Andreas Schneider [Mon, 12 Sep 2022 14:31:05 +0000 (16:31 +0200)]
s3:auth: Flush the GETPWSID in memory cache for NTLM auth
Example valgrind output:
==22502== 22,747,002 bytes in 21,049 blocks are possibly lost in loss record 1,075 of 1,075
==22502== at 0x4C29F73: malloc (vg_replace_malloc.c:309)
==22502== by 0x11D7089C: _talloc_pooled_object (in /usr/lib64/libtalloc.so.2.1.16)
==22502== by 0x9027834: tcopy_passwd (in /usr/lib64/libsmbconf.so.0)
==22502== by 0x6A1E1A3: pdb_copy_sam_account (in /usr/lib64/libsamba-passdb.so.0.27.2)
==22502== by 0x6A28AB7: pdb_getsampwnam (in /usr/lib64/libsamba-passdb.so.0.27.2)
==22502== by 0x65D0BC4: check_sam_security (in /usr/lib64/samba/libauth-samba4.so)
==22502== by 0x65C70F0: ??? (in /usr/lib64/samba/libauth-samba4.so)
==22502== by 0x65C781A: auth_check_ntlm_password (in /usr/lib64/samba/libauth-samba4.so)
==22502== by 0x14E464: ??? (in /usr/sbin/winbindd)
==22502== by 0x151CED: winbind_dual_SamLogon (in /usr/sbin/winbindd)
==22502== by 0x152072: winbindd_dual_pam_auth_crap (in /usr/sbin/winbindd)
==22502== by 0x167DE0: ??? (in /usr/sbin/winbindd)
==22502== by 0x12F29B12: tevent_common_invoke_fd_handler (in /usr/lib64/libtevent.so.0.9.39)
==22502== by 0x12F30086: ??? (in /usr/lib64/libtevent.so.0.9.39)
==22502== by 0x12F2E056: ??? (in /usr/lib64/libtevent.so.0.9.39)
==22502== by 0x12F2925C: _tevent_loop_once (in /usr/lib64/libtevent.so.0.9.39)
==22502== by 0x16A243: ??? (in /usr/sbin/winbindd)
==22502== by 0x16AA04: ??? (in /usr/sbin/winbindd)
==22502== by 0x12F29F68: tevent_common_invoke_immediate_handler (in /usr/lib64/libtevent.so.0.9.39)
==22502== by 0x12F29F8F: tevent_common_loop_immediate (in /usr/lib64/libtevent.so.0.9.39)
==22502== by 0x12F2FE3C: ??? (in /usr/lib64/libtevent.so.0.9.39)
==22502== by 0x12F2E056: ??? (in /usr/lib64/libtevent.so.0.9.39)
==22502== by 0x12F2925C: _tevent_loop_once (in /usr/lib64/libtevent.so.0.9.39)
==22502== by 0x12F4C7: main (in /usr/sbin/winbindd)
You can find one for each string in pdb_copy_sam_account(), in total
this already has 67 MB in total for this valgrind run.
pdb_getsampwnam() -> memcache_add_talloc(NULL, PDB_GETPWSID_CACHE, ...)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15169
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Sep 16 20:30:31 UTC 2022 on sn-devel-184
(cherry picked from commit
9ef2f7345f0d387567fca598cc7008af95598903)
Stefan Metzmacher [Tue, 6 Dec 2022 12:36:17 +0000 (13:36 +0100)]
CVE-2022-38023 testparm: warn about unsecure schannel related options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
4d540473c3d43d048a30dd63efaeae9ff87b2aeb)
Stefan Metzmacher [Wed, 30 Nov 2022 14:13:47 +0000 (15:13 +0100)]
CVE-2022-38023 testparm: warn about server/client schannel != yes
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
f964c0c357214637f80d0089723b9b11d1b38f7e)
Stefan Metzmacher [Fri, 25 Nov 2022 13:05:30 +0000 (14:05 +0100)]
CVE-2022-38023 s4:rpc_server/netlogon: implement "server schannel require seal[:COMPUTERACCOUNT]"
By default we'll now require schannel connections with
privacy/sealing/encryption.
But we allow exceptions for specific computer/trust accounts.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
b3ed90a0541a271a7c6d4bee1201fa47adc3c0c1)
Stefan Metzmacher [Fri, 2 Dec 2022 13:31:26 +0000 (14:31 +0100)]
CVE-2022-38023 s4:rpc_server/netlogon: add a per connection cache to dcesrv_netr_check_schannel()
It's enough to warn the admin once per connection.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
3c57608e1109c1d6e8bb8fbad2ef0b5d79d00e1a)
Stefan Metzmacher [Fri, 25 Nov 2022 15:53:35 +0000 (16:53 +0100)]
CVE-2022-38023 docs-xml/smbdotconf: add "server schannel require seal[:COMPUTERACCOUNT]" options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
7732a4b0bde1d9f98a0371f17d22648495329470)
Stefan Metzmacher [Wed, 30 Nov 2022 16:15:36 +0000 (17:15 +0100)]
CVE-2022-38023 s4:rpc_server/netlogon: make sure all dcesrv_netr_LogonSamLogon*() calls go through dcesrv_netr_check_schannel()
We'll soon add some additional contraints in dcesrv_netr_check_schannel(),
which are also required for dcesrv_netr_LogonSamLogonEx().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
689507457f5e6666488732f91a355a2183fb1662)
Stefan Metzmacher [Wed, 30 Nov 2022 15:57:24 +0000 (16:57 +0100)]
CVE-2022-38023 s4:rpc_server/netlogon: split out dcesrv_netr_check_schannel() function
This will allow us to reuse the function in other places.
