[Pkg-samba-maint] [Git][samba-team/samba][master] 294 commits: VERSION: Bump version up to Samba 4.13.14...
Mathieu Parent (@sathieu)
gitlab at salsa.debian.org
Tue Nov 9 20:20:21 GMT 2021
Mathieu Parent pushed to branch master at Debian Samba Team / samba
Commits:
6671c881 by Jule Anger at 2021-10-29T08:12:27+02:00
VERSION: Bump version up to Samba 4.13.14...
and re-enable GIT_SNAPSHOT.
Signed-off-by: Jule Anger <janger at samba.org>
- - - - -
0c32ab5f by Douglas Bagnall at 2021-11-02T21:52:16+00:00
ldb/attrib_handler casefold: simplify space dropping
As seen in CVE-2021-20277, ldb_handler_fold() has been making mistakes
when collapsing spaces down to a single space.
This patch fixes the way it handles internal spaces (CVE-2021-20277
was about leading spaces), and involves a rewrite of the parsing loop.
The bug has a detailed description of the problem.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14656
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Wed Apr 7 03:16:39 UTC 2021 on sn-devel-184
(cherry picked from commit 24ddc1ca9cad95673bdd8023d99867707b37085f)
- - - - -
e431362a by Douglas Bagnall at 2021-11-02T21:52:16+00:00
ldb_match: trailing chunk must match end of string
A wildcard search is divided into chunks by the asterisks. While most
chunks match the first suitable string, the last chunk matches the
last possible string (unless there is a trailing asterisk, in which
case this distinction is moot).
We always knew this in our hearts, but we tried to do it in a funny
complicated way that stepped through the string, comparing here and
there, leading to CVE-2019-3824 and missed matches (bug 14044).
With this patch, we just jump to the end of the string and compare it.
As well as being correct, this should also improve performance, as the
previous algorithm involved a quadratic loop of erroneous memmem()s.
See https://tools.ietf.org/html/rfc4517
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14044
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Björn Jacke <bjacke at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit cc098f1cad04b2cfec4ddd6b2511cd5a600f31c6)
- - - - -
cb04bfc5 by Douglas Bagnall at 2021-11-02T21:52:16+00:00
ldb: fix ldb_comparison_fold off-by-one overrun
We run one character over in comparing all the bytes in two ldb_vals.
In almost all circumstances both ldb_vals would have an allocated '\0'
in the overrun position, but it is best not to rely on that.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 2b2f4f519454beb6f2a46705675a62274019fc09)
- - - - -
f2c0ab2d by Stefan Metzmacher at 2021-11-02T21:52:16+00:00
pyldb: catch potential overflow error in py_timestring
Pair-Programmed-With: Björn Baumbach <bb at sernet.de>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Björn Baumbach <bb at sernet.de>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 71e8b24b8a031de26b21539e36a60f459257d2fd)
- - - - -
7e8d2bcc by Douglas Bagnall at 2021-11-02T21:52:16+00:00
ldb_match: remove redundant check
We already ensure the no-trailing-asterisk case ends at the end of the
string.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14044
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Björn Jacke <bjacke at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit fa93339978040eab52b2722c1716028b48d8d084)
- - - - -
933fbc8c by Joseph Sutton at 2021-11-02T21:52:16+00:00
pyldb: Fix Message.items() for a message containing elements
Previously, message elements were being freed before the call to
Py_BuildValue(), resulting in an exception being raised. Additionally,
only the first element of the returned list was ever assigned to.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit 3e4ec0a90a222c1cff4a91912afc703ca4cbbb0e)
- - - - -
e96b3f71 by Andreas Schneider at 2021-11-02T21:52:16+00:00
lib:ldb: Add missing break in switch statement
error: unannotated fall-through between switch labels [-Werror,-Wimplicit-fallthrough]
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 1ffacac547a8ce29c6696dda73991a8db7e34dfd)
- - - - -
1253ee80 by Douglas Bagnall at 2021-11-02T21:52:16+00:00
ldb.h: remove undefined async_ctx function signatures
These functions do not exist.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 1a05b58edaf96e7da707f9ad0a237551dbe13eb5)
- - - - -
90729aed by Douglas Bagnall at 2021-11-02T21:52:16+00:00
ldb: correct comments in attrib_handers val_to_int64
c.f. the identical static function in lib/ldb-samba/ldif_handlers.c
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 46e6f6ef8436df7e083f34556c25f66f65ea1ce5)
- - - - -
bbc5373b by Douglas Bagnall at 2021-11-02T21:52:16+00:00
ldb: improve comments for ldb_module_connect_backend()
There is no flags argument.
There are more URI forms.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 48068a58df0313cd904f27e2c918ee10275ae373)
- - - - -
5363e034 by Björn Baumbach at 2021-11-02T21:52:16+00:00
pyldb: fix a typo
Signed-off-by: Björn Baumbach <bb at sernet.de>
Reviewed-by: Rowland penny <rpenny at samba.org>
(cherry picked from commit 6fcde09f093db5d26c582a3c28531265f06b9fde)
- - - - -
68d736a7 by Andreas Schneider at 2021-11-02T21:52:16+00:00
lib:ldb: Use C99 initializers for builtin_popt_options[]
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit a593065c7f22e17434f33d0132cc6a7073acf414)
- - - - -
7dd52901 by Andreas Schneider at 2021-11-02T21:52:16+00:00
lib:ldb-samba: Improve calculate_popt_array_length()
Note that memcmp() doesn't work well with padding bytes. So avoid it!
(gdb) ptype/o struct poptOption
/* offset | size */ type = struct poptOption {
/* 0 | 8 */ const char *longName;
/* 8 | 1 */ char shortName;
/* XXX 3-byte hole */
/* 12 | 4 */ unsigned int argInfo;
/* 16 | 8 */ void *arg;
/* 24 | 4 */ int val;
/* XXX 4-byte hole */
/* 32 | 8 */ const char *descrip;
/* 40 | 8 */ const char *argDescrip;
/* total size (bytes): 48 */
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit c2c7c1f50a8acb3169e19ba4329aa78839b66def)
- - - - -
8c29175f by Douglas Bagnall at 2021-11-02T21:52:16+00:00
ldb_controls: control_to_string avoids crash
Otherwise a malformed control with unexpected NULL data will segfault
ldb_control_to_string(), though this is not very likely to affect
anyone in practice as converting controls to strings is rarely
necessary. If it happens at all in Samba it is in Python code.
Found by Honggfuzz using fuzz_ldb_parse_control.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
Autobuild-User(master): Douglas Bagnall <dbagnall at samba.org>
Autobuild-Date(master): Wed Jul 29 04:43:23 UTC 2020 on sn-devel-184
(cherry picked from commit 2aace18f170644da9c293342a6df5e5b2ae8da25)
- - - - -
9ad6b86c by Volker Lendecke at 2021-11-02T21:52:16+00:00
lib: Add "hex_byte()" to replace.h
This is required in quite a few places, and replace.h has things like
ZERO_STRUCT already, so this is not completely outplaced.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit c8d9ce3f7c8c486ab21e320a0adcb71311dcb453)
- - - - -
0dc05f59 by Volker Lendecke at 2021-11-02T21:52:16+00:00
ldb: Use hex_byte() in ldb_binary_decode()
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit b6a57c49c00a778f954aaf10db6ebe6dca8f5ae2)
- - - - -
767bafc5 by Björn Jacke at 2021-11-02T21:52:16+00:00
ldb_kv_index: fix empty initializer compile warning
Signed-off-by: Bjoern Jacke <bjacke at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit c862ad64aea31d1d5ec66385bb50d9b97e609071)
- - - - -
20ce7400 by Stefan Metzmacher at 2021-11-02T22:41:39+00:00
ldb: version 2.2.3
Backport all C code changes from ldb-2.4.1
to be available for Samba 4.13.x
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Autobuild-User(v4-13-test): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(v4-13-test): Tue Nov 2 22:41:39 UTC 2021 on sn-devel-184
- - - - -
05b27742 by Stefan Metzmacher at 2021-11-08T10:52:08+01:00
CVE-2020-25717 winbind.idl: rename wbint_TransID.type to wbint_TransID.type_hint
This makes it clear that it's a hint from the parent to the
child.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
(cherry picked from commit 1576421dbdd2cfe9a47516224cb54bf15ba51132)
- - - - -
0792d340 by Stefan Metzmacher at 2021-11-08T10:52:08+01:00
CVE-2020-25717 s3:passdb: use ID_TYPE_* instead of WBC_ID_TYPE_*
Currently these enums have the same values, but that will
change in future.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
(cherry picked from commit 58e9b62222ad62c81cdf11d704859a227cb2902b)
- - - - -
340e2153 by Stefan Metzmacher at 2021-11-08T10:52:08+01:00
CVE-2020-25717 test_idmap_tdb_common: correctly initialize the idmap domain with an init function
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
(cherry picked from commit f5eec89011cf7b577375d83247524587f170b592)
- - - - -
337cb084 by Stefan Metzmacher at 2021-11-08T10:52:08+01:00
CVE-2020-25717 winbindd/idmap: apply const to struct idmap_methods pointers
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
(cherry picked from commit 95b0dac0af5bc7ee85c6c8099dda135c36c9684b)
- - - - -
68a823fd by Stefan Metzmacher at 2021-11-08T10:52:09+01:00
CVE-2020-25717 winbindd/idmap: apply const to struct nss_info_methods pointers
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
(cherry picked from commit 7518a0ca32cade2b8b9eac0e2b5416ae685ffcff)
- - - - -
d4c9be23 by Stefan Metzmacher at 2021-11-08T10:52:09+01:00
CVE-2020-25717 wb_queryuser: avoid idmap_child() and use idmap_child_handle() instead
This is the only aspect we need here.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
(cherry picked from commit 7dbe5b4897448aa71b5a8a2175850b4010316b88)
- - - - -
861bc4dd by Stefan Metzmacher at 2021-11-08T10:52:09+01:00
CVE-2020-25717 wb_xids2sids: avoid idmap_child() and use idmap_child_handle() instead
This is the only aspect we need here.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
(cherry picked from commit 5cc21a9d319e00397ad98900d81ffb9d1d70514f)
- - - - -
39da0df3 by Stefan Metzmacher at 2021-11-08T10:52:09+01:00
CVE-2020-25717 wb_sids2xids: avoid idmap_child() and use idmap_child_handle() instead
This is the only aspect we need here.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
(cherry picked from commit 1694de1ae6ce63377d0afc47e84e55e4745905d7)
- - - - -
b7b4bb1c by Stefan Metzmacher at 2021-11-08T10:52:09+01:00
CVE-2020-25717 winbindd: add and use idmap_child_pid()
We should avoid calling idmap_child() as much as possible.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
(cherry picked from commit 2103543629004a3a22e7bf60305bb15bf3b316be)
- - - - -
aebe4cec by Stefan Metzmacher at 2021-11-08T10:52:09+01:00
CVE-2020-25717 winbindd: add and use is_idmap_child()
We should avoid calling idmap_child() as much as possible.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
(cherry picked from commit cd9a9702c1f97c47bd3447e2014eeff3e56268cf)
- - - - -
f3957ca5 by Stefan Metzmacher at 2021-11-08T10:52:09+01:00
CVE-2020-25717 winbindd: add generic wb_parent_idmap_setup_send/recv() helpers
This is more or less a copy of wb_xids2sids_init_dom_maps_send/recv,
but it's more generic and doesn't imply global state.
It also closes a initialization race by using a tevent_queue to
serialize the calls.
In the next commits we'll replace wb_xids2sids_init_dom_maps_send/recv.
We'll also use the new function in the wb_sids2xids code.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
(cherry picked from commit 209e81a2ea8c972ee57e2f0c9579da843c0e2ac7)
- - - - -
5e04b985 by Stefan Metzmacher at 2021-11-08T10:52:09+01:00
CVE-2020-25717 wb_xids2sids: make use of the new wb_parent_idmap_setup_send/recv() helpers
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
(cherry picked from commit a8f57c94fc2294c309ecb18ea79d0acac86c495b)
- - - - -
a3cca16f by Stefan Metzmacher at 2021-11-08T10:52:09+01:00
CVE-2020-25717 wb_sids2xids: call wb_parent_idmap_setup_send/recv as the first step
This isn't really used yet, but it will in the next commits.
Also idmap_child_handle() will soon assert that
wb_parent_idmap_setup_send/recv() was called before it's used.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
(cherry picked from commit d42aaeba6e0820acd17f204ff7ab6d1aede1b303)
- - - - -
12fb0f40 by Stefan Metzmacher at 2021-11-08T10:52:09+01:00
CVE-2020-25717 wb_queryuser: explain why wb_parent_idmap_setup_send/recv is not needed
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
(cherry picked from commit 82fd07793f065e150729848566e7c30f4f4d472e)
- - - - -
be816313 by Stefan Metzmacher at 2021-11-08T10:52:09+01:00
CVE-2020-25717 winbindd: assert wb_parent_idmap_setup_send/recv() was called before idmap_child_handle()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
(cherry picked from commit b8c74b7b46d1c7f6b66e565ee08f8c88d6dc2cc4)
- - - - -
3812930e by Stefan Metzmacher at 2021-11-08T10:52:09+01:00
CVE-2020-25717 winbindd: defer the setup_child() from init_idmap_child()
At startup we trigger a wb_parent_idmap_setup_send() and make
sure setup_child() is called just before wb_parent_idmap_setup_recv()
finished.
This makes sure our view of the idmap config in the parent matches
what we have in the child.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
(cherry picked from commit 28e020c0a863411cfa95e3b1ed943d922b8635bd)
- - - - -
713f9c96 by Ralph Boehme at 2021-11-08T10:52:09+01:00
CVE-2020-25717 wb_sids2xids: split out wb_sids2xids_next_sids2unix()
Put the code that calls the per-domain idmap backend
in its own function.
