<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html lang="en">
<head>
<meta content="text/html; charset=US-ASCII" http-equiv="Content-Type">
<title>
GitLab
</title>
<style>img {
max-width: 100%; height: auto;
}
</style>
</head>
<body>
<div class="content">
<h3>
Salvatore Bonaccorso pushed to branch buster-security
at <a href="https://salsa.debian.org/samba-team/samba">Debian Samba Team / samba</a>
</h3>
<h4>
Commits:
</h4>
<ul>
<li>
<strong><a href="https://salsa.debian.org/samba-team/samba/-/commit/075a0298b1ac07686e9dcc7b8b639f2b64744e27">075a0298</a></strong>
<div>
<span>by Andrew Bartlett</span>
<i>at 2021-11-22T13:43:22+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">CVE-2020-25722 Ensure the structural objectclass cannot be changed
If the structural objectclass is allowed to change, then the restrictions
locking an object to remaining a user or computer will not be enforcable.
Likewise other LDAP inheritance rules, which allow only certain
child objects can be bypassed, which can in turn allow creation of
(unprivileged) users where only DNS objects were expected.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14889
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
[jsutton@samba.org Adapted knownfails to ad_dc_ntvfs and fixed knownfail
conflicts]
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/samba-team/samba/-/commit/799d8e078616e18463af6d4433634b090cd6e7ae">799d8e07</a></strong>
<div>
<span>by Andrew Bartlett</span>
<i>at 2021-11-22T13:43:31+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">CVE-2020-25722 dsdb: Restrict the setting of privileged attributes during LDAP add/modify
The remaining failures in the priv_attrs (not the strict one) test are
due to missing objectclass constraints on the administrator which should
be addressed, but are not a security issue.
A better test for confirming constraints between objectclass and
userAccountControl UF_NORMAL_ACCONT/UF_WORKSTATION_TRUST values would
be user_account_control.py.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14703
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14778
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14775
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/samba-team/samba/-/commit/b12ef30250911b91539094bc7895ccd3bb7d374f">b12ef302</a></strong>
<div>
<span>by Salvatore Bonaccorso</span>
<i>at 2021-11-22T13:49:28+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add patches for CVE-2020-25722
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/samba-team/samba/-/commit/c46ccd69e2dddd271fa3ed7d424361d461a817be">c46ccd69</a></strong>
<div>
<span>by Ralph Boehme</span>
<i>at 2021-11-22T13:51:27+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">s3/auth: use set_current_user_info() in auth3_generate_session_info_pac()
This delays reloading config slightly, but I don't see how could affect
observable behaviour other then log messages coming from the functions in
between the different locations for lp_load_with_shares() like
make_session_info_krb5() are sent to a different logfile if "log file" uses %U.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit dc4b1e39ce1f2201a2d6ae2d4cffef2448f69a62)
[scabrero@samba.org Prerequisite for CVE-2020-25717 backport]
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/samba-team/samba/-/commit/bad7935b16598764b24815e7c21464c30d4ed1c4">bad7935b</a></strong>
<div>
<span>by Samuel Cabrero</span>
<i>at 2021-11-22T13:51:27+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">selftest: Fix ktest usermap file
The user was not mapped:
user_in_list: checking user |KTEST/administrator| against |KTEST\Administrator|
The user 'KTEST/administrator' has no mapping. Skip it next time.
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
[scabrero@samba.org Once smb_getpswnam() fallbacks are removed the user
has to be mapped]
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/samba-team/samba/-/commit/98da177d89c201826a4b8f10a64342f59156a9d5">98da177d</a></strong>
<div>
<span>by Stefan Metzmacher</span>
<i>at 2021-11-22T13:51:27+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">selftest/Samba3: replace (winbindd => "yes", skip_wait => 1) with (winbindd => "offline")
This is much more flexible and concentrates the logic in a single place.
