[Pkg-samba-maint] [Git][samba-team/samba][master] 135 commits: lib/tsocket: Add tests for loop on EAGAIN
Michael Tokarev (@mjt)
gitlab at salsa.debian.org
Thu Dec 15 17:35:35 GMT 2022
Michael Tokarev pushed to branch master at Debian Samba Team / samba
Commits:
dcac415e by Andrew Bartlett at 2022-10-31T09:05:10+00:00
lib/tsocket: Add tests for loop on EAGAIN
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15202
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit f0fb8b9508346aed50528216fd959a9b1a941409)
- - - - -
8a4ef3d9 by Stefan Metzmacher at 2022-10-31T09:05:10+00:00
lib/tsocket: split out tsocket_bsd_error() from tsocket_bsd_pending()
This will be used on its own soon.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15202
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 9950efd83e1a4b5e711f1d36fefa8a5d5e8b2410)
- - - - -
5c051d38 by Stefan Metzmacher at 2022-10-31T09:05:10+00:00
lib/tsocket: check for errors indicated by poll() before getsockopt(fd, SOL_SOCKET, SO_ERROR)
This also returns an error if we got TCP_FIN from the peer,
which is only reported by an explicit POLLRDHUP check.
Also on FreeBSD getsockopt(fd, SOL_SOCKET, SO_ERROR) fetches
and resets the error, so a 2nd call no longer returns an error.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15202
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 29a65da63d730ecead1e7d4a81a76dd1c8c179ea)
- - - - -
419986dc by Stefan Metzmacher at 2022-10-31T09:05:10+00:00
lib/tsocket: remember the first error as tstream_bsd->error
If we found that the connection is broken, there's no point
in trying to use it anymore, so just return the first error we detected.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15202
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 4c7e2b9b60de5d02bb3f69effe7eddbf466a6155)
- - - - -
b615bf43 by Stefan Metzmacher at 2022-10-31T09:05:10+00:00
lib/tsocket: avoid endless cpu-spinning in tstream_bsd_fde_handler()
There were some reports that strace output an LDAP server socket is in
CLOSE_WAIT state, returning EAGAIN for writev over and over (after a call to
epoll() each time).
In the tstream_bsd code the problem happens when we have a pending
writev_send, while there's no readv_send pending. In that case
we still ask for TEVENT_FD_READ in order to notice connection errors
early, so we try to call writev even if the socket doesn't report TEVENT_FD_WRITE.
And there are situations where we do that over and over again.
It happens like this with a Linux kernel:
tcp_fin() has this:
struct tcp_sock *tp = tcp_sk(sk);
inet_csk_schedule_ack(sk);
sk->sk_shutdown |= RCV_SHUTDOWN;
sock_set_flag(sk, SOCK_DONE);
switch (sk->sk_state) {
case TCP_SYN_RECV:
case TCP_ESTABLISHED:
/* Move to CLOSE_WAIT */
tcp_set_state(sk, TCP_CLOSE_WAIT);
inet_csk_enter_pingpong_mode(sk);
break;
It means RCV_SHUTDOWN gets set as well as TCP_CLOSE_WAIT, but
sk->sk_err is not changed to indicate an error.
tcp_sendmsg_locked has this:
...
err = -EPIPE;
if (sk->sk_err || (sk->sk_shutdown & SEND_SHUTDOWN))
goto do_error;
while (msg_data_left(msg)) {
int copy = 0;
skb = tcp_write_queue_tail(sk);
if (skb)
copy = size_goal - skb->len;
if (copy <= 0 || !tcp_skb_can_collapse_to(skb)) {
bool first_skb;
new_segment:
if (!sk_stream_memory_free(sk))
goto wait_for_space;
...
wait_for_space:
set_bit(SOCK_NOSPACE, &sk->sk_socket->flags);
if (copied)
tcp_push(sk, flags & ~MSG_MORE, mss_now,
TCP_NAGLE_PUSH, size_goal);
err = sk_stream_wait_memory(sk, &timeo);
if (err != 0)
goto do_error;
It means if (sk->sk_err || (sk->sk_shutdown & SEND_SHUTDOWN)) doesn't
hit as we only have RCV_SHUTDOWN and sk_stream_wait_memory returns
-EAGAIN.
tcp_poll has this:
if (sk->sk_shutdown & RCV_SHUTDOWN)
mask |= EPOLLIN | EPOLLRDNORM | EPOLLRDHUP;
So we'll get EPOLLIN | EPOLLRDNORM | EPOLLRDHUP triggering
TEVENT_FD_READ and writev/sendmsg keeps getting EAGAIN.
So we need to always clear TEVENT_FD_READ if we don't
have readable handler in order to avoid burning cpu.
But we turn it on again after a timeout of 1 second
in order to monitor the error state of the connection.
And now that our tsocket_bsd_error() helper checks for POLLRDHUP,
we can check if the socket is in an error state before calling the
writable handler when TEVENT_FD_READ was reported.
Only on error we'll call the writable handler, which will pick
the error without calling writev().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15202
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit e232ba946f00aac39d67197d9939bc923814479c)
- - - - -
743a56e5 by Stefan Metzmacher at 2022-10-31T09:05:10+00:00
s4:ldap_server: let ldapsrv_call_writev_start use conn_idle_time to limit the time
If the client is not able to receive the results within connections idle
time, then we should treat it as dead. It's value is 15 minutes (900 s)
by default.
In order to limit that further an admin can use 'socket options'
and set TCP_KEEPCNT, TCP_KEEPIDLE, TCP_KEEPINTVL and/or TCP_USER_TIMEOUT
to useful values.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15202
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Wed Oct 19 17:13:39 UTC 2022 on sn-devel-184
(cherry picked from commit eb2f3526032803f34c88ef1619a832a741f71910)
- - - - -
c59f9c33 by Andreas Schneider at 2022-10-31T09:05:10+00:00
s3:librpc: Improve GSE error message
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15206
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Noel Power <noel.power at suse.com>
(cherry picked from commit e3ebda8c6ae6e0c202e2b11a65b98b4f247ae4db)
- - - - -
d26e2da3 by Andreas Schneider at 2022-10-31T09:05:10+00:00
s3:rpcclient: Pass salt down to init_samr_CryptPasswordAES()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15206
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Noel Power <noel.power at suse.com>
(cherry picked from commit 16335412ff312ecb330f7890bd3e94117a5fa6ff)
- - - - -
c57b3d37 by Andreas Schneider at 2022-10-31T09:05:10+00:00
s4:libnet: If we successfully changed the password we are done
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15206
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Noel Power <noel.power at suse.com>
(cherry picked from commit 30ca92a8164e1c3a76cdb798ee997d27621a5abb)
- - - - -
e84108f3 by Noel Power at 2022-10-31T09:05:10+00:00
s4/rpc_server/sambr: don't mutate the return of samdb_set_password_aes
prior to this commit return of samdb_set_password_aes was set to
NT_STATUS_WRONG_PASSWORD on failure. Useful status that should be
returned such as NT_STATUS_PASSWORD_RESTRICTION are swallowed here
otherwise (and in this case can be partially responsible for failures
in test samba.tests.auth_log_pass_change (with later gnutls)
Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 416bf5a41827a4e486215bfc8e47abc570c6e899)
- - - - -
057f60cc by Noel Power at 2022-10-31T10:08:34+00:00
python/samba/tests: fix samba.tests.auth_log_pass_change for later gnutls
later gnutls that support GNUTLS_PBKDF2 currently fail,
we need to conditionally switch test data to reflect use of
'samr_ChangePasswordUser3' or 'samr_ChangePasswordUser4'
depending on whether GNUTLS_PBKDF2 is supported or not
Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit ce7c418ca4f8f82e61a9a02a6589ab1c4df51d63)
Autobuild-User(v4-17-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-17-test): Mon Oct 31 10:08:34 UTC 2022 on sn-devel-184
- - - - -
f4507b39 by Daniel Kobras at 2022-10-31T21:06:12+00:00
s3: smbd: Consistently map EAs to user namespace
Samba has always been mapping Windows EAs to the 'user' namespace on the
POSIX side. However, in the opposite direction, the mapping would also map
other user-readable POSIX EA namespaces to Windows EAs, only stripping the
'user' namespace prefix, and passing all other EA names verbatim.