This makes further reconstruction easier.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Ralph Boehme <slow at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
(cherry picked from commit 79c1d3aaf6d465a8edd1871edb85211f8715fea1)
- - - - -
e226e0a1 by Stefan Metzmacher at 2021-11-08T10:52:09+01:00
CVE-2020-25717 wb_sids2xids: maintain struct wbint_TransIDArray all_ids as cache
Entries with domain_index == UINT32_MAX are valid cache entries.
In the following commits we'll fill in missing entries step by step
until all entries are marked as filled.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
(cherry picked from commit 04956350a5725325954b2caba662ecd6dace7829)
- - - - -
27b73f9d by Stefan Metzmacher at 2021-11-08T10:52:09+01:00
CVE-2020-25717 wb_sids2xids: rename 'non_cached' to 'lookup_sids'
This array is used to pass to wb_lookupsids_send()
and that will be the only reason to have this in future.
For now it's used for all non cached sids, but that will
also change in the next commits.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
(cherry picked from commit 797b11f198e819300007997ce536bc6d05f19843)
- - - - -
ca5cf8d3 by Stefan Metzmacher at 2021-11-08T10:52:09+01:00
CVE-2020-25717 wb_sids2xids: move more checks to wb_sids2xids_next_sids2unix()
For the first run this is a no-op, but it simplified the caller.
We'll call wb_sids2xids_next_sids2unix() in a few more places in future
and it's easier to have this all within wb_sids2xids_next_sids2unix()..
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
(cherry picked from commit 231c8d04b19a1c17937f988d142ca5c0f889d4e0)
- - - - -
5e4491e8 by Stefan Metzmacher at 2021-11-08T10:52:09+01:00
CVE-2020-25717 wb_sids2xids: inline wb_sids2xids_extract_for_domain_index() into wb_sids2xids_next_sids2unix()
Instead of re-creating the dom_ids element,
we just use a pre-allocated map_ids_in array.
This is a bit tricky as we need to use map_ids_out as a copy of
map_ids_in, because the _ids argument of dcerpc_wbint_Sids2UnixIDs_send()
in [in,out], which means that _ids->ids is changed between
dcerpc_wbint_Sids2UnixIDs_send() and dcerpc_wbint_Sids2UnixIDs_recv()!
If the domain doesn't need any mappings, we'll move to the next domain
early, for now this can't happend but it will in future.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
(cherry picked from commit f6bb0ed21f82f2cf1f238f9f00cd049ecf8673af)
- - - - -
ab4f028d by Stefan Metzmacher at 2021-11-08T10:52:09+01:00
CVE-2020-25717 wb_sids2xids: refactor wb_sids2xids_done() a bit
Here we don't change the logic.
It will make the following changes easier.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
(cherry picked from commit cda61f592a0b33d36da8da9b6837312396cceec4)
- - - - -
ed766403 by Stefan Metzmacher at 2021-11-08T10:52:09+01:00
CVE-2020-25717 wb_sids2xids: change 'i' to 'li' in wb_sids2xids_lookupsids_done()
With all the indexes we have into various array, this makes clear
'li' is the index into the state->lookup_sids array.
This makes the following changes easier to review.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
(cherry picked from commit 19c8b6a8b188e45a6342a3d1308085800388a38e)
- - - - -
0ec6beec by Stefan Metzmacher at 2021-11-08T10:52:09+01:00
CVE-2020-25717 wb_sids2xids: directly use state->all_ids to collect results
In order to translate the indexes from state->lookup_sids[]
for wb_lookupsids_send/recv() and state->map_ids.ids[]
for dcerpc_wbint_Sids2UnixIDs_send/recv() back to
state->all_ids.ids[] or state->sids[] we have state->tmp_idx[].
This simplifies wb_sids2xids_recv() a lot and make further
restructuring much easier.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
(cherry picked from commit 374acc2e5fcc3c4b40f41906d0349499e3304841)
- - - - -
69c53f9c by Stefan Metzmacher at 2021-11-08T10:52:09+01:00
CVE-2020-25717 wb_sids2xids: fill cache as soon as possible
After adding entries to the cache we can mark them
as filled from the cache by setting its domain_index
to UINT32_MAX.
This will allow further changes to fill the results
into state->all_ids in steps.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
(cherry picked from commit 3f4626ea6d235470195918b77af35ac2cfeb227c)
- - - - -
ed1542b9 by Stefan Metzmacher at 2021-11-08T10:52:09+01:00
CVE-2020-25717 wb_sids2xids: build state->idmap_doms based on wb_parent_idmap_config
In future we'll try to avoid wb_lookupsids_send() and only call
it if needed.
The domain name passed should be only relevant to find the correct
idmap backend, and these should all be available in
wb_parent_idmap_config as it was created before the idmap child was forked.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
(cherry picked from commit c55f4f37589130a0d8952489da175bbcf53f6748)
- - - - -
04e10a84 by Stefan Metzmacher at 2021-11-08T10:52:09+01:00
CVE-2020-25717 winbindd: allow idmap backends to mark entries with ID_[TYPE_WB_]REQUIRE_TYPE
This must only be used between winbindd parent and child!
It must not leak into outside world.
Some backends require ID_TYPE_UID or ID_TYPE_GID as type_hint,
while others may only need ID_TYPE_BOTH in order to validate that
the domain exists.
This will allow us to skip the wb_lookupsids_send/recv in the winbindd parent
in future and only do that on demand.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
(cherry picked from commit 493f5d6b078e0b0f80d1ef25043e2834cb4fcb87)
- - - - -
bd12ce56 by Stefan Metzmacher at 2021-11-08T10:52:09+01:00
CVE-2020-25717 wb_sids2xids: defer/skip wb_lookupsids* unless we get ID_TYPE_WB_REQUIRE_TYPE
We try to give a valid hint for predefined sids and
pass ID_TYPE_BOTH as a hint that the domain part of the sid is valid.
In most cases the idmap child/backend does not require a type_hint
as mappings already exist.
This is a speed up as we no longer need to contact a domain controller.
It's also possible to accept kerberos authentication without reaching
out to a domain controller at all (if the idmap backend doesn't need a
hint).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Fri Oct 23 04:47:26 UTC 2020 on sn-devel-184
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
(cherry picked from commit 54b4d2d3cb307019a260d15c6e6b4a3fb7fc337c)
- - - - -
4925a110 by Stefan Metzmacher at 2021-11-08T10:52:09+01:00
CVE-2020-25717 s3:idmap_hash: reliable return ID_TYPE_BOTH
idmap_hash used to bounce back the requested type,
which was ID_TYPE_UID, ID_TYPE_GID or ID_TYPE_NOT_SPECIFIED
before as the winbindd parent always used a lookupsids.
When the lookupsids failed because of an unknown domain,
the idmap child weren't requested at all and the caller
sees ID_TYPE_NOT_SPECIFIED.
This module should have supported ID_TYPE_BOTH since
samba-4.1.0, similar to idmap_rid and idmap_autorid.
Now that the winbindd parent will pass ID_TYPE_BOTH in order to
indicate that the domain exists, it's better to always return
ID_TYPE_BOTH instead of a random mix of ID_TYPE_UID, ID_TYPE_GID
or ID_TYPE_BOTH. In order to request a type_hint it will return
ID_REQUIRE_TYPE for ID_TYPE_NOT_SPECIFIED, which means that
the parent at least assures that the domain sid exists.
And the caller still gets ID_TYPE_NOT_SPECIFIED if the
domain doesn't exist.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Fri Jan 22 11:32:46 UTC 2021 on sn-devel-184
(cherry picked from commit d8339056eef2845805f573bd8b0f3323370ecc8f)
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(v4-14-test): Karolin Seeger <kseeger at samba.org>
Autobuild-Date(v4-14-test): Wed Jan 27 17:06:51 UTC 2021 on sn-devel-184
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
(cherry picked from commit 99673b77b069674a6145552eb870de8829dfa503)
- - - - -
4a68c748 by Ralph Boehme at 2021-11-08T10:52:09+01:00
CVE-2020-25717 winbindd: call wb_parent_idmap_setup_send() in wb_queryuser_send()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14804
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
(cherry picked from commit 39c2ec72cb77945c3eb611fb1d7d7e9aad52bdfd)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
(cherry picked from commit 7d1dd87a6538f8c7f1e4938b0ff52cbd231fff90)
- - - - -
4a39d8a1 by Ralph Boehme at 2021-11-08T10:52:09+01:00
CVE-2020-25717 winbind: ensure wb_parent_idmap_setup_send() gets called in winbindd_allocate_uid_send()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14804
RN: winbindd can crash because idmap child state is not fully initialized
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
Autobuild-User(master): Volker Lendecke <vl at samba.org>
Autobuild-Date(master): Thu Sep 2 15:20:06 UTC 2021 on sn-devel-184
(cherry picked from commit d0f6d54354b02f5591706814fbd1e4844788fdfa)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
(cherry picked from commit 446f89510f2e55a551e2975a6cbf01c6a023ba0c)
- - - - -
eb4123b5 by Alexander Bokovoy at 2021-11-08T10:52:09+01:00
CVE-2020-25717 auth_sam: use pdb_get_domain_info to look up DNS forest information
When Samba is used as a part of FreeIPA domain controller, Windows
clients for a trusted AD forest may try to authenticate (perform logon
operation) as a REALM\name user account.
Fix auth_sam plugins to accept DNS forest name if we are running on a DC
with PASSDB module providing domain information (e.g. pdb_get_domain_info()
returning non-NULL structure). Right now, only FreeIPA or Samba AD DC
PASSDB backends return this information but Samba AD DC configuration is
explicitly ignored by the two auth_sam (strict and netlogon3) modules.
Detailed logs below:
[2020/11/11 09:23:53.281296, 1, pid=42677, effective(65534, 65534), real(65534, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:482(ndr_print_function_debug)
netr_LogonSamLogonWithFlags: struct netr_LogonSamLogonWithFlags
in: struct netr_LogonSamLogonWithFlags
server_name : *
server_name : '\\master.ipa.test'
computer_name : *
computer_name : 'AD1'
credential : *
credential: struct netr_Authenticator
cred: struct netr_Credential
data : 529f4b087c5f6546
timestamp : Wed Nov 11 09:23:55 AM 2020 UTC
return_authenticator : *
return_authenticator: struct netr_Authenticator
cred: struct netr_Credential
data : 204f28f622010000
timestamp : Fri May 2 06:37:50 AM 1986 UTC
logon_level : NetlogonNetworkTransitiveInformation (6)
logon : *
logon : union netr_LogonLevel(case 6)
network : *
network: struct netr_NetworkInfo
identity_info: struct netr_IdentityInfo
domain_name: struct lsa_String
length : 0x0010 (16)
size : 0x01fe (510)
string : *
string : 'IPA.TEST'
parameter_control : 0x00002ae0 (10976)
0: MSV1_0_CLEARTEXT_PASSWORD_ALLOWED
0: MSV1_0_UPDATE_LOGON_STATISTICS
0: MSV1_0_RETURN_USER_PARAMETERS
0: MSV1_0_DONT_TRY_GUEST_ACCOUNT
1: MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT
1: MSV1_0_RETURN_PASSWORD_EXPIRY
1: MSV1_0_USE_CLIENT_CHALLENGE
0: MSV1_0_TRY_GUEST_ACCOUNT_ONLY
1: MSV1_0_RETURN_PROFILE_PATH
0: MSV1_0_TRY_SPECIFIED_DOMAIN_ONLY
1: MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT
0: MSV1_0_DISABLE_PERSONAL_FALLBACK
1: MSV1_0_ALLOW_FORCE_GUEST
0: MSV1_0_CLEARTEXT_PASSWORD_SUPPLIED
0: MSV1_0_USE_DOMAIN_FOR_ROUTING_ONLY
0: MSV1_0_ALLOW_MSVCHAPV2
0: MSV1_0_S4U2SELF
0: MSV1_0_CHECK_LOGONHOURS_FOR_S4U
0: MSV1_0_SUBAUTHENTICATION_DLL_EX
logon_id : 0x0000000000884ef2 (8933106)
account_name: struct lsa_String
length : 0x000e (14)
size : 0x000e (14)
string : *
string : 'idmuser'
workstation: struct lsa_String
length : 0x0000 (0)
size : 0x0000 (0)
string : *
string : ''
challenge : 417207867bd33c74
nt: struct netr_ChallengeResponse
length : 0x00c0 (192)
size : 0x00c0 (192)
data : *
data: ARRAY(192)
[0000] A5 24 62 6E 31 DF 69 66 9E DC 54 D6 63 4C D6 2F .$bn1.if ..T.cL./
[0010] 01 01 00 00 00 00 00 00 50 37 D7 60 0C B8 D6 01 ........ P7.`....
[0020] 15 1B 38 4F 47 95 4D 62 00 00 00 00 02 00 0E 00 ..8OG.Mb ........
[0030] 57 00 49 00 4E 00 32 00 30 00 31 00 36 00 01 00 W.I.N.2. 0.1.6...
[0040] 06 00 41 00 44 00 31 00 04 00 18 00 77 00 69 00 ..A.D.1. ....w.i.
[0050] 6E 00 32 00 30 00 31 00 36 00 2E 00 74 00 65 00 n.2.0.1. 6...t.e.
[0060] 73 00 74 00 03 00 20 00 61 00 64 00 31 00 2E 00 s.t... . a.d.1...
[0070] 77 00 69 00 6E 00 32 00 30 00 31 00 36 00 2E 00 w.i.n.2. 0.1.6...
[0080] 74 00 65 00 73 00 74 00 05 00 18 00 77 00 69 00 t.e.s.t. ....w.i.
[0090] 6E 00 32 00 30 00 31 00 36 00 2E 00 74 00 65 00 n.2.0.1. 6...t.e.
[00A0] 73 00 74 00 07 00 08 00 50 37 D7 60 0C B8 D6 01 s.t..... P7.`....
