbclient_auth.sh | 11 +
source3/selftest/tests.py | 7 +-
source3/smbd/negprot.c | 6 +-
source3/smbd/sesssetup.c | 4 +-
source3/smbd/smb2_negprot.c | 10 +-
source3/smbd/smb2_sesssetup.c | 3 +-
source3/torture/test_ntlm_auth.py | 553 +++--
source3/utils/net_ads.c | 2 +-
source3/utils/net_rpc.c | 2 +-
source3/utils/net_util.c | 2 +-
source3/utils/ntlm_auth.c | 819 +-----
source3/winbindd/winbindd_ccache_access.c | 44 +-
source3/winbindd/winbindd_cm.c | 6 +-
source3/winbindd/winbindd_dual_srv.c | 2 +-
source3/wscript_build | 10 +-
source4/auth/gensec/cyrus_sasl.c | 452 ----
source4/auth/gensec/gensec_gssapi.c | 322 +--
source4/auth/gensec/gensec_gssapi.h | 1 -
source4/auth/gensec/gensec_krb5.c | 12 +-
source4/auth/gensec/gensec_socket.h | 28 -
source4/auth/gensec/pygensec.c | 83 +
source4/auth/gensec/socket.c | 435 ----
source4/auth/gensec/wscript_build | 14 +-
source4/auth/ntlm/auth_util.c | 4 +-
source4/auth/wscript_configure | 4 -
source4/dsdb/tests/python/dsdb_schema_info.py | 3 +-
source4/heimdal/lib/gssapi/krb5/aeap.c | 98 +-
source4/heimdal/lib/gssapi/krb5/arcfour.c | 645 ++++-
source4/heimdal/lib/gssapi/krb5/decapsulate.c | 3 +
source4/heimdal_build/wscript_configure | 1 +
source4/ldap_server/ldap_bind.c | 50 +-
source4/ldap_server/ldap_server.c | 7 +
source4/ldap_server/ldap_server.h | 2 +
source4/lib/tls/tls.c | 2 +-
source4/lib/tls/tls.h | 32 +-
source4/lib/tls/tls_tstream.c | 288 ++-
source4/lib/tls/tlscert.c | 19 +-
source4/lib/tls/wscript | 6 +-
source4/libcli/cliconnect.c | 2 +-
source4/libcli/ldap/ldap_bind.c | 125 +-
source4/libcli/ldap/ldap_client.c | 443 ++--
source4/libcli/ldap/ldap_client.h | 17 +-
source4/libcli/ldap/ldap_controls.c | 48 +-
source4/libcli/ldap/wscript_build | 4 +-
source4/libcli/raw/libcliraw.h | 1 +
source4/libcli/raw/rawnegotiate.c | 11 +-
source4/libcli/smb2/connect.c | 7 +-
source4/libcli/smb_composite/connect.c | 1 +
source4/libcli/smb_composite/sesssetup.c | 35 +-
source4/librpc/rpc/dcerpc.c | 351 ++-
source4/librpc/rpc/dcerpc.h | 14 +-
source4/librpc/rpc/dcerpc_auth.c | 93 +-
source4/librpc/rpc/dcerpc_connect.c | 22 +
source4/librpc/rpc/dcerpc_roh.c | 13 +-
source4/librpc/rpc/dcerpc_util.c | 22 +-
source4/librpc/rpc/pyrpc.c | 80 +-
source4/param/loadparm.c | 3 +-
source4/rpc_server/backupkey/dcesrv_backupkey.c | 13 +-
source4/rpc_server/common/reply.c | 49 +-
source4/rpc_server/dcerpc_server.c | 812 ++++--
source4/rpc_server/dcerpc_server.h | 57 +-
source4/rpc_server/dcesrv_auth.c | 275 +-
source4/rpc_server/dcesrv_mgmt.c | 8 +
source4/rpc_server/dnsserver/dcerpc_dnsserver.c | 8 +
source4/rpc_server/drsuapi/dcesrv_drsuapi.c | 8 +
source4/rpc_server/echo/rpc_echo.c | 7 +
source4/rpc_server/epmapper/rpc_epmapper.c | 8 +
source4/rpc_server/handles.c | 8 +-
source4/rpc_server/lsa/dcesrv_lsa.c | 8 +
source4/rpc_server/lsa/lsa_lookup.c | 12 +-
source4/rpc_server/netlogon/dcerpc_netlogon.c | 46 +-
source4/rpc_server/remote/dcesrv_remote.c | 8 +-
source4/rpc_server/samr/dcesrv_samr.c | 12 +
source4/rpc_server/samr/samr_password.c | 25 +-
source4/selftest/tests.py | 77 +-
source4/smb_server/smb/negprot.c | 6 +-
source4/smb_server/smb/sesssetup.c | 10 +
source4/smb_server/smb2/negprot.c | 7 +-
source4/smb_server/smb2/sesssetup.c | 8 -
source4/torture/basic/base.c | 20 +-
source4/torture/drs/python/drs_base.py | 6 +-
source4/torture/ndr/ntlmssp.c | 181 +-
source4/torture/raw/samba3misc.c | 7 +
source4/torture/rpc/alter_context.c | 2 +-
source4/torture/rpc/backupkey.c | 21 +-
source4/torture/rpc/forest_trust.c | 12 +-
source4/torture/rpc/netlogon.c | 101 +-
source4/torture/rpc/netlogon.h | 7 +
source4/torture/rpc/remote_pac.c | 121 +-
source4/torture/rpc/samba3rpc.c | 75 +-
source4/torture/rpc/samlogon.c | 3 +-
source4/torture/rpc/samr.c | 4 +-
source4/torture/rpc/schannel.c | 29 +-
source4/torture/rpc/testjoin.c | 35 +-