This means any POSIX EA 'other.foo' collides with 'user.other.foo' on the
Windows side, hence the mapping of non-user namespaces is unreliable.
Also, copy operations via Windows would rename an existing POSIX EA
'other.foo' in the source file to 'user.other.foo' in the destination. The
'user' namespace, however, may not be enabled on the underlying filesystem,
leading to subtle failure modes like the ones reported in eg.
<https://bugzilla.samba.org/show_bug.cgi?id=15186>
Fix the issues by restricting the mapping to the 'user' POSIX EA namespace
consistently for either direction.
Link: https://lists.samba.org/archive/samba-technical/2022-September/137634.html
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15186
Signed-off-by: Daniel Kobras <kobras at puzzle-itc.de>
Reviewed-by: Michael Weiser <michael.weiser at atos.net>
Tested-by: Michael Weiser <michael.weiser at atos.net>
Reviewed-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
(cherry picked from commit 34c6db64c2ff62673f8df218487cda4139c10843)
- - - - -
5c32c822 by Daniel Kobras at 2022-10-31T22:03:46+00:00
docs-xml: ea support option restricted to user ns
Update documentation to match current behavior.
Signed-off-by: Daniel Kobras <kobras at puzzle-itc.de>
Reviewed-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15186
Autobuild-User(master): Volker Lendecke <vl at samba.org>
Autobuild-Date(master): Fri Oct 28 07:24:18 UTC 2022 on sn-devel-184
(cherry picked from commit 69273c3a836ede97c7fde74e2f1fdc84e92ec86f)
Autobuild-User(v4-17-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-17-test): Mon Oct 31 22:03:46 UTC 2022 on sn-devel-184
- - - - -
159054c3 by Joseph Sutton at 2022-11-08T08:21:19+00:00
third_party/heimdal: Introduce macro for common plugin structure elements
Heimdal's HDB plugin interface, and hence Samba's KDC that depends upon
it, doesn't work on 32-bit builds due to structure fields being arranged
in the wrong order. This problem presents itself in the form of
segmentation faults on 32-bit systems, but goes unnoticed on 64-bit
builds thanks to extra structure padding absorbing the errant fields.
This commit reorders the HDB plugin structure fields to prevent crashes
and introduces a common macro to ensure every plugin presents a
consistent interface.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15110
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 074e92849715ed3485703cfbba3771d405e4e78a)
- - - - -
b1cf93f7 by Volker Lendecke at 2022-11-08T08:21:19+00:00
heimdal: Fix the 32-bit build on FreeBSD
REF: https://github.com/heimdal/heimdal/pull/1004
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15220
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit ab4c7bda8daccdb99adaf6ec7fddf8b5f84be09a)
- - - - -
2803e76f by Volker Lendecke at 2022-11-08T09:23:52+00:00
smbd: Fix Bug 15221
In 4.17 process_symlink_open() will replace smb_fname_rel->base_name with the
link target relative to the share root. So if the link target ends up in a
subdirectory of a share, we put a target including a slash into the memcache.
Later access will trust the stat cache, passing the target directly to
openat_pathref_fsp() which will panic if it gets a real dirfsp and a relname
with a slash.
Name mangling is not required: Accessing a symlink pointing at a subdirectory
at least 2 levels deep in the share with a wrong upper/lower case combination
reproduces it.
This patch is really a workaround. The "real" fix would be to backport the
patches removing process_symlink_open() from master, but this is a bigger
change.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15221
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(v4-17-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-17-test): Tue Nov 8 09:23:52 UTC 2022 on sn-devel-184
- - - - -
120f7790 by Jule Anger at 2022-11-15T17:13:45+01:00
Merge tag 'samba-4.17.3' into v4-17-test
samba: tag release samba-4.17.3
Signed-off-by: Jule Anger <janger at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
- - - - -
3e1f07b1 by Jule Anger at 2022-11-15T17:14:48+01:00
VERSION: Bump version up to Samba 4.17.4...
and re-enable GIT_SNAPSHOT.