[00B0] 06 00 04 00 02 00 00 00 00 00 00 00 00 00 00 00 ........ ........
lm: struct netr_ChallengeResponse
length : 0x0018 (24)
size : 0x0018 (24)
data : *
data : 000000000000000000000000000000000000000000000000
validation_level : 0x0006 (6)
flags : *
flags : 0x00000000 (0)
0: NETLOGON_SAMLOGON_FLAG_PASS_TO_FOREST_ROOT
0: NETLOGON_SAMLOGON_FLAG_PASS_CROSS_FOREST_HOP
0: NETLOGON_SAMLOGON_FLAG_RODC_TO_OTHER_DOMAIN
0: NETLOGON_SAMLOGON_FLAG_RODC_NTLM_REQUEST
In such case checks for a workgroup name will not match the DNS forest
name used in the username specification:
[2020/11/11 09:23:53.283055, 3, pid=42677, effective(65534, 65534), real(65534, 0), class=auth] ../../source3/auth/auth.c:200(auth_check_ntlm_password)
check_ntlm_password: Checking password for unmapped user [IPA.TEST]\[idmuser]@[] with the new password interface
[2020/11/11 09:23:53.283073, 3, pid=42677, effective(65534, 65534), real(65534, 0), class=auth] ../../source3/auth/auth.c:203(auth_check_ntlm_password)
check_ntlm_password: mapped user is: [IPA.TEST]\[idmuser]@[]
[2020/11/11 09:23:53.283082, 10, pid=42677, effective(65534, 65534), real(65534, 0), class=auth] ../../source3/auth/auth.c:213(auth_check_ntlm_password)
check_ntlm_password: auth_context challenge created by fixed
[2020/11/11 09:23:53.283091, 10, pid=42677, effective(65534, 65534), real(65534, 0), class=auth] ../../source3/auth/auth.c:216(auth_check_ntlm_password)
challenge is:
[2020/11/11 09:23:53.283099, 5, pid=42677, effective(65534, 65534), real(65534, 0)] ../../lib/util/util.c:678(dump_data)
[0000] 41 72 07 86 7B D3 3C 74 Ar..{.<t
[2020/11/11 09:23:53.283113, 10, pid=42677, effective(65534, 65534), real(65534, 0), class=auth] ../../source3/auth/auth_sam.c:209(auth_sam_netlogon3_auth)
auth_sam_netlogon3_auth: Check auth for: [IPA.TEST]\[idmuser]
[2020/11/11 09:23:53.283123, 5, pid=42677, effective(65534, 65534), real(65534, 0), class=auth] ../../source3/auth/auth_sam.c:234(auth_sam_netlogon3_auth)
auth_sam_netlogon3_auth: IPA.TEST is not our domain name (DC for IPA)
[2020/11/11 09:23:53.283131, 10, pid=42677, effective(65534, 65534), real(65534, 0), class=auth] ../../source3/auth/auth.c:249(auth_check_ntlm_password)
auth_check_ntlm_password: sam_netlogon3 had nothing to say
and overall authentication attempt will fail: auth_winbind will complain
that this domain is not a trusted one and refuse operating on it:
[2020/11/11 09:23:53.283784, 10, pid=42663, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd.c:742(process_request_send)
process_request_send: process_request: Handling async request smbd(42677):PAM_AUTH_CRAP
[2020/11/11 09:23:53.283796, 3, pid=42663, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_pam_auth_crap.c:110(winbindd_pam_auth_crap_send)
[42677]: pam auth crap domain: [IPA.TEST] user: idmuser
[2020/11/11 09:23:53.283810, 3, pid=42663, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_pam.c:409(find_auth_domain)
Authentication for domain [IPA.TEST] refused as it is not a trusted domain
[2020/11/11 09:23:53.283825, 10, pid=42663, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd.c:810(process_request_done)
process_request_done: [smbd(42677):PAM_AUTH_CRAP]: NT_STATUS_NO_SUCH_USER
[2020/11/11 09:23:53.283844, 10, pid=42663, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd.c:855(process_request_written)
process_request_written: [smbd(42677):PAM_AUTH_CRAP]: delivered response to client
Signed-off-by: Alexander Bokovoy <ab at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
(cherry picked from commit 2a8b672652dcbcf55ec59be537773d76f0f14d0a)
- - - - -
654b09ec by Alexander Bokovoy at 2021-11-08T10:52:09+01:00
CVE-2020-25717 lookup_name: allow lookup names prefixed with DNS forest root for FreeIPA DC
In FreeIPA deployment with active Global Catalog service, when a two-way
trust to Active Directory forest is established, Windows systems can
look up FreeIPA users and groups. When using a security tab in Windows
Explorer on AD side, a lookup over a trusted forest might come as
realm\name instead of NetBIOS domain name:
--------------------------------------------------------------------
[2020/01/13 11:12:39.859134, 1, pid=33253, effective(1732401004, 1732401004), real(1732401004, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:471(ndr_print_function_debug)
lsa_LookupNames3: struct lsa_LookupNames3
in: struct lsa_LookupNames3
handle : *
handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : 0000000e-0000-0000-1c5e-a750e5810000
num_names : 0x00000001 (1)
names: ARRAY(1)
names: struct lsa_String
length : 0x001e (30)
size : 0x0020 (32)
string : *
string : 'ipa.test\admins'
sids : *
sids: struct lsa_TransSidArray3
count : 0x00000000 (0)
sids : NULL
level : LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2 (6)
count : *
count : 0x00000000 (0)
lookup_options : LSA_LOOKUP_OPTION_SEARCH_ISOLATED_NAMES (0)
client_revision : LSA_CLIENT_REVISION_2 (2)
--------------------------------------------------------------------
If we are running as a DC and PASSDB supports returning domain info
(pdb_get_domain_info() returns a valid structure), check domain of the
name in lookup_name() against DNS forest name and allow the request to
be done against the primary domain. This corresponds to FreeIPA's use of
Samba as a DC. For normal domain members a realm-based lookup falls back
to a lookup over to its own domain controller with the help of winbindd.
Signed-off-by: Alexander Bokovoy <ab at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Autobuild-User(master): Alexander Bokovoy <ab at samba.org>
Autobuild-Date(master): Wed Nov 11 10:59:01 UTC 2020 on sn-devel-184
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
(cherry picked from commit 31c703766fd2b89737826fb7e9a707f0622bb8cd)
- - - - -
031fc798 by Björn Jacke at 2021-11-08T10:52:09+01:00
CVE-2020-25717 auth_generic: fix empty initializer compile warning
Signed-off-by: Bjoern Jacke <bjacke at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
(cherry picked from commit cce4e8012c5eafb6d98111b92923d748d72d077b)
- - - - -
b2fffcfa by Andreas Schneider at 2021-11-08T10:52:09+01:00
CVE-2020-25717 selftest: Pass down the machine account name to provision_ad_member
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
(cherry picked from commit fbe68dcbb783409589cdefd8ee551c9971c51f08)
Needed as preparation for CVE-2020-25717
- - - - -
b2e1e518 by Andreas Schneider at 2021-11-08T10:52:09+01:00
CVE-2020-25717 selftest: Only set netbios aliases for the ad_member env
The provision_ad_member() function is reused by different
setup_ad_member*() functions. Each environment needs to have unique
netbios aliases as they are all in the same network.
The aliases should only be set for the 'ad_member' environment.
Signed-Off-By: Andreas Schneider <asn at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Fri Jun 11 01:26:36 UTC 2021 on sn-devel-184
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
(cherry picked from commit e165dcc770ec58c3749d653d6cb85f6ecf9479d6)
- - - - -
ad4192e8 by Volker Lendecke at 2021-11-08T10:52:09+01:00
CVE-2020-25717 auth3: Simplify check_samba4_security()
First set up "server_info" in a local variable and once it's fully set
up, assign it to the out parameter "pserver_info".
Pointer dereferencing obfuscates the code for me.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
(cherry picked from commit 062a0c14c6ee0b74e7619af73747df59c5e67672)
- - - - -
d7a295b9 by Volker Lendecke at 2021-11-08T10:52:09+01:00
CVE-2020-25717 auth: Simplify DEBUG statements in make_auth3_context_for_ntlm()
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
(cherry picked from commit 8536bf7fce41c43bbed25f7ed4ce5775a1b9c0d5)
- - - - -
bba5ff7c by Volker Lendecke at 2021-11-08T10:52:09+01:00
CVE-2020-25717 auth4: Make auth_anonymous pseudo-async
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
(cherry picked from commit 759573136876ef2b1b1c7484f99570d7de957e0d)
- - - - -
b64de25a by Volker Lendecke at 2021-11-08T10:52:09+01:00
CVE-2020-25717 auth4: Make auth_developer pseudo-async
This is a simpler approach to really just wrap the code.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
(cherry picked from commit 43a1e42815718591faa8d526319b96d089a758fa)
- - - - -
78c76cf5 by Volker Lendecke at 2021-11-08T10:52:09+01:00
CVE-2020-25717 auth4: Make auth_unix pseudo-async
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
(cherry picked from commit a6f42ab8a778b9863990da3112c2e868cd006303)
- - - - -
25d6b0c5 by Volker Lendecke at 2021-11-08T10:52:09+01:00
CVE-2020-25717 auth4: Make auth_sam pseudo-async
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
(cherry picked from commit f852fb4cd4e2bcd676a9ea104c5bf00979771eed)
- - - - -
4fea58a5 by Volker Lendecke at 2021-11-08T10:52:09+01:00
CVE-2020-25717 auth4: Remove sync check_password from auth_operations
Remove complexity in the data structures, and pushes the async-ness
one level down.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
(cherry picked from commit 254af19ba89b4c42e5f45ec731e6577d2fcc6736)
- - - - -
1bfde439 by Stefan Metzmacher at 2021-11-08T10:52:09+01:00
CVE-2020-25719 selftest/knownfail_mit_kdc: Add pointless knownfail to allow a later cherry-pick to apply cleanly
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
- - - - -
7f4e1798 by Andrew Bartlett at 2021-11-08T10:52:09+01:00
CVE-2020-25722 selftest: Move self.assertRaisesLdbError() to samba.tests.TestCase
This is easier to reason with regarding which cases should work
and which cases should fail, avoiding issues where more success
than expected would be OK because a self.fail() was missed in a
try: block.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 298515cac2f35082483c2b4e4b7dbfe4df1d2e0c)
- - - - -
62fe5530 by Andrew Bartlett at 2021-11-08T10:52:09+01:00
CVE-2020-25722 selftest: Modernise user_account_control.py tests use a common self.OU
We set and use a single self.OU to ensure consistancy and
reduce string duplication.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
(cherry picked from commit 8b078bbf8717b9407cdbc1588dd065164ab78e1b)
- - - - -
0777ea3d by Andrew Bartlett at 2021-11-08T10:52:09+01:00
CVE-2020-25722 selftest: Use addCleanup rather than tearDown in user_account_control.py
self.addCleanup() is called regardless of the test failure or error status
and so is more reliable, particularly during development.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
(cherry picked from commit 8c455268165f0bbfce17407df2c1746a0e03f828)
- - - - -
10d33e2e by Andrew Bartlett at 2021-11-08T10:52:09+01:00
CVE-2020-25722 pydsdb: Add API to return strings of known UF_ flags
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
(cherry picked from commit fb6c0b9e2a10c9559d3e056bb020bd2c990da998)
- - - - -
52611c7f by Andrew Bartlett at 2021-11-08T10:52:09+01:00
CVE-2020-25722 selftest: Use @DynamicTestCase in user_account_control test_uac_bits_unrelated_modify()
This is a nice easy example of how the test generation
code works, and it combined nicely with the earlier
patch to return string names from the UF_ constants.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
(cherry picked from commit 8701ce492fc3a209035b152961d8c17e801b082a)
- - - - -
d8762d35 by Andrew Bartlett at 2021-11-08T10:52:09+01:00
CVE-2020-25722 selftest: Replace internal loop in test_uac_bits_add() using @DynamicTestClass
This generates a single test per bit which is easier to
debug. Elsewhere we use this pattern where we want to
be able to put some cases in a knownfail, which is otherwise
not possible.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
(cherry picked from commit 60f1b6cf0ef0bf6736d8db9c53fa48fe9f3d8e75)
- - - - -
884b2d4c by Andrew Bartlett at 2021-11-08T10:52:09+01:00
CVE-2020-25722 selftest: Replace internal loop in test_uac_bits_set() using @DynamicTestClass
This generates a single test per bit which is easier to
debug. Elsewhere we use this pattern where we want to
be able to put some cases in a knownfail, which is otherwise
not possible.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
(cherry picked from commit 17ae0319db53a7b88e7fb44a9e2fd4bf1d1daa0e)
- - - - -
ff8f61b7 by Andrew Bartlett at 2021-11-08T10:52:09+01:00
CVE-2020-25722 selftest: Update user_account_control tests to pass against Windows 2019
This gets us closer to passing against Windows 2019, without
making major changes to what was tested. More tests are needed,
but it is important to get what was being tested tested again.
Account types (eg UF_NORMAL_ACCOUNT, UF_WORKSTATION_TRUST_ACCOUNT)
are now required on all objects, this can't be omitted any more.