source4/winbind/wb_pam_auth.c | 4 +-
source4/winbind/wb_samba3_cmd.c | 9 +-
testprogs/blackbox/test_ldb.sh | 3 +
testprogs/blackbox/test_ldb_simple.sh | 41 +
.../midltests/valid/midltests_DRS_EXTENSIONS.idl | 64 +
.../midltests/valid/midltests_DRS_EXTENSIONS.out | 43 +
wscript_configure_system_mitkrb5 | 4 +-
321 files changed, 17822 insertions(+), 7115 deletions(-)
create mode 100644 auth/kerberos/gssapi_helper.c
create mode 100644 auth/kerberos/gssapi_helper.h
create mode 100644 docs-xml/smbdotconf/ldap/ldapserverrequirestrongauth.xml
create mode 100644 docs-xml/smbdotconf/protocol/clientipcmaxprotocol.xml
create mode 100644 docs-xml/smbdotconf/protocol/clientipcminprotocol.xml
create mode 100644 docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml
create mode 100644 docs-xml/smbdotconf/security/clientipcsigning.xml
create mode 100644 docs-xml/smbdotconf/security/rawntlmv2auth.xml
create mode 100644 docs-xml/smbdotconf/security/tlspriority.xml
create mode 100644 docs-xml/smbdotconf/security/tlsverifypeer.xml
create mode 100755 python/samba/tests/dcerpc/raw_protocol.py
create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-cert.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-key.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-openssl.cnf
create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-private-key.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-req.pem
create mode 120000 selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-cert.pem
create mode 120000 selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-private-key.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/plugindc.plugindom.samba.example.com/DC-plugindc.plugindom.samba.example.com-S02-cert.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/plugindc.plugindom.samba.example.com/DC-plugindc.plugindom.samba.example.com-S02-key.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/plugindc.plugindom.samba.example.com/DC-plugindc.plugindom.samba.example.com-S02-openssl.cnf
create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/plugindc.plugindom.samba.example.com/DC-plugindc.plugindom.samba.example.com-S02-private-key.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/plugindc.plugindom.samba.example.com/DC-plugindc.plugindom.samba.example.com-S02-req.pem
create mode 120000 selftest/manage-ca/CA-samba.example.com/DCs/plugindc.plugindom.samba.example.com/DC-plugindc.plugindom.samba.example.com-cert.pem
create mode 120000 selftest/manage-ca/CA-samba.example.com/DCs/plugindc.plugindom.samba.example.com/DC-plugindc.plugindom.samba.example.com-private-key.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/NewCerts/00.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/NewCerts/01.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/NewCerts/02.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/NewCerts/03.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-crlnumber.txt
create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-crlnumber.txt.old
create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-index.txt
create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-index.txt.attr
create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-index.txt.attr.old
create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-index.txt.old
create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-openssl.cnf
create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-private-key.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-serial.txt
create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-serial.txt.old