As it will also get some additional checks soon.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
f43dc4f0bd60d4e127b714565147f82435aa4f07)
Stefan Metzmacher [Wed, 30 Nov 2022 13:57:20 +0000 (14:57 +0100)]
CVE-2022-38023 selftest:Samba4: avoid global 'allow nt4 crypto = yes' and 'reject md5 clients = no'
Instead of using the generic deprecated option use the specific
allow nt4 crypto:COMPUTERACCOUNT = yes and
server reject md5 schannel:COMPUTERACCOUNT = no
in order to allow legacy tests for pass.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(backported from commit
7ae3735810c2db32fa50f309f8af3c76ffa29768)
Stefan Metzmacher [Fri, 25 Nov 2022 12:13:36 +0000 (13:13 +0100)]
CVE-2022-38023 s4:rpc_server/netlogon: debug 'reject md5 servers' and 'allow nt4 crypto' misconfigurations
This allows the admin to notice what's wrong in order to adjust the
configuration if required.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
43df4be35950f491864ae8ada05d51b42a556381)
Stefan Metzmacher [Fri, 25 Nov 2022 13:02:11 +0000 (14:02 +0100)]
CVE-2022-38023 docs-xml/smbdotconf: document "server reject md5 schannel:COMPUTERACCOUNT"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
2ad302b42254e3c2800aaf11669fe2e6d55fa8a1)
Stefan Metzmacher [Fri, 25 Nov 2022 12:31:14 +0000 (13:31 +0100)]
CVE-2022-38023 docs-xml/smbdotconf: document "allow nt4 crypto:COMPUTERACCOUNT = no"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
bd429d025981b445bf63935063e8e302bfab3f9b)
Stefan Metzmacher [Fri, 25 Nov 2022 12:13:36 +0000 (13:13 +0100)]
CVE-2022-38023 s4:rpc_server/netlogon: add 'server reject md5 schannel:COMPUTERACCOUNT = no' and 'allow nt4 crypto:COMPUTERACCOUNT = yes'
This makes it more flexible when we change the global default to
'reject md5 servers = yes'.
'allow nt4 crypto = no' is already the default.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
69b36541606d7064de9648cd54b35adfdf8f0e8f)
Stefan Metzmacher [Fri, 25 Nov 2022 09:31:08 +0000 (10:31 +0100)]
CVE-2022-38023 s4:rpc_server/netlogon: defer downgrade check until we found the account in our SAM
We'll soon make it possible to use 'reject md5 servers:CLIENTACCOUNT$ = no',
which means we'll need use the account name from our SAM.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
b09f51eefc311bbb1525efd1dc7b9a837f7ec3c2)
Stefan Metzmacher [Thu, 24 Nov 2022 17:26:18 +0000 (18:26 +0100)]
CVE-2022-38023 docs-xml/smbdotconf: change 'reject md5 clients' default to yes
AES is supported by Windows Server >= 2008R2, Windows (Client) >= 7 and Samba >= 4.0,
so there's no reason to allow md5 clients by default.
However some third party domain members may need it.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
c8e53394b98b128ed460a6111faf05dfbad980d1)
Stefan Metzmacher [Fri, 25 Nov 2022 08:54:17 +0000 (09:54 +0100)]
CVE-2022-38023 s4:rpc_server/netlogon: split out dcesrv_netr_ServerAuthenticate3_check_downgrade()
We'll soon make it possible to use 'reject md5 servers:CLIENTACCOUNT$ = no',
which means we'll need the downgrade detection in more places.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
b6339fd1dcbe903e73efeea074ab0bd04ef83561)
Stefan Metzmacher [Mon, 28 Nov 2022 14:02:13 +0000 (15:02 +0100)]
CVE-2022-38023 s4:torture: use NETLOGON_NEG_SUPPORTS_AES by default
For generic tests we should use the best available features.
And AES will be required by default soon.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
cfd55a22cda113fbb2bfa373b54091dde1ea6e66)
Stefan Metzmacher [Wed, 30 Nov 2022 11:26:01 +0000 (12:26 +0100)]
CVE-2022-38023 selftest:Samba4: avoid global 'server schannel = auto'
Instead of using the generic deprecated option use the specific
server require schannel:COMPUTERACCOUNT = no in order to allow
legacy tests for pass.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
63c96ea6c02981795e67336401143f2a8836992c)
Stefan Metzmacher [Wed, 30 Nov 2022 11:37:03 +0000 (12:37 +0100)]
CVE-2022-38023 s4:rpc_server/netlogon: improve CVE-2020-1472(ZeroLogon) debug messages
In order to avoid generating useless debug messages during make test,
we will use 'CVE_2020_1472:warn_about_unused_debug_level = 3'
and 'CVE_2020_1472:error_debug_level = 2' in order to avoid schannel warnings.
