[SCM] Samba Shared Repository - branch v4-15-test updated
Stefan Metzmacher
metze at samba.org
Tue Nov 9 18:41:48 UTC 2021
The branch, v4-15-test has been updated
via bdc33fa61f8 VERSION: Bump version up to Samba 4.15.3...
via 7d0c030d423 VERSION: Disable GIT_SNAPSHOT for the 4.15.2 release.
via 35c66c50462 WHATSNEW: Add release notes for Samba 4.15.2.
via a87d07ccc56 CVE-2021-3738 s4:rpc_server/samr: make use of dcesrv_samdb_connect_as_*() helper
via 0b52f103889 CVE-2021-3738 s4:rpc_server/netlogon: make use of dcesrv_samdb_connect_as_*() helper
via 952ab2b82cd CVE-2021-3738 s4:rpc_server/lsa: make use of dcesrv_samdb_connect_as_user() helper
via dbddd1cbcb1 CVE-2021-3738 s4:rpc_server/dnsserver: make use of dcesrv_samdb_connect_as_user() helper
via 091dd0fd5d7 CVE-2021-3738 s4:rpc_server/drsuapi: make use of assoc_group aware dcesrv_samdb_connect_as_*() helpers
via 3b767f29f4c CVE-2021-3738 s4:rpc_server/common: provide assoc_group aware dcesrv_samdb_connect_as_{system,user}() helpers
via 462d635966e CVE-2021-3738 auth_util: avoid talloc_tos() in copy_session_info()
via 129b3694a18 CVE-2021-3738 s4:torture/drsuapi: DsBindAssocGroup* tests
via 6f971523a71 CVE-2021-3738 s4:torture/drsuapi: maintain priv->admin_credentials
via 67b43eadd2b CVE-2021-3738 s4:torture/drsuapi: maintain priv->dc_credentials
via 4c59866c08e CVE-2021-3738 s4:torture/drsuapi: don't pass DsPrivate to test_DsBind()
via 670abaacb52 CVE-2016-2124: s3:libsmb: don't fallback to non spnego authentication if we require kerberos
via ecfa1fb3254 CVE-2016-2124: s4:libcli/sesssetup: don't fallback to non spnego authentication if we require kerberos
via c59c8abb94d CVE-2021-23192: dcesrv_core: only the first fragment specifies the auth_contexts
via aaba2e8b0e4 CVE-2021-23192: python/tests/dcerpc: add tests to check how security contexts relate to fragmented requests
via 0b2ab8bc255 CVE-2021-23192: python/tests/dcerpc: fix do_single_request(send_req=False)
via 016be9b15ec CVE-2021-23192: python/tests/dcerpc: let generate_request_auth() use g_auth_level in all places
via 096405b778e CVE-2021-23192: python/tests/dcerpc: change assertNotEquals() into assertNotEqual()
via 9ab57ce2e23 CVE-2021-23192: dcesrv_core: add dcesrv_fault_disconnect0() that skips DCERPC_PFC_FLAG_DID_NOT_EXECUTE
via 09ae69e60cd CVE-2021-23192: dcesrv_core: add better debugging to dcesrv_fault_disconnect()
via 1d1097f08c7 CVE-2020-25722 selftest: Ensure check for duplicate servicePrincipalNames is not bypassed for an add operation
via ef2edd3f178 CVE-2020-25722 selftest: Add test for duplicate servicePrincipalNames on an add operation
via 6ceab83249b CVE-2020-25722 pytests: Give computer accounts unique (and valid) sAMAccountNames and SPNs
via ba272db5163 CVE-2020-25719 selftest: Always expect a PAC in TGS replies with Heimdal
via 98f7ce8d28c Revert "CVE-2020-25719 heimdal:kdc: Require authdata to be present"
via 319554fe6c6 CVE-2020-25718 heimdal:kdc: Add comment about tests for tickets of users not revealed to an RODC
via 637991c7ebf CVE-2020-25719 tests/krb5: Add tests for using a ticket with a renamed account
via 390b5e77dc5 CVE-2020-25718 tests/krb5: Only fetch RODC account credentials when necessary
via d0228a228cc CVE-2020-25719 heimdal:kdc: Require PAC to be present
via ea38fae96ea CVE-2020-25722 kdc: Do not honour a request for a 3-part SPN (ending in our domain/realm) unless a DC
via 11491b1462e CVE-2020-25719 heimdal:kdc: Verify PAC in TGT provided for user-to-user authentication
via d6f3ad0b0ba CVE-2020-25719 heimdal:kdc: Check name in request against name in user-to-user TGT
via b6d1606f6fc CVE-2020-25719 heimdal:kdc: Use sname from request rather than user-to-user TGT client name
via c3b0b6cd7d2 CVE-2020-25719 heimdal:kdc: Move fetching krbtgt entry to before enctype selection
via ce38d6b37c9 CVE-2020-25719 heimdal:kdc: Check return code
via 1c6e4577675 CVE-2020-25719 s4:kdc: Add KDC support for PAC_REQUESTER_SID PAC buffer
via 8edf19bcf92 CVE-2020-25722 Ensure the structural objectclass cannot be changed
via 3116befb038 CVE-2020-25721 auth: Fill in the new HAS_SAM_NAME_AND_SID values
via 63ea5339360 CVE-2020-25719 kdc: Avoid races and multiple DB lookups in s4u2self check
via 30e379fc33f CVE-2020-25718 kdc: Return ERR_POLICY if RODC krbtgt account is invalid
via 1d26ec8d58a CVE-2020-25718 kdc: Confirm the RODC was allowed to issue a particular ticket
via ca370968260 CVE-2020-25718 dsdb: Bring sid_helper.c into common code as rodc_helper.c
via 7a826d91127 CVE-2020-25718 s4-rpc_server: Add in debug messages into RODC processing
via 92249e9be1b CVE-2020-25718 s4-rpc_server: Explain why we use DSDB_SEARCH_SHOW_EXTENDED_DN in RODC access check
via 24a097d23f4 CVE-2020-25718 s4-rpc_server: Remove unused attributes in RODC check
via 83fc8e40f36 CVE-2020-25718 s4-rpc_server: Provide wrapper samdb_confirm_rodc_allowed_to_repl_to()
via 0492a733054 CVE-2020-25718 s4-rpc_server: Confirm that the RODC has the UF_PARTIAL_SECRETS_ACCOUNT bit
via 1e957cacd0a CVE-2020-25718 s4-rpc_server: Put msDS-KrbTgtLinkBL and UF_INTERDOMAIN_TRUST_ACCOUNT RODC checks in common
via 4a8e087c252 CVE-2020-25718 s4-rpc_server: Put RODC reveal/never reveal logic into a single helper function
via 4fa7a448f3b CVE-2020-25718 s4-rpc_server: Obtain the user tokenGroups earlier
via 4d21b4d2050 CVE-2020-25718 s4-rpc_server: Change sid list functions to operate on a array of struct dom_sid
via 50a69252454 CVE-2020-25718 kdc: Remove unused samba_kdc_get_pac_blob()
via 947c922c684 CVE-2020-25719 heimdal:kdc: Require authdata to be present
via dc873b2e02b CVE-2020-25719 s4:kdc: Add KDC support for PAC_ATTRIBUTES_INFO PAC buffer
via 31123d80a19 CVE-2020-25719 s4:kdc: Check if the pac is valid before updating it
via 733c2a4a489 CVE-2020-25719 s4:kdc: Add samba_kdc_validate_pac_blob()
via 424109b4eea CVE-2020-25719 s4:kdc: Remove trailing spaces in pac-glue.c
via aa91e1f8249 CVE-2020-25719 mit_samba: Create the talloc context earlier
via db5183ed315 CVE-2020-25719 mit_samba: The samba_princ_needs_pac check should be on the server entry
via 717960aaa31 CVE-2020-25719 mit-samba: Rework PAC handling in kdb_samba_db_sign_auth_data()
via e2674a4fbd2 CVE-2020-25719 mit-samba: Handle no DB entry in mit_samba_get_pac()
via d00fe7a85c3 CVE-2020-25719 mit-samba: Add mit_samba_princ_needs_pac()
via a1e75a78a56 CVE-2020-25719 mit-samba: If we use client_princ, always lookup the db entry
via d0a9e4beb0d CVE-2020-25719 mit-samba: Add ks_free_principal()
via f321ccc492b CVE-2020-25719 mit-samba: Make ks_get_principal() internally public
via f1f96558cfd CVE-2020-25722 pytest: Raise an error when adding a dynamic test that would overwrite an existing test
via d6a12f8327d CVE-2020-25719 s4/torture: Expect additional PAC buffers
via 341560f8b51 CVE-2020-25719 tests/krb5: Add tests for mismatched names with user-to-user
via 844eca4a0b8 CVE-2020-25719 tests/krb5: Add test for user-to-user with no sname
via fa875cb3201 CVE-2020-25719 tests/krb5: Add tests for requester SID PAC buffer
via a0485f3a5b2 CVE-2020-25719 tests/krb5: Add tests for PAC-REQUEST padata
via 4640efa4ee1 CVE-2020-25719 tests/krb5: Add tests for PAC attributes buffer
via b727d380028 CVE-2020-25719 tests/krb5: Add expected parameters to cache key for obtaining tickets
via de5c2f6b5ca CVE-2020-25719 tests/krb5: Add EXPECT_PAC environment variable to expect pac from all TGS tickets
via 42d82ae938f CVE-2020-25719 tests/krb5: Add testing for PAC_TYPE_REQUESTER_SID PAC buffer
via 08b392a6d49 CVE-2020-25719 tests/krb5: Add testing for PAC_TYPE_ATTRIBUTES_INFO PAC buffer
via 050d0561899 CVE-2020-25719 tests/krb5: Add _modify_tgt() method for modifying already obtained tickets
via e2ba22581f9 CVE-2020-25719 tests/krb5: Extend _get_tgt() method to allow more modifications to tickets
via fa66d8da991 CVE-2020-25719 tests/krb5: tests/krb5: Adjust expected error code for S4U2Self no-PAC tests
via 47eb6bbb90a CVE-2020-25719 tests/krb5: Adjust expected error codes for user-to-user tests
via 06bbaeae997 CVE-2020-25719 tests/krb5: Adjust PAC tests to prepare for new PAC_ATTRIBUTES_INFO buffer
via 2b037cab8b2 CVE-2020-25719 tests/krb5: Use correct credentials for user-to-user tests
via 62223d11b91 CVE-2020-25719 tests/krb5: Return ticket from _tgs_req()
via 7eed3eb1be6 CVE-2020-25719 tests/krb5: Expect 'renew-till' element when renewing a TGT
via 2e977f86d35 CVE-2020-25719 tests/krb5: Don't expect a kvno for user-to-user
via 9053b1056ee CVE-2020-25719 tests/krb5: Allow update_pac_checksums=True if the PAC is not present
via 5a5bd1eef35 CVE-2020-25719 tests/krb5: Provide expected parameters for both AS-REQs in get_tgt()
via 8d6c969f566 CVE-2020-25719 krb5pac.idl: Add PAC_REQUESTER_SID PAC buffer type
via f905fd741ee CVE-2020-25719 krb5pac.idl: Add PAC_ATTRIBUTES_INFO PAC buffer type
via bf5604a7c2a CVE-2020-25718 tests/krb5: Fix indentation
via 0f1da247c15 CVE-2020-25722 selftest: Adapt ldap.py tests to new objectClass restrictions
via 7667a733dc5 CVE-2020-25722 s4/dsdb/util: remove unused dsdb_get_single_valued_attr()
via 23cec080d97 CVE-2020-25722 s4/dsdb/pwd_hash: rework pwdLastSet bypass
via 719aa3b4db4 CVE-2020-25722 s4/dsdb/pwd_hash: password_hash_bypass gets all values
via 94b664eb005 CVE-2020-25722 s4/dsdb/samldb: samldb_fsmo_role_owner_check() wants one value
via b4e64757026 CVE-2020-25722 s4/dsdb/samldb: samldb_fsmo_role_owner_check checks values
via f17e8513af6 CVE-2020-25722 s4/dsdb/samldb: samldb_service_principal_names_change checks values
via a26806cf012 CVE-2020-25722 s4/dsdb/samldb: samldb_group_type_change() checks all values
via b30b3bb860b CVE-2020-25722 s4/dsdb/samldb: samldb_lockout_time() checks all values
via 1b46410403d CVE-2020-25722 s4/dsdb/samldb: samldb_pwd_last_set_change() checks all values
via c462c86295f CVE-2020-25722 s4/dsdb/samldb _user_account_control_change() always add final value
via 56fe97474f4 CVE-2020-25722 s4/dsdb/samldb: samldb_user_account_control_change() checks all values
via d9e5807119b CVE-2020-25722 s4/dsdb/samldb: samldb_prim_group_change() checks all values
via 41a8d6961b8 CVE-2020-25722 s4/dsdb/samldb: samldb_schema_add_handle_mapiid() checks all values
via 8cb45a7d4e9 CVE-2020-25722 s4/dsdb/samldb: samldb_schema_add_handle_linkid() checks all values
via d03c9afc0e7 CVE-2020-25722 s4/dsdb/samldb: samldb_sam_accountname_valid_check() check all values
via 85d0e85e9d1 CVE-2020-25722 s4/dsdb/samldb: samldb_get_single_valued_attr() check all values
via 775a0e4406e CVE-2020-25722 s4/dsdb modules: add dsdb_get_expected_new_values()
via ddde2b45c2e CVE-2020-25722 s4/dsdb/samldb: reject SPN with too few/many components
via 32a46d01bb8 CVE-2020-25722 s4/dsdb/samldb: check for SPN uniqueness, including aliases
via faa133886d6 CVE-2020-25722 s4/dsdb/samldb: check sAMAccountName for illegal characters
via 9255c680800 CVE-2020-25722 s4/dsdb/samldb: check for clashes in UPNs/samaccountnames
via 28bee539115 CVE-2020-25722 s4/dsdb/samldb: unique_attr_check uses samldb_get_single_valued_attr()
via 4474022b37c CVE-2020-25722 s4/dsdb/samldb: add samldb_get_single_valued_attr() helper
via 9c150303545 CVE-2020-25722 s4/cracknames: add comment pointing to samldb spn handling
via 2cf8ccfbce4 CVE-2020-25722 pytest: test setting servicePrincipalName over ldap
via 13576d8f281 CVE-2020-25722 pytest: test sAMAccountName/userPrincipalName over ldap
via d3298ec2f66 CVE-2020-25722 blackbox/upgrades tests: ignore SPN for ldapcmp
via 6af91c59d86 CVE-2020-25722 s4/provision: add host/ SPNs at the start
via 1986ab0f5fb CVE-2020-25722 tests: blackbox samba-tool spn non-admin test
via b3c42c6e4a4 CVE-2020-25722 samba-tool spn add: remove --force option
via 119be112383 CVE-2020-25722 samba-tool spn: accept -H for database url
via 7705aa9a7e2 CVE-2020-25722 s4/cracknames: lookup_spn_alias doesn't need krb5 context
via 480c5bc4b9e CVE-2020-25722 s4/dsdb/cracknames: always free tmp_ctx in spn_alias
via 6bf71b18ce5 CVE-2020-25722 pytest: assertRaisesLdbError invents a message if you're lazy
via 9e25ea36011 CVE-2020-25722 pytests: add reverse lookup dict for LDB error codes
via a1b24b76fe0 CVE-2020-25722 Check for all errors from acl_check_extended_right() in acl_check_spn()
via 79bdc2bf07a CVE-2020-25722 Check all elements in acl_check_spn() not just the first one
via 85c73dd456a CVE-2020-25722: s4-acl: Make sure Control Access Rights honor the Applies-to attribute
via 1d80dabb25d CVE-2020-25722: s4-acl: test Control Access Rights honor the Applies-to attribute
via 908e2e00d73 CVE-2020-25722 s4:dsdb:tests: Add missing self.fail() calls
via 018ce3e0912 CVE-2020-25722 Add test for SPN deletion followed by addition
via 255e5c14061 CVE-2020-25717: s3:auth: simplify make_session_info_krb5() by removing unused arguments
via c513478908c CVE-2020-25717: s3:auth: simplify get_user_from_kerberos_info() by removing the unused logon_info argument
via 67ef2899a7d CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() reject a PAC in standalone mode
via 1d126e4fd9a CVE-2020-25717: selftest: configure 'ktest' env with winbindd and idmap_autorid
via 558cd30acc6 CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() delegate everything to make_server_info_wbcAuthUserInfo()
via 9cb158a9a53 CVE-2020-25717: s3:ntlm_auth: let ntlm_auth_generate_session_info_pac() base the name on the PAC LOGON_INFO only
via fb5ca61f544 CVE-2020-25717: s3:ntlm_auth: fix memory leaks in ntlm_auth_generate_session_info_pac()
via 093c5502ab4 CVE-2020-25719 CVE-2020-25717: s4:auth: remove unused auth_generate_session_info_principal()
via 7b9920b382a CVE-2020-25719 CVE-2020-25717: auth/gensec: always require a PAC in domain mode (DC or member)
via e4172baf122 CVE-2020-25717: Add FreeIPA domain controller role
via 3efb9d684d9 CVE-2020-25717: s3:auth: don't let create_local_token depend on !winbind_ping()
via 58a1cc488ce CVE-2020-25717: s3:lib: add lp_allow_trusted_domains() logic to is_allowed_domain()
via 39b060eeea6 CVE-2020-25717: s3:auth: remove fallbacks in smb_getpwnam()
via 651b74b12b9 CVE-2020-25717: s3:auth: no longer let check_account() autocreate local users
via e40a1d46831 CVE-2020-25717: s3:auth: we should not try to autocreate the guest account
via 325942e4e78 CVE-2020-25717: s3:auth: Check minimum domain uid
via 1ec930b2f58 CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() forward the low level errors
via 210b3e36f76 CVE-2020-25717: selftest: Add a test for the new 'min domain uid' parameter
via a92da791615 CVE-2020-25717: selftest: Add ad_member_no_nss_wb environment
via c1bf56f3146 CVE-2020-25717: loadparm: Add new parameter "min domain uid"
via a65cd59b200 CVE-2020-25717: auth/ntlmssp: start with authoritative = 1
via ae211528094 CVE-2020-25717: s3:auth: start with authoritative = 1
via dd88bd9f273 CVE-2020-25717: s3:rpcclient: start with authoritative = 1
via c55de3995cf CVE-2020-25717: s3:torture: start with authoritative = 1
via 3657c79eb2d CVE-2020-25717: s3:ntlm_auth: start with authoritative = 1
via c955376e02c CVE-2020-25717: s4:auth_simple: start with authoritative = 1
via 2d5d5a39b0d CVE-2020-25717: s4:smb_server: start with authoritative = 1
via 25d2174dd1b CVE-2020-25717: s4:torture: start with authoritative = 1
via eddf0a5c6fa CVE-2020-25717: s4:auth/ntlm: make sure auth_check_password() defaults to r->out.authoritative = true
via ff062e2b0ae CVE-2020-25717: s3:winbindd: make sure we default to r->out.authoritative = true
via 56ace59efee CVE-2020-25719 CVE-2020-25717 tests/krb5: Adapt tests for connecting without a PAC to new error codes
via e44195b765a CVE-2020-25719 CVE-2020-25717: selftest: remove "gensec:require_pac" settings
via af86793af77 CVE-2020-25719 CVE-2020-25717 tests/krb5: Add tests for connecting to services anonymously and without a PAC
via 596841810d7 CVE-2020-25721 tests/krb5: Add tests for extended PAC_UPN_DNS_INFO PAC buffer
via 9368a1c1a4f CVE-2020-25719 tests/krb5: Add tests for including authdata without a PAC
via 0cddce8d38f CVE-2020-25718 tests/krb5: Add tests for RODC-printed and invalid TGTs
via 7cd1e133b67 CVE-2020-25719 tests/krb5: Add principal aliasing test
via 421edd0e14f CVE-2020-25719 tests/krb5: Add a test for making an S4U2Self request without a PAC
via 4ad04eb040a CVE-2020-25719 tests/krb5: Add tests for requiring and issuing a PAC
via a98a756a689 CVE-2020-25721 ndrdump: Add tests for PAC with UPN_DNS_INFO
via e67379d4c45 CVE-2020-25722 tests/krb5: Add KDC tests for 3-part SPNs
via 04d515933b2 CVE-2020-25719 CVE-2020-25717 tests/krb5: Allow create_ccache_with_user() to return a ticket without a PAC
via b93b9b41b9e CVE-2020-25719 CVE-2020-25717 tests/krb5: Refactor create_ccache_with_user() to take credentials of target service
via f11063bc77d CVE-2020-25721 tests/krb5: Check PAC buffer types when STRICT_CHECKING=0
via b11b347b1ba MS CVE-2020-17049 tests/krb5: Allow tests to pass if ticket signature checksum type is wrong
via b69f1a758b2 CVE-2020-25719 tests/krb5: Add method to get unique username for test accounts
via 317b66d00d0 CVE-2020-25719 tests/krb5: Add is_tgt() helper method
via fe2be397ced CVE-2020-25722 tests/krb5: Allow creating server accounts
via 67b2e0d51a2 CVE-2020-25719 CVE-2020-25717 tests/krb5: Add pac_request parameter to get_service_ticket()
via ac294d9c65d CVE-2020-25719 CVE-2020-25717 tests/krb5: Modify get_service_ticket() to use _generic_kdc_exchange()
via 83b398309f4 CVE-2020-25718 tests/krb5: Allow tests accounts to replicate to RODC
via e670327b5ee CVE-2020-25721 krb5pac: Add new buffers for samAccountName and objectSID
via cb6b4a62355 CVE-2020-25722 selftest/user_account_control: more work to cope with UAC/objectclass defaults and lock
via 3133699e969 CVE-2020-25722 selftest/user_account_control: Allow a broader set of possible errors
via 90527174c8e CVE-2020-25722 selftest: Allow self.assertRaisesLdbError() to take a list of errors to match with
via 2bddfc41a4f CVE-2020-25722 selftest: adapt ldap.py/sam.py test_all tests to new default computer behaviour
via fded7b17bcd CVE-2020-25722 selftest: Adapt sam.py test to userAccountControl/objectclass restrictions
via 0370d2170a4 CVE-2020-25722 selftest: New objects of objectclass=computer are workstations by default now
via 5ab802bd662 CVE-2020-25722 selftest: Adjust sam.py test_userAccountControl_computer_add_trust to new reality
via b455e819d38 CVE-2020-25722 selftest: Split test_userAccountControl into unit tests
via 7211afa9a5c CVE-2020-25722 samdb: Fill in isCriticalSystemObject on any account type change
via 2812b7cc0e4 CVE-2020-25722 selftest: Adapt sam.py test_isCriticalSystemObject to new UF_WORKSTATION_TRUST_ACCOUNT default
via 73468f3f4a1 CVE-2020-25722 dsdb: Add restrictions on computer accounts without a trailing $
via d396fcadc19 CVE-2020-25722 dsdb: samldb_objectclass_trigger() is only called on ADD, so remove indentation
via a228f45f63e CVE-2020-25722 selftest: Adapt selftest to restriction on swapping account types
via e353a62513a CVE-2020-25722 selftest/priv_attrs: Mention that these knownfails are OK (for now)
via cc64ec21039 CVE-2020-25722 dsdb: Prohibit mismatch between UF_ account types and objectclass.
via a72cec41c21 CVE-2020-25722 dsdb: Add tests for modifying objectClass, userAccountControl and sAMAccountName
via 758c422c11e CVE-2020-25722 dsdb: Improve privileged and unprivileged tests for objectclass/doller/UAC
via 4868385d45b CVE-2020-25722 dsdb: objectclass computer becomes UF_WORKSTATION_TRUST by default
via a6048aaae63 CVE-2020-25722 selftest: Catch errors from samdb.modify() in user_account_control tests
via cf5a3ebaf00 CVE-2020-25722 selftest: Catch possible errors in PasswordSettingsTestCase.test_pso_none_applied()
via b999e14700d CVE-2020-25722 selftest: allow for future failures in BindTests.test_virtual_email_account_style_bind
via df525689abc CVE-2020-25722 selftest: Test combinations of account type and objectclass for creating a user
via 53de95a1f6a CVE-2020-25722 selftest: Extend priv_attrs test - work around UF_NORMAL_ACCOUNT rules on Windows 2019 (requires |UF_PASSWD_NOTREQD or a password) - extend to also cover the sensitive UF_TRUSTED_FOR_DELEGATION
via 07aef1e648d CVE-2020-25722 dsdb: Restrict the setting of privileged attributes during LDAP add/modify
via b02578014f7 CVE-2020-25722 dsdb: Move krbtgt password setup after the point of checking if any passwords are changed
via 65973d2efd4 CVE-2020-25722 dsdb: Tests for our known set of privileged attributes
via 85e3788d829 CVE-2020-17049 tests/krb5: Check account name and SID in PAC for S4U tests
via 6807b81f40b CVE-2020-25722 selftest: Use self.assertRaisesLdbError() in user_account_control.py test
via 6f20d53279d CVE-2020-25722 selftest: Update user_account_control tests to pass against Windows 2019
via ce8fbffd3a1 CVE-2020-25722 selftest: Replace internal loop in test_uac_bits_set() using @DynamicTestClass
via f970d8b549d CVE-2020-25722 selftest: Replace internal loop in test_uac_bits_add() using @DynamicTestClass
via 5719cddc268 CVE-2020-25722 selftest: Use @DynamicTestCase in user_account_control test_uac_bits_unrelated_modify()
via 7d3a0e08c48 CVE-2020-25722 pydsdb: Add API to return strings of known UF_ flags
via a8578a41263 CVE-2020-25722 selftest: Use addCleanup rather than tearDown in user_account_control.py
via 1a0630b9bc7 CVE-2020-25722 selftest: Modernise user_account_control.py tests use a common self.OU
via 8292a799180 CVE-2020-25722 selftest: Move self.assertRaisesLdbError() to samba.tests.TestCase
from 19f0172708e VERSION: Bump version up to Samba 4.15.2...
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-15-test
- Log -----------------------------------------------------------------
commit bdc33fa61f81d3223279a852991d8aded886881b
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Nov 9 19:39:35 2021 +0100
VERSION: Bump version up to Samba 4.15.3...
and re-enable GIT_SNAPSHOT.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
-----------------------------------------------------------------------
Summary of changes:
VERSION | 2 +-
WHATSNEW.txt | 112 +-
auth/auth_util.c | 9 +-
auth/credentials/tests/bind.py | 13 +-
auth/gensec/gensec_util.c | 27 +-
auth/ntlmssp/ntlmssp_server.c | 2 +-
docs-xml/smbdotconf/security/mindomainuid.xml | 17 +
docs-xml/smbdotconf/security/serverrole.xml | 7 +
docs-xml/smbdotconf/winbind/idmapconfig.xml | 4 +
lib/param/loadparm.c | 4 +
lib/param/loadparm_server_role.c | 2 +
lib/param/param_table.c | 1 +
lib/param/util.c | 1 +
libcli/netlogon/netlogon.c | 2 +-
libds/common/flag_mapping.c | 50 +
libds/common/flag_mapping.h | 1 +
libds/common/flags.h | 5 +
libds/common/roles.h | 1 +
librpc/idl/krb5pac.idl | 38 +-
librpc/ndr/ndr_krb5pac.c | 4 +-
librpc/rpc/dcerpc_pkt_auth.c | 19 +-
librpc/rpc/dcerpc_pkt_auth.h | 1 +
librpc/rpc/dcesrv_auth.c | 28 +
librpc/rpc/dcesrv_core.c | 160 +-
python/samba/netcmd/spn.py | 37 +-
python/samba/tests/__init__.py | 58 +-
python/samba/tests/blackbox/ndrdump.py | 35 +
python/samba/tests/dcerpc/raw_protocol.py | 1561 ++++++++++++++--
python/samba/tests/dcerpc/raw_testcase.py | 57 +-
python/samba/tests/dsdb_api.py | 57 +
python/samba/tests/krb5/alias_tests.py | 201 ++
python/samba/tests/krb5/kdc_base_test.py | 168 +-
python/samba/tests/krb5/kdc_tgs_tests.py | 1922 +++++++++++++++++++-
python/samba/tests/krb5/raw_testcase.py | 239 ++-
python/samba/tests/krb5/rfc4120_constants.py | 3 +
python/samba/tests/krb5/rodc_tests.py | 2 +
python/samba/tests/krb5/s4u_tests.py | 49 +-
python/samba/tests/krb5/spn_tests.py | 212 +++
python/samba/tests/krb5/test_ccache.py | 67 +-
python/samba/tests/krb5/test_ldap.py | 100 +-
python/samba/tests/krb5/test_min_domain_uid.py | 121 ++
python/samba/tests/krb5/test_rpc.py | 70 +-
python/samba/tests/krb5/test_smb.py | 71 +-
python/samba/tests/ldap_spn.py | 917 ++++++++++
python/samba/tests/ldap_upn_sam_account.py | 510 ++++++
python/samba/tests/samba_tool/computer.py | 18 +-
python/samba/tests/usage.py | 3 +
selftest/knownfail.d/ldap_spn | 1 +
selftest/knownfail.d/modify-order | 2 +-
selftest/knownfail.d/priv_attr | 13 +
selftest/knownfail.d/uac_objectclass_restrict | 17 +
selftest/knownfail_heimdal_kdc | 16 +-
selftest/knownfail_mit_kdc | 147 +-
selftest/selftest.pl | 2 -
selftest/target/Samba.pm | 1 +
selftest/target/Samba3.pm | 75 +-
selftest/target/Samba4.pm | 2 -
selftest/tests.py | 1 +
source3/auth/auth.c | 3 +
source3/auth/auth_generic.c | 160 +-
source3/auth/auth_sam.c | 14 +-
source3/auth/auth_samba4.c | 2 +-
source3/auth/auth_util.c | 105 +-
source3/auth/proto.h | 3 -
source3/auth/user_krb5.c | 79 +-
source3/include/smb_macros.h | 2 +-
source3/lib/netapi/joindomain.c | 1 +
source3/lib/util_names.c | 15 +-
source3/libsmb/cliconnect.c | 9 +
source3/param/loadparm.c | 6 +-
source3/passdb/lookup_sid.c | 2 +-
source3/passdb/machine_account_secrets.c | 7 +-
source3/registry/reg_backend_prod_options.c | 1 +
source3/rpc_server/dssetup/srv_dssetup_nt.c | 1 +
source3/rpcclient/cmd_netlogon.c | 2 +-
source3/smbd/server.c | 2 +-
source3/torture/pdbtest.c | 2 +-
source3/utils/ntlm_auth.c | 95 +-
source3/utils/ntlm_auth_diagnostics.c | 10 +-
source3/winbindd/winbindd_dual_srv.c | 7 +
source3/winbindd/winbindd_irpc.c | 7 +
source3/winbindd/winbindd_misc.c | 2 +-
source3/winbindd/winbindd_pam.c | 15 +-
source3/winbindd/winbindd_pam_auth_crap.c | 9 +-
source3/winbindd/winbindd_util.c | 47 +-
source4/auth/auth.h | 8 -
source4/auth/ntlm/auth.c | 55 +-
source4/auth/ntlm/auth_sam.c | 12 -
source4/auth/ntlm/auth_simple.c | 2 +-
source4/auth/sam.c | 5 +-
source4/dsdb/common/rodc_helper.c | 284 +++
source4/dsdb/common/util.c | 11 +
source4/dsdb/pydsdb.c | 30 +
source4/dsdb/samdb/cracknames.c | 19 +-
source4/dsdb/samdb/ldb_modules/acl.c | 120 +-
source4/dsdb/samdb/ldb_modules/acl_util.c | 40 +
source4/dsdb/samdb/ldb_modules/dirsync.c | 13 +-
source4/dsdb/samdb/ldb_modules/objectclass.c | 36 +
source4/dsdb/samdb/ldb_modules/password_hash.c | 164 +-
source4/dsdb/samdb/ldb_modules/samldb.c | 1921 ++++++++++++++++---
source4/dsdb/samdb/ldb_modules/util.c | 119 +-
source4/dsdb/tests/python/acl.py | 97 +
source4/dsdb/tests/python/ldap.py | 49 +-
source4/dsdb/tests/python/linked_attributes.py | 21 -
source4/dsdb/tests/python/password_settings.py | 30 +-
source4/dsdb/tests/python/priv_attrs.py | 398 ++++
source4/dsdb/tests/python/sam.py | 94 +-
source4/dsdb/tests/python/subtree_rename.py | 25 -
source4/dsdb/tests/python/user_account_control.py | 855 +++++++--
source4/dsdb/wscript_build | 2 +-
source4/heimdal/kdc/kerberos5.c | 23 +-
source4/heimdal/kdc/krb5tgs.c | 292 ++-
source4/heimdal/kdc/windc.c | 7 +-
source4/heimdal/kdc/windc_plugin.h | 2 +
source4/heimdal/lib/hdb/hdb.h | 2 +-
source4/kdc/db-glue.c | 77 +-
source4/kdc/db-glue.h | 5 +-
source4/kdc/hdb-samba4.c | 43 +-
source4/kdc/kdc-heimdal.c | 1 +
source4/kdc/mit-kdb/kdb_samba.h | 7 +
source4/kdc/mit-kdb/kdb_samba_policies.c | 185 +-
source4/kdc/mit-kdb/kdb_samba_principals.c | 60 +-
source4/kdc/mit_samba.c | 62 +-
source4/kdc/mit_samba.h | 2 +
source4/kdc/pac-glue.c | 473 ++++-
source4/kdc/pac-glue.h | 31 +-
source4/kdc/wdc-samba4.c | 132 +-
source4/libcli/smb_composite/sesssetup.c | 14 +
source4/librpc/rpc/dcerpc.c | 1 +
.../librpc/tests/krb5pac_upn_dns_info_ex.b64.txt | 1 +
source4/librpc/tests/krb5pac_upn_dns_info_ex.txt | 220 +++
.../krb5pac_upn_dns_info_ex_not_supported.b64.txt | 1 +
.../krb5pac_upn_dns_info_ex_not_supported.txt | 213 +++
source4/rpc_server/common/server_info.c | 121 +-
source4/rpc_server/common/sid_helper.c | 134 --
source4/rpc_server/dnsserver/dcerpc_dnsserver.c | 11 +-
source4/rpc_server/drsuapi/dcesrv_drsuapi.c | 55 +-
source4/rpc_server/drsuapi/getncchanges.c | 71 +-
source4/rpc_server/lsa/lsa_init.c | 7 +-
source4/rpc_server/netlogon/dcerpc_netlogon.c | 191 +-
source4/rpc_server/samr/dcesrv_samr.c | 21 +-
source4/rpc_server/samr/samr_password.c | 31 +-
source4/rpc_server/wscript_build | 9 +-
source4/selftest/tests.py | 110 +-
source4/setup/provision_self_join.ldif | 9 +-
source4/setup/tests/blackbox_spn.sh | 7 +-
source4/setup/tests/blackbox_upgradeprovision.sh | 8 +-
source4/smb_server/smb/sesssetup.c | 4 +-
source4/torture/rpc/drsuapi.c | 202 +-
source4/torture/rpc/drsuapi.h | 3 +-
source4/torture/rpc/drsuapi_cracknames.c | 2 +-
source4/torture/rpc/remote_pac.c | 24 +-
source4/torture/rpc/samlogon.c | 4 +-
source4/torture/rpc/schannel.c | 2 +-
testprogs/blackbox/dbcheck-oldrelease.sh | 4 +-
testprogs/blackbox/functionalprep.sh | 2 +-
testprogs/blackbox/upgradeprovision-oldrelease.sh | 4 +-
157 files changed, 12976 insertions(+), 2197 deletions(-)
create mode 100644 docs-xml/smbdotconf/security/mindomainuid.xml
create mode 100644 python/samba/tests/dsdb_api.py
create mode 100755 python/samba/tests/krb5/alias_tests.py
create mode 100755 python/samba/tests/krb5/spn_tests.py
create mode 100755 python/samba/tests/krb5/test_min_domain_uid.py
create mode 100644 python/samba/tests/ldap_spn.py
create mode 100644 python/samba/tests/ldap_upn_sam_account.py
create mode 100644 selftest/knownfail.d/ldap_spn
create mode 100644 selftest/knownfail.d/priv_attr
create mode 100644 selftest/knownfail.d/uac_objectclass_restrict
create mode 100644 source4/dsdb/common/rodc_helper.c
create mode 100644 source4/dsdb/tests/python/priv_attrs.py
create mode 100644 source4/librpc/tests/krb5pac_upn_dns_info_ex.b64.txt
create mode 100644 source4/librpc/tests/krb5pac_upn_dns_info_ex.txt
create mode 100644 source4/librpc/tests/krb5pac_upn_dns_info_ex_not_supported.b64.txt
create mode 100644 source4/librpc/tests/krb5pac_upn_dns_info_ex_not_supported.txt
delete mode 100644 source4/rpc_server/common/sid_helper.c
Changeset truncated at 500 lines:
diff --git a/VERSION b/VERSION
index 7aaed9b5009..4b02d074ee7 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
########################################################
SAMBA_VERSION_MAJOR=4
SAMBA_VERSION_MINOR=15
-SAMBA_VERSION_RELEASE=2
+SAMBA_VERSION_RELEASE=3
########################################################
# If a official release has a serious bug #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 73cc1613bef..6632cf1c294 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,111 @@
+ ==============================
+ Release Notes for Samba 4.15.2
+ November 9, 2021
+ ==============================
+
+
+This is a security release in order to address the following defects:
+
+o CVE-2016-2124: SMB1 client connections can be downgraded to plaintext
+ authentication.
+ https://www.samba.org/samba/security/CVE-2016-2124.html
+
+o CVE-2020-25717: A user on the domain can become root on domain members.
+ https://www.samba.org/samba/security/CVE-2020-25717.html
+ (PLEASE READ! There are important behaviour changes described)
+
+o CVE-2020-25718: Samba AD DC did not correctly sandbox Kerberos tickets issued
+ by an RODC.
+ https://www.samba.org/samba/security/CVE-2020-25718.html
+
+o CVE-2020-25719: Samba AD DC did not always rely on the SID and PAC in Kerberos
+ tickets.
+ https://www.samba.org/samba/security/CVE-2020-25719.html
+
+o CVE-2020-25721: Kerberos acceptors need easy access to stable AD identifiers
+ (eg objectSid).
+ https://www.samba.org/samba/security/CVE-2020-25721.html
+
+o CVE-2020-25722: Samba AD DC did not do suffienct access and conformance
+ checking of data stored.
+ https://www.samba.org/samba/security/CVE-2020-25722.html
+
+o CVE-2021-3738: Use after free in Samba AD DC RPC server.
+ https://www.samba.org/samba/security/CVE-2021-3738.html
+
+o CVE-2021-23192: Subsequent DCE/RPC fragment injection vulnerability.
+ https://www.samba.org/samba/security/CVE-2021-23192.html
+
+
+Changes since 4.15.1
+--------------------
+
+o Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
+ * CVE-2020-25722
+
+o Andrew Bartlett <abartlet at samba.org>
+ * CVE-2020-25718
+ * CVE-2020-25719
+ * CVE-2020-25721
+ * CVE-2020-25722
+
+o Ralph Boehme <slow at samba.org>
+ * CVE-2020-25717
+
+o Alexander Bokovoy <ab at samba.org>
+ * CVE-2020-25717
+
+o Samuel Cabrero <scabrero at samba.org>
+ * CVE-2020-25717
+
+o Nadezhda Ivanova <nivanova at symas.com>
+ * CVE-2020-25722
+
+o Stefan Metzmacher <metze at samba.org>
+ * CVE-2016-2124
+ * CVE-2020-25717
+ * CVE-2020-25719
+ * CVE-2020-25722
+ * CVE-2021-23192
+ * CVE-2021-3738
+
+o Andreas Schneider <asn at samba.org>
+ * CVE-2020-25719
+
+o Joseph Sutton <josephsutton at catalyst.net.nz>
+ * CVE-2020-17049
+ * CVE-2020-25718
+ * CVE-2020-25719
+ * CVE-2020-25721
+ * CVE-2020-25722
+ * MS CVE-2020-17049
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.libera.chat or the
+#samba-technical:matrix.org matrix channel.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
+
==============================
Release Notes for Samba 4.15.1
October 27, 2021
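Review bot: "suffienct" in the CVE-2020-25722 entry should be "sufficient", and the contributor list credits Joseph Sutton with both "CVE-2020-17049" and "MS CVE-2020-17049" for the same identifier while that CVE does not appear in the "address the following defects" list at the top of the notes; either add a CVE-2020-17049 entry with its samba.org link up there or drop it from the credits so the two lists agree. The CVE-2020-25717 entry is the only one flagged "PLEASE READ"; a one-line hint that the behaviour change includes a new "min domain uid" parameter (documented elsewhere in this same patch) would tell administrators whether they must stop and read before upgrading.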
@@ -101,8 +209,8 @@ database (https://bugzilla.samba.org/).
======================================================================
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
+
==============================
Release Notes for Samba 4.15.0
September 20, 2021
diff --git a/auth/auth_util.c b/auth/auth_util.c
index f3586f1fc1e..fe01babd107 100644
--- a/auth/auth_util.c
+++ b/auth/auth_util.c
@@ -26,26 +26,28 @@
struct auth_session_info *copy_session_info(TALLOC_CTX *mem_ctx,
const struct auth_session_info *src)
{
+ TALLOC_CTX *frame = talloc_stackframe();
struct auth_session_info *dst;
DATA_BLOB blob;
enum ndr_err_code ndr_err;
ndr_err = ndr_push_struct_blob(
&blob,
- talloc_tos(),
+ frame,
src,
(ndr_push_flags_fn_t)ndr_push_auth_session_info);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
DBG_ERR("copy_session_info(): ndr_push_auth_session_info "
"failed: %s\n",
ndr_errstr(ndr_err));
+ TALLOC_FREE(frame);
return NULL;
}
dst = talloc(mem_ctx, struct auth_session_info);
if (dst == NULL) {
DBG_ERR("talloc failed\n");
- TALLOC_FREE(blob.data);
+ TALLOC_FREE(frame);
return NULL;
}
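Review bot: `frame` is now released on two separate error paths in this hunk and will need a third copy on every future check added here; a single `done:` label with `TALLOC_FREE(frame); return dst;` (setting `dst = NULL` on failure) keeps the stackframe discipline in one place. A short comment on why `talloc_tos()` was wrong would also help: the pushed blob was being attached to whatever stackframe the caller happened to have on top rather than to this function, so its lifetime was decided by the caller, not by `copy_session_info()`.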
@@ -54,15 +56,16 @@ struct auth_session_info *copy_session_info(TALLOC_CTX *mem_ctx,
dst,
dst,
(ndr_pull_flags_fn_t)ndr_pull_auth_session_info);
- TALLOC_FREE(blob.data);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
DBG_ERR("copy_session_info(): ndr_pull_auth_session_info "
"failed: %s\n",
ndr_errstr(ndr_err));
TALLOC_FREE(dst);
+ TALLOC_FREE(frame);
return NULL;
}
+ TALLOC_FREE(frame);
return dst;
}
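Review bot: dropping `TALLOC_FREE(blob.data)` after the pull is safe only because nothing in `dst` references the serialized bytes; the old code already freed `blob.data` right after `ndr_pull_struct_blob` and returned `dst`, so that assumption was already in place, and `dst` is passed as both target and memory context on the lines above. On the failure path `dst` is freed before `frame`, which is correct since `dst` hangs off `mem_ctx`, not `frame`. A one-line comment stating that the pulled copy is self-contained would stop a later change from pulling with `frame` as the context and leaving `dst` dangling.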
diff --git a/auth/credentials/tests/bind.py b/auth/credentials/tests/bind.py
index a256a930a8a..68ea99ed894 100755
--- a/auth/credentials/tests/bind.py
+++ b/auth/credentials/tests/bind.py
@@ -92,7 +92,8 @@ class BindTests(samba.tests.TestCase):
# this test to detect when the LDAP DN is being double-parsed
# but must be in the user at realm style to allow the account to
# be created
- self.ldb.add_ldif("""
+ try:
+ self.ldb.add_ldif("""
dn: """ + self.virtual_user_dn + """
cn: frednurk@""" + self.realm + """
displayName: Fred Nurk
@@ -105,13 +106,21 @@ objectClass: person
objectClass: top
objectClass: user
""")
+ except LdbError as e:
+ (num, msg) = e.args
+ self.fail(f"Failed to create e-mail user: {msg}")
+
self.addCleanup(delete_force, self.ldb, self.virtual_user_dn)
- self.ldb.modify_ldif("""
+ try:
+ self.ldb.modify_ldif("""
dn: """ + self.virtual_user_dn + """
changetype: modify
replace: unicodePwd
unicodePwd:: """ + base64.b64encode(u"\"P at ssw0rd\"".encode('utf-16-le')).decode('utf8') + """
""")
+ except LdbError as e:
+ (num, msg) = e.args
+ self.fail(f"Failed to set password on e-mail user: {msg}")
self.ldb.enable_account('distinguishedName=%s' % self.virtual_user_dn)
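Review bot: `num` is unpacked from `e.args` in both new `except LdbError` blocks and never used; `(_, msg) = e.args` or `msg = e.args[1]` avoids the lint warning. Both handlers also rely on `LdbError` being importable in this module (`from ldb import LdbError`); the hunk does not show the import, so please confirm it is already present at the top of the file. The two `self.fail()` messages already distinguish the add from the password set, which is what a failing test run needs.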
diff --git a/auth/gensec/gensec_util.c b/auth/gensec/gensec_util.c
index e411751c3af..1075b9fde87 100644
--- a/auth/gensec/gensec_util.c
+++ b/auth/gensec/gensec_util.c
@@ -25,6 +25,8 @@
#include "auth/gensec/gensec_internal.h"
#include "auth/common_auth.h"
#include "../lib/util/asn1.h"
+#include "param/param.h"
+#include "libds/common/roles.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_AUTH
@@ -48,10 +50,27 @@ NTSTATUS gensec_generate_session_info_pac(TALLOC_CTX *mem_ctx,
session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS;
if (!pac_blob) {
- if (gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) {
- DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access\n",
- principal_string));
- return NT_STATUS_ACCESS_DENIED;
+ enum server_role server_role =
+ lpcfg_server_role(gensec_security->settings->lp_ctx);
+
+ /*
+ * For any domain setup (DC or member) we require having
+ * a PAC, as the service ticket comes from an AD DC,
+ * which will always provide a PAC, unless
+ * UF_NO_AUTH_DATA_REQUIRED is configured for our
+ * account, but that's just an invalid configuration,
+ * the admin configured for us!
+ *
+ * As a legacy case, we still allow kerberos tickets from an MIT
+ * realm, but only in standalone mode. In that mode we'll only
+ * ever accept a kerberos authentication with a keytab file
+ * being explicitly configured via the 'keytab method' option.
+ */
+ if (server_role != ROLE_STANDALONE) {
+ DBG_WARNING("Unable to find PAC in ticket from %s, "
+ "failing to allow access\n",
+ principal_string);
+ return NT_STATUS_NO_IMPERSONATION_TOKEN;
}
DBG_NOTICE("Unable to find PAC for %s, resorting to local "
"user lookup\n", principal_string);
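Review bot: the `gensec:require_pac` setting is no longer consulted anywhere in this function, so an administrator who relied on `require_pac = true` on a standalone server loses that enforcement silently; either keep honouring it inside the `ROLE_STANDALONE` branch or record its removal in the release notes and the smb.conf documentation. The return value also changes from `NT_STATUS_ACCESS_DENIED` to `NT_STATUS_NO_IMPERSONATION_TOKEN`; callers and tests that matched on the old status need to follow. `lpcfg_server_role(gensec_security->settings->lp_ctx)` dereferences `lp_ctx` unconditionally, so a comment saying that `settings->lp_ctx` is guaranteed non-NULL here would close the remaining question a reader has; the comment block itself explains the legacy MIT-realm case well.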
diff --git a/auth/ntlmssp/ntlmssp_server.c b/auth/ntlmssp/ntlmssp_server.c
index 001238278d7..939aa0ef4aa 100644
--- a/auth/ntlmssp/ntlmssp_server.c
+++ b/auth/ntlmssp/ntlmssp_server.c
@@ -799,7 +799,7 @@ static void ntlmssp_server_auth_done(struct tevent_req *subreq)
struct gensec_security *gensec_security = state->gensec_security;
struct gensec_ntlmssp_context *gensec_ntlmssp = state->gensec_ntlmssp;
struct auth4_context *auth_context = gensec_security->auth_context;
- uint8_t authoritative = 0;
+ uint8_t authoritative = 1;
NTSTATUS status;
status = auth_context->check_ntlm_password_recv(subreq,
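Review bot: initialising `authoritative` to 1 rather than 0 is the fail-closed choice, since a callee on the following line that returns an error without writing the value will now be treated as an authoritative rejection instead of a "try another backend" answer; that reasoning belongs in a comment next to the declaration, because the next reader will see a bare `= 1` and be tempted to restore the "obvious" zero default.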
diff --git a/docs-xml/smbdotconf/security/mindomainuid.xml b/docs-xml/smbdotconf/security/mindomainuid.xml
new file mode 100644
index 00000000000..46ae795d730
--- /dev/null
+++ b/docs-xml/smbdotconf/security/mindomainuid.xml
@@ -0,0 +1,17 @@
+<samba:parameter name="min domain uid"
+ type="integer"
+ context="G"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ The integer parameter specifies the minimum uid allowed when mapping a
+ local account to a domain account.
+ </para>
+
+ <para>
+ Note that this option interacts with the configured <emphasis>idmap ranges</emphasis>!
+ </para>
+</description>
+
+<value type="default">1000</value>
+</samba:parameter>
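Review bot: the description says what the parameter is but not what happens when it is violated; it should state what Samba does with a domain account whose mapped uid falls below this value (reject the mapping, refuse the logon, or whatever the actual behaviour is), since that is the line an administrator debugging a failed logon will look for. "The integer parameter specifies" reads oddly; "This parameter specifies the minimum uid that a domain account may be mapped to" is clearer. The "interacts with the configured idmap ranges" note would also be more useful with the concrete rule, for instance that ids below this value inside an idmap range are not usable for domain accounts, if that is indeed the rule.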
diff --git a/docs-xml/smbdotconf/security/serverrole.xml b/docs-xml/smbdotconf/security/serverrole.xml
index 9511c61c96d..b8b83a127b5 100644
--- a/docs-xml/smbdotconf/security/serverrole.xml
+++ b/docs-xml/smbdotconf/security/serverrole.xml
@@ -78,6 +78,13 @@
url="http://wiki.samba.org/index.php/Samba4/HOWTO">Samba4
HOWTO</ulink></para>
+ <para><anchor id="IPA-DC"/><emphasis>SERVER ROLE = IPA DOMAIN CONTROLLER</emphasis></para>
+
+ <para>This mode of operation runs Samba in a hybrid mode for IPA
+ domain controller, providing forest trust to Active Directory.
+ This role requires special configuration performed by IPA installers
+ and should not be used manually by any administrator.
+ </para>
</description>
<related>security</related>
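Review bot: the heading says `SERVER ROLE = IPA DOMAIN CONTROLLER`, but the only string registered for `ROLE_IPA_DC` in `lib/param/param_table.c` in this same patch is "IPA primary domain controller", so a reader who copies the documented value into smb.conf gets a value that does not parse; make the documentation and the enum string agree, or accept both spellings in the table as the AD DC role already does. The paragraph also says the role "should not be used manually by any administrator" without saying what breaks; one sentence on what the IPA installers configure that a hand-written smb.conf would lack would make the warning actionable.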
diff --git a/docs-xml/smbdotconf/winbind/idmapconfig.xml b/docs-xml/smbdotconf/winbind/idmapconfig.xml
index 1374040fb29..f70f11df757 100644
--- a/docs-xml/smbdotconf/winbind/idmapconfig.xml
+++ b/docs-xml/smbdotconf/winbind/idmapconfig.xml
@@ -80,6 +80,9 @@
authoritative for a unix ID to SID mapping, so it must be set
for each individually configured domain and for the default
configuration. The configured ranges must be mutually disjoint.
+ </para>
+ <para>
+ Note that the low value interacts with the <smbconfoption name="min domain uid"/> option!
</para></listitem>
</varlistentry>
@@ -115,4 +118,5 @@
</programlisting>
</description>
+<related>min domain uid</related>
</samba:parameter>
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 59e749d9d46..151fe167b26 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2994,6 +2994,10 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
"server smb3 encryption algorithms",
DEFAULT_SMB3_ENCRYPTION_ALGORITHMS);
+ lpcfg_do_global_parameter(lp_ctx,
+ "min domain uid",
+ "1000");
+
for (i = 0; parm_table[i].label; i++) {
if (!(lp_ctx->flags[i] & FLAG_CMDLINE)) {
lp_ctx->flags[i] |= FLAG_DEFAULT;
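Review bot: the default `"1000"` is now a string literal here and a second copy lives in `docs-xml/smbdotconf/security/mindomainuid.xml` (`<value type="default">1000</value>`); the neighbouring default in the context above uses a named constant (`DEFAULT_SMB3_ENCRYPTION_ALGORITHMS`), so a `DEFAULT_MIN_DOMAIN_UID` define plus a note in the XML that the two must match would stop them drifting apart. If the source3 loadparm code sets its own defaults separately (not shown in this hunk), it needs the same value.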
diff --git a/lib/param/loadparm_server_role.c b/lib/param/loadparm_server_role.c
index 7a6bc770723..a78d1ab9cf3 100644
--- a/lib/param/loadparm_server_role.c
+++ b/lib/param/loadparm_server_role.c
@@ -42,6 +42,7 @@ static const struct srv_role_tab {
{ ROLE_DOMAIN_BDC, "ROLE_DOMAIN_BDC" },
{ ROLE_DOMAIN_PDC, "ROLE_DOMAIN_PDC" },
{ ROLE_ACTIVE_DIRECTORY_DC, "ROLE_ACTIVE_DIRECTORY_DC" },
+ { ROLE_IPA_DC, "ROLE_IPA_DC"},
{ 0, NULL }
};
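Review bot: `{ ROLE_IPA_DC, "ROLE_IPA_DC"},` drops the space before the closing brace that every other row of `srv_role_tab` has; align it with the neighbouring entries.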
@@ -140,6 +141,7 @@ bool lp_is_security_and_server_role_valid(int server_role, int security)
case ROLE_DOMAIN_PDC:
case ROLE_DOMAIN_BDC:
case ROLE_ACTIVE_DIRECTORY_DC:
+ case ROLE_IPA_DC:
if (security == SEC_USER) {
valid = true;
}
diff --git a/lib/param/param_table.c b/lib/param/param_table.c
index d9301152d94..9fac73ef113 100644
--- a/lib/param/param_table.c
+++ b/lib/param/param_table.c
@@ -109,6 +109,7 @@ static const struct enum_list enum_server_role[] = {
{ROLE_ACTIVE_DIRECTORY_DC, "active directory domain controller"},
{ROLE_ACTIVE_DIRECTORY_DC, "domain controller"},
{ROLE_ACTIVE_DIRECTORY_DC, "dc"},
+ {ROLE_IPA_DC, "IPA primary domain controller"},
{-1, NULL}
};
diff --git a/lib/param/util.c b/lib/param/util.c
index cd8e74b9d8f..9a0fc102de8 100644
--- a/lib/param/util.c
+++ b/lib/param/util.c
@@ -255,6 +255,7 @@ const char *lpcfg_sam_name(struct loadparm_context *lp_ctx)
case ROLE_DOMAIN_BDC:
case ROLE_DOMAIN_PDC:
case ROLE_ACTIVE_DIRECTORY_DC:
+ case ROLE_IPA_DC:
return lpcfg_workgroup(lp_ctx);
default:
return lpcfg_netbios_name(lp_ctx);
diff --git a/libcli/netlogon/netlogon.c b/libcli/netlogon/netlogon.c
index 239503e85b6..59af460dc4e 100644
--- a/libcli/netlogon/netlogon.c
+++ b/libcli/netlogon/netlogon.c
@@ -93,7 +93,7 @@ NTSTATUS pull_netlogon_samlogon_response(DATA_BLOB *data, TALLOC_CTX *mem_ctx,
if (ndr->offset < ndr->data_size) {
TALLOC_FREE(ndr);
/*
- * We need to handle a bug in FreeIPA (at least <= 4.1.2).
+ * We need to handle a bug in IPA (at least <= 4.1.2).
*
* They include the ip address information without setting
* NETLOGON_NT_VERSION_5EX_WITH_IP, while using
diff --git a/libds/common/flag_mapping.c b/libds/common/flag_mapping.c
index ddc8ec5c198..020922db659 100644
--- a/libds/common/flag_mapping.c
+++ b/libds/common/flag_mapping.c
@@ -164,3 +164,53 @@ uint32_t ds_uf2prim_group_rid(uint32_t uf)
return prim_group_rid;
}
+
+#define FLAG(x) { .name = #x, .uf = x }
+struct {
+ const char *name;
+ uint32_t uf;
+} user_account_control_name_map[] = {
+ FLAG(UF_SCRIPT),
+ FLAG(UF_ACCOUNTDISABLE),
+ FLAG(UF_00000004),
+ FLAG(UF_HOMEDIR_REQUIRED),
+ FLAG(UF_LOCKOUT),
+ FLAG(UF_PASSWD_NOTREQD),
+ FLAG(UF_PASSWD_CANT_CHANGE),
+ FLAG(UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED),
+
+ FLAG(UF_TEMP_DUPLICATE_ACCOUNT),
+ FLAG(UF_NORMAL_ACCOUNT),
+ FLAG(UF_00000400),
+ FLAG(UF_INTERDOMAIN_TRUST_ACCOUNT),
+
+ FLAG(UF_WORKSTATION_TRUST_ACCOUNT),
+ FLAG(UF_SERVER_TRUST_ACCOUNT),
+ FLAG(UF_00004000),
+ FLAG(UF_00008000),
+
+ FLAG(UF_DONT_EXPIRE_PASSWD),
+ FLAG(UF_MNS_LOGON_ACCOUNT),
+ FLAG(UF_SMARTCARD_REQUIRED),
+ FLAG(UF_TRUSTED_FOR_DELEGATION),
+
+ FLAG(UF_NOT_DELEGATED),
+ FLAG(UF_USE_DES_KEY_ONLY),
+ FLAG(UF_DONT_REQUIRE_PREAUTH),
+ FLAG(UF_PASSWORD_EXPIRED),
+ FLAG(UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION),
+ FLAG(UF_NO_AUTH_DATA_REQUIRED),
+ FLAG(UF_PARTIAL_SECRETS_ACCOUNT),
+ FLAG(UF_USE_AES_KEYS)
+};
+
+const char *dsdb_user_account_control_flag_bit_to_string(uint32_t uf)
+{
+ int i;
+ for (i=0; i < ARRAY_SIZE(user_account_control_name_map); i++) {
+ if (uf == user_account_control_name_map[i].uf) {
+ return user_account_control_name_map[i].name;
+ }
+ }
+ return NULL;
+}
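Review bot: `user_account_control_name_map` is a file-scope table with neither `static` nor `const`, so it is exported from the library and placed in writable memory; declare it `static const`. In `dsdb_user_account_control_flag_bit_to_string`, `int i` is compared against `ARRAY_SIZE(...)`, which is unsigned, and will draw a sign-compare warning; use `size_t i`. The lookup is an exact equality test, so a value with more than one bit set returns NULL; the name says "flag_bit", so that is intended, but a one-line comment saying callers must pass a single bit would stop the next user from passing a whole `userAccountControl` mask and getting NULL back.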
diff --git a/libds/common/flag_mapping.h b/libds/common/flag_mapping.h
index ae721da894a..f08d5593af6 100644
--- a/libds/common/flag_mapping.h
+++ b/libds/common/flag_mapping.h
@@ -31,5 +31,6 @@ uint32_t ds_uf2atype(uint32_t uf);
uint32_t ds_gtype2atype(uint32_t gtype);
enum lsa_SidType ds_atype_map(uint32_t atype);
uint32_t ds_uf2prim_group_rid(uint32_t uf);
+const char *dsdb_user_account_control_flag_bit_to_string(uint32_t uf);
#endif /* __LIBDS_COMMON_FLAG_MAPPING_H__ */
diff --git a/libds/common/flags.h b/libds/common/flags.h
index d436f2bafd8..75e04b0c488 100644
--- a/libds/common/flags.h
+++ b/libds/common/flags.h
@@ -18,6 +18,8 @@
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
+/* Please keep this list in sync with the flag_mapping.c and pydsdb.c */
+
--
Samba Shared Repository