[SCM] Samba Shared Repository - branch master updated

Douglas Bagnall dbagnall at samba.org
Thu Oct 31 00:24:02 UTC 2024


The branch, master has been updated
       via  4f3005f851a netcmd: More explicit warning when python-gpg is missing
       via  7a5ad9f64a9 libcli/auth: split out netlogon_creds_cli_check_transport()
       via  8edbdd65ef7 libcli/auth: let netlogon_creds_copy() copy all scalar elements
       via  132629ee3a9 s4:librpc/rpc: make use of netlogon_creds_client_verify()
       via  1a5984ac631 libcli/auth: make use of netlogon_creds_client_verify()
       via  45faf6c35a0 libcli/auth: split out netlogon_creds_client_verify() that takes auth_{type,level}
       via  2956c7eb3c9 libcli/auth: pass auth_{type,level} to netlogon_creds_server_step_check()
       via  7b02fb50143 libcli/auth: pass auth_{type,level} to schannel_check_creds_state()
       via  131f5c0b251 libcli/auth: return INVALID_PARAMETER for DES in netlogon_creds_{de,en}crypt_samlogon_logon
       via  d43dc47eb14 libcli/auth: make sure low level crypto function are not used directly
       via  834197dafef s4:rpc_server/netlogon: make use of netlogon_creds_decrypt_SendToSam
       via  f1c1b8661a9 s4:rpc_server/netlogon: make use of netlogon_creds_decrypt_samr_CryptPassword
       via  7a7cb0d0426 s4:rpc_server/netlogon: make use of netlogon_creds_{de,en}crypt_samr_Password()
       via  a359b4139c8 s3:rpc_server/netlogon: make use of netlogon_creds_decrypt_samr_CryptPassword()
       via  550d20fd3dd s3:rpc_server/netlogon: make use of netlogon_creds_{de,en}crypt_samr_Password
       via  172ce406d48 s4:torture/rpc: make use of netlogon_creds_{de,en}crypt_samr_Password
       via  2d7a47a1753 s4:torture/rpc: make use of netlogon_creds_encrypt_samr_CryptPassword()
       via  a177d15c875 s4:torture/rpc: make use of netlogon_creds_decrypt_samlogon_validation()
       via  1666d1d74de s4:torture/rpc: make use of netlogon_creds_encrypt_samlogon_logon()
       via  e92d0509d6b libcli/auth: make use of netlogon_creds_{de,en}crypt_samr_Password
       via  2bd77ff7314 libcli/auth: make use of netlogon_creds_encrypt_SendToSam
       via  285ec9ecde7 libcli/auth: make use of netlogon_creds_encrypt_samr_CryptPassword
       via  1edcd5df80b libcli/auth: make netlogon_creds_des_{de,en}crypt_LMKey() static
       via  730dcc6dec7 auth/credentials: remove unused netlogon_creds_session_encrypt()
       via  0ff7f41248f pycredentials: remove unused .encrypt_samr_password()
       via  e7d57fc6e99 python/tests: use encrypt_netr_PasswordInfo in KDCBaseTest._test_samlogon()
       via  fac378485f5 pycredentials: add py_creds_encrypt_netr_PasswordInfo helper
       via  ea792fa342d pycredentials: make use of netlogon_creds_encrypt_samr_CryptPassword in py_creds_encrypt_netr_crypt_password
       via  b8681c16573 libcli/auth: add netlogon_creds_{de,en}crypt_SendToSam()
       via  8eb95a155de libcli/auth: add netlogon_creds_{de,en}crypt_samr_CryptPassword()
       via  851a9b18ecc libcli/auth: add netlogon_creds_{de,en}crypt_samr_Password()
       via  3d4ea276bdf libcli/auth: pass auth_{type,level} to netlogon_creds_{de,en}crypt_samlogon_logon()
       via  a56356e3993 libcli/auth: pass auth_{type,level} to netlogon_creds_{de,en}crypt_samlogon_validation()
       via  de8de55a5fe netlogon.idl: add netr_ServerAuthenticateKerberos() and related stuff
       via  62afadb3eba s3:rpc_server: add DCESRV_COMPAT_NOT_USED_ON_WIRE() helper macro
       via  01577b93cbb dcesrv_core: add DCESRV_NOT_USED_ON_WIRE() helper macro
       via  e4132c492de s4:rpc_server/netlogon: split out dcesrv_netr_ServerAuthenticateGeneric()
       via  f92def2f943 s4:dsdb/common: dsdb_trust_get_incoming_passwords only needs a const ldb_message
       via  e9767315cf0 libcli/auth: split out netlogon_creds_alloc()
       via  3792fe37288 libcli/auth: let netlogon_creds_cli_store_internal check netlogon_creds_CredentialState_legacy
       via  17394ed7bbf libcli/auth: let netlogon_creds_cli_store_internal() use talloc_stackframe()
       via  8b972fea097 libcli/auth: also use netlogon_creds_CredentialState_extra_info for the client
       via  498fc88c155 s4:torture/rpc: let test_netlogon_capabilities() fail on legacy servers
       via  fd4b027511b s4:rpc_server/netlogon: implement netr_LogonGetCapabilities query_level=2
       via  484a046d8e1 s3:rpc_server/netlogon: implement netr_LogonGetCapabilities query_level=2
       via  dfbc5e5a194 libcli/auth: remember client_requested_flags and auth_time in netlogon_creds_server_init()
       via  a9308c490cb libcli/auth: remove unused creds->sid
       via  4533afc9e12 s4:rpc_server/netlogon: make use of creds->ex->client_sid
       via  88a84d9330d s3:rpc_server/netlogon: make use of creds->ex->client_sid
       via  453587fbc1e librpc/rpc: make use of creds->ex->client_sid in dcesrv_netr_check_schannel_get_state()
       via  518f57b93bd libcli/auth: split out netlogon_creds_CredentialState_extra_info
       via  c2ef866fca2 libcli/auth: pass client_sid to netlogon_creds_server_init()
       via  2e8949495f6 s4:rpc_server/netlogon: add client_sid helper variables
       via  eda3728a407 s3:rpc_server/netlogon: add client_sid helper variables
       via  c9eaf5e22de s4:dsdb/common: samdb_confirm_rodc_allowed_to_repl_to() only needs a const sid
       via  7f478656dcf s3:cli_netlogon: let rpccli_connect_netlogon() use force_reauth = true on retry
       via  d174b6595a9 s4:torture/rpc/netlogon: adjust test_netlogon_capabilities query_level=2 to request_flags
       via  0b6ac4b082d s4:librpc/rpc: use netr_LogonGetCapabilities query_level=2 to verify the proposed capabilities
       via  25294685b1c s4:librpc/rpc: define required schannel flags and enforce them
       via  69b0cbd13d0 s4:librpc/rpc: don't allow any unexpected upgrades of negotiate_flags
       via  24de5d1cbd2 s4:librpc/rpc: do LogonControl after LogonGetCapabilities downgrade
       via  25a2105ca78 libcli/auth: use netr_LogonGetCapabilities query_level=2 to verify the proposed capabilities
       via  276137e9506 libcli/auth: use a LogonControl after a LogonGetCapabilities downgrade
       via  3da40f1c681 libcli/auth: if we require aes we don't need to require arcfour nor strong key
       via  a9040c8ce76 libcli/auth: don't allow any unexpected upgrades of negotiate_flags
       via  69cb9aea67d libcli/auth: make use of netlogon_creds_cli_store_internal() in netlogon_creds_cli_auth_srvauth_done()
       via  cf0e07a3d2a libcli/auth: remove unused netlogon_creds_client_init_session_key()
       via  86176598eee netlogon.idl: the capabilities in query_level=2 are the ones send by the client
       via  a0bc372dee6 s4:rpc_server/netlogon: if we require AES there's no need to remove the ARCFOUR flag
       via  e5bc5ee3e04 s3:rpc_server/netlogon: if we require AES there's no need to remove the ARCFOUR flag
       via  b27661f832c s3:rpc_server/netlogon: correctly negotiate flags in ServerAuthenticate2/3
       via  3dcbc8eea5b s4:torture/rpc: without weak crypto we should require AES
       via  36310650ee7 s4:torture/rpc: check that DOWNGRADE_DETECTED has no bits negotiated
      from  fdd133ae650 smbd: fix sharing access check for directories

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 4f3005f851ae62ea5beb3914b4f4dac455767681
Author: Andréas Leroux <aleroux at tranquil.it>
Date:   Wed Oct 30 15:34:35 2024 +0100

    netcmd: More explicit warning when python-gpg is missing
    
    Signed-off-by: Andréas Leroux <aleroux at tranquil.it>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Jennifer Sutton <jennifersutton at catalyst.net.nz>
    
    Autobuild-User(master): Douglas Bagnall <dbagnall at samba.org>
    Autobuild-Date(master): Thu Oct 31 00:23:09 UTC 2024 on atb-devel-224

commit 7a5ad9f64a905f5744430c6e0796c646baf9432e
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Oct 29 13:42:06 2024 +0100

    libcli/auth: split out netlogon_creds_cli_check_transport()
    
    This will make it easier to implement netr_ServerAuthenticateKerberos()
    later...
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit 8edbdd65ef78e3f26357d0254b58db3120a32880
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Jul 19 21:02:23 2023 +0200

    libcli/auth: let netlogon_creds_copy() copy all scalar elements
    
    This version is good for now, as we want it to be backportable.
    For master we'll add a ndr_deepcopy_struct() helper in order
    to avoid future problems.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit 132629ee3a9b73d0888d1110e4d0a45ded778e5a
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Oct 29 10:31:52 2024 +0100

    s4:librpc/rpc: make use of netlogon_creds_client_verify()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit 1a5984ac6312b204b51590057b8327cf4698383b
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Oct 29 10:02:40 2024 +0100

    libcli/auth: make use of netlogon_creds_client_verify()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit 45faf6c35a033ec46a546dfb9d5d6aeb2fb2b83c
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Oct 29 09:54:42 2024 +0100

    libcli/auth: split out netlogon_creds_client_verify() that takes auth_{type,level}
    
    This will make it easier to implement netr_ServerAuthenticateKerberos()
    later...
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit 2956c7eb3c9fc2161fd2748e5aac1fc94478e8c7
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Oct 29 09:46:07 2024 +0100

    libcli/auth: pass auth_{type,level} to netlogon_creds_server_step_check()
    
    This will make it easier to implement netr_ServerAuthenticateKerberos() later...
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit 7b02fb50143ba5044605ec67ed41180391835dcb
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Oct 29 09:44:52 2024 +0100

    libcli/auth: pass auth_{type,level} to schannel_check_creds_state()
    
    This will make it easier to implement netr_ServerAuthenticateKerberos() later...
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit 131f5c0b251e456c466eaca744525504e1d69492
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Oct 28 16:54:48 2024 +0100

    libcli/auth: return INVALID_PARAMETER for DES in netlogon_creds_{de,en}crypt_samlogon_logon
    
    For the NetlogonGenericInformation case we want an error instead of no
    encryption if only DES was negotiated...
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit d43dc47eb1481796d1c5f1e0a02235be3b33e6ad
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Oct 28 17:51:21 2024 +0100

    libcli/auth: make sure low level crypto function are not used directly
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit 834197dafef0f3779ba69c8e350cbd7bb9333284
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Oct 28 16:30:19 2024 +0100

    s4:rpc_server/netlogon: make use of netlogon_creds_decrypt_SendToSam
    
    This will make it easier to implement netr_ServerAuthenticateKerberos() later...
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit f1c1b8661a9121e1ff02784955c98d9f33bca8bd
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Oct 28 16:30:19 2024 +0100

    s4:rpc_server/netlogon: make use of netlogon_creds_decrypt_samr_CryptPassword
    
    This will make it easier to implement netr_ServerAuthenticateKerberos() later...
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit 7a7cb0d0426a891185f5acf825573d98360e98e1
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Oct 28 16:28:47 2024 +0100

    s4:rpc_server/netlogon: make use of netlogon_creds_{de,en}crypt_samr_Password()
    
    This will make it easier to implement netr_ServerAuthenticateKerberos() later...
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit a359b4139c8043ee3c3277b7559cb6d4f58f4044
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Oct 28 16:25:11 2024 +0100

    s3:rpc_server/netlogon: make use of netlogon_creds_decrypt_samr_CryptPassword()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit 550d20fd3dd04397b3a38f8b9e0cfa574453eea1
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Oct 28 17:12:16 2024 +0100

    s3:rpc_server/netlogon: make use of netlogon_creds_{de,en}crypt_samr_Password
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit 172ce406d48916c57f0742b6a0e064ac170ec8ff
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Oct 28 17:43:40 2024 +0100

    s4:torture/rpc: make use of netlogon_creds_{de,en}crypt_samr_Password
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit 2d7a47a175337729f4c671d7a6223f6e0ea23ebe
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Oct 28 16:22:36 2024 +0100

    s4:torture/rpc: make use of netlogon_creds_encrypt_samr_CryptPassword()
    
    This will make it easier to implement netr_ServerAuthenticateKerberos() later...
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit a177d15c875030dfc6c11ead3ec3a3ec851261cb
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Oct 28 16:57:53 2024 +0100

    s4:torture/rpc: make use of netlogon_creds_decrypt_samlogon_validation()
    
    This will make it easier to implement netr_ServerAuthenticateKerberos() later...
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit 1666d1d74dec3978837ab49f8749d59c0abcf595
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Oct 28 12:58:11 2024 +0100

    s4:torture/rpc: make use of netlogon_creds_encrypt_samlogon_logon()
    
    This will make it easier to catch all places where we need to
    implement the logic for netr_ServerAuthenticateKerberos...
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit e92d0509d6b4d7f86e8626ba8c5efc5b786823f1
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Oct 28 17:19:09 2024 +0100

    libcli/auth: make use of netlogon_creds_{de,en}crypt_samr_Password
    
    This will make it easier to implement netr_ServerAuthenticateKerberos() later...
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit 2bd77ff7314932dc4116773731a810fe0f7ce4b7
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Oct 28 16:00:52 2024 +0100

    libcli/auth: make use of netlogon_creds_encrypt_SendToSam
    
    This will help when implementing netr_ServerAuthenticateKerberos()...
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit 285ec9ecde712e40e6f0981bcb379ee911bfe9d8
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Oct 28 15:56:09 2024 +0100

    libcli/auth: make use of netlogon_creds_encrypt_samr_CryptPassword
    
    This will help when implementing netr_ServerAuthenticateKerberos()...
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit 1edcd5df80bdbc4d4da5bdd5e534d7a17ec61f77
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Oct 28 15:52:13 2024 +0100

    libcli/auth: make netlogon_creds_des_{de,en}crypt_LMKey() static
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit 730dcc6dec75049e5f76b170911f46d44fb4adb8
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Oct 28 15:44:07 2024 +0100

    auth/credentials: remove unused netlogon_creds_session_encrypt()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit 0ff7f41248f485cbc7685840f0698b490c241860
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Oct 28 14:04:52 2024 +0100

    pycredentials: remove unused .encrypt_samr_password()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit e7d57fc6e992ca212b834d5dd4d381244bca55c6
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Oct 28 15:39:57 2024 +0100

    python/tests: use encrypt_netr_PasswordInfo in KDCBaseTest._test_samlogon()
    
    This will make it easier to implement netr_ServerAuthenticateKerberos()
    later...
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit fac378485f5f15ac0a11c3d82207c4bc780bfb80
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Oct 28 15:22:47 2024 +0100

    pycredentials: add py_creds_encrypt_netr_PasswordInfo helper
    
    This will replace py_creds_encrypt_samr_password in the next steps
    and prepares the introduction of netr_ServerAuthenticateKerberos().
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit ea792fa342deebefa75b77832c9057924cdcb6f6
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Oct 28 14:06:28 2024 +0100

    pycredentials: make use of netlogon_creds_encrypt_samr_CryptPassword in py_creds_encrypt_netr_crypt_password
    
    These will simplify adding the logic for netr_ServerAuthenticateKerberos...
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit b8681c165731666bb5eed073ab862490c33ea095
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Oct 28 13:13:50 2024 +0100

    libcli/auth: add netlogon_creds_{de,en}crypt_SendToSam()
    
    These will simplify adding the logic for netr_ServerAuthenticateKerberos...
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit 8eb95a155de396981375c7f11221695fd3c7f9d5
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Oct 28 13:12:24 2024 +0100

    libcli/auth: add netlogon_creds_{de,en}crypt_samr_CryptPassword()
    
    These will simplify adding the logic for netr_ServerAuthenticateKerberos...
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit 851a9b18eccece64c3ae0cedd7c7b26a44f0eec6
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Oct 28 13:03:37 2024 +0100

    libcli/auth: add netlogon_creds_{de,en}crypt_samr_Password()
    
    These will simplify adding the logic for netr_ServerAuthenticateKerberos...
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit 3d4ea276bdf44202250246cd6edae2bc17e92c74
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Oct 28 12:55:12 2024 +0100

    libcli/auth: pass auth_{type,level} to netlogon_creds_{de,en}crypt_samlogon_logon()
    
    This will be needed when we implement netr_ServerAuthenticateKerberos...
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit a56356e399339d5bce2e699431cd3e6186229170
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Oct 28 12:43:44 2024 +0100

    libcli/auth: pass auth_{type,level} to netlogon_creds_{de,en}crypt_samlogon_validation()
    
    This will be needed when we implement netr_ServerAuthenticateKerberos...
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit de8de55a5fee573d0718fa8dd13168a4f0a14614
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Apr 30 15:14:47 2024 +0200

    netlogon.idl: add netr_ServerAuthenticateKerberos() and related stuff
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit 62afadb3ebac49a684fb0e5a1beb6d7db6f5e515
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Sep 10 13:56:38 2024 +0200

    s3:rpc_server: add DCESRV_COMPAT_NOT_USED_ON_WIRE() helper macro
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit 01577b93cbb0a26aba3209cde69475be2e1c5fb8
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Sep 10 13:56:38 2024 +0200

    dcesrv_core: add DCESRV_NOT_USED_ON_WIRE() helper macro
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit e4132c492ded7cadc60371b524e72e41f71f75e9
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Oct 16 17:55:41 2024 +0200

    s4:rpc_server/netlogon: split out dcesrv_netr_ServerAuthenticateGeneric()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit f92def2f943917d8946b03f71fcf676998701815
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Oct 16 17:49:26 2024 +0200

    s4:dsdb/common: dsdb_trust_get_incoming_passwords only needs a const ldb_message
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit e9767315cf06bcb257b40014441dd4cd9aad0fb0
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Oct 16 17:47:22 2024 +0200

    libcli/auth: split out netlogon_creds_alloc()
    
    Review with: git show --patience
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit 3792fe372884aad6ea2893f2e62629dd1cddc129
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Oct 10 13:39:38 2024 +0200

    libcli/auth: let netlogon_creds_cli_store_internal check netlogon_creds_CredentialState_legacy
    
    Before storing the structure into a ctdb-managed volatile database
    we check it against netlogon_creds_CredentialState_legacy (the structure
    used before the recent changes). This makes sure that unpatched cluster
    nodes do not get a parsing error.
    
    We'll remove this again in master when we try to implement
    netr_ServerAuthenticateKerberos() and the related changes
    to netlogon_creds_CredentialState, which will break the compat...
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit 17394ed7bbf8fa50570a5732f1ce84ccd5e69393
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Oct 10 13:24:37 2024 +0200

    libcli/auth: let netlogon_creds_cli_store_internal() use talloc_stackframe()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit 8b972fea0978101575f847eac33b09d2fd8d02e7
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Oct 2 19:06:59 2024 +0200

    libcli/auth: also use netlogon_creds_CredentialState_extra_info for the client
    
    In order to allow backports and cluster updates we simulate a
    dom_sid, so that the old code is able to parse the blob.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit 498fc88c155b57a0de6150c3b1e3cfcac181d45b
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Oct 29 09:27:30 2024 +0100

    s4:torture/rpc: let test_netlogon_capabilities() fail on legacy servers
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit fd4b027511b18615e215b66183f95b54bcab683e
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Jul 19 18:00:31 2023 +0200

    s4:rpc_server/netlogon: implement netr_LogonGetCapabilities query_level=2
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit 484a046d8e179a3b21ead8b5bc3660095314e816
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Jul 19 18:03:09 2023 +0200

    s3:rpc_server/netlogon: implement netr_LogonGetCapabilities query_level=2
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit dfbc5e5a19420311eac3db5ede1c665a9198395d
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Oct 2 19:06:59 2024 +0200

    libcli/auth: remember client_requested_flags and auth_time in netlogon_creds_server_init()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit a9308c490cb5ec8908a3e4c13e2ce8a08b9027e9
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Oct 2 19:04:02 2024 +0200

    libcli/auth: remove unused creds->sid
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit 4533afc9e12c4dbbc7d11c13e775888c113d497c
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Oct 2 19:01:39 2024 +0200

    s4:rpc_server/netlogon: make use of creds->ex->client_sid
    
    creds->sid will be removed soon...
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit 88a84d9330d2bb03176f888a0d8e5066e1e21bf6
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Oct 2 19:01:39 2024 +0200

    s3:rpc_server/netlogon: make use of creds->ex->client_sid
    
    creds->sid will be removed soon...
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit 453587fbc1ef74a3b997235e84040553261fa13e
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Oct 2 19:00:45 2024 +0200

    librpc/rpc: make use of creds->ex->client_sid in dcesrv_netr_check_schannel_get_state()
    
    creds->sid will be removed soon.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit 518f57b93bdb84900d3b58cd94bdf1046f82a5a6
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Oct 2 18:54:05 2024 +0200

    libcli/auth: split out netlogon_creds_CredentialState_extra_info
    
    As server we are free to change the netlogon_creds_CredentialState
    database record format at will as it uses CLEAR_IF_FIRST.
    
    For now that format doesn't really change, because we
    only move dom_sid into a wrapper structure.
    
    In order to avoid changing all callers in this commit,
    we maintain creds->sid as an in-memory pointer.
    
    In the following patches we'll also use it in order
    to store client related information...
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit c2ef866fca296c8f3eb1620fdd2bb9bf289d96fc
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Oct 2 18:46:43 2024 +0200

    libcli/auth: pass client_sid to netlogon_creds_server_init()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit 2e8949495f601d3fd117cceccd1b464a6ae43251
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Oct 2 18:06:44 2024 +0200

    s4:rpc_server/netlogon: add client_sid helper variables
    
    This will make the following changes simpler...
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit eda3728a4079c5399f693b1d68e64e5660647c72
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Oct 2 18:06:44 2024 +0200

    s3:rpc_server/netlogon: add client_sid helper variables
    
    This will make the following changes simpler...
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit c9eaf5e22de730f1e7575f6697f32dbb377eae06
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Oct 2 18:04:27 2024 +0200

    s4:dsdb/common: samdb_confirm_rodc_allowed_to_repl_to() only needs a const sid
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit 7f478656dcf08619bc3a7ad390c7db3bfdef924e
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Oct 30 12:10:49 2024 +0100

    s3:cli_netlogon: let rpccli_connect_netlogon() use force_reauth = true on retry
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit d174b6595a962230bf71cc5c2f512a2c93a4cc1b
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Jul 20 13:29:12 2023 +0200

    s4:torture/rpc/netlogon: adjust test_netlogon_capabilities query_level=2 to request_flags
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit 0b6ac4b082ddec5dae1392537727f3a7123ec279
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Oct 2 16:38:53 2024 +0200

    s4:librpc/rpc: use netr_LogonGetCapabilities query_level=2 to verify the proposed capabilities
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit 25294685b1c2c8652f0ca0220e8f3729e0b347e2
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Oct 2 16:38:53 2024 +0200

    s4:librpc/rpc: define required schannel flags and enforce them
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit 69b0cbd13d06fa640a900acab6757425b5b77cac
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Oct 2 16:44:26 2024 +0200

    s4:librpc/rpc: don't allow any unexpected upgrades of negotiate_flags
    
    Only remove the unsupported flags from local_negotiate_flags for
    the next try...
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit 24de5d1cbd25fabae6b01565907b53f5e51ea06d
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Oct 2 16:15:46 2024 +0200

    s4:librpc/rpc: do LogonControl after LogonGetCapabilities downgrade
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit 25a2105ca7816c47a9c4a7fded88a922e4ccf88b
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Oct 2 13:43:36 2024 +0200

    libcli/auth: use netr_LogonGetCapabilities query_level=2 to verify the proposed capabilities
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit 276137e950696fbf36450dceebd6c0250c6242d0
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Oct 2 14:25:19 2024 +0200

    libcli/auth: use a LogonControl after a LogonGetCapabilities downgrade
    
    If LogonGetCapabilities was downgraded by a DCERPC Fault, we
    rely on the schannel message ordering to detect failures.
    
    Instead of letting any real winbindd request trigger this,
    we do it directly in netlogon_creds_cli_check() with
    a LogonControl that is also used for 'wbinfo --ping-dc'.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit 3da40f1c6818550eb08a6d7d680c213c3f1d0649
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Oct 10 12:31:18 2024 +0200

    libcli/auth: if we require aes we don't need to require arcfour nor strong key
    
    But we can send arcfour and strong key on the wire and don't need to
    remove them from the proposed flags.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit a9040c8ce76cb9911c4c0c5d623cc479e49f460d
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Oct 2 15:03:21 2024 +0200

    libcli/auth: don't allow any unexpected upgrades of negotiate_flags
    
    Only remove the unsupported flags from state->current_flags for
    the next try...
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit 69cb9aea67de0613f467f7ce2d460364ff2be241
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Jul 19 17:43:00 2023 +0200

    libcli/auth: make use of netlogon_creds_cli_store_internal() in netlogon_creds_cli_auth_srvauth_done()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit cf0e07a3d2a085d31f7d682633af9ec57c155e57
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Oct 2 19:06:59 2024 +0200

    libcli/auth: remove unused netlogon_creds_client_init_session_key()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit 86176598eee4c83dc63a9dac163f32c886477129
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Jul 19 09:27:48 2023 +0200

    netlogon.idl: the capabilities in query_level=2 are the ones send by the client
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit a0bc372dee68ad255da005d2e2078da754bbef2a
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Oct 10 12:34:33 2024 +0200

    s4:rpc_server/netlogon: if we require AES there's no need to remove the ARCFOUR flag
    
    With SAMBA_WEAK_CRYPTO_DISALLOWED dcesrv_netr_ServerAuthenticate3_check_downgrade()
    will return DOWNGRADE_DETECTED with negotiate_flags = 0, if AES was not
    negotiated...
    
    And if AES was negotiated there's no harm in returning the ARCFOUR
    flag...
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit e5bc5ee3e04138b10c0630640469a08fad847e56
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Oct 10 12:34:33 2024 +0200

    s3:rpc_server/netlogon: if we require AES there's no need to remove the ARCFOUR flag
    
    With SAMBA_WEAK_CRYPTO_DISALLOWED we will return DOWNGRADE_DETECTED with negotiate_flags = 0,
    if AES was not negotiated...
    
    And if AES was negotiated there's no harm in returning the ARCFOUR
    flag...
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit b27661f832cc4c56cc582cf7041d90f178736ef7
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Jul 19 12:55:33 2023 +0200

    s3:rpc_server/netlogon: correctly negotiate flags in ServerAuthenticate2/3
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit 3dcbc8eea5bc53a8332b3ad93ea4c3df99af7830
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Oct 10 15:02:16 2024 +0200

    s4:torture/rpc: without weak crypto we should require AES
    
    We should check that we actually negotiated the strong AES
    crypto instead of just checking that NETLOGON_NEG_ARCFOUR is not
    there...
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit 36310650ee7a64603128139f512d3a4e039f8822
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Oct 10 15:08:01 2024 +0200

    s4:torture/rpc: check that DOWNGRADE_DETECTED has no bits negotiated
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

-----------------------------------------------------------------------

Summary of changes:
 auth/credentials/credentials.c                   |  46 --
 auth/credentials/credentials.h                   |   4 -
 auth/credentials/pycredentials.c                 |  76 ++-
 libcli/auth/credentials.c                        | 364 ++++++++++---
 libcli/auth/libcli_auth.h                        |   1 +
 libcli/auth/netlogon_creds_cli.c                 | 648 +++++++++++++++--------
 libcli/auth/proto.h                              |  66 ++-
 libcli/auth/schannel_state.h                     |   2 +
 libcli/auth/schannel_state_tdb.c                 |  15 +-
 libcli/samsync/decrypt.c                         |   2 +
 librpc/idl/netlogon.idl                          |  33 +-
 librpc/idl/schannel.idl                          |  73 ++-
 librpc/rpc/dcesrv_core.h                         |   8 +
 librpc/rpc/server/netlogon/schannel_util.c       |   6 +-
 python/samba/netcmd/user/readpasswords/common.py |   6 +-
 python/samba/tests/krb5/kdc_base_test.py         |  10 +-
 source3/rpc_client/cli_netlogon.c                |   1 +
 source3/rpc_server/netlogon/srv_netlog_nt.c      | 169 ++++--
 source3/rpc_server/rpc_pipes.h                   |   6 +
 source4/dsdb/common/rodc_helper.c                |   2 +-
 source4/dsdb/common/util_trusts.c                |   2 +-
 source4/librpc/rpc/dcerpc_schannel.c             | 333 +++++++++++-
 source4/rpc_server/netlogon/dcerpc_netlogon.c    | 343 ++++++++----
 source4/torture/ntp/ntp_signd.c                  |   1 +
 source4/torture/rpc/forest_trust.c               |  17 +-
 source4/torture/rpc/lsa.c                        |  21 +-
 source4/torture/rpc/netlogon.c                   | 194 +++++--
 source4/torture/rpc/netlogon_crypto.c            |   7 +-
 source4/torture/rpc/remote_pac.c                 |  42 +-
 source4/torture/rpc/samba3rpc.c                  |  21 +-
 source4/torture/rpc/samlogon.c                   |  38 +-
 source4/torture/rpc/samr.c                       |  21 +-
 source4/torture/rpc/schannel.c                   |  85 ++-
 33 files changed, 1984 insertions(+), 679 deletions(-)


Changeset truncated at 500 lines:

diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
index aade70cd2c1..a88a458f82b 100644
--- a/auth/credentials/credentials.c
+++ b/auth/credentials/credentials.c
@@ -1996,49 +1996,3 @@ cli_credentials_get_smb_encryption(struct cli_credentials *creds)
 {
 	return creds->encryption_state;
 }
-
-/**
- * Encrypt a data blob using the session key and the negotiated encryption
- * algorithm
- *
- * @param state Credential state, contains the session key and algorithm
- * @param data Data blob containing the data to be encrypted.
- *
- */
-_PUBLIC_ NTSTATUS netlogon_creds_session_encrypt(
-	struct netlogon_creds_CredentialState *state,
-	DATA_BLOB data)
-{
-	NTSTATUS status;
-
-	if (data.data == NULL || data.length == 0) {
-		DBG_ERR("Nothing to encrypt "
-			"data.data == NULL or data.length == 0\n");
-		return NT_STATUS_INVALID_PARAMETER;
-	}
-	/*
-	 * Don't crypt an all-zero password it will give away the
-	 * NETLOGON pipe session key .
-	 */
-	if (all_zero(data.data, data.length)) {
-		DBG_ERR("Supplied data all zeros, could leak session key\n");
-		return NT_STATUS_INVALID_PARAMETER;
-	}
-	if (state->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
-		status = netlogon_creds_aes_encrypt(state,
-						    data.data,
-						    data.length);
-	} else if (state->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
-		status = netlogon_creds_arcfour_crypt(state,
-						      data.data,
-						      data.length);
-	} else {
-		DBG_ERR("Unsupported encryption option negotiated\n");
-		status = NT_STATUS_NOT_SUPPORTED;
-	}
-	if (!NT_STATUS_IS_OK(status)) {
-		return status;
-	}
-	return NT_STATUS_OK;
-}
-
diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h
index 4a39899e751..cae6a94b450 100644
--- a/auth/credentials/credentials.h
+++ b/auth/credentials/credentials.h
@@ -357,10 +357,6 @@ void cli_credentials_dump(struct cli_credentials *creds);
  */
 struct netlogon_creds_CredentialState *cli_credentials_get_netlogon_creds(struct cli_credentials *cred);
 
-NTSTATUS netlogon_creds_session_encrypt(
-	struct netlogon_creds_CredentialState *state,
-	DATA_BLOB data);
-
 /**
  * Kerberos FAST handling
  */
diff --git a/auth/credentials/pycredentials.c b/auth/credentials/pycredentials.c
index 8008bd0418d..a2457009559 100644
--- a/auth/credentials/pycredentials.c
+++ b/auth/credentials/pycredentials.c
@@ -24,6 +24,7 @@
 #include "param/param.h"
 #include "auth/credentials/credentials_internal.h"
 #include "auth/credentials/credentials_krb5.h"
+#include "librpc/gen_ndr/dcerpc.h"
 #include "librpc/gen_ndr/samr.h" /* for struct samr_Password */
 #include "librpc/gen_ndr/netlogon.h"
 #include "libcli/util/pyerrors.h"
@@ -1074,9 +1075,11 @@ static PyObject *py_creds_get_old_kerberos_key(PyObject *self, PyObject *args)
 static PyObject *py_creds_encrypt_netr_crypt_password(PyObject *self,
 						      PyObject *args)
 {
-	DATA_BLOB data = data_blob_null;
 	struct cli_credentials    *creds  = NULL;
 	struct netr_CryptPassword *pwd    = NULL;
+	struct samr_CryptPassword spwd;
+	enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
+	enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
 	NTSTATUS status;
 	PyObject *py_cp = Py_None;
 
@@ -1100,23 +1103,42 @@ static PyObject *py_creds_encrypt_netr_crypt_password(PyObject *self,
 		/* pytalloc_get_type sets TypeError */
 		return NULL;
 	}
-	data.length = sizeof(struct netr_CryptPassword);
-	data.data   = (uint8_t *)pwd;
-	status = netlogon_creds_session_encrypt(creds->netlogon_creds, data);
+
+	memcpy(spwd.data, pwd->data, 512);
+	PUSH_LE_U32(spwd.data, 512, pwd->length);
+
+	status = netlogon_creds_encrypt_samr_CryptPassword(creds->netlogon_creds,
+							   &spwd,
+							   auth_type,
+							   auth_level);
+
+	memcpy(pwd->data, spwd.data, 512);
+	pwd->length = PULL_LE_U32(spwd.data, 512);
+	ZERO_STRUCT(spwd);
 
 	PyErr_NTSTATUS_IS_ERR_RAISE(status);
 
 	Py_RETURN_NONE;
 }
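Review bot: The hard-coded 512 in `memcpy(spwd.data, pwd->data, 512);`, `PUSH_LE_U32(spwd.data, 512, pwd->length);` and the two copy-back lines should be tied to the IDL-declared size, e.g. `memcpy(spwd.data, pwd->data, sizeof(pwd->data));` and `PUSH_LE_U32(spwd.data, sizeof(pwd->data), pwd->length);`, so a change to netr_CryptPassword cannot silently desynchronise the two layouts. Separately, auth_type and auth_level are fixed at DCERPC_AUTH_TYPE_NONE/DCERPC_AUTH_LEVEL_NONE here while the sibling py_creds_encrypt_netr_PasswordInfo() in the next hunk takes them from the Python caller; if netlogon_creds_encrypt_samr_CryptPassword() uses them to decide whether the transport is adequately protected, callers of encrypt_netr_crypt_password have no way to state the real values. Either extend this method's Python signature like the sibling or add a one-line comment saying why NONE is acceptable for this entry point. The copy back into pwd also happens regardless of status, which is only harmless if the helper leaves spwd untouched on failure; that is not visible here and deserves a comment or a status check before the copy.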
 
-static PyObject *py_creds_encrypt_samr_password(PyObject *self,
-						PyObject *args)
+static PyObject *py_creds_encrypt_netr_PasswordInfo(PyObject *self,
+						    PyObject *args,
+						    PyObject *kwargs)
 {
-	DATA_BLOB data = data_blob_null;
-	struct cli_credentials *creds  = NULL;
-	struct samr_Password   *pwd    = NULL;
+	const char * const kwnames[] = {
+		"info",
+		"auth_type",
+		"auth_level",
+		NULL
+	};
+	struct cli_credentials *creds = NULL;
+	PyObject *py_info = Py_None;
+	enum netr_LogonInfoClass level = NetlogonInteractiveInformation;
+	union netr_LogonLevel logon = { .password = NULL, };
+	uint8_t auth_type = DCERPC_AUTH_TYPE_NONE;
+	uint8_t auth_level = DCERPC_AUTH_LEVEL_NONE;
 	NTSTATUS status;
-	PyObject *py_cp = Py_None;
+	bool ok;
 
 	creds = PyCredentials_AsCliCredentials(self);
 	if (creds == NULL) {
@@ -1129,22 +1151,32 @@ static PyObject *py_creds_encrypt_samr_password(PyObject *self,
 		return NULL;
 	}
 
-	if (!PyArg_ParseTuple(args, "O", &py_cp)) {
+	if (!PyArg_ParseTupleAndKeywords(args, kwargs, "Obb",
+					 discard_const_p(char *, kwnames),
+					 &py_info, &auth_type, &auth_level))
+	{
 		return NULL;
 	}
 
-	if (!py_check_dcerpc_type(py_cp, "samba.dcerpc.samr", "Password")) {
+	ok = py_check_dcerpc_type(py_info,
+				  "samba.dcerpc.netlogon",
+				  "netr_PasswordInfo");
+	if (!ok) {
 		/* py_check_dcerpc_type sets TypeError */
 		return NULL;
 	}
 
-	pwd = pytalloc_get_type(py_cp, struct samr_Password);
-	if (pwd == NULL) {
+	logon.password = pytalloc_get_type(py_info, struct netr_PasswordInfo);
+	if (logon.password == NULL) {
 		/* pytalloc_get_type sets TypeError */
 		return NULL;
 	}
-	data = data_blob_const(pwd->hash, sizeof(pwd->hash));
-	status = netlogon_creds_session_encrypt(creds->netlogon_creds, data);
+
+	status = netlogon_creds_encrypt_samlogon_logon(creds->netlogon_creds,
+						       level,
+						       &logon,
+						       auth_type,
+						       auth_level);
 
 	PyErr_NTSTATUS_IS_ERR_RAISE(status);
 
@@ -1676,11 +1708,13 @@ static PyMethodDef py_creds_methods[] = {
 			    "the negotiated encryption algorithm in place\n"
 			    "i.e. it overwrites the original data"},
 	{
-		.ml_name  = "encrypt_samr_password",
-		.ml_meth  = py_creds_encrypt_samr_password,
-		.ml_flags = METH_VARARGS,
-		.ml_doc   = "S.encrypt_samr_password(password) -> None\n"
-			    "Encrypt the supplied password using the session key and\n"
+		.ml_name  = "encrypt_netr_PasswordInfo",
+		.ml_meth  = PY_DISCARD_FUNC_SIG(PyCFunction,
+					py_creds_encrypt_netr_PasswordInfo),
+		.ml_flags = METH_VARARGS | METH_KEYWORDS,
+		.ml_doc   = "S.encrypt_netr_PasswordInfo(info, "
+			    "auth_type, auth_level) -> None\n"
+			    "Encrypt the supplied password info using the session key and\n"
 			    "the negotiated encryption algorithm in place\n"
 			    "i.e. it overwrites the original data"
 	},
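Review bot: The new ml_doc string names auth_type and auth_level but does not say what values are expected; extend it with a line such as `"auth_type and auth_level are dcerpc.DCERPC_AUTH_TYPE_* / DCERPC_AUTH_LEVEL_* values of the connection the info will be sent over\n"`. Since encrypt_samr_password disappears from the method table rather than being kept as a deprecated alias, any out-of-tree Python caller now fails with AttributeError; the diffstat touches python/samba/tests/krb5/kdc_base_test.py and python/samba/netcmd/user/readpasswords/common.py, which may be the in-tree callers being migrated, so this looks intended but should be stated in the commit message or release notes.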
diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
index 84838be6e73..7a1f6038ef2 100644
--- a/libcli/auth/credentials.c
+++ b/libcli/auth/credentials.c
@@ -30,6 +30,12 @@
 #include <gnutls/gnutls.h>
 #include <gnutls/crypto.h>
 
+#undef netlogon_creds_des_encrypt
+#undef netlogon_creds_des_decrypt
+#undef netlogon_creds_arcfour_crypt
+#undef netlogon_creds_aes_encrypt
+#undef netlogon_creds_aes_decrypt
+
 bool netlogon_creds_is_random_challenge(const struct netr_Credential *challenge)
 {
 	/*
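Review bot: The five `#undef` lines carry no explanation; a reader has to work out that the same names are presumably redefined as macros in a shared header so that callers outside this file cannot reach the raw DES/ARCFOUR/AES primitives, and that this file implements them and therefore needs the real symbols. Put that in a comment above the block, e.g. `/* The raw primitives are hidden behind macros in the shared header so callers use the netlogon_creds_{de,en}crypt_* helpers; this file defines them and needs the real names. */`. It is also worth noting in that comment that a macro-based guard only covers translation units that include the header, so the protection is a lint, not a link-time guarantee.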
@@ -290,7 +296,7 @@ static NTSTATUS netlogon_creds_step(struct netlogon_creds_CredentialState *creds
 /*
   DES encrypt a 8 byte LMSessionKey buffer using the Netlogon session key
 */
-NTSTATUS netlogon_creds_des_encrypt_LMKey(struct netlogon_creds_CredentialState *creds,
+static NTSTATUS netlogon_creds_des_encrypt_LMKey(struct netlogon_creds_CredentialState *creds,
 					  struct netr_LMSessionKey *key)
 {
 	int rc;
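Review bot: Adding `static` to netlogon_creds_des_encrypt_LMKey() shifts the opening parenthesis by seven columns, so the continuation line `struct netr_LMSessionKey *key)` no longer aligns with it; the same happens to netlogon_creds_des_decrypt_LMKey() in the next hunk. Re-indent the continuation lines to the new parenthesis column so the two prototypes keep the alignment style used elsewhere in this file.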
@@ -308,7 +314,7 @@ NTSTATUS netlogon_creds_des_encrypt_LMKey(struct netlogon_creds_CredentialState
 /*
   DES decrypt a 8 byte LMSessionKey buffer using the Netlogon session key
 */
-NTSTATUS netlogon_creds_des_decrypt_LMKey(struct netlogon_creds_CredentialState *creds,
+static NTSTATUS netlogon_creds_des_decrypt_LMKey(struct netlogon_creds_CredentialState *creds,
 					  struct netr_LMSessionKey *key)
 {
 	int rc;
@@ -473,6 +479,58 @@ NTSTATUS netlogon_creds_aes_decrypt(struct netlogon_creds_CredentialState *creds
 	return NT_STATUS_OK;
 }
 
+static struct netlogon_creds_CredentialState *
+netlogon_creds_alloc(TALLOC_CTX *mem_ctx,
+		     const char *client_account,
+		     const char *client_computer_name,
+		     uint16_t secure_channel_type,
+		     uint32_t client_requested_flags,
+		     const struct dom_sid *client_sid,
+		     uint32_t negotiate_flags)
+{
+	struct netlogon_creds_CredentialState *creds = NULL;
+	struct timeval tv = timeval_current();
+	NTTIME now = timeval_to_nttime(&tv);
+
+	creds = talloc_zero(mem_ctx, struct netlogon_creds_CredentialState);
+	if (creds == NULL) {
+		return NULL;
+	}
+
+	if (client_sid == NULL) {
+		creds->sequence = tv.tv_sec;
+	}
+	creds->negotiate_flags = negotiate_flags;
+	creds->secure_channel_type = secure_channel_type;
+
+	creds->computer_name = talloc_strdup(creds, client_computer_name);
+	if (!creds->computer_name) {
+		talloc_free(creds);
+		return NULL;
+	}
+	creds->account_name = talloc_strdup(creds, client_account);
+	if (!creds->account_name) {
+		talloc_free(creds);
+		return NULL;
+	}
+
+	creds->ex = talloc_zero(creds,
+			struct netlogon_creds_CredentialState_extra_info);
+	if (creds->ex == NULL) {
+		talloc_free(creds);
+		return NULL;
+	}
+	creds->ex->client_requested_flags = client_requested_flags;
+	creds->ex->auth_time = now;
+	if (client_sid != NULL) {
+		creds->ex->client_sid = *client_sid;
+	} else {
+		creds->ex->client_sid = global_sid_NULL;
+	}
+
+	return creds;
+}
+
 /*****************************************************************
 The above functions are common to the client and server interface
 next comes the client specific functions
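Review bot: netlogon_creds_alloc() selects client versus server behaviour by testing `client_sid == NULL` (`creds->sequence = tv.tv_sec;` only in that case, `global_sid_NULL` stored in ex->client_sid otherwise), but nothing documents that convention, and netlogon_creds_server_init() further down now forwards its client_sid argument, so a server caller that passes NULL would silently get the client-side sequence seeding that the old server path never did. Add a header comment, e.g. `/* Shared allocator for client and server credential state. client_sid == NULL means client side: sequence is seeded from the clock and ex->client_sid is the NULL SID; servers must pass the authenticated client's SID. */`, and consider an explicit `bool is_client` parameter if NULL can legitimately reach the server path. The store of `tv.tv_sec` into creds->sequence replaces the old `time(NULL)` assignment; if sequence is narrower than time_t, a short comment that the truncation is deliberate avoids a -Wconversion question later.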
@@ -491,30 +549,23 @@ struct netlogon_creds_CredentialState *netlogon_creds_client_init(TALLOC_CTX *me
 								  const struct netr_Credential *server_challenge,
 								  const struct samr_Password *machine_password,
 								  struct netr_Credential *initial_credential,
+								  uint32_t client_requested_flags,
 								  uint32_t negotiate_flags)
 {
-	struct netlogon_creds_CredentialState *creds = talloc_zero(mem_ctx, struct netlogon_creds_CredentialState);
+	struct netlogon_creds_CredentialState *creds = NULL;
 	NTSTATUS status;
 
+	creds = netlogon_creds_alloc(mem_ctx,
+				     client_account,
+				     client_computer_name,
+				     secure_channel_type,
+				     client_requested_flags,
+				     NULL, /* client_sid */
+				     negotiate_flags);
 	if (!creds) {
 		return NULL;
 	}
 
-	creds->sequence = time(NULL);
-	creds->negotiate_flags = negotiate_flags;
-	creds->secure_channel_type = secure_channel_type;
-
-	creds->computer_name = talloc_strdup(creds, client_computer_name);
-	if (!creds->computer_name) {
-		talloc_free(creds);
-		return NULL;
-	}
-	creds->account_name = talloc_strdup(creds, client_account);
-	if (!creds->account_name) {
-		talloc_free(creds);
-		return NULL;
-	}
-
 	dump_data_pw("Client chall", client_challenge->data, sizeof(client_challenge->data));
 	dump_data_pw("Server chall", server_challenge->data, sizeof(server_challenge->data));
 	dump_data_pw("Machine Pass", machine_password->hash, sizeof(machine_password->hash));
@@ -563,25 +614,6 @@ struct netlogon_creds_CredentialState *netlogon_creds_client_init(TALLOC_CTX *me
 	return creds;
 }
 
-/*
-  initialise the credentials structure with only a session key.  The caller better know what they are doing!
- */
-
-struct netlogon_creds_CredentialState *netlogon_creds_client_init_session_key(TALLOC_CTX *mem_ctx,
-									      const uint8_t session_key[16])
-{
-	struct netlogon_creds_CredentialState *creds;
-
-	creds = talloc_zero(mem_ctx, struct netlogon_creds_CredentialState);
-	if (!creds) {
-		return NULL;
-	}
-
-	memcpy(creds->session_key, session_key, 16);
-
-	return creds;
-}
-
 /*
   step the credentials to the next element in the chain, updating the
   current client and server credentials and the seed
@@ -631,14 +663,34 @@ netlogon_creds_client_authenticator(struct netlogon_creds_CredentialState *creds
 /*
   check that a credentials reply from a server is correct
 */
-bool netlogon_creds_client_check(struct netlogon_creds_CredentialState *creds,
-			const struct netr_Credential *received_credentials)
+NTSTATUS netlogon_creds_client_verify(struct netlogon_creds_CredentialState *creds,
+			const struct netr_Credential *received_credentials,
+			enum dcerpc_AuthType auth_type,
+			enum dcerpc_AuthLevel auth_level)
 {
 	if (!received_credentials ||
 	    !mem_equal_const_time(received_credentials->data, creds->server.data, 8)) {
 		DEBUG(2,("credentials check failed\n"));
+		return NT_STATUS_ACCESS_DENIED;
+	}
+	return NT_STATUS_OK;
+}
+
+bool netlogon_creds_client_check(struct netlogon_creds_CredentialState *creds,
+			const struct netr_Credential *received_credentials)
+{
+	enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
+	enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
+	NTSTATUS status;
+
+	status = netlogon_creds_client_verify(creds,
+					      received_credentials,
+					      auth_type,
+					      auth_level);
+	if (!NT_STATUS_IS_OK(status)) {
 		return false;
 	}
+
 	return true;
 }
 
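Review bot: netlogon_creds_client_verify() accepts auth_type and auth_level but the visible body never reads them, so the new signature promises a transport check it does not yet perform; the same applies to netlogon_creds_server_step_check() and netlogon_creds_crypt_samlogon_validation() in the hunks below. Until the enforcement lands, a comment such as `/* auth_type/auth_level: reserved for enforcing transport protection; not checked yet */` above the parameters stops readers from assuming callers are already protected. netlogon_creds_client_check() hard-codes DCERPC_AUTH_TYPE_NONE/DCERPC_AUTH_LEVEL_NONE, so once the check becomes real every caller still on the bool wrapper bypasses it; the existing "check that a credentials reply from a server is correct" comment now sits above the NTSTATUS variant, and the wrapper deserves its own comment marking it as a legacy entry point. The wrapper body can also shrink to `return NT_STATUS_IS_OK(status);`.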
@@ -676,20 +728,25 @@ struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *me
 								  const struct samr_Password *machine_password,
 								  const struct netr_Credential *credentials_in,
 								  struct netr_Credential *credentials_out,
+								  uint32_t client_requested_flags,
+								  const struct dom_sid *client_sid,
 								  uint32_t negotiate_flags)
 {
-
-	struct netlogon_creds_CredentialState *creds = talloc_zero(mem_ctx, struct netlogon_creds_CredentialState);
+	struct netlogon_creds_CredentialState *creds = NULL;
 	NTSTATUS status;
 	bool ok;
 
+	creds = netlogon_creds_alloc(mem_ctx,
+				     client_account,
+				     client_computer_name,
+				     secure_channel_type,
+				     client_requested_flags,
+				     client_sid,
+				     negotiate_flags);
 	if (!creds) {
 		return NULL;
 	}
 
-	creds->negotiate_flags = negotiate_flags;
-	creds->secure_channel_type = secure_channel_type;
-
 	dump_data_pw("Client chall", client_challenge->data, sizeof(client_challenge->data));
 	dump_data_pw("Server chall", server_challenge->data, sizeof(server_challenge->data));
 	dump_data_pw("Machine Pass", machine_password->hash, sizeof(machine_password->hash));
@@ -708,17 +765,6 @@ struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *me
 		return NULL;
 	}
 
-	creds->computer_name = talloc_strdup(creds, client_computer_name);
-	if (!creds->computer_name) {
-		talloc_free(creds);
-		return NULL;
-	}
-	creds->account_name = talloc_strdup(creds, client_account);
-	if (!creds->account_name) {
-		talloc_free(creds);
-		return NULL;
-	}
-
 	if (negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
 		status = netlogon_creds_init_hmac_sha256(creds,
 							 client_challenge,
@@ -778,7 +824,9 @@ struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *me
 
 NTSTATUS netlogon_creds_server_step_check(struct netlogon_creds_CredentialState *creds,
 				 const struct netr_Authenticator *received_authenticator,
-				 struct netr_Authenticator *return_authenticator)
+				 struct netr_Authenticator *return_authenticator,
+				 enum dcerpc_AuthType auth_type,
+				 enum dcerpc_AuthLevel auth_level)
 {
 	NTSTATUS status;
 
@@ -810,6 +858,8 @@ NTSTATUS netlogon_creds_server_step_check(struct netlogon_creds_CredentialState
 static NTSTATUS netlogon_creds_crypt_samlogon_validation(struct netlogon_creds_CredentialState *creds,
 							 uint16_t validation_level,
 							 union netr_Validation *validation,
+							 enum dcerpc_AuthType auth_type,
+							 enum dcerpc_AuthLevel auth_level,
 							 bool do_encrypt)
 {
 	struct netr_SamBaseInfo *base = NULL;
@@ -925,27 +975,37 @@ static NTSTATUS netlogon_creds_crypt_samlogon_validation(struct netlogon_creds_C
 
 NTSTATUS netlogon_creds_decrypt_samlogon_validation(struct netlogon_creds_CredentialState *creds,
 						    uint16_t validation_level,
-						    union netr_Validation *validation)
+						    union netr_Validation *validation,
+						    enum dcerpc_AuthType auth_type,
+						    enum dcerpc_AuthLevel auth_level)
 {
 	return netlogon_creds_crypt_samlogon_validation(creds,
 							validation_level,
 							validation,
+							auth_type,
+							auth_level,
 							false);
 }
 
 NTSTATUS netlogon_creds_encrypt_samlogon_validation(struct netlogon_creds_CredentialState *creds,
 						    uint16_t validation_level,
-						    union netr_Validation *validation)
+						    union netr_Validation *validation,
+						    enum dcerpc_AuthType auth_type,
+						    enum dcerpc_AuthLevel auth_level)
 {
 	return netlogon_creds_crypt_samlogon_validation(creds,
 							validation_level,
 							validation,
+							auth_type,
+							auth_level,
 							true);

