[SCM] Samba Shared Repository - branch v4-13-stable updated
Jule Anger
janger at samba.org
Fri Oct 29 06:20:54 UTC 2021
The branch, v4-13-stable has been updated
via 88d73d0b4ee VERSION: Disable GIT_SNAPSHOT for the 4.13.13 release.
via 665022c7590 WHATSNEW: Add release notes for Samba 4.13.13.
via 74e65d7c06c ldb: Release ldb 2.2.1
via c532b425e73 pyldb: Make ldb.Message containment testing consistent with indexing
via 64c41d30986 pyldb: Add tests for ldb.Message containment testing
via 65f3e987675 pyldb: Raise TypeError for an invalid ldb.Message index
via 4ff0a23a04b pyldb: Add test for an invalid ldb.Message index type
via f45e89e4326 s4/torture/drs/python: Fix attribute existence check
via 4d1c5cc73b0 pyldb: Fix deleting an ldb.Control critical flag
via 5e9441d55f6 pytest:segfault: Add test for deleting an ldb.Control critical flag
via a2e0682d928 pyldb: Fix deleting an ldb.Message dn
via d2189833c7e pytest:segfault: Add test for deleting an ldb.Message dn
via c7c10298973 Fix Python docstrings
via 0c36416e319 pyldb: Avoid use-after-free in msg_diff()
via 400d04533ab ldb_msg: Don't fail in ldb_msg_copy() if source DN is NULL
via f47f0f9f459 pytest:segfault: Add test for ldb.msg_diff()
via 0cea7f53c01 lib/krb5_wrap: Fix missing error check in new salt code
via 274f16103f6 dsdb: Allow special chars like "@" in samAccountName when generating the salt
via ae6d74c9ef8 tests/krb5: Add tests for account salt calculation
via d3b491c3116 tests/krb5: Fix account salt calculation to match Windows
via a742af325f9 tests/krb5: Allow specifying the UPN for test accounts
via 3f376eeaa88 tests/krb5: Allow creating machine accounts without a trailing dollar
via a2a173d70ad tests/krb5: Allow specifying prefix or suffix for test account names
via 4056198f4c9 tests/krb5: Decrease length of test account prefix
via 89b9cb8b786 selftest/Samba3: replace (winbindd => "yes", skip_wait => 1) with (winbindd => "offline")
via 88f824aeb3f selftest/Samba3: remove unused close(USERMAP); calls
via c9e54bbe242 waf: Allow building with MIT KRB5 >= 1.20
via f01e4e19cf6 selftest: Improve error handling and perl style when setting up users in Samba4.pm
via 2bf0e4224f8 selftest: Remove duplicate setup of $base_dn and $ldbmodify
via 38ebe186f42 selftest: krb5 account creation: clarify account type as an enum
via 18bce6fc477 pytest: dynamic tests optionally add __doc__
via a64c25ff097 selftest: Increase account lockout windows to make test more reliable
via a203de48197 pytest/rodc_rwdc: try to avoid race.
via f7d6826afea HEIMDAL:kdc: Fix transit path validation CVE-2017-6594
via e9b12d2def9 tests/krb5: Add tests for constrained delegation to NO_AUTH_DATA_REQUIRED service
via 999208d3afa tests/krb5: Ensure PAC is not present if expect_pac is false
via 3eb78cd43b6 kdc: Correctly strip PAC, rather than error on UF_NO_AUTH_DATA_REQUIRED for servers
via 106dc4a0492 kdc: Remove UF_NO_AUTH_DATA_REQUIRED from client principals
via fa32948c1d1 tests/krb5: Add tests for requesting a service ticket without a PAC
via 473278c1301 tests/krb5: Add method to get the PAC from a ticket
via 033249c56e1 tests/krb5: Allow specifying whether to expect a PAC with _test_as_exchange()
via 33537398392 tests/krb5: Allow get_tgt() to request including or omitting a PAC
via 543478fe985 heimdal:kdc: Fix ticket signing without a PAC
via 4ff8af7d54d selftest/dbcheck: Fix up RODC one-way links (use correct dbcheck rule)
via cb044703b29 krb5: Fix PAC signature leak affecting KDC
via 5919475dc90 s4:kdc: Check ticket signature
via 9d3419c3068 heimdal: Make _krb5_pac_get_kdc_checksum_info() into a global function
via 6fbde548803 s4/heimdal/lib/krb5/pac.c: Align PAC buffers to match Windows
via e5ca4a51c80 kdc: correctly generate PAC TGS signature
via 61fb0ba82c6 kdc: use ticket client name when signing PAC
via 58bc0a4b7f1 kdc: only set HDB_F_GET_KRBTGT when requesting TGS principal
via 49bcbcbb4d6 krb5: return KRB5KRB_AP_ERR_INAPP_CKSUM if PAC checksum fails
via c73825d0b01 krb5: rework PAC validation loop
via c17bfba3001 krb5: allow NULL parameter to krb5_pac_free()
via 4114e57a371 kdc: sign ticket using Windows PAC
via ff31503bd41 kdc: remove KRB5SignedPath, to be replaced with PAC
via 6afc41b262e s4/torture: Expect ticket checksum PAC buffer
via 1486a8a04b0 s4:kdc: Fix debugging messages
via 8b363a630e5 s4:kdc: Simplify samba_kdc_update_pac_blob() to take ldb_context as parameter
via 0e53c4353a2 tests/krb5: Fix duplicate account creation
via f3c36a06998 tests/krb5: Allow bypassing cache when creating accounts
via 8b947965d4f tests/krb5: Don't include empty AD-IF-RELEVANT
via 2373c1ac1ef tests/krb5: Add constrained delegation tests
via 61ec92dc096 tests/krb5: Verify tickets obtained with get_service_ticket()
via 6a1549a4955 tests/krb5: Require ticket checksums if decryption key is available
via 91faad4ef6b tests/krb5: Add TKT_SIG_SUPPORT environment variable
via 518e990f496 selftest/dbcheck: Fix up RODC one-way links
via 1ca795a0cb9 tests/krb5: Fix sha1 checksum type
via 2c6b918ab92 tests/krb5: Provide clearer assertion messages for test failures
via d46f0d1793b tests/krb5: Disable debugging output for tests
via 90d58c72bd7 tests/krb5: Simplify padata checking
via b08fd85bcb2 tests/krb5: Check logon name in PAC
via 07ace448a5c tests/krb5: Check padata types when STRICT_CHECKING=0
via 54fb144fe9a tests/krb5: Add environment variable to specify KDC FAST support
via 8ee28d96b29 tests/krb5: Fix padata checking at functional level 2003
via d82e7716f48 tests/krb5: Clarify checksum type assertion message
via 07e242da411 tests/krb5: Use correct principal name type
via 5f72fd098f0 tests/krb5: Add compatability tests for ticket checksums
via 7f3d6f9d925 tests/krb5: Add parameter to enforce presence of ticket checksums
via b0f9a83846b tests/krb5: Supply supported account enctypes in tgs_req()
via 5bc46c831ef tests/krb5: Allow specifying options and expected flags when obtaining a ticket
via 129772e049d tests/krb5: Save account SPN
via e56da60d01b tests/krb5: Check constrained delegation PAC buffer
via cb49059ab46 tests/krb5: Check buffer types in PAC with STRICT_CHECKING=1
via 334361501a9 tests/krb5: Add expect_claims parameter to kdc_exchange_dict
via 86e97e83ce4 tests/krb5: Fix checking for presence of error data
via f1fad85fe18 tests/krb5: Remove unneeded parameters from ticket cache key
via 896eea26d35 tests/krb5: Fix assertElementFlags()
via 4f6e02bf1db tests/krb5: Make expected_sname checking more explicit
via 8a6c15b431c tests/krb5: Fix status code checking
via 0e33a8d82fe tests/krb5: Fix handling authdata with missing PAC
via e3cd9b3649f tests/krb5: Allow excluding the PAC server checksum
via 2052395dd89 tests/krb5: Fix checksum generation and verification
via d310714c221 tests/krb5: Fix method for creating invalid length zeroed checksum
via 91d385abffb tests/krb5: Introduce helper method for creating invalid length checksums
via 501d5e76a82 tests/krb5: Add assertion to make failures clearer
via 1506b1c29bb tests/krb5: Allow created accounts to use resource-based constrained delegation
via 39bba78a5d0 tests/krb5: Rename allowed_to_delegate_to parameter for clarity
via 528c950eff9 tests/krb5: Fix PA-PAC-OPTIONS checking
via 7ba4cad1a76 tests/krb5: Fix sending PA-PAC-OPTIONS and PA-PAC-REQUEST
via 82606cd6f31 tests/krb5: Allow for missing msDS-KeyVersionNumber attribute
via 5c1ab0b2697 tests/krb5: Remove unused parameter
via b047ed0c87d tests/krb5: Rename method parameter
via ab9034dd824 tests/krb5: Add classes for testing invalid checksums
via 0b5f8ac5b4d tests/krb5: Add method to determine if principal is krbtgt
via 279bb102fe8 tests/krb5: Verify checksums of tickets obtained from the KDC
via 65ff3ff171e tests/krb5: Add get_rodc_krbtgt_creds() to RawKerberosTest
via 74f90d6b1a6 tests/krb5: Simplify account creation
via dc44a5b6fdf tests/krb5: Provide ticket enc-part key to tgs_req()
via 5b2c7c0930d tests/krb5: Fix checking for presence of authorization data
via 466f694f2fd tests/krb5: Add method to get DC credentials
via 1e4e8d883b6 tests/krb5: Allow tgs_req() to check the returned ticket enc-part
via 6d3e996b480 tests/krb5: Set key version number for all accounts created with create_account()
via e238315bbdf tests/krb5: Correctly check PA-SUPPORTED-ENCTYPES
via 4c561dbb3ca tests/krb5: Get supported enctypes for credentials from database
via 68da62728d2 tests/krb5: Add methods to convert between enctypes and bitfields
via 74b4bcc2b98 tests/krb5: Make get_default_enctypes() return a set of enctype constants
via 3d1e55d0607 tests/krb5: Simplify adding authdata to ticket by using modified_ticket()
via bce8a8bd915 tests/krb5: Add method for modifying a ticket and creating PAC checksums
via 0eccbbc2748 tests/krb5: Add method to verify ticket PAC checksums
via 891195fa81e tests/krb5: Add RodcPacEncryptionKey type allowing for RODC PAC signatures
via 454a8a7e687 tests/krb5: Add methods for creating zeroed checksums and verifying checksums
via b1466890632 tests/krb5: Cache obtained tickets
via 3fdc427411c tests/krb5: Return encpart from get_tgt() as part of KerberosTicketCreds
via c6a2b7f196e tests/krb5: Move get_tgt() and get_service_ticket() to kdc_base_test
via a54629359b6 tests/krb5: Allow get_tgt() to specify expected and unexpected flags
via 1c05c3f7433 tests/krb5: Allow get_tgt() to specify different kdc-options
via 7446e1cd801 tests/krb5: Allow get_tgt() to get tickets from the RODC
via b619f4cb768 tests/krb5: Allow get_service_ticket() to get tickets from the RODC
via e380626903e tests/krb5: Set DN of created accounts to ldb.Dn type
via a8c139de2af tests/krb5: Don't manually create PAC request and options in fast_tests
via cb35919a14f tests/krb5: Use PAC buffer type constants from krb5pac.idl
via bb236fc2432 tests/krb5: Allow as_req() to specify different kdc-options
via e93ed34f928 tests/krb5: Allow tgs_req() to send requests to the RODC
via d97a975e92a tests/krb5: Allow tgs_req() to specify different kdc-options
via 2850771dfcb tests/krb5: Allow tgs_req() to send additional padata
via c106983b6fa tests/krb5: Refactor tgs_req() to use _generic_kdc_exchange
via 286d69daf8b tests/krb5: Check correct flags element
via b2f98011015 tests/krb5: Add helper method for modifying PACs
via 3f2c977d478 python/join: Check for correct msDS-KrbTgtLink attribute
via 4b9b3e92256 python: Don't leak file handles
via b68eae6687b tests/krb5: Allow replicating accounts to the created RODC
via 8c7d0544035 tests/krb5: Create RODC account for testing
via c7491a9e760 tests/krb5: Allow replicating accounts to the RODC
via 329fcc65aa6 tests/krb5: Add get_secrets() method to get the secret attributes of a DN
via 9b151de2653 tests/krb5: Add method to get RODC krbtgt credentials
via 7d6ad51b20c tests/krb5: Sign-extend kvno from 32-bit integer
via c2cbe6e9aab tests/krb5: Generate padata for FAST tests
via 860f7704650 tests/krb5: Add get_cached_creds() method to create persistent accounts for testing
via 9926198bce0 tests/krb5: Get encpart decryption key from kdc_exchange_dict
via ac14815f849 tests/krb5: Get expected cname from TGT for TGS-REQ messages
via 36f8c7080a7 tests/krb5: Allow specifying status code to be checked
via a57391cf431 tests/krb5: Create testing accounts in appropriate containers
via 26b6b6e630b tests/krb5: Check for presence of 'key-expiration' element
via 39541dfa2d0 tests/krb5: Check 'caddr' element
via eef81ead620 tests/krb5: Check for presence of 'renew-till' element
via 829de7f89a7 tests/krb5: Allow Kerberos requests to be sent to DC or RODC
via 9bd79bfe7a8 tests/krb5: Make time assertion less strict
via af38bdc0569 tests/krb5: Allow specifying ticket flags expected to be set or reset
via f86766afd92 tests/krb5: Remove magic constants
via e4c5a3ea34f tests/krb5: Don't create PAC request or options manually in fast_tests
via 36eb76b6c2f tests/krb5: Don't create PAC request manually in as_req_tests
via 99702d5d7db tests/krb5: add options to kdc_exchange_dict to specify including PAC-REQUEST or PAC-OPTIONS
via dcde84d9268 tests/krb5: Move padata generation methods to base class
via 1837ddb3481 tests/krb5: Keep track of account DN in credentials object
via a2d8713c55c tests/krb5: Allow specifying additional User Account Control flags for account
via 9b75a279c03 tests/krb5: Allow specifying an OU to create accounts in
via 4892fa1315f tests/krb5: Replace expected_cname_private with expected_anon parameter
via c978fcdf535 tests/krb5: Use more compact dict lookup
via 735d514ec11 tests/krb5: Add KDCOptions flag for constrained delegation
via 20df014fb13 tests/krb5: Use signed integers to represent key version numbers in ASN.1
via a91f36d7bc4 tests/krb5: Add methods to obtain the length of checksum types
via efb8340f41f tests/krb5: Calculate expected salt if not given explicitly
via d5572676f51 security.idl: Add well-known SIDs for FAST
via 0d0d609dc07 krb5pac.idl: Add ticket checksum PAC buffer type
via 6882fb5c3e6 autobuild: allow AUTOBUILD_FAIL_IMMEDIATELY=0 (say from a gitlab variable)
via d4872f50bc4 python/join: use the provided krbtgt link in cleanup_old_accounts
via 283a128129f python: Move dsdb_Dn to samdb
via beaae4c5d67 wscript: fix installing pre-commit with 'git worktree'
via 3ba31fd4de8 script/bisect-test.py: add support git worktree
via 0e62cfec458 wafsamba: add support git worktree to vcs_dir_contents()
via 2b97c11bca6 VERSION: Bump version up to Samba 4.13.13...
from aa756f3f9fc VERSION: Disable GIT_SNAPSHOT for the 4.13.12 release.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-stable
- Log -----------------------------------------------------------------
-----------------------------------------------------------------------
Summary of changes:
VERSION | 2 +-
WHATSNEW.txt | 101 +-
auth/credentials/credentials_krb5.c | 12 +-
buildtools/wafsamba/samba_dist.py | 2 +-
lib/krb5_wrap/krb5_samba.c | 192 ++-
lib/krb5_wrap/krb5_samba.h | 13 +-
lib/ldb/ABI/{ldb-2.0.5.sigs => ldb-2.2.2.sigs} | 0
...pyldb-util-2.1.0.sigs => pyldb-util-2.2.2.sigs} | 0
lib/ldb/common/ldb_msg.c | 6 +-
lib/ldb/pyldb.c | 69 +-
lib/ldb/tests/python/api.py | 29 +
lib/ldb/wscript | 2 +-
lib/tdb/pytdb.c | 2 +-
lib/tevent/pytevent.c | 2 +-
librpc/idl/krb5pac.idl | 7 +-
librpc/idl/security.idl | 3 +
python/samba/__init__.py | 12 +-
python/samba/common.py | 79 --
python/samba/dbchecker.py | 2 +-
python/samba/join.py | 7 +-
python/samba/kcc/kcc_utils.py | 2 +-
python/samba/kcc/ldif_import_export.py | 3 +-
python/samba/ms_schema.py | 6 +-
python/samba/samdb.py | 75 +
python/samba/schema.py | 9 +-
python/samba/tests/__init__.py | 3 +-
python/samba/tests/common.py | 4 +-
.../samba/tests/krb5/as_canonicalization_tests.py | 11 +-
python/samba/tests/krb5/as_req_tests.py | 57 +-
python/samba/tests/krb5/compatability_tests.py | 48 +-
python/samba/tests/krb5/fast_tests.py | 476 ++-----
python/samba/tests/krb5/kcrypto.py | 28 +-
python/samba/tests/krb5/kdc_base_test.py | 1099 +++++++++++++--
python/samba/tests/krb5/kdc_tests.py | 4 +-
python/samba/tests/krb5/kdc_tgs_tests.py | 137 +-
.../krb5/ms_kile_client_principal_lookup_tests.py | 93 +-
python/samba/tests/krb5/raw_testcase.py | 1461 +++++++++++++++-----
python/samba/tests/krb5/rfc4120.asn1 | 3 +-
python/samba/tests/krb5/rfc4120_constants.py | 11 +
python/samba/tests/krb5/rfc4120_pyasn1.py | 3 +-
python/samba/tests/krb5/rodc_tests.py | 73 +
python/samba/tests/krb5/s4u_tests.py | 1074 +++++++++++++-
python/samba/tests/krb5/salt_tests.py | 327 +++++
python/samba/tests/krb5/simple_tests.py | 4 +-
python/samba/tests/krb5/test_ccache.py | 15 +-
python/samba/tests/krb5/test_ldap.py | 4 +-
python/samba/tests/krb5/test_rpc.py | 4 +-
python/samba/tests/krb5/test_smb.py | 4 +-
python/samba/tests/krb5/xrealm_tests.py | 4 +-
python/samba/tests/segfault.py | 23 +
python/samba/tests/usage.py | 2 +
script/autobuild.py | 9 +-
script/bisect-test.py | 2 +-
selftest/knownfail.d/kdc-salt | 1 +
selftest/knownfail.d/python-segfaults | 2 +
selftest/knownfail_heimdal_kdc | 134 ++
selftest/knownfail_mit_kdc | 53 +
selftest/target/Samba3.pm | 16 +-
selftest/target/Samba4.pm | 76 +-
source3/passdb/machine_account_secrets.c | 10 +-
source4/dsdb/samdb/ldb_modules/password_hash.c | 23 +-
source4/dsdb/tests/python/rodc_rwdc.py | 8 +-
source4/heimdal/kdc/kerberos5.c | 147 +-
source4/heimdal/kdc/krb5tgs.c | 665 +++------
source4/heimdal/kdc/windc.c | 15 +-
source4/heimdal/kdc/windc_plugin.h | 5 +-
source4/heimdal/lib/asn1/krb5.asn1 | 21 -
source4/heimdal/lib/krb5/authdata.c | 124 ++
source4/heimdal/lib/krb5/pac.c | 484 ++++++-
source4/heimdal/lib/krb5/version-script.map | 5 +
source4/heimdal_build/wscript_build | 2 +-
source4/kdc/mit_samba.c | 14 +-
source4/kdc/pac-glue.c | 10 +-
source4/kdc/pac-glue.h | 3 +-
source4/kdc/wdc-samba4.c | 356 +++--
source4/kdc/wscript_build | 1 +
source4/librpc/ndr/py_security.c | 2 +-
source4/selftest/tests.py | 86 +-
source4/torture/drs/python/repl_rodc.py | 2 +-
source4/torture/drs/python/replica_sync.py | 2 +-
source4/torture/rpc/remote_pac.c | 14 +-
testprogs/blackbox/dbcheck.sh | 2 +-
wscript | 20 +-
83 files changed, 5971 insertions(+), 1952 deletions(-)
copy lib/ldb/ABI/{ldb-2.0.5.sigs => ldb-2.2.2.sigs} (100%)
copy lib/ldb/ABI/{pyldb-util-2.1.0.sigs => pyldb-util-2.2.2.sigs} (100%)
create mode 100755 python/samba/tests/krb5/rodc_tests.py
create mode 100755 python/samba/tests/krb5/salt_tests.py
create mode 100644 selftest/knownfail.d/kdc-salt
create mode 100644 source4/heimdal/lib/krb5/authdata.c
Changeset truncated at 500 lines:
diff --git a/VERSION b/VERSION
index a1632f2e7b1..db0ba8a33b0 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
########################################################
SAMBA_VERSION_MAJOR=4
SAMBA_VERSION_MINOR=13
-SAMBA_VERSION_RELEASE=12
+SAMBA_VERSION_RELEASE=13
########################################################
# If a official release has a serious bug #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 820185349ef..575ae48705f 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,101 @@
+ ===============================
+ Release Notes for Samba 4.13.13
+ October 29, 2021
+ ===============================
+
+
+This is the latest stable release of the Samba 4.13 release series.
+
+
+Changes since 4.13.12
+---------------------
+
+o Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
+ * BUG 14868: rodc_rwdc test flaps.
+ * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.
+
+o Andrew Bartlett <abartlet at samba.org>
+ * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
+ bit' S4U2Proxy Constrained Delegation bypass in Samba with
+ embedded Heimdal.
+ * BUG 14836: Python ldb.msg_diff() memory handling failure.
+ * BUG 14845: "in" operator on ldb.Message is case sensitive.
+ * BUG 14848: Release LDB 2.3.1 for Samba 4.14.9.
+ * BUG 14871: Fix Samba support for UF_NO_AUTH_DATA_REQUIRED.
+ * BUG 14874: Allow special chars like "@" in samAccountName when generating
+ the salt.
+ * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.
+
+o Isaac Boukris <iboukris at gmail.com>
+ * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
+ bit' S4U2Proxy Constrained Delegation bypass in Samba with
+ embedded Heimdal.
+ * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.
+
+o Viktor Dukhovni <viktor at twosigma.com>
+ * BUG 12998: Fix transit path validation.
+ * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.
+
+o Luke Howard <lukeh at padl.com>
+ * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
+ bit' S4U2Proxy Constrained Delegation bypass in Samba with
+ embedded Heimdal.
+ * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.
+
+o Stefan Metzmacher <metze at samba.org>
+ * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.
+
+o David Mulder <dmulder at suse.com>
+ * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.
+
+o Andreas Schneider <asn at samba.org>
+ * BUG 14870: Prepare to operate with MIT krb5 >= 1.20.
+ * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.
+
+o Joseph Sutton <josephsutton at catalyst.net.nz>
+ * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
+ bit' S4U2Proxy Constrained Delegation bypass in Samba with
+ embedded Heimdal.
+ * BUG 14645: rpcclient NetFileEnum and net rpc file both cause lock order
+ violation: brlock.tdb, share_entries.tdb.
+ * BUG 14836: Python ldb.msg_diff() memory handling failure.
+ * BUG 14845: "in" operator on ldb.Message is case sensitive.
+ * BUG 14848: Release LDB 2.3.1 for Samba 4.14.9.
+ * BUG 14868: rodc_rwdc test flaps.
+ * BUG 14871: Fix Samba support for UF_NO_AUTH_DATA_REQUIRED.
+ * BUG 14874: Allow special chars like "@" in samAccountName when generating
+ the salt.
+ * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.
+
+o Nicolas Williams <nico at twosigma.com>
+ * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
+ bit' S4U2Proxy Constrained Delegation bypass in Samba with
+ embedded Heimdal.
+ * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
===============================
Release Notes for Samba 4.13.12
September 22, 2021
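Review bot: the two entries "BUG 14848: Release LDB 2.3.1 for Samba 4.14.9" (under Andrew Bartlett and under Joseph Sutton) do not describe this release: the commit list above says "ldb: Release ldb 2.2.1" and the ABI files added are ldb-2.2.2.sigs / pyldb-util-2.2.2.sigs, so the note should name the ldb version actually shipped with 4.13.13 and the three version strings should be reconciled before the notes are published. Also, none of the commit subjects above mention "BUG 14645: rpcclient NetFileEnum and net rpc file both cause lock order violation"; confirm that this bug really belongs in the 4.13.13 changes rather than being carried over from another branch's notes.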
@@ -72,8 +170,7 @@ database (https://bugzilla.samba.org/).
======================================================================
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
===============================
diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
index 20e677e521a..61e55f7032d 100644
--- a/auth/credentials/credentials_krb5.c
+++ b/auth/credentials/credentials_krb5.c
@@ -1199,12 +1199,12 @@ _PUBLIC_ int cli_credentials_get_keytab(struct cli_credentials *cred,
break;
}
- ret = smb_krb5_salt_principal(realm,
- username, /* sAMAccountName */
- upn, /* userPrincipalName */
- uac_flags,
- mem_ctx,
- &salt_principal);
+ ret = smb_krb5_salt_principal_str(realm,
+ username, /* sAMAccountName */
+ upn, /* userPrincipalName */
+ uac_flags,
+ mem_ctx,
+ &salt_principal);
if (ret) {
talloc_free(mem_ctx);
return ret;
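Review bot: the call site keeps the old `if (ret)` handling, but the replacement `smb_krb5_salt_principal_str` now propagates krb5_error_code values from krb5_init/krb5_parse_name/krb5_unparse_name (plus ENOMEM) rather than only errno-style values, and it creates and initialises its own krb5_context on every call. If cli_credentials_get_keytab already holds a krb5 context, calling `smb_krb5_salt_principal` directly with it and unparsing locally would avoid a second context per keytab build; otherwise a short comment here noting the error-code domain would help callers that inspect `ret`.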
diff --git a/buildtools/wafsamba/samba_dist.py b/buildtools/wafsamba/samba_dist.py
index c211a94d3db..0218cad6271 100644
--- a/buildtools/wafsamba/samba_dist.py
+++ b/buildtools/wafsamba/samba_dist.py
@@ -109,7 +109,7 @@ def vcs_dir_contents(path):
"""
repo = path
while repo != "/":
- if os.path.isdir(os.path.join(repo, ".git")):
+ if os.path.exists(os.path.join(repo, ".git")):
ls_files_cmd = [ 'git', 'ls-files', '--full-name',
os.path.relpath(path, repo) ]
cwd = None
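Review bot: switching from `os.path.isdir` to `os.path.exists` is what makes `git worktree` checkouts work (there `.git` is a gitfile pointing at the main repository), but it also makes an empty or stale `.git` file satisfy the check, after which `git ls-files` fails instead of the loop walking further up. Make sure the return code of the `ls_files_cmd` invocation is surfaced as an error rather than silently producing an empty distribution file list.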
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index 20ce86c708d..fff5b4e2a22 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -456,19 +456,20 @@ int smb_krb5_get_pw_salt(krb5_context context,
*
* @see smb_krb5_salt_principal2data
*/
-int smb_krb5_salt_principal(const char *realm,
+int smb_krb5_salt_principal(krb5_context krb5_ctx,
+ const char *realm,
const char *sAMAccountName,
const char *userPrincipalName,
uint32_t uac_flags,
- TALLOC_CTX *mem_ctx,
- char **_salt_principal)
+ krb5_principal *salt_princ)
{
TALLOC_CTX *frame = talloc_stackframe();
char *upper_realm = NULL;
const char *principal = NULL;
int principal_len = 0;
+ krb5_error_code krb5_ret;
- *_salt_principal = NULL;
+ *salt_princ = NULL;
if (sAMAccountName == NULL) {
TALLOC_FREE(frame);
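Review bot: the doc comment that this signature sits under (the block ending with `@see smb_krb5_salt_principal2data`) needs updating for the new contract: the function now takes a `krb5_context`, returns a `krb5_principal` through `salt_princ` instead of a talloc'd string on `mem_ctx`, and its non-zero returns are now krb5 error codes as well as ENOMEM. The `@param[in] mem_ctx` / `@param[out] _salt_principal` / `@retval` entries should describe `krb5_ctx` and `salt_princ`, and state that the caller must release the principal with `krb5_free_principal`.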
@@ -512,7 +513,6 @@ int smb_krb5_salt_principal(const char *realm,
*/
if (uac_flags & UF_TRUST_ACCOUNT_MASK) {
int computer_len = 0;
- char *tmp = NULL;
computer_len = strlen(sAMAccountName);
if (sAMAccountName[computer_len-1] == '$') {
@@ -520,60 +520,186 @@ int smb_krb5_salt_principal(const char *realm,
}
if (uac_flags & UF_INTERDOMAIN_TRUST_ACCOUNT) {
- principal = talloc_asprintf(frame, "krbtgt/%*.*s",
- computer_len, computer_len,
- sAMAccountName);
- if (principal == NULL) {
+ const char *krbtgt = "krbtgt";
+ krb5_ret = krb5_build_principal_ext(krb5_ctx,
+ salt_princ,
+ strlen(upper_realm),
+ upper_realm,
+ strlen(krbtgt),
+ krbtgt,
+ computer_len,
+ sAMAccountName,
+ 0);
+ if (krb5_ret != 0) {
TALLOC_FREE(frame);
- return ENOMEM;
+ return krb5_ret;
}
} else {
-
- tmp = talloc_asprintf(frame, "host/%*.*s.%s",
- computer_len, computer_len,
- sAMAccountName, realm);
+ const char *host = "host";
+ char *tmp = NULL;
+ char *tmp_lower = NULL;
+
+ tmp = talloc_asprintf(frame, "%*.*s.%s",
+ computer_len,
+ computer_len,
+ sAMAccountName,
+ realm);
if (tmp == NULL) {
TALLOC_FREE(frame);
return ENOMEM;
}
- principal = strlower_talloc(frame, tmp);
- TALLOC_FREE(tmp);
- if (principal == NULL) {
+ tmp_lower = strlower_talloc(frame, tmp);
+ if (tmp_lower == NULL) {
TALLOC_FREE(frame);
return ENOMEM;
}
- }
- principal_len = strlen(principal);
+ krb5_ret = krb5_build_principal_ext(krb5_ctx,
+ salt_princ,
+ strlen(upper_realm),
+ upper_realm,
+ strlen(host),
+ host,
+ strlen(tmp_lower),
+ tmp_lower,
+ 0);
+ if (krb5_ret != 0) {
+ TALLOC_FREE(frame);
+ return krb5_ret;
+ }
+ }
} else if (userPrincipalName != NULL) {
- char *p;
+ /*
+ * We parse the name not only to allow an easy
+ * replacement of the realm (no matter the realm in
+ * the UPN, the salt comes from the upper-case real
+ * realm, but also to correctly provide a salt when
+ * the UPN is host/foo.bar
+ *
+ * This can fail for a UPN of the form foo at bar@REALM
+ * (which is accepted by windows) however.
+ */
+ krb5_ret = krb5_parse_name(krb5_ctx,
+ userPrincipalName,
+ salt_princ);
- principal = userPrincipalName;
- p = strchr(principal, '@');
- if (p != NULL) {
- principal_len = PTR_DIFF(p, principal);
- } else {
- principal_len = strlen(principal);
+ if (krb5_ret != 0) {
+ TALLOC_FREE(frame);
+ return krb5_ret;
+ }
+
+ /*
+ * No matter what realm (including none) in the UPN,
+ * the realm is replaced with our upper-case realm
+ */
+ krb5_ret = smb_krb5_principal_set_realm(krb5_ctx,
+ *salt_princ,
+ upper_realm);
+ if (krb5_ret != 0) {
+ krb5_free_principal(krb5_ctx, *salt_princ);
+ TALLOC_FREE(frame);
+ return krb5_ret;
}
} else {
principal = sAMAccountName;
principal_len = strlen(principal);
- }
- *_salt_principal = talloc_asprintf(mem_ctx, "%*.*s@%s",
- principal_len, principal_len,
- principal, upper_realm);
- if (*_salt_principal == NULL) {
- TALLOC_FREE(frame);
- return ENOMEM;
+ krb5_ret = krb5_build_principal_ext(krb5_ctx,
+ salt_princ,
+ strlen(upper_realm),
+ upper_realm,
+ principal_len,
+ principal,
+ 0);
+ if (krb5_ret != 0) {
+ TALLOC_FREE(frame);
+ return krb5_ret;
+ }
}
TALLOC_FREE(frame);
return 0;
}
+/**
+ * @brief This constructs the salt principal used by active directory
+ *
+ * Most Kerberos encryption types require a salt in order to
+ * calculate the long term private key for user/computer object
+ * based on a password.
+ *
+ * The returned _salt_principal is a string in forms like this:
+ * - host/somehost.example.com at EXAMPLE.COM
+ * - SomeAccount at EXAMPLE.COM
+ * - SomePrincipal at EXAMPLE.COM
+ *
+ * This is not the form that's used as salt, it's just
+ * the human readable form. It needs to be converted by
+ * smb_krb5_salt_principal2data().
+ *
+ * @param[in] realm The realm the user/computer is added too.
+ *
+ * @param[in] sAMAccountName The sAMAccountName attribute of the object.
+ *
+ * @param[in] userPrincipalName The userPrincipalName attribute of the object
+ * or NULL is not available.
+ *
+ * @param[in] uac_flags UF_ACCOUNT_TYPE_MASKed userAccountControl field
+ *
+ * @param[in] mem_ctx The TALLOC_CTX to allocate _salt_principal.
+ *
+ * @param[out] _salt_principal The resulting principal as string.
+ *
+ * @retval 0 Success; otherwise - Kerberos error codes
+ *
+ * @see smb_krb5_salt_principal2data
+ */
+int smb_krb5_salt_principal_str(const char *realm,
+ const char *sAMAccountName,
+ const char *userPrincipalName,
+ uint32_t uac_flags,
+ TALLOC_CTX *mem_ctx,
+ char **_salt_principal_str)
+{
+ krb5_principal salt_principal = NULL;
+ char *salt_principal_malloc;
+ krb5_context krb5_ctx;
+ krb5_error_code krb5_ret
+ = smb_krb5_init_context_common(&krb5_ctx);
+ if (krb5_ret != 0) {
+ DBG_ERR("kerberos init context failed (%s)\n",
+ error_message(krb5_ret));
+ return krb5_ret;
+ }
+
+ krb5_ret = smb_krb5_salt_principal(krb5_ctx,
+ realm,
+ sAMAccountName,
+ userPrincipalName,
+ uac_flags,
+ &salt_principal);
+
+ krb5_ret = krb5_unparse_name(krb5_ctx, salt_principal,
+ &salt_principal_malloc);
+ if (krb5_ret != 0) {
+ krb5_free_principal(krb5_ctx, salt_principal);
+ DBG_ERR("kerberos unparse of salt principal failed (%s)\n",
+ error_message(krb5_ret));
+ return krb5_ret;
+ }
+ krb5_free_principal(krb5_ctx, salt_principal);
+ *_salt_principal_str
+ = talloc_strdup(mem_ctx, salt_principal_malloc);
+ krb5_free_unparsed_name(krb5_ctx, salt_principal_malloc);
+
+ if (*_salt_principal_str == NULL) {
+ return ENOMEM;
+ }
+ return 0;
+}
+
/**
* @brief Converts the salt principal string into the salt data blob
*
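Review bot: in `smb_krb5_salt_principal_str` the return value of `smb_krb5_salt_principal` is stored in `krb5_ret` but never checked before `krb5_unparse_name(krb5_ctx, salt_principal, ...)` is called; since the callee sets `*salt_princ = NULL` first, a failure there hands a NULL principal to krb5_unparse_name. Add `if (krb5_ret != 0) { krb5_free_context(krb5_ctx); return krb5_ret; }` directly after the call. Related: the context obtained from `smb_krb5_init_context_common` is never released on any path of the wrapper (there is no `krb5_free_context` in this hunk), so every call leaks a krb5_context. In the UPN branch of `smb_krb5_salt_principal`, the `smb_krb5_principal_set_realm` failure path frees `*salt_princ` but does not reset it to NULL, unlike every other error path in the function, so the caller is left with a dangling out-parameter. Finally, the new doc block for `_str` still names the output `_salt_principal` although the parameter is `_salt_principal_str`, and "added too" / "or NULL is not available" should read "added to" / "or NULL if not available".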
diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h
index ca9a893e4f7..56a2a975278 100644
--- a/lib/krb5_wrap/krb5_samba.h
+++ b/lib/krb5_wrap/krb5_samba.h
@@ -350,12 +350,19 @@ krb5_error_code ms_suptypes_to_ietf_enctypes(TALLOC_CTX *mem_ctx,
int smb_krb5_get_pw_salt(krb5_context context,
krb5_const_principal host_princ,
krb5_data *psalt);
-int smb_krb5_salt_principal(const char *realm,
+int smb_krb5_salt_principal(krb5_context krb5_ctx,
+ const char *realm,
const char *sAMAccountName,
const char *userPrincipalName,
uint32_t uac_flags,
- TALLOC_CTX *mem_ctx,
- char **_salt_principal);
+ krb5_principal *salt_princ);
+
+int smb_krb5_salt_principal_str(const char *realm,
+ const char *sAMAccountName,
+ const char *userPrincipalName,
+ uint32_t uac_flags,
+ TALLOC_CTX *mem_ctx,
+ char **_salt_principal);
int smb_krb5_salt_principal2data(krb5_context context,
const char *salt_principal,
TALLOC_CTX *mem_ctx,
diff --git a/lib/ldb/ABI/ldb-2.0.5.sigs b/lib/ldb/ABI/ldb-2.2.2.sigs
similarity index 100%
copy from lib/ldb/ABI/ldb-2.0.5.sigs
copy to lib/ldb/ABI/ldb-2.2.2.sigs
diff --git a/lib/ldb/ABI/pyldb-util-2.1.0.sigs b/lib/ldb/ABI/pyldb-util-2.2.2.sigs
similarity index 100%
copy from lib/ldb/ABI/pyldb-util-2.1.0.sigs
copy to lib/ldb/ABI/pyldb-util-2.2.2.sigs
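Review bot: the ABI signature files are added as ldb-2.2.2.sigs and pyldb-util-2.2.2.sigs, while the commit in this push is titled "ldb: Release ldb 2.2.1" and the release notes refer to "LDB 2.3.1"; either the commit subject or the version in lib/ldb/wscript is wrong, and the ABI check will only pass if the filename matches the version wscript declares. Confirm which is intended before tagging.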
diff --git a/lib/ldb/common/ldb_msg.c b/lib/ldb/common/ldb_msg.c
index 2346e66ec39..7131f013f71 100644
--- a/lib/ldb/common/ldb_msg.c
+++ b/lib/ldb/common/ldb_msg.c
@@ -876,8 +876,10 @@ struct ldb_message *ldb_msg_copy(TALLOC_CTX *mem_ctx,
msg2 = ldb_msg_copy_shallow(mem_ctx, msg);
if (msg2 == NULL) return NULL;
- msg2->dn = ldb_dn_copy(msg2, msg2->dn);
- if (msg2->dn == NULL) goto failed;
+ if (msg2->dn != NULL) {
+ msg2->dn = ldb_dn_copy(msg2, msg2->dn);
+ if (msg2->dn == NULL) goto failed;
+ }
for (i=0;i<msg2->num_elements;i++) {
struct ldb_message_element *el = &msg2->elements[i];
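Review bot: accepting a NULL `dn` here is a behaviour change worth documenting in the function's header comment, since `ldb_msg_copy()` previously guaranteed a non-NULL `dn` on success and callers downstream may still dereference `msg2->dn` unconditionally. A one-line note that a NULL source DN is now copied through as NULL would make the contract explicit.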
diff --git a/lib/ldb/pyldb.c b/lib/ldb/pyldb.c
index 813cdb0870e..d093daedf5c 100644
--- a/lib/ldb/pyldb.c
+++ b/lib/ldb/pyldb.c
@@ -182,6 +182,10 @@ static PyObject *py_ldb_control_get_critical(PyLdbControlObject *self,
static int py_ldb_control_set_critical(PyLdbControlObject *self, PyObject *value, void *closure)
{
+ if (value == NULL) {
+ PyErr_SetString(PyExc_AttributeError, "cannot delete critical flag");
+ return -1;
+ }
if (PyObject_IsTrue(value)) {
self->data->critical = true;
} else {
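Review bot: the NULL check correctly turns `del ctrl.critical` into an AttributeError instead of a NULL dereference. While touching this setter, the `if (PyObject_IsTrue(value))` line below it should also handle the -1 error return: as written, a value whose truth test raises leaves the exception set while the setter returns success and stores `critical = true`. Suggest `int is_true = PyObject_IsTrue(value); if (is_true == -1) return -1;`.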
@@ -839,7 +843,7 @@ static PyMethodDef py_ldb_dn_methods[] = {
"S.get_component_value(num) -> string\n"
"get the attribute value of the specified component as a binary string" },
{ "set_component", (PyCFunction)py_ldb_dn_set_component, METH_VARARGS,
- "S.get_component_value(num, name, value) -> None\n"
+ "S.set_component(num, name, value) -> None\n"
"set the attribute name and value of the specified component" },
{ "get_rdn_name", (PyCFunction)py_ldb_dn_get_rdn_name, METH_NOARGS,
"S.get_rdn_name() -> string\n"
@@ -1804,6 +1808,7 @@ static PyObject *py_ldb_msg_diff(PyLdbObject *self, PyObject *args)
struct ldb_message *diff;
struct ldb_context *ldb;
PyObject *py_ret;
+ TALLOC_CTX *mem_ctx = NULL;
if (!PyArg_ParseTuple(args, "OO", &py_msg_old, &py_msg_new))
--
Samba Shared Repository