create mode 100644 selftest/manage-ca/CA-samba.example.com/Public/CA-samba.example.com-cert.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/Public/CA-samba.example.com-crl.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at plugindom.samba.example.com/USER-administrator at plugindom.samba.example.com-S03-cert.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at plugindom.samba.example.com/USER-administrator at plugindom.samba.example.com-S03-key.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at plugindom.samba.example.com/USER-administrator at plugindom.samba.example.com-S03-openssl.cnf
create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at plugindom.samba.example.com/USER-administrator at plugindom.samba.example.com-S03-private-key.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at plugindom.samba.example.com/USER-administrator at plugindom.samba.example.com-S03-req.pem
create mode 120000 selftest/manage-ca/CA-samba.example.com/Users/administrator at plugindom.samba.example.com/USER-administrator at plugindom.samba.example.com-cert.pem
create mode 120000 selftest/manage-ca/CA-samba.example.com/Users/administrator at plugindom.samba.example.com/USER-administrator at plugindom.samba.example.com-private-key.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at samba.example.com/USER-administrator at samba.example.com-S01-cert.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at samba.example.com/USER-administrator at samba.example.com-S01-key.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at samba.example.com/USER-administrator at samba.example.com-S01-openssl.cnf
create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at samba.example.com/USER-administrator at samba.example.com-S01-private-key.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at samba.example.com/USER-administrator at samba.example.com-S01-req.pem
create mode 120000 selftest/manage-ca/CA-samba.example.com/Users/administrator at samba.example.com/USER-administrator at samba.example.com-cert.pem
create mode 120000 selftest/manage-ca/CA-samba.example.com/Users/administrator at samba.example.com/USER-administrator at samba.example.com-private-key.pem
create mode 100644 selftest/manage-ca/manage-CA-samba.example.com.cnf
create mode 100644 selftest/manage-ca/manage-CA-samba.example.com.sh
create mode 100755 selftest/manage-ca/manage-ca.sh
create mode 100644 selftest/manage-ca/manage-ca.templates.d/manage-CA-example.com.cnf
create mode 100644 selftest/manage-ca/manage-ca.templates.d/openssl-BASE-template.cnf
create mode 100644 selftest/manage-ca/manage-ca.templates.d/openssl-CA-template.cnf
create mode 100644 selftest/manage-ca/manage-ca.templates.d/openssl-DC-template.cnf
create mode 100644 selftest/manage-ca/manage-ca.templates.d/openssl-USER-template.cnf
delete mode 100644 source3/libsmb/ntlmssp.c
delete mode 100644 source3/libsmb/ntlmssp_wrap.c
delete mode 100644 source4/auth/gensec/cyrus_sasl.c
delete mode 100644 source4/auth/gensec/gensec_socket.h
delete mode 100644 source4/auth/gensec/socket.c
create mode 100755 testprogs/blackbox/test_ldb_simple.sh
create mode 100644 testprogs/win32/midltests/valid/midltests_DRS_EXTENSIONS.idl
create mode 100644 testprogs/win32/midltests/valid/midltests_DRS_EXTENSIONS.out
Changeset truncated at 500 lines:
diff --git a/VERSION b/VERSION
index 9c7df70..ce2ca71 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
########################################################
SAMBA_VERSION_MAJOR=4
SAMBA_VERSION_MINOR=2
-SAMBA_VERSION_RELEASE=9
+SAMBA_VERSION_RELEASE=11
########################################################
# If a official release has a serious bug #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index f03be3a..ecb5fe6 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,580 @@
+ ==============================
+ Release Notes for Samba 4.2.11
+ April 12, 2016
+ ==============================
+
+This is a security release containing one additional
+regression fix for the security release 4.2.10.