We'll use winbindd => "offline" in other places soon.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14870
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 4dc3c68c9a28f71888e3d6dd3b1f0bcdb8fa45de)
(cherry picked from commit 89b9cb8b786c3e4eb8691b5363390b68d8228a2d)
[scabrero@samba.org Backported to 4.10]
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/samba-team/samba/-/commit/4d5d75d73c8d496a557d6b49e4d6b84b200e66f2">4d5d75d7</a></strong>
<div>
<span>by Stefan Metzmacher</span>
<i>at 2021-11-22T13:51:27+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">CVE-2020-25719 CVE-2020-25717: selftest: remove "gensec:require_pac" settings
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/samba-team/samba/-/commit/c644de47b98e4dff44efcf58d7262e77ae4a401d">c644de47</a></strong>
<div>
<span>by Stefan Metzmacher</span>
<i>at 2021-11-22T13:51:27+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">CVE-2020-25717: s3:winbindd: make sure we default to r->out.authoritative = true
We need to make sure that temporary failures don't trigger a fallback
to the local SAM that silently ignores the domain name part for users.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org>
[scabrero@samba.org Backported for 4.10 due to no logon_id for
log_authentication() neither is_allowed_domain()]
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/samba-team/samba/-/commit/505ffe1d9c8788a6ff0d853db2df40c43f806b4c">505ffe1d</a></strong>
<div>
<span>by Stefan Metzmacher</span>
<i>at 2021-11-22T13:51:27+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">CVE-2020-25717: s4:auth/ntlm: make sure auth_check_password() defaults to r->out.authoritative = true
We need to make sure that temporary failures don't trigger a fallback
to the local SAM that silently ignores the domain name part for users.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/samba-team/samba/-/commit/309d04765d790f5da8cbc4e99986b1ece0eaff2e">309d0476</a></strong>
<div>
<span>by Stefan Metzmacher</span>
<i>at 2021-11-22T13:51:27+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">CVE-2020-25717: s4:torture: start with authoritative = 1
This is not strictly needed, but makes it easier to audit
that we don't miss important places.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/samba-team/samba/-/commit/88608552fde83b8d3350f30ad6924125d7c66883">88608552</a></strong>
<div>
<span>by Stefan Metzmacher</span>
<i>at 2021-11-22T13:51:27+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">CVE-2020-25717: s4:smb_server: start with authoritative = 1
This is not strictly needed, but makes it easier to audit
that we don't miss important places.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/samba-team/samba/-/commit/0bf999f5f614b90b5d3ccecf13962fa9a90a9805">0bf999f5</a></strong>
<div>
<span>by Stefan Metzmacher</span>
<i>at 2021-11-22T13:51:27+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">CVE-2020-25717: s4:auth_simple: start with authoritative = 1
This is not strictly needed, but makes it easier to audit
that we don't miss important places.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/samba-team/samba/-/commit/d175d1a87b0a8b86982be1f3bc0fec27d7b142a4">d175d1a8</a></strong>
<div>
<span>by Stefan Metzmacher</span>
<i>at 2021-11-22T13:51:27+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">CVE-2020-25717: s3:ntlm_auth: start with authoritative = 1
This is not strictly needed, but makes it easier to audit
that we don't miss important places.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/samba-team/samba/-/commit/026d3cfef10d01b165ab17db9f2084e0f3e5987e">026d3cfe</a></strong>
<div>
<span>by Stefan Metzmacher</span>
<i>at 2021-11-22T13:51:27+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">CVE-2020-25717: s3:torture: start with authoritative = 1
This is not strictly needed, but makes it easier to audit
that we don't miss important places.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org>
[scabrero@samba.org Backported to 4.10 due to missing commit
a5548af018643f2e78c482e33ef0e6073db149e4 to check return value
of SMBOWFencrypt()]
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/samba-team/samba/-/commit/0f4893faf19624049a4cae95473aeeb5c373be4c">0f4893fa</a></strong>
<div>
<span>by Stefan Metzmacher</span>
<i>at 2021-11-22T13:51:27+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">CVE-2020-25717: s3:rpcclient: start with authoritative = 1
