[SCM] Samba Shared Repository - branch v4-6-test updated
Stefan Metzmacher
metze at samba.org
Thu Jul 13 22:01:03 UTC 2017
The branch, v4-6-test has been updated
via 9251372 selftest:Samba3: call "net primarytrust dumpinfo" in setup_nt4_member() after the join
via dd573c0 s3:secrets: remove unused secrets_store_[prev_]machine_password()
via d71aa30 s3:libads: make use of secrets_*_password_change() in ads_change_trust_account_password()
via 15a7a36 net: make use of secrets_*_password_change() for "net changesecretpw"
via 13a2325 s3:trusts_util: make the workstation password change more robust
via de1faa7 s3:libnet: make use of secrets_store_JoinCtx()
via 56403c7 net: add "net primarytrust dumpinfo" command that dumps the details of the workstation trust
via 835cc12 s3:secrets: add infrastructure to use secrets_domain_infoB to store credentials
via cc67ccb secrets.idl: add secrets_domain_info that will be used in secrets.tdb for machine account trusts
via d80ef0b netlogon.idl: use lsa_TrustType and lsa_TrustAttributes in netr_trust_extension
via 59e23da netlogon.idl: make netr_TrustFlags [public]
via b7e7ac3 lsa.idl: make lsa_DnsDomainInfo [public]
via fc98574 s3:trusts_util: also pass the previous_nt_hash to netlogon_creds_cli_auth()
via f7c05a3 libcli/auth: pass the cleartext blob to netlogon_creds_cli_ServerPasswordSet*()
via 5d56612 libcli/auth: add const to set_pw_in_buffer()
via 29fa179 libcli/auth: pass an array of nt_hashes to netlogon_creds_cli_auth*()
via d41f361 s3:trusts_util: pass dcname to trust_pw_change()
via 324af75 s3:secrets: use secrets_delete for all keys in secrets_delete_machine_password_ex()
via 7481722 s3:secrets: let secrets_delete_machine_password_ex() also remove the des_salt key
via 36ae6bc s3:secrets: let secrets_delete_machine_password_ex() remove SID and GUID too
via fc8506d s3:secrets: rewrite secrets_delete_machine_password_ex() using helper variables
via bce615d s3:secrets: replace secrets_delete_prev_machine_password() by secrets_delete()
via c54cf09 s3:secrets: let secrets_store_machine_pw_sync() delete the des_salt_key when there's no value
via dd0f49a s3:secrets: make use of secrets_delete() in secrets_store_machine_pw_sync()
via 4e649f7 s3:secrets: re-add secrets_delete() helper to simplify deleting optional keys
via 45ed7f3 s3:secrets: rename secrets_delete() to secrets_delete_entry()
via e67bc70 s3:secrets: make use of des_salt_key() in secrets_store_machine_pw_sync()
via f8dc7f3 s3:secrets: add some const to secrets_store_domain_guid()
via f297455 s3:secrets: split out a domain_guid_keystr() function
via 3341df2 s3:secrets: rework des_salt_key() to take the realm as argument
via cfba2c4 s3:secrets: move kerberos_secrets_*salt related functions to machine_account_secrets.c
via f68f8f6 s3:libads: remove unused kerberos_fetch_salt_princ_for_host_princ()
via 0ce8cd8 s3:libads: make use of kerberos_secrets_fetch_salt_princ() in ads_keytab_add_entry()
via bf90563 s3:libnet: make use of kerberos_secrets_fetch_salt_princ()
via 14add2c s3:gse_krb5: simplify fill_keytab_from_password() by using kerberos_fetch_salt_princ()
via 6e1f7e2 s3:libads: provide a simpler kerberos_fetch_salt_princ() function
via bfccba4 s3:libads: remove kerberos_secrets_fetch_salting_principal() fallback
via beb5f2b s3:libnet_join: move kerberos_secrets_store_des_salt() to libnet_join_joindomain_store_secrets()
via 4e5c9b5 s3:libnet_join: move libnet_join_joindomain_store_secrets() to libnet_join_post_processing()
via cb36b61 s3:libnet_join: call do_JoinConfig() after we did remote changes on the server
via 1b648aa s3:libnet_join: split libnet_join_post_processing_ads() into modify/sync
via b098b48 s3:libnet_join: move kerberos_secrets_store_des_salt() out of libnet_join_derive_salting_principal()
via e709972 s3:libnet_join: remember r->out.krb5_salt in libnet_join_derive_salting_principal()
via 15cefb9 s3:libnet_join.idl: add krb5_salt to libnet_JoinCtx
via d353c40 s3:libnet_join: remember the domain_guid for AD domains
via 0c9f0d5 s3:libnet_join.idl: return the domain_guid in libnet_JoinCtx
via 43cce73 s3:libnet_join: calculate r->out.account_name in libnet_join_pre_processing()
via b76556f s3:libnet_join: remove dead code from libnet_join_connect_ads()
via 691d69f krb5_wrap: add smb_krb5_salt_principal2data()
via ea40c72 krb5_wrap: add smb_krb5_salt_principal()
via cf5d62e s3:libads: remove unused kerberos_secrets_store_salting_principal()
via 5687cb0 s3:librpc: let NDR_SECRETS depend on NDR_SECURITY
via 6297a35 idl_types.h: add NDR_SECRET shortcut
via 48a9a30 librpc/ndr: add LIBNDR_FLAG_IS_SECRET handling
via e73f37d librpc/ndr: align the definition of LIBNDR_STRING_FLAGS with currently defined flags
via 4e323ae pidl:NDR/Parser: add missing {start,end}_flags() to ParseElementPrint()
via ce91c2e s3:smbd: consistently use talloc_tos() memory for rpc_pipe_open_interface()
via 8ac00af selftest: add a test for accessing previous version of directories with snapdirseverywhere
via 7916e1a s3/smbd: let non_widelink_open() chdir() to directories directly
via 80aeac8 dnsserver: Stop dns_name_equal doing OOB read
via 04676d6 selftest: Do not enable inbound replication during replica_sync
from 7b04fb4 VERSION: Bump version up to 4.6.7...
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-6-test
- Log -----------------------------------------------------------------
commit 9251372348e72d36fcdd7607d710026d7428b704
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jun 22 15:30:56 2017 +0200
selftest:Samba3: call "net primarytrust dumpinfo" in setup_nt4_member() after the join
Here we check that we get 'REDACTED SECRET VALUES' printed, in order
to avoid regression on the non '-f' behavior.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 9530284383f252efd64bfdf138579964c6500eba)
Autobuild-User(v4-6-test): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(v4-6-test): Fri Jul 14 00:00:12 CEST 2017 on sn-devel-144
commit dd573c0b2e4b1148d8be6cc73ccf6e8dc9e3a1e5
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue May 23 17:42:09 2017 +0200
s3:secrets: remove unused secrets_store_[prev_]machine_password()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit f513c20ee04fe896900c99ae804753d445414d7d)
commit d71aa30b0e546f7869cf9a165adeb4111733bfef
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue May 23 17:41:34 2017 +0200
s3:libads: make use of secrets_*_password_change() in ads_change_trust_account_password()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit b874dc90c91dd41c35e99bf7c4fe04220465edca)
commit 15a7a36f9f36c24815f32bdc6cab88fb818015cb
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue May 23 17:29:31 2017 +0200
net: make use of secrets_*_password_change() for "net changesecretpw"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 4ae6a3ffb233c9b9576a3b5bb15a51ee56e4dbc3)
commit 13a232572242d2aa4783512c818f250b197e1cf0
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon May 22 20:47:17 2017 +0200
s3:trusts_util: make the workstation password change more robust
We use secrets_{prepare,failed,defer,finish}_password_change() to make
the process more robust.
Even if we just verified the current password with the DC
it can still happen that the remote password change will fail.
If a server has RefusePasswordChange=1 under
HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters,
it will reject NetrServerPasswordSet2() with NT_STATUS_WRONG_PASSWORD.
This results in a successful local change, but a failing remote change,
which means the domain membership is broken (as we don't fall back to
the previous password for ntlmssp nor kerberos yet).
An (at least Samba) RODC will also reject a password change,
see https://bugzilla.samba.org/show_bug.cgi?id=12773.
Even with this change we still have open problems, e.g. if the password was
changed, but we didn't get the server's response. In order to fix that we need
to use only netlogon and lsa over unprotected transports, just using schannel
authentication (which supports the fallback to the old password).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 40c42af11fda062fef9df96a9b5ae3e02709f07c)
commit de1faa7c09f2a2f4a4403f583d50698dc79f1027
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed May 17 10:29:59 2017 +0200
s3:libnet: make use of secrets_store_JoinCtx()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit c3ad8be5d5192070c599350d6ab28c064206b6cf)
commit 56403c73c4a06c4bc470d7c63828f40e22fc855c
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed May 24 18:05:40 2017 +0200
net: add "net primarytrust dumpinfo" command that dumps the details of the workstation trust
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit c7c17d9f503d6037aa8ed0bd7ab7cf52f5f28382)
commit 835cc1271a5b5154607dd86f4158a2eee134d518
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri May 19 16:28:17 2017 +0200
s3:secrets: add infrastructure to use secrets_domain_infoB to store credentials
We now store various hashed keys at change time and maintain a lot of details
that will help debugging failed password changes.
We keep storing the legacy values:
SECRETS/SID/
SECRETS/DOMGUID/
SECRETS/MACHINE_LAST_CHANGE_TIME/
SECRETS/MACHINE_PASSWORD/
SECRETS/MACHINE_PASSWORD.PREV/
SECRETS/SALTING_PRINCIPAL/DES/
This allows downgrades to older Samba versions.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 5f0038fba612afd7fc15b7ab321df979891170d8)
commit cc67ccbe7450641a6a07160c820107adea0cfa3b
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed May 17 10:11:18 2017 +0200
secrets.idl: add secrets_domain_info that will be used in secrets.tdb for machine account trusts
This blob will be stored in secrets.tdb. It makes it possible to store much
more useful details about the workstation trust.
The key feature that triggered this change is the ability
to store details for the next password change before doing
the remote change. This will allow us to recover from failures.
While being there I also thought about possible new features,
which we may implement in the near future.
We also store the raw UTF16-like cleartext buffer as well as derived
keys like the NTHASH (arcfour-hmac-md5 key) and other kerberos keys.
This will allow us to avoid recalculating the keys for an in-memory
keytab in future.
I also added a pointer to an optional lsa_ForestTrustInformation structure,
which might be useful to implement multi-tenancy in future.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit a59c9cba31a801d90db06b767cfd44776f4ede77)
commit d80ef0b640cbfac8202dd08a41fb9e53f5a68d37
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed May 17 10:09:01 2017 +0200
netlogon.idl: use lsa_TrustType and lsa_TrustAttributes in netr_trust_extension
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 28ac10503476de3c000b3deee2c1f67e0b305578)
commit 59e23da940101251f064cd954d17917846b419d6
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed May 17 11:35:37 2017 +0200
netlogon.idl: make netr_TrustFlags [public]
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 60274475332dafdfb829a7c086ea09cd9ed00540)
commit b7e7ac3b55210bb03365855a20717fdc41a719a2
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed May 17 11:35:20 2017 +0200
lsa.idl: make lsa_DnsDomainInfo [public]
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit ea0798881a7aaf5897a3a3806149536d3d54fc3b)
commit fc985740bb49627ed623b33053ab99eab15dac2d
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Jun 21 21:30:39 2017 +0200
s3:trusts_util: also pass the previous_nt_hash to netlogon_creds_cli_auth()
Even in the case where only the password is known to the server, we should
try to leave a valid authentication behind.
We have better ways to identify which password worked than only using
the current one.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit d60404b032eca5384d889352f52b9b129861b4af)
commit f7c05a3992b70eacf014e46f64a7b96f22257bb7
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jun 13 11:18:37 2017 +0200
libcli/auth: pass the cleartext blob to netlogon_creds_cli_ServerPasswordSet*()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 0f5945a06df4bef501ca5085c621294057007225)
commit 5d566127b5bf0a27b594cb26431b9a66f4ee8060
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jun 13 11:17:03 2017 +0200
libcli/auth: add const to set_pw_in_buffer()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 1b48c8515ed8fd29204c82cc47f958f4636cd494)
commit 29fa1791a35bc0988a22f2b06149bdb6c9c27132
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon May 22 20:44:40 2017 +0200
libcli/auth: pass an array of nt_hashes to netlogon_creds_cli_auth*()
This way the caller can pass more than 2 hashes and can only
know which hash was used for a successful connection.
We allow up to 4 hashes (next, current, old, older).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit ddd7ac68ccae8b4df6c6a65b3dad20e21924f538)
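The robust change flow described in commit 13a2325 above (prepare/failed/defer/finish), the "store the next password before the remote change" idea from the secrets_domain_info commit, and this commit's next/current/old/older candidate order, modelled together in one added Python example that is not Samba code. The TrustSecrets record, the FakeDC, the derive_key stand-in and all status strings are assumptions made for illustration:

```python
"""Constructed model of a crash-safe workstation trust password change."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def derive_key(password: str) -> bytes:
    """Stand-in for the NTHASH derivation (real NT hashes are MD4 over UTF-16LE)."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


@dataclass
class TrustSecrets:
    """Local secrets.tdb-like record of the workstation password history (assumed layout)."""
    current: str
    old: Optional[str] = None
    older: Optional[str] = None
    next: Optional[str] = None   # written by prepare_change() before any remote call
    state: str = "idle"          # idle | prepared | deferred | failed
    last_error: Optional[str] = None

    def candidates(self) -> List[Tuple[str, bytes]]:
        """Up to four keys to try, in the commit's order: next, current, old, older."""
        ordered = (("next", self.next), ("current", self.current),
                   ("old", self.old), ("older", self.older))
        return [(label, derive_key(pw)) for label, pw in ordered if pw is not None]


def prepare_change(s: TrustSecrets, new_password: str) -> None:
    """Persist the intended new password locally BEFORE talking to the DC."""
    s.next, s.state, s.last_error = new_password, "prepared", None


def failed_change(s: TrustSecrets, error: str) -> None:
    """The DC definitely rejected the change: keep current, remember why."""
    s.state, s.last_error = "failed", error


def defer_change(s: TrustSecrets, reason: str) -> None:
    """Outcome unknown (e.g. lost reply): keep next so a later recovery can settle it."""
    s.state, s.last_error = "deferred", reason


def finish_change(s: TrustSecrets) -> None:
    """Remote change confirmed: rotate next -> current -> old -> older."""
    s.older, s.old, s.current, s.next = s.old, s.current, s.next, None
    s.state, s.last_error = "idle", None


class FakeDC:
    """Minimal DC: one key per account; can refuse changes or drop its reply."""

    def __init__(self, account: str, password: str,
                 refuse_change: bool = False, drop_reply: bool = False):
        self.keys: Dict[str, bytes] = {account: derive_key(password)}
        self.refuse_change = refuse_change   # models RefusePasswordChange=1 or an RODC
        self.drop_reply = drop_reply         # change applied, response never arrives

    def authenticate(self, account: str, key: bytes) -> bool:
        return self.keys.get(account) == key

    def server_password_set(self, account: str, auth_key: bytes,
                            new_key: bytes) -> Optional[str]:
        """Return a status string, or None when the reply was lost."""
        if not self.authenticate(account, auth_key):
            return "NT_STATUS_ACCESS_DENIED"
        if self.refuse_change:
            return "NT_STATUS_WRONG_PASSWORD"
        self.keys[account] = new_key
        return None if self.drop_reply else "NT_STATUS_OK"


def find_working_key(s: TrustSecrets, dc: FakeDC, account: str) -> Optional[str]:
    """Try the candidate keys in order and report which label authenticated."""
    for label, key in s.candidates():
        if dc.authenticate(account, key):
            return label
    return None


def trust_pw_change(s: TrustSecrets, dc: FakeDC, account: str, new_password: str) -> str:
    """Prepare locally, change remotely, then finish/fail/defer; returns the new state."""
    prepare_change(s, new_password)
    status = dc.server_password_set(account, derive_key(s.current), derive_key(new_password))
    if status == "NT_STATUS_OK":
        finish_change(s)
    elif status is None:
        defer_change(s, "no response from DC")
    else:
        failed_change(s, status)
    return s.state


def recover(s: TrustSecrets, dc: FakeDC, account: str) -> str:
    """After a deferred/failed change, learn which password the DC holds and settle."""
    label = find_working_key(s, dc, account)
    if label == "next":
        finish_change(s)                     # the remote change did happen after all
    elif label == "current":
        s.next, s.state, s.last_error = None, "idle", None   # it did not; retry later
    return s.state
```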
commit d41f361e86c61929cf02e9465a7b81c56c4d4215
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon May 22 15:36:29 2017 +0200
s3:trusts_util: pass dcname to trust_pw_change()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 1421abfc733247a6b71eefd819dfeae7151a6d78)
commit 324af7571c9fe96c77ff3dce1adcceb2870a53ab
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed May 24 05:56:32 2017 +0200
s3:secrets: use secrets_delete for all keys in secrets_delete_machine_password_ex()
We just want all values to be removed at the end, it doesn't matter
if they didn't exist before.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit bfe35abc1fb15e70a99fa74d064051a1ad541ed0)
commit 748172221a6a359ced903abaf3a6d83a819e214c
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon May 22 12:44:31 2017 +0200
s3:secrets: let secrets_delete_machine_password_ex() also remove the des_salt key
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit dfaadc81925e313901c9b30cd98a4b4fd2404f9d)
commit 36ae6bcf40735e343bcc0b0f3198813a8f6af0c3
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon May 22 12:40:05 2017 +0200
s3:secrets: let secrets_delete_machine_password_ex() remove SID and GUID too
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit cf8a4646fe71a974b6a5ee13ae7d7751a5a0adc9)
commit fc8506dcf9de9ba3a80c9c890ff0311d4d16ae3f
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon May 22 12:31:01 2017 +0200
s3:secrets: rewrite secrets_delete_machine_password_ex() using helper variables
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 5bc2764fe517748c03a57b61f2f7ef889c92825d)
commit bce615d2e33359f7192772e8960767eb4355c71c
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed May 24 06:44:32 2017 +0200
s3:secrets: replace secrets_delete_prev_machine_password() by secrets_delete()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 5b95cb74e7b2838d228f9773c0e20982b81d1e7d)
commit c54cf09ea1de341be178fc79448e8845d6a0bbfc
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon May 22 12:27:45 2017 +0200
s3:secrets: let secrets_store_machine_pw_sync() delete the des_salt_key when there's no value
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 45eea321a6faa6db1c9c706a27527cc0766dc831)
commit dd0f49a6d37088f1e17b11a5db79cf9f063ee606
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon May 22 12:21:37 2017 +0200
s3:secrets: make use of secrets_delete() in secrets_store_machine_pw_sync()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit c5ded1123797b2bd152b0989e24eba7cae6a5792)
commit 4e649f7a416b5c877f01c57b8e5a31753436c61c
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon May 22 12:21:37 2017 +0200
s3:secrets: re-add secrets_delete() helper to simplify deleting optional keys
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit fde4af1c329655d7ef3f55727632b3f026a3ea73)
commit 45ed7f339393e3d29e413087b12e898c37dd91a0
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jun 20 13:07:15 2017 +0200
s3:secrets: rename secrets_delete() to secrets_delete_entry()
secrets_delete_entry() fails if the key doesn't exist.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit cd1e888773c4fd3db63ce38a496fc3d54eb8e021)
commit e67bc70a04d6f3686ff690bc0711bc4480f54817
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon May 22 12:18:33 2017 +0200
s3:secrets: make use of des_salt_key() in secrets_store_machine_pw_sync()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 4e37d7805b345d80ca6e8a598e39fc81f72a27ce)
commit f8dc7f36c0ec080a32c21cff2e5f6ddb1e2c054a
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Jun 21 19:38:15 2017 +0200
s3:secrets: add some const to secrets_store_domain_guid()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 99013685a1114829579e420df3625ed79eb7ee94)
commit f29745546d1fffeb14cf332b035b2f19eba68cc0
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon May 22 12:10:45 2017 +0200
s3:secrets: split out a domain_guid_keystr() function
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit d37e30cef7906b7b2b14351ad81d0d884811557b)
commit 3341df2252198aa0d94552f5a24315f602d1e74c
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon May 22 11:38:12 2017 +0200
s3:secrets: rework des_salt_key() to take the realm as argument
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 072dd87e639d7dbfc583ede5ddf6559d9d433b8b)
commit cfba2c40d30cab29dd4e2140f3274c8c67b11d24
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri May 19 17:17:00 2017 +0200
s3:secrets: move kerberos_secrets_*salt related functions to machine_account_secrets.c
These don't use any krb5_context related functions and they just
work on secrets.tdb, so they really belong to machine_account_secrets.c.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 504b446d8dc7410ad63eba9d214e9cf271cf3b2f)
commit f68f8f63535583f283002958ee76a6e2fb9f2efb
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri May 19 17:09:20 2017 +0200
s3:libads: remove unused kerberos_fetch_salt_princ_for_host_princ()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 1a26805ad9f19f02a52d9eaa4f2f11ff20ee76ac)
commit 0ce8cd86b8c1ecbb3d50c9a433b36be3d2f4ad4e
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri May 19 17:08:24 2017 +0200
s3:libads: make use of kerberos_secrets_fetch_salt_princ() in ads_keytab_add_entry()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit b0928a2687a9ffe92ebdce7b5252781d62e7e02d)
commit bf905639359574dfdc8a4c1e4908856ba0571ab9
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri May 19 17:04:36 2017 +0200
s3:libnet: make use of kerberos_secrets_fetch_salt_princ()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 51ae7b42d4d52016b39b79447a3e28d473e676cb)
commit 14add2cc7b370acbbb2ef38e8fe76dd812152cdc
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri May 19 16:28:42 2017 +0200
s3:gse_krb5: simplify fill_keytab_from_password() by using kerberos_fetch_salt_princ()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 1d1cf9792f9227e65857c85ff66a961331e3c16e)
commit 6e1f7e2f0091cd9d9779d4bdd1d1f253f5d64214
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri May 19 16:15:34 2017 +0200
s3:libads: provide a simpler kerberos_fetch_salt_princ() function
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 5fe939e32cdaf7bb5b6dac67e7b0118ce65846be)
commit bfccba416eb0ee2194e20238199fbf331b8e95a2
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri May 19 16:01:55 2017 +0200
s3:libads: remove kerberos_secrets_fetch_salting_principal() fallback
The handling for per encryption type salts was removed in
Samba 3.0.23a (Jul 21, 2006). It's very unlikely that someone
has such an installation that got constantly upgraded over 10 years
without an automatic password change or rejoin. It also means
that the KDC only has a salt-less arcfour-hmac-md5 key together
with the salted des keys. So there would only be a problem
if the client would try to use a des key to contact the smb server.
Having this legacy code adds quite some complexity for no
good reason.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 487b4717b58a6f1ba913708ce8419145b7f4fac8)
commit beb5f2bbb912ae9ae654bac35263160eb0c7ae53
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu May 18 16:02:44 2017 +0200
s3:libnet_join: move kerberos_secrets_store_des_salt() to libnet_join_joindomain_store_secrets()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 7d2eea39112fd69d2b710181b23301562efea387)
commit 4e5c9b5e12561759524769757132e8d3328e224f
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu May 18 15:59:00 2017 +0200
s3:libnet_join: move libnet_join_joindomain_store_secrets() to libnet_join_post_processing()
We should not store the secrets before we did all remote changes
(except the optional dns updates).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit a922e01baeccedc3ffc8a893f1d6072bb203220f)
commit cb36b6175f172870abca011187487eff5ec1ff87
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu May 18 15:52:59 2017 +0200
s3:libnet_join: call do_JoinConfig() after we did remote changes on the server
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 559de1e7236fd4a38f2a1f9980216db95d0430ce)
commit 1b648aac145dfcc87d4ef55ff581d81dc176bd0a
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu May 18 15:50:49 2017 +0200
s3:libnet_join: split libnet_join_post_processing_ads() into modify/sync
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 0ab7944a2b00df4aa155a239c86f97e4e731b864)
commit b098b48f66cf5c3ef0a88913335d2f5805cdd96d
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu May 18 15:48:49 2017 +0200
s3:libnet_join: move kerberos_secrets_store_des_salt() out of libnet_join_derive_salting_principal()
We should separate the calculation and the storing steps.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 0c65d5f41023076fd201c3a179df77dd615cdb01)
commit e7099728c0bb783ed673cff12271ad4fedaa767d
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu May 18 15:40:25 2017 +0200
s3:libnet_join: remember r->out.krb5_salt in libnet_join_derive_salting_principal()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 549c9d9a07d3002442cbbb7a90d0a7fef4a92bff)
commit 15cefb9081e3b8611b3bc3a433d350d2beac2ae5
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu May 18 15:38:26 2017 +0200
s3:libnet_join.idl: add krb5_salt to libnet_JoinCtx
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 3b13e4d2d0f73c6374ffdae57528cd1a7f333792)
commit d353c40d3c4de6fba79ec0655efb28e70632a9f4
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed May 17 15:45:22 2017 +0200
s3:libnet_join: remember the domain_guid for AD domains
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit fc2bad0cf34fca5e65fba7e036acf1d8c61f05c0)
commit 0c9f0d5ed6ec3467f628cdfe2f64109852b616b7
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed May 17 15:45:22 2017 +0200
s3:libnet_join.idl: return the domain_guid in libnet_JoinCtx
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 03e455f5a815ce2134e216dc28929646a964384f)
commit 43cce73b9730cbdd33bd376906b55a2171688ba5
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed May 17 13:53:19 2017 +0200
s3:libnet_join: calculate r->out.account_name in libnet_join_pre_processing()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 826223cc8d36871c2bcb37fe23241f1dbe99a0db)
commit b76556fc88b4588c0750299161146ee8c39c5951
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed May 17 12:42:04 2017 +0200
s3:libnet_join: remove dead code from libnet_join_connect_ads()
username[strlen(username)] is *always* '\0'!
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 5958c6790fbceb39065353c07fe25f74ddf09ef0)
commit 691d69f80b895b5bdc921332ba95b216a43cb706
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu May 18 11:32:46 2017 +0200
krb5_wrap: add smb_krb5_salt_principal2data()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit ec2da944d304852d76137e8f9d234462bc807c6b)
commit ea40c72fb8e63b5dc42310ebc8a139309a1b4374
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed May 17 17:13:02 2017 +0200
krb5_wrap: add smb_krb5_salt_principal()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 5df46700cfb0a15fec2d366e12728cd497188741)
commit cf5d62e85498fa76d95a6f39423af9ccd5d24b4c
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed May 17 16:13:37 2017 +0200
s3:libads: remove unused kerberos_secrets_store_salting_principal()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit c56043a94a10c76a220ce3c7eb7cb8cf2e992cab)
commit 5687cb0229405117736d8ba93f41f52541cf314a
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed May 17 15:05:51 2017 +0200
s3:librpc: let NDR_SECRETS depend on NDR_SECURITY
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 4260b52a399667bcdbaa375a20952237ff68449c)
commit 6297a357c42e1e30e4a1e121c4f9657768268a98
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Jun 12 17:58:46 2017 +0200
idl_types.h: add NDR_SECRET shortcut
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 969ab12c56cd12dcc0e63e9b662397c1604a0cc0)
commit 48a9a30a3cac5de643531622d760413b9c8e20d0
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Jun 12 17:58:20 2017 +0200
librpc/ndr: add LIBNDR_FLAG_IS_SECRET handling
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 32aa3a199dfd61eb5982e158008964b4747599b8)
commit e73f37ddce0f6d635fcce038f1865bb754fbf260
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Jun 12 15:22:42 2017 +0200
librpc/ndr: align the definition of LIBNDR_STRING_FLAGS with currently defined flags
The range included the unused (1<<14) before.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 91d8272e8604b5d87bcc0ce365b553bc760c8ed3)
commit 4e323aed36b03de8cd7157ff624078733df92d97
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Jun 12 18:58:49 2017 +0200
pidl:NDR/Parser: add missing {start,end}_flags() to ParseElementPrint()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 81bbfb010599b65308aca89cc50532372ca4cb00)
commit ce91c2e27b68720a22d68ca8fcb61ab1e811db16
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Jul 10 11:29:58 2017 +0200
s3:smbd: consistently use talloc_tos() memory for rpc_pipe_open_interface()
The result is only used temporarily and should not be leaked on a long-term
memory context such as 'conn'.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12890
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 77cbced5d2f8bf65c8d02f5edfaba8cbad519d08)
commit 8ac00afe1072e917a25ea8925c8ade18d211d562
Author: Ralph Boehme <slow at samba.org>
Date: Fri Jul 7 13:12:19 2017 +0200
selftest: add a test for accessing previous version of directories with snapdirseverywhere
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12885
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Sat Jul 8 00:33:51 CEST 2017 on sn-devel-144
(cherry picked from commit cc9ba98c08665e0ed6927fd81fa43a7bb7842e45)
commit 7916e1a9efa0196dcdadc27ce8bec107026d9646
Author: Ralph Boehme <slow at samba.org>
Date: Fri Jul 7 12:57:57 2017 +0200
s3/smbd: let non_widelink_open() chdir() to directories directly
If the caller passes O_DIRECTORY we just try to chdir() to smb_fname
directly, not to the parent directory.
The security check in check_reduced_name() will continue to work, but
this fixes the case of an open() for a previous version of a
subdirectory that contains snapshots.
E.g.:
[share]
path = /shares/test
vfs objects = shadow_copy2
shadow:snapdir = .snapshots
shadow:snapdirseverywhere = yes
Directory tree with fake snapshots:
$ tree -a /shares/test/
/shares/test/
├── dir
│ ├── file
│ └── .snapshots
│ └── @GMT-2017.07.04-04.30.12
│ └── file
├── dir2
│ └── file
├── file
├── .snapshots
│ └── @GMT-2001.01.01-00.00.00
│ ├── dir2
│ │ └── file
│ └── file
└── testfsctl.dat
./bin/smbclient -U slow%x //localhost/share -c 'ls @GMT-2017.07.04-04.30.12/dir/*'
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \@GMT-2017.07.04-04.30.12\dir\*
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12885
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit b886a9443d49f6e27fa3863d87c9e24d12e62874)
commit 80aeac8bd06d1a4a62e31e5306545efd92ddffa1
Author: Garming Sam <garming at catalyst.net.nz>
Date: Thu Jun 1 14:36:07 2017 +1200
dnsserver: Stop dns_name_equal doing OOB read
This has been the cause of a large number of flakey autobuilds. Every
now and again dns_name_equal would not be equal between two empty
strings, thus causing failures.
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12813
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Thu Jun 1 19:34:38 CEST 2017 on sn-devel-144
(cherry picked from commit 5ccfd38156ddf2435df15600638cde8ed020958f)
commit 04676d6feb0500df24149fe7abebe0bfbd2a2f43
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Apr 20 14:08:20 2017 +1200
selftest: Do not enable inbound replication during replica_sync
Instead we should use the forced=True to only do a very specific
replication, and so avoid noise from any other DC also live
on the network. This extra replication in turn causes (and this
patch fixes) flapping replica_sync tests.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12753
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Sat Apr 22 05:19:11 CEST 2017 on sn-devel-144
(cherry picked from commit 52349a7e69a933cbfe410241c7ad80d012886e02)
-----------------------------------------------------------------------
Summary of changes:
lib/krb5_wrap/krb5_samba.c | 187 ++++
lib/krb5_wrap/krb5_samba.h | 10 +
libcli/auth/netlogon_creds_cli.c | 78 +-
libcli/auth/netlogon_creds_cli.h | 16 +-
libcli/auth/proto.h | 2 +-
libcli/auth/smbencrypt.c | 2 +-
librpc/idl/idl_types.h | 6 +
librpc/idl/lsa.idl | 2 +-
librpc/idl/netlogon.idl | 6 +-
librpc/ndr/libndr.h | 24 +-
librpc/ndr/ndr.c | 23 +
librpc/ndr/ndr_basic.c | 44 +
pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm | 4 +
selftest/target/Samba3.pm | 10 +
source3/include/proto.h | 1 +
source3/include/secrets.h | 38 +-
source3/libads/kerberos.c | 200 ----
source3/libads/kerberos_keytab.c | 14 +-
source3/libads/kerberos_proto.h | 8 -
source3/libads/util.c | 106 +-
source3/libnet/libnet_join.c | 127 ++-
source3/libnet/libnet_keytab.c | 5 +-
source3/librpc/crypto/gse_krb5.c | 40 +-
source3/librpc/idl/libnet_join.idl | 4 +-
source3/librpc/idl/secrets.idl | 92 +-
source3/librpc/wscript_build | 2 +-
source3/libsmb/trusts_util.c | 276 ++++-
source3/passdb/machine_account_secrets.c | 1661 ++++++++++++++++++++++++++--
source3/passdb/secrets.c | 25 +-
source3/passdb/secrets_lsa.c | 2 +-
source3/rpc_client/cli_netlogon.c | 15 +-
source3/rpcclient/cmd_netlogon.c | 2 +
source3/script/tests/test_shadow_copy.sh | 23 +
source3/smbd/lanman.c | 20 +-
source3/smbd/open.c | 30 +-
source3/smbd/reply.c | 2 +-
source3/utils/net.c | 142 ++-
source3/utils/net_rpc.c | 8 +
source3/winbindd/winbindd_dual.c | 1 +
source3/winbindd/winbindd_dual_srv.c | 2 +
source4/rpc_server/dnsserver/dnsdata.c | 4 +-
source4/torture/drs/python/replica_sync.py | 51 -
42 files changed, 2744 insertions(+), 571 deletions(-)
Changeset truncated at 500 lines:
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index 4fbc2e0..6a863bd 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -422,6 +422,193 @@ int smb_krb5_get_pw_salt(krb5_context context,
#error UNKNOWN_SALT_FUNCTIONS
#endif
+/**
+ * @brief This constructs the salt principal used by active directory
+ *
+ * Most Kerberos encryption types require a salt in order to
+ * calculate the long term private key for user/computer object
+ * based on a password.
+ *
+ * The returned _salt_principal is a string in forms like this:
+ * - host/somehost.example.com at EXAMPLE.COM
+ * - SomeAccount at EXAMPLE.COM
+ * - SomePrincipal at EXAMPLE.COM
+ *
+ * This is not the form that's used as salt, it's just
+ * the human readable form. It needs to be converted by
+ * smb_krb5_salt_principal2data().
+ *
+ * @param[in] realm The realm the user/computer is added too.
+ *
+ * @param[in] sAMAccountName The sAMAccountName attribute of the object.
+ *
+ * @param[in] userPrincipalName The userPrincipalName attribute of the object
+ * or NULL is not available.
+ *
+ * @param[in] is_computer The indication of the object includes
+ * objectClass=computer.
+ *
+ * @param[in] mem_ctx The TALLOC_CTX to allocate _salt_principal.
+ *
+ * @param[out] _salt_principal The resulting principal as string.
+ *
+ * @retval 0 Success; otherwise - Kerberos error codes
+ *
+ * @see smb_krb5_salt_principal2data
+ */
+int smb_krb5_salt_principal(const char *realm,
+ const char *sAMAccountName,
+ const char *userPrincipalName,
+ bool is_computer,
+ TALLOC_CTX *mem_ctx,
+ char **_salt_principal)
+{
+ TALLOC_CTX *frame = talloc_stackframe();
+ char *upper_realm = NULL;
+ const char *principal = NULL;
+ int principal_len = 0;
+
+ *_salt_principal = NULL;
+
+ if (sAMAccountName == NULL) {
+ TALLOC_FREE(frame);
+ return EINVAL;
+ }
+
+ if (realm == NULL) {
+ TALLOC_FREE(frame);
+ return EINVAL;
+ }
+
+ upper_realm = strupper_talloc(frame, realm);
+ if (upper_realm == NULL) {
+ TALLOC_FREE(frame);
+ return ENOMEM;
+ }
+
+ /* Many, many thanks to lukeh at padl.com for this
+ * algorithm, described in his Nov 10 2004 mail to
+ * samba-technical at lists.samba.org */
+
+ /*
+ * Determine a salting principal
+ */
+ if (is_computer) {
+ int computer_len = 0;
+ char *tmp = NULL;
+
+ computer_len = strlen(sAMAccountName);
+ if (sAMAccountName[computer_len-1] == '$') {
+ computer_len -= 1;
+ }
+
+ tmp = talloc_asprintf(frame, "host/%*.*s.%s",
+ computer_len, computer_len,
+ sAMAccountName, realm);
+ if (tmp == NULL) {
+ TALLOC_FREE(frame);
+ return ENOMEM;
+ }
+
+ principal = strlower_talloc(frame, tmp);
+ TALLOC_FREE(tmp);
+ if (principal == NULL) {
+ TALLOC_FREE(frame);
+ return ENOMEM;
+ }
+ principal_len = strlen(principal);
+
+ } else if (userPrincipalName != NULL) {
+ char *p;
+
+ principal = userPrincipalName;
+ p = strchr(principal, '@');
+ if (p != NULL) {
+ principal_len = PTR_DIFF(p, principal);
+ } else {
+ principal_len = strlen(principal);
+ }
+ } else {
+ principal = sAMAccountName;
+ principal_len = strlen(principal);
+ }
+
+ *_salt_principal = talloc_asprintf(mem_ctx, "%*.*s@%s",
+ principal_len, principal_len,
+ principal, upper_realm);
+ if (*_salt_principal == NULL) {
+ TALLOC_FREE(frame);
+ return ENOMEM;
+ }
+
+ TALLOC_FREE(frame);
+ return 0;
+}
+
+/**
+ * @brief Converts the salt principal string into the salt data blob
+ *
+ * This function takes a salt_principal as string in forms like this:
+ * - host/somehost.example.com at EXAMPLE.COM
+ * - SomeAccount at EXAMPLE.COM
+ * - SomePrincipal at EXAMPLE.COM
+ *
+ * It generates values like:
+ * - EXAMPLE.COMhost/somehost.example.com
+ * - EXAMPLE.COMSomeAccount
+ * - EXAMPLE.COMSomePrincipal
+ *
+ * @param[in] realm The realm the user/computer is added too.
+ *
+ * @param[in] sAMAccountName The sAMAccountName attribute of the object.
+ *
+ * @param[in] userPrincipalName The userPrincipalName attribute of the object
+ * or NULL is not available.
+ *
+ * @param[in] is_computer The indication of the object includes
+ * objectClass=computer.
+ *
+ * @param[in] mem_ctx The TALLOC_CTX to allocate _salt_principal.
+ *
+ * @param[out] _salt_principal The resulting principal as string.
+ *
+ * @retval 0 Success; otherwise - Kerberos error codes
+ *
+ * @see smb_krb5_salt_principal
+ */
+int smb_krb5_salt_principal2data(krb5_context context,
+ const char *salt_principal,
+ TALLOC_CTX *mem_ctx,
+ char **_salt_data)
+{
+ krb5_error_code ret;
+ krb5_principal salt_princ = NULL;
+ krb5_data salt;
+
+ *_salt_data = NULL;
+
+ ret = krb5_parse_name(context, salt_principal, &salt_princ);
+ if (ret != 0) {
+ return ret;
+ }
+
+ ret = smb_krb5_get_pw_salt(context, salt_princ, &salt);
+ krb5_free_principal(context, salt_princ);
+ if (ret != 0) {
+ return ret;
+ }
+
+ *_salt_data = talloc_strndup(mem_ctx,
+ (char *)salt.data,
+ salt.length);
+ smb_krb5_free_data_contents(context, &salt);
+ if (*_salt_data == NULL) {
+ return ENOMEM;
+ }
+
+ return 0;
+}
+
#if defined(HAVE_KRB5_GET_PERMITTED_ENCTYPES)
/**
* @brief Get a list of encryption types allowed for session keys
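Review bot: `sAMAccountName[computer_len-1]` in the `is_computer` branch of `smb_krb5_salt_principal()` reads one byte before the buffer when `sAMAccountName` is the empty string (`computer_len == 0`); guard it with `if (computer_len > 0 && sAMAccountName[computer_len-1] == '$')` or reject an empty name next to the existing NULL check. The doc comment on `smb_krb5_salt_principal2data()` also still lists `realm`, `sAMAccountName`, `userPrincipalName`, `is_computer` and `_salt_principal`, which belong to the other function; it should describe `context`, `salt_principal`, `mem_ctx` and `_salt_data`, and the `@retval` line on `smb_krb5_salt_principal()` says "Kerberos error codes" although that function only returns errno values (`EINVAL`, `ENOMEM`).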
diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h
index c921538..5834629 100644
--- a/lib/krb5_wrap/krb5_samba.h
+++ b/lib/krb5_wrap/krb5_samba.h
@@ -352,6 +352,16 @@ krb5_error_code ms_suptypes_to_ietf_enctypes(TALLOC_CTX *mem_ctx,
int smb_krb5_get_pw_salt(krb5_context context,
krb5_const_principal host_princ,
krb5_data *psalt);
+int smb_krb5_salt_principal(const char *realm,
+ const char *sAMAccountName,
+ const char *userPrincipalName,
+ bool is_computer,
+ TALLOC_CTX *mem_ctx,
+ char **_salt_principal);
+int smb_krb5_salt_principal2data(krb5_context context,
+ const char *salt_principal,
+ TALLOC_CTX *mem_ctx,
+ char **_salt_data);
int smb_krb5_create_key_from_string(krb5_context context,
krb5_const_principal host_princ,
diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
index d55142e..29baae4 100644
--- a/libcli/auth/netlogon_creds_cli.c
+++ b/libcli/auth/netlogon_creds_cli.c
@@ -36,6 +36,7 @@
#include "source3/include/messages.h"
#include "source3/include/g_lock.h"
#include "libds/common/roles.h"
+#include "lib/crypto/crypto.h"
struct netlogon_creds_cli_locked_state;
@@ -942,9 +943,10 @@ struct netlogon_creds_cli_auth_state {
struct tevent_context *ev;
struct netlogon_creds_cli_context *context;
struct dcerpc_binding_handle *binding_handle;
- struct samr_Password current_nt_hash;
- struct samr_Password previous_nt_hash;
- struct samr_Password used_nt_hash;
+ uint8_t num_nt_hashes;
+ uint8_t idx_nt_hashes;
+ const struct samr_Password * const *nt_hashes;
+ const struct samr_Password *used_nt_hash;
char *srv_name_slash;
uint32_t current_flags;
struct netr_Credential client_challenge;
@@ -956,7 +958,6 @@ struct netlogon_creds_cli_auth_state {
bool try_auth3;
bool try_auth2;
bool require_auth2;
- bool try_previous_nt_hash;
struct netlogon_creds_cli_locked_state *locked_state;
};
@@ -967,8 +968,8 @@ struct tevent_req *netlogon_creds_cli_auth_send(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
struct netlogon_creds_cli_context *context,
struct dcerpc_binding_handle *b,
- struct samr_Password current_nt_hash,
- const struct samr_Password *previous_nt_hash)
+ uint8_t num_nt_hashes,
+ const struct samr_Password * const *nt_hashes)
{
struct tevent_req *req;
struct netlogon_creds_cli_auth_state *state;
@@ -984,12 +985,19 @@ struct tevent_req *netlogon_creds_cli_auth_send(TALLOC_CTX *mem_ctx,
state->ev = ev;
state->context = context;
state->binding_handle = b;
- state->current_nt_hash = current_nt_hash;
- if (previous_nt_hash != NULL) {
- state->previous_nt_hash = *previous_nt_hash;
- state->try_previous_nt_hash = true;
+ if (num_nt_hashes < 1) {
+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
+ return tevent_req_post(req, ev);
+ }
+ if (num_nt_hashes > 4) {
+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
+ return tevent_req_post(req, ev);
}
+ state->num_nt_hashes = num_nt_hashes;
+ state->idx_nt_hashes = 0;
+ state->nt_hashes = nt_hashes;
+
if (context->db.locked_state != NULL) {
tevent_req_nterror(req, NT_STATUS_LOCK_NOT_GRANTED);
return tevent_req_post(req, ev);
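Review bot: the upper bound `if (num_nt_hashes > 4)` is a bare literal; a named constant shared with the callers would make the limit discoverable and keep it in sync with the `uint8_t idx_nt_hashes` iteration. `nt_hashes` itself is stored without a NULL check and is later dereferenced as `state->nt_hashes[state->idx_nt_hashes]`; if callers may legitimately pass NULL, fold that into the same `NT_STATUS_INVALID_PARAMETER_MIX` check, otherwise state in the header that it must be non-NULL.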
@@ -1019,7 +1027,7 @@ struct tevent_req *netlogon_creds_cli_auth_send(TALLOC_CTX *mem_ctx,
state->require_auth2 = true;
}
- state->used_nt_hash = state->current_nt_hash;
+ state->used_nt_hash = state->nt_hashes[state->idx_nt_hashes];
state->current_flags = context->client.proposed_flags;
if (context->db.g_ctx != NULL) {
@@ -1141,7 +1149,7 @@ static void netlogon_creds_cli_auth_challenge_done(struct tevent_req *subreq)
state->context->client.type,
&state->client_challenge,
&state->server_challenge,
- &state->used_nt_hash,
+ state->used_nt_hash,
&state->client_credential,
state->current_flags);
if (tevent_req_nomem(state->creds, req)) {
@@ -1283,7 +1291,8 @@ static void netlogon_creds_cli_auth_srvauth_done(struct tevent_req *subreq)
return;
}
- if (!state->try_previous_nt_hash) {
+ state->idx_nt_hashes += 1;
+ if (state->idx_nt_hashes >= state->num_nt_hashes) {
/*
* we already retried, giving up...
*/
@@ -1294,8 +1303,7 @@ static void netlogon_creds_cli_auth_srvauth_done(struct tevent_req *subreq)
/*
* lets retry with the old nt hash.
*/
- state->try_previous_nt_hash = false;
- state->used_nt_hash = state->previous_nt_hash;
+ state->used_nt_hash = state->nt_hashes[state->idx_nt_hashes];
state->current_flags = state->context->client.proposed_flags;
netlogon_creds_cli_auth_challenge_start(req);
return;
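Review bot: the comment `lets retry with the old nt hash.` is now stale; the code advances to the next entry of `nt_hashes`, whose ordering is the caller's choice and no longer necessarily "old". Reword it to something like "retry with the next nt hash in the array" so the comment matches the loop.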
@@ -1330,43 +1338,52 @@ static void netlogon_creds_cli_auth_srvauth_done(struct tevent_req *subreq)
tevent_req_done(req);
}
-NTSTATUS netlogon_creds_cli_auth_recv(struct tevent_req *req)
+NTSTATUS netlogon_creds_cli_auth_recv(struct tevent_req *req,
+ uint8_t *idx_nt_hashes)
{
+ struct netlogon_creds_cli_auth_state *state =
+ tevent_req_data(req,
+ struct netlogon_creds_cli_auth_state);
NTSTATUS status;
+ *idx_nt_hashes = 0;
+
if (tevent_req_is_nterror(req, &status)) {
tevent_req_received(req);
return status;
}
+ *idx_nt_hashes = state->idx_nt_hashes;
tevent_req_received(req);
return NT_STATUS_OK;
}
NTSTATUS netlogon_creds_cli_auth(struct netlogon_creds_cli_context *context,
struct dcerpc_binding_handle *b,
- struct samr_Password current_nt_hash,
- const struct samr_Password *previous_nt_hash)
+ uint8_t num_nt_hashes,
+ const struct samr_Password * const *nt_hashes,
+ uint8_t *idx_nt_hashes)
{
TALLOC_CTX *frame = talloc_stackframe();
struct tevent_context *ev;
struct tevent_req *req;
NTSTATUS status = NT_STATUS_NO_MEMORY;
+ *idx_nt_hashes = 0;
+
ev = samba_tevent_context_init(frame);
if (ev == NULL) {
goto fail;
}
req = netlogon_creds_cli_auth_send(frame, ev, context, b,
- current_nt_hash,
- previous_nt_hash);
+ num_nt_hashes, nt_hashes);
if (req == NULL) {
goto fail;
}
if (!tevent_req_poll_ntstatus(req, ev, &status)) {
goto fail;
}
- status = netlogon_creds_cli_auth_recv(req);
+ status = netlogon_creds_cli_auth_recv(req, idx_nt_hashes);
fail:
TALLOC_FREE(frame);
return status;
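Review bot: both `netlogon_creds_cli_auth_recv()` and `netlogon_creds_cli_auth()` write `*idx_nt_hashes = 0;` unconditionally, so a NULL output pointer from a caller that does not care which hash succeeded will crash. Either document in the header that the argument is mandatory or make the stores conditional on `idx_nt_hashes != NULL`.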
@@ -1734,7 +1751,7 @@ struct tevent_req *netlogon_creds_cli_ServerPasswordSet_send(TALLOC_CTX *mem_ctx
struct tevent_context *ev,
struct netlogon_creds_cli_context *context,
struct dcerpc_binding_handle *b,
- const char *new_password,
+ const DATA_BLOB *new_password,
const uint32_t *new_version)
{
struct tevent_req *req;
@@ -1752,20 +1769,21 @@ struct tevent_req *netlogon_creds_cli_ServerPasswordSet_send(TALLOC_CTX *mem_ctx
state->context = context;
state->binding_handle = b;
- /*
- * netr_ServerPasswordSet
- */
- ok = E_md4hash(new_password, state->samr_password.hash);
- if (!ok) {
+ if (new_password->length < 14) {
tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
return tevent_req_post(req, ev);
}
/*
+ * netr_ServerPasswordSet
+ */
+ mdfour(state->samr_password.hash, new_password->data, new_password->length);
+
+ /*
* netr_ServerPasswordSet2
*/
- ok = encode_pw_buffer(state->samr_crypt_password.data,
- new_password, STR_UNICODE);
+ ok = set_pw_in_buffer(state->samr_crypt_password.data,
+ new_password);
if (!ok) {
tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
return tevent_req_post(req, ev);
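Review bot: the new `if (new_password->length < 14)` check uses an unexplained literal; add a comment or a named constant stating why 14 bytes is the minimum, since neither `mdfour()` nor `set_pw_in_buffer()` below (which only enforces the 512-byte maximum) implies it. This check also replaces the previous `E_md4hash()` failure path, so the `NT_STATUS_INVALID_PARAMETER_MIX` now reports a short blob rather than a conversion failure; that change in meaning is worth a line in the commit message.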
@@ -2035,7 +2053,7 @@ NTSTATUS netlogon_creds_cli_ServerPasswordSet_recv(struct tevent_req *req)
NTSTATUS netlogon_creds_cli_ServerPasswordSet(
struct netlogon_creds_cli_context *context,
struct dcerpc_binding_handle *b,
- const char *new_password,
+ const DATA_BLOB *new_password,
const uint32_t *new_version)
{
TALLOC_CTX *frame = talloc_stackframe();
diff --git a/libcli/auth/netlogon_creds_cli.h b/libcli/auth/netlogon_creds_cli.h
index 949e03b..a7fd48c 100644
--- a/libcli/auth/netlogon_creds_cli.h
+++ b/libcli/auth/netlogon_creds_cli.h
@@ -84,13 +84,15 @@ struct tevent_req *netlogon_creds_cli_auth_send(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
struct netlogon_creds_cli_context *context,
struct dcerpc_binding_handle *b,
- struct samr_Password current_nt_hash,
- const struct samr_Password *previous_nt_hash);
-NTSTATUS netlogon_creds_cli_auth_recv(struct tevent_req *req);
+ uint8_t num_nt_hashes,
+ const struct samr_Password * const *nt_hashes);
+NTSTATUS netlogon_creds_cli_auth_recv(struct tevent_req *req,
+ uint8_t *idx_nt_hashes);
NTSTATUS netlogon_creds_cli_auth(struct netlogon_creds_cli_context *context,
struct dcerpc_binding_handle *b,
- struct samr_Password current_nt_hash,
- const struct samr_Password *previous_nt_hash);
+ uint8_t num_nt_hashes,
+ const struct samr_Password * const *nt_hashes,
+ uint8_t *idx_nt_hashes);
struct tevent_req *netlogon_creds_cli_check_send(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
@@ -104,13 +106,13 @@ struct tevent_req *netlogon_creds_cli_ServerPasswordSet_send(TALLOC_CTX *mem_ctx
struct tevent_context *ev,
struct netlogon_creds_cli_context *context,
struct dcerpc_binding_handle *b,
- const char *new_password,
+ const DATA_BLOB *new_password,
const uint32_t *new_version);
NTSTATUS netlogon_creds_cli_ServerPasswordSet_recv(struct tevent_req *req);
NTSTATUS netlogon_creds_cli_ServerPasswordSet(
struct netlogon_creds_cli_context *context,
struct dcerpc_binding_handle *b,
- const char *new_password,
+ const DATA_BLOB *new_password,
const uint32_t *new_version);
struct tevent_req *netlogon_creds_cli_LogonSamLogon_send(TALLOC_CTX *mem_ctx,
diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h
index cc9ae33..a03f45e 100644
--- a/libcli/auth/proto.h
+++ b/libcli/auth/proto.h
@@ -187,7 +187,7 @@ void encode_or_decode_arc4_passwd_buffer(unsigned char pw_buf[532], const DATA_B
encode a password buffer with an already unicode password. The
rest of the buffer is filled with random data to make it harder to attack.
************************************************************/
-bool set_pw_in_buffer(uint8_t buffer[516], DATA_BLOB *password);
+bool set_pw_in_buffer(uint8_t buffer[516], const DATA_BLOB *password);
/***********************************************************
decode a password buffer
diff --git a/libcli/auth/smbencrypt.c b/libcli/auth/smbencrypt.c
index ebf6812..afd9286 100644
--- a/libcli/auth/smbencrypt.c
+++ b/libcli/auth/smbencrypt.c
@@ -804,7 +804,7 @@ void encode_or_decode_arc4_passwd_buffer(unsigned char pw_buf[532], const DATA_B
encode a password buffer with an already unicode password. The
rest of the buffer is filled with random data to make it harder to attack.
************************************************************/
-bool set_pw_in_buffer(uint8_t buffer[516], DATA_BLOB *password)
+bool set_pw_in_buffer(uint8_t buffer[516], const DATA_BLOB *password)
{
if (password->length > 512) {
return false;
diff --git a/librpc/idl/idl_types.h b/librpc/idl/idl_types.h
--
Samba Shared Repository