Review with: git show -w
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
16ee03efc194d9c1c2c746f63236b977a419918d)
Stefan Metzmacher [Wed, 30 Nov 2022 11:37:03 +0000 (12:37 +0100)]
CVE-2022-38023 s4:rpc_server/netlogon: re-order checking in dcesrv_netr_creds_server_step_check()
This will simplify the following changes.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
ec62151a2fb49ecbeaa3bf924f49a956832b735e)
Stefan Metzmacher [Mon, 12 Dec 2022 13:03:50 +0000 (14:03 +0100)]
CVE-2022-38023 s4:rpc_server/netlogon: add talloc_stackframe() to dcesrv_netr_creds_server_step_check()
This will simplify the following changes.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
0e6a2ba83ef1be3c6a0f5514c21395121621a145)
Stefan Metzmacher [Mon, 12 Dec 2022 13:03:50 +0000 (14:03 +0100)]
CVE-2022-38023 s4:rpc_server/netlogon: add a lp_ctx variable to dcesrv_netr_creds_server_step_check()
This will simplify the following changes.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
7baabbe9819cd5a2714e7ea4e57a0c23062c0150)
Stefan Metzmacher [Tue, 6 Dec 2022 09:56:29 +0000 (10:56 +0100)]
CVE-2022-38023 s4:rpc_server/netlogon: 'server schannel != yes' warning to dcesrv_interface_netlogon_bind
This will simplify the following changes.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
e060ea5b3edbe3cba492062c9605f88fae212ee0)
Stefan Metzmacher [Thu, 24 Nov 2022 17:22:23 +0000 (18:22 +0100)]
CVE-2022-38023 docs-xml/smbdotconf: change 'reject md5 servers' default to yes
AES is supported by Windows >= 2008R2 and Samba >= 4.0 so there's no
reason to allow md5 servers by default.
Note the change in netlogon_creds_cli_context_global() is only cosmetic,
but avoids confusion while reading the code. Check with:
git show -U35 libcli/auth/netlogon_creds_cli.c
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
1c6c1129905d0c7a60018e7bf0f17a0fd198a584)
Stefan Metzmacher [Wed, 30 Nov 2022 13:59:36 +0000 (14:59 +0100)]
CVE-2022-38023 s3:winbindd: also allow per domain "winbind sealed pipes:DOMAIN" and "require strong key:DOMAIN"
This avoids advising insecure defaults for the global options.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
d60828f6391307a59abaa02b72b6a8acf66b2fef)
Stefan Metzmacher [Wed, 30 Nov 2022 15:16:05 +0000 (16:16 +0100)]
CVE-2022-38023 s3:net: add and use net_warn_member_options() helper
This makes sure domain member related 'net' commands print warnings
about unsecure smb.conf options.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
1fdf1d55a5dd550bdb16d037b5dc995c33c1a67a)
Stefan Metzmacher [Wed, 30 Nov 2022 13:47:33 +0000 (14:47 +0100)]
CVE-2022-38023 libcli/auth: add/use netlogon_creds_cli_warn_options()
This warns the admin about insecure options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(similar to commit
7e7adf86e59e8a673fbe87de46cef0d62221e800)
[jsutton@samba.org Replaced call to tevent_cached_getpid() with one to
getpid()]
Stefan Metzmacher [Wed, 30 Nov 2022 13:46:59 +0000 (14:46 +0100)]
CVE-2022-38023 libcli/auth: pass lp_ctx to netlogon_creds_cli_set_global_db()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
992f39a2c8a58301ceeb965f401e29cd64c5a209)
Ralph Boehme [Tue, 6 Dec 2022 15:05:26 +0000 (16:05 +0100)]
CVE-2022-38023 docs-xml: improve wording for several options: "yields precedence" -> "is over-riden"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
830e865ba5648f6520bc552ffd71b61f754b8251)
Ralph Boehme [Tue, 6 Dec 2022 15:00:36 +0000 (16:00 +0100)]
CVE-2022-38023 docs-xml: improve wording for several options: "takes precedence" -> "overrides"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
8ec62694a94c346e6ba8f3144a417c9984a1c8b9)
Andreas Schneider [Tue, 23 Nov 2021 14:48:57 +0000 (15:48 +0100)]
s3:winbind: Fix possible NULL pointer dereference
BUG: https://bugzilla.redhat.com/show_bug.cgi?id=
2019888
Signed-off-by: Andreas Schneider <asn@samba.org>
Rewiewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Nov 29 19:40:50 UTC 2021 on sn-devel-184
(cherry picked from commit
cbf312f02bc86f9325fb89f6f5441bc61fd3974f)
Christof Schmitt [Fri, 5 Mar 2021 23:07:54 +0000 (16:07 -0700)]
idmap_nss: Do not return SID from unixids_to_sids on type mismatch
The call to winbind_lookup_name already wrote the result in the id_map
array. The later check for the type detected a mismatch, but that did
not remove the SID from the result struct.
Change this by first assigning the SID to a temporary variable and only
write it to the id_map array after the type checks.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14663
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Mar 11 08:38:41 UTC 2021 on sn-devel-184
(cherry picked from commit
0e789ba1802ca22e5a01abd6e93ef66cd45566a7)
(cherry picked from commit
3f366878d33cf977230137021f6376936b2a1862)
Christof Schmitt [Fri, 5 Mar 2021 23:01:13 +0000 (16:01 -0700)]
idmap_rfc2307: Do not return SID from unixids_to_sids on type mismatch
The call to winbind_lookup_name already wrote the result in the id_map
array. The later check for the type detected a mismatch, but that did
not remove the SID from the result struct.