This is not strictly needed, but makes it easier to audit
that we don't miss important places.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/samba-team/samba/-/commit/d71bda264d2715374ecd72cbd77caa8a7e374c84">d71bda26</a></strong>
<div>
<span>by Stefan Metzmacher</span>
<i>at 2021-11-22T13:51:27+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">CVE-2020-25717: s3:auth: start with authoritative = 1
This is not strictly needed, but makes it easier to audit
that we don't miss important places.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org>
[scabrero@samba.org Backported to 4.10 due to missing commits
7f75dec865256049e99f7fcf46317cd2d53e95d1 and
434030ba711e677fdd167a255d05c1cd4db943b7]
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/samba-team/samba/-/commit/5cd521836dda5ccbf98789056cca0a58b40446aa">5cd52183</a></strong>
<div>
<span>by Stefan Metzmacher</span>
<i>at 2021-11-22T13:51:27+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">CVE-2020-25717: auth/ntlmssp: start with authoritative = 1
This is not strictly needed, but makes it easier to audit
that we don't miss important places.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/samba-team/samba/-/commit/59c8f7212368332e6e619a7a2097c9601d911b27">59c8f721</a></strong>
<div>
<span>by Samuel Cabrero</span>
<i>at 2021-11-22T13:51:27+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">CVE-2020-25717: loadparm: Add new parameter "min domain uid"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
[abartlet@samba.org Backported from master/4.15 due to
conflicts with other new parameters]
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/samba-team/samba/-/commit/b670388f2a6ac377a0500c5029e1398b291e8d1f">b670388f</a></strong>
<div>
<span>by Stefan Metzmacher</span>
<i>at 2021-11-22T13:51:27+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() forward the low level errors
Mapping everything to ACCESS_DENIED makes it hard to debug problems,
which may happen because of our more restrictive behaviour in future.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/samba-team/samba/-/commit/cb358a513a9156dc11ca6b45891d1406a9614f74">cb358a51</a></strong>
<div>
<span>by Samuel Cabrero</span>
<i>at 2021-11-22T13:51:27+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">CVE-2020-25717: s3:auth: Check minimum domain uid
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/samba-team/samba/-/commit/16f14c3024a195aa97ea84210e34cb8a69fc02de">16f14c30</a></strong>
<div>
<span>by Stefan Metzmacher</span>
<i>at 2021-11-22T13:51:27+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">CVE-2020-25717: s3:auth: we should not try to autocreate the guest account
We should avoid autocreation of users as much as possible.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/samba-team/samba/-/commit/118260ff644ec3b0b392e03d84c82df357c46a46">118260ff</a></strong>
<div>
<span>by Stefan Metzmacher</span>
<i>at 2021-11-22T13:51:27+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">CVE-2020-25717: s3:auth: no longer let check_account() autocreate local users
So far we autocreated local user accounts based on just the
account_name (just ignoring any domain part).
This only happens via a possible 'add user script',
which is not typically defined on domain members
and on NT4 DCs local users already exist in the
local passdb anyway.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
Signed-off-by: Stefan Metzmacher <metze@samba.org>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/samba-team/samba/-/commit/29b11916adfeb42a62106db30e0dc0f634b8df40">29b11916</a></strong>
<div>
<span>by Ralph Boehme</span>
<i>at 2021-11-22T13:51:27+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">CVE-2020-25717: s3:auth: remove fallbacks in smb_getpwnam()
So far we tried getpwnam("DOMAIN\account") first and
always did a fallback to getpwnam("account") completely
ignoring the domain part, this just causes problems
as we mix "DOMAIN1\account", "DOMAIN2\account",
and "account"!
As we require a running winbindd for domain member setups
we should no longer do a fallback to just "account" for
users served by winbindd!
For users of the local SAM don't use this code path,
as check_sam_security() doesn't call check_account().
The only case where smb_getpwnam("account") happens is
when map_username() via ("username map [script]") mapped
"DOMAIN\account" to something without '\', but that is
explicitly desired by the admin.
