[SCM] Samba Shared Repository - branch v4-14-stable updated
Jule Anger
janger at samba.org
Wed Oct 27 13:22:02 UTC 2021
The branch, v4-14-stable has been updated
via c1bd376c357 VERSION: Disable GIT_SNAPSHOT for the 4.14.9 release.
via d9c91656442 WHATSNEW: Add release notes for Samba 4.14.9.
via c1d2a0570df ldb: Release ldb 2.3.1
via e425abeb7d2 pyldb: Make ldb.Message containment testing consistent with indexing
via fabd904977a pyldb: Add tests for ldb.Message containment testing
via 588749ba7ba pyldb: Raise TypeError for an invalid ldb.Message index
via a78c94440be pyldb: Add test for an invalid ldb.Message index type
via e37949faf91 s4/torture/drs/python: Fix attribute existence check
via d8f30194798 pyldb: Fix deleting an ldb.Control critical flag
via 320278f1cfb pytest:segfault: Add test for deleting an ldb.Control critical flag
via 2bb74e48c7f pyldb: Fix deleting an ldb.Message dn
via 805183c8165 pytest:segfault: Add test for deleting an ldb.Message dn
via 33e8ef79d4d Fix Python docstrings
via 6b5aba80e64 lib/krb5_wrap: Fix missing error check in new salt code
via 51324ea4a65 dsdb: Allow special chars like "@" in samAccountName when generating the salt
via d79ddfb027a tests/krb5: Add tests for account salt calculation
via 46ef1ac3f37 tests/krb5: Fix account salt calculation to match Windows
via b2157fd16de tests/krb5: Allow specifying the UPN for test accounts
via 68f9cc0b9f2 tests/krb5: Allow creating machine accounts without a trailing dollar
via cf03277b663 tests/krb5: Allow specifying prefix or suffix for test account names
via 3a813c6d70e tests/krb5: Decrease length of test account prefix
via 7fbdc4f0bc4 selftest/Samba3: replace (winbindd => "yes", skip_wait => 1) with (winbindd => "offline")
via 64880dc2ad2 selftest/Samba3: remove unused close(USERMAP); calls
via 523b18be4b1 waf: Allow building with MIT KRB5 >= 1.20
via 1918feb3e9f selftest: Improve error handling and perl style when setting up users in Samba4.pm
via e4e9f671d03 selftest: Remove duplicate setup of $base_dn and $ldbmodify
via 93ea095a260 selftest: krb5 account creation: clarify account type as an enum
via 11a5c413da5 pytest: dynamic tests optionally add __doc__
via 0d100830605 selftest: Increase account lockout windows to make test more reliable
via 30b9be9601b pytest/rodc_rwdc: try to avoid race.
via 45cd642a456 HEIMDAL:kdc: Fix transit path validation CVE-2017-6594
via 716b2825791 tests/krb5: Add tests for constrained delegation to NO_AUTH_DATA_REQUIRED service
via d8b9907d2a7 tests/krb5: Ensure PAC is not present if expect_pac is false
via 2149108966f kdc: Correctly strip PAC, rather than error on UF_NO_AUTH_DATA_REQUIRED for servers
via 5cdec75f8bc kdc: Remove UF_NO_AUTH_DATA_REQUIRED from client principals
via 8034d387a8f tests/krb5: Add tests for requesting a service ticket without a PAC
via bb3fbf53ad1 tests/krb5: Add method to get the PAC from a ticket
via d09fa6b47b3 tests/krb5: Allow specifying whether to expect a PAC with _test_as_exchange()
via 1a1f72c2e22 tests/krb5: Allow get_tgt() to request including or omitting a PAC
via 4e98f5d9d46 heimdal:kdc: Fix ticket signing without a PAC
via c3df114577d selftest/dbcheck: Fix up RODC one-way links (use correct dbcheck rule)
via 4ecd119b7c1 krb5: Fix PAC signature leak affecting KDC
via eadd3b8844d s4:kdc: Check ticket signature
via a2c7a5a94e6 heimdal: Make _krb5_pac_get_kdc_checksum_info() into a global function
via c8bbd3d659b s4/heimdal/lib/krb5/pac.c: Align PAC buffers to match Windows
via a1d8f275d10 kdc: correctly generate PAC TGS signature
via 4de575650ee kdc: use ticket client name when signing PAC
via 81e1564e3ee kdc: only set HDB_F_GET_KRBTGT when requesting TGS principal
via 15789d27dd9 krb5: return KRB5KRB_AP_ERR_INAPP_CKSUM if PAC checksum fails
via bf8ad7c0d29 krb5: rework PAC validation loop
via 5c5ca93aab7 krb5: allow NULL parameter to krb5_pac_free()
via 2d2da2af26e kdc: sign ticket using Windows PAC
via 4e4fa68e1b5 kdc: remove KRB5SignedPath, to be replaced with PAC
via 77f46ab1a4a s4/torture: Expect ticket checksum PAC buffer
via a3864293e82 s4:kdc: Fix debugging messages
via 8048b6fe8cf s4:kdc: Simplify samba_kdc_update_pac_blob() to take ldb_context as parameter
via 761ae6dba67 tests/krb5: Fix duplicate account creation
via 0c828728e0d tests/krb5: Allow bypassing cache when creating accounts
via fbf52f34082 tests/krb5: Don't include empty AD-IF-RELEVANT
via f8ac3ccdb7c tests/krb5: Add constrained delegation tests
via 271b8cebf14 tests/krb5: Verify tickets obtained with get_service_ticket()
via a5f3863aec1 tests/krb5: Require ticket checksums if decryption key is available
via ec438f0b6ee tests/krb5: Add TKT_SIG_SUPPORT environment variable
via 1ddb8111ed5 selftest/dbcheck: Fix up RODC one-way links
via 2c65205c238 tests/krb5: Fix sha1 checksum type
via fd40fbe9a39 tests/krb5: Provide clearer assertion messages for test failures
via 2dc3b7d9a4c tests/krb5: Disable debugging output for tests
via 5620fbd2a3d tests/krb5: Simplify padata checking
via dafb8efd7f5 tests/krb5: Check logon name in PAC
via 1eb3f880c70 tests/krb5: Check padata types when STRICT_CHECKING=0
via e7150fe2968 tests/krb5: Add environment variable to specify KDC FAST support
via a26133b9f0a tests/krb5: Fix padata checking at functional level 2003
via 72c05a708d1 tests/krb5: Clarify checksum type assertion message
via 8537439913a tests/krb5: Use correct principal name type
via cb0b486f483 tests/krb5: Add compatability tests for ticket checksums
via d5e7162ae37 tests/krb5: Add parameter to enforce presence of ticket checksums
via a608f759105 tests/krb5: Supply supported account enctypes in tgs_req()
via d9135f31e33 tests/krb5: Allow specifying options and expected flags when obtaining a ticket
via 0e16f882d02 tests/krb5: Save account SPN
via 2c77e1d8771 tests/krb5: Check constrained delegation PAC buffer
via fbfdfb979f3 tests/krb5: Check buffer types in PAC with STRICT_CHECKING=1
via bbaa1159d2d tests/krb5: Add expect_claims parameter to kdc_exchange_dict
via 68275cdd191 tests/krb5: Fix checking for presence of error data
via 0bdeb9cebf0 tests/krb5: Remove unneeded parameters from ticket cache key
via 316df8064de tests/krb5: Fix assertElementFlags()
via 191a0e9dbb3 tests/krb5: Make expected_sname checking more explicit
via ca549882cf6 tests/krb5: Fix status code checking
via 0547b4ebcdd tests/krb5: Fix handling authdata with missing PAC
via a4e9eb693a9 tests/krb5: Allow excluding the PAC server checksum
via f2c1535f8b6 tests/krb5: Fix checksum generation and verification
via 08608d9f50e tests/krb5: Fix method for creating invalid length zeroed checksum
via bd1aa18c52b tests/krb5: Introduce helper method for creating invalid length checksums
via d5566cbb681 tests/krb5: Add assertion to make failures clearer
via ce2da506c77 tests/krb5: Allow created accounts to use resource-based constrained delegation
via 22477380e69 tests/krb5: Rename allowed_to_delegate_to parameter for clarity
via b5432f5203f tests/krb5: Fix PA-PAC-OPTIONS checking
via 505eb4e71f7 tests/krb5: Fix sending PA-PAC-OPTIONS and PA-PAC-REQUEST
via 2af40a2ddf2 tests/krb5: Allow for missing msDS-KeyVersionNumber attribute
via 91df69559c5 tests/krb5: Remove unused parameter
via 85053e6eb2e tests/krb5: Rename method parameter
via bb6eb577c05 tests/krb5: Add classes for testing invalid checksums
via 4cf6614a16a tests/krb5: Add method to determine if principal is krbtgt
via 6868628eab7 tests/krb5: Verify checksums of tickets obtained from the KDC
via 1c1154d81ad tests/krb5: Add get_rodc_krbtgt_creds() to RawKerberosTest
via 5cd321086ba tests/krb5: Simplify account creation
via ac378a754bd tests/krb5: Provide ticket enc-part key to tgs_req()
via 0fbff441fc7 tests/krb5: Fix checking for presence of authorization data
via e71cfc36ad7 tests/krb5: Add method to get DC credentials
via c08defb5a7d tests/krb5: Allow tgs_req() to check the returned ticket enc-part
via 39941358333 tests/krb5: Set key version number for all accounts created with create_account()
via 15c7c561f7b tests/krb5: Correctly check PA-SUPPORTED-ENCTYPES
via 4ace77d830b tests/krb5: Get supported enctypes for credentials from database
via 84973c79a79 tests/krb5: Add methods to convert between enctypes and bitfields
via efc3d6edd69 tests/krb5: Make get_default_enctypes() return a set of enctype constants
via f2744977896 tests/krb5: Simplify adding authdata to ticket by using modified_ticket()
via 02c17fe22be tests/krb5: Add method for modifying a ticket and creating PAC checksums
via bee8264f1bc tests/krb5: Add method to verify ticket PAC checksums
via 1301ed37c44 tests/krb5: Add RodcPacEncryptionKey type allowing for RODC PAC signatures
via 4fc5d67f601 tests/krb5: Add methods for creating zeroed checksums and verifying checksums
via 912bac3ba71 tests/krb5: Cache obtained tickets
via 10db9a0bfb0 tests/krb5: Return encpart from get_tgt() as part of KerberosTicketCreds
via 5db1b57b20d tests/krb5: Move get_tgt() and get_service_ticket() to kdc_base_test
via 459e3bd695b tests/krb5: Allow get_tgt() to specify expected and unexpected flags
via b14183e7f35 tests/krb5: Allow get_tgt() to specify different kdc-options
via 65a269f1e31 tests/krb5: Allow get_tgt() to get tickets from the RODC
via 1e6c77a03af tests/krb5: Allow get_service_ticket() to get tickets from the RODC
via 690d90ba615 tests/krb5: Set DN of created accounts to ldb.Dn type
via 7ad68c8cc59 tests/krb5: Don't manually create PAC request and options in fast_tests
via 71c46e032a9 tests/krb5: Use PAC buffer type constants from krb5pac.idl
via eb103f6337a tests/krb5: Allow as_req() to specify different kdc-options
via aff414e2a75 tests/krb5: Allow tgs_req() to send requests to the RODC
via 8c7d78a2e1a tests/krb5: Allow tgs_req() to specify different kdc-options
via c2a61c2c911 tests/krb5: Allow tgs_req() to send additional padata
via 76f1deb3cd8 tests/krb5: Refactor tgs_req() to use _generic_kdc_exchange
via 61cc6767c32 tests/krb5: Check correct flags element
via 5812a13ec5f tests/krb5: Add helper method for modifying PACs
via bf06918b44d python/join: Check for correct msDS-KrbTgtLink attribute
via 0dcab6505c6 python: Don't leak file handles
via 6614fee6e8b tests/krb5: Allow replicating accounts to the created RODC
via 82a19ce548e tests/krb5: Create RODC account for testing
via 10e46b9b74b tests/krb5: Allow replicating accounts to the RODC
via fadecadfe2f tests/krb5: Add get_secrets() method to get the secret attributes of a DN
via 61739d1a33a tests/krb5: Add method to get RODC krbtgt credentials
via 811714e4f6b tests/krb5: Sign-extend kvno from 32-bit integer
via 58f68bf357f tests/krb5: Generate padata for FAST tests
via 18c892942ee tests/krb5: Add get_cached_creds() method to create persistent accounts for testing
via 7594ba47c19 tests/krb5: Get encpart decryption key from kdc_exchange_dict
via 0e1d6fda206 tests/krb5: Get expected cname from TGT for TGS-REQ messages
via dcd13ba166e tests/krb5: Allow specifying status code to be checked
via 23eaf0160ad tests/krb5: Create testing accounts in appropriate containers
via fc91b526f7d tests/krb5: Check for presence of 'key-expiration' element
via 95c7eba3951 tests/krb5: Check 'caddr' element
via 1984c30ce37 tests/krb5: Check for presence of 'renew-till' element
via 0e80a7ef9c4 tests/krb5: Allow Kerberos requests to be sent to DC or RODC
via 39a7676c868 tests/krb5: Make time assertion less strict
via d5b1b59cde4 tests/krb5: Allow specifying ticket flags expected to be set or reset
via 3edaa318df9 tests/krb5: Remove magic constants
via d94233f1e0c tests/krb5: Don't create PAC request or options manually in fast_tests
via 7d955391e29 tests/krb5: Don't create PAC request manually in as_req_tests
via f63461ffd80 tests/krb5: add options to kdc_exchange_dict to specify including PAC-REQUEST or PAC-OPTIONS
via 7b6848c73b0 tests/krb5: Move padata generation methods to base class
via c8c0af0b20f tests/krb5: Keep track of account DN in credentials object
via ee2a85aba9f tests/krb5: Allow specifying additional User Account Control flags for account
via dadedd0d550 tests/krb5: Allow specifying an OU to create accounts in
via e1fa2fff930 tests/krb5: Replace expected_cname_private with expected_anon parameter
via 231d508a472 tests/krb5: Use more compact dict lookup
via a87fdc6629f tests/krb5: Add KDCOptions flag for constrained delegation
via 22aa29993e0 tests/krb5: Use signed integers to represent key version numbers in ASN.1
via ba22aee1d8c tests/krb5: Add methods to obtain the length of checksum types
via 67d713b9362 tests/krb5: Calculate expected salt if not given explicitly
via fb63bdd8283 security.idl: Add well-known SIDs for FAST
via 6acbb94dadd krb5pac.idl: Add ticket checksum PAC buffer type
via 44636fa0378 ctdb-tests: add a comment to the generated public_addresses file used by eventscript UNIT tests
via c10d2880356 ctdb-tests: Fix typo in ctdb stub comment matching
via a200f88452e ctdb-scripts: filter out comments in public_addresses file
via edf50886ec5 s3: smbd: Ensure when we change security context we delete any $cwd cache.
via de2150dc762 s3: selftest: Add regression test to show the $cwd cache is misbehaving when we connect as a different user on a share.
via 6f10103d076 VERSION: Bump version up to Samba 4.14.9...
from d1c9330fa69 VERSION: Disable GIT_SNAPSHOT for the 4.14.8 release.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-14-stable
- Log -----------------------------------------------------------------
-----------------------------------------------------------------------
Summary of changes:
VERSION | 2 +-
WHATSNEW.txt | 104 +-
auth/credentials/credentials_krb5.c | 12 +-
ctdb/config/events/legacy/10.interface.script | 3 +-
ctdb/config/functions | 3 +
ctdb/tests/UNIT/eventscripts/scripts/local.sh | 1 +
ctdb/tests/UNIT/eventscripts/stubs/ctdb | 2 +-
lib/krb5_wrap/krb5_samba.c | 192 ++-
lib/krb5_wrap/krb5_samba.h | 13 +-
lib/ldb/ABI/{ldb-2.0.5.sigs => ldb-2.3.1.sigs} | 0
...pyldb-util-2.1.0.sigs => pyldb-util-2.3.1.sigs} | 0
lib/ldb/pyldb.c | 51 +-
lib/ldb/tests/python/api.py | 29 +
lib/ldb/wscript | 2 +-
lib/tdb/pytdb.c | 2 +-
lib/tevent/pytevent.c | 2 +-
librpc/idl/krb5pac.idl | 7 +-
librpc/idl/security.idl | 3 +
python/samba/__init__.py | 12 +-
python/samba/join.py | 7 +-
python/samba/ms_schema.py | 6 +-
python/samba/schema.py | 9 +-
python/samba/tests/__init__.py | 3 +-
.../samba/tests/krb5/as_canonicalization_tests.py | 11 +-
python/samba/tests/krb5/as_req_tests.py | 57 +-
python/samba/tests/krb5/compatability_tests.py | 48 +-
python/samba/tests/krb5/fast_tests.py | 476 ++-----
python/samba/tests/krb5/kcrypto.py | 28 +-
python/samba/tests/krb5/kdc_base_test.py | 1099 +++++++++++++--
python/samba/tests/krb5/kdc_tests.py | 4 +-
python/samba/tests/krb5/kdc_tgs_tests.py | 137 +-
.../krb5/ms_kile_client_principal_lookup_tests.py | 93 +-
python/samba/tests/krb5/raw_testcase.py | 1461 +++++++++++++++-----
python/samba/tests/krb5/rfc4120.asn1 | 3 +-
python/samba/tests/krb5/rfc4120_constants.py | 11 +
python/samba/tests/krb5/rfc4120_pyasn1.py | 3 +-
python/samba/tests/krb5/rodc_tests.py | 73 +
python/samba/tests/krb5/s4u_tests.py | 1074 +++++++++++++-
python/samba/tests/krb5/salt_tests.py | 327 +++++
python/samba/tests/krb5/simple_tests.py | 4 +-
python/samba/tests/krb5/test_ccache.py | 15 +-
python/samba/tests/krb5/test_ldap.py | 4 +-
python/samba/tests/krb5/test_rpc.py | 4 +-
python/samba/tests/krb5/test_smb.py | 4 +-
python/samba/tests/krb5/xrealm_tests.py | 4 +-
python/samba/tests/segfault.py | 12 +
python/samba/tests/usage.py | 2 +
selftest/knownfail.d/kdc-salt | 1 +
selftest/knownfail.d/python-segfaults | 2 +
selftest/knownfail_heimdal_kdc | 134 ++
selftest/knownfail_mit_kdc | 53 +
selftest/target/Samba3.pm | 16 +-
selftest/target/Samba4.pm | 76 +-
source3/passdb/machine_account_secrets.c | 10 +-
source3/script/tests/test_chdir_cache.sh | 102 ++
source3/selftest/tests.py | 9 +
source3/smbd/sec_ctx.c | 8 +
source4/dsdb/samdb/ldb_modules/password_hash.c | 23 +-
source4/dsdb/tests/python/rodc_rwdc.py | 8 +-
source4/heimdal/kdc/kerberos5.c | 147 +-
source4/heimdal/kdc/krb5tgs.c | 665 +++------
source4/heimdal/kdc/windc.c | 15 +-
source4/heimdal/kdc/windc_plugin.h | 5 +-
source4/heimdal/lib/asn1/krb5.asn1 | 21 -
source4/heimdal/lib/krb5/authdata.c | 124 ++
source4/heimdal/lib/krb5/pac.c | 484 ++++++-
source4/heimdal/lib/krb5/version-script.map | 5 +
source4/heimdal_build/wscript_build | 2 +-
source4/kdc/mit_samba.c | 14 +-
source4/kdc/pac-glue.c | 10 +-
source4/kdc/pac-glue.h | 3 +-
source4/kdc/wdc-samba4.c | 356 +++--
source4/kdc/wscript_build | 1 +
source4/librpc/ndr/py_security.c | 2 +-
source4/selftest/tests.py | 86 +-
source4/torture/drs/python/replica_sync.py | 2 +-
source4/torture/rpc/remote_pac.c | 14 +-
testprogs/blackbox/dbcheck.sh | 2 +-
78 files changed, 5964 insertions(+), 1855 deletions(-)
copy lib/ldb/ABI/{ldb-2.0.5.sigs => ldb-2.3.1.sigs} (100%)
copy lib/ldb/ABI/{pyldb-util-2.1.0.sigs => pyldb-util-2.3.1.sigs} (100%)
create mode 100755 python/samba/tests/krb5/rodc_tests.py
create mode 100755 python/samba/tests/krb5/salt_tests.py
create mode 100644 selftest/knownfail.d/kdc-salt
create mode 100755 source3/script/tests/test_chdir_cache.sh
create mode 100644 source4/heimdal/lib/krb5/authdata.c
Changeset truncated at 500 lines:
diff --git a/VERSION b/VERSION
index 4ef0829ae24..cb6ed014d2a 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
########################################################
SAMBA_VERSION_MAJOR=4
SAMBA_VERSION_MINOR=14
-SAMBA_VERSION_RELEASE=8
+SAMBA_VERSION_RELEASE=9
########################################################
# If a official release has a serious bug #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index cdea32de764..e41ee1dabb4 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,104 @@
+ ==============================
+ Release Notes for Samba 4.14.9
+ October 27, 2021
+ ==============================
+
+
+This is the latest stable release of the Samba 4.14 release series.
+
+
+Changes since 4.14.8
+--------------------
+
+o Jeremy Allison <jra at samba.org>
+ * BUG 14682: vfs_shadow_copy2: core dump in make_relative_path.
+
+o Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
+ * BUG 14868: rodc_rwdc test flaps.
+ * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.
+
+o Andrew Bartlett <abartlet at samba.org>
+ * BUG 14836: Python ldb.msg_diff() memory handling failure.
+ * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
+ bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded
+ Heimdal.
+ * BUG 14845: "in" operator on ldb.Message is case sensitive.
+ * BUG 14848: Release LDB 2.3.1 for Samba 4.14.9.
+ * BUG 14870: Prepare to operate with MIT krb5 >= 1.20.
+ * BUG 14871: Fix Samba support for UF_NO_AUTH_DATA_REQUIRED.
+ * BUG 14874: Allow special chars like "@" in samAccountName when generating
+ the salt.
+ * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.
+
+o Ralph Boehme <slow at samba.org>
+ * BUG 14826: Correctly ignore comments in CTDB public addresses file.
+
+o Isaac Boukris <iboukris at gmail.com>
+ * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
+ bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded
+ Heimdal.
+ * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.
+
+o Viktor Dukhovni <viktor at twosigma.com>
+ * BUG 12998: Fix transit path validation.
+ * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.
+
+o Luke Howard <lukeh at padl.com>
+ * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
+ bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded
+ Heimdal.
+ * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.
+
+o Stefan Metzmacher <metze at samba.org>
+ * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.
+
+o Andreas Schneider <asn at samba.org>
+ * BUG 14870: Prepare to operate with MIT krb5 >= 1.20.
+ * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.
+
+o Martin Schwenke <martin at meltin.net>
+ * BUG 14826: Correctly ignore comments in CTDB public addresses file.
+
+o Joseph Sutton <josephsutton at catalyst.net.nz>
+ * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
+ bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded
+ Heimdal.
+ * BUG 14845: "in" operator on ldb.Message is case sensitive.
+ * BUG 14868: rodc_rwdc test flaps.
+ * BUG 14871: Fix Samba support for UF_NO_AUTH_DATA_REQUIRED.
+ * BUG 14874: Allow special chars like "@" in samAccountName when generating
+ the salt.
+ * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.
+
+o Nicolas Williams <nico at twosigma.com>
+ * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
+ bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded
+ Heimdal.
+ * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
==============================
Release Notes for Samba 4.14.8
October 05, 2021
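Review bot: the entry for BUG 12998 under Viktor Dukhovni says only "Fix transit path validation", while the corresponding commit in this push ("HEIMDAL:kdc: Fix transit path validation CVE-2017-6594") carries a CVE identifier; add the CVE number to that release-note line so distribution security trackers and users grepping WHATSNEW.txt can match the fix to the advisory, as is already done for CVE-2020-17049 in the BUG 14642 entries.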
@@ -89,8 +190,7 @@ database (https://bugzilla.samba.org/).
======================================================================
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
==============================
Release Notes for Samba 4.14.7
August 24, 2021
diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
index d7b1c430841..2338d9f114b 100644
--- a/auth/credentials/credentials_krb5.c
+++ b/auth/credentials/credentials_krb5.c
@@ -1200,12 +1200,12 @@ _PUBLIC_ int cli_credentials_get_keytab(struct cli_credentials *cred,
break;
}
- ret = smb_krb5_salt_principal(realm,
- username, /* sAMAccountName */
- upn, /* userPrincipalName */
- uac_flags,
- mem_ctx,
- &salt_principal);
+ ret = smb_krb5_salt_principal_str(realm,
+ username, /* sAMAccountName */
+ upn, /* userPrincipalName */
+ uac_flags,
+ mem_ctx,
+ &salt_principal);
if (ret) {
talloc_free(mem_ctx);
return ret;
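Review bot: this call site is switched to the new smb_krb5_salt_principal_str() wrapper, which (per the krb5_samba.c hunk further down in this push) initialises its own krb5_context on every call; if cli_credentials_get_keytab() already has a krb5_context in scope, calling smb_krb5_salt_principal() directly and unparsing the result would avoid the per-call context setup. Otherwise the change is a mechanical rename and the error handling that follows is unchanged.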
diff --git a/ctdb/config/events/legacy/10.interface.script b/ctdb/config/events/legacy/10.interface.script
index 72e0c101d47..d87f6c52c58 100755
--- a/ctdb/config/events/legacy/10.interface.script
+++ b/ctdb/config/events/legacy/10.interface.script
@@ -25,7 +25,8 @@ fi
get_all_interfaces ()
{
# Get all the interfaces listed in the public_addresses file
- all_interfaces=$(sed -e 's/^[^\t ]*[\t ]*//' \
+ all_interfaces=$(sed -e '/^#.*/d' \
+ -e 's/^[^\t ]*[\t ]*//' \
-e 's/,/ /g' \
-e 's/[\t ]*$//' "$ctdb_public_addresses")
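Review bot: the new sed expression '/^#.*/d' only drops comments that start in column 0. An indented line such as "  # foo" survives it, the next expression 's/^[^\t ]*[\t ]*//' then consumes only the leading whitespace (the first field is empty), and "#" and "foo" end up in all_interfaces as interface names. The shell-based filters in the functions and ctdb-stub hunks go through read, which strips leading IFS whitespace before the \#* case matches, so the two code paths disagree on indented comments. Either use '/^[[:space:]]*#/d' here or document in the public_addresses format that comments must start at column 0.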
diff --git a/ctdb/config/functions b/ctdb/config/functions
index 2395d8d4dc8..a4e73ad0594 100755
--- a/ctdb/config/functions
+++ b/ctdb/config/functions
@@ -611,6 +611,9 @@ drop_all_public_ips ()
# _x is intentionally ignored
# shellcheck disable=SC2034
while read _ip _x ; do
+ case "$_ip" in
+ \#*) continue ;;
+ esac
drop_ip "$_ip"
done <"${CTDB_BASE}/public_addresses"
}
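Review bot: the new case arm skips comment lines, but a blank line in public_addresses still reaches drop_ip with an empty argument, since read succeeds and leaves _ip empty; extending the arm to '' | \#*) continue ;; covers both without another pass over the file.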
diff --git a/ctdb/tests/UNIT/eventscripts/scripts/local.sh b/ctdb/tests/UNIT/eventscripts/scripts/local.sh
index 14017e95365..8d5c1eab612 100644
--- a/ctdb/tests/UNIT/eventscripts/scripts/local.sh
+++ b/ctdb/tests/UNIT/eventscripts/scripts/local.sh
@@ -281,6 +281,7 @@ setup_public_addresses ()
echo "Setting up public addresses in ${_f}"
cat >"$_f" <<EOF
+# This is a comment
10.0.0.1/24 dev123
10.0.0.2/24 dev123
10.0.0.3/24 dev123
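Review bot: the fixture only exercises a comment at column 0. Since 10.interface.script filters with sed while functions and the ctdb stub filter after read, an indented comment line and a trailing blank line in this heredoc would let the eventscript UNIT tests show whether the three paths agree on those inputs.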
diff --git a/ctdb/tests/UNIT/eventscripts/stubs/ctdb b/ctdb/tests/UNIT/eventscripts/stubs/ctdb
index 12627de16a5..fc7bd4fdd84 100755
--- a/ctdb/tests/UNIT/eventscripts/stubs/ctdb
+++ b/ctdb/tests/UNIT/eventscripts/stubs/ctdb
@@ -425,7 +425,7 @@ ctdb_ifaces()
# Assume -Y.
echo "|Name|LinkStatus|References|"
while read _ip _iface ; do
- case "_$ip" in
+ case "$_ip" in
\#*) : ;;
*)
_status=1
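Review bot: the old pattern "_$ip" expanded to a literal underscore followed by the (unset) variable ip, so the \#* arm could never match and every comment line in the stub's input was reported as an interface with _status=1; the corrected "$_ip" is right. Running the stub under set -u would have flagged the unset variable at the time; worth considering for the test stubs.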
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index 20ce86c708d..fff5b4e2a22 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -456,19 +456,20 @@ int smb_krb5_get_pw_salt(krb5_context context,
*
* @see smb_krb5_salt_principal2data
*/
-int smb_krb5_salt_principal(const char *realm,
+int smb_krb5_salt_principal(krb5_context krb5_ctx,
+ const char *realm,
const char *sAMAccountName,
const char *userPrincipalName,
uint32_t uac_flags,
- TALLOC_CTX *mem_ctx,
- char **_salt_principal)
+ krb5_principal *salt_princ)
{
TALLOC_CTX *frame = talloc_stackframe();
char *upper_realm = NULL;
const char *principal = NULL;
int principal_len = 0;
+ krb5_error_code krb5_ret;
- *_salt_principal = NULL;
+ *salt_princ = NULL;
if (sAMAccountName == NULL) {
TALLOC_FREE(frame);
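Review bot: the signature changes from returning a talloc'd string via mem_ctx to returning a krb5_principal via salt_princ, but the doc comment that ends just above the function (only its tail, "@see smb_krb5_salt_principal2data", is visible in this hunk) is not touched; check that its @param entries for mem_ctx and _salt_principal have been replaced by krb5_ctx and salt_princ and that it states the caller must release the result with krb5_free_principal(). The locals principal and principal_len remain declared at the top although the later hunk uses them only in the final else branch.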
@@ -512,7 +513,6 @@ int smb_krb5_salt_principal(const char *realm,
*/
if (uac_flags & UF_TRUST_ACCOUNT_MASK) {
int computer_len = 0;
- char *tmp = NULL;
computer_len = strlen(sAMAccountName);
if (sAMAccountName[computer_len-1] == '$') {
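Review bot: not introduced by this hunk, but visible in its context: computer_len = strlen(sAMAccountName) followed by sAMAccountName[computer_len-1] reads one byte before the buffer when sAMAccountName is the empty string, which the NULL check at the top of the function does not cover; guarding with computer_len > 0 && would close that off while the code is being reworked anyway.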
@@ -520,60 +520,186 @@ int smb_krb5_salt_principal(const char *realm,
}
if (uac_flags & UF_INTERDOMAIN_TRUST_ACCOUNT) {
- principal = talloc_asprintf(frame, "krbtgt/%*.*s",
- computer_len, computer_len,
- sAMAccountName);
- if (principal == NULL) {
+ const char *krbtgt = "krbtgt";
+ krb5_ret = krb5_build_principal_ext(krb5_ctx,
+ salt_princ,
+ strlen(upper_realm),
+ upper_realm,
+ strlen(krbtgt),
+ krbtgt,
+ computer_len,
+ sAMAccountName,
+ 0);
+ if (krb5_ret != 0) {
TALLOC_FREE(frame);
- return ENOMEM;
+ return krb5_ret;
}
} else {
-
- tmp = talloc_asprintf(frame, "host/%*.*s.%s",
- computer_len, computer_len,
- sAMAccountName, realm);
+ const char *host = "host";
+ char *tmp = NULL;
+ char *tmp_lower = NULL;
+
+ tmp = talloc_asprintf(frame, "%*.*s.%s",
+ computer_len,
+ computer_len,
+ sAMAccountName,
+ realm);
if (tmp == NULL) {
TALLOC_FREE(frame);
return ENOMEM;
}
- principal = strlower_talloc(frame, tmp);
- TALLOC_FREE(tmp);
- if (principal == NULL) {
+ tmp_lower = strlower_talloc(frame, tmp);
+ if (tmp_lower == NULL) {
TALLOC_FREE(frame);
return ENOMEM;
}
- }
- principal_len = strlen(principal);
+ krb5_ret = krb5_build_principal_ext(krb5_ctx,
+ salt_princ,
+ strlen(upper_realm),
+ upper_realm,
+ strlen(host),
+ host,
+ strlen(tmp_lower),
+ tmp_lower,
+ 0);
+ if (krb5_ret != 0) {
+ TALLOC_FREE(frame);
+ return krb5_ret;
+ }
+ }
} else if (userPrincipalName != NULL) {
- char *p;
+ /*
+ * We parse the name not only to allow an easy
+ * replacement of the realm (no matter the realm in
+ * the UPN, the salt comes from the upper-case real
+ * realm, but also to correctly provide a salt when
+ * the UPN is host/foo.bar
+ *
+ * This can fail for a UPN of the form foo at bar@REALM
+ * (which is accepted by windows) however.
+ */
+ krb5_ret = krb5_parse_name(krb5_ctx,
+ userPrincipalName,
+ salt_princ);
- principal = userPrincipalName;
- p = strchr(principal, '@');
- if (p != NULL) {
- principal_len = PTR_DIFF(p, principal);
- } else {
- principal_len = strlen(principal);
+ if (krb5_ret != 0) {
+ TALLOC_FREE(frame);
+ return krb5_ret;
+ }
+
+ /*
+ * No matter what realm (including none) in the UPN,
+ * the realm is replaced with our upper-case realm
+ */
+ krb5_ret = smb_krb5_principal_set_realm(krb5_ctx,
+ *salt_princ,
+ upper_realm);
+ if (krb5_ret != 0) {
+ krb5_free_principal(krb5_ctx, *salt_princ);
+ TALLOC_FREE(frame);
+ return krb5_ret;
}
} else {
principal = sAMAccountName;
principal_len = strlen(principal);
- }
- *_salt_principal = talloc_asprintf(mem_ctx, "%*.*s@%s",
- principal_len, principal_len,
- principal, upper_realm);
- if (*_salt_principal == NULL) {
- TALLOC_FREE(frame);
- return ENOMEM;
+ krb5_ret = krb5_build_principal_ext(krb5_ctx,
+ salt_princ,
+ strlen(upper_realm),
+ upper_realm,
+ principal_len,
+ principal,
+ 0);
+ if (krb5_ret != 0) {
+ TALLOC_FREE(frame);
+ return krb5_ret;
+ }
}
TALLOC_FREE(frame);
return 0;
}
+/**
+ * @brief This constructs the salt principal used by active directory
+ *
+ * Most Kerberos encryption types require a salt in order to
+ * calculate the long term private key for user/computer object
+ * based on a password.
+ *
+ * The returned _salt_principal is a string in forms like this:
+ * - host/somehost.example.com at EXAMPLE.COM
+ * - SomeAccount at EXAMPLE.COM
+ * - SomePrincipal at EXAMPLE.COM
+ *
+ * This is not the form that's used as salt, it's just
+ * the human readable form. It needs to be converted by
+ * smb_krb5_salt_principal2data().
+ *
+ * @param[in] realm The realm the user/computer is added too.
+ *
+ * @param[in] sAMAccountName The sAMAccountName attribute of the object.
+ *
+ * @param[in] userPrincipalName The userPrincipalName attribute of the object
+ * or NULL is not available.
+ *
+ * @param[in] uac_flags UF_ACCOUNT_TYPE_MASKed userAccountControl field
+ *
+ * @param[in] mem_ctx The TALLOC_CTX to allocate _salt_principal.
+ *
+ * @param[out] _salt_principal The resulting principal as string.
+ *
+ * @retval 0 Success; otherwise - Kerberos error codes
+ *
+ * @see smb_krb5_salt_principal2data
+ */
+int smb_krb5_salt_principal_str(const char *realm,
+ const char *sAMAccountName,
+ const char *userPrincipalName,
+ uint32_t uac_flags,
+ TALLOC_CTX *mem_ctx,
+ char **_salt_principal_str)
+{
+ krb5_principal salt_principal = NULL;
+ char *salt_principal_malloc;
+ krb5_context krb5_ctx;
+ krb5_error_code krb5_ret
+ = smb_krb5_init_context_common(&krb5_ctx);
+ if (krb5_ret != 0) {
+ DBG_ERR("kerberos init context failed (%s)\n",
+ error_message(krb5_ret));
+ return krb5_ret;
+ }
+
+ krb5_ret = smb_krb5_salt_principal(krb5_ctx,
+ realm,
+ sAMAccountName,
+ userPrincipalName,
+ uac_flags,
+ &salt_principal);
+
+ krb5_ret = krb5_unparse_name(krb5_ctx, salt_principal,
+ &salt_principal_malloc);
+ if (krb5_ret != 0) {
+ krb5_free_principal(krb5_ctx, salt_principal);
+ DBG_ERR("kerberos unparse of salt principal failed (%s)\n",
+ error_message(krb5_ret));
+ return krb5_ret;
+ }
+ krb5_free_principal(krb5_ctx, salt_principal);
+ *_salt_principal_str
+ = talloc_strdup(mem_ctx, salt_principal_malloc);
+ krb5_free_unparsed_name(krb5_ctx, salt_principal_malloc);
+
+ if (*_salt_principal_str == NULL) {
+ return ENOMEM;
+ }
+ return 0;
+}
+
/**
* @brief Converts the salt principal string into the salt data blob
*
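Review bot: in the new smb_krb5_salt_principal_str(), the return value of smb_krb5_salt_principal() is not checked before krb5_unparse_name() is called, so on any failure salt_principal is still NULL and is handed to krb5_unparse_name(); the commit "lib/krb5_wrap: Fix missing error check in new salt code" listed in this push looks like it addresses exactly that, but the hunk as shown lacks the check. Independently, the krb5_ctx obtained from smb_krb5_init_context_common() is never released with krb5_free_context() on any return path of that function, so each call leaks a context. In the userPrincipalName branch of smb_krb5_salt_principal(), after krb5_free_principal(krb5_ctx, *salt_princ) on the smb_krb5_principal_set_realm() failure path, set *salt_princ = NULL so a caller that frees unconditionally does not see a dangling pointer. Two doc nits: the parenthesis opened at "(no matter the realm in the UPN" in the UPN comment is never closed, and the copied doc block for smb_krb5_salt_principal_str() documents @param[out] _salt_principal while the parameter is named _salt_principal_str. The sAMAccountName change the commit title describes (accepting "@" in the name) comes from passing an explicit length to krb5_build_principal_ext() in the else branch; the UPN branch still goes through krb5_parse_name(), and the comment itself notes that a UPN of the form foo@bar@REALM is not handled, so a case for that in the new salt_tests.py would document the gap.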
diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h
index ca9a893e4f7..56a2a975278 100644
--- a/lib/krb5_wrap/krb5_samba.h
+++ b/lib/krb5_wrap/krb5_samba.h
@@ -350,12 +350,19 @@ krb5_error_code ms_suptypes_to_ietf_enctypes(TALLOC_CTX *mem_ctx,
int smb_krb5_get_pw_salt(krb5_context context,
krb5_const_principal host_princ,
krb5_data *psalt);
-int smb_krb5_salt_principal(const char *realm,
+int smb_krb5_salt_principal(krb5_context krb5_ctx,
+ const char *realm,
const char *sAMAccountName,
const char *userPrincipalName,
uint32_t uac_flags,
- TALLOC_CTX *mem_ctx,
- char **_salt_principal);
+ krb5_principal *salt_princ);
+
+int smb_krb5_salt_principal_str(const char *realm,
+ const char *sAMAccountName,
+ const char *userPrincipalName,
+ uint32_t uac_flags,
+ TALLOC_CTX *mem_ctx,
+ char **_salt_principal);
int smb_krb5_salt_principal2data(krb5_context context,
const char *salt_principal,
TALLOC_CTX *mem_ctx,
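Review bot: the last parameter of smb_krb5_salt_principal_str() is named _salt_principal here but _salt_principal_str in the definition; make them consistent. Since smb_krb5_salt_principal() now hands back a krb5_principal, a one-line comment in this public header saying the caller must free it with krb5_free_principal() would spare the next caller a leak.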
diff --git a/lib/ldb/ABI/ldb-2.0.5.sigs b/lib/ldb/ABI/ldb-2.3.1.sigs
similarity index 100%
copy from lib/ldb/ABI/ldb-2.0.5.sigs
copy to lib/ldb/ABI/ldb-2.3.1.sigs
diff --git a/lib/ldb/ABI/pyldb-util-2.1.0.sigs b/lib/ldb/ABI/pyldb-util-2.3.1.sigs
similarity index 100%
copy from lib/ldb/ABI/pyldb-util-2.1.0.sigs
copy to lib/ldb/ABI/pyldb-util-2.3.1.sigs
diff --git a/lib/ldb/pyldb.c b/lib/ldb/pyldb.c
index 443b677c2c4..d093daedf5c 100644
--- a/lib/ldb/pyldb.c
+++ b/lib/ldb/pyldb.c
@@ -182,6 +182,10 @@ static PyObject *py_ldb_control_get_critical(PyLdbControlObject *self,
--
Samba Shared Repository