Also for UF_NORMAL_ACCOUNT for these accounts without a password
set |UF_PASSWD_NOTREQD must be included.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Wed Sep 15 08:49:11 UTC 2021 on sn-devel-184
(cherry picked from commit d12cb47724c2e8d19a28286d4c3ef72271a002fd)
- - - - -
4ee79401 by Andrew Bartlett at 2021-11-08T10:52:09+01:00
CVE-2020-25722 selftest: Use self.assertRaisesLdbError() in user_account_control.py test
This changes most of the simple pattern with self.samdb.modify()
to use the wrapper. Some other calls still need to be converted, while
the complex decision tree tests should remain as-is for now.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Mon Oct 4 21:55:43 UTC 2021 on sn-devel-184
(cherry picked from commit b45190bdac7bd9dcefd5ed88be4bd9a97a712664)
- - - - -
d2eee68c by Joseph Sutton at 2021-11-08T10:52:09+01:00
CVE-2020-17049 tests/krb5: Check account name and SID in PAC for S4U tests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at cryptomilk.org>
Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Mon Oct 25 09:23:35 UTC 2021 on sn-devel-184
(cherry picked from commit c174e9ebe715aad6910d53c1f427a0512c09d651)
- - - - -
d82cba0d by Andrew Bartlett at 2021-11-08T10:52:09+01:00
CVE-2020-25722 dsdb: Tests for our known set of privileged attributes
This, except for where we choose to disagree, does pass
against Windows 2019.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14703
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14778
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14775
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
0c20aa46 by Andrew Bartlett at 2021-11-08T10:52:09+01:00
CVE-2020-25722 dsdb: Move krbtgt password setup after the point of checking if any passwords are changed
This allows the add of an RODC, before setting the password, to avoid
this module, which helps isolate testing of security around the
msDS-SecondaryKrbTgtNumber attribute.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14703
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
44858595 by Andrew Bartlett at 2021-11-08T10:52:09+01:00
CVE-2020-25722 dsdb: Restrict the setting of privileged attributes during LDAP add/modify
The remaining failures in the priv_attrs (not the strict one) test are
due to missing objectclass constraints on the administrator which should
be addressed, but are not a security issue.
A better test for confirming constraints between objectclass and
userAccountControl UF_NORMAL_ACCONT/UF_WORKSTATION_TRUST values would
be user_account_control.py.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14703
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14778
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14775
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
20e466c1 by Andrew Bartlett at 2021-11-08T10:52:09+01:00
CVE-2020-25722 selftest: Extend priv_attrs test - work around UF_NORMAL_ACCOUNT rules on Windows 2019 (requires |UF_PASSWD_NOTREQD or a password) - extend to also cover the sensitive UF_TRUSTED_FOR_DELEGATION
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14703
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14778
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14775
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
0e3e5260 by Andrew Bartlett at 2021-11-08T10:52:09+01:00
CVE-2020-25722 selftest: Test combinations of account type and objectclass for creating a user
The idea here is to split out the restrictions seen on Windows 2019
at the schema level, as seen when acting as an administrator.
These pass against Windows 2019 except for the account type swapping
which is not wanted.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
20720ec0 by Andrew Bartlett at 2021-11-08T10:52:09+01:00
CVE-2020-25722 selftest: allow for future failures in BindTests.test_virtual_email_account_style_bind
This allows for any failures here to be handled via the knownfail system.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
9ff11f2a by Andrew Bartlett at 2021-11-08T10:52:09+01:00
CVE-2020-25722 selftest: Catch possible errors in PasswordSettingsTestCase.test_pso_none_applied()
This allows future patches to restrict changing the account type
without triggering an error.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
081a7c7f by Andrew Bartlett at 2021-11-08T10:52:09+01:00
CVE-2020-25722 selftest: Catch errors from samdb.modify() in user_account_control tests
This will allow these to be listed in a knownfail shortly.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
e3021deb by Andrew Bartlett at 2021-11-08T10:52:09+01:00
CVE-2020-25722 dsdb: objectclass computer becomes UF_WORKSTATION_TRUST by default
There are a lot of knownfail entries added with this commit. These
all need to be addressed and removed in subsequent commits which
will restructure the tests to pass within this new reality.
This default applies even to users with administrator rights,
as changing the default based on permissions would break
to many assumptions.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
8d54b763 by Andrew Bartlett at 2021-11-08T10:52:10+01:00
CVE-2020-25722 dsdb: Improve privileged and unprivileged tests for objectclass/doller/UAC
This helps ensure we cover off all the cases that matter
for objectclass/trailing-doller/userAccountControl
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
761b80e1 by Joseph Sutton at 2021-11-08T10:52:10+01:00
CVE-2020-25722 dsdb: Add tests for modifying objectClass, userAccountControl and sAMAccountName
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14889
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
f77231f1 by Andrew Bartlett at 2021-11-08T10:52:10+01:00
CVE-2020-25722 dsdb: Prohibit mismatch between UF_ account types and objectclass.
There are a lot of knownfail entries added with this commit. These
all need to be addressed and removed in subsequent commits which
will restructure the tests to pass within this new reality.
The restriction is not applied to users with administrator rights,
as this breaks a lot of tests and provides no security benefit.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
cc9259de by Andrew Bartlett at 2021-11-08T10:52:10+01:00
CVE-2020-25722 selftest/priv_attrs: Mention that these knownfails are OK (for now)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14775
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
d7187adb by Andrew Bartlett at 2021-11-08T10:52:10+01:00
CVE-2020-25722 selftest: Adapt selftest to restriction on swapping account types
This makes many of our tests pass again. We do not pass against Windows 2019 on all
as this does not have this restriction at this time.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
08f9f8a9 by Andrew Bartlett at 2021-11-08T10:52:10+01:00
CVE-2020-25722 dsdb: samldb_objectclass_trigger() is only called on ADD, so remove indentation
This makes the code less indented and simpler to understand.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
a76d5d62 by Andrew Bartlett at 2021-11-08T10:52:10+01:00
CVE-2020-25722 dsdb: Add restrictions on computer accounts without a trailing $
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
20ce152f by Andrew Bartlett at 2021-11-08T10:52:10+01:00
CVE-2020-25722 selftest: Adapt sam.py test_isCriticalSystemObject to new UF_WORKSTATION_TRUST_ACCOUNT default
Objects with objectclass computer now have UF_WORKSTATION_TRUST_ACCOUNT
by default and so this test must adapt.
The changes to this test passes against Windows 2019 except for
the new behaviour around the UF_WORKSTATION_TRUST_ACCOUNT default.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
55d821ca by Andrew Bartlett at 2021-11-08T10:52:10+01:00
CVE-2020-25722 samdb: Fill in isCriticalSystemObject on any account type change
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
c212f3fe by Andrew Bartlett at 2021-11-08T10:52:10+01:00
CVE-2020-25722 selftest: Split test_userAccountControl into unit tests
The parts that create and delete a single object can be
safely split out into an individual test.
At this point the parts that fail against Windows 2019 are:
error: __main__.SamTests.test_userAccountControl_computer_add_normal [
_ldb.LdbError: (53, 'LDAP error 53 LDAP_UNWILLING_TO_PERFORM - <0000052D: SvcErr: DSID-031A1236, problem 5003 (WILL_NOT_PERFORM), data 0\n> <>')
error: __main__.SamTests.test_userAccountControl_computer_modify [
_ldb.LdbError: (53, 'LDAP error 53 LDAP_UNWILLING_TO_PERFORM - <0000052D: SvcErr: DSID-031A1236, problem 5003 (WILL_NOT_PERFORM), data 0\n> <>')
error: __main__.SamTests.test_userAccountControl_user_add_0_uac [
_ldb.LdbError: (53, 'LDAP error 53 LDAP_UNWILLING_TO_PERFORM - <0000052D: SvcErr: DSID-031A1236, problem 5003 (WILL_NOT_PERFORM), data 0\n> <>')
error: __main__.SamTests.test_userAccountControl_user_add_normal [
_ldb.LdbError: (53, 'LDAP error 53 LDAP_UNWILLING_TO_PERFORM - <0000052D: SvcErr: DSID-031A1236, problem 5003 (WILL_NOT_PERFORM), data 0\n> <>')
error: __main__.SamTests.test_userAccountControl_user_modify [
_ldb.LdbError: (53, 'LDAP error 53 LDAP_UNWILLING_TO_PERFORM - <0000052D: SvcErr: DSID-031A1236, problem 5003 (WILL_NOT_PERFORM), data 0\n> <>')
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
71c2d0d6 by Andrew Bartlett at 2021-11-08T10:52:10+01:00
CVE-2020-25722 selftest: Adjust sam.py test_userAccountControl_computer_add_trust to new reality
We now enforce that a trust account must be a user.
These can not be added over LDAP anyway, and our C
code in the RPC server gets this right in any case.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
70b724f6 by Andrew Bartlett at 2021-11-08T10:52:10+01:00
CVE-2020-25722 selftest: New objects of objectclass=computer are workstations by default now
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
4dfc225b by Andrew Bartlett at 2021-11-08T10:52:10+01:00
CVE-2020-25722 selftest: Adapt sam.py test to userAccountControl/objectclass restrictions
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
46672d19 by Andrew Bartlett at 2021-11-08T10:52:10+01:00
CVE-2020-25722 selftest: adapt ldap.py/sam.py test_all tests to new default computer behaviour
Objects of objectclass computer are computers by default now and this changes
the sAMAccountType and primaryGroupID as well as userAccountControl
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
7bba5741 by Andrew Bartlett at 2021-11-08T10:52:10+01:00
CVE-2020-25722 selftest: Allow self.assertRaisesLdbError() to take a list of errors to match with
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
17c4928b by Andrew Bartlett at 2021-11-08T10:52:10+01:00
CVE-2020-25722 selftest/user_account_control: Allow a broader set of possible errors
This favors a test that confirms we got an error over getting exactly
the right error, at least for now.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
1282c823 by Andrew Bartlett at 2021-11-08T10:52:10+01:00
CVE-2020-25722 selftest/user_account_control: more work to cope with UAC/objectclass defaults and lock
This new restriction breaks a large number of assumptions in the tests, like
that you can remove some UF_ flags, because it turns out doing so will
make the 'computer' a 'user' again, and this will fail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
52a50551 by Andrew Bartlett at 2021-11-08T10:52:10+01:00
CVE-2020-25721 krb5pac: Add new buffers for samAccountName and objectSID
These appear when PAC_UPN_DNS_FLAG_HAS_SAM_NAME_AND_SID is set.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14835
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
- - - - -
696ae3cb by Joseph Sutton at 2021-11-08T10:52:10+01:00
CVE-2020-25718 tests/krb5: Allow tests accounts to replicate to RODC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
e2a1affc by Joseph Sutton at 2021-11-08T10:52:10+01:00
CVE-2020-25719 CVE-2020-25717 tests/krb5: Modify get_service_ticket() to use _generic_kdc_exchange()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14799
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
24f75942 by Joseph Sutton at 2021-11-08T10:52:10+01:00
CVE-2020-25719 CVE-2020-25717 tests/krb5: Add pac_request parameter to get_service_ticket()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14799
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
a61c71a6 by Joseph Sutton at 2021-11-08T10:52:10+01:00
CVE-2020-25722 tests/krb5: Allow creating server accounts
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14776
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
17a08609 by Joseph Sutton at 2021-11-08T10:52:10+01:00
CVE-2020-25719 tests/krb5: Add is_tgt() helper method
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14686
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
66d2176a by Joseph Sutton at 2021-11-08T10:52:10+01:00
CVE-2020-25719 tests/krb5: Add method to get unique username for test accounts
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14686
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
5837a12c by Joseph Sutton at 2021-11-08T10:52:10+01:00
MS CVE-2020-17049 tests/krb5: Allow tests to pass if ticket signature checksum type is wrong
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
49ddf616 by Joseph Sutton at 2021-11-08T10:52:10+01:00
CVE-2020-25721 tests/krb5: Check PAC buffer types when STRICT_CHECKING=0
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14835
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
c2d7c9a8 by Joseph Sutton at 2021-11-08T10:52:10+01:00
CVE-2020-25719 CVE-2020-25717 tests/krb5: Refactor create_ccache_with_user() to take credentials of target service
This allows us to use get_tgt() and get_service_ticket() to obtain
tickets, which simplifies the logic.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14799
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
5fc5247a by Joseph Sutton at 2021-11-08T10:52:10+01:00
CVE-2020-25719 CVE-2020-25717 tests/krb5: Allow create_ccache_with_user() to return a ticket without a PAC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14799
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
894be09a by Joseph Sutton at 2021-11-08T10:52:10+01:00
CVE-2020-25722 tests/krb5: Add KDC tests for 3-part SPNs
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14776
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
f4841ce8 by Joseph Sutton at 2021-11-08T10:52:10+01:00
CVE-2020-25721 ndrdump: Add tests for PAC with UPN_DNS_INFO
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14835
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
98f570d0 by Joseph Sutton at 2021-11-08T10:52:10+01:00
CVE-2020-25719 tests/krb5: Add tests for requiring and issuing a PAC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
6b82704c by Joseph Sutton at 2021-11-08T10:52:10+01:00
CVE-2020-25719 tests/krb5: Add a test for making an S4U2Self request without a PAC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14686
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
f839cc40 by Joseph Sutton at 2021-11-08T10:52:10+01:00
CVE-2020-25719 tests/krb5: Add principal aliasing test
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14686
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
62af3d24 by Joseph Sutton at 2021-11-08T10:52:10+01:00
CVE-2020-25718 tests/krb5: Add tests for RODC-printed and invalid TGTs
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
94635645 by Joseph Sutton at 2021-11-08T10:52:10+01:00
CVE-2020-25719 tests/krb5: Add tests for including authdata without a PAC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
718aefaa by Joseph Sutton at 2021-11-08T10:52:10+01:00
CVE-2020-25721 tests/krb5: Add tests for extended PAC_UPN_DNS_INFO PAC buffer
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14835
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
2966b615 by Stefan Metzmacher at 2021-11-08T10:52:10+01:00
CVE-2020-25719 CVE-2020-25717 tests/krb5: Add tests for connecting to services anonymously and without a PAC
At the end of the patchset we assume NT_STATUS_NO_IMPERSONATION_TOKEN if
no PAC is available.
For now we want to look for ACCESS_DENIED as this allows
the test to pass (showing that gensec:require_pac = true
is a useful partial mitigation).