Note: use 'git show -w'
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
[scabrero@samba.org Backported to 4.9 removing
selftest/knownfail.d/ktest after fixing user mapping in ktest
environment]
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/samba-team/samba/-/commit/402283b9cd0a2fe4051ffc1b4d09cf5474eb3e24">402283b9</a></strong>
<div>
<span>by Stefan Metzmacher</span>
<i>at 2021-11-22T13:51:27+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">CVE-2020-25717: s3:auth: don't let create_local_token depend on !winbind_ping()
We always require a running winbindd on a domain member, so
we should better fail a request instead of silently alter
the behaviour, which results in a different unix token, just
because winbindd might be restarted.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/samba-team/samba/-/commit/b8f184b82475f641442452396d5969ea0b99df8c">b8f184b8</a></strong>
<div>
<span>by Stefan Metzmacher</span>
<i>at 2021-11-22T13:51:27+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">CVE-2020-25717: auth/gensec: always require a PAC in domain mode (DC or member)
AD domains always provide a PAC unless UF_NO_AUTH_DATA_REQUIRED is set
on the service account, which can only be explicitly configured,
but that's an invalid configuration!
We still try to support standalone servers in an MIT realm,
as legacy setup.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/samba-team/samba/-/commit/12d6a5c7fbad4004ee683bbc941028bb36e67632">12d6a5c7</a></strong>
<div>
<span>by Stefan Metzmacher</span>
<i>at 2021-11-22T13:51:27+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">CVE-2020-25717: s4:auth: remove unused auth_generate_session_info_principal()
We'll require a PAC at the main gensec layer already.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org>
[abartlet@samba.org Backported from master/4.15 as
check_password is sync in 4.14]
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/samba-team/samba/-/commit/a458985792ddc920aee4c9626986a3ebcfb7a60e">a4589857</a></strong>
<div>
<span>by Stefan Metzmacher</span>
<i>at 2021-11-22T13:51:27+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">CVE-2020-25717: s3:ntlm_auth: fix memory leaks in ntlm_auth_generate_session_info_pac()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/samba-team/samba/-/commit/fb06852f77c0f064243a1000457ad543582f8f62">fb06852f</a></strong>
<div>
<span>by Stefan Metzmacher</span>
<i>at 2021-11-22T13:51:27+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">CVE-2020-25717: s3:ntlm_auth: let ntlm_auth_generate_session_info_pac() base the name on the PAC LOGON_INFO only
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/samba-team/samba/-/commit/f96d694550043b3319d6f6d5e74a6d45dd8804c1">f96d6945</a></strong>
<div>
<span>by Stefan Metzmacher</span>
<i>at 2021-11-22T13:51:27+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() delegate everything to make_server_info_wbcAuthUserInfo()
This consolidates the code paths used for NTLMSSP and Kerberos!
I checked what we were already doing for NTLMSSP, which is this:
a) source3/auth/auth_winbind.c calls wbcAuthenticateUserEx()
b) as a domain member we require a valid response from winbindd,
otherwise we'll return NT_STATUS_NO_LOGON_SERVERS
c) we call make_server_info_wbcAuthUserInfo(), which internally
calls make_server_info_info3()
d) auth_check_ntlm_password() calls
smb_pam_accountcheck(unix_username, rhost), where rhost
is only an ipv4 or ipv6 address (without reverse dns lookup)
e) from auth3_check_password_send/auth3_check_password_recv()
server_returned_info will be passed to auth3_generate_session_info(),
triggered by gensec_session_info(), which means we'll call into
create_local_token() in order to transform auth_serversupplied_info
into auth_session_info.
For Kerberos gensec_session_info() will call
auth3_generate_session_info_pac() via the gensec_generate_session_info_pac()
helper function. The current logic is this:
a) gensec_generate_session_info_pac() is the function that
evaluates the 'gensec:require_pac', which defaulted to 'no'
before.
b) auth3_generate_session_info_pac() called
wbcAuthenticateUserEx() in order to pass the PAC blob
to winbindd, but only to prime its cache, e.g. netsamlogon cache
and others. Most failures were just ignored.
c) If the PAC blob is available, it extracted the PAC_LOGON_INFO
from it.
d) Then we called the horrible get_user_from_kerberos_info() function:
- It uses a first part of the tickets principal name (before the @)
as username and combines that with the 'logon_info->base.logon_domain'
if the logon_info (PAC) is present.
