[SCM] Samba Shared Repository - branch master updated

Stefan Metzmacher metze at samba.org
Wed Feb 23 08:50:01 UTC 2022


The branch, master has been updated
       via  5e2386336c4 s3:trusts_utils: use a password length of 120 for machine accounts
       via  ad0b5561b49 upgradehelpers.py: add a comment to update_krbtgt_account_password()
       via  725c94d57d3 provision: add a comment that the value of krbtgtpass is ignored in the backend
       via  6bb7c0f2491 upgradehelpers.py: let update_machine_account_password() use 120 character passwords
       via  3b91be36581 provision: use 120 characters for the dns account password
       via  59ac782452c samba-tool/join_member: let py_net_join_member() choose the password
       via  576bdb08c51 s3:py_net: allow machinepass=None to py_net_join_member()
      from  0d8084ed628 ctdb-protocol: CID 1499395: Uninitialized variables (UNINIT)

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 5e2386336c49fab46c1192db972af5da1e916b32
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Feb 21 15:28:53 2022 +0100

    s3:trusts_utils: use a password length of 120 for machine accounts
    
    This is important when we change the machine password against
    an RODC that proxies the request to an RWDC.
    
    An RODC using NetrServerPasswordSet2() to proxy PasswordUpdateForward via
    NetrLogonSendToSam() ignores a return of NT_STATUS_INVALID_PARAMETER
    and reports NT_STATUS_OK as result of NetrServerPasswordSet2().
    This hopefully found the last hole in our very robust machine account
    password handling logic inside of trust_pw_change().
    
    The lesson is: try to be as identical to how windows works as possible,
    everything else may use is untested code paths on Windows.
    
    A similar problem was fixed by this commit:
    
        commit 609ca657652862fd9c81fd11f818efb74f72ff55
        Author: Joseph Sutton <josephsutton at catalyst.net.nz>
        Date:   Wed Feb 24 02:03:25 2021 +1300
    
            provision: Decrease the length of random machine passwords
    
            The current length of 128-255 UTF-16 characters currently causes
            generation of crypt() passwords to typically fail. This commit
            decreases the length to 120 UTF-16 characters, which is the same as
            that used by Windows.
    
            BUG: https://bugzilla.samba.org/show_bug.cgi?id=14621
    
            Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
            Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
            Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14984
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    
    Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
    Autobuild-Date(master): Wed Feb 23 08:49:54 UTC 2022 on sn-devel-184

commit ad0b5561b492dfa28acfc9604b2358bb8b490703
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Feb 21 15:23:54 2022 +0100

    upgradehelpers.py: add a comment to update_krbtgt_account_password()
    
    The backend generates its own random krbtgt password values.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14984
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 725c94d57d3d656bc94633dacbac683a4c11d3e6
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Feb 21 15:22:50 2022 +0100

    provision: add a comment that the value of krbtgtpass is ignored in the backend
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14984
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 6bb7c0f24918329804b7f4fb71908e8fab99e266
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Feb 21 15:22:06 2022 +0100

    upgradehelpers.py: let update_machine_account_password() use 120 character passwords
    
    We already changed provision to use 120 character passwords with commit
    609ca657652862fd9c81fd11f818efb74f72ff55.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14984
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 3b91be36581de1007427d539daffdaa62752412d
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Feb 21 15:08:34 2022 +0100

    provision: use 120 characters for the dns account password
    
    We should use the same as for the computer account.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14984
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 59ac782452c4993274fa837256a8b9c5675e707b
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Feb 21 15:03:22 2022 +0100

    samba-tool/join_member: let py_net_join_member() choose the password
    
    It means we'll let trust_pw_new_value() generate the password.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14984
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 576bdb08c51c47c390cc390fbefdcfee275b7f0f
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Feb 21 23:48:37 2022 +0100

    s3:py_net: allow machinepass=None to py_net_join_member()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14984
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 python/samba/netcmd/domain.py      |  2 --
 python/samba/provision/__init__.py |  5 ++++-
 python/samba/upgradehelpers.py     | 11 +++++++----
 source3/libsmb/trusts_util.c       | 14 +++++++++++---
 source3/utils/py_net.c             |  2 +-
 5 files changed, 23 insertions(+), 11 deletions(-)