Signed-off-by: Jule Anger <janger at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
- - - - -
e3207e6c by Stefan Metzmacher at 2022-11-23T12:44:16+00:00
lib/replace: fix memory leak in snprintf replacements
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15230
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
Autobuild-User(master): Volker Lendecke <vl at samba.org>
Autobuild-Date(master): Wed Nov 9 11:18:02 UTC 2022 on sn-devel-184
(cherry picked from commit 76adda9d2fea9f93f4cf97536db5c0be6deeb98c)
- - - - -
560805be by Andreas Schneider at 2022-11-23T12:44:16+00:00
s3:tests: Add substitution test for include directive
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15243
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
(backported from commit ce3d27a9f5a98b4680af5fb5a595b0e7e94f8c30)
- - - - -
969df454 by Andreas Schneider at 2022-11-23T12:44:16+00:00
s3:tests: Add substitution test for listing shares
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15243
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
(cherry picked from commit c213ead8c4c1b5287294a67e65f271fbb0b922b2)
- - - - -
2c1b9574 by Andreas Schneider at 2022-11-23T12:44:16+00:00
s3:rpc_server: Fix include directive substitution when enumerating shares
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15243
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
(cherry picked from commit f03665bb7e8ea97699062630f2aa1bac4c5dfc7f)
- - - - -
2ce1a1ec by Anoop C S at 2022-11-23T12:44:16+00:00
vfs_glusterfs: Simplify SMB_VFS_GET_REAL_FILENAME_AT implementation
It was unnecessary to construct full directory path as "dir/." which is
same as "dir". We could just directly use dirfsp->fsp_name->base_name
for glfs_getxattr() and return the result.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15198
Signed-off-by: Anoop C S <anoopcs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 8cbd9e63724d80c06565d0c90bd107166dfd9bbe)
- - - - -
d904e80e by Anoop C S at 2022-11-23T12:44:16+00:00
vfs_glusterfs: Do not use glfs_fgetxattr() for SMB_VFS_GET_REAL_FILENAME_AT
glfs_fgetxattr() or generally fgetxattr() will return EBADF as dirfsp
here is a pathref fsp. GlusterFS client log had following entries
indicating the error:
W [MSGID: 114031] [client-rpc-fops_v2.c:993:client4_0_fgetxattr_cbk] \
0-vol-client-0: remote operation failed. [{errno=9}, {error=Bad file descriptor}]
Therefore use glfs_getxattr() only for implementing get_real_filename_at
logic.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15198
Signed-off-by: Anoop C S <anoopcs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 6a6bd1a0530424def64d2d462b54e4c1f4f9bebb)
- - - - -
9f307955 by Anoop C S at 2022-11-23T12:44:16+00:00
vfs_glusterfs: Add path based fallback mechanism for SMB_VFS_FGETXATTR
Fallback mechanism was missing in vfs_gluster_fgetxattr() for path based
call. Therefore adding a similar mechanism as seen with other calls like
vfs_gluster_fsetxattr, vfs_gluster_flistxattr etc.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15198
Signed-off-by: Anoop C S <anoopcs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 7af4bfe8285714c137b6347b17305c9cd0702bdd)
- - - - -
4a3dcb32 by Anoop C S at 2022-11-23T12:44:16+00:00
vfs_glusterfs: Simplify SMB_VFS_FDOPENDIR implementation
It was unnecessary to construct full directory path as "dir/." which is
same as "dir". We could just directly use fsp->fsp_name->base_name and
return directory stream obtained from glfs_opendir().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15198
Signed-off-by: Anoop C S <anoopcs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Wed Oct 12 12:48:50 UTC 2022 on sn-devel-184
(cherry picked from commit cc397175cb9a1b06f268ecf6b3d62f621947cbba)
- - - - -
9dbbce3f by Anoop C S at 2022-11-23T12:44:16+00:00
vfs_glusterfs: Add path based fallback mechanism for SMB_VFS_FNTIMES
Fallback mechanism was missing in vfs_gluster_fntimes() for path based
call. Therefore adding a similar mechanism as seen with other calls like
vfs_gluster_fsetxattr, vfs_gluster_fgetxattr etc.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15198
Signed-off-by: Anoop C S <anoopcs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 5d91ecf01dce95400da5d6ac181144df1e32ca35)
- - - - -
d7e34c8b by Jeremy Allison at 2022-11-23T12:44:16+00:00
nsswitch: Fix pam_set_data()/pam_get_data() to use pointers to a time_t, not try and embedd it directly.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15224
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
Autobuild-User(master): Noel Power <npower at samba.org>
Autobuild-Date(master): Wed Nov 16 15:09:45 UTC 2022 on sn-devel-184
(cherry picked from commit 7cb50405515298b75dcc512633fb3877045aabc6)
- - - - -
50fd29d8 by Noel Power at 2022-11-23T13:56:46+00:00
nsswitch: Fix uninitialized memory when allocating pwdlastset_prelim
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15224
Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Wed Nov 16 19:29:21 UTC 2022 on sn-devel-184
(cherry picked from commit f6284877ce07fc5ddf4f4e2d824013b645d6e12c)
Autobuild-User(v4-17-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-17-test): Wed Nov 23 13:56:47 UTC 2022 on sn-devel-184
- - - - -
c37b4d79 by Stefan Metzmacher at 2022-11-23T16:22:55+00:00
CVE-2022-42898: HEIMDAL: lib/krb5: fix _krb5_get_int64 on systems where 'unsigned long' is just 32-bit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15203
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(v4-17-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-17-test): Wed Nov 23 16:22:55 UTC 2022 on sn-devel-184
- - - - -
a019803d by Ralph Boehme at 2022-12-05T09:26:17+00:00
torture: add a test trying to set FILE_ATTRIBUTE_TEMPORARY on a directory
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15252
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit fdb19ce8aa189f6cfbd2d1fd7ed6fe809ba93cf3)
- - - - -
404ca2b6 by Ralph Boehme at 2022-12-05T10:23:58+00:00
smbd: reject FILE_ATTRIBUTE_TEMPORARY on directories
Cf MS-FSA 2.1.5.14.2
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15252
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Mon Nov 28 10:14:12 UTC 2022 on sn-devel-184
(cherry picked from commit 535a08dfc4c045d7b0c0ed335f76b5d560dd7bbd)
Autobuild-User(v4-17-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-17-test): Mon Dec 5 10:23:58 UTC 2022 on sn-devel-184
- - - - -
c258b48d by Andreas Schneider at 2022-12-06T12:39:53+00:00
s3:utils: Fix stack smashing in net offlinejoin
Cast from 'uint32_t *' (aka 'unsigned int *') to 'size_t *' (aka
'unsigned long *') increases required alignment from 4 to 8
==10343==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdc6784fc0 at pc 0x7f339f1ea500 bp 0x7ffdc6784ed0 sp 0x7ffdc6784ec8
WRITE of size 8 at 0x7ffdc6784fc0 thread T0
#0 0x7f339f1ea4ff in fd_load ../../lib/util/util_file.c:220
#1 0x7f339f1ea5a4 in file_load ../../lib/util/util_file.c:245
#2 0x56363209a596 in net_offlinejoin_requestodj ../../source3/utils/net_offlinejoin.c:267
#3 0x56363209a9d0 in net_offlinejoin ../../source3/utils/net_offlinejoin.c:74
#4 0x56363208f61c in net_run_function ../../source3/utils/net_util.c:453
#5 0x563631fe8a9f in main ../../source3/utils/net.c:1358
#6 0x7f339b22c5af in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#7 0x7f339b22c678 in __libc_start_main_impl ../csu/libc-start.c:381
#8 0x563631faf374 in _start ../sysdeps/x86_64/start.S:115
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15257
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
(cherry picked from commit ef8c8ac54cdf75ca4333223c1f3e580e31efca92)
Autobuild-User(v4-17-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-17-test): Tue Dec 6 12:39:53 UTC 2022 on sn-devel-184
- - - - -
7b90f5c8 by Andrew Bartlett at 2022-12-06T15:06:10+00:00
CVE-2022-44640 selftest: Exclude Heimdal fuzz-inputs from source_chars test
A new file will shorlty fail as it is binary input
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14929
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 5a02915913a2410904886e186ada90a36492571f)
- - - - -
7bb1180c by Nicolas Williams at 2022-12-06T16:03:55+00:00
CVE-2022-44640 HEIMDAL: asn1: invalid free in ASN.1 codec
Heimdal's ASN.1 compiler generates code that allows specially
crafted DER encodings of CHOICEs to invoke the wrong free function
on the decoded structure upon decode error. This is known to impact
the Heimdal KDC, leading to an invalid free() of an address partly
or wholly under the control of the attacker, in turn leading to a
potential remote code execution (RCE) vulnerability.