- As a fallback without a PAC it's tries to ask winbindd for a mapping
from realm to netbios domain name.
- Finally is falls back to using the realm as netbios domain name
With this information is builds 'userdomain+winbind_separator+useraccount'
and calls map_username() followed by smb_getpwnam() with create=true,
Note this is similar to the make_server_info_info3() => check_account()
=> smb_getpwnam() logic under 3.
- It also calls smb_pam_accountcheck(), but may pass the reverse DNS lookup name
instead of the ip address as rhost.
- It does some MAP_TO_GUEST_ON_BAD_UID logic and auto creates the
guest account.
e) We called create_info3_from_pac_logon_info()
f) make_session_info_krb5() calls gets called and triggers this:
- If get_user_from_kerberos_info() mapped to guest, it calls
make_server_info_guest()
- If create_info3_from_pac_logon_info() created a info3 from logon_info,
it calls make_server_info_info3()
- Without a PAC it tries pdb_getsampwnam()/make_server_info_sam() with
a fallback to make_server_info_pw()
From there it calls create_local_token()
I tried to change auth3_generate_session_info_pac() to behave similar
to auth_winbind.c together with auth3_generate_session_info() as
a domain member, as we now rely on a PAC:
a) As domain member we require a PAC and always call wbcAuthenticateUserEx()
and require a valid response!
b) we call make_server_info_wbcAuthUserInfo(), which internally
calls make_server_info_info3(). Note make_server_info_info3()
handles MAP_TO_GUEST_ON_BAD_UID and make_server_info_guest()
internally.
c) Similar to auth_check_ntlm_password() we now call
smb_pam_accountcheck(unix_username, rhost), where rhost
is only an ipv4 or ipv6 address (without reverse dns lookup)
d) From there it calls create_local_token()
As standalone server (in an MIT realm) we continue
with the already existing code logic, which works without a PAC:
a) we keep smb_getpwnam() with create=true logic as it
also requires an explicit 'add user script' option.
b) In the following commits we assert that there's
actually no PAC in this mode, which means we can
remove unused and confusing code.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14646
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org>
[abartlet@samba.org Backported due to change in structure
initialization with { 0 } to zero ]
[abartlet@samba.org backported to 4.12 due to conflict
with code not present to reload shared on krb5 login]
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/samba-team/samba/-/commit/6d7cf6bc3d3d7e243f5e0c5331bbcd20743ab819">6d7cf6bc</a></strong>
<div>
<span>by Stefan Metzmacher</span>
<i>at 2021-11-22T13:51:27+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">CVE-2020-25717: selftest: configure 'ktest' env with winbindd and idmap_autorid
The 'ktest' environment was/is designed to test kerberos in an active
directory member setup. It was created at a time we wanted to test
smbd/winbindd with kerberos without having the source4 ad dc available.
This still applies to testing the build with system krb5 libraries
but without relying on a running ad dc.
As a domain member setup requires a running winbindd, we should test it
that way, in order to reflect a valid setup.