+
+This fixes a regression that prevents things like 'net ads join'
+from working against a Windows 2003 domain.
+
+Changes since 4.2.10:
+=====================
+
+o Stefan Metzmacher <metze at samba.org>
+ * Bug 11804 - prerequisite backports for the security release on
+ April 12th, 2016
+
+Release notes for the original 4.2.10 release follows:
+------------------------------------------------------
+
+ ==============================
+ Release Notes for Samba 4.2.10
+ April 12, 2016
+ ==============================
+
+
+This is a security release in order to address the following CVEs:
+
+o CVE-2015-5370 (Multiple errors in DCE-RPC code)
+
+o CVE-2016-2110 (Man in the middle attacks possible with NTLMSSP)
+
+o CVE-2016-2111 (NETLOGON Spoofing Vulnerability)
+
+o CVE-2016-2112 (LDAP client and server don't enforce integrity)
+
+o CVE-2016-2113 (Missing TLS certificate validation)
+
+o CVE-2016-2114 ("server signing = mandatory" not enforced)
+
+o CVE-2016-2115 (SMB IPC traffic is not integrity protected)
+
+o CVE-2016-2118 (SAMR and LSA man in the middle attacks possible)
+
+The number of changes are rather huge for a security release,
+compared to typical security releases.
+
+Given the number of problems and the fact that they are all related
+to man in the middle attacks we decided to fix them all at once
+instead of splitting them.
+
+In order to prevent the man in the middle attacks it was required
+to change the (default) behavior for some protocols. Please see the
+"New smb.conf options" and "Behavior changes" sections below.
+
+=======
+Details
+=======
+
+o CVE-2015-5370
+
+ Versions of Samba from 3.6.0 to 4.4.0 inclusive are vulnerable to
+ denial of service attacks (crashes and high cpu consumption)
+ in the DCE-RPC client and server implementations. In addition,
+ errors in validation of the DCE-RPC packets can lead to a downgrade
+ of a secure connection to an insecure one.
+
+ While we think it is unlikely, there's a nonzero chance for
+ a remote code execution attack against the client components,
+ which are used by smbd, winbindd and tools like net, rpcclient and
+ others. This may gain root access to the attacker.
+
+ The above applies all possible server roles Samba can operate in.
+
+ Note that versions before 3.6.0 had completely different marshalling
+ functions for the generic DCE-RPC layer. It's quite possible that
+ that code has similar problems!
+
+ The downgrade of a secure connection to an insecure one may
+ allow an attacker to take control of Active Directory object
+ handles created on a connection created from an Administrator
+ account and re-use them on the now non-privileged connection,
+ compromising the security of the Samba AD-DC.
+
+o CVE-2016-2110:
+
+ There are several man in the middle attacks possible with
+ NTLMSSP authentication.
+
+ E.g. NTLMSSP_NEGOTIATE_SIGN and NTLMSSP_NEGOTIATE_SEAL
+ can be cleared by a man in the middle.
+
+ This was by protocol design in earlier Windows versions.
+
+ Windows Server 2003 RTM and Vista RTM introduced a way
+ to protect against the trivial downgrade.
+
+ See MsvAvFlags and flag 0x00000002 in
+ https://msdn.microsoft.com/en-us/library/cc236646.aspx
+
+ This new feature also implies support for a mechlistMIC
+ when used within SPNEGO, which may prevent downgrades
+ from other SPNEGO mechs, e.g. Kerberos, if sign or
+ seal is finally negotiated.