This error affects the DER codec for all CHOICE types used in
Heimdal, though not all cases will be exploitable. We have not
completed a thorough analysis of all the Heimdal components
affected, thus the Kerberos client, the X.509 library, and other
parts, may be affected as well.
This bug has been in Heimdal since 2005. It was first reported by
Douglas Bagnall, though it had been found independently by the
Heimdal maintainers via fuzzing a few weeks earlier.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14929
(cherry-picked from Heimdal commit 9c9dac2b169255bad9071eea99fa90b980dde767)
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Tue Dec 6 13:41:05 UTC 2022 on sn-devel-184
(cherry picked from commit 68fc909a7f4d69c254d34bec85cf8431bcb6e72f)
Autobuild-User(v4-17-test): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(v4-17-test): Tue Dec 6 16:03:55 UTC 2022 on sn-devel-184
- - - - -
9986fd39 by Michael Tokarev at 2022-12-08T14:28:16+03:00
d/autodeps.py, d/library-equivalents: remove
- - - - -
8578a24c by Stefan Metzmacher at 2022-12-12T13:39:00+00:00
CVE-2021-20251: s4:auth: fix use after free in authsam_logon_success_accounting()
This fixes a use after free problem introduced by
commit 7b8e32efc336fb728e0c7e3dd6fbe2ed54122124,
which has msg = current; which means the lifetime
of the 'msg' memory is no longer in the scope of th
caller.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15253
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 1414269dccfd7cb831889cc92df35920b034457c)
Autobuild-User(v4-17-test): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(v4-17-test): Mon Dec 12 13:39:00 UTC 2022 on sn-devel-184
- - - - -
fd50943b by Andrew Bartlett at 2022-12-14T11:39:16+00:00
selftest: make filter-subunit much more efficient for large knownfail lists
By compiling the knownfail lists ahead of time we change a 20min test
into a 90sec test.
This could be improved further by combining this into a single regular expression,
but this is enough for now. The 'reason' is thankfully not used.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15258
Pair-programmed-with: Joseph Sutton <josephsutton at catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 22128c718cadd34af892df102bd52df6a6b03303)
- - - - -
121c471b by Ralph Boehme at 2022-12-14T11:39:16+00:00
CVE-2022-38023 docs-xml: improve wording for several options: "takes precedence" -> "overrides"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 8ec62694a94c346e6ba8f3144a417c9984a1c8b9)
- - - - -
810b57b1 by Ralph Boehme at 2022-12-14T11:39:16+00:00
CVE-2022-38023 docs-xml: improve wording for several options: "yields precedence" -> "is over-riden"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 830e865ba5648f6520bc552ffd71b61f754b8251)
- - - - -
d39c3729 by Stefan Metzmacher at 2022-12-14T11:39:16+00:00
CVE-2022-38023 libcli/auth: pass lp_ctx to netlogon_creds_cli_set_global_db()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 992f39a2c8a58301ceeb965f401e29cd64c5a209)
- - - - -
285ecad0 by Stefan Metzmacher at 2022-12-14T11:39:16+00:00
CVE-2022-38023 libcli/auth: add/use netlogon_creds_cli_warn_options()
This warns the admin about insecure options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 7e7adf86e59e8a673fbe87de46cef0d62221e800)
- - - - -
6c7aa761 by Stefan Metzmacher at 2022-12-14T11:39:16+00:00
CVE-2022-38023 s3:net: add and use net_warn_member_options() helper
This makes sure domain member related 'net' commands print warnings
about unsecure smb.conf options.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 1fdf1d55a5dd550bdb16d037b5dc995c33c1a67a)
- - - - -
ff5f2c81 by Stefan Metzmacher at 2022-12-14T11:39:16+00:00
CVE-2022-38023 s3:winbindd: also allow per domain "winbind sealed pipes:DOMAIN" and "require strong key:DOMAIN"
This avoids advising insecure defaults for the global options.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit d60828f6391307a59abaa02b72b6a8acf66b2fef)
- - - - -
15253c4d by Stefan Metzmacher at 2022-12-14T11:39:16+00:00
CVE-2022-38023 docs-xml/smbdotconf: change 'reject md5 servers' default to yes
AES is supported by Windows >= 2008R2 and Samba >= 4.0 so there's no
reason to allow md5 servers by default.
Note the change in netlogon_creds_cli_context_global() is only cosmetic,
but avoids confusion while reading the code. Check with:
git show -U35 libcli/auth/netlogon_creds_cli.c
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 1c6c1129905d0c7a60018e7bf0f17a0fd198a584)
- - - - -
b04f9cd9 by Stefan Metzmacher at 2022-12-14T11:39:16+00:00
CVE-2022-38023 s4:rpc_server/netlogon: 'server schannel != yes' warning to dcesrv_interface_netlogon_bind
This will simplify the following changes.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit e060ea5b3edbe3cba492062c9605f88fae212ee0)
- - - - -
93566433 by Stefan Metzmacher at 2022-12-14T11:39:16+00:00
CVE-2022-38023 s4:rpc_server/netlogon: add a lp_ctx variable to dcesrv_netr_creds_server_step_check()
This will simplify the following changes.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 7baabbe9819cd5a2714e7ea4e57a0c23062c0150)
- - - - -
911874a9 by Stefan Metzmacher at 2022-12-14T11:39:16+00:00
CVE-2022-38023 s4:rpc_server/netlogon: add talloc_stackframe() to dcesrv_netr_creds_server_step_check()
This will simplify the following changes.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 0e6a2ba83ef1be3c6a0f5514c21395121621a145)
- - - - -
a31898e1 by Stefan Metzmacher at 2022-12-14T11:39:16+00:00
CVE-2022-38023 s4:rpc_server/netlogon: re-order checking in dcesrv_netr_creds_server_step_check()
This will simplify the following changes.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit ec62151a2fb49ecbeaa3bf924f49a956832b735e)
- - - - -
4d143e92 by Stefan Metzmacher at 2022-12-14T11:39:16+00:00
CVE-2022-38023 s4:rpc_server/netlogon: improve CVE-2020-1472(ZeroLogon) debug messages
In order to avoid generating useless debug messages during make test,
we will use 'CVE_2020_1472:warn_about_unused_debug_level = 3'
and 'CVE_2020_1472:error_debug_level = 2' in order to avoid schannel warnings.
Review with: git show -w
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 16ee03efc194d9c1c2c746f63236b977a419918d)
- - - - -
a656f2a3 by Stefan Metzmacher at 2022-12-14T11:39:16+00:00
CVE-2022-38023 selftest:Samba4: avoid global 'server schannel = auto'
Instead of using the generic deprecated option use the specific
server require schannel:COMPUTERACCOUNT = no in order to allow
legacy tests for pass.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 63c96ea6c02981795e67336401143f2a8836992c)
- - - - -
84d53540 by Stefan Metzmacher at 2022-12-14T11:39:16+00:00
CVE-2022-38023 s4:torture: use NETLOGON_NEG_SUPPORTS_AES by default
For generic tests we should use the best available features.
