[SCM] Samba Shared Repository - branch v4-9-stable updated

Karolin Seeger kseeger at samba.org
Tue Nov 27 08:48:21 UTC 2018


The branch, v4-9-stable has been updated
       via  40c057c900a VERSION: Disable GIT_SNAPSHOT for the 4.9.3 release.
       via  bec29625127 WHATSNEW: Add release notes for Samba 4.9.3.
       via  60b2cd50f4d CVE-2018-16857 dsdb/util: Add better default lockOutObservationWindow
       via  d12b02c7884 CVE-2018-16857 dsdb/util: Fix lockOutObservationWindow for PSOs
       via  4f86beeaf34 CVE-2018-16857 dsdb/util: Correctly treat lockOutObservationWindow as 64-bit int
       via  ec9cc4ed5a0 CVE-2018-16857 tests: Sanity-check password lockout works with default values
       via  9cb6b4e9131 CVE-2018-16857 PEP8: fix E251: unexpected spaces around keyword / parameter equals
       via  fe8e05a9ea8 CVE-2018-16857 PEP8: fix E127: continuation line over-indented for visual indent
       via  4d0fd1a421a CVE-2018-16857 selftest: Split up password_lockout into tests with and without a call to sleep()
       via  31198d39a76 CVE-2018-16857 PEP8: fix E305: expected 2 blank lines after class or function definition, found 1
       via  862d4909ecc CVE-2018-16857 selftest: Prepare to allow override of lockout duration in password_lockout tests
       via  4aabfecd290 CVE-2018-16853 build: The Samba AD DC, when built with MIT Kerberos is experimental
       via  f33f52c366f CVE-2018-16851 ldap_server: Check ret before manipulating blob
       via  c78ca8b9b48 CVE-2018-16852 dcerpc dnsserver: refactor common properties handling
       via  05f867db81f CVE-2018-16852 dcerpc dnsserver: Ensure properties are handled correctly
       via  f40e1b3b42c CVE-2018-16852 dcerpc dnsserver: Verification tests
       via  4783b9d6a43 CVE-2018-16841 selftest: Check for mismatching principal in certificate compared with principal in AS-REQ
       via  6e84215d4aa CVE-2018-16841 heimdal: Fix segfault on PKINIT with mis-matching principal
       via  bf596c14c24 CVE-2018-14629 dns: CNAME loop prevention using counter
       via  a96d403ff30 VERSION: Bump version up to 4.9.3...
      from  865cc283d1b VERSION: Disable GIT_SNAPSHOT for the 4.9.2 release.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-9-stable


- Log -----------------------------------------------------------------
commit 40c057c900a9367e8020c943d29547ea8942212f
Author: Karolin Seeger <kseeger at samba.org>
Date:   Sun Nov 25 15:24:31 2018 +0100

    VERSION: Disable GIT_SNAPSHOT for the 4.9.3 release.
    
    o  CVE-2018-14629 (Unprivileged adding of CNAME record causing loop in AD
                       Internal DNS server)
    o  CVE-2018-16841 (Double-free in Samba AD DC KDC with PKINIT)
    o  CVE-2018-16851 (NULL pointer de-reference in Samba AD DC LDAP server)
    o  CVE-2018-16852 (NULL pointer de-reference in Samba AD DC DNS servers)
    o  CVE-2018-16853 (Samba AD DC S4U2Self crash in experimental MIT Kerberos
                       configuration (unsupported))
    o  CVE-2018-16857 (Bad password count in AD DC not always effective)
    
    Signed-off-by: Karolin Seeger <kseeger at samba.org>

commit bec29625127fc62ae2f023ea43d918638dd4156e
Author: Karolin Seeger <kseeger at samba.org>
Date:   Sun Nov 25 15:23:23 2018 +0100

    WHATSNEW: Add release notes for Samba 4.9.3.
    
    o  CVE-2018-14629 (Unprivileged adding of CNAME record causing loop in AD
                       Internal DNS server)
    o  CVE-2018-16841 (Double-free in Samba AD DC KDC with PKINIT)
    o  CVE-2018-16851 (NULL pointer de-reference in Samba AD DC LDAP server)
    o  CVE-2018-16852 (NULL pointer de-reference in Samba AD DC DNS servers)
    o  CVE-2018-16853 (Samba AD DC S4U2Self crash in experimental MIT Kerberos
                       configuration (unsupported))
    o  CVE-2018-16857 (Bad password count in AD DC not always effective)
    
    Signed-off-by: Karolin Seeger <kseeger at samba.org>

commit 60b2cd50f4d0554cc5ca8c53b2d1fa89e56a6d06
Author: Tim Beale <timbeale at catalyst.net.nz>
Date:   Tue Nov 13 13:22:41 2018 +1300

    CVE-2018-16857 dsdb/util: Add better default lockOutObservationWindow
    
    Clearly the lockOutObservationWindow value is important, and using a
    default value of zero doesn't work very well.
    
    This patch adds a better default value (the domain default setting of 30
    minutes).
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13683
    
    Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit d12b02c78842786969557b9be7c953e9594d90dd
Author: Tim Beale <timbeale at catalyst.net.nz>
Date:   Tue Nov 13 13:19:04 2018 +1300

    CVE-2018-16857 dsdb/util: Fix lockOutObservationWindow for PSOs
    
    Fix a remaining place where we were trying to read the
    msDS-LockoutObservationWindow as an int instead of an int64.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13683
    
    Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 4f86beeaf3408383385ee99a74520a805dd63c0f
Author: Tim Beale <timbeale at catalyst.net.nz>
Date:   Tue Nov 13 12:24:16 2018 +1300

    CVE-2018-16857 dsdb/util: Correctly treat lockOutObservationWindow as 64-bit int
    
    Commit 442a38c918ae1666b35 refactored some code into a new
    get_lockout_observation_window() function. However, in moving the code,
    an ldb_msg_find_attr_as_int64() inadvertently got converted to a
    ldb_msg_find_attr_as_int().
    
    ldb_msg_find_attr_as_int() will only work for values up to -2147483648
    (about 3.5 minutes in MS timestamp form). Unfortunately, the automated
    tests used a low enough timeout that they still worked, however,
    password lockout would not work with the Samba default settings.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13683
    
    Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit ec9cc4ed5a05490297cde3fcaac50eeeaaca8469
Author: Tim Beale <timbeale at catalyst.net.nz>
Date:   Tue Nov 13 11:49:56 2018 +1300

    CVE-2018-16857 tests: Sanity-check password lockout works with default values
    
    Sanity-check that when we use the default lockOutObservationWindow that
    user lockout actually works.
    
    The easiest way to do this is to reuse the _test_login_lockout()
    test-case, but stop at the point where we wait for the lockout duration
    to expire (because we don't want the test to wait 30 mins).
    
    This highlights a problem currently where the default values don't work.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13683
    
    Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 9cb6b4e9131afac71a39a2f6a3c142723cb6ca19
Author: Joe Guo <joeg at catalyst.net.nz>
Date:   Mon Jul 30 18:19:21 2018 +1200

    CVE-2018-16857 PEP8: fix E251: unexpected spaces around keyword / parameter equals
    
    Signed-off-by: Joe Guo <joeg at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    
    Partial backport of commit 1ccc36b4010cd63 (only password_lockout_base.py
    change) as a dependency for:
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13683

commit fe8e05a9ea8185325ff87ac73ef0106a85cd662a
Author: Joe Guo <joeg at catalyst.net.nz>
Date:   Mon Jul 30 18:15:34 2018 +1200

    CVE-2018-16857 PEP8: fix E127: continuation line over-indented for visual indent
    
    Signed-off-by: Joe Guo <joeg at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    
    Partial backport of commit bbb9f57603d (only password_lockout_base.py
    change) as a dependency for:
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13683

commit 4d0fd1a421ad4a3ca19ed954ee91fcc36413b017
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Sun Sep 2 18:03:06 2018 +1200

    CVE-2018-16857 selftest: Split up password_lockout into tests with and without a call to sleep()
    
    This means we can have a long observation window for many of the tests and
    so make them much more reliable.  Many of these cause frustrating flapping
    failures in our CI systems.
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Mon Sep  3 06:14:55 CEST 2018 on sn-devel-144
    
    (cherry picked from commit 74357bf347348d3a8b7483c58e5250e98f7e8810)
    Backported as a dependency for:
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13683

commit 31198d39a76474d55c3d391e04d76758ee115d8e
Author: Joe Guo <joeg at catalyst.net.nz>
Date:   Mon Jul 30 18:21:29 2018 +1200

    CVE-2018-16857 PEP8: fix E305: expected 2 blank lines after class or function definition, found 1
    
    Signed-off-by: Joe Guo <joeg at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    
    Partial backport of commit 115f2a71b88 (only password_lockout.py
    change) as a dependency for:
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13683

commit 862d4909eccd18942e3de8e8b0dc6e1594ec27f1
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Sun Sep 2 17:34:03 2018 +1200

    CVE-2018-16857 selftest: Prepare to allow override of lockout duration in password_lockout tests
    
    This will make it easier to avoid flapping tests.
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
    (cherry picked from commit a740a6131c967f9640b19a6964fd5d6f85ce853a)
    
    Backported as a dependency for:
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13683

commit 4aabfecd290cd2769376abf7f170e832becc4112
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Nov 6 13:32:05 2018 +1300

    CVE-2018-16853 build: The Samba AD DC, when built with MIT Kerberos is experimental
    
    This matches https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13678
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

commit f33f52c366f7cf140f470de44579dcb7eb832629
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Mon Nov 5 16:18:18 2018 +1300

    CVE-2018-16851 ldap_server: Check ret before manipulating blob
    
    In the case of hitting the talloc ~256MB limit, this causes a crash in
    the server.
    
    Note that you would actually need to load >256MB of data into the LDAP.
    Although there is some generated/hidden data which would help you reach that
    limit (descriptors and RMD blobs).
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13674
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit c78ca8b9b48a19e71f4d6ddd2e300f282fb0b247
Author: Gary Lockyer <gary at catalyst.net.nz>
Date:   Wed Nov 7 15:08:04 2018 +1300

    CVE-2018-16852 dcerpc dnsserver: refactor common properties handling
    
    dnsserver_common.c and dnsutils.c both share similar code to process
    zone properties.  This patch extracts the common code and moves it to
    dnsserver_common.c.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13669
    
    Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 05f867db81f118215445f2c49eda4b9c3451d14a
Author: Gary Lockyer <gary at catalyst.net.nz>
Date:   Tue Nov 6 12:16:30 2018 +1300

    CVE-2018-16852 dcerpc dnsserver: Ensure properties are handled correctly
    
    Fixes for
    Bug 13669 - (CVE-2018-16852) NULL
                pointer de-reference in Samba AD DC DNS management
    
    The presence of the ZONE_MASTER_SERVERS property or the
    ZONE_SCAVENGING_SERVERS property in a zone record causes the server to
    follow a null pointer and terminate.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13669
    
    Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit f40e1b3b42ce23b574a4c530545ff8170ddc7330
Author: Gary Lockyer <gary at catalyst.net.nz>
Date:   Tue Nov 6 12:10:07 2018 +1300

    CVE-2018-16852 dcerpc dnsserver: Verification tests
    
    Tests to verify
    Bug 13669 - (CVE-2018-16852) NULL
                pointer de-reference in Samba AD DC DNS management
    
    The presence of the ZONE_MASTER_SERVERS property or the
    ZONE_SCAVENGING_SERVERS property in a zone record causes the server to
    follow a null pointer and terminate.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13669
    
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>

commit 4783b9d6a43287a938b18e15f146e6895b689956
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Oct 24 15:41:28 2018 +1300

    CVE-2018-16841 selftest: Check for mismatching principal in certificate compared with principal in AS-REQ
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13628
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

commit 6e84215d4aa7ef51096db3b187adbe22cacdd921
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Oct 23 17:33:46 2018 +1300

    CVE-2018-16841 heimdal: Fix segfault on PKINIT with mis-matching principal
    
    In Heimdal KRB5_KDC_ERR_CLIENT_NAME_MISMATCH is an enum, so we tried to double-free
    mem_ctx.
    
    This was introduced in 9a0263a7c316112caf0265237bfb2cfb3a3d370d for the
    MIT KDC effort.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13628
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

commit bf596c14c2462b9a15ea738ef4f32b3abb8b63d1
Author: Aaron Haslett <aaronhaslett at catalyst.net.nz>
Date:   Tue Oct 23 17:25:51 2018 +1300

    CVE-2018-14629 dns: CNAME loop prevention using counter
    
    Count number of answers generated by internal DNS query routine and stop at
    20 to match Microsoft's loop prevention mechanism.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13600
    
    Signed-off-by: Aaron Haslett <aaronhaslett at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>

commit a96d403ff304b917195c9536a8a109779daf7d2e
Author: Karolin Seeger <kseeger at samba.org>
Date:   Thu Nov 8 08:56:10 2018 +0100

    VERSION: Bump version up to 4.9.3...
    
    and re-enable GIT_SNAPSHOT.
    
    Signed-off-by: Karolin Seeger <kseeger at samba.org>
    (cherry picked from commit 424d4d2b4084e8778d82684d29514b5b45cdfd36)

-----------------------------------------------------------------------

Summary of changes:
 VERSION                                            |   2 +-
 WHATSNEW.txt                                       | 131 ++++++++-
 python/samba/tests/dns.py                          |  22 ++
 selftest/knownfail.d/dns                           |   6 +
 source4/dns_server/dns_query.c                     |   6 +
 source4/dns_server/dnsserver_common.c              | 129 ++++++---
 source4/dns_server/dnsserver_common.h              |   3 +
 source4/dsdb/common/util.c                         |  20 +-
 source4/dsdb/tests/python/password_lockout.py      | 321 ++++++++++++---------
 source4/dsdb/tests/python/password_lockout_base.py |  77 +++--
 source4/kdc/db-glue.c                              |   6 +-
 source4/ldap_server/ldap_server.c                  |   4 +-
 source4/rpc_server/dnsserver/dnsutils.c            |  59 +---
 .../tests/rpc_dns_server_dnsutils_test.c           | 304 +++++++++++++++++++
 source4/rpc_server/wscript_build                   |  17 +-
 source4/selftest/tests.py                          |   2 +
 testprogs/blackbox/test_pkinit_heimdal.sh          |   8 +
 wscript                                            |  17 ++
 18 files changed, 848 insertions(+), 286 deletions(-)
 create mode 100644 source4/rpc_server/tests/rpc_dns_server_dnsutils_test.c


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index 79eda3f7612..808d4f3a318 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
 ########################################################
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=9
-SAMBA_VERSION_RELEASE=2
+SAMBA_VERSION_RELEASE=3
 
 ########################################################
 # If a official release has a serious bug              #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 978502e8a00..fc1541dbbe5 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,130 @@
+                   =============================
+                   Release Notes for Samba 4.9.3
+                         November 27, 2018
+                   =============================
+
+
+This is a security release in order to address the following defects:
+
+o  CVE-2018-14629 (Unprivileged adding of CNAME record causing loop in AD
+                   Internal DNS server)
+o  CVE-2018-16841 (Double-free in Samba AD DC KDC with PKINIT)
+o  CVE-2018-16851 (NULL pointer de-reference in Samba AD DC LDAP server)
+o  CVE-2018-16852 (NULL pointer de-reference in Samba AD DC DNS servers)
+o  CVE-2018-16853 (Samba AD DC S4U2Self crash in experimental MIT Kerberos
+                   configuration (unsupported))
+o  CVE-2018-16857 (Bad password count in AD DC not always effective)
+
+
+=======
+Details
+=======
+
+o  CVE-2018-14629:
+   All versions of Samba from 4.0.0 onwards are vulnerable to infinite
+   query recursion caused by CNAME loops. Any dns record can be added via
+   ldap by an unprivileged user using the ldbadd tool, so this is a
+   security issue.
+
+o  CVE-2018-16841:
+   When configured to accept smart-card authentication, Samba's KDC will call
+   talloc_free() twice on the same memory if the principal in a validly signed
+   certificate does not match the principal in the AS-REQ.
+
+   This is only possible after authentication with a trusted certificate.
+
+   talloc is robust against further corruption from a double-free with
+   talloc_free() and directly calls abort(), terminating the KDC process.
+
+   There is no further vulnerability associated with this issue, merely a
+   denial of service.
+
+o  CVE-2018-16851:
+   During the processing of an LDAP search before Samba's AD DC returns
+   the LDAP entries to the client, the entries are cached in a single
+   memory object with a maximum size of 256MB.  When this size is
+   reached, the Samba process providing the LDAP service will follow the
+   NULL pointer, terminating the process.
+
+   There is no further vulnerability associated with this issue, merely a
+   denial of service.
+
+o  CVE-2018-16852:
+   During the processing of an DNS zone in the DNS management DCE/RPC server,
+   the internal DNS server or the Samba DLZ plugin for BIND9, if the
+   DSPROPERTY_ZONE_MASTER_SERVERS property or DSPROPERTY_ZONE_SCAVENGING_SERVERS
+   property is set, the server will follow a NULL pointer and terminate.
+
+   There is no further vulnerability associated with this issue, merely a
+   denial of service.
+
+o  CVE-2018-16853:
+   A user in a Samba AD domain can crash the KDC when Samba is built in the
+   non-default MIT Kerberos configuration.
+
+   With this advisory we clarify that the MIT Kerberos build of the Samba
+   AD DC is considered experimental.  Therefore the Samba Team will not
+   issue security patches for this configuration.
+
+o  CVE-2018-16857:
+   AD DC Configurations watching for bad passwords (to restrict brute forcing
+   of passwords) in a window of more than 3 minutes may not watch for bad
+   passwords at all.
+
+For more details and workarounds, please refer to the security advisories.
+
+
+Changes since 4.9.2:
+--------------------
+
+o  Andrew Bartlett <abartlet at samba.org>
+   * BUG 13628: CVE-2018-16841: heimdal: Fix segfault on PKINIT with
+     mis-matching principal.
+   * BUG 13678: CVE-2018-16853: build: The Samba AD DC, when build with MIT
+     Kerberos is experimental
+
+o  Tim Beale <timbeale at catalyst.net.nz>
+   * BUG 13683: CVE-2018-16857: dsdb/util: Correctly treat
+     lockOutObservationWindow as 64-bit int.
+
+o  Joe Guo <joeg at catalyst.net.nz>
+   * BUG 13683: CVE-2018-16857 PEP8: Fix E305: Expected 2 blank lines after
+     class or function definition, found 1.
+
+o  Aaron Haslett <aaronhaslett at catalyst.net.nz>
+   * BUG 13600: CVE-2018-14629: dns: CNAME loop prevention using counter.
+
+o  Gary Lockyer <gary at catalyst.net.nz>
+   * BUG 13669: CVE-2018-16852: Fix NULL pointer de-reference in Samba AD DC
+     DNS management.
+
+o  Garming Sam <garming at catalyst.net.nz>
+   * BUG 13674: CVE-2018-16851: ldap_server: Check ret before manipulating blob.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
                    =============================
                    Release Notes for Samba 4.9.2
                          November 08, 2018
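
Review bot: The "Changes since 4.9.2" list is incomplete relative to the commits in this push. Tim Beale's entry names only the 64-bit int fix and omits "Fix lockOutObservationWindow for PSOs" and "Add better default lockOutObservationWindow", Joe Guo's entry names only the E305 change although E251 and E127 were also backported, and Andrew Bartlett's two selftest backports for BUG 13683 are not listed. Since this is a security release, list every commit that carries a CVE tag so packagers can check their backports against the notes. Minor wording in the same hunk: "when build with MIT Kerberos" should read "when built with", and "an DNS zone" should read "a DNS zone".
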
@@ -89,8 +216,8 @@ database (https://bugzilla.samba.org/).
 ======================================================================
 
 
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
+
 
                    =============================
                    Release Notes for Samba 4.9.1
diff --git a/python/samba/tests/dns.py b/python/samba/tests/dns.py
index 6771e3bb8c4..3e6306e2be8 100644
--- a/python/samba/tests/dns.py
+++ b/python/samba/tests/dns.py
@@ -844,6 +844,28 @@ class TestComplexQueries(DNSTest):
         self.assertEquals(response.answers[1].name, name2)
         self.assertEquals(response.answers[1].rdata, name0)
 
+    def test_cname_loop(self):
+        cname1 = "cnamelooptestrec." + self.get_dns_domain()
+        cname2 = "cnamelooptestrec2." + self.get_dns_domain()
+        cname3 = "cnamelooptestrec3." + self.get_dns_domain()
+        self.make_dns_update(cname1, cname2, dnsp.DNS_TYPE_CNAME)
+        self.make_dns_update(cname2, cname3, dnsp.DNS_TYPE_CNAME)
+        self.make_dns_update(cname3, cname1, dnsp.DNS_TYPE_CNAME)
+
+        p = self.make_name_packet(dns.DNS_OPCODE_QUERY)
+        questions = []
+
+        q = self.make_name_question(cname1,
+                                    dns.DNS_QTYPE_A,
+                                    dns.DNS_QCLASS_IN)
+        questions.append(q)
+        self.finish_name_packet(p, questions)
+
+        (response, response_packet) =\
+            self.dns_transaction_udp(p, host=self.server_ip)
+
+        max_recursion_depth = 20
+        self.assertEquals(len(response.answers), max_recursion_depth)
 
 class TestInvalidQueries(DNSTest):
     def setUp(self):
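
Review bot: test_cname_loop creates three CNAME records that point at each other and nothing in the visible lines removes them, so the loop stays in the test zone for every later test in the run. Delete the three records at the end of the test (or register a cleanup) so that an unrelated query against the zone cannot hit them. The method also ends with a single blank line before "class TestInvalidQueries", which reintroduces the E305 warning that other commits in this series fix elsewhere. Consider asserting on the content of the answers as well as on the count of 20, so a regression that returns 20 unrelated records is caught.
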
diff --git a/selftest/knownfail.d/dns b/selftest/knownfail.d/dns
index a5176654cc2..a248432aafa 100644
--- a/selftest/knownfail.d/dns
+++ b/selftest/knownfail.d/dns
@@ -69,3 +69,9 @@ samba.tests.dns.__main__.TestSimpleQueries.test_qtype_all_query\(rodc:local\)
 
 # The SOA override should not pass against the RODC, it must not overstamp
 samba.tests.dns.__main__.TestSimpleQueries.test_one_SOA_query\(rodc:local\)
+
+#
+# rodc and vampire_dc require signed dns updates, so the test setup
+# fails, but the test does run on fl2003dc
+^samba.tests.dns.__main__.TestComplexQueries.test_cname_loop\(rodc:local\)
+^samba.tests.dns.__main__.TestComplexQueries.test_cname_loop\(vampire_dc:local\)
diff --git a/source4/dns_server/dns_query.c b/source4/dns_server/dns_query.c
index 923f7233eb9..65faeac3b6a 100644
--- a/source4/dns_server/dns_query.c
+++ b/source4/dns_server/dns_query.c
@@ -40,6 +40,7 @@
 
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_DNS
+#define MAX_Q_RECURSION_DEPTH 20
 
 struct forwarder_string {
 	const char *forwarder;
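
Review bot: MAX_Q_RECURSION_DEPTH is added without a comment, and its name does not match its use: the next hunk compares it with talloc_array_length(*answers), which is a count of answers, not a recursion depth. Add a comment stating that the value 20 matches Microsoft's loop prevention limit (as the commit message says) and either rename the macro to reflect an answer limit or track the depth explicitly.
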
@@ -419,6 +420,11 @@ static struct tevent_req *handle_dnsrpcrec_send(
 	state->answers = answers;
 	state->nsrecs = nsrecs;
 
+	if (talloc_array_length(*answers) >= MAX_Q_RECURSION_DEPTH) {
+		tevent_req_done(req);
+		return tevent_req_post(req, ev);
+	}
+
 	resolve_cname = ((rec->wType == DNS_TYPE_CNAME) &&
 			 ((question->question_type == DNS_QTYPE_A) ||
 			  (question->question_type == DNS_QTYPE_AAAA)));
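
Review bot: The new early return in handle_dnsrpcrec_send() completes the request successfully with no log message, so an operator has no trace that a CNAME loop or over-long chain was cut off. Add a debug or warning line before tevent_req_done(req) that names the limit. Because the check is on the total length of *answers at the top of the per-record handler, it also appears to stop processing for any response that has already collected 20 answers, including one with no CNAME involved; confirm that this is intended, or count only the CNAME hops.
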
diff --git a/source4/dns_server/dnsserver_common.c b/source4/dns_server/dnsserver_common.c
index bbbfe920f4e..cc24a6c1b52 100644
--- a/source4/dns_server/dnsserver_common.c
+++ b/source4/dns_server/dnsserver_common.c
@@ -742,6 +742,94 @@ bool dns_name_is_static(struct dnsp_DnssrvRpcRecord *records,
 	return false;
 }
 
+/*
+ * Helper function to copy a dnsp_ip4_array struct to an IP4_ARRAY struct.
+ * The new structure and it's data are allocated on the supplied talloc context
+ */
+static struct IP4_ARRAY *copy_ip4_array(TALLOC_CTX *ctx,
+					const char *name,
+					struct dnsp_ip4_array array)
+{
+
+	struct IP4_ARRAY *ip4_array = NULL;
+	unsigned int i;
+
+	ip4_array = talloc_zero(ctx, struct IP4_ARRAY);
+	if (ip4_array == NULL) {
+		DBG_ERR("Out of memory copying property [%s]\n", name);
+		return NULL;
+	}
+
+	ip4_array->AddrCount = array.addrCount;
+	if (ip4_array->AddrCount == 0) {
+		return ip4_array;
+	}
+
+	ip4_array->AddrArray =
+	    talloc_array(ip4_array, uint32_t, ip4_array->AddrCount);
+	if (ip4_array->AddrArray == NULL) {
+		TALLOC_FREE(ip4_array);
+		DBG_ERR("Out of memory copying property [%s] values\n", name);
+		return NULL;
+	}
+
+	for (i = 0; i < ip4_array->AddrCount; i++) {
+		ip4_array->AddrArray[i] = array.addr[i];
+	}
+
+	return ip4_array;
+}
+
+bool dns_zoneinfo_load_zone_property(struct dnsserver_zoneinfo *zoneinfo,
+				     struct dnsp_DnsProperty *prop)
+{
+	switch (prop->id) {
+	case DSPROPERTY_ZONE_TYPE:
+		zoneinfo->dwZoneType = prop->data.zone_type;
+		break;
+	case DSPROPERTY_ZONE_ALLOW_UPDATE:
+		zoneinfo->fAllowUpdate = prop->data.allow_update_flag;
+		break;
+	case DSPROPERTY_ZONE_NOREFRESH_INTERVAL:
+		zoneinfo->dwNoRefreshInterval = prop->data.norefresh_hours;
+		break;
+	case DSPROPERTY_ZONE_REFRESH_INTERVAL:
+		zoneinfo->dwRefreshInterval = prop->data.refresh_hours;
+		break;
+	case DSPROPERTY_ZONE_AGING_STATE:
+		zoneinfo->fAging = prop->data.aging_enabled;
+		break;
+	case DSPROPERTY_ZONE_SCAVENGING_SERVERS:
+		zoneinfo->aipScavengeServers = copy_ip4_array(
+		    zoneinfo, "ZONE_SCAVENGING_SERVERS", prop->data.servers);
+		if (zoneinfo->aipScavengeServers == NULL) {
+			return false;
+		}
+		break;
+	case DSPROPERTY_ZONE_AGING_ENABLED_TIME:
+		zoneinfo->dwAvailForScavengeTime =
+		    prop->data.next_scavenging_cycle_hours;
+		break;
+	case DSPROPERTY_ZONE_MASTER_SERVERS:
+		zoneinfo->aipLocalMasters = copy_ip4_array(
+		    zoneinfo, "ZONE_MASTER_SERVERS", prop->data.master_servers);
+		if (zoneinfo->aipLocalMasters == NULL) {
+			return false;
+		}
+		break;
+	case DSPROPERTY_ZONE_EMPTY:
+	case DSPROPERTY_ZONE_SECURE_TIME:
+	case DSPROPERTY_ZONE_DELETED_FROM_HOSTNAME:
+	case DSPROPERTY_ZONE_AUTO_NS_SERVERS:
+	case DSPROPERTY_ZONE_DCPROMO_CONVERT:
+	case DSPROPERTY_ZONE_SCAVENGING_SERVERS_DA:
+	case DSPROPERTY_ZONE_MASTER_SERVERS_DA:
+	case DSPROPERTY_ZONE_NS_SERVERS_DA:
+	case DSPROPERTY_ZONE_NODE_DBFLAGS:
+		break;
+	}
+	return true;
+}
 WERROR dns_get_zone_properties(struct ldb_context *samdb,
 			       TALLOC_CTX *mem_ctx,
 			       struct ldb_dn *zone_dn,
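
Review bot: dns_zoneinfo_load_zone_property() is a new non-static function with no comment describing its contract, in particular that it returns false only when copy_ip4_array() fails to allocate. Document that, because both callers have to decide which error to report from it. The switch has no default case, so a property id outside the listed values falls through and returns true without any trace; a default that logs the unknown id would make malformed zone records visible. Two small points: the copy_ip4_array() comment should read "its data", and a blank line is missing between the closing brace of the new function and "WERROR dns_get_zone_properties(".
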
@@ -774,6 +862,7 @@ WERROR dns_get_zone_properties(struct ldb_context *samdb,
 	}
 
 	for (i = 0; i < element->num_values; i++) {
+		bool valid_property;
 		prop = talloc_zero(mem_ctx, struct dnsp_DnsProperty);
 		if (prop == NULL) {
 			return WERR_NOT_ENOUGH_MEMORY;
@@ -787,42 +876,10 @@ WERROR dns_get_zone_properties(struct ldb_context *samdb,
 			return DNS_ERR(SERVER_FAILURE);
 		}
 
-		switch (prop->id) {
-		case DSPROPERTY_ZONE_AGING_STATE:
-			zoneinfo->fAging = prop->data.aging_enabled;
-			break;
-		case DSPROPERTY_ZONE_NOREFRESH_INTERVAL:
-			zoneinfo->dwNoRefreshInterval =
-			    prop->data.norefresh_hours;
-			break;
-		case DSPROPERTY_ZONE_REFRESH_INTERVAL:
-			zoneinfo->dwRefreshInterval = prop->data.refresh_hours;
-			break;
-		case DSPROPERTY_ZONE_ALLOW_UPDATE:
-			zoneinfo->fAllowUpdate = prop->data.allow_update_flag;
-			break;
-		case DSPROPERTY_ZONE_AGING_ENABLED_TIME:
-			zoneinfo->dwAvailForScavengeTime =
-			    prop->data.next_scavenging_cycle_hours;
-			break;
-		case DSPROPERTY_ZONE_SCAVENGING_SERVERS:
-			zoneinfo->aipScavengeServers->AddrCount =
-			    prop->data.servers.addrCount;
-			zoneinfo->aipScavengeServers->AddrArray =
-			    prop->data.servers.addr;
-			break;
-		case DSPROPERTY_ZONE_EMPTY:
-		case DSPROPERTY_ZONE_TYPE:
-		case DSPROPERTY_ZONE_SECURE_TIME:
-		case DSPROPERTY_ZONE_DELETED_FROM_HOSTNAME:
-		case DSPROPERTY_ZONE_MASTER_SERVERS:
-		case DSPROPERTY_ZONE_AUTO_NS_SERVERS:
-		case DSPROPERTY_ZONE_DCPROMO_CONVERT:
-		case DSPROPERTY_ZONE_SCAVENGING_SERVERS_DA:
-		case DSPROPERTY_ZONE_MASTER_SERVERS_DA:
-		case DSPROPERTY_ZONE_NS_SERVERS_DA:
-		case DSPROPERTY_ZONE_NODE_DBFLAGS:
-			break;
+		valid_property =
+		    dns_zoneinfo_load_zone_property(zoneinfo, prop);
+		if (!valid_property) {
+			return DNS_ERR(SERVER_FAILURE);
 		}
 	}
 
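
Review bot: The failure path "if (!valid_property) { return DNS_ERR(SERVER_FAILURE); }" reports a different error from the allocation failure a few lines above, which returns WERR_NOT_ENOUGH_MEMORY, although the helper returns false only on out of memory. Return WERR_NOT_ENOUGH_MEMORY here as well and rename valid_property to something that says so. Note also that the replaced switch ignored DSPROPERTY_ZONE_TYPE and DSPROPERTY_ZONE_MASTER_SERVERS, while the shared helper now stores dwZoneType and copies aipLocalMasters; that is a behaviour change for this caller and belongs in the commit message of what is described as a refactoring.
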
diff --git a/source4/dns_server/dnsserver_common.h b/source4/dns_server/dnsserver_common.h
index 380f61b8dbc..60ecde4fa91 100644
--- a/source4/dns_server/dnsserver_common.h
+++ b/source4/dns_server/dnsserver_common.h
@@ -87,4 +87,7 @@ NTSTATUS dns_common_zones(struct ldb_context *samdb,
 			  TALLOC_CTX *mem_ctx,
 			  struct ldb_dn *base_dn,
 			  struct dns_server_zone **zones_ret);
+
+bool dns_zoneinfo_load_zone_property(struct dnsserver_zoneinfo *zoneinfo,
+				     struct dnsp_DnsProperty *prop);
 #endif /* __DNSSERVER_COMMON_H__ */
diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c
index 193fa2ae653..18f700370a3 100644
--- a/source4/dsdb/common/util.c
+++ b/source4/dsdb/common/util.c
@@ -56,6 +56,9 @@
  */
 #include "dsdb/samdb/ldb_modules/util.h"
 
+/* default is 30 minutes: -1e7 * 30 * 60 */
+#define DEFAULT_OBSERVATION_WINDOW              -18000000000
+
 /*
   search the sam for the specified attributes in a specific domain, filter on
   objectSid being in domain_sid.
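
Review bot: DEFAULT_OBSERVATION_WINDOW is defined as a bare negative literal, -18000000000, with the derivation only in the comment. Write it as a parenthesised 64-bit expression, for example (-30 * 60 * 10000000LL) or with INT64_C, so the compiler checks the arithmetic, the type is explicitly wider than int (the exact bug class this series fixes), and the macro is safe inside larger expressions.
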
@@ -5361,9 +5364,9 @@ int samdb_result_effective_badPwdCount(struct ldb_context *sam_ldb,
 
 	if (res != NULL) {
 		lockOutObservationWindow =
-			ldb_msg_find_attr_as_int(res->msgs[0],
-						 "msDS-LockoutObservationWindow",
-						  0);
+			ldb_msg_find_attr_as_int64(res->msgs[0],
+						   "msDS-LockoutObservationWindow",
+						    DEFAULT_OBSERVATION_WINDOW);
 		talloc_free(res);
 	} else {
 
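
Review bot: The switch to ldb_msg_find_attr_as_int64() only helps if lockOutObservationWindow in samdb_result_effective_badPwdCount() is declared as int64_t, and the declaration is outside the visible context. Please confirm it, because an int variable would truncate the value again on assignment. This site also repeats the lookup that get_lockout_observation_window() performs in the next hunk; calling the helper from here would keep the attribute name, type and default in one place.
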
@@ -5400,12 +5403,13 @@ static int64_t get_lockout_observation_window(struct ldb_message *domain_msg,
 					      struct ldb_message *pso_msg)
 {
 	if (pso_msg != NULL) {
-		return ldb_msg_find_attr_as_int(pso_msg,
-						"msDS-LockoutObservationWindow",
-						 0);
+		return ldb_msg_find_attr_as_int64(pso_msg,
+						  "msDS-LockoutObservationWindow",
+						   DEFAULT_OBSERVATION_WINDOW);
 	} else {
-		return ldb_msg_find_attr_as_int(domain_msg,
-						"lockOutObservationWindow", 0);
+		return ldb_msg_find_attr_as_int64(domain_msg,
+						  "lockOutObservationWindow",
+						   DEFAULT_OBSERVATION_WINDOW);
 	}
 }
 
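
Review bot: get_lockout_observation_window() now returns DEFAULT_OBSERVATION_WINDOW only when the attribute is absent; a value of 0 stored in the directory is still returned as 0, and the commit message for the default states that zero "doesn't work very well". Decide whether a stored 0 should also be mapped to the default or rejected, and state the choice in a comment on the function. When pso_msg is present but lacks msDS-LockoutObservationWindow, the function returns the built-in 30 minutes rather than the domain's lockOutObservationWindow; confirm that this is the wanted precedence.
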
diff --git a/source4/dsdb/tests/python/password_lockout.py b/source4/dsdb/tests/python/password_lockout.py
index ec6cf13fe66..b09a732e179 100755
--- a/source4/dsdb/tests/python/password_lockout.py
+++ b/source4/dsdb/tests/python/password_lockout.py
@@ -88,6 +88,42 @@ class PasswordTests(password_lockout_base.BasePasswordTestCase):
         self.lockout2ntlm_ldb = self._readd_user(self.lockout2ntlm_creds,
                                                  lockOutObservationWindow=self.lockout_observation_window)
 
+
+    def use_pso_lockout_settings(self, creds):
+
+        # create a PSO with the lockout settings the test cases normally expect
+        #
+        # Some test cases sleep() for self.account_lockout_duration
+        pso = PasswordSettings("lockout-PSO", self.ldb, lockout_attempts=3,
+                               lockout_duration=self.account_lockout_duration)
+        self.addCleanup(self.ldb.delete, pso.dn)
+
+        userdn = "cn=%s,cn=users,%s" % (creds.get_username(), self.base_dn)
+        pso.apply_to(userdn)
+
+        # update the global lockout settings to be wildly different to what
+        # the test cases normally expect
+        self.update_lockout_settings(threshold=10, duration=600,
+                                     observation_window=600)
+
+    def _reset_samr(self, res):
+
+        # Now reset the lockout, by removing ACB_AUTOLOCK (which removes the lock, despite being a generated attribute)
+        samr_user = self._open_samr_user(res)
+        acb_info = self.samr.QueryUserInfo(samr_user, 16)
+        acb_info.acct_flags &= ~samr.ACB_AUTOLOCK
+        self.samr.SetUserInfo(samr_user, 16, acb_info)
+        self.samr.Close(samr_user)
+
+
+class PasswordTestsWithoutSleep(PasswordTests):
+    def setUp(self):
+        # The tests in this class do not sleep, so we can have a
+        # longer window and not flap on slower hosts
+        self.account_lockout_duration = 30
+        self.lockout_observation_window = 30
+        super(PasswordTestsWithoutSleep, self).setUp()
+
     def _reset_ldap_lockoutTime(self, res):
         self.ldb.modify_ldif("""
 dn: """ + str(res[0].dn) + """
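
Review bot: "class PasswordTestsWithoutSleep(PasswordTests):" is opened in the middle of the existing class body, so _reset_ldap_lockoutTime() and every method that follows it now belongs to the subclass, which is easy to miss when reading the file. Add a short comment at the class boundary that says which tests stay in PasswordTests and why. In use_pso_lockout_settings() the PSO is created with lockout_attempts and lockout_duration only; given that this series is about the observation window, set the PSO's observation window explicitly from self.lockout_observation_window if PasswordSettings supports it, so the PSO tests do not depend on an implicit default. Style: there are two blank lines before "def use_pso_lockout_settings", and the comment line in _reset_samr() is well over 79 characters.
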
@@ -615,23 +651,130 @@ userPassword: thatsAcomplPASS2XYZ
                                                           "samr",
                                                           initial_lastlogon_relation='greater')
 
-    def use_pso_lockout_settings(self, creds):
-        # create a PSO with the lockout settings the test cases normally expect
-        pso = PasswordSettings("lockout-PSO", self.ldb, lockout_attempts=3,
-                               lockout_duration=3)
-        self.addCleanup(self.ldb.delete, pso.dn)
+    def test_multiple_logon_krb5(self):
+        self._test_multiple_logon(self.lockout1krb5_creds)


-- 
Samba Shared Repository


