[SCM] Samba Shared Repository - branch v4-15-stable updated

Stefan Metzmacher metze at samba.org
Tue Nov 9 18:11:21 UTC 2021


The branch, v4-15-stable has been updated
       via  7d0c030d423 VERSION: Disable GIT_SNAPSHOT for the 4.15.2 release.
       via  35c66c50462 WHATSNEW: Add release notes for Samba 4.15.2.
       via  a87d07ccc56 CVE-2021-3738 s4:rpc_server/samr: make use of dcesrv_samdb_connect_as_*() helper
       via  0b52f103889 CVE-2021-3738 s4:rpc_server/netlogon: make use of dcesrv_samdb_connect_as_*() helper
       via  952ab2b82cd CVE-2021-3738 s4:rpc_server/lsa: make use of dcesrv_samdb_connect_as_user() helper
       via  dbddd1cbcb1 CVE-2021-3738 s4:rpc_server/dnsserver: make use of dcesrv_samdb_connect_as_user() helper
       via  091dd0fd5d7 CVE-2021-3738 s4:rpc_server/drsuapi: make use of assoc_group aware dcesrv_samdb_connect_as_*() helpers
       via  3b767f29f4c CVE-2021-3738 s4:rpc_server/common: provide assoc_group aware dcesrv_samdb_connect_as_{system,user}() helpers
       via  462d635966e CVE-2021-3738 auth_util: avoid talloc_tos() in copy_session_info()
       via  129b3694a18 CVE-2021-3738 s4:torture/drsuapi: DsBindAssocGroup* tests
       via  6f971523a71 CVE-2021-3738 s4:torture/drsuapi: maintain priv->admin_credentials
       via  67b43eadd2b CVE-2021-3738 s4:torture/drsuapi: maintain priv->dc_credentials
       via  4c59866c08e CVE-2021-3738 s4:torture/drsuapi: don't pass DsPrivate to test_DsBind()
       via  670abaacb52 CVE-2016-2124: s3:libsmb: don't fallback to non spnego authentication if we require kerberos
       via  ecfa1fb3254 CVE-2016-2124: s4:libcli/sesssetup: don't fallback to non spnego authentication if we require kerberos
       via  c59c8abb94d CVE-2021-23192: dcesrv_core: only the first fragment specifies the auth_contexts
       via  aaba2e8b0e4 CVE-2021-23192: python/tests/dcerpc: add tests to check how security contexts relate to fragmented requests
       via  0b2ab8bc255 CVE-2021-23192: python/tests/dcerpc: fix do_single_request(send_req=False)
       via  016be9b15ec CVE-2021-23192: python/tests/dcerpc: let generate_request_auth() use g_auth_level in all places
       via  096405b778e CVE-2021-23192: python/tests/dcerpc: change assertNotEquals() into assertNotEqual()
       via  9ab57ce2e23 CVE-2021-23192: dcesrv_core: add dcesrv_fault_disconnect0() that skips DCERPC_PFC_FLAG_DID_NOT_EXECUTE
       via  09ae69e60cd CVE-2021-23192: dcesrv_core: add better debugging to dcesrv_fault_disconnect()
       via  1d1097f08c7 CVE-2020-25722 selftest: Ensure check for duplicate servicePrincipalNames is not bypassed for an add operation
       via  ef2edd3f178 CVE-2020-25722 selftest: Add test for duplicate servicePrincipalNames on an add operation
       via  6ceab83249b CVE-2020-25722 pytests: Give computer accounts unique (and valid) sAMAccountNames and SPNs
       via  ba272db5163 CVE-2020-25719 selftest: Always expect a PAC in TGS replies with Heimdal
       via  98f7ce8d28c Revert "CVE-2020-25719 heimdal:kdc: Require authdata to be present"
       via  319554fe6c6 CVE-2020-25718 heimdal:kdc: Add comment about tests for tickets of users not revealed to an RODC
       via  637991c7ebf CVE-2020-25719 tests/krb5: Add tests for using a ticket with a renamed account
       via  390b5e77dc5 CVE-2020-25718 tests/krb5: Only fetch RODC account credentials when necessary
       via  d0228a228cc CVE-2020-25719 heimdal:kdc: Require PAC to be present
       via  ea38fae96ea CVE-2020-25722 kdc: Do not honour a request for a 3-part SPN (ending in our domain/realm) unless a DC
       via  11491b1462e CVE-2020-25719 heimdal:kdc: Verify PAC in TGT provided for user-to-user authentication
       via  d6f3ad0b0ba CVE-2020-25719 heimdal:kdc: Check name in request against name in user-to-user TGT
       via  b6d1606f6fc CVE-2020-25719 heimdal:kdc: Use sname from request rather than user-to-user TGT client name
       via  c3b0b6cd7d2 CVE-2020-25719 heimdal:kdc: Move fetching krbtgt entry to before enctype selection
       via  ce38d6b37c9 CVE-2020-25719 heimdal:kdc: Check return code
       via  1c6e4577675 CVE-2020-25719 s4:kdc: Add KDC support for PAC_REQUESTER_SID PAC buffer
       via  8edf19bcf92 CVE-2020-25722 Ensure the structural objectclass cannot be changed
       via  3116befb038 CVE-2020-25721 auth: Fill in the new HAS_SAM_NAME_AND_SID values
       via  63ea5339360 CVE-2020-25719 kdc: Avoid races and multiple DB lookups in s4u2self check
       via  30e379fc33f CVE-2020-25718 kdc: Return ERR_POLICY if RODC krbtgt account is invalid
       via  1d26ec8d58a CVE-2020-25718 kdc: Confirm the RODC was allowed to issue a particular ticket
       via  ca370968260 CVE-2020-25718 dsdb: Bring sid_helper.c into common code as rodc_helper.c
       via  7a826d91127 CVE-2020-25718 s4-rpc_server: Add in debug messages into RODC processing
       via  92249e9be1b CVE-2020-25718 s4-rpc_server: Explain why we use DSDB_SEARCH_SHOW_EXTENDED_DN in RODC access check
       via  24a097d23f4 CVE-2020-25718 s4-rpc_server: Remove unused attributes in RODC check
       via  83fc8e40f36 CVE-2020-25718 s4-rpc_server: Provide wrapper samdb_confirm_rodc_allowed_to_repl_to()
       via  0492a733054 CVE-2020-25718 s4-rpc_server: Confirm that the RODC has the UF_PARTIAL_SECRETS_ACCOUNT bit
       via  1e957cacd0a CVE-2020-25718 s4-rpc_server: Put msDS-KrbTgtLinkBL and UF_INTERDOMAIN_TRUST_ACCOUNT RODC checks in common
       via  4a8e087c252 CVE-2020-25718 s4-rpc_server: Put RODC reveal/never reveal logic into a single helper function
       via  4fa7a448f3b CVE-2020-25718 s4-rpc_server: Obtain the user tokenGroups earlier
       via  4d21b4d2050 CVE-2020-25718 s4-rpc_server: Change sid list functions to operate on a array of struct dom_sid
       via  50a69252454 CVE-2020-25718 kdc: Remove unused samba_kdc_get_pac_blob()
       via  947c922c684 CVE-2020-25719 heimdal:kdc: Require authdata to be present
       via  dc873b2e02b CVE-2020-25719 s4:kdc: Add KDC support for PAC_ATTRIBUTES_INFO PAC buffer
       via  31123d80a19 CVE-2020-25719 s4:kdc: Check if the pac is valid before updating it
       via  733c2a4a489 CVE-2020-25719 s4:kdc: Add samba_kdc_validate_pac_blob()
       via  424109b4eea CVE-2020-25719 s4:kdc: Remove trailing spaces in pac-glue.c
       via  aa91e1f8249 CVE-2020-25719 mit_samba: Create the talloc context earlier
       via  db5183ed315 CVE-2020-25719 mit_samba: The samba_princ_needs_pac check should be on the server entry
       via  717960aaa31 CVE-2020-25719 mit-samba: Rework PAC handling in kdb_samba_db_sign_auth_data()
       via  e2674a4fbd2 CVE-2020-25719 mit-samba: Handle no DB entry in mit_samba_get_pac()
       via  d00fe7a85c3 CVE-2020-25719 mit-samba: Add mit_samba_princ_needs_pac()
       via  a1e75a78a56 CVE-2020-25719 mit-samba: If we use client_princ, always lookup the db entry
       via  d0a9e4beb0d CVE-2020-25719 mit-samba: Add ks_free_principal()
       via  f321ccc492b CVE-2020-25719 mit-samba: Make ks_get_principal() internally public
       via  f1f96558cfd CVE-2020-25722 pytest: Raise an error when adding a dynamic test that would overwrite an existing test
       via  d6a12f8327d CVE-2020-25719 s4/torture: Expect additional PAC buffers
       via  341560f8b51 CVE-2020-25719 tests/krb5: Add tests for mismatched names with user-to-user
       via  844eca4a0b8 CVE-2020-25719 tests/krb5: Add test for user-to-user with no sname
       via  fa875cb3201 CVE-2020-25719 tests/krb5: Add tests for requester SID PAC buffer
       via  a0485f3a5b2 CVE-2020-25719 tests/krb5: Add tests for PAC-REQUEST padata
       via  4640efa4ee1 CVE-2020-25719 tests/krb5: Add tests for PAC attributes buffer
       via  b727d380028 CVE-2020-25719 tests/krb5: Add expected parameters to cache key for obtaining tickets
       via  de5c2f6b5ca CVE-2020-25719 tests/krb5: Add EXPECT_PAC environment variable to expect pac from all TGS tickets
       via  42d82ae938f CVE-2020-25719 tests/krb5: Add testing for PAC_TYPE_REQUESTER_SID PAC buffer
       via  08b392a6d49 CVE-2020-25719 tests/krb5: Add testing for PAC_TYPE_ATTRIBUTES_INFO PAC buffer
       via  050d0561899 CVE-2020-25719 tests/krb5: Add _modify_tgt() method for modifying already obtained tickets
       via  e2ba22581f9 CVE-2020-25719 tests/krb5: Extend _get_tgt() method to allow more modifications to tickets
       via  fa66d8da991 CVE-2020-25719 tests/krb5: tests/krb5: Adjust expected error code for S4U2Self no-PAC tests
       via  47eb6bbb90a CVE-2020-25719 tests/krb5: Adjust expected error codes for user-to-user tests
       via  06bbaeae997 CVE-2020-25719 tests/krb5: Adjust PAC tests to prepare for new PAC_ATTRIBUTES_INFO buffer
       via  2b037cab8b2 CVE-2020-25719 tests/krb5: Use correct credentials for user-to-user tests
       via  62223d11b91 CVE-2020-25719 tests/krb5: Return ticket from _tgs_req()
       via  7eed3eb1be6 CVE-2020-25719 tests/krb5: Expect 'renew-till' element when renewing a TGT
       via  2e977f86d35 CVE-2020-25719 tests/krb5: Don't expect a kvno for user-to-user
       via  9053b1056ee CVE-2020-25719 tests/krb5: Allow update_pac_checksums=True if the PAC is not present
       via  5a5bd1eef35 CVE-2020-25719 tests/krb5: Provide expected parameters for both AS-REQs in get_tgt()
       via  8d6c969f566 CVE-2020-25719 krb5pac.idl: Add PAC_REQUESTER_SID PAC buffer type
       via  f905fd741ee CVE-2020-25719 krb5pac.idl: Add PAC_ATTRIBUTES_INFO PAC buffer type
       via  bf5604a7c2a CVE-2020-25718 tests/krb5: Fix indentation
       via  0f1da247c15 CVE-2020-25722 selftest: Adapt ldap.py tests to new objectClass restrictions
       via  7667a733dc5 CVE-2020-25722 s4/dsdb/util: remove unused dsdb_get_single_valued_attr()
       via  23cec080d97 CVE-2020-25722 s4/dsdb/pwd_hash: rework pwdLastSet bypass
       via  719aa3b4db4 CVE-2020-25722 s4/dsdb/pwd_hash: password_hash_bypass gets all values
       via  94b664eb005 CVE-2020-25722 s4/dsdb/samldb: samldb_fsmo_role_owner_check() wants one value
       via  b4e64757026 CVE-2020-25722 s4/dsdb/samldb: samldb_fsmo_role_owner_check checks values
       via  f17e8513af6 CVE-2020-25722 s4/dsdb/samldb: samldb_service_principal_names_change checks values
       via  a26806cf012 CVE-2020-25722 s4/dsdb/samldb: samldb_group_type_change() checks all values
       via  b30b3bb860b CVE-2020-25722 s4/dsdb/samldb: samldb_lockout_time() checks all values
       via  1b46410403d CVE-2020-25722 s4/dsdb/samldb: samldb_pwd_last_set_change() checks all values
       via  c462c86295f CVE-2020-25722 s4/dsdb/samldb _user_account_control_change() always add final value
       via  56fe97474f4 CVE-2020-25722 s4/dsdb/samldb: samldb_user_account_control_change() checks all values
       via  d9e5807119b CVE-2020-25722 s4/dsdb/samldb: samldb_prim_group_change() checks all values
       via  41a8d6961b8 CVE-2020-25722 s4/dsdb/samldb: samldb_schema_add_handle_mapiid() checks all values
       via  8cb45a7d4e9 CVE-2020-25722 s4/dsdb/samldb: samldb_schema_add_handle_linkid() checks all values
       via  d03c9afc0e7 CVE-2020-25722 s4/dsdb/samldb: samldb_sam_accountname_valid_check() check all values
       via  85d0e85e9d1 CVE-2020-25722 s4/dsdb/samldb: samldb_get_single_valued_attr() check all values
       via  775a0e4406e CVE-2020-25722 s4/dsdb modules: add dsdb_get_expected_new_values()
       via  ddde2b45c2e CVE-2020-25722 s4/dsdb/samldb: reject SPN with too few/many components
       via  32a46d01bb8 CVE-2020-25722 s4/dsdb/samldb: check for SPN uniqueness, including aliases
       via  faa133886d6 CVE-2020-25722 s4/dsdb/samldb: check sAMAccountName for illegal characters
       via  9255c680800 CVE-2020-25722 s4/dsdb/samldb: check for clashes in UPNs/samaccountnames
       via  28bee539115 CVE-2020-25722 s4/dsdb/samldb: unique_attr_check uses samldb_get_single_valued_attr()
       via  4474022b37c CVE-2020-25722 s4/dsdb/samldb: add samldb_get_single_valued_attr() helper
       via  9c150303545 CVE-2020-25722 s4/cracknames: add comment pointing to samldb spn handling
       via  2cf8ccfbce4 CVE-2020-25722 pytest: test setting servicePrincipalName over ldap
       via  13576d8f281 CVE-2020-25722 pytest: test sAMAccountName/userPrincipalName over ldap
       via  d3298ec2f66 CVE-2020-25722 blackbox/upgrades tests: ignore SPN for ldapcmp
       via  6af91c59d86 CVE-2020-25722 s4/provision: add host/ SPNs at the start
       via  1986ab0f5fb CVE-2020-25722 tests: blackbox samba-tool spn non-admin test
       via  b3c42c6e4a4 CVE-2020-25722 samba-tool spn add: remove --force option
       via  119be112383 CVE-2020-25722 samba-tool spn: accept -H for database url
       via  7705aa9a7e2 CVE-2020-25722 s4/cracknames: lookup_spn_alias doesn't need krb5 context
       via  480c5bc4b9e CVE-2020-25722 s4/dsdb/cracknames: always free tmp_ctx in spn_alias
       via  6bf71b18ce5 CVE-2020-25722 pytest: assertRaisesLdbError invents a message if you're lazy
       via  9e25ea36011 CVE-2020-25722 pytests: add reverse lookup dict for LDB error codes
       via  a1b24b76fe0 CVE-2020-25722 Check for all errors from acl_check_extended_right() in acl_check_spn()
       via  79bdc2bf07a CVE-2020-25722 Check all elements in acl_check_spn() not just the first one
       via  85c73dd456a CVE-2020-25722: s4-acl: Make sure Control Access Rights honor the Applies-to attribute
       via  1d80dabb25d CVE-2020-25722: s4-acl: test Control Access Rights honor the Applies-to attribute
       via  908e2e00d73 CVE-2020-25722 s4:dsdb:tests: Add missing self.fail() calls
       via  018ce3e0912 CVE-2020-25722 Add test for SPN deletion followed by addition
       via  255e5c14061 CVE-2020-25717: s3:auth: simplify make_session_info_krb5() by removing unused arguments
       via  c513478908c CVE-2020-25717: s3:auth: simplify get_user_from_kerberos_info() by removing the unused logon_info argument
       via  67ef2899a7d CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() reject a PAC in standalone mode
       via  1d126e4fd9a CVE-2020-25717: selftest: configure 'ktest' env with winbindd and idmap_autorid
       via  558cd30acc6 CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() delegate everything to make_server_info_wbcAuthUserInfo()
       via  9cb158a9a53 CVE-2020-25717: s3:ntlm_auth: let ntlm_auth_generate_session_info_pac() base the name on the PAC LOGON_INFO only
       via  fb5ca61f544 CVE-2020-25717: s3:ntlm_auth: fix memory leaks in ntlm_auth_generate_session_info_pac()
       via  093c5502ab4 CVE-2020-25719 CVE-2020-25717: s4:auth: remove unused auth_generate_session_info_principal()
       via  7b9920b382a CVE-2020-25719 CVE-2020-25717: auth/gensec: always require a PAC in domain mode (DC or member)
       via  e4172baf122 CVE-2020-25717: Add FreeIPA domain controller role
       via  3efb9d684d9 CVE-2020-25717: s3:auth: don't let create_local_token depend on !winbind_ping()
       via  58a1cc488ce CVE-2020-25717: s3:lib: add lp_allow_trusted_domains() logic to is_allowed_domain()
       via  39b060eeea6 CVE-2020-25717: s3:auth: remove fallbacks in smb_getpwnam()
       via  651b74b12b9 CVE-2020-25717: s3:auth: no longer let check_account() autocreate local users
       via  e40a1d46831 CVE-2020-25717: s3:auth: we should not try to autocreate the guest account
       via  325942e4e78 CVE-2020-25717: s3:auth: Check minimum domain uid
       via  1ec930b2f58 CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() forward the low level errors
       via  210b3e36f76 CVE-2020-25717: selftest: Add a test for the new 'min domain uid' parameter
       via  a92da791615 CVE-2020-25717: selftest: Add ad_member_no_nss_wb environment
       via  c1bf56f3146 CVE-2020-25717: loadparm: Add new parameter "min domain uid"
       via  a65cd59b200 CVE-2020-25717: auth/ntlmssp: start with authoritative = 1
       via  ae211528094 CVE-2020-25717: s3:auth: start with authoritative = 1
       via  dd88bd9f273 CVE-2020-25717: s3:rpcclient: start with authoritative = 1
       via  c55de3995cf CVE-2020-25717: s3:torture: start with authoritative = 1
       via  3657c79eb2d CVE-2020-25717: s3:ntlm_auth: start with authoritative = 1
       via  c955376e02c CVE-2020-25717: s4:auth_simple: start with authoritative = 1
       via  2d5d5a39b0d CVE-2020-25717: s4:smb_server: start with authoritative = 1
       via  25d2174dd1b CVE-2020-25717: s4:torture: start with authoritative = 1
       via  eddf0a5c6fa CVE-2020-25717: s4:auth/ntlm: make sure auth_check_password() defaults to r->out.authoritative = true
       via  ff062e2b0ae CVE-2020-25717: s3:winbindd: make sure we default to r->out.authoritative = true
       via  56ace59efee CVE-2020-25719 CVE-2020-25717 tests/krb5: Adapt tests for connecting without a PAC to new error codes
       via  e44195b765a CVE-2020-25719 CVE-2020-25717: selftest: remove "gensec:require_pac" settings
       via  af86793af77 CVE-2020-25719 CVE-2020-25717 tests/krb5: Add tests for connecting to services anonymously and without a PAC
       via  596841810d7 CVE-2020-25721 tests/krb5: Add tests for extended PAC_UPN_DNS_INFO PAC buffer
       via  9368a1c1a4f CVE-2020-25719 tests/krb5: Add tests for including authdata without a PAC
       via  0cddce8d38f CVE-2020-25718 tests/krb5: Add tests for RODC-printed and invalid TGTs
       via  7cd1e133b67 CVE-2020-25719 tests/krb5: Add principal aliasing test
       via  421edd0e14f CVE-2020-25719 tests/krb5: Add a test for making an S4U2Self request without a PAC
       via  4ad04eb040a CVE-2020-25719 tests/krb5: Add tests for requiring and issuing a PAC
       via  a98a756a689 CVE-2020-25721 ndrdump: Add tests for PAC with UPN_DNS_INFO
       via  e67379d4c45 CVE-2020-25722 tests/krb5: Add KDC tests for 3-part SPNs
       via  04d515933b2 CVE-2020-25719 CVE-2020-25717 tests/krb5: Allow create_ccache_with_user() to return a ticket without a PAC
       via  b93b9b41b9e CVE-2020-25719 CVE-2020-25717 tests/krb5: Refactor create_ccache_with_user() to take credentials of target service
       via  f11063bc77d CVE-2020-25721 tests/krb5: Check PAC buffer types when STRICT_CHECKING=0
       via  b11b347b1ba MS CVE-2020-17049 tests/krb5: Allow tests to pass if ticket signature checksum type is wrong
       via  b69f1a758b2 CVE-2020-25719 tests/krb5: Add method to get unique username for test accounts
       via  317b66d00d0 CVE-2020-25719 tests/krb5: Add is_tgt() helper method
       via  fe2be397ced CVE-2020-25722 tests/krb5: Allow creating server accounts
       via  67b2e0d51a2 CVE-2020-25719 CVE-2020-25717 tests/krb5: Add pac_request parameter to get_service_ticket()
       via  ac294d9c65d CVE-2020-25719 CVE-2020-25717 tests/krb5: Modify get_service_ticket() to use _generic_kdc_exchange()
       via  83b398309f4 CVE-2020-25718 tests/krb5: Allow tests accounts to replicate to RODC
       via  e670327b5ee CVE-2020-25721 krb5pac: Add new buffers for samAccountName and objectSID
       via  cb6b4a62355 CVE-2020-25722 selftest/user_account_control: more work to cope with UAC/objectclass defaults and lock
       via  3133699e969 CVE-2020-25722 selftest/user_account_control: Allow a broader set of possible errors
       via  90527174c8e CVE-2020-25722 selftest: Allow self.assertRaisesLdbError() to take a list of errors to match with
       via  2bddfc41a4f CVE-2020-25722 selftest: adapt ldap.py/sam.py test_all tests to new default computer behaviour
       via  fded7b17bcd CVE-2020-25722 selftest: Adapt sam.py test to userAccountControl/objectclass restrictions
       via  0370d2170a4 CVE-2020-25722 selftest: New objects of objectclass=computer are workstations by default now
       via  5ab802bd662 CVE-2020-25722 selftest: Adjust sam.py test_userAccountControl_computer_add_trust to new reality
       via  b455e819d38 CVE-2020-25722 selftest: Split test_userAccountControl into unit tests
       via  7211afa9a5c CVE-2020-25722 samdb: Fill in isCriticalSystemObject on any account type change
       via  2812b7cc0e4 CVE-2020-25722 selftest: Adapt sam.py test_isCriticalSystemObject to new UF_WORKSTATION_TRUST_ACCOUNT default
       via  73468f3f4a1 CVE-2020-25722 dsdb: Add restrictions on computer accounts without a trailing $
       via  d396fcadc19 CVE-2020-25722 dsdb: samldb_objectclass_trigger() is only called on ADD, so remove indentation
       via  a228f45f63e CVE-2020-25722 selftest: Adapt selftest to restriction on swapping account types
       via  e353a62513a CVE-2020-25722 selftest/priv_attrs: Mention that these knownfails are OK (for now)
       via  cc64ec21039 CVE-2020-25722 dsdb: Prohibit mismatch between UF_ account types and objectclass.
       via  a72cec41c21 CVE-2020-25722 dsdb: Add tests for modifying objectClass, userAccountControl and sAMAccountName
       via  758c422c11e CVE-2020-25722 dsdb: Improve privileged and unprivileged tests for objectclass/doller/UAC
       via  4868385d45b CVE-2020-25722 dsdb: objectclass computer becomes UF_WORKSTATION_TRUST by default
       via  a6048aaae63 CVE-2020-25722 selftest: Catch errors from samdb.modify() in user_account_control tests
       via  cf5a3ebaf00 CVE-2020-25722 selftest: Catch possible errors in PasswordSettingsTestCase.test_pso_none_applied()
       via  b999e14700d CVE-2020-25722 selftest: allow for future failures in BindTests.test_virtual_email_account_style_bind
       via  df525689abc CVE-2020-25722 selftest: Test combinations of account type and objectclass for creating a user
       via  53de95a1f6a CVE-2020-25722 selftest: Extend priv_attrs test - work around UF_NORMAL_ACCOUNT rules on Windows 2019 (requires |UF_PASSWD_NOTREQD or a password) - extend to also cover the sensitive UF_TRUSTED_FOR_DELEGATION
       via  07aef1e648d CVE-2020-25722 dsdb: Restrict the setting of privileged attributes during LDAP add/modify
       via  b02578014f7 CVE-2020-25722 dsdb: Move krbtgt password setup after the point of checking if any passwords are changed
       via  65973d2efd4 CVE-2020-25722 dsdb: Tests for our known set of privileged attributes
       via  85e3788d829 CVE-2020-17049 tests/krb5: Check account name and SID in PAC for S4U tests
       via  6807b81f40b CVE-2020-25722 selftest: Use self.assertRaisesLdbError() in user_account_control.py test
       via  6f20d53279d CVE-2020-25722 selftest: Update user_account_control tests to pass against Windows 2019
       via  ce8fbffd3a1 CVE-2020-25722 selftest: Replace internal loop in test_uac_bits_set() using @DynamicTestClass
       via  f970d8b549d CVE-2020-25722 selftest: Replace internal loop in test_uac_bits_add() using @DynamicTestClass
       via  5719cddc268 CVE-2020-25722 selftest: Use @DynamicTestCase in user_account_control test_uac_bits_unrelated_modify()
       via  7d3a0e08c48 CVE-2020-25722 pydsdb: Add API to return strings of known UF_ flags
       via  a8578a41263 CVE-2020-25722 selftest: Use addCleanup rather than tearDown in user_account_control.py
       via  1a0630b9bc7 CVE-2020-25722 selftest: Modernise user_account_control.py tests use a common self.OU
       via  8292a799180 CVE-2020-25722 selftest: Move self.assertRaisesLdbError() to samba.tests.TestCase
       via  19f0172708e VERSION: Bump version up to Samba 4.15.2...
      from  5850ae94ba6 VERSION: Disable GIT_SNAPSHOT for the 4.15.1 release.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-15-stable


- Log -----------------------------------------------------------------
commit 7d0c030d4233974c4b9463dad44efdb05e6186f1
Author: Jule Anger <janger at samba.org>
Date:   Mon Nov 8 12:18:34 2021 +0100

    VERSION: Disable GIT_SNAPSHOT for the 4.15.2 release.
    
    Signed-off-by: Jule Anger <janger at samba.org>
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Signed-off-by: Karolin Seeger <kseeger at samba.org>

commit 35c66c504621d620fcb338e0cbd747ff63c0efa8
Author: Jule Anger <janger at samba.org>
Date:   Mon Nov 8 11:29:29 2021 +0100

    WHATSNEW: Add release notes for Samba 4.15.2.
    
    Signed-off-by: Jule Anger <janger at samba.org>
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Signed-off-by: Karolin Seeger <kseeger at samba.org>

commit a87d07ccc56cfbd2ae3c061a9ce589838e8c4e90
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Aug 5 14:24:40 2021 +0200

    CVE-2021-3738 s4:rpc_server/samr: make use of dcesrv_samdb_connect_as_*() helper
    
    This avoids a crash that's triggered by Windows clients using
    handles from samr_Connect*() across multiple connections within
    an association group.
    
    In other cases it is not strictly required, but it makes it easier to audit that
    source4/rpc_server no longer calls samdb_connect() directly and also
    improves the auditing for the dcesrv_samdb_connect_as_system() case.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 0b52f103889b3673e75ec7cd25356a3bf6267595
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Aug 5 15:09:04 2021 +0200

    CVE-2021-3738 s4:rpc_server/netlogon: make use of dcesrv_samdb_connect_as_*() helper
    
    This is not strictly required, but it makes it easier to audit that
    source4/rpc_server no longer calls samdb_connect() directly and
    also improves auditing for the dcesrv_samdb_connect_as_system() case.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 952ab2b82cd38969f7131721b3b7f542a65067dd
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Aug 5 14:24:25 2021 +0200

    CVE-2021-3738 s4:rpc_server/lsa: make use of dcesrv_samdb_connect_as_user() helper
    
    This avoids a crash that's triggered by Windows clients using
    handles from OpenPolicy[2]() across multiple connections within
    an association group.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit dbddd1cbcb169720c65a755ecf077d3727d63bb4
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Aug 5 14:22:47 2021 +0200

    CVE-2021-3738 s4:rpc_server/dnsserver: make use of dcesrv_samdb_connect_as_user() helper
    
    This is not strictly required, but it makes it easier to audit that
    source4/rpc_server no longer calls samdb_connect() directly.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 091dd0fd5d7affe549b7c76c8209a2b8ea5b26e0
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Aug 5 13:31:29 2021 +0200

    CVE-2021-3738 s4:rpc_server/drsuapi: make use of assoc_group aware dcesrv_samdb_connect_as_*() helpers
    
    This avoids a crash that's triggered by Windows clients using
    DsCrackNames across multiple connections within an association group
    on the same DsBind context (policy) handle.
    
    It also improves the auditing for the dcesrv_samdb_connect_as_system() case.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 3b767f29f4c18b5d0da43a697712222444fcc3b3
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Aug 5 14:22:32 2021 +0200

    CVE-2021-3738 s4:rpc_server/common: provide assoc_group aware dcesrv_samdb_connect_as_{system,user}() helpers
    
    We already had dcesrv_samdb_connect_as_system(), but it uses the per
    connection memory of auth_session_info and remote_address.
    
    But in order to use the samdb connection on a per association group
    context/policy handle, we need to make copies, which last for the
    whole lifetime of the 'samdb' context.
    
    We need the same logic also for all cases where we make use of
    almost the same logic to create a samdb context
    on behalf of the authenticated user (without allowing system access),
    so we introduce dcesrv_samdb_connect_as_user().
    
    In the end we need to replace all direct callers to samdb_connect()
    from source4/rpc_server.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 462d635966e7eb87269d637b381ea43fa06fe49c
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Aug 5 13:30:41 2021 +0200

    CVE-2021-3738 auth_util: avoid talloc_tos() in copy_session_info()
    
    We want to use this also in code without an existing
    stackframe.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 129b3694a18feca4fcba5a5acbf0e6b201e928d5
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Aug 5 11:26:16 2021 +0200

    CVE-2021-3738 s4:torture/drsuapi: DsBindAssocGroup* tests
    
    This adds a reproducer for an invalid memory access, when
    using the context handle from DsBind across multiple connections
    within an association group.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 6f971523a715822834a3152d1705b8afc0cc9a0d
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Aug 5 10:34:06 2021 +0200

    CVE-2021-3738 s4:torture/drsuapi: maintain priv->admin_credentials
    
    This will be used in the next commits.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 67b43eadd2bd78c4bc60eda75d5d4d5851e9afc1
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Aug 5 09:58:37 2021 +0200

    CVE-2021-3738 s4:torture/drsuapi: maintain priv->dc_credentials
    
    We want to use the credentials of the joined dc account
    in future tests.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 4c59866c08e73532bd6aeb7374f83a98974de1cd
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Aug 5 11:24:26 2021 +0200

    CVE-2021-3738 s4:torture/drsuapi: don't pass DsPrivate to test_DsBind()
    
    This will make it easier to reuse.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 670abaacb5217720bf60f5cc78c9ab0f6ee21512
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Oct 27 10:40:28 2016 +0200

    CVE-2016-2124: s3:libsmb: don't fallback to non spnego authentication if we require kerberos
    
    We should not send NTLM[v2] nor plaintext data on the wire if the user
    asked for kerberos only.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12444
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>

commit ecfa1fb325460e99885d320ff4501cf685585743
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Nov 24 09:12:59 2016 +0100

    CVE-2016-2124: s4:libcli/sesssetup: don't fallback to non spnego authentication if we require kerberos
    
    We should not send NTLM[v2] data on the wire if the user asked for kerberos
    only.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12444
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>

commit c59c8abb94d9ddd5f0b31e882fb2d32349ff7450
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Nov 16 14:15:06 2020 +0100

    CVE-2021-23192: dcesrv_core: only the first fragment specifies the auth_contexts
    
    All other fragments blindly inherit it.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Samuel Cabrero <scabrero at samba.org>

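The CVE-2021-23192 commit above states the rule for fragmented DCERPC requests: only the first fragment specifies the auth context, and every later fragment inherits it. The following is an added illustration of that rule, not Samba's dcesrv_core code. It models just the header fields that matter (call_id, pfc_flags, stub data and an optional auth trailer), uses the PFC_FIRST_FRAG/PFC_LAST_FRAG flag values and auth_type/auth_level numbers from MS-RPCE, and contrasts a dispatcher that takes the security context from whichever fragment completes the request with a reassembler that fixes the context at the first fragment and faults any later fragment whose trailer disagrees. Faulting on a mismatch is this example's policy; the commit message does not describe the project's handling in that detail.

```python
# Added example, not Samba's dcesrv_core: a minimal DCERPC request reassembler
# that binds a multi-fragment request to the auth context of its FIRST fragment.
# Only the header fields needed for the point are modelled.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PFC_FIRST_FRAG = 0x01
PFC_LAST_FRAG = 0x02

RPC_C_AUTHN_GSS_NEGOTIATE = 9        # SPNEGO
RPC_C_AUTHN_WINNT = 10               # NTLMSSP
RPC_C_AUTHN_LEVEL_CONNECT = 2
RPC_C_AUTHN_LEVEL_PKT_PRIVACY = 6


@dataclass(frozen=True)
class AuthContext:
    auth_type: int
    auth_level: int
    context_id: int   # selects a security context established at bind/alter_context


@dataclass(frozen=True)
class RequestFragment:
    call_id: int
    pfc_flags: int
    stub_data: bytes
    auth: Optional[AuthContext]   # None: no auth trailer on this PDU


class DcerpcFault(Exception):
    pass


def request_context_vulnerable(frags: List[RequestFragment]) -> Optional[AuthContext]:
    """Bug shape: the context is taken from the fragment that completes the
    request, so a caller can start a request under one security context and
    finish it under another."""
    return frags[-1].auth


class Reassembler:
    """Fixed shape: the first fragment fixes the context for its call_id; later
    fragments inherit it and are faulted if their own trailer disagrees."""

    def __init__(self) -> None:
        self._pending: Dict[int, Tuple[Optional[AuthContext], bytearray]] = {}

    def feed(self, frag: RequestFragment) -> Optional[Tuple[Optional[AuthContext], bytes]]:
        first = bool(frag.pfc_flags & PFC_FIRST_FRAG)
        last = bool(frag.pfc_flags & PFC_LAST_FRAG)
        if first:
            if frag.call_id in self._pending:
                raise DcerpcFault("duplicate first fragment for call_id %d" % frag.call_id)
            self._pending[frag.call_id] = (frag.auth, bytearray(frag.stub_data))
        else:
            if frag.call_id not in self._pending:
                raise DcerpcFault("continuation fragment without a first fragment")
            ctx, buf = self._pending[frag.call_id]
            if frag.auth != ctx:
                # Context switch mid-request: drop the call and fault the caller.
                del self._pending[frag.call_id]
                raise DcerpcFault("auth context changed within call_id %d" % frag.call_id)
            buf.extend(frag.stub_data)
        if last:
            ctx, buf = self._pending.pop(frag.call_id)
            return ctx, bytes(buf)
        return None


def reassemble(frags: List[RequestFragment]) -> Tuple[Optional[AuthContext], bytes]:
    """Feed fragments in arrival order; return (context, stub) once complete."""
    r = Reassembler()
    for frag in frags:
        done = r.feed(frag)
        if done is not None:
            return done
    raise DcerpcFault("request never completed (missing LAST_FRAG)")


def faults(frags: List[RequestFragment]) -> bool:
    try:
        reassemble(frags)
    except DcerpcFault:
        return True
    return False


# Constructed samples: a request that begins under a CONNECT-level NTLM context
# and tries to finish under a different context id, and an honest one.
LOW_CTX = AuthContext(RPC_C_AUTHN_WINNT, RPC_C_AUTHN_LEVEL_CONNECT, context_id=1)
OTHER_CTX = AuthContext(RPC_C_AUTHN_GSS_NEGOTIATE, RPC_C_AUTHN_LEVEL_PKT_PRIVACY, context_id=2)
SAMPLE_SWITCHING_REQUEST = [
    RequestFragment(7, PFC_FIRST_FRAG, b"part1-", LOW_CTX),
    RequestFragment(7, PFC_LAST_FRAG, b"part2", OTHER_CTX),
]
SAMPLE_HONEST_REQUEST = [
    RequestFragment(8, PFC_FIRST_FRAG, b"part1-", LOW_CTX),
    RequestFragment(8, 0, b"part2-", LOW_CTX),
    RequestFragment(8, PFC_LAST_FRAG, b"part3", LOW_CTX),
]
```

The state that matters is keyed by call_id and created only on a PFC_FIRST_FRAG PDU; everything about the request's security context is decided there, and a continuation fragment can add stub bytes but cannot change who the request runs as.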
commit aaba2e8b0e48125549eb0399c8d3285ca21faf53
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Nov 17 18:14:46 2020 +0100

    CVE-2021-23192: python/tests/dcerpc: add tests to check how security contexts relate to fragmented requests
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Samuel Cabrero <scabrero at samba.org>

commit 0b2ab8bc2551a73390a80ed77dfab7fb8c66acdf
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Nov 17 17:43:06 2020 +0100

    CVE-2021-23192: python/tests/dcerpc: fix do_single_request(send_req=False)
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Samuel Cabrero <scabrero at samba.org>

commit 016be9b15ecd79d2b35c4e27d346f7dd218bac4a
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Nov 17 09:50:58 2020 +0100

    CVE-2021-23192: python/tests/dcerpc: let generate_request_auth() use g_auth_level in all places
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Samuel Cabrero <scabrero at samba.org>

commit 096405b778ec639508e8c2efe8c701bb72d663c4
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Nov 11 16:59:06 2020 +0100

    CVE-2021-23192: python/tests/dcerpc: change assertNotEquals() into assertNotEqual()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Samuel Cabrero <scabrero at samba.org>

commit 9ab57ce2e2344ee379cf961dd3af5567e0f1f8de
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Nov 13 11:27:19 2020 +0100

    CVE-2021-23192: dcesrv_core: add dcesrv_fault_disconnect0() that skips DCERPC_PFC_FLAG_DID_NOT_EXECUTE
    
    That makes the callers much simpler and allow better debugging.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Samuel Cabrero <scabrero at samba.org>

commit 09ae69e60cd4db3ceb779d4480985ab3899746f3
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Nov 13 11:25:41 2020 +0100

    CVE-2021-23192: dcesrv_core: add better debugging to dcesrv_fault_disconnect()
    
    It's better to see the location that triggered the fault.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Samuel Cabrero <scabrero at samba.org>

commit 1d1097f08c78409a085516e44c395430ceefff6d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Nov 2 21:00:00 2021 +1300

    CVE-2020-25722 selftest: Ensure check for duplicate servicePrincipalNames is not bypassed for an add operation
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
    
    If one of the objectClass checks passed, samldb_add() could return
    through one of the samldb_fill_*() functions and skip the
    servicePrincipalName uniqueness checking.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>

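The commit above describes how an add operation could bypass the servicePrincipalName uniqueness check: a class-specific samldb_fill_*() path returned before the check ran. The following is an added illustration of that control-flow bug and its fix, not Samba's samldb module; the in-memory directory, the fill routines and the sample entries are constructed for the example. A duplicate SPN matters here because a Kerberos service ticket for that name may then be issued against the wrong account's key, which is the family of problems the CVE-2020-25722 subjects on this page are about.

```python
# Added example, not Samba's samldb module: an LDAP "add" handler in the shape
# the commit describes (per-objectClass fill routines returning early and
# skipping the servicePrincipalName uniqueness check) beside the fixed order.
from typing import Dict, List, Optional

Entry = Dict[str, List[str]]
Directory = Dict[str, Entry]     # dn -> attributes (constructed, in memory)


class ConstraintViolation(Exception):
    pass


def conflicting_spn(directory: Directory, attrs: Entry) -> Optional[str]:
    """Return the first SPN in `attrs` already held by another object, else
    None. SPNs are compared case-insensitively, as AD does."""
    held = {}
    for dn, entry in directory.items():
        for spn in entry.get("servicePrincipalName", []):
            held[spn.lower()] = dn
    for spn in attrs.get("servicePrincipalName", []):
        if spn.lower() in held:
            return spn
    return None


def _check_spn(directory: Directory, attrs: Entry) -> None:
    dup = conflicting_spn(directory, attrs)
    if dup is not None:
        raise ConstraintViolation("servicePrincipalName %r already exists" % dup)


def _fill_computer(directory: Directory, dn: str, attrs: Entry) -> str:
    attrs = dict(attrs)
    rdn_value = dn.split(",")[0].split("=", 1)[1]
    attrs.setdefault("sAMAccountName", [rdn_value + "$"])
    directory[dn] = attrs
    return "computer"


def _fill_user(directory: Directory, dn: str, attrs: Entry) -> str:
    directory[dn] = dict(attrs)
    return "user"


def add_vulnerable(directory: Directory, dn: str, attrs: Entry) -> str:
    classes = {c.lower() for c in attrs.get("objectClass", [])}
    # Class-specific handling returns straight away ...
    if "computer" in classes:
        return _fill_computer(directory, dn, attrs)
    if "user" in classes:
        return _fill_user(directory, dn, attrs)
    # ... so only objects of other classes ever reach the uniqueness check.
    _check_spn(directory, attrs)
    directory[dn] = dict(attrs)
    return "other"


def add_fixed(directory: Directory, dn: str, attrs: Entry) -> str:
    # Uniqueness is enforced before any class-specific path can return.
    _check_spn(directory, attrs)
    classes = {c.lower() for c in attrs.get("objectClass", [])}
    if "computer" in classes:
        return _fill_computer(directory, dn, attrs)
    if "user" in classes:
        return _fill_user(directory, dn, attrs)
    directory[dn] = dict(attrs)
    return "other"


def make_directory() -> Directory:
    # Constructed: the DC already owns HOST/dc1.example.com.
    return {
        "CN=DC1,OU=Domain Controllers,DC=example,DC=com": {
            "objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
            "sAMAccountName": ["DC1$"],
            "servicePrincipalName": ["HOST/dc1.example.com", "HOST/DC1"],
        }
    }


# Constructed: a new computer object claiming the DC's SPN in different case.
ROGUE_COMPUTER: Entry = {
    "objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
    "servicePrincipalName": ["host/DC1.EXAMPLE.COM"],
}


def rogue_add_accepted(add_fn) -> bool:
    """True if `add_fn` lets the rogue computer in with the duplicate SPN."""
    d = make_directory()
    try:
        add_fn(d, "CN=rogue,CN=Computers,DC=example,DC=com", ROGUE_COMPUTER)
    except ConstraintViolation:
        return False
    return True
```

The fix is an ordering change only: the uniqueness check moves ahead of the dispatch on objectClass, so no early return can skip it. A regression test of the kind the commit adds is exactly rogue_add_accepted() run against the add path with a computer object.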
commit ef2edd3f1783196e49ae3266ca392cb76d7b3bc2
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Nov 2 21:21:17 2021 +1300

    CVE-2020-25722 selftest: Add test for duplicate servicePrincipalNames on an add operation
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>

commit 6ceab83249bf448f2555ea187f2b5c195ba84c93
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Nov 2 14:11:27 2021 +0100

    CVE-2020-25722 pytests: Give computer accounts unique (and valid) sAMAccountNames and SPNs
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>

commit ba272db51634a214466faf0e69724fb6ac25e2a9
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Nov 2 14:02:14 2021 +1300

    CVE-2020-25719 selftest: Always expect a PAC in TGS replies with Heimdal
    
    This is tested in other places already, but this ensures a global
    check that a TGS-REP has a PAC, regardless.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>

commit 98f7ce8d28c1fe8fae512231f119b618a93a8af0
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Nov 2 14:52:22 2021 +1300

    Revert "CVE-2020-25719 heimdal:kdc: Require authdata to be present"
    
    This reverts an earlier commit that was incorrect.
    
    It is not Samba practice to include a revert, but at this point in
    the patch preparation the ripple through the knownfail files is
    more trouble than can be justified.
    
    It is not correct to refuse to parse all tickets with no authorization
    data, only for the KDC to require that a PAC is found, which is done
    in "heimdal:kdc: Require PAC to be present"
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>

commit 319554fe6c687a2d2dfa6dd0ef9b7fb5f78ac8eb
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Oct 29 15:53:33 2021 +1300

    CVE-2020-25718 heimdal:kdc: Add comment about tests for tickets of users not revealed to an RODC
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14886
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 637991c7ebf98aca180cad407b96c45189d94cbc
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Oct 29 15:07:07 2021 +1300

    CVE-2020-25719 tests/krb5: Add tests for using a ticket with a renamed account
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 390b5e77dc5c90f3ed78e5696daeb2e0969f70ad
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Oct 29 15:43:28 2021 +1300

    CVE-2020-25718 tests/krb5: Only fetch RODC account credentials when necessary
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit d0228a228cc4e04623288156fae45cc896a2e808
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Oct 29 14:35:52 2021 +1300

    CVE-2020-25719 heimdal:kdc: Require PAC to be present
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14686
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit ea38fae96eadeab68ca2e0b0f2e1a3e8c09a50b7
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Oct 4 15:18:34 2021 +1300

    CVE-2020-25722 kdc: Do not honour a request for a 3-part SPN (ending in our domain/realm) unless a DC
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14776
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>

commit 11491b1462ebe27768a292013af3168b9528941e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Oct 27 15:52:06 2021 +1300

    CVE-2020-25719 heimdal:kdc: Verify PAC in TGT provided for user-to-user authentication
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit d6f3ad0b0ba58b0a35c43ffef405af766d4f114f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Oct 27 15:51:58 2021 +1300

    CVE-2020-25719 heimdal:kdc: Check name in request against name in user-to-user TGT
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit b6d1606f6fcd2f6b1cf7b06430abea43c3ac863a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Oct 27 13:50:03 2021 +1300

    CVE-2020-25719 heimdal:kdc: Use sname from request rather than user-to-user TGT client name
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit c3b0b6cd7d20e7b1b2a921c7927ca48accb43427
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Oct 26 20:34:44 2021 +1300

    CVE-2020-25719 heimdal:kdc: Move fetching krbtgt entry to before enctype selection
    
    This allows us to use it when validating user-to-user.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit ce38d6b37c9a961343234cead81612f5f2ad579e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Oct 27 13:53:25 2021 +1300

    CVE-2020-25719 heimdal:kdc: Check return code
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 1c6e4577675d6b4fbafc1f868e1d54bedc0fdb7f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Oct 26 20:42:41 2021 +1300

    CVE-2020-25719 s4:kdc: Add KDC support for PAC_REQUESTER_SID PAC buffer
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 8edf19bcf92547cf9981c44a0f512f49e889e8f8
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Oct 20 11:36:58 2021 +1300

    CVE-2020-25722 Ensure the structural objectclass cannot be changed
    
    If the structural objectclass is allowed to change, then the restrictions
    locking an object to remaining a user or computer will not be enforceable.
    
    Likewise other LDAP inheritance rules, which allow only certain
    child objects can be bypassed, which can in turn allow creation of
    (unprivileged) users where only DNS objects were expected.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14889
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>

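The commit above explains why the structural objectClass must be immutable: if it can change, the rules that keep an object a user or a computer, and the inheritance rules that restrict which child objects a parent may contain, can be bypassed. The following is an added illustration of such a check, not Samba's objectclass LDB module. Its miniature schema (superclass links and which classes are structural, abstract or auxiliary) is constructed and covers only the classes used here; a real directory reads these relationships from its schema. The check computes the most-derived structural class before and after a replace of objectClass, refuses a change to it, and still allows auxiliary classes to be added.

```python
# Added example, not Samba's objectclass LDB module: refuse a modify that would
# change an object's structural objectClass. SCHEMA is a constructed miniature
# of the relevant classes: class -> (superclass, is_structural). "top" is
# abstract; securityPrincipal and posixAccount are auxiliary.
from typing import Dict, Iterable, List, Optional, Tuple

SCHEMA: Dict[str, Tuple[Optional[str], bool]] = {
    "top": (None, False),
    "person": ("top", True),
    "organizationalPerson": ("person", True),
    "user": ("organizationalPerson", True),
    "computer": ("user", True),
    "container": ("top", True),
    "dnsNode": ("top", True),
    "securityPrincipal": ("top", False),
    "posixAccount": ("top", False),
}


class ObjectClassViolation(Exception):
    pass


def _ancestors(cls: Optional[str]) -> List[str]:
    chain: List[str] = []
    while cls is not None:
        chain.append(cls)
        cls = SCHEMA[cls][0]
    return chain


def structural_class(object_classes: Iterable[str]) -> str:
    """The most-derived structural class in the set. Unknown classes, a set
    with no structural class, and two unrelated structural chains are errors."""
    classes = list(object_classes)
    for c in classes:
        if c not in SCHEMA:
            raise ObjectClassViolation("unknown objectClass %r" % c)
    structural = [c for c in classes if SCHEMA[c][1]]
    if not structural:
        raise ObjectClassViolation("no structural objectClass")
    # Keep only classes that no other structural class in the set derives from.
    leaves = [c for c in structural
              if not any(o != c and c in _ancestors(o) for o in structural)]
    if len(leaves) != 1:
        raise ObjectClassViolation("more than one structural chain: %r" % leaves)
    return leaves[0]


def apply_objectclass_modify(entry: Dict[str, List[str]],
                             new_object_classes: List[str]) -> Dict[str, List[str]]:
    """Replace-modify of objectClass that refuses a structural change."""
    old = structural_class(entry["objectClass"])
    new = structural_class(new_object_classes)
    if old != new:
        raise ObjectClassViolation(
            "structural objectClass change %s -> %s refused" % (old, new))
    updated = dict(entry)
    updated["objectClass"] = list(new_object_classes)
    return updated


def modify_refused(entry: Dict[str, List[str]], new_object_classes: List[str]) -> bool:
    try:
        apply_objectclass_modify(entry, new_object_classes)
    except ObjectClassViolation:
        return True
    return False


# Constructed sample entries.
SAMPLE_USER = {"objectClass": ["top", "person", "organizationalPerson", "user"],
               "sAMAccountName": ["alice"]}
SAMPLE_DNS_NODE = {"objectClass": ["top", "dnsNode"], "dc": ["www"]}
```

Comparing only the most-derived structural class is what lets the check stay permissive where it should be: adding posixAccount to a user is fine, turning a user into a computer or a dnsNode into a user is not, and a set that mixes two unrelated structural chains is rejected outright rather than being resolved by list order.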
commit 3116befb038f33a9d26de4a17da0e24560c9e462
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Sep 27 12:10:02 2021 +1300

    CVE-2020-25721 auth: Fill in the new HAS_SAM_NAME_AND_SID values
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14835
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>

commit 63ea53393607a94db094ddb4443090bd331c0cd2
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Oct 8 08:29:51 2021 +1300

    CVE-2020-25719 kdc: Avoid races and multiple DB lookups in s4u2self check
    
    Looking up the DB twice is subject to a race and is a poor
    use of resources, so instead just pass in the record we
    already got when trying to confirm that the server in
    S4U2Self is the same as the requesting client.
    
    The client record has already been bound to the
    original client by the SID check in the PAC.
    
    Likewise by looking up server only once we ensure
    that the keys looked up originally are in the record
    we confirm the SID for here.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14686
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>

commit 30e379fc33f2eec78b2ebb8ae3f9cabf251356f3
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Oct 4 12:43:13 2021 +1300

    CVE-2020-25718 kdc: Return ERR_POLICY if RODC krbtgt account is invalid
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 1d26ec8d58a8510a8ef81fcaf366aa417a637142
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Oct 1 16:14:37 2021 +1300

    CVE-2020-25718 kdc: Confirm the RODC was allowed to issue a particular ticket
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>

commit ca37096826008aee797eb806c500e903afd7d2ef
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Oct 1 15:59:28 2021 +1300

    CVE-2020-25718 dsdb: Bring sid_helper.c into common code as rodc_helper.c
    
    These common routines will assist the KDC to do the same access
    checking as the RPC servers need to do regarding which accounts
    an RODC can act with regard to.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>

commit 7a826d91127bc31476dbc8805b0b0c240b3b1ecf
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Oct 1 15:57:41 2021 +1300

    CVE-2020-25718 s4-rpc_server: Add in debug messages into RODC processing
    
    These are added for the uncommon cases.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>

commit 92249e9be1bb2e579ad2f28391c094e9abe970da
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Oct 1 14:31:00 2021 +1300

    CVE-2020-25718 s4-rpc_server: Explain why we use DSDB_SEARCH_SHOW_EXTENDED_DN in RODC access check
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>

commit 24a097d23f4e7129ef0ef46622e4775db5a2b456
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Oct 1 12:29:49 2021 +1300

    CVE-2020-25718 s4-rpc_server: Remove unused attributes in RODC check
    
    In particular the objectGUID is no longer used, and in the NETLOGON case
    the special case for msDS-KrbTgtLink does not apply.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>

commit 83fc8e40f36fe2bb87e645434ef78947d7fe029a
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Oct 1 12:25:30 2021 +1300

    CVE-2020-25718 s4-rpc_server: Provide wrapper samdb_confirm_rodc_allowed_to_repl_to()
    
    This shares the lookup of the tokenGroups attribute.
    
    There will be a new caller that does not want to do this step,
    so this is a wrapper of samdb_confirm_rodc_allowed_to_repl_to_sid_list()
    rather than part of it.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>

commit 0492a73305478604efb60c74c678da1a2df76383
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Oct 1 12:01:12 2021 +1300

    CVE-2020-25718 s4-rpc_server: Confirm that the RODC has the UF_PARTIAL_SECRETS_ACCOUNT bit
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>

commit 1e957cacd0a248ddad07b897058e6494e67de0d4
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Oct 1 11:55:11 2021 +1300

    CVE-2020-25718 s4-rpc_server: Put msDS-KrbTgtLinkBL and UF_INTERDOMAIN_TRUST_ACCOUNT RODC checks in common
    
    While these checks were not in the NETLOGON case, there is no sense where
    an RODC should be resetting a bad password count on either a
    UF_INTERDOMAIN_TRUST_ACCOUNT or an RODC krbtgt account.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>

commit 4a8e087c2522cd7212b0b244df708ad8a1c35695
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Oct 1 11:38:16 2021 +1300

    CVE-2020-25718 s4-rpc_server: Put RODC reveal/never reveal logic into a single helper function
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>

commit 4fa7a448f3b22cdb7ad83bc4c99d41d57770caec
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Oct 1 11:09:48 2021 +1300

    CVE-2020-25718 s4-rpc_server: Obtain the user tokenGroups earlier
    
    This will allow the creation of a common helper routine that
    takes the token SID list (from tokenGroups or struct auth_user_info_dc)
    and returns the allowed/denied result.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>

commit 4d21b4d2050e43b96a605198ce1306ea4f9e0577
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Oct 1 10:47:29 2021 +1300

    CVE-2020-25718 s4-rpc_server: Change sid list functions to operate on a array of struct dom_sid
    
    This is instead of an array of struct dom_sid *.
    
    The reason is that auth_user_info_dc has an array of struct dom_sid
    (the user token) and for checking if an RODC should be allowed
    to print a particular ticket, we want to reuse that rather
    than reconstruct it via tokenGroups.
    
    This also avoids a lot of memory allocation.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>

commit 50a69252454501c163917156c05661d43615b244
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Sep 30 14:55:06 2021 +1300

    CVE-2020-25718 kdc: Remove unused samba_kdc_get_pac_blob()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>

commit 947c922c6845a205b2e77c3d8dbfb54ecec2352d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Oct 18 15:07:58 2021 +1300

    CVE-2020-25719 heimdal:kdc: Require authdata to be present
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14686
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit dc873b2e02b2d58213e93946b60b9a8ea96ee7fb
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Oct 26 20:41:31 2021 +1300

    CVE-2020-25719 s4:kdc: Add KDC support for PAC_ATTRIBUTES_INFO PAC buffer
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 31123d80a1975c6674da937bcc6c7d5fedf8d861
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Aug 9 17:20:31 2021 +0200

    CVE-2020-25719 s4:kdc: Check if the pac is valid before updating it
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 733c2a4a4897a2a4ed0e041518998c8d357472ac
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Aug 9 17:19:45 2021 +0200

    CVE-2020-25719 s4:kdc: Add samba_kdc_validate_pac_blob()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 424109b4eeac22959932c1d0a56b96f6979d1cb3
Author: Andreas Schneider <asn at samba.org>
Date:   Fri Aug 6 12:03:49 2021 +0200

    CVE-2020-25719 s4:kdc: Remove trailing spaces in pac-glue.c
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit aa91e1f82499bb28d1b55c925ef7360ca6595677
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Aug 9 17:25:53 2021 +0200

    CVE-2020-25719 mit_samba: Create the talloc context earlier
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit db5183ed31529badf3c3378fb2df79d5f0ce3409
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Aug 9 17:22:52 2021 +0200

    CVE-2020-25719 mit_samba: The samba_princ_needs_pac check should be on the server entry
    
    This does the same check as the hdb plugin now. The client check is already
    done earlier.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 717960aaa312431b37374c18e1df7f9586947de3
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Jul 12 14:00:19 2021 +0200

    CVE-2020-25719 mit-samba: Rework PAC handling in kdb_samba_db_sign_auth_data()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit e2674a4fbd2a1eb4b7b6930a6017b28518c5c5d8
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Jul 12 13:58:57 2021 +0200

    CVE-2020-25719 mit-samba: Handle no DB entry in mit_samba_get_pac()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit d00fe7a85c3406371cf6bbf7107f68ab5ee8d562
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Jul 12 13:12:00 2021 +0200

    CVE-2020-25719 mit-samba: Add mit_samba_princ_needs_pac()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit a1e75a78a566d6d6f4a611b5b6d76a48c8b14fb8
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Jul 12 11:20:29 2021 +0200

    CVE-2020-25719 mit-samba: If we use client_princ, always lookup the db entry
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit d0a9e4beb0d4be3d492cb51c55ad5d643c09513e
Author: Andreas Schneider <asn at samba.org>
Date:   Wed Jul 14 14:51:34 2021 +0200

    CVE-2020-25719 mit-samba: Add ks_free_principal()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
    
    [abartlet at samba.org As submitted in patch to Samba bugzilla
     to address this issue as https://attachments.samba.org/attachment.cgi?id=16724
     on overall bug https://bugzilla.samba.org/show_bug.cgi?id=14725]
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit f321ccc492bea1622d97b882c8451dce1c6302b7
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Jul 12 12:32:12 2021 +0200

    CVE-2020-25719 mit-samba: Make ks_get_principal() internally public
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit f1f96558cfdbe716d23b24453e4caf932683c755
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Oct 27 19:18:20 2021 +1300

    CVE-2020-25722 pytest: Raise an error when adding a dynamic test that would overwrite an existing test
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit d6a12f8327d2634ff9744bd3dc8ffe67d0ccb873
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Oct 29 11:00:38 2021 +1300

    CVE-2020-25719 s4/torture: Expect additional PAC buffers
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 341560f8b51783b00d3d1b96401f1d1a9e5a4a55
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Oct 26 21:09:32 2021 +1300

    CVE-2020-25719 tests/krb5: Add tests for mismatched names with user-to-user
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 844eca4a0b8773b04300e29c8f1de471a91c2d5c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Oct 26 21:06:58 2021 +1300

    CVE-2020-25719 tests/krb5: Add test for user-to-user with no sname
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit fa875cb32011f779423037ba52ba9fb5abb04374
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Oct 26 21:04:25 2021 +1300

    CVE-2020-25719 tests/krb5: Add tests for requester SID PAC buffer
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit a0485f3a5b29ac049a34323b5db2187fa070d737
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Oct 26 21:19:44 2021 +1300

    CVE-2020-25719 tests/krb5: Add tests for PAC-REQUEST padata
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 4640efa4ee1d6fa505acec9e70d3de12312d484f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Oct 26 21:02:08 2021 +1300

    CVE-2020-25719 tests/krb5: Add tests for PAC attributes buffer
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit b727d380028f7e54b8530dd7cd187a5d3ca0d4f9
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Oct 27 11:18:36 2021 +1300

    CVE-2020-25719 tests/krb5: Add expected parameters to cache key for obtaining tickets
    
    If multiple calls to get_tgt() or get_service_ticket() specify different
    expected parameters, we want to perform the request again so that the
    checking can be performed, rather than reusing a previously obtained
    ticket and potentially skipping checks.
    
    It should be fine to cache tickets with the same expected parameters, as
    tickets that fail to be obtained will not be stored in the cache, so the
    checking will happen for every call.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit de5c2f6b5ca31d88941ffdee6622c4331bedd784
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Oct 26 20:47:24 2021 +1300

    CVE-2020-25719 tests/krb5: Add EXPECT_PAC environment variable to expect pac from all TGS tickets
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 42d82ae938fcffd36558afab97c25528b763ec03
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Oct 26 20:51:13 2021 +1300

    CVE-2020-25719 tests/krb5: Add testing for PAC_TYPE_REQUESTER_SID PAC buffer
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 08b392a6d4914ecf44029ac89b1dab353b7bca6a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Oct 26 20:50:09 2021 +1300

    CVE-2020-25719 tests/krb5: Add testing for PAC_TYPE_ATTRIBUTES_INFO PAC buffer
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 050d05618995ac1f027852a0b71908d5d7258deb
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Oct 27 10:25:08 2021 +1300

    CVE-2020-25719 tests/krb5: Add _modify_tgt() method for modifying already obtained tickets
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit e2ba22581f97171ef170b0b58196f9bb7e8fc801
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Oct 26 21:12:12 2021 +1300

    CVE-2020-25719 tests/krb5: Extend _get_tgt() method to allow more modifications to tickets
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit fa66d8da991f292e8139f51acb54bbf87bdf619c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Oct 26 21:08:34 2021 +1300

    CVE-2020-25719 tests/krb5: Adjust expected error code for S4U2Self no-PAC tests
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 47eb6bbb90a2ae1cdd0b12bb1f9140d226565cf3
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Oct 26 21:20:51 2021 +1300

    CVE-2020-25719 tests/krb5: Adjust expected error codes for user-to-user tests
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 06bbaeae99731fddc03584a88417a9e3c5cfb2c4
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Oct 26 21:15:53 2021 +1300

    CVE-2020-25719 tests/krb5: Adjust PAC tests to prepare for new PAC_ATTRIBUTES_INFO buffer
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 2b037cab8b2602ad4d629196ea36bb1a6f170469
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Oct 26 21:14:45 2021 +1300

    CVE-2020-25719 tests/krb5: Use correct credentials for user-to-user tests
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 62223d11b918a7460500503aaaebe6a764a11d07
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Oct 26 21:05:08 2021 +1300

    CVE-2020-25719 tests/krb5: Return ticket from _tgs_req()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 7eed3eb1be6ba896b1f19efdad86c4c9dcdb21f1
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Oct 26 20:51:46 2021 +1300

    CVE-2020-25719 tests/krb5: Expect 'renew-till' element when renewing a TGT
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 2e977f86d359dd1b6233208041bb1e76b14c864b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Oct 26 20:51:34 2021 +1300

    CVE-2020-25719 tests/krb5: Don't expect a kvno for user-to-user
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 9053b1056eedab207d3b8f717dcceaf3b44db0d7
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Oct 26 20:47:53 2021 +1300

    CVE-2020-25719 tests/krb5: Allow update_pac_checksums=True if the PAC is not present
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 5a5bd1eef351df89fa78ea01e63e884a9ed8c82b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Oct 26 20:44:45 2021 +1300

    CVE-2020-25719 tests/krb5: Provide expected parameters for both AS-REQs in get_tgt()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 8d6c969f566b7b1379d67f02f4772d4ba070f919
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Oct 26 20:33:49 2021 +1300

    CVE-2020-25719 krb5pac.idl: Add PAC_REQUESTER_SID PAC buffer type
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit f905fd741ee15fb34ce02475b2791750bd21e025
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Oct 26 20:33:38 2021 +1300

    CVE-2020-25719 krb5pac.idl: Add PAC_ATTRIBUTES_INFO PAC buffer type
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit bf5604a7c2a028f1f43d254a0ab851a06c01459a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Oct 26 20:56:10 2021 +1300

    CVE-2020-25718 tests/krb5: Fix indentation
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 0f1da247c15bb53af6da36990d95c963ec76e2f4
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Oct 29 12:20:49 2021 +1300

    CVE-2020-25722 selftest: Adapt ldap.py tests to new objectClass restrictions
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 7667a733dc596629c5c41795db475858be256959
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Thu Oct 21 13:49:28 2021 +1300

    CVE-2020-25722 s4/dsdb/util: remove unused dsdb_get_single_valued_attr()
    
    Nobody uses it now. It never really did what it said it did. Almost
    every use was wrong. It was a trap.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 23cec080d976338785c9322dc82be3d43ca982a5
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Wed Oct 20 17:20:54 2021 +1300

    CVE-2020-25722 s4/dsdb/pwd_hash: rework pwdLastSet bypass
    
    This tightens the logic a bit, in that a message with trailing DELETE
    elements is no longer accepted when the bypass flag is set. In any case
    this is an unlikely scenario as this is an internal flag set by a private
    control in pdb_samba_dsdb_replace_by_sam().
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 719aa3b4db423e8d604c8b2cf69a791b039190bd
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Wed Oct 20 17:19:42 2021 +1300

    CVE-2020-25722 s4/dsdb/pwd_hash: password_hash_bypass gets all values
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 94b664eb005ad0bdc914b28968d511a20645fdea
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Thu Oct 21 12:52:07 2021 +1300

    CVE-2020-25722 s4/dsdb/samldb: samldb_fsmo_role_owner_check() wants one value
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit b4e64757026e4758bbc7985c749418bcf1340289
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Wed Oct 20 17:18:21 2021 +1300

    CVE-2020-25722 s4/dsdb/samldb: samldb_fsmo_role_owner_check checks values
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit f17e8513af6a86281d699f90224c5a24483fb349
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Wed Oct 20 17:18:10 2021 +1300

    CVE-2020-25722 s4/dsdb/samldb: samldb_service_principal_names_change checks values
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit a26806cf01283d2fe1bbdceb8f834e61ae68444c
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Wed Oct 20 17:17:50 2021 +1300

    CVE-2020-25722 s4/dsdb/samldb: samldb_group_type_change() checks all values
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit b30b3bb860b9641ba2ae7e0946e131f898c42b0b
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Wed Oct 20 17:17:31 2021 +1300

    CVE-2020-25722 s4/dsdb/samldb: samldb_lockout_time() checks all values
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 1b46410403d6011fc5a059968928932a4e952e6c
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Wed Oct 20 17:16:34 2021 +1300

    CVE-2020-25722 s4/dsdb/samldb: samldb_pwd_last_set_change() checks all values
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit c462c86295fba6ff5f42a97524fe653ef4476ccd
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Wed Oct 20 17:15:43 2021 +1300

    CVE-2020-25722 s4/dsdb/samldb _user_account_control_change() always add final value
    
    dsdb_get_single_valued_attr() was finding the last non-delete element for
    userAccountControl and changing its value to the computed value.
    Unfortunately, the last non-delete element might not be the last element,
    and a subsequent delete might remove it.
    
    Instead we just add a replace on the end.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 56fe97474f4fa6213b76fe92e7d506d11e5bc6ff
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Wed Oct 20 17:15:00 2021 +1300

    CVE-2020-25722 s4/dsdb/samldb: samldb_user_account_control_change() checks all values
    
    There is another call to dsdb_get_expected_new_values() in this function
    that we change in the next commit.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit d9e5807119baa3017fc787ad0e08c1a2e63f6373
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Wed Oct 20 17:14:05 2021 +1300

    CVE-2020-25722 s4/dsdb/samldb: samldb_prim_group_change() checks all values
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 41a8d6961b84c5691c0697253d1e86f9cff07edd
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Wed Oct 20 17:13:35 2021 +1300

    CVE-2020-25722 s4/dsdb/samldb: samldb_schema_add_handle_mapiid() checks all values
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 8cb45a7d4e9dc64194041646680b1ba78bc4f6d0
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Wed Oct 20 17:12:49 2021 +1300

    CVE-2020-25722 s4/dsdb/samldb: samldb_schema_add_handle_linkid() checks all values
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit d03c9afc0e7537053f699ebce663dff1e3dc7364
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Fri Oct 22 14:52:49 2021 +1300

    CVE-2020-25722 s4/dsdb/samldb: samldb_sam_accountname_valid_check() check all values
    
    Using dsdb_get_expected_new_values().
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 85d0e85e9d17c825762ce91979dae12d055cf3d5
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Wed Oct 20 17:10:44 2021 +1300

    CVE-2020-25722 s4/dsdb/samldb: samldb_get_single_valued_attr() check all values
    
    using dsdb_get_expected_new_values().
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 775a0e4406ee4626f966e637c5950e8a8cd1d840
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Wed Oct 20 17:09:21 2021 +1300

    CVE-2020-25722 s4/dsdb modules: add dsdb_get_expected_new_values()
    
    This function collects a superset of all the new values for the specified
    attribute that could result from an ldb add or modify message.
    
    In most cases -- where there is a single add or modify -- the exact set
    of added values is returned, and this is done reasonably efficiently
    using the existing element. Where it gets complicated is when there are
    multiple elements for the same attribute in a message. Anything added
    before a replace or delete will be included in these results but may not
    end up in the database if the message runs its course. Examples:
    
       sequence           result
    1. ADD                the element is returned (exact)
    2. REPLACE            the element is returned (exact)
    3. ADD, ADD           both elements are concatenated together (exact)
    4. ADD, REPLACE       both elements are concatenated together (superset)
    5. REPLACE, ADD       both elements are concatenated together (exact)
    6. ADD, DEL, ADD      adds are concatenated together (superset)
    7. REPLACE, REPLACE   both concatenated (superset)
    8. DEL, ADD           last element is returned (exact)
    
    Why this? In the past we have treated dsdb_get_single_valued_attr() as if
    it returned the complete set of possible database changes, when in fact it
    only returned the last non-delete. That is, it could have missed values
    in examples 3-7 above.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

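
The eight sequences in the table above, worked through in a small Python model. This is an added illustration, not Samba's dsdb code: it models ldb ADD/REPLACE/DELETE element semantics for a single attribute, computes the superset that dsdb_get_expected_new_values() is described as returning, contrasts it with the "last non-delete element" reading that dsdb_get_single_valued_attr() used, and checks which rows come out "(exact)". The pre-existing value "old" and the values "x"/"y" are constructed; the ADD-then-DELETE case at the end is the userAccountControl scenario from the commit further up this log.

```python
# Constructed model of how a multi-element ldb message affects one attribute.
# This is an added illustration, not Samba's dsdb code.
from enum import Enum


class Flag(Enum):
    """The three ldb modify element types."""
    ADD = "add"
    REPLACE = "replace"
    DELETE = "delete"


def expected_new_values(elements):
    """Superset of values the message could leave in the attribute.

    Every value carried by an ADD or REPLACE element is returned in message
    order, which is what the commit message describes for
    dsdb_get_expected_new_values(). Values a later REPLACE or DELETE removes
    are included too, hence "superset".
    """
    out = []
    for flag, values in elements:
        if flag is not Flag.DELETE:
            out.extend(values)
    return out


def last_non_delete_values(elements):
    """The old dsdb_get_single_valued_attr() reading: only the values of the
    last non-DELETE element are considered."""
    for flag, values in reversed(elements):
        if flag is not Flag.DELETE:
            return list(values)
    return []


def apply_message(existing, elements):
    """Values actually stored once the message runs its course: ADD appends,
    REPLACE overwrites, DELETE without values clears the attribute and DELETE
    with values removes just those values."""
    current = list(existing)
    for flag, values in elements:
        if flag is Flag.ADD:
            current.extend(values)
        elif flag is Flag.REPLACE:
            current = list(values)
        elif values:
            current = [v for v in current if v not in values]
        else:
            current = []
    return current


def values_missed_by_old_check(existing, elements):
    """New values that land in the database although a check looking only at
    the last non-DELETE element never saw them."""
    final = apply_message(existing, elements)
    seen = last_non_delete_values(elements)
    return [v for v in final if v not in existing and v not in seen]


def is_exact(elements, existing=("old",)):
    """True for the '(exact)' rows of the table: the superset equals the set
    of values the message really adds."""
    added = {v for v in apply_message(existing, elements) if v not in existing}
    return added == set(expected_new_values(elements))


def superset_covers_final(existing=("old",)):
    """Safety property: every value a sequence stores was in the superset."""
    return all(
        set(apply_message(existing, seq)) - set(existing)
        <= set(expected_new_values(seq))
        for seq in SEQUENCES.values()
    )


# The eight sequences from the commit message, with constructed values.
A, R, D = Flag.ADD, Flag.REPLACE, Flag.DELETE
SEQUENCES = {
    1: [(A, ["x"])],
    2: [(R, ["x"])],
    3: [(A, ["x"]), (A, ["y"])],
    4: [(A, ["x"]), (R, ["y"])],
    5: [(R, ["x"]), (A, ["y"])],
    6: [(A, ["x"]), (D, []), (A, ["y"])],
    7: [(R, ["x"]), (R, ["y"])],
    8: [(D, []), (A, ["y"])],
}
```

Running the eight rows through is_exact() reproduces the "(exact)" labels on rows 1, 2, 3, 5 and 8; rows 3 and 5 are the ones where the old last-element reading lets a value reach the database without ever being checked.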
commit ddde2b45c2ea8a6980527104f20cb3f2d622aaa4
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Fri Oct 22 16:03:18 2021 +1300

    CVE-2020-25722 s4/dsdb/samldb: reject SPN with too few/many components
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 32a46d01bb8def508517c32aacc43fdd8bbe5451
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Fri Oct 22 13:14:32 2021 +1300

    CVE-2020-25722 s4/dsdb/samldb: check for SPN uniqueness, including aliases
    
    Not only should it not be possible to add a servicePrincipalName that
    is already present in the domain, it should not be possible to add one
    that is implied by an entry in sPNMappings, unless the user is adding
    an alias to another SPN and has rights to alter that one.
    
    For example, with the default sPNMappings, cifs/ is an alias pointing to
    host/, meaning if there is no cifs/example.com SPN, the host/example.com
    one will be used instead. A user can add the cifs/example.com SPN only
    if they can also change the host/example.com one (because adding the
    cifs/ effectively changes the host/). The reverse is refused in all cases,
    unless they happen to be on the same object. That is, if there is a
    cifs/example.com SPN, there is no way to add host/example.com elsewhere.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit faa133886d67788bb400446865f4e05ec02d38af
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Fri Oct 22 15:27:25 2021 +1300

    CVE-2020-25722 s4/dsdb/samldb: check sAMAccountName for illegal characters
    
    This is only for the real account name, not the account name implicit in
    a UPN. It doesn't matter if a UPN implies an illegal sAMAccountName,
    since that is not going to conflict with a real one.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 9255c680800d021ba4cf6e89611f53e1e9585219
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Fri Oct 22 13:17:34 2021 +1300

    CVE-2020-25722 s4/dsdb/samldb: check for clashes in UPNs/samaccountnames
    
    We already know duplicate sAMAccountNames and UserPrincipalNames are bad,
    but we also have to check against the values these imply in each other.
    
    For example, imagine users with SAM account names "Alice" and "Bob" in
    the realm "example.com". If they do not have explicit UPNs, by the logic
    of MS-ADTS 5.1.1.1.1 they use the implicit UPNs "alice at example.com" and
    "bob at example.com", respectively. If Bob's UPN gets set to
    "alice at example.com", it will clash with Alice's implicit one.
    
    Therefore we refuse to allow a UPN that implies an existing SAM account
    name and vice versa.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 28bee539115fce7a61dddb65990ffbee7efdd6f1
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Fri Oct 22 13:16:30 2021 +1300

    CVE-2020-25722 s4/dsdb/samldb: unique_attr_check uses samldb_get_single_valued_attr()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 4474022b37c64abc20ee299fc27dadc144e09de7
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Fri Oct 22 14:12:25 2021 +1300

    CVE-2020-25722 s4/dsdb/samldb: add samldb_get_single_valued_attr() helper
    
    This takes a string of logic out of samldb_unique_attr_check() that we
    are going to need in other places, and that would be very tedious to
    repeat.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 9c150303545928a7be31132cc038fd34d1586e34
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Thu Aug 12 21:53:16 2021 +1200

    CVE-2020-25722 s4/cracknames: add comment pointing to samldb spn handling
    
    These need to stay a little bit in sync. The reverse comment is there.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 2cf8ccfbce408ccb9fc4047f97b3eb2c7144349e
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Fri Aug 6 12:03:18 2021 +1200

    CVE-2020-25722 pytest: test setting servicePrincipalName over ldap
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 13576d8f281e746a9798c1871487873d13c95f40
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Mon Sep 13 14:15:09 2021 +1200

    CVE-2020-25722 pytest: test sAMAccountName/userPrincipalName over ldap
    
    Because the sam account name + the dns host name is used as the
    default user principal name, we need to check for collisions between
    these. Fixes are coming in upcoming patches.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit d3298ec2f6627db5f9401d472f1071d50999e14e
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Thu Oct 28 13:07:01 2021 +1300

    CVE-2020-25722 blackbox/upgrades tests: ignore SPN for ldapcmp
    
    We need to have the SPNs there before someone else nabs them, which
    makes the re-provisioned old releases different from the reference
    versions that we keep for this comparison.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 6af91c59d86048a9627c90c95c3607b498b2ebf6
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Thu Oct 28 09:45:36 2021 +1300

    CVE-2020-25722 s4/provision: add host/ SPNs at the start
    
    There are two reasons for this. Firstly, leaving SPNs unclaimed is
    dangerous, as someone else could grab them first. Secondly, in some
    circumstances (self join) we try to add a DNS/ SPN a little bit later
    in provision. Under the rules we are introducing for CVE-2020-25722,
    this will make our later attempts to add HOST/ fail.
    
    This causes a few errors in samba4.blackbox.dbcheck.* tests, which
    assert that revivified old domains match stored reference versions.
    Now they don't, because they have servicePrincipalNames.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 1986ab0f5fbac9fa77288e1f60b3fae541666a42
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Wed Sep 1 18:35:02 2021 +1200

    CVE-2020-25722 tests: blackbox samba-tool spn non-admin test
    
    It is soon going to be impossible to add duplicate SPNs (short of
    going behind DSDB's back on the local filesystem). Our test of adding
    SPNs on non-admin users doubled as the test for adding a duplicate (using
    --force). As --force is gone, we add these tests on Guest after the SPN
    on Administrator is gone.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit b3c42c6e4a4453f4461103f8ef13c9218ce12dd9
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Fri Aug 27 11:36:42 2021 +1200

    CVE-2020-25722 samba-tool spn add: remove --force option
    
    This did not actually *force* the creation of a duplicate SPN, it just
    ignored the client-side check for the existing copy. Soon we are going
    to enforce SPN uniqueness on the server side, and this --force will not
    work. This will make the --force test fail, and if those tests fail, so
    will others that depend on the duplicate values. So we remove those tests.
    
    It is wrong-headed to try to make duplicate SPNs in any case, which is
    probably why there is no sign of anyone ever having used this option.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 119be11238340d576bb3f15c0c8da4c11034902b
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Wed Jul 28 05:38:50 2021 +0000

    CVE-2020-25722 samba-tool spn: accept -H for database url
    
    Following the convention and making testing easier
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 7705aa9a7e2a1becdcdb23b5dc3935227e271fa4
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Tue Aug 10 23:02:36 2021 +0000

    CVE-2020-25722 s4/cracknames: lookup_spn_alias doesn't need krb5 context
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 480c5bc4b9eb8256cf23b9a96b2ebd54a1a7446d
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Wed Aug 11 16:56:07 2021 +1200

    CVE-2020-25722 s4/dsdb/cracknames: always free tmp_ctx in spn_alias
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 6bf71b18ce56558ea29059c200bce42e8707f1c1
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Sun Oct 24 15:18:05 2021 +1300

    CVE-2020-25722 pytest: assertRaisesLdbError invents a message if you're lazy
    
    This makes it easier to convert tests that don't have good messages.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 9e25ea360119b120001d755f60489b82a2b21847
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Mon Oct 4 12:56:42 2021 +1300

    CVE-2020-25722 pytests: add reverse lookup dict for LDB error codes
    
    You can give ldb_err() a number, an LdbError, or a sequence of
    numbers, and it will return the corresponding strings. Examples:
    
    ldb_err(68)       # "LDB_ERR_ENTRY_ALREADY_EXISTS"
    LDB_ERR_LUT[68]   # "LDB_ERR_ENTRY_ALREADY_EXISTS"
    
    expected = (ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS,
                ldb.ERR_INVALID_CREDENTIALS)
    try:
        foo()
    except ldb.LdbError as e:
        self.fail(f"got {ldb_err(e)}, expected one of {ldb_err(expected)}")
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit a1b24b76fe05208552287bced2df043aee7c7717
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Nov 1 17:21:16 2021 +1300

    CVE-2020-25722 Check for all errors from acl_check_extended_right() in acl_check_spn()
    
    We should not fail open on error.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>

commit 79bdc2bf07a8111c0494f5da2725dc245d3bdcaa
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Nov 1 17:19:29 2021 +1300

    CVE-2020-25722 Check all elements in acl_check_spn() not just the first one
    
    Thankfully we are already in a loop over all the message elements in
    acl_modify() so this is an easy and safe change to make.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>

commit 85c73dd456aa8b516303ccdc505a35af2cd35a99
Author: Nadezhda Ivanova <nivanova at symas.com>
Date:   Mon Oct 18 14:27:59 2021 +0300

    CVE-2020-25722: s4-acl: Make sure Control Access Rights honor the Applies-to attribute
    
    Validate Writes and Control Access Rights only grant access if the
    object is of the type listed in the Right's appliesTo attribute. For
    example, even though a Validated-SPN access may be granted to a user
    object in the SD, it should only pass if the object is of class
    computer. This patch enforces the appliesTo attribute classes for
    access checks from within the ldb stack.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14832
    
    Signed-off-by: Nadezhda Ivanova <nivanova at symas.com>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 1d80dabb25dcee429f28b543b6a913063472fe88
Author: Nadezhda Ivanova <nivanova at symas.com>
Date:   Mon Oct 25 14:54:56 2021 +0300

    CVE-2020-25722: s4-acl: test Control Access Rights honor the Applies-to attribute
    
    Validate Writes and Control Access Rights should only grant access if the
    object is of the type listed in the Right's appliesTo attribute.
    Tests to verify this behavior
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14832
    
    Signed-off-by: Nadezhda Ivanova <nivanova at symas.com>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
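
The appliesTo rule from the two commits above, together with the two acl_check_spn() fixes further up this log (check every element, and never fail open on an error), as an added Python model; it is not Samba's acl module. The extended-rights table, the security descriptor, the objects and the modify messages are constructed, and GUIDs are replaced by right names. The validated-write value rule used here (the SPN's host part must equal the object's dNSHostName) is an assumption of the model; the page does not describe it.

```python
# Constructed model of control-access-right checks with appliesTo enforcement;
# not Samba's acl module.


class AccessCheckError(Exception):
    """The check could not be evaluated. Callers must treat this as deny."""


# Constructed extended-rights table: right name -> object classes it applies
# to. Validated-SPN is a real validated write on computer objects; GUIDs are
# omitted and names are used as keys in this model.
EXTENDED_RIGHTS = {
    "Validated-SPN": {"computer"},
    "Validated-DNS-Host-Name": {"computer"},
}

# Constructed security descriptor (trustee -> granted rights) and objects.
SD = {"SELF": {"Validated-SPN"}}
COMPUTER = {"objectClass": ["top", "computer"], "dNSHostName": "ws1.example.com"}
USER = {"objectClass": ["top", "user"], "dNSHostName": "ws1.example.com"}


def sd_grants_right(sd, trustee, right):
    """Whether the object's security descriptor grants the right to trustee."""
    return right in sd.get(trustee, set())


def access_check_control_right(sd, trustee, right, object_classes):
    """Grant only if the SD grants the right AND the object is of a class in
    the right's appliesTo. An unknown right is an error, never a grant."""
    applies_to = EXTENDED_RIGHTS.get(right)
    if applies_to is None:
        raise AccessCheckError(f"unknown control access right {right!r}")
    if not ({c.lower() for c in object_classes} & applies_to):
        return False
    return sd_grants_right(sd, trustee, right)


def spn_matches_host(spn, dns_host_name):
    """Validated-write value rule modelled here (assumption): the host part
    of 'class/host[:port][/name]' must equal the object's dNSHostName."""
    parts = spn.split("/")
    if len(parts) < 2:
        return False
    host = parts[1].split(":")[0]
    return host.lower() == dns_host_name.lower()


def acl_check_spn_modify(sd, trustee, obj, elements, all_elements=True,
                         right="Validated-SPN"):
    """Model of acl_check_spn() as called from acl_modify().

    obj: {"objectClass": [...], "dNSHostName": "..."}; elements: list of
    (attribute, values). With all_elements=False only the first
    servicePrincipalName element is validated, the pre-fix behaviour that the
    "Check all elements" commit corrects. Any AccessCheckError denies the
    whole change instead of failing open.
    """
    spn_elements = [vals for attr, vals in elements
                    if attr.lower() == "serviceprincipalname"]
    if not all_elements:
        spn_elements = spn_elements[:1]
    try:
        for values in spn_elements:
            if not access_check_control_right(sd, trustee, right, obj["objectClass"]):
                return False
            if not all(spn_matches_host(v, obj["dNSHostName"]) for v in values):
                return False
        return True
    except AccessCheckError:
        return False  # fail closed
```

With these inputs the same ACE that lets a computer object write its own host/ws1.example.com SPN grants nothing on a user object, because "user" is not in the right's appliesTo; and a message whose second servicePrincipalName element names another host is denied only when every element is checked.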

commit 908e2e00d73b5d13fa73d0b862b5c661bd2450d6
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Oct 8 15:49:31 2021 +1300

    CVE-2020-25722 s4:dsdb:tests: Add missing self.fail() calls
    
    Without these calls the tests could pass if an expected error did not
    occur.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14832
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    [abartlet at samba.org Included in backport as changing ACLs while
     ACL tests are not checking for unexpected success would be bad]

commit 018ce3e09122c6efd50d4be868a559ad09aa2d78
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Oct 18 14:07:41 2021 +1300

    CVE-2020-25722 Add test for SPN deletion followed by addition
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    [abartlet at samba.org Removed transaction hooks, these do nothing over
     remote LDAP]

commit 255e5c14061ca65c135959046a26418321d80092
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Oct 8 18:03:04 2021 +0200

    CVE-2020-25717: s3:auth: simplify make_session_info_krb5() by removing unused arguments
    
    This is only ever called in standalone mode with an MIT realm,
    so we don't have a PAC/info3 structure.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit c513478908c19b3c9112a9d3d195a67931d6146c
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Oct 8 17:59:59 2021 +0200

    CVE-2020-25717: s3:auth: simplify get_user_from_kerberos_info() by removing the unused logon_info argument
    
    This code is only ever called in standalone mode on an MIT realm,
    it means we never have a PAC and we also don't have winbindd around.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 67ef2899a7d5164b9788996ad86402722dcd2564
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Oct 5 18:12:49 2021 +0200

    CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() reject a PAC in standalone mode
    
    We should be strict in standalone mode, that we only support MIT realms
    without a PAC in order to keep the code sane.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 1d126e4fd9a6895b4d4b69efbf9f1791aa955f96
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Oct 5 17:14:01 2021 +0200

    CVE-2020-25717: selftest: configure 'ktest' env with winbindd and idmap_autorid
    
    The 'ktest' environment was/is designed to test kerberos in an active
    directory member setup. It was created at a time we wanted to test
    smbd/winbindd with kerberos without having the source4 ad dc available.
    
    This still applies to testing the build with system krb5 libraries
    but without relying on a running ad dc.
    
    As a domain member setup requires a running winbindd, we should test it
    that way, in order to reflect a valid setup.
    
    As a side effect it provides a way to demonstrate that we can accept
    smb connections authenticated via kerberos, but no connection to
    a domain controller! In order to get this working offline, we need an
    idmap backend with ID_TYPE_BOTH support, so we use 'autorid', which
    should be the default choice.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14646
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 558cd30acc6f6fff2356fe755cba65de7b3a6603
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Oct 4 19:42:20 2021 +0200

    CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() delegate everything to make_server_info_wbcAuthUserInfo()
    
    This consolidates the code paths used for NTLMSSP and Kerberos!
    
    I checked what we were already doing for NTLMSSP, which is this:
    
    a) source3/auth/auth_winbind.c calls wbcAuthenticateUserEx()
    b) as a domain member we require a valid response from winbindd,
       otherwise we'll return NT_STATUS_NO_LOGON_SERVERS
    c) we call make_server_info_wbcAuthUserInfo(), which internally
       calls make_server_info_info3()
    d) auth_check_ntlm_password() calls
       smb_pam_accountcheck(unix_username, rhost), where rhost
       is only an ipv4 or ipv6 address (without reverse dns lookup)
    e) from auth3_check_password_send/auth3_check_password_recv()
       server_returned_info will be passed to auth3_generate_session_info(),
       triggered by gensec_session_info(), which means we'll call into
       create_local_token() in order to transform auth_serversupplied_info
       into auth_session_info.
    
    For Kerberos gensec_session_info() will call
    auth3_generate_session_info_pac() via the gensec_generate_session_info_pac()
    helper function. The current logic is this:
    
    a) gensec_generate_session_info_pac() is the function that
       evaluates the 'gensec:require_pac', which defaulted to 'no'
       before.
    b) auth3_generate_session_info_pac() called
       wbcAuthenticateUserEx() in order to pass the PAC blob
       to winbindd, but only to prime its cache, e.g. netsamlogon cache
       and others. Most failures were just ignored.
    c) If the PAC blob is available, it extracted the PAC_LOGON_INFO
       from it.
    d) Then we called the horrible get_user_from_kerberos_info() function:
       - It uses the first part of the ticket's principal name (before the @)
         as username and combines that with the 'logon_info->base.logon_domain'
         if the logon_info (PAC) is present.
       - As a fallback without a PAC it tries to ask winbindd for a mapping
         from realm to netbios domain name.
       - Finally it falls back to using the realm as netbios domain name.
       With this information it builds 'userdomain+winbind_separator+useraccount'
       and calls map_username() followed by smb_getpwnam() with create=true.
       Note this is similar to the make_server_info_info3() => check_account()
       => smb_getpwnam() logic under 3.
       - It also calls smb_pam_accountcheck(), but may pass the reverse DNS lookup name
         instead of the ip address as rhost.
       - It does some MAP_TO_GUEST_ON_BAD_UID logic and auto creates the
         guest account.
    e) We called create_info3_from_pac_logon_info()
    f) make_session_info_krb5() gets called and triggers this:
       - If get_user_from_kerberos_info() mapped to guest, it calls
         make_server_info_guest()
       - If create_info3_from_pac_logon_info() created an info3 from logon_info,
         it calls make_server_info_info3()
       - Without a PAC it tries pdb_getsampwnam()/make_server_info_sam() with
         a fallback to make_server_info_pw()
       From there it calls create_local_token()
    
    I tried to change auth3_generate_session_info_pac() to behave similar
    to auth_winbind.c together with auth3_generate_session_info() as
    a domain member, as we now rely on a PAC:
    
    a) As domain member we require a PAC and always call wbcAuthenticateUserEx()
       and require a valid response!
    b) we call make_server_info_wbcAuthUserInfo(), which internally
       calls make_server_info_info3(). Note make_server_info_info3()
       handles MAP_TO_GUEST_ON_BAD_UID and make_server_info_guest()
       internally.
    c) Similar to auth_check_ntlm_password() we now call
       smb_pam_accountcheck(unix_username, rhost), where rhost
       is only an ipv4 or ipv6 address (without reverse dns lookup)
    d) From there it calls create_local_token()
    
    As a standalone server (in an MIT realm) we continue
    with the already existing code logic, which works without a PAC:
    a) we keep smb_getpwnam() with create=true logic as it
       also requires an explicit 'add user script' option.
    b) In the following commits we assert that there's
       actually no PAC in this mode, which means we can
       remove unused and confusing code.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14646
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 9cb158a9a53de11a7f0959d30be28b9f09b41469
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Sep 21 12:44:01 2021 +0200

    CVE-2020-25717: s3:ntlm_auth: let ntlm_auth_generate_session_info_pac() base the name on the PAC LOGON_INFO only
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit fb5ca61f54412dcf24c4f20dd1dd4639838fbfab
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Sep 21 12:27:28 2021 +0200

    CVE-2020-25717: s3:ntlm_auth: fix memory leaks in ntlm_auth_generate_session_info_pac()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 093c5502ab41f068dbc222854caf9cca14d4c157
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Oct 11 23:17:19 2021 +0200

    CVE-2020-25719 CVE-2020-25717: s4:auth: remove unused auth_generate_session_info_principal()
    
    We'll require a PAC at the main gensec layer already.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 7b9920b382ac57b045e46fa113a9c4a9da782b68
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Oct 5 18:11:57 2021 +0200

    CVE-2020-25719 CVE-2020-25717: auth/gensec: always require a PAC in domain mode (DC or member)
    
    AD domains always provide a PAC unless UF_NO_AUTH_DATA_REQUIRED is set
    on the service account, which can only be explicitly configured,
    but that's an invalid configuration!
    
    We still try to support standalone servers in an MIT realm,
    as a legacy setup.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    [jsutton at samba.org Removed knownfail entries]

commit e4172baf12205881098e42e502b0fc8d961e6601
Author: Alexander Bokovoy <ab at samba.org>
Date:   Wed Nov 11 18:50:45 2020 +0200

    CVE-2020-25717: Add FreeIPA domain controller role
    
    As we want to reduce the use of the 'classic domain controller' role but FreeIPA
    relies on it internally, add a separate role to mark the FreeIPA domain
    controller role.
    
    It means that this role won't result in ROLE_STANDALONE.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
    
    Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
    
    Signed-off-by: Alexander Bokovoy <ab at samba.org>
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 3efb9d684d957f0e08c4fd537b0916b02cb73ceb
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Oct 4 18:03:55 2021 +0200

    CVE-2020-25717: s3:auth: don't let create_local_token depend on !winbind_ping()
    
    We always require a running winbindd on a domain member, so
    we should better fail a request instead of silently altering
    the behaviour, which results in a different unix token, just
    because winbindd might be restarted.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 58a1cc488ce20f7cd3c9013e9b8ec3163a25075e
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Sep 21 13:13:52 2021 +0200

    CVE-2020-25717: s3:lib: add lp_allow_trusted_domains() logic to is_allowed_domain()
    
    is_allowed_domain() is a central place we already use to
    trigger NT_STATUS_AUTHENTICATION_FIREWALL_FAILED, so
    we can add additional logic there.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 39b060eeea6d364c7b7b575fda7a6877ce6e2a9a
Author: Ralph Boehme <slow at samba.org>
Date:   Fri Oct 8 12:33:16 2021 +0200

    CVE-2020-25717: s3:auth: remove fallbacks in smb_getpwnam()
    
    So far we tried getpwnam("DOMAIN\account") first and
    always did a fallback to getpwnam("account") completely
    ignoring the domain part, this just causes problems
    as we mix "DOMAIN1\account", "DOMAIN2\account",
    and "account"!
    
    As we require a running winbindd for domain member setups
    we should no longer do a fallback to just "account" for
    users served by winbindd!
    
    Users of the local SAM don't use this code path,
    as check_sam_security() doesn't call check_account().
    
    The only case where smb_getpwnam("account") happens is
    when map_username() via ("username map [script]") mapped
    "DOMAIN\account" to something without '\', but that is
    explicitly desired by the admin.
    
    Note: use 'git show -w'
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
    
    Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 651b74b12b9d995f442fd02e90ca0a1ce12d4a52
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Oct 8 18:08:20 2021 +0200

    CVE-2020-25717: s3:auth: no longer let check_account() autocreate local users
    
    So far we autocreated local user accounts based on just the
    account_name (just ignoring any domain part).
    
    This only happens via a possible 'add user script',
    which is not typically defined on domain members
    and on NT4 DCs local users already exist in the
    local passdb anyway.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit e40a1d46831be8b6125b76b511bb24582e8a13e9
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Oct 8 17:40:30 2021 +0200

    CVE-2020-25717: s3:auth: we should not try to autocreate the guest account
    
    We should avoid autocreation of users as much as possible.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 325942e4e78cccac5456a831375b881d5f80b4c0
Author: Samuel Cabrero <scabrero at samba.org>
Date:   Tue Sep 28 10:45:11 2021 +0200

    CVE-2020-25717: s3:auth: Check minimum domain uid
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
    
    Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
    
    Signed-off-by: Samuel Cabrero <scabrero at samba.org>
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    [abartlet at samba.org Removed knownfail on advice from metze]

commit 1ec930b2f584ef012cd84d3d7ae265719de1b878
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Oct 8 19:57:18 2021 +0200

    CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() forward the low level errors
    
    Mapping everything to ACCESS_DENIED makes it hard to debug problems,
    which may happen because of our more restrictive behaviour in future.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 210b3e36f76d7251714aa48af2319496b907db11
Author: Samuel Cabrero <scabrero at samba.org>
Date:   Tue Oct 5 16:56:06 2021 +0200

    CVE-2020-25717: selftest: Add a test for the new 'min domain uid' parameter
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
    
    Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
    
    Signed-off-by: Samuel Cabrero <scabrero at samba.org>
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    [abartlet at samba.org Fixed knownfail per instruction from metze]

commit a92da791615cd42ce28c679aba1c18a1ef2b5eb8
Author: Samuel Cabrero <scabrero at samba.org>
Date:   Tue Oct 5 12:31:29 2021 +0200

    CVE-2020-25717: selftest: Add ad_member_no_nss_wb environment
    
    This environment creates an AD member that doesn't have
    'nss_winbind' configured, while winbindd is still started.
    
    For testing we map a DOMAIN\root user to the local root
    account and unix token of the local root user.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
    
    Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
    
    Signed-off-by: Samuel Cabrero <scabrero at samba.org>
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit c1bf56f314667ee3c5399576a45b74346d4c7f2e
Author: Samuel Cabrero <scabrero at samba.org>
Date:   Tue Sep 28 10:43:40 2021 +0200

    CVE-2020-25717: loadparm: Add new parameter "min domain uid"
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
    
    Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
    
    Signed-off-by: Samuel Cabrero <scabrero at samba.org>
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit a65cd59b200ec6570cca7f2ab2238f6221bda602
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Oct 26 17:42:41 2021 +0200

    CVE-2020-25717: auth/ntlmssp: start with authoritative = 1
    
    This is not strictly needed, but makes it easier to audit
    that we don't miss important places.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit ae21152809414e96c209f708ba9a737d9dc16e8b
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Oct 26 17:42:41 2021 +0200

    CVE-2020-25717: s3:auth: start with authoritative = 1
    
    This is not strictly needed, but makes it easier to audit
    that we don't miss important places.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit dd88bd9f273dcb49d80d226df457aa05df232237
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Oct 26 17:42:41 2021 +0200

    CVE-2020-25717: s3:rpcclient: start with authoritative = 1
    
    This is not strictly needed, but makes it easier to audit
    that we don't miss important places.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit c55de3995cf49812b24d4c2fc6e14c5c609db46c
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Oct 26 17:42:41 2021 +0200

    CVE-2020-25717: s3:torture: start with authoritative = 1
    
    This is not strictly needed, but makes it easier to audit
    that we don't miss important places.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 3657c79eb2dbfc6bc6b6157881edefe0fe0f1b56
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Oct 26 17:42:41 2021 +0200

    CVE-2020-25717: s3:ntlm_auth: start with authoritative = 1
    
    This is not strictly needed, but makes it easier to audit
    that we don't miss important places.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit c955376e02c74208c47d474a08e8ebb9308e319c
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Oct 26 17:42:41 2021 +0200

    CVE-2020-25717: s4:auth_simple: start with authoritative = 1
    
    This is not strictly needed, but makes it easier to audit
    that we don't miss important places.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 2d5d5a39b0d89b98dc466f3561721f9d4dbbeb1b
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Oct 26 17:42:41 2021 +0200

    CVE-2020-25717: s4:smb_server: start with authoritative = 1
    
    This is not strictly needed, but makes it easier to audit
    that we don't miss important places.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 25d2174dd1bce0ef8e984db6223339c2e8862389
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Oct 26 17:42:41 2021 +0200

    CVE-2020-25717: s4:torture: start with authoritative = 1
    
    This is not strictly needed, but makes it easier to audit
    that we don't miss important places.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit eddf0a5c6fa06cc6348217ae339b7fb9ef88b80d
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Oct 4 17:29:34 2021 +0200

    CVE-2020-25717: s4:auth/ntlm: make sure auth_check_password() defaults to r->out.authoritative = true
    
    We need to make sure that temporary failures don't trigger a fallback
    to the local SAM that silently ignores the domain name part for users.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit ff062e2b0ae4063fb807ddfe2fa172bae0d2eec5
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Oct 4 17:29:34 2021 +0200

    CVE-2020-25717: s3:winbindd: make sure we default to r->out.authoritative = true
    
    We need to make sure that temporary failures don't trigger a fallback
    to the local SAM that silently ignores the domain name part for users.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 56ace59efee73988bfd6b25161fa70cfc1956c82
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Oct 29 10:27:41 2021 +1300

    CVE-2020-25719 CVE-2020-25717 tests/krb5: Adapt tests for connecting without a PAC to new error codes
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14799
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit e44195b765a4029909fc7132928f1ec971d8727d
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Oct 22 16:20:36 2021 +0200

    CVE-2020-25719 CVE-2020-25717: selftest: remove "gensec:require_pac" settings
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14799
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
    
    [jsutton at samba.org Added knownfail entries]
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit af86793af77ab0dfe1c0a9740820c52b435d993d
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Aug 24 17:11:24 2021 +0200

    CVE-2020-25719 CVE-2020-25717 tests/krb5: Add tests for connecting to services anonymously and without a PAC
    
    At the end of the patchset we assume NT_STATUS_NO_IMPERSONATION_TOKEN if
    no PAC is available.
    
    For now we want to look for ACCESS_DENIED as this allows
    the test to pass (showing that gensec:require_pac = true
    is a useful partial mitigation).
    
    This will also help others doing backports that do not
    take the full patch set.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14799
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 596841810d79b5ce47301141ab979aad0cf165cf
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Oct 21 16:46:56 2021 +1300

    CVE-2020-25721 tests/krb5: Add tests for extended PAC_UPN_DNS_INFO PAC buffer
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14835
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 9368a1c1a4f936345864e66f62889ecb59881716
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Oct 28 16:20:07 2021 +1300

    CVE-2020-25719 tests/krb5: Add tests for including authdata without a PAC
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 0cddce8d38f6c32c1dd444af1a9ffc27ff9fb258
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Oct 21 11:45:23 2021 +1300

    CVE-2020-25718 tests/krb5: Add tests for RODC-printed and invalid TGTs
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 7cd1e133b675df3ebe8b5b6b2e11f0bafba44b57
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Oct 19 20:02:45 2021 +1300

    CVE-2020-25719 tests/krb5: Add principal aliasing test
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14686
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 421edd0e14ff58698abebe8b48a814fc4f327d89
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Oct 19 14:39:36 2021 +1300

    CVE-2020-25719 tests/krb5: Add a test for making an S4U2Self request without a PAC
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14686
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 4ad04eb040a96e8a17d71ad47cab180b77d7063a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Oct 18 15:02:39 2021 +1300

    CVE-2020-25719 tests/krb5: Add tests for requiring and issuing a PAC
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit a98a756a689c8a60966aa4e56a90013fc29d9b80
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Oct 13 16:07:09 2021 +1300

    CVE-2020-25721 ndrdump: Add tests for PAC with UPN_DNS_INFO
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14835
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit e67379d4c4563bd07acfe8abe79f695eddfc9a9b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Oct 21 15:45:00 2021 +1300

    CVE-2020-25722 tests/krb5: Add KDC tests for 3-part SPNs
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14776
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 04d515933b2566c138756357ed6112d50faa878b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Oct 22 11:37:37 2021 +1300

    CVE-2020-25719 CVE-2020-25717 tests/krb5: Allow create_ccache_with_user() to return a ticket without a PAC
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14799
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit b93b9b41b9eba84a090a76d376d5cf37810dbb89
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Oct 22 11:37:31 2021 +1300

    CVE-2020-25719 CVE-2020-25717 tests/krb5: Refactor create_ccache_with_user() to take credentials of target service
    
    This allows us to use get_tgt() and get_service_ticket() to obtain
    tickets, which simplifies the logic.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14799
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit f11063bc77df573d36ecab4751070dc96723c2f6
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Oct 21 16:46:23 2021 +1300

    CVE-2020-25721 tests/krb5: Check PAC buffer types when STRICT_CHECKING=0
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14835
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit b11b347b1ba262600121e3156fd5e08e86ed6255
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Oct 20 15:48:20 2021 +1300

    MS CVE-2020-17049 tests/krb5: Allow tests to pass if ticket signature checksum type is wrong
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit b69f1a758b24125c2de9aaa789ee37c0edf5811e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Oct 19 15:02:10 2021 +1300

    CVE-2020-25719 tests/krb5: Add method to get unique username for test accounts
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14686
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 317b66d00d0dc771a2a724aa11d7c26f7bd117fd
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Sep 30 16:53:22 2021 +1300

    CVE-2020-25719 tests/krb5: Add is_tgt() helper method
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14686
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit fe2be397ced48ddddc8e07033a82ce1e31a43b93
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Oct 8 15:40:09 2021 +1300

    CVE-2020-25722 tests/krb5: Allow creating server accounts
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14776
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 67b2e0d51a22e57c4758b3b8b6c739956d05187f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Oct 18 15:00:38 2021 +1300

    CVE-2020-25719 CVE-2020-25717 tests/krb5: Add pac_request parameter to get_service_ticket()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14799
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit ac294d9c65db0a72c566657f52479b738f668589
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Oct 18 14:59:01 2021 +1300

    CVE-2020-25719 CVE-2020-25717 tests/krb5: Modify get_service_ticket() to use _generic_kdc_exchange()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14799
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 83b398309f4f2c26bdfac4d5346852c42d943a14
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Oct 20 15:48:35 2021 +1300

    CVE-2020-25718 tests/krb5: Allow test accounts to replicate to RODC
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit e670327b5ee6124219e922dded83a805ab7a521f
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Sep 27 11:20:19 2021 +1300

    CVE-2020-25721 krb5pac: Add new buffers for samAccountName and objectSID
    
    These appear when PAC_UPN_DNS_FLAG_HAS_SAM_NAME_AND_SID is set.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14835
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>

commit cb6b4a62355117d4d2a4cfef75485745a5032a00
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Oct 22 23:41:23 2021 +1300

    CVE-2020-25722 selftest/user_account_control: more work to cope with UAC/objectclass defaults and lock
    
    This new restriction breaks a large number of assumptions in the tests,
    such as that you can remove some UF_ flags, because it turns out doing so will
    make the 'computer' a 'user' again, and this will fail.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit 3133699e96962de2840ded30ee9d7c84777a3d52
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Oct 22 22:54:52 2021 +1300

    CVE-2020-25722 selftest/user_account_control: Allow a broader set of possible errors
    
    This favors a test that confirms we got an error over getting exactly
    the right error, at least for now.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit 90527174c8e3df260873a569266e5f3954f9b601
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Oct 22 22:40:06 2021 +1300

    CVE-2020-25722 selftest: Allow self.assertRaisesLdbError() to take a list of errors to match with
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit 2bddfc41a4f55500c248b3be76703da98f62819f
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Oct 21 15:42:46 2021 +1300

    CVE-2020-25722 selftest: adapt ldap.py/sam.py test_all tests to new default computer behaviour
    
    Objects of objectclass computer are computers by default now and this changes
    the sAMAccountType and primaryGroupID as well as userAccountControl
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit fded7b17bcd26b06a0e634d4bb048d943311e82d
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Oct 21 15:19:19 2021 +1300

    CVE-2020-25722 selftest: Adapt sam.py test to userAccountControl/objectclass restrictions
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit 0370d2170a4b081229a14b5fb14ebceccc2aea60
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Oct 21 15:14:28 2021 +1300

    CVE-2020-25722 selftest: New objects of objectclass=computer are workstations by default now
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit 5ab802bd662a230eb640c2d1479a20bf822aa75f
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Oct 21 15:06:14 2021 +1300

    CVE-2020-25722 selftest: Adjust sam.py test_userAccountControl_computer_add_trust to new reality
    
    We now enforce that a trust account must be a user.
    
    These can not be added over LDAP anyway, and our C
    code in the RPC server gets this right in any case.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit b455e819d38fa289894cf9d6477ef679073d931d
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Oct 21 14:03:05 2021 +1300

    CVE-2020-25722 selftest: Split test_userAccountControl into unit tests
    
    The parts that create and delete a single object can be
    safely split out into an individual test.
    
    At this point the parts that fail against Windows 2019 are:
    
    error: __main__.SamTests.test_userAccountControl_computer_add_normal [
    _ldb.LdbError: (53, 'LDAP error 53 LDAP_UNWILLING_TO_PERFORM -  <0000052D: SvcErr: DSID-031A1236, problem 5003 (WILL_NOT_PERFORM), data 0\n> <>')
    error: __main__.SamTests.test_userAccountControl_computer_modify [
    _ldb.LdbError: (53, 'LDAP error 53 LDAP_UNWILLING_TO_PERFORM -  <0000052D: SvcErr: DSID-031A1236, problem 5003 (WILL_NOT_PERFORM), data 0\n> <>')
    error: __main__.SamTests.test_userAccountControl_user_add_0_uac [
    _ldb.LdbError: (53, 'LDAP error 53 LDAP_UNWILLING_TO_PERFORM -  <0000052D: SvcErr: DSID-031A1236, problem 5003 (WILL_NOT_PERFORM), data 0\n> <>')
    error: __main__.SamTests.test_userAccountControl_user_add_normal [
    _ldb.LdbError: (53, 'LDAP error 53 LDAP_UNWILLING_TO_PERFORM -  <0000052D: SvcErr: DSID-031A1236, problem 5003 (WILL_NOT_PERFORM), data 0\n> <>')
    error: __main__.SamTests.test_userAccountControl_user_modify [
    _ldb.LdbError: (53, 'LDAP error 53 LDAP_UNWILLING_TO_PERFORM -  <0000052D: SvcErr: DSID-031A1236, problem 5003 (WILL_NOT_PERFORM), data 0\n> <>')
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit 7211afa9a5c675e0f3c4668b6e9f79bf11caaa7d
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Oct 21 13:02:42 2021 +1300

    CVE-2020-25722 samdb: Fill in isCriticalSystemObject on any account type change
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit 2812b7cc0e4d270dd71437094d4b141d2c2ce6c7
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Oct 21 11:57:22 2021 +1300

    CVE-2020-25722 selftest: Adapt sam.py test_isCriticalSystemObject to new UF_WORKSTATION_TRUST_ACCOUNT default
    
    Objects with objectclass computer now have UF_WORKSTATION_TRUST_ACCOUNT
    by default and so this test must adapt.
    
    The changes to this test pass against Windows 2019 except for
    the new behaviour around the UF_WORKSTATION_TRUST_ACCOUNT default.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit 73468f3f4a1488ff6b70bdcad27721f4357a5c4e
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Sep 22 11:29:02 2021 +1200

    CVE-2020-25722 dsdb: Add restrictions on computer accounts without a trailing $
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit d396fcadc191919a07fb64350eea857b66c9c99f
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Sep 22 11:28:05 2021 +1200

    CVE-2020-25722 dsdb: samldb_objectclass_trigger() is only called on ADD, so remove indentation
    
    This makes the code less indented and simpler to understand.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit a228f45f63e405946a10c50b3c84a6661c5a0850
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Oct 22 16:18:51 2021 +1300

    CVE-2020-25722 selftest: Adapt selftest to restriction on swapping account types
    
    This makes many of our tests pass again.  We do not pass against Windows 2019 on all
    as this does not have this restriction at this time.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit e353a62513a2a5ca292dccbb79e3aff9f7190615
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Oct 28 14:47:30 2021 +1300

    CVE-2020-25722 selftest/priv_attrs: Mention that these knownfails are OK (for now)
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14775
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit cc64ec210390aaf87ed0ca7ec674dea7b6072fce
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Oct 22 16:07:46 2021 +1300

    CVE-2020-25722 dsdb: Prohibit mismatch between UF_ account types and objectclass.
    
    There are a lot of knownfail entries added with this commit.  These
    all need to be addressed and removed in subsequent commits which
    will restructure the tests to pass within this new reality.
    
    The restriction is not applied to users with administrator rights,
    as this breaks a lot of tests and provides no security benefit.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit a72cec41c21d8599e7dcd45915901e987d95f8c6
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Oct 29 23:33:32 2021 +1300

    CVE-2020-25722 dsdb: Add tests for modifying objectClass, userAccountControl and sAMAccountName
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14889
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 758c422c11eef328a40b1cd24a5220774d50a69d
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Oct 22 15:42:08 2021 +1300

    CVE-2020-25722 dsdb: Improve privileged and unprivileged tests for objectclass/dollar/UAC
    
    This helps ensure we cover off all the cases that matter
    for objectclass/trailing-dollar/userAccountControl
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit 4868385d45b87154a583c040a1d37e5d89a1351c
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Sep 16 08:46:42 2021 +1200

    CVE-2020-25722 dsdb: objectclass computer becomes UF_WORKSTATION_TRUST by default
    
    There are a lot of knownfail entries added with this commit.  These
    all need to be addressed and removed in subsequent commits which
    will restructure the tests to pass within this new reality.
    
    This default applies even to users with administrator rights,
    as changing the default based on permissions would break
    too many assumptions.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
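
As an added example (not Samba's samldb module, which enforces these rules inside the ldb stack), a defender-side audit of exported accounts for the consistency the CVE-2020-25722 dsdb commits above describe: one account-type bit per object, objectclass computer paired with a workstation/server trust type, trust accounts as users, a trailing $ on machine accounts, and UF_PASSWD_NOTREQD for passwordless normal accounts; it also prints UF_ flag names in the spirit of the pydsdb API commit. The UF_ values are the MS-ADTS constants; the finding texts, helper names and sample entries are constructed.

```python
# userAccountControl bits (MS-ADTS / MS-SAMR values). The table lets the
# report name the bits rather than printing a raw integer.
UF_PASSWD_NOTREQD = 0x00000020
UF_NORMAL_ACCOUNT = 0x00000200
UF_INTERDOMAIN_TRUST_ACCOUNT = 0x00000800
UF_WORKSTATION_TRUST_ACCOUNT = 0x00001000
UF_SERVER_TRUST_ACCOUNT = 0x00002000
UF_TRUSTED_FOR_DELEGATION = 0x00080000

UF_NAMES = {
    UF_PASSWD_NOTREQD: "UF_PASSWD_NOTREQD",
    UF_NORMAL_ACCOUNT: "UF_NORMAL_ACCOUNT",
    UF_INTERDOMAIN_TRUST_ACCOUNT: "UF_INTERDOMAIN_TRUST_ACCOUNT",
    UF_WORKSTATION_TRUST_ACCOUNT: "UF_WORKSTATION_TRUST_ACCOUNT",
    UF_SERVER_TRUST_ACCOUNT: "UF_SERVER_TRUST_ACCOUNT",
    UF_TRUSTED_FOR_DELEGATION: "UF_TRUSTED_FOR_DELEGATION",
}
ACCOUNT_TYPE_BITS = (UF_NORMAL_ACCOUNT | UF_INTERDOMAIN_TRUST_ACCOUNT
                     | UF_WORKSTATION_TRUST_ACCOUNT | UF_SERVER_TRUST_ACCOUNT)
MACHINE_TYPE_BITS = UF_WORKSTATION_TRUST_ACCOUNT | UF_SERVER_TRUST_ACCOUNT


def uac_flag_names(uac):
    """Names of the known UF_ bits set in uac; unknown bits are kept as hex."""
    names = [name for bit, name in sorted(UF_NAMES.items()) if uac & bit]
    unknown = uac & ~sum(UF_NAMES)
    if unknown:
        names.append("0x%08x" % unknown)
    return names


def audit_account(entry):
    """Findings for one account dict (empty list means consistent)."""
    # entry keys: objectClass (list of str), userAccountControl (int),
    # sAMAccountName (str), optional hasPassword (bool, default True).
    classes = {c.lower() for c in entry["objectClass"]}
    uac = entry["userAccountControl"]
    name = entry["sAMAccountName"]
    findings = []

    type_bits = uac & ACCOUNT_TYPE_BITS
    if type_bits == 0:
        findings.append("no account type bit set")
    elif type_bits & (type_bits - 1):  # more than one bit survives
        findings.append("more than one account type bit: "
                        + ", ".join(uac_flag_names(type_bits)))

    is_computer = "computer" in classes
    is_machine = bool(type_bits & MACHINE_TYPE_BITS)
    if is_computer and not is_machine:
        findings.append("objectClass computer without a workstation/server "
                        "trust account type")
    if is_machine and not is_computer:
        findings.append("machine account type on an object that is not a computer")
    if type_bits & UF_INTERDOMAIN_TRUST_ACCOUNT and is_computer:
        findings.append("interdomain trust account must be a user object")
    if is_machine and not name.endswith("$"):
        findings.append("machine account sAMAccountName lacks trailing $")
    if (type_bits == UF_NORMAL_ACCOUNT and not entry.get("hasPassword", True)
            and not uac & UF_PASSWD_NOTREQD):
        findings.append("normal account without a password and without "
                        "UF_PASSWD_NOTREQD")
    return findings


def audit_directory(entries):
    """Map sAMAccountName -> findings for every entry that has any."""
    report = {}
    for entry in entries:
        findings = audit_account(entry)
        if findings:
            report[entry["sAMAccountName"]] = findings
    return report


USER_CLASSES = ["top", "person", "organizationalPerson", "user"]
COMPUTER_CLASSES = USER_CLASSES + ["computer"]

# Constructed sample entries, shaped like an LDAP export loaded into dicts.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "WS01$", "objectClass": COMPUTER_CLASSES,
     "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT},
    {"sAMAccountName": "alice", "objectClass": USER_CLASSES,
     "userAccountControl": UF_NORMAL_ACCOUNT},
    {"sAMAccountName": "DC01", "objectClass": COMPUTER_CLASSES,
     "userAccountControl": UF_SERVER_TRUST_ACCOUNT},
    {"sAMAccountName": "svc", "objectClass": USER_CLASSES,
     "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT},
    {"sAMAccountName": "odd$", "objectClass": COMPUTER_CLASSES,
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_WORKSTATION_TRUST_ACCOUNT},
    {"sAMAccountName": "nopw", "objectClass": USER_CLASSES,
     "userAccountControl": UF_NORMAL_ACCOUNT, "hasPassword": False},
]

if __name__ == "__main__":
    for name, findings in audit_directory(SAMPLE_ENTRIES).items():
        print(name, "->", "; ".join(findings))
```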

commit a6048aaae63b65fed9e37af85aff4d251640f519
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Sep 17 13:41:40 2021 +1200

    CVE-2020-25722 selftest: Catch errors from samdb.modify() in user_account_control tests
    
    This will allow these to be listed in a knownfail shortly.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit cf5a3ebaf00048e20c04717ded75d67459c0463c
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Sep 20 14:54:03 2021 +1200

    CVE-2020-25722 selftest: Catch possible errors in PasswordSettingsTestCase.test_pso_none_applied()
    
    This allows future patches to restrict changing the account type
    without triggering an error.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit b999e14700d14fd1e3819c69ed1106f3bbfc44ef
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Sep 20 12:35:51 2021 +1200

    CVE-2020-25722 selftest: allow for future failures in BindTests.test_virtual_email_account_style_bind
    
    This allows for any failures here to be handled via the knownfail system.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit df525689abcb25abeac1545b087ae2f4b75dbf8b
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Sep 13 10:21:03 2021 +1200

    CVE-2020-25722 selftest: Test combinations of account type and objectclass for creating a user
    
    The idea here is to split out the restrictions seen on Windows 2019
    at the schema level, as seen when acting as an administrator.
    
    These pass against Windows 2019 except for the account type swapping
    which is not wanted.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit 53de95a1f6a4a591c1bd8e470f39ecd34ac59099
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Sep 13 20:34:54 2021 +1200

    CVE-2020-25722 selftest: Extend priv_attrs test - work around UF_NORMAL_ACCOUNT rules on Windows 2019 (requires |UF_PASSWD_NOTREQD or a password) - extend to also cover the sensitive UF_TRUSTED_FOR_DELEGATION
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14703
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14778
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14775
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit 07aef1e648d0b7464739647063ccb207061674d4
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Aug 13 17:42:23 2021 +1200

    CVE-2020-25722 dsdb: Restrict the setting of privileged attributes during LDAP add/modify
    
    The remaining failures in the priv_attrs (not the strict one) test are
    due to missing objectclass constraints on the administrator which should
    be addressed, but are not a security issue.
    
    A better test for confirming constraints between objectclass and
    userAccountControl UF_NORMAL_ACCOUNT/UF_WORKSTATION_TRUST values would
    be user_account_control.py.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14703
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14778
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14775
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit b02578014f7ef9d8f59cafa9b62c2a6696c03270
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Aug 12 11:10:09 2021 +1200

    CVE-2020-25722 dsdb: Move krbtgt password setup after the point of checking if any passwords are changed
    
    This allows the add of an RODC, before setting the password, to avoid
    this module, which helps isolate testing of security around the
    msDS-SecondaryKrbTgtNumber attribute.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14703
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit 65973d2efd4b27d564cb673bb6d349e8b5e0527e
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Aug 10 22:31:02 2021 +1200

    CVE-2020-25722 dsdb: Tests for our known set of privileged attributes
    
    This, except for where we choose to disagree, does pass
    against Windows 2019.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14703
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14778
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14775
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit 85e3788d8294e809dac17d4636e93b3ec53bce33
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Oct 21 16:46:56 2021 +1300

    CVE-2020-17049 tests/krb5: Check account name and SID in PAC for S4U tests
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at cryptomilk.org>
    
    Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
    Autobuild-Date(master): Mon Oct 25 09:23:35 UTC 2021 on sn-devel-184
    
    (cherry picked from commit c174e9ebe715aad6910d53c1f427a0512c09d651)

commit 6807b81f40b97e109465b9ac0a458c0cb2eaaeb6
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Sep 16 16:09:24 2021 +1200

    CVE-2020-25722 selftest: Use self.assertRaisesLdbError() in user_account_control.py test
    
    This changes most of the simple pattern with self.samdb.modify()
    to use the wrapper.  Some other calls still need to be converted, while
    the complex decision tree tests should remain as-is for now.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    
    Autobuild-User(master): Jeremy Allison <jra at samba.org>
    Autobuild-Date(master): Mon Oct  4 21:55:43 UTC 2021 on sn-devel-184
    
    (cherry picked from commit b45190bdac7bd9dcefd5ed88be4bd9a97a712664)

commit 6f20d53279d36f28f71dc527b0660d5f07d83a58
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Aug 30 18:17:47 2021 +1200

    CVE-2020-25722 selftest: Update user_account_control tests to pass against Windows 2019
    
    This gets us closer to passing against Windows 2019, without
    making major changes to what was tested.  More tests are needed,
    but it is important to get what was being tested tested again.
    
    Account types (eg UF_NORMAL_ACCOUNT, UF_WORKSTATION_TRUST_ACCOUNT)
    are now required on all objects; these can't be omitted any more.
    
    Also for UF_NORMAL_ACCOUNT for these accounts without a password
    set |UF_PASSWD_NOTREQD must be included.
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Alexander Bokovoy <ab at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Wed Sep 15 08:49:11 UTC 2021 on sn-devel-184
    
    (cherry picked from commit d12cb47724c2e8d19a28286d4c3ef72271a002fd)

commit ce8fbffd3a1657370eced845df2a414402a3780e
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Aug 30 14:54:39 2021 +1200

    CVE-2020-25722 selftest: Replace internal loop in test_uac_bits_set() using @DynamicTestClass
    
    This generates a single test per bit which is easier to
    debug.  Elsewhere we use this pattern where we want to
    be able to put some cases in a knownfail, which is otherwise
    not possible.
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
    (cherry picked from commit 17ae0319db53a7b88e7fb44a9e2fd4bf1d1daa0e)

commit f970d8b549d00d72bee880f2c390cf44d8fcebfb
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Aug 30 14:51:27 2021 +1200

    CVE-2020-25722 selftest: Replace internal loop in test_uac_bits_add() using @DynamicTestClass
    
    This generates a single test per bit which is easier to
    debug.  Elsewhere we use this pattern where we want to
    be able to put some cases in a knownfail, which is otherwise
    not possible.
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
    (cherry picked from commit 60f1b6cf0ef0bf6736d8db9c53fa48fe9f3d8e75)

commit 5719cddc268b1bf11e7bf7fc9fdd32f7ab6b2a89
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Aug 30 14:37:06 2021 +1200

    CVE-2020-25722 selftest: Use @DynamicTestCase in user_account_control test_uac_bits_unrelated_modify()
    
    This is a nice easy example of how the test generation
    code works, and it combined nicely with the earlier
    patch to return string names from the UF_ constants.
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
    (cherry picked from commit 8701ce492fc3a209035b152961d8c17e801b082a)

commit 7d3a0e08c485b11844aa9a9d1ec19c1d07ee2bcd
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Aug 30 13:03:15 2021 +1200

    CVE-2020-25722 pydsdb: Add API to return strings of known UF_ flags
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
    (cherry picked from commit fb6c0b9e2a10c9559d3e056bb020bd2c990da998)

commit a8578a41263cfb05ba6686b73f880eed1a114f53
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Aug 30 10:10:56 2021 +1200

    CVE-2020-25722 selftest: Use addCleanup rather than tearDown in user_account_control.py
    
    self.addCleanup() is called regardless of the test failure or error status
    and so is more reliable, particularly during development.
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
    (cherry picked from commit 8c455268165f0bbfce17407df2c1746a0e03f828)

commit 1a0630b9bc705175831d0ecbde41a095d247b34d
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Aug 30 10:07:31 2021 +1200

    CVE-2020-25722 selftest: Modernise user_account_control.py tests to use a common self.OU
    
    We set and use a single self.OU to ensure consistency and
    reduce string duplication.
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
    (cherry picked from commit 8b078bbf8717b9407cdbc1588dd065164ab78e1b)

commit 8292a799180708e5e3a6802918265aef95e8cca5
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Sep 13 21:48:13 2021 +1200

    CVE-2020-25722 selftest: Move self.assertRaisesLdbError() to samba.tests.TestCase
    
    This is easier to reason with regarding which cases should work
    and which cases should fail, avoiding issues where more success
    than expected would be OK because a self.fail() was missed in a
    try: block.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit 298515cac2f35082483c2b4e4b7dbfe4df1d2e0c)

-----------------------------------------------------------------------

Summary of changes:
 VERSION                                            |    2 +-
 WHATSNEW.txt                                       |  112 +-
 auth/auth_util.c                                   |    9 +-
 auth/credentials/tests/bind.py                     |   13 +-
 auth/gensec/gensec_util.c                          |   27 +-
 auth/ntlmssp/ntlmssp_server.c                      |    2 +-
 docs-xml/smbdotconf/security/mindomainuid.xml      |   17 +
 docs-xml/smbdotconf/security/serverrole.xml        |    7 +
 docs-xml/smbdotconf/winbind/idmapconfig.xml        |    4 +
 lib/param/loadparm.c                               |    4 +
 lib/param/loadparm_server_role.c                   |    2 +
 lib/param/param_table.c                            |    1 +
 lib/param/util.c                                   |    1 +
 libcli/netlogon/netlogon.c                         |    2 +-
 libds/common/flag_mapping.c                        |   50 +
 libds/common/flag_mapping.h                        |    1 +
 libds/common/flags.h                               |    5 +
 libds/common/roles.h                               |    1 +
 librpc/idl/krb5pac.idl                             |   38 +-
 librpc/ndr/ndr_krb5pac.c                           |    4 +-
 librpc/rpc/dcerpc_pkt_auth.c                       |   19 +-
 librpc/rpc/dcerpc_pkt_auth.h                       |    1 +
 librpc/rpc/dcesrv_auth.c                           |   28 +
 librpc/rpc/dcesrv_core.c                           |  160 +-
 python/samba/netcmd/spn.py                         |   37 +-
 python/samba/tests/__init__.py                     |   58 +-
 python/samba/tests/blackbox/ndrdump.py             |   35 +
 python/samba/tests/dcerpc/raw_protocol.py          | 1561 ++++++++++++++--
 python/samba/tests/dcerpc/raw_testcase.py          |   57 +-
 python/samba/tests/dsdb_api.py                     |   57 +
 python/samba/tests/krb5/alias_tests.py             |  201 ++
 python/samba/tests/krb5/kdc_base_test.py           |  168 +-
 python/samba/tests/krb5/kdc_tgs_tests.py           | 1922 +++++++++++++++++++-
 python/samba/tests/krb5/raw_testcase.py            |  239 ++-
 python/samba/tests/krb5/rfc4120_constants.py       |    3 +
 python/samba/tests/krb5/rodc_tests.py              |    2 +
 python/samba/tests/krb5/s4u_tests.py               |   49 +-
 python/samba/tests/krb5/spn_tests.py               |  212 +++
 python/samba/tests/krb5/test_ccache.py             |   67 +-
 python/samba/tests/krb5/test_ldap.py               |  100 +-
 python/samba/tests/krb5/test_min_domain_uid.py     |  121 ++
 python/samba/tests/krb5/test_rpc.py                |   70 +-
 python/samba/tests/krb5/test_smb.py                |   71 +-
 python/samba/tests/ldap_spn.py                     |  917 ++++++++++
 python/samba/tests/ldap_upn_sam_account.py         |  510 ++++++
 python/samba/tests/samba_tool/computer.py          |   18 +-
 python/samba/tests/usage.py                        |    3 +
 selftest/knownfail.d/ldap_spn                      |    1 +
 selftest/knownfail.d/modify-order                  |    2 +-
 selftest/knownfail.d/priv_attr                     |   13 +
 selftest/knownfail.d/uac_objectclass_restrict      |   17 +
 selftest/knownfail_heimdal_kdc                     |   16 +-
 selftest/knownfail_mit_kdc                         |  147 +-
 selftest/selftest.pl                               |    2 -
 selftest/target/Samba.pm                           |    1 +
 selftest/target/Samba3.pm                          |   75 +-
 selftest/target/Samba4.pm                          |    2 -
 selftest/tests.py                                  |    1 +
 source3/auth/auth.c                                |    3 +
 source3/auth/auth_generic.c                        |  160 +-
 source3/auth/auth_sam.c                            |   14 +-
 source3/auth/auth_samba4.c                         |    2 +-
 source3/auth/auth_util.c                           |  105 +-
 source3/auth/proto.h                               |    3 -
 source3/auth/user_krb5.c                           |   79 +-
 source3/include/smb_macros.h                       |    2 +-
 source3/lib/netapi/joindomain.c                    |    1 +
 source3/lib/util_names.c                           |   15 +-
 source3/libsmb/cliconnect.c                        |    9 +
 source3/param/loadparm.c                           |    6 +-
 source3/passdb/lookup_sid.c                        |    2 +-
 source3/passdb/machine_account_secrets.c           |    7 +-
 source3/registry/reg_backend_prod_options.c        |    1 +
 source3/rpc_server/dssetup/srv_dssetup_nt.c        |    1 +
 source3/rpcclient/cmd_netlogon.c                   |    2 +-
 source3/smbd/server.c                              |    2 +-
 source3/torture/pdbtest.c                          |    2 +-
 source3/utils/ntlm_auth.c                          |   95 +-
 source3/utils/ntlm_auth_diagnostics.c              |   10 +-
 source3/winbindd/winbindd_dual_srv.c               |    7 +
 source3/winbindd/winbindd_irpc.c                   |    7 +
 source3/winbindd/winbindd_misc.c                   |    2 +-
 source3/winbindd/winbindd_pam.c                    |   15 +-
 source3/winbindd/winbindd_pam_auth_crap.c          |    9 +-
 source3/winbindd/winbindd_util.c                   |   47 +-
 source4/auth/auth.h                                |    8 -
 source4/auth/ntlm/auth.c                           |   55 +-
 source4/auth/ntlm/auth_sam.c                       |   12 -
 source4/auth/ntlm/auth_simple.c                    |    2 +-
 source4/auth/sam.c                                 |    5 +-
 source4/dsdb/common/rodc_helper.c                  |  284 +++
 source4/dsdb/common/util.c                         |   11 +
 source4/dsdb/pydsdb.c                              |   30 +
 source4/dsdb/samdb/cracknames.c                    |   19 +-
 source4/dsdb/samdb/ldb_modules/acl.c               |  120 +-
 source4/dsdb/samdb/ldb_modules/acl_util.c          |   40 +
 source4/dsdb/samdb/ldb_modules/dirsync.c           |   13 +-
 source4/dsdb/samdb/ldb_modules/objectclass.c       |   36 +
 source4/dsdb/samdb/ldb_modules/password_hash.c     |  164 +-
 source4/dsdb/samdb/ldb_modules/samldb.c            | 1921 ++++++++++++++++---
 source4/dsdb/samdb/ldb_modules/util.c              |  119 +-
 source4/dsdb/tests/python/acl.py                   |   97 +
 source4/dsdb/tests/python/ldap.py                  |   49 +-
 source4/dsdb/tests/python/linked_attributes.py     |   21 -
 source4/dsdb/tests/python/password_settings.py     |   30 +-
 source4/dsdb/tests/python/priv_attrs.py            |  398 ++++
 source4/dsdb/tests/python/sam.py                   |   94 +-
 source4/dsdb/tests/python/subtree_rename.py        |   25 -
 source4/dsdb/tests/python/user_account_control.py  |  855 +++++++--
 source4/dsdb/wscript_build                         |    2 +-
 source4/heimdal/kdc/kerberos5.c                    |   23 +-
 source4/heimdal/kdc/krb5tgs.c                      |  292 ++-
 source4/heimdal/kdc/windc.c                        |    7 +-
 source4/heimdal/kdc/windc_plugin.h                 |    2 +
 source4/heimdal/lib/hdb/hdb.h                      |    2 +-
 source4/kdc/db-glue.c                              |   77 +-
 source4/kdc/db-glue.h                              |    5 +-
 source4/kdc/hdb-samba4.c                           |   43 +-
 source4/kdc/kdc-heimdal.c                          |    1 +
 source4/kdc/mit-kdb/kdb_samba.h                    |    7 +
 source4/kdc/mit-kdb/kdb_samba_policies.c           |  185 +-
 source4/kdc/mit-kdb/kdb_samba_principals.c         |   60 +-
 source4/kdc/mit_samba.c                            |   62 +-
 source4/kdc/mit_samba.h                            |    2 +
 source4/kdc/pac-glue.c                             |  473 ++++-
 source4/kdc/pac-glue.h                             |   31 +-
 source4/kdc/wdc-samba4.c                           |  132 +-
 source4/libcli/smb_composite/sesssetup.c           |   14 +
 source4/librpc/rpc/dcerpc.c                        |    1 +
 .../librpc/tests/krb5pac_upn_dns_info_ex.b64.txt   |    1 +
 source4/librpc/tests/krb5pac_upn_dns_info_ex.txt   |  220 +++
 .../krb5pac_upn_dns_info_ex_not_supported.b64.txt  |    1 +
 .../krb5pac_upn_dns_info_ex_not_supported.txt      |  213 +++
 source4/rpc_server/common/server_info.c            |  121 +-
 source4/rpc_server/common/sid_helper.c             |  134 --
 source4/rpc_server/dnsserver/dcerpc_dnsserver.c    |   11 +-
 source4/rpc_server/drsuapi/dcesrv_drsuapi.c        |   55 +-
 source4/rpc_server/drsuapi/getncchanges.c          |   71 +-
 source4/rpc_server/lsa/lsa_init.c                  |    7 +-
 source4/rpc_server/netlogon/dcerpc_netlogon.c      |  191 +-
 source4/rpc_server/samr/dcesrv_samr.c              |   21 +-
 source4/rpc_server/samr/samr_password.c            |   31 +-
 source4/rpc_server/wscript_build                   |    9 +-
 source4/selftest/tests.py                          |  110 +-
 source4/setup/provision_self_join.ldif             |    9 +-
 source4/setup/tests/blackbox_spn.sh                |    7 +-
 source4/setup/tests/blackbox_upgradeprovision.sh   |    8 +-
 source4/smb_server/smb/sesssetup.c                 |    4 +-
 source4/torture/rpc/drsuapi.c                      |  202 +-
 source4/torture/rpc/drsuapi.h                      |    3 +-
 source4/torture/rpc/drsuapi_cracknames.c           |    2 +-
 source4/torture/rpc/remote_pac.c                   |   24 +-
 source4/torture/rpc/samlogon.c                     |    4 +-
 source4/torture/rpc/schannel.c                     |    2 +-
 testprogs/blackbox/dbcheck-oldrelease.sh           |    4 +-
 testprogs/blackbox/functionalprep.sh               |    2 +-
 testprogs/blackbox/upgradeprovision-oldrelease.sh  |    4 +-
 157 files changed, 12976 insertions(+), 2197 deletions(-)
 create mode 100644 docs-xml/smbdotconf/security/mindomainuid.xml
 create mode 100644 python/samba/tests/dsdb_api.py
 create mode 100755 python/samba/tests/krb5/alias_tests.py
 create mode 100755 python/samba/tests/krb5/spn_tests.py
 create mode 100755 python/samba/tests/krb5/test_min_domain_uid.py
 create mode 100644 python/samba/tests/ldap_spn.py
 create mode 100644 python/samba/tests/ldap_upn_sam_account.py
 create mode 100644 selftest/knownfail.d/ldap_spn
 create mode 100644 selftest/knownfail.d/priv_attr
 create mode 100644 selftest/knownfail.d/uac_objectclass_restrict
 create mode 100644 source4/dsdb/common/rodc_helper.c
 create mode 100644 source4/dsdb/tests/python/priv_attrs.py
 create mode 100644 source4/librpc/tests/krb5pac_upn_dns_info_ex.b64.txt
 create mode 100644 source4/librpc/tests/krb5pac_upn_dns_info_ex.txt
 create mode 100644 source4/librpc/tests/krb5pac_upn_dns_info_ex_not_supported.b64.txt
 create mode 100644 source4/librpc/tests/krb5pac_upn_dns_info_ex_not_supported.txt
 delete mode 100644 source4/rpc_server/common/sid_helper.c


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index 4c07d646431..06669ad9d90 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
 ########################################################
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=15
-SAMBA_VERSION_RELEASE=1
+SAMBA_VERSION_RELEASE=2
 
 ########################################################
 # If a official release has a serious bug              #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 73cc1613bef..6632cf1c294 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,111 @@
+                   ==============================
+                   Release Notes for Samba 4.15.2
+                           November 9, 2021
+                   ==============================
+
+
+This is a security release in order to address the following defects:
+
+o CVE-2016-2124:  SMB1 client connections can be downgraded to plaintext
+                  authentication.
+                  https://www.samba.org/samba/security/CVE-2016-2124.html
+
+o CVE-2020-25717: A user on the domain can become root on domain members.
+                  https://www.samba.org/samba/security/CVE-2020-25717.html
+                  (PLEASE READ! There are important behaviour changes described)
+
+o CVE-2020-25718: Samba AD DC did not correctly sandbox Kerberos tickets issued
+                  by an RODC.
+                  https://www.samba.org/samba/security/CVE-2020-25718.html
+
+o CVE-2020-25719: Samba AD DC did not always rely on the SID and PAC in Kerberos
+                  tickets.
+                  https://www.samba.org/samba/security/CVE-2020-25719.html
+
+o CVE-2020-25721: Kerberos acceptors need easy access to stable AD identifiers
+                  (eg objectSid).
+                  https://www.samba.org/samba/security/CVE-2020-25721.html
+
+o CVE-2020-25722: Samba AD DC did not do suffienct access and conformance
+                  checking of data stored.
+                  https://www.samba.org/samba/security/CVE-2020-25722.html
+
+o CVE-2021-3738:  Use after free in Samba AD DC RPC server.
+                  https://www.samba.org/samba/security/CVE-2021-3738.html
+
+o CVE-2021-23192: Subsequent DCE/RPC fragment injection vulnerability.
+                  https://www.samba.org/samba/security/CVE-2021-23192.html
+
+
+Changes since 4.15.1
+--------------------
+
+o  Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
+   * CVE-2020-25722
+
+o  Andrew Bartlett <abartlet at samba.org>
+   * CVE-2020-25718
+   * CVE-2020-25719
+   * CVE-2020-25721
+   * CVE-2020-25722
+
+o  Ralph Boehme <slow at samba.org>
+   * CVE-2020-25717
+
+o  Alexander Bokovoy <ab at samba.org>
+   * CVE-2020-25717
+
+o  Samuel Cabrero <scabrero at samba.org>
+   * CVE-2020-25717
+
+o  Nadezhda Ivanova <nivanova at symas.com>
+   * CVE-2020-25722
+
+o  Stefan Metzmacher <metze at samba.org>
+   * CVE-2016-2124
+   * CVE-2020-25717
+   * CVE-2020-25719
+   * CVE-2020-25722
+   * CVE-2021-23192
+   * CVE-2021-3738
+
+o  Andreas Schneider <asn at samba.org>
+   * CVE-2020-25719
+
+o  Joseph Sutton <josephsutton at catalyst.net.nz>
+   * CVE-2020-17049
+   * CVE-2020-25718
+   * CVE-2020-25719
+   * CVE-2020-25721
+   * CVE-2020-25722
+   * MS CVE-2020-17049
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.libera.chat or the
+#samba-technical:matrix.org matrix channel.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
+
                    ==============================
                    Release Notes for Samba 4.15.1
                           October 27, 2021
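Review bot: the Joseph Sutton entry credits CVE-2020-17049 twice (once as `CVE-2020-17049`, once as `MS CVE-2020-17049`) while that CVE does not appear in the list of defects this release addresses; either keep one spelling and add a matching entry to the defects list with a link, or drop it from the credits. Also, "suffienct" in the CVE-2020-25722 summary should read "sufficient".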
@@ -101,8 +209,8 @@ database (https://bugzilla.samba.org/).
 ======================================================================
 
 
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
+
                    ==============================
                    Release Notes for Samba 4.15.0
                          September 20, 2021
diff --git a/auth/auth_util.c b/auth/auth_util.c
index f3586f1fc1e..fe01babd107 100644
--- a/auth/auth_util.c
+++ b/auth/auth_util.c
@@ -26,26 +26,28 @@
 struct auth_session_info *copy_session_info(TALLOC_CTX *mem_ctx,
 					    const struct auth_session_info *src)
 {
+	TALLOC_CTX *frame = talloc_stackframe();
 	struct auth_session_info *dst;
 	DATA_BLOB blob;
 	enum ndr_err_code ndr_err;
 
 	ndr_err = ndr_push_struct_blob(
 		&blob,
-		talloc_tos(),
+		frame,
 		src,
 		(ndr_push_flags_fn_t)ndr_push_auth_session_info);
 	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
 		DBG_ERR("copy_session_info(): ndr_push_auth_session_info "
 			"failed: %s\n",
 			ndr_errstr(ndr_err));
+		TALLOC_FREE(frame);
 		return NULL;
 	}
 
 	dst = talloc(mem_ctx, struct auth_session_info);
 	if (dst == NULL) {
 		DBG_ERR("talloc failed\n");
-		TALLOC_FREE(blob.data);
+		TALLOC_FREE(frame);
 		return NULL;
 	}
 
@@ -54,15 +56,16 @@ struct auth_session_info *copy_session_info(TALLOC_CTX *mem_ctx,
 		dst,
 		dst,
 		(ndr_pull_flags_fn_t)ndr_pull_auth_session_info);
-	TALLOC_FREE(blob.data);
 
 	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
 		DBG_ERR("copy_session_info(): ndr_pull_auth_session_info "
 			"failed: %s\n",
 			ndr_errstr(ndr_err));
 		TALLOC_FREE(dst);
+		TALLOC_FREE(frame);
 		return NULL;
 	}
 
+	TALLOC_FREE(frame);
 	return dst;
 }
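Review bot: dropping the standalone `TALLOC_FREE(blob.data)` is correct only because `blob` is now a child of `frame` and is released by the `TALLOC_FREE(frame)` calls that follow; the pull is done with `dst` as both the memory context and the target (`ndr_pull_struct_blob(&blob, dst, dst, ...)`), so `dst` owns its own copies and nothing in it references `blob.data` once the frame goes away. Worth a one-line comment above the final `TALLOC_FREE(frame)` stating that, so a later reader does not assume `dst` still points into the frame.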
diff --git a/auth/credentials/tests/bind.py b/auth/credentials/tests/bind.py
index a256a930a8a..68ea99ed894 100755
--- a/auth/credentials/tests/bind.py
+++ b/auth/credentials/tests/bind.py
@@ -92,7 +92,8 @@ class BindTests(samba.tests.TestCase):
         # this test to detect when the LDAP DN is being double-parsed
         # but must be in the user at realm style to allow the account to
         # be created
-        self.ldb.add_ldif("""
+        try:
+            self.ldb.add_ldif("""
 dn: """ + self.virtual_user_dn + """
 cn: frednurk@""" + self.realm + """
 displayName: Fred Nurk
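Review bot: the `except LdbError as e` branch that closes this new `try` requires `LdbError` to be imported into this module (`from ldb import LdbError`); the import is not visible in the hunk, so confirm it is already present, otherwise a failing add_ldif() will surface as a NameError instead of the intended self.fail() message.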
@@ -105,13 +106,21 @@ objectClass: person
 objectClass: top
 objectClass: user
 """)
+        except LdbError as e:
+            (num, msg) = e.args
+            self.fail(f"Failed to create e-mail user: {msg}")
+
         self.addCleanup(delete_force, self.ldb, self.virtual_user_dn)
-        self.ldb.modify_ldif("""
+        try:
+            self.ldb.modify_ldif("""
 dn: """ + self.virtual_user_dn + """
 changetype: modify
 replace: unicodePwd
 unicodePwd:: """ + base64.b64encode(u"\"P at ssw0rd\"".encode('utf-16-le')).decode('utf8') + """
 """)
+        except LdbError as e:
+            (num, msg) = e.args
+            self.fail(f"Failed to set password on e-mail user: {msg}")
 
         self.ldb.enable_account('distinguishedName=%s' % self.virtual_user_dn)
 
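Review bot: in both new `except LdbError as e` branches `num` is unpacked from `e.args` but never used; either include it in the failure text (e.g. `self.fail(f"Failed to set password on e-mail user ({num}): {msg}")`) so the LDB error code shows up in test output, or unpack only `msg` to avoid the unused variable.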
diff --git a/auth/gensec/gensec_util.c b/auth/gensec/gensec_util.c
index e411751c3af..1075b9fde87 100644
--- a/auth/gensec/gensec_util.c
+++ b/auth/gensec/gensec_util.c
@@ -25,6 +25,8 @@
 #include "auth/gensec/gensec_internal.h"
 #include "auth/common_auth.h"
 #include "../lib/util/asn1.h"
+#include "param/param.h"
+#include "libds/common/roles.h"
 
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_AUTH
@@ -48,10 +50,27 @@ NTSTATUS gensec_generate_session_info_pac(TALLOC_CTX *mem_ctx,
 	session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS;
 
 	if (!pac_blob) {
-		if (gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) {
-			DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access\n",
-				  principal_string));
-			return NT_STATUS_ACCESS_DENIED;
+		enum server_role server_role =
+			lpcfg_server_role(gensec_security->settings->lp_ctx);
+
+		/*
+		 * For any domain setup (DC or member) we require having
+		 * a PAC, as the service ticket comes from an AD DC,
+		 * which will always provide a PAC, unless
+		 * UF_NO_AUTH_DATA_REQUIRED is configured for our
+		 * account, but that's just an invalid configuration,
+		 * the admin configured for us!
+		 *
+		 * As a legacy case, we still allow kerberos tickets from an MIT
+		 * realm, but only in standalone mode. In that mode we'll only
+		 * ever accept a kerberos authentication with a keytab file
+		 * being explicitly configured via the 'keytab method' option.
+		 */
+		if (server_role != ROLE_STANDALONE) {
+			DBG_WARNING("Unable to find PAC in ticket from %s, "
+				    "failing to allow access\n",
+				    principal_string);
+			return NT_STATUS_NO_IMPERSONATION_TOKEN;
 		}
 		DBG_NOTICE("Unable to find PAC for %s, resorting to local "
 			   "user lookup\n", principal_string);
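Review bot: this hunk silently stops consulting the `gensec:require_pac` setting; an administrator who set it is now ignored in either direction (the check is enforced on every non-standalone role regardless), so that should be called out in WHATSNEW and the option documented as no longer honoured. The failure status also changes from NT_STATUS_ACCESS_DENIED to NT_STATUS_NO_IMPERSONATION_TOKEN, so any caller that maps the old status to a specific protocol error should be checked. Finally, `gensec_security->settings->lp_ctx` is dereferenced unconditionally here; make sure every caller of gensec_generate_session_info_pac() supplies settings with a non-NULL lp_ctx.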
diff --git a/auth/ntlmssp/ntlmssp_server.c b/auth/ntlmssp/ntlmssp_server.c
index 001238278d7..939aa0ef4aa 100644
--- a/auth/ntlmssp/ntlmssp_server.c
+++ b/auth/ntlmssp/ntlmssp_server.c
@@ -799,7 +799,7 @@ static void ntlmssp_server_auth_done(struct tevent_req *subreq)
 	struct gensec_security *gensec_security = state->gensec_security;
 	struct gensec_ntlmssp_context *gensec_ntlmssp = state->gensec_ntlmssp;
 	struct auth4_context *auth_context = gensec_security->auth_context;
-	uint8_t authoritative = 0;
+	uint8_t authoritative = 1;
 	NTSTATUS status;
 
 	status = auth_context->check_ntlm_password_recv(subreq,
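Review bot: changing the initial value to `authoritative = 1` means that if `check_ntlm_password_recv()` returns without touching the flag the result is treated as authoritative, i.e. the code now fails closed instead of allowing whatever fallback a zero value enables; that is the safer default, but a comment on this line explaining why the default is `1` would help, and the recv path should be checked to confirm it still sets `0` explicitly for the genuinely non-authoritative case.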
diff --git a/docs-xml/smbdotconf/security/mindomainuid.xml b/docs-xml/smbdotconf/security/mindomainuid.xml
new file mode 100644
index 00000000000..46ae795d730
--- /dev/null
+++ b/docs-xml/smbdotconf/security/mindomainuid.xml
@@ -0,0 +1,17 @@
+<samba:parameter name="min domain uid"
+                 type="integer"
+                 context="G"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+  <para>
+    The integer parameter specifies the minimum uid allowed when mapping a
+    local account to a domain account.
+  </para>
+
+  <para>
+    Note that this option interacts with the configured <emphasis>idmap ranges</emphasis>!
+  </para>
+</description>
+
+<value type="default">1000</value>
+</samba:parameter>
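Review bot: the description never says what happens when a mapping produces a uid below the minimum, which is the whole point of the parameter; state the consequence (the mapping is refused) so administrators understand it is a security boundary and not a cosmetic limit. "The integer parameter specifies" should read "This integer parameter specifies", and the plain `<emphasis>idmap ranges</emphasis>` would be better as a `<smbconfoption name="idmap config"/>` cross-link, matching the link idmapconfig.xml makes back to this option.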
diff --git a/docs-xml/smbdotconf/security/serverrole.xml b/docs-xml/smbdotconf/security/serverrole.xml
index 9511c61c96d..b8b83a127b5 100644
--- a/docs-xml/smbdotconf/security/serverrole.xml
+++ b/docs-xml/smbdotconf/security/serverrole.xml
@@ -78,6 +78,13 @@
     url="http://wiki.samba.org/index.php/Samba4/HOWTO">Samba4
     HOWTO</ulink></para>
 
+    <para><anchor id="IPA-DC"/><emphasis>SERVER ROLE = IPA DOMAIN CONTROLLER</emphasis></para>
+
+    <para>This mode of operation runs Samba in a hybrid mode for IPA
+    domain controller, providing forest trust to Active Directory.
+    This role requires special configuration performed by IPA installers
+    and should not be used manually by any administrator.
+    </para>
 </description>
 
 <related>security</related>
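Review bot: the new paragraph introduces the role as `SERVER ROLE = IPA DOMAIN CONTROLLER`, but that heading is not the string smb.conf accepts (param_table.c in this same changeset registers `IPA primary domain controller`); the doc should give the exact value to put in `server role =` so an administrator reading the man page can tell which spelling is parsed, even though the text says IPA installers set it.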
diff --git a/docs-xml/smbdotconf/winbind/idmapconfig.xml b/docs-xml/smbdotconf/winbind/idmapconfig.xml
index 1374040fb29..f70f11df757 100644
--- a/docs-xml/smbdotconf/winbind/idmapconfig.xml
+++ b/docs-xml/smbdotconf/winbind/idmapconfig.xml
@@ -80,6 +80,9 @@
 		authoritative for a unix ID to SID mapping, so it must be set
 		for each individually configured domain and for the default
 		configuration. The configured ranges must be mutually disjoint.
+		</para>
+		<para>
+		Note that the low value interacts with the <smbconfoption name="min domain uid"/> option!
 		</para></listitem>
 		</varlistentry>
 
@@ -115,4 +118,5 @@
 	</programlisting>
 	
 </description>
+<related>min domain uid</related>
 </samba:parameter>
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 59e749d9d46..151fe167b26 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2994,6 +2994,10 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 				  "server smb3 encryption algorithms",
 				  DEFAULT_SMB3_ENCRYPTION_ALGORITHMS);
 
+	lpcfg_do_global_parameter(lp_ctx,
+				  "min domain uid",
+				  "1000");
+
 	for (i = 0; parm_table[i].label; i++) {
 		if (!(lp_ctx->flags[i] & FLAG_CMDLINE)) {
 			lp_ctx->flags[i] |= FLAG_DEFAULT;
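Review bot: the `1000` default for `min domain uid` is now recorded twice, here and in `<value type="default">1000</value>` in mindomainuid.xml, with nothing checking they agree; add a comment pointing at the XML (or derive one from the other) to prevent drift, and if the s3 loadparm has its own default table make sure the same value lands there too.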
diff --git a/lib/param/loadparm_server_role.c b/lib/param/loadparm_server_role.c
index 7a6bc770723..a78d1ab9cf3 100644
--- a/lib/param/loadparm_server_role.c
+++ b/lib/param/loadparm_server_role.c
@@ -42,6 +42,7 @@ static const struct srv_role_tab {
 	{ ROLE_DOMAIN_BDC, "ROLE_DOMAIN_BDC" },
 	{ ROLE_DOMAIN_PDC, "ROLE_DOMAIN_PDC" },
 	{ ROLE_ACTIVE_DIRECTORY_DC, "ROLE_ACTIVE_DIRECTORY_DC" },
+	{ ROLE_IPA_DC, "ROLE_IPA_DC"},
 	{ 0, NULL }
 };
 
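Review bot: style nit on `{ ROLE_IPA_DC, "ROLE_IPA_DC"},` in this hunk: the neighbouring entries have a space before the closing brace (`"ROLE_ACTIVE_DIRECTORY_DC" }`), so match that.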
@@ -140,6 +141,7 @@ bool lp_is_security_and_server_role_valid(int server_role, int security)
 	case ROLE_DOMAIN_PDC:
 	case ROLE_DOMAIN_BDC:
 	case ROLE_ACTIVE_DIRECTORY_DC:
+	case ROLE_IPA_DC:
 		if (security == SEC_USER) {
 			valid = true;
 		}
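Review bot: adding ROLE_IPA_DC to the SEC_USER case alongside ROLE_ACTIVE_DIRECTORY_DC is consistent with the lpcfg_sam_name() change in this patch, but every other `switch` over the server role (default `security` selection, anything that decides whether AD DC services start) should be audited for the new enumerator, otherwise an IPA DC silently falls into a `default:` branch written for standalone or member roles.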
diff --git a/lib/param/param_table.c b/lib/param/param_table.c
index d9301152d94..9fac73ef113 100644
--- a/lib/param/param_table.c
+++ b/lib/param/param_table.c
@@ -109,6 +109,7 @@ static const struct enum_list enum_server_role[] = {
 	{ROLE_ACTIVE_DIRECTORY_DC, "active directory domain controller"},
 	{ROLE_ACTIVE_DIRECTORY_DC, "domain controller"},
 	{ROLE_ACTIVE_DIRECTORY_DC, "dc"},
+	{ROLE_IPA_DC, "IPA primary domain controller"},
 	{-1, NULL}
 };
 
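Review bot: the only accepted spelling registered here is `IPA primary domain controller`, which does not match the `IPA DOMAIN CONTROLLER` heading added to serverrole.xml; either add an alias such as `ipa domain controller` in the same style as the `domain controller`/`dc` aliases for ROLE_ACTIVE_DIRECTORY_DC, or make the documentation use this exact string.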
diff --git a/lib/param/util.c b/lib/param/util.c
index cd8e74b9d8f..9a0fc102de8 100644
--- a/lib/param/util.c
+++ b/lib/param/util.c
@@ -255,6 +255,7 @@ const char *lpcfg_sam_name(struct loadparm_context *lp_ctx)
 	case ROLE_DOMAIN_BDC:
 	case ROLE_DOMAIN_PDC:
 	case ROLE_ACTIVE_DIRECTORY_DC:
+	case ROLE_IPA_DC:
 		return lpcfg_workgroup(lp_ctx);
 	default:
 		return lpcfg_netbios_name(lp_ctx);
diff --git a/libcli/netlogon/netlogon.c b/libcli/netlogon/netlogon.c
index 239503e85b6..59af460dc4e 100644
--- a/libcli/netlogon/netlogon.c
+++ b/libcli/netlogon/netlogon.c
@@ -93,7 +93,7 @@ NTSTATUS pull_netlogon_samlogon_response(DATA_BLOB *data, TALLOC_CTX *mem_ctx,
 		if (ndr->offset < ndr->data_size) {
 			TALLOC_FREE(ndr);
 			/*
-			 * We need to handle a bug in FreeIPA (at least <= 4.1.2).
+			 * We need to handle a bug in IPA (at least <= 4.1.2).
 			 *
 			 * They include the ip address information without setting
 			 * NETLOGON_NT_VERSION_5EX_WITH_IP, while using
diff --git a/libds/common/flag_mapping.c b/libds/common/flag_mapping.c
index ddc8ec5c198..020922db659 100644
--- a/libds/common/flag_mapping.c
+++ b/libds/common/flag_mapping.c
@@ -164,3 +164,53 @@ uint32_t ds_uf2prim_group_rid(uint32_t uf)
 
 	return prim_group_rid;
 }
+
+#define FLAG(x) { .name = #x, .uf = x }
+struct {
+	const char *name;
+	uint32_t uf;
+} user_account_control_name_map[] = {
+	FLAG(UF_SCRIPT),
+	FLAG(UF_ACCOUNTDISABLE),
+	FLAG(UF_00000004),
+	FLAG(UF_HOMEDIR_REQUIRED),
+	FLAG(UF_LOCKOUT),
+	FLAG(UF_PASSWD_NOTREQD),
+	FLAG(UF_PASSWD_CANT_CHANGE),
+	FLAG(UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED),
+
+	FLAG(UF_TEMP_DUPLICATE_ACCOUNT),
+	FLAG(UF_NORMAL_ACCOUNT),
+	FLAG(UF_00000400),
+	FLAG(UF_INTERDOMAIN_TRUST_ACCOUNT),
+
+	FLAG(UF_WORKSTATION_TRUST_ACCOUNT),
+	FLAG(UF_SERVER_TRUST_ACCOUNT),
+	FLAG(UF_00004000),
+	FLAG(UF_00008000),
+
+	FLAG(UF_DONT_EXPIRE_PASSWD),
+	FLAG(UF_MNS_LOGON_ACCOUNT),
+	FLAG(UF_SMARTCARD_REQUIRED),
+	FLAG(UF_TRUSTED_FOR_DELEGATION),
+
+	FLAG(UF_NOT_DELEGATED),
+	FLAG(UF_USE_DES_KEY_ONLY),
+	FLAG(UF_DONT_REQUIRE_PREAUTH),
+	FLAG(UF_PASSWORD_EXPIRED),
+	FLAG(UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION),
+	FLAG(UF_NO_AUTH_DATA_REQUIRED),
+	FLAG(UF_PARTIAL_SECRETS_ACCOUNT),
+	FLAG(UF_USE_AES_KEYS)
+};
+
+const char *dsdb_user_account_control_flag_bit_to_string(uint32_t uf)
+{
+	int i;
+	for (i=0; i < ARRAY_SIZE(user_account_control_name_map); i++) {
+		if (uf == user_account_control_name_map[i].uf) {
+			return user_account_control_name_map[i].name;
+		}
+	}
+	return NULL;
+}
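Review bot: `user_account_control_name_map` is declared without `static` or `const`, so it becomes a writable global symbol exported from the library; it should be `static const`. The loop index `int i` compared against ARRAY_SIZE() (a size_t) will trigger a signed/unsigned comparison warning; use `size_t i`. Also the lookup is an exact-equality match, so a combined mask returns NULL; that matches the `_flag_bit_` name, but a comment stating that callers must pass exactly one bit would prevent misuse.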
diff --git a/libds/common/flag_mapping.h b/libds/common/flag_mapping.h
index ae721da894a..f08d5593af6 100644
--- a/libds/common/flag_mapping.h
+++ b/libds/common/flag_mapping.h
@@ -31,5 +31,6 @@ uint32_t ds_uf2atype(uint32_t uf);
 uint32_t ds_gtype2atype(uint32_t gtype);
 enum lsa_SidType ds_atype_map(uint32_t atype);
 uint32_t ds_uf2prim_group_rid(uint32_t uf);
+const char *dsdb_user_account_control_flag_bit_to_string(uint32_t uf);
 
 #endif /* __LIBDS_COMMON_FLAG_MAPPING_H__ */
diff --git a/libds/common/flags.h b/libds/common/flags.h
index d436f2bafd8..75e04b0c488 100644
--- a/libds/common/flags.h
+++ b/libds/common/flags.h
@@ -18,6 +18,8 @@
    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 
+/* Please keep this list in sync with the flag_mapping.c and pydsdb.c */
+


-- 
Samba Shared Repository