Change this by first assigning the SID to a temporary variable and only
write it to the id_map array after the type checks.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14663
Signed-off-by: Christof Schmitt <cs@samba.org>
(cherry picked from commit
79dd4b133c37451c98fe7f7c45da881e89e91ffc)
(cherry picked from commit
af37d5abae924d095e7b35620d850cf1f19021c4)
Christof Schmitt [Fri, 5 Mar 2021 22:48:29 +0000 (15:48 -0700)]
winbind: Only use unixid2sid mapping when module reports ID_MAPPED
Only consider a mapping to be valid when the idmap module reports
ID_MAPPED. Otherwise return the null SID.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14663
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
(cherry picked from commit
db2afa57e4aa926b478db1be4d693edbdf4d2a23)
(cherry picked from commit
3aa06edf38bc4002f031476baa50712fd1a67f4d)
Ralph Boehme [Thu, 13 Jan 2022 16:03:02 +0000 (17:03 +0100)]
CVE-2021-44142: libadouble: harden parsing code
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14914
Signed-off-by: Ralph Boehme <slow@samba.org>
Ralph Boehme [Thu, 25 Nov 2021 14:04:03 +0000 (15:04 +0100)]
CVE-2021-44142: libadouble: add basic cmocka tests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14914
Signed-off-by: Ralph Boehme <slow@samba.org>
[slow@samba.org: conflict due to missing test in selftest/tests.py]
Ralph Boehme [Fri, 26 Nov 2021 06:19:32 +0000 (07:19 +0100)]
CVE-2021-44142: libadouble: harden ad_unpack_xattrs()
This ensures ad_unpack_xattrs() is only called for an ad_type of ADOUBLE_RSRC,
which is used for parsing ._ AppleDouble sidecar files, and the buffer
ad->ad_data is AD_XATTR_MAX_HDR_SIZE bytes large which is a prerequisite for all
buffer out-of-bounds access checks in ad_unpack_xattrs().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14914
Signed-off-by: Ralph Boehme <slow@samba.org>
Ralph Boehme [Sat, 20 Nov 2021 15:36:42 +0000 (16:36 +0100)]
CVE-2021-44142: smbd: add Netatalk xattr used by vfs_fruit to the list of private Samba xattrs
This is an internal xattr that should not be user visible.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14914
Signed-off-by: Ralph Boehme <slow@samba.org>
[slow@samba.org: conflict due to changed includes in source3/smbd/trans2.c]
Ralph Boehme [Thu, 13 Jan 2022 15:48:01 +0000 (16:48 +0100)]
CVE-2021-44142: libadouble: add defines for icon lengths
From https://www.ietf.org/rfc/rfc1740.txt
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14914
Signed-off-by: Ralph Boehme <slow@samba.org>
Ralph Boehme [Fri, 26 Nov 2021 09:57:17 +0000 (10:57 +0100)]
CVE-2020-25717: s3-auth: fix MIT Realm regression
This looks like a regression introduced by the recent security fixes. This
commit should hopefully fixes it.
As a quick solution it might be possible to use the username map script based on
the example in https://bugzilla.samba.org/show_bug.cgi?id=14901#c0. We're not
sure this behaves identical, but it might work in the standalone server case.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14922
Reported-at: https://lists.samba.org/archive/samba/2021-November/238720.html
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
1e61de8306604a0d3858342df8a1d2412d8d418b)
Andrew Bartlett [Fri, 12 Nov 2021 03:10:31 +0000 (16:10 +1300)]
CVE-2020-25717: s3:auth: Fallback to a SID/UID based mapping if the named based lookup fails
Before the CVE-2020-25717 fixes we had a fallback from
getpwnam('DOMAIN\user') to getpwnam('user') which was very dangerous and
unpredictable.
Now we do the fallback based on sid_to_uid() followed by
getpwuid() on the returned uid.
This obsoletes 'username map [script]' based workaround adviced
for CVE-2020-25717, when nss_winbindd is not used or
idmap_nss is actually used.
In future we may decide to prefer or only do the SID/UID based
lookup, but for now we want to keep this unchanged as much as possible.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
[metze@samba.org moved the new logic into the fallback codepath only
in order to avoid behavior changes as much as possible]
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Mon Nov 15 19:01:56 UTC 2021 on sn-devel-184
[abartlet@samba.org backported from commit
0a546be05295a7e4a552f9f4f0c74aeb2e9a0d6e
as usage.py is not present in Samba 4.10]
Joseph Sutton [Fri, 12 Nov 2021 07:53:30 +0000 (20:53 +1300)]
CVE-2020-25717: nsswitch/nsstest.c: Lower 'non existent uid' to make room for new accounts
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
fdbee5e074ebd76d659613b8b7114d70f938c38a)
Stefan Metzmacher [Fri, 12 Nov 2021 14:27:58 +0000 (15:27 +0100)]
CVE-2020-25717: idmap_nss: verify that the name of the sid belongs to the configured domain
We already check the sid belongs to the domain, but checking the name
too feels better and make it easier to understand.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
[abartlet@samba.org backorted from commit
bfd093648b4af51d104096c0cb3535e8706671e5
as header libcli/security/dom_sid.h was not present for struct dom_sid_buf]
[abartlet@samba.org fix CVE marker]
Alexander Bokovoy [Fri, 12 Nov 2021 17:06:01 +0000 (19:06 +0200)]
IPA DC: add missing checks
When introducing FreeIPA support, two places were forgotten:
- schannel gensec module needs to be aware of IPA DC
- _lsa_QueryInfoPolicy should treat IPA DC as PDC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14903
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Sat Nov 13 07:01:26 UTC 2021 on sn-devel-184
(cherry picked from commit
c69b66f649c1d47a7367f7efe25b8df32369a3a5)
Andrew Bartlett [Sun, 26 Sep 2021 22:20:19 +0000 (11:20 +1300)]
CVE-2020-25721 krb5pac: Add new buffers for samAccountName and objectSID