+
+ The Samba implementation doesn't enforce the existence of
+ required flags, which were requested by the application layer,
+ e.g. LDAP or SMB1 encryption (via the unix extensions).
+ As a result a man in the middle can take over the connection.
+ It is also possible to misguide client and/or
+ server to send unencrypted traffic even if encryption
+ was explicitly requested.
+
+ LDAP (with NTLMSSP authentication) is used as a client
+ by various admin tools of the Samba project,
+ e.g. "net", "samba-tool", "ldbsearch", "ldbedit", ...
+
+ As an active directory member server LDAP is also used
+ by the winbindd service when connecting to domain controllers.
+
+ Samba also offers an LDAP server when running as
+ active directory domain controller.
+
+ The NTLMSSP authentication used by the SMB1 encryption
+ is protected by smb signing, see CVE-2015-5296.
+
+o CVE-2016-2111:
+
+ It's basically the same as CVE-2015-0005 for Windows:
+
+ The NETLOGON service in Microsoft Windows Server 2003 SP2,
+ Windows Server 2008 SP2 and R2 SP1, and Windows Server 2012 Gold
+ and R2, when a Domain Controller is configured, allows remote
+ attackers to spoof the computer name of a secure channel's
+ endpoint, and obtain sensitive session information, by running a
+ crafted application and leveraging the ability to sniff network
+ traffic, aka "NETLOGON Spoofing Vulnerability".
+
+ The vulnerability in Samba is worse as it doesn't require
+ credentials of a computer account in the domain.
+
+ This only applies to Samba running as classic primary domain controller,
+ classic backup domain controller or active directory domain controller.
+
+ The security patches introduce a new option called "raw NTLMv2 auth"
+ ("yes" or "no") for the [global] section in smb.conf.
+ Samba (the smbd process) will reject client using raw NTLMv2
+ without using NTLMSSP.
+
+ Note that this option also applies to Samba running as
+ standalone server and member server.
+
+ You should also consider using "lanman auth = no" (which is already the default)
+ and "ntlm auth = no". Have a look at the smb.conf manpage for further details,
+ as they might impact compatibility with older clients. These also
+ apply for all server roles.
+
+o CVE-2016-2112:
+
+ Samba uses various LDAP client libraries, a builtin one and/or the system
+ ldap libraries (typically openldap).
+
+ As active directory domain controller Samba also provides an LDAP server.
+
+ Samba takes care of doing SASL (GSS-SPNEGO) authentication with Kerberos or NTLMSSP
+ for LDAP connections, including possible integrity (sign) and privacy (seal)
+ protection.
+
+ Samba has support for an option called "client ldap sasl wrapping" since version
+ 3.2.0. Its default value has changed from "plain" to "sign" with version 4.2.0.
+
+ Tools using the builtin LDAP client library do not obey the
+ "client ldap sasl wrapping" option. This applies to tools like:
+ "samba-tool", "ldbsearch", "ldbedit" and more. Some of them have command line
+ options like "--sign" and "--encrypt". With the security update they will
+ also obey the "client ldap sasl wrapping" option as default.
+
+ In all cases, even if explicitly request via "client ldap sasl wrapping",
+ "--sign" or "--encrypt", the protection can be downgraded by a man in the
+ middle.
+
+ The LDAP server doesn't have an option to enforce strong authentication
+ yet. The security patches will introduce a new option called
+ "ldap server require strong auth", possible values are "no",
+ "allow_sasl_over_tls" and "yes".
+
+ As the default behavior was as "no" before, you may
+ have to explicitly change this option until all clients have
+ been adjusted to handle LDAP_STRONG_AUTH_REQUIRED errors.
+ Windows clients and Samba member servers already use
+ integrity protection.