As a side effect it provides a way to demonstrate that we can accept
smb connections authenticated via kerberos, but no connection to
a domain controller! In order get this working offline, we need an
idmap backend with ID_TYPE_BOTH support, so we use 'autorid', which
should be the default choice.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14646
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org>
[scabrero@samba.org Backported to 4.11 Run winbindd in offline mode
but keep the user name mapping to avoid having to backport fixes
for bso#14539]
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/samba-team/samba/-/commit/cd30eb98fc8a914c137d94e86e255e1340a2b8d3">cd30eb98</a></strong>
<div>
<span>by Stefan Metzmacher</span>
<i>at 2021-11-22T13:51:27+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() reject a PAC in standalone mode
We should be strict in standalone mode, that we only support MIT realms
without a PAC in order to keep the code sane.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org>
[abartlet@samba.org Backported to Samba 4.12 has conflcits
as the share reload code is in a different spot]
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/samba-team/samba/-/commit/4b4d8fa509c713f6ee909ae6badf045f0a0dd41f">4b4d8fa5</a></strong>
<div>
<span>by Stefan Metzmacher</span>
<i>at 2021-11-22T13:51:27+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">CVE-2020-25717: s3:auth: simplify get_user_from_kerberos_info() by removing the unused logon_info argument
This code is only every called in standalone mode on a MIT realm,
it means we never have a PAC and we also don't have winbindd arround.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/samba-team/samba/-/commit/beb0739af0accc6c23617ea06dbaa6f3a3f91bed">beb0739a</a></strong>
<div>
<span>by Stefan Metzmacher</span>
<i>at 2021-11-22T13:51:27+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">CVE-2020-25717: s3:auth: simplify make_session_info_krb5() by removing unused arguments
This is only ever be called in standalone mode with an MIT realm,
so we don't have a PAC/info3 structure.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/samba-team/samba/-/commit/3d75e2a796d321096974ec9d21ff67683c82fb5f">3d75e2a7</a></strong>
<div>
<span>by Salvatore Bonaccorso</span>
<i>at 2021-11-22T13:52:11+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add patches for CVE-2020-25717
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/samba-team/samba/-/commit/ee57b9179bb34133153765d1142faf797546435d">ee57b917</a></strong>
<div>
<span>by Volker Lendecke</span>
<i>at 2021-11-22T19:24:43+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">lib: Add dom_sid_str_buf
This is modeled after server_id_str_buf, which as an API to me is easier to
use: I can rely on the compiler to get the buffer size right.
It is designed to violate README.Coding's "Make use of helper variables", but
as this API is simple enough and the output should never be a surprise at all,
I think that's worth it.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Nov 2 20:11:11 CET 2018 on sn-devel-144
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/samba-team/samba/-/commit/aee43c9d548ce10ff89d6398098a718bdad62025">aee43c9d</a></strong>
<div>
<span>by Salvatore Bonaccorso</span>
<i>at 2021-11-22T19:25:07+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add "lib: Add dom_sid_str_buf" patch
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/samba-team/samba/-/commit/bca1a7280e2aa02ac3605cddf11f71abf7ce1f37">bca1a728</a></strong>
<div>
<span>by Stefan Metzmacher</span>
<i>at 2021-11-22T19:25:08+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">CVE-2020-25717: idmap_nss: verify that the name of the sid belongs to the configured domain
We already check the sid belongs to the domain, but checking the name
too feels better and make it easier to understand.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
[abartlet@samba.org backorted from commit bfd093648b4af51d104096c0cb3535e8706671e5
as header libcli/security/dom_sid.h was not present for struct dom_sid_buf]
[abartlet@samba.org fix CVE marker]
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/samba-team/samba/-/commit/8a2243bcf80da2df362d32f4e3f42a715330add5">8a2243bc</a></strong>
<div>
<span>by Andrew Bartlett</span>
<i>at 2021-11-22T19:25:08+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">CVE-2020-25717: s3:auth: Fallback to a SID/UID based mapping if the named based lookup fails
Before the CVE-2020-25717 fixes we had a fallback from
getpwnam('DOMAIN\user') to getpwnam('user') which was very dangerous and
unpredictable.
Now we do the fallback based on sid_to_uid() followed by
getpwuid() on the returned uid.
This obsoletes 'username map [script]' based workaround adviced
for CVE-2020-25717, when nss_winbindd is not used or
idmap_nss is actually used.