These appear when PAC_UPN_DNS_FLAG_HAS_SAM_NAME_AND_SID is set.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14835
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Joseph Sutton [Tue, 26 Oct 2021 07:33:49 +0000 (20:33 +1300)]
CVE-2020-25719 krb5pac.idl: Add PAC_REQUESTER_SID PAC buffer type
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 26 Oct 2021 07:33:38 +0000 (20:33 +1300)]
CVE-2020-25719 krb5pac.idl: Add PAC_ATTRIBUTES_INFO PAC buffer type
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 29 Sep 2021 03:15:26 +0000 (16:15 +1300)]
krb5pac.idl: Add missing buffer type values
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Backported-by: Andreas Schneider <asn@samba.org>
Joseph Sutton [Wed, 1 Sep 2021 03:40:59 +0000 (15:40 +1200)]
security.idl: Add well-known SIDs for FAST
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit
0092b4a3ed58b2c256d4dd9117cce927a3edde12)
Joseph Sutton [Wed, 1 Sep 2021 03:39:19 +0000 (15:39 +1200)]
krb5pac.idl: Add ticket checksum PAC buffer type
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit
ff2f38fae79220e16765e17671972f9a55eb7cce)
Stefan Metzmacher [Fri, 8 Oct 2021 16:03:04 +0000 (18:03 +0200)]
CVE-2020-25717: s3:auth: simplify make_session_info_krb5() by removing unused arguments
This is only ever be called in standalone mode with an MIT realm,
so we don't have a PAC/info3 structure.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Fri, 8 Oct 2021 15:59:59 +0000 (17:59 +0200)]
CVE-2020-25717: s3:auth: simplify get_user_from_kerberos_info() by removing the unused logon_info argument
This code is only every called in standalone mode on a MIT realm,
it means we never have a PAC and we also don't have winbindd arround.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Tue, 5 Oct 2021 16:12:49 +0000 (18:12 +0200)]
CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() reject a PAC in standalone mode
We should be strict in standalone mode, that we only support MIT realms
without a PAC in order to keep the code sane.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org>
[abartlet@samba.org Backported to Samba 4.12 has conflcits
as the share reload code is in a different spot]
Stefan Metzmacher [Tue, 5 Oct 2021 15:14:01 +0000 (17:14 +0200)]
CVE-2020-25717: selftest: configure 'ktest' env with winbindd and idmap_autorid
The 'ktest' environment was/is designed to test kerberos in an active
directory member setup. It was created at a time we wanted to test
smbd/winbindd with kerberos without having the source4 ad dc available.
This still applies to testing the build with system krb5 libraries
but without relying on a running ad dc.
As a domain member setup requires a running winbindd, we should test it
that way, in order to reflect a valid setup.
As a side effect it provides a way to demonstrate that we can accept
smb connections authenticated via kerberos, but no connection to
a domain controller! In order get this working offline, we need an
idmap backend with ID_TYPE_BOTH support, so we use 'autorid', which
should be the default choice.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14646
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org>
[scabrero@samba.org Backported to 4.11 Run winbindd in offline mode
but keep the user name mapping to avoid having to backport fixes
for bso#14539]
Stefan Metzmacher [Mon, 4 Oct 2021 17:42:20 +0000 (19:42 +0200)]
CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() delegate everything to make_server_info_wbcAuthUserInfo()
This consolidates the code paths used for NTLMSSP and Kerberos!
I checked what we were already doing for NTLMSSP, which is this:
a) source3/auth/auth_winbind.c calls wbcAuthenticateUserEx()
b) as a domain member we require a valid response from winbindd,
otherwise we'll return NT_STATUS_NO_LOGON_SERVERS
c) we call make_server_info_wbcAuthUserInfo(), which internally
calls make_server_info_info3()
d) auth_check_ntlm_password() calls
smb_pam_accountcheck(unix_username, rhost), where rhost
is only an ipv4 or ipv6 address (without reverse dns lookup)
e) from auth3_check_password_send/auth3_check_password_recv()
server_returned_info will be passed to auth3_generate_session_info(),
triggered by gensec_session_info(), which means we'll call into
create_local_token() in order to transform auth_serversupplied_info
into auth_session_info.
For Kerberos gensec_session_info() will call
auth3_generate_session_info_pac() via the gensec_generate_session_info_pac()
helper function. The current logic is this:
a) gensec_generate_session_info_pac() is the function that
evaluates the 'gensec:require_pac', which defaulted to 'no'
before.
b) auth3_generate_session_info_pac() called
wbcAuthenticateUserEx() in order to pass the PAC blob
to winbindd, but only to prime its cache, e.g. netsamlogon cache
and others. Most failures were just ignored.
c) If the PAC blob is available, it extracted the PAC_LOGON_INFO
from it.
d) Then we called the horrible get_user_from_kerberos_info() function:
- It uses a first part of the tickets principal name (before the @)
as username and combines that with the 'logon_info->base.logon_domain'
if the logon_info (PAC) is present.
- As a fallback without a PAC it's tries to ask winbindd for a mapping
from realm to netbios domain name.
- Finally is falls back to using the realm as netbios domain name
With this information is builds 'userdomain+winbind_separator+useraccount'
and calls map_username() followed by smb_getpwnam() with create=true,
Note this is similar to the make_server_info_info3() => check_account()
=> smb_getpwnam() logic under 3.
- It also calls smb_pam_accountcheck(), but may pass the reverse DNS lookup name
instead of the ip address as rhost.
