git.samba.org - samba.git/log

mdssvc: Align an integer type

In libjansson 2.13.1 json_array_size() returns a size_t

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

s3: smbd: Add two new functions in a new file, smb2_posix.c: smb2_posix_cc_info(), store_smb2_posix_info()

Not yet used.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Feb 1 17:25:45 UTC 2022 on sn-devel-184

s3: smbd: smbd_smb2_request_process_negprot() - Allow SMB2 unix extensions to be negotiated. Currently not allowed.

As lp_smb2_unix_extensions() currently always returns false,
this code path cannot be executed. This will change once the
whole client and server fixes are in place and tests are passing.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3: smbd: Plumb in POSIX lock requests through SMB2 lock calls if done on a POSIX handle. Currently not allowed.

Note there is currently no way to create a POSIX file
handle in SMB2 so this code can't be accessed.

This will remain so until client and server code are ready to
turn on SMB2 POSIX extensions and the tests are in place.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3: smbd: Update widelinks_warning() to cope with SMB1 and SMB2 unix extensions.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3: smbd: lp_widelinks(). Turn off widelinks if either SMB1 or SMB2 unix extensions are turned on.

NB. Currently it's impossible to turn on SMB2 unix extensions.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3: smbd: Add lp_smb2_unix_extensions() function. Always returns false for now.

For now *always* returns false. This allows me to
add code into smbd contingent on lp_smb2_unix_extensions()
which I know will not be executed until all the parts
are in place. Then the real parameter can be added
(default to off) and testing added.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3: smbd: Add the definition for SMB2_FIND_POSIX_INFORMATION info level.

Will be used by smb2_query_directory. Not yet used or available.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3: smbd: Add the definition for SMB2_FILE_POSIX_INFORMATION info level.

Will be used by smb2_getinfo. Not yet used or available.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

libcli: Add SMB2 posix negotiate context flag.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3: smbd: Add an SMB2 server flag posix_extensions_negotiated.

This allows the server to only enable smb2 unix open handles if
the smb.conf parameter is set and the client client correctly
negotiated smb2 unix on the connection.

Currently there is no "smb2 unix extensions" parameter so
this can never be set to true.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

CVE-2021-44141: s3: smbd: Inside rename_internals_fsp(), we must use vfs_stat() for existence, not SMB_VFS_STAT().

We need to take SMB1+POSIX into account here and do an LSTAT if it's
a POSIX name.

Remove knownfail.d/posix_sylink_rename

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911

Signed-off-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Jan 31 16:26:26 UTC 2022 on sn-devel-184

CVE-2021-44141: s3: torture: Add a test samba3.blackbox.test_symlink_rename.SMB1.posix that shows we still leak target info across a SMB1+POSIX rename.

Add a knownfail.d/posix_sylink_rename

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911

Signed-off-by: Jeremy Allison <jra@samba.org>

CVE-2021-44141: s3: smbd: Fix a subtle bug in the error returns from filename_convert().

If filename_convert() fails to convert the path, we never call
check_name(). This means we can return an incorrect error code
(NT_STATUS_ACCESS_DENIED) if we ran into a symlink that points
outside the share to a non-readable directory. We need to make
sure in this case we always call check_name().

Remove knownfail.d/symlink_traversal.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911

Signed-off-by: Jeremy Allison <jra@samba.org>

CVE-2021-44141: s3: smbd: Inside check_reduced_name() ensure we return the correct error codes when failing symlinks.

NT_STATUS_OBJECT_PATH_NOT_FOUND for a path component failure.
NT_STATUS_OBJECT_NAME_NOT_FOUND for a terminal component failure.

Remove:

samba3.blackbox.test_symlink_traversal.SMB1.posix
samba3.blackbox.smbclient_s3.*.Ensure\ widelinks\ are\ restricted\(.*\)
samba3.blackbox.smbclient_s3.*.follow\ symlinks\ \=\ no\(.*\)

in knownfail.d/symlink_traversal as we now pass these. Only one more fix
remaining to get rid of knownfail.d/symlink_traversal completely.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911

Signed-off-by: Jeremy Allison <jra@samba.org>

CVE-2021-44141: s3: smbd: For SMB1+POSIX clients trying to open a symlink, always return NT_STATUS_OBJECT_NAME_NOT_FOUND.

Matches the error return from openat_pathref_fsp().

NT_STATUS_OBJECT_PATH_NOT_FOUND is for a bad component in a path, not
a bad terminal symlink.