In future we may decide to prefer or only do the SID/UID based
lookup, but for now we want to keep this unchanged as much as possible.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
[metze@samba.org moved the new logic into the fallback codepath only
in order to avoid behavior changes as much as possible]
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Mon Nov 15 19:01:56 UTC 2021 on sn-devel-184
[abartlet@samba.org backported from commit 0a546be05295a7e4a552f9f4f0c74aeb2e9a0d6e
as usage.py is not present in Samba 4.10]
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/samba-team/samba/-/commit/ac4ae3a12f8447b43f7644b97702c56272df7bdb">ac4ae3a1</a></strong>
<div>
<span>by Salvatore Bonaccorso</span>
<i>at 2021-11-22T19:25:26+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add patches to address upstream bug 14901
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/samba-team/samba/-/commit/5fd01fe53af1e855e234bcc3569d88be3942462c">5fd01fe5</a></strong>
<div>
<span>by Mathieu Parent</span>
<i>at 2021-11-25T10:11:49+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Drop libparse-pidl-perl package (Closes: #939419)
See also https://gitlab.com/samba-team/samba/commit/e24e344d0da58013fd5fa404529fe1d25ef403bf
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/samba-team/samba/-/commit/46d2d5ca348d75d7f626accce37e9dae4c5a3c1e">46d2d5ca</a></strong>
<div>
<span>by Lutz Justen</span>
<i>at 2021-11-25T10:11:49+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">waf: install: Remove installation of PIDL and manpages.
It's not used outside of Samba other than wireshark
who have their own vendor fork.
Signed-off-by: Lutz Justen <ljusten@google.com>
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Apr 23 02:08:56 UTC 2019 on sn-devel-144
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/samba-team/samba/-/commit/d374540abd5365974d6bfce81fb53bd3fe37b3ca">d374540a</a></strong>
<div>
<span>by Salvatore Bonaccorso</span>
<i>at 2021-11-25T10:11:49+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add patch to remove installation of PIDL and manpages
Gbp-Dch: Ignore
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/samba-team/samba/-/commit/6abbb5ee46bee080b3a0d79c7b06410f68895dbf">6abbb5ee</a></strong>
<div>
<span>by Salvatore Bonaccorso</span>
<i>at 2021-11-27T10:35:09+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Prepare changelog for release
Gbp-Dch: Ignore
</pre>
</li>
</ul>
<h4>30 changed files:</h4>
<ul>
<li class="file-stats">
<a href="#ad462ff026e43477e18e9b8f1bb1a8ba607251c9">
auth/gensec/gensec_util.c
</a>
</li>
<li class="file-stats">
<a href="#df1151fa8fcf1360a4878d0376c50ac14f9e97f6">
auth/ntlmssp/ntlmssp_server.c
</a>
</li>
<li class="file-stats">
<a href="#9c96da0e9f91d7d8937b69b524702c106258f0d1">
debian/changelog
</a>
</li>
<li class="file-stats">
<a href="#58ef006ab62b83b4bec5d81fe5b32c3b4c2d1cc2">
debian/control
</a>
</li>
<li class="file-stats">
<a href="#5ed562e4a63d2c8af0519456dafbed8cb590c193">
<span class="deleted-file">
−
debian/libparse-pidl-perl.install
</span>
</a>
</li>
<li class="file-stats">
<a href="#91674022117899b359e3ce1611dc06a4ed6257bc">
<span class="new-file">
+
debian/patches/CVE-2020-25717-only-4.9-v2.patch
</span>
</a>
</li>
<li class="file-stats">
<a href="#815f2d7b02cecdda6a3565416c251a4daa63e7ec">
<span class="new-file">
+
debian/patches/CVE-2020-25722.patch
</span>