+
+o CVE-2016-2113:
+
+ Samba has support for TLS/SSL for some protocols:
+ ldap and http, but currently certificates are not
+ validated at all. While we have a "tls cafile" option,
+ the configured certificate is not used to validate
+ the server certificate.
+
+ This applies to ldaps:// connections triggered by tools like:
+ "ldbsearch", "ldbedit" and more. Note that it only applies
+ to the ldb tools when they are built as part of Samba or with Samba
+ extensions installed, which means the Samba builtin LDAP client library is
+ used.
+
+ It also applies to dcerpc client connections using ncacn_http (with https://),
+ which are only used by the openchange project. Support for ncacn_http
+ was introduced in version 4.2.0.
+
+ The security patches will introduce a new option called
+ "tls verify peer". Possible values are "no_check", "ca_only",
+ "ca_and_name_if_available", "ca_and_name" and "as_strict_as_possible".
+
+ If you use the self-signed certificates which are auto-generated
+ by Samba, you won't have a crl file and need to explicitly
+ set "tls verify peer = ca_and_name".
+
+o CVE-2016-2114
+
+ Due to a regression introduced in Samba 4.0.0,
+ an explicit "server signing = mandatory" in the [global] section
+ of the smb.conf was not enforced for clients using the SMB1 protocol.
+
+ As a result it does not enforce smb signing and allows man in the middle attacks.
+
+ This problem applies to all possible server roles:
+ standalone server, member server, classic primary domain controller,
+ classic backup domain controller and active directory domain controller.
+
+ In addition, when Samba is configured with "server role = active directory domain controller"
+ the effective default for the "server signing" option should be "mandatory".
+
+ During the early development of Samba 4 we had a new experimental
+ file server located under source4/smb_server. But before
+ the final 4.0.0 release we switched back to the file server
+ under source3/smbd.
+
+ But the logic for the correct default of "server signing" was not
+ ported correctly ported.
+
+ Note that the default for server roles other than active directory domain
+ controller, is "off" because of performance reasons.
+
+o CVE-2016-2115:
+
+ Samba has an option called "client signing", this is turned off by default
+ for performance reasons on file transfers.
+
+ This option is also used when using DCERPC with ncacn_np.
+
+ In order to get integrity protection for ipc related communication
+ by default the "client ipc signing" option is introduced.
+ The effective default for this new option is "mandatory".
+
+ In order to be compatible with more SMB server implementations,
+ the following additional options are introduced:
+ "client ipc min protocol" ("NT1" by default) and
+ "client ipc max protocol" (the highest support SMB2/3 dialect by default).
+ These options overwrite the "client min protocol" and "client max protocol"
+ options, because the default for "client max protocol" is still "NT1".
+ The reason for this is the fact that all SMB2/3 support SMB signing,
+ while there are still SMB1 implementations which don't offer SMB signing
+ by default (this includes Samba versions before 4.0.0).
+
+ Note that winbindd (in versions 4.2.0 and higher) enforces SMB signing
+ against active directory domain controllers despite of the
+ "client signing" and "client ipc signing" options.
+
+o CVE-2016-2118 (a.k.a. BADLOCK):
+
+ The Security Account Manager Remote Protocol [MS-SAMR] and the
+ Local Security Authority (Domain Policy) Remote Protocol [MS-LSAD]
+ are both vulnerable to man in the middle attacks. Both are application level
+ protocols based on the generic DCE 1.1 Remote Procedure Call (DCERPC) protocol.
+
+ These protocols are typically available on all Windows installations
+ as well as every Samba server. They are used to maintain
+ the Security Account Manager Database. This applies to all
+ roles, e.g. standalone, domain member, domain controller.
+
+ Any authenticated DCERPC connection a client initiates against a server
+ can be used by a man in the middle to impersonate the authenticated user
+ against the SAMR or LSAD service on the server.
+
+ The client chosen application protocol, auth type (e.g. Kerberos or NTLMSSP)
+ and auth level (NONE, CONNECT, PKT_INTEGRITY, PKT_PRIVACY) do not matter
+ in this case. A man in the middle can change auth level to CONNECT
+ (which means authentication without message protection) and take over
+ the connection.
