[SCM] Samba Shared Repository - branch master updated

Stefan Metzmacher metze at samba.org
Mon Oct 16 15:39:02 UTC 2023


The branch, master has been updated
       via  bf79979f847 s4:kdc: fix user2user tgs-requests for normal user accounts
       via  cbb8145d0c5 third_party/heimdal kdc: introduce HDB_F_USER2USER_PRINCIPAL (import lorikeet-heimdal-202310152331 (commit a571340c9e1b75d4f5d96f08fcf9fd660d3ba3d4))
       via  c99fe118fdf tests/krb5/kdc_tgs_tests: add user2user tests using a normal user account
       via  97e4aab1a6e CVE-2018-14628: python:descriptor: let samba-tool dbcheck fix the nTSecurityDescriptor on CN=Deleted Objects containers
       via  70586061128 CVE-2018-14628: dbchecker: use get_deletedobjects_descriptor for missing deleted objects container
       via  498542be0bb CVE-2018-14628: s4:dsdb: remove unused code in dirsync_filter_entry()
       via  7f8b15faa76 CVE-2018-14628: s4:setup: set the correct nTSecurityDescriptor on the CN=Deleted Objects container
       via  0c329a0fda3 CVE-2018-14628: python:provision: make DELETEDOBJECTS_DESCRIPTOR available in the ldif files
       via  3be190dcf71 CVE-2018-14628: python:descriptor: add get_deletedobjects_descriptor()
      from  6e862bd3690 s4/torture: fix exit status of raw.bench-lookup

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit bf79979f847de36db9da9646a396cdfe6b0e1c6f
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Oct 11 15:58:22 2023 +0200

    s4:kdc: fix user2user tgs-requests for normal user accounts
    
    User2User tgs requests use the session key of the additional
    ticket instead of the long term keys based on the password.
    
    In addition User2User also asserts that client and server
    are the same account (checked based on the sid).
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15492
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
    Autobuild-Date(master): Mon Oct 16 15:38:12 UTC 2023 on atb-devel-224

commit cbb8145d0c58b34b76a579afd81f0e19ec7106b6
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Oct 16 12:33:15 2023 +1300

    third_party/heimdal kdc: introduce HDB_F_USER2USER_PRINCIPAL (import lorikeet-heimdal-202310152331 (commit a571340c9e1b75d4f5d96f08fcf9fd660d3ba3d4))
    
    This allows HDB backends to do special handling for
    User2User TGS-REQs. The main reason is to let
    the HDB_F_GET_SERVER lookup to succeed even for
    non-computer accounts. In Samba these are typically
    not returned in HDB_F_GET_SERVER in order to avoid
    generating tickets with the user password.
    
    But for User2User the account password is not used,
    so it is safe to return the server entry.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15492
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    [abartlet at samba.org Adapted to be an import from lorikeet-heimdal as requested]

commit c99fe118fdf11c641d74a51d33b52ac411db95f5
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Oct 11 15:54:15 2023 +0200

    tests/krb5/kdc_tgs_tests: add user2user tests using a normal user account
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15492
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 97e4aab1a6e2feda7c6c6fdeaa7c3e1818c55566
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Jan 29 23:35:31 2016 +0100

    CVE-2018-14628: python:descriptor: let samba-tool dbcheck fix the nTSecurityDescriptor on CN=Deleted Objects containers
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 70586061128f90afa33f25e104d4570a1cf778db
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Jun 7 18:18:58 2023 +0200

    CVE-2018-14628: dbchecker: use get_deletedobjects_descriptor for missing deleted objects container
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 498542be0bbf4f26558573c1f87b77b8e3509371
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Jun 26 15:14:24 2023 +0200

    CVE-2018-14628: s4:dsdb: remove unused code in dirsync_filter_entry()
    
    This makes the next change easier to understand.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 7f8b15faa76d05023c987fac2c4c31f9ac61bb47
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Jan 29 23:34:15 2016 +0100

    CVE-2018-14628: s4:setup: set the correct nTSecurityDescriptor on the CN=Deleted Objects container
    
    This revealed a bug in our dirsync code, so we mark
    test_search_with_dirsync_deleted_objects as knownfail.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 0c329a0fda37d87ed737e4b579b6d04ec907604c
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Jan 29 23:33:37 2016 +0100

    CVE-2018-14628: python:provision: make DELETEDOBJECTS_DESCRIPTOR available in the ldif files
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 3be190dcf7153e479383f7f3d29ddca43fe121b8
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Jan 29 23:30:59 2016 +0100

    CVE-2018-14628: python:descriptor: add get_deletedobjects_descriptor()
    
    samba-tool drs clone-dc-database was quite useful to find
    the true value of nTSecurityDescriptor of the CN=Delete Objects
    containers.
    
    Only the auto inherited SACL is available via a ldap search.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
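Added example, not part of the Samba patch or project code: a small textual model of the `get_diff_sds(..., ignoreAdditionalACEs=...)` check that the patch below adds to `samba-tool dbcheck`, run against the CN=Deleted Objects SDDL from `get_deletedobjects_descriptor()`. It compares SDDL strings rather than binary descriptors, tolerates additional ACEs per ACL part instead of returning early (so a missing SACL ACE is still reported), and the extra ACEs and SACL entries in the demo are constructed.

```python
import re

# Reference SDDL copied from the patch's get_deletedobjects_descriptor();
# the real code converts it with sddl2binary(), this example stays textual.
DELETED_OBJECTS_SDDL = ("O:SYG:SYD:PAI"
                        "(A;;RPWPCCDCLCRCWOWDSDSW;;;SY)"
                        "(A;;RPLC;;;BA)")

_PART_RE = re.compile(r"(O:|G:|D:|S:)")
_ACE_RE = re.compile(r"\(([^)]*)\)")


def split_sddl(sddl):
    """Split SDDL text into owner, group, dacl and sacl.

    ACL parts become (flags, set_of_ace_strings), where each ACE string is
    the text between its parentheses, so set arithmetic finds added or
    missing ACEs regardless of their order.
    """
    tokens = _PART_RE.split(sddl)  # ['', 'O:', 'SY', 'G:', 'SY', 'D:', 'PAI(...)']
    raw = {"O:": "", "G:": "", "D:": "", "S:": ""}
    for key, value in zip(tokens[1::2], tokens[2::2]):
        raw[key] = value
    parts = {"owner": raw["O:"], "group": raw["G:"]}
    for name, key in (("dacl", "D:"), ("sacl", "S:")):
        parts[name] = (_ACE_RE.sub("", raw[key]), set(_ACE_RE.findall(raw[key])))
    return parts


def diff_sds(refsd, cursd, check_sacl=True, ignore_additional_aces=False):
    """Return "" when cursd matches refsd, else a textual report.

    With ignore_additional_aces=True, ACEs that exist only in the current
    descriptor are tolerated (what the patch does for CN=Deleted Objects
    when --reset-well-known-acls is not given), but ACEs missing from it
    are still an error, and later parts are still compared.
    """
    ref, cur = split_sddl(refsd), split_sddl(cursd)
    txt = ""
    for part in ("owner", "group"):
        if ref[part] != cur[part]:
            txt += "\tPart %s differs: reference %r, current %r\n" % (
                part, ref[part], cur[part])
    for part in (("dacl", "sacl") if check_sacl else ("dacl",)):
        ref_flags, ref_aces = ref[part]
        cur_flags, cur_aces = cur[part]
        if ref_flags != cur_flags:
            txt += "\tPart %s flags differ: reference %r, current %r\n" % (
                part, ref_flags, cur_flags)
        only_cur = cur_aces - ref_aces  # h_cur in the patch: additional ACEs
        only_ref = ref_aces - cur_aces  # h_ref in the patch: missing ACEs
        if ignore_additional_aces and not only_ref:
            continue  # extras alone are fine; keep checking the next part
        if only_cur or only_ref:
            txt += "\tPart %s is different between reference and current:\n" % part
            for ace in sorted(only_ref):
                txt += "\t\tmissing in current: (%s)\n" % ace
            for ace in sorted(only_cur):
                txt += "\t\tadditional in current: (%s)\n" % ace
    return txt


if __name__ == "__main__":
    # Constructed current descriptor: the reference plus one extra ACE for
    # Authenticated Users, as an admin might have added by hand.
    current = DELETED_OBJECTS_SDDL + "(A;;RPLC;;;AU)"
    print("strict:  %r" % diff_sds(DELETED_OBJECTS_SDDL, current))
    print("lenient: %r" % diff_sds(DELETED_OBJECTS_SDDL, current,
                                   ignore_additional_aces=True))
```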

-----------------------------------------------------------------------

Summary of changes:
 python/samba/dbchecker.py                          | 27 +++++++++--
 python/samba/descriptor.py                         | 25 +++++++++-
 python/samba/provision/__init__.py                 |  5 ++
 python/samba/provision/sambadns.py                 |  4 ++
 python/samba/tests/krb5/kdc_tgs_tests.py           | 36 +++++++++++++++
 selftest/knownfail.d/samba4.ldap.confidential_attr |  1 +
 selftest/knownfail_mit_kdc                         |  1 +
 source4/dsdb/samdb/ldb_modules/dirsync.c           | 53 ++--------------------
 source4/kdc/db-glue.c                              | 30 ++++++++++--
 source4/kdc/sdb.h                                  |  4 +-
 ...eck-link-output-missing-link-sid-corruption.txt |  8 ++--
 .../expected-links-after-dbcheck.ldif              |  2 +-
 .../release-4-5-0-pre1/rootdse-version.final.txt   |  2 +-
 source4/setup/provision.ldif                       |  1 +
 source4/setup/provision_configuration.ldif         |  1 +
 source4/setup/provision_dnszones_add.ldif          |  1 +
 testprogs/blackbox/dbcheck-links.sh                | 12 +++++
 third_party/heimdal/kdc/krb5tgs.c                  |  7 ++-
 third_party/heimdal/lib/hdb/hdb.h                  |  1 +
 19 files changed, 156 insertions(+), 65 deletions(-)
 create mode 100644 selftest/knownfail.d/samba4.ldap.confidential_attr


Changeset truncated at 500 lines:

diff --git a/python/samba/dbchecker.py b/python/samba/dbchecker.py
index 84513694fab..48669b5c521 100644
--- a/python/samba/dbchecker.py
+++ b/python/samba/dbchecker.py
@@ -20,7 +20,7 @@
 import ldb
 import samba
 import time
-from base64 import b64decode
+from base64 import b64decode, b64encode
 from samba import dsdb
 from samba import common
 from samba.dcerpc import misc
@@ -29,7 +29,11 @@ from samba.ndr import ndr_unpack, ndr_pack
 from samba.dcerpc import drsblobs
 from samba.samdb import dsdb_Dn
 from samba.dcerpc import security
-from samba.descriptor import get_wellknown_sds, get_diff_sds
+from samba.descriptor import (
+        get_wellknown_sds,
+        get_deletedobjects_descriptor,
+        get_diff_sds
+)
 from samba.auth import system_session, admin_session
 from samba.netcmd import CommandError
 from samba.netcmd.fsmo import get_fsmo_roleowner
@@ -351,6 +355,12 @@ class dbcheck(object):
                 listwko.append('%s:%s' % (wko_prefix, dn))
                 guid_suffix = ""
 
+
+            domain_sid = security.dom_sid(self.samdb.get_domain_sid())
+            sec_desc = get_deletedobjects_descriptor(domain_sid,
+                                                     name_map=self.name_map)
+            sec_desc_b64 = b64encode(sec_desc).decode('utf8')
+
             # Insert a brand new Deleted Objects container
             self.samdb.add_ldif("""dn: %s
 objectClass: top
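Review bot: the new block starts with a second blank line directly under the existing one, leaving two consecutive blank lines inside the method; drop one. Computing `sec_desc_b64` here, before the LDIF add that now references it, is otherwise the right place.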
@@ -359,7 +369,8 @@ description: Container for deleted objects
 isDeleted: TRUE
 isCriticalSystemObject: TRUE
 showInAdvancedViewOnly: TRUE
-systemFlags: -1946157056%s""" % (dn, guid_suffix),
+nTSecurityDescriptor:: %s
+systemFlags: -1946157056%s""" % (dn, sec_desc_b64, guid_suffix),
                                 controls=["relax:0", "provision:0"])
 
             delta = ldb.Message()
@@ -2458,7 +2469,7 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), str(to_base)))
                     error_count += 1
                     continue
 
-                if self.reset_well_known_acls:
+                if dn == deleted_objects_dn or self.reset_well_known_acls:
                     try:
                         well_known_sd = self.get_wellknown_sd(dn)
                     except KeyError:
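Review bot: `deleted_objects_dn` is not defined in any visible hunk; confirm it is assigned earlier in this method and is an `ldb.Dn` rather than a `str`, otherwise `dn == deleted_objects_dn` is a case- and whitespace-sensitive string compare and the Deleted Objects container would silently stay on the old `reset_well_known_acls`-only path.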
@@ -2467,7 +2478,13 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), str(to_base)))
                     current_sd = ndr_unpack(security.descriptor,
                                             obj[attrname][0])
 
-                    diff = get_diff_sds(well_known_sd, current_sd, security.dom_sid(self.samdb.get_domain_sid()))
+                    ignoreAdditionalACEs = False
+                    if not self.reset_well_known_acls:
+                        ignoreAdditionalACEs = True
+
+                    diff = get_diff_sds(well_known_sd, current_sd,
+                                        security.dom_sid(self.samdb.get_domain_sid()),
+                                        ignoreAdditionalACEs=ignoreAdditionalACEs)
                     if diff != "":
                         self.err_wrong_default_sd(dn, well_known_sd, diff)
                         error_count += 1
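Review bot: the four-line setup reduces to `ignoreAdditionalACEs = not self.reset_well_known_acls`; a one-line comment on the intent would help more than the extra lines: without --reset-well-known-acls, dbcheck treats only missing ACEs on CN=Deleted Objects as an error, while ACEs an admin added on top are tolerated.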
diff --git a/python/samba/descriptor.py b/python/samba/descriptor.py
index f0568dd9e8e..362510c8c64 100644
--- a/python/samba/descriptor.py
+++ b/python/samba/descriptor.py
@@ -55,6 +55,16 @@ def get_empty_descriptor(domain_sid, name_map=None):
 # "get_schema_descriptor" is located in "schema.py"
 
 
+def get_deletedobjects_descriptor(domain_sid, name_map=None):
+    if name_map is None:
+        name_map = {}
+
+    sddl = "O:SYG:SYD:PAI" \
+        "(A;;RPWPCCDCLCRCWOWDSDSW;;;SY)" \
+        "(A;;RPLC;;;BA)"
+    return sddl2binary(sddl, domain_sid, name_map)
+
+
 def get_config_descriptor(domain_sid, name_map=None):
     if name_map is None:
         name_map = {}
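Review bot: a short comment or docstring on `get_deletedobjects_descriptor()` would help future readers: the SDDL deliberately has a protected, auto-inherited DACL (`D:PAI`) granting SYSTEM broad rights (`RPWPCCDCLCRCWOWDSDSW`) and Builtin Administrators only read/list (`RPLC`), and no SACL, which the commit message says was taken from a cloned Windows database because an LDAP search only shows the auto-inherited SACL.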
@@ -485,6 +495,7 @@ def get_wellknown_sds(samdb):
     # Then subcontainers
     subcontainers = [
         (ldb.Dn(samdb, "%s" % str(samdb.domain_dn())), get_domain_descriptor),
+        (ldb.Dn(samdb, "CN=Deleted Objects,%s" % str(samdb.domain_dn())), get_deletedobjects_descriptor),
         (ldb.Dn(samdb, "CN=LostAndFound,%s" % str(samdb.domain_dn())), get_domain_delete_protected2_descriptor),
         (ldb.Dn(samdb, "CN=System,%s" % str(samdb.domain_dn())), get_domain_delete_protected1_descriptor),
         (ldb.Dn(samdb, "CN=Infrastructure,%s" % str(samdb.domain_dn())), get_domain_infrastructure_descriptor),
@@ -495,6 +506,7 @@ def get_wellknown_sds(samdb):
         (ldb.Dn(samdb, "CN=MicrosoftDNS,CN=System,%s" % str(samdb.domain_dn())), get_dns_domain_microsoft_dns_descriptor),
 
         (ldb.Dn(samdb, "%s" % str(samdb.get_config_basedn())), get_config_descriptor),
+        (ldb.Dn(samdb, "CN=Deleted Objects,%s" % str(samdb.get_config_basedn())), get_deletedobjects_descriptor),
         (ldb.Dn(samdb, "CN=NTDS Quotas,%s" % str(samdb.get_config_basedn())), get_config_ntds_quotas_descriptor),
         (ldb.Dn(samdb, "CN=LostAndFoundConfig,%s" % str(samdb.get_config_basedn())), get_config_delete_protected1wd_descriptor),
         (ldb.Dn(samdb, "CN=Services,%s" % str(samdb.get_config_basedn())), get_config_delete_protected1_descriptor),
@@ -519,6 +531,9 @@ def get_wellknown_sds(samdb):
         if ldb.Dn(samdb, nc.decode('utf8')) == dnsforestdn:
             c = (ldb.Dn(samdb, "%s" % str(dnsforestdn)), get_dns_partition_descriptor)
             subcontainers.append(c)
+            c = (ldb.Dn(samdb, "CN=Deleted Objects,%s" % str(dnsforestdn)),
+                 get_deletedobjects_descriptor)
+            subcontainers.append(c)
             c = (ldb.Dn(samdb, "CN=Infrastructure,%s" % str(dnsforestdn)),
                  get_domain_delete_protected1_descriptor)
             subcontainers.append(c)
@@ -534,6 +549,9 @@ def get_wellknown_sds(samdb):
         if ldb.Dn(samdb, nc.decode('utf8')) == dnsdomaindn:
             c = (ldb.Dn(samdb, "%s" % str(dnsdomaindn)), get_dns_partition_descriptor)
             subcontainers.append(c)
+            c = (ldb.Dn(samdb, "CN=Deleted Objects,%s" % str(dnsdomaindn)),
+                 get_deletedobjects_descriptor)
+            subcontainers.append(c)
             c = (ldb.Dn(samdb, "CN=Infrastructure,%s" % str(dnsdomaindn)),
                  get_domain_delete_protected1_descriptor)
             subcontainers.append(c)
@@ -626,7 +644,8 @@ def get_clean_sd(sd):
     return sd_clean
 
 
-def get_diff_sds(refsd, cursd, domainsid, checkSacl=True):
+def get_diff_sds(refsd, cursd, domainsid, checkSacl=True,
+                 ignoreAdditionalACEs=False):
     """Get the difference between 2 sd
 
     This function split the textual representation of ACL into smaller
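Review bot: the docstring should document the new `ignoreAdditionalACEs` parameter (it only suppresses ACEs present in `cursd` but absent from `refsd`; missing ACEs are still reported). While here, "This function split" should read "This function splits".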
@@ -681,6 +700,10 @@ def get_diff_sds(refsd, cursd, domainsid, checkSacl=True):
                     h_ref.remove(k)
 
             if len(h_cur) + len(h_ref) > 0:
+                if txt == "" and len(h_ref) == 0:
+                    if ignoreAdditionalACEs:
+                        return ""
+
                 txt = "%s\tPart %s is different between reference" \
                       " and current here is the detail:\n" % (txt, part)
 
diff --git a/python/samba/provision/__init__.py b/python/samba/provision/__init__.py
index 461219d63aa..f87bb1c82bd 100644
--- a/python/samba/provision/__init__.py
+++ b/python/samba/provision/__init__.py
@@ -81,6 +81,7 @@ from samba.provision.backend import (
     LDBBackend,
 )
 from samba.descriptor import (
+    get_deletedobjects_descriptor,
     get_config_descriptor,
     get_config_partitions_descriptor,
     get_config_sites_descriptor,
@@ -1450,6 +1451,8 @@ def fill_samdb(samdb, lp, names, logger, policyguid,
     msg["subRefs"] = ldb.MessageElement(names.configdn, ldb.FLAG_MOD_ADD,
                                         "subRefs")
 
+    deletedobjects_descr = b64encode(get_deletedobjects_descriptor(names.domainsid)).decode('utf8')
+
     samdb.invocation_id = invocationid
 
     # If we are setting up a subdomain, then this has been replicated in, so we don't need to add it
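Review bot: `deletedobjects_descr` is computed between the `subRefs` message and `samdb.invocation_id`, away from where `ntdsquotas_descr` and the other descriptors substituted below are built; moving it next to them keeps the descriptor setup in one place.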
@@ -1481,6 +1484,7 @@ def fill_samdb(samdb, lp, names, logger, policyguid,
                 "FOREST_FUNCTIONALITY": str(forestFunctionality),
                 "DOMAIN_FUNCTIONALITY": str(domainFunctionality),
                 "NTDSQUOTAS_DESCRIPTOR": ntdsquotas_descr,
+                "DELETEDOBJECTS_DESCRIPTOR": deletedobjects_descr,
                 "LOSTANDFOUND_DESCRIPTOR": protected1wd_descr,
                 "SERVICES_DESCRIPTOR": protected1_descr,
                 "PHYSICALLOCATIONS_DESCRIPTOR": protected1wd_descr,
@@ -1545,6 +1549,7 @@ def fill_samdb(samdb, lp, names, logger, policyguid,
         "RIDAVAILABLESTART": str(next_rid + 600),
         "POLICYGUID_DC": policyguid_dc,
         "INFRASTRUCTURE_DESCRIPTOR": infrastructure_desc,
+        "DELETEDOBJECTS_DESCRIPTOR": deletedobjects_descr,
         "LOSTANDFOUND_DESCRIPTOR": lostandfound_desc,
         "SYSTEM_DESCRIPTOR": system_desc,
         "BUILTIN_DESCRIPTOR": builtin_desc,
diff --git a/python/samba/provision/sambadns.py b/python/samba/provision/sambadns.py
index 9c37876671f..78fa8976da8 100644
--- a/python/samba/provision/sambadns.py
+++ b/python/samba/provision/sambadns.py
@@ -40,6 +40,7 @@ from samba.dsdb import (
     DS_GUID_USERS_CONTAINER
 )
 from samba.descriptor import (
+    get_deletedobjects_descriptor,
     get_domain_descriptor,
     get_domain_delete_protected1_descriptor,
     get_domain_delete_protected2_descriptor,
@@ -252,6 +253,7 @@ def setup_dns_partitions(samdb, domainsid, domaindn, forestdn, configdn,
     domainzone_dn = "DC=DomainDnsZones,%s" % domaindn
     forestzone_dn = "DC=ForestDnsZones,%s" % forestdn
     descriptor = get_dns_partition_descriptor(domainsid)
+    deletedobjects_desc = get_deletedobjects_descriptor(domainsid)
 
     setup_add_ldif(samdb, setup_path("provision_dnszones_partitions.ldif"), {
         "ZONE_DN": domainzone_dn,
@@ -274,6 +276,7 @@ def setup_dns_partitions(samdb, domainsid, domaindn, forestdn, configdn,
         "ZONE_DNS": domainzone_dns,
         "CONFIGDN": configdn,
         "SERVERDN": serverdn,
+        "DELETEDOBJECTS_DESCRIPTOR": b64encode(deletedobjects_desc).decode('utf8'),
         "LOSTANDFOUND_DESCRIPTOR": b64encode(protected2_desc).decode('utf8'),
         "INFRASTRUCTURE_DESCRIPTOR": b64encode(protected1_desc).decode('utf8'),
     })
@@ -293,6 +296,7 @@ def setup_dns_partitions(samdb, domainsid, domaindn, forestdn, configdn,
             "ZONE_DNS": forestzone_dns,
             "CONFIGDN": configdn,
             "SERVERDN": serverdn,
+            "DELETEDOBJECTS_DESCRIPTOR": b64encode(deletedobjects_desc).decode('utf8'),
             "LOSTANDFOUND_DESCRIPTOR": b64encode(protected2_desc).decode('utf8'),
             "INFRASTRUCTURE_DESCRIPTOR": b64encode(protected1_desc).decode('utf8'),
         })
diff --git a/python/samba/tests/krb5/kdc_tgs_tests.py b/python/samba/tests/krb5/kdc_tgs_tests.py
index 7dccdf2479f..f6d8921635a 100755
--- a/python/samba/tests/krb5/kdc_tgs_tests.py
+++ b/python/samba/tests/krb5/kdc_tgs_tests.py
@@ -1076,6 +1076,29 @@ class KdcTgsTests(KdcTgsBaseTests):
         tgt = self._get_tgt(creds)
         self._user2user(tgt, creds, expected_error=0)
 
+    def test_user2user_user_self_req(self):
+        creds = self._get_user_creds()
+        tgt = self._get_tgt(creds)
+        username = creds.get_username()
+        sname = self.PrincipalName_create(
+                        name_type=NT_PRINCIPAL,
+                        names=[username])
+        self._user2user(tgt, creds, sname=sname, user_tgt=tgt, user_creds=creds, expected_error=0)
+
+    def test_user2user_computer_self_princ1_req(self):
+        creds = self._get_creds()
+        tgt = self._get_tgt(creds)
+        username = creds.get_username()
+        sname = self.PrincipalName_create(
+                        name_type=NT_PRINCIPAL,
+                        names=[username])
+        self._user2user(tgt, creds, sname=sname, user_tgt=tgt, user_creds=creds, expected_error=0)
+
+    def test_user2user_computer_self_princ2_req(self):
+        creds = self._get_creds()
+        tgt = self._get_tgt(creds)
+        self._user2user(tgt, creds, user_tgt=tgt, user_creds=creds, expected_error=0)
+
     def test_fast_req(self):
         creds = self._get_creds()
         tgt = self._get_tgt(creds)
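Review bot: the `name_type=`/`names=` continuation lines in `test_user2user_user_self_req` and `test_user2user_computer_self_princ1_req` are indented far deeper than the surrounding style; align them under the opening parenthesis. The three cases (user self, computer self with an explicit principal name, computer self with the default sname) are good coverage for the `!user2user` change in db-glue.c.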
@@ -3114,6 +3137,19 @@ class KdcTgsTests(KdcTgsBaseTests):
                 'id': 2
             })
 
+    def _get_user_creds(self,
+                   replication_allowed=False,
+                   replication_denied=False,
+                   revealed_to_rodc=False):
+        return self.get_cached_creds(
+            account_type=self.AccountType.USER,
+            opts={
+                'allowed_replication_mock': replication_allowed,
+                'denied_replication_mock': replication_denied,
+                'revealed_to_mock_rodc': revealed_to_rodc,
+                'id': 3
+            })
+
     def _get_non_existent_rid(self):
         return (1 << 30) - 1
 
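Review bot: the keyword-argument continuation lines of `_get_user_creds()` are under-indented relative to the opening parenthesis; align them with the other helper's signature. The distinct `'id': 3` is needed so the cached user account does not collide with the `'id': 2` computer account above.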
diff --git a/selftest/knownfail.d/samba4.ldap.confidential_attr b/selftest/knownfail.d/samba4.ldap.confidential_attr
new file mode 100644
index 00000000000..46a75ce928b
--- /dev/null
+++ b/selftest/knownfail.d/samba4.ldap.confidential_attr
@@ -0,0 +1 @@
+^samba4.ldap.confidential_attr.python.*.__main__.*.test_search_with_dirsync_deleted_objects
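Review bot: this knownfail entry has no pointer to the bug it masks. The commit message for 7f8b15faa76 says the corrected descriptor revealed a dirsync bug, so a `#` comment line with the corresponding bugzilla number (or the one above, if it is tracked there) would tell the next reader when it can be removed.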
diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc
index 22cc6f4358d..c89feb1dbb1 100644
--- a/selftest/knownfail_mit_kdc
+++ b/selftest/knownfail_mit_kdc
@@ -411,6 +411,7 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_sid_mismatch_existing
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_sid_mismatch_nonexisting
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_tgt_cname_host
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_user_self_req
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_wrong_sname
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_wrong_sname_krbtgt
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_wrong_srealm
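Review bot: only `test_user2user_user_self_req` is added to the MIT KDC knownfail list, so the two computer-self tests are expected to pass there already; the reason the MIT KDC fails the plain-user case is not stated anywhere in the series, and the commit message for c99fe118fdf should say so.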
diff --git a/source4/dsdb/samdb/ldb_modules/dirsync.c b/source4/dsdb/samdb/ldb_modules/dirsync.c
index 61b5bf6ec6a..ac16e96f169 100644
--- a/source4/dsdb/samdb/ldb_modules/dirsync.c
+++ b/source4/dsdb/samdb/ldb_modules/dirsync.c
@@ -151,10 +151,6 @@ static int dirsync_filter_entry(struct ldb_request *req,
 	 * list only the attribute that have been modified since last interrogation
 	 *
 	 */
-	newmsg = ldb_msg_new(dsc->req);
-	if (newmsg == NULL) {
-		return ldb_oom(ldb);
-	}
 	for (i = msg->num_elements - 1; i >= 0; i--) {
 		if (ldb_attr_cmp(msg->elements[i].name, "uSNChanged") == 0) {
 			int error = 0;
@@ -201,11 +197,6 @@ static int dirsync_filter_entry(struct ldb_request *req,
 			 */
 			return LDB_SUCCESS;
 		}
-		newmsg->dn = ldb_dn_new(newmsg, ldb, "");
-		if (newmsg->dn == NULL) {
-			return ldb_oom(ldb);
-		}
-
 		el = ldb_msg_find_element(msg, "objectGUID");
 		if ( el != NULL) {
 			guidfound = true;
@@ -216,48 +207,14 @@ static int dirsync_filter_entry(struct ldb_request *req,
 		 * we will uncomment the code below
 		 */
 		SMB_ASSERT(guidfound == true);
-		/*
-		if (guidfound == false) {
-			struct GUID guid;
-			struct ldb_val *new_val;
-			DATA_BLOB guid_blob;
-
-			tmp[0] = '\0';
-			txt = strrchr(txt, ':');
-			if (txt == NULL) {
-				return ldb_module_done(dsc->req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR);
-			}
-			txt++;
-
-			status = GUID_from_string(txt, &guid);
-			if (!NT_STATUS_IS_OK(status)) {
-				return ldb_module_done(dsc->req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR);
-			}
-
-			status = GUID_to_ndr_blob(&guid, msg, &guid_blob);
-			if (!NT_STATUS_IS_OK(status)) {
-				return ldb_module_done(dsc->req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR);
-			}
-
-			new_val = talloc(msg, struct ldb_val);
-			if (new_val == NULL) {
-				return ldb_oom(ldb);
-			}
-			new_val->data = talloc_steal(new_val, guid_blob.data);
-			new_val->length = guid_blob.length;
-			if (ldb_msg_add_value(msg, "objectGUID", new_val, NULL) != 0) {
-				return ldb_module_done(dsc->req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR);
-			}
-		}
-		*/
-		ldb_msg_add(newmsg, el, LDB_FLAG_MOD_ADD);
-		talloc_steal(newmsg->elements, el->name);
-		talloc_steal(newmsg->elements, el->values);
-
-		talloc_steal(newmsg->elements, msg);
 		return ldb_module_send_entry(dsc->req, msg, controls);
 	}
 
+	newmsg = ldb_msg_new(dsc->req);
+	if (newmsg == NULL) {
+		return ldb_oom(ldb);
+	}
+
 	ndr_err = ndr_pull_struct_blob(replMetaData, dsc, &rmd,
 		(ndr_pull_flags_fn_t)ndr_pull_replPropertyMetaDataBlob);
 	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
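Review bot: the commit message says "remove unused code", but the early-return path also loses the `talloc_steal(newmsg->elements, msg)` and the `ldb_msg_add(newmsg, el, ...)` that preceded `ldb_module_send_entry(dsc->req, msg, controls)`; the result was indeed never used, but the commit message should state that `msg` keeps its original parent and outlives the send. Moving `ldb_msg_new()` below the early return is a nice side effect: `newmsg` is no longer allocated for entries that are sent unchanged.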
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 89de751f616..5da274c2a4a 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -626,6 +626,24 @@ krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
 		}
 	}
 
+	if (flags & SDB_F_USER2USER_PRINCIPAL) {
+		/*
+		 * User2User uses the session key
+		 * from the additional ticket,
+		 * so we just provide random keys
+		 * here in order to make sure
+		 * we never expose the user password
+		 * keys.
+		 */
+		ret = samba_kdc_set_random_keys(context,
+						supported_enctypes,
+						&entry->keys);
+
+		*supported_enctypes_out = supported_enctypes & ENC_ALL_TYPES;
+
+		goto out;
+	}
+
 	if ((ent_type == SAMBA_KDC_ENT_TYPE_CLIENT)
 	    && (userAccountControl & UF_SMARTCARD_REQUIRED)) {
 		ret = samba_kdc_set_random_keys(context,
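Review bot: `ret` from `samba_kdc_set_random_keys()` is not checked before `*supported_enctypes_out` is written and control jumps to `out`; check `ret` first (or `goto out` immediately on error) so a failed key generation cannot leave callers with a populated enctype mask. The approach itself is sound: for a user2user server principal the reply is sealed with the additional ticket's session key, so random keys here guarantee the password-derived keys never reach the ticket.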
@@ -1099,6 +1117,7 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
 	const struct authn_kerberos_client_policy *authn_client_policy = NULL;
 	const struct authn_server_policy *authn_server_policy = NULL;
 	int64_t enforced_tgt_lifetime_raw;
+	const bool user2user = (flags & SDB_F_USER2USER_PRINCIPAL);
 
 	*entry = (struct sdb_entry) {};
 
@@ -1185,12 +1204,17 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
 	 */
 	entry->flags.force_canonicalize = true;
 
-	/* Windows 2008 seems to enforce this (very sensible) rule by
+	/*
+	 * Windows 2008 seems to enforce this (very sensible) rule by
 	 * default - don't allow offline attacks on a user's password
 	 * by asking for a ticket to them as a service (encrypted with
-	 * their probably pathetically insecure password) */
+	 * their probably pathetically insecure password)
+	 *
+	 * But user2user avoids using the keys bases on the password,
+	 * so we can allow it.
+	 */
 
-	if (entry->flags.server
+	if (entry->flags.server && !user2user
 	    && lpcfg_parm_bool(lp_ctx, NULL, "kdc", "require spn for service", true)) {
 		if (!is_computer && !ldb_msg_find_attr_as_string(msg, "servicePrincipalName", NULL)) {
 			entry->flags.server = 0;
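Review bot: typo in the new comment, "keys bases on the password" should be "keys based on the password". The condition change matches the stated intent: with `SDB_F_USER2USER_PRINCIPAL` set, a non-computer account without a servicePrincipalName keeps `flags.server`, which is safe only because `samba_kdc_message2entry_keys()` above replaces its keys with random ones for that flag.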
diff --git a/source4/kdc/sdb.h b/source4/kdc/sdb.h
index e59d22434fd..d2fb67bd9e7 100644
--- a/source4/kdc/sdb.h
+++ b/source4/kdc/sdb.h
@@ -120,6 +120,7 @@ struct sdb_entry {
 #define SDB_F_FOR_AS_REQ	4096	/* fetch is for a AS REQ */
 #define SDB_F_FOR_TGS_REQ	8192	/* fetch is for a TGS REQ */
 #define SDB_F_ARMOR_PRINCIPAL 262144	/* fetch is for the client of an armor ticket */
+#define SDB_F_USER2USER_PRINCIPAL 524288/* fetch is for the server of a user2user tgs-req */
 
 #define SDB_F_HDB_MASK		(SDB_F_DECRYPT | \
 				 SDB_F_GET_CLIENT| \
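Review bot: `524288/* fetch ...` is missing the tab separator the neighbouring defines put before their comment. Since the `SDB_F_HDB_MASK` flags are passed through to HDB, the value must equal `HDB_F_USER2USER_PRINCIPAL` in `third_party/heimdal/lib/hdb/hdb.h`, which is listed in the summary but falls beyond the 500-line truncation of this mail.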
@@ -130,7 +131,8 @@ struct sdb_entry {
 				 SDB_F_KVNO_SPECIFIED | \
 				 SDB_F_FOR_AS_REQ | \
 				 SDB_F_FOR_TGS_REQ | \
-				 SDB_F_ARMOR_PRINCIPAL)
+				 SDB_F_ARMOR_PRINCIPAL| \
+				 SDB_F_USER2USER_PRINCIPAL)
 
 /* This is not supported by HDB */
 #define SDB_F_FORCE_CANON	16384	/* force canonicalization */
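Review bot: `SDB_F_ARMOR_PRINCIPAL| \` lacks the space before `|` that the other lines of the mask use.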
diff --git a/source4/selftest/provisions/release-4-5-0-pre1/expected-dbcheck-link-output-missing-link-sid-corruption.txt b/source4/selftest/provisions/release-4-5-0-pre1/expected-dbcheck-link-output-missing-link-sid-corruption.txt
index 34576157f25..a8b65384910 100644
--- a/source4/selftest/provisions/release-4-5-0-pre1/expected-dbcheck-link-output-missing-link-sid-corruption.txt
+++ b/source4/selftest/provisions/release-4-5-0-pre1/expected-dbcheck-link-output-missing-link-sid-corruption.txt
@@ -1,8 +1,8 @@
-Change DN to <GUID=0da8f25e-d110-11e8-80b7-3c970ec68461>;<RMD_ADDTIME=123456789000000000>;<RMD_CHANGETIME=123456789000000000>;<RMD_FLAGS=1>;<RMD_INVOCID=4e4496a3-7fb8-4f97-8a33-d238db8b5e2d>;<RMD_LOCAL_USN=3769>;<RMD_ORIGINATING_USN=3769>;<RMD_VERSION=2>;<SID=S-1-5-21-4177067393-1453636373-93818738-771>;CN=missingsidu1,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp? [YES]
-Change DN to <GUID=66eb8f52-d110-11e8-ab9b-3c970ec68461>;<RMD_ADDTIME=123456789000000000>;<RMD_CHANGETIME=123456789000000000>;<RMD_FLAGS=0>;<RMD_INVOCID=4e4496a3-7fb8-4f97-8a33-d238db8b5e2d>;<RMD_LOCAL_USN=3768>;<RMD_ORIGINATING_USN=3768>;<RMD_VERSION=1>;<SID=S-1-5-21-4177067393-1453636373-93818738-772>;CN=missingsidu2,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp? [YES]
+Change DN to <GUID=0da8f25e-d110-11e8-80b7-3c970ec68461>;<RMD_ADDTIME=123456789000000000>;<RMD_CHANGETIME=123456789000000000>;<RMD_FLAGS=1>;<RMD_INVOCID=4e4496a3-7fb8-4f97-8a33-d238db8b5e2d>;<RMD_LOCAL_USN=3773>;<RMD_ORIGINATING_USN=3773>;<RMD_VERSION=2>;<SID=S-1-5-21-4177067393-1453636373-93818738-771>;CN=missingsidu1,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp? [YES]
+Change DN to <GUID=66eb8f52-d110-11e8-ab9b-3c970ec68461>;<RMD_ADDTIME=123456789000000000>;<RMD_CHANGETIME=123456789000000000>;<RMD_FLAGS=0>;<RMD_INVOCID=4e4496a3-7fb8-4f97-8a33-d238db8b5e2d>;<RMD_LOCAL_USN=3772>;<RMD_ORIGINATING_USN=3772>;<RMD_VERSION=1>;<SID=S-1-5-21-4177067393-1453636373-93818738-772>;CN=missingsidu2,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp? [YES]
 Checked 231 objects (2 errors)
 Checking 231 objects
-ERROR: missing DN SID component for member in object CN=missingsidg3,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp - <GUID=0da8f25e-d110-11e8-80b7-3c970ec68461>;<RMD_ADDTIME=123456789000000000>;<RMD_CHANGETIME=123456789000000000>;<RMD_FLAGS=1>;<RMD_INVOCID=4e4496a3-7fb8-4f97-8a33-d238db8b5e2d>;<RMD_LOCAL_USN=3769>;<RMD_ORIGINATING_USN=3769>;<RMD_VERSION=2>;CN=missingsidu1,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp
-ERROR: missing DN SID component for member in object CN=missingsidg3,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp - <GUID=66eb8f52-d110-11e8-ab9b-3c970ec68461>;<RMD_ADDTIME=123456789000000000>;<RMD_CHANGETIME=123456789000000000>;<RMD_FLAGS=0>;<RMD_INVOCID=4e4496a3-7fb8-4f97-8a33-d238db8b5e2d>;<RMD_LOCAL_USN=3768>;<RMD_ORIGINATING_USN=3768>;<RMD_VERSION=1>;CN=missingsidu2,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp
+ERROR: missing DN SID component for member in object CN=missingsidg3,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp - <GUID=0da8f25e-d110-11e8-80b7-3c970ec68461>;<RMD_ADDTIME=123456789000000000>;<RMD_CHANGETIME=123456789000000000>;<RMD_FLAGS=1>;<RMD_INVOCID=4e4496a3-7fb8-4f97-8a33-d238db8b5e2d>;<RMD_LOCAL_USN=3773>;<RMD_ORIGINATING_USN=3773>;<RMD_VERSION=2>;CN=missingsidu1,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp
+ERROR: missing DN SID component for member in object CN=missingsidg3,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp - <GUID=66eb8f52-d110-11e8-ab9b-3c970ec68461>;<RMD_ADDTIME=123456789000000000>;<RMD_CHANGETIME=123456789000000000>;<RMD_FLAGS=0>;<RMD_INVOCID=4e4496a3-7fb8-4f97-8a33-d238db8b5e2d>;<RMD_LOCAL_USN=3772>;<RMD_ORIGINATING_USN=3772>;<RMD_VERSION=1>;CN=missingsidu2,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp
 Fixed missing DN SID on attribute member
 Fixed missing DN SID on attribute member
diff --git a/source4/selftest/provisions/release-4-5-0-pre1/expected-links-after-dbcheck.ldif b/source4/selftest/provisions/release-4-5-0-pre1/expected-links-after-dbcheck.ldif
index 9ac86fcf1ee..86ff44ea224 100644
--- a/source4/selftest/provisions/release-4-5-0-pre1/expected-links-after-dbcheck.ldif
+++ b/source4/selftest/provisions/release-4-5-0-pre1/expected-links-after-dbcheck.ldif
@@ -1381,7 +1381,7 @@ uSNChanged: 3597
 dn: CN=Deleted Objects,DC=release-4-5-0-pre1,DC=samba,DC=corp
 objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1,
  DC=samba,DC=corp
-uSNChanged: 3377
+uSNChanged: 3750
 
 # record 215
 dn: CN=ForeignSecurityPrincipals,DC=release-4-5-0-pre1,DC=samba,DC=corp
diff --git a/source4/selftest/provisions/release-4-5-0-pre1/rootdse-version.final.txt b/source4/selftest/provisions/release-4-5-0-pre1/rootdse-version.final.txt
index 0028f9b6e4a..7ed468b6c0c 100644
--- a/source4/selftest/provisions/release-4-5-0-pre1/rootdse-version.final.txt
+++ b/source4/selftest/provisions/release-4-5-0-pre1/rootdse-version.final.txt
@@ -1 +1 @@
-highestCommittedUSN: 3746
+highestCommittedUSN: 3750
diff --git a/source4/setup/provision.ldif b/source4/setup/provision.ldif
index 5d9eba49f86..7f966fd57f8 100644
--- a/source4/setup/provision.ldif
+++ b/source4/setup/provision.ldif
@@ -34,6 +34,7 @@ isDeleted: TRUE


-- 
Samba Shared Repository