This will also help others doing backports that do not
take the full patch set.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14799
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
f507539d by Stefan Metzmacher at 2021-11-08T10:52:10+01:00
CVE-2020-25719 CVE-2020-25717: selftest: remove "gensec:require_pac" settings
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14799
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
[jsutton at samba.org Added knownfail entries]
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
2aa37d59 by Joseph Sutton at 2021-11-08T10:52:10+01:00
CVE-2020-25719 CVE-2020-25717 tests/krb5: Adapt tests for connecting without a PAC to new error codes
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14799
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
5966f8c2 by Stefan Metzmacher at 2021-11-08T10:52:10+01:00
CVE-2020-25717: s3:winbindd: make sure we default to r->out.authoritative = true
We need to make sure that temporary failures don't trigger a fallback
to the local SAM that silently ignores the domain name part for users.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
66cd97e5 by Stefan Metzmacher at 2021-11-08T10:52:10+01:00
CVE-2020-25717: s4:auth/ntlm: make sure auth_check_password() defaults to r->out.authoritative = true
We need to make sure that temporary failures don't trigger a fallback
to the local SAM that silently ignores the domain name part for users.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
9b73069d by Stefan Metzmacher at 2021-11-08T10:52:10+01:00
CVE-2020-25717: s4:torture: start with authoritative = 1
This is not strictly needed, but makes it easier to audit
that we don't miss important places.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
38e7562c by Stefan Metzmacher at 2021-11-08T10:52:10+01:00
CVE-2020-25717: s4:smb_server: start with authoritative = 1
This is not strictly needed, but makes it easier to audit
that we don't miss important places.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
49779027 by Stefan Metzmacher at 2021-11-08T10:52:10+01:00
CVE-2020-25717: s4:auth_simple: start with authoritative = 1
This is not strictly needed, but makes it easier to audit
that we don't miss important places.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
25fd512f by Stefan Metzmacher at 2021-11-08T10:52:10+01:00
CVE-2020-25717: s3:ntlm_auth: start with authoritative = 1
This is not strictly needed, but makes it easier to audit
that we don't miss important places.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
04ca59a5 by Stefan Metzmacher at 2021-11-08T10:52:10+01:00
CVE-2020-25717: s3:torture: start with authoritative = 1
This is not strictly needed, but makes it easier to audit
that we don't miss important places.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
9b977f50 by Stefan Metzmacher at 2021-11-08T10:52:10+01:00
CVE-2020-25717: s3:rpcclient: start with authoritative = 1
This is not strictly needed, but makes it easier to audit
that we don't miss important places.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
8a946f27 by Stefan Metzmacher at 2021-11-08T10:52:10+01:00
CVE-2020-25717: s3:auth: start with authoritative = 1
This is not strictly needed, but makes it easier to audit
that we don't miss important places.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
6ca265b8 by Stefan Metzmacher at 2021-11-08T10:52:10+01:00
CVE-2020-25717: auth/ntlmssp: start with authoritative = 1
This is not strictly needed, but makes it easier to audit
that we don't miss important places.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
b9d8f802 by Samuel Cabrero at 2021-11-08T10:52:10+01:00
CVE-2020-25717: loadparm: Add new parameter "min domain uid"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
[abartlet at samba.org Backported from master/4.15 due to
conflicts with other new parameters]
- - - - -
37c2f73c by Samuel Cabrero at 2021-11-08T10:52:10+01:00
CVE-2020-25717: selftest: Add ad_member_no_nss_wb environment
This environment creates an AD member that doesn't have
'nss_winbind' configured, while winbindd is still started.
For testing we map a DOMAIN\root user to the local root
account and unix token of the local root user.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
[abartlet at samba.org backported to Samba 4.14 without offline
tests in Samba3.pm]
- - - - -
eea64478 by Samuel Cabrero at 2021-11-08T10:52:10+01:00
CVE-2020-25717: selftest: Add a test for the new 'min domain uid' parameter
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
[abartlet at samba.org Fixed knowfail per instruction from metze]
- - - - -
c703f7a5 by Stefan Metzmacher at 2021-11-08T10:52:10+01:00
CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() forward the low level errors
Mapping everything to ACCESS_DENIED makes it hard to debug problems,
which may happen because of our more restrictive behaviour in future.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
ce47a81e by Samuel Cabrero at 2021-11-08T10:52:10+01:00
CVE-2020-25717: s3:auth: Check minimum domain uid
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
[abartlet at samba.org Removed knownfail on advice from metze]
- - - - -
885fe6e3 by Stefan Metzmacher at 2021-11-08T10:52:10+01:00
CVE-2020-25717: s3:auth: we should not try to autocreate the guest account
We should avoid autocreation of users as much as possible.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
d079628a by Stefan Metzmacher at 2021-11-08T10:52:10+01:00
CVE-2020-25717: s3:auth: no longer let check_account() autocreate local users
So far we autocreated local user accounts based on just the
account_name (just ignoring any domain part).
This only happens via a possible 'add user script',
which is not typically defined on domain members
and on NT4 DCs local users already exist in the
local passdb anyway.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
844faf2f by Ralph Boehme at 2021-11-08T10:52:10+01:00
CVE-2020-25717: s3:auth: remove fallbacks in smb_getpwnam()
So far we tried getpwnam("DOMAIN\account") first and
always did a fallback to getpwnam("account") completely
ignoring the domain part, this just causes problems
as we mix "DOMAIN1\account", "DOMAIN2\account",
and "account"!
As we require a running winbindd for domain member setups
we should no longer do a fallback to just "account" for
users served by winbindd!
For users of the local SAM don't use this code path,
as check_sam_security() doesn't call check_account().
The only case where smb_getpwnam("account") happens is
when map_username() via ("username map [script]") mapped
"DOMAIN\account" to something without '\', but that is
explicitly desired by the admin.
Note: use 'git show -w'
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Ralph Boehme <slow at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
b0031f53 by Stefan Metzmacher at 2021-11-08T10:52:10+01:00
CVE-2020-25717: s3:lib: add lp_allow_trusted_domains() logic to is_allowed_domain()
is_allowed_domain() is a central place we already use to
trigger NT_STATUS_AUTHENTICATION_FIREWALL_FAILED, so
we can add additional logic there.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
e8e0bea9 by Stefan Metzmacher at 2021-11-08T10:52:10+01:00
CVE-2020-25717: s3:auth: don't let create_local_token depend on !winbind_ping()
We always require a running winbindd on a domain member, so
we should better fail a request instead of silently alter
the behaviour, which results in a different unix token, just
because winbindd might be restarted.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
39cf01d0 by Alexander Bokovoy at 2021-11-08T10:52:10+01:00
CVE-2020-25717: Add FreeIPA domain controller role
As we want to reduce use of 'classic domain controller' role but FreeIPA
relies on it internally, add a separate role to mark FreeIPA domain
controller role.
It means that role won't result in ROLE_STANDALONE.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Alexander Bokovoy <ab at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
eba5e132 by Stefan Metzmacher at 2021-11-08T10:52:10+01:00
CVE-2020-25719 CVE-2020-25717: auth/gensec: always require a PAC in domain mode (DC or member)
AD domains always provide a PAC unless UF_NO_AUTH_DATA_REQUIRED is set
on the service account, which can only be explicitly configured,
but that's an invalid configuration!
We still try to support standalone servers in an MIT realm,
as legacy setup.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
[jsutton at samba.org Removed knownfail entries]
- - - - -
e95392aa by Stefan Metzmacher at 2021-11-08T10:52:10+01:00
CVE-2020-25719 CVE-2020-25717: s4:auth: remove unused auth_generate_session_info_principal()
We'll require a PAC at the main gensec layer already.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
9f73360e by Stefan Metzmacher at 2021-11-08T10:52:11+01:00
CVE-2020-25717: s3:ntlm_auth: fix memory leaks in ntlm_auth_generate_session_info_pac()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
131d5ceb by Stefan Metzmacher at 2021-11-08T10:52:11+01:00
CVE-2020-25717: s3:ntlm_auth: let ntlm_auth_generate_session_info_pac() base the name on the PAC LOGON_INFO only
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
a152f36b by Stefan Metzmacher at 2021-11-08T10:52:11+01:00
CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() delegate everything to make_server_info_wbcAuthUserInfo()
This consolidates the code paths used for NTLMSSP and Kerberos!
I checked what we were already doing for NTLMSSP, which is this:
a) source3/auth/auth_winbind.c calls wbcAuthenticateUserEx()
b) as a domain member we require a valid response from winbindd,
otherwise we'll return NT_STATUS_NO_LOGON_SERVERS
c) we call make_server_info_wbcAuthUserInfo(), which internally
calls make_server_info_info3()
d) auth_check_ntlm_password() calls
smb_pam_accountcheck(unix_username, rhost), where rhost
is only an ipv4 or ipv6 address (without reverse dns lookup)
e) from auth3_check_password_send/auth3_check_password_recv()
server_returned_info will be passed to auth3_generate_session_info(),
triggered by gensec_session_info(), which means we'll call into
create_local_token() in order to transform auth_serversupplied_info
into auth_session_info.
For Kerberos gensec_session_info() will call
auth3_generate_session_info_pac() via the gensec_generate_session_info_pac()
helper function. The current logic is this:
a) gensec_generate_session_info_pac() is the function that
evaluates the 'gensec:require_pac', which defaulted to 'no'
before.
b) auth3_generate_session_info_pac() called
wbcAuthenticateUserEx() in order to pass the PAC blob
to winbindd, but only to prime its cache, e.g. netsamlogon cache
and others. Most failures were just ignored.
c) If the PAC blob is available, it extracted the PAC_LOGON_INFO
from it.
d) Then we called the horrible get_user_from_kerberos_info() function:
- It uses a first part of the tickets principal name (before the @)
as username and combines that with the 'logon_info->base.logon_domain'
if the logon_info (PAC) is present.
- As a fallback without a PAC it's tries to ask winbindd for a mapping
from realm to netbios domain name.
- Finally is falls back to using the realm as netbios domain name
With this information is builds 'userdomain+winbind_separator+useraccount'
and calls map_username() followed by smb_getpwnam() with create=true,
Note this is similar to the make_server_info_info3() => check_account()
=> smb_getpwnam() logic under 3.
- It also calls smb_pam_accountcheck(), but may pass the reverse DNS lookup name
instead of the ip address as rhost.
- It does some MAP_TO_GUEST_ON_BAD_UID logic and auto creates the
guest account.
e) We called create_info3_from_pac_logon_info()
f) make_session_info_krb5() calls gets called and triggers this:
- If get_user_from_kerberos_info() mapped to guest, it calls
make_server_info_guest()
- If create_info3_from_pac_logon_info() created a info3 from logon_info,
it calls make_server_info_info3()
- Without a PAC it tries pdb_getsampwnam()/make_server_info_sam() with
a fallback to make_server_info_pw()
From there it calls create_local_token()
I tried to change auth3_generate_session_info_pac() to behave similar
to auth_winbind.c together with auth3_generate_session_info() as
a domain member, as we now rely on a PAC:
a) As domain member we require a PAC and always call wbcAuthenticateUserEx()
and require a valid response!
b) we call make_server_info_wbcAuthUserInfo(), which internally
calls make_server_info_info3(). Note make_server_info_info3()
handles MAP_TO_GUEST_ON_BAD_UID and make_server_info_guest()
internally.
c) Similar to auth_check_ntlm_password() we now call
smb_pam_accountcheck(unix_username, rhost), where rhost
is only an ipv4 or ipv6 address (without reverse dns lookup)
d) From there it calls create_local_token()
As standalone server (in an MIT realm) we continue
with the already existing code logic, which works without a PAC:
a) we keep smb_getpwnam() with create=true logic as it
also requires an explicit 'add user script' option.
b) In the following commits we assert that there's
actually no PAC in this mode, which means we can
remove unused and confusing code.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14646
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
6a1f5f57 by Stefan Metzmacher at 2021-11-08T10:52:11+01:00
CVE-2020-25717: selftest: configure 'ktest' env with winbindd and idmap_autorid
The 'ktest' environment was/is designed to test kerberos in an active
directory member setup. It was created at a time we wanted to test
smbd/winbindd with kerberos without having the source4 ad dc available.
This still applies to testing the build with system krb5 libraries
but without relying on a running ad dc.
As a domain member setup requires a running winbindd, we should test it
that way, in order to reflect a valid setup.
As a side effect it provides a way to demonstrate that we can accept
smb connections authenticated via kerberos, but no connection to
a domain controller! In order get this working offline, we need an
idmap backend with ID_TYPE_BOTH support, so we use 'autorid', which
should be the default choice.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14646
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
9f807fdd by Stefan Metzmacher at 2021-11-08T10:52:11+01:00
CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() reject a PAC in standalone mode
We should be strict in standalone mode, that we only support MIT realms
without a PAC in order to keep the code sane.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
27d71917 by Stefan Metzmacher at 2021-11-08T10:52:11+01:00
CVE-2020-25717: s3:auth: simplify get_user_from_kerberos_info() by removing the unused logon_info argument
This code is only every called in standalone mode on a MIT realm,
it means we never have a PAC and we also don't have winbindd arround.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
ef4df24b by Stefan Metzmacher at 2021-11-08T10:52:11+01:00
CVE-2020-25717: s3:auth: simplify make_session_info_krb5() by removing unused arguments
This is only ever be called in standalone mode with an MIT realm,
so we don't have a PAC/info3 structure.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
0bb53df9 by Joseph Sutton at 2021-11-08T10:52:11+01:00
CVE-2020-25722 Add test for SPN deletion followed by addition
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
[abartlet at samba.org Removed transaction hooks, these do nothing over
remote LDAP]
- - - - -
7cbf3940 by Joseph Sutton at 2021-11-08T10:52:11+01:00
CVE-2020-25722 s4:dsdb:tests: Add missing self.fail() calls
Without these calls the tests could pass if an expected error did not
occur.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14832
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
[abartlet at samba.org Included in backport as changing ACLs while
ACL tests are not checking for unexpected success would be bad]
- - - - -
038767ae by Nadezhda Ivanova at 2021-11-08T10:52:11+01:00
CVE-2020-25722: s4-acl: test Control Access Rights honor the Applies-to attribute
Validate Writes and Control Access Rights should only grant access if the
object is of the type listed in the Right's appliesTo attribute.
