[SCM] Samba Shared Repository - branch master updated
Jule Anger
janger at samba.org
Tue Nov 9 20:38:01 UTC 2021
The branch, master has been updated
via 3121be69cac CVE-2021-3738 s4:rpc_server/samr: make use of dcesrv_samdb_connect_as_*() helper
via 5724868c22e CVE-2021-3738 s4:rpc_server/netlogon: make use of dcesrv_samdb_connect_as_*() helper
via 2a159e6f036 CVE-2021-3738 s4:rpc_server/lsa: make use of dcesrv_samdb_connect_as_user() helper
via 965fe0e9062 CVE-2021-3738 s4:rpc_server/dnsserver: make use of dcesrv_samdb_connect_as_user() helper
via af6151ef122 CVE-2021-3738 s4:rpc_server/drsuapi: make use of assoc_group aware dcesrv_samdb_connect_as_*() helpers
via 897c0e8fc6f CVE-2021-3738 s4:rpc_server/common: provide assoc_group aware dcesrv_samdb_connect_as_{system,user}() helpers
via b173ac586a6 CVE-2021-3738 auth_util: avoid talloc_tos() in copy_session_info()
via b9deab4ca43 CVE-2021-3738 s4:torture/drsuapi: DsBindAssocGroup* tests
via 45315f2284d CVE-2021-3738 s4:torture/drsuapi: maintain priv->admin_credentials
via 73b6ed864e0 CVE-2021-3738 s4:torture/drsuapi: maintain priv->dc_credentials
via 923c80eea96 CVE-2021-3738 s4:torture/drsuapi: don't pass DsPrivate to test_DsBind()
via c17f4256e53 CVE-2016-2124: s3:libsmb: don't fallback to non spnego authentication if we require kerberos
via 93dad333a22 CVE-2016-2124: s4:libcli/sesssetup: don't fallback to non spnego authentication if we require kerberos
via 871d672f51f CVE-2021-23192: dcesrv_core: only the first fragment specifies the auth_contexts
via 9ebc679e768 CVE-2021-23192: python/tests/dcerpc: add tests to check how security contexts relate to fragmented requests
via 44584f97b08 CVE-2021-23192: python/tests/dcerpc: fix do_single_request(send_req=False)
via e21c405163a CVE-2021-23192: python/tests/dcerpc: let generate_request_auth() use g_auth_level in all places
via 47865653161 CVE-2021-23192: python/tests/dcerpc: change assertNotEquals() into assertNotEqual()
via 2f0bc04afe2 CVE-2021-23192: dcesrv_core: add dcesrv_fault_disconnect0() that skips DCERPC_PFC_FLAG_DID_NOT_EXECUTE
via c00e5fc2c64 CVE-2021-23192: dcesrv_core: add better debugging to dcesrv_fault_disconnect()
via 5f463431019 CVE-2020-25722 selftest: Ensure check for duplicate servicePrincipalNames is not bypassed for an add operation
via ae47a730776 CVE-2020-25722 selftest: Add test for duplicate servicePrincipalNames on an add operation
via 262f59a71f5 CVE-2020-25722 pytests: Give computer accounts unique (and valid) sAMAccountNames and SPNs
via 433092d6170 CVE-2020-25719 selftest: Always expect a PAC in TGS replies with Heimdal
via 972f0435bd8 Revert "CVE-2020-25719 heimdal:kdc: Require authdata to be present"
via fa65ceb3dc3 CVE-2020-25718 heimdal:kdc: Add comment about tests for tickets of users not revealed to an RODC
via f5baabd987b CVE-2020-25719 tests/krb5: Add tests for using a ticket with a renamed account
via b8c6fa20f41 CVE-2020-25718 tests/krb5: Only fetch RODC account credentials when necessary
via 756934f14cc CVE-2020-25719 heimdal:kdc: Require PAC to be present
via 4888e198110 CVE-2020-25722 kdc: Do not honour a request for a 3-part SPN (ending in our domain/realm) unless a DC
via 49a13f0fc94 CVE-2020-25719 heimdal:kdc: Verify PAC in TGT provided for user-to-user authentication
via f08e6ac8622 CVE-2020-25719 heimdal:kdc: Check name in request against name in user-to-user TGT
via fd50fecbe99 CVE-2020-25719 heimdal:kdc: Use sname from request rather than user-to-user TGT client name
via f170f1eb498 CVE-2020-25719 heimdal:kdc: Move fetching krbtgt entry to before enctype selection
via a5db5c7fa2b CVE-2020-25719 heimdal:kdc: Check return code
via 1d3548aeffa CVE-2020-25719 s4:kdc: Add KDC support for PAC_REQUESTER_SID PAC buffer
via a3aee582a5c CVE-2020-25722 Ensure the structural objectclass cannot be changed
via 43983170fc8 CVE-2020-25721 auth: Fill in the new HAS_SAM_NAME_AND_SID values
via 05898cfb139 CVE-2020-25719 kdc: Avoid races and multiple DB lookups in s4u2self check
via 80257fa37c4 CVE-2020-25718 kdc: Return ERR_POLICY if RODC krbtgt account is invalid
via b176ddba2a2 CVE-2020-25718 kdc: Confirm the RODC was allowed to issue a particular ticket
via a9ac1f91912 CVE-2020-25718 dsdb: Bring sid_helper.c into common code as rodc_helper.c
via 158765d1f33 CVE-2020-25718 s4-rpc_server: Add in debug messages into RODC processing
via a831ef74c5b CVE-2020-25718 s4-rpc_server: Explain why we use DSDB_SEARCH_SHOW_EXTENDED_DN in RODC access check
via c70710a0483 CVE-2020-25718 s4-rpc_server: Remove unused attributes in RODC check
via 16f96dbb5d4 CVE-2020-25718 s4-rpc_server: Provide wrapper samdb_confirm_rodc_allowed_to_repl_to()
via 60140350432 CVE-2020-25718 s4-rpc_server: Confirm that the RODC has the UF_PARTIAL_SECRETS_ACCOUNT bit
via 8ee6753a6ea CVE-2020-25718 s4-rpc_server: Put msDS-KrbTgtLinkBL and UF_INTERDOMAIN_TRUST_ACCOUNT RODC checks in common
via edd3d61feab CVE-2020-25718 s4-rpc_server: Put RODC reveal/never reveal logic into a single helper function
via cdb5690be40 CVE-2020-25718 s4-rpc_server: Obtain the user tokenGroups earlier
via 4796b0a5c1d CVE-2020-25718 s4-rpc_server: Change sid list functions to operate on a array of struct dom_sid
via 19719003af1 CVE-2020-25718 kdc: Remove unused samba_kdc_get_pac_blob()
via bacb51d0d3a CVE-2020-25719 heimdal:kdc: Require authdata to be present
via 2f9245f2a54 CVE-2020-25719 s4:kdc: Add KDC support for PAC_ATTRIBUTES_INFO PAC buffer
via 0db5c69d296 CVE-2020-25719 s4:kdc: Check if the pac is valid before updating it
via 01df6559ee6 CVE-2020-25719 s4:kdc: Add samba_kdc_validate_pac_blob()
via 87a769fc0a9 CVE-2020-25719 s4:kdc: Remove trailing spaces in pac-glue.c
via 41a36191f67 CVE-2020-25719 mit_samba: Create the talloc context earlier
via bdf07fc4211 CVE-2020-25719 mit_samba: The samba_princ_needs_pac check should be on the server entry
via 435719185c3 CVE-2020-25719 mit-samba: Rework PAC handling in kdb_samba_db_sign_auth_data()
via 2903a50523a CVE-2020-25719 mit-samba: Handle no DB entry in mit_samba_get_pac()
via 61fa866449e CVE-2020-25719 mit-samba: Add mit_samba_princ_needs_pac()
via d14a6a88464 CVE-2020-25719 mit-samba: If we use client_princ, always lookup the db entry
via 4ef445a1f37 CVE-2020-25719 mit-samba: Add ks_free_principal()
via d0fb22ee85e CVE-2020-25719 mit-samba: Make ks_get_principal() internally public
via deccd0dc5e4 CVE-2020-25722 pytest: Raise an error when adding a dynamic test that would overwrite an existing test
via fa4c9bcefde CVE-2020-25719 s4/torture: Expect additional PAC buffers
via a461b7d4f8c CVE-2020-25719 tests/krb5: Add tests for mismatched names with user-to-user
via 26480ba2aa9 CVE-2020-25719 tests/krb5: Add test for user-to-user with no sname
via 7ff05eb8d44 CVE-2020-25719 tests/krb5: Add tests for requester SID PAC buffer
via 2e1e57fca84 CVE-2020-25719 tests/krb5: Add tests for PAC-REQUEST padata
via b8c85fe81c4 CVE-2020-25719 tests/krb5: Add tests for PAC attributes buffer
via 72f82d949a3 CVE-2020-25719 tests/krb5: Add expected parameters to cache key for obtaining tickets
via 8752b83bb98 CVE-2020-25719 tests/krb5: Add EXPECT_PAC environment variable to expect pac from all TGS tickets
via 42405aa46be CVE-2020-25719 tests/krb5: Add testing for PAC_TYPE_REQUESTER_SID PAC buffer
via 58455c48761 CVE-2020-25719 tests/krb5: Add testing for PAC_TYPE_ATTRIBUTES_INFO PAC buffer
via 40a3f71818b CVE-2020-25719 tests/krb5: Add _modify_tgt() method for modifying already obtained tickets
via 2158ba1eb08 CVE-2020-25719 tests/krb5: Extend _get_tgt() method to allow more modifications to tickets
via e647186c144 CVE-2020-25719 tests/krb5: tests/krb5: Adjust expected error code for S4U2Self no-PAC tests
via 924f3231887 CVE-2020-25719 tests/krb5: Adjust expected error codes for user-to-user tests
via faf47b0b6b6 CVE-2020-25719 tests/krb5: Adjust PAC tests to prepare for new PAC_ATTRIBUTES_INFO buffer
via a236e2cc255 CVE-2020-25719 tests/krb5: Use correct credentials for user-to-user tests
via 9602594585d CVE-2020-25719 tests/krb5: Return ticket from _tgs_req()
via 21298ddfc5d CVE-2020-25719 tests/krb5: Expect 'renew-till' element when renewing a TGT
via 383bedd6fdd CVE-2020-25719 tests/krb5: Don't expect a kvno for user-to-user
via dd251f26df6 CVE-2020-25719 tests/krb5: Allow update_pac_checksums=True if the PAC is not present
via 336dfc32075 CVE-2020-25719 tests/krb5: Provide expected parameters for both AS-REQs in get_tgt()
via f4ed37ad6aa CVE-2020-25719 krb5pac.idl: Add PAC_REQUESTER_SID PAC buffer type
via 6ec80380dc9 CVE-2020-25719 krb5pac.idl: Add PAC_ATTRIBUTES_INFO PAC buffer type
via 2249143fe3d CVE-2020-25718 tests/krb5: Fix indentation
via 72840a972bc CVE-2020-25722 selftest: Adapt ldap.py tests to new objectClass restrictions
via 5fe2633b2a8 CVE-2020-25722 s4/dsdb/util: remove unused dsdb_get_single_valued_attr()
via b9962c1e5e4 CVE-2020-25722 s4/dsdb/pwd_hash: rework pwdLastSet bypass
via 59201d5424a CVE-2020-25722 s4/dsdb/pwd_hash: password_hash_bypass gets all values
via ed9ec0b0813 CVE-2020-25722 s4/dsdb/samldb: samldb_fsmo_role_owner_check() wants one value
via 280c07f58ab CVE-2020-25722 s4/dsdb/samldb: samldb_fsmo_role_owner_check checks values
via ecb2c3a80cc CVE-2020-25722 s4/dsdb/samldb: samldb_service_principal_names_change checks values
via d120204012c CVE-2020-25722 s4/dsdb/samldb: samldb_group_type_change() checks all values
via 4fb4136a84b CVE-2020-25722 s4/dsdb/samldb: samldb_lockout_time() checks all values
via 1e0176cf653 CVE-2020-25722 s4/dsdb/samldb: samldb_pwd_last_set_change() checks all values
via 74623b644d6 CVE-2020-25722 s4/dsdb/samldb _user_account_control_change() always add final value
via bdfcea484ef CVE-2020-25722 s4/dsdb/samldb: samldb_user_account_control_change() checks all values
via 87382e198f7 CVE-2020-25722 s4/dsdb/samldb: samldb_prim_group_change() checks all values
via e4762f4c018 CVE-2020-25722 s4/dsdb/samldb: samldb_schema_add_handle_mapiid() checks all values
via 2a73827583e CVE-2020-25722 s4/dsdb/samldb: samldb_schema_add_handle_linkid() checks all values
via 4d50fe2ff2a CVE-2020-25722 s4/dsdb/samldb: samldb_sam_accountname_valid_check() check all values
via c24a41342f0 CVE-2020-25722 s4/dsdb/samldb: samldb_get_single_valued_attr() check all values
via 8abf90a3ef5 CVE-2020-25722 s4/dsdb modules: add dsdb_get_expected_new_values()
via 13377f0b59e CVE-2020-25722 s4/dsdb/samldb: reject SPN with too few/many components
via 9235617c637 CVE-2020-25722 s4/dsdb/samldb: check for SPN uniqueness, including aliases
via 510378f94a6 CVE-2020-25722 s4/dsdb/samldb: check sAMAccountName for illegal characters
via 45a4a198b81 CVE-2020-25722 s4/dsdb/samldb: check for clashes in UPNs/samaccountnames
via b6f4d931d08 CVE-2020-25722 s4/dsdb/samldb: unique_attr_check uses samldb_get_single_valued_attr()
via efbf0b77d00 CVE-2020-25722 s4/dsdb/samldb: add samldb_get_single_valued_attr() helper
via ce2930d2d2d CVE-2020-25722 s4/cracknames: add comment pointing to samldb spn handling
via 11540375af1 CVE-2020-25722 pytest: test setting servicePrincipalName over ldap
via df34c11cbc7 CVE-2020-25722 pytest: test sAMAccountName/userPrincipalName over ldap
via 55752c12cf1 CVE-2020-25722 blackbox/upgrades tests: ignore SPN for ldapcmp
via 0a555cf097a CVE-2020-25722 s4/provision: add host/ SPNs at the start
via 8cde2370905 CVE-2020-25722 tests: blackbox samba-tool spn non-admin test
via 72a2c21f3f5 CVE-2020-25722 samba-tool spn add: remove --force option
via 7243bd7d388 CVE-2020-25722 samba-tool spn: accept -H for database url
via 5a79fca9682 CVE-2020-25722 s4/cracknames: lookup_spn_alias doesn't need krb5 context
via c7e3617cc36 CVE-2020-25722 s4/dsdb/cracknames: always free tmp_ctx in spn_alias
via b919246c552 CVE-2020-25722 pytest: assertRaisesLdbError invents a message if you're lazy
via de24916a820 CVE-2020-25722 pytests: add reverse lookup dict for LDB error codes
via 2c4aee1145d CVE-2020-25722 Check for all errors from acl_check_extended_right() in acl_check_spn()
via 42eb5fee22a CVE-2020-25722 Check all elements in acl_check_spn() not just the first one
via 8da6d0bf6f5 CVE-2020-25722: s4-acl: Make sure Control Access Rights honor the Applies-to attribute
via 6121f31c0e1 CVE-2020-25722: s4-acl: test Control Access Rights honor the Applies-to attribute
via 48e3cf96511 CVE-2020-25722 s4:dsdb:tests: Add missing self.fail() calls
via 62d1cb4c196 CVE-2020-25722 Add test for SPN deletion followed by addition
via 757f1d20e4b CVE-2020-25717: s3:auth: simplify make_session_info_krb5() by removing unused arguments
via e8bb009009c CVE-2020-25717: s3:auth: simplify get_user_from_kerberos_info() by removing the unused logon_info argument
via 2609e4297e0 CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() reject a PAC in standalone mode
via 3ed0e5b924f CVE-2020-25717: selftest: configure 'ktest' env with winbindd and idmap_autorid
via 566c2b296dd CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() delegate everything to make_server_info_wbcAuthUserInfo()
via c4ddf939e0e CVE-2020-25717: s3:ntlm_auth: let ntlm_auth_generate_session_info_pac() base the name on the PAC LOGON_INFO only
via bd8d06ff155 CVE-2020-25717: s3:ntlm_auth: fix memory leaks in ntlm_auth_generate_session_info_pac()
via 935feff8e54 CVE-2020-25719 CVE-2020-25717: s4:auth: remove unused auth_generate_session_info_principal()
via e2d271cb6bc CVE-2020-25719 CVE-2020-25717: auth/gensec: always require a PAC in domain mode (DC or member)
via e2d5b4d7092 CVE-2020-25717: Add FreeIPA domain controller role
via 57abb7f8f88 CVE-2020-25717: s3:auth: don't let create_local_token depend on !winbind_ping()
via 52190982de1 CVE-2020-25717: s3:lib: add lp_allow_trusted_domains() logic to is_allowed_domain()
via 8f79ee99a6a CVE-2020-25717: s3:auth: remove fallbacks in smb_getpwnam()
via dd0423bfbbc CVE-2020-25717: s3:auth: no longer let check_account() autocreate local users
via 28fae9c2215 CVE-2020-25717: s3:auth: we should not try to autocreate the guest account
via 4b78ad7346c CVE-2020-25717: s3:auth: Check minimum domain uid
via 97d54027910 CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() forward the low level errors
via 14b9f905da1 CVE-2020-25717: selftest: Add a test for the new 'min domain uid' parameter
via 6771b2f211f CVE-2020-25717: selftest: Add ad_member_no_nss_wb environment
via b39b698cdac CVE-2020-25717: loadparm: Add new parameter "min domain uid"
via 79a6616cbe7 CVE-2020-25717: auth/ntlmssp: start with authoritative = 1
via 27d20fc335c CVE-2020-25717: s3:auth: start with authoritative = 1
via 4cda41677cc CVE-2020-25717: s3:rpcclient: start with authoritative = 1
via cc32b2464a7 CVE-2020-25717: s3:torture: start with authoritative = 1
via cc6d63100cd CVE-2020-25717: s3:ntlm_auth: start with authoritative = 1
via 76ec5f94091 CVE-2020-25717: s4:auth_simple: start with authoritative = 1
via 9a235158141 CVE-2020-25717: s4:smb_server: start with authoritative = 1
via 6aedd965e16 CVE-2020-25717: s4:torture: start with authoritative = 1
via 0e23000f278 CVE-2020-25717: s4:auth/ntlm: make sure auth_check_password() defaults to r->out.authoritative = true
via 05587361498 CVE-2020-25717: s3:winbindd: make sure we default to r->out.authoritative = true
via b4ea50f8b27 CVE-2020-25719 CVE-2020-25717 tests/krb5: Adapt tests for connecting without a PAC to new error codes
via f9b16272d28 CVE-2020-25719 CVE-2020-25717: selftest: remove "gensec:require_pac" settings
via 9fe1b719e1b CVE-2020-25719 CVE-2020-25717 tests/krb5: Add tests for connecting to services anonymously and without a PAC
via 903ab1a0277 CVE-2020-25721 tests/krb5: Add tests for extended PAC_UPN_DNS_INFO PAC buffer
via 24be2048348 CVE-2020-25719 tests/krb5: Add tests for including authdata without a PAC
via 3af0c36a063 CVE-2020-25718 tests/krb5: Add tests for RODC-printed and invalid TGTs
via 7f7476b08cb CVE-2020-25719 tests/krb5: Add principal aliasing test
via 48e5154de64 CVE-2020-25719 tests/krb5: Add a test for making an S4U2Self request without a PAC
via bd87905cf1b CVE-2020-25719 tests/krb5: Add tests for requiring and issuing a PAC
via 3f7b971d376 CVE-2020-25721 ndrdump: Add tests for PAC with UPN_DNS_INFO
via 89c88a83daf CVE-2020-25722 tests/krb5: Add KDC tests for 3-part SPNs
via 4125650a27c CVE-2020-25719 CVE-2020-25717 tests/krb5: Allow create_ccache_with_user() to return a ticket without a PAC
via 873ac6d814c CVE-2020-25719 CVE-2020-25717 tests/krb5: Refactor create_ccache_with_user() to take credentials of target service
via 23dc0cbd53e CVE-2020-25721 tests/krb5: Check PAC buffer types when STRICT_CHECKING=0
via 4ac05264a76 MS CVE-2020-17049 tests/krb5: Allow tests to pass if ticket signature checksum type is wrong
via dbedf5b6e26 CVE-2020-25719 tests/krb5: Add method to get unique username for test accounts
via 4a792ad92d6 CVE-2020-25719 tests/krb5: Add is_tgt() helper method
via 43df8d0b2ea CVE-2020-25722 tests/krb5: Allow creating server accounts
via 06168fd4e3d CVE-2020-25719 CVE-2020-25717 tests/krb5: Add pac_request parameter to get_service_ticket()
via ff6631ecdcb CVE-2020-25719 CVE-2020-25717 tests/krb5: Modify get_service_ticket() to use _generic_kdc_exchange()
via f7f49db7222 CVE-2020-25718 tests/krb5: Allow tests accounts to replicate to RODC
via 558f440f206 CVE-2020-25721 krb5pac: Add new buffers for samAccountName and objectSID
via ccd94963bd3 CVE-2020-25722 selftest/user_account_control: more work to cope with UAC/objectclass defaults and lock
via b001f91668a CVE-2020-25722 selftest/user_account_control: Allow a broader set of possible errors
via adfae12584c CVE-2020-25722 selftest: Allow self.assertRaisesLdbError() to take a list of errors to match with
via 56eff305cff CVE-2020-25722 selftest: adapt ldap.py/sam.py test_all tests to new default computer behaviour
via 66986eefc65 CVE-2020-25722 selftest: Adapt sam.py test to userAccountControl/objectclass restrictions
via 6c03fb656d4 CVE-2020-25722 selftest: New objects of objectclass=computer are workstations by default now
via 756f116b0ec CVE-2020-25722 selftest: Adjust sam.py test_userAccountControl_computer_add_trust to new reality
via 4150264ce0b CVE-2020-25722 selftest: Split test_userAccountControl into unit tests
via 0b06e9a5a58 CVE-2020-25722 samdb: Fill in isCriticalSystemObject on any account type change
via 55cc9324b48 CVE-2020-25722 selftest: Adapt sam.py test_isCriticalSystemObject to new UF_WORKSTATION_TRUST_ACCOUNT default
via 53d0e5d31e0 CVE-2020-25722 dsdb: Add restrictions on computer accounts without a trailing $
via adf628000fb CVE-2020-25722 dsdb: samldb_objectclass_trigger() is only called on ADD, so remove indentation
via c77f9cbaee0 CVE-2020-25722 selftest: Adapt selftest to restriction on swapping account types
via dc08915834a CVE-2020-25722 selftest/priv_attrs: Mention that these knownfails are OK (for now)
via a00c525a4e0 CVE-2020-25722 dsdb: Prohibit mismatch between UF_ account types and objectclass.
via 6a8f03c5274 CVE-2020-25722 dsdb: Add tests for modifying objectClass, userAccountControl and sAMAccountName
via 9c3259e5030 CVE-2020-25722 dsdb: Improve privileged and unprivileged tests for objectclass/dollar/UAC
via e5b94eea6a9 CVE-2020-25722 dsdb: objectclass computer becomes UF_WORKSTATION_TRUST by default
via 755e8a53ce0 CVE-2020-25722 selftest: Catch errors from samdb.modify() in user_account_control tests
via 63eb24f0925 CVE-2020-25722 selftest: Catch possible errors in PasswordSettingsTestCase.test_pso_none_applied()
via 0d804cfd077 CVE-2020-25722 selftest: allow for future failures in BindTests.test_virtual_email_account_style_bind
via 23983fb50b4 CVE-2020-25722 selftest: Test combinations of account type and objectclass for creating a user
via 2bdff65b333 CVE-2020-25722 selftest: Extend priv_attrs test - work around UF_NORMAL_ACCOUNT rules on Windows 2019 (requires |UF_PASSWD_NOTREQD or a password) - extend to also cover the sensitive UF_TRUSTED_FOR_DELEGATION
via f478aecc45e CVE-2020-25722 dsdb: Restrict the setting of privileged attributes during LDAP add/modify
via 9ef9746bca7 CVE-2020-25722 dsdb: Move krbtgt password setup after the point of checking if any passwords are changed
via 93e5902369c CVE-2020-25722 dsdb: Tests for our known set of privileged attributes
from f4cad8b2bc3 smbd: check lp_load_printers before reload via NetShareEnum
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 3121be69cac7748d1cb01273c0d09fab2fe726a0
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Aug 5 14:24:40 2021 +0200
CVE-2021-3738 s4:rpc_server/samr: make use of dcesrv_samdb_connect_as_*() helper
This avoids a crash that's triggered by windows clients using
handles from samr_Connect*() across multiple connections within
an association group.
In other cases it is not strictly required, but it makes it easier to audit that
source4/rpc_server no longer calls samdb_connect() directly and also
improves the auditing for the dcesrv_samdb_connect_as_system() case.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Jule Anger <janger at samba.org>
Autobuild-Date(master): Tue Nov 9 20:37:30 UTC 2021 on sn-devel-184
commit 5724868c22eb2ecd6d58fd167f315699ede53043
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Aug 5 15:09:04 2021 +0200
CVE-2021-3738 s4:rpc_server/netlogon: make use of dcesrv_samdb_connect_as_*() helper
This is not strictly required, but it makes it easier to audit that
source4/rpc_server no longer calls samdb_connect() directly and
also improves auditing for the dcesrv_samdb_connect_as_system() case.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 2a159e6f036db497bd976e2d165db5c187a09cf6
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Aug 5 14:24:25 2021 +0200
CVE-2021-3738 s4:rpc_server/lsa: make use of dcesrv_samdb_connect_as_user() helper
This avoids a crash that's triggered by windows clients using
handles from OpenPolicy[2]() across multiple connections within
an association group.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 965fe0e906263bffd6fb994263e51a8435f155d5
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Aug 5 14:22:47 2021 +0200
CVE-2021-3738 s4:rpc_server/dnsserver: make use of dcesrv_samdb_connect_as_user() helper
This is not strictly required, but it makes it easier to audit that
source4/rpc_server no longer calls samdb_connect() directly.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit af6151ef122a4f452d486e541626c2a1feacb369
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Aug 5 13:31:29 2021 +0200
CVE-2021-3738 s4:rpc_server/drsuapi: make use of assoc_group aware dcesrv_samdb_connect_as_*() helpers
This avoids a crash that's triggered by windows clients using
DsCrackNames across multiple connections within an association group
on the same DsBind context(policy) handle.
It also improves the auditing for the dcesrv_samdb_connect_as_system() case.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 897c0e8fc6fe9a9323f3ff657dc4245a7249c6fd
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Aug 5 14:22:32 2021 +0200
CVE-2021-3738 s4:rpc_server/common: provide assoc_group aware dcesrv_samdb_connect_as_{system,user}() helpers
We already had dcesrv_samdb_connect_as_system(), but it uses the per
connection memory of auth_session_info and remote_address.
But in order to use the samdb connection on a per association group
context/policy handle, we need to make copies, which last for the
whole lifetime of the 'samdb' context.
We need the same logic also for all cases we make use of
almost the same logic where we want to create a samdb context
on behalf of the authenticated user (without allowing system access),
so we introduce dcesrv_samdb_connect_as_user().
In the end we need to replace all direct callers to samdb_connect()
from source4/rpc_server.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit b173ac586a688c2c3c6e75b02952e939fd0d4698
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Aug 5 13:30:41 2021 +0200
CVE-2021-3738 auth_util: avoid talloc_tos() in copy_session_info()
We want to use this also in code without existing
stackframe.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit b9deab4ca43a2d08bed6950c05a57a7b2c7557bd
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Aug 5 11:26:16 2021 +0200
CVE-2021-3738 s4:torture/drsuapi: DsBindAssocGroup* tests
This adds a reproducer for an invalid memory access, when
using the context handle from DsBind across multiple connections
within an association group.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 45315f2284d9971d0b9e63b61bfdeab5e9589b54
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Aug 5 10:34:06 2021 +0200
CVE-2021-3738 s4:torture/drsuapi: maintain priv->admin_credentials
This will be used in the next commits.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 73b6ed864e084814e0a39c1d16c6217ba0ca26dd
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Aug 5 09:58:37 2021 +0200
CVE-2021-3738 s4:torture/drsuapi: maintain priv->dc_credentials
We want to use the credentials of the joined dc account
in future tests.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 923c80eea96e725bdfc9e91f854f459bbaa8954f
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Aug 5 11:24:26 2021 +0200
CVE-2021-3738 s4:torture/drsuapi: don't pass DsPrivate to test_DsBind()
This will make it easier to reuse.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit c17f4256e53229bd100f7bdcbc77620a64446326
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Oct 27 10:40:28 2016 +0200
CVE-2016-2124: s3:libsmb: don't fallback to non spnego authentication if we require kerberos
We should not send NTLM[v2] nor plaintext data on the wire if the user
asked for kerberos only.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12444
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit 93dad333a22a3b46217072333491b87621db01f5
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Nov 24 09:12:59 2016 +0100
CVE-2016-2124: s4:libcli/sesssetup: don't fallback to non spnego authentication if we require kerberos
We should not send NTLM[v2] data on the wire if the user asked for kerberos
only.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12444
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit 871d672f51fa8de6b2a4feee2039b76654e6aad2
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Nov 16 14:15:06 2020 +0100
CVE-2021-23192: dcesrv_core: only the first fragment specifies the auth_contexts
All other fragments blindly inherit it.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Samuel Cabrero <scabrero at samba.org>
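The commit above fixes how a DCE/RPC server ties the security context to a request that arrives as several fragments. The following is an added illustration written for this page, not Samba's dcesrv_core code: a toy reassembler in which the auth context is pinned by the fragment carrying PFC_FIRST_FRAG and every later fragment of the same call_id inherits it; a continuation that declares a different context is rejected and the pending call is dropped. The Fragment, AuthContext and Reassembler classes and the reassemble() helper are constructed here; only the two PFC flag values are taken from the DCE/RPC header format.

```python
"""Toy model of fragment reassembly that binds the security context of a
DCE/RPC request to its first fragment (added example, not Samba code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# PFC flag bits from the connection-oriented DCE/RPC common header.
PFC_FIRST_FRAG = 0x01
PFC_LAST_FRAG = 0x02


@dataclass(frozen=True)
class AuthContext:
    """Fields from the auth trailer that identify a security context."""
    auth_type: int
    auth_level: int
    context_id: int


@dataclass
class Fragment:
    """One PDU of a (possibly fragmented) request; constructed for the demo."""
    call_id: int
    pfc_flags: int
    stub: bytes
    auth: Optional[AuthContext] = None  # parsed auth trailer, if present


class FragmentMismatch(Exception):
    """A continuation fragment disagrees with the call it belongs to."""


@dataclass
class PendingCall:
    call_id: int
    auth: Optional[AuthContext]  # fixed by the first fragment, never changed
    stub: bytearray = field(default_factory=bytearray)


class Reassembler:
    def __init__(self) -> None:
        self.pending: Dict[int, PendingCall] = {}

    def feed(self, frag: Fragment):
        """Consume one fragment. Returns (auth, stub) when the call is complete."""
        if frag.pfc_flags & PFC_FIRST_FRAG:
            if frag.call_id in self.pending:
                raise FragmentMismatch("duplicate first fragment for call")
            # Only the first fragment is allowed to specify the auth context.
            call = PendingCall(frag.call_id, frag.auth)
            self.pending[frag.call_id] = call
        else:
            call = self.pending.get(frag.call_id)
            if call is None:
                raise FragmentMismatch("continuation without a first fragment")
            # Later fragments inherit the pinned context; a trailer that names
            # another context is treated as an attempt to switch identity.
            if frag.auth is not None and frag.auth != call.auth:
                del self.pending[frag.call_id]
                raise FragmentMismatch("auth context changed mid-request")
        call.stub += frag.stub
        if frag.pfc_flags & PFC_LAST_FRAG:
            del self.pending[frag.call_id]
            return call.auth, bytes(call.stub)
        return None


def reassemble(frags: List[Fragment]) -> Tuple[str, object]:
    """Run a fragment sequence through a fresh Reassembler and classify it."""
    r = Reassembler()
    try:
        for f in frags:
            done = r.feed(f)
            if done is not None:
                return ("complete", done)
        return ("incomplete", len(r.pending))
    except FragmentMismatch as e:
        return ("rejected", str(e))


if __name__ == "__main__":
    ctx = AuthContext(auth_type=9, auth_level=6, context_id=1)   # constructed
    other = AuthContext(auth_type=9, auth_level=6, context_id=2)  # constructed
    print(reassemble([Fragment(7, PFC_FIRST_FRAG, b"ab", ctx),
                      Fragment(7, PFC_LAST_FRAG, b"cd", ctx)]))
    print(reassemble([Fragment(8, PFC_FIRST_FRAG, b"ab", ctx),
                      Fragment(8, PFC_LAST_FRAG, b"cd", other)]))
```

The rejection path deliberately discards the whole pending call rather than just the offending fragment, so a partially assembled stub can never be executed under a context other than the one its first fragment was authenticated with.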
commit 9ebc679e76803e41861b9901d69fee41d3ce9a0f
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Nov 17 18:14:46 2020 +0100
CVE-2021-23192: python/tests/dcerpc: add tests to check how security contexts relate to fragmented requests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Samuel Cabrero <scabrero at samba.org>
commit 44584f97b088796818aaaa721cf317541116d506
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Nov 17 17:43:06 2020 +0100
CVE-2021-23192: python/tests/dcerpc: fix do_single_request(send_req=False)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Samuel Cabrero <scabrero at samba.org>
commit e21c405163a119af496b6801c31f38dd33e4da93
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Nov 17 09:50:58 2020 +0100
CVE-2021-23192: python/tests/dcerpc: let generate_request_auth() use g_auth_level in all places
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Samuel Cabrero <scabrero at samba.org>
commit 478656531610ea35c860a769f2309592f7561bcb
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Nov 11 16:59:06 2020 +0100
CVE-2021-23192: python/tests/dcerpc: change assertNotEquals() into assertNotEqual()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Samuel Cabrero <scabrero at samba.org>
commit 2f0bc04afe27af91901c66b2f4220129cabaf8a7
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Nov 13 11:27:19 2020 +0100
CVE-2021-23192: dcesrv_core: add dcesrv_fault_disconnect0() that skips DCERPC_PFC_FLAG_DID_NOT_EXECUTE
That makes the callers much simpler and allows better debugging.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Samuel Cabrero <scabrero at samba.org>
commit c00e5fc2c646ef56a457d3850fb4a6e4d8d45294
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Nov 13 11:25:41 2020 +0100
CVE-2021-23192: dcesrv_core: add better debugging to dcesrv_fault_disconnect()
It's better to see the location that triggered the fault.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Samuel Cabrero <scabrero at samba.org>
commit 5f4634310196c6b2c8b097ad41f949a0cccf0ec6
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Nov 2 21:00:00 2021 +1300
CVE-2020-25722 selftest: Ensure check for duplicate servicePrincipalNames is not bypassed for an add operation
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
If one of the objectClass checks passed, samldb_add() could return
through one of the samldb_fill_*() functions and skip the
servicePrincipalName uniqueness checking.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
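The commit above concerns an add operation that could return early through an objectClass-specific fill path and skip the servicePrincipalName uniqueness check. The following is an added example written for this page, not Samba's samldb module: a small in-memory directory whose add_object() performs SPN syntax and uniqueness checks before any objectClass-specific defaulting, so no class-specific path can bypass them. The directory structure, LdbError codes, the simplified two-or-three-component SPN rule and the sample entries are constructed here; the UF_WORKSTATION_TRUST_ACCOUNT value 0x1000 is the real flag bit.

```python
"""Illustrative SPN validation on LDAP add (added example, not Samba code)."""
from typing import Dict, List, Tuple

UF_WORKSTATION_TRUST_ACCOUNT = 0x1000  # real userAccountControl bit

Entry = Dict[str, List[str]]
Directory = Dict[str, Entry]


class LdbError(Exception):
    """Mimics an LDB error with a symbolic code (constructed names)."""
    def __init__(self, code: str, msg: str) -> None:
        super().__init__(f"{code}: {msg}")
        self.code = code


def validate_spn_syntax(spn: str) -> None:
    # Assumed simplified rule: 'service/host' or 'service/host/name',
    # every component non-empty. Too few or too many parts is rejected.
    parts = spn.split("/")
    if not 2 <= len(parts) <= 3 or any(p == "" for p in parts):
        raise LdbError("ERR_CONSTRAINT_VIOLATION", f"malformed SPN {spn!r}")


def check_spn_uniqueness(db: Directory, dn: str, spns: List[str]) -> None:
    # SPNs are compared case-insensitively; any other object already
    # holding one of the requested names makes the add fail.
    wanted = {s.lower() for s in spns}
    for other_dn, attrs in db.items():
        if other_dn.lower() == dn.lower():
            continue
        held = {s.lower() for s in attrs.get("servicePrincipalName", [])}
        clash = wanted & held
        if clash:
            raise LdbError("ERR_CONSTRAINT_VIOLATION",
                           f"SPN {sorted(clash)[0]!r} already held by {other_dn}")


def add_object(db: Directory, dn: str, attrs: Entry) -> Entry:
    if dn in db:
        raise LdbError("ERR_ENTRY_ALREADY_EXISTS", dn)
    spns = attrs.get("servicePrincipalName", [])
    # Both SPN checks run unconditionally, before any objectClass handling.
    for spn in spns:
        validate_spn_syntax(spn)
    check_spn_uniqueness(db, dn, spns)
    # Only now does class-specific defaulting happen (the step that the
    # commit text says could previously return before the SPN check).
    entry: Entry = {k: list(v) for k, v in attrs.items()}
    classes = {c.lower() for c in attrs.get("objectClass", [])}
    if "computer" in classes:
        entry.setdefault("userAccountControl", [str(UF_WORKSTATION_TRUST_ACCOUNT)])
    db[dn] = entry
    return entry


def try_add(db: Directory, dn: str, attrs: Entry) -> Tuple[str, str]:
    """Return ('ok', dn) or ('error', code) so callers can assert on it."""
    try:
        add_object(db, dn, attrs)
        return ("ok", dn)
    except LdbError as e:
        return ("error", e.code)


def sample_directory() -> Directory:
    # Constructed starting state: one existing computer account.
    return {
        "CN=HOST1,CN=Computers,DC=example,DC=test": {
            "objectClass": ["computer"],
            "servicePrincipalName": ["host/host1.example.test"],
        }
    }


if __name__ == "__main__":
    db = sample_directory()
    print(try_add(db, "CN=HOST2,CN=Computers,DC=example,DC=test",
                  {"objectClass": ["computer"],
                   "servicePrincipalName": ["HOST/host1.example.test"]}))
    print(try_add(db, "CN=HOST2,CN=Computers,DC=example,DC=test",
                  {"objectClass": ["computer"],
                   "servicePrincipalName": ["host/host2.example.test"]}))
```

The point of the ordering in add_object() is structural: validation that protects a global invariant (no two objects share an SPN) belongs before, not inside, the per-objectClass branches, because every new branch added later would otherwise have to remember to call it.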
commit ae47a7307766014e637e4a539c96316cf0f09108
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Nov 2 21:21:17 2021 +1300
CVE-2020-25722 selftest: Add test for duplicate servicePrincipalNames on an add operation
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit 262f59a71f5488dcb8b9a3c5fafdcf21b30affca
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Nov 2 14:11:27 2021 +0100
CVE-2020-25722 pytests: Give computer accounts unique (and valid) sAMAccountNames and SPNs
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit 433092d61705bdfb3124be94f6d881214b9432ba
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Nov 2 14:02:14 2021 +1300
CVE-2020-25719 selftest: Always expect a PAC in TGS replies with Heimdal
This is tested in other places already, but this ensures a global
check that a TGS-REP has a PAC, regardless.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit 972f0435bd8b1f0db1f98954692bc58b10631d27
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Nov 2 14:52:22 2021 +1300
Revert "CVE-2020-25719 heimdal:kdc: Require authdata to be present"
This reverts an earlier commit that was incorrect.
It is not Samba practice to include a revert, but at this point in
the patch preparation the ripple through the knownfail files is
more trouble than can be justified.
It is not correct to refuse to parse all tickets with no authorization
data, only for the KDC to require that a PAC is found, which is done
in "heimdal:kdc: Require PAC to be present"
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit fa65ceb3dc3469019ec801d0a2a2272ae32308ed
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 29 15:53:33 2021 +1300
CVE-2020-25718 heimdal:kdc: Add comment about tests for tickets of users not revealed to an RODC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14886
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit f5baabd987bbe71bbf37277e11f51f03372c28f1
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 29 15:07:07 2021 +1300
CVE-2020-25719 tests/krb5: Add tests for using a ticket with a renamed account
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit b8c6fa20f41a65fcaa9bb09a6316df97da07ee79
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 29 15:43:28 2021 +1300
CVE-2020-25718 tests/krb5: Only fetch RODC account credentials when necessary
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 756934f14cc87dc1adfd9315672ae5d49cb24d95
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 29 14:35:52 2021 +1300
CVE-2020-25719 heimdal:kdc: Require PAC to be present
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14686
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 4888e198110a811a1815e2fdffc7562fe979f477
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Oct 4 15:18:34 2021 +1300
CVE-2020-25722 kdc: Do not honour a request for a 3-part SPN (ending in our domain/realm) unless a DC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14776
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit 49a13f0fc942d1cfb767d5b6bf49d62241d52046
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Oct 27 15:52:06 2021 +1300
CVE-2020-25719 heimdal:kdc: Verify PAC in TGT provided for user-to-user authentication
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit f08e6ac86226dcd939fd0e40b6f7dc80c5c00e79
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Oct 27 15:51:58 2021 +1300
CVE-2020-25719 heimdal:kdc: Check name in request against name in user-to-user TGT
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit fd50fecbe99ae4fc63843c796d0a516731a1fe6a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Oct 27 13:50:03 2021 +1300
CVE-2020-25719 heimdal:kdc: Use sname from request rather than user-to-user TGT client name
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit f170f1eb4989d7f337eed0f45a558fe5231ea367
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Oct 26 20:34:44 2021 +1300
CVE-2020-25719 heimdal:kdc: Move fetching krbtgt entry to before enctype selection
This allows us to use it when validating user-to-user.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit a5db5c7fa2bdf5c651f77749b4e79c515d164e4f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Oct 27 13:53:25 2021 +1300
CVE-2020-25719 heimdal:kdc: Check return code
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 1d3548aeffa2ec136f7cdece112a127241d8be13
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Oct 26 20:42:41 2021 +1300
CVE-2020-25719 s4:kdc: Add KDC support for PAC_REQUESTER_SID PAC buffer
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit a3aee582a5c94b3d4de5edd0e9e5a0367addacbd
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Oct 20 11:36:58 2021 +1300
CVE-2020-25722 Ensure the structural objectclass cannot be changed
If the structural objectclass is allowed to change, then the restrictions
locking an object to remaining a user or computer will not be enforceable.
Likewise other LDAP inheritance rules, which allow only certain
child objects can be bypassed, which can in turn allow creation of
(unprivileged) users where only DNS objects were expected.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14889
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit 43983170fc8671f7c0f0a0a6e1f8a82d9dbc2b60
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Sep 27 12:10:02 2021 +1300
CVE-2020-25721 auth: Fill in the new HAS_SAM_NAME_AND_SID values
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14835
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit 05898cfb139ae0674c8251acc9d64c4c3d4c8376
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Oct 8 08:29:51 2021 +1300
CVE-2020-25719 kdc: Avoid races and multiple DB lookups in s4u2self check
Looking up the DB twice is subject to a race and is a poor
use of resources, so instead just pass in the record we
already got when trying to confirm that the server in
S4U2Self is the same as the requesting client.
The client record has already been bound to the
original client by the SID check in the PAC.
Likewise by looking up server only once we ensure
that the keys looked up originally are in the record
we confirm the SID for here.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14686
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit 80257fa37c49138fb1af0a910a3ea41954096c11
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Oct 4 12:43:13 2021 +1300
CVE-2020-25718 kdc: Return ERR_POLICY if RODC krbtgt account is invalid
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit b176ddba2a2e3ec9e74e0b6b40b12d1a1139bdf5
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Oct 1 16:14:37 2021 +1300
CVE-2020-25718 kdc: Confirm the RODC was allowed to issue a particular ticket
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit a9ac1f919127cf91a08dd3c20bbeda27af980aef
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Oct 1 15:59:28 2021 +1300
CVE-2020-25718 dsdb: Bring sid_helper.c into common code as rodc_helper.c
These common routines will assist the KDC to do the same access
checking as the RPC servers need to do regarding which accounts
a RODC can act with regard to.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit 158765d1f33daf19396cb063473c3a132b15a7fc
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Oct 1 15:57:41 2021 +1300
CVE-2020-25718 s4-rpc_server: Add in debug messages into RODC processing
These are added for the uncommon cases.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit a831ef74c5b2982c108cc16dae9b116e9658dcb8
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Oct 1 14:31:00 2021 +1300
CVE-2020-25718 s4-rpc_server: Explain why we use DSDB_SEARCH_SHOW_EXTENDED_DN in RODC access check
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit c70710a0483e500f03e59df4dd759e6033975c15
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Oct 1 12:29:49 2021 +1300
CVE-2020-25718 s4-rpc_server: Remove unused attributes in RODC check
In particular the objectGUID is no longer used, and in the NETLOGON case
the special case for msDS-KrbTgtLink does not apply.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit 16f96dbb5d4b2262c5ba85fb32a479f0cb66ed23
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Oct 1 12:25:30 2021 +1300
CVE-2020-25718 s4-rpc_server: Provide wrapper samdb_confirm_rodc_allowed_to_repl_to()
This shares the lookup of the tokenGroups attribute.
There will be a new caller that does not want to do this step,
so this is a wrapper of samdb_confirm_rodc_allowed_to_repl_to_sid_list()
rather than part of it.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit 601403504325f2f0e241da0a4eb3e390e73f3c08
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Oct 1 12:01:12 2021 +1300
CVE-2020-25718 s4-rpc_server: Confirm that the RODC has the UF_PARTIAL_SECRETS_ACCOUNT bit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit 8ee6753a6ea782050b5b722ce1ac63a275a94f7c
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Oct 1 11:55:11 2021 +1300
CVE-2020-25718 s4-rpc_server: Put msDS-KrbTgtLinkBL and UF_INTERDOMAIN_TRUST_ACCOUNT RODC checks in common
While these checks were not in the NETLOGON case, there is no sense where
an RODC should be resetting a bad password count on either a
UF_INTERDOMAIN_TRUST_ACCOUNT or a RODC krbtgt account.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit edd3d61feabf2530c9dc2caff98bfbb5f0a2bd1a
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Oct 1 11:38:16 2021 +1300
CVE-2020-25718 s4-rpc_server: Put RODC reveal/never reveal logic into a single helper function
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit cdb5690be40f6f6c5e5809783c4a364785f85a6e
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Oct 1 11:09:48 2021 +1300
CVE-2020-25718 s4-rpc_server: Obtain the user tokenGroups earlier
This will allow the creation of a common helper routine that
takes the token SID list (from tokenGroups or struct auth_user_info_dc)
and returns the allowed/denied result.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit 4796b0a5c1d3948642d17eef9f72d364f0e29de3
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Oct 1 10:47:29 2021 +1300
CVE-2020-25718 s4-rpc_server: Change sid list functions to operate on a array of struct dom_sid
This is instead of an array of struct dom_sid *.
The reason is that auth_user_info_dc has an array of struct dom_sid
(the user token) and for checking if an RODC should be allowed
to print a particular ticket, we want to reuse that rather
than reconstruct it via tokenGroups.
This also avoids a lot of memory allocation.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit 19719003af110c6ed664970cddb353d60805ba91
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Sep 30 14:55:06 2021 +1300
CVE-2020-25718 kdc: Remove unused samba_kdc_get_pac_blob()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit bacb51d0d3acd529de4e3315ed2f04eeac4829d5
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Oct 18 15:07:58 2021 +1300
CVE-2020-25719 heimdal:kdc: Require authdata to be present
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14686
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 2f9245f2a549bd89829d7807ec525c54ff61f8e5
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Oct 26 20:41:31 2021 +1300
CVE-2020-25719 s4:kdc: Add KDC support for PAC_ATTRIBUTES_INFO PAC buffer
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 0db5c69d2961fbc538b7bd47373f9d00215fd5a2
Author: Andreas Schneider <asn at samba.org>
Date: Mon Aug 9 17:20:31 2021 +0200
CVE-2020-25719 s4:kdc: Check if the pac is valid before updating it
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 01df6559ee6ba86110878da094a3badb50fb75d5
Author: Andreas Schneider <asn at samba.org>
Date: Mon Aug 9 17:19:45 2021 +0200
CVE-2020-25719 s4:kdc: Add samba_kdc_validate_pac_blob()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 87a769fc0a9cdc75f2f79f5cc8072efa95ff4437
Author: Andreas Schneider <asn at samba.org>
Date: Fri Aug 6 12:03:49 2021 +0200
CVE-2020-25719 s4:kdc: Remove trailing spaces in pac-glue.c
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 41a36191f671d4e7e172da6b50ca07c3530ff561
Author: Andreas Schneider <asn at samba.org>
Date: Mon Aug 9 17:25:53 2021 +0200
CVE-2020-25719 mit_samba: Create the talloc context earlier
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit bdf07fc4211a123b2fe914050d2cb221e0c4a55b
Author: Andreas Schneider <asn at samba.org>
Date: Mon Aug 9 17:22:52 2021 +0200
CVE-2020-25719 mit_samba: The samba_princ_needs_pac check should be on the server entry
This does the same check as the hdb plugin now. The client check is already
done earlier.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 435719185c3c80539eb3041becf1ec18bcd99bac
Author: Andreas Schneider <asn at samba.org>
Date: Mon Jul 12 14:00:19 2021 +0200
CVE-2020-25719 mit-samba: Rework PAC handling in kdb_samba_db_sign_auth_data()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 2903a50523a80e6de37ff0e052734e9170d147c9
Author: Andreas Schneider <asn at samba.org>
Date: Mon Jul 12 13:58:57 2021 +0200
CVE-2020-25719 mit-samba: Handle no DB entry in mit_samba_get_pac()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 61fa866449e1f804b6118ccefdc9cbbc648ed625
Author: Andreas Schneider <asn at samba.org>
Date: Mon Jul 12 13:12:00 2021 +0200
CVE-2020-25719 mit-samba: Add mit_samba_princ_needs_pac()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit d14a6a8846493438dca2f974a3a5d5e00a414d72
Author: Andreas Schneider <asn at samba.org>
Date: Mon Jul 12 11:20:29 2021 +0200
CVE-2020-25719 mit-samba: If we use client_princ, always lookup the db entry
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 4ef445a1f37e77df8016d240fcf22927165b8c03
Author: Andreas Schneider <asn at samba.org>
Date: Wed Jul 14 14:51:34 2021 +0200
CVE-2020-25719 mit-samba: Add ks_free_principal()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
[abartlet at samba.org As submitted in patch to Samba bugzilla
to address this issue as https://attachments.samba.org/attachment.cgi?id=16724
on overall bug https://bugzilla.samba.org/show_bug.cgi?id=14725]
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit d0fb22ee85ee4baeba5eec5f7332e752e27765e0
Author: Andreas Schneider <asn at samba.org>
Date: Mon Jul 12 12:32:12 2021 +0200
CVE-2020-25719 mit-samba: Make ks_get_principal() internally public
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit deccd0dc5e41a86722e41883bb8788f70797aa5f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Oct 27 19:18:20 2021 +1300
CVE-2020-25722 pytest: Raise an error when adding a dynamic test that would overwrite an existing test
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit fa4c9bcefdeed0a7106aab84df20b02435febc1f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 29 11:00:38 2021 +1300
CVE-2020-25719 s4/torture: Expect additional PAC buffers
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit a461b7d4f8c07b2fc64243c99a2c334ab9e73721
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Oct 26 21:09:32 2021 +1300
CVE-2020-25719 tests/krb5: Add tests for mismatched names with user-to-user
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 26480ba2aa9834a24f1ea11ae3f8e2d7ed0ccfd8
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Oct 26 21:06:58 2021 +1300
CVE-2020-25719 tests/krb5: Add test for user-to-user with no sname
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 7ff05eb8d44ed7bd7d71227ba42f0fddf09cd0ed
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Oct 26 21:04:25 2021 +1300
CVE-2020-25719 tests/krb5: Add tests for requester SID PAC buffer
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 2e1e57fca84ba7c8f68a1a2d64f49f9f2c4b80c0
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Oct 26 21:19:44 2021 +1300
CVE-2020-25719 tests/krb5: Add tests for PAC-REQUEST padata
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit b8c85fe81c4e95dab1b9a679d0d3e3d27e4f8ed9
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Oct 26 21:02:08 2021 +1300
CVE-2020-25719 tests/krb5: Add tests for PAC attributes buffer
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 72f82d949a3ee0889f358a586484248f8386b744
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Oct 27 11:18:36 2021 +1300
CVE-2020-25719 tests/krb5: Add expected parameters to cache key for obtaining tickets
If multiple calls to get_tgt() or get_service_ticket() specify different
expected parameters, we want to perform the request again so that the
checking can be performed, rather than reusing a previously obtained
ticket and potentially skipping checks.
It should be fine to cache tickets with the same expected parameters, as
tickets that fail to be obtained will not be stored in the cache, so the
checking will happen for every call.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 8752b83bb98792579b7705d0ce1bd0fb9321043e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Oct 26 20:47:24 2021 +1300
CVE-2020-25719 tests/krb5: Add EXPECT_PAC environment variable to expect pac from all TGS tickets
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 42405aa46be210af0ffdd6ecc9e43e41fc8c4c83
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Oct 26 20:51:13 2021 +1300
CVE-2020-25719 tests/krb5: Add testing for PAC_TYPE_REQUESTER_SID PAC buffer
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 58455c4876113173e682e9b321b8a175779b8a43
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Oct 26 20:50:09 2021 +1300
CVE-2020-25719 tests/krb5: Add testing for PAC_TYPE_ATTRIBUTES_INFO PAC buffer
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 40a3f71818b7c9923d31050f05ac24fe7b7f70c4
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Oct 27 10:25:08 2021 +1300
CVE-2020-25719 tests/krb5: Add _modify_tgt() method for modifying already obtained tickets
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 2158ba1eb0800ba9429a9891d7af47d82985b73d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Oct 26 21:12:12 2021 +1300
CVE-2020-25719 tests/krb5: Extend _get_tgt() method to allow more modifications to tickets
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit e647186c144748b6e1672cea2ae37c7f93760984
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Oct 26 21:08:34 2021 +1300
CVE-2020-25719 tests/krb5: Adjust expected error code for S4U2Self no-PAC tests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 924f323188774fabbb8fc1a08d24c1be51b37708
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Oct 26 21:20:51 2021 +1300
CVE-2020-25719 tests/krb5: Adjust expected error codes for user-to-user tests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit faf47b0b6b6037e2059cb4871c3e99020a3f605a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Oct 26 21:15:53 2021 +1300
CVE-2020-25719 tests/krb5: Adjust PAC tests to prepare for new PAC_ATTRIBUTES_INFO buffer
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit a236e2cc255b98603449e96d7ce94a3e48277c6c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Oct 26 21:14:45 2021 +1300
CVE-2020-25719 tests/krb5: Use correct credentials for user-to-user tests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 9602594585d0a8d5c4fb7bfb419760765b262138
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Oct 26 21:05:08 2021 +1300
CVE-2020-25719 tests/krb5: Return ticket from _tgs_req()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 21298ddfc5d8e4d755cfb7c6ae2068386447f538
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Oct 26 20:51:46 2021 +1300
CVE-2020-25719 tests/krb5: Expect 'renew-till' element when renewing a TGT
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 383bedd6fddb81cbd6d39c41a5c463f432344f5e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Oct 26 20:51:34 2021 +1300
CVE-2020-25719 tests/krb5: Don't expect a kvno for user-to-user
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit dd251f26df6a26b1f6024758ec85ee2df54e6d50
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Oct 26 20:47:53 2021 +1300
CVE-2020-25719 tests/krb5: Allow update_pac_checksums=True if the PAC is not present
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 336dfc32075ed8776378c35506db94c43cce2a88
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Oct 26 20:44:45 2021 +1300
CVE-2020-25719 tests/krb5: Provide expected parameters for both AS-REQs in get_tgt()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit f4ed37ad6aa0359f4799188d2b1d30571c6b42a6
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Oct 26 20:33:49 2021 +1300
CVE-2020-25719 krb5pac.idl: Add PAC_REQUESTER_SID PAC buffer type
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 6ec80380dc9372a896f74e95738b01c046411429
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Oct 26 20:33:38 2021 +1300
CVE-2020-25719 krb5pac.idl: Add PAC_ATTRIBUTES_INFO PAC buffer type
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 2249143fe3dae59648466326c398912d7d61835f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Oct 26 20:56:10 2021 +1300
CVE-2020-25718 tests/krb5: Fix indentation
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 72840a972bcd36b7ab5bbe3713f4b05913215651
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 29 12:20:49 2021 +1300
CVE-2020-25722 selftest: Adapt ldap.py tests to new objectClass restrictions
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 5fe2633b2a8e2d1c38bc61cc0629888c67a7c371
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Thu Oct 21 13:49:28 2021 +1300
CVE-2020-25722 s4/dsdb/util: remove unused dsdb_get_single_valued_attr()
Nobody uses it now. It never really did what it said it did. Almost
every use was wrong. It was a trap.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit b9962c1e5e481191063e75550757c74e63c38039
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Oct 20 17:20:54 2021 +1300
CVE-2020-25722 s4/dsdb/pwd_hash: rework pwdLastSet bypass
This tightens the logic a bit, in that a message with trailing DELETE
elements is no longer accepted when the bypass flag is set. In any case
this is an unlikely scenario as this is an internal flag set by a private
control in pdb_samba_dsdb_replace_by_sam().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 59201d5424a7de44226562af854d5c8cb923f2a3
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Oct 20 17:19:42 2021 +1300
CVE-2020-25722 s4/dsdb/pwd_hash: password_hash_bypass gets all values
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit ed9ec0b0813e0789d45b21dc3b8d4f02d3fb9834
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Thu Oct 21 12:52:07 2021 +1300
CVE-2020-25722 s4/dsdb/samldb: samldb_fsmo_role_owner_check() wants one value
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 280c07f58abb257a3dc4ec991dde9fdf26bd40e4
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Oct 20 17:18:21 2021 +1300
CVE-2020-25722 s4/dsdb/samldb: samldb_fsmo_role_owner_check checks values
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit ecb2c3a80ccdc3d8a1f0d10a8150a27ed9d77209
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Oct 20 17:18:10 2021 +1300
CVE-2020-25722 s4/dsdb/samldb: samldb_service_principal_names_change checks values
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit d120204012ce3df76c14366c89d5bf1daff33d5d
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Oct 20 17:17:50 2021 +1300
CVE-2020-25722 s4/dsdb/samldb: samldb_group_type_change() checks all values
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 4fb4136a84ba98654622ebaff9a1969e17ede5aa
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Oct 20 17:17:31 2021 +1300
CVE-2020-25722 s4/dsdb/samldb: samldb_lockout_time() checks all values
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 1e0176cf65342e36973e1624768bdc214799ebe6
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Oct 20 17:16:34 2021 +1300
CVE-2020-25722 s4/dsdb/samldb: samldb_pwd_last_set_change() checks all values
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 74623b644d61ce02d0f09fe70b2743a790e0375c
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Oct 20 17:15:43 2021 +1300
CVE-2020-25722 s4/dsdb/samldb _user_account_control_change() always add final value
dsdb_get_single_valued_attr() was finding the last non-delete element for
userAccountControl and changing its value to the computed value.
Unfortunately, the last non-delete element might not be the last element,
and a subsequent delete might remove it.
Instead we just add a replace on the end.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit bdfcea484ef3ba868be185b01206ed29fedb1861
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Oct 20 17:15:00 2021 +1300
CVE-2020-25722 s4/dsdb/samldb: samldb_user_account_control_change() checks all values
There is another call to dsdb_get_expected_new_values() in this function
that we change in the next commit.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 87382e198f7883dee81ccac769ae54a6700f4f24
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Oct 20 17:14:05 2021 +1300
CVE-2020-25722 s4/dsdb/samldb: samldb_prim_group_change() checks all values
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit e4762f4c018805e0c3de2d2993a17d90b6683fce
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Oct 20 17:13:35 2021 +1300
CVE-2020-25722 s4/dsdb/samldb: samldb_schema_add_handle_mapiid() checks all values
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 2a73827583e4cc6d28a885508c70975c5f54747b
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Oct 20 17:12:49 2021 +1300
CVE-2020-25722 s4/dsdb/samldb: samldb_schema_add_handle_linkid() checks all values
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 4d50fe2ff2a163856b5ec11ef9e4b53732056973
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Fri Oct 22 14:52:49 2021 +1300
CVE-2020-25722 s4/dsdb/samldb: samldb_sam_accountname_valid_check() check all values
Using dsdb_get_expected_new_values().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit c24a41342f03fbfe92b6d45104b7b6b12c916a1e
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Oct 20 17:10:44 2021 +1300
CVE-2020-25722 s4/dsdb/samldb: samldb_get_single_valued_attr() check all values
using dsdb_get_expected_new_values().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 8abf90a3ef5a9939f4e076a2fa8caa984aa2c412
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Oct 20 17:09:21 2021 +1300
CVE-2020-25722 s4/dsdb modules: add dsdb_get_expected_new_values()
This function collects a superset of all the new values for the specified
attribute that could result from an ldb add or modify message.
In most cases -- where there is a single add or modify -- the exact set
of added values is returned, and this is done reasonably efficiently
using the existing element. Where it gets complicated is when there are
multiple elements for the same attribute in a message. Anything added
before a replace or delete will be included in these results but may not
end up in the database if the message runs its course. Examples:
   sequence          result
1. ADD               the element is returned (exact)
2. REPLACE           the element is returned (exact)
3. ADD, ADD          both elements are concatenated together (exact)
4. ADD, REPLACE      both elements are concatenated together (superset)
5. REPLACE, ADD      both elements are concatenated together (exact)
6. ADD, DEL, ADD     adds are concatenated together (superset)
7. REPLACE, REPLACE  both concatenated (superset)
8. DEL, ADD          last element is returned (exact)
Why this? In the past we have treated dsdb_get_single_valued_attr() as if
it returned the complete set of possible database changes, when in fact it
only returned the last non-delete. That is, it could have missed values
in examples 3-7 above.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
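The eight sequences in this message, worked as an added example (not Samba's code): a Python model of the new superset collection beside the old last-non-delete lookup, plus a small model of how ldb applies a message, used to show which values the old lookup never saw. Element, apply_message, unchecked_values and the sample values are this example's own.

```python
# Added example, not Samba's code: a Python model of the behaviour the
# commit describes, with the old "last non-delete" lookup beside the new
# superset collection, applied to the eight sequences in the message.
# The flag values mirror ldb's LDB_FLAG_MOD_ADD/REPLACE/DELETE.
from dataclasses import dataclass, field

FLAG_MOD_ADD = 1
FLAG_MOD_REPLACE = 2
FLAG_MOD_DELETE = 3


@dataclass
class Element:
    """One element of an ldb modify message: attribute, flag and values."""
    name: str
    flags: int
    values: list = field(default_factory=list)


def _matching(msg, attr):
    """Elements of msg addressing attr (attribute names are case-insensitive)."""
    return [e for e in msg if e.name.lower() == attr.lower()]


def last_non_delete_values(msg, attr):
    """Old behaviour: only the values of the last ADD/REPLACE element."""
    found = None
    for e in _matching(msg, attr):
        if e.flags != FLAG_MOD_DELETE:
            found = e
    return list(found.values) if found is not None else []


def expected_new_values(msg, attr):
    """New behaviour: every value an ADD/REPLACE element could put in the DB."""
    values = []
    for e in _matching(msg, attr):
        if e.flags != FLAG_MOD_DELETE:
            values.extend(e.values)
    return values


def is_exact(msg, attr):
    """True when expected_new_values() is precisely the final set, i.e. no
    ADD/REPLACE is followed by a REPLACE or DELETE that could undo it."""
    els = _matching(msg, attr)
    for i, e in enumerate(els):
        if e.flags == FLAG_MOD_DELETE:
            continue
        if any(later.flags != FLAG_MOD_ADD for later in els[i + 1:]):
            return False
    return True


def apply_message(existing, msg, attr):
    """Model of ldb applying the elements in order: DELETE without values
    clears the attribute, DELETE with values removes just those values."""
    cur = list(existing)
    for e in _matching(msg, attr):
        if e.flags == FLAG_MOD_ADD:
            cur.extend(e.values)
        elif e.flags == FLAG_MOD_REPLACE:
            cur = list(e.values)
        elif e.flags == FLAG_MOD_DELETE:
            cur = [] if not e.values else [v for v in cur if v not in e.values]
    return cur


def unchecked_values(existing, msg, attr, getter):
    """Values that end up in the DB although getter() never returned them:
    a validation built on that getter would have let them through."""
    seen = set(getter(msg, attr))
    return [v for v in apply_message(existing, msg, attr) if v not in seen]


ATTR = "servicePrincipalName"


def _mk(flag, *values):
    return Element(ATTR, flag, list(values))


# The eight sequences from the commit message, with constructed values.
CASES = {
    1: [_mk(FLAG_MOD_ADD, "a")],
    2: [_mk(FLAG_MOD_REPLACE, "a")],
    3: [_mk(FLAG_MOD_ADD, "a"), _mk(FLAG_MOD_ADD, "b")],
    4: [_mk(FLAG_MOD_ADD, "a"), _mk(FLAG_MOD_REPLACE, "b")],
    5: [_mk(FLAG_MOD_REPLACE, "a"), _mk(FLAG_MOD_ADD, "b")],
    6: [_mk(FLAG_MOD_ADD, "a"), _mk(FLAG_MOD_DELETE), _mk(FLAG_MOD_ADD, "b")],
    7: [_mk(FLAG_MOD_REPLACE, "a"), _mk(FLAG_MOD_REPLACE, "b")],
    8: [_mk(FLAG_MOD_DELETE), _mk(FLAG_MOD_ADD, "b")],
}

if __name__ == "__main__":
    for n, msg in CASES.items():
        print(n, expected_new_values(msg, ATTR),
              "exact" if is_exact(msg, ATTR) else "superset",
              "missed by old lookup:",
              unchecked_values([], msg, ATTR, last_non_delete_values))
```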
commit 13377f0b59e28c7e7b7b6fe922f0b1f1e95042f6
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Fri Oct 22 16:03:18 2021 +1300
CVE-2020-25722 s4/dsdb/samldb: reject SPN with too few/many components
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 9235617c637a5ba878dd7d30764326ea58f91e46
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Fri Oct 22 13:14:32 2021 +1300
CVE-2020-25722 s4/dsdb/samldb: check for SPN uniqueness, including aliases
Not only should it not be possible to add a servicePrincipalName that
is already present in the domain, it should not be possible to add one
that is implied by an entry in sPNMappings, unless the user is adding
an alias to another SPN and has rights to alter that one.
For example, with the default sPNMappings, cifs/ is an alias pointing to
host/, meaning if there is no cifs/example.com SPN, the host/example.com
one will be used instead. A user can add the cifs/example.com SPN only
if they can also change the host/example.com one (because adding the
cifs/ effectively changes the host/). The reverse is refused in all cases,
unless they happen to be on the same object. That is, if there is a
cifs/example.com SPN, there is no way to add host/example.com elsewhere.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
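The SPN rules described in this message and the preceding one (plain duplicates, sPNMappings aliases such as cifs/ pointing to host/, and rejecting SPNs with too few or too many components), as an added example that is not Samba's code. It runs over a constructed in-memory directory; the mapping "host=cifs,http" is a constructed subset of the default sPNMappings, and accepting only class/host and class/host/name as well-formed SPNs is an assumption of this example.

```python
# Added example, not Samba's code: a model of the SPN checks the commits
# describe, over a constructed in-memory directory. The mapping
# "host=cifs,http" is a constructed subset of the default sPNMappings;
# treating only class/host and class/host/name as well-formed is assumed.


def parse_spn_mappings(values):
    """sPNMappings values look like 'host=alias1,alias2'; return {alias: target}."""
    alias_to_target = {}
    for value in values:
        target, _, aliases = value.partition("=")
        for alias in aliases.split(","):
            if alias.strip():
                alias_to_target[alias.strip().lower()] = target.strip().lower()
    return alias_to_target


class Directory:
    """Just enough of a directory to hold objects and their SPNs."""

    def __init__(self, spn_mappings):
        self.alias_to_target = parse_spn_mappings(spn_mappings)
        self.spns = {}    # dn -> set of lower-cased SPNs
        self.owner = {}   # lower-cased SPN -> dn holding it

    def add_object(self, dn, spns=()):
        self.spns[dn] = set()
        for spn in spns:
            self.spns[dn].add(spn.lower())
            self.owner[spn.lower()] = dn

    def aliases_of(self, service):
        return [a for a, t in self.alias_to_target.items() if t == service]

    def check_spn_add(self, dn, spn, can_write):
        """None if adding spn to dn is allowed, else the reason for refusal.
        can_write(other_dn) tells whether the caller may modify other_dn."""
        parts = spn.split("/")
        if len(parts) not in (2, 3) or not all(parts):
            return "malformed SPN"          # too few or too many components
        key = spn.lower()
        service, rest = key.split("/", 1)

        # Plain duplicates are refused whatever the caller's rights.
        other = self.owner.get(key)
        if other is not None and other != dn:
            return f"duplicate of SPN on {other}"

        # cifs/x is implied by host/x: the alias may only be added by someone
        # who could also change the object holding the target SPN.
        target = self.alias_to_target.get(service)
        if target is not None:
            implied_owner = self.owner.get(f"{target}/{rest}")
            if implied_owner not in (None, dn) and not can_write(implied_owner):
                return f"implied by {target}/{rest} on {implied_owner}"

        # The reverse never passes: host/x cannot be added while an alias
        # such as cifs/x sits on a different object.
        for alias in self.aliases_of(service):
            alias_owner = self.owner.get(f"{alias}/{rest}")
            if alias_owner not in (None, dn):
                return f"alias {alias}/{rest} exists on {alias_owner}"
        return None


if __name__ == "__main__":
    d = Directory(["host=cifs,http"])
    d.add_object("CN=FS1", ["host/fs1.example.com"])
    d.add_object("CN=Bob")
    print(d.check_spn_add("CN=Bob", "cifs/fs1.example.com", lambda o: False))
```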
commit 510378f94a62313777da09efebf4bf737b23cd55
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Fri Oct 22 15:27:25 2021 +1300
CVE-2020-25722 s4/dsdb/samldb: check sAMAccountName for illegal characters
This is only for the real account name, not the account name implicit in
a UPN. It doesn't matter if a UPN implies an illegal sAMAccountName,
since that is not going to conflict with a real one.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 45a4a198b81740fe4d81e6459ca90e004ef99efc
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Fri Oct 22 13:17:34 2021 +1300
CVE-2020-25722 s4/dsdb/samldb: check for clashes in UPNs/samaccountnames
We already know duplicate sAMAccountNames and UserPrincipalNames are bad,
but we also have to check against the values these imply in each other.
For example, imagine users with SAM account names "Alice" and "Bob" in
the realm "example.com". If they do not have explicit UPNs, by the logic
of MS-ADTS 5.1.1.1.1 they use the implicit UPNs "alice at example.com" and
"bob at example.com", respectively. If Bob's UPN gets set to
"alice at example.com", it will clash with Alice's implicit one.
Therefore we refuse to allow a UPN that implies an existing SAM account
name and vice versa.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
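The Alice/Bob clash from this message, as an added example that is not Samba's code: a model of the implicit-UPN rule (sAMAccountName@realm when no explicit userPrincipalName is set, per MS-ADTS 5.1.1.1.1) and of refusing a UPN that implies an existing sAMAccountName and vice versa, over a constructed in-memory set of accounts. The Accounts class and its method names are this example's own.

```python
# Added example, not Samba's code: a model of the sAMAccountName/UPN clash
# check over a constructed set of accounts. An account without an explicit
# userPrincipalName is treated as having sAMAccountName@realm, as the
# commit message describes; all comparisons are case-insensitive.


class Accounts:
    def __init__(self, realm):
        self.realm = realm.lower()
        self.sam = {}   # dn -> sAMAccountName (lower-cased)
        self.upn = {}   # dn -> explicit userPrincipalName (lower-cased) or None

    def add(self, dn, sam_account_name, upn=None):
        self.sam[dn] = sam_account_name.lower()
        self.upn[dn] = upn.lower() if upn else None

    def effective_upn(self, dn):
        """The explicit UPN, or the implicit one derived from the SAM name."""
        return self.upn[dn] or f"{self.sam[dn]}@{self.realm}"

    def implied_sam(self, upn):
        """sAMAccountName a UPN in our realm implies, None for other realms."""
        user, _, realm = upn.lower().rpartition("@")
        return user if realm == self.realm and user else None

    def check_upn_change(self, dn, new_upn):
        """None if dn may take new_upn, else the reason for refusal."""
        new_upn = new_upn.lower()
        implied = self.implied_sam(new_upn)
        for other in self.sam:
            if other == dn:
                continue
            if self.effective_upn(other) == new_upn:
                return f"clashes with the UPN of {other}"
            if implied is not None and self.sam[other] == implied:
                return f"implies the sAMAccountName of {other}"
        return None

    def check_sam_change(self, dn, new_sam):
        """None if dn may take new_sam, else the reason for refusal."""
        new_sam = new_sam.lower()
        implied_upn = f"{new_sam}@{self.realm}"
        for other in self.sam:
            if other == dn:
                continue
            if self.sam[other] == new_sam:
                return f"duplicate sAMAccountName on {other}"
            if self.effective_upn(other) == implied_upn:
                return f"implied UPN {implied_upn} clashes with {other}"
        return None


if __name__ == "__main__":
    a = Accounts("example.com")
    a.add("CN=Alice", "Alice")
    a.add("CN=Bob", "Bob")
    print(a.check_upn_change("CN=Bob", "alice@example.com"))
```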
commit b6f4d931d088c70c62490fb051ec9ab9f081cd77
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Fri Oct 22 13:16:30 2021 +1300
CVE-2020-25722 s4/dsdb/samldb: unique_attr_check uses samldb_get_single_valued_attr()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit efbf0b77d0050faee15b680e5e908357993d869b
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Fri Oct 22 14:12:25 2021 +1300
CVE-2020-25722 s4/dsdb/samldb: add samldb_get_single_valued_attr() helper
This takes a string of logic out of samldb_unique_attr_check() that we
are going to need in other places, and that would be very tedious to
repeat.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit ce2930d2d2ddcb40b6d44852aa3409ad6d64bedf
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Thu Aug 12 21:53:16 2021 +1200
CVE-2020-25722 s4/cracknames: add comment pointing to samldb spn handling
These need to stay a little bit in sync. The reverse comment is there.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 11540375af181bf41b24ae38daac51e05253d631
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Fri Aug 6 12:03:18 2021 +1200
CVE-2020-25722 pytest: test setting servicePrincipalName over ldap
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit df34c11cbc704270eaccb86fabb16132b37a884f
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Mon Sep 13 14:15:09 2021 +1200
CVE-2020-25722 pytest: test sAMAccountName/userPrincipalName over ldap
Because the sam account name + the dns host name is used as the
default user principal name, we need to check for collisions between
these. Fixes are coming in upcoming patches.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 55752c12cf14b64d981c9a6010ead0fd8d847857
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Thu Oct 28 13:07:01 2021 +1300
CVE-2020-25722 blackbox/upgrades tests: ignore SPN for ldapcmp
We need to have the SPNs there before someone else nabs them, which
makes the re-provisioned old releases different from the reference
versions that we keep for this comparison.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 0a555cf097a5a8d38c7b61edaee838dd0973a989
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Thu Oct 28 09:45:36 2021 +1300
CVE-2020-25722 s4/provision: add host/ SPNs at the start
There are two reasons for this. Firstly, leaving SPNs unclaimed is
dangerous, as someone else could grab them first. Secondly, in some
circumstances (self join) we try to add a DNS/ SPN a little bit later
in provision. Under the rules we are introducing for CVE-2020-25722,
this will make our later attempts to add HOST/ fail.
This causes a few errors in samba4.blackbox.dbcheck.* tests, which
assert that revivified old domains match stored reference versions.
Now they don't, because they have servicePrincipalNames.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 8cde23709050533c0da898ca0a1072bca0845890
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Sep 1 18:35:02 2021 +1200
CVE-2020-25722 tests: blackbox samba-tool spn non-admin test
It is soon going to be impossible to add duplicate SPNs (short of
going behind DSDB's back on the local filesystem). Our test of adding
SPNs on non-admin users doubled as the test for adding a duplicate (using
--force). As --force is gone, we add these tests on Guest after the SPN
on Administrator is gone.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 72a2c21f3f51d1b56b41c9401419b69b2c916ddf
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Fri Aug 27 11:36:42 2021 +1200
CVE-2020-25722 samba-tool spn add: remove --force option
This did not actually *force* the creation of a duplicate SPN, it just
ignored the client-side check for the existing copy. Soon we are going
to enforce SPN uniqueness on the server side, and this --force will not
work. This will make the --force test fail, and if that test fails, so
will others that depend on the duplicate values. So we remove those tests.
It is wrong-headed to try to make duplicate SPNs in any case, which is
probably why there is no sign of anyone ever having used this option.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 7243bd7d388db2dfaa2072f92162d5cee770c6ea
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Jul 28 05:38:50 2021 +0000
CVE-2020-25722 samba-tool spn: accept -H for database url
Following the convention and making testing easier
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 5a79fca9682fe1962317d100b581de0b7b123153
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Tue Aug 10 23:02:36 2021 +0000
CVE-2020-25722 s4/cracknames: lookup_spn_alias doesn't need krb5 context
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit c7e3617cc368bc8c36b4b353e827712b08370e16
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Aug 11 16:56:07 2021 +1200
CVE-2020-25722 s4/dsdb/cracknames: always free tmp_ctx in spn_alias
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit b919246c5523a511ad812c35c1a6b0eb4cc56259
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Sun Oct 24 15:18:05 2021 +1300
CVE-2020-25722 pytest: assertRaisesLdbError invents a message if you're lazy
This makes it easier to convert tests that don't have good messages.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit de24916a82069d4892c052018596e50fdf7e0ca4
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Mon Oct 4 12:56:42 2021 +1300
CVE-2020-25722 pytests: add reverse lookup dict for LDB error codes
You can give ldb_err() a number, an LdbError, or a sequence of
numbers, and it will return the corresponding strings. Examples:

    ldb_err(68)       # "LDB_ERR_ENTRY_ALREADY_EXISTS"
    LDB_ERR_LUT[68]   # "LDB_ERR_ENTRY_ALREADY_EXISTS"

    expected = (ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS,
                ldb.ERR_INVALID_CREDENTIALS)
    try:
        foo()
    except ldb.LdbError as e:
        self.fail(f"got {ldb_err(e)}, expected one of {ldb_err(expected)}")
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 2c4aee1145df27f47a1748964ece490d95908ad3
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Nov 1 17:21:16 2021 +1300
CVE-2020-25722 Check for all errors from acl_check_extended_right() in acl_check_spn()
We should not fail open on error.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit 42eb5fee22a482bc727dfdc1ad3ba1b123e4239a
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Nov 1 17:19:29 2021 +1300
CVE-2020-25722 Check all elements in acl_check_spn() not just the first one
Thankfully we are already in a loop over all the message elements in
acl_modify() so this is an easy and safe change to make.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit 8da6d0bf6f575166126dc3196155ca3fc9004819
Author: Nadezhda Ivanova <nivanova at symas.com>
Date: Mon Oct 18 14:27:59 2021 +0300
CVE-2020-25722: s4-acl: Make sure Control Access Rights honor the Applies-to attribute
Validate Writes and Control Access Rights only grant access if the
object is of the type listed in the Right's appliesTo attribute. For
example, even though a Validated-SPN access may be granted to a user
object in the SD, it should only pass if the object is of class
computer. This patch enforces the appliesTo attribute classes for
access checks from within the ldb stack.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14832
Signed-off-by: Nadezhda Ivanova <nivanova at symas.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 6121f31c0e1553194d74de41ea7bcc55364a2612
Author: Nadezhda Ivanova <nivanova at symas.com>
Date: Mon Oct 25 14:54:56 2021 +0300
CVE-2020-25722: s4-acl: test Control Access Rights honor the Applies-to attribute
Validate Writes and Control Access Rights should only grant access if the
object is of the type listed in the Right's appliesTo attribute.
Tests to verify this behavior
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14832
Signed-off-by: Nadezhda Ivanova <nivanova at symas.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 48e3cf96511607e99c665773b30654c918dfa992
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 8 15:49:31 2021 +1300
CVE-2020-25722 s4:dsdb:tests: Add missing self.fail() calls
Without these calls the tests could pass if an expected error did not
occur.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14832
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
[abartlet at samba.org Included in backport as changing ACLs while
ACL tests are not checking for unexpected success would be bad]
commit 62d1cb4c19670b7d5ad24083931c1b644ead5eac
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Oct 18 14:07:41 2021 +1300
CVE-2020-25722 Add test for SPN deletion followed by addition
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
[abartlet at samba.org Removed transaction hooks, these do nothing over
remote LDAP]
commit 757f1d20e4bcdef20307607a4501fe920270fd6e
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Oct 8 18:03:04 2021 +0200
CVE-2020-25717: s3:auth: simplify make_session_info_krb5() by removing unused arguments
This is only ever called in standalone mode with an MIT realm,
so we don't have a PAC/info3 structure.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit e8bb009009cd68550db814904399163794e3a84a
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Oct 8 17:59:59 2021 +0200
CVE-2020-25717: s3:auth: simplify get_user_from_kerberos_info() by removing the unused logon_info argument
This code is only ever called in standalone mode on an MIT realm,
which means we never have a PAC and we also don't have winbindd around.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 2609e4297e04c93ca5bd1466617c4536faf5be32
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Oct 5 18:12:49 2021 +0200
CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() reject a PAC in standalone mode
We should be strict in standalone mode, that we only support MIT realms
without a PAC in order to keep the code sane.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 3ed0e5b924f77e0f92867cf93892e974e21542e5
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Oct 5 17:14:01 2021 +0200
CVE-2020-25717: selftest: configure 'ktest' env with winbindd and idmap_autorid
The 'ktest' environment was/is designed to test kerberos in an active
directory member setup. It was created at a time we wanted to test
smbd/winbindd with kerberos without having the source4 ad dc available.
This still applies to testing the build with system krb5 libraries
but without relying on a running ad dc.
As a domain member setup requires a running winbindd, we should test it
that way, in order to reflect a valid setup.
As a side effect it provides a way to demonstrate that we can accept
smb connections authenticated via kerberos, but no connection to
a domain controller! In order to get this working offline, we need an
idmap backend with ID_TYPE_BOTH support, so we use 'autorid', which
should be the default choice.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14646
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 566c2b296dd6826491958bf739673ca7b8d75be5
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Oct 4 19:42:20 2021 +0200
CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() delegate everything to make_server_info_wbcAuthUserInfo()
This consolidates the code paths used for NTLMSSP and Kerberos!
I checked what we were already doing for NTLMSSP, which is this:
a) source3/auth/auth_winbind.c calls wbcAuthenticateUserEx()
b) as a domain member we require a valid response from winbindd,
otherwise we'll return NT_STATUS_NO_LOGON_SERVERS
c) we call make_server_info_wbcAuthUserInfo(), which internally
calls make_server_info_info3()
d) auth_check_ntlm_password() calls
smb_pam_accountcheck(unix_username, rhost), where rhost
is only an ipv4 or ipv6 address (without reverse dns lookup)
e) from auth3_check_password_send/auth3_check_password_recv()
server_returned_info will be passed to auth3_generate_session_info(),
triggered by gensec_session_info(), which means we'll call into
create_local_token() in order to transform auth_serversupplied_info
into auth_session_info.
For Kerberos gensec_session_info() will call
auth3_generate_session_info_pac() via the gensec_generate_session_info_pac()
helper function. The current logic is this:
a) gensec_generate_session_info_pac() is the function that
evaluates the 'gensec:require_pac', which defaulted to 'no'
before.
b) auth3_generate_session_info_pac() called
wbcAuthenticateUserEx() in order to pass the PAC blob
to winbindd, but only to prime its cache, e.g. netsamlogon cache
and others. Most failures were just ignored.
c) If the PAC blob is available, it extracted the PAC_LOGON_INFO
from it.
d) Then we called the horrible get_user_from_kerberos_info() function:
- It uses the first part of the ticket's principal name (before the @)
as username and combines that with the 'logon_info->base.logon_domain'
if the logon_info (PAC) is present.
- As a fallback without a PAC it tries to ask winbindd for a mapping
from realm to netbios domain name.
- Finally it falls back to using the realm as netbios domain name
With this information it builds 'userdomain+winbind_separator+useraccount'
and calls map_username() followed by smb_getpwnam() with create=true,
Note this is similar to the make_server_info_info3() => check_account()
=> smb_getpwnam() logic under 3.
- It also calls smb_pam_accountcheck(), but may pass the reverse DNS lookup name
instead of the ip address as rhost.
- It does some MAP_TO_GUEST_ON_BAD_UID logic and auto creates the
guest account.
e) We called create_info3_from_pac_logon_info()
f) make_session_info_krb5() gets called and triggers this:
- If get_user_from_kerberos_info() mapped to guest, it calls
make_server_info_guest()
- If create_info3_from_pac_logon_info() created an info3 from logon_info,
it calls make_server_info_info3()
- Without a PAC it tries pdb_getsampwnam()/make_server_info_sam() with
a fallback to make_server_info_pw()
From there it calls create_local_token()
I tried to change auth3_generate_session_info_pac() to behave similar
to auth_winbind.c together with auth3_generate_session_info() as
a domain member, as we now rely on a PAC:
a) As a domain member we require a PAC and always call wbcAuthenticateUserEx()
and require a valid response!
b) we call make_server_info_wbcAuthUserInfo(), which internally
calls make_server_info_info3(). Note make_server_info_info3()
handles MAP_TO_GUEST_ON_BAD_UID and make_server_info_guest()
internally.
c) Similar to auth_check_ntlm_password() we now call
smb_pam_accountcheck(unix_username, rhost), where rhost
is only an ipv4 or ipv6 address (without reverse dns lookup)
d) From there it calls create_local_token()
As a standalone server (in an MIT realm) we continue
with the already existing code logic, which works without a PAC:
a) we keep smb_getpwnam() with create=true logic as it
also requires an explicit 'add user script' option.
b) In the following commits we assert that there's
actually no PAC in this mode, which means we can
remove unused and confusing code.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14646
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit c4ddf939e0ee2b9ae1af8b2ff8344fc9c7118adf
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Sep 21 12:44:01 2021 +0200
CVE-2020-25717: s3:ntlm_auth: let ntlm_auth_generate_session_info_pac() base the name on the PAC LOGON_INFO only
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit bd8d06ff155fb831cd8d487eabfbc69743d12252
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Sep 21 12:27:28 2021 +0200
CVE-2020-25717: s3:ntlm_auth: fix memory leaks in ntlm_auth_generate_session_info_pac()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 935feff8e54cef9b379f653a3198a5bbd3a64989
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Oct 11 23:17:19 2021 +0200
CVE-2020-25719 CVE-2020-25717: s4:auth: remove unused auth_generate_session_info_principal()
We'll require a PAC at the main gensec layer already.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit e2d271cb6bcd292f786664f055cde41c32002804
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Oct 5 18:11:57 2021 +0200
CVE-2020-25719 CVE-2020-25717: auth/gensec: always require a PAC in domain mode (DC or member)
AD domains always provide a PAC unless UF_NO_AUTH_DATA_REQUIRED is set
on the service account, which can only be explicitly configured,
but that's an invalid configuration!
We still try to support standalone servers in an MIT realm,
as legacy setup.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
[jsutton at samba.org Removed knownfail entries]
commit e2d5b4d709293b52112d078d6fcde95593d790c5
Author: Alexander Bokovoy <ab at samba.org>
Date: Wed Nov 11 18:50:45 2020 +0200
CVE-2020-25717: Add FreeIPA domain controller role
As we want to reduce use of 'classic domain controller' role but FreeIPA
relies on it internally, add a separate role to mark FreeIPA domain
controller role.
It means that role won't result in ROLE_STANDALONE.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Alexander Bokovoy <ab at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 57abb7f8f8884f52f1d194c5c74e067aecd0d3dd
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Oct 4 18:03:55 2021 +0200
CVE-2020-25717: s3:auth: don't let create_local_token depend on !winbind_ping()
We always require a running winbindd on a domain member, so
we should better fail a request instead of silently altering
the behaviour, which results in a different unix token, just
because winbindd might be restarted.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 52190982de134fb55abce76def0609651e45012e
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Sep 21 13:13:52 2021 +0200
CVE-2020-25717: s3:lib: add lp_allow_trusted_domains() logic to is_allowed_domain()
is_allowed_domain() is a central place we already use to
trigger NT_STATUS_AUTHENTICATION_FIREWALL_FAILED, so
we can add additional logic there.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 8f79ee99a6a3390ccb409ac1b5f543488e7bd784
Author: Ralph Boehme <slow at samba.org>
Date: Fri Oct 8 12:33:16 2021 +0200
CVE-2020-25717: s3:auth: remove fallbacks in smb_getpwnam()
So far we tried getpwnam("DOMAIN\account") first and
always did a fallback to getpwnam("account") completely
ignoring the domain part, this just causes problems
as we mix "DOMAIN1\account", "DOMAIN2\account",
and "account"!
As we require a running winbindd for domain member setups
we should no longer do a fallback to just "account" for
users served by winbindd!
Users of the local SAM don't use this code path,
as check_sam_security() doesn't call check_account().
The only case where smb_getpwnam("account") happens is
when map_username() via ("username map [script]") mapped
"DOMAIN\account" to something without '\', but that is
explicitly desired by the admin.
Note: use 'git show -w'
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Ralph Boehme <slow at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit dd0423bfbbce2d9f1f8a62c21cf612e5c755b616
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Oct 8 18:08:20 2021 +0200
CVE-2020-25717: s3:auth: no longer let check_account() autocreate local users
So far we autocreated local user accounts based on just the
account_name (just ignoring any domain part).
This only happens via a possible 'add user script',
which is not typically defined on domain members
and on NT4 DCs local users already exist in the
local passdb anyway.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 28fae9c2215698e465201b6ad27eb9eeb55c906a
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Oct 8 17:40:30 2021 +0200
CVE-2020-25717: s3:auth: we should not try to autocreate the guest account
We should avoid autocreation of users as much as possible.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 4b78ad7346c7128142a65ce6d6625d3d28116882
Author: Samuel Cabrero <scabrero at samba.org>
Date: Tue Sep 28 10:45:11 2021 +0200
CVE-2020-25717: s3:auth: Check minimum domain uid
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
[abartlet at samba.org Removed knownfail on advice from metze]
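Added illustration (not Samba's code) of the two mapping rules described in the smb_getpwnam() commit above and the 'min domain uid' commit: a domain-qualified name is never retried as a bare local name, and a domain user below the uid floor gets no unix token. The lookup tables are constructed, and the floor's semantics (reject domain users whose uid is below it) are an assumption.

```python
"""Model of the domain-user to unix-account mapping hardened by the
CVE-2020-25717 patches: no fallback from "DOMAIN\\account" to a bare
"account" lookup, plus a 'min domain uid' floor for domain users.
Added illustration, not Samba's code; all tables are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Passwd:
    name: str
    uid: int
    gid: int


# Constructed: what winbindd would answer for domain-qualified names.
WINBIND_USERS = {
    "DOMAIN1\\alice": Passwd("DOMAIN1\\alice", 10001, 10000),
    # idmap misconfiguration modelled here: a domain user landing on a low uid
    "DOMAIN2\\backup": Passwd("DOMAIN2\\backup", 500, 500),
}
# Constructed: the local passwd database (names carry no domain part).
LOCAL_USERS = {
    "root": Passwd("root", 0, 0),
    "alice": Passwd("alice", 1000, 1000),
}
# Assumed semantics of the new parameter: domain users below this uid are rejected.
MIN_DOMAIN_UID = 1000


def legacy_getpwnam(name: str) -> Optional[Passwd]:
    """Pre-fix behaviour: try "DOMAIN\\account", then silently retry with
    just "account", so "DOMAIN2\\root" resolves to the local root user."""
    pw = WINBIND_USERS.get(name)
    if pw is None and "\\" in name:
        pw = LOCAL_USERS.get(name.split("\\", 1)[1])
    if pw is None:
        pw = LOCAL_USERS.get(name)
    return pw


def hardened_getpwnam(name: str) -> Optional[Passwd]:
    """Post-fix behaviour: a name carrying a domain part is answered by
    winbindd only; a bare name (e.g. produced by 'username map') is local only."""
    if "\\" in name:
        return WINBIND_USERS.get(name)
    return LOCAL_USERS.get(name)


def domain_uid_allowed(pw: Passwd, min_domain_uid: int = MIN_DOMAIN_UID) -> bool:
    """The 'min domain uid' check (assumed semantics): refuse a unix token for a
    domain user whose uid is below the floor, keeping low uids out of reach."""
    return pw.uid >= min_domain_uid


def build_unix_token(name: str, legacy: bool = False):
    """Resolve a (possibly domain-qualified) name to a uid, or say why not.
    The legacy path has neither the fallback removal nor the uid floor."""
    if legacy:
        pw = legacy_getpwnam(name)
        return (None, "no such user") if pw is None else (pw.uid, "ok")
    pw = hardened_getpwnam(name)
    if pw is None:
        return None, "no such user"
    if "\\" in name and not domain_uid_allowed(pw):
        return None, "uid below min domain uid"
    return pw.uid, "ok"


if __name__ == "__main__":
    for n in ("DOMAIN1\\alice", "DOMAIN2\\root", "DOMAIN2\\backup", "alice"):
        print(n, "legacy:", build_unix_token(n, legacy=True),
              "hardened:", build_unix_token(n))
```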
commit 97d54027910b7d3fa04bd6c1b72448a85cdf5d7c
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Oct 8 19:57:18 2021 +0200
CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() forward the low level errors
Mapping everything to ACCESS_DENIED makes it hard to debug problems,
which may happen because of our more restrictive behaviour in the future.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 14b9f905da196e4e1904e4d4b0dec6192e76ab61
Author: Samuel Cabrero <scabrero at samba.org>
Date: Tue Oct 5 16:56:06 2021 +0200
CVE-2020-25717: selftest: Add a test for the new 'min domain uid' parameter
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
[abartlet at samba.org Fixed knownfail per instruction from metze]
commit 6771b2f211f6f5ae08d94a75afb7c6109f65497d
Author: Samuel Cabrero <scabrero at samba.org>
Date: Tue Oct 5 12:31:29 2021 +0200
CVE-2020-25717: selftest: Add ad_member_no_nss_wb environment
This environment creates an AD member that doesn't have
'nss_winbind' configured, while winbindd is still started.
For testing we map a DOMAIN\root user to the local root
account and unix token of the local root user.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit b39b698cdac9ef97d018d6f02d59493ec5bff6e6
Author: Samuel Cabrero <scabrero at samba.org>
Date: Tue Sep 28 10:43:40 2021 +0200
CVE-2020-25717: loadparm: Add new parameter "min domain uid"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 79a6616cbe723a2bc05084b90298745143a76a7c
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Oct 26 17:42:41 2021 +0200
CVE-2020-25717: auth/ntlmssp: start with authoritative = 1
This is not strictly needed, but makes it easier to audit
that we don't miss important places.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 27d20fc335c5df53bf6780d6296f1e4aef277311
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Oct 26 17:42:41 2021 +0200
CVE-2020-25717: s3:auth: start with authoritative = 1
This is not strictly needed, but makes it easier to audit
that we don't miss important places.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 4cda41677ccb6d68289bafdf4d486e85b6beb2a7
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Oct 26 17:42:41 2021 +0200
CVE-2020-25717: s3:rpcclient: start with authoritative = 1
This is not strictly needed, but makes it easier to audit
that we don't miss important places.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit cc32b2464a74ecd8a53460eba3523296fa31e943
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Oct 26 17:42:41 2021 +0200
CVE-2020-25717: s3:torture: start with authoritative = 1
This is not strictly needed, but makes it easier to audit
that we don't miss important places.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit cc6d63100cdfad10cd1a17e111b7d3012d796098
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Oct 26 17:42:41 2021 +0200
CVE-2020-25717: s3:ntlm_auth: start with authoritative = 1
This is not strictly needed, but makes it easier to audit
that we don't miss important places.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 76ec5f94091095bb1736a4582696ef6c4b37654c
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Oct 26 17:42:41 2021 +0200
CVE-2020-25717: s4:auth_simple: start with authoritative = 1
This is not strictly needed, but makes it easier to audit
that we don't miss important places.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 9a2351581416223a4486c33378f430f510a03db4
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Oct 26 17:42:41 2021 +0200
CVE-2020-25717: s4:smb_server: start with authoritative = 1
This is not strictly needed, but makes it easier to audit
that we don't miss important places.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 6aedd965e167c46ab7e42e35268574e18a97fd51
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Oct 26 17:42:41 2021 +0200
CVE-2020-25717: s4:torture: start with authoritative = 1
This is not strictly needed, but makes it easier to audit
that we don't miss important places.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 0e23000f27823243ad797eb39581f83c3ad50b2b
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Oct 4 17:29:34 2021 +0200
CVE-2020-25717: s4:auth/ntlm: make sure auth_check_password() defaults to r->out.authoritative = true
We need to make sure that temporary failures don't trigger a fallback
to the local SAM that silently ignores the domain name part for users.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 05587361498ae8131435aca2d8c860e98f605581
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Oct 4 17:29:34 2021 +0200
CVE-2020-25717: s3:winbindd: make sure we default to r->out.authoritative = true
We need to make sure that temporary failures don't trigger a fallback
to the local SAM that silently ignores the domain name part for users.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
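Added illustration (not Samba's code) of the auth-chain contract behind the 'authoritative = 1' commits above: a backend that hits a temporary failure without setting the flag must not let the chain fall through to the local SAM, which matches on the account name alone. The backends, accounts and passwords below are constructed.

```python
"""Model of the auth-chain contract the 'authoritative = 1' commits enforce:
a backend answers with an NT status and an 'authoritative' flag, and the
chain may only move on to the next backend when a backend explicitly says
it is NOT authoritative. Added illustration, not Samba's code; the
credentials below are constructed."""
from typing import Callable, Dict, List, Tuple

# Constructed sample accounts: the same account name exists in the domain
# and in the local SAM, with different passwords.
DOMAIN_USERS = {("DOMAIN", "alice"): "domain-pw"}
LOCAL_USERS = {"alice": "local-pw"}


def winbind_check(domain: str, account: str, password: str, winbindd_up: bool) -> Dict:
    """Domain backend. A winbindd that is down yields a temporary failure
    WITHOUT touching 'authoritative'; that is the case the default decides."""
    if not winbindd_up:
        return {"status": "NT_STATUS_NO_LOGON_SERVERS"}
    if DOMAIN_USERS.get((domain, account)) == password:
        return {"status": "NT_STATUS_OK", "authoritative": True}
    return {"status": "NT_STATUS_WRONG_PASSWORD", "authoritative": True}


def local_sam_check(domain: str, account: str, password: str) -> Dict:
    """Local SAM backend as the commit describes it: it matches on the
    account name alone and ignores the domain part."""
    if LOCAL_USERS.get(account) == password:
        return {"status": "NT_STATUS_OK", "authoritative": True}
    return {"status": "NT_STATUS_NO_SUCH_USER", "authoritative": False}


def run_auth_chain(domain: str, account: str, password: str,
                   winbindd_up: bool, default_authoritative: bool) -> Tuple[str, str]:
    """Return (status, name of the backend that decided). The only difference
    between the legacy and the fixed chain is the default applied when a
    backend leaves 'authoritative' unset."""
    backends: List[Tuple[str, Callable[[], Dict]]] = [
        ("winbind", lambda: winbind_check(domain, account, password, winbindd_up)),
        ("sam", lambda: local_sam_check(domain, account, password)),
    ]
    status, decided_by = "NT_STATUS_NO_SUCH_USER", "none"
    for name, backend in backends:
        result = backend()
        status, decided_by = result["status"], name
        authoritative = result.get("authoritative", default_authoritative)
        if status == "NT_STATUS_OK" or authoritative:
            break  # an authoritative answer, success or failure, ends the chain
    return status, decided_by


def legacy_auth(domain: str, account: str, password: str, winbindd_up: bool = True):
    """Pre-fix: an unset flag counts as not authoritative, so the chain falls through."""
    return run_auth_chain(domain, account, password, winbindd_up, default_authoritative=False)


def fixed_auth(domain: str, account: str, password: str, winbindd_up: bool = True):
    """Post-fix: an unset flag counts as authoritative, so the failure is reported."""
    return run_auth_chain(domain, account, password, winbindd_up, default_authoritative=True)


if __name__ == "__main__":
    # winbindd restarted: the legacy chain silently accepts the local password
    # for DOMAIN\alice; the fixed chain reports the temporary failure instead.
    print("legacy:", legacy_auth("DOMAIN", "alice", "local-pw", winbindd_up=False))
    print("fixed: ", fixed_auth("DOMAIN", "alice", "local-pw", winbindd_up=False))
```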
commit b4ea50f8b272a3b1d1d9d9ceda3641c22a082604
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 29 10:27:41 2021 +1300
CVE-2020-25719 CVE-2020-25717 tests/krb5: Adapt tests for connecting without a PAC to new error codes
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14799
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit f9b16272d2879812011c5642019fd33ae72a6b91
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Oct 22 16:20:36 2021 +0200
CVE-2020-25719 CVE-2020-25717: selftest: remove "gensec:require_pac" settings
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14799
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
[jsutton at samba.org Added knownfail entries]
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 9fe1b719e1b35ae4053cbb13f29f76f4b2f950ef
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Aug 24 17:11:24 2021 +0200
CVE-2020-25719 CVE-2020-25717 tests/krb5: Add tests for connecting to services anonymously and without a PAC
At the end of the patchset we assume NT_STATUS_NO_IMPERSONATION_TOKEN if
no PAC is available.
For now we want to look for ACCESS_DENIED as this allows
the test to pass (showing that gensec:require_pac = true
is a useful partial mitigation).
This will also help others doing backports that do not
take the full patch set.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14799
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 903ab1a02776504ba3b4eb59470cfb8bdf4f2a90
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Oct 21 16:46:56 2021 +1300
CVE-2020-25721 tests/krb5: Add tests for extended PAC_UPN_DNS_INFO PAC buffer
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14835
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 24be204834889fca3f963ac4fee503a6ecbef439
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Oct 28 16:20:07 2021 +1300
CVE-2020-25719 tests/krb5: Add tests for including authdata without a PAC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 3af0c36a06354bae9737dad37a341d3c120a1aba
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Oct 21 11:45:23 2021 +1300
CVE-2020-25718 tests/krb5: Add tests for RODC-printed and invalid TGTs
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 7f7476b08cb3eb8ec3d9c1c5b6903a2d6e79b6a8
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Oct 19 20:02:45 2021 +1300
CVE-2020-25719 tests/krb5: Add principal aliasing test
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14686
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 48e5154de645daa168c6b79467abfd977f72277e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Oct 19 14:39:36 2021 +1300
CVE-2020-25719 tests/krb5: Add a test for making an S4U2Self request without a PAC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14686
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit bd87905cf1bc014729ac72e8f1462ba10533efa9
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Oct 18 15:02:39 2021 +1300
CVE-2020-25719 tests/krb5: Add tests for requiring and issuing a PAC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 3f7b971d3762b6f3a1e934a99f1b25365f7b6a54
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Oct 13 16:07:09 2021 +1300
CVE-2020-25721 ndrdump: Add tests for PAC with UPN_DNS_INFO
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14835
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 89c88a83dafca26d09a374aa410066113467547a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Oct 21 15:45:00 2021 +1300
CVE-2020-25722 tests/krb5: Add KDC tests for 3-part SPNs
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14776
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 4125650a27c3be0f43f873843821751010090010
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 22 11:37:37 2021 +1300
CVE-2020-25719 CVE-2020-25717 tests/krb5: Allow create_ccache_with_user() to return a ticket without a PAC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14799
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 873ac6d814c814fdf2088745dbd562cd91caddd3
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 22 11:37:31 2021 +1300
CVE-2020-25719 CVE-2020-25717 tests/krb5: Refactor create_ccache_with_user() to take credentials of target service
This allows us to use get_tgt() and get_service_ticket() to obtain
tickets, which simplifies the logic.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14799
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 23dc0cbd53e16f0450204aa3a0eb971d1215bc5a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Oct 21 16:46:23 2021 +1300
CVE-2020-25721 tests/krb5: Check PAC buffer types when STRICT_CHECKING=0
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14835
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 4ac05264a762de8d3673b91d1ceb84b1f1703936
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Oct 20 15:48:20 2021 +1300
MS CVE-2020-17049 tests/krb5: Allow tests to pass if ticket signature checksum type is wrong
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit dbedf5b6e26cd6ed7ba18a96797f9bd610161a49
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Oct 19 15:02:10 2021 +1300
CVE-2020-25719 tests/krb5: Add method to get unique username for test accounts
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14686
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 4a792ad92d6f7319f3272b38e32e281b55d76f70
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 30 16:53:22 2021 +1300
CVE-2020-25719 tests/krb5: Add is_tgt() helper method
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14686
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 43df8d0b2ea539f031ff0226dbd78470b9c4f569
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 8 15:40:09 2021 +1300
CVE-2020-25722 tests/krb5: Allow creating server accounts
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14776
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 06168fd4e3d1b1ea7fdcb6a42f1c721ba7340475
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Oct 18 15:00:38 2021 +1300
CVE-2020-25719 CVE-2020-25717 tests/krb5: Add pac_request parameter to get_service_ticket()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14799
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit ff6631ecdcb7f0f6455d83e905647dc5aacee51d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Oct 18 14:59:01 2021 +1300
CVE-2020-25719 CVE-2020-25717 tests/krb5: Modify get_service_ticket() to use _generic_kdc_exchange()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14799
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit f7f49db72223478b64f1d2aa07a160737f95629a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Oct 20 15:48:35 2021 +1300
CVE-2020-25718 tests/krb5: Allow tests accounts to replicate to RODC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 558f440f2060934d39bd1b6297e554f47fc44e8c
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Sep 27 11:20:19 2021 +1300
CVE-2020-25721 krb5pac: Add new buffers for samAccountName and objectSID
These appear when PAC_UPN_DNS_FLAG_HAS_SAM_NAME_AND_SID is set.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14835
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit ccd94963bd3c0600e1b6ae6b94e01fb5d2cbca9e
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Oct 22 23:41:23 2021 +1300
CVE-2020-25722 selftest/user_account_control: more work to cope with UAC/objectclass defaults and lock
This new restriction breaks a large number of assumptions in the tests, like
that you can remove some UF_ flags, because it turns out doing so will
make the 'computer' a 'user' again, and this will fail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit b001f91668a17e128e709d8e548d053091e5337b
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Oct 22 22:54:52 2021 +1300
CVE-2020-25722 selftest/user_account_control: Allow a broader set of possible errors
This favors a test that confirms we got an error over getting exactly
the right error, at least for now.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit adfae12584c8af82624bdbd2461d1fdc404e320a
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Oct 22 22:40:06 2021 +1300
CVE-2020-25722 selftest: Allow self.assertRaisesLdbError() to take a list of errors to match with
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 56eff305cff77d5e642eba5e6dc2457285f483b8
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Oct 21 15:42:46 2021 +1300
CVE-2020-25722 selftest: adapt ldap.py/sam.py test_all tests to new default computer behaviour
Objects of objectclass computer are computers by default now, and this changes
the sAMAccountType and primaryGroupID as well as userAccountControl.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 66986eefc656988bc04922706f105dedcd0d45f7
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Oct 21 15:19:19 2021 +1300
CVE-2020-25722 selftest: Adapt sam.py test to userAccountControl/objectclass restrictions
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 6c03fb656d493f026684934cd320fa6d2a7cbfbf
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Oct 21 15:14:28 2021 +1300
CVE-2020-25722 selftest: New objects of objectclass=computer are workstations by default now
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 756f116b0ecb5a38664782d5113be944b70e9167
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Oct 21 15:06:14 2021 +1300
CVE-2020-25722 selftest: Adjust sam.py test_userAccountControl_computer_add_trust to new reality
We now enforce that a trust account must be a user.
These can not be added over LDAP anyway, and our C
code in the RPC server gets this right in any case.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 4150264ce0b50f01c52dd67f6cbbf5d3dab9d69e
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Oct 21 14:03:05 2021 +1300
CVE-2020-25722 selftest: Split test_userAccountControl into unit tests
The parts that create and delete a single object can be
safely split out into an individual test.
At this point the parts that fail against Windows 2019 are:
error: __main__.SamTests.test_userAccountControl_computer_add_normal [
_ldb.LdbError: (53, 'LDAP error 53 LDAP_UNWILLING_TO_PERFORM - <0000052D: SvcErr: DSID-031A1236, problem 5003 (WILL_NOT_PERFORM), data 0\n> <>')
error: __main__.SamTests.test_userAccountControl_computer_modify [
_ldb.LdbError: (53, 'LDAP error 53 LDAP_UNWILLING_TO_PERFORM - <0000052D: SvcErr: DSID-031A1236, problem 5003 (WILL_NOT_PERFORM), data 0\n> <>')
error: __main__.SamTests.test_userAccountControl_user_add_0_uac [
_ldb.LdbError: (53, 'LDAP error 53 LDAP_UNWILLING_TO_PERFORM - <0000052D: SvcErr: DSID-031A1236, problem 5003 (WILL_NOT_PERFORM), data 0\n> <>')
error: __main__.SamTests.test_userAccountControl_user_add_normal [
_ldb.LdbError: (53, 'LDAP error 53 LDAP_UNWILLING_TO_PERFORM - <0000052D: SvcErr: DSID-031A1236, problem 5003 (WILL_NOT_PERFORM), data 0\n> <>')
error: __main__.SamTests.test_userAccountControl_user_modify [
_ldb.LdbError: (53, 'LDAP error 53 LDAP_UNWILLING_TO_PERFORM - <0000052D: SvcErr: DSID-031A1236, problem 5003 (WILL_NOT_PERFORM), data 0\n> <>')
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 0b06e9a5a58c240a38be498ed9a7c8a63cfaa38b
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Oct 21 13:02:42 2021 +1300
CVE-2020-25722 samdb: Fill in isCriticalSystemObject on any account type change
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 55cc9324b48ac981ae3bd716aab3e28a7075e30a
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Oct 21 11:57:22 2021 +1300
CVE-2020-25722 selftest: Adapt sam.py test_isCriticalSystemObject to new UF_WORKSTATION_TRUST_ACCOUNT default
Objects with objectclass computer now have UF_WORKSTATION_TRUST_ACCOUNT
by default and so this test must adapt.
The changes to this test pass against Windows 2019 except for
the new behaviour around the UF_WORKSTATION_TRUST_ACCOUNT default.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 53d0e5d31e0f50d632771d835a5f97ce266eb4ba
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Sep 22 11:29:02 2021 +1200
CVE-2020-25722 dsdb: Add restrictions on computer accounts without a trailing $
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit adf628000fb597ef530dfe4f8d673f40a82b76ef
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Sep 22 11:28:05 2021 +1200
CVE-2020-25722 dsdb: samldb_objectclass_trigger() is only called on ADD, so remove indentation
This makes the code less indented and simpler to understand.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit c77f9cbaee0fd2483be20d2d695f88cd3af37c16
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Oct 22 16:18:51 2021 +1300
CVE-2020-25722 selftest: Adapt selftest to restriction on swapping account types
This makes many of our tests pass again. We do not pass against Windows 2019 on all
of them, as it does not have this restriction at this time.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit dc08915834a8beed960328a62ecea88aa95f941d
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Oct 28 14:47:30 2021 +1300
CVE-2020-25722 selftest/priv_attrs: Mention that these knownfails are OK (for now)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14775
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit a00c525a4e01342ee8b9ec8441994ad27bffb254
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Oct 22 16:07:46 2021 +1300
CVE-2020-25722 dsdb: Prohibit mismatch between UF_ account types and objectclass.
There are a lot of knownfail entries added with this commit. These
all need to be addressed and removed in subsequent commits which
will restructure the tests to pass within this new reality.
The restriction is not applied to users with administrator rights,
as this breaks a lot of tests and provides no security benefit.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 6a8f03c52746bc5e55caf40d4a57838a84808269
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 29 23:33:32 2021 +1300
CVE-2020-25722 dsdb: Add tests for modifying objectClass, userAccountControl and sAMAccountName
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14889
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 9c3259e5030deee1838a5e9da43842ce5954c0d0
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Oct 22 15:42:08 2021 +1300
CVE-2020-25722 dsdb: Improve privileged and unprivileged tests for objectclass/dollar/UAC
This helps ensure we cover off all the cases that matter
for objectclass/trailing-dollar/userAccountControl
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit e5b94eea6a9d78b53ec34eb32d8ab5c94d78d151
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Sep 16 08:46:42 2021 +1200
CVE-2020-25722 dsdb: objectclass computer becomes UF_WORKSTATION_TRUST by default
There are a lot of knownfail entries added with this commit. These
all need to be addressed and removed in subsequent commits which
will restructure the tests to pass within this new reality.
This default applies even to users with administrator rights,
as changing the default based on permissions would break
too many assumptions.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 755e8a53ce041cc3e448fb0579b430db847bd0a0
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Sep 17 13:41:40 2021 +1200
CVE-2020-25722 selftest: Catch errors from samdb.modify() in user_account_control tests
This will allow these to be listed in a knownfail shortly.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 63eb24f0925f0a3d117fc5eb2dc728a5af121f6a
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Sep 20 14:54:03 2021 +1200
CVE-2020-25722 selftest: Catch possible errors in PasswordSettingsTestCase.test_pso_none_applied()
This allows future patches to restrict changing the account type
without triggering an error.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 0d804cfd07789c6bcd8c252756ead99e92bceb1b
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Sep 20 12:35:51 2021 +1200
CVE-2020-25722 selftest: allow for future failures in BindTests.test_virtual_email_account_style_bind
This allows for any failures here to be handled via the knownfail system.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 23983fb50b475b74eea8571e0d9c7923fd2ca76e
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Sep 13 10:21:03 2021 +1200
CVE-2020-25722 selftest: Test combinations of account type and objectclass for creating a user
The idea here is to split out the restrictions seen on Windows 2019
at the schema level, as seen when acting as an administrator.
These pass against Windows 2019 except for the account type swapping
which is not wanted.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 2bdff65b333365740e5e9c8c2b2fc176323f5108
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Sep 13 20:34:54 2021 +1200
CVE-2020-25722 selftest: Extend priv_attrs test
- work around UF_NORMAL_ACCOUNT rules on Windows 2019 (requires |UF_PASSWD_NOTREQD or a password)
- extend to also cover the sensitive UF_TRUSTED_FOR_DELEGATION
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14703
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14778
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14775
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit f478aecc45efb56868bc7cec216f33e5db7ccf18
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Aug 13 17:42:23 2021 +1200
CVE-2020-25722 dsdb: Restrict the setting of privileged attributes during LDAP add/modify
The remaining failures in the priv_attrs (not the strict one) test are
due to missing objectclass constraints on the administrator which should
be addressed, but are not a security issue.
A better test for confirming constraints between objectclass and
userAccountControl UF_NORMAL_ACCOUNT/UF_WORKSTATION_TRUST values would
be user_account_control.py.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14703
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14778
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14775
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 9ef9746bca73a939ad04b1df07caeb70921bc3de
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Aug 12 11:10:09 2021 +1200
CVE-2020-25722 dsdb: Move krbtgt password setup after the point of checking if any passwords are changed
This allows the add of an RODC, before setting the password, to avoid
this module, which helps isolate testing of security around the
msDS-SecondaryKrbTgtNumber attribute.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14703
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 93e5902369c22d625fa2e48b3eafe043dc17e3ba
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Aug 10 22:31:02 2021 +1200
CVE-2020-25722 dsdb: Tests for our known set of privileged attributes
This, except for where we choose to disagree, does pass
against Windows 2019.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14703
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14778
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14775
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
-----------------------------------------------------------------------
Summary of changes:
auth/auth_util.c | 9 +-
auth/credentials/tests/bind.py | 13 +-
auth/gensec/gensec_util.c | 27 +-
auth/ntlmssp/ntlmssp_server.c | 2 +-
docs-xml/smbdotconf/security/mindomainuid.xml | 17 +
docs-xml/smbdotconf/security/serverrole.xml | 7 +
docs-xml/smbdotconf/winbind/idmapconfig.xml | 4 +
lib/param/loadparm.c | 4 +
lib/param/loadparm_server_role.c | 2 +
lib/param/param_table.c | 1 +
lib/param/util.c | 1 +
libcli/netlogon/netlogon.c | 2 +-
libds/common/roles.h | 1 +
librpc/idl/krb5pac.idl | 38 +-
librpc/ndr/ndr_krb5pac.c | 4 +-
librpc/rpc/dcerpc_pkt_auth.c | 19 +-
librpc/rpc/dcerpc_pkt_auth.h | 1 +
librpc/rpc/dcesrv_auth.c | 28 +
librpc/rpc/dcesrv_core.c | 160 +-
python/samba/netcmd/spn.py | 37 +-
python/samba/tests/__init__.py | 53 +-
python/samba/tests/blackbox/ndrdump.py | 35 +
python/samba/tests/dcerpc/raw_protocol.py | 1561 ++++++++++++++--
python/samba/tests/dcerpc/raw_testcase.py | 57 +-
python/samba/tests/krb5/alias_tests.py | 201 ++
python/samba/tests/krb5/kdc_base_test.py | 166 +-
python/samba/tests/krb5/kdc_tgs_tests.py | 1922 +++++++++++++++++++-
python/samba/tests/krb5/raw_testcase.py | 213 ++-
python/samba/tests/krb5/rfc4120_constants.py | 3 +
python/samba/tests/krb5/rodc_tests.py | 2 +
python/samba/tests/krb5/s4u_tests.py | 37 +-
python/samba/tests/krb5/spn_tests.py | 212 +++
python/samba/tests/krb5/test_ccache.py | 67 +-
python/samba/tests/krb5/test_ldap.py | 100 +-
python/samba/tests/krb5/test_min_domain_uid.py | 121 ++
python/samba/tests/krb5/test_rpc.py | 70 +-
python/samba/tests/krb5/test_smb.py | 71 +-
python/samba/tests/ldap_spn.py | 917 ++++++++++
python/samba/tests/ldap_upn_sam_account.py | 510 ++++++
python/samba/tests/samba_tool/computer.py | 18 +-
python/samba/tests/usage.py | 3 +
selftest/knownfail.d/ldap_spn | 1 +
selftest/knownfail.d/modify-order | 2 +-
selftest/knownfail.d/priv_attr | 13 +
selftest/knownfail.d/uac_objectclass_restrict | 17 +
selftest/knownfail.d/user_account_control | 1 -
selftest/knownfail_heimdal_kdc | 16 +-
selftest/knownfail_mit_kdc | 147 +-
selftest/selftest.pl | 2 -
selftest/target/Samba.pm | 1 +
selftest/target/Samba3.pm | 75 +-
selftest/target/Samba4.pm | 2 -
source3/auth/auth.c | 3 +
source3/auth/auth_generic.c | 160 +-
source3/auth/auth_sam.c | 14 +-
source3/auth/auth_samba4.c | 2 +-
source3/auth/auth_util.c | 105 +-
source3/auth/proto.h | 3 -
source3/auth/user_krb5.c | 79 +-
source3/include/smb_macros.h | 2 +-
source3/lib/netapi/joindomain.c | 1 +
source3/lib/util_names.c | 15 +-
source3/libsmb/cliconnect.c | 9 +
source3/param/loadparm.c | 6 +-
source3/passdb/lookup_sid.c | 2 +-
source3/passdb/machine_account_secrets.c | 7 +-
source3/registry/reg_backend_prod_options.c | 1 +
source3/rpc_server/dssetup/srv_dssetup_nt.c | 1 +
source3/rpcclient/cmd_netlogon.c | 2 +-
source3/smbd/server.c | 2 +-
source3/torture/pdbtest.c | 2 +-
source3/utils/ntlm_auth.c | 95 +-
source3/utils/ntlm_auth_diagnostics.c | 10 +-
source3/winbindd/winbindd_dual_srv.c | 7 +
source3/winbindd/winbindd_irpc.c | 7 +
source3/winbindd/winbindd_misc.c | 2 +-
source3/winbindd/winbindd_pam.c | 15 +-
source3/winbindd/winbindd_pam_auth_crap.c | 9 +-
source3/winbindd/winbindd_util.c | 47 +-
source4/auth/auth.h | 8 -
source4/auth/ntlm/auth.c | 55 +-
source4/auth/ntlm/auth_sam.c | 12 -
source4/auth/ntlm/auth_simple.c | 2 +-
source4/auth/sam.c | 5 +-
source4/dsdb/common/rodc_helper.c | 284 +++
source4/dsdb/common/util.c | 11 +
source4/dsdb/samdb/cracknames.c | 19 +-
source4/dsdb/samdb/ldb_modules/acl.c | 120 +-
source4/dsdb/samdb/ldb_modules/acl_util.c | 40 +
source4/dsdb/samdb/ldb_modules/dirsync.c | 13 +-
source4/dsdb/samdb/ldb_modules/objectclass.c | 36 +
source4/dsdb/samdb/ldb_modules/password_hash.c | 164 +-
source4/dsdb/samdb/ldb_modules/samldb.c | 1921 ++++++++++++++++---
source4/dsdb/samdb/ldb_modules/util.c | 119 +-
source4/dsdb/tests/python/acl.py | 97 +
source4/dsdb/tests/python/ldap.py | 49 +-
source4/dsdb/tests/python/password_settings.py | 30 +-
source4/dsdb/tests/python/priv_attrs.py | 398 ++++
source4/dsdb/tests/python/sam.py | 94 +-
source4/dsdb/tests/python/user_account_control.py | 523 +++++-
source4/dsdb/wscript_build | 2 +-
source4/heimdal/kdc/kerberos5.c | 23 +-
source4/heimdal/kdc/krb5tgs.c | 292 ++-
source4/heimdal/kdc/windc.c | 7 +-
source4/heimdal/kdc/windc_plugin.h | 2 +
source4/heimdal/lib/hdb/hdb.h | 2 +-
source4/kdc/db-glue.c | 77 +-
source4/kdc/db-glue.h | 5 +-
source4/kdc/hdb-samba4.c | 43 +-
source4/kdc/kdc-heimdal.c | 1 +
source4/kdc/mit-kdb/kdb_samba.h | 7 +
source4/kdc/mit-kdb/kdb_samba_policies.c | 185 +-
source4/kdc/mit-kdb/kdb_samba_principals.c | 60 +-
source4/kdc/mit_samba.c | 62 +-
source4/kdc/mit_samba.h | 2 +
source4/kdc/pac-glue.c | 473 ++++-
source4/kdc/pac-glue.h | 31 +-
source4/kdc/wdc-samba4.c | 132 +-
source4/libcli/smb_composite/sesssetup.c | 14 +
source4/librpc/rpc/dcerpc.c | 1 +
.../librpc/tests/krb5pac_upn_dns_info_ex.b64.txt | 1 +
source4/librpc/tests/krb5pac_upn_dns_info_ex.txt | 220 +++
.../krb5pac_upn_dns_info_ex_not_supported.b64.txt | 1 +
.../krb5pac_upn_dns_info_ex_not_supported.txt | 213 +++
source4/rpc_server/common/server_info.c | 121 +-
source4/rpc_server/common/sid_helper.c | 134 --
source4/rpc_server/dnsserver/dcerpc_dnsserver.c | 11 +-
source4/rpc_server/drsuapi/dcesrv_drsuapi.c | 55 +-
source4/rpc_server/drsuapi/getncchanges.c | 71 +-
source4/rpc_server/lsa/lsa_init.c | 7 +-
source4/rpc_server/netlogon/dcerpc_netlogon.c | 191 +-
source4/rpc_server/samr/dcesrv_samr.c | 21 +-
source4/rpc_server/samr/samr_password.c | 31 +-
source4/rpc_server/wscript_build | 9 +-
source4/selftest/tests.py | 110 +-
source4/setup/provision_self_join.ldif | 9 +-
source4/setup/tests/blackbox_spn.sh | 7 +-
source4/setup/tests/blackbox_upgradeprovision.sh | 8 +-
source4/smb_server/smb/sesssetup.c | 4 +-
source4/torture/rpc/drsuapi.c | 202 +-
source4/torture/rpc/drsuapi.h | 3 +-
source4/torture/rpc/drsuapi_cracknames.c | 2 +-
source4/torture/rpc/remote_pac.c | 24 +-
source4/torture/rpc/samlogon.c | 4 +-
source4/torture/rpc/schannel.c | 2 +-
testprogs/blackbox/dbcheck-oldrelease.sh | 4 +-
testprogs/blackbox/functionalprep.sh | 2 +-
testprogs/blackbox/upgradeprovision-oldrelease.sh | 4 +-
148 files changed, 12458 insertions(+), 2035 deletions(-)
create mode 100644 docs-xml/smbdotconf/security/mindomainuid.xml
create mode 100755 python/samba/tests/krb5/alias_tests.py
create mode 100755 python/samba/tests/krb5/spn_tests.py
create mode 100755 python/samba/tests/krb5/test_min_domain_uid.py
create mode 100644 python/samba/tests/ldap_spn.py
create mode 100644 python/samba/tests/ldap_upn_sam_account.py
create mode 100644 selftest/knownfail.d/ldap_spn
create mode 100644 selftest/knownfail.d/priv_attr
create mode 100644 selftest/knownfail.d/uac_objectclass_restrict
delete mode 100644 selftest/knownfail.d/user_account_control
create mode 100644 source4/dsdb/common/rodc_helper.c
create mode 100644 source4/dsdb/tests/python/priv_attrs.py
create mode 100644 source4/librpc/tests/krb5pac_upn_dns_info_ex.b64.txt
create mode 100644 source4/librpc/tests/krb5pac_upn_dns_info_ex.txt
create mode 100644 source4/librpc/tests/krb5pac_upn_dns_info_ex_not_supported.b64.txt
create mode 100644 source4/librpc/tests/krb5pac_upn_dns_info_ex_not_supported.txt
delete mode 100644 source4/rpc_server/common/sid_helper.c
Changeset truncated at 500 lines:
diff --git a/auth/auth_util.c b/auth/auth_util.c
index f3586f1fc1e..fe01babd107 100644
--- a/auth/auth_util.c
+++ b/auth/auth_util.c
@@ -26,26 +26,28 @@
struct auth_session_info *copy_session_info(TALLOC_CTX *mem_ctx,
const struct auth_session_info *src)
{
+ TALLOC_CTX *frame = talloc_stackframe();
struct auth_session_info *dst;
DATA_BLOB blob;
enum ndr_err_code ndr_err;
ndr_err = ndr_push_struct_blob(
&blob,
- talloc_tos(),
+ frame,
src,
(ndr_push_flags_fn_t)ndr_push_auth_session_info);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
DBG_ERR("copy_session_info(): ndr_push_auth_session_info "
"failed: %s\n",
ndr_errstr(ndr_err));
+ TALLOC_FREE(frame);
return NULL;
}
dst = talloc(mem_ctx, struct auth_session_info);
if (dst == NULL) {
DBG_ERR("talloc failed\n");
- TALLOC_FREE(blob.data);
+ TALLOC_FREE(frame);
return NULL;
}
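Review bot: replacing `TALLOC_FREE(blob.data)` with `TALLOC_FREE(frame)` on the talloc-failure path is correct now that `blob` is pushed under `frame`, but `talloc_stackframe()` must be popped on every return, so any future early return added between the `frame` declaration and the final free has to do the same; a one-line comment above `TALLOC_CTX *frame = talloc_stackframe();` stating that rule would protect the next editor.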
@@ -54,15 +56,16 @@ struct auth_session_info *copy_session_info(TALLOC_CTX *mem_ctx,
dst,
dst,
(ndr_pull_flags_fn_t)ndr_pull_auth_session_info);
- TALLOC_FREE(blob.data);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
DBG_ERR("copy_session_info(): ndr_pull_auth_session_info "
"failed: %s\n",
ndr_errstr(ndr_err));
TALLOC_FREE(dst);
+ TALLOC_FREE(frame);
return NULL;
}
+ TALLOC_FREE(frame);
return dst;
}
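Review bot: the function still has no comment saying why it uses a private stackframe instead of `talloc_tos()` (the commit subject only says `talloc_tos()` is to be avoided, not why); add that rationale above `copy_session_info()`. Moving the `TALLOC_FREE(blob.data)` to after the pull is safe because `ndr_pull_struct_blob()` allocates the result under `dst`, so nothing in `dst` references `blob.data` once `frame` is freed.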
diff --git a/auth/credentials/tests/bind.py b/auth/credentials/tests/bind.py
index a38021b5ded..ce81b736e86 100755
--- a/auth/credentials/tests/bind.py
+++ b/auth/credentials/tests/bind.py
@@ -92,7 +92,8 @@ class BindTests(samba.tests.TestCase):
# this test to detect when the LDAP DN is being double-parsed
# but must be in the user at realm style to allow the account to
# be created
- self.ldb.add_ldif("""
+ try:
+ self.ldb.add_ldif("""
dn: """ + self.virtual_user_dn + """
cn: frednurk@""" + self.realm + """
displayName: Fred Nurk
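Review bot: the LDIF lines inside the new `try:` block (`dn:`, `cn:`, `displayName:` ...) are deliberately left at column 0 because they are the content of a triple-quoted string, not code; a short comment above `self.ldb.add_ldif("""` saying so would stop a future auto-formatter or reviewer from "fixing" the indentation and silently changing the LDIF.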
@@ -105,13 +106,21 @@ objectClass: person
objectClass: top
objectClass: user
""")
+ except LdbError as e:
+ (num, msg) = e.args
+ self.fail(f"Failed to create e-mail user: {msg}")
+
self.addCleanup(delete_force, self.ldb, self.virtual_user_dn)
- self.ldb.modify_ldif("""
+ try:
+ self.ldb.modify_ldif("""
dn: """ + self.virtual_user_dn + """
changetype: modify
replace: unicodePwd
unicodePwd:: """ + base64.b64encode(u"\"P at ssw0rd\"".encode('utf-16-le')).decode('utf8') + """
""")
+ except LdbError as e:
+ (num, msg) = e.args
+ self.fail(f"Failed to set password on e-mail user: {msg}")
self.ldb.enable_account('distinguishedName=%s' % self.virtual_user_dn)
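Review bot: `num` is unpacked from `e.args` in both new `except LdbError` clauses but never used; `(_, msg) = e.args` or `msg = e.args[1]` avoids the unused-variable warning. No import of `LdbError` is visible in this context, so confirm bind.py already has `from ldb import LdbError` (or equivalent), otherwise the except clause raises `NameError` instead of the intended `self.fail()`. The trailing `self.ldb.enable_account(...)` call stays outside any `try`, so a failure there is still reported as an error rather than a failure; if the intent is for every step here to be routable through knownfail, wrap it the same way.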
diff --git a/auth/gensec/gensec_util.c b/auth/gensec/gensec_util.c
index e411751c3af..1075b9fde87 100644
--- a/auth/gensec/gensec_util.c
+++ b/auth/gensec/gensec_util.c
@@ -25,6 +25,8 @@
#include "auth/gensec/gensec_internal.h"
#include "auth/common_auth.h"
#include "../lib/util/asn1.h"
+#include "param/param.h"
+#include "libds/common/roles.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_AUTH
@@ -48,10 +50,27 @@ NTSTATUS gensec_generate_session_info_pac(TALLOC_CTX *mem_ctx,
session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS;
if (!pac_blob) {
- if (gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) {
- DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access\n",
- principal_string));
- return NT_STATUS_ACCESS_DENIED;
+ enum server_role server_role =
+ lpcfg_server_role(gensec_security->settings->lp_ctx);
+
+ /*
+ * For any domain setup (DC or member) we require having
+ * a PAC, as the service ticket comes from an AD DC,
+ * which will always provide a PAC, unless
+ * UF_NO_AUTH_DATA_REQUIRED is configured for our
+ * account, but that's just an invalid configuration,
+ * the admin configured for us!
+ *
+ * As a legacy case, we still allow kerberos tickets from an MIT
+ * realm, but only in standalone mode. In that mode we'll only
+ * ever accept a kerberos authentication with a keytab file
+ * being explicitly configured via the 'keytab method' option.
+ */
+ if (server_role != ROLE_STANDALONE) {
+ DBG_WARNING("Unable to find PAC in ticket from %s, "
+ "failing to allow access\n",
+ principal_string);
+ return NT_STATUS_NO_IMPERSONATION_TOKEN;
}
DBG_NOTICE("Unable to find PAC for %s, resorting to local "
"user lookup\n", principal_string);
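Review bot: the `gensec:require_pac` setting read via `gensec_setting_bool()` is removed here, so an existing `require_pac = false` on a domain member silently stops having any effect and the decision now rests solely on `lpcfg_server_role()` being `ROLE_STANDALONE`; that is the intended hardening, but it should be called out in the release notes, and a `DBG_WARNING` when the obsolete setting is still present would help administrators notice. The return code also changes from `NT_STATUS_ACCESS_DENIED` to `NT_STATUS_NO_IMPERSONATION_TOKEN`, so callers that map specific status codes should be checked. Minor: "the admin configured for us!" in the new comment reads awkwardly; "which would be an invalid configuration on the admin's side" is clearer.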
diff --git a/auth/ntlmssp/ntlmssp_server.c b/auth/ntlmssp/ntlmssp_server.c
index 001238278d7..939aa0ef4aa 100644
--- a/auth/ntlmssp/ntlmssp_server.c
+++ b/auth/ntlmssp/ntlmssp_server.c
@@ -799,7 +799,7 @@ static void ntlmssp_server_auth_done(struct tevent_req *subreq)
struct gensec_security *gensec_security = state->gensec_security;
struct gensec_ntlmssp_context *gensec_ntlmssp = state->gensec_ntlmssp;
struct auth4_context *auth_context = gensec_security->auth_context;
- uint8_t authoritative = 0;
+ uint8_t authoritative = 1;
NTSTATUS status;
status = auth_context->check_ntlm_password_recv(subreq,
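Review bot: changing the initial value of `authoritative` from 0 to 1 means that if `check_ntlm_password_recv()` returns without setting it, the answer is now treated as authoritative (no fallback to a further auth backend) rather than non-authoritative; that is the safer default, but the declaration deserves a comment stating that a backend must now explicitly opt out by clearing the flag, since nothing in this hunk otherwise explains the flip.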
diff --git a/docs-xml/smbdotconf/security/mindomainuid.xml b/docs-xml/smbdotconf/security/mindomainuid.xml
new file mode 100644
index 00000000000..46ae795d730
--- /dev/null
+++ b/docs-xml/smbdotconf/security/mindomainuid.xml
@@ -0,0 +1,17 @@
+<samba:parameter name="min domain uid"
+ type="integer"
+ context="G"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ The integer parameter specifies the minimum uid allowed when mapping a
+ local account to a domain account.
+ </para>
+
+ <para>
+ Note that this option interacts with the configured <emphasis>idmap ranges</emphasis>!
+ </para>
+</description>
+
+<value type="default">1000</value>
+</samba:parameter>
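Review bot: the description says what the parameter is but not how a mapping whose uid falls below the minimum is handled, which is the thing an administrator needs in order to understand the failure mode; state that explicitly, and replace the vague "interacts with the configured idmap ranges" in the second paragraph with a concrete example showing the relation to an `idmap config` range low value. Also "The integer parameter specifies" should read "This integer parameter specifies".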
diff --git a/docs-xml/smbdotconf/security/serverrole.xml b/docs-xml/smbdotconf/security/serverrole.xml
index 9511c61c96d..b8b83a127b5 100644
--- a/docs-xml/smbdotconf/security/serverrole.xml
+++ b/docs-xml/smbdotconf/security/serverrole.xml
@@ -78,6 +78,13 @@
url="http://wiki.samba.org/index.php/Samba4/HOWTO">Samba4
HOWTO</ulink></para>
+ <para><anchor id="IPA-DC"/><emphasis>SERVER ROLE = IPA DOMAIN CONTROLLER</emphasis></para>
+
+ <para>This mode of operation runs Samba in a hybrid mode for IPA
+ domain controller, providing forest trust to Active Directory.
+ This role requires special configuration performed by IPA installers
+ and should not be used manually by any administrator.
+ </para>
</description>
<related>security</related>
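Review bot: the new heading `SERVER ROLE = IPA DOMAIN CONTROLLER` does not match the value string the parser accepts, which in this same changeset is "IPA primary domain controller" (lib/param/param_table.c), so an administrator copying the heading verbatim gets an unrecognised value; make the heading use the accepted spelling, as the other role headings in this file do.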
diff --git a/docs-xml/smbdotconf/winbind/idmapconfig.xml b/docs-xml/smbdotconf/winbind/idmapconfig.xml
index 1374040fb29..f70f11df757 100644
--- a/docs-xml/smbdotconf/winbind/idmapconfig.xml
+++ b/docs-xml/smbdotconf/winbind/idmapconfig.xml
@@ -80,6 +80,9 @@
authoritative for a unix ID to SID mapping, so it must be set
for each individually configured domain and for the default
configuration. The configured ranges must be mutually disjoint.
+ </para>
+ <para>
+ Note that the low value interacts with the <smbconfoption name="min domain uid"/> option!
</para></listitem>
</varlistentry>
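Review bot: "the low value interacts with the min domain uid option" is too vague for anyone planning an idmap range; say concretely how the two relate (for example what happens to ids in a range whose low value is below `min domain uid`), and use the same wording as docs-xml/smbdotconf/security/mindomainuid.xml so both pages describe one rule.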
@@ -115,4 +118,5 @@
</programlisting>
</description>
+<related>min domain uid</related>
</samba:parameter>
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 9c725402758..a26dabb9fca 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2995,6 +2995,10 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
"server smb3 encryption algorithms",
DEFAULT_SMB3_ENCRYPTION_ALGORITHMS);
+ lpcfg_do_global_parameter(lp_ctx,
+ "min domain uid",
+ "1000");
+
for (i = 0; parm_table[i].label; i++) {
if (!(lp_ctx->flags[i] & FLAG_CMDLINE)) {
lp_ctx->flags[i] |= FLAG_DEFAULT;
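Review bot: the default "1000" appears as a string literal here and again as `<value type="default">1000</value>` in docs-xml/smbdotconf/security/mindomainuid.xml, and the summary shows source3/param/loadparm.c changed as well; a single named constant shared by the loadparm implementations would keep the defaults from drifting apart.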
diff --git a/lib/param/loadparm_server_role.c b/lib/param/loadparm_server_role.c
index 7a6bc770723..a78d1ab9cf3 100644
--- a/lib/param/loadparm_server_role.c
+++ b/lib/param/loadparm_server_role.c
@@ -42,6 +42,7 @@ static const struct srv_role_tab {
{ ROLE_DOMAIN_BDC, "ROLE_DOMAIN_BDC" },
{ ROLE_DOMAIN_PDC, "ROLE_DOMAIN_PDC" },
{ ROLE_ACTIVE_DIRECTORY_DC, "ROLE_ACTIVE_DIRECTORY_DC" },
+ { ROLE_IPA_DC, "ROLE_IPA_DC"},
{ 0, NULL }
};
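Review bot: `{ ROLE_IPA_DC, "ROLE_IPA_DC"},` is missing the space before the closing brace that every other entry in the table uses; make it `{ ROLE_IPA_DC, "ROLE_IPA_DC" },`.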
@@ -140,6 +141,7 @@ bool lp_is_security_and_server_role_valid(int server_role, int security)
case ROLE_DOMAIN_PDC:
case ROLE_DOMAIN_BDC:
case ROLE_ACTIVE_DIRECTORY_DC:
+ case ROLE_IPA_DC:
if (security == SEC_USER) {
valid = true;
}
diff --git a/lib/param/param_table.c b/lib/param/param_table.c
index d9301152d94..9fac73ef113 100644
--- a/lib/param/param_table.c
+++ b/lib/param/param_table.c
@@ -109,6 +109,7 @@ static const struct enum_list enum_server_role[] = {
{ROLE_ACTIVE_DIRECTORY_DC, "active directory domain controller"},
{ROLE_ACTIVE_DIRECTORY_DC, "domain controller"},
{ROLE_ACTIVE_DIRECTORY_DC, "dc"},
+ {ROLE_IPA_DC, "IPA primary domain controller"},
{-1, NULL}
};
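Review bot: only one spelling, "IPA primary domain controller", is accepted for ROLE_IPA_DC, whereas the AD DC role above accepts three; that is defensible for an installer-only role, but add a comment saying the single long value is intentional so nobody adds aliases later, and make sure the serverrole.xml documentation quotes this exact string.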
diff --git a/lib/param/util.c b/lib/param/util.c
index cd8e74b9d8f..9a0fc102de8 100644
--- a/lib/param/util.c
+++ b/lib/param/util.c
@@ -255,6 +255,7 @@ const char *lpcfg_sam_name(struct loadparm_context *lp_ctx)
case ROLE_DOMAIN_BDC:
case ROLE_DOMAIN_PDC:
case ROLE_ACTIVE_DIRECTORY_DC:
+ case ROLE_IPA_DC:
return lpcfg_workgroup(lp_ctx);
default:
return lpcfg_netbios_name(lp_ctx);
diff --git a/libcli/netlogon/netlogon.c b/libcli/netlogon/netlogon.c
index 239503e85b6..59af460dc4e 100644
--- a/libcli/netlogon/netlogon.c
+++ b/libcli/netlogon/netlogon.c
@@ -93,7 +93,7 @@ NTSTATUS pull_netlogon_samlogon_response(DATA_BLOB *data, TALLOC_CTX *mem_ctx,
if (ndr->offset < ndr->data_size) {
TALLOC_FREE(ndr);
/*
- * We need to handle a bug in FreeIPA (at least <= 4.1.2).
+ * We need to handle a bug in IPA (at least <= 4.1.2).
*
* They include the ip address information without setting
* NETLOGON_NT_VERSION_5EX_WITH_IP, while using
diff --git a/libds/common/roles.h b/libds/common/roles.h
index 4772c8d7d3f..03ba1915b21 100644
--- a/libds/common/roles.h
+++ b/libds/common/roles.h
@@ -33,6 +33,7 @@ enum server_role {
/* not in samr.idl */
ROLE_ACTIVE_DIRECTORY_DC = 4,
+ ROLE_IPA_DC = 5,
/* To determine the role automatically, this is not a valid role */
ROLE_AUTO = 100
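Review bot: the `/* not in samr.idl */` comment above `ROLE_ACTIVE_DIRECTORY_DC = 4` reads as attached to that line only, although it applies equally to the new `ROLE_IPA_DC = 5`; give the new enumerator its own short comment (IPA hybrid DC role, configured by IPA installers only, per serverrole.xml) so the header is self-documenting.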
diff --git a/librpc/idl/krb5pac.idl b/librpc/idl/krb5pac.idl
index 515150ab9cd..bbe4a253e3a 100644
--- a/librpc/idl/krb5pac.idl
+++ b/librpc/idl/krb5pac.idl
@@ -86,17 +86,45 @@ interface krb5pac
} PAC_CONSTRAINED_DELEGATION;
typedef [bitmap32bit] bitmap {
- PAC_UPN_DNS_FLAG_CONSTRUCTED = 0x00000001
+ PAC_UPN_DNS_FLAG_CONSTRUCTED = 0x00000001,
+ PAC_UPN_DNS_FLAG_HAS_SAM_NAME_AND_SID = 0x00000002
} PAC_UPN_DNS_FLAGS;
+ typedef struct {
+ [value(2*strlen_m(samaccountname))] uint16 samaccountname_size;
+ [relative_short,subcontext(0),subcontext_size(samaccountname_size),flag(NDR_ALIGN8|STR_NOTERM|NDR_REMAINING)] string *samaccountname;
+ [value(ndr_size_dom_sid(objectsid, ndr->flags))] uint16 objectsid_size;
+ [relative_short,subcontext(0),subcontext_size(objectsid_size)] dom_sid *objectsid;
+ } PAC_UPN_DNS_INFO_SAM_NAME_AND_SID;
+
+ typedef [nodiscriminant] union {
+ [case(PAC_UPN_DNS_FLAG_HAS_SAM_NAME_AND_SID)] PAC_UPN_DNS_INFO_SAM_NAME_AND_SID sam_name_and_sid;
+ [default];
+ } PAC_UPN_DNS_INFO_EX;
+
typedef struct {
[value(2*strlen_m(upn_name))] uint16 upn_name_size;
[relative_short,subcontext(0),subcontext_size(upn_name_size),flag(NDR_ALIGN8|STR_NOTERM|NDR_REMAINING)] string *upn_name;
[value(2*strlen_m(dns_domain_name))] uint16 dns_domain_name_size;
[relative_short,subcontext(0),subcontext_size(dns_domain_name_size),flag(NDR_ALIGN8|STR_NOTERM|NDR_REMAINING)] string *dns_domain_name;
PAC_UPN_DNS_FLAGS flags;
+ [switch_is(flags & PAC_UPN_DNS_FLAG_HAS_SAM_NAME_AND_SID)] PAC_UPN_DNS_INFO_EX ex;
} PAC_UPN_DNS_INFO;
+ typedef [bitmap32bit] bitmap {
+ PAC_ATTRIBUTE_FLAG_PAC_WAS_REQUESTED = 0x00000001,
+ PAC_ATTRIBUTE_FLAG_PAC_WAS_GIVEN_IMPLICITLY = 0x00000002
+ } PAC_ATTRIBUTE_INFO_FLAGS;
+
+ typedef struct {
+ uint32 flags_length; /* length in bits */
+ PAC_ATTRIBUTE_INFO_FLAGS flags;
+ } PAC_ATTRIBUTES_INFO;
+
+ typedef struct {
+ dom_sid sid;
+ } PAC_REQUESTER_SID;
+
typedef [public] struct {
PAC_LOGON_INFO *info;
} PAC_LOGON_INFO_CTR;
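Review bot: `PAC_UPN_DNS_INFO_EX` is a `[nodiscriminant]` union switched on `flags & PAC_UPN_DNS_FLAG_HAS_SAM_NAME_AND_SID` with an empty `[default];` arm, and its `samaccountname` and `objectsid` members are `[relative_short]` pointers whose sizes come from the on-the-wire `samaccountname_size` and `objectsid_size`; the krb5pac_upn_dns_info_ex*.txt ndrdump vectors added in this changeset cover the well-formed and not-supported cases, so please also add a negative vector in which `objectsid_size` exceeds the remaining subcontext, to confirm the generated pull code returns an NDR error instead of reading past the buffer. Also `uint32 flags_length; /* length in bits */` in `PAC_ATTRIBUTES_INFO` should say what value a server is expected to emit there.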
@@ -116,7 +144,9 @@ interface krb5pac
PAC_TYPE_CLIENT_CLAIMS_INFO = 13,
PAC_TYPE_DEVICE_INFO = 14,
PAC_TYPE_DEVICE_CLAIMS_INFO = 15,
- PAC_TYPE_TICKET_CHECKSUM = 16
+ PAC_TYPE_TICKET_CHECKSUM = 16,
+ PAC_TYPE_ATTRIBUTES_INFO = 17,
+ PAC_TYPE_REQUESTER_SID = 18
} PAC_TYPE;
typedef struct {
@@ -133,6 +163,8 @@ interface krb5pac
PAC_CONSTRAINED_DELEGATION_CTR constrained_delegation;
[case(PAC_TYPE_UPN_DNS_INFO)] PAC_UPN_DNS_INFO upn_dns_info;
[case(PAC_TYPE_TICKET_CHECKSUM)] PAC_SIGNATURE_DATA ticket_checksum;
+ [case(PAC_TYPE_ATTRIBUTES_INFO)] PAC_ATTRIBUTES_INFO attributes_info;
+ [case(PAC_TYPE_REQUESTER_SID)] PAC_REQUESTER_SID requester_sid;
/* when new PAC info types are added they are supposed to be done
in such a way that they are backwards compatible with existing
servers. This makes it safe to just use a [default] for
@@ -142,7 +174,7 @@ interface krb5pac
typedef [public,nopush,nopull] struct {
PAC_TYPE type;
- [value(_ndr_size_PAC_INFO(info, type, 0))] uint32 _ndr_size;
+ [value(_ndr_size_PAC_INFO(info, type, LIBNDR_FLAG_ALIGN8))] uint32 _ndr_size;
/*
* We need to have two subcontexts to get the padding right,
* the outer subcontext uses NDR_ROUND(_ndr_size, 8), while
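Review bot: the `_ndr_size` value attribute now passes `LIBNDR_FLAG_ALIGN8`, and it has to stay identical to the hand-written `_ndr_size_PAC_INFO()` calls in librpc/ndr/ndr_krb5pac.c changed in this same patch; the comment block below already explains the two-subcontext padding trick, so extend it with one line saying the IDL and ndr_krb5pac.c must both compute the size with ALIGN8.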
diff --git a/librpc/ndr/ndr_krb5pac.c b/librpc/ndr/ndr_krb5pac.c
index a9ae2c4a789..57b28df9e52 100644
--- a/librpc/ndr/ndr_krb5pac.c
+++ b/librpc/ndr/ndr_krb5pac.c
@@ -41,7 +41,7 @@ enum ndr_err_code ndr_push_PAC_BUFFER(struct ndr_push *ndr, int ndr_flags, const
if (ndr_flags & NDR_SCALARS) {
NDR_CHECK(ndr_push_align(ndr, 4));
NDR_CHECK(ndr_push_PAC_TYPE(ndr, NDR_SCALARS, r->type));
- NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, _ndr_size_PAC_INFO(r->info,r->type,0)));
+ NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, _ndr_size_PAC_INFO(r->info,r->type,LIBNDR_FLAG_ALIGN8)));
{
uint32_t _flags_save_PAC_INFO = ndr->flags;
ndr_set_flags(&ndr->flags, LIBNDR_FLAG_ALIGN8);
@@ -59,7 +59,7 @@ enum ndr_err_code ndr_push_PAC_BUFFER(struct ndr_push *ndr, int ndr_flags, const
{
struct ndr_push *_ndr_info_pad;
struct ndr_push *_ndr_info;
- size_t _ndr_size = _ndr_size_PAC_INFO(r->info, r->type, 0);
+ size_t _ndr_size = _ndr_size_PAC_INFO(r->info, r->type, LIBNDR_FLAG_ALIGN8);
NDR_CHECK(ndr_push_subcontext_start(ndr, &_ndr_info_pad, 0, NDR_ROUND(_ndr_size, 8)));
NDR_CHECK(ndr_push_subcontext_start(_ndr_info_pad, &_ndr_info, 0, _ndr_size));
NDR_CHECK(ndr_push_set_switch_value(_ndr_info, r->info, r->type));
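Review bot: `_ndr_size_PAC_INFO(r->info, r->type, LIBNDR_FLAG_ALIGN8)` is evaluated twice per push, once for the `_ndr_size` scalar in the previous hunk and once here for the subcontext; if the two call sites ever diverge, the declared size and the `NDR_ROUND(_ndr_size, 8)` outer subcontext would disagree, so compute the size once and reuse it, or at minimum add a comment tying the two calls together.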
diff --git a/librpc/rpc/dcerpc_pkt_auth.c b/librpc/rpc/dcerpc_pkt_auth.c
index 322d7497893..1cb191468b5 100644
--- a/librpc/rpc/dcerpc_pkt_auth.c
+++ b/librpc/rpc/dcerpc_pkt_auth.c
@@ -39,6 +39,7 @@
NTSTATUS dcerpc_ncacn_pull_pkt_auth(const struct dcerpc_auth *auth_state,
struct gensec_security *gensec,
+ bool check_pkt_auth_fields,
TALLOC_CTX *mem_ctx,
enum dcerpc_pkt_type ptype,
uint8_t required_flags,
@@ -115,16 +116,18 @@ NTSTATUS dcerpc_ncacn_pull_pkt_auth(const struct dcerpc_auth *auth_state,
return NT_STATUS_INTERNAL_ERROR;
}
- if (auth.auth_type != auth_state->auth_type) {
- return NT_STATUS_ACCESS_DENIED;
- }
+ if (check_pkt_auth_fields) {
+ if (auth.auth_type != auth_state->auth_type) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
- if (auth.auth_level != auth_state->auth_level) {
- return NT_STATUS_ACCESS_DENIED;
- }
+ if (auth.auth_level != auth_state->auth_level) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
- if (auth.auth_context_id != auth_state->auth_context_id) {
- return NT_STATUS_ACCESS_DENIED;
+ if (auth.auth_context_id != auth_state->auth_context_id) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
}
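Review bot: with `check_pkt_auth_fields == false` the `auth_type`, `auth_level` and `auth_context_id` carried on this fragment are no longer compared against `auth_state`, so correctness depends entirely on the caller having selected the first fragment's `auth_state`; the signature check/unseal below still runs against that `auth_state`'s gensec, which is what makes ignoring the per-fragment fields safe, and that invariant should be stated in a comment here rather than only in dcesrv_auth.c so the next caller of this function sees it. Style: the three nested `if`s can be one condition, e.g. `if (check_pkt_auth_fields && (auth.auth_type != auth_state->auth_type || ...))`, which keeps the diff smaller.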
/* check signature or unseal the packet */
diff --git a/librpc/rpc/dcerpc_pkt_auth.h b/librpc/rpc/dcerpc_pkt_auth.h
index c0d23b91c05..1dcee12f53c 100644
--- a/librpc/rpc/dcerpc_pkt_auth.h
+++ b/librpc/rpc/dcerpc_pkt_auth.h
@@ -31,6 +31,7 @@
NTSTATUS dcerpc_ncacn_pull_pkt_auth(const struct dcerpc_auth *auth_state,
struct gensec_security *gensec,
+ bool check_pkt_auth_fields,
TALLOC_CTX *mem_ctx,
enum dcerpc_pkt_type ptype,
uint8_t required_flags,
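Review bot: the new `check_pkt_auth_fields` parameter has no doc comment in the header; state that `true` is required for a first fragment and that `false` means the fragment's own auth_type/auth_level/auth_context_id are ignored in favour of `auth_state`, which must then be the first fragment's, since a bare `bool` in the middle of this long signature is easy to pass wrongly.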
diff --git a/librpc/rpc/dcesrv_auth.c b/librpc/rpc/dcesrv_auth.c
index 62f69696dad..fec8df513a8 100644
--- a/librpc/rpc/dcesrv_auth.c
+++ b/librpc/rpc/dcesrv_auth.c
@@ -443,6 +443,10 @@ bool dcesrv_auth_prepare_auth3(struct dcesrv_call_state *call)
return false;
}
+ if (auth->auth_invalid) {
+ return false;
+ }
+
/* We can't work without an existing gensec state */
if (auth->gensec_security == NULL) {
return false;
@@ -529,6 +533,10 @@ bool dcesrv_auth_alter(struct dcesrv_call_state *call)
return false;
}
+ if (auth->auth_invalid) {
+ return false;
+ }
+
if (call->in_auth_info.auth_type != auth->auth_type) {
return false;
}
@@ -595,6 +603,7 @@ bool dcesrv_auth_pkt_pull(struct dcesrv_call_state *call,
.auth_level = auth->auth_level,
.auth_context_id = auth->auth_context_id,
};
+ bool check_pkt_auth_fields;
NTSTATUS status;
if (!auth->auth_started) {
@@ -610,8 +619,27 @@ bool dcesrv_auth_pkt_pull(struct dcesrv_call_state *call,
return false;
}
+ if (call->pkt.pfc_flags & DCERPC_PFC_FLAG_FIRST) {
+ /*
+ * The caller most likely checked this
+ * already, but we better double check.
+ */
+ check_pkt_auth_fields = true;
+ } else {
+ /*
+ * The caller already found first fragment
+ * and is passing the auth_state of it.
+ * A server is supposed to use the
+ * setting of the first fragment and
+ * completely ignore the values
+ * on the remaining fragments
+ */
+ check_pkt_auth_fields = false;
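Review bot: the else-branch comment says the server must use the first fragment's settings and ignore the rest, but the hunk is truncated before the `dcerpc_ncacn_pull_pkt_auth()` call that consumes `check_pkt_auth_fields`, so it is not visible here how a non-first fragment is matched to its first fragment's `auth_state`; add to the comment how that lookup is done (by the call the fragment belongs to, not by the fragment's own auth_context_id) so the reasoning behind the CVE-2021-23192 subject line is visible at the point of use. `check_pkt_auth_fields` is assigned on both branches, so there is no uninitialised path.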
--
Samba Shared Repository