And AES will be required by default soon.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit cfd55a22cda113fbb2bfa373b54091dde1ea6e66)
- - - - -
07518e76 by Stefan Metzmacher at 2022-12-14T11:39:16+00:00
CVE-2022-38023 s4:rpc_server/netlogon: split out dcesrv_netr_ServerAuthenticate3_check_downgrade()
We'll soon make it possible to use 'reject md5 servers:CLIENTACCOUNT$ = no',
which means we'll need the downgrade detection in more places.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit b6339fd1dcbe903e73efeea074ab0bd04ef83561)
- - - - -
eb1f1c37 by Stefan Metzmacher at 2022-12-14T11:39:16+00:00
CVE-2022-38023 s4:rpc_server/netlogon: require aes if weak crypto is disabled
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 4c7f84798acd1e3218209d66d1a92e9f42954d51)
- - - - -
f6976639 by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-38023 docs-xml/smbdotconf: change 'reject md5 clients' default to yes
AES is supported by Windows Server >= 2008R2, Windows (Client) >= 7 and Samba >= 4.0,
so there's no reason to allow md5 clients by default.
However some third party domain members may need it.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit c8e53394b98b128ed460a6111faf05dfbad980d1)
- - - - -
c9193510 by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-38023 s4:rpc_server/netlogon: defer downgrade check until we found the account in our SAM
We'll soon make it possible to use 'reject md5 servers:CLIENTACCOUNT$ = no',
which means we'll need use the account name from our SAM.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit b09f51eefc311bbb1525efd1dc7b9a837f7ec3c2)
- - - - -
277bd2c6 by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-38023 s4:rpc_server/netlogon: add 'server reject md5 schannel:COMPUTERACCOUNT = no' and 'allow nt4 crypto:COMPUTERACCOUNT = yes'
This makes it more flexible when we change the global default to
'reject md5 servers = yes'.
'allow nt4 crypto = no' is already the default.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 69b36541606d7064de9648cd54b35adfdf8f0e8f)
- - - - -
2cb10f96 by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-38023 docs-xml/smbdotconf: document "allow nt4 crypto:COMPUTERACCOUNT = no"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit bd429d025981b445bf63935063e8e302bfab3f9b)
- - - - -
1d2e938a by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-38023 docs-xml/smbdotconf: document "server reject md5 schannel:COMPUTERACCOUNT"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 2ad302b42254e3c2800aaf11669fe2e6d55fa8a1)
- - - - -
f0cdff38 by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-38023 s4:rpc_server/netlogon: debug 'reject md5 servers' and 'allow nt4 crypto' misconfigurations
This allows the admin to notice what's wrong in order to adjust the
configuration if required.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 43df4be35950f491864ae8ada05d51b42a556381)
- - - - -
ff1c42ee by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-38023 selftest:Samba4: avoid global 'allow nt4 crypto = yes' and 'reject md5 clients = no'
Instead of using the generic deprecated option use the specific
allow nt4 crypto:COMPUTERACCOUNT = yes and
server reject md5 schannel:COMPUTERACCOUNT = no
in order to allow legacy tests for pass.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 7ae3735810c2db32fa50f309f8af3c76ffa29768)
- - - - -
cf649bf2 by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-38023 s4:rpc_server/netlogon: split out dcesrv_netr_check_schannel() function
This will allow us to reuse the function in other places.
As it will also get some additional checks soon.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit f43dc4f0bd60d4e127b714565147f82435aa4f07)
- - - - -
de639278 by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-38023 s4:rpc_server/netlogon: make sure all dcesrv_netr_LogonSamLogon*() calls go through dcesrv_netr_check_schannel()
We'll soon add some additional contraints in dcesrv_netr_check_schannel(),
which are also required for dcesrv_netr_LogonSamLogonEx().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 689507457f5e6666488732f91a355a2183fb1662)
- - - - -
65d8624c by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-38023 docs-xml/smbdotconf: add "server schannel require seal[:COMPUTERACCOUNT]" options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 7732a4b0bde1d9f98a0371f17d22648495329470)
- - - - -
8f7d77ec by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-38023 s4:rpc_server/netlogon: add a per connection cache to dcesrv_netr_check_schannel()
It's enough to warn the admin once per connection.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 3c57608e1109c1d6e8bb8fbad2ef0b5d79d00e1a)
- - - - -
e5e03583 by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-38023 s4:rpc_server/netlogon: implement "server schannel require seal[:COMPUTERACCOUNT]"
By default we'll now require schannel connections with
privacy/sealing/encryption.
But we allow exceptions for specific computer/trust accounts.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit b3ed90a0541a271a7c6d4bee1201fa47adc3c0c1)
- - - - -
0d4f8c70 by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-38023 testparm: warn about server/client schannel != yes
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit f964c0c357214637f80d0089723b9b11d1b38f7e)
- - - - -
f4d487bd by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-38023 testparm: warn about unsecure schannel related options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 4d540473c3d43d048a30dd63efaeae9ff87b2aeb)
- - - - -
523f9aa7 by Andreas Schneider at 2022-12-14T11:39:17+00:00
CVE-2022-37966 s3:param: Fix old-style function definition
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 80dc3bc2b80634ab7c6c71fa1f9b94f0216322b2)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
- - - - -
9166254b by Andreas Schneider at 2022-12-14T11:39:17+00:00
CVE-2022-37966 s3:client: Fix old-style function definition
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 81f4335dfb847c041bfd3d6110fc8f1d5741d41f)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
- - - - -
c5eda69a by Andreas Schneider at 2022-12-14T11:39:17+00:00
CVE-2022-37966 s3:utils: Fix old-style function definition
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit b787692b5e915031d4653bf375995320ed1aca07)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
- - - - -
fea5bde5 by Joseph Sutton at 2022-12-14T11:39:17+00:00
CVE-2022-37966 tests/krb5: Add test requesting a TGT expiring post-2038
This demonstrates the behaviour of Windows 11 22H2 over Kerberos,
which changed to use a year 9999 date for a forever timetime in
tickets.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15197
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Thu Oct 20 05:00:23 UTC 2022 on sn-devel-184
(cherry picked from commit 50cbdecf2e276e5f87b9c2d95fd3ca86d11a08e2)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
- - - - -
d08d54c9 by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-37966 docs-xml/smbdotconf: "kerberos encryption types = legacy" should not be used
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit a4f6f51cbed53775cdfedc7eec2f28c7beb875cc)
- - - - -
9fa6585a by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-37966 testparm: warn about 'kerberos encryption types = legacy'
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit c0c25cc0217b082c12330a8c47869c8428a20d0c)
- - - - -
362de019 by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-37966 libcli/auth: let netlogon_creds_cli_warn_options() about "kerberos encryption types=legacy"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 0248907e34945153ff2be62dc11d75c956a05932)
- - - - -
91dcb8d0 by Andrew Bartlett at 2022-12-14T11:39:17+00:00
CVE-2022-37966 selftest: Allow krb5 tests to run against an IP by using the target_hostname binding string
This makes it easier to test against a server that is not accessible via DNS.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit c7cd6889177e8c705bb637172a60a5cf26734a3f)
- - - - -
4870b9c8 by Joseph Sutton at 2022-12-14T11:39:17+00:00
CVE-2022-37966 tests/krb5: Split out _tgs_req() into base class
We will use it for testing our handling of encryption types.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(similar to commit 50e075d2db21e9f23d686684ea3df9454b6b560e)
[jsutton at samba.org Adapted to 4.17 version of function]
- - - - -
649854b0 by Joseph Sutton at 2022-12-14T11:39:17+00:00
CVE-2022-37966 tests/krb5: Add 'etypes' parameter to _tgs_req()
This lets us select the encryption types we claim to support in the
request body.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(similar to commit e0a91dddc4a6c70d7425c2c6836dcf2dd6d9a2de)
[jsutton at samba.org Adapted to 4.17 version of function taking different
parameters]
- - - - -
15835e21 by Joseph Sutton at 2022-12-14T11:39:17+00:00
CVE-2022-37966 tests/krb5: Add a test requesting tickets with various encryption types
The KDC should leave the choice of ticket encryption type up to the
target service, and admit no influence from the client.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(similar to commit 177334c04230d0ad74bfc2b6825ffbebd5afb9af)
[jsutton at samba.org Fixed conflicts in usage.py, knownfails, tests.py]
- - - - -
6ff9fc58 by Andrew Bartlett at 2022-12-14T11:39:17+00:00
CVE-2022-37966 HEIMDAL: Look up the server keys to combine with clients etype list to select a session key
We need to select server, not client, to compare client etypes against.