Tests to verify this behavior
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14832
Signed-off-by: Nadezhda Ivanova <nivanova at symas.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
ae9eb6c7 by Nadezhda Ivanova at 2021-11-08T10:52:11+01:00
CVE-2020-25722: s4-acl: Make sure Control Access Rights honor the Applies-to attribute
Validate Writes and Control Access Rights only grant access if the
object is of the type listed in the Right's appliesTo attribute. For
example, even though a Validated-SPN access may be granted to a user
object in the SD, it should only pass if the object is of class
computer This patch enforces the appliesTo attribute classes for
access checks from within the ldb stack.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14832
Signed-off-by: Nadezhda Ivanova <nivanova at symas.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
f1c64ed2 by Andrew Bartlett at 2021-11-08T10:52:11+01:00
CVE-2020-25722 Check all elements in acl_check_spn() not just the first one
Thankfully we are aleady in a loop over all the message elements in
acl_modify() so this is an easy and safe change to make.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
- - - - -
ef7f5827 by Andrew Bartlett at 2021-11-08T10:52:11+01:00
CVE-2020-25722 Check for all errors from acl_check_extended_right() in acl_check_spn()
We should not fail open on error.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
- - - - -
a65866a6 by Douglas Bagnall at 2021-11-08T10:52:11+01:00
CVE-2020-25722 pytests: add reverse lookup dict for LDB error codes
You can give ldb_err() it a number, an LdbError, or a sequence of
numbers, and it will return the corresponding strings. Examples:
ldb_err(68) # "LDB_ERR_ENTRY_ALREADY_EXISTS"
LDB_ERR_LUT[68] # "LDB_ERR_ENTRY_ALREADY_EXISTS"
expected = (ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS,
ldb.ERR_INVALID_CREDENTIALS)
try:
foo()
except ldb.LdbError as e:
self.fail(f"got {ldb_err(e)}, expected one of {ldb_err(expected)}")
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
f64fe0b1 by Douglas Bagnall at 2021-11-08T10:52:11+01:00
CVE-2020-25722 pytest: assertRaisesLdbError invents a message if you're lazy
This makes it easier to convert tests that don't have good messages.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
c1973ced by Douglas Bagnall at 2021-11-08T10:52:11+01:00
CVE-2020-25722 s4/dsdb/cracknames: always free tmp_ctx in spn_alias
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
3e349608 by Douglas Bagnall at 2021-11-08T10:52:11+01:00
CVE-2020-25722 s4/cracknames: lookup_spn_alias doesn't need krb5 context
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
55c6c01a by Douglas Bagnall at 2021-11-08T10:52:11+01:00
CVE-2020-25722 samba-tool spn: accept -H for database url
Following the convention and making testing easier
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
47279630 by Douglas Bagnall at 2021-11-08T10:52:11+01:00
CVE-2020-25722 samba-tool spn add: remove --force option
This did not actually *force* the creation of a duplicate SPN, it just
ignored the client-side check for the existing copy. Soon we are going
to enforce SPN uniqueness on the server side, and this --force will not
work. This will make the --force test fail, and if that tests fail, so
will others that depend the duplicate values. So we remove those tests.
It is wrong-headed to try to make duplicate SPNs in any case, which is
probably why there is no sign of anyone ever having used this option.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
5650323f by Douglas Bagnall at 2021-11-08T10:52:11+01:00
CVE-2020-25722 tests: blackbox samba-tool spn non-admin test
It is soon going to be impossible to add duplicate SPNs (short of
going behind DSDB's back on the local filesystem). Our test of adding
SPNs on non-admin users doubled as the test for adding a duplicate (using
--force). As --force is gone, we add these tests on Guest after the SPN
on Administrator is gone.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
50f5069a by Douglas Bagnall at 2021-11-08T10:52:11+01:00
CVE-2020-25722 s4/provision: add host/ SPNs at the start
There are two reasons for this. Firstly, leaving SPNs unclaimed is
dangerous, as someone else could grab them first. Secondly, in some
circumstances (self join) we try to add a DNS/ SPN a little bit later
in provision. Under the rules we are introducing for CVE-2020-25722,
this will make our later attempts to add HOST/ fail.
This causes a few errors in samba4.blackbox.dbcheck.* tests, which
assert that revivified old domains match stored reference versions.
Now they don't, because they have servicePrincipalNames.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
26bfddd4 by Douglas Bagnall at 2021-11-08T10:52:11+01:00
CVE-2020-25722 blackbox/upgrades tests: ignore SPN for ldapcmp
We need to have the SPNs there before someone else nabs them, which
makes the re-provisioned old releases different from the reference
versions that we keep for this comparison.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
40a3b71e by Douglas Bagnall at 2021-11-08T10:52:11+01:00
CVE-2020-25722 pytest: test sAMAccountName/userPrincipalName over ldap
Because the sam account name + the dns host name is used as the
default user principal name, we need to check for collisions between
these. Fixes are coming in upcoming patches.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
38e858b1 by Douglas Bagnall at 2021-11-08T10:52:11+01:00
CVE-2020-25722 pytest: test setting servicePrincipalName over ldap
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
4b5a370e by Douglas Bagnall at 2021-11-08T10:52:11+01:00
CVE-2020-25722 s4/cracknames: add comment pointing to samldb spn handling
These need to stay a little bit in sync. The reverse comment is there.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
935997b9 by Douglas Bagnall at 2021-11-08T10:52:11+01:00
CVE-2020-25722 s4/dsdb/samldb: add samldb_get_single_valued_attr() helper
This takes a string of logic out of samldb_unique_attr_check() that we
are going to need in other places, and that would be very tedious to
repeat.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
90957fba by Douglas Bagnall at 2021-11-08T10:52:11+01:00
CVE-2020-25722 s4/dsdb/samldb: unique_attr_check uses samldb_get_single_valued_attr()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
4439ac7b by Douglas Bagnall at 2021-11-08T10:52:11+01:00
CVE-2020-25722 s4/dsdb/samldb: check for clashes in UPNs/samaccountnames
We already know duplicate sAMAccountNames and UserPrincipalNames are bad,
but we also have to check against the values these imply in each other.
For example, imagine users with SAM account names "Alice" and "Bob" in
the realm "example.com". If they do not have explicit UPNs, by the logic
of MS-ADTS 5.1.1.1.1 they use the implict UPNs "alice at example.com" and
"bob at example.com", respectively. If Bob's UPN gets set to
"alice at example.com", it will clash with Alice's implicit one.
Therefore we refuse to allow a UPN that implies an existing SAM account
name and vice versa.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
9be11622 by Douglas Bagnall at 2021-11-08T10:52:11+01:00
CVE-2020-25722 s4/dsdb/samldb: check sAMAccountName for illegal characters
This only for the real account name, not the account name implicit in
a UPN. It doesn't matter if a UPN implies an illegal sAMAccountName,
since that is not going to conflict with a real one.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
b121b192 by Douglas Bagnall at 2021-11-08T10:52:11+01:00
CVE-2020-25722 s4/dsdb/samldb: check for SPN uniqueness, including aliases
Not only should it not be possible to add a servicePrincipalName that
is already present in the domain, it should not be possible to add one
that is implied by an entry in sPNMappings, unless the user is adding
an alias to another SPN and has rights to alter that one.
For example, with the default sPNMappings, cifs/ is an alias pointing to
host/, meaning if there is no cifs/example.com SPN, the host/example.com
one will be used instead. A user can add the cifs/example.com SPN only
if they can also change the host/example.com one (because adding the
cifs/ effectively changes the host/). The reverse is refused in all cases,
unless they happen to be on the same object. That is, if there is a
cifs/example.com SPN, there is no way to add host/example.com elsewhere.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
3a4095ae by Douglas Bagnall at 2021-11-08T10:52:11+01:00
CVE-2020-25722 s4/dsdb/samldb: reject SPN with too few/many components
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
208bbf8c by Douglas Bagnall at 2021-11-08T10:52:11+01:00
CVE-2020-25722 s4/dsdb modules: add dsdb_get_expected_new_values()
This function collects a superset of all the new values for the specified
attribute that could result from an ldb add or modify message.
In most cases -- where there is a single add or modify -- the exact set
of added values is returned, and this is done reasonably efficiently
using the existing element. Where it gets complicated is when there are
multiple elements for the same attribute in a message. Anything added
before a replace or delete will be included in these results but may not
end up in the database if the message runs its course. Examples:
sequence result
1. ADD the element is returned (exact)
2. REPLACE the element is returned (exact)
3. ADD, ADD both elements are concatenated together (exact)
4. ADD, REPLACE both elements are concatenated together (superset)
5. REPLACE, ADD both elements are concatenated together (exact)
6. ADD, DEL, ADD adds are concatenated together (superset)
7. REPLACE, REPLACE both concatenated (superset)
8. DEL, ADD last element is returned (exact)
Why this? In the past we have treated dsdb_get_single_valued_attr() as if
it returned the complete set of possible database changes, when in fact it
only returned the last non-delete. That is, it could have missed values
in examples 3-7 above.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
7913ec03 by Douglas Bagnall at 2021-11-08T10:52:11+01:00
CVE-2020-25722 s4/dsdb/samldb: samldb_get_single_valued_attr() check all values
using dsdb_get_expected_new_values().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
437465a9 by Douglas Bagnall at 2021-11-08T10:52:11+01:00
CVE-2020-25722 s4/dsdb/samldb: samldb_sam_accountname_valid_check() check all values
Using dsdb_get_expected_new_values().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
46662056 by Douglas Bagnall at 2021-11-08T10:52:11+01:00
CVE-2020-25722 s4/dsdb/samldb: samldb_schema_add_handle_linkid() checks all values
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
57f7b13f by Douglas Bagnall at 2021-11-08T10:52:11+01:00
CVE-2020-25722 s4/dsdb/samldb: samldb_schema_add_handle_mapiid() checks all values
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
18e4c639 by Douglas Bagnall at 2021-11-08T10:52:11+01:00
CVE-2020-25722 s4/dsdb/samldb: samldb_prim_group_change() checks all values
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
2991eede by Douglas Bagnall at 2021-11-08T10:52:11+01:00
CVE-2020-25722 s4/dsdb/samldb: samldb_user_account_control_change() checks all values
There is another call to dsdb_get_expected_new_values() in this function
that we change in the next commit.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
96fbfe0e by Douglas Bagnall at 2021-11-08T10:52:11+01:00
CVE-2020-25722 s4/dsdb/samldb _user_account_control_change() always add final value
dsdb_get_single_valued_attr() was finding the last non-delete element for
userAccountControl and changing its value to the computed value.
Unfortunately, the last non-delete element might not be the last element,
and a subsequent delete might remove it.