Remove knownfail.d/simple_posix_open, we now pass.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911

Signed-off-by: Jeremy Allison <jra@samba.org>

CVE-2021-44141: s3: torture: Change expected error return for samba3.smbtorture_s3.plain.POSIX.smbtorture.

Trying to open a symlink as a terminal component should return
NT_STATUS_OBJECT_NAME_NOT_FOUND, not NT_STATUS_OBJECT_PATH_NOT_FOUND.

Mark as knownfail.d/simple_posix_open until we fix the server.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911

Signed-off-by: Jeremy Allison <jra@samba.org>

CVE-2021-44141: s3: torture: In test_smbclient_s3, change the error codes expected for test_widelinks() and test_nosymlinks() from ACCESS_DENIED to NT_STATUS_OBJECT_NAME_NOT_FOUND.

For SMB1/2/3 (minus posix) we need to treat bad symlinks
as though they don't exist.

Add to knwownfail.d/symlink_traversal

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911

Signed-off-by: Jeremy Allison <jra@samba.org>

CVE-2021-44141: s3: torture: Add samba3.blackbox.test_symlink_traversal.SMB1.posix

Add to knownfail.d/symlink_traversal.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911

Signed-off-by: Jeremy Allison <jra@samba.org>

CVE-2021-44141: s3: torture: Add samba3.blackbox.test_symlink_traversal.SMB1.

Add to knownfail.d/symlink_traversal.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911

Signed-off-by: Jeremy Allison <jra@samba.org>

CVE-2021-44141: s3: torture: Add samba3.blackbox.test_symlink_traversal.SMB2.

Add to knownfail.d/symlink_traversal

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911

Signed-off-by: Jeremy Allison <jra@samba.org>

CVE-2021-44142: libadouble: harden parsing code

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14914

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

CVE-2021-44142: libadouble: add basic cmocka tests

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14914

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

CVE-2021-44142: libadouble: harden ad_unpack_xattrs()

This ensures ad_unpack_xattrs() is only called for an ad_type of ADOUBLE_RSRC,
which is used for parsing ._ AppleDouble sidecar files, and the buffer
ad->ad_data is AD_XATTR_MAX_HDR_SIZE bytes large which is a prerequisite for all
buffer out-of-bounds access checks in ad_unpack_xattrs().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14914

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

CVE-2021-44142: smbd: add Netatalk xattr used by vfs_fruit to the list of private Samba xattrs

This is an internal xattr that should not be user visible.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14914

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

CVE-2021-44142: libadouble: add defines for icon lengths

From https://www.ietf.org/rfc/rfc1740.txt

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14914

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

CVE-2022-0336: s4/dsdb/samldb: Don't return early when an SPN is re-added to an object

If an added SPN already exists on an object, we still want to check the
rest of the element values for conflicts.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14950

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

CVE-2022-0336: pytest: Add a test for an SPN conflict with a re-added SPN

This test currently fails, as re-adding an SPN means that later checks
do not run.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14950

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

s4:kdc: Translate HDB flags to SDB flags

We used to have a 1 to 1 mapping, but now we have
a conflict with these:

#define SDB_F_FORCE_CANON 16384
#define HDB_F_PRECHECK 16384

We currently don't really care about HDB_F_PRECHECK,
so we can just filter it out.

In the long run we may change the SDB flags space to uint64...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14960

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Jan 28 13:33:22 UTC 2022 on sn-devel-184

s4:kdc: Remove trailing spaces in hdb-samba4.c

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14960

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s4:kdc: Add a HDB to SDB mask

For most flags the mapping is 1 to 1, but it's not always
the case anymore.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14960

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s3/rpc_server: install elasticsearch_mappings.json

This was removed accidentally remvoed by
a7c65958a15149918415b7456d6f20ee8c9669d2 because the original code
only installed the json file if the mdssvc was built as module:

     if bld.SAMBA3_IS_ENABLED_MODULE('rpc_mdssvc_module'):
         bld.INSTALL_FILES(bld.env.SAMBA_DATADIR,
                           'mdssvc/elasticsearch_mappings.json')

Installing the json file should just depend on Elasticsearch support
being enabled, regardless of the removed module support.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14961

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
Autobuild-User(master): Noel Power <npower@samba.org>
Autobuild-Date(master): Fri Jan 28 10:22:31 UTC 2022 on sn-devel-184

printing/bgqd: Disable systemd notifications

samba-bgqd daemon is started by existing Samba daemons. When running
under systemd, those daemons control systemd notifications and
samba-bgqd messages need to be silenced.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14947

