[SCM] Samba Shared Repository - branch master updated
Andrew Bartlett
abartlet at samba.org
Wed Apr 10 00:00:02 UTC 2024
The branch, master has been updated
via dbba6c22a41 auth/credentials: Read managed_password.passwords.query_interval only after parsing
via 811c184bbb3 smbd: Simplify an if-condition
via 51c950c1629 smbd: Save 3 lines
via f573a513415 smbd: Remove an obsolete comment
via 798826d4f1a smbXsrv_session: Remove a "can't happen" NULL check
via 89981987379 smbXsrv_session: Use talloc_tos() for pushing smbXsrv_session_globalB
via 292c2645468 smbXsrv_session: Remove two implicit NULL initializations
via c5f98c0d95c smbXsrv_session: Use struct initialization
via 005ce15aab3 python/samba/tests: Fix gMSA blackbox test to expect failure to get password after membership change
via 50f424e8d35 s3:rpc_server: Implement _lsa_CreateTrustedDomainEx3()
via 8df1728e124 s3:rpc_server: Implement lsa_CreateTrustedDomain_common()
via 3385c2fe44a s3:rpc_server: Implement and use lsa_CreateTrustedDomain_precheck()
via 8f52b649799 s3:rpc_server: Log error in _lsa_CreateTrustedDomainEx2()
via 56e1051ad7e s3:rpc_client: Implement createtrustdomex3 command
via bb4d8de9a80 s3:rpc_client: Implement createtrustdomex2 command
via d078ee6af61 s3:rpc_client: Implement rpc_lsa_encrypt_trustdom_info_aes()
via 97499a47550 s4:torture: Add test for lsa_CreateTrustedDomainEx3
via f390981c1a7 s4:rpc_server: Enable AES in dcesrv_lsa_OpenPolicy3()
via 933ba496073 s4:rpc_server: Implement dcesrv_lsa_CreateTrustedDomainEx3()
via 87595140c34 s4:rpc_server: Implement get_trustdom_auth_blob_aes() for LSA
via 0177cd898ef s4:rpc_server: Use dcesrv_lsa_CreateTrustedDomain_common() in lsa_CreateTrustedDomain
via b957cb34d44 s4:rpc_server: Use dcesrv_lsa_CreateTrustedDomain_common() for lsa_CreateTrustedDomainEx
via 1790828bc5f s4:rpc_server: Use dcesrv_lsa_CreateTrustedDomain_common() for lsa_CreateTrustedDomainEx2
via 6d90397ff28 s4:rpc_server: Implement dcesrv_lsa_CreateTrustedDomain_common()
via dad8c78edc7 s4:rpc_server: Implement dcesrv_lsa_CreateTrustedDomain_precheck()
via 18af510bd50 s4:rpc_server: Use talloc_zero in dcesrv_lsa_CreateTrustedDomain()
via 8b1c0bd718b s4:rpc_server: Fix trailing white spaces in dcesrv_lsa.c
via 354f61d868d s4:torture: Use dcerpc_lsa_OpenPolicy3_r()
via 8e35e5f5675 s4:torture: Use rpc_lsa_encrypt_trustdom_info()
via 05e9cb36b77 s3:rpc_client: Implement rpc_lsa_encrypt_trustdom_info()
via dbe9e9a8393 s4:torture: Use init_lsa_String() from init_lsa.h
via 84d51503630 librpc:rpc: Add dcerpc_lsa.h
via 2d60d1b96aa python: Use OpenPolicyFallback() in trust.py
via 859e7f8c5f1 python: Implement CreateTrustedDomainFallback()
via 812d4e0d6cc python: Add aead_aes_256_cbc_hmac_sha512()
via 23e61d2cebc python: Use secrets.token_bytes instead of random
via decacb0e7e1 python: Set parameter types for CreateTrustedDomainRelax()
via 9e5fc815644 python:tests: Clean lsa_utils.py code according to Python standards
via e32be2ade4f python:tests: Rename createtrustrelax.py to lsa_utils.py
via 00ed209e483 python: Implement OpenPolicyFallback()
via 85d0ab38f7c python:samba: Rename trust_utils.py to lsa_utils.py
via 01940ae7afa buildtools: Fix PYTHONPATH and print it
from be2ade2d88b netcmd: fix broken shell command missing Model
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit dbba6c22a41ab12bd9804f10a878c965100ac7c0
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Apr 9 16:11:16 2024 +1200
auth/credentials: Read managed_password.passwords.query_interval only after parsing
The code previously read the uninitialised stack not the parsed
structure, and so could segfault if the stack was not zero.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Tue Apr 9 23:59:54 UTC 2024 on atb-devel-224
commit 811c184bbb30f8364a6c2f1835732d0c25e1b9c7
Author: Volker Lendecke <vl at samba.org>
Date: Fri Feb 9 12:37:53 2024 +0100
smbd: Simplify an if-condition
current_sid == NULL is true if and only if we could not assign current_sid
because num_sids was too small. Make that more explicit.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 51c950c16297ce45aeec85dff53af04f7f3b620f
Author: Volker Lendecke <vl at samba.org>
Date: Fri Feb 9 12:47:48 2024 +0100
smbd: Save 3 lines
Just cosmetic
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit f573a5134151e029329f19f292e6d6a324e291b8
Author: Volker Lendecke <vl at samba.org>
Date: Thu Feb 8 18:16:39 2024 +0100
smbd: Remove an obsolete comment
This looks like a cut&paste from other smbXsrv files.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 798826d4f1a826086b8bac6568672ad11ceeed9d
Author: Volker Lendecke <vl at samba.org>
Date: Thu Feb 8 12:51:32 2024 +0100
smbXsrv_session: Remove a "can't happen" NULL check
This should really not happen, crashing would be the right
response. Align with fdca0558efa.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 8998198737973252518a4db47c72d5488b81f713
Author: Volker Lendecke <vl at samba.org>
Date: Thu Feb 8 12:47:07 2024 +0100
smbXsrv_session: Use talloc_tos() for pushing smbXsrv_session_globalB
Use the toplevel talloc pool, align with 0c709cb6b70.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 292c2645468b131365414f2ff2bc6daa820d0533
Author: Volker Lendecke <vl at samba.org>
Date: Thu Feb 8 12:23:21 2024 +0100
smbXsrv_session: Remove two implicit NULL initializations
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit c5f98c0d95ca750bf2df879ccc6caea793cd9ade
Author: Volker Lendecke <vl at samba.org>
Date: Thu Feb 8 11:50:42 2024 +0100
smbXsrv_session: Use struct initialization
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 005ce15aab35bb0981e694cc12580cf31b135b0a
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Apr 10 09:53:00 2024 +1200
python/samba/tests: Fix gMSA blackbox test to expect failure to get password after membership change
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 50f424e8d3592f22fd6ab28c63f65f874edde212
Author: Andreas Schneider <asn at samba.org>
Date: Mon Mar 4 16:08:46 2024 +0100
s3:rpc_server: Implement _lsa_CreateTrustedDomainEx3()
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 8df1728e124f0fa0e7d2891f5373d806226a21f3
Author: Andreas Schneider <asn at samba.org>
Date: Thu Feb 29 10:02:16 2024 +0100
s3:rpc_server: Implement lsa_CreateTrustedDomain_common()
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 3385c2fe44a19c621527127722454245ccfe82ca
Author: Andreas Schneider <asn at samba.org>
Date: Fri Jan 5 11:16:58 2024 +0100
s3:rpc_server: Implement and use lsa_CreateTrustedDomain_precheck()
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 8f52b649799196709ee17928ccd4f772c72717f7
Author: Andreas Schneider <asn at samba.org>
Date: Wed Feb 28 14:50:19 2024 +0100
s3:rpc_server: Log error in _lsa_CreateTrustedDomainEx2()
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 56e1051ad7e3be2273ca3e5af5a8ca7836511e26
Author: Andreas Schneider <asn at samba.org>
Date: Thu Feb 29 09:34:10 2024 +0100
s3:rpc_client: Implement createtrustdomex3 command
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit bb4d8de9a800ea76900bbd685a0105f59e872b84
Author: Andreas Schneider <asn at samba.org>
Date: Tue Feb 27 09:08:28 2024 +0100
s3:rpc_client: Implement createtrustdomex2 command
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit d078ee6af61528f509c4242c19b64591fe897549
Author: Andreas Schneider <asn at samba.org>
Date: Tue Feb 27 09:24:52 2024 +0100
s3:rpc_client: Implement rpc_lsa_encrypt_trustdom_info_aes()
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 97499a475501f6bdb78d1c4105cc85fe3c45a1d8
Author: Andreas Schneider <asn at samba.org>
Date: Tue Nov 28 15:46:54 2023 +0100
s4:torture: Add test for lsa_CreateTrustedDomainEx3
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit f390981c1a7c0e6edf74c414209e6b55f810af50
Author: Andreas Schneider <asn at samba.org>
Date: Thu Dec 21 11:51:02 2023 +0100
s4:rpc_server: Enable AES in dcesrv_lsa_OpenPolicy3()
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 933ba496073064e0518a58463d1b3a1d949b7a6b
Author: Andreas Schneider <asn at samba.org>
Date: Thu Dec 21 10:32:45 2023 +0100
s4:rpc_server: Implement dcesrv_lsa_CreateTrustedDomainEx3()
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 87595140c34cc186c930a29ffa4850f688e15a79
Author: Andreas Schneider <asn at samba.org>
Date: Thu Dec 21 10:32:25 2023 +0100
s4:rpc_server: Implement get_trustdom_auth_blob_aes() for LSA
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 0177cd898ef4d30f3accde1516a3a3fac8f21d90
Author: Andreas Schneider <asn at samba.org>
Date: Fri Dec 22 15:07:54 2023 +0100
s4:rpc_server: Use dcesrv_lsa_CreateTrustedDomain_common() in lsa_CreateTrustedDomain
This also removes dcesrv_lsa_CreateTrustedDomain_base() as it is unused with
this commit. We need to do it here or the compiler will complain about an unused
function.
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit b957cb34d4402abe79ed8bb24d82f90151be4317
Author: Andreas Schneider <asn at samba.org>
Date: Fri Dec 22 15:00:20 2023 +0100
s4:rpc_server: Use dcesrv_lsa_CreateTrustedDomain_common() for lsa_CreateTrustedDomainEx
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 1790828bc5fc33ba975b78f5f269c309aa505a2a
Author: Andreas Schneider <asn at samba.org>
Date: Fri Dec 22 14:58:26 2023 +0100
s4:rpc_server: Use dcesrv_lsa_CreateTrustedDomain_common() for lsa_CreateTrustedDomainEx2
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 6d90397ff28a8dc924292f3593d970e7bf5e57ab
Author: Andreas Schneider <asn at samba.org>
Date: Wed Dec 20 18:56:14 2023 +0100
s4:rpc_server: Implement dcesrv_lsa_CreateTrustedDomain_common()
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit dad8c78edc7fa72d379ff640659f35ccc2689614
Author: Andreas Schneider <asn at samba.org>
Date: Fri Dec 15 16:21:32 2023 +0100
s4:rpc_server: Implement dcesrv_lsa_CreateTrustedDomain_precheck()
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 18af510bd50ec2c5c6b47c8ca8b9b9cfde315d63
Author: Andreas Schneider <asn at samba.org>
Date: Thu Dec 21 08:12:22 2023 +0100
s4:rpc_server: Use talloc_zero in dcesrv_lsa_CreateTrustedDomain()
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 8b1c0bd718b511c985e3b31dc5871befa6ad2c05
Author: Andreas Schneider <asn at samba.org>
Date: Fri Dec 15 16:21:15 2023 +0100
s4:rpc_server: Fix trailing white spaces in dcesrv_lsa.c
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 354f61d868db1193fce0516adeaed23dbc49206e
Author: Andreas Schneider <asn at samba.org>
Date: Mon Mar 18 18:45:19 2024 +0100
s4:torture: Use dcerpc_lsa_OpenPolicy3_r()
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 8e35e5f56757f2ece5f5415fad0be56c5bceb941
Author: Andreas Schneider <asn at samba.org>
Date: Tue Feb 27 09:15:01 2024 +0100
s4:torture: Use rpc_lsa_encrypt_trustdom_info()
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 05e9cb36b779bb70a0dbee2a66dfeac9d53f3c6d
Author: Andreas Schneider <asn at samba.org>
Date: Tue Feb 27 09:07:57 2024 +0100
s3:rpc_client: Implement rpc_lsa_encrypt_trustdom_info()
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit dbe9e9a839307c7fd9a270355ab40ca50d615def
Author: Andreas Schneider <asn at samba.org>
Date: Tue Feb 27 09:14:24 2024 +0100
s4:torture: Use init_lsa_String() from init_lsa.h
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 84d5150363014a2f81a5dbc725bccd9107a25bb9
Author: Andreas Schneider <asn at samba.org>
Date: Tue Nov 28 15:30:38 2023 +0100
librpc:rpc: Add dcerpc_lsa.h
This adds AES constants by MS.
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 2d60d1b96aa249c83a0a1169ebc51c91d8520d43
Author: Andreas Schneider <asn at samba.org>
Date: Wed Apr 3 11:26:50 2024 +0200
python: Use OpenPolicyFallback() in trust.py
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 859e7f8c5f1bc65361e3da9dee38db5307a4438f
Author: Andreas Schneider <asn at samba.org>
Date: Wed Apr 3 11:16:19 2024 +0200
python: Implement CreateTrustedDomainFallback()
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 812d4e0d6cc0ce37a423a22483ba963e2540ca4b
Author: Andreas Schneider <asn at samba.org>
Date: Wed Apr 3 11:15:14 2024 +0200
python: Add aead_aes_256_cbc_hmac_sha512()
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 23e61d2cebc999bfdd68628f2140bc81b6633132
Author: Andreas Schneider <asn at samba.org>
Date: Wed Apr 3 10:54:41 2024 +0200
python: Use secrets.token_bytes instead of random
random should not be used to create secure random numbers for tokens.
The secrets module is exactly for this.
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit decacb0e7e11b347b1a3a8172250a51258295b7f
Author: Andreas Schneider <asn at samba.org>
Date: Thu Mar 21 14:45:41 2024 +0100
python: Set parameter types for CreateTrustedDomainRelax()
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 9e5fc815644deec3fa3a8f3653bd0e7632548da2
Author: Andreas Schneider <asn at samba.org>
Date: Thu Mar 21 14:44:21 2024 +0100
python:tests: Clean lsa_utils.py code according to Python standards
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit e32be2ade4f2a6df736571efe555f74a4a6d4d9f
Author: Andreas Schneider <asn at samba.org>
Date: Thu Mar 21 14:06:46 2024 +0100
python:tests: Rename createtrustrelax.py to lsa_utils.py
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 00ed209e483bae38c31d94033826f03d6d87e69d
Author: Andreas Schneider <asn at samba.org>
Date: Thu Mar 21 11:24:10 2024 +0100
python: Implement OpenPolicyFallback()
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 85d0ab38f7ce4e74854e1f4960de33901bd8904a
Author: Andreas Schneider <asn at samba.org>
Date: Thu Mar 21 10:08:33 2024 +0100
python:samba: Rename trust_utils.py to lsa_utils.py
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 01940ae7afa21a6b70da5bdd5c4b8c3352c30c06
Author: Andreas Schneider <asn at samba.org>
Date: Thu Mar 21 10:31:36 2024 +0100
buildtools: Fix PYTHONPATH and print it
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
-----------------------------------------------------------------------
Summary of changes:
auth/credentials/credentials_gmsa.c | 21 +-
buildtools/devel_env.sh | 4 +-
librpc/rpc/dcerpc_lsa.h | 44 +++
python/samba/__init__.py | 11 +
python/samba/lsa_utils.py | 193 ++++++++++
python/samba/netcmd/domain/trust.py | 112 ++++--
python/samba/tests/blackbox/gmsa.py | 12 +-
python/samba/tests/dcerpc/createtrustrelax.py | 129 -------
python/samba/tests/dcerpc/lsa_utils.py | 247 +++++++++++++
python/samba/trust_utils.py | 62 ----
source3/rpc_client/init_lsa.c | 338 ++++++++++++++++-
source3/rpc_client/init_lsa.h | 18 +
source3/rpc_server/lsa/srv_lsa_nt.c | 355 ++++++++++++++----
source3/rpcclient/cmd_lsarpc.c | 248 +++++++++++++
source3/smbd/smbXsrv_client.c | 9 -
source3/smbd/smbXsrv_open.c | 17 +-
source3/smbd/smbXsrv_session.c | 81 ++--
source3/wscript_build | 2 +-
source4/rpc_server/lsa/dcesrv_lsa.c | 508 +++++++++++++++++---------
source4/rpc_server/lsa/lsa_init.c | 3 -
source4/selftest/tests.py | 4 +-
source4/torture/rpc/forest_trust.c | 70 ++--
source4/torture/rpc/lsa.c | 316 ++++++++--------
source4/torture/wscript_build | 1 +
24 files changed, 2090 insertions(+), 715 deletions(-)
create mode 100644 librpc/rpc/dcerpc_lsa.h
create mode 100644 python/samba/lsa_utils.py
delete mode 100644 python/samba/tests/dcerpc/createtrustrelax.py
create mode 100644 python/samba/tests/dcerpc/lsa_utils.py
delete mode 100644 python/samba/trust_utils.py
Changeset truncated at 500 lines:
diff --git a/auth/credentials/credentials_gmsa.c b/auth/credentials/credentials_gmsa.c
index 86422624f1e..f85f9c65d70 100644
--- a/auth/credentials/credentials_gmsa.c
+++ b/auth/credentials/credentials_gmsa.c
@@ -40,16 +40,7 @@ NTSTATUS cli_credentials_set_gmsa_passwords(struct cli_credentials *creds,
DATA_BLOB previous_managed_pw_utf16;
enum ndr_err_code ndr_err;
TALLOC_CTX *frame = talloc_stackframe();
-
- /*
- * We check if this is 'for keytab' as a keytab wants to know
- * about a near-future password as it will be on disk for some
- * time
- */
- bool only_use_previous_pw =
- managed_password.passwords.query_interval != NULL
- && *managed_password.passwords.query_interval <= gkdi_max_clock_skew
- && for_keytab == false;
+ bool only_use_previous_pw;
/*
* Group Managed Service Accounts are type
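Review bot: `bool only_use_previous_pw;` is now declared without an initialiser and is only assigned in the second hunk, after the NDR pull and its error check. That is correct today, but an `= false` here would keep any future early-return path between the declaration and the assignment from reading an indeterminate value, which is exactly the class of bug this commit fixes. Zero-initialising the structure that the NDR pull fills in would give the same defence against the pre-parse read of `managed_password.passwords.query_interval` that the removed lines performed.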
@@ -70,6 +61,16 @@ NTSTATUS cli_credentials_set_gmsa_passwords(struct cli_credentials *creds,
return NT_STATUS_ILL_FORMED_PASSWORD;
}
+ /*
+ * We check if this is 'for keytab' as a keytab wants to know
+ * about a near-future password as it will be on disk for some
+ * time
+ */
+ only_use_previous_pw =
+ managed_password.passwords.query_interval != NULL
+ && *managed_password.passwords.query_interval <= gkdi_max_clock_skew
+ && for_keytab == false;
+
/*
* We look at the old password first as we might bail out
* early if the new password is "too fresh"
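Review bot: the moved computation now dereferences `managed_password.passwords.query_interval` only after the `NT_STATUS_ILL_FORMED_PASSWORD` early return, which is the right place. Since the commit message says the old code read the uninitialised stack and could segfault, it is worth running the gMSA selftests under Valgrind or MemorySanitizer in CI: AddressSanitizer does not report reads of uninitialised stack memory and would have passed the old code.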
diff --git a/buildtools/devel_env.sh b/buildtools/devel_env.sh
index 9f87a4a1b36..430485ab868 100644
--- a/buildtools/devel_env.sh
+++ b/buildtools/devel_env.sh
@@ -3,5 +3,7 @@
# source buildtools/devel_env.sh
# Setup python path for lsp server
-PYTHONPATH="$(pwd)/third_party/waf:$(pwd)/python:$(pwd)/bin/python:$(pwd)/selftest:${PYTHONPATH}"
+echo "Old PYTHONPATH: ${PYTHONPATH}"
+PYTHONPATH="$(pwd)/third_party/waf:$(pwd)/bin/python:$(pwd)/python:$(pwd)/selftest:${PYTHONPATH}"
export PYTHONPATH
+echo "New PYTHONPATH: ${PYTHONPATH}"
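Review bot: the hunk moves `$(pwd)/bin/python` ahead of `$(pwd)/python` without saying why; a one-line comment in the script would stop the next person from reordering it back. Presumably the point is that the built tree in `bin/python` must shadow the source tree so the compiled modules are found (an assumption from the reorder, not stated in the hunk or the commit message). The two unconditional `echo` lines print on every `source` of the file; gating them behind a variable such as `SAMBA_DEVEL_ENV_VERBOSE` (a name suggested here, not one in the tree) would keep the script quiet when other scripts source it.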
diff --git a/librpc/rpc/dcerpc_lsa.h b/librpc/rpc/dcerpc_lsa.h
new file mode 100644
index 00000000000..7049e80ff1e
--- /dev/null
+++ b/librpc/rpc/dcerpc_lsa.h
@@ -0,0 +1,44 @@
+/*
+ * Copyright (c) 2023 Andreas Schneider <asn at samba.org>
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef _DCERPC_LSA_H
+#define _DCERPC_LSA_H
+
+#include <util/discard.h>
+#include "lib/util/data_blob.h"
+
+#define LSA_AES256_ENC_KEY_STRING \
+ "Microsoft LSAD encryption key AEAD-AES-256-CBC-HMAC-SHA512 16"
+/* Including terminating null byte */
+#define LSA_AES256_ENC_KEY_STRING_LEN sizeof(LSA_AES256_ENC_KEY_STRING)
+
+#define LSA_AES256_MAC_KEY_STRING \
+ "Microsoft LSAD MAC key AEAD-AES-256-CBC-HMAC-SHA512 16"
+/* Including terminating null byte */
+#define LSA_AES256_MAC_KEY_STRING_LEN sizeof(LSA_AES256_MAC_KEY_STRING)
+
+static const DATA_BLOB lsa_aes256_enc_key_salt = {
+ .data = discard_const_p(uint8_t, LSA_AES256_ENC_KEY_STRING),
+ .length = LSA_AES256_ENC_KEY_STRING_LEN,
+};
+
+static const DATA_BLOB lsa_aes256_mac_key_salt = {
+ .data = discard_const_p(uint8_t, LSA_AES256_MAC_KEY_STRING),
+ .length = LSA_AES256_MAC_KEY_STRING_LEN,
+};
+
+#endif /* _DCERPC_LSA_H */
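Review bot: `static const DATA_BLOB lsa_aes256_enc_key_salt` and `lsa_aes256_mac_key_salt` defined in a header give every translation unit that includes `dcerpc_lsa.h` its own copy and produce unused-const-variable warnings in files that include it without using both; `extern const` declarations with a single definition in a `.c` file, or just the string macros, avoid that. `discard_const_p()` also hands out a writable `uint8_t *` onto string literals, so a comment that callers must treat `.data` as read-only is warranted. The `/* Including terminating null byte */` comments are good; a reference to the MS-LSAD section that defines these salt strings would protect the trailing NUL from a later cleanup, since the Python copy in `lsa_utils.py` appends `b'\x00'` for the same reason.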
diff --git a/python/samba/__init__.py b/python/samba/__init__.py
index 6d311d2121e..5b1a3f91ba8 100644
--- a/python/samba/__init__.py
+++ b/python/samba/__init__.py
@@ -357,6 +357,17 @@ def arcfour_encrypt(key, data):
return arcfour_crypt_blob(data, key)
+def aead_aes_256_cbc_hmac_sha512(plaintext, cek, key_salt, mac_salt, iv):
+ from samba.crypto import aead_aes_256_cbc_hmac_sha512_blob
+ return aead_aes_256_cbc_hmac_sha512_blob(
+ plaintext,
+ cek,
+ key_salt,
+ mac_salt,
+ iv
+ )
+
+
GUID_RE = re.compile(
"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")
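Review bot: `aead_aes_256_cbc_hmac_sha512()` has no docstring, and nothing in this hunk tells a caller that the result is a `(ciphertext, auth_data)` tuple, that `cek` is the LSA session key, that `key_salt`/`mac_salt` are the NUL-terminated MS-LSAD salt strings, or that `iv` is 16 bytes, all of which the caller in `lsa_utils.py` relies on. Add a docstring stating the parameter semantics and the return tuple, and note why the `samba.crypto` import is deferred to call time rather than done at module level.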
diff --git a/python/samba/lsa_utils.py b/python/samba/lsa_utils.py
new file mode 100644
index 00000000000..a56675d6b63
--- /dev/null
+++ b/python/samba/lsa_utils.py
@@ -0,0 +1,193 @@
+# trust utils
+#
+# Copyright Isaac Boukris 2020
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+
+from samba.dcerpc import lsa, drsblobs, misc
+from samba.ndr import ndr_pack
+from samba import (
+ NTSTATUSError,
+ aead_aes_256_cbc_hmac_sha512,
+ arcfour_encrypt,
+ string_to_byte_array
+)
+from samba.ntstatus import (
+ NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE
+)
+from samba import crypto
+from secrets import token_bytes
+
+
+def OpenPolicyFallback(
+ conn: lsa.lsarpc,
+ system_name: str,
+ in_version: int,
+ in_revision_info: lsa.revision_info1,
+ sec_qos: bool = False,
+ access_mask: int = 0,
+):
+ attr = lsa.ObjectAttribute()
+ if sec_qos:
+ qos = lsa.QosInfo()
+ qos.len = 0xc
+ qos.impersonation_level = 2
+ qos.context_mode = 1
+ qos.effective_only = 0
+
+ attr.sec_qos = qos
+
+ try:
+ out_version, out_rev_info, policy = conn.OpenPolicy3(
+ system_name,
+ attr,
+ access_mask,
+ in_version,
+ in_revision_info
+ )
+ except NTSTATUSError as e:
+ if e.args[0] == NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE:
+ out_version = 1
+ out_rev_info = lsa.revision_info1()
+ out_rev_info.revision = 1
+ out_rev_info.supported_features = 0
+
+ policy = conn.OpenPolicy2(system_name, attr, access_mask)
+ else:
+ raise
+
+ return out_version, out_rev_info, policy
+
+
+def CreateTrustedDomainRelax(
+ lsaconn: lsa.lsarpc,
+ policy: misc.policy_handle,
+ trust_info: lsa.TrustDomainInfoInfoEx,
+ mask: int,
+ in_blob: drsblobs.trustAuthInOutBlob,
+ out_blob: drsblobs.trustAuthInOutBlob
+):
+
+ def generate_AuthInfoInternal(session_key, incoming=None, outgoing=None):
+ confounder = string_to_byte_array(token_bytes(512))
+
+ trustpass = drsblobs.trustDomainPasswords()
+
+ trustpass.confounder = confounder
+ trustpass.outgoing = outgoing
+ trustpass.incoming = incoming
+
+ trustpass_blob = ndr_pack(trustpass)
+
+ encrypted_trustpass = arcfour_encrypt(session_key, trustpass_blob)
+
+ auth_blob = lsa.DATA_BUF2()
+ auth_blob.size = len(encrypted_trustpass)
+ auth_blob.data = string_to_byte_array(encrypted_trustpass)
+
+ auth_info = lsa.TrustDomainInfoAuthInfoInternal()
+ auth_info.auth_blob = auth_blob
+
+ return auth_info
+
+ session_key = lsaconn.session_key
+
+ try:
+ if lsaconn.transport_encrypted():
+ crypto.set_relax_mode()
+ auth_info = generate_AuthInfoInternal(session_key,
+ incoming=in_blob,
+ outgoing=out_blob)
+ finally:
+ crypto.set_strict_mode()
+
+ return lsaconn.CreateTrustedDomainEx2(policy, trust_info, auth_info, mask)
+
+
+def CreateTrustedDomainFallback(
+ conn: lsa.lsarpc,
+ policy_handle: misc.policy_handle,
+ trust_info: lsa.TrustDomainInfoInfoEx,
+ access_mask: int,
+ srv_version: int,
+ srv_revision_info1: lsa.revision_info1,
+ in_blob: drsblobs.trustAuthInOutBlob,
+ out_blob: drsblobs.trustAuthInOutBlob
+):
+ def generate_AuthInfoInternalAES(
+ session_key,
+ incoming=None,
+ outgoing=None
+ ):
+ trustpass = drsblobs.trustDomainPasswords()
+
+ trustpass.outgoing = outgoing
+ trustpass.incoming = incoming
+
+ trustpass_blob = ndr_pack(trustpass)
+
+ lsa_aes256_enc_key = (
+ "Microsoft LSAD encryption key AEAD-AES-256-CBC-HMAC-SHA512 16".encode()
+ + b'\x00'
+ )
+ lsa_aes256_mac_key = (
+ "Microsoft LSAD MAC key AEAD-AES-256-CBC-HMAC-SHA512 16".encode()
+ + b'\x00'
+ )
+
+ iv = token_bytes(16)
+ ciphertext, auth_data = aead_aes_256_cbc_hmac_sha512(
+ trustpass_blob,
+ session_key,
+ lsa_aes256_enc_key,
+ lsa_aes256_mac_key,
+ iv,
+ )
+
+ return ciphertext, iv, auth_data
+
+ if (srv_version == 1
+ and srv_revision_info1.revision == 1
+ and (srv_revision_info1.supported_features
+ & lsa.LSA_FEATURE_TDO_AUTH_INFO_AES_CIPHER)):
+
+ ciphertext, iv, auth_data = generate_AuthInfoInternalAES(
+ conn.session_key, in_blob, out_blob
+ )
+
+ auth_blob = lsa.DATA_BUF2()
+ auth_blob.size = len(ciphertext)
+ auth_blob.data = string_to_byte_array(ciphertext)
+
+ auth_info = lsa.TrustDomainInfoAuthInfoInternalAES()
+ auth_info.cipher = auth_blob
+ auth_info.salt = string_to_byte_array(iv)
+ auth_info.auth_data = string_to_byte_array(auth_data)
+
+ return conn.CreateTrustedDomainEx3(
+ policy_handle,
+ trust_info,
+ auth_info,
+ access_mask
+ )
+
+ return CreateTrustedDomainRelax(
+ conn,
+ policy_handle,
+ trust_info,
+ access_mask,
+ in_blob,
+ out_blob
+ )
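Review bot: both fallbacks are silent downgrades. `OpenPolicyFallback()` drops to `OpenPolicy2()` on `NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE`, and `CreateTrustedDomainFallback()` drops to `CreateTrustedDomainRelax()`, i.e. RC4 under the session key with `crypto.set_relax_mode()`, whenever the server does not advertise `LSA_FEATURE_TDO_AUTH_INFO_AES_CIPHER`; neither path logs anything, so an operator cannot tell from the command output which cipher protected the trust passwords. Emit a warning on each fallback. The two salt strings are retyped here from `librpc/rpc/dcerpc_lsa.h` (with `+ b'\x00'` standing in for the `sizeof()` that includes the terminator); exposing them from the C side would remove the drift risk. `CreateTrustedDomainRelax()` calls `crypto.set_strict_mode()` in `finally` even when `transport_encrypted()` was false and relax mode was never set, which silently overrides a caller that had relaxed it deliberately. Docstrings are missing on all three public functions.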
diff --git a/python/samba/netcmd/domain/trust.py b/python/samba/netcmd/domain/trust.py
index e930f0006bb..20c4ffb9787 100644
--- a/python/samba/netcmd/domain/trust.py
+++ b/python/samba/netcmd/domain/trust.py
@@ -34,7 +34,7 @@ from samba.dcerpc import drsblobs, lsa, nbt, netlogon, security
from samba.net import Net
from samba.netcmd import Command, CommandError, Option, SuperCommand
from samba.samdb import SamDB
-from samba.trust_utils import CreateTrustedDomainRelax
+from samba.lsa_utils import OpenPolicyFallback, CreateTrustedDomainFallback
class LocalDCCredentialsOptions(options.CredentialsOptions):
@@ -210,15 +210,24 @@ class DomainTrustCommand(Command):
return netlogon.netlogon(self.remote_binding_string, self.local_lp, self.remote_creds)
def get_lsa_info(self, conn, policy_access):
- objectAttr = lsa.ObjectAttribute()
- objectAttr.sec_qos = lsa.QosInfo()
-
- policy = conn.OpenPolicy2(b''.decode('utf-8'),
- objectAttr, policy_access)
+ in_version = 1
+ in_revision_info1 = lsa.revision_info1()
+ in_revision_info1.revision = 1
+ in_revision_info1.supported_features = (
+ lsa.LSA_FEATURE_TDO_AUTH_INFO_AES_CIPHER
+ )
+
+ out_version, out_revision_info1, policy = OpenPolicyFallback(
+ conn,
+ b''.decode('utf-8'),
+ in_version,
+ in_revision_info1,
+ policy_access
+ )
info = conn.QueryInfoPolicy2(policy, lsa.LSA_POLICY_INFO_DNS)
- return (policy, info)
+ return (policy, out_version, out_revision_info1, info)
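Review bot: `policy_access` is passed as the fifth positional argument of `OpenPolicyFallback()`, whose signature is `(conn, system_name, in_version, in_revision_info, sec_qos=False, access_mask=0)`; it therefore lands in `sec_qos`, and `access_mask` stays 0, so every policy handle opened through `get_lsa_info()` is requested with no access rights and the `LSA_POLICY_VIEW_LOCAL_INFORMATION` and `LSA_POLICY_TRUST_ADMIN` bits the callers compute are never sent. Pass it as `access_mask=policy_access`, and `sec_qos=True` if the `lsa.QosInfo()` the removed lines always attached is still wanted.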
def get_netlogon_dc_unc(self, conn, server, domain):
try:
@@ -505,7 +514,12 @@ class cmd_domain_trust_show(DomainTrustCommand):
try:
local_policy_access = lsa.LSA_POLICY_VIEW_LOCAL_INFORMATION
- (local_policy, local_lsa_info) = self.get_lsa_info(local_lsa, local_policy_access)
+ (
+ local_policy,
+ local_version,
+ local_revision_info1,
+ local_lsa_info
+ ) = self.get_lsa_info(local_lsa, local_policy_access)
except RuntimeError as error:
raise self.LocalRuntimeError(self, error, "failed to query LSA_POLICY_INFO_DNS")
@@ -641,8 +655,12 @@ class cmd_domain_trust_modify(DomainTrustCommand):
try:
local_policy_access = lsa.LSA_POLICY_VIEW_LOCAL_INFORMATION
- local_policy_access |= lsa.LSA_POLICY_TRUST_ADMIN
- (local_policy, local_lsa_info) = self.get_lsa_info(local_lsa, local_policy_access)
+ (
+ local_policy,
+ local_version,
+ local_revision_info1,
+ local_lsa_info
+ ) = self.get_lsa_info(local_lsa, local_policy_access)
except RuntimeError as error:
raise self.LocalRuntimeError(self, error, "failed to query LSA_POLICY_INFO_DNS")
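Review bot: the removed `local_policy_access |= lsa.LSA_POLICY_TRUST_ADMIN` is not replaced anywhere in this hunk, so `cmd_domain_trust_modify` now requests only `LSA_POLICY_VIEW_LOCAL_INFORMATION` for a command whose purpose is to modify trusts; nothing in the commit message explains the drop, and the read-only `show` hunk above needed no such change. If it is unintended, restore the line.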
@@ -895,7 +913,12 @@ class cmd_domain_trust_create(DomainTrustCommand):
raise self.LocalRuntimeError(self, error, "failed to connect lsa server")
try:
- (local_policy, local_lsa_info) = self.get_lsa_info(local_lsa, local_policy_access)
+ (
+ local_policy,
+ local_version,
+ local_revision_info1,
+ local_lsa_info
+ ) = self.get_lsa_info(local_lsa, local_policy_access)
except RuntimeError as error:
raise self.LocalRuntimeError(self, error, "failed to query LSA_POLICY_INFO_DNS")
@@ -915,7 +938,12 @@ class cmd_domain_trust_create(DomainTrustCommand):
raise self.RemoteRuntimeError(self, error, "failed to connect lsa server")
try:
- (remote_policy, remote_lsa_info) = self.get_lsa_info(remote_lsa, remote_policy_access)
+ (
+ remote_policy,
+ remote_version,
+ remote_revision_info1,
+ remote_lsa_info
+ ) = self.get_lsa_info(remote_lsa, remote_policy_access)
except RuntimeError as error:
raise self.RemoteRuntimeError(self, error, "failed to query LSA_POLICY_INFO_DNS")
@@ -1041,12 +1069,16 @@ class cmd_domain_trust_create(DomainTrustCommand):
if remote_trust_info:
self.outf.write("Creating remote TDO.\n")
current_request = {"location": "remote", "name": "CreateTrustedDomainEx2"}
- remote_tdo_handle = CreateTrustedDomainRelax(remote_lsa,
- remote_policy,
- remote_trust_info,
- lsa.LSA_TRUSTED_DOMAIN_ALL_ACCESS,
- outgoing_blob,
- incoming_blob)
+ remote_tdo_handle = CreateTrustedDomainFallback(
+ remote_lsa,
+ remote_policy,
+ remote_trust_info,
+ lsa.LSA_TRUSTED_DOMAIN_ALL_ACCESS,
+ remote_version,
+ remote_revision_info1,
+ outgoing_blob,
+ incoming_blob
+ )
self.outf.write("Remote TDO created.\n")
if enc_types:
self.outf.write("Setting supported encryption types on remote TDO.\n")
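Review bot: `current_request = {"location": "remote", "name": "CreateTrustedDomainEx2"}` is left as context while the call below it is now `CreateTrustedDomainFallback()`, which issues `CreateTrustedDomainEx3` when the remote advertised AES; any error raised on that path will be reported against the wrong RPC name. Have the fallback helper return the name of the call it actually made and set `current_request["name"]` from that. The same applies to the `"location": "local"` hunk that follows.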
@@ -1057,12 +1089,16 @@ class cmd_domain_trust_create(DomainTrustCommand):
self.outf.write("Creating local TDO.\n")
current_request = {"location": "local", "name": "CreateTrustedDomainEx2"}
- local_tdo_handle = CreateTrustedDomainRelax(local_lsa,
- local_policy,
- local_trust_info,
- lsa.LSA_TRUSTED_DOMAIN_ALL_ACCESS,
- incoming_blob,
- outgoing_blob)
+ local_tdo_handle = CreateTrustedDomainFallback(
+ local_lsa,
+ local_policy,
+ local_trust_info,
+ lsa.LSA_TRUSTED_DOMAIN_ALL_ACCESS,
+ local_version,
+ local_revision_info1,
+ incoming_blob,
+ outgoing_blob
+ )
self.outf.write("Local TDO created\n")
if enc_types:
self.outf.write("Setting supported encryption types on local TDO.\n")
@@ -1266,7 +1302,12 @@ class cmd_domain_trust_delete(DomainTrustCommand):
raise self.LocalRuntimeError(self, error, "failed to connect lsa server")
try:
- (local_policy, local_lsa_info) = self.get_lsa_info(local_lsa, local_policy_access)
+ (
+ local_policy,
+ local_version,
+ local_revision_info1,
+ local_lsa_info
+ ) = self.get_lsa_info(local_lsa, local_policy_access)
except RuntimeError as error:
raise self.LocalRuntimeError(self, error, "failed to query LSA_POLICY_INFO_DNS")
@@ -1302,7 +1343,12 @@ class cmd_domain_trust_delete(DomainTrustCommand):
raise self.RemoteRuntimeError(self, error, "failed to connect lsa server")
try:
- (remote_policy, remote_lsa_info) = self.get_lsa_info(remote_lsa, remote_policy_access)
+ (
+ remote_policy,
+ remote_version,
+ remote_revision_info1,
+ remote_lsa_info
+ ) = self.get_lsa_info(remote_lsa, remote_policy_access)
except RuntimeError as error:
raise self.RemoteRuntimeError(self, error, "failed to query LSA_POLICY_INFO_DNS")
@@ -1409,7 +1455,12 @@ class cmd_domain_trust_validate(DomainTrustCommand):
raise self.LocalRuntimeError(self, error, "failed to connect lsa server")
--
Samba Shared Repository
More information about the samba-cvs mailing list