Instead we just add a replace on the end.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
63de5098 by Douglas Bagnall at 2021-11-08T10:52:11+01:00
CVE-2020-25722 s4/dsdb/samldb: samldb_pwd_last_set_change() checks all values
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
1deb16de by Douglas Bagnall at 2021-11-08T10:52:11+01:00
CVE-2020-25722 s4/dsdb/samldb: samldb_lockout_time() checks all values
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
485db903 by Douglas Bagnall at 2021-11-08T10:52:11+01:00
CVE-2020-25722 s4/dsdb/samldb: samldb_group_type_change() checks all values
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
fdd25972 by Douglas Bagnall at 2021-11-08T10:52:11+01:00
CVE-2020-25722 s4/dsdb/samldb: samldb_service_principal_names_change checks values
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
3f413fb5 by Douglas Bagnall at 2021-11-08T10:52:11+01:00
CVE-2020-25722 s4/dsdb/samldb: samldb_fsmo_role_owner_check checks values
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
2a57c6e2 by Douglas Bagnall at 2021-11-08T10:52:11+01:00
CVE-2020-25722 s4/dsdb/samldb: samldb_fsmo_role_owner_check() wants one value
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
b8424fad by Douglas Bagnall at 2021-11-08T10:52:11+01:00
CVE-2020-25722 s4/dsdb/pwd_hash: password_hash_bypass gets all values
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
bed2ea1d by Douglas Bagnall at 2021-11-08T10:52:11+01:00
CVE-2020-25722 s4/dsdb/pwd_hash: rework pwdLastSet bypass
This tightens the logic a bit, in that a message with trailing DELETE
elements is no longer accepted when the bypass flag is set. In any case
this is an unlikely scenario as this is an internal flag set by a private
control in pdb_samba_dsdb_replace_by_sam().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
223179aa by Douglas Bagnall at 2021-11-08T10:52:11+01:00
CVE-2020-25722 s4/dsdb/util: remove unused dsdb_get_single_valued_attr()
Nobody uses it now. It never really did what it said it did. Almost
every use was wrong. It was a trap.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
dd176b4f by Joseph Sutton at 2021-11-08T10:52:11+01:00
CVE-2020-25722 selftest: Adapt ldap.py tests to new objectClass restrictions
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
decb2883 by Joseph Sutton at 2021-11-08T10:52:11+01:00
CVE-2020-25718 tests/krb5: Fix indentation
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
b4ac46d3 by Joseph Sutton at 2021-11-08T10:52:11+01:00
CVE-2020-25719 krb5pac.idl: Add PAC_ATTRIBUTES_INFO PAC buffer type
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
13d066a8 by Joseph Sutton at 2021-11-08T10:52:11+01:00
CVE-2020-25719 krb5pac.idl: Add PAC_REQUESTER_SID PAC buffer type
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
4dfa0a77 by Joseph Sutton at 2021-11-08T10:52:11+01:00
CVE-2020-25719 tests/krb5: Provide expected parameters for both AS-REQs in get_tgt()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
e60e6301 by Joseph Sutton at 2021-11-08T10:52:11+01:00
CVE-2020-25719 tests/krb5: Allow update_pac_checksums=True if the PAC is not present
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
5d83f3ba by Joseph Sutton at 2021-11-08T10:52:11+01:00
CVE-2020-25719 tests/krb5: Don't expect a kvno for user-to-user
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
a01303f0 by Joseph Sutton at 2021-11-08T10:52:11+01:00
CVE-2020-25719 tests/krb5: Expect 'renew-till' element when renewing a TGT
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
80a8c900 by Joseph Sutton at 2021-11-08T10:52:12+01:00
CVE-2020-25719 tests/krb5: Return ticket from _tgs_req()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
fad4159d by Joseph Sutton at 2021-11-08T10:52:12+01:00
CVE-2020-25719 tests/krb5: Use correct credentials for user-to-user tests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
97e5b765 by Joseph Sutton at 2021-11-08T10:52:12+01:00
CVE-2020-25719 tests/krb5: Adjust PAC tests to prepare for new PAC_ATTRIBUTES_INFO buffer
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
05c3582e by Joseph Sutton at 2021-11-08T10:52:12+01:00
CVE-2020-25719 tests/krb5: Adjust expected error codes for user-to-user tests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
837e153c by Joseph Sutton at 2021-11-08T10:52:12+01:00
CVE-2020-25719 tests/krb5: tests/krb5: Adjust expected error code for S4U2Self no-PAC tests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
51890d84 by Joseph Sutton at 2021-11-08T10:52:12+01:00
CVE-2020-25719 tests/krb5: Extend _get_tgt() method to allow more modifications to tickets
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
5ad45816 by Joseph Sutton at 2021-11-08T10:52:12+01:00
CVE-2020-25719 tests/krb5: Add _modify_tgt() method for modifying already obtained tickets
https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
e496c04a by Joseph Sutton at 2021-11-08T10:52:12+01:00
CVE-2020-25719 tests/krb5: Add testing for PAC_TYPE_ATTRIBUTES_INFO PAC buffer
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
04ceb10c by Joseph Sutton at 2021-11-08T10:52:12+01:00
CVE-2020-25719 tests/krb5: Add testing for PAC_TYPE_REQUESTER_SID PAC buffer
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
241d3956 by Joseph Sutton at 2021-11-08T10:52:12+01:00
CVE-2020-25719 tests/krb5: Add EXPECT_PAC environment variable to expect pac from all TGS tickets
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
28951862 by Joseph Sutton at 2021-11-08T10:52:12+01:00
CVE-2020-25719 tests/krb5: Add expected parameters to cache key for obtaining tickets
If multiple calls to get_tgt() or get_service_ticket() specify different
expected parameters, we want to perform the request again so that the
checking can be performed, rather than reusing a previously obtained
ticket and potentially skipping checks.
It should be fine to cache tickets with the same expected parameters, as
tickets that fail to be obtained will not be stored in the cache, so the
checking will happen for every call.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
8bd96fc1 by Joseph Sutton at 2021-11-08T10:52:12+01:00
CVE-2020-25719 tests/krb5: Add tests for PAC attributes buffer
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
9e29510f by Joseph Sutton at 2021-11-08T10:52:12+01:00
CVE-2020-25719 tests/krb5: Add tests for PAC-REQUEST padata
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
9990c478 by Joseph Sutton at 2021-11-08T10:52:12+01:00
CVE-2020-25719 tests/krb5: Add tests for requester SID PAC buffer
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
d151c252 by Joseph Sutton at 2021-11-08T10:52:12+01:00
CVE-2020-25719 tests/krb5: Add test for user-to-user with no sname
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
3c832b5a by Joseph Sutton at 2021-11-08T10:52:12+01:00
CVE-2020-25719 tests/krb5: Add tests for mismatched names with user-to-user
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
103a6ebb by Joseph Sutton at 2021-11-08T10:52:12+01:00
CVE-2020-25719 s4/torture: Expect additional PAC buffers
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
0954b59e by Joseph Sutton at 2021-11-08T10:52:12+01:00
CVE-2020-25722 pytest: Raise an error when adding a dynamic test that would overwrite an existing test
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
4754bf4d by Andreas Schneider at 2021-11-08T10:52:12+01:00
CVE-2020-25719 mit-samba: Make ks_get_principal() internally public
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
9902f1b0 by Andreas Schneider at 2021-11-08T10:52:12+01:00
CVE-2020-25719 mit-samba: Add ks_free_principal()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
[abartlet at samba.org As submitted in patch to Samba bugzilla
to address this issue as https://attachments.samba.org/attachment.cgi?id=16724
on overall bug https://bugzilla.samba.org/show_bug.cgi?id=14725]
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
940ddac4 by Andreas Schneider at 2021-11-08T10:52:12+01:00
CVE-2020-25719 mit-samba: If we use client_princ, always lookup the db entry
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
[abartlet at samba.org backported due to support for MIT KDB < 10
in Samba 4.14]
- - - - -
0e09aaa3 by Andreas Schneider at 2021-11-08T10:52:12+01:00
CVE-2020-25719 mit-samba: Add mit_samba_princ_needs_pac()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
f0b9f23f by Andreas Schneider at 2021-11-08T10:52:12+01:00
CVE-2020-25719 mit-samba: Handle no DB entry in mit_samba_get_pac()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
f99cff8c by Andreas Schneider at 2021-11-08T10:52:12+01:00
CVE-2020-25719 mit-samba: Rework PAC handling in kdb_samba_db_sign_auth_data()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
d8697708 by Andreas Schneider at 2021-11-08T10:52:12+01:00
CVE-2020-25719 mit_samba: The samba_princ_needs_pac check should be on the server entry
This does the same check as the hdb plugin now. The client check is already
done earlier.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
fe94c4bc by Andreas Schneider at 2021-11-08T10:52:12+01:00
CVE-2020-25719 mit_samba: Create the talloc context earlier
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
ff747922 by Andreas Schneider at 2021-11-08T10:52:12+01:00
CVE-2020-25719 s4:kdc: Remove trailing spaces in pac-glue.c
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
8ae2a874 by Andreas Schneider at 2021-11-08T10:52:12+01:00
CVE-2020-25719 s4:kdc: Add samba_kdc_validate_pac_blob()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
6b7d62e8 by Andreas Schneider at 2021-11-08T10:52:12+01:00
CVE-2020-25719 s4:kdc: Check if the pac is valid before updating it
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
706004d0 by Joseph Sutton at 2021-11-08T10:52:12+01:00
CVE-2020-25719 s4:kdc: Add KDC support for PAC_ATTRIBUTES_INFO PAC buffer
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
4d92c401 by Joseph Sutton at 2021-11-08T10:52:12+01:00
CVE-2020-25719 heimdal:kdc: Require authdata to be present
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14686
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
8c1092d8 by Andrew Bartlett at 2021-11-08T10:52:12+01:00
CVE-2020-25718 kdc: Remove unused samba_kdc_get_pac_blob()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
- - - - -
4b78fe5c by Andrew Bartlett at 2021-11-08T10:52:12+01:00
CVE-2020-25718 s4-rpc_server: Change sid list functions to operate on a array of struct dom_sid
This is instead of an array of struct dom_sid *.
The reason is that auth_user_info_dc has an array of struct dom_sid
(the user token) and for checking if an RODC should be allowed
to print a particular ticket, we want to reuse that a rather
then reconstruct it via tokenGroups.
This also avoids a lot of memory allocation.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
- - - - -
0a3ebd1d by Andrew Bartlett at 2021-11-08T10:52:12+01:00
CVE-2020-25718 s4-rpc_server: Obtain the user tokenGroups earlier
This will allow the creation of a common helper routine that
takes the token SID list (from tokenGroups or struct auth_user_info_dc)
and returns the allowed/denied result.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
- - - - -
43f321dc by Andrew Bartlett at 2021-11-08T10:52:12+01:00
CVE-2020-25718 s4-rpc_server: Put RODC reveal/never reveal logic into a single helper function
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
- - - - -
d15ffe1b by Andrew Bartlett at 2021-11-08T10:52:12+01:00
CVE-2020-25718 s4-rpc_server: Put msDS-KrbTgtLinkBL and UF_INTERDOMAIN_TRUST_ACCOUNT RODC checks in common
While these checks were not in the NETLOGON case, there is no sense where
an RODC should be resetting a bad password count on either a
UF_INTERDOMAIN_TRUST_ACCOUNT nor a RODC krbtgt account.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
- - - - -
69b14a88 by Andrew Bartlett at 2021-11-08T10:52:12+01:00
CVE-2020-25718 s4-rpc_server: Confirm that the RODC has the UF_PARTIAL_SECRETS_ACCOUNT bit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
- - - - -
27629a5a by Andrew Bartlett at 2021-11-08T10:52:12+01:00
CVE-2020-25718 s4-rpc_server: Provide wrapper samdb_confirm_rodc_allowed_to_repl_to()
This shares the lookup of the tokenGroups attribute.
There will be a new caller that does not want to do this step,
so this is a wrapper of samdb_confirm_rodc_allowed_to_repl_to_sid_list()
rather than part of it
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
- - - - -
944d1af2 by Andrew Bartlett at 2021-11-08T10:52:12+01:00
CVE-2020-25718 s4-rpc_server: Remove unused attributes in RODC check
In particular the objectGUID is no longer used, and in the NETLOGON case
the special case for msDS-KrbTgtLink does not apply.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
- - - - -
65b17036 by Andrew Bartlett at 2021-11-08T10:52:12+01:00
CVE-2020-25718 s4-rpc_server: Explain why we use DSDB_SEARCH_SHOW_EXTENDED_DN in RODC access check
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
- - - - -
a12d50c5 by Andrew Bartlett at 2021-11-08T10:52:12+01:00
CVE-2020-25718 s4-rpc_server: Add in debug messages into RODC processing
These are added for the uncommon cases.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
- - - - -
4cb71559 by Andrew Bartlett at 2021-11-08T10:52:12+01:00
CVE-2020-25718 dsdb: Bring sid_helper.c into common code as rodc_helper.c
These common routines will assist the KDC to do the same access
checking as the RPC servers need to do regarding which accounts
a RODC can act with regard to.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
- - - - -
1566a68a by Andrew Bartlett at 2021-11-08T10:52:12+01:00
CVE-2020-25718 kdc: Confirm the RODC was allowed to issue a particular ticket
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
- - - - -
aa66df26 by Joseph Sutton at 2021-11-08T10:52:12+01:00
CVE-2020-25718 kdc: Return ERR_POLICY if RODC krbtgt account is invalid
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
8d94ec0d by Andrew Bartlett at 2021-11-08T10:52:12+01:00
CVE-2020-25719 kdc: Avoid races and multiple DB lookups in s4u2self check
Looking up the DB twice is subject to a race and is a poor
use of resources, so instead just pass in the record we
already got when trying to confirm that the server in
S4U2Self is the same as the requesting client.
The client record has already been bound to the the
original client by the SID check in the PAC.
Likewise by looking up server only once we ensure
that the keys looked up originally are in the record
we confirm the SID for here.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14686
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
- - - - -
c59f5762 by Andrew Bartlett at 2021-11-08T10:52:12+01:00
CVE-2020-25721 auth: Fill in the new HAS_SAM_NAME_AND_SID values
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14835
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
- - - - -
8513fe9e by Andrew Bartlett at 2021-11-08T10:52:12+01:00
CVE-2020-25722 Ensure the structural objectclass cannot be changed
If the structural objectclass is allowed to change, then the restrictions
locking an object to remaining a user or computer will not be enforcable.
Likewise other LDAP inheritance rules, which allow only certain
child objects can be bypassed, which can in turn allow creation of
(unprivileged) users where only DNS objects were expected.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14889
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
- - - - -
60ac2ff3 by Joseph Sutton at 2021-11-08T10:52:12+01:00
CVE-2020-25719 s4:kdc: Add KDC support for PAC_REQUESTER_SID PAC buffer
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
73f6a615 by Joseph Sutton at 2021-11-08T10:52:12+01:00
CVE-2020-25719 heimdal:kdc: Check return code
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
c493ff06 by Joseph Sutton at 2021-11-08T10:52:12+01:00
CVE-2020-25719 heimdal:kdc: Move fetching krbtgt entry to before enctype selection
This allows us to use it when validating user-to-user.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
5f1aeeee by Joseph Sutton at 2021-11-08T10:52:12+01:00
CVE-2020-25719 heimdal:kdc: Use sname from request rather than user-to-user TGT client name
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
2eaf906f by Joseph Sutton at 2021-11-08T10:52:12+01:00
CVE-2020-25719 heimdal:kdc: Check name in request against name in user-to-user TGT
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
1fb0c6b5 by Joseph Sutton at 2021-11-08T10:52:12+01:00
CVE-2020-25719 heimdal:kdc: Verify PAC in TGT provided for user-to-user authentication
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
b6ab45da by Andrew Bartlett at 2021-11-08T10:52:12+01:00
CVE-2020-25722 kdc: Do not honour a request for a 3-part SPN (ending in our domain/realm) unless a DC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14776
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
- - - - -
864623d8 by Joseph Sutton at 2021-11-08T10:52:12+01:00
CVE-2020-25719 heimdal:kdc: Require PAC to be present
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14686
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
06a46f79 by Joseph Sutton at 2021-11-08T10:52:12+01:00
CVE-2020-25718 tests/krb5: Only fetch RODC account credentials when necessary
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
c05ea456 by Joseph Sutton at 2021-11-08T10:52:12+01:00
CVE-2020-25719 tests/krb5: Add tests for using a ticket with a renamed account
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
a803247a by Joseph Sutton at 2021-11-08T10:52:12+01:00
CVE-2020-25718 heimdal:kdc: Add comment about tests for tickets of users not revealed to an RODC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14886
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
1c5a0ef8 by Andrew Bartlett at 2021-11-08T10:52:12+01:00
Revert "CVE-2020-25719 heimdal:kdc: Require authdata to be present"
This reverts an earlier commit that was incorrect.