Signed-off-by: FeRD (Frank Dana) <ferdnyc@gmail.com>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Thu Jan 27 10:53:50 UTC 2022 on sn-devel-184

s4/auth/simple_bind: correctly report TLS state

It went wrong in 366f8cf0903e3583fda42696df62a5337f22131f

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Jan 26 12:39:52 UTC 2022 on sn-devel-184

pytest:auth_log: expect TLS connections when using ldaps

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Volker Lendecke <vl@samba.org>

s3/torture/pdbtest: fix always false condition

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9320

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Volker Lendecke <vl@samba.org>

s4:libnet: Fix uninitialized value "seq_num"

Found by covscan.

Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s4:libnet: Fix trailing whitespace in libnet_vampire.c

Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3: smbd: Rename "unix extensions" -> "smb1 unix extensions".

Make 'unix extensions' a synonym for "smb1 unix extensions".

This will allow us to have a separate "smb2 unix extensions"
parameter that we can examine separately.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Mulder <dmulder@suse.com>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Jan 25 21:43:59 UTC 2022 on sn-devel-184

s3: smbd: Cleanup - In smbd_do_query_security_desc() we don't need a talloc frame.

Just free the marshalled sd before returning.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Mulder <dmulder@suse.com>

s3: smbd: Cleanup - Split out smbd_marshall_security_desc() from smbd_do_query_security_desc().

This is part two of a cleanup to split this up into a fetch()/marshal()
pair. Allows easy modification of the sd before returning if we need
to add the SMB2+unix mode information here on a SMB2 posix handle.

Also makes the code much clearer.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Mulder <dmulder@suse.com>

s3: smbd: Cleanup - Split out smbd_fetch_security_desc() from smbd_do_query_security_desc().

This is part one of a cleanup to split this up into a fetch()/marshal()
pair. Allows easy modification of the sd before returning if we need
to add the SMB2+unix mode information here on a SMB2 posix handle.

Also makes the code much clearer.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Mulder <dmulder@suse.com>

blackbox.ndrdump: fix test_ndrdump_fuzzed_NULL_struct_ntlmssp_CHALLENGE_MESSAGE test

This actually reveals that ndr_push_string() for TargetName="" was
failing before because it resulted in 1 byte for a subcontext with
TargetLen=0.

This is fixed now and we no longer expect ndrdump to exit with 1.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14956

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Jan 24 16:18:34 UTC 2022 on sn-devel-184

librpc/ndr: let ndr_push_string() let s_len == 0 result in d_len = 0

convert_string_talloc_handle() tries to play an the safe side
and always returns a null terminated array.

But for NDR we need to be correct on the wire...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14956

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s4:torture/ndr: demonstrate the ndr_push_string(STR_NOTERM|REMAINING) of "" is wrong

convert_string_talloc() never returns a string with len=0 and always
implies zero termination byte(s).

For ndr_push_string this is unexpected as we need to be compatible on
the wire and push 0 bytes for an empty string.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14956

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

blackbox.ndrdump: adjust example files to the usage of dump_data_diff output.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14956

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

ndrdump: make use of dump_data_file_diff() in order to show differences

This makes it much easier to detect differences in the given and
generated buffers.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14956

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

lib/util: add dump_data_diff*() helpers

That will make it easy to see the difference
between two memory buffers.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14956

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

blackbox.ndrdump: adjust example files to changed dump_data() output.

The cleanup using dump_data_block16() fixed the space handling.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14956

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

lib/util: split out a dump_data_block16() helper

This simplifies the logic a lot for me.

It also fixes some corner cases regarding whitespaces in the
output, that's why we have to mark a few tests as knownfail,
they will be fixed in the next commit.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14956

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

dcesrv_core: wrap gensec_*() calls in [un]become_root() calls

This is important for the source3/rpc_server code as it might
be called embedded in smbd and may not run as root with access
to our private tdb/ldb files.

Note this is only really needed for 4.15 and older, as
we no longer run the rpc_server embedded in smbd,
but we better be consistent for now.

This should be able to fix the problem the printing no longer works
on Windows 7 with 2021-10 monthly rollup patch (KB5006743).