- It does some MAP_TO_GUEST_ON_BAD_UID logic and auto creates the
guest account.
e) We called create_info3_from_pac_logon_info()
f) make_session_info_krb5() calls gets called and triggers this:
- If get_user_from_kerberos_info() mapped to guest, it calls
make_server_info_guest()
- If create_info3_from_pac_logon_info() created a info3 from logon_info,
it calls make_server_info_info3()
- Without a PAC it tries pdb_getsampwnam()/make_server_info_sam() with
a fallback to make_server_info_pw()
From there it calls create_local_token()
I tried to change auth3_generate_session_info_pac() to behave similar
to auth_winbind.c together with auth3_generate_session_info() as
a domain member, as we now rely on a PAC:
a) As domain member we require a PAC and always call wbcAuthenticateUserEx()
and require a valid response!
b) we call make_server_info_wbcAuthUserInfo(), which internally
calls make_server_info_info3(). Note make_server_info_info3()
handles MAP_TO_GUEST_ON_BAD_UID and make_server_info_guest()
internally.
c) Similar to auth_check_ntlm_password() we now call
smb_pam_accountcheck(unix_username, rhost), where rhost
is only an ipv4 or ipv6 address (without reverse dns lookup)
d) From there it calls create_local_token()
As standalone server (in an MIT realm) we continue
with the already existing code logic, which works without a PAC:
a) we keep smb_getpwnam() with create=true logic as it
also requires an explicit 'add user script' option.
b) In the following commits we assert that there's
actually no PAC in this mode, which means we can
remove unused and confusing code.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14646
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org>
[abartlet@samba.org Backported due to change in structure
initialization with { 0 } to zero ]
[abartlet@samba.org backported to 4.12 due to conflict
with code not present to reload shared on krb5 login]
Stefan Metzmacher [Tue, 21 Sep 2021 10:44:01 +0000 (12:44 +0200)]
CVE-2020-25717: s3:ntlm_auth: let ntlm_auth_generate_session_info_pac() base the name on the PAC LOGON_INFO only
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Tue, 21 Sep 2021 10:27:28 +0000 (12:27 +0200)]
CVE-2020-25717: s3:ntlm_auth: fix memory leaks in ntlm_auth_generate_session_info_pac()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Mon, 11 Oct 2021 21:17:19 +0000 (23:17 +0200)]
CVE-2020-25717: s4:auth: remove unused auth_generate_session_info_principal()
We'll require a PAC at the main gensec layer already.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org>
[abartlet@samba.org Backported from master/4.15 as
check_password is sync in 4.14]
Stefan Metzmacher [Tue, 5 Oct 2021 16:11:57 +0000 (18:11 +0200)]
CVE-2020-25717: auth/gensec: always require a PAC in domain mode (DC or member)
AD domains always provide a PAC unless UF_NO_AUTH_DATA_REQUIRED is set
on the service account, which can only be explicitly configured,
but that's an invalid configuration!
We still try to support standalone servers in an MIT realm,
as legacy setup.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Alexander Bokovoy [Wed, 11 Nov 2020 16:50:45 +0000 (18:50 +0200)]
CVE-2020-25717: Add FreeIPA domain controller role
As we want to reduce use of 'classic domain controller' role but FreeIPA
relies on it internally, add a separate role to mark FreeIPA domain
controller role.
It means that role won't result in ROLE_STANDALONE.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
[abartlet@samba.org Backported due to conflict with DEBUG
statements and IPA branding changes in comments]
Stefan Metzmacher [Mon, 4 Oct 2021 16:03:55 +0000 (18:03 +0200)]
CVE-2020-25717: s3:auth: don't let create_local_token depend on !winbind_ping()
We always require a running winbindd on a domain member, so
we should better fail a request instead of silently alter
the behaviour, which results in a different unix token, just
because winbindd might be restarted.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Fri, 8 Oct 2021 10:33:16 +0000 (12:33 +0200)]
CVE-2020-25717: s3:auth: remove fallbacks in smb_getpwnam()
So far we tried getpwnam("DOMAIN\account") first and
always did a fallback to getpwnam("account") completely
ignoring the domain part, this just causes problems
as we mix "DOMAIN1\account", "DOMAIN2\account",
and "account"!
As we require a running winbindd for domain member setups
we should no longer do a fallback to just "account" for
users served by winbindd!
For users of the local SAM don't use this code path,
as check_sam_security() doesn't call check_account().
The only case where smb_getpwnam("account") happens is
when map_username() via ("username map [script]") mapped
"DOMAIN\account" to something without '\', but that is
explicitly desired by the admin.
Note: use 'git show -w'
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Fri, 8 Oct 2021 16:08:20 +0000 (18:08 +0200)]
CVE-2020-25717: s3:auth: no longer let check_account() autocreate local users
So far we autocreated local user accounts based on just the
account_name (just ignoring any domain part).
