[SCM] Samba Shared Repository - branch v4-17-stable updated
Jule Anger
janger at samba.org
Thu Dec 15 16:32:26 UTC 2022
The branch, v4-17-stable has been updated
via ab48448c650 VERSION: Disable GIT_SNAPSHOT for the 4.17.4 release.
via f676c903ad5 WHATSNEW: Add release notes for Samba 4.17.4.
via 1c7d60ee090 s4:libnet: correctly handle gnutls_pbkdf2() errors
via 77fb5b47621 s4:libnet: fix error string for failing samr_ChangePasswordUser4()
via 5048d63c92e CVE-2022-37966 python:/tests/krb5: call sys.path.insert(0, "bin/python") before any other imports
via 701c98858c9 CVE-2022-37966 samba-tool: add 'domain trust modify' command
via dd4832f10a7 CVE-2022-37966 s4:kdc: apply restrictions of "kdc supported enctypes"
via 17db57685f6 CVE-2022-37966 param: Add support for new option "kdc supported enctypes"
via 428aa9b001d CVE-2022-37966 param: let "kdc default domain supportedenctypes = 0" mean the default
via 91be2dbb305 CVE-2022-37966 param: don't explicitly initialize "kdc force enable rc4 weak session keys" to false/"no"
via 2d1f56c67e6 CVE-2022-37966 s4:kdc: announce PA-SUPPORTED-ETYPES like windows.
via 82739352398 CVE-2022-37966 python:tests/krb5: test much more etype combinations
via c642bd9f2e9 CVE-2022-37966 python:tests/krb5: add better PADATA_SUPPORTED_ETYPES assert message
via afc05bec7ec CVE-2022-37966 python:tests/krb5: add 'force_nt4_hash' for account creation of KDCBaseTest
via d1b65794c8c CVE-2022-37966 python:tests/krb5: ignore empty supplementalCredentials attributes
via 0f63356c8bb CVE-2022-37966 python:tests/krb5: allow ticket/supported_etypes to be passed KdcTgsBaseTests._{as,tgs}_req()
via 6a4531ad9fb CVE-2022-37966 python:tests/krb5: fix some tests running against Windows 2022
via bf633c58114 CVE-2022-37966 s4:libnet: allow python bindings to force setting an nthash via SAMR level 18
via 9c106afa804 CVE-2022-37966 s4:libnet: add support for LIBNET_SET_PASSWORD_SAMR_HANDLE_18 to set nthash only
via bf27c7ba92e CVE-2022-37966 s4:libnet: initialize libnet_SetPassword() arguments explicitly to zero by default.
via d7efa582a41 CVE-2022-37966 drsuapi.idl: add trustedDomain related ATTID values
via 42c12b8c36d CVE-2022-37966 s4:kdc: use the strongest possible keys
via ceda758dd73 CVE-2022-37966 s4:pydsdb: add ENC_HMAC_SHA1_96_AES256_SK
via e741eac059f CVE-2022-37966 s3:net_ads: let 'net ads enctypes list' pretty print AES256-SK and RESOURCE-SID-COMPRESSION-DISABLED
via 96fcd2b2b1f CVE-2022-37966 s3:net_ads: no longer reference des encryption types
via 8b9e670c5ce CVE-2022-37966 s3:libnet: no longer reference des encryption types
via edccbf1a637 CVE-2022-37966 s3:libads: no longer reference des encryption types
via c894010ae87 CVE-2022-37966 lib/krb5_wrap: no longer reference des encryption types
via e2e29876b69 CVE-2022-37966 s3:net_ads: remove unused ifdef HAVE_ENCTYPE_AES*
via b10529349fb CVE-2022-37966 s3:libnet: remove unused ifdef HAVE_ENCTYPE_AES*
via d022b9fa3ae CVE-2022-37966 s3:libads: remove unused ifdef HAVE_ENCTYPE_AES*
via 91680bf61f5 CVE-2022-37966 lib/krb5_wrap: remove unused ifdef HAVE_ENCTYPE_AES*
via 425dc5a2a09 CVE-2022-37966 system_mitkrb5: require support for aes enctypes
via 4ad0303ece5 CVE-2022-37966 wafsamba: add support for CHECK_VARIABLE(mandatory=True)
via 5f8854208d7 CVE-2022-37966 s4:kdc: also limit the krbtgt history to their strongest keys
via 82f3c2876a8 CVE-2022-37966 kdc: Assume trust objects support AES by default
via 71e538e7e03 CVE-2022-37966 kdc: Implement new Kerberos session key behaviour since ENC_HMAC_SHA1_96_AES256_SK was added
via 3d85ff9dd57 CVE-2022-37966 selftest: Run S4U tests against FL2003 DC
via 64bfe0ef786 CVE-2022-37966 selftest: Add tests for Kerberos session key behaviour since ENC_HMAC_SHA1_96_AES256_SK was added
via 123b3c056af CVE-2022-37966 tests/krb5: Test different preauth etypes with Protected Users group
via d8cef2fa342 CVE-2022-37966 samba-tool: Declare explicitly RC4 support of trust objects
via 42150ff93ba CVE-2022-37966 samba-tool: Fix 'domain trust create' documentation
via 350a2e5fda5 CVE-2022-37966 third_party/heimdal: Fix error message typo
via ac8a4665a8d CVE-2022-37966 param: Add support for new option "kdc force enable rc4 weak session keys"
via 3d276a19e30 CVE-2022-37966 param: Add support for new option "kdc default domain supportedenctypes"
via 25918f9c16c CVE-2022-37967 Add new PAC checksum
via 6ff9fc58cd3 CVE-2022-37966 HEIMDAL: Look up the server keys to combine with clients etype list to select a session key
via 15835e21e84 CVE-2022-37966 tests/krb5: Add a test requesting tickets with various encryption types
via 649854b0fad CVE-2022-37966 tests/krb5: Add 'etypes' parameter to _tgs_req()
via 4870b9c8e57 CVE-2022-37966 tests/krb5: Split out _tgs_req() into base class
via 91dcb8d0442 CVE-2022-37966 selftest: Allow krb5 tests to run against an IP by using the target_hostname binding string
via 362de0199e3 CVE-2022-37966 libcli/auth: let netlogon_creds_cli_warn_options() about "kerberos encryption types=legacy"
via 9fa6585a4cc CVE-2022-37966 testparm: warn about 'kerberos encryption types = legacy'
via d08d54c944d CVE-2022-37966 docs-xml/smbdotconf: "kerberos encryption types = legacy" should not be used
via fea5bde53c4 CVE-2022-37966 tests/krb5: Add test requesting a TGT expiring post-2038
via c5eda69a10b CVE-2022-37966 s3:utils: Fix old-style function definition
via 9166254b4bb CVE-2022-37966 s3:client: Fix old-style function definition
via 523f9aa70a8 CVE-2022-37966 s3:param: Fix old-style function definition
via f4d487bda53 CVE-2022-38023 testparm: warn about unsecure schannel related options
via 0d4f8c70446 CVE-2022-38023 testparm: warn about server/client schannel != yes
via e5e03583f19 CVE-2022-38023 s4:rpc_server/netlogon: implement "server schannel require seal[:COMPUTERACCOUNT]"
via 8f7d77ecb52 CVE-2022-38023 s4:rpc_server/netlogon: add a per connection cache to dcesrv_netr_check_schannel()
via 65d8624cd21 CVE-2022-38023 docs-xml/smbdotconf: add "server schannel require seal[:COMPUTERACCOUNT]" options
via de639278eb1 CVE-2022-38023 s4:rpc_server/netlogon: make sure all dcesrv_netr_LogonSamLogon*() calls go through dcesrv_netr_check_schannel()
via cf649bf2772 CVE-2022-38023 s4:rpc_server/netlogon: split out dcesrv_netr_check_schannel() function
via ff1c42ee451 CVE-2022-38023 selftest:Samba4: avoid global 'allow nt4 crypto = yes' and 'reject md5 clients = no'
via f0cdff380b8 CVE-2022-38023 s4:rpc_server/netlogon: debug 'reject md5 servers' and 'allow nt4 crypto' misconfigurations
via 1d2e938ab67 CVE-2022-38023 docs-xml/smbdotconf: document "server reject md5 schannel:COMPUTERACCOUNT"
via 2cb10f9648e CVE-2022-38023 docs-xml/smbdotconf: document "allow nt4 crypto:COMPUTERACCOUNT = no"
via 277bd2c6d31 CVE-2022-38023 s4:rpc_server/netlogon: add 'server reject md5 schannel:COMPUTERACCOUNT = no' and 'allow nt4 crypto:COMPUTERACCOUNT = yes'
via c919351058b CVE-2022-38023 s4:rpc_server/netlogon: defer downgrade check until we found the account in our SAM
via f69766398ef CVE-2022-38023 docs-xml/smbdotconf: change 'reject md5 clients' default to yes
via eb1f1c37548 CVE-2022-38023 s4:rpc_server/netlogon: require aes if weak crypto is disabled
via 07518e76dc9 CVE-2022-38023 s4:rpc_server/netlogon: split out dcesrv_netr_ServerAuthenticate3_check_downgrade()
via 84d53540268 CVE-2022-38023 s4:torture: use NETLOGON_NEG_SUPPORTS_AES by default
via a656f2a3d66 CVE-2022-38023 selftest:Samba4: avoid global 'server schannel = auto'
via 4d143e92adf CVE-2022-38023 s4:rpc_server/netlogon: improve CVE-2020-1472(ZeroLogon) debug messages
via a31898e1769 CVE-2022-38023 s4:rpc_server/netlogon: re-order checking in dcesrv_netr_creds_server_step_check()
via 911874a9582 CVE-2022-38023 s4:rpc_server/netlogon: add talloc_stackframe() to dcesrv_netr_creds_server_step_check()
via 93566433316 CVE-2022-38023 s4:rpc_server/netlogon: add a lp_ctx variable to dcesrv_netr_creds_server_step_check()
via b04f9cd924e CVE-2022-38023 s4:rpc_server/netlogon: 'server schannel != yes' warning to dcesrv_interface_netlogon_bind
via 15253c4da88 CVE-2022-38023 docs-xml/smbdotconf: change 'reject md5 servers' default to yes
via ff5f2c81e97 CVE-2022-38023 s3:winbindd: also allow per domain "winbind sealed pipes:DOMAIN" and "require strong key:DOMAIN"
via 6c7aa761f3b CVE-2022-38023 s3:net: add and use net_warn_member_options() helper
via 285ecad0a84 CVE-2022-38023 libcli/auth: add/use netlogon_creds_cli_warn_options()
via d39c37292f9 CVE-2022-38023 libcli/auth: pass lp_ctx to netlogon_creds_cli_set_global_db()
via 810b57b19dd CVE-2022-38023 docs-xml: improve wording for several options: "yields precedence" -> "is over-riden"
via 121c471b5ee CVE-2022-38023 docs-xml: improve wording for several options: "takes precedence" -> "overrides"
via fd50943b2a4 selftest: make filter-subunit much more efficient for large knownfail lists
via 8578a24c288 CVE-2021-20251: s4:auth: fix use after free in authsam_logon_success_accounting()
via 7bb1180c5ad CVE-2022-44640 HEIMDAL: asn1: invalid free in ASN.1 codec
via 7b90f5c8296 CVE-2022-44640 selftest: Exclude Heimdal fuzz-inputs from source_chars test
via c258b48da9f s3:utils: Fix stack smashing in net offlinejoin
via 404ca2b665c smbd: reject FILE_ATTRIBUTE_TEMPORARY on directories
via a019803de67 torture: add a test trying to set FILE_ATTRIBUTE_TEMPORARY on a directory
via c37b4d797ae CVE-2022-42898: HEIMDAL: lib/krb5: fix _krb5_get_int64 on systems where 'unsigned long' is just 32-bit
via 50fd29d8b88 nsswitch: Fix uninitialized memory when allocating pwdlastset_prelim
via d7e34c8b157 nsswitch: Fix pam_set_data()/pam_get_data() to use pointers to a time_t, not try and embed it directly.
via 9dbbce3f4e7 vfs_glusterfs: Add path based fallback mechanism for SMB_VFS_FNTIMES
via 4a3dcb32578 vfs_glusterfs: Simplify SMB_VFS_FDOPENDIR implementation
via 9f307955d8a vfs_glusterfs: Add path based fallback mechanism for SMB_VFS_FGETXATTR
via d904e80ef35 vfs_glusterfs: Do not use glfs_fgetxattr() for SMB_VFS_GET_REAL_FILENAME_AT
via 2ce1a1eca56 vfs_glusterfs: Simplify SMB_VFS_GET_REAL_FILENAME_AT implementation
via 2c1b957433b s3:rpc_server: Fix include directive substitution when enumerating shares
via 969df454453 s3:tests: Add substitution test for listing shares
via 560805be834 s3:tests: Add substitution test for include directive
via e3207e6c250 lib/replace: fix memory leak in snprintf replacements
via 3e1f07b1027 VERSION: Bump version up to Samba 4.17.4...
via 120f7790f6b Merge tag 'samba-4.17.3' into v4-17-test
via 2803e76fba0 smbd: Fix Bug 15221
via b1cf93f7a48 heimdal: Fix the 32-bit build on FreeBSD
via 159054c3bb7 third_party/heimdal: Introduce macro for common plugin structure elements
via 5c32c822edd docs-xml: ea support option restricted to user ns
via f4507b399cf s3: smbd: Consistently map EAs to user namespace
via 057f60cc715 python/samba/tests: fix samba.tests.auth_log_pass_change for later gnutls
via e84108f30a1 s4/rpc_server/sambr: don't mutate the return of samdb_set_password_aes
via c57b3d3751d s4:libnet: If we successfully changed the password we are done
via d26e2da30c0 s3:rpcclient: Pass salt down to init_samr_CryptPasswordAES()
via c59f9c33192 s3:librpc: Improve GSE error message
via 743a56e5ccf s4:ldap_server: let ldapsrv_call_writev_start use conn_idle_time to limit the time
via b615bf4333a lib/tsocket: avoid endless cpu-spinning in tstream_bsd_fde_handler()
via 419986dcc0b lib/tsocket: remember the first error as tstream_bsd->error
via 5c051d38065 lib/tsocket: check for errors indicated by poll() before getsockopt(fd, SOL_SOCKET, SO_ERROR)
via 8a4ef3d92e7 lib/tsocket: split out tsocket_bsd_error() from tsocket_bsd_pending()
via dcac415e949 lib/tsocket: Add tests for loop on EAGAIN
from 212ebbf7f4f VERSION: Disable GIT_SNAPSHOT for the 4.17.3 release.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-17-stable
- Log -----------------------------------------------------------------
-----------------------------------------------------------------------
Summary of changes:
VERSION | 2 +-
WHATSNEW.txt | 159 +-
buildtools/wafsamba/samba_autoconf.py | 4 +-
docs-xml/manpages/samba-tool.8.xml | 5 +
docs-xml/smbdotconf/logon/allownt4crypto.xml | 85 +-
docs-xml/smbdotconf/logon/rejectmd5clients.xml | 101 +-
docs-xml/smbdotconf/protocol/easupport.xml | 9 +
.../security/allowdcerpcauthlevelconnect.xml | 2 +-
docs-xml/smbdotconf/security/clientschannel.xml | 2 +-
.../security/kdcdefaultdomainsupportedenctypes.xml | 42 +
.../security/kdcforceenablerc4weaksessionkeys.xml | 24 +
.../smbdotconf/security/kdcsupportedenctypes.xml | 40 +
.../security/kerberosencryptiontypes.xml | 12 +-
docs-xml/smbdotconf/security/serverschannel.xml | 47 +-
.../security/serverschannelrequireseal.xml | 118 ++
docs-xml/smbdotconf/winbind/rejectmd5servers.xml | 9 +-
docs-xml/smbdotconf/winbind/requirestrongkey.xml | 4 +-
lib/krb5_wrap/krb5_samba.c | 6 -
lib/param/loadparm.c | 147 ++
lib/replace/snprintf.c | 2 +
lib/tsocket/tests/socketpair_tcp.c | 89 ++
.../tsocket/tests/socketpair_tcp.h | 30 +-
lib/tsocket/tests/test_tstream.c | 517 +++++++
lib/tsocket/tsocket_bsd.c | 274 +++-
lib/tsocket/wscript_build | 6 +
libcli/auth/netlogon_creds_cli.c | 88 +-
libcli/auth/netlogon_creds_cli.h | 4 +-
librpc/idl/drsuapi.idl | 9 +
librpc/idl/krb5pac.idl | 4 +-
librpc/idl/netlogon.idl | 1 +
librpc/idl/security.idl | 1 +
nsswitch/pam_winbind.c | 24 +-
python/samba/drs_utils.py | 12 +-
python/samba/netcmd/domain.py | 130 +-
python/samba/tests/auth_log_pass_change.py | 20 +-
python/samba/tests/krb5/alias_tests.py | 6 +-
.../samba/tests/krb5/as_canonicalization_tests.py | 5 +-
python/samba/tests/krb5/as_req_tests.py | 28 +-
python/samba/tests/krb5/compatability_tests.py | 22 +
python/samba/tests/krb5/etype_tests.py | 597 ++++++++
python/samba/tests/krb5/fast_tests.py | 11 +-
python/samba/tests/krb5/kdc_base_test.py | 131 +-
python/samba/tests/krb5/kdc_tgs_tests.py | 467 ++++--
python/samba/tests/krb5/kpasswd_tests.py | 8 +-
python/samba/tests/krb5/lockout_tests.py | 11 +-
python/samba/tests/krb5/nt_hash_tests.py | 8 +-
python/samba/tests/krb5/pac_align_tests.py | 6 +-
python/samba/tests/krb5/protected_users_tests.py | 55 +-
python/samba/tests/krb5/raw_testcase.py | 129 +-
python/samba/tests/krb5/rfc4120_constants.py | 1 +
python/samba/tests/krb5/rodc_tests.py | 8 +-
python/samba/tests/krb5/s4u_tests.py | 122 +-
python/samba/tests/krb5/salt_tests.py | 6 +-
python/samba/tests/krb5/spn_tests.py | 8 +-
python/samba/tests/krb5/test_ccache.py | 6 +-
python/samba/tests/krb5/test_idmap_nss.py | 6 +-
python/samba/tests/krb5/test_ldap.py | 6 +-
python/samba/tests/krb5/test_min_domain_uid.py | 7 +-
python/samba/tests/krb5/test_rpc.py | 6 +-
python/samba/tests/krb5/test_smb.py | 6 +-
python/samba/tests/source_chars.py | 1 +
python/samba/tests/usage.py | 1 +
selftest/knownfail | 1 +
selftest/knownfail_mit_kdc | 1601 +++++++++++++++++++-
selftest/subunithelper.py | 32 +-
selftest/target/Samba3.pm | 17 +
selftest/target/Samba4.pm | 126 +-
selftest/tests.py | 3 +
source3/client/clitar.c | 2 +-
source3/libads/kerberos.c | 6 +-
source3/libads/kerberos_keytab.c | 4 -
source3/libnet/libnet_join.c | 9 +-
source3/librpc/crypto/gse.c | 21 +-
source3/modules/vfs_glusterfs.c | 97 +-
source3/param/loadparm.c | 7 +-
source3/rpc_client/cli_netlogon.c | 2 +-
source3/rpc_client/init_samr.c | 15 +-
source3/rpc_client/init_samr.h | 1 +
source3/rpc_server/srvsvc/srv_srvsvc_nt.c | 8 +
source3/rpcclient/cmd_samr.c | 8 +
source3/script/tests/test_substitutions.sh | 27 +
source3/smbd/dosmode.c | 7 +
source3/smbd/filename.c | 16 +-
source3/smbd/smb2_trans2.c | 23 +-
source3/utils/destroy_netlogon_creds_cli.c | 2 +-
source3/utils/net.c | 6 +
source3/utils/net_ads.c | 27 +-
source3/utils/net_dom.c | 2 +
source3/utils/net_join.c | 2 +
source3/utils/net_offlinejoin.c | 13 +-
source3/utils/net_proto.h | 2 +
source3/utils/net_rpc.c | 10 +
source3/utils/net_util.c | 14 +
source3/utils/ntlm_auth.c | 12 +-
source3/utils/testparm.c | 89 +-
source3/winbindd/winbindd_cm.c | 41 +-
source4/auth/ntlm/auth_sam.c | 1 +
source4/auth/ntlm/auth_winbind.c | 2 +-
source4/auth/sam.c | 9 +-
source4/auth/tests/sam.c | 24 +-
source4/dsdb/pydsdb.c | 1 +
source4/kdc/db-glue.c | 251 ++-
source4/kdc/hdb-samba4.c | 2 +-
source4/kdc/kdc-heimdal.c | 23 +-
source4/kdc/mit_samba.c | 4 +-
source4/kdc/pac-glue.c | 24 +
source4/kdc/sdb.c | 91 ++
source4/kdc/sdb.h | 12 +
source4/kdc/sdb_to_hdb.c | 28 +-
source4/kdc/wdc-samba4.c | 2 +-
source4/ldap_server/ldap_server.c | 5 +
source4/libnet/libnet_join.c | 4 +-
source4/libnet/libnet_passwd.c | 127 +-
source4/libnet/libnet_passwd.h | 7 +
source4/libnet/py_net.c | 18 +-
source4/rpc_server/netlogon/dcerpc_netlogon.c | 1044 +++++++++++--
source4/rpc_server/samr/samr_password.c | 1 -
source4/selftest/tests.py | 45 +-
source4/torture/ntp/ntp_signd.c | 2 +-
source4/torture/rpc/lsa.c | 4 +-
source4/torture/rpc/netlogon.c | 24 +-
source4/torture/rpc/netlogon_crypto.c | 2 +-
source4/torture/rpc/remote_pac.c | 14 +-
source4/torture/rpc/samba3rpc.c | 15 +-
source4/torture/rpc/samr.c | 27 +
source4/torture/smb2/create.c | 47 +
third_party/heimdal/kdc/csr_authorizer_plugin.h | 4 +-
third_party/heimdal/kdc/gss_preauth.c | 2 +-
.../heimdal/kdc/gss_preauth_authorizer_plugin.h | 4 +-
third_party/heimdal/kdc/kdc-plugin.h | 4 +-
third_party/heimdal/kdc/kerberos5.c | 45 +-
third_party/heimdal/kdc/krb5tgs.c | 8 +-
third_party/heimdal/kdc/misc.c | 4 +-
third_party/heimdal/kdc/token_validator_plugin.h | 4 +-
.../heimdal/lib/asn1/fuzz-inputs/KrbFastArmoredReq | Bin 0 -> 55 bytes
third_party/heimdal/lib/asn1/gen_decode.c | 12 +-
third_party/heimdal/lib/asn1/gen_encode.c | 4 +-
third_party/heimdal/lib/asn1/gen_free.c | 7 +
third_party/heimdal/lib/asn1/gen_template.c | 5 +-
third_party/heimdal/lib/asn1/krb5.asn1 | 1 +
third_party/heimdal/lib/base/common_plugin.h | 6 +-
third_party/heimdal/lib/base/heimbase-svc.h | 5 +
third_party/heimdal/lib/base/log.c | 2 +-
third_party/heimdal/lib/base/plugin.c | 2 +-
third_party/heimdal/lib/hdb/hdb-ldap.c | 3 +-
third_party/heimdal/lib/hdb/hdb.asn1 | 3 +-
third_party/heimdal/lib/hdb/hdb.c | 40 +-
third_party/heimdal/lib/hdb/hdb.h | 4 +-
third_party/heimdal/lib/hdb/test_namespace.c | 8 +-
third_party/heimdal/lib/kadm5/kadm5-hook.h | 6 +-
third_party/heimdal/lib/krb5/an2ln_plugin.h | 6 +-
third_party/heimdal/lib/krb5/db_plugin.h | 6 +-
third_party/heimdal/lib/krb5/init_creds_pw.c | 2 +-
third_party/heimdal/lib/krb5/kuserok_plugin.h | 6 +-
third_party/heimdal/lib/krb5/locate_plugin.h | 6 +-
third_party/heimdal/lib/krb5/pac.c | 169 ++-
third_party/heimdal/lib/krb5/send_to_kdc_plugin.h | 5 +-
third_party/heimdal/lib/krb5/store-int.c | 2 +-
third_party/heimdal/lib/krb5/ticket.c | 2 +-
wscript_configure_system_mitkrb5 | 4 +-
160 files changed, 7273 insertions(+), 928 deletions(-)
create mode 100644 docs-xml/smbdotconf/security/kdcdefaultdomainsupportedenctypes.xml
create mode 100644 docs-xml/smbdotconf/security/kdcforceenablerc4weaksessionkeys.xml
create mode 100644 docs-xml/smbdotconf/security/kdcsupportedenctypes.xml
create mode 100644 docs-xml/smbdotconf/security/serverschannelrequireseal.xml
create mode 100644 lib/tsocket/tests/socketpair_tcp.c
copy source3/lib/namearray.c => lib/tsocket/tests/socketpair_tcp.h (61%)
create mode 100644 lib/tsocket/tests/test_tstream.c
create mode 100755 python/samba/tests/krb5/etype_tests.py
create mode 100644 third_party/heimdal/lib/asn1/fuzz-inputs/KrbFastArmoredReq
Changeset truncated at 500 lines:
diff --git a/VERSION b/VERSION
index d11f43b45aa..94b85f81683 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
########################################################
SAMBA_VERSION_MAJOR=4
SAMBA_VERSION_MINOR=17
-SAMBA_VERSION_RELEASE=3
+SAMBA_VERSION_RELEASE=4
########################################################
# If a official release has a serious bug #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 6a9245050ee..40f99a45a90 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,159 @@
+ ==============================
+ Release Notes for Samba 4.17.4
+ December 15, 2022
+ ==============================
+
+
+This is the latest stable release of the Samba 4.17 release series.
+It also contains security changes in order to address the following defects:
+
+
+o CVE-2022-37966: This is the Samba CVE for the Windows Kerberos
+ RC4-HMAC Elevation of Privilege Vulnerability
+ disclosed by Microsoft on Nov 8 2022.
+
+ A Samba Active Directory DC will issue weak rc4-hmac
+ session keys for use between modern clients and servers
+ despite all modern Kerberos implementations supporting
+ the aes256-cts-hmac-sha1-96 cipher.
+
+ On Samba Active Directory DCs and members
+ 'kerberos encryption types = legacy' would force
+ rc4-hmac as a client even if the server supports
+ aes128-cts-hmac-sha1-96 and/or aes256-cts-hmac-sha1-96.
+
+ https://www.samba.org/samba/security/CVE-2022-37966.html
+
+o CVE-2022-37967: This is the Samba CVE for the Windows
+ Kerberos Elevation of Privilege Vulnerability
+ disclosed by Microsoft on Nov 8 2022.
+
+ A service account with the special constrained
+ delegation permission could forge a more powerful
+ ticket than the one it was presented with.
+
+ https://www.samba.org/samba/security/CVE-2022-37967.html
+
+o CVE-2022-38023: The "RC4" protection of the NetLogon Secure channel uses the
+ same algorithms as rc4-hmac cryptography in Kerberos,
+ and so must also be assumed to be weak.
+
+ https://www.samba.org/samba/security/CVE-2022-38023.html
+
+Note that there are several important behavior changes
+included in this release, which may cause compatibility problems
+interacting with system still expecting the former behavior.
+Please read the advisories of CVE-2022-37966,
+CVE-2022-37967 and CVE-2022-38023 carefully!
+
+samba-tool got a new 'domain trust modify' subcommand
+-----------------------------------------------------
+
+This allows "msDS-SupportedEncryptionTypes" to be changed
+on trustedDomain objects. Even against remote DCs (including Windows)
+using the --local-dc-ipaddress= (and other --local-dc-* options).
+See 'samba-tool domain trust modify --help' for further details.
+
+smb.conf changes
+----------------
+
+ Parameter Name Description Default
+ -------------- ----------- -------
+ allow nt4 crypto Deprecated no
+ allow nt4 crypto:COMPUTERACCOUNT New
+ kdc default domain supported enctypes New (see manpage)
+ kdc supported enctypes New (see manpage)
+ kdc force enable rc4 weak session keys New No
+ reject md5 clients New Default, Deprecated Yes
+ reject md5 servers New Default, Deprecated Yes
+ server schannel Deprecated Yes
+ server schannel require seal New, Deprecated Yes
+ server schannel require seal:COMPUTERACCOUNT New
+ winbind sealed pipes Deprecated Yes
+
+Changes since 4.17.3
+--------------------
+
+o Jeremy Allison <jra at samba.org>
+ * BUG 15224: pam_winbind uses time_t and pointers assuming they are of the
+ same size.
+
+o Andrew Bartlett <abartlet at samba.org>
+ * BUG 14929: CVE-2022-44640 [SECURITY] Upstream Heimdal free of
+ user-controlled pointer in FAST.
+ * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry.
+ * BUG 15237: CVE-2022-37966.
+ * BUG 15258: filter-subunit is inefficient with large numbers of knownfails.
+
+o Ralph Boehme <slow at samba.org>
+ * BUG 15240: CVE-2022-38023.
+ * BUG 15252: smbd allows setting FILE_ATTRIBUTE_TEMPORARY on directories.
+
+o Stefan Metzmacher <metze at samba.org>
+ * BUG 13135: The KDC logic arround msDs-supportedEncryptionTypes differs from
+ Windows.
+ * BUG 14611: CVE-2021-20251 [SECURITY] Bad password count not incremented
+ atomically.
+ * BUG 15203: CVE-2022-42898 [SECURITY] krb5_pac_parse() buffer parsing
+ vulnerability.
+ * BUG 15206: libnet: change_password() doesn't work with
+ dcerpc_samr_ChangePasswordUser4().
+ * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry.
+ * BUG 15230: Memory leak in snprintf replacement functions.
+ * BUG 15237: CVE-2022-37966.
+ * BUG 15240: CVE-2022-38023.
+ * BUG 15253: RODC doesn't reset badPwdCount reliable via an RWDC
+ (CVE-2021-20251 regression).
+
+o Noel Power <noel.power at suse.com>
+ * BUG 15224: pam_winbind uses time_t and pointers assuming they are of the
+ same size.
+
+o Anoop C S <anoopcs at samba.org>
+ * BUG 15198: Prevent EBADF errors with vfs_glusterfs.
+
+o Andreas Schneider <asn at samba.org>
+ * BUG 15237: CVE-2022-37966.
+ * BUG 15243: %U for include directive doesn't work for share listing
+ (netshareenum).
+ * BUG 15257: Stack smashing in net offlinejoin requestodj.
+
+o Joseph Sutton <josephsutton at catalyst.net.nz>
+ * BUG 15197: Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue.
+ * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry.
+ * BUG 15231: CVE-2022-37967.
+ * BUG 15237: CVE-2022-37966.
+
+o Nicolas Williams <nico at twosigma.com>
+ * BUG 14929: CVE-2022-44640 [SECURITY] Upstream Heimdal free of
+ user-controlled pointer in FAST.
+
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat.
+
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
==============================
Release Notes for Samba 4.17.3
November 15, 2022
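Review bot: a few typos in the new release notes should be fixed before this ships: "arround" in the BUG 13135 entry should be "around", "interacting with system still expecting the former behavior" should read "systems", and "doesn't reset badPwdCount reliable" should be "reliably". The smb.conf table is also inconsistent in how it writes boolean defaults ("no" for allow nt4 crypto, "No" for kdc force enable rc4 weak session keys, "Yes" for the rest); one form avoids readers wondering whether the values differ. Since "reject md5 clients" and "reject md5 servers" both flip their default to yes, the behaviour-change paragraph would be more useful if it said plainly that domain members still negotiating RC4/HMAC-MD5 NetLogon schannel will be refused unless the per-account exceptions described in the CVE-2022-38023 advisory are configured.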
@@ -43,8 +199,7 @@ database (https://bugzilla.samba.org/).
======================================================================
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
==============================
Release Notes for Samba 4.17.2
October 25, 2022
diff --git a/buildtools/wafsamba/samba_autoconf.py b/buildtools/wafsamba/samba_autoconf.py
index 3ca2f334190..834acb70097 100644
--- a/buildtools/wafsamba/samba_autoconf.py
+++ b/buildtools/wafsamba/samba_autoconf.py
@@ -185,7 +185,8 @@ def CHECK_TYPE_IN(conf, t, headers=None, alternate=None, define=None, cflags='')
@conf
def CHECK_VARIABLE(conf, v, define=None, always=False,
- headers=None, msg=None, lib=None):
+ headers=None, msg=None, lib=None,
+ mandatory=False):
'''check for a variable declaration (or define)'''
if define is None:
define = 'HAVE_%s' % v.upper()
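Review bot: the docstring still only says "check for a variable declaration (or define)"; with the new mandatory keyword it should state that mandatory=True makes configure fail when the variable is absent, since that is what the "system_mitkrb5: require support for aes enctypes" commit in this series relies on, and callers should not have to read the underlying check to learn the semantics.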
@@ -209,6 +210,7 @@ def CHECK_VARIABLE(conf, v, define=None, always=False,
lib=lib,
headers=headers,
define=define,
+ mandatory=mandatory,
always=always)
diff --git a/docs-xml/manpages/samba-tool.8.xml b/docs-xml/manpages/samba-tool.8.xml
index 9a40bb1bec4..8e9279cc518 100644
--- a/docs-xml/manpages/samba-tool.8.xml
+++ b/docs-xml/manpages/samba-tool.8.xml
@@ -676,6 +676,11 @@
<para>Create a domain or forest trust.</para>
</refsect3>
+<refsect3>
+ <title>domain trust modify <replaceable>DOMAIN</replaceable> <replaceable>options</replaceable> [options]</title>
+ <para>Modify a domain or forest trust.</para>
+</refsect3>
+
<refsect3>
<title>domain trust delete <replaceable>DOMAIN</replaceable> <replaceable>options</replaceable> [options]</title>
<para>Delete a domain trust.</para>
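Review bot: the new entry's one-liner "Modify a domain or forest trust." tells the reader less than the release notes, which say the subcommand exists to change msDS-SupportedEncryptionTypes on trustedDomain objects, including against remote (Windows) DCs via --local-dc-ipaddress= and the other --local-dc-* options; a sentence to that effect here would let man-page readers find the CVE-2022-37966 knob without consulting WHATSNEW.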
diff --git a/docs-xml/smbdotconf/logon/allownt4crypto.xml b/docs-xml/smbdotconf/logon/allownt4crypto.xml
index 03dc8fa93f7..ee63e6cc245 100644
--- a/docs-xml/smbdotconf/logon/allownt4crypto.xml
+++ b/docs-xml/smbdotconf/logon/allownt4crypto.xml
@@ -1,11 +1,18 @@
<samba:parameter name="allow nt4 crypto"
context="G"
type="boolean"
+ deprecated="1"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
+ <para>
+ This option is deprecated and will be removed in future,
+ as it is a security problem if not set to "no" (which will be
+ the hardcoded behavior in future).
+ </para>
+
<para>This option controls whether the netlogon server (currently
only in 'active directory domain controller' mode), will
- reject clients which does not support NETLOGON_NEG_STRONG_KEYS
+ reject clients which do not support NETLOGON_NEG_STRONG_KEYS
nor NETLOGON_NEG_SUPPORTS_AES.</para>
<para>This option was added with Samba 4.2.0. It may lock out clients
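Review bot: the deprecation paragraph says "will be removed in future", while the equivalent paragraph added to rejectmd5clients.xml in this same series says "in a future release"; use the same wording in both files. The context fix "which do not support" is correct, but the parallel sentence in rejectmd5clients.xml ("reject clients which does not support NETLOGON_NEG_SUPPORTS_AES") is left untouched and should get the same fix.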
@@ -18,8 +25,82 @@
<para>"allow nt4 crypto = yes" allows weak crypto to be negotiated, maybe via downgrade attacks.</para>
- <para>This option yields precedence to the 'reject md5 clients' option.</para>
+ <para><emphasis>Avoid using this option!</emphasis> Use explicit '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>' instead!
+ Which is available with the patches for
+ <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>
+ see <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink></para>
+
+ <para>
+ Samba will log an error in the log files at log level 0
+ if legacy a client is rejected or allowed without an explicit,
+ '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>' option
+ for the client. The message will indicate
+ the explicit '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>'
+ line to be added, if the legacy client software requires it. (The log level can be adjusted with
+ '<smbconfoption name="CVE_2022_38023:error_debug_level">1</smbconfoption>'
+ in order to complain only at a higher log level).
+ </para>
+
+ <para>This allows admins to use "yes" only for a short grace period,
+ in order to collect the explicit
+ '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>' options.</para>
+
+ <para>This option is over-ridden by the effective value of 'yes' from
+ the '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT"/>'
+ and/or '<smbconfoption name="reject md5 clients"/>' options.</para>
</description>
<value type="default">no</value>
</samba:parameter>
+
+<samba:parameter name="allow nt4 crypto:COMPUTERACCOUNT"
+ context="G"
+ type="string"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+
+ <para>If you still have legacy domain members which required 'allow nt4 crypto = yes',
+ it is possible to specify an explicit exception per computer account
+ by using 'allow nt4 crypto:COMPUTERACCOUNT = yes' as option.
+ Note that COMPUTERACCOUNT has to be the sAMAccountName value of
+ the computer account (including the trailing '$' sign).
+ </para>
+
+ <para>
+ Samba will log a complaint in the log files at log level 0
+ about the security problem if the option is set to "yes",
+ but the related computer does not require it.
+ (The log level can be adjusted with
+ '<smbconfoption name="CVE_2022_38023:warn_about_unused_debug_level">1</smbconfoption>'
+ in order to complain only at a higher log level).
+ </para>
+
+ <para>
+ Samba will log a warning in the log files at log level 5,
+ if a setting is still needed for the specified computer account.
+ </para>
+
+ <para>
+ See <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>,
+ <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>.
+ </para>
+
+ <para>This option overrides the <smbconfoption name="allow nt4 crypto"/> option.</para>
+
+ <para>This option is over-ridden by the effective value of 'yes' from
+ the '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT"/>'
+ and/or '<smbconfoption name="reject md5 clients"/>' options.</para>
+ <para>Which means '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>'
+ is only useful in combination with '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT">no</smbconfoption>'</para>
+
+ <programlisting>
+ allow nt4 crypto:LEGACYCOMPUTER1$ = yes
+ server reject md5 schannel:LEGACYCOMPUTER1$ = no
+ allow nt4 crypto:NASBOX$ = yes
+ server reject md5 schannel:NASBOX$ = no
+ allow nt4 crypto:LEGACYCOMPUTER2$ = yes
+ server reject md5 schannel:LEGACYCOMPUTER2$ = no
+ </programlisting>
+</description>
+
+</samba:parameter>
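Review bot: the sentence beginning 'Which means '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>' is only useful in combination with ...' is a fragment with no closing period; fold it into the preceding <para> ("... options, which means that ... is only useful in combination with ... .") or start it as "This means that" and end it with a full stop. In the first paragraph of the same parameter, 'legacy domain members which required' should read 'which require' (the requirement is current) and 'as option' should be 'as an option'. The description also switches between 'overrides' and 'over-ridden' in consecutive paragraphs; 'overridden' is the usual spelling and is worth using consistently across this series.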
diff --git a/docs-xml/smbdotconf/logon/rejectmd5clients.xml b/docs-xml/smbdotconf/logon/rejectmd5clients.xml
index 41684ef1080..fe7701d9277 100644
--- a/docs-xml/smbdotconf/logon/rejectmd5clients.xml
+++ b/docs-xml/smbdotconf/logon/rejectmd5clients.xml
@@ -1,17 +1,110 @@
<samba:parameter name="reject md5 clients"
context="G"
type="boolean"
+ deprecated="1"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
+ <para>
+ This option is deprecated and will be removed in a future release,
+ as it is a security problem if not set to "yes" (which will be
+ the hardcoded behavior in the future).
+ </para>
+
<para>This option controls whether the netlogon server (currently
only in 'active directory domain controller' mode), will
reject clients which does not support NETLOGON_NEG_SUPPORTS_AES.</para>
- <para>You can set this to yes if all domain members support aes.
- This will prevent downgrade attacks.</para>
+ <para>Support for NETLOGON_NEG_SUPPORTS_AES was added in Windows
+ starting with Server 2008R2 and Windows 7, it's available in Samba
+ starting with 4.0, however third party domain members like NetApp ONTAP
+ still uses RC4 (HMAC-MD5), see
+ <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">https://www.samba.org/samba/security/CVE-2022-38023.html</ulink>
+ for more details.
+ </para>
+
+ <para>The default changed from 'no' to 'yes', with the patches for
+ <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>
+ see <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>.
+ </para>
+
+ <para><emphasis>Avoid using this option!</emphasis> Use an explicit per machine account
+ '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT"/>' instead!
+ Which is available with the patches for
+ <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>
+ see <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>.
+ </para>
+
+ <para>
+ Samba will log an error in the log files at log level 0
+ if legacy a client is rejected or allowed without an explicit,
+ '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT">no</smbconfoption>' option
+ for the client. The message will indicate
+ the explicit '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT">no</smbconfoption>'
+ line to be added, if the legacy client software requires it. (The log level can be adjusted with
+ '<smbconfoption name="CVE_2022_38023:error_debug_level">1</smbconfoption>'
+ in order to complain only at a higher log level).
+ </para>
+
+ <para>This allows admins to use "no" only for a short grace period,
+ in order to collect the explicit
+ '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT">no</smbconfoption>' options.</para>
+
+ <para>When set to 'yes' this option overrides the
+ '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT"/>' and
+ '<smbconfoption name="allow nt4 crypto"/>' options and implies
+ '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">no</smbconfoption>'.
+ </para>
+</description>
+
+<value type="default">yes</value>
+</samba:parameter>
+
+<samba:parameter name="server reject md5 schannel:COMPUTERACCOUNT"
+ context="G"
+ type="string"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+
+ <para>If you still have legacy domain members or trusted domains,
+ which required "reject md5 clients = no" before,
+ it is possible to specify an explicit exception per computer account
+ by setting 'server reject md5 schannel:COMPUTERACCOUNT = no'.
+ Note that COMPUTERACCOUNT has to be the sAMAccountName value of
+ the computer account (including the trailing '$' sign).
+ </para>
+
+ <para>
+ Samba will log a complaint in the log files at log level 0
+ about the security problem if the option is set to "no",
+ but the related computer does not require it.
+ (The log level can be adjusted with
+ '<smbconfoption name="CVE_2022_38023:warn_about_unused_debug_level">1</smbconfoption>'
+ in order to complain only at a higher log level).
+ </para>
+
+ <para>
+ Samba will log a warning in the log files at log level 5
+ if a setting is still needed for the specified computer account.
+ </para>
+
+ <para>
+ See <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>,
+ <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>.
+ </para>
+
+ <para>This option overrides the <smbconfoption name="reject md5 clients"/> option.</para>
+
+ <para>When set to 'yes' this option overrides the
+ '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT"/>' and
+ '<smbconfoption name="allow nt4 crypto"/>' options and implies
+ '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">no</smbconfoption>'.
+ </para>
- <para>This option takes precedence to the 'allow nt4 crypto' option.</para>
+ <programlisting>
+ server reject md5 schannel:LEGACYCOMPUTER1$ = no
+ server reject md5 schannel:NASBOX$ = no
+ server reject md5 schannel:LEGACYCOMPUTER2$ = no
+ </programlisting>
</description>
-<value type="default">no</value>
</samba:parameter>
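Review bot: typo in the log-level paragraph of 'reject md5 clients': 'if legacy a client is rejected or allowed' should be 'if a legacy client is rejected or allowed'. The history paragraph is a run-on with a subject/verb mismatch ('starting with Server 2008R2 and Windows 7, it's available in Samba starting with 4.0, however third party domain members like NetApp ONTAP still uses RC4'); split it into separate sentences and use 'still use'. Since this hunk already rewrites most of the description, the unchanged context line 'reject clients which does not support NETLOGON_NEG_SUPPORTS_AES' could be corrected to 'which do not support' at the same time.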
diff --git a/docs-xml/smbdotconf/protocol/easupport.xml b/docs-xml/smbdotconf/protocol/easupport.xml
index 403e48f5a89..0ff9d32f964 100644
--- a/docs-xml/smbdotconf/protocol/easupport.xml
+++ b/docs-xml/smbdotconf/protocol/easupport.xml
@@ -14,8 +14,17 @@
attributes (e.g. the getfattr<manvolnum>1</manvolnum> / setfattr<manvolnum>1</manvolnum>
utilities must work).
</para></listitem>
+ <listitem><para>Access to extended user attributes must be allowed by the underlying
+ filesystem (e.g. when mounted with a system-dependent option like user_xattr on Linux).
+ </para></listitem>
</itemizedlist>
<para>
+ This option exposes the "user" attribute namespace from the underlying filesystem to
+ clients. In order to match Windows conventions, the namespace prefix ("user.") is
+ stripped from the attribute name on the client side. The handling of further attribute
+ namespaces (like "security", "system", or "trusted") is not affected by this option.
+ </para>
+ <para>
Note that the SMB protocol allows setting attributes whose value is 64K bytes long,
and that on NTFS, the maximum storage space for extended attributes per file is 64K.
On most UNIX systems (Solaris and ZFS file system being the exception), the limits
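Review bot: 'the namespace prefix ("user.") is stripped from the attribute name on the client side' can be read as the client performing the stripping, whereas the paragraph is describing what the server exposes; suggest 'is stripped from the attribute name as presented to clients'. The new list item could also say explicitly that without such a mount option the server-side get/set of user attributes fails, which is the practical symptom an admin would see.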
diff --git a/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml b/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml
index 03531adbfb3..8bccab391cc 100644
--- a/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml
+++ b/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml
@@ -15,7 +15,7 @@
<para>The behavior can be overwritten per interface name (e.g. lsarpc, netlogon, samr, srvsvc,
winreg, wkssvc ...) by using 'allow dcerpc auth level connect:interface = yes' as option.</para>
- <para>This option yields precedence to the implementation specific restrictions.
+ <para>This option is over-ridden by the implementation specific restrictions.
E.g. the drsuapi and backupkey protocols require DCERPC_AUTH_LEVEL_PRIVACY.
The dnsserver protocol requires DCERPC_AUTH_LEVEL_INTEGRITY.
</para>
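Review bot: 'over-ridden' is normally spelled 'overridden', and the unchanged context line two lines above ('The behavior can be overwritten per interface name') uses 'overwritten' for the same notion, so the paragraph now mixes three spellings for one concept. Suggest 'overridden' in both places, matching 'overrides' as used in the other files touched by this series.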
diff --git a/docs-xml/smbdotconf/security/clientschannel.xml b/docs-xml/smbdotconf/security/clientschannel.xml
index 5b07da95050..d124ad48181 100644
--- a/docs-xml/smbdotconf/security/clientschannel.xml
+++ b/docs-xml/smbdotconf/security/clientschannel.xml
@@ -23,7 +23,7 @@
<para>Note that for active directory domains this is hardcoded to
<smbconfoption name="client schannel">yes</smbconfoption>.</para>
- <para>This option yields precedence to the <smbconfoption name="require strong key"/> option.</para>
+ <para>This option is over-ridden by the <smbconfoption name="require strong key"/> option.</para>
</description>
<value type="default">yes</value>
<value type="example">auto</value>
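Review bot: the preceding context line states that for active directory domains this option is hardcoded to 'yes', while the rewritten line says it 'is over-ridden by' require strong key; it would help readers to state whether the require strong key override only applies where the option is not hardcoded. Also 'over-ridden' should be 'overridden' for consistency with the rest of the series.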
--
Samba Shared Repository