(It is not useful to compare the client-supplied encryption types with
the client's own long-term keys.)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(similar to commit 538315a2aa6d03b7639b49eb1576efa8755fefec)
[jsutton at samba.org Fixed knownfail conflicts]
- - - - -
25918f9c by Joseph Sutton at 2022-12-14T11:39:17+00:00
CVE-2022-37967 Add new PAC checksum
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15231
Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(similar to commit a50a2be622afaa7a280312ea12f5eb9c9a0c41da)
[jsutton at samba.org Fixed conflicts in krb5pac.idl and raw_testcase.py]
- - - - -
3d276a19 by Joseph Sutton at 2022-12-14T11:39:17+00:00
CVE-2022-37966 param: Add support for new option "kdc default domain supportedenctypes"
This matches the Windows registry key
HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\KDC\DefaultDomainSupportedEncTypes
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit d861d4eb28bd4c091955c11669edcf867b093a6f)
- - - - -
ac8a4665 by Andrew Bartlett at 2022-12-14T11:39:17+00:00
CVE-2022-37966 param: Add support for new option "kdc force enable rc4 weak session keys"
Pair-Programmed-With: Joseph Sutton <josephsutton at catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit ee18bc29b8ef6a3f09070507cc585467e55a1628)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
- - - - -
350a2e5f by Joseph Sutton at 2022-12-14T11:39:17+00:00
CVE-2022-37966 third_party/heimdal: Fix error message typo
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit d6b3d68efc296190a133b4e38137bdfde39257f4)
- - - - -
42150ff9 by Joseph Sutton at 2022-12-14T11:39:17+00:00
CVE-2022-37966 samba-tool: Fix 'domain trust create' documentation
This option does the opposite of what the documentation claims.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 6b155b22e6afa52ce29cc475840c1d745b0f1f5e)
- - - - -
d8cef2fa by Joseph Sutton at 2022-12-14T11:39:17+00:00
CVE-2022-37966 samba-tool: Declare explicitly RC4 support of trust objects
As we will assume, as part of the fixes for CVE-2022-37966, that trust
objects with no msDS-SupportedEncryptionTypes attribute support AES
keys, RC4 support must now be explicitly indicated.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 086646865eef247a54897f5542495a2105563a5e)
- - - - -
123b3c05 by Joseph Sutton at 2022-12-14T11:39:17+00:00
CVE-2022-37966 tests/krb5: Test different preauth etypes with Protected Users group
Extend the RC4 Protected Users tests to use different preauth etypes.
This helps test the nuances of the new expected behaviour and allows the
tests to continue passing.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit a7a0b9ad0757d6586905d64bc645a8946fe5c10e)
- - - - -
64bfe0ef by Joseph Sutton at 2022-12-14T11:39:17+00:00
CVE-2022-37966 selftest: Add tests for Kerberos session key behaviour since ENC_HMAC_SHA1_96_AES256_SK was added
ENC_HMAC_SHA1_96_AES256_SK is a flag introduced for by Microsoft in this CVE
to indicate that additionally, AES session keys are available.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(similar to commit 371d7e63fcb966ab54915a3dedb888d48adbf0c0)
[jsutton at samba.org Removed unneeded fast_tests.py change, added
non_etype_bits in raw_testcase.py, fixed conflicts in knownfails and
tests.py]
- - - - -
3d85ff9d by Joseph Sutton at 2022-12-14T11:39:17+00:00
CVE-2022-37966 selftest: Run S4U tests against FL2003 DC
This shows that changes around RC4 encryption types do not break older
functional levels where only RC4 keys are available.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 44802c46b18caf3c7f9f2fb1b66025fc30e22ac5)
- - - - -
71e538e7 by Andrew Bartlett at 2022-12-14T11:39:17+00:00
CVE-2022-37966 kdc: Implement new Kerberos session key behaviour since ENC_HMAC_SHA1_96_AES256_SK was added
ENC_HMAC_SHA1_96_AES256_SK is a flag introduced for by Microsoft in this
CVE to indicate that additionally, AES session keys are available. We
set the etypes available for session keys depending on the encryption
types that are supported by the principal.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15219
Pair-Programmed-With: Joseph Sutton <josephsutton at catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(similar to commit 975e43fc45531fdea14b93a3b1529b3218a177e6)
[jsutton at samba.org Fixed knownfail conflicts]
- - - - -
82f3c287 by Joseph Sutton at 2022-12-14T11:39:17+00:00
CVE-2022-37966 kdc: Assume trust objects support AES by default
As part of matching the behaviour of Windows, assume that trust objects
support AES256, but not RC4, if not specified otherwise.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15219
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 4bb50c868c8ed14372cb7d27e53cdaba265fc33d)
- - - - -
5f885420 by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-37966 s4:kdc: also limit the krbtgt history to their strongest keys
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 6b46b764fc5760d3bf83bb1ea5fa398d993cf68d)
- - - - -
4ad0303e by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-37966 wafsamba: add support for CHECK_VARIABLE(mandatory=True)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 9da028c46f70db60a80d47f5dadbec194510211f)
- - - - -
425dc5a2 by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-37966 system_mitkrb5: require support for aes enctypes
This will never fail as we already require a version that supports aes,
but this makes it clearer.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit a80f8e1b826ee3f9bbb22752464a73b97c2a612d)
- - - - -
91680bf6 by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-37966 lib/krb5_wrap: remove unused ifdef HAVE_ENCTYPE_AES*
aes encryption types are always supported.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit c9b10ee32c7e91521d024477a28fb7a622e4eb04)
- - - - -
d022b9fa by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-37966 s3:libads: remove unused ifdef HAVE_ENCTYPE_AES*
aes encryption types are always supported.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 2bd27955ce1000c13b468934eed8b0fdeb66e3bf)
- - - - -
b1052934 by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-37966 s3:libnet: remove unused ifdef HAVE_ENCTYPE_AES*
aes encryption types are always supported.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 1a36c348d7a984bed8d0f3de5bf9bebd1cb3c47a)
- - - - -
e2e29876 by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-37966 s3:net_ads: remove unused ifdef HAVE_ENCTYPE_AES*
aes encryption types are always supported.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit f3fe1f2ce64ed36be5b001fb4fea92428e73e4e3)