This only happens via a possible 'add user script',
which is not typically defined on domain members
and on NT4 DCs local users already exist in the
local passdb anyway.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Fri, 8 Oct 2021 15:40:30 +0000 (17:40 +0200)]
CVE-2020-25717: s3:auth: we should not try to autocreate the guest account
We should avoid autocreation of users as much as possible.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Samuel Cabrero [Tue, 28 Sep 2021 08:45:11 +0000 (10:45 +0200)]
CVE-2020-25717: s3:auth: Check minimum domain uid
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Fri, 8 Oct 2021 17:57:18 +0000 (19:57 +0200)]
CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() forward the low level errors
Mapping everything to ACCESS_DENIED makes it hard to debug problems,
which may happen because of our more restrictive behaviour in future.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Samuel Cabrero [Tue, 28 Sep 2021 08:43:40 +0000 (10:43 +0200)]
CVE-2020-25717: loadparm: Add new parameter "min domain uid"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
[abartlet@samba.org Backported from master/4.15 due to
conflicts with other new parameters]
Stefan Metzmacher [Tue, 26 Oct 2021 15:42:41 +0000 (17:42 +0200)]
CVE-2020-25717: auth/ntlmssp: start with authoritative = 1
This is not strictly needed, but makes it easier to audit
that we don't miss important places.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Tue, 26 Oct 2021 15:42:41 +0000 (17:42 +0200)]
CVE-2020-25717: s3:auth: start with authoritative = 1
This is not strictly needed, but makes it easier to audit
that we don't miss important places.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org>
[scabrero@samba.org Backported to 4.10 due to missing commits
7f75dec865256049e99f7fcf46317cd2d53e95d1 and
434030ba711e677fdd167a255d05c1cd4db943b7]
Stefan Metzmacher [Tue, 26 Oct 2021 15:42:41 +0000 (17:42 +0200)]
CVE-2020-25717: s3:rpcclient: start with authoritative = 1
This is not strictly needed, but makes it easier to audit
that we don't miss important places.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Tue, 26 Oct 2021 15:42:41 +0000 (17:42 +0200)]
CVE-2020-25717: s3:torture: start with authoritative = 1
This is not strictly needed, but makes it easier to audit
that we don't miss important places.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org>
[scabrero@samba.org Backported to 4.10 due to missing commit
a5548af018643f2e78c482e33ef0e6073db149e4 to check return value
of SMBOWFencrypt()]
Stefan Metzmacher [Tue, 26 Oct 2021 15:42:41 +0000 (17:42 +0200)]
CVE-2020-25717: s3:ntlm_auth: start with authoritative = 1
This is not strictly needed, but makes it easier to audit
that we don't miss important places.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Tue, 26 Oct 2021 15:42:41 +0000 (17:42 +0200)]
CVE-2020-25717: s4:auth_simple: start with authoritative = 1
This is not strictly needed, but makes it easier to audit
that we don't miss important places.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Tue, 26 Oct 2021 15:42:41 +0000 (17:42 +0200)]
CVE-2020-25717: s4:smb_server: start with authoritative = 1
This is not strictly needed, but makes it easier to audit
that we don't miss important places.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Tue, 26 Oct 2021 15:42:41 +0000 (17:42 +0200)]
CVE-2020-25717: s4:torture: start with authoritative = 1
This is not strictly needed, but makes it easier to audit
that we don't miss important places.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Mon, 4 Oct 2021 15:29:34 +0000 (17:29 +0200)]
CVE-2020-25717: s4:auth/ntlm: make sure auth_check_password() defaults to r->out.authoritative = true
We need to make sure that temporary failures don't trigger a fallback
to the local SAM that silently ignores the domain name part for users.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Mon, 4 Oct 2021 15:29:34 +0000 (17:29 +0200)]
CVE-2020-25717: s3:winbindd: make sure we default to r->out.authoritative = true
We need to make sure that temporary failures don't trigger a fallback
to the local SAM that silently ignores the domain name part for users.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org>
[scabrero@samba.org Backported for 4.10 due to no logon_id for
log_authentication() neither is_allowed_domain()]
Stefan Metzmacher [Fri, 22 Oct 2021 14:20:36 +0000 (16:20 +0200)]
CVE-2020-25719 CVE-2020-25717: selftest: remove "gensec:require_pac" settings
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Tue, 5 Oct 2021 14:42:00 +0000 (16:42 +0200)]
selftest/Samba3: replace (winbindd => "yes", skip_wait => 1) with (winbindd => "offline")
This is much more flexible and concentrates the logic in a single place.
We'll use winbindd => "offline" in other places soon.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14870
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
4dc3c68c9a28f71888e3d6dd3b1f0bcdb8fa45de)
(cherry picked from commit
89b9cb8b786c3e4eb8691b5363390b68d8228a2d)
[scabrero@samba.org Backported to 4.10]
Samuel Cabrero [Thu, 4 Nov 2021 10:51:08 +0000 (11:51 +0100)]
selftest: Fix ktest usermap file
The user was not mapped:
user_in_list: checking user |KTEST/administrator| against |KTEST\Administrator|
The user 'KTEST/administrator' has no mapping. Skip it next time.
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
[scabrero@samba.org Once smb_getpswnam() fallbacks are removed the user
has to be mapped]
Ralph Boehme [Sat, 18 Jan 2020 07:06:45 +0000 (08:06 +0100)]
s3/auth: use set_current_user_info() in auth3_generate_session_info_pac()
This delays reloading config slightly, but I don't see how could affect
observable behaviour other then log messages coming from the functions in
between the different locations for lp_load_with_shares() like
make_session_info_krb5() are sent to a different logfile if "log file" uses %U.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
dc4b1e39ce1f2201a2d6ae2d4cffef2448f69a62)
[scabrero@samba.org Prerequisite for CVE-2020-25717 backport]
Stefan Metzmacher [Thu, 27 Oct 2016 08:40:28 +0000 (10:40 +0200)]
CVE-2016-2124: s3:libsmb: don't fallback to non spnego authentication if we require kerberos
We should not send NTLM[v2] nor plaintext data on the wire if the user
asked for kerberos only.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12444
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 24 Nov 2016 08:12:59 +0000 (09:12 +0100)]
CVE-2016-2124: s4:libcli/sesssetup: don't fallback to non spnego authentication if we require kerberos
We should not send NTLM[v2] data on the wire if the user asked for kerberos
only.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12444
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Volker Lendecke [Sat, 20 Feb 2021 14:50:12 +0000 (15:50 +0100)]
passdb: Simplify sids_to_unixids()
Best reviewed with "git show -b", there's a "continue" statement that
changes subsequent indentation.