+
+ As a result, a man in the middle is able to get read/write access to the
+ Security Account Manager Database, which reveals all passwords
+ and any other potential sensitive information.
+
+ Samba running as an active directory domain controller is additionally
+ missing checks to enforce PKT_PRIVACY for the
+ Directory Replication Service Remote Protocol [MS-DRSR] (drsuapi)
+ and the BackupKey Remote Protocol [MS-BKRP] (backupkey).
+ The Domain Name Service Server Management Protocol [MS-DNSP] (dnsserver)
+ is not enforcing at least PKT_INTEGRITY.
+
+====================
+New smb.conf options
+====================
+
+ allow dcerpc auth level connect (G)
+
+ This option controls whether DCERPC services are allowed to be used with
+ DCERPC_AUTH_LEVEL_CONNECT, which provides authentication, but no per
+ message integrity nor privacy protection.
+
+ Some interfaces like samr, lsarpc and netlogon have a hard-coded default
+ of no and epmapper, mgmt and rpcecho have a hard-coded default of yes.
+
+ The behavior can be overwritten per interface name (e.g. lsarpc,
+ netlogon, samr, srvsvc, winreg, wkssvc ...) by using
+ 'allow dcerpc auth level connect:interface = yes' as option.
+
+ This option yields precedence to the implementation specific restrictions.
+ E.g. the drsuapi and backupkey protocols require DCERPC_AUTH_LEVEL_PRIVACY.
+ The dnsserver protocol requires DCERPC_AUTH_LEVEL_INTEGRITY.
+
+ Default: allow dcerpc auth level connect = no
+
+ Example: allow dcerpc auth level connect = yes
+
+ client ipc signing (G)
+
+ This controls whether the client is allowed or required to use
+ SMB signing for IPC$ connections as DCERPC transport. Possible
+ values are auto, mandatory and disabled.
+
+ When set to mandatory or default, SMB signing is required.
+
+ When set to auto, SMB signing is offered, but not enforced and
+ if set to disabled, SMB signing is not offered either.
+
+ Connections from winbindd to Active Directory Domain Controllers
+ always enforce signing.
+
+ Default: client ipc signing = default
+
+ client ipc max protocol (G)
+
+ The value of the parameter (a string) is the highest protocol level that will
+ be supported for IPC$ connections as DCERPC transport.
+
+ Normally this option should not be set as the automatic negotiation phase
+ in the SMB protocol takes care of choosing the appropriate protocol.
+
+ The value default refers to the latest supported protocol, currently SMB3_11.
+
+ See client max protocol for a full list of available protocols.
+ The values CORE, COREPLUS, LANMAN1, LANMAN2 are silently upgraded to NT1.
+
+ Default: client ipc max protocol = default
+
+ Example: client ipc max protocol = SMB2_10
+
+ client ipc min protocol (G)
+
+ This setting controls the minimum protocol version that the will be
+ attempted to use for IPC$ connections as DCERPC transport.
+
+ Normally this option should not be set as the automatic negotiation phase
+ in the SMB protocol takes care of choosing the appropriate protocol.
+
+ The value default refers to the higher value of NT1 and the
+ effective value of "client min protocol".
+
+ See client max protocol for a full list of available protocols.
+ The values CORE, COREPLUS, LANMAN1, LANMAN2 are silently upgraded to NT1.
+
+ Default: client ipc min protocol = default
+
+ Example: client ipc min protocol = SMB3_11
+
+ ldap server require strong auth (G)
+
+ The ldap server require strong auth defines whether the
+ ldap server requires ldap traffic to be signed or
+ signed and encrypted (sealed). Possible values are no,
+ allow_sasl_over_tls and yes.
+
+ A value of no allows simple and sasl binds over all transports.