- - - - -
c894010a by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-37966 lib/krb5_wrap: no longer reference des encryption types
We no longer have support for des encryption types in the kerberos
libraries anyway.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 16b805c8f376e0992a8bbb359d6bd8f0f96229db)
- - - - -
edccbf1a by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-37966 s3:libads: no longer reference des encryption types
We no longer have support for des encryption types in the kerberos
libraries anyway.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit a683507e560a499336c50b88abcd853d49618bf4)
- - - - -
8b9e670c by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-37966 s3:libnet: no longer reference des encryption types
We no longer have support for des encryption types in the kerberos
libraries anyway.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 40b47c194d7c41fbc6515b6029d5afafb0911232)
- - - - -
96fcd2b2 by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-37966 s3:net_ads: no longer reference des encryption types
We no longer have support for des encryption types in the kerberos
libraries anyway.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 4cedaa643bf95ef2628f1b631feda833bb2e7da1)
- - - - -
e741eac0 by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-37966 s3:net_ads: let 'net ads enctypes list' pretty print AES256-SK and RESOURCE-SID-COMPRESSION-DISABLED
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit b7260c89e0df18822fa276e681406ec4d3921caa)
- - - - -
ceda758d by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-37966 s4:pydsdb: add ENC_HMAC_SHA1_96_AES256_SK
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 621b8c3927b63776146940b183b03b3ea77fd2d7)
- - - - -
42c12b8c by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-37966 s4:kdc: use the strongest possible keys
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13135
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit d7ea197ed1a9903f601030e6466cc822f9b8f794)
- - - - -
d7efa582 by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-37966 drsuapi.idl: add trustedDomain related ATTID values
For now this is only for debugging in order to see
DRSUAPI_ATTID_msDS_SupportedEncryptionTypes in the replication meta
data.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15219
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit f1c5fa28c460f7e011049606b1b9ef96443e5e1f)
- - - - -
bf27c7ba by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-37966 s4:libnet: initialize libnet_SetPassword() arguments explicitly to zero by default.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 9e69289b099b47e0352ef67ef7e6529d11688e9a)
- - - - -
9c106afa by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-37966 s4:libnet: add support LIBNET_SET_PASSWORD_SAMR_HANDLE_18 to set nthash only
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 271cd82cd681d723572fcaeed24052dc98a83612)
- - - - -
bf633c58 by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-37966 s4:libnet: allow python bindings to force setting an nthash via SAMR level 18
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 4ebbe7e40754eeb1c8f221dd59018c3e681ab2ab)
- - - - -
6a4531ad by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-37966 python:tests/krb5: fix some tests running against Windows 2022
I'm using the following options:
SERVER=172.31.9.218 DC_SERVER=w2022-118.w2022-l7.base \
SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 \
DOMAIN=W2022-L7 REALM=W2022-L7.BASE \
ADMIN_USERNAME=Administrator ADMIN_PASSWORD=A1b2C3d4 \
CLIENT_USERNAME=Administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=28 CLIENT_KVNO=2 \
FULL_SIG_SUPPORT=1 TKT_SIG_SUPPORT=1 FORCED_RC4=1
in order to run these:
python/samba/tests/krb5/as_req_tests.py -v --failfast AsReqKerberosTests
python/samba/tests/krb5/etype_tests.py -v --failfast EtypeTests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit e0f89b7bc8025db615dccf096aab4ca87e655368)
- - - - -
0f63356c by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-37966 python:tests/krb5: allow ticket/supported_etypes to be passed KdcTgsBaseTests._{as,tgs}_req()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit d8fd6a22b67a2b3ae03a2e428cc4987f07af6e29)
- - - - -
d1b65794 by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-37966 python:tests/krb5: ignore empty supplementalCredentials attributes
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit f434a30ee7c40aac4a223fcabac9ddd160a155a5)
- - - - -
afc05bec by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-37966 python:tests/krb5: add 'force_nt4_hash' for account creation of KDCBaseTest
This will allow us to create tests accounts with only an nt4 hash
stored, without any aes keys.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 77bd3258f1db0ddf4639a83a81a1aad3ee52c87d)
- - - - -
c642bd9f by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-37966 python:tests/krb5: add better PADATA_SUPPORTED_ETYPES assert message
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit c7c576208960e336da276e251ad7a526e1b3ed45)
- - - - -
82739352 by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-37966 python:tests/krb5: test much more etype combinations
This tests work out the difference between
- msDS-SupportedEncryptionTypes value or it's default
- software defined extra flags for DC accounts
- accounts with only an nt hash being stored
- the resulting value in the KRB5_PADATA_SUPPORTED_ETYPES announcement
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13135
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 1dfa91682efd3b12d7d6af75287efb12ebd9e526)
- - - - -
2d1f56c6 by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-37966 s4:kdc: announce PA-SUPPORTED-ETYPES like windows.
We need to take the value from the msDS-SupportedEncryptionTypes
attribute and only take the default if there's no value or
if the value is 0.
For krbtgt and DC accounts we need to force support for
ARCFOUR-HMAC-MD5 and AES encryption types and add the related bits
in addtition. (Note for krbtgt msDS-SupportedEncryptionTypes is
completely ignored the hardcoded value is the default, so there's
no AES256-SK for krbtgt).
For UF_USE_DES_KEY_ONLY on the account we reset
the value to 0, these accounts are in fact disabled completely,
as they always result in KRB5KDC_ERR_ETYPE_NOSUPP.
Then we try to get all encryption keys marked in
supported_enctypes, and the available_enctypes
is a reduced set depending on what keys are
actually stored in the database.
