[SCM] Samba Shared Repository - branch master updated
Andreas Schneider
asn at samba.org
Mon Nov 29 09:33:01 UTC 2021
The branch, master has been updated
via 90febd2a33b s4:mit-kdb: Force canonicalization for looking up principals
via 8b83758b7c5 s4:kdc: Remove trailing spaces in db-glue.c
via d128a85f999 s4:mit-kdb: Reduce includes to only what's needed
via 28be1acd8eb mit-kdc: Use more strict KDC default settings
from 3507e96b3dc CVE-2021-3670 ldap_server: Clearly log LDAP queries and timeouts
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 90febd2a33b88af49af595fe0e995d6ba0f33a1b
Author: Isaac Boukris <iboukris at gmail.com>
Date: Sat Sep 19 14:16:20 2020 +0200
s4:mit-kdb: Force canonicalization for looking up principals
See also
https://github.com/krb5/krb5/commit/ac8865a22138ab0c657208c41be8fd6bc7968148
Pair-Programmed-With: Andreas Schneider <asn at samba.org>
Signed-off-by: Isaac Boukris <iboukris at gmail.com>
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Mon Nov 29 09:32:26 UTC 2021 on sn-devel-184
commit 8b83758b7c51e4effc57c6130abb38bd53d74bb9
Author: Andreas Schneider <asn at cryptomilk.org>
Date: Tue Oct 19 09:59:54 2021 +0200
s4:kdc: Remove trailing spaces in db-glue.c
Signed-off-by: Andreas Schneider <asn at cryptomilk.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
commit d128a85f999afb002b510ad6ec8c94f7df006195
Author: Andreas Schneider <asn at samba.org>
Date: Tue Nov 23 07:43:05 2021 +0100
s4:mit-kdb: Reduce includes to only what's needed
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
commit 28be1acd8eb921c15cbd1260711cbbdd48595e6c
Author: Andreas Schneider <asn at samba.org>
Date: Mon Oct 11 10:55:52 2021 +0200
mit-kdc: Use more strict KDC default settings
As we require MIT KRB5 >= 1.19 for the KDC, use more secure defaults.
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
-----------------------------------------------------------------------
Summary of changes:
python/samba/provision/kerberos.py | 7 +++++++
selftest/knownfail_mit_kdc | 14 --------------
selftest/target/Samba.pm | 7 +++++++
source4/heimdal/lib/hdb/hdb.h | 1 +
source4/kdc/db-glue.c | 15 ++++++++++-----
source4/kdc/mit-kdb/kdb_samba_policies.c | 9 ++++++---
source4/kdc/mit_samba.c | 8 ++++++++
source4/kdc/sdb.h | 1 +
8 files changed, 40 insertions(+), 22 deletions(-)
Changeset truncated at 500 lines:
diff --git a/python/samba/provision/kerberos.py b/python/samba/provision/kerberos.py
index 6b8ceb28733..665c031ffa5 100644
--- a/python/samba/provision/kerberos.py
+++ b/python/samba/provision/kerberos.py
@@ -52,19 +52,26 @@ def create_kdc_conf(kdcconf, realm, domain, logdir):
f.write("\tkdc_ports = 88\n")
f.write("\tkdc_tcp_ports = 88\n")
f.write("\tkadmind_port = 464\n")
+ f.write("\trestrict_anonymous_to_tgt = true\n")
f.write("\n")
f.write("[realms]\n")
f.write("\t%s = {\n" % realm)
+ f.write("\t\tmaster_key_type = aes256-cts\n")
+ f.write("\t\tdefault_principal_flags = +preauth\n")
f.write("\t}\n")
f.write("\n")
f.write("\t%s = {\n" % realm.lower())
+ f.write("\t\tmaster_key_type = aes256-cts\n")
+ f.write("\t\tdefault_principal_flags = +preauth\n")
f.write("\t}\n")
f.write("\n")
f.write("\t%s = {\n" % domain)
+ f.write("\t\tmaster_key_type = aes256-cts\n")
+ f.write("\t\tdefault_principal_flags = +preauth\n")
f.write("\t}\n")
f.write("\n")
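Review bot: The three realm stanzas at L67–L80 now carry identical hard-coded `master_key_type` and `default_principal_flags` lines, so the next hardening tweak has to be applied three times and can silently drift between them; a loop over the three names keeps one copy. A short comment on what each setting buys would also help a reader of the generated kdc.conf: `restrict_anonymous_to_tgt` and `+preauth` are the security-relevant ones, while `master_key_type` presumably only matters if this KDC ever stashes a master key with the Samba backend — confirm against the MIT documentation before stating that. Note these lines are only written by `create_kdc_conf` at provision time, so already-provisioned domains keep their old kdc.conf unless some upgrade step rewrites it; the commit message does not say whether that is intended. `create_kdc_conf` starts before and ends after this hunk.
```python
    f.write("[realms]\n")
    # One stanza per name the realm is addressed by; keep the hardening
    # settings in a single place so the three copies cannot drift apart.
    for name in (realm, realm.lower(), domain):
        f.write("\t%s = {\n" % name)
        f.write("\t\tmaster_key_type = aes256-cts\n")
        f.write("\t\tdefault_principal_flags = +preauth\n")
        f.write("\t}\n")
        f.write("\n")
    # … unchanged: remainder of the kdc.conf body …
```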
diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc
index cc7b501c6bf..c046a46a4f3 100644
--- a/selftest/knownfail_mit_kdc
+++ b/selftest/knownfail_mit_kdc
@@ -379,8 +379,6 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_revealed
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_sid_mismatch_existing
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_sid_mismatch_nonexisting
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_authdata_no_pac
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_no_pac
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_req
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_rodc_allowed_denied
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_rodc_denied
@@ -408,8 +406,6 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_authdata_no_pac
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_no_pac
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_no_sname
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_other_sname
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_req
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_rodc_allowed_denied
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_rodc_denied
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_rodc_no_krbtgt_link
@@ -422,10 +418,6 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_sid_mismatch_existing
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_sid_mismatch_nonexisting
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_tgt_cname_host
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_tgt_correct_cname
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_tgt_correct_realm
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_tgt_other_cname
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_tgt_wrong_realm
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_wrong_sname
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_wrong_sname_krbtgt
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_wrong_srealm
@@ -471,12 +463,6 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_pac_request_false
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_pac_request_none
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_pac_request_true
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_pac_request_false
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_pac_request_none
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_pac_request_true
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_user_pac_request_false
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_user_pac_request_none
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_user_pac_request_true
#
# PAC requester SID tests
#
diff --git a/selftest/target/Samba.pm b/selftest/target/Samba.pm
index c4f8eb5d4f9..ab6d8edc2cc 100644
--- a/selftest/target/Samba.pm
+++ b/selftest/target/Samba.pm
@@ -457,15 +457,22 @@ sub mk_mitkdc_conf($$)
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
+ restrict_anonymous_to_tgt = true
[realms]
$ctx->{realm} = {
+ master_key_type = aes256-cts
+ default_principal_flags = +preauth
}
$ctx->{dnsname} = {
+ master_key_type = aes256-cts
+ default_principal_flags = +preauth
}
$ctx->{domain} = {
+ master_key_type = aes256-cts
+ default_principal_flags = +preauth
}
[dbmodules]
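Review bot: This here-doc now duplicates the realm stanza that `create_kdc_conf` in python/samba/provision/kerberos.py writes in the same commit, and nothing ties the two together, so the selftest KDC can silently diverge from what a real provision produces. A one-line pointer placed before the here-doc (a `#` inside it would be emitted into the generated kdc.conf) would at least make the coupling visible: `# keep in sync with create_kdc_conf() in python/samba/provision/kerberos.py`. `mk_mitkdc_conf` starts before and ends after this hunk.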
diff --git a/source4/heimdal/lib/hdb/hdb.h b/source4/heimdal/lib/hdb/hdb.h
index 5ef9d9565f3..dafaffc6c2d 100644
--- a/source4/heimdal/lib/hdb/hdb.h
+++ b/source4/heimdal/lib/hdb/hdb.h
@@ -63,6 +63,7 @@ enum hdb_lockop{ HDB_RLOCK, HDB_WLOCK };
#define HDB_F_ALL_KVNOS 2048 /* we want all the keys, live or not */
#define HDB_F_FOR_AS_REQ 4096 /* fetch is for a AS REQ */
#define HDB_F_FOR_TGS_REQ 8192 /* fetch is for a TGS REQ */
+#define HDB_F_FORCE_CANON 16384 /* force canonicalition */
/* hdb_capability_flags */
#define HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL 1
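Review bot: The comment on the new flag has a typo, `canonicalition`, and more importantly this is a Samba-local addition to the vendored Heimdal header while nothing in the changeset reads `HDB_F_FORCE_CANON` on the Heimdal side. If the bit is reserved here only so that the `SDB_F_*` values in source4/kdc/sdb.h stay numerically aligned with `HDB_F_*` (as `HDB_F_FOR_AS_REQ`/`HDB_F_FOR_TGS_REQ` are), the comment should say so: `#define HDB_F_FORCE_CANON 16384 /* Samba-only: force canonicalization; mirrors SDB_F_FORCE_CANON */`. Upstream Heimdal may already use, or later assign, bit 16384 for a different flag, so whoever next syncs the bundled tree needs to re-check this value — worth noting alongside the define.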
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index aff74f2ee71..bfde2baf0b5 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -870,13 +870,13 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
userAccountControl |= msDS_User_Account_Control_Computed;
}
- /*
+ /*
* If we are set to canonicalize, we get back the fixed UPPER
* case realm, and the real username (ie matching LDAP
- * samAccountName)
+ * samAccountName)
*
* Otherwise, if we are set to enterprise, we
- * get back the whole principal as-sent
+ * get back the whole principal as-sent
*
* Finally, if we are not set to canonicalize, we get back the
* fixed UPPER case realm, but the as-sent username
@@ -922,11 +922,16 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
krb5_clear_error_message(context);
goto out;
}
- } else if ((flags & SDB_F_CANON) && (flags & SDB_F_FOR_AS_REQ)) {
+ } else if ((flags & SDB_F_FORCE_CANON) ||
+ ((flags & SDB_F_CANON) && (flags & SDB_F_FOR_AS_REQ))) {
/*
* SDB_F_CANON maps from the canonicalize flag in the
* packet, and has a different meaning between AS-REQ
* and TGS-REQ. We only change the principal in the AS-REQ case
+ *
+ * The SDB_F_FORCE_CANON if for new MIT KDC code that wants
+ * the canonical name in all lookups, and takes care to
+ * canonicalize only when appropriate.
*/
ret = smb_krb5_make_principal(context, &entry_ex->entry.principal, lpcfg_realm(lp_ctx), samAccountName, NULL);
if (ret) {
@@ -946,7 +951,7 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
* the client-specified realm. This code attempts to
* replace the client principal's realm with the one
* we determine from our records */
-
+
/* this has to be with malloc() */
ret = smb_krb5_principal_set_realm(context, entry_ex->entry.principal, lpcfg_realm(lp_ctx));
if (ret) {
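Review bot: With `SDB_F_FORCE_CANON` set, the principal is rewritten to `samAccountName@REALM` regardless of whether the request was an AS-REQ, yet the comment kept at L190–L192 still says the principal is only changed in the AS-REQ case, so the comment now contradicts the condition right above it; `if for` in the new comment is also a typo. The responsibility for not exposing the canonical name to a client that did not ask for it thereby moves to the caller, and the comment should make that explicit, e.g. `* SDB_F_FORCE_CANON: the MIT KDC (API >= 10) wants the canonical name` / `* from every lookup and decides itself whether to reveal it, so this` / `* branch must not assume the client requested canonicalization.` The branch that closes at L183–L185 still takes precedence over this `else if`; if that is the enterprise-name path described at L176–L178, confirm the MIT side is fine receiving the as-sent principal there. `samba_kdc_message2entry` starts before and ends after this hunk.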
diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c
index f35210669c2..336aa3f711a 100644
--- a/source4/kdc/mit-kdb/kdb_samba_policies.c
+++ b/source4/kdc/mit-kdb/kdb_samba_policies.c
@@ -20,9 +20,12 @@
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
-#include "includes.h"
-
-#include "system/kerberos.h"
+#include "lib/replace/replace.h"
+#include "lib/replace/system/kerberos.h"
+#include "lib/util/data_blob.h"
+#include "lib/util/debug.h"
+#include "lib/util/fault.h"
+#include "lib/util/memory.h"
#include <profile.h>
#include <kdb.h>
diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c
index 4239332f0d9..53c137de2fd 100644
--- a/source4/kdc/mit_samba.c
+++ b/source4/kdc/mit_samba.c
@@ -221,6 +221,14 @@ int mit_samba_get_principal(struct mit_samba_context *ctx,
return ENOMEM;
}
+#if KRB5_KDB_API_VERSION >= 10
+ /*
+ * The MIT KDC code that wants the canonical name in all lookups, and
+ * takes care to canonicalize only when appropriate.
+ */
+ sflags |= SDB_F_FORCE_CANON;
+#endif
+
if (kflags & KRB5_KDB_FLAG_CANONICALIZE) {
sflags |= SDB_F_CANON;
}
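Review bot: The new block sets `SDB_F_FORCE_CANON` unconditionally for API version 10, but the `KRB5_KDB_FLAG_CANONICALIZE` test that follows at L242 is left untouched; if API 10 also changed that flag's meaning (the krb5 commit cited in the message, ac8865a22138, is where to check), `SDB_F_CANON` may now be derived from a compatibility alias rather than the client's canonicalize request. Either way a maintainer needs to know which of the two flags the forced path relies on, and the comment as written is a sentence fragment ("The MIT KDC code that wants ..."); suggest `/* API >= 10: the KDC always wants the canonical name and decides itself` / `* whether to reveal it (krb5 ac8865a22138); SDB_F_CANON below still` / `* reflects the request flag for the remaining callers. */`. `mit_samba_get_principal` starts before and ends after this hunk.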
diff --git a/source4/kdc/sdb.h b/source4/kdc/sdb.h
index c929acccce6..a9115ec23d7 100644
--- a/source4/kdc/sdb.h
+++ b/source4/kdc/sdb.h
@@ -116,6 +116,7 @@ struct sdb_entry_ex {
#define SDB_F_KVNO_SPECIFIED 128 /* we want a particular KVNO */
#define SDB_F_FOR_AS_REQ 4096 /* fetch is for a AS REQ */
#define SDB_F_FOR_TGS_REQ 8192 /* fetch is for a TGS REQ */
+#define SDB_F_FORCE_CANON 16384 /* force canonicalition */
void sdb_free_entry(struct sdb_entry_ex *e);
void free_sdb_entry(struct sdb_entry *s);
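Review bot: `canonicalition` in the new comment is a typo, and the comment omits the constraint that actually matters: 16384 is chosen to equal `HDB_F_FORCE_CANON` added to source4/heimdal/lib/hdb/hdb.h in this same commit, in the same way `SDB_F_FOR_AS_REQ`/`SDB_F_FOR_TGS_REQ` mirror their `HDB_F_` counterparts at 4096/8192, and nothing enforces the match. Suggest `#define SDB_F_FORCE_CANON 16384 /* force canonicalization; must equal HDB_F_FORCE_CANON */` so the next person adding a flag on either side knows to keep them aligned.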