[SCM] Samba Shared Repository - branch v4-8-test updated
Karolin Seeger
kseeger at samba.org
Tue Dec 4 17:37:04 UTC 2018
The branch, v4-8-test has been updated
via 6d9c94e82c0 CVE-2018-16853: fix crash in expired password case
via c4c0a23a34c CVE-2018-16853: Do not segfault if client is not set
via e57433c46ba CVE-2018-16853: Add a test to verify s4u2self doesn't crash
via fb634be8327 CVE-2018-16853: The ticket in check_policy_as can actually be a TGS
via 1c4004425d0 CVE-2018-16853: Fix kinit test on system lacking ldbsearch
via c33afb1e2c9 libcli/smb: don't overwrite status code
via 50c2d78c270 s4:torture/smb2/session: test smbXcli_session_set_disconnect_expired() works
from 903c3a0fb67 vfs_zfsacl: return synthesized ACL when ZFS return ENOTSUP
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-8-test
- Log -----------------------------------------------------------------
commit 6d9c94e82c0cc9fa314de2ad8969d01bac11bd0f
Author: Isaac Boukris <iboukris at gmail.com>
Date: Wed Nov 7 22:53:35 2018 +0200
CVE-2018-16853: fix crash in expired password case
When calling encode_krb5_padata_sequence() make sure to
pass a null terminated array as required.
Fixes expired password case in samba4.blackbox.kinit test.
Signed-off-by: Isaac Boukris <iboukris at gmail.com>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Autobuild-User(v4-8-test): Karolin Seeger <kseeger at samba.org>
Autobuild-Date(v4-8-test): Tue Dec 4 18:36:56 CET 2018 on sn-devel-144
commit c4c0a23a34cfe21484f2dbc2830d85aff5929724
Author: Andreas Schneider <asn at samba.org>
Date: Wed Sep 28 07:22:32 2016 +0200
CVE-2018-16853: Do not segfault if client is not set
This can be triggered with FAST but we don't support this yet.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13571
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit e57433c46ba8429f633a739052139de1e29c2b23
Author: Isaac Boukris <iboukris at gmail.com>
Date: Sat Aug 18 16:01:59 2018 +0300
CVE-2018-16853: Add a test to verify s4u2self doesn't crash
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13571
Signed-off-by: Isaac Boukris <iboukris at gmail.com>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit fb634be8327f48f5401f7f10013cd01599932af2
Author: Isaac Boukris <iboukris at gmail.com>
Date: Sat Aug 18 00:40:30 2018 +0300
CVE-2018-16853: The ticket in check_policy_as can actually be a TGS
This happens when we are called from S4U2Self flow, and in that case
kdcreq->client is NULL. Use the name from client entry instead.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13571
Signed-off-by: Isaac Boukris <iboukris at gmail.com>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 1c4004425d08492ae9ea53ef96297c858aa6b1b8
Author: Isaac Boukris <iboukris at gmail.com>
Date: Sat Aug 18 15:32:43 2018 +0300
CVE-2018-16853: Fix kinit test on system lacking ldbsearch
By fixing bindir variable name.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13571
Signed-off-by: Isaac Boukris <iboukris at gmail.com>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit c33afb1e2c9285ed399bd2f07f0626edabbbe555
Author: Ralph Boehme <slow at samba.org>
Date: Wed Nov 7 14:00:25 2018 +0100
libcli/smb: don't overwrite status code
The original commit c5cd22b5bbce724dcd68fe94320382b3f772cabf from bug
9175 never worked, as the preceding signing check overwrote the status
variable.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=9175
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Tue Nov 13 17:28:45 CET 2018 on sn-devel-144
(cherry picked from commit 5a8583ed701be97c33a20b2a20f6bbb8ac2f8e99)
commit 50c2d78c270a6b4466bfde4ea68559fa1c03558a
Author: Ralph Boehme <slow at samba.org>
Date: Tue Nov 13 12:08:10 2018 +0100
s4:torture/smb2/session: test smbXcli_session_set_disconnect_expired() works
This adds a simple test that verifies that after having set
smbXcli_session_set_disconnect_expired() a session gets disconnected
when it expires.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=9175
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit a5d1bb5c5b5a57a2d7710dc5ab962683fe5c8e68)
-----------------------------------------------------------------------
Summary of changes:
libcli/smb/smbXcli_base.c | 12 ++--
source4/kdc/mit-kdb/kdb_samba_policies.c | 24 ++++++-
source4/kdc/mit_samba.c | 7 +-
source4/torture/smb2/session.c | 110 +++++++++++++++++++++++++++++++
testprogs/blackbox/test_kinit_mit.sh | 20 ++++--
5 files changed, 159 insertions(+), 14 deletions(-)
Changeset truncated at 500 lines:
diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
index 512cbd8c6f4..3f65216a669 100644
--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
@@ -3907,15 +3907,17 @@ static NTSTATUS smb2cli_conn_dispatch_incoming(struct smbXcli_conn *conn,
}
if (signing_key) {
- status = smb2_signing_check_pdu(*signing_key,
- state->conn->protocol,
- &cur[1], 3);
- if (!NT_STATUS_IS_OK(status)) {
+ NTSTATUS signing_status;
+
+ signing_status = smb2_signing_check_pdu(*signing_key,
+ state->conn->protocol,
+ &cur[1], 3);
+ if (!NT_STATUS_IS_OK(signing_status)) {
/*
* If the signing check fails, we disconnect
* the connection.
*/
- return status;
+ return signing_status;
}
}
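Review bot: the new `NTSTATUS signing_status;` inside the `if (signing_key)` block carries no comment saying why the outer `status` must stay untouched at this point; that reasoning (the signing check used to overwrite a value that is still needed afterwards) exists only in the commit message. A one-line comment above the declaration would keep a later cleanup from folding the two variables back together and reintroducing the bug.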
diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c
index de5813bde2f..fc80329f221 100644
--- a/source4/kdc/mit-kdb/kdb_samba_policies.c
+++ b/source4/kdc/mit-kdb/kdb_samba_policies.c
@@ -81,6 +81,7 @@ krb5_error_code kdb_samba_db_check_policy_as(krb5_context context,
char *netbios_name = NULL;
char *realm = NULL;
bool password_change = false;
+ krb5_const_principal client_princ;
DATA_BLOB int_data = { NULL, 0 };
krb5_data d;
krb5_pa_data **e_data;
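Review bot: `krb5_const_principal client_princ;` is declared without an initialiser, while the neighbouring locals (`char *netbios_name = NULL;`, `char *realm = NULL;`) are all initialised. Suggest `krb5_const_principal client_princ = NULL;` so that any exit path added between the declaration and the assignment cannot read an indeterminate pointer.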
@@ -90,7 +91,10 @@ krb5_error_code kdb_samba_db_check_policy_as(krb5_context context,
return KRB5_KDB_DBNOTINITED;
}
- if (ks_is_kadmin(context, kdcreq->client)) {
+ /* Prefer canonicalised name from client entry */
+ client_princ = client ? client->princ : kdcreq->client;
+
+ if (client_princ == NULL || ks_is_kadmin(context, client_princ)) {
return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
}
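Review bot: the comment `/* Prefer canonicalised name from client entry */` does not record the actual reason for the fallback. According to the commit message, `kdcreq->client` is NULL when this function is reached from the S4U2Self flow, which is what the `client_princ == NULL` test defends against. Stating that in the comment would make clear that the NULL check is a crash fix and not only a naming preference.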
@@ -111,7 +115,7 @@ krb5_error_code kdb_samba_db_check_policy_as(krb5_context context,
goto done;
}
- code = krb5_unparse_name(context, kdcreq->client, &client_name);
+ code = krb5_unparse_name(context, client_princ, &client_name);
if (code) {
goto done;
}
@@ -457,6 +461,14 @@ void kdb_samba_db_audit_as_req(krb5_context context,
krb5_timestamp authtime,
krb5_error_code error_code)
{
+ /*
+ * FIXME: This segfaulted with a FAST test
+ * FIND_FAST: <unknown client> for <unknown server>, Unknown FAST armor type 0
+ */
+ if (client == NULL) {
+ return;
+ }
+
samba_bad_password_count(client, error_code);
/* TODO: perform proper audit logging for addresses */
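Review bot: the `if (client == NULL) { return; }` guard at the top of kdb_samba_db_audit_as_req() returns silently, so an AS request that arrives without a client entry is neither counted by samba_bad_password_count() nor recorded anywhere in this function. Suggest emitting a debug-level message before the return, and rewording the FIXME so it says what work is still outstanding instead of only quoting the log line from the failing test.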
@@ -469,6 +481,14 @@ void kdb_samba_db_audit_as_req(krb5_context context,
krb5_timestamp authtime,
krb5_error_code error_code)
{
+ /*
+ * FIXME: This segfaulted with a FAST test
+ * FIND_FAST: <unknown client> for <unknown server>, Unknown FAST armor type 0
+ */
+ if (client == NULL) {
+ return;
+ }
+
samba_bad_password_count(client, error_code);
}
#endif
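Review bot: this guard and its FIXME comment are a verbatim copy of the block added to the other variant of kdb_samba_db_audit_as_req() a few lines above. Since both variants end in the same `samba_bad_password_count(client, error_code);` call, consider moving the `client == NULL` check and the call into one small static helper, so the two copies cannot drift apart when the FIXME is eventually resolved.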
diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c
index 1cd6750f5ab..8283c726487 100644
--- a/source4/kdc/mit_samba.c
+++ b/source4/kdc/mit_samba.c
@@ -855,7 +855,7 @@ krb5_error_code encode_krb5_padata_sequence(krb5_pa_data *const *rep, krb5_data
static void samba_kdc_build_edata_reply(NTSTATUS nt_status, DATA_BLOB *e_data)
{
krb5_error_code ret = 0;
- krb5_pa_data pa, *ppa = NULL;
+ krb5_pa_data pa, *ppa[2];
krb5_data *d = NULL;
if (!e_data)
@@ -876,9 +876,10 @@ static void samba_kdc_build_edata_reply(NTSTATUS nt_status, DATA_BLOB *e_data)
SIVAL(pa.contents, 4, 0);
SIVAL(pa.contents, 8, 1);
- ppa = &pa;
+ ppa[0] = &pa;
+ ppa[1] = NULL;
- ret = encode_krb5_padata_sequence(&ppa, &d);
+ ret = encode_krb5_padata_sequence(ppa, &d);
free(pa.contents);
if (ret) {
return;
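Review bot: `ppa[1] = NULL;` is the line that fixes the crash, but nothing at the call site says that encode_krb5_padata_sequence() walks the array until it meets a NULL entry, and the prototype (`krb5_pa_data *const *rep`) does not convey it either. A short comment next to `ppa[1] = NULL;` stating that the terminator is required would protect it from being removed as redundant.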
diff --git a/source4/torture/smb2/session.c b/source4/torture/smb2/session.c
index 57a5addcfcc..3917e0c09c4 100644
--- a/source4/torture/smb2/session.c
+++ b/source4/torture/smb2/session.c
@@ -1596,6 +1596,114 @@ static bool test_session_expire2e(struct torture_context *tctx)
true); /* force_encryption */
}
+static bool test_session_expire_disconnect(struct torture_context *tctx)
+{
+ NTSTATUS status;
+ bool ret = false;
+ struct smbcli_options options;
+ const char *host = torture_setting_string(tctx, "host", NULL);
+ const char *share = torture_setting_string(tctx, "share", NULL);
+ struct cli_credentials *credentials = popt_get_cmdline_credentials();
+ struct smb2_tree *tree = NULL;
+ enum credentials_use_kerberos use_kerberos;
+ char fname[256];
+ struct smb2_handle _h1;
+ struct smb2_handle *h1 = NULL;
+ struct smb2_create io1;
+ union smb_fileinfo qfinfo;
+ bool connected;
+
+ use_kerberos = cli_credentials_get_kerberos_state(credentials);
+ if (use_kerberos != CRED_MUST_USE_KERBEROS) {
+ torture_warning(tctx, "smb2.session.expire1 requires -k yes!");
+ torture_skip(tctx, "smb2.session.expire1 requires -k yes!");
+ }
+
+ cli_credentials_invalidate_ccache(credentials, CRED_SPECIFIED);
+
+ lpcfg_set_option(tctx->lp_ctx, "gensec_gssapi:requested_life_time=4");
+ lpcfg_smbcli_options(tctx->lp_ctx, &options);
+ options.signing = SMB_SIGNING_REQUIRED;
+
+ status = smb2_connect(tctx,
+ host,
+ lpcfg_smb_ports(tctx->lp_ctx),
+ share,
+ lpcfg_resolve_context(tctx->lp_ctx),
+ credentials,
+ &tree,
+ tctx->ev,
+ &options,
+ lpcfg_socket_options(tctx->lp_ctx),
+ lpcfg_gensec_settings(tctx, tctx->lp_ctx)
+ );
+ torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+ "smb2_connect failed");
+
+ smbXcli_session_set_disconnect_expired(tree->session->smbXcli);
+
+ /* Add some random component to the file name. */
+ snprintf(fname, sizeof(fname), "session_expire1_%s.dat",
+ generate_random_str(tctx, 8));
+
+ smb2_util_unlink(tree, fname);
+
+ smb2_oplock_create_share(&io1, fname,
+ smb2_util_share_access(""),
+ smb2_util_oplock_level("b"));
+ io1.in.create_options |= NTCREATEX_OPTIONS_DELETE_ON_CLOSE;
+
+ status = smb2_create(tree, tctx, &io1);
+ torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+ "smb2_create failed");
+ _h1 = io1.out.file.handle;
+ h1 = &_h1;
+ CHECK_CREATED(tctx, &io1, CREATED, FILE_ATTRIBUTE_ARCHIVE);
+ torture_assert_int_equal(tctx, io1.out.oplock_level,
+ smb2_util_oplock_level("b"),
+ "oplock_level incorrect");
+
+ /* get the security descriptor */
+
+ ZERO_STRUCT(qfinfo);
+
+ qfinfo.access_information.level = RAW_FILEINFO_ACCESS_INFORMATION;
+ qfinfo.access_information.in.file.handle = _h1;
+
+ torture_comment(tctx, "query info => OK\n");
+
+ ZERO_STRUCT(qfinfo.access_information.out);
+ status = smb2_getinfo_file(tree, tctx, &qfinfo);
+ torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+ "smb2_getinfo_file failed");
+
+ torture_comment(tctx, "sleep 10 seconds\n");
+ smb_msleep(10*1000);
+
+ torture_comment(tctx, "query info => EXPIRED\n");
+ ZERO_STRUCT(qfinfo.access_information.out);
+ status = smb2_getinfo_file(tree, tctx, &qfinfo);
+ torture_assert_ntstatus_equal_goto(tctx, status,
+ NT_STATUS_NETWORK_SESSION_EXPIRED,
+ ret, done, "smb2_getinfo_file "
+ "returned unexpected status");
+
+ connected = smbXcli_conn_is_connected(tree->session->transport->conn);
+ torture_assert_goto(tctx, !connected, ret, done, "connected\n");
+
+ ret = true;
+done:
+ cli_credentials_invalidate_ccache(credentials, CRED_SPECIFIED);
+
+ if (h1 != NULL) {
+ smb2_util_close(tree, *h1);
+ }
+
+ talloc_free(tree);
+ lpcfg_set_option(tctx->lp_ctx, "gensec_gssapi:requested_life_time=0");
+ return ret;
+}
+
bool test_session_bind1(struct torture_context *tctx, struct smb2_tree *tree1)
{
const char *host = torture_setting_string(tctx, "host", NULL);
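Review bot: test_session_expire_disconnect() still carries names copied from the expire1 test: the skip and warning strings read "smb2.session.expire1 requires -k yes!" and the file name is built from "session_expire1_%s.dat", while the test is registered as "expire_disconnect". Please rename both so a skipped run or a leftover file points at the right test. The comment `/* get the security descriptor */` also does not match the code below it, which queries RAW_FILEINFO_ACCESS_INFORMATION. Separately, the `done:` path calls `smb2_util_close(tree, *h1)` even on the success path where the test has just asserted that the connection is no longer connected; it is worth confirming that this close is harmless on a dead transport, or skipping it in that case.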
@@ -1754,6 +1862,8 @@ struct torture_suite *torture_smb2_session_init(TALLOC_CTX *ctx)
torture_suite_add_simple_test(suite, "expire1e", test_session_expire1e);
torture_suite_add_simple_test(suite, "expire2s", test_session_expire2s);
torture_suite_add_simple_test(suite, "expire2e", test_session_expire2e);
+ torture_suite_add_simple_test(suite, "expire_disconnect",
+ test_session_expire_disconnect);
torture_suite_add_1smb2_test(suite, "bind1", test_session_bind1);
suite->description = talloc_strdup(suite, "SMB2-SESSION tests");
diff --git a/testprogs/blackbox/test_kinit_mit.sh b/testprogs/blackbox/test_kinit_mit.sh
index 3e07281b8c7..f1567caa3a1 100755
--- a/testprogs/blackbox/test_kinit_mit.sh
+++ b/testprogs/blackbox/test_kinit_mit.sh
@@ -24,6 +24,7 @@ samba_srcdir="$SRCDIR/source4"
samba_kinit=kinit
samba_kdestroy=kdestroy
samba_kpasswd=kpasswd
+samba_kvno=kvno
samba_tool="$samba_bindir/samba-tool"
samba_texpect="$samba_bindir/texpect"
@@ -32,13 +33,13 @@ samba_enableaccount="$samba_tool user enable"
machineaccountccache="$samba_srcdir/scripting/bin/machineaccountccache"
ldbmodify="ldbmodify"
-if [ -x "$samba4bindir/ldbmodify" ]; then
- ldbmodify="$samba4bindir/ldbmodify"
+if [ -x "$samba_bindir/ldbmodify" ]; then
+ ldbmodify="$samba_bindir/ldbmodify"
fi
ldbsearch="ldbsearch"
-if [ -x "$samba4bindir/ldbsearch" ]; then
- ldbsearch="$samba4bindir/ldbsearch"
+if [ -x "$samba_bindir/ldbsearch" ]; then
+ ldbsearch="$samba_bindir/ldbsearch"
fi
. `dirname $0`/subunit.sh
@@ -299,6 +300,17 @@ test_smbclient "Test machine account login with kerberos ccache" 'ls' -k yes ||
testit "reset password policies" $VALGRIND $samba_tool domain passwordsettings $ADMIN_LDBMODIFY_CONFIG set --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=default --max-pwd-age=default || failed=`expr $failed + 1`
+###########################################################
+### Test basic s4u2self request
+###########################################################
+
+# Use previous acquired machine creds to request a ticket for self.
+# We expect it to fail for now.
+MACHINE_ACCOUNT="$(hostname -s | tr [a-z] [A-Z])\$@$REALM"
+$samba_kvno -U$MACHINE_ACCOUNT $MACHINE_ACCOUNT
+# But we expect the KDC to be up and running still
+testit "kinit with machineaccountccache after s4u2self" $machineaccountccache $CONFIGURATION $KRB5CCNAME || failed=`expr $failed + 1`
+
### Cleanup
$samba_kdestroy
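Review bot: the `$samba_kvno -U$MACHINE_ACCOUNT $MACHINE_ACCOUNT` line runs outside `testit` and its exit status is discarded, so the stated expectation ("We expect it to fail for now") is never checked and the test will not notice when S4U2Self starts working. Consider wrapping it in an expected-failure check if subunit.sh offers one. Also, in `tr [a-z] [A-Z]` the bracket expressions are unquoted and can be expanded by the shell if a single-letter file name exists in the working directory; quote them as `tr '[a-z]' '[A-Z]'`, and quote "$MACHINE_ACCOUNT" where it is passed to kvno.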
--
Samba Shared Repository