[SCM] Samba Shared Repository - branch v4-4-test updated

Stefan Metzmacher metze at samba.org
Tue Apr 12 19:10:13 UTC 2016


The branch, v4-4-test has been updated
       via  e8918a1 VERSION: Bump version up to 4.4.3...
       via  71de921 VERSION: Disable git snapshots for the 4.4.2 release.
       via  370b3dd WHATSNEW: Add release notes for Samba 4.4.2.
       via  87fb3b8 s3:libads: sasl wrapped LDAP connections against with kerberos and arcfour-hmac-md5
       via  bfc9525 VERSION: Bump version up to 4.4.2...
       via  c8180d1 VERSION: Disable git snapshots for the 4.4.1 release.
       via  bd94b86 WHATSNEW: Add release notes for Samba 4.4.1.
       via  13e3e81 CVE-2015-5370: s4:selftest: run samba.tests.dcerpc.raw_protocol against ad_dc
       via  2c6f01d CVE-2015-5370: python/samba/tests: add some dcerpc raw_protocol tests
       via  78b84d5 CVE-2015-5370: python/samba/tests: add infrastructure to do raw protocol tests for DCERPC
       via  9d953e2 CVE-2015-5370: s4:librpc/rpc: call dcerpc_connection_dead() on protocol errors
       via  4a496d3 CVE-2015-5370: s3:rpc_client: disconnect connection on protocol errors
       via  45a2445 CVE-2015-5370: libcli/smb: use a max timeout of 1 second in tstream_smbXcli_np_destructor()
       via  b65429f CVE-2015-5370: s3:rpc_server: verify auth_context_id in api_pipe_{bind_auth3,alter_context}
       via  97a0811 CVE-2015-5370: s3:rpc_client: verify auth_context_id in rpc_pipe_bind_step_one_done()
       via  49379e4 CVE-2015-5370: s3:librpc/rpc: verify auth_context_id in dcerpc_check_auth()
       via  518f8bb CVE-2015-5370: s3:librpc/rpc: make use of auth->auth_context_id in dcerpc_add_auth_footer()
       via  a663ad5 CVE-2015-5370: s3:rpc_server: make use of pipe_auth_data->auth_context_id
       via  a3fc86d CVE-2015-5370: s3:rpc_client: make use of pipe_auth_data->auth_context_id
       via  6d509e3 CVE-2015-5370: s3:librpc/rpc: add auth_context_id to struct pipe_auth_data
       via  57d5a84 CVE-2015-5370: s3:rpc_client: pass struct pipe_auth_data to create_rpc_{bind_auth3,alter_context}()
       via  e84519d CVE-2015-5370: s3:rpc_server: don't allow an existing context to be changed in check_bind_req()
       via  6fd2714 CVE-2015-5370: s3:rpc_server: check the transfer syntax in check_bind_req() first
       via  7b902c3 CVE-2015-5370: s3:librpc/rpc: remove unused dcerpc_pull_dcerpc_auth()
       via  5cfe5ec CVE-2015-5370: s3:rpc_server: use DCERPC_NCA_S_PROTO_ERROR FAULTs for protocol errors
       via  a9c46e8 CVE-2015-5370: s3:rpc_server: let a failing BIND mark the connection as broken
       via  9c2592f CVE-2015-5370: s3:rpc_server: disconnect the connection after a fatal FAULT pdu
       via  6456408 CVE-2015-5370: s3:rpc_server: make use of dcerpc_verify_ncacn_packet_header() to verify incoming pdus
       via  d2c964f CVE-2015-5370: s3:rpc_server: verify presentation context arrays
       via  218bd4a CVE-2015-5370: s3:rpc_server: use 'alter' instead of 'bind' for variables in api_pipe_alter_context()
       via  5148a26 CVE-2015-5370: s3:rpc_server: ensure that the message ordering doesn't violate the spec
       via  198ecf4 CVE-2015-5370: s3:rpc_server: make sure auth_level isn't changed by alter_context or auth3
       via  bf4a716 CVE-2015-5370: s3:rpc_server: let a failing auth3 mark the authentication as invalid
       via  087b363 CVE-2015-5370: s3:rpc_server: don't allow auth3 if the authentication was already finished
       via  e6cdac4 CVE-2015-5370: s3:rpc_server: don't ignore failures of dcerpc_push_ncacn_packet()
       via  56014f6 CVE-2015-5370: s3:rpc_server: just call pipe_auth_generic_bind() in api_pipe_bind_req()
       via  8c7d8c8 CVE-2015-5370: s3:rpc_server: let a failing sec_verification_trailer mark the connection as broken
       via  4c51c89 CVE-2015-5370: s3:rpc_server: make use of dcerpc_pull_auth_trailer() in api_pipe_{bind_req,alter_context,bind_auth3}()
       via  5c495ab CVE-2015-5370: s3:rpc_client: verify auth_{type,level} in rpc_pipe_bind_step_one_done()
       via  f4ef85f CVE-2015-5370: s3:rpc_client: protect rpc_api_pipe_got_pdu() against too large payloads
       via  654d8a5 CVE-2015-5370: s3:rpc_client: make use of dcerpc_verify_ncacn_packet_header() in cli_pipe_validate_current_pdu()
       via  dfab482 CVE-2015-5370: s3:rpc_client: make use of dcerpc_pull_auth_trailer()
       via  569781f CVE-2015-5370: s3:librpc/rpc: let dcerpc_check_auth() auth_{type,level} against the expected values.
       via  dd2c270 CVE-2015-5370: s3:librpc/rpc: remove auth trailer and possible padding within dcerpc_check_auth()
       via  b1b538a CVE-2015-5370: librpc/rpc: don't allow pkt->auth_length == 0 in dcerpc_pull_auth_trailer()
       via  ddd4d03 CVE-2015-5370: s4:rpc_server: reject DCERPC_PFC_FLAG_PENDING_CANCEL with DCERPC_FAULT_NO_CALL_ACTIVE
       via  7e682ed CVE-2015-5370: s4:rpc_server: the assoc_group is relative to the connection (association)
       via  9625f91 CVE-2015-5370: s4:rpc_server: only allow one fragmented call_id at a time
       via  2fd10be CVE-2015-5370: s4:rpc_server: limit allocation and alloc_hint to 4 MByte
       via  d1ffe41 CVE-2015-5370: s4:rpc_server: check frag_length for requests
       via  74347a4 CVE-2015-5370: s4:rpc_server: give the correct reject reasons for invalid auth_level values
       via  d7af609 CVE-2015-5370: s4:rpc_server: disconnect after a failing dcesrv_auth_request()
       via  a3008ec CVE-2015-5370: s4:rpc_server: let a failing auth3 mark the authentication as invalid
       via  6a9b4ca CVE-2015-5370: s4:rpc_server: failing authentication should generate a SEC_PKG_ERROR
       via  9e86b09 CVE-2015-5370: s4:rpc_server: fix the order of error checking in dcesrv_alter()
       via  3d075a4 CVE-2015-5370: s4:rpc_server: changing an existing presentation context via alter_context is a protocol error
       via  cace627 CVE-2015-5370: s4:rpc_server: don't dereference an empty ctx_list array in dcesrv_alter()
       via  bf333e9 CVE-2015-5370: s4:rpc_server: remove pointless dcesrv_find_context() from dcesrv_bind()
       via  e3775db CVE-2015-5370: s4:rpc_server: let invalid request fragments disconnect the connection with a protocol error
       via  e365d16 CVE-2015-5370: s4:rpc_server: make sure alter_context and auth3 can't change auth_{type,level,context_id}
       via  af03332e CVE-2015-5370: s4:rpc_server: maintain in and out struct dcerpc_auth per dcesrv_call_state
       via  503d08d CVE-2015-5370: s4:rpc_server: ensure that the message ordering doesn't violate the spec
       via  75d9b58 CVE-2015-5370: s4:rpc_server: verify the protocol headers before processing pdus
       via  e3c1c20 CVE-2015-5370: s4:rpc_server: add infrastructure to terminate a connection after a response
       via  b5d0de4 CVE-2015-5370: s4:rpc_server: make dcesrv_process_ncacn_packet() static
       via  c8a1adb CVE-2015-5370: s4:rpc_server: return the correct secondary_address in dcesrv_bind()
       via  a689216 CVE-2015-5370: s4:rpc_server: add some padding to dcesrv_bind_nak() responses
       via  eb16dfa CVE-2015-5370: s4:rpc_server: split out a dcesrv_fault_with_flags() helper function
       via  448435a CVE-2015-5370: s4:rpc_server: fill context_id in dcesrv_fault()
       via  7c2984a CVE-2015-5370: s4:rpc_server: set alloc_hint = 24 in dcesrv_fault()
       via  f9ed1a9 CVE-2015-5370: s4:rpc_server: avoid ZERO_STRUCT() in dcesrv_fault()
       via  83d93a8 CVE-2015-5370: s4:rpc_server: correctly maintain dcesrv_connection->max_{recv,xmit}_frag
       via  08ec7e7 CVE-2015-5370: s4:rpc_server/netlogon: make use of dce_call->conn->auth_state.auth_{level,type}
       via  62f8a54 CVE-2015-5370: s4:rpc_server/samr: make use of dce_call->conn->auth_state.auth_level
       via  8ad4695 CVE-2015-5370: s4:rpc_server/lsa: make use of dce_call->conn->auth_state.auth_{level,type}
       via  1ed3e26 CVE-2015-5370: s4:rpc_server: make use of dce_call->conn->auth_state.auth_* in dcesrv_request()
       via  dc15870 CVE-2015-5370: s4:rpc_server: maintain dcesrv_auth->auth_{type,level,context_id}
       via  58b1cdf CVE-2015-5370: s4:rpc_server: check the result of dcerpc_pull_auth_trailer() in dcesrv_auth_bind()
       via  8332714 CVE-2015-5370: s4:rpc_server: no authentication is indicated by pkt->auth_length == 0
       via  b0349be CVE-2015-5370: s4:rpc_server: make use of talloc_zero()
       via  7f348a7 CVE-2015-5370: s4:librpc/rpc: protect dcerpc_request_recv_data() against too large payloads
       via  50fc638 CVE-2015-5370: s4:librpc/rpc: use dcerpc_verify_ncacn_packet_header() to verify BIND_ACK,ALTER_RESP,RESPONSE pdus
       via  a96543e CVE-2015-5370: s4:librpc/rpc: handle DCERPC_PKT_FAULT before anything else in dcerpc_alter_context_recv_handler()
       via  f89c218 CVE-2015-5370: s4:librpc/rpc: make use of dcerpc_map_ack_reason() in dcerpc_bind_recv_handler()
       via  94de482 CVE-2015-5370: s3:rpc_client: remove useless frag_length check in rpc_api_pipe_got_pdu()
       via  f64f451 CVE-2015-5370: s3:rpc_client: move AS/U hack to the top of cli_pipe_validate_current_pdu()
       via  ac8910f CVE-2015-5370: librpc/rpc: add a dcerpc_verify_ncacn_packet_header() helper function
       via  d3bb3ef CVE-2015-5370: s4:librpc/rpc: finally verify the server uses the expected auth_{type,level,context_id} values
       via  e05c7dd CVE-2015-5370: s4:librpc/rpc: avoid using dcecli_security->auth_info and use per request values
       via  23f4243 CVE-2015-5370: s4:librpc/rpc: simplify checks if gensec is used in dcerpc_ship_next_request()
       via  33ee36e CVE-2015-5370: s4:librpc/rpc: avoid dereferencing sec->auth_info in dcerpc_request_prepare_vt()
       via  245fc41 CVE-2015-5370: s4:librpc/rpc: always use ncacn_pull_request_auth() for DCERPC_PKT_RESPONSE pdus
       via  4907895 CVE-2015-5370: s4:librpc/rpc: avoid using c->security_state.auth_info in ncacn_pull_request_auth()
       via  7ee85d6 CVE-2015-5370: s4:librpc/rpc: avoid using hs->p->conn->security_state.auth_info in dcerpc_bh_auth_info()
       via  25e48af CVE-2015-5370: s4:librpc/rpc: use a local auth_info variable in ncacn_push_request_sign()
       via  3f447f6 CVE-2015-5370: s4:librpc/rpc: use auth_context_id = 1
       via  32d8e05 CVE-2015-5370: s4:librpc/rpc: maintain dcecli_security->auth_{type,level,context_id}
       via  4867460 CVE-2015-5370: s4:librpc/rpc: send a dcerpc_sec_verification_trailer if needed
       via  b095508 CVE-2015-5370: s3:librpc/rpc: don't call dcerpc_pull_auth_trailer() if auth_length is 0
       via  b77eab0 CVE-2015-5370: librpc/rpc: simplify and harden dcerpc_pull_auth_trailer()
       via  22ab56d CVE-2015-5370: dcerpc.idl: add DCERPC_{NCACN_PAYLOAD,FRAG}_MAX_SIZE defines
       via  fa0d681 CVE-2016-2118: s3:rpc_server/samr: allow _samr_ValidatePassword only with PRIVACY...
       via  e675f63 CVE-2016-2118: s4:rpc_server/samr: allow _samr_ValidatePassword only with PRIVACY...
       via  f425bfd CVE-2016-2118: docs-xml: default "allow dcerpc auth level connect" to "no"
       via  6750ffd CVE-2016-2118: s3:rpc_server/{epmapper,echo}: allow DCERPC_AUTH_LEVEL_CONNECT by default
       via  ba69e95 CVE-2016-2118: s3:rpc_server/{samr,lsa,netlogon}: reject DCERPC_AUTH_LEVEL_CONNECT by default
       via  3133233 CVE-2016-2118: s3:rpc_server: make use of "allow dcerpc auth level connect"
       via  2e4f09b CVE-2016-2118: s4:rpc_server/rpcecho: allow DCERPC_AUTH_LEVEL_CONNECT by default
       via  36278e3 CVE-2016-2118: s4:rpc_server/mgmt: allow DCERPC_AUTH_LEVEL_CONNECT by default
       via  4862ee5 CVE-2016-2118: s4:rpc_server/epmapper: allow DCERPC_AUTH_LEVEL_CONNECT by default
       via  6568d5d CVE-2016-2118: s4:rpc_server/netlogon: reject DCERPC_AUTH_LEVEL_CONNECT by default
       via  34969d6 CVE-2016-2118: s4:rpc_server/samr: reject DCERPC_AUTH_LEVEL_CONNECT by default
       via  c98143b CVE-2016-2118: s4:rpc_server/lsa: reject DCERPC_AUTH_LEVEL_CONNECT by default
       via  1a3c82e CVE-2016-2118: s4:rpc_server: make use of "allow dcerpc auth level connect"
       via  2e9824e CVE-2016-2118: docs-xml: add "allow dcerpc auth level connect" defaulting to "yes"
       via  d565761 CVE-2016-2118: s4:librpc: use integrity by default for authenticated binds
       via  70ba7b0 CVE-2016-2118: librpc: change the default auth level from DCERPC_AUTH_LEVEL_CONNECT to DCERPC_AUTH_LEVEL_INTEGRITY
       via  6142767 CVE-2016-2118: s3: rpcclient: change the default auth level from DCERPC_AUTH_LEVEL_CONNECT to DCERPC_AUTH_LEVEL_INTEGRITY
       via  be98e7e CVE-2016-2118: s4:rpc_server/dnsserver: require at least DCERPC_AUTH_LEVEL_INTEGRITY
       via  5d4d8ec CVE-2016-2118: python:tests/dcerpc: use [sign] for dnsserver tests
       via  778dab9 CVE-2016-2118: s4:rpc_server/backupkey: require DCERPC_AUTH_LEVEL_PRIVACY
       via  e1de6ec CVE-2016-2118: s4:rpc_server/drsuapi: require DCERPC_AUTH_LEVEL_PRIVACY
       via  3502195 CVE-2016-2118: s4:rpc_server: make it possible to define a min_auth_level on a presentation context
       via  d8c3cf1 CVE-2016-2115: docs-xml: always default "client ipc signing" to "mandatory"
       via  e7ef30e CVE-2016-2115: s3:libsmb: use SMB_SIGNING_IPC_DEFAULT and lp_client_ipc_{min,max}_protocol()
       via  f76e6f9 CVE-2016-2115: s3:libnet: use SMB_SIGNING_IPC_DEFAULT
       via  084b20e CVE-2016-2115: s3:auth_domain: use SMB_SIGNING_IPC_DEFAULT
       via  fdd2807 CVE-2016-2115: s3:lib/netapi: use SMB_SIGNING_IPC_DEFAULT
       via  0422c64 CVE-2016-2115: net: use SMB_SIGNING_IPC_DEFAULT
       via  80102ed CVE-2016-2115: s3:libsmb: let SMB_SIGNING_IPC_DEFAULT use "client ipc min/max protocol"
       via  afda479 CVE-2016-2115: s3:libsmb: add signing constant SMB_SIGNING_IPC_DEFAULT
       via  1309832 CVE-2016-2115: s3:winbindd: use lp_client_ipc_signing()
       via  f1dea29 CVE-2016-2115: s3:winbindd: use lp_client_ipc_{min,max}_protocol()
       via  2c62a54 CVE-2016-2115: s4:librpc/rpc: make use of "client ipc *" options for ncacn_np
       via  dbe7a43 CVE-2016-2115: s4:libcli/raw: pass the minprotocol to smb_raw_negotiate*()
       via  ee4f114 CVE-2016-2115: s4:libcli/raw: limit maxprotocol to NT1 in smb_raw_negotiate*()
       via  f3da02a CVE-2016-2115: s4:libcli/smb2: use the configured min_protocol
       via  8466fe8 CVE-2016-2115: s4:libcli/raw: add smbcli_options.min_protocol
       via  863d419 CVE-2016-2115: docs-xml: add "client ipc signing" option
       via  39282d2 CVE-2016-2115: docs-xml: add "client ipc min protocol" and "client ipc max protocol" options
       via  09a7576 CVE-2016-2114: docs-xml: let the "smb signing" documentation reflect the reality
       via  2c3649c CVE-2016-2114: s3:smbd: enforce "server signing = mandatory"
       via  0b05bc9 CVE-2016-2114: libcli/smb: let mandatory signing imply allowed signing
       via  cc8bbc3 CVE-2016-2114: s3:smbd: use the correct default values for "smb signing"
       via  4177489 CVE-2016-2114: s4:smb2_server: fix session setup with required signing
       via  b2af10b CVE-2016-2113: docs-xml: let "tls verify peer" default to "as_strict_as_possible"
       via  2ced06d CVE-2016-2113: selftest: use "tls verify peer = no_check"
       via  5c94dfa CVE-2016-2113: selftest: test all "tls verify peer" combinations with ldaps
       via  660dbb8 CVE-2016-2113: s4:librpc/rpc: verify the rpc_proxy certificate and hostname if configured
       via  a443abe CVE-2016-2113: s4:libcli/ldap: verify the server certificate and hostname if configured
       via  cd4b292 CVE-2016-2113: s4:selftest: explicitly use '--option="tlsverifypeer=no_check" for some ldaps tests
       via  5ec881c CVE-2016-2113: docs-xml: add "tls verify peer" option defaulting to "no_check"
       via  36ec246 CVE-2016-2113: s4:lib/tls: implement infrastructure to do peer verification
       via  2d2ab58 CVE-2016-2113: s4:lib/tls: create better certificates and sign the host cert with the ca cert
       via  6db65fb CVE-2016-2112: docs-xml: change the default of "ldap server require strong auth" to "yes"
       via  5fbce21 CVE-2016-2112: s4:selftest: run some ldap test against ad_dc_ntvfs, fl2008r2dc and fl2003dc
       via  39c169b CVE-2016-2112: selftest: servers with explicit "ldap server require strong auth" options
       via  d68c225 CVE-2016-2112: s4:selftest: run samba4.ldap.bind against fl2008r2dc
       via  f44664d CVE-2016-2112: s4:ldap_server: implement "ldap server require strong auth" option
       via  8105ff1 CVE-2016-2112: docs-xml: add "ldap server require strong auth" option
       via  483a926 CVE-2016-2112: s4:ldap_server: reduce scope of old_session_info variable
       via  52ae0cc CVE-2016-2112: s4:selftest: use --option=clientldapsaslwrapping=plain for plain connections
       via  c4f9336 CVE-2016-2112: s4:libcli/ldap: auto upgrade to SIGN after STRONG_AUTH_REQUIRED
       via  01acb21 CVE-2016-2112: s4:libcli/ldap: make sure we detect downgrade attacks
       via  76b1826 CVE-2016-2112: s4:libcli/ldap: honour "client ldap sasl wrapping" option
       via  187e32b CVE-2016-2112: s3:libads: make sure we detect downgrade attacks
       via  0d2e185 CVE-2016-2111: docs-xml/smbdotconf: default "raw NTLMv2 auth" to "no"
       via  be45c4b CVE-2016-2111: selftest:Samba3: use "raw NTLMv2 auth = yes" for nt4_dc
       via  ae29971 CVE-2016-2111: s4:smb_server: implement "raw NTLMv2 auth" checks
       via  560213f CVE-2016-2111: s3:auth: implement "raw NTLMv2 auth" checks
       via  5d69272 CVE-2016-2111: docs-xml: add "raw NTLMv2 auth" defaulting to "yes"
       via  7bad35b CVE-2016-2111: docs-xml: document the new "client NTLMv2 auth" and "client use spnego" interaction
       via  f5035af CVE-2016-2111: s3:libsmb: don't send a raw NTLMv2 response when we want to use spnego
       via  acd6697 CVE-2016-2111: s4:libcli: don't send a raw NTLMv2 response when we want to use spnego
       via  7e5966f CVE-2016-2111: s4:param: use "client use spnego" to initialize options->use_spnego
       via  dc359da CVE-2016-2111: s4:libcli: don't allow the LANMAN2 session setup without "client lanman auth = yes"
       via  379604a CVE-2016-2111: s4:torture/base: don't use ntlmv2 for dos connection in base.samba3error
       via  7f303d7 CVE-2016-2111: s4:torture/raw: don't use ntlmv2 for dos connection in raw.samba3badpath
       via  b38d560 CVE-2016-2111: s3:rpc_server/netlogon: check NTLMv2_RESPONSE values for SEC_CHAN_WKSTA
       via  54fef0f CVE-2016-2111: s4:rpc_server/netlogon: check NTLMv2_RESPONSE values for SEC_CHAN_WKSTA
       via  8421d13 CVE-2016-2111: libcli/auth: add NTLMv2_RESPONSE_verify_netlogon_creds() helper function
       via  80401c9 CVE-2016-2111: s4:torture/rpc: fix rpc.pac ntlmv2 test
       via  a193154 CVE-2016-2111: s4:torture/rpc: fix rpc.samba3.netlogon ntlmv2 test
       via  ab0e71b CVE-2016-2111: s3:rpc_server/netlogon: require DCERPC_AUTH_LEVEL_PRIVACY for validation level 6
       via  aaf3893 CVE-2016-2111: s4:rpc_server/netlogon: require DCERPC_AUTH_LEVEL_PRIVACY for validation level 6
       via  1d33ade CVE-2016-2111: s3:rpc_server/netlogon: always go through netr_creds_server_step_check()
       via  d960002 CVE-2016-2111: s4:rpc_server: implement 'server schannel = yes' restriction
       via  e1101a6 CVE-2016-2111: auth/gensec: correctly report GENSEC_FEATURE_{SIGN,SEAL} in schannel_have_feature()
       via  0654735 CVE-2016-2111: auth/gensec: require DCERPC_AUTH_LEVEL_INTEGRITY or higher in schannel_update()
       via  861b86d CVE-2016-2110: auth/ntlmssp: implement new_spnego support including MIC generation (as client)
       via  4956428 CVE-2016-2110: auth/ntlmssp: implement new_spnego support including MIC checking (as server)
       via  c5032e9 CVE-2016-2110: ntlmssp.idl: add NTLMSSP_MIC_{OFFSET,SIZE}
       via  d35bc35 CVE-2016-2110: libcli/auth: pass server_timestamp to SMBNTLMv2encrypt_hash()
       via  f77cf81 CVE-2016-2110: auth/credentials: pass server_timestamp to cli_credentials_get_ntlm_response()
       via  95af5d9 CVE-2016-2110: auth/credentials: clear the LMv2 key for NTLMv2 in cli_credentials_get_ntlm_response()
       via  769eec8 CVE-2016-2110: auth/ntlmssp: implement gensec_ntlmssp_may_reset_crypto()
       via  6b0ee68 CVE-2016-2110: auth/ntlmssp: call ntlmssp_sign_init if we provide GENSEC_FEATURE_SIGN
       via  6675796 CVE-2016-2110: auth/gensec: add gensec_may_reset_crypto() infrastructure
       via  ce87fef CVE-2016-2110: auth/gensec: require spnego mechListMIC exchange for new_spnego backends
       via  6a56dd2 CVE-2016-2110: auth/gensec: fix the client side of a spnego downgrade
       via  77d59f1 CVE-2016-2110: auth/gensec: fix the client side of a new_spnego exchange
       via  beb1f96 CVE-2016-2110: libcli/auth: add SPNEGO_REQUEST_MIC to enum spnego_negResult
       via  3a934e1 CVE-2016-2110: libcli/auth: use enum spnego_negResult instead of uint8_t
       via  fc3582b CVE-2016-2110: winbindd: add new_spnego to the WINBINDD_CCACHE_NTLMAUTH response
       via  03ccba7 CVE-2016-2110: auth/ntlmssp: let gensec_ntlmssp_client_start require NTLM2 (EXTENDED_SESSIONSECURITY) when using ntlmv2
       via  45a1008 CVE-2016-2110: auth/ntlmssp: let gensec_ntlmssp_client_start require flags depending on the requested features
       via  67787ff CVE-2016-2110: auth/ntlmssp: don't let ntlmssp_handle_neg_flags() change ntlmssp_state->use_ntlmv2
       via  5b86a859 CVE-2016-2110: auth/ntlmssp: don't allow a downgrade from NTLMv2 to LM_AUTH
       via  e6e8da9 CVE-2016-2110: auth/ntlmssp: split allow_lm_response from allow_lm_key
       via  00d1eaa9 CVE-2016-2110: auth/ntlmssp: maintain conf_flags and required_flags variables
       via  ebd79e5 CVE-2016-2110: auth/ntlmssp: let ntlmssp_handle_neg_flags() return NTSTATUS
       via  1437724 s3:ntlm_auth: pass manage_squid_request() needs a valid struct ntlm_auth_state from within get_password()
       via  b4125aa s3:rpc_server/samr: correctly handle session_extract_session_key() failures
       via  54cd107 s4:selftest: run rpc.netlogon.admin also over ncalrpc and ncacn_ip_tcp
       via  40b3284 libads: Fix CID 1356316 Uninitialized pointer read
       via  9af768f libsmb: Fix CID 1356312 Explicit null dereferenced
       via  9f3ae00 s3-auth: check for return code of cli_credentials_set_machine_account().
       via  1b646bb s4-smb_server: check for return code of cli_credentials_set_machine_account().
       via  168b015 s4:rpc_server: require access to the machine account credentials
       via  cbeff28 auth/gensec: split out a gensec_verify_dcerpc_auth_level() function
       via  2779ec8 auth/gensec: make sure gensec_security_by_auth_type() returns NULL for AUTH_TYPE_NONE
       via  2c1fa78 s4:torture/rpc/schannel: don't use validation level 6 without privacy
       via  eef3a10 s4:torture/rpc: correctly use torture_skip() for test_ManyGetDCName() without NCACN_NP
       via  dba5783 s4:torture/rpc/samlogon: use DCERPC_SEAL for netr_LogonSamLogonEx and validation level 6
       via  8dea510 s4:torture/rpc/samr: use DCERPC_SEAL in setup_schannel_netlogon_pipe()
       via  10eda28 s4:torture/netlogon: add/use test_SetupCredentialsPipe() helper function
       via  402d4ac s3:test_rpcclient_samlogon.sh: test samlogon with schannel
       via  ff65d5b s3:selftest: rpc.samr.passwords.validate should run with [seal] in order to be realistic
       via  8b90698 selftest: setup information of new samba.example.com CA in the client environment
       via  46fa417 selftest: set tls crlfile if it exist
       via  5e62983 selftest: use Samba::prepare_keyblobs() and use the certs from the new CA
       via  0e5d2dd selftest: add Samba::prepare_keyblobs() helper function
       via  91d2c97 selftest: mark commands in manage-CA-samba.example.com.sh as DONE
       via  bbb66a9 selftest: add CA-samba.example.com (non-binary) files
       via  6a09084 selftest: add config and script to create a samba.example.com CA
       via  03479af selftest: add some helper scripts to manage a CA
       via  da66e65 selftest: s!addc.samba.example.com!addom.samba.example.com!
       via  df14c6a s4:rpc_server: dcesrv_generic_session_key should only work on local transports
       via  bb63122 s4:rpc_server/samr: hide a possible NO_USER_SESSION_KEY error
       via  511dfb4 s4:librpc/rpc: dcerpc_generic_session_key() should only be available on local transports
       via  934f731 s4:torture:samba3rpc: use an authenticated SMB connection and an anonymous DCERPC connection on top
       via  fe4cdee s4:selftest: run rpc.samr over ncacn_np instead of ncacn_ip_tcp
       via  528db7f s4:torture: the backupkey tests need to use ncacn_np: for LSA calls
       via  b282ac7 s4:torture/rpc: do testjoin only via ncalrpc or ncacn_np
       via  5a8126d s3:libsmb: remove unused functions in clispnego.c
       via  506ac99 s3:libsmb: remove unused cli_session_setup_kerberos*() functions
       via  d1921c6 s3:libsmb: make use of cli_session_setup_gensec*() for Kerberos
       via  a167728 s3:libsmb: call cli_state_remote_realm() within cli_session_setup_spnego_send()
       via  a7f8e94 s3:libsmb: provide generic cli_session_setup_gensec_send/recv() pair
       via  4b55e96 s3:libsmb: let cli_session_setup_ntlmssp*() use gensec_update_send/recv()
       via  20c847f s3:libsmb: unused ntlmssp.c
       via  7767d82 s3:libsmb: make use gensec based SPNEGO/NTLMSSP
       via  a16bbec s3:libads: make use of ads_sasl_spnego_gensec_bind() for GSS-SPNEGO with Kerberos
       via  6507d6f s3:libads: keep service and hostname separately in ads_service_principal
       via  1571a9f s3:libads: don't pass given_principal to ads_generate_service_principal() anymore.
       via  8e7229d s3:libads: provide a generic ads_sasl_spnego_gensec_bind() function
       via  468c68c s3:libads: make use of GENSEC_OID_SPNEGO in ads_sasl_spnego_ntlmssp_bind()
       via  ea56849 s3:libads: make use of GENSEC_FEATURE_LDAP_STYLE
       via  52629ac s3:libads: add missing TALLOC_FREE(frame) in error path
       via  c5da725 s4:ldap_server: make use of GENSEC_FEATURE_LDAP_STYLE
       via  0577097 s4:selftest: simplify the loops over samba4.ldb.ldap
       via  ff77277 s4:selftest: we don't need to run ldap test with --option=socket:testnonblock=true
       via  f74c031 s4:libcli/ldap: fix retry authentication after a bad password
       via  2ace844 s4:libcli/ldap: make use of GENSEC_FEATURE_LDAP_STYLE
       via  482555b auth/ntlmssp: remove ntlmssp_unwrap() fallback for LDAP
       via  8f747f6 auth/ntlmssp: add more compat for GENSEC_FEATURE_LDAP_STYLE
       via  2a496ba auth/ntlmssp: implement GENSEC_FEATURE_LDAP_STYLE
       via  eafd97e auth/gensec: add GENSEC_FEATURE_LDAP_STYLE define
       via  c9edc04 auth/ntlmssp: use ndr_push_AV_PAIR_LIST in gensec_ntlmssp_server_negotiate().
       via  5c61712 librpc/ndr: add ndr_ntlmssp_find_av() helper function
       via  92d7499 ntlmssp.idl: make AV_PAIR_LIST public
       via  e2e7ffe ntlmssp.idl: MsAvRestrictions is MsvAvSingleHost now
       via  159be66 security.idl: add LSAP_TOKEN_INFO_INTEGRITY
       via  62d31f6 auth/ntlmssp: use ntlmssp_version_blob() in the server
       via  47cebc5 auth/ntlmssp: let the client always include NTLMSSP_NEGOTIATE_VERSION
       via  423f193 auth/ntlmssp: add ntlmssp_version_blob()
       via  28725ef auth/ntlmssp: don't send domain and workstation in the NEGOTIATE_MESSAGE
       via  7494612 auth/ntlmssp: set NTLMSSP_ANONYMOUS for anonymous authentication
       via  3adc8f5 auth/ntlmssp: define all client neg_flags in gensec_ntlmssp_client_start()
       via  2e40c60 auth/ntlmssp: NTLMSSP_NEGOTIATE_VERSION is not a negotiated option
       via  2663f44 auth/ntlmssp: split out a debug_ntlmssp_flags_raw() that's more complete
       via  75bdf52 s3:ntlm_auth: also use gensec for "ntlmssp-client-1" and "gss-spnego-client"
       via  b57c0e7 winbindd: make use of ntlmssp_resume_ccache backend for WINBINDD_CCACHE_NTLMAUTH
       via  8f69094 s3:auth_generic: add "ntlmssp_resume_ccache" backend in auth_generic_client_prepare()
       via  cb0719d auth/ntlmssp: implement GENSEC_FEATURE_NTLM_CCACHE
       via  333e02b auth/gensec: add GENSEC_FEATURE_NTLM_CCACHE define
       via  4e2e1f6 auth/ntlmssp: provide a "ntlmssp_resume_ccache" backend
       via  4f94262 s3:ntlmssp: remove unused libsmb/ntlmssp_wrap.c
       via  17d6b17 s3:auth_generic: make use of the top level NTLMSSP client code
       via  6ed7942 winbindd: pass an memory context to do_ntlm_auth_with_stored_pw()
       via  eab2039 s3:tests/test_ntlm_auth_s3: test ntlmssp-client-1 with cached credentials
       via  06e6d37 s3:torture/test_ntlm_auth.py: add --client-use-cached-creds option
       via  b8eabce s3:torture/test_ntlm_auth.py: replace tabs with whitespaces
       via  6b766dc s3:ntlm_auth: fix --use-cached-creds with ntlmssp-client-1
       via  c6aef8c auth/ntlmssp: add gensec_ntlmssp_server_domain()
       via  3d0fc91 auth/ntlmssp: keep ntlmssp_state->server.netbios_domain on the correct talloc context
       via  76e22d9 s3:auth_generic: add auth_generic_client_start_by_sasl()
       via  4f97bcb s3:auth_generic: add auth_generic_client_start_by_name()
       via  1317625 auth/gensec: make gensec_security_by_name() public
       via  967282e auth/gensec: handle gensec_security_by_sasl_name(NULL, ...)
       via  7cad825 auth/gensec: keep a pointer to a possible child/sub gensec_security context
       via  9e8749a s4:pygensec: make sig_size() and sign/check_packet() available
       via  028c609 s3:librpc/gse: implement gensec_gse_max_{input,wrapped}_size()
       via  8614c6c s3:librpc/gse: don't log gss_acquire_creds failed at level 0
       via  1448dba s3:librpc/gse: correctly support GENSEC_FEATURE_SESSION_KEY
       via  55b0f3c s3:librpc/gse: set GSS_KRB5_CRED_NO_CI_FLAGS_X in gse_init_client() if available
       via  b10c1db s3:librpc/gse: fix debug message in gse_init_client()
       via  73f2fa6 s3:librpc/gse: make use of GSS_C_EMPTY_BUFFER in gse_init_client
       via  26d4f25 wscript_configure_system_mitkrb5: add configure checks for GSS_KRB5_CRED_NO_CI_FLAGS_X
       via  1a5f082 s3:libads: remove unused ads_connect_gc()
       via  93332f4 s4:librpc/rpc: map alter context SEC_PKG_ERROR to NT_STATUS_LOGON_FAILURE
       via  d356450 librpc/rpc: add error mappings for NO_CALL_ACTIVE, OUT_OF_RESOURCES and BAD_STUB_DATA
       via  6ea3642 dcerpc.idl: make WERROR RPC faults available in ndr_print output
       via  b6a1b04 epmapper.idl: make epm_twr_t available in python bindings
       via  557fc14 s3:selftest: run samba3.blackbox.smbclient_auth.plain also with $SERVER_IPV6
       via  338e1a9 s3:test_smbclient_auth.sh: test using the ip address in the unc path (incl. ipv6-literal.net)
       via  c51b125 lib/util_net: add support for .ipv6-literal.net
       via  b0c603c lib/util_net: move ipv6 linklocal handling into interpret_string_addr_internal()
       via  84f8c9a spnego: Correctly check asn1_tag_remaining retval
       via  4d73b84 s4:torture/ntlmssp fix a compiler warning
       via  2e8f4c8 s4-torture: flesh out ntlmssp_AUTHENTICATE_MESSAGE_check().
       via  baa0a10 s4-torture: add ndr pullpush validation for NTLMSSP CHALLENGE and AUTHENTICATE messages.
       via  f39d6d4 s4-torture: flesh out ntlmssp_CHALLENGE_MESSAGE_check().
       via  dd6b293 s4-torture: activate testing of CHALLENGE and AUTHENTICATE ntlmssp messages.
       via  98466ff s4-torture: fill in ntlmssp_NEGOTIATE_MESSAGE_check().
       via  b1f72ca ntlmssp: when pulling messages it is important to clear memory first.
       via  3b93cf0 ntlmssp: properly document version defines in IDL (from MS-NLMP).
       via  9ed62a3 ntlmssp: fix copy/paste typo in CHALLENGE_MESSAGE in IDL.
       via  0c1671a ntlmssp: add some missing defines from MS-NLMP to our IDL.
      from  2a33a44 VERSION: Bump version up to 4.0.1...

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-4-test


- Log -----------------------------------------------------------------
commit e8918a1ae21081189b24a87e167bcca4ba962ded
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Apr 12 21:08:22 2016 +0200

    VERSION: Bump version up to 4.4.3...
    
    and re-enable git snapshots.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 VERSION                                            |    2 +-
 WHATSNEW.txt                                       |  550 ++++
 auth/credentials/credentials.h                     |    5 +-
 auth/credentials/credentials_ntlm.c                |   12 +-
 auth/gensec/gensec.c                               |  113 +-
 auth/gensec/gensec.h                               |    4 +
 auth/gensec/gensec_internal.h                      |    7 +
 auth/gensec/gensec_start.c                         |   18 +-
 auth/gensec/schannel.c                             |   22 +-
 auth/gensec/spnego.c                               |  289 ++-
 auth/ntlmssp/gensec_ntlmssp.c                      |    9 +
 auth/ntlmssp/gensec_ntlmssp_server.c               |   44 +-
 auth/ntlmssp/ntlmssp.c                             |   91 +-
 auth/ntlmssp/ntlmssp.h                             |   17 +
 auth/ntlmssp/ntlmssp_client.c                      |  513 +++-
 auth/ntlmssp/ntlmssp_ndr.c                         |    1 +
 auth/ntlmssp/ntlmssp_private.h                     |   10 +-
 auth/ntlmssp/ntlmssp_server.c                      |  424 +++-
 auth/ntlmssp/ntlmssp_sign.c                        |  103 +-
 auth/ntlmssp/ntlmssp_util.c                        |  176 +-
 auth/ntlmssp/wscript_build                         |    2 +-
 .../ldap/ldapserverrequirestrongauth.xml           |   26 +
 .../smbdotconf/protocol/clientipcmaxprotocol.xml   |   29 +
 .../smbdotconf/protocol/clientipcminprotocol.xml   |   29 +
 docs-xml/smbdotconf/protocol/clientmaxprotocol.xml |    9 +-
 docs-xml/smbdotconf/protocol/clientminprotocol.xml |    6 +
 docs-xml/smbdotconf/protocol/clientusespnego.xml   |    5 +
 .../security/allowdcerpcauthlevelconnect.xml       |   27 +
 docs-xml/smbdotconf/security/clientipcsigning.xml  |   26 +
 docs-xml/smbdotconf/security/clientntlmv2auth.xml  |    5 +
 docs-xml/smbdotconf/security/clientsigning.xml     |   12 +-
 docs-xml/smbdotconf/security/rawntlmv2auth.xml     |   19 +
 docs-xml/smbdotconf/security/serversigning.xml     |    2 +-
 docs-xml/smbdotconf/security/tlsverifypeer.xml     |   47 +
 lib/param/loadparm.c                               |   47 +-
 lib/param/loadparm.h                               |    6 +
 lib/param/param_table.c                            |   27 +
 lib/util/util_net.c                                |  247 +-
 lib/util/util_net.h                                |    1 +
 libcli/auth/proto.h                                |    6 +
 libcli/auth/smbencrypt.c                           |  170 +-
 libcli/auth/spnego.h                               |    8 +-
 libcli/auth/spnego_parse.c                         |    5 +-
 libcli/smb/smbXcli_base.c                          |    1 +
 libcli/smb/smb_constants.h                         |    1 +
 libcli/smb/smb_signing.c                           |    4 +
 libcli/smb/tstream_smbXcli_np.c                    |    4 +
 librpc/idl/dcerpc.idl                              |   15 +-
 librpc/idl/epmapper.idl                            |    2 +-
 librpc/idl/ntlmssp.idl                             |   48 +-
 librpc/idl/security.idl                            |    9 +
 librpc/ndr/ndr_ntlmssp.c                           |   16 +
 librpc/ndr/ndr_ntlmssp.h                           |    2 +
 librpc/rpc/binding.c                               |    2 +-
 librpc/rpc/dcerpc_error.c                          |    6 +-
 librpc/rpc/dcerpc_util.c                           |  141 +-
 librpc/rpc/rpc_common.h                            |    9 +-
 nsswitch/libwbclient/wbc_pam.c                     |   21 +-
 nsswitch/winbind_struct_protocol.h                 |    1 +
 python/samba/tests/__init__.py                     |  525 ++++
 python/samba/tests/dcerpc/dnsserver.py             |    2 +-
 python/samba/tests/dcerpc/raw_protocol.py          | 2623 ++++++++++++++++++++
 selftest/knownfail                                 |   28 +
 .../DC-addc.addom.samba.example.com-S02-cert.pem   |  191 ++
 .../DC-addc.addom.samba.example.com-S02-key.pem    |   54 +
 ...DC-addc.addom.samba.example.com-S02-openssl.cnf |  250 ++
 ...ddc.addom.samba.example.com-S02-private-key.pem |   51 +
 .../DC-addc.addom.samba.example.com-S02-req.pem    |   30 +
 .../DC-addc.addom.samba.example.com-cert.pem       |    1 +
 ...DC-addc.addom.samba.example.com-private-key.pem |    1 +
 .../DC-localdc.samba.example.com-S00-cert.pem      |  190 ++
 .../DC-localdc.samba.example.com-S00-key.pem       |   54 +
 .../DC-localdc.samba.example.com-S00-openssl.cnf   |  250 ++
 ...C-localdc.samba.example.com-S00-private-key.pem |   51 +
 .../DC-localdc.samba.example.com-S00-req.pem       |   30 +
 .../DC-localdc.samba.example.com-cert.pem          |    1 +
 .../DC-localdc.samba.example.com-private-key.pem   |    1 +
 .../manage-ca/CA-samba.example.com/NewCerts/00.pem |  190 ++
 .../manage-ca/CA-samba.example.com/NewCerts/01.pem |  169 ++
 .../manage-ca/CA-samba.example.com/NewCerts/02.pem |  191 ++
 .../manage-ca/CA-samba.example.com/NewCerts/03.pem |  169 ++
 .../Private/CA-samba.example.com-crlnumber.txt     |    1 +
 .../Private/CA-samba.example.com-crlnumber.txt.old |    1 +
 .../Private/CA-samba.example.com-index.txt         |    4 +
 .../Private/CA-samba.example.com-index.txt.attr    |    1 +
 .../CA-samba.example.com-index.txt.attr.old        |    1 +
 .../Private/CA-samba.example.com-index.txt.old     |    3 +
 .../Private/CA-samba.example.com-openssl.cnf       |  203 ++
 .../Private/CA-samba.example.com-private-key.pem   |  102 +
 .../Private/CA-samba.example.com-serial.txt        |    1 +
 .../Private/CA-samba.example.com-serial.txt.old    |    1 +
 .../Public/CA-samba.example.com-cert.pem           |   62 +
 .../Public/CA-samba.example.com-crl.pem            |   32 +
 ...inistrator at addom.samba.example.com-S03-cert.pem |  169 ++
 ...ministrator at addom.samba.example.com-S03-key.pem |   30 +
 ...strator at addom.samba.example.com-S03-openssl.cnf |  242 ++
 ...tor at addom.samba.example.com-S03-private-key.pem |   27 +
 ...ministrator at addom.samba.example.com-S03-req.pem |   19 +
 ...-administrator at addom.samba.example.com-cert.pem |    1 +
 ...strator at addom.samba.example.com-private-key.pem |    1 +
 ...ER-administrator at samba.example.com-S01-cert.pem |  169 ++
 ...SER-administrator at samba.example.com-S01-key.pem |   30 +
 ...administrator at samba.example.com-S01-openssl.cnf |  242 ++
 ...nistrator at samba.example.com-S01-private-key.pem |   27 +
 ...SER-administrator at samba.example.com-S01-req.pem |   19 +
 .../USER-administrator at samba.example.com-cert.pem  |    1 +
 ...administrator at samba.example.com-private-key.pem |    1 +
 selftest/manage-ca/manage-CA-samba.example.com.cnf |   21 +
 selftest/manage-ca/manage-CA-samba.example.com.sh  |   18 +
 selftest/manage-ca/manage-ca.sh                    |  387 +++
 .../manage-CA-example.com.cnf                      |   17 +
 .../openssl-BASE-template.cnf                      |  201 ++
 .../manage-ca.templates.d/openssl-CA-template.cnf  |    2 +
 .../manage-ca.templates.d/openssl-DC-template.cnf  |   49 +
 .../openssl-USER-template.cnf                      |   41 +
 selftest/selftest.pl                               |   40 +
 selftest/target/Samba.pm                           |  105 +
 selftest/target/Samba3.pm                          |    1 +
 selftest/target/Samba4.pm                          |  232 +-
 source3/auth/auth_domain.c                         |    2 +-
 source3/auth/auth_samba4.c                         |    4 +-
 source3/auth/auth_util.c                           |   15 +
 source3/include/auth_generic.h                     |    7 +-
 source3/include/proto.h                            |   48 +-
 source3/lib/netapi/cm.c                            |    2 +-
 source3/libads/ads_proto.h                         |    1 -
 source3/libads/ldap.c                              |  134 -
 source3/libads/sasl.c                              |  671 ++---
 source3/libnet/libnet_join.c                       |    6 +-
 source3/librpc/crypto/gse.c                        |   81 +-
 source3/librpc/rpc/dcerpc.h                        |   10 +-
 source3/librpc/rpc/dcerpc_helpers.c                |   98 +-
 source3/libsmb/auth_generic.c                      |   51 +-
 source3/libsmb/cliconnect.c                        |  669 ++---
 source3/libsmb/clientgen.c                         |    9 +
 source3/libsmb/clispnego.c                         |  282 ---
 source3/libsmb/ntlmssp.c                           |  765 ------
 source3/libsmb/ntlmssp_wrap.c                      |  135 -
 source3/libsmb/passchange.c                        |    7 +-
 source3/param/loadparm.c                           |   43 +-
 source3/rpc_client/cli_pipe.c                      |  314 ++-
 source3/rpc_server/netlogon/srv_netlog_nt.c        |   57 +-
 source3/rpc_server/rpc_handles.c                   |    1 +
 source3/rpc_server/rpc_ncacn_np.c                  |    3 +-
 source3/rpc_server/rpc_pipes.h                     |   11 +
 source3/rpc_server/rpc_server.c                    |   12 +
 source3/rpc_server/samr/srv_samr_nt.c              |   21 +-
 source3/rpc_server/srv_pipe.c                      |  494 ++--
 source3/rpcclient/rpcclient.c                      |    5 +-
 source3/script/tests/test_ntlm_auth_s3.sh          |    2 +
 source3/script/tests/test_rpcclient_samlogon.sh    |   11 +-
 source3/script/tests/test_smbclient_auth.sh        |   11 +
 source3/selftest/tests.py                          |    7 +-
 source3/smbd/negprot.c                             |    6 +-
 source3/smbd/sesssetup.c                           |    4 +-
 source3/smbd/smb2_negprot.c                        |   10 +-
 source3/smbd/smb2_sesssetup.c                      |    3 +-
 source3/torture/test_ntlm_auth.py                  |  553 +++--
 source3/utils/net_ads.c                            |    2 +-
 source3/utils/net_rpc.c                            |    2 +-
 source3/utils/net_util.c                           |    2 +-
 source3/utils/ntlm_auth.c                          |  803 +-----
 source3/winbindd/winbindd_ccache_access.c          |   44 +-
 source3/winbindd/winbindd_cm.c                     |    6 +-
 source3/wscript_build                              |   10 +-
 source4/auth/gensec/pygensec.c                     |   83 +
 source4/auth/ntlm/auth_util.c                      |    4 +-
 source4/ldap_server/ldap_bind.c                    |   50 +-
 source4/ldap_server/ldap_server.c                  |    6 +
 source4/ldap_server/ldap_server.h                  |    2 +
 source4/lib/tls/tls.h                              |   23 +
 source4/lib/tls/tls_tstream.c                      |  249 ++
 source4/lib/tls/tlscert.c                          |   18 +-
 source4/lib/tls/wscript                            |    5 +
 source4/libcli/cliconnect.c                        |    2 +-
 source4/libcli/ldap/ldap_bind.c                    |   62 +-
 source4/libcli/ldap/ldap_client.c                  |    9 +-
 source4/libcli/raw/libcliraw.h                     |    1 +
 source4/libcli/raw/rawnegotiate.c                  |   11 +-
 source4/libcli/smb2/connect.c                      |    7 +-
 source4/libcli/smb_composite/connect.c             |    1 +
 source4/libcli/smb_composite/sesssetup.c           |   35 +-
 source4/librpc/rpc/dcerpc.c                        |  351 ++-
 source4/librpc/rpc/dcerpc.h                        |   14 +-
 source4/librpc/rpc/dcerpc_auth.c                   |   93 +-
 source4/librpc/rpc/dcerpc_connect.c                |   22 +
 source4/librpc/rpc/dcerpc_roh.c                    |   13 +-
 source4/librpc/rpc/dcerpc_util.c                   |   22 +-
 source4/param/loadparm.c                           |    3 +-
 source4/rpc_server/backupkey/dcesrv_backupkey.c    |   13 +-
 .../backupkey/dcesrv_backupkey_heimdal.c           |   12 +-
 source4/rpc_server/common/reply.c                  |   49 +-
 source4/rpc_server/dcerpc_server.c                 |  812 ++++--
 source4/rpc_server/dcerpc_server.h                 |   57 +-
 source4/rpc_server/dcesrv_auth.c                   |  261 +-
 source4/rpc_server/dcesrv_mgmt.c                   |    8 +
 source4/rpc_server/dnsserver/dcerpc_dnsserver.c    |    8 +
 source4/rpc_server/drsuapi/dcesrv_drsuapi.c        |    8 +
 source4/rpc_server/echo/rpc_echo.c                 |    7 +
 source4/rpc_server/epmapper/rpc_epmapper.c         |    8 +
 source4/rpc_server/handles.c                       |    8 +-
 source4/rpc_server/lsa/dcesrv_lsa.c                |    8 +
 source4/rpc_server/lsa/lsa_lookup.c                |   12 +-
 source4/rpc_server/netlogon/dcerpc_netlogon.c      |   46 +-
 source4/rpc_server/remote/dcesrv_remote.c          |    8 +-
 source4/rpc_server/samr/dcesrv_samr.c              |   12 +
 source4/rpc_server/samr/samr_password.c            |   25 +-
 source4/selftest/tests.py                          |   75 +-
 source4/smb_server/smb/negprot.c                   |    6 +-
 source4/smb_server/smb/sesssetup.c                 |   10 +
 source4/smb_server/smb2/negprot.c                  |    7 +-
 source4/smb_server/smb2/sesssetup.c                |    8 -
 source4/torture/basic/base.c                       |   20 +-
 source4/torture/ndr/ntlmssp.c                      |  183 +-
 source4/torture/raw/samba3misc.c                   |    7 +
 source4/torture/rpc/backupkey.c                    |   19 +-
 source4/torture/rpc/backupkey_heimdal.c            |   19 +-
 source4/torture/rpc/forest_trust.c                 |   12 +-
 source4/torture/rpc/lsa.c                          |   14 +-
 source4/torture/rpc/netlogon.c                     |  101 +-
 source4/torture/rpc/netlogon.h                     |    7 +
 source4/torture/rpc/remote_pac.c                   |   39 +-
 source4/torture/rpc/samba3rpc.c                    |   61 +-
 source4/torture/rpc/samlogon.c                     |    3 +-
 source4/torture/rpc/samr.c                         |    4 +-
 source4/torture/rpc/schannel.c                     |   29 +-
 source4/torture/rpc/testjoin.c                     |   35 +-
 testprogs/blackbox/test_ldb_simple.sh              |   41 +
 wscript_configure_system_mitkrb5                   |    4 +-
 229 files changed, 14845 insertions(+), 4750 deletions(-)
 create mode 100644 docs-xml/smbdotconf/ldap/ldapserverrequirestrongauth.xml
 create mode 100644 docs-xml/smbdotconf/protocol/clientipcmaxprotocol.xml
 create mode 100644 docs-xml/smbdotconf/protocol/clientipcminprotocol.xml
 create mode 100644 docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml
 create mode 100644 docs-xml/smbdotconf/security/clientipcsigning.xml
 create mode 100644 docs-xml/smbdotconf/security/rawntlmv2auth.xml
 create mode 100644 docs-xml/smbdotconf/security/tlsverifypeer.xml
 create mode 100755 python/samba/tests/dcerpc/raw_protocol.py
 create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-cert.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-key.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-openssl.cnf
 create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-private-key.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-req.pem
 create mode 120000 selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-cert.pem
 create mode 120000 selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-private-key.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-cert.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-key.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-openssl.cnf
 create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-private-key.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-req.pem
 create mode 120000 selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-cert.pem
 create mode 120000 selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-private-key.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/NewCerts/00.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/NewCerts/01.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/NewCerts/02.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/NewCerts/03.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-crlnumber.txt
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-crlnumber.txt.old
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-index.txt
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-index.txt.attr
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-index.txt.attr.old
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-index.txt.old
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-openssl.cnf
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-private-key.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-serial.txt
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-serial.txt.old
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Public/CA-samba.example.com-cert.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Public/CA-samba.example.com-crl.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at addom.samba.example.com/USER-administrator at addom.samba.example.com-S03-cert.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at addom.samba.example.com/USER-administrator at addom.samba.example.com-S03-key.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at addom.samba.example.com/USER-administrator at addom.samba.example.com-S03-openssl.cnf
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at addom.samba.example.com/USER-administrator at addom.samba.example.com-S03-private-key.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at addom.samba.example.com/USER-administrator at addom.samba.example.com-S03-req.pem
 create mode 120000 selftest/manage-ca/CA-samba.example.com/Users/administrator at addom.samba.example.com/USER-administrator at addom.samba.example.com-cert.pem
 create mode 120000 selftest/manage-ca/CA-samba.example.com/Users/administrator at addom.samba.example.com/USER-administrator at addom.samba.example.com-private-key.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at samba.example.com/USER-administrator at samba.example.com-S01-cert.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at samba.example.com/USER-administrator at samba.example.com-S01-key.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at samba.example.com/USER-administrator at samba.example.com-S01-openssl.cnf
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at samba.example.com/USER-administrator at samba.example.com-S01-private-key.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at samba.example.com/USER-administrator at samba.example.com-S01-req.pem
 create mode 120000 selftest/manage-ca/CA-samba.example.com/Users/administrator at samba.example.com/USER-administrator at samba.example.com-cert.pem
 create mode 120000 selftest/manage-ca/CA-samba.example.com/Users/administrator at samba.example.com/USER-administrator at samba.example.com-private-key.pem
 create mode 100644 selftest/manage-ca/manage-CA-samba.example.com.cnf
 create mode 100644 selftest/manage-ca/manage-CA-samba.example.com.sh
 create mode 100755 selftest/manage-ca/manage-ca.sh
 create mode 100644 selftest/manage-ca/manage-ca.templates.d/manage-CA-example.com.cnf
 create mode 100644 selftest/manage-ca/manage-ca.templates.d/openssl-BASE-template.cnf
 create mode 100644 selftest/manage-ca/manage-ca.templates.d/openssl-CA-template.cnf
 create mode 100644 selftest/manage-ca/manage-ca.templates.d/openssl-DC-template.cnf
 create mode 100644 selftest/manage-ca/manage-ca.templates.d/openssl-USER-template.cnf
 delete mode 100644 source3/libsmb/ntlmssp.c
 delete mode 100644 source3/libsmb/ntlmssp_wrap.c
 create mode 100755 testprogs/blackbox/test_ldb_simple.sh


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index c3d4cc4..5c6793e 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
 ########################################################
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=4
-SAMBA_VERSION_RELEASE=1
+SAMBA_VERSION_RELEASE=3
 
 ########################################################
 # If a official release has a serious bug              #
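Review bot: SAMBA_VERSION_RELEASE jumps from 1 straight to 3 in this hunk, skipping 2, because the diff covers the whole pushed range (the "Disable git snapshots for the 4.4.2 release" and "Bump version up to 4.4.2" commits in the shortlog are folded in) rather than the head commit alone; for the same reason the "and re-enable git snapshots" part of the head commit's message is not visible here, since the disable/re-enable pair nets out to no change across the range. Before tagging, verify separately that the git-snapshot flag in VERSION is back on as the message states, and that only the release field changed, as this hunk shows.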
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 396ce6e..cea4492 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,553 @@
+                   =============================
+                   Release Notes for Samba 4.4.2
+                           April 12, 2016
+                   =============================
+
+This is a security release containing one additional
+regression fix for the security release 4.4.1.
+
+This fixes a regression that prevents things like 'net ads join'
+from working against a Windows 2003 domain.
+
+Changes since 4.4.1:
+====================
+
+o  Stefan Metzmacher <metze at samba.org>
+   * Bug 11804 - prerequisite backports for the security release on
+     April 12th, 2016
+
+Release notes for the original 4.4.1 release follows:
+-----------------------------------------------------
+
+                   =============================
+                   Release Notes for Samba 4.4.1
+                           April 12, 2016
+                   =============================
+
+
+This is a security release in order to address the following CVEs:
+
+o  CVE-2015-5370 (Multiple errors in DCE-RPC code)
+
+o  CVE-2016-2110 (Man in the middle attacks possible with NTLMSSP)
+
+o  CVE-2016-2111 (NETLOGON Spoofing Vulnerability)
+
+o  CVE-2016-2112 (LDAP client and server don't enforce integrity)
+
+o  CVE-2016-2113 (Missing TLS certificate validation)
+
+o  CVE-2016-2114 ("server signing = mandatory" not enforced)
+
+o  CVE-2016-2115 (SMB IPC traffic is not integrity protected)
+
+o  CVE-2016-2118 (SAMR and LSA man in the middle attacks possible)
+
+The number of changes are rather huge for a security release,
+compared to typical security releases.
+
+Given the number of problems and the fact that they are all related
+to man in the middle attacks we decided to fix them all at once
+instead of splitting them.
+
+In order to prevent the man in the middle attacks it was required
+to change the (default) behavior for some protocols. Please see the
+"New smb.conf options" and "Behavior changes" sections below.
+
+=======
+Details
+=======
+
+o  CVE-2015-5370
+
+   Versions of Samba from 3.6.0 to 4.4.0 inclusive are vulnerable to
+   denial of service attacks (crashes and high cpu consumption)
+   in the DCE-RPC client and server implementations. In addition,
+   errors in validation of the DCE-RPC packets can lead to a downgrade
+   of a secure connection to an insecure one.
+
+   While we think it is unlikely, there's a nonzero chance for
+   a remote code execution attack against the client components,
+   which are used by smbd, winbindd and tools like net, rpcclient and
+   others. This may gain root access to the attacker.
+
+   The above applies all possible server roles Samba can operate in.
+
+   Note that versions before 3.6.0 had completely different marshalling
+   functions for the generic DCE-RPC layer. It's quite possible that
+   that code has similar problems!
+
+   The downgrade of a secure connection to an insecure one may
+   allow an attacker to take control of Active Directory object
+   handles created on a connection created from an Administrator
+   account and re-use them on the now non-privileged connection,
+   compromising the security of the Samba AD-DC.
+
+o  CVE-2016-2110:
+
+   There are several man in the middle attacks possible with
+   NTLMSSP authentication.
+
+   E.g. NTLMSSP_NEGOTIATE_SIGN and NTLMSSP_NEGOTIATE_SEAL
+   can be cleared by a man in the middle.
+
+   This was by protocol design in earlier Windows versions.
+
+   Windows Server 2003 RTM and Vista RTM introduced a way
+   to protect against the trivial downgrade.
+
+   See MsvAvFlags and flag 0x00000002 in
+   https://msdn.microsoft.com/en-us/library/cc236646.aspx
+
+   This new feature also implies support for a mechlistMIC
+   when used within SPNEGO, which may prevent downgrades
+   from other SPNEGO mechs, e.g. Kerberos, if sign or
+   seal is finally negotiated.
+
+   The Samba implementation doesn't enforce the existence of
+   required flags, which were requested by the application layer,
+   e.g. LDAP or SMB1 encryption (via the unix extensions).
+   As a result a man in the middle can take over the connection.
+   It is also possible to misguide client and/or
+   server to send unencrypted traffic even if encryption
+   was explicitly requested.
+
+   LDAP (with NTLMSSP authentication) is used as a client
+   by various admin tools of the Samba project,
+   e.g. "net", "samba-tool", "ldbsearch", "ldbedit", ...
+
+   As an active directory member server LDAP is also used
+   by the winbindd service when connecting to domain controllers.
+
+   Samba also offers an LDAP server when running as
+   active directory domain controller.
+
+   The NTLMSSP authentication used by the SMB1 encryption
+   is protected by smb signing, see CVE-2015-5296.
+
+o  CVE-2016-2111:
+
+   It's basically the same as CVE-2015-0005 for Windows:
+
+     The NETLOGON service in Microsoft Windows Server 2003 SP2,
+     Windows Server 2008 SP2 and R2 SP1, and Windows Server 2012 Gold
+     and R2, when a Domain Controller is configured, allows remote
+     attackers to spoof the computer name of a secure channel's
+     endpoint, and obtain sensitive session information, by running a
+     crafted application and leveraging the ability to sniff network
+     traffic, aka "NETLOGON Spoofing Vulnerability".
+
+   The vulnerability in Samba is worse as it doesn't require
+   credentials of a computer account in the domain.
+
+   This only applies to Samba running as classic primary domain controller,
+   classic backup domain controller or active directory domain controller.
+
+   The security patches introduce a new option called "raw NTLMv2 auth"
+   ("yes" or "no") for the [global] section in smb.conf.
+   Samba (the smbd process) will reject client using raw NTLMv2
+   without using NTLMSSP.
+
+   Note that this option also applies to Samba running as
+   standalone server and member server.
+
+   You should also consider using "lanman auth = no" (which is already the default)
+   and "ntlm auth = no". Have a look at the smb.conf manpage for further details,
+   as they might impact compatibility with older clients. These also
+   apply for all server roles.
+
+o  CVE-2016-2112:
+
+   Samba uses various LDAP client libraries, a builtin one and/or the system
+   ldap libraries (typically openldap).
+
+   As active directory domain controller Samba also provides an LDAP server.
+
+   Samba takes care of doing SASL (GSS-SPNEGO) authentication with Kerberos or NTLMSSP
+   for LDAP connections, including possible integrity (sign) and privacy (seal)
+   protection.
+
+   Samba has support for an option called "client ldap sasl wrapping" since version
+   3.2.0. Its default value has changed from "plain" to "sign" with version 4.2.0.
+
+   Tools using the builtin LDAP client library do not obey the
+   "client ldap sasl wrapping" option. This applies to tools like:
+   "samba-tool", "ldbsearch", "ldbedit" and more. Some of them have command line
+   options like "--sign" and "--encrypt". With the security update they will
+   also obey the "client ldap sasl wrapping" option as default.
+
+   In all cases, even if explicitly request via "client ldap sasl wrapping",
+   "--sign" or "--encrypt", the protection can be downgraded by a man in the
+   middle.
+
+   The LDAP server doesn't have an option to enforce strong authentication
+   yet. The security patches will introduce a new option called
+   "ldap server require strong auth", possible values are "no",
+   "allow_sasl_over_tls" and "yes".
+
+   As the default behavior was as "no" before, you may
+   have to explicitly change this option until all clients have
+   been adjusted to handle LDAP_STRONG_AUTH_REQUIRED errors.
+   Windows clients and Samba member servers already use
+   integrity protection.
+
+o  CVE-2016-2113:
+
+   Samba has support for TLS/SSL for some protocols:
+   ldap and http, but currently certificates are not
+   validated at all. While we have a "tls cafile" option,
+   the configured certificate is not used to validate
+   the server certificate.
+
+   This applies to ldaps:// connections triggered by tools like:
+   "ldbsearch", "ldbedit" and more. Note that it only applies
+   to the ldb tools when they are built as part of Samba or with Samba
+   extensions installed, which means the Samba builtin LDAP client library is
+   used.
+
+   It also applies to dcerpc client connections using ncacn_http (with https://),
+   which are only used by the openchange project. Support for ncacn_http
+   was introduced in version 4.2.0.
+
+   The security patches will introduce a new option called
+   "tls verify peer". Possible values are "no_check", "ca_only",
+   "ca_and_name_if_available", "ca_and_name" and "as_strict_as_possible".
+
+   If you use the self-signed certificates which are auto-generated
+   by Samba, you won't have a crl file and need to explicitly
+   set "tls verify peer = ca_and_name".
+
+o  CVE-2016-2114
+
+   Due to a regression introduced in Samba 4.0.0,
+   an explicit "server signing = mandatory" in the [global] section
+   of the smb.conf was not enforced for clients using the SMB1 protocol.
+
+   As a result it does not enforce smb signing and allows man in the middle attacks.
+
+   This problem applies to all possible server roles:
+   standalone server, member server, classic primary domain controller,
+   classic backup domain controller and active directory domain controller.
+
+   In addition, when Samba is configured with "server role = active directory domain controller"
+   the effective default for the "server signing" option should be "mandatory".
+
+   During the early development of Samba 4 we had a new experimental
+   file server located under source4/smb_server. But before
+   the final 4.0.0 release we switched back to the file server
+   under source3/smbd.
+
+   But the logic for the correct default of "server signing" was not
+   ported correctly ported.
+
+   Note that the default for server roles other than active directory domain
+   controller, is "off" because of performance reasons.
+
+o  CVE-2016-2115:
+
+   Samba has an option called "client signing", this is turned off by default
+   for performance reasons on file transfers.
+
+   This option is also used when using DCERPC with ncacn_np.
+
+   In order to get integrity protection for ipc related communication
+   by default the "client ipc signing" option is introduced.
+   The effective default for this new option is "mandatory".
+
+   In order to be compatible with more SMB server implementations,
+   the following additional options are introduced:
+   "client ipc min protocol" ("NT1" by default) and
+   "client ipc max protocol" (the highest support SMB2/3 dialect by default).
+   These options overwrite the "client min protocol" and "client max protocol"
+   options, because the default for "client max protocol" is still "NT1".
+   The reason for this is the fact that all SMB2/3 support SMB signing,
+   while there are still SMB1 implementations which don't offer SMB signing
+   by default (this includes Samba versions before 4.0.0).
+
+   Note that winbindd (in versions 4.2.0 and higher) enforces SMB signing
+   against active directory domain controllers despite of the
+   "client signing" and "client ipc signing" options.
+
+o  CVE-2016-2118 (a.k.a. BADLOCK):
+
+   The Security Account Manager Remote Protocol [MS-SAMR] and the
+   Local Security Authority (Domain Policy) Remote Protocol [MS-LSAD]
+   are both vulnerable to man in the middle attacks. Both are application level
+   protocols based on the generic DCE 1.1 Remote Procedure Call (DCERPC) protocol.
+
+   These protocols are typically available on all Windows installations
+   as well as every Samba server. They are used to maintain
+   the Security Account Manager Database. This applies to all
+   roles, e.g. standalone, domain member, domain controller.
+
+   Any authenticated DCERPC connection a client initiates against a server
+   can be used by a man in the middle to impersonate the authenticated user
+   against the SAMR or LSAD service on the server.
+
+   The client chosen application protocol, auth type (e.g. Kerberos or NTLMSSP)
+   and auth level (NONE, CONNECT, PKT_INTEGRITY, PKT_PRIVACY) do not matter
+   in this case. A man in the middle can change auth level to CONNECT
+   (which means authentication without message protection) and take over
+   the connection.
+
+   As a result, a man in the middle is able to get read/write access to the
+   Security Account Manager Database, which reveals all passwords
+   and any other potential sensitive information.
+
+   Samba running as an active directory domain controller is additionally
+   missing checks to enforce PKT_PRIVACY for the
+   Directory Replication Service Remote Protocol [MS-DRSR] (drsuapi)
+   and the BackupKey Remote Protocol [MS-BKRP] (backupkey).
+   The Domain Name Service Server Management Protocol [MS-DNSP] (dnsserver)
+   is not enforcing at least PKT_INTEGRITY.
+
+====================
+New smb.conf options
+====================
+
+  allow dcerpc auth level connect (G)
+
+    This option controls whether DCERPC services are allowed to be used with
+    DCERPC_AUTH_LEVEL_CONNECT, which provides authentication, but no per
+    message integrity nor privacy protection.
+
+    Some interfaces like samr, lsarpc and netlogon have a hard-coded default
+    of no and epmapper, mgmt and rpcecho have a hard-coded default of yes.
+
+    The behavior can be overwritten per interface name (e.g. lsarpc,
+    netlogon, samr, srvsvc, winreg, wkssvc ...) by using
+    'allow dcerpc auth level connect:interface = yes' as option.
+
+    This option yields precedence to the implementation specific restrictions.
+    E.g. the drsuapi and backupkey protocols require DCERPC_AUTH_LEVEL_PRIVACY.
+    The dnsserver protocol requires DCERPC_AUTH_LEVEL_INTEGRITY.
+
+    Default: allow dcerpc auth level connect = no
+
+    Example: allow dcerpc auth level connect = yes
+
+  client ipc signing (G)
+
+    This controls whether the client is allowed or required to use
+    SMB signing for IPC$ connections as DCERPC transport. Possible
+    values are auto, mandatory and disabled.
+
+    When set to mandatory or default, SMB signing is required.
+
+    When set to auto, SMB signing is offered, but not enforced and
+    if set to disabled, SMB signing is not offered either.
+
+    Connections from winbindd to Active Directory Domain Controllers
+    always enforce signing.
+
+    Default: client ipc signing = default
+
+  client ipc max protocol (G)
+
+    The value of the parameter (a string) is the highest protocol level that will
+    be supported for IPC$ connections as DCERPC transport.
+
+    Normally this option should not be set as the automatic negotiation phase
+    in the SMB protocol takes care of choosing the appropriate protocol.
+
+    The value default refers to the latest supported protocol, currently SMB3_11.
+
+    See client max protocol for a full list of available protocols.
+    The values CORE, COREPLUS, LANMAN1, LANMAN2 are silently upgraded to NT1.
+
+    Default: client ipc max protocol = default
+
+    Example: client ipc max protocol = SMB2_10
+
+  client ipc min protocol (G)
+
+    This setting controls the minimum protocol version that the will be
+    attempted to use for IPC$ connections as DCERPC transport.
+
+    Normally this option should not be set as the automatic negotiation phase
+    in the SMB protocol takes care of choosing the appropriate protocol.
+
+    The value default refers to the higher value of NT1 and the
+    effective value of "client min protocol".
+
+    See client max protocol for a full list of available protocols.
+    The values CORE, COREPLUS, LANMAN1, LANMAN2 are silently upgraded to NT1.
+
+    Default: client ipc min protocol = default
+
+    Example: client ipc min protocol = SMB3_11
+
+  ldap server require strong auth (G)
+
+    The ldap server require strong auth defines whether the
+    ldap server requires ldap traffic to be signed or
+    signed and encrypted (sealed). Possible values are no,
+    allow_sasl_over_tls and yes.
+
+    A value of no allows simple and sasl binds over all transports.
+
+    A value of allow_sasl_over_tls allows simple and sasl binds (without sign or seal)
+    over TLS encrypted connections. Unencrypted connections only
+    allow sasl binds with sign or seal.
+
+    A value of yes allows only simple binds over TLS encrypted connections.
+    Unencrypted connections only allow sasl binds with sign or seal.
+
+    Default: ldap server require strong auth = yes
+
+  raw NTLMv2 auth (G)
+
+    This parameter determines whether or not smbd(8) will allow SMB1 clients
+    without extended security (without SPNEGO) to use NTLMv2 authentication.
+
+    If this option, lanman auth and ntlm auth are all disabled, then only
+    clients with SPNEGO support will be permitted. That means NTLMv2 is only
+    supported within NTLMSSP.
+
+    Default: raw NTLMv2 auth = no
+
+  tls verify peer (G)
+
+    This controls if and how strict the client will verify the peer's
+    certificate and name. Possible values are (in increasing order): no_check,
+    ca_only, ca_and_name_if_available, ca_and_name and as_strict_as_possible.
+
+    When set to no_check the certificate is not verified at all,
+    which allows trivial man in the middle attacks.
+
+    When set to ca_only the certificate is verified to be signed from a ca
+    specified in the "tls ca file" option. Setting "tls ca file" to a valid file
+    is required. The certificate lifetime is also verified. If the "tls crl file"
+    option is configured, the certificate is also verified against
+    the ca crl.
+
+    When set to ca_and_name_if_available all checks from ca_only are performed.
+    In addition, the peer hostname is verified against the certificate's
+    name, if it is provided by the application layer and not given as
+    an ip address string.
+
+    When set to ca_and_name all checks from ca_and_name_if_available are performed.
+    In addition the peer hostname needs to be provided and even an ip
+    address is checked against the certificate's name.
+
+    When set to as_strict_as_possible all checks from ca_and_name are performed.
+    In addition the "tls crl file" needs to be configured. Future versions
+    of Samba may implement additional checks.
+
+    Default: tls verify peer = as_strict_as_possible
+
+  tls priority (G) (backported from Samba 4.3 to Samba 4.2)
+
+    This option can be set to a string describing the TLS protocols to be
+    supported in the parts of Samba that use GnuTLS, specifically the AD DC.
+
+    The default turns off SSLv3, as this protocol is no longer considered
+    secure after CVE-2014-3566 (otherwise known as POODLE) impacted SSLv3 use
+    in HTTPS applications.
+
+    The valid options are described in the GNUTLS Priority-Strings
+    documentation at http://gnutls.org/manual/html_node/Priority-Strings.html
+
+    Default: tls priority = NORMAL:-VERS-SSL3.0
+
+================
+Behavior changes
+================
+
+o  The default auth level for authenticated binds has changed from
+   DCERPC_AUTH_LEVEL_CONNECT to DCERPC_AUTH_LEVEL_INTEGRITY.
+   That means ncacn_ip_tcp:server is now implicitly the same
+   as ncacn_ip_tcp:server[sign] and offers a similar protection
+   as ncacn_np:server, which relies on smb signing.
+
+o  The following constraints are applied to SMB1 connections:
+
+   - "client lanman auth = yes" is now consistently
+     required for authenticated connections using the
+     SMB1 LANMAN2 dialect.
+   - "client ntlmv2 auth = yes" and "client use spnego = yes"
+     (both the default values), require extended security (SPNEGO)
+     support from the server. That means NTLMv2 is only used within
+     NTLMSSP.
+
+o  Tools like "samba-tool", "ldbsearch", "ldbedit" and more obey the
+   default of "client ldap sasl wrapping = sign". Even with
+   "client ldap sasl wrapping = plain" they will automatically upgrade
+   to "sign" when getting LDAP_STRONG_AUTH_REQUIRED from the LDAP
+   server.
+
+Changes since 4.4.0:
+====================
+
+o  Jeremy Allison <jra at samba.org>
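Review bot: the "client ipc signing" entry is internally inconsistent: the possible-values sentence lists only "auto, mandatory and disabled", yet the next paragraph says "When set to mandatory or default, SMB signing is required." and the entry closes with "Default: client ipc signing = default". Either add "default" to the list of accepted values or drop it from the two later lines, so an admin copying a value from the notes gets one the parser accepts. In the same spirit, the CVE-2016-2112 text refers to the option as "tls cafile" while the "tls verify peer" entry refers to "tls ca file"; please use the one spelling smb.conf actually parses in both places. Smaller wording fixes in this hunk: "ported correctly ported" (duplicated word), "the highest support SMB2/3 dialect" (should be "supported"), "despite of the" (should be "despite the" or "regardless of the"), and "the minimum protocol version that the will be attempted to use" (stray "the"); the "tls priority" heading still carries "(backported from Samba 4.3 to Samba 4.2)", which reads oddly in 4.4 release notes and could be reworded to say the option exists since 4.3 and was backported to 4.2.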


-- 
Samba Shared Repository