Windows uses NTLMSSP with privacy at the DCERPC layer on top
of NCACN_NP (smb).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14867

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

WHATSNEW: Start release notes for Samba 4.17.0pre1.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

ldb: bump version to 2.6.0 for Samba 4.17.x releases

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Jule Anger <janger@samba.org>
Autobuild-User(master): Jule Anger <janger@samba.org>
Autobuild-Date(master): Mon Jan 24 12:15:09 UTC 2022 on sn-devel-184

VERSION: Bump version up to 4.17.0pre1...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Jule Anger <janger@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>

VERSION: Disable GIT_SNAPSHOT for the Samba 4.16.0rc1 release.

Signed-off-by: Jule Anger <janger@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>

WHATSNEW: Up to Samba 4.16.0rc1.

Signed-off-by: Jule Anger <janger@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>

tdb: version 1.4.6

* Use atomic operations for tdb_[increment|get]_seqnum

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Jule Anger <janger@samba.org>

s4:librpc: raise log level for failed connection attempts

this keeps the log files silent when other DCs are currently not running. We
saw frequent NT_STATUS_HOST_UNREACHABLE messages at log level 0 for now.

https://bugzilla.samba.org/show_bug.cgi?id=11537

Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Sun Jan 23 12:51:44 UTC 2022 on sn-devel-184

s3:libnet: Do not set ADS_AUTH_ALLOW_NTLMSSP in FIPS mode

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955

Pair-Programmed-With: Andreas Schneider <asn@samba.org>

Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Sat Jan 22 00:27:52 UTC 2022 on sn-devel-184

s3:winbindd: Do not set ADS_AUTH_ALLOW_NTLMSSP in FIPS mode

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955

Pair-Programmed-With: Andreas Schneider <asn@samba.org>

Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s3:winbindd: Remove trailing spaces from winbindd_ads.c

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955

Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s4:selftest: plan test suite samba4.blackbox.test_weak_disable_ntlmssp_ldap

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955

Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

tests: Add test for disabling NTLMSSP for ldap client connections

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955

Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s3:libads: Disable NTLMSSP if not allowed (for builds without kerberos)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955

Pair-Programmed-With: Andreas Schneider <asn@samba.org>

Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s3:libads: Improve debug messages for SASL bind

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955

Pair-Programmed-With: Andreas Schneider <asn@samba.org>

Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s3:libads: Disable NTLMSSP for FIPS

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955

Pair-Programmed-With: Andreas Schneider <asn@samba.org>

Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s3:libads: Remove trailing spaces from sasl.c

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955

Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s3:utils: set ads->auth.flags using krb5_state

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955

Pair-Programmed-With: Andreas Schneider <asn@samba.org>

Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

wafsamba: Add our own implmentation to generate the clangdb

Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>

wafsamba: Remove clangdb code which doesn't work

This generates an incomplete database where defines and includes are missing.

Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>

build: Without getrandom() require gnutls 3.7.2

gnutls before 3.7.2 and without getrandom() will open /dev/urandom at library
initialization time before main() is run. We use closefrom(3) in samba-bgqd and
samba-dcerpd, which closes /dev/urandom, which then breaks gnutls. On system
with getrandom(), no file descriptor is opened and gnutls 3.7.2+ will open and
close /dev/urandom whenever it needs to access it.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Jan 21 21:42:08 UTC 2022 on sn-devel-184

bootstrap: use compat-gnutls37-devel for centos7

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

libcli/dns: Fix TCP fallback

A customer has come across a DNS server that really just cuts a SRV
reply if it's too long. This makes the packet invalid according to
ndr_pull and according to wireshark. DNS_FLAG_TRUNCATION is however
set. As this seems to be legal according to the DNS RFCs, we need to
hand-parse the first two uint16's and look whether DNS_FLAG_TRUNCATION
is set.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Jan 20 18:01:41 UTC 2022 on sn-devel-184

autobuild: Fix path for libwbclient ldd checks

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Jan 20 14:19:02 UTC 2022 on sn-devel-184

s4:dsdb/vlv_pagination: fix segfault in vlv_results()

It can happen that the vlv_results() failes, e.g. due to
LDB_ERR_TIME_LIMIT_EXCEEDED, if that happens we should not
dereference ares->response, if ares is NULL.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14952

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Jan 20 10:04:39 UTC 2022 on sn-devel-184

s4:dsdb/paged_results: fix segfault in paged_results()

It can happen that the paged_results() failes, e.g. due to
LDB_ERR_TIME_LIMIT_EXCEEDED, if that happens we should not
dereference ares->response, if ares is NULL.