Decouple lookup status of ids from ID_TYPE_NOT_SPECIFIED
Bug: https://bugzilla.samba.org/show_bug.cgi?id=14571
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Andreas Schneider [Wed, 11 Nov 2020 12:42:06 +0000 (13:42 +0100)]
s3:smbd: Fix possible null pointer dereference in token_contains_name()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14572
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Thu Nov 12 15:13:47 UTC 2020 on sn-devel-184
(cherry picked from commit
8036bf9717f83e83c3e4a9cf00fded42e9a5de15)
Jeremy Allison [Thu, 5 Nov 2020 23:48:08 +0000 (15:48 -0800)]
s3: spoolss: Make parameters in call to user_ok_token() match all other uses.
We already have p->session_info->unix_info->unix_name, we don't
need to go through a legacy call to uidtoname(p->session_info->unix_token->uid).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14568
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Nov 9 04:10:45 UTC 2020 on sn-devel-184
(cherry picked from commit
e5e1759057a767f517bf480a2172a36623df2799)
Andreas Schneider [Tue, 2 Feb 2021 17:10:38 +0000 (18:10 +0100)]
lib:util: Avoid free'ing our own pointer
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14625
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Feb 3 10:57:01 UTC 2021 on sn-devel-184
(cherry picked from commit
0bdbe50fac680be3fe21043246b8c75005611351)
Andreas Schneider [Wed, 3 Feb 2021 09:37:12 +0000 (10:37 +0100)]
lib:util: Add cache oversize test for memcache
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14625
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
00543ab3b29e3fbfe8314e51919629803e14ede6)
Andreas Schneider [Wed, 3 Feb 2021 09:30:08 +0000 (10:30 +0100)]
lib:util: Add basic memcache unit test
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14625
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
bebbf621d6052f797c5cf19a2a9bbc13e699d3f0)
Khem Raj [Thu, 23 Jul 2020 05:42:09 +0000 (22:42 -0700)]
nsswitch/nsstest.c: Avoid nss function conflicts with glibc nss.h
glibc 2.32 will define these varibles [1] which results in conflicts
with these static function names, therefore prefix these function names
with samba_ to avoid it
[1] https://sourceware.org/git/?p=glibc.git;a=commit;h=
499a92df8b9fc64a054cf3b7f728f8967fc1da7d
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
Autobuild-User(master): Noel Power <npower@samba.org>
Autobuild-Date(master): Tue Jul 28 10:52:00 UTC 2020 on sn-devel-184
(cherry picked from commit
6e496aa3635557b59792e469f7c7f8eccd822322)
Andreas Schneider [Wed, 3 Feb 2021 11:58:31 +0000 (12:58 +0100)]
Revert "s3:smbd: Use fsp al the talloc memory context"
This reverts commit
958bed1a1e5c9f334a1859bef14f4fe1657c3e49.
Andreas Schneider [Wed, 9 Sep 2020 14:00:52 +0000 (16:00 +0200)]
s3:smbd: Use fsp al the talloc memory context
Somehow the lck pointer gets freed before we call TALLOC_FREE().
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Isaac Boukris [Tue, 15 Dec 2020 14:17:04 +0000 (15:17 +0100)]
HACK:s3:winbind: Rely on the domain child for online check
Isaac Boukris [Sat, 20 Jun 2020 15:17:33 +0000 (17:17 +0200)]
Fix usage of ldap_get_values_len for msDS-AdditionalDnsHostName
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14406
Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Jun 22 09:59:04 UTC 2020 on sn-devel-184
(cherry picked from commit
f9dd67355ba35539d7ae1774d5135fd05d747b3f)
Isaac Boukris [Thu, 11 Jun 2020 13:51:27 +0000 (16:51 +0300)]
Properly handle msDS-AdditionalDnsHostName returned from Windows DC
Windows DC adds short names for each specified msDS-AdditionalDnsHostName
attribute, but these have a suffix of "\0$" and thus fail with
ldap_get_values(), use ldap_get_values_len() instead.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14406
Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Isaac Boukris <iboukris@samba.org>
Autobuild-Date(master): Thu Jun 18 16:43:47 UTC 2020 on sn-devel-184
(cherry picked from commit
9a447fb7e0701bf8b2fd922aed44d89f40420251)
Isaac Boukris [Tue, 16 Jun 2020 19:01:49 +0000 (22:01 +0300)]
selftest: add tests for binary msDS-AdditionalDnsHostName
Like the short names added implicitly by Windows DC.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14406
Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
4605d7aec5caf494a23f2c9800d6689f710ffbce)
Isaac Boukris [Thu, 11 Jun 2020 18:05:07 +0000 (21:05 +0300)]
Fix a typo in recent net man page changes
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14406
Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
4e51e832176a99f2a841c7a0d78fb0424f02956e)
Andreas Schneider [Fri, 17 Jul 2020 10:14:16 +0000 (12:14 +0200)]
docs: Fix documentation for require_membership_of of pam_winbind.conf
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14358
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
(cherry picked from commit
71b7140fd0a33e7e8c5bf37c2897cea8224b3f01)
Andreas Schneider [Thu, 9 Jul 2020 09:48:26 +0000 (11:48 +0200)]
docs: Fix documentation for require_membership_of of pam_winbind
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14358
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit
4c74db6978c682f8ba4e74a6ee8157cfcbb54971)
Andreas Schneider [Mon, 17 Aug 2020 12:12:48 +0000 (14:12 +0200)]
s3:smbd: Fix %U substitutions if it contains a domain name
'valid users = DOMAIN\%U' worked with Samba 3.6 and broke in a newer
version.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14467
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
5de7c91e6d4e98f438157a7675c8582cabdd828d)
(cherry picked from commit
60ddb7b20071b00f0cd7f1cb818022220eb0c279)
git.samba.org / asn / samba.git / log