[SCM] Samba Shared Repository - branch v4-14-test updated

Jule Anger janger at samba.org
Mon Mar 7 11:31:01 UTC 2022


The branch, v4-14-test has been updated
       via  24d05601ad7 s3:trusts_utils: use a password length of 120 for machine accounts
       via  98714cc2350 upgradehelpers.py: add a comment to update_krbtgt_account_password()
       via  fcd3dc4e445 provision: add a comment that the value of krbtgtpass is ignored in the backend
       via  097dbe8fe86 upgradehelpers.py: let update_machine_account_password() use 120 character passwords
       via  8c58c14cd66 provision: use 120 characters for the dns account password
       via  00aa1f8bbae provision: Decrease the length of random machine passwords
       via  78d24902c79 s4/auth/simple_bind: correctly report TLS state
       via  f656f6c9179 pytest:auth_log: expect TLS connections when using ldaps
      from  c2a3c17da9f s4:sam: Don't use talloc_steal for msg attributes in authsam_make_user_info_dc()

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-14-test


- Log -----------------------------------------------------------------
commit 24d05601ad7517ded8a2a50983c72bf6633c3dab
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Feb 21 15:28:53 2022 +0100

    s3:trusts_utils: use a password length of 120 for machine accounts
    
    This is important when we change the machine password against
    an RODC that proxies the request to an RWDC.
    
    An RODC using NetrServerPasswordSet2() to proxy PasswordUpdateForward via
    NetrLogonSendToSam() ignores a return of NT_STATUS_INVALID_PARAMETER
    and reports NT_STATUS_OK as result of NetrServerPasswordSet2().
    This hopefully found the last hole in our very robust machine account
    password handling logic inside of trust_pw_change().
    
    The lesson is: try to be as identical to how Windows works as possible,
    everything else may use untested code paths on Windows.
    
    A similar problem was fixed by this commit:
    
        commit 609ca657652862fd9c81fd11f818efb74f72ff55
        Author: Joseph Sutton <josephsutton at catalyst.net.nz>
        Date:   Wed Feb 24 02:03:25 2021 +1300
    
            provision: Decrease the length of random machine passwords
    
            The current length of 128-255 UTF-16 characters currently causes
            generation of crypt() passwords to typically fail. This commit
            decreases the length to 120 UTF-16 characters, which is the same as
            that used by Windows.
    
            BUG: https://bugzilla.samba.org/show_bug.cgi?id=14621
    
            Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
            Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
            Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14984
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    
    Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
    Autobuild-Date(master): Wed Feb 23 08:49:54 UTC 2022 on sn-devel-184
    
    (cherry picked from commit 5e2386336c49fab46c1192db972af5da1e916b32)
    
    Autobuild-User(v4-14-test): Jule Anger <janger at samba.org>
    Autobuild-Date(v4-14-test): Mon Mar  7 11:30:22 UTC 2022 on sn-devel-184

commit 98714cc23500ef4d4a37ec82dcd70efd37917555
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Feb 21 15:23:54 2022 +0100

    upgradehelpers.py: add a comment to update_krbtgt_account_password()
    
    The backend generates its own random krbtgt password values.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14984
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit ad0b5561b492dfa28acfc9604b2358bb8b490703)

commit fcd3dc4e445a404962fe17e8c5d9e970590e9a8b
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Feb 21 15:22:50 2022 +0100

    provision: add a comment that the value of krbtgtpass is ignored in the backend
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14984
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit 725c94d57d3d656bc94633dacbac683a4c11d3e6)

commit 097dbe8fe86adcb1868bf0f51351b93bedcaf613
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Feb 21 15:22:06 2022 +0100

    upgradehelpers.py: let update_machine_account_password() use 120 character passwords
    
    We already changed provision to use 120 character passwords with commit
    609ca657652862fd9c81fd11f818efb74f72ff55.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14984
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit 6bb7c0f24918329804b7f4fb71908e8fab99e266)

commit 8c58c14cd66504ffde4cd49e6fb4a4c681957a2f
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Feb 21 15:08:34 2022 +0100

    provision: use 120 characters for the dns account password
    
    We should use the same as for the computer account.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14984
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit 3b91be36581de1007427d539daffdaa62752412d)

commit 00aa1f8bbae0d60f05e4f9064f5f5703af73312b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Feb 24 02:03:25 2021 +1300

    provision: Decrease the length of random machine passwords
    
    The current length of 128-255 UTF-16 characters currently causes
    generation of crypt() passwords to typically fail. This commit
    decreases the length to 120 UTF-16 characters, which is the same as
    that used by Windows.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14621
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (similar to commit 609ca657652862fd9c81fd11f818efb74f72ff55)
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14984

commit 78d24902c7995e6b2fcb061a345371508d37f549
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Thu Dec 23 14:37:29 2021 +1300

    s4/auth/simple_bind: correctly report TLS state
    
    It went wrong in 366f8cf0903e3583fda42696df62a5337f22131f
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Volker Lendecke <vl at samba.org>
    
    Autobuild-User(master): Volker Lendecke <vl at samba.org>
    Autobuild-Date(master): Wed Jan 26 12:39:52 UTC 2022 on sn-devel-184
    
    (cherry picked from commit 309f1982263677045d407463eb19a2444c165a63)
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14996

commit f656f6c91797ddbe06ab5f5de678abf52fdf1251
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Wed Jan 26 15:53:45 2022 +1300

    pytest:auth_log: expect TLS connections when using ldaps
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Volker Lendecke <vl at samba.org>
    (cherry picked from commit f37682747898591b37405f9e96a8135c15638637)
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14996

-----------------------------------------------------------------------

Summary of changes:
 python/samba/join.py               |  2 +-
 python/samba/provision/__init__.py |  7 +++++--
 python/samba/tests/auth_log.py     |  8 ++++----
 python/samba/upgradehelpers.py     | 11 +++++++----
 source3/libsmb/trusts_util.c       | 14 +++++++++++---
 source4/auth/ntlm/auth_simple.c    |  4 ++--
 source4/libnet/libnet_vampire.c    |  2 +-
 source4/scripting/bin/renamedc     |  2 +-
 8 files changed, 32 insertions(+), 18 deletions(-)


Changeset truncated at 500 lines:

diff --git a/python/samba/join.py b/python/samba/join.py
index 79030cdfd29..d31cabb945a 100644
--- a/python/samba/join.py
+++ b/python/samba/join.py
@@ -136,7 +136,7 @@ class DCJoinContext(object):
         if machinepass is not None:
             ctx.acct_pass = machinepass
         else:
-            ctx.acct_pass = samba.generate_random_machine_password(128, 255)
+            ctx.acct_pass = samba.generate_random_machine_password(120, 120)
 
         ctx.dnsdomain = ctx.samdb.domain_dns_name()
 
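Review bot: the literal `120, 120` is now repeated verbatim here and in provision/__init__.py, upgradehelpers.py, renamedc and libnet_vampire.c; consider one named constant (for example a `MACHINE_PASSWORD_LENGTH` in the `samba` Python module, mirrored on the C side) so the next adjustment to match Windows is a single-line change and the reason for the value is recorded once, next to the constant, rather than rediscovered from bug 14984.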
diff --git a/python/samba/provision/__init__.py b/python/samba/provision/__init__.py
index 136267e7aad..e8903ad846f 100644
--- a/python/samba/provision/__init__.py
+++ b/python/samba/provision/__init__.py
@@ -1924,11 +1924,14 @@ def provision_fill(samdb, secrets_ldb, logger, names, paths,
         invocationid = str(uuid.uuid4())
 
     if krbtgtpass is None:
+        # Note that the machinepass value is ignored
+        # as the backend (password_hash.c) will generate its
+        # own random values for the krbtgt keys
         krbtgtpass = samba.generate_random_machine_password(128, 255)
     if machinepass is None:
-        machinepass = samba.generate_random_machine_password(128, 255)
+        machinepass = samba.generate_random_machine_password(120, 120)
     if dnspass is None:
-        dnspass = samba.generate_random_password(128, 255)
+        dnspass = samba.generate_random_password(120, 120)
 
     samdb.transaction_start()
     try:
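Review bot: the comment added above the `krbtgtpass` assignment says "the machinepass value is ignored", but the variable in question is `krbtgtpass`, not `machinepass`; this reads as a copy-paste slip and will confuse anyone auditing why the krbtgt account keeps the old 128-255 range while the machine and dns accounts move to 120. Suggest "Note that the krbtgtpass value is ignored as the backend (password_hash.c) will generate its own random values for the krbtgt keys".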
diff --git a/python/samba/tests/auth_log.py b/python/samba/tests/auth_log.py
index 3c56bc48e7f..8ac76fe4959 100644
--- a/python/samba/tests/auth_log.py
+++ b/python/samba/tests/auth_log.py
@@ -566,7 +566,7 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
         self.assertEqual("NT_STATUS_OK", msg["Authentication"]["status"])
         self.assertEqual("LDAP",
                           msg["Authentication"]["serviceDescription"])
-        self.assertEqual("simple bind",
+        self.assertEqual("simple bind/TLS",
                           msg["Authentication"]["authDescription"])
         self.assertEqual(
             EVT_ID_SUCCESSFUL_LOGON, msg["Authentication"]["eventId"])
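Review bot: every assertion in this file now pins the `"simple bind/TLS"` string, so the TLS branch of authenticate_ldap_simple_bind_send() is covered but nothing visible asserts `"simple bind"` for a plaintext LDAP simple bind; the original inversion went unnoticed precisely because no test distinguished the two strings, so a companion test over a non-TLS bind would stop the branches being swapped again.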
@@ -580,7 +580,7 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
                     (msg["Authentication"]["status"] ==
                         "NT_STATUS_WRONG_PASSWORD") and
                     (msg["Authentication"]["authDescription"] ==
-                        "simple bind") and
+                        "simple bind/TLS") and
                     (msg["Authentication"]["eventId"] ==
                         EVT_ID_UNSUCCESSFUL_LOGON) and
                     (msg["Authentication"]["logonType"] ==
@@ -612,7 +612,7 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
                     (msg["Authentication"]["status"] ==
                         "NT_STATUS_NO_SUCH_USER") and
                     (msg["Authentication"]["authDescription"] ==
-                        "simple bind") and
+                        "simple bind/TLS") and
                     (msg["Authentication"]["eventId"] ==
                         EVT_ID_UNSUCCESSFUL_LOGON) and
                     (msg["Authentication"]["logonType"] ==
@@ -642,7 +642,7 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
                     (msg["Authentication"]["status"] ==
                         "NT_STATUS_NO_SUCH_USER") and
                     (msg["Authentication"]["authDescription"] ==
-                        "simple bind") and
+                        "simple bind/TLS") and
                     (msg["Authentication"]["eventId"] ==
                         EVT_ID_UNSUCCESSFUL_LOGON) and
                     (msg["Authentication"]["logonType"] ==
diff --git a/python/samba/upgradehelpers.py b/python/samba/upgradehelpers.py
index 69f6e3675e8..0f4e65fcaed 100644
--- a/python/samba/upgradehelpers.py
+++ b/python/samba/upgradehelpers.py
@@ -584,7 +584,7 @@ def update_machine_account_password(samdb, secrets_ldb, names):
         assert(len(res) == 1)
 
         msg = ldb.Message(res[0].dn)
-        machinepass = samba.generate_random_machine_password(128, 255)
+        machinepass = samba.generate_random_machine_password(120, 120)
         mputf16 = machinepass.encode('utf-16-le')
         msg["clearTextPassword"] = ldb.MessageElement(mputf16,
                                                       ldb.FLAG_MOD_REPLACE,
@@ -660,9 +660,12 @@ def update_krbtgt_account_password(samdb):
     assert(len(res) == 1)
 
     msg = ldb.Message(res[0].dn)
-    machinepass = samba.generate_random_machine_password(128, 255)
-    mputf16 = machinepass.encode('utf-16-le')
-    msg["clearTextPassword"] = ldb.MessageElement(mputf16,
+    # Note that the machinepass value is ignored
+    # as the backend (password_hash.c) will generate its
+    # own random values for the krbtgt keys
+    krbtgtpass = samba.generate_random_machine_password(128, 255)
+    kputf16 = krbtgtpass.encode('utf-16-le')
+    msg["clearTextPassword"] = ldb.MessageElement(kputf16,
                                                   ldb.FLAG_MOD_REPLACE,
                                                   "clearTextPassword")
 
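Review bot: same mismatch as in provision/__init__.py: the new comment talks about "the machinepass value" while the code it annotates now assigns `krbtgtpass`, so the renaming in this hunk is undone by its own comment. Suggest wording the note in terms of `krbtgtpass`, and, since the value is ignored by password_hash.c anyway, stating that the 128-255 range is kept only because the value is discarded.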
diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c
index 55e3c74494a..71e1a35eba7 100644
--- a/source3/libsmb/trusts_util.c
+++ b/source3/libsmb/trusts_util.c
@@ -55,10 +55,18 @@ char *trust_pw_new_value(TALLOC_CTX *mem_ctx,
 			 int security)
 {
 	/*
-	 * use secure defaults.
+	 * use secure defaults, which match
+	 * what windows uses for computer passwords.
+	 *
+	 * We used to have min=128 and max=255 here, but
+	 * it's a bad idea because of bugs in the Windows
+	 * RODC/RWDC PasswordUpdateForward handling via
+	 * NetrLogonSendToSam.
+	 *
+	 * See https://bugzilla.samba.org/show_bug.cgi?id=14984
 	 */
-	size_t min = 128;
-	size_t max = 255;
+	size_t min = 120;
+	size_t max = 120;
 
 	switch (sec_channel_type) {
 	case SEC_CHAN_WKSTA:
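Review bot: with `min` and `max` both set to 120 the range pair only adds noise unless the `switch (sec_channel_type)` that follows still adjusts them for other channel types; if it does, the comment should say that the 120 default applies to computer accounts only, and if it does not, a single `size_t len = 120;` would be clearer. The comment would also benefit from stating the unit, since the commit message of 609ca657 gives the Windows value as 120 UTF-16 characters, and a reader of this C code otherwise cannot tell whether 120 counts bytes, UTF-8 code units or UTF-16 code units.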
diff --git a/source4/auth/ntlm/auth_simple.c b/source4/auth/ntlm/auth_simple.c
index 8301aec519c..b2e76381395 100644
--- a/source4/auth/ntlm/auth_simple.c
+++ b/source4/auth/ntlm/auth_simple.c
@@ -88,9 +88,9 @@ _PUBLIC_ struct tevent_req *authenticate_ldap_simple_bind_send(TALLOC_CTX *mem_c
 	user_info->service_description = "LDAP";
 
 	if (using_tls) {
-		user_info->auth_description = "simple bind";
-	} else {
 		user_info->auth_description = "simple bind/TLS";
+	} else {
+		user_info->auth_description = "simple bind";
 	}
 
 	user_info->password_state = AUTH_PASSWORD_PLAIN;
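Review bot: the fix itself is right (the two branch bodies were swapped, so `using_tls` produced "simple bind" and plaintext produced "simple bind/TLS"), but since these strings feed the authentication audit log, the swap had security-relevant consequences: logs from the affected versions record the opposite of the real transport state. The commit message should say so explicitly, and ideally name the release range affected since 366f8cf0, so that anyone triaging historical auth logs from those builds knows the `authDescription` field cannot be trusted to tell TLS from plaintext binds.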
diff --git a/source4/libnet/libnet_vampire.c b/source4/libnet/libnet_vampire.c
index a0de1b7d3e0..3f07b3f20d6 100644
--- a/source4/libnet/libnet_vampire.c
+++ b/source4/libnet/libnet_vampire.c
@@ -164,7 +164,7 @@ NTSTATUS libnet_vampire_cb_prepare_db(void *private_data,
 	settings.realm = s->realm;
 	settings.domain = s->domain_name;
 	settings.server_dn_str = p->dest_dsa->server_dn_str;
-	settings.machine_password = generate_random_machine_password(s, 128, 255);
+	settings.machine_password = generate_random_machine_password(s, 120, 120);
 	settings.targetdir = s->targetdir;
 	settings.use_ntvfs = true;
 	status = provision_bare(s, s->lp_ctx, &settings, &result);
diff --git a/source4/scripting/bin/renamedc b/source4/scripting/bin/renamedc
index 6a9bd1c82bd..ef3aa75db76 100755
--- a/source4/scripting/bin/renamedc
+++ b/source4/scripting/bin/renamedc
@@ -95,7 +95,7 @@ if __name__ == '__main__':
 
     # Then change password and samaccountname and dnshostname
     msg = ldb.Message(newdn)
-    machinepass = samba.generate_random_machine_password(128, 255)
+    machinepass = samba.generate_random_machine_password(120, 120)
     mputf16 = machinepass.encode('utf-16-le')
 
     account = "%s$" % opts.newname.upper()


-- 
Samba Shared Repository