We also should not call ldb_module_done() if paged_results()
fails, as it was already called.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14952

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

HEIMDAL: move code from source4/heimdal* to third_party/heimdal*

This makes it clearer that we always want to do heimdal changes
via the lorikeet-heimdal repository.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Autobuild-User(master): Joseph Sutton <jsutton@samba.org>
Autobuild-Date(master): Wed Jan 19 21:41:59 UTC 2022 on sn-devel-184

s4:torture: Adapt KDC canon test to Heimdal upstream changes

NOTE: This commit finally works again!

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s4:torture: Remove PAC-REQUEST check for RESPONSE_TOO_BIG

Needed by the Heimdal upgrade...

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s4:torture: Fix Orpheus' Lyre tests

The enc-pa-rep request protection allows these tests to now pass as
expected.

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s4:torture: Adapt LSA tests to newer Heimdal version

The Heimdal upgrade results in some changes that affect these tests. The
cname is now non-NULL in certain circumstances, the IO counts are
different due to a change between the ordering of capaths and referrals,
some requests no longer fail, and referral tickets are not cached
anymore, and so cannot be checked.

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s4:torture: return ETYPE_INFO2 on PREAUTH_FAILED

This is an alternative to 978bc8681e74ffa17f96fd5d4355094c4a26691c
which got overriten by the upgrade merge.
One difference however, is that we don't return ENC_TIMESTAMP like
in PREAUTH_REQUIRED but only ETYPE_INFO2 same as Windows.

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

selftest: Expect FAST support for both MIT and Heimdal

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

selftest: set [libdefaults] fcache_strict_checking = false

We're using uid_wrapper so the checks will fail.

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

selftest: knownfail updates after Heimdal Upgrade

The Heimdal upgrade brings the new feature of FAST, allowing more tests to pass.

However it causes a regression in FL2003 for the returned salt format in
the AS-REP, but FL 2003 has not been the default since Samba 4.2 as AES
keys are much stronger and should be preferred.

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

selftest: Update SimpleKerberosTests now that Samba supports FAST

Heimdal matches Windows in this respect

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

tests/krb5: Add option to check reply padata

So far we have only been checking padata in error replies and with FAST.
We should also check it in the general success case.

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s4:kdc: Return PA-SUPPORTED-ENCTYPES

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s4:kdc: Set supported enctypes in KDC entry

This allows us to return the supported enctypes to the client as
PA-SUPPORTED-ENCTYPES padata.

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s4:kdc: Add PAC_ATTRIBUTES integration for Heimdal

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Stefan Metzmacher <metze@samba.org>

s4:kdc: Set require_pac and no-ENC_TS in FAST for new Heimdal import

This allows us to continue to avoid CVE-2020-25719 in particular
and pass our tests for expected FAST behaviour as the patches
we requested by upstream to be conditional, not hard-coded.

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s4:kdc/heimdal: Always include the salt in the PA-ETYPE-INFO[2]

This matches Windows and is detected by our samba.tests.krb5.as_canonicalization_tests
test as this always expects the salt, which Windows always provides.

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s4:kdc: cope with upstream rename of configuration parameters.

This copes with the upstream commit:

commit c757eb7fb04a9b0ca883ddb72c1bc75bf5d814f3
Author: Nicolas Williams <nico@cryptonector.com>
Date:   Fri Nov 25 17:21:04 2011 -0600

    Rename and fix as/tgs-use-strongest-key config parameters

        Different ticket session key enctype selection options should
        distinguish between target principal type (krbtgt vs. not), not
        between KDC request types.

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
[abartlet@samba.org Researched and updated the commit message]
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s4:kdc: Move calls using the samba4 name to be right after each other

These all need to be in sync

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s4:kdc: Adapt KDC to new Heimdal to load samba4 HDB plugin for keytab

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s4:kdc/hdb: Store and retrieve a FX-COOKIE value

Note Windows uses the string "MICROSOFT" as cookie,
so it's wrong to have a per DC cookie, but we need to
adjust the Heimdal logic to support that.

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s4:kdc: Set entry.flags.force_canonicalize to override the new Heimdal behaviour

This is needed to give hdb_samba4 the full control over the returned
principal, rather than the new code in the Heimdal KDC.

Including changes selected from code by Stefan Metzmacher <metze@samba.org>
in his Heimdal upgrade branch.

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s4:kerberos: adapt the heimdal send_to_kdc hooks to the send_to_kdc/realm plugin interface

With the recent heimdal upgrade we better try to use the send_to_realm()
hooks as it allows us to handle the KDC lookup as well as only getting
each logical request just once in the testing code, which makes it
let dependend on the heimdal internal kdc lookup logic.

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>