</a>
</li>
<li class="file-stats">
<a href="#8f2c0d90be79e53e41444dc89cf45491ef784da7">
<span class="new-file">
+
debian/patches/bug-14901-v4-9.patch
</span>
</a>
</li>
<li class="file-stats">
<a href="#b64254f2f26912a18eacf7b33b730e6f4a1d7716">
<span class="new-file">
+
debian/patches/lib-Add-dom_sid_str_buf.patch
</span>
</a>
</li>
<li class="file-stats">
<a href="#bc34014ab4b9a49dd7a27bdd8d352912607c3a96">
debian/patches/series
</a>
</li>
<li class="file-stats">
<a href="#af55fad7d2204b68ecfbf4f3b6a472f11621a4ab">
<span class="new-file">
+
debian/patches/waf-install-Remove-installation-of-PIDL-and-manpages.patch
</span>
</a>
</li>
<li class="file-stats">
<a href="#8756c63497c8dc39f7773438edf53b220c773f67">
debian/rules
</a>
</li>
<li class="file-stats">
<a href="#e90260f9d34d934aab708bffa1712d01fa313568">
<span class="new-file">
+
docs-xml/smbdotconf/security/mindomainuid.xml
</span>
</a>
</li>
<li class="file-stats">
<a href="#37cf2499435d138e020d1f4e179764953ef7f552">
docs-xml/smbdotconf/winbind/idmapconfig.xml
</a>
</li>
<li class="file-stats">
<a href="#fbb3f1718cad69fee6aae7b7b8aaf112fb9cb234">
lib/param/loadparm.c
</a>
</li>
<li class="file-stats">
<a href="#be1466c153b66e053ea0aff48bbc4e1deedb53d4">
libcli/security/dom_sid.c
</a>
</li>
<li class="file-stats">
<a href="#0d3af02a728c3ea8fce09362298b415a7532ca02">
libcli/security/dom_sid.h
</a>
</li>
<li class="file-stats">
<a href="#eedd02f1ed480904d931a918871c432a8a920faa">
<span class="deleted-file">
−
pidl/lib/wscript_build
</span>
</a>
</li>
<li class="file-stats">
<a href="#9c24f31cf6658ab832744873b677abe4e88ecebf">
pidl/wscript
</a>
</li>
<li class="file-stats">
<a href="#da5ed75d04db4590bd601744a0efa4ad8fe3512b">
selftest/selftest.pl
</a>
</li>
<li class="file-stats">
<a href="#527e1033d396107d2be275d0ed231501759e6241">
selftest/target/Samba3.pm
</a>
</li>
<li class="file-stats">
<a href="#11a7c9c031f6cbcab27336fa4462b9dd072c9715">
selftest/target/Samba4.pm
</a>
</li>
<li class="file-stats">
<a href="#c2c72fcfd70f4660bebbfde80128eb197d28cff4">
source3/auth/auth_generic.c
</a>
</li>
<li class="file-stats">
<a href="#bd3819b9d79f62c1e06f1dc994b603c9f39f10bd">
source3/auth/auth_samba4.c
</a>
</li>
<li class="file-stats">
<a href="#75da9ab2eaeabdc178525139e33c89872342a71f">
source3/auth/auth_util.c
</a>
</li>
<li class="file-stats">
<a href="#2851efe530b8c3fb62d7e1ee4428d5ca6236a6fc">
source3/auth/proto.h
</a>
</li>
<li class="file-stats">
<a href="#defb48b78bfc4cb79ea64d5664f98ce55df73a39">
source3/auth/user_krb5.c
</a>
</li>
<li class="file-stats">
<a href="#3d03994c429eb178d9848811bb36ea898842970b">
source3/param/loadparm.c
</a>
</li>
<li class="file-stats">
<a href="#5ca007c1f539e17846076e7df961c0ab5dad1e34">
source3/rpcclient/cmd_netlogon.c
</a>
</li>
<li class="file-stats">
<a href="#4811423cddd67b2890b56c75a8d35c7c7a47f6fa">
source3/torture/pdbtest.c
</a>
</li>
</ul>
<h5>The diff was not included because it is too large.</h5>
</div>
<div class="footer" style="margin-top: 10px;">
<p style="font-size: small; color: #666;">
—
<br>
<a href="https://salsa.debian.org/samba-team/samba/-/compare/cc11659f797c58937e9c3c2a0851444c55921555...6abbb5ee46bee080b3a0d79c7b06410f68895dbf">View it on GitLab</a>.
<br>
You're receiving this email because of your account on salsa.debian.org.
If you'd like to receive fewer emails, you can
adjust your notification settings.
</p>
</div>
</body>
</html>