+
+ A value of allow_sasl_over_tls allows simple and sasl binds (without sign or seal)
+ over TLS encrypted connections. Unencrypted connections only
+ allow sasl binds with sign or seal.
+
+ A value of yes allows only simple binds over TLS encrypted connections.
+ Unencrypted connections only allow sasl binds with sign or seal.
+
+ Default: ldap server require strong auth = yes
+
+ raw NTLMv2 auth (G)
+
+ This parameter determines whether or not smbd(8) will allow SMB1 clients
+ without extended security (without SPNEGO) to use NTLMv2 authentication.
+
+ If this option, lanman auth and ntlm auth are all disabled, then only
+ clients with SPNEGO support will be permitted. That means NTLMv2 is only
+ supported within NTLMSSP.
+
+ Default: raw NTLMv2 auth = no
+
+ tls verify peer (G)
+
+ This controls if and how strict the client will verify the peer's
+ certificate and name. Possible values are (in increasing order): no_check,
+ ca_only, ca_and_name_if_available, ca_and_name and as_strict_as_possible.
+
+ When set to no_check the certificate is not verified at all,
+ which allows trivial man in the middle attacks.
+
+ When set to ca_only the certificate is verified to be signed from a ca
+ specified in the "tls ca file" option. Setting "tls ca file" to a valid file
+ is required. The certificate lifetime is also verified. If the "tls crl file"
+ option is configured, the certificate is also verified against
+ the ca crl.
+
+ When set to ca_and_name_if_available all checks from ca_only are performed.
+ In addition, the peer hostname is verified against the certificate's
+ name, if it is provided by the application layer and not given as
+ an ip address string.
+
+ When set to ca_and_name all checks from ca_and_name_if_available are performed.
+ In addition the peer hostname needs to be provided and even an ip
+ address is checked against the certificate's name.
+
+ When set to as_strict_as_possible all checks from ca_and_name are performed.
+ In addition the "tls crl file" needs to be configured. Future versions
+ of Samba may implement additional checks.
+
+ Default: tls verify peer = as_strict_as_possible
+
+ tls priority (G) (backported from Samba 4.3 to Samba 4.2)
+
+ This option can be set to a string describing the TLS protocols to be
+ supported in the parts of Samba that use GnuTLS, specifically the AD DC.
+
+ The default turns off SSLv3, as this protocol is no longer considered
+ secure after CVE-2014-3566 (otherwise known as POODLE) impacted SSLv3 use
+ in HTTPS applications.
+
+ The valid options are described in the GNUTLS Priority-Strings
+ documentation at http://gnutls.org/manual/html_node/Priority-Strings.html
+
+ Default: tls priority = NORMAL:-VERS-SSL3.0
+
+================
+Behavior changes
+================
+
+o The default auth level for authenticated binds has changed from
+ DCERPC_AUTH_LEVEL_CONNECT to DCERPC_AUTH_LEVEL_INTEGRITY.
+ That means ncacn_ip_tcp:server is now implicitly the same
+ as ncacn_ip_tcp:server[sign] and offers a similar protection
+ as ncacn_np:server, which relies on smb signing.
+
+o The following constraints are applied to SMB1 connections:
+
+ - "client lanman auth = yes" is now consistently
+ required for authenticated connections using the
+ SMB1 LANMAN2 dialect.
+ - "client ntlmv2 auth = yes" and "client use spnego = yes"
+ (both the default values), require extended security (SPNEGO)
+ support from the server. That means NTLMv2 is only used within
+ NTLMSSP.
+
+o Tools like "samba-tool", "ldbsearch", "ldbedit" and more obey the
+ default of "client ldap sasl wrapping = sign". Even with
+ "client ldap sasl wrapping = plain" they will automatically upgrade
+ to "sign" when getting LDAP_STRONG_AUTH_REQUIRED from the LDAP
+ server.
+
+Changes since 4.2.9:
+====================
+
+o Jeremy Allison <jra at samba.org>
--
Samba Shared Repository
More information about the samba-cvs
mailing list