We select the supported session key enctypes by the available
keys and in addition based on AES256-SK as well as the
"kdc force enable rc4 weak session keys" option.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13135
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit fde745ec3491a4fd7b23e053a67093a2ccaf0905)
- - - - -
91be2dbb by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-37966 param: don't explicitly initialize "kdc force enable rc4 weak session keys" to false/"no"
This is not squashed in order to allow easier backports...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 7504a4d6fee7805aac7657b9dab88c48353d6db4)
- - - - -
428aa9b0 by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-37966 param: let "kdc default domain supportedenctypes = 0" mean the default
In order to allow better upgrades we need the default value for smb.conf to the
same even if the effective default value of the software changes in future.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit fa64f8fa8d92167ed15d1109af65bbb4daab4bad)
- - - - -
17db5768 by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-37966 param: Add support for new option "kdc supported enctypes"
This allows admins to disable enctypes completely if required.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 36d0a495159f72633f1f41deec979095417a1727)
- - - - -
dd4832f1 by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-37966 s4:kdc: apply restrictions of "kdc supported enctypes"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit cca3c024fc514bee79bb60a686e470605cc98d6f)
- - - - -
701c9885 by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-37966 samba-tool: add 'domain trust modify' command
For now it only allows the admin to modify
the msDS-SupportedEncryptionTypes values.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
(cherry picked from commit d1999c152acdf939b4cd7eb446dd9921d3edae29)
- - - - -
5048d63c by Stefan Metzmacher at 2022-12-14T12:40:42+00:00
CVE-2022-37966 python:/tests/krb5: call sys.path.insert(0, "bin/python") before any other imports
This allows the tests to be executed without an explicit
PYTHONPATH="bin/python".
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Tue Dec 13 14:06:14 UTC 2022 on sn-devel-184
(similar to commit 987cba90573f955fe9c781830daec85ad4d5bf92)
Autobuild-User(v4-17-test): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(v4-17-test): Wed Dec 14 12:40:42 UTC 2022 on sn-devel-184
- - - - -
77fb5b47 by Stefan Metzmacher at 2022-12-14T13:44:17+00:00
s4:libnet: fix error string for failing samr_ChangePasswordUser4()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15206
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Björn Baumbach <bbaumbach at samba.org>
(cherry picked from commit 53d558365161be1793dad78ebcce877c732f2419)
- - - - -
1c7d60ee by Stefan Metzmacher at 2022-12-14T14:46:02+00:00
s4:libnet: correctly handle gnutls_pbkdf2() errors
We should not ignore the error nor should we map
GNUTLS_E_UNWANTED_ALGORITHM to NT_STATUS_WRONG_PASSWORD,
instead we use NT_STATUS_CRYPTO_SYSTEM_INVALID as in most other places
in the same file.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15206
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Björn Baumbach <bbaumbach at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Wed Dec 14 13:35:20 UTC 2022 on sn-devel-184
(cherry picked from commit eb5df255faea7326a7b85c1e7ce5a66119a27c3a)
Autobuild-User(v4-17-test): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(v4-17-test): Wed Dec 14 14:46:02 UTC 2022 on sn-devel-184
- - - - -
f676c903 by Jule Anger at 2022-12-15T17:05:11+01:00
WHATSNEW: Add release notes for Samba 4.17.4.
Signed-off-by: Jule Anger <janger at samba.org>
- - - - -
ab48448c by Jule Anger at 2022-12-15T17:05:36+01:00
VERSION: Disable GIT_SNAPSHOT for the 4.17.4 release.
Signed-off-by: Jule Anger <janger at samba.org>
- - - - -
3aa49021 by Michael Tokarev at 2022-12-15T19:43:32+03:00
New upstream version 4.17.4+dfsg
- - - - -
76eb8daa by Michael Tokarev at 2022-12-15T19:44:05+03:00
Update upstream source from tag 'upstream/4.17.4+dfsg'
Update to upstream version '4.17.4+dfsg'
with Debian dir 40d56574171d59db23cf49dc40129f61b65b987e
- - - - -
30a9ca7d by Michael Tokarev at 2022-12-15T19:59:10+03:00
d/changelog: start 4.17.4
- - - - -
60368564 by Michael Tokarev at 2022-12-15T20:29:52+03:00
mention other bugs fixed by 4.17.4 (from WHATSNEW.txt)
- - - - -
080e0ee6 by Michael Tokarev at 2022-12-15T20:29:52+03:00
Revert "create samba-ad-dc metapackage"
This reverts commit db20e0887fe060d93d5f5c5c33c149420f67e024.
- - - - -
b6eb15e9 by Michael Tokarev at 2022-12-15T20:29:52+03:00
Revert "samba-ad-provision.lintian-overrides: license files"
This reverts commit ed8adfa9f76d4ae855a0bbd3c565033ba4fb5560.
- - - - -
7015ee93 by Michael Tokarev at 2022-12-15T20:29:52+03:00
Revert "create samba-ad-provision package with contents of /usr/share/samba/setup"
This reverts commit d5e13a3b36de42381de8160817d9645ce9567790.
- - - - -
40eca3b9 by Michael Tokarev at 2022-12-15T20:29:52+03:00
removed nsswitch-pam-data-time_t.patch
- - - - -
32a4353b by Michael Tokarev at 2022-12-15T20:29:52+03:00
removed CVE-2022-42898-lib-krb5-fix-_krb5_get_int64-on-32bit.patch
- - - - -
30 changed files:
- VERSION
- WHATSNEW.txt
- buildtools/wafsamba/samba_autoconf.py
- ctdb/doc/ctdb-etcd.7
- ctdb/doc/ctdb-script.options.5
- ctdb/doc/ctdb-statistics.7
- ctdb/doc/ctdb-tunables.7
- ctdb/doc/ctdb.1
- ctdb/doc/ctdb.7
- ctdb/doc/ctdb.conf.5
- ctdb/doc/ctdb.sysconfig.5
- ctdb/doc/ctdb_diagnostics.1
- ctdb/doc/ctdb_mutex_ceph_rados_helper.7
- ctdb/doc/ctdbd.1
- ctdb/doc/ltdbtool.1
- ctdb/doc/onnode.1
- ctdb/doc/ping_pong.1
- − debian/autodeps.py
- debian/changelog
- debian/control
- − debian/library-equivalents
- debian/not-installed
- − debian/patches/CVE-2022-42898-lib-krb5-fix-_krb5_get_int64-on-32bit.patch
- − debian/patches/nsswitch-pam-data-time_t.patch
- debian/patches/series
- debian/rules
- − debian/samba-ad-provision.lintian-overrides
- debian/samba.install
- debian/samba.lintian-overrides
- docs-xml/manpages/samba-tool.8.xml
The diff was not included because it is too large.
View it on GitLab: https://salsa.debian.org/samba-team/samba/-/compare/47110d7e9de70d7c21427886823674765a970633...32a4353b500b47ca288427a0a79b8ff7c3926551
--
View it on GitLab: https://salsa.debian.org/samba-team/samba/-/compare/47110d7e9de70d7c21427886823674765a970633...32a4353b500b47ca288427a0a79b8ff7c3926551
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-samba-maint/attachments/20221215/60c8990e/attachment-0001.htm>
More information about the Pkg-samba-maint
mailing list