CVE-2023-42669 s4-rpc_server: Disable rpcecho server by default The rpcecho server is useful in development and testing, but should never have been allowed into production, as it includes the facility to do a blocking sleep() in the single-threaded rpc worker. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15474 Signed-off-by: Andrew Bartlett <abartlet@samba.org>
CVE-2022-38023 s4:rpc_server/netlogon: Move schannel and credentials check functions to librpc Will be used later by s3 netlogon server. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 Signed-off-by: Samuel Cabrero <scabrero@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
CVE-2022-38023 s4:rpc_server:wscript: Reformat following pycodestyle BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 Signed-off-by: Samuel Cabrero <scabrero@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
CVE-2020-25718 dsdb: Bring sid_helper.c into common code as rodc_helper.c These common routines will assist the KDC to do the same access checking as the RPC servers need to do regarding which accounts a RODC can act with regard to. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
s4:rpc_server: Allow to use RC4 for setting passwords Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
librpc: core: Move the s4 handles implementation to the RPC server core Signed-off-by: Samuel Cabrero <scabrero@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
build: Do not build selftest binaries for builds without --enable-selftest Add new for_selftest option to SAMBA_BINARY() and SAMBA3_BINARY() This allows us to be much more consistent (at least in the core Samba) and documents clearly why the binary should not be installed. Not modified are - test_lp_load - notifyd-tests - gendrandperf - test* from examples/libsmbclient - dbwrap_torture - split_tokens - locktest2 - msgtest - msg_sink - msg_source - versiontest - rpc_open_tcp - test_headers As these are not tested in selftest so any change would also be untested. Of course they probably should be added in a different MR. Also not modified (because they are not tests, nor part of the build system) are: - smb2mount - notifydd - log2pacp - debug2html - smbfilter - destroy_netlogon_creds_cli - spotlight2* - tevent_glib_tracker These do however appear to be untested. For now, the source4 forked client tools are left unchanged: - smbclient4 - nmblookup4 Finally, the heimdal binaries are left as install=False as they are either part of the build system or end-user tools that we just don't want to install. These are however tested. The motivation is commit like c34ec003b7d45aa4196ff93a0ac29694b25e5309 and da87fa998ab71328f30bcdf5b41aee8675aee48a, which are both totally correct but are not needed if the selftest is not run on MacOS. There are likely other platforms or build environments where building our test binaries is more pain than valuable, see for example also https://lists.samba.org/archive/samba/2019-November/227137.html Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Isaac Boukris <iboukris@samba.org> Autobuild-User(master): Isaac Boukris <iboukris@samba.org> Autobuild-Date(master): Fri Nov 22 11:48:59 UTC 2019 on sn-devel-184
s4:rpc_server: Move core functions to core library Signed-off-by: Samuel Cabrero <scabrero@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
librpc: Add new dcerpc server core library Next commits will move the core of s4 rpc server to this library. Signed-off-by: Samuel Cabrero <scabrero@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
s4:rpc_server: Rename common/reply.c to dcesrv_reply.c Signed-off-by: Samuel Cabrero <scabrero@suse.de> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
s4-rpc_server/backupkey: consistently check error codes from GnuTLS This uses the new gnutls_error_to_werror() This should resolve Coverity 1452111 as forwarded by Volker. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
s4-rpc_server: Remove Heimdal-based BackupKey server We rely on a modern GnuTLS now. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
lib/crypto: move gnutls error wrapper to own subsystem Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
waf: Also check for gnutls_privkey_export_x509() Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
waf: Add check for gnutls_x509_crt_set_subject_unique_id() This is used by the GnuTLS backupkey implementation. Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
s4:rpc_server: Remove obsolete gcrypt init Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
s4:rpc_server: move dcesrv_auth.c and common/reply.c to dcerpc_server They belong to the core dcerpc server. BUG: https://bugzilla.samba.org/show_bug.cgi?id=7113 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11892 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
s4:rpc_server: let test_rpc_dns_server_dnsutils depend on dcerpc_server The core dcerpc server is required here, which also implies DCERPC_COMMON. This is required to move common/reply.c dcesrv_auth.c from DCERPC_COMMON to dcerpc_server in the next commit. BUG: https://bugzilla.samba.org/show_bug.cgi?id=7113 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11892 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
s4:rpc_server: remove dcerpc_remote dependency from dcerpc_server dcerpc_remote is just an implementation and does not belong to the core dcerpc server. BUG: https://bugzilla.samba.org/show_bug.cgi?id=7113 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11892 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
CVE-2018-16852 dcerpc dnsserver: Verification tests Tests to verify Bug 13669 - (CVE-2018-16852) NULL pointer de-reference in Samba AD DC DNS management The presence of the ZONE_MASTER_SERVERS property or the ZONE_SCAVENGING_SERVERS property in a zone record causes the server to follow a null pointer and terminate. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13669 Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>