[SCM] Samba Shared Repository - branch v4-3-test updated
Stefan Metzmacher
metze at samba.org
Tue Apr 12 19:14:19 UTC 2016
The branch, v4-3-test has been updated
via cd143a4 VERSION: Bump version up to 4.3.9
via 5bd1f11 Merge tag 'samba-4.3.8' into v4-3-test
via 4b4a2bd VERSION: Disable git snapshots for the 4.3.8 release.
via 10e9011 WHATSNEW: Add release notes for Samba 4.3.8.
via ad9257b s3:libads: sasl wrapped LDAP connections against with kerberos and arcfour-hmac-md5
via caa886e VERSION: Bump version up to 4.3.8...
via 6597749 VERSION: Disable git snapshots for the 4.3.7 release.
via 17e1b9f WHATSNEW: Add release notes for Samba 4.3.7.
via 0e2bcca CVE-2015-5370: s4:selftest: run samba.tests.dcerpc.raw_protocol against ad_dc
via 9ec6afa CVE-2015-5370: python/samba/tests: add some dcerpc raw_protocol tests
via 21fe775 CVE-2015-5370: python/samba/tests: add infrastructure to do raw protocol tests for DCERPC
via a141a37 CVE-2015-5370: s4:librpc/rpc: call dcerpc_connection_dead() on protocol errors
via 6ac5ad0 CVE-2015-5370: s3:rpc_client: disconnect connection on protocol errors
via 51a4a8f CVE-2015-5370: libcli/smb: use a max timeout of 1 second in tstream_smbXcli_np_destructor()
via cd2911f CVE-2015-5370: s3:rpc_server: verify auth_context_id in api_pipe_{bind_auth3,alter_context}
via ac0d474 CVE-2015-5370: s3:rpc_client: verify auth_context_id in rpc_pipe_bind_step_one_done()
via 4449c51 CVE-2015-5370: s3:librpc/rpc: verify auth_context_id in dcerpc_check_auth()
via 365fffe CVE-2015-5370: s3:librpc/rpc: make use of auth->auth_context_id in dcerpc_add_auth_footer()
via bc001b0 CVE-2015-5370: s3:rpc_server: make use of pipe_auth_data->auth_context_id
via 7ab9a8c CVE-2015-5370: s3:rpc_client: make use of pipe_auth_data->auth_context_id
via 7f2d791 CVE-2015-5370: s3:librpc/rpc: add auth_context_id to struct pipe_auth_data
via 73550f4 CVE-2015-5370: s3:rpc_client: pass struct pipe_auth_data to create_rpc_{bind_auth3,alter_context}()
via 46ddaf3 CVE-2015-5370: s3:rpc_server: don't allow an existing context to be changed in check_bind_req()
via f3a67c2 CVE-2015-5370: s3:rpc_server: check the transfer syntax in check_bind_req() first
via 278cdd1 CVE-2015-5370: s3:librpc/rpc: remove unused dcerpc_pull_dcerpc_auth()
via adaf1ae CVE-2015-5370: s3:rpc_server: use DCERPC_NCA_S_PROTO_ERROR FAULTs for protocol errors
via 14d97d4 CVE-2015-5370: s3:rpc_server: let a failing BIND mark the connection as broken
via dbcd01e CVE-2015-5370: s3:rpc_server: disconnect the connection after a fatal FAULT pdu
via 3f6a270 CVE-2015-5370: s3:rpc_server: make use of dcerpc_verify_ncacn_packet_header() to verify incoming pdus
via 11df891 CVE-2015-5370: s3:rpc_server: verify presentation context arrays
via 9832a22 CVE-2015-5370: s3:rpc_server: use 'alter' instead of 'bind' for variables in api_pipe_alter_context()
via e1b75bc CVE-2015-5370: s3:rpc_server: ensure that the message ordering doesn't violate the spec
via 84cbf3d CVE-2015-5370: s3:rpc_server: make sure auth_level isn't changed by alter_context or auth3
via d11c5d3 CVE-2015-5370: s3:rpc_server: let a failing auth3 mark the authentication as invalid
via 476c2f5 CVE-2015-5370: s3:rpc_server: don't allow auth3 if the authentication was already finished
via 8695339 CVE-2015-5370: s3:rpc_server: don't ignore failures of dcerpc_push_ncacn_packet()
via a4a828e CVE-2015-5370: s3:rpc_server: just call pipe_auth_generic_bind() in api_pipe_bind_req()
via db297a7 CVE-2015-5370: s3:rpc_server: let a failing sec_verification_trailer mark the connection as broken
via 905313c CVE-2015-5370: s3:rpc_server: make use of dcerpc_pull_auth_trailer() in api_pipe_{bind_req,alter_context,bind_auth3}()
via 0cf8404 CVE-2015-5370: s3:rpc_client: verify auth_{type,level} in rpc_pipe_bind_step_one_done()
via e87721a CVE-2015-5370: s3:rpc_client: protect rpc_api_pipe_got_pdu() against too large payloads
via 8e691e7 CVE-2015-5370: s3:rpc_client: make use of dcerpc_verify_ncacn_packet_header() in cli_pipe_validate_current_pdu()
via f606cfd CVE-2015-5370: s3:rpc_client: make use of dcerpc_pull_auth_trailer()
via f39183c CVE-2015-5370: s3:librpc/rpc: let dcerpc_check_auth() auth_{type,level} against the expected values.
via 28d558e CVE-2015-5370: s3:librpc/rpc: remove auth trailer and possible padding within dcerpc_check_auth()
via db30949 CVE-2015-5370: librpc/rpc: don't allow pkt->auth_length == 0 in dcerpc_pull_auth_trailer()
via cce7265 CVE-2015-5370: s4:rpc_server: reject DCERPC_PFC_FLAG_PENDING_CANCEL with DCERPC_FAULT_NO_CALL_ACTIVE
via 795b44e CVE-2015-5370: s4:rpc_server: the assoc_group is relative to the connection (association)
via 67e2661 CVE-2015-5370: s4:rpc_server: only allow one fragmented call_id at a time
via f77f9bf CVE-2015-5370: s4:rpc_server: limit allocation and alloc_hint to 4 MByte
via 3239e26 CVE-2015-5370: s4:rpc_server: check frag_length for requests
via d249ce6 CVE-2015-5370: s4:rpc_server: give the correct reject reasons for invalid auth_level values
via 0e26f3c CVE-2015-5370: s4:rpc_server: disconnect after a failing dcesrv_auth_request()
via 6ed0ef7 CVE-2015-5370: s4:rpc_server: let a failing auth3 mark the authentication as invalid
via 615019f CVE-2015-5370: s4:rpc_server: failing authentication should generate a SEC_PKG_ERROR
via e0b58a1 CVE-2015-5370: s4:rpc_server: fix the order of error checking in dcesrv_alter()
via cf0a939 CVE-2015-5370: s4:rpc_server: changing an existing presentation context via alter_context is a protocol error
via f0d318f CVE-2015-5370: s4:rpc_server: don't dereference an empty ctx_list array in dcesrv_alter()
via 6228c53 CVE-2015-5370: s4:rpc_server: remove pointless dcesrv_find_context() from dcesrv_bind()
via a7d02ec CVE-2015-5370: s4:rpc_server: let invalid request fragments disconnect the connection with a protocol error
via 1d99eec CVE-2015-5370: s4:rpc_server: make sure alter_context and auth3 can't change auth_{type,level,context_id}
via 6b2d064 CVE-2015-5370: s4:rpc_server: maintain in and out struct dcerpc_auth per dcesrv_call_state
via 26ad208 CVE-2015-5370: s4:rpc_server: ensure that the message ordering doesn't violate the spec
via 2ed603a CVE-2015-5370: s4:rpc_server: verify the protocol headers before processing pdus
via e9511b5 CVE-2015-5370: s4:rpc_server: add infrastructure to terminate a connection after a response
via 5ab994c CVE-2015-5370: s4:rpc_server: make dcesrv_process_ncacn_packet() static
via 6db7571 CVE-2015-5370: s4:rpc_server: return the correct secondary_address in dcesrv_bind()
via 9f62223 CVE-2015-5370: s4:rpc_server: add some padding to dcesrv_bind_nak() responses
via 4ea6765 CVE-2015-5370: s4:rpc_server: split out a dcesrv_fault_with_flags() helper function
via 8ba1be0 CVE-2015-5370: s4:rpc_server: fill context_id in dcesrv_fault()
via 69e1d93 CVE-2015-5370: s4:rpc_server: set alloc_hint = 24 in dcesrv_fault()
via 5eb3b63 CVE-2015-5370: s4:rpc_server: avoid ZERO_STRUCT() in dcesrv_fault()
via 3165b23 CVE-2015-5370: s4:rpc_server: correctly maintain dcesrv_connection->max_{recv,xmit}_frag
via 563d8fe CVE-2015-5370: s4:rpc_server/netlogon: make use of dce_call->conn->auth_state.auth_{level,type}
via fd3b82e CVE-2015-5370: s4:rpc_server/samr: make use of dce_call->conn->auth_state.auth_level
via 1077b50 CVE-2015-5370: s4:rpc_server/lsa: make use of dce_call->conn->auth_state.auth_{level,type}
via 5325276 CVE-2015-5370: s4:rpc_server: make use of dce_call->conn->auth_state.auth_* in dcesrv_request()
via f8b98b3 CVE-2015-5370: s4:rpc_server: maintain dcesrv_auth->auth_{type,level,context_id}
via 16e3a4c CVE-2015-5370: s4:rpc_server: check the result of dcerpc_pull_auth_trailer() in dcesrv_auth_bind()
via 308543b CVE-2015-5370: s4:rpc_server: no authentication is indicated by pkt->auth_length == 0
via 08f976d CVE-2015-5370: s4:rpc_server: make use of talloc_zero()
via 0235d72 CVE-2015-5370: s4:librpc/rpc: protect dcerpc_request_recv_data() against too large payloads
via df2dcc1 CVE-2015-5370: s4:librpc/rpc: use dcerpc_verify_ncacn_packet_header() to verify BIND_ACK,ALTER_RESP,RESPONSE pdus
via 443e00f CVE-2015-5370: s4:librpc/rpc: handle DCERPC_PKT_FAULT before anything else in dcerpc_alter_context_recv_handler()
via 1551c41 CVE-2015-5370: s4:librpc/rpc: make use of dcerpc_map_ack_reason() in dcerpc_bind_recv_handler()
via 9b9d307 CVE-2015-5370: s3:rpc_client: remove useless frag_length check in rpc_api_pipe_got_pdu()
via 735d4ba CVE-2015-5370: s3:rpc_client: move AS/U hack to the top of cli_pipe_validate_current_pdu()
via 21b9022 CVE-2015-5370: librpc/rpc: add a dcerpc_verify_ncacn_packet_header() helper function
via 821d484 CVE-2015-5370: s4:librpc/rpc: finally verify the server uses the expected auth_{type,level,context_id} values
via 447f9f1 CVE-2015-5370: s4:librpc/rpc: avoid using dcecli_security->auth_info and use per request values
via 220e4ca CVE-2015-5370: s4:librpc/rpc: simplify checks if gensec is used in dcerpc_ship_next_request()
via e6da619 CVE-2015-5370: s4:librpc/rpc: avoid dereferencing sec->auth_info in dcerpc_request_prepare_vt()
via 3df2b07 CVE-2015-5370: s4:librpc/rpc: always use ncacn_pull_request_auth() for DCERPC_PKT_RESPONSE pdus
via 0899c0a CVE-2015-5370: s4:librpc/rpc: avoid using c->security_state.auth_info in ncacn_pull_request_auth()
via 71c2c21 CVE-2015-5370: s4:librpc/rpc: avoid using hs->p->conn->security_state.auth_info in dcerpc_bh_auth_info()
via e39b737 CVE-2015-5370: s4:librpc/rpc: use a local auth_info variable in ncacn_push_request_sign()
via 5be0fb1 CVE-2015-5370: s4:librpc/rpc: use auth_context_id = 1
via f64b017 CVE-2015-5370: s4:librpc/rpc: maintain dcecli_security->auth_{type,level,context_id}
via 47d8c31 CVE-2015-5370: s4:librpc/rpc: send a dcerpc_sec_verification_trailer if needed
via 1c7be37 CVE-2015-5370: s3:librpc/rpc: don't call dcerpc_pull_auth_trailer() if auth_length is 0
via 82dd128 CVE-2015-5370: librpc/rpc: simplify and harden dcerpc_pull_auth_trailer()
via e96791f CVE-2015-5370: dcerpc.idl: add DCERPC_{NCACN_PAYLOAD,FRAG}_MAX_SIZE defines
via 6602e7e CVE-2016-2118: s3:rpc_server/samr: allow _samr_ValidatePassword only with PRIVACY...
via 45a9ca1 CVE-2016-2118: s4:rpc_server/samr: allow _samr_ValidatePassword only with PRIVACY...
via e9718e2 CVE-2016-2118: docs-xml: default "allow dcerpc auth level connect" to "no"
via 4762d25 CVE-2016-2118: s3:rpc_server/{epmapper,echo}: allow DCERPC_AUTH_LEVEL_CONNECT by default
via 1ac5f37 CVE-2016-2118: s3:rpc_server/{samr,lsa,netlogon}: reject DCERPC_AUTH_LEVEL_CONNECT by default
via 3ba93ce CVE-2016-2118: s3:rpc_server: make use of "allow dcerpc auth level connect"
via a2d14bb CVE-2016-2118: s4:rpc_server/rpcecho: allow DCERPC_AUTH_LEVEL_CONNECT by default
via 6045947 CVE-2016-2118: s4:rpc_server/mgmt: allow DCERPC_AUTH_LEVEL_CONNECT by default
via 8f219a0 CVE-2016-2118: s4:rpc_server/epmapper: allow DCERPC_AUTH_LEVEL_CONNECT by default
via 7869c5f CVE-2016-2118: s4:rpc_server/netlogon: reject DCERPC_AUTH_LEVEL_CONNECT by default
via 20e4023 CVE-2016-2118: s4:rpc_server/samr: reject DCERPC_AUTH_LEVEL_CONNECT by default
via ca98500 CVE-2016-2118: s4:rpc_server/lsa: reject DCERPC_AUTH_LEVEL_CONNECT by default
via 7b93802 CVE-2016-2118: s4:rpc_server: make use of "allow dcerpc auth level connect"
via e7be37e CVE-2016-2118(<=4.3) docs-xml: add "allow dcerpc auth level connect" defaulting to "yes"
via 979067f CVE-2016-2118: docs-xml: add "allow dcerpc auth level connect" defaulting to "yes"
via 101e8e8 CVE-2016-2118: s4:librpc: use integrity by default for authenticated binds
via 9ae9c64 CVE-2016-2118: librpc: change the default auth level from DCERPC_AUTH_LEVEL_CONNECT to DCERPC_AUTH_LEVEL_INTEGRITY
via d5659c7 CVE-2016-2118: s3: rpcclient: change the default auth level from DCERPC_AUTH_LEVEL_CONNECT to DCERPC_AUTH_LEVEL_INTEGRITY
via 0a3d923 CVE-2016-2118: s4:rpc_server/dnsserver: require at least DCERPC_AUTH_LEVEL_INTEGRITY
via 9bfa937 CVE-2016-2118: python:tests/dcerpc: use [sign] for dnsserver tests
via 5eb6341 CVE-2016-2118: s4:rpc_server/backupkey: require DCERPC_AUTH_LEVEL_PRIVACY
via e8dc268 CVE-2016-2118: s4:rpc_server/drsuapi: require DCERPC_AUTH_LEVEL_PRIVACY
via 31e7611 CVE-2016-2118: s4:rpc_server: make it possible to define a min_auth_level on a presentation context
via fa2630f CVE-2016-2115: docs-xml: always default "client ipc signing" to "mandatory"
via 2d68100 CVE-2016-2115: s3:libsmb: use SMB_SIGNING_IPC_DEFAULT and lp_client_ipc_{min,max}_protocol()
via cdad358 CVE-2016-2115: s3:libnet: use SMB_SIGNING_IPC_DEFAULT
via b66500f CVE-2016-2115: s3:auth_domain: use SMB_SIGNING_IPC_DEFAULT
via 27c66c4 CVE-2016-2115: s3:lib/netapi: use SMB_SIGNING_IPC_DEFAULT
via 9339d90 CVE-2016-2115: net: use SMB_SIGNING_IPC_DEFAULT
via 38552d7 CVE-2016-2115: s3:libsmb: let SMB_SIGNING_IPC_DEFAULT use "client ipc min/max protocol"
via bdff08d CVE-2016-2115: s3:libsmb: add signing constant SMB_SIGNING_IPC_DEFAULT
via 2b23bc3 CVE-2016-2115: s3:winbindd: use lp_client_ipc_signing()
via 5859266 CVE-2016-2115: s3:winbindd: use lp_client_ipc_{min,max}_protocol()
via e0588d9 CVE-2016-2115: s4:librpc/rpc: make use of "client ipc *" options for ncacn_np
via 2220923 CVE-2016-2115: s4:libcli/raw: pass the minprotocol to smb_raw_negotiate*()
via 60851a0 CVE-2016-2115: s4:libcli/raw: limit maxprotocol to NT1 in smb_raw_negotiate*()
via 7903203 CVE-2016-2115: s4:libcli/smb2: use the configured min_protocol
via c21c9a3 CVE-2016-2115: s4:libcli/raw: add smbcli_options.min_protocol
via 2c13697 CVE-2016-2115(<=4.3): docs-xml: add "client ipc signing" option
via 668cc85 CVE-2016-2115: docs-xml: add "client ipc signing" option
via 9fa185c CVE-2016-2115(<=4.3): docs-xml: add "client ipc min protocol" and "client ipc max protocol" options
via 2f7d773 CVE-2016-2115: docs-xml: add "client ipc min protocol" and "client ipc max protocol" options
via 25b05a8 CVE-2016-2114: docs-xml: let the "smb signing" documentation reflect the reality
via 8611441 CVE-2016-2114: s3:smbd: enforce "server signing = mandatory"
via 7c6c666 CVE-2016-2114: libcli/smb: let mandatory signing imply allowed signing
via 67f8524 CVE-2016-2114: s3:smbd: use the correct default values for "smb signing"
via 2217276 CVE-2016-2114: s4:smb2_server: fix session setup with required signing
via 641cbcc CVE-2016-2113: docs-xml: let "tls verify peer" default to "as_strict_as_possible"
via d778580 CVE-2016-2113: selftest: use "tls verify peer = no_check"
via dc4f8d0 CVE-2016-2113: selftest: test all "tls verify peer" combinations with ldaps
via fdac236 CVE-2016-2113: s4:librpc/rpc: verify the rpc_proxy certificate and hostname if configured
via 389b15e CVE-2016-2113: s4:libcli/ldap: verify the server certificate and hostname if configured
via 54a039d CVE-2016-2113: s4:selftest: explicitly use '--option="tlsverifypeer=no_check" for some ldaps tests
via c20ee1b CVE-2016-2113(<=4.3): docs-xml: add "tls verify peer" option defaulting to "no_check"
via fc02668 CVE-2016-2113: docs-xml: add "tls verify peer" option defaulting to "no_check"
via 9ca8e88 CVE-2016-2113: s4:lib/tls: implement infrastructure to do peer verification
via 27f1625 CVE-2016-2113: s4:lib/tls: create better certificates and sign the host cert with the ca cert
via 104a691 CVE-2016-2112: docs-xml: change the default of "ldap server require strong auth" to "yes"
via a027a87 CVE-2016-2112: s4:selftest: run some ldap test against ad_dc_ntvfs, fl2008r2dc and fl2003dc
via 8dad04c CVE-2016-2112: selftest: servers with explicit "ldap server require strong auth" options
via c7f2a10 CVE-2016-2112: s4:selftest: run samba4.ldap.bind against fl2008r2dc
via 90cc943 CVE-2016-2112: s4:ldap_server: implement "ldap server require strong auth" option
via 963236f CVE-2016-2112(<=4.3): docs-xml: add "ldap server require strong auth" option
via b012535 CVE-2016-2112: docs-xml: add "ldap server require strong auth" option
via e9cfd12 CVE-2016-2112: s4:ldap_server: reduce scope of old_session_info variable
via 5172192 CVE-2016-2112: s4:selftest: use --option=clientldapsaslwrapping=plain for plain connections
via 6977700 CVE-2016-2112: s4:libcli/ldap: auto upgrade to SIGN after STRONG_AUTH_REQUIRED
via e072666 CVE-2016-2112: s4:libcli/ldap: make sure we detect downgrade attacks
via b723d97 CVE-2016-2112: s4:libcli/ldap: honour "client ldap sasl wrapping" option
via a8c60aa CVE-2016-2112: s3:libads: make sure we detect downgrade attacks
via 60647fa CVE-2016-2111: docs-xml/smbdotconf: default "raw NTLMv2 auth" to "no"
via dbdd9cb CVE-2016-2111: selftest:Samba3: use "raw NTLMv2 auth = yes" for nt4_dc
via ff1e470 CVE-2016-2111: s4:smb_server: implement "raw NTLMv2 auth" checks
via e260f6a CVE-2016-2111: s3:auth: implement "raw NTLMv2 auth" checks
via 3643bc9 CVE-2016-2111(<=4.3): docs-xml: add "raw NTLMv2 auth" defaulting to "yes"
via 3dbb32c CVE-2016-2111: docs-xml: add "raw NTLMv2 auth" defaulting to "yes"
via eaabdc1 CVE-2016-2111: docs-xml: document the new "client NTLMv2 auth" and "client use spnego" interaction
via f319256 CVE-2016-2111: s3:libsmb: don't send a raw NTLMv2 response when we want to use spnego
via f22b75d CVE-2016-2111: s4:libcli: don't send a raw NTLMv2 response when we want to use spnego
via a1ae538 CVE-2016-2111: s4:param: use "client use spnego" to initialize options->use_spnego
via 5dbffb8 CVE-2016-2111: s4:libcli: don't allow the LANMAN2 session setup without "client lanman auth = yes"
via b6899e1 CVE-2016-2111: s4:torture/base: don't use ntlmv2 for dos connection in base.samba3error
via 8e1e621 CVE-2016-2111: s4:torture/raw: don't use ntlmv2 for dos connection in raw.samba3badpath
via 9784d68 CVE-2016-2111: s3:rpc_server/netlogon: check NTLMv2_RESPONSE values for SEC_CHAN_WKSTA
via 473bbfa CVE-2016-2111: s4:rpc_server/netlogon: check NTLMv2_RESPONSE values for SEC_CHAN_WKSTA
via 984d024 CVE-2016-2111: libcli/auth: add NTLMv2_RESPONSE_verify_netlogon_creds() helper function
via 5074d1e CVE-2016-2111: s4:torture/rpc: fix rpc.pac ntlmv2 test
via 7434b8d CVE-2016-2111: s4:torture/rpc: fix rpc.samba3.netlogon ntlmv2 test
via 630e39d CVE-2016-2111: s3:rpc_server/netlogon: require DCERPC_AUTH_LEVEL_PRIVACY for validation level 6
via b9b3b1e CVE-2016-2111: s4:rpc_server/netlogon: require DCERPC_AUTH_LEVEL_PRIVACY for validation level 6
via 2f393b3 CVE-2016-2111: s3:rpc_server/netlogon: always go through netr_creds_server_step_check()
via fb8bb0f CVE-2016-2111: s4:rpc_server: implement 'server schannel = yes' restriction
via b76361d CVE-2016-2111: auth/gensec: correctly report GENSEC_FEATURE_{SIGN,SEAL} in schannel_have_feature()
via a6d1056 CVE-2016-2111: auth/gensec: require DCERPC_AUTH_LEVEL_INTEGRITY or higher in schannel_update()
via fc9df72 CVE-2016-2110: auth/ntlmssp: implement new_spnego support including MIC generation (as client)
via 95a1c91 CVE-2016-2110: auth/ntlmssp: implement new_spnego support including MIC checking (as server)
via 39dd2c6 CVE-2016-2110: ntlmssp.idl: add NTLMSSP_MIC_{OFFSET,SIZE}
via 299b49f CVE-2016-2110: libcli/auth: pass server_timestamp to SMBNTLMv2encrypt_hash()
via a278c35 CVE-2016-2110: auth/credentials: pass server_timestamp to cli_credentials_get_ntlm_response()
via 1cc7fbe CVE-2016-2110: auth/credentials: clear the LMv2 key for NTLMv2 in cli_credentials_get_ntlm_response()
via 8cae040 CVE-2016-2110: auth/ntlmssp: implement gensec_ntlmssp_may_reset_crypto()
via b5e95cc CVE-2016-2110: auth/ntlmssp: call ntlmssp_sign_init if we provide GENSEC_FEATURE_SIGN
via 3ae39af CVE-2016-2110: auth/gensec: add gensec_may_reset_crypto() infrastructure
via f32ad5c CVE-2016-2110: auth/gensec: require spnego mechListMIC exchange for new_spnego backends
via 3673533 CVE-2016-2110: auth/gensec: fix the client side of a spnego downgrade
via 9440fa8 CVE-2016-2110: auth/gensec: fix the client side of a new_spnego exchange
via efe18dc CVE-2016-2110: libcli/auth: add SPNEGO_REQUEST_MIC to enum spnego_negResult
via 0e3bb02 CVE-2016-2110: libcli/auth: use enum spnego_negResult instead of uint8_t
via 8714377 CVE-2016-2110: winbindd: add new_spnego to the WINBINDD_CCACHE_NTLMAUTH response
via 677e214 CVE-2016-2110: auth/ntlmssp: let gensec_ntlmssp_client_start require NTLM2 (EXTENDED_SESSIONSECURITY) when using ntlmv2
via 2ee222b CVE-2016-2110: auth/ntlmssp: let gensec_ntlmssp_client_start require flags depending on the requested features
via a7a0d2e CVE-2016-2110: auth/ntlmssp: don't let ntlmssp_handle_neg_flags() change ntlmssp_state->use_ntlmv2
via d29c945 CVE-2016-2110: auth/ntlmssp: don't allow a downgrade from NTLMv2 to LM_AUTH
via 4e5c214 CVE-2016-2110: auth/ntlmssp: split allow_lm_response from allow_lm_key
via f914050 CVE-2016-2110: auth/ntlmssp: maintain conf_flags and required_flags variables
via 8df0d59 CVE-2016-2110: auth/ntlmssp: let ntlmssp_handle_neg_flags() return NTSTATUS
via 25f0a4c s3:ntlm_auth: pass manage_squid_request() needs a valid struct ntlm_auth_state from within get_password()
via cce2e6a s3:rpc_server/samr: correctly handle session_extract_session_key() failures
via 343637b s4:selftest: run rpc.netlogon.admin also over ncalrpc and ncacn_ip_tcp
via ba36c3f libads: Fix CID 1356316 Uninitialized pointer read
via e681d11 libsmb: Fix CID 1356312 Explicit null dereferenced
via 656795b s3-auth: check for return code of cli_credentials_set_machine_account().
via 6db7be4 s4-smb_server: check for return code of cli_credentials_set_machine_account().
via bca3039 s4:rpc_server: require access to the machine account credentials
via a6e7f49 auth/gensec: split out a gensec_verify_dcerpc_auth_level() function
via c0beb87 auth/gensec: make sure gensec_security_by_auth_type() returns NULL for AUTH_TYPE_NONE
via 5cdddba s4:torture/rpc/schannel: don't use validation level 6 without privacy
via 61a09ae s4:torture/rpc: correctly use torture_skip() for test_ManyGetDCName() without NCACN_NP
via 1cd3836 s4:torture/rpc/samlogon: use DCERPC_SEAL for netr_LogonSamLogonEx and validation level 6
via 8665944 s4:torture/rpc/samr: use DCERPC_SEAL in setup_schannel_netlogon_pipe()
via 46f52e7 s4:torture/netlogon: add/use test_SetupCredentialsPipe() helper function
via 1103a6b s3:test_rpcclient_samlogon.sh: test samlogon with schannel
via 6a3a45d s3:selftest: rpc.samr.passwords.validate should run with [seal] in order to be realistic
via 3f05c5a selftest: setup information of new samba.example.com CA in the client environment
via 1311631 selftest: set tls crlfile if it exist
via 739e896 selftest: use Samba::prepare_keyblobs() and use the certs from the new CA
via 0ad8ef8 selftest: add Samba::prepare_keyblobs() helper function
via f058da2 selftest: mark commands in manage-CA-samba.example.com.sh as DONE
via 8be3031 selftest: add CA-samba.example.com (non-binary) files
via 08976c4 selftest: add config and script to create a samba.example.com CA
via 158e06d selftest: add some helper scripts to manage a CA
via f91a66f selftest: s!addc.samba.example.com!addom.samba.example.com!
via 1346b27 s4:rpc_server: dcesrv_generic_session_key should only work on local transports
via 663ec33 s4:rpc_server/samr: hide a possible NO_USER_SESSION_KEY error
via 5182c93 s4:librpc/rpc: dcerpc_generic_session_key() should only be available on local transports
via 44e2da8 s4:torture:samba3rpc: use an authenticated SMB connection and an anonymous DCERPC connection on top
via fd1e4ec s4:selftest: run rpc.samr over ncacn_np instead of ncacn_ip_tcp
via 32ad277 s4:torture: the backupkey tests need to use ncacn_np: for LSA calls
via e09c17a s4:torture/rpc: do testjoin only via ncalrpc or ncacn_np
via 2d6afd9 s3:libsmb: remove unused functions in clispnego.c
via 979fc6a s3:libsmb: remove unused cli_session_setup_kerberos*() functions
via 8a1d0a9 s3:libsmb: make use of cli_session_setup_gensec*() for Kerberos
via 70d546d s3:libsmb: call cli_state_remote_realm() within cli_session_setup_spnego_send()
via c4c3bd6 s3:libsmb: provide generic cli_session_setup_gensec_send/recv() pair
via 1498885 s3:libsmb: let cli_session_setup_ntlmssp*() use gensec_update_send/recv()
via e8b6ef4 s3:libsmb: unused ntlmssp.c
via bbc4eb8 s3:libsmb: make use of gensec based SPNEGO/NTLMSSP
via 59b8032 s3:libads: make use of ads_sasl_spnego_gensec_bind() for GSS-SPNEGO with Kerberos
via d19d039 s3:libads: keep service and hostname separately in ads_service_principal
via e952e63 s3:libads: don't pass given_principal to ads_generate_service_principal() anymore.
via 3d3725b s3:libads: provide a generic ads_sasl_spnego_gensec_bind() function
via 4cbf13e s3:libads: make use of GENSEC_OID_SPNEGO in ads_sasl_spnego_ntlmssp_bind()
via c63d32b s3:libads: make use of GENSEC_FEATURE_LDAP_STYLE
via 383d18d s3:libads: add missing TALLOC_FREE(frame) in error path
via 95461fb s4:ldap_server: make use of GENSEC_FEATURE_LDAP_STYLE
via e2bea35 s4:selftest: simplify the loops over samba4.ldb.ldap
via ccc1c51 s4:selftest: we don't need to run ldap test with --option=socket:testnonblock=true
via b000387 s4:libcli/ldap: fix retry authentication after a bad password
via 58478f4 s4:libcli/ldap: make use of GENSEC_FEATURE_LDAP_STYLE
via debafe8 auth/ntlmssp: remove ntlmssp_unwrap() fallback for LDAP
via 1016c9d auth/ntlmssp: add more compat for GENSEC_FEATURE_LDAP_STYLE
via 294ef73 auth/ntlmssp: implement GENSEC_FEATURE_LDAP_STYLE
via 6d08a2a auth/gensec: add GENSEC_FEATURE_LDAP_STYLE define
via 192d5be auth/ntlmssp: use ndr_push_AV_PAIR_LIST in gensec_ntlmssp_server_negotiate().
via 3136ede librpc/ndr: add ndr_ntlmssp_find_av() helper function
via 30b4e8f ntlmssp.idl: make AV_PAIR_LIST public
via 983edc9 ntlmssp.idl: MsAvRestrictions is MsvAvSingleHost now
via c3392f3 security.idl: add LSAP_TOKEN_INFO_INTEGRITY
via 00fbd5b auth/ntlmssp: use ntlmssp_version_blob() in the server
via 3a52567 auth/ntlmssp: let the client always include NTLMSSP_NEGOTIATE_VERSION
via 9419ce6 auth/ntlmssp: add ntlmssp_version_blob()
via a575c5e auth/ntlmssp: don't send domain and workstation in the NEGOTIATE_MESSAGE
via c8059be auth/ntlmssp: set NTLMSSP_ANONYMOUS for anonymous authentication
via 34ce552 auth/ntlmssp: define all client neg_flags in gensec_ntlmssp_client_start()
via 6d18d46 auth/ntlmssp: NTLMSSP_NEGOTIATE_VERSION is not a negotiated option
via 3938b90 auth/ntlmssp: split out a debug_ntlmssp_flags_raw() that's more complete
via db7e894 s3:ntlm_auth: also use gensec for "ntlmssp-client-1" and "gss-spnego-client"
via aea667c winbindd: make use of ntlmssp_resume_ccache backend for WINBINDD_CCACHE_NTLMAUTH
via 6ee35d9 s3:auth_generic: add "ntlmssp_resume_ccache" backend in auth_generic_client_prepare()
via 81745b6 auth/ntlmssp: implement GENSEC_FEATURE_NTLM_CCACHE
via 7303a10 auth/gensec: add GENSEC_FEATURE_NTLM_CCACHE define
via 7fcefea auth/ntlmssp: provide a "ntlmssp_resume_ccache" backend
via 3585e41 s3:ntlmssp: remove unused libsmb/ntlmssp_wrap.c
via 993420f s3:auth_generic: make use of the top level NTLMSSP client code
via cb7bf55 winbindd: pass an memory context to do_ntlm_auth_with_stored_pw()
via c9d2b8d s3:tests/test_ntlm_auth_s3: test ntlmssp-client-1 with cached credentials
via 0f54d60 s3:torture/test_ntlm_auth.py: add --client-use-cached-creds option
via 2dac558 s3:torture/test_ntlm_auth.py: replace tabs with whitespaces
via 8800015 s3:ntlm_auth: fix --use-cached-creds with ntlmssp-client-1
via 33f7f44 auth/ntlmssp: add gensec_ntlmssp_server_domain()
via aa0ed80 auth/ntlmssp: keep ntlmssp_state->server.netbios_domain on the correct talloc context
via 14b2a51 s3:auth_generic: add auth_generic_client_start_by_sasl()
via a0feacf s3:auth_generic: add auth_generic_client_start_by_name()
via 9e42312 auth/gensec: make gensec_security_by_name() public
via 35f80cf auth/gensec: handle gensec_security_by_sasl_name(NULL, ...)
via 2e6af15 auth/gensec: keep a pointer to a possible child/sub gensec_security context
via b474d13 s4:pygensec: make sig_size() and sign/check_packet() available
via f702a9e s3:librpc/gse: implement gensec_gse_max_{input,wrapped}_size()
via 5a046d5 s3:librpc/gse: don't log gss_acquire_creds failed at level 0
via 47272c3 s3:librpc/gse: correctly support GENSEC_FEATURE_SESSION_KEY
via 2b351b7 s3:librpc/gse: set GSS_KRB5_CRED_NO_CI_FLAGS_X in gse_init_client() if available
via 91e2717 s3:librpc/gse: fix debug message in gse_init_client()
via 4357b22 s3:librpc/gse: make use of GSS_C_EMPTY_BUFFER in gse_init_client
via 88a09dc wscript_configure_system_mitkrb5: add configure checks for GSS_KRB5_CRED_NO_CI_FLAGS_X
via 0555445 s3:libads: remove unused ads_connect_gc()
via 49a7697 s4:librpc/rpc: map alter context SEC_PKG_ERROR to NT_STATUS_LOGON_FAILURE
via 3121494 librpc/rpc: add error mappings for NO_CALL_ACTIVE, OUT_OF_RESOURCES and BAD_STUB_DATA
via e7595fa dcerpc.idl: make WERROR RPC faults available in ndr_print output
via 0117f64 epmapper.idl: make epm_twr_t available in python bindings
via 0d53d8a s3:selftest: run samba3.blackbox.smbclient_auth.plain also with $SERVER_IPV6
via 16e14f9 s3:test_smbclient_auth.sh: test using the ip address in the unc path (incl. ipv6-literal.net)
via 7f24c0b lib/util_net: add support for .ipv6-literal.net
via 6b6fbcf lib/util_net: move ipv6 linklocal handling into interpret_string_addr_internal()
via a70f620 spnego: Correctly check asn1_tag_remaining retval
via 5530d91 s4:torture/ntlmssp fix a compiler warning
via 7019a9c s4-torture: flesh out ntlmssp_AUTHENTICATE_MESSAGE_check().
via 14f4002 s4-torture: add ndr pullpush validation for NTLMSSP CHALLENGE and AUTHENTICATE messages.
via 97ac363 s4-torture: flesh out ntlmssp_CHALLENGE_MESSAGE_check().
via a54b256 s4-torture: activate testing of CHALLENGE and AUTHENTICATE ntlmssp messages.
via 109618b s4-torture: fill in ntlmssp_NEGOTIATE_MESSAGE_check().
via 1865f12 ntlmssp: when pulling messages it is important to clear memory first.
via 42c2d63 ntlmssp: properly document version defines in IDL (from MS-NLMP).
via 1e0e8d6 ntlmssp: fix copy/paste typo in CHALLENGE_MESSAGE in IDL.
via 5b4999a ntlmssp: add some missing defines from MS-NLMP to our IDL.
via e73cfb9 tls: increase Diffie-Hellman group size to 2048 bits
via 24c6d42 s3:pam_smbpass: remove unused dependency to LIBNTLMSSP
via 62e5169 s3:clispnego: fix confusing warning in spnego_gen_krb5_wrap()
via 5bbf46e s3: smbclient: asn1_extract_blob() stops further asn1 processing by setting has_error.
via 83b6653 asn1: Make 'struct asn1_data' private
via 66ea451 asn1: Remove a reference to asn1_data internals
via c27fd04 libcli: Remove a reference to asn1->ofs
via 9c89afd lib: Use asn1_current_ofs()
via 95fa77f asn1: Add asn1_current_ofs()
via 54aecd7 lib: Use asn1_has_nesting
via 9ac8312 asn1: Add asn1_has_nesting
via 2b11481 lib: Use asn1_extract_blob()
via a44d9bb asn1: Add asn1_extract_blob()
via 274c9a4 lib: Use asn1_set_error()
via a330540 asn1: Add asn1_set_error()
via 89d0afc lib: Use asn1_has_error()
via 4b04663 asn1: Add asn1_has_error()
via d51a607 asn1: Make "struct nesting" private
via 6d2f6e1 asn1: Add some early returns
via bb6607a asn1: Add overflow check to asn1_write
via 7ef1333 asn1: Make asn1_peek_full_tag return 0/errno
via 980785a asn1: Remove an unused asn1 function
via b5c5fec Prevent a crash in Python modules that try to authenticate by ensuring we reject cases where credentials fields are not initialized.
via a06c22f VERSION: Bump version up to 4.3.7...
from ca09ef7 build: fix build when --without-quota specified
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-3-test
- Log -----------------------------------------------------------------
commit cd143a4b7fe8ff4f786bd319371e853ac56c37ae
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Apr 12 21:13:35 2016 +0200
VERSION: Bump version up to 4.3.9
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit 5bd1f11c6bd12c3879c035758dfe996b25742d18
Merge: ca09ef7 4b4a2bd
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Apr 12 21:12:44 2016 +0200
Merge tag 'samba-4.3.8' into v4-3-test
samba: tag release samba-4.3.8
Signed-off-by: Stefan Metzmacher <metze at samba.org>
-----------------------------------------------------------------------
Summary of changes:
VERSION | 2 +-
WHATSNEW.txt | 561 +++++
auth/credentials/credentials.h | 5 +-
auth/credentials/credentials_ntlm.c | 12 +-
auth/gensec/gensec.c | 113 +-
auth/gensec/gensec.h | 4 +
auth/gensec/gensec_internal.h | 7 +
auth/gensec/gensec_start.c | 18 +-
auth/gensec/gensec_util.c | 2 +-
auth/gensec/schannel.c | 22 +-
auth/gensec/spnego.c | 301 ++-
auth/ntlmssp/gensec_ntlmssp.c | 9 +
auth/ntlmssp/gensec_ntlmssp_server.c | 44 +-
auth/ntlmssp/ntlmssp.c | 91 +-
auth/ntlmssp/ntlmssp.h | 17 +
auth/ntlmssp/ntlmssp_client.c | 534 +++-
auth/ntlmssp/ntlmssp_ndr.c | 1 +
auth/ntlmssp/ntlmssp_private.h | 10 +-
auth/ntlmssp/ntlmssp_server.c | 424 +++-
auth/ntlmssp/ntlmssp_sign.c | 103 +-
auth/ntlmssp/ntlmssp_util.c | 176 +-
auth/ntlmssp/wscript_build | 2 +-
.../ldap/ldapserverrequirestrongauth.xml | 26 +
.../smbdotconf/protocol/clientipcmaxprotocol.xml | 29 +
.../smbdotconf/protocol/clientipcminprotocol.xml | 29 +
docs-xml/smbdotconf/protocol/clientmaxprotocol.xml | 9 +-
docs-xml/smbdotconf/protocol/clientminprotocol.xml | 6 +
docs-xml/smbdotconf/protocol/clientusespnego.xml | 5 +
.../security/allowdcerpcauthlevelconnect.xml | 27 +
docs-xml/smbdotconf/security/clientipcsigning.xml | 26 +
docs-xml/smbdotconf/security/clientntlmv2auth.xml | 5 +
docs-xml/smbdotconf/security/clientsigning.xml | 12 +-
docs-xml/smbdotconf/security/rawntlmv2auth.xml | 19 +
docs-xml/smbdotconf/security/serversigning.xml | 2 +-
docs-xml/smbdotconf/security/tlsverifypeer.xml | 47 +
lib/param/loadparm.c | 47 +-
lib/param/loadparm.h | 6 +
lib/param/param_table.c | 83 +
lib/util/asn1.c | 109 +-
lib/util/asn1.h | 25 +-
lib/util/tests/asn1_tests.c | 6 +-
lib/util/util_net.c | 247 +-
lib/util/util_net.h | 1 +
libcli/auth/proto.h | 6 +
libcli/auth/smbencrypt.c | 170 +-
libcli/auth/spnego.h | 8 +-
libcli/auth/spnego_parse.c | 55 +-
libcli/cldap/cldap.c | 12 +-
libcli/ldap/ldap_message.c | 32 +-
libcli/smb/smbXcli_base.c | 1 +
libcli/smb/smb_constants.h | 1 +
libcli/smb/smb_signing.c | 4 +
libcli/smb/tstream_smbXcli_np.c | 4 +
librpc/idl/dcerpc.idl | 15 +-
librpc/idl/epmapper.idl | 2 +-
librpc/idl/ntlmssp.idl | 48 +-
librpc/idl/security.idl | 9 +
librpc/ndr/ndr_ntlmssp.c | 16 +
librpc/ndr/ndr_ntlmssp.h | 2 +
librpc/rpc/binding.c | 2 +-
librpc/rpc/dcerpc_error.c | 6 +-
librpc/rpc/dcerpc_util.c | 141 +-
librpc/rpc/rpc_common.h | 9 +-
nsswitch/libwbclient/wbc_pam.c | 21 +-
nsswitch/winbind_struct_protocol.h | 1 +
python/samba/tests/__init__.py | 525 ++++
python/samba/tests/dcerpc/dnsserver.py | 2 +-
python/samba/tests/dcerpc/raw_protocol.py | 2623 ++++++++++++++++++++
selftest/knownfail | 28 +
.../DC-addc.addom.samba.example.com-S02-cert.pem | 191 ++
.../DC-addc.addom.samba.example.com-S02-key.pem | 54 +
...DC-addc.addom.samba.example.com-S02-openssl.cnf | 250 ++
...ddc.addom.samba.example.com-S02-private-key.pem | 51 +
.../DC-addc.addom.samba.example.com-S02-req.pem | 30 +
.../DC-addc.addom.samba.example.com-cert.pem | 1 +
...DC-addc.addom.samba.example.com-private-key.pem | 1 +
.../DC-localdc.samba.example.com-S00-cert.pem | 190 ++
.../DC-localdc.samba.example.com-S00-key.pem | 54 +
.../DC-localdc.samba.example.com-S00-openssl.cnf | 250 ++
...C-localdc.samba.example.com-S00-private-key.pem | 51 +
.../DC-localdc.samba.example.com-S00-req.pem | 30 +
.../DC-localdc.samba.example.com-cert.pem | 1 +
.../DC-localdc.samba.example.com-private-key.pem | 1 +
.../manage-ca/CA-samba.example.com/NewCerts/00.pem | 190 ++
.../manage-ca/CA-samba.example.com/NewCerts/01.pem | 169 ++
.../manage-ca/CA-samba.example.com/NewCerts/02.pem | 191 ++
.../manage-ca/CA-samba.example.com/NewCerts/03.pem | 169 ++
.../Private/CA-samba.example.com-crlnumber.txt | 1 +
.../Private/CA-samba.example.com-crlnumber.txt.old | 1 +
.../Private/CA-samba.example.com-index.txt | 4 +
.../Private/CA-samba.example.com-index.txt.attr | 1 +
.../CA-samba.example.com-index.txt.attr.old | 1 +
.../Private/CA-samba.example.com-index.txt.old | 3 +
.../Private/CA-samba.example.com-openssl.cnf | 203 ++
.../Private/CA-samba.example.com-private-key.pem | 102 +
.../Private/CA-samba.example.com-serial.txt | 1 +
.../Private/CA-samba.example.com-serial.txt.old | 1 +
.../Public/CA-samba.example.com-cert.pem | 62 +
.../Public/CA-samba.example.com-crl.pem | 32 +
...inistrator at addom.samba.example.com-S03-cert.pem | 169 ++
...ministrator at addom.samba.example.com-S03-key.pem | 30 +
...strator at addom.samba.example.com-S03-openssl.cnf | 242 ++
...tor at addom.samba.example.com-S03-private-key.pem | 27 +
...ministrator at addom.samba.example.com-S03-req.pem | 19 +
...-administrator at addom.samba.example.com-cert.pem | 1 +
...strator at addom.samba.example.com-private-key.pem | 1 +
...ER-administrator at samba.example.com-S01-cert.pem | 169 ++
...SER-administrator at samba.example.com-S01-key.pem | 30 +
...administrator at samba.example.com-S01-openssl.cnf | 242 ++
...nistrator at samba.example.com-S01-private-key.pem | 27 +
...SER-administrator at samba.example.com-S01-req.pem | 19 +
.../USER-administrator at samba.example.com-cert.pem | 1 +
...administrator at samba.example.com-private-key.pem | 1 +
selftest/manage-ca/manage-CA-samba.example.com.cnf | 21 +
selftest/manage-ca/manage-CA-samba.example.com.sh | 18 +
selftest/manage-ca/manage-ca.sh | 387 +++
.../manage-CA-example.com.cnf | 17 +
.../openssl-BASE-template.cnf | 201 ++
.../manage-ca.templates.d/openssl-CA-template.cnf | 2 +
.../manage-ca.templates.d/openssl-DC-template.cnf | 49 +
.../openssl-USER-template.cnf | 41 +
selftest/selftest.pl | 40 +
selftest/target/Samba.pm | 105 +
selftest/target/Samba3.pm | 1 +
selftest/target/Samba4.pm | 232 +-
source3/auth/auth_domain.c | 2 +-
source3/auth/auth_samba4.c | 4 +-
source3/auth/auth_util.c | 15 +
source3/include/auth_generic.h | 7 +-
source3/include/proto.h | 48 +-
source3/lib/netapi/cm.c | 2 +-
source3/lib/tldap.c | 6 +-
source3/libads/ads_proto.h | 1 -
source3/libads/ldap.c | 134 -
source3/libads/sasl.c | 671 ++---
source3/libnet/libnet_join.c | 6 +-
source3/librpc/crypto/gse.c | 81 +-
source3/librpc/rpc/dcerpc.h | 10 +-
source3/librpc/rpc/dcerpc_helpers.c | 98 +-
source3/libsmb/auth_generic.c | 51 +-
source3/libsmb/cliconnect.c | 669 ++---
source3/libsmb/clientgen.c | 9 +
source3/libsmb/clispnego.c | 283 +--
source3/libsmb/ntlmssp.c | 765 ------
source3/libsmb/ntlmssp_wrap.c | 135 -
source3/libsmb/passchange.c | 7 +-
source3/pam_smbpass/wscript_build | 2 +-
source3/param/loadparm.c | 43 +-
source3/rpc_client/cli_pipe.c | 314 ++-
source3/rpc_server/netlogon/srv_netlog_nt.c | 57 +-
source3/rpc_server/rpc_handles.c | 1 +
source3/rpc_server/rpc_ncacn_np.c | 3 +-
source3/rpc_server/rpc_pipes.h | 11 +
source3/rpc_server/rpc_server.c | 12 +
source3/rpc_server/samr/srv_samr_nt.c | 21 +-
source3/rpc_server/srv_pipe.c | 494 ++--
source3/rpcclient/rpcclient.c | 5 +-
source3/script/tests/test_ntlm_auth_s3.sh | 2 +
source3/script/tests/test_rpcclient_samlogon.sh | 11 +-
source3/script/tests/test_smbclient_auth.sh | 11 +
source3/selftest/tests.py | 7 +-
source3/smbd/negprot.c | 6 +-
source3/smbd/sesssetup.c | 4 +-
source3/smbd/smb2_negprot.c | 10 +-
source3/smbd/smb2_sesssetup.c | 3 +-
source3/torture/test_ntlm_auth.py | 553 +++--
source3/utils/net_ads.c | 2 +-
source3/utils/net_rpc.c | 2 +-
source3/utils/net_util.c | 2 +-
source3/utils/ntlm_auth.c | 803 +-----
source3/winbindd/winbindd_ccache_access.c | 44 +-
source3/winbindd/winbindd_cm.c | 6 +-
source3/wscript_build | 10 +-
source4/auth/gensec/gensec_krb5.c | 11 +-
source4/auth/gensec/pygensec.c | 83 +
source4/auth/ntlm/auth_util.c | 4 +-
source4/ldap_server/ldap_bind.c | 50 +-
source4/ldap_server/ldap_server.c | 6 +
source4/ldap_server/ldap_server.h | 2 +
source4/lib/tls/tls.c | 2 +-
source4/lib/tls/tls.h | 23 +
source4/lib/tls/tls_tstream.c | 251 +-
source4/lib/tls/tlscert.c | 18 +-
source4/lib/tls/wscript | 5 +
source4/libcli/cliconnect.c | 2 +-
source4/libcli/ldap/ldap_bind.c | 62 +-
source4/libcli/ldap/ldap_client.c | 9 +-
source4/libcli/ldap/ldap_controls.c | 48 +-
source4/libcli/raw/libcliraw.h | 1 +
source4/libcli/raw/rawnegotiate.c | 11 +-
source4/libcli/smb2/connect.c | 7 +-
source4/libcli/smb_composite/connect.c | 1 +
source4/libcli/smb_composite/sesssetup.c | 35 +-
source4/librpc/rpc/dcerpc.c | 351 ++-
source4/librpc/rpc/dcerpc.h | 14 +-
source4/librpc/rpc/dcerpc_auth.c | 93 +-
source4/librpc/rpc/dcerpc_connect.c | 22 +
source4/librpc/rpc/dcerpc_roh.c | 13 +-
source4/librpc/rpc/dcerpc_util.c | 22 +-
source4/param/loadparm.c | 3 +-
source4/rpc_server/backupkey/dcesrv_backupkey.c | 13 +-
source4/rpc_server/common/reply.c | 49 +-
source4/rpc_server/dcerpc_server.c | 812 ++++--
source4/rpc_server/dcerpc_server.h | 57 +-
source4/rpc_server/dcesrv_auth.c | 261 +-
source4/rpc_server/dcesrv_mgmt.c | 8 +
source4/rpc_server/dnsserver/dcerpc_dnsserver.c | 8 +
source4/rpc_server/drsuapi/dcesrv_drsuapi.c | 8 +
source4/rpc_server/echo/rpc_echo.c | 7 +
source4/rpc_server/epmapper/rpc_epmapper.c | 8 +
source4/rpc_server/handles.c | 8 +-
source4/rpc_server/lsa/dcesrv_lsa.c | 8 +
source4/rpc_server/lsa/lsa_lookup.c | 12 +-
source4/rpc_server/netlogon/dcerpc_netlogon.c | 46 +-
source4/rpc_server/remote/dcesrv_remote.c | 8 +-
source4/rpc_server/samr/dcesrv_samr.c | 12 +
source4/rpc_server/samr/samr_password.c | 25 +-
source4/selftest/tests.py | 75 +-
source4/smb_server/smb/negprot.c | 6 +-
source4/smb_server/smb/sesssetup.c | 10 +
source4/smb_server/smb2/negprot.c | 7 +-
source4/smb_server/smb2/sesssetup.c | 8 -
source4/torture/basic/base.c | 20 +-
source4/torture/ndr/ntlmssp.c | 183 +-
source4/torture/raw/samba3misc.c | 7 +
source4/torture/rpc/backupkey.c | 21 +-
source4/torture/rpc/forest_trust.c | 12 +-
source4/torture/rpc/lsa.c | 14 +-
source4/torture/rpc/netlogon.c | 101 +-
source4/torture/rpc/netlogon.h | 7 +
source4/torture/rpc/remote_pac.c | 39 +-
source4/torture/rpc/samba3rpc.c | 61 +-
source4/torture/rpc/samlogon.c | 3 +-
source4/torture/rpc/samr.c | 4 +-
source4/torture/rpc/schannel.c | 29 +-
source4/torture/rpc/testjoin.c | 35 +-
testprogs/blackbox/test_ldb_simple.sh | 41 +
wscript_configure_system_mitkrb5 | 4 +-
238 files changed, 15105 insertions(+), 4869 deletions(-)
create mode 100644 docs-xml/smbdotconf/ldap/ldapserverrequirestrongauth.xml
create mode 100644 docs-xml/smbdotconf/protocol/clientipcmaxprotocol.xml
create mode 100644 docs-xml/smbdotconf/protocol/clientipcminprotocol.xml
create mode 100644 docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml
create mode 100644 docs-xml/smbdotconf/security/clientipcsigning.xml
create mode 100644 docs-xml/smbdotconf/security/rawntlmv2auth.xml
create mode 100644 docs-xml/smbdotconf/security/tlsverifypeer.xml
create mode 100755 python/samba/tests/dcerpc/raw_protocol.py
create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-cert.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-key.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-openssl.cnf
create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-private-key.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-req.pem
create mode 120000 selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-cert.pem
create mode 120000 selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-private-key.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-cert.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-key.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-openssl.cnf
create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-private-key.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-req.pem
create mode 120000 selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-cert.pem
create mode 120000 selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-private-key.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/NewCerts/00.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/NewCerts/01.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/NewCerts/02.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/NewCerts/03.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-crlnumber.txt
create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-crlnumber.txt.old
create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-index.txt
create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-index.txt.attr
create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-index.txt.attr.old
create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-index.txt.old
create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-openssl.cnf
create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-private-key.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-serial.txt
create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-serial.txt.old
create mode 100644 selftest/manage-ca/CA-samba.example.com/Public/CA-samba.example.com-cert.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/Public/CA-samba.example.com-crl.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at addom.samba.example.com/USER-administrator at addom.samba.example.com-S03-cert.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at addom.samba.example.com/USER-administrator at addom.samba.example.com-S03-key.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at addom.samba.example.com/USER-administrator at addom.samba.example.com-S03-openssl.cnf
create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at addom.samba.example.com/USER-administrator at addom.samba.example.com-S03-private-key.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at addom.samba.example.com/USER-administrator at addom.samba.example.com-S03-req.pem
create mode 120000 selftest/manage-ca/CA-samba.example.com/Users/administrator at addom.samba.example.com/USER-administrator at addom.samba.example.com-cert.pem
create mode 120000 selftest/manage-ca/CA-samba.example.com/Users/administrator at addom.samba.example.com/USER-administrator at addom.samba.example.com-private-key.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at samba.example.com/USER-administrator at samba.example.com-S01-cert.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at samba.example.com/USER-administrator at samba.example.com-S01-key.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at samba.example.com/USER-administrator at samba.example.com-S01-openssl.cnf
create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at samba.example.com/USER-administrator at samba.example.com-S01-private-key.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at samba.example.com/USER-administrator at samba.example.com-S01-req.pem
create mode 120000 selftest/manage-ca/CA-samba.example.com/Users/administrator at samba.example.com/USER-administrator at samba.example.com-cert.pem
create mode 120000 selftest/manage-ca/CA-samba.example.com/Users/administrator at samba.example.com/USER-administrator at samba.example.com-private-key.pem
create mode 100644 selftest/manage-ca/manage-CA-samba.example.com.cnf
create mode 100644 selftest/manage-ca/manage-CA-samba.example.com.sh
create mode 100755 selftest/manage-ca/manage-ca.sh
create mode 100644 selftest/manage-ca/manage-ca.templates.d/manage-CA-example.com.cnf
create mode 100644 selftest/manage-ca/manage-ca.templates.d/openssl-BASE-template.cnf
create mode 100644 selftest/manage-ca/manage-ca.templates.d/openssl-CA-template.cnf
create mode 100644 selftest/manage-ca/manage-ca.templates.d/openssl-DC-template.cnf
create mode 100644 selftest/manage-ca/manage-ca.templates.d/openssl-USER-template.cnf
delete mode 100644 source3/libsmb/ntlmssp.c
delete mode 100644 source3/libsmb/ntlmssp_wrap.c
create mode 100755 testprogs/blackbox/test_ldb_simple.sh
Changeset truncated at 500 lines:
diff --git a/VERSION b/VERSION
index 371c694..b59769a 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
########################################################
SAMBA_VERSION_MAJOR=4
SAMBA_VERSION_MINOR=3
-SAMBA_VERSION_RELEASE=7
+SAMBA_VERSION_RELEASE=9
########################################################
# If a official release has a serious bug #
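Review bot: SAMBA_VERSION_RELEASE jumps from 7 straight to 9 in this hunk, which is not a single bump: the diff is computed against ca09ef7 (the "from" revision, still at 4.3.7), so it folds the 4.3.8 release bump that arrived through the merge of tag 'samba-4.3.8' together with the 4.3.9 bump of commit cd143a4. That is expected for a post-merge notification, but nobody reading this hunk in isolation should conclude that 4.3.8 was skipped; the shortlog above is the record of both bumps. Minor: the unchanged context line `# If a official release has a serious bug #` carries a pre-existing typo ("a official") that this hunk leaves alone, which is fine for a version bump but worth a follow-up.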
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index a47ede4..435ae45 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,4 +1,565 @@
=============================
+ Release Notes for Samba 4.3.8
+ April 12, 2016
+ =============================
+
+This is a security release containing one additional
+regression fix for the security release 4.3.7.
+
+This fixes a regression that prevents things like 'net ads join'
+from working against a Windows 2003 domain.
+
+Changes since 4.3.7:
+====================
+
+o Stefan Metzmacher <metze at samba.org>
+ * Bug 11804 - prerequisite backports for the security release on
+ April 12th, 2016
+
+Release notes for the original 4.3.7 release follows:
+-----------------------------------------------------
+
+ =============================
+ Release Notes for Samba 4.3.7
+ April 12, 2016
+ =============================
+
+
+This is a security release in order to address the following CVEs:
+
+o CVE-2015-5370 (Multiple errors in DCE-RPC code)
+
+o CVE-2016-2110 (Man in the middle attacks possible with NTLMSSP)
+
+o CVE-2016-2111 (NETLOGON Spoofing Vulnerability)
+
+o CVE-2016-2112 (LDAP client and server don't enforce integrity)
+
+o CVE-2016-2113 (Missing TLS certificate validation)
+
+o CVE-2016-2114 ("server signing = mandatory" not enforced)
+
+o CVE-2016-2115 (SMB IPC traffic is not integrity protected)
+
+o CVE-2016-2118 (SAMR and LSA man in the middle attacks possible)
+
+The number of changes are rather huge for a security release,
+compared to typical security releases.
+
+Given the number of problems and the fact that they are all related
+to man in the middle attacks we decided to fix them all at once
+instead of splitting them.
+
+In order to prevent the man in the middle attacks it was required
+to change the (default) behavior for some protocols. Please see the
+"New smb.conf options" and "Behavior changes" sections below.
+
+=======
+Details
+=======
+
+o CVE-2015-5370
+
+ Versions of Samba from 3.6.0 to 4.4.0 inclusive are vulnerable to
+ denial of service attacks (crashes and high cpu consumption)
+ in the DCE-RPC client and server implementations. In addition,
+ errors in validation of the DCE-RPC packets can lead to a downgrade
+ of a secure connection to an insecure one.
+
+ While we think it is unlikely, there's a nonzero chance for
+ a remote code execution attack against the client components,
+ which are used by smbd, winbindd and tools like net, rpcclient and
+ others. This may gain root access to the attacker.
+
+ The above applies all possible server roles Samba can operate in.
+
+ Note that versions before 3.6.0 had completely different marshalling
+ functions for the generic DCE-RPC layer. It's quite possible that
+ that code has similar problems!
+
+ The downgrade of a secure connection to an insecure one may
+ allow an attacker to take control of Active Directory object
+ handles created on a connection created from an Administrator
+ account and re-use them on the now non-privileged connection,
+ compromising the security of the Samba AD-DC.
+
+o CVE-2016-2110:
+
+ There are several man in the middle attacks possible with
+ NTLMSSP authentication.
+
+ E.g. NTLMSSP_NEGOTIATE_SIGN and NTLMSSP_NEGOTIATE_SEAL
+ can be cleared by a man in the middle.
+
+ This was by protocol design in earlier Windows versions.
+
+ Windows Server 2003 RTM and Vista RTM introduced a way
+ to protect against the trivial downgrade.
+
+ See MsvAvFlags and flag 0x00000002 in
+ https://msdn.microsoft.com/en-us/library/cc236646.aspx
+
+ This new feature also implies support for a mechlistMIC
+ when used within SPNEGO, which may prevent downgrades
+ from other SPNEGO mechs, e.g. Kerberos, if sign or
+ seal is finally negotiated.
+
+ The Samba implementation doesn't enforce the existence of
+ required flags, which were requested by the application layer,
+ e.g. LDAP or SMB1 encryption (via the unix extensions).
+ As a result a man in the middle can take over the connection.
+ It is also possible to misguide client and/or
+ server to send unencrypted traffic even if encryption
+ was explicitly requested.
+
+ LDAP (with NTLMSSP authentication) is used as a client
+ by various admin tools of the Samba project,
+ e.g. "net", "samba-tool", "ldbsearch", "ldbedit", ...
+
+ As an active directory member server LDAP is also used
+ by the winbindd service when connecting to domain controllers.
+
+ Samba also offers an LDAP server when running as
+ active directory domain controller.
+
+ The NTLMSSP authentication used by the SMB1 encryption
+ is protected by smb signing, see CVE-2015-5296.
+
+o CVE-2016-2111:
+
+ It's basically the same as CVE-2015-0005 for Windows:
+
+ The NETLOGON service in Microsoft Windows Server 2003 SP2,
+ Windows Server 2008 SP2 and R2 SP1, and Windows Server 2012 Gold
+ and R2, when a Domain Controller is configured, allows remote
+ attackers to spoof the computer name of a secure channel's
+ endpoint, and obtain sensitive session information, by running a
+ crafted application and leveraging the ability to sniff network
+ traffic, aka "NETLOGON Spoofing Vulnerability".
+
+ The vulnerability in Samba is worse as it doesn't require
+ credentials of a computer account in the domain.
+
+ This only applies to Samba running as classic primary domain controller,
+ classic backup domain controller or active directory domain controller.
+
+ The security patches introduce a new option called "raw NTLMv2 auth"
+ ("yes" or "no") for the [global] section in smb.conf.
+ Samba (the smbd process) will reject client using raw NTLMv2
+ without using NTLMSSP.
+
+ Note that this option also applies to Samba running as
+ standalone server and member server.
+
+ You should also consider using "lanman auth = no" (which is already the default)
+ and "ntlm auth = no". Have a look at the smb.conf manpage for further details,
+ as they might impact compatibility with older clients. These also
+ apply for all server roles.
+
+o CVE-2016-2112:
+
+ Samba uses various LDAP client libraries, a builtin one and/or the system
+ ldap libraries (typically openldap).
+
+ As active directory domain controller Samba also provides an LDAP server.
+
+ Samba takes care of doing SASL (GSS-SPNEGO) authentication with Kerberos or NTLMSSP
+ for LDAP connections, including possible integrity (sign) and privacy (seal)
+ protection.
+
+ Samba has support for an option called "client ldap sasl wrapping" since version
+ 3.2.0. Its default value has changed from "plain" to "sign" with version 4.2.0.
+
+ Tools using the builtin LDAP client library do not obey the
+ "client ldap sasl wrapping" option. This applies to tools like:
+ "samba-tool", "ldbsearch", "ldbedit" and more. Some of them have command line
+ options like "--sign" and "--encrypt". With the security update they will
+ also obey the "client ldap sasl wrapping" option as default.
+
+ In all cases, even if explicitly request via "client ldap sasl wrapping",
+ "--sign" or "--encrypt", the protection can be downgraded by a man in the
+ middle.
+
+ The LDAP server doesn't have an option to enforce strong authentication
+ yet. The security patches will introduce a new option called
+ "ldap server require strong auth", possible values are "no",
+ "allow_sasl_over_tls" and "yes".
+
+ As the default behavior was as "no" before, you may
+ have to explicitly change this option until all clients have
+ been adjusted to handle LDAP_STRONG_AUTH_REQUIRED errors.
+ Windows clients and Samba member servers already use
+ integrity protection.
+
+o CVE-2016-2113:
+
+ Samba has support for TLS/SSL for some protocols:
+ ldap and http, but currently certificates are not
+ validated at all. While we have a "tls cafile" option,
+ the configured certificate is not used to validate
+ the server certificate.
+
+ This applies to ldaps:// connections triggered by tools like:
+ "ldbsearch", "ldbedit" and more. Note that it only applies
+ to the ldb tools when they are built as part of Samba or with Samba
+ extensions installed, which means the Samba builtin LDAP client library is
+ used.
+
+ It also applies to dcerpc client connections using ncacn_http (with https://),
+ which are only used by the openchange project. Support for ncacn_http
+ was introduced in version 4.2.0.
+
+ The security patches will introduce a new option called
+ "tls verify peer". Possible values are "no_check", "ca_only",
+ "ca_and_name_if_available", "ca_and_name" and "as_strict_as_possible".
+
+ If you use the self-signed certificates which are auto-generated
+ by Samba, you won't have a crl file and need to explicitly
+ set "tls verify peer = ca_and_name".
+
+o CVE-2016-2114
+
+ Due to a regression introduced in Samba 4.0.0,
+ an explicit "server signing = mandatory" in the [global] section
+ of the smb.conf was not enforced for clients using the SMB1 protocol.
+
+ As a result it does not enforce smb signing and allows man in the middle attacks.
+
+ This problem applies to all possible server roles:
+ standalone server, member server, classic primary domain controller,
+ classic backup domain controller and active directory domain controller.
+
+ In addition, when Samba is configured with "server role = active directory domain controller"
+ the effective default for the "server signing" option should be "mandatory".
+
+ During the early development of Samba 4 we had a new experimental
+ file server located under source4/smb_server. But before
+ the final 4.0.0 release we switched back to the file server
+ under source3/smbd.
+
+ But the logic for the correct default of "server signing" was not
+ ported correctly ported.
+
+ Note that the default for server roles other than active directory domain
+ controller, is "off" because of performance reasons.
+
+o CVE-2016-2115:
+
+ Samba has an option called "client signing", this is turned off by default
+ for performance reasons on file transfers.
+
+ This option is also used when using DCERPC with ncacn_np.
+
+ In order to get integrity protection for ipc related communication
+ by default the "client ipc signing" option is introduced.
+ The effective default for this new option is "mandatory".
+
+ In order to be compatible with more SMB server implementations,
+ the following additional options are introduced:
+ "client ipc min protocol" ("NT1" by default) and
+ "client ipc max protocol" (the highest support SMB2/3 dialect by default).
+ These options overwrite the "client min protocol" and "client max protocol"
+ options, because the default for "client max protocol" is still "NT1".
+ The reason for this is the fact that all SMB2/3 support SMB signing,
+ while there are still SMB1 implementations which don't offer SMB signing
+ by default (this includes Samba versions before 4.0.0).
+
+ Note that winbindd (in versions 4.2.0 and higher) enforces SMB signing
+ against active directory domain controllers despite of the
+ "client signing" and "client ipc signing" options.
+
+o CVE-2016-2118 (a.k.a. BADLOCK):
+
+ The Security Account Manager Remote Protocol [MS-SAMR] and the
+ Local Security Authority (Domain Policy) Remote Protocol [MS-LSAD]
+ are both vulnerable to man in the middle attacks. Both are application level
+ protocols based on the generic DCE 1.1 Remote Procedure Call (DCERPC) protocol.
+
+ These protocols are typically available on all Windows installations
+ as well as every Samba server. They are used to maintain
+ the Security Account Manager Database. This applies to all
+ roles, e.g. standalone, domain member, domain controller.
+
+ Any authenticated DCERPC connection a client initiates against a server
+ can be used by a man in the middle to impersonate the authenticated user
+ against the SAMR or LSAD service on the server.
+
+ The client chosen application protocol, auth type (e.g. Kerberos or NTLMSSP)
+ and auth level (NONE, CONNECT, PKT_INTEGRITY, PKT_PRIVACY) do not matter
+ in this case. A man in the middle can change auth level to CONNECT
+ (which means authentication without message protection) and take over
+ the connection.
+
+ As a result, a man in the middle is able to get read/write access to the
+ Security Account Manager Database, which reveals all passwords
+ and any other potential sensitive information.
+
+ Samba running as an active directory domain controller is additionally
+ missing checks to enforce PKT_PRIVACY for the
+ Directory Replication Service Remote Protocol [MS-DRSR] (drsuapi)
+ and the BackupKey Remote Protocol [MS-BKRP] (backupkey).
+ The Domain Name Service Server Management Protocol [MS-DNSP] (dnsserver)
+ is not enforcing at least PKT_INTEGRITY.
+
+====================
+New smb.conf options
+====================
+
+ allow dcerpc auth level connect (G)
+
+ This option controls whether DCERPC services are allowed to be used with
+ DCERPC_AUTH_LEVEL_CONNECT, which provides authentication, but no per
+ message integrity nor privacy protection.
+
+ Some interfaces like samr, lsarpc and netlogon have a hard-coded default
+ of no and epmapper, mgmt and rpcecho have a hard-coded default of yes.
+
+ The behavior can be overwritten per interface name (e.g. lsarpc,
+ netlogon, samr, srvsvc, winreg, wkssvc ...) by using
+ 'allow dcerpc auth level connect:interface = yes' as option.
+
+ This option yields precedence to the implementation specific restrictions.
+ E.g. the drsuapi and backupkey protocols require DCERPC_AUTH_LEVEL_PRIVACY.
+ The dnsserver protocol requires DCERPC_AUTH_LEVEL_INTEGRITY.
+
+ Default: allow dcerpc auth level connect = no
+
+ Example: allow dcerpc auth level connect = yes
+
+ client ipc signing (G)
+
+ This controls whether the client is allowed or required to use
+ SMB signing for IPC$ connections as DCERPC transport. Possible
+ values are auto, mandatory and disabled.
+
+ When set to mandatory or default, SMB signing is required.
+
+ When set to auto, SMB signing is offered, but not enforced and
+ if set to disabled, SMB signing is not offered either.
+
+ Connections from winbindd to Active Directory Domain Controllers
+ always enforce signing.
+
+ Default: client ipc signing = default
+
+ client ipc max protocol (G)
+
+ The value of the parameter (a string) is the highest protocol level that will
+ be supported for IPC$ connections as DCERPC transport.
+
+ Normally this option should not be set as the automatic negotiation phase
+ in the SMB protocol takes care of choosing the appropriate protocol.
+
+ The value default refers to the latest supported protocol, currently SMB3_11.
+
+ See client max protocol for a full list of available protocols.
+ The values CORE, COREPLUS, LANMAN1, LANMAN2 are silently upgraded to NT1.
+
+ Default: client ipc max protocol = default
+
+ Example: client ipc max protocol = SMB2_10
+
+ client ipc min protocol (G)
+
+ This setting controls the minimum protocol version that the will be
+ attempted to use for IPC$ connections as DCERPC transport.
+
+ Normally this option should not be set as the automatic negotiation phase
+ in the SMB protocol takes care of choosing the appropriate protocol.
+
+ The value default refers to the higher value of NT1 and the
+ effective value of "client min protocol".
+
+ See client max protocol for a full list of available protocols.
+ The values CORE, COREPLUS, LANMAN1, LANMAN2 are silently upgraded to NT1.
+
+ Default: client ipc min protocol = default
+
+ Example: client ipc min protocol = SMB3_11
+
+ ldap server require strong auth (G)
+
+ The ldap server require strong auth defines whether the
+ ldap server requires ldap traffic to be signed or
+ signed and encrypted (sealed). Possible values are no,
+ allow_sasl_over_tls and yes.
+
+ A value of no allows simple and sasl binds over all transports.
+
+ A value of allow_sasl_over_tls allows simple and sasl binds (without sign or seal)
+ over TLS encrypted connections. Unencrypted connections only
+ allow sasl binds with sign or seal.
+
+ A value of yes allows only simple binds over TLS encrypted connections.
+ Unencrypted connections only allow sasl binds with sign or seal.
+
+ Default: ldap server require strong auth = yes
+
+ raw NTLMv2 auth (G)
+
+ This parameter determines whether or not smbd(8) will allow SMB1 clients
+ without extended security (without SPNEGO) to use NTLMv2 authentication.
+
+ If this option, lanman auth and ntlm auth are all disabled, then only
+ clients with SPNEGO support will be permitted. That means NTLMv2 is only
+ supported within NTLMSSP.
+
+ Default: raw NTLMv2 auth = no
+
+ tls verify peer (G)
+
+ This controls if and how strict the client will verify the peer's
+ certificate and name. Possible values are (in increasing order): no_check,
+ ca_only, ca_and_name_if_available, ca_and_name and as_strict_as_possible.
+
+ When set to no_check the certificate is not verified at all,
+ which allows trivial man in the middle attacks.
+
+ When set to ca_only the certificate is verified to be signed from a ca
+ specified in the "tls ca file" option. Setting "tls ca file" to a valid file
+ is required. The certificate lifetime is also verified. If the "tls crl file"
+ option is configured, the certificate is also verified against
+ the ca crl.
+
+ When set to ca_and_name_if_available all checks from ca_only are performed.
+ In addition, the peer hostname is verified against the certificate's
+ name, if it is provided by the application layer and not given as
+ an ip address string.
+
+ When set to ca_and_name all checks from ca_and_name_if_available are performed.
+ In addition the peer hostname needs to be provided and even an ip
+ address is checked against the certificate's name.
+
+ When set to as_strict_as_possible all checks from ca_and_name are performed.
+ In addition the "tls crl file" needs to be configured. Future versions
+ of Samba may implement additional checks.
+
+ Default: tls verify peer = as_strict_as_possible
+
+ tls priority (G) (backported from Samba 4.3 to Samba 4.2)
+
+ This option can be set to a string describing the TLS protocols to be
+ supported in the parts of Samba that use GnuTLS, specifically the AD DC.
+
+ The default turns off SSLv3, as this protocol is no longer considered
+ secure after CVE-2014-3566 (otherwise known as POODLE) impacted SSLv3 use
+ in HTTPS applications.
+
+ The valid options are described in the GNUTLS Priority-Strings
+ documentation at http://gnutls.org/manual/html_node/Priority-Strings.html
+
+ Default: tls priority = NORMAL:-VERS-SSL3.0
+
+================
+Behavior changes
+================
+
+o The default auth level for authenticated binds has changed from
+ DCERPC_AUTH_LEVEL_CONNECT to DCERPC_AUTH_LEVEL_INTEGRITY.
+ That means ncacn_ip_tcp:server is now implicitly the same
+ as ncacn_ip_tcp:server[sign] and offers a similar protection
+ as ncacn_np:server, which relies on smb signing.
+
+o The following constraints are applied to SMB1 connections:
+
+ - "client lanman auth = yes" is now consistently
+ required for authenticated connections using the
+ SMB1 LANMAN2 dialect.
+ - "client ntlmv2 auth = yes" and "client use spnego = yes"
+ (both the default values), require extended security (SPNEGO)
+ support from the server. That means NTLMv2 is only used within
+ NTLMSSP.
+
+o Tools like "samba-tool", "ldbsearch", "ldbedit" and more obey the
+ default of "client ldap sasl wrapping = sign". Even with
+ "client ldap sasl wrapping = plain" they will automatically upgrade
+ to "sign" when getting LDAP_STRONG_AUTH_REQUIRED from the LDAP
+ server.
+
+Changes since 4.3.6:
+====================
+
+o Jeremy Allison <jra at samba.org>
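Review bot: the "client ipc signing" entry is internally inconsistent: it lists the possible values as auto, mandatory and disabled, yet the next paragraph says "When set to mandatory or default, SMB signing is required" and the Default line is "client ipc signing = default", so "default" is either a missing value in the list or an undocumented alias for mandatory; please add it to the list or state the alias explicitly. Two smaller points in the same region: in "client ipc min protocol", "the minimum protocol version that the will be attempted to use" should read "that will be attempted", and the "tls priority (G) (backported from Samba 4.3 to Samba 4.2)" heading carries a 4.2 backport parenthetical inside what is otherwise the 4.3 release notes, which reads as copied from the 4.2 WHATSNEW and should be checked. The "Changes since 4.3.6:" section ends right after the first contributor line with no entries under it, so the hunk as shown here looks cut off.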
--
Samba Shared Repository