Changeset truncated at 500 lines:

diff --git a/python/samba/netcmd/domain.py b/python/samba/netcmd/domain.py
index 1bdc0ee535a..e814a47233d 100644
--- a/python/samba/netcmd/domain.py
+++ b/python/samba/netcmd/domain.py
@@ -691,8 +691,6 @@ class cmd_domain_join(Command):
                     os.rename(f.name, smb_conf)
                 s3_lp = s3param.get_context()
                 s3_lp.load(smb_conf)
-                if machinepass is None:
-                    machinepass = samba.generate_random_machine_password(14, 40)
                 s3_net = s3_Net(creds, s3_lp, server=server)
                 (sid, domain_name) = s3_net.join_member(netbios_name,
                                                         machinepass=machinepass,
diff --git a/python/samba/provision/__init__.py b/python/samba/provision/__init__.py
index 1723d9935d4..ff9b8fac916 100644
--- a/python/samba/provision/__init__.py
+++ b/python/samba/provision/__init__.py
@@ -1924,11 +1924,14 @@ def provision_fill(samdb, secrets_ldb, logger, names, paths,
         invocationid = str(uuid.uuid4())
 
     if krbtgtpass is None:
+        # Note that the machinepass value is ignored
+        # as the backend (password_hash.c) will generate its
+        # own random values for the krbtgt keys
         krbtgtpass = samba.generate_random_machine_password(128, 255)
     if machinepass is None:
         machinepass = samba.generate_random_machine_password(120, 120)
     if dnspass is None:
-        dnspass = samba.generate_random_password(128, 255)
+        dnspass = samba.generate_random_password(120, 120)
 
     samdb.transaction_start()
     try:
diff --git a/python/samba/upgradehelpers.py b/python/samba/upgradehelpers.py
index 7f92b45f3fb..c853668058e 100644
--- a/python/samba/upgradehelpers.py
+++ b/python/samba/upgradehelpers.py
@@ -582,7 +582,7 @@ def update_machine_account_password(samdb, secrets_ldb, names):
         assert(len(res) == 1)
 
         msg = ldb.Message(res[0].dn)
-        machinepass = samba.generate_random_machine_password(128, 255)
+        machinepass = samba.generate_random_machine_password(120, 120)
         mputf16 = machinepass.encode('utf-16-le')
         msg["clearTextPassword"] = ldb.MessageElement(mputf16,
                                                       ldb.FLAG_MOD_REPLACE,
@@ -658,9 +658,12 @@ def update_krbtgt_account_password(samdb):
     assert(len(res) == 1)
 
     msg = ldb.Message(res[0].dn)
-    machinepass = samba.generate_random_machine_password(128, 255)
-    mputf16 = machinepass.encode('utf-16-le')
-    msg["clearTextPassword"] = ldb.MessageElement(mputf16,
+    # Note that the machinepass value is ignored
+    # as the backend (password_hash.c) will generate its
+    # own random values for the krbtgt keys
+    krbtgtpass = samba.generate_random_machine_password(128, 255)
+    kputf16 = krbtgtpass.encode('utf-16-le')
+    msg["clearTextPassword"] = ldb.MessageElement(kputf16,
                                                   ldb.FLAG_MOD_REPLACE,
                                                   "clearTextPassword")
 
diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c
index 55e3c74494a..71e1a35eba7 100644
--- a/source3/libsmb/trusts_util.c
+++ b/source3/libsmb/trusts_util.c
@@ -55,10 +55,18 @@ char *trust_pw_new_value(TALLOC_CTX *mem_ctx,
 			 int security)
 {
 	/*
-	 * use secure defaults.
+	 * use secure defaults, which match
+	 * what windows uses for computer passwords.
+	 *
+	 * We used to have min=128 and max=255 here, but
+	 * it's a bad idea because of bugs in the Windows
+	 * RODC/RWDC PasswordUpdateForward handling via
+	 * NetrLogonSendToSam.
+	 *
+	 * See https://bugzilla.samba.org/show_bug.cgi?id=14984
 	 */
-	size_t min = 128;
-	size_t max = 255;
+	size_t min = 120;
+	size_t max = 120;
 
 	switch (sec_channel_type) {
 	case SEC_CHAN_WKSTA:
diff --git a/source3/utils/py_net.c b/source3/utils/py_net.c
index 3142f83bc7f..0d774bcb805 100644
--- a/source3/utils/py_net.c
+++ b/source3/utils/py_net.c
@@ -88,7 +88,7 @@ static PyObject *py_net_join_member(py_net_Object *self, PyObject *args, PyObjec
 		return NULL;
 	}
 
-	if (!PyArg_ParseTupleAndKeywords(args, kwargs, "|ssssssspp:Join",
+	if (!PyArg_ParseTupleAndKeywords(args, kwargs, "|sssssszpp:Join",
 					 discard_const_p(char *, kwnames),
 					 &r->in.dnshostname,
 					 &r->in.upn,


-- 
Samba Shared Repository



More information about the samba-cvs mailing list