It is not Samba practice to include a revert, but at this point in
the patch preperation the ripple though the knownfail files is
more trouble than can be justified.
It is not correct to refuse to parse all tickets with no authorization
data, only for the KDC to require that a PAC is found, which is done
in "heimdal:kdc: Require PAC to be present"
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
- - - - -
2b28b9c3 by Andrew Bartlett at 2021-11-08T10:52:12+01:00
CVE-2020-25719 selftest: Always expect a PAC in TGS replies with Heimdal
This is tested in other places already, but this ensures a global
check that a TGS-REP has a PAC, regardless.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
- - - - -
9ac2254c by Stefan Metzmacher at 2021-11-08T10:52:12+01:00
CVE-2020-25722 pytests: Give computer accounts unique (and valid) sAMAccountNames and SPNs
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
Signed-off-by: Stefan Metzmacher <metze at samba.org>
- - - - -
26a1bd5c by Joseph Sutton at 2021-11-08T10:52:13+01:00
CVE-2020-25722 selftest: Add test for duplicate servicePrincipalNames on an add operation
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
- - - - -
3ed16e74 by Joseph Sutton at 2021-11-08T10:52:13+01:00
CVE-2020-25722 selftest: Ensure check for duplicate servicePrincipalNames is not bypassed for an add operation
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
If one of the objectClass checks passed, samldb_add() could return
through one of the samldb_fill_*() functions and skip the
servicePrincipalName uniqueness checking.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
- - - - -
83a9fb52 by Volker Lendecke at 2021-11-08T10:52:13+01:00
CVE-2021-23192 rpc: Give dcerpc_util.c its own header
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875
(cherry picked from commit 8945d99758d8bedd374f1c51304b87a6cf10498c)
- - - - -
4a893891 by Volker Lendecke at 2021-11-08T10:52:13+01:00
CVE-2021-23192 librpc: Remove the gensec dependency from library dcerpc-binding
This means yet another library, but having to depend on gensec just
for dcerpc_parse_binding() and basic packet parsing seems like a bit
overkill to me.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Tue Apr 6 23:33:14 UTC 2021 on sn-devel-184
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875
(cherry picked from commit 4d3b6506d30e4bf302f832493dad00a83b73d370)
- - - - -
6b371124 by Stefan Metzmacher at 2021-11-08T10:52:13+01:00
CVE-2021-23192: dcesrv_core: add better debugging to dcesrv_fault_disconnect()
It's better to see the location that triggered the fault.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Samuel Cabrero <scabrero at samba.org>
- - - - -
714cf311 by Stefan Metzmacher at 2021-11-08T10:52:13+01:00
CVE-2021-23192: dcesrv_core: add dcesrv_fault_disconnect0() that skips DCERPC_PFC_FLAG_DID_NOT_EXECUTE
That makes the callers much simpler and allow better debugging.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Samuel Cabrero <scabrero at samba.org>
- - - - -
6afefee9 by Stefan Metzmacher at 2021-11-08T10:52:13+01:00
CVE-2021-23192: python/tests/dcerpc: change assertNotEquals() into assertNotEqual()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Samuel Cabrero <scabrero at samba.org>
- - - - -
adcd0d76 by Stefan Metzmacher at 2021-11-08T10:52:13+01:00
CVE-2021-23192: python/tests/dcerpc: let generate_request_auth() use g_auth_level in all places
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Samuel Cabrero <scabrero at samba.org>
- - - - -
1f66e3f9 by Stefan Metzmacher at 2021-11-08T10:52:13+01:00
CVE-2021-23192: python/tests/dcerpc: fix do_single_request(send_req=False)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Samuel Cabrero <scabrero at samba.org>
- - - - -
f4492f93 by Stefan Metzmacher at 2021-11-08T10:52:13+01:00
CVE-2021-23192: python/tests/dcerpc: add tests to check how security contexts relate to fragmented requests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Samuel Cabrero <scabrero at samba.org>
- - - - -
ec712adf by Stefan Metzmacher at 2021-11-08T10:52:13+01:00
CVE-2021-23192: dcesrv_core: only the first fragment specifies the auth_contexts
All other fragments blindly inherit it.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Samuel Cabrero <scabrero at samba.org>
- - - - -
4290223e by Stefan Metzmacher at 2021-11-08T10:52:13+01:00
CVE-2016-2124: s4:libcli/sesssetup: don't fallback to non spnego authentication if we require kerberos
We should not send NTLM[v2] data on the wire if the user asked for kerberos
only.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12444
Signed-off-by: Stefan Metzmacher <metze at samba.org>
- - - - -
721e40dd by Stefan Metzmacher at 2021-11-08T10:52:13+01:00
CVE-2016-2124: s3:libsmb: don't fallback to non spnego authentication if we require kerberos
We should not send NTLM[v2] nor plaintext data on the wire if the user
asked for kerberos only.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12444
Signed-off-by: Stefan Metzmacher <metze at samba.org>
- - - - -
f7636fb7 by Stefan Metzmacher at 2021-11-08T10:52:13+01:00
CVE-2021-3738 s4:torture/drsuapi: don't pass DsPrivate to test_DsBind()
This will make it easier to reuse.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
3db47b07 by Stefan Metzmacher at 2021-11-08T10:52:13+01:00
CVE-2021-3738 s4:torture/drsuapi: maintain priv->dc_credentials
We want to use the credentials of the joined dc account
in future tests.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
ec1ea05e by Stefan Metzmacher at 2021-11-08T10:52:13+01:00
CVE-2021-3738 s4:torture/drsuapi: maintain priv->admin_credentials
This will be used in the next commits.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
[abartlet at samba.org Backported from patch for master to use
the older popt functions as master has the new common command
line handling]
- - - - -
5337dc5e by Stefan Metzmacher at 2021-11-08T10:52:13+01:00
CVE-2021-3738 s4:torture/drsuapi: DsBindAssocGroup* tests
This adds a reproducer for an invalid memory access, when
using the context handle from DsBind across multiple connections
within an association group.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
6925a53a by Stefan Metzmacher at 2021-11-08T10:52:13+01:00
CVE-2021-3738 auth_util: avoid talloc_tos() in copy_session_info()
We want to use this also in code without existing
stackframe.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
7c3b0376 by Stefan Metzmacher at 2021-11-08T10:52:13+01:00
CVE-2021-3738 s4:rpc_server/common: provide assoc_group aware dcesrv_samdb_connect_as_{system,user}() helpers
We already had dcesrv_samdb_connect_as_system(), but it uses the per
connection memory of auth_session_info and remote_address.
But in order to use the samdb connection on a per association group
context/policy handle, we need to make copies, which last for the
whole lifetime of the 'samdb' context.
We need the same logic also for all cases we make use of
the almost same logic where we want to create a samdb context
on behalf of the authenticated user (without allowing system access),
so we introduce dcesrv_samdb_connect_as_user().
In the end we need to replace all direct callers to samdb_connect()
from source4/rpc_server.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
061c125c by Stefan Metzmacher at 2021-11-08T10:52:13+01:00
CVE-2021-3738 s4:rpc_server/drsuapi: make use of assoc_group aware dcesrv_samdb_connect_as_*() helpers
This avoids a crash that's triggered by windows clients using
DsCrackNames across multiple connections within an association group
on the same DsBind context(policy) handle.
It also improves the auditing for the dcesrv_samdb_connect_as_system() case.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
caf3d32f by Stefan Metzmacher at 2021-11-08T10:52:13+01:00
CVE-2021-3738 s4:rpc_server/dnsserver: make use of dcesrv_samdb_connect_as_user() helper
This is not strictly required, but it makes it easier to audit that
source4/rpc_server no longer calls samdb_connect() directly.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
79d62d83 by Stefan Metzmacher at 2021-11-08T10:52:13+01:00
CVE-2021-3738 s4:rpc_server/lsa: make use of dcesrv_samdb_connect_as_user() helper
This avoids a crash that's triggered by windows clients using
handles from OpenPolicy[2]() on across multiple connections within
an association group.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
08b6c8fd by Stefan Metzmacher at 2021-11-08T10:52:13+01:00
CVE-2021-3738 s4:rpc_server/netlogon: make use of dcesrv_samdb_connect_as_*() helper
This is not strictly required, but it makes it easier to audit that
source4/rpc_server no longer calls samdb_connect() directly and
also improves auditing for the dcesrv_samdb_connect_as_system() case.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
0203330e by Stefan Metzmacher at 2021-11-08T10:52:13+01:00
CVE-2021-3738 s4:rpc_server/samr: make use of dcesrv_samdb_connect_as_*() helper
This avoids a crash that's triggered by windows clients using
handles from samr_Connect*() on across multiple connections within
an association group.
In other cases is not strictly required, but it makes it easier to audit that
source4/rpc_server no longer calls samdb_connect() directly and also
improves the auditing for the dcesrv_samdb_connect_as_system() case.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
[abartlet at samba.org Backported from master as Samba 4.13 does not
call dcerpc_is_transport_encrypted() and so session_info becomes
unused.]
- - - - -
6c14ac87 by Jule Anger at 2021-11-08T12:14:42+01:00
WHATSNEW: Add release notes for Samba 4.13.14.
Signed-off-by: Jule Anger <janger at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Karolin Seeger <kseeger at samba.org>
- - - - -
db11778b by Jule Anger at 2021-11-08T12:16:24+01:00
VERSION: Disable GIT_SNAPSHOT for the 4.13.14 release.
Signed-off-by: Jule Anger <janger at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Karolin Seeger <kseeger at samba.org>
- - - - -
87f39159 by Mathieu Parent at 2021-11-09T20:15:33+01:00
New upstream version 4.13.14+dfsg
- - - - -
2faa1d48 by Mathieu Parent at 2021-11-09T20:16:30+01:00
Merge tag 'upstream/4.13.14+dfsg'
Upstream version 4.13.14+dfsg
# gpg: Signature faite le mar. 09 nov. 2021 20:16:20 CET
# gpg: avec la clef RSA AAA58B842E882CF414E0BAB1A7C72A1C782B8C3F
# gpg: issuer "math.parent at gmail.com"
# gpg: Bonne signature de « Mathieu Parent <math.parent at gmail.com> » [inconnu]
# gpg: alias « Mathieu Parent <sathieu at debian.org> » [inconnu]
# gpg: Attention : cette clef n'est pas certifiée avec une signature de confiance.
# gpg: Rien n'indique que la signature appartient à son propriétaire.
# Empreinte de clef principale : AAA5 8B84 2E88 2CF4 14E0 BAB1 A7C7 2A1C 782B 8C3F
- - - - -
039b2f20 by Andrew Walker at 2021-11-09T20:23:30+01:00
s3/winbindd/winbindd_util - fix "allow trusted domains"
At bypass for BUILTIN (S-1-5-32) domain if
"allow trusted domains" is disabled.
- - - - -
1fe83e87 by Mathieu Parent at 2021-11-09T20:28:17+01:00
Add patch trusted_domain_fix_v4.13.patch
>From https://bugzilla.samba.org/show_bug.cgi?id=14725
(https://bugzilla.samba.org/attachment.cgi?id=16982)
- - - - -
6575e415 by Mathieu Parent at 2021-11-09T20:31:52+01:00
Bump ldb build-depends to 2.2.3
- - - - -
78950ba9 by Mathieu Parent at 2021-11-09T20:52:54+01:00
Update d/samba-libs.install
- - - - -
03e3da24 by Mathieu Parent at 2021-11-09T20:53:13+01:00
Release 2:4.13.14+dfsg-1
- - - - -
30 changed files:
- VERSION
- WHATSNEW.txt
- auth/auth_util.c
- auth/credentials/tests/bind.py
- auth/gensec/gensec_util.c
- auth/ntlmssp/ntlmssp_server.c
- ctdb/doc/ctdb-etcd.7
- ctdb/doc/ctdb-script.options.5
- ctdb/doc/ctdb-statistics.7
- ctdb/doc/ctdb-tunables.7
- ctdb/doc/ctdb.1
- ctdb/doc/ctdb.7
- ctdb/doc/ctdb.conf.5
- ctdb/doc/ctdb.sysconfig.5
- ctdb/doc/ctdb_diagnostics.1
- ctdb/doc/ctdb_mutex_ceph_rados_helper.7
- ctdb/doc/ctdbd.1
- ctdb/doc/ctdbd_wrapper.1
- ctdb/doc/ltdbtool.1
- ctdb/doc/onnode.1
- ctdb/doc/ping_pong.1
- debian/changelog
- debian/control
- debian/patches/series
- + debian/patches/trusted_domain_fix_v4.13.patch
- debian/samba-libs.install
- + docs-xml/smbdotconf/security/mindomainuid.xml
- docs-xml/smbdotconf/security/serverrole.xml
- docs-xml/smbdotconf/winbind/idmapconfig.xml
- docs/manpages/cifsdd.8
The diff was not included because it is too large.
View it on GitLab: https://salsa.debian.org/samba-team/samba/-/compare/8a4248b8c66b355dcc76b0bc4fbbbb6ce617b8e6...03e3da241f4b9c4d82864ceb0d89c37558144d4b
--
View it on GitLab: https://salsa.debian.org/samba-team/samba/-/compare/8a4248b8c66b355dcc76b0bc4fbbbb6ce617b8e6...03e3da241f4b9c4d82864ceb0d89c37558144d4b
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-samba-maint/attachments/20211109/3c6f2396/attachment-0001.htm>
More information about the Pkg-samba-maint
mailing list