libcli/security: check again for NULL values

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Mar 18 02:51:08 UTC 2024 on atb-devel-224

libcli/security: claims_conversions: check for NULL in claims array

If by mistake we end up with a NULL in our array of claims pointers, it is
better to return an error than crash.

There can be NULLs in the array if a resource attribute ACE has a claim that
uses 0 as a relative data pointer. Samba assumes this means a NULL pointer,
rather than a zero offset.

Credit to OSS-Fuzz.

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=66777
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15606

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

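The zero-relative-pointer case this commit message describes, as an added C example that is not Samba code: a toy unmarshaller builds an array of claim pointers from a buffer of relative offsets, treats offset 0 as NULL (as the message says Samba does), and a consumer of that array refuses a NULL entry instead of dereferencing it. The wire layout (a 32-bit little-endian count, one 32-bit offset per claim, then name/value string pairs), the struct names and the error codes are assumptions made for this example; the real CLAIM_SECURITY_ATTRIBUTE encoding is more involved.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_CLAIMS 8

/* Hypothetical in-memory claim: both strings point into the wire buffer. */
struct claim {
	const char *name;
	const char *value;
};

struct claims_array {
	size_t count;
	struct claim storage[MAX_CLAIMS];
	struct claim *claims[MAX_CLAIMS]; /* may contain NULL entries */
};

static uint32_t get_le32(const uint8_t *p)
{
	return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
	       ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* NUL-terminated string at buf[off], or NULL if it runs past the buffer.
 * *next receives the offset just after the terminator. */
static const char *get_string(const uint8_t *buf, size_t len, size_t off,
			      size_t *next)
{
	const uint8_t *nul;
	if (off >= len) return NULL;
	nul = memchr(buf + off, '\0', len - off);
	if (nul == NULL) return NULL;
	*next = (size_t)(nul - buf) + 1;
	return (const char *)(buf + off);
}

/* Assumed layout: count, count relative offsets, then "name\0value\0" pairs.
 * A relative offset of 0 becomes a NULL pointer in out->claims[], not a
 * claim "at offset zero". Returns 0 on success, -1 on a malformed buffer. */
static int parse_claims(const uint8_t *buf, size_t len,
			struct claims_array *out)
{
	size_t i, pos = 0;
	uint32_t count;

	memset(out, 0, sizeof(*out));
	if (len < 4) return -1;
	count = get_le32(buf);
	if (count > MAX_CLAIMS || len < 4 + (size_t)count * 4) return -1;

	for (i = 0; i < count; i++) {
		uint32_t off = get_le32(buf + 4 + i * 4);
		struct claim *c = &out->storage[i];
		if (off == 0) {
			out->claims[i] = NULL; /* the case the fix guards */
			continue;
		}
		c->name = get_string(buf, len, off, &pos);
		if (c->name == NULL) return -1;
		c->value = get_string(buf, len, pos, &pos);
		if (c->value == NULL) return -1;
		out->claims[i] = c;
	}
	out->count = count;
	return 0;
}

/* Consumer of the array. Returns 0 on success, -1 if out is too small and
 * -2 on a NULL entry; an unchecked version would crash on that entry. */
static int claims_to_text(const struct claims_array *a, char *out,
			  size_t outlen)
{
	size_t i, used = 0;
	out[0] = '\0';
	for (i = 0; i < a->count; i++) {
		int n;
		if (a->claims[i] == NULL) return -2;
		n = snprintf(out + used, outlen - used, "%s=%s;",
			     a->claims[i]->name, a->claims[i]->value);
		if (n < 0 || (size_t)n >= outlen - used) return -1;
		used += (size_t)n;
	}
	return 0;
}

/* Constructed inputs: one well-formed buffer and one whose second claim
 * carries relative pointer 0. */
static const uint8_t sample_ok[] = {
	1, 0, 0, 0, 8, 0, 0, 0, 'd','e','p','t',0, 'e','n','g',0
};
static const uint8_t sample_with_null[] = {
	2, 0, 0, 0, 12, 0, 0, 0, 0, 0, 0, 0, 'd','e','p','t',0, 'e','n','g',0
};

int main(void)
{
	struct claims_array a;
	char text[64];
	if (parse_claims(sample_with_null, sizeof sample_with_null, &a) != 0)
		return 1;
	printf("count=%zu second_is_null=%d rc=%d\n", a.count,
	       a.claims[1] == NULL, claims_to_text(&a, text, sizeof text));
	return 0;
}
```

The parser is where the NULL is created; the consumer is where it must be tolerated. Any later code that walks `claims[]` needs the same check, which is why the first commit in this series "checks again" for NULL values.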
s4-auth/kerberos: Report errors observed during smb_krb5_remove_obsolete_keytab_entries()

Previously any errors noticed during the main loop would be ignored.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Mar 14 23:16:16 UTC 2024 on atb-devel-224

samba-tool domain exportkeytab: Refuse to overwrite an existing file in full-db export

Since 87f67d336919172845f53067c67d1eab8e7ef18a samba-tool domain exportkeytab
has silently unlinked the given target file. Instead, the administrator now
needs to specify a file that does not exist.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>

s4-libnet: Prepare for a "rolling update" keytab export

This mode will allow keytabs to be exported with all current keys added to
historical keys, which will be useful in a domain with many gMSA servers that
require Wireshark decryption.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>

samba-tool: Add option --keep-stale-entries to "samba-tool domain exportkeytab"

This will keep stale keys in the keytab, which may be useful for Wireshark but
is not correct if the keytab is used for accepting Kerberos tickets, as tickets
encrypted with old passwords would still be accepted.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>

lib/krb5_wrap: Pull already_hashed case out of smb_krb5_kt_add_entry()

The two callers of this function want two very different things; the common
point was wanting to call smb_krb5_kt_seek_and_delete_old_entries(). However,
this is now done earlier in sdb_kt_copy() with
smb_krb5_remove_obsolete_keytab_entries() or an unlink() in
libnet_export_keytab().

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>

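The keytab behaviours described in the preceding four commit messages (refusing to overwrite an existing export file, the "rolling update" merge of current keys into historical ones, the --keep-stale-entries trade-off, and pruning obsolete entries), as one added Python example that is not Samba or samba-tool code. The keytab entry model, the HMAC stand-in for ticket encryption and the function names are assumptions made for this example; it shows why a keytab that keeps stale kvnos still accepts a ticket encrypted under an old password, while the pruned keytab does not.

```python
import hashlib
import hmac
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class KeytabEntry:
    """Hypothetical keytab entry; enctype is only a label in this model."""
    principal: str
    kvno: int
    enctype: str
    key: bytes


def remove_obsolete_entries(entries):
    """Keep only the highest kvno per (principal, enctype).

    Models the default export: keys of older passwords are dropped so that
    tickets encrypted with them stop being accepted.
    """
    newest = {}
    for e in entries:
        k = (e.principal, e.enctype)
        if k not in newest or e.kvno > newest[k].kvno:
            newest[k] = e
    return sorted(newest.values(), key=lambda e: (e.principal, e.enctype, e.kvno))


def rolling_export(existing, current, keep_stale_entries=False):
    """Add the current keys to an existing keytab's entries.

    keep_stale_entries=True retains historical keys (useful for decrypting
    captured traffic); otherwise obsolete kvnos are pruned.
    """
    merged = list(dict.fromkeys(list(existing) + list(current)))  # de-duplicate
    if keep_stale_entries:
        return sorted(merged, key=lambda e: (e.principal, e.enctype, e.kvno))
    return remove_obsolete_entries(merged)


def make_ticket(entry, body=b"service-ticket-for-alice"):
    """Stand-in for a service ticket encrypted in the key of `entry`:
    an HMAC tag over the body instead of a real Kerberos enctype."""
    tag = hmac.new(entry.key, body, hashlib.sha256).digest()
    return (entry.principal, entry.kvno, entry.enctype, body, tag)


def accept_ticket(keytab, ticket):
    """Acceptor side: the ticket names (principal, kvno, enctype); the
    keytab is searched for exactly that key. True if it verifies."""
    principal, kvno, enctype, body, tag = ticket
    for e in keytab:
        if (e.principal, e.kvno, e.enctype) == (principal, kvno, enctype):
            expected = hmac.new(e.key, body, hashlib.sha256).digest()
            return hmac.compare_digest(expected, tag)
    return False


def write_keytab_exclusive(path, payload):
    """Create the target only if it does not exist (O_EXCL), rather than
    unlinking whatever was there. False if the file already exists."""
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        return False
    with os.fdopen(fd, "wb") as f:
        f.write(payload)
    return True


def demo():
    """Constructed keys: kvno 1 is the old password, kvno 2 the current one."""
    princ = "host/gmsa1.example.com@EXAMPLE.COM"
    et = "aes256-cts-hmac-sha1-96"
    old = KeytabEntry(princ, 1, et, bytes(32))
    new = KeytabEntry(princ, 2, et, bytes(range(32)))
    old_ticket = make_ticket(old)

    pruned = rolling_export([old], [new])
    stale = rolling_export([old], [new], keep_stale_entries=True)
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "gmsa.keytab")
        first = write_keytab_exclusive(path, b"constructed keytab bytes")
        second = write_keytab_exclusive(path, b"constructed keytab bytes")
    return {
        "pruned_kvnos": [e.kvno for e in pruned],
        "stale_kvnos": [e.kvno for e in stale],
        "old_ticket_accepted_pruned": accept_ticket(pruned, old_ticket),
        "old_ticket_accepted_stale": accept_ticket(stale, old_ticket),
        "first_write": first,
        "second_write": second,
    }


if __name__ == "__main__":
    print(demo())
```

The acceptor does no policy check of its own: whatever kvno the ticket names, if the keytab still holds that key the ticket verifies. That is why keeping stale entries is acceptable for an analysis keytab but wrong for one that a service loads to accept tickets.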
lib/krb5_wrap: Rename confusing add_salt parameter to smb_krb5_kt_add_entry()

This just adds the key directly, it is not related to if salting is used or not.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>

auth/credentials: Cope with GMSA 5min password preview in cli_credentials_set_gmsa_passwords()

This is unused in Samba currently, but is a subtle race that will be difficult
to debug if this is ever used, so this makes things easier for some future
developer.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>

s4-kdc: Prepare for gMSA support by recording it on the entry

This will allow the "samba-tool domain exportkeytab" code to do special gMSA
processing and in the future will allow the KDC to know it needs to check if
the keys in the DB need refreshing.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>

auth/credentials: Make cli_credentials_get_aes256_key into generic key access

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>