Commit message / Author / Age / Files / Lines
...
* CVE-2020-25717: tests/krb5: Add method to automatically obtain server credentials
  Author: Joseph Sutton, Age: 2021-11-18, Files: 1, Lines: -0/+42

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  (cherry picked from commit 5ea347d3673e35891613c90ca837d1ce4833c1b0)
* CVE-2020-25727: idmap_nss: verify that the name of the sid belongs to the configured domain
  Author: Stefan Metzmacher, Age: 2021-11-18, Files: 1, Lines: -5/+21

  We already check the sid belongs to the domain, but checking the name too feels better and makes it easier to understand.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  (cherry picked from commit bfd093648b4af51d104096c0cb3535e8706671e5)
* IPA DC: add missing checks
  Author: Alexander Bokovoy, Age: 2021-11-18, Files: 2, Lines: -0/+2

  When introducing FreeIPA support, two places were forgotten:

  - schannel gensec module needs to be aware of IPA DC
  - _lsa_QueryInfoPolicy should treat IPA DC as PDC

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14903

  Signed-off-by: Alexander Bokovoy <ab@samba.org>
  Reviewed-by: Guenther Deschner <gd@samba.org>
  Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
  Autobuild-Date(master): Sat Nov 13 07:01:26 UTC 2021 on sn-devel-184
  (cherry picked from commit c69b66f649c1d47a7367f7efe25b8df32369a3a5)
* s3:winbindd: fix "allow trusted domains = no" regression
  Author: Stefan Metzmacher, Age: 2021-11-10, Files: 1, Lines: -1/+1

  add_trusted_domain() should only reject domains based on is_allowed_domain(), which now also checks "allow trusted domains = no", if we don't have an explicit trust to the domain (SEC_CHAN_NULL).

  We use at least SEC_CHAN_LOCAL for local domains like BUILTIN.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14899

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
  Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
  Autobuild-Date(master): Wed Nov 10 11:21:31 UTC 2021 on sn-devel-184
  (cherry picked from commit a7f6c60cb037b4bc9eee276236539b8282213935)
  Autobuild-User(v4-14-test): Stefan Metzmacher <metze@samba.org>
  Autobuild-Date(v4-14-test): Wed Nov 10 23:45:06 UTC 2021 on sn-devel-184
* lib: handle NTTIME_THAW in nt_time_to_full_timespec()
  Author: Ralph Boehme, Age: 2021-11-10, Files: 2, Lines: -4/+3

  Preliminary handling of NTTIME_THAW to avoid NTTIME_THAW being passed as some mangled value down to the VFS set timestamps function.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14127
  RN: Avoid storing NTTIME_THAW (-2) as value on disk

  Signed-off-by: Ralph Boehme <slow@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  (cherry picked from commit 6ed71ad7e6aa98a34cfde95d7d62c46694d58469)
  Autobuild-User(v4-14-test): Jule Anger <janger@samba.org>
  Autobuild-Date(v4-14-test): Wed Nov 10 15:54:35 UTC 2021 on sn-devel-184
* torture: add a test for NTTIME_FREEZE and NTTIME_THAW
  Author: Ralph Boehme, Age: 2021-11-10, Files: 2, Lines: -0/+209

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14127

  Signed-off-by: Ralph Boehme <slow@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  (cherry picked from commit 0659069f8292996be475d407b53d161aa3f35554)
* lib: add a test for null_nttime(NTTIME_THAW)
  Author: Ralph Boehme, Age: 2021-11-10, Files: 1, Lines: -0/+1

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14127

  Signed-off-by: Ralph Boehme <slow@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  (cherry picked from commit 194faa76161a12ae1eae2b471d6f159d97ef75a8)
* lib: update null_nttime() of -1: -1 is NTTIME_FREEZE
  Author: Ralph Boehme, Age: 2021-11-10, Files: 2, Lines: -2/+2

  NTTIME_FREEZE is not a nil sentinel value, instead it implies special, yet unimplemented semantics. Callers must deal with those values specifically and null_nttime() must not lie about their nature.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14127

  Signed-off-by: Ralph Boehme <slow@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  (cherry picked from commit 5503bde93bddf3634b183e665773399c110251d4)
* lib: use NTTIME_FREEZE in a null_nttime() test
  Author: Ralph Boehme, Age: 2021-11-10, Files: 1, Lines: -1/+1

  No change in behaviour.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14127

  Signed-off-by: Ralph Boehme <slow@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  (cherry picked from commit e2740e4868f2a49877a86a8666d26226b5657317)
* lib: fix null_nttime() tests
  Author: Ralph Boehme, Age: 2021-11-10, Files: 1, Lines: -1/+1

  The test was checking -1 twice:

      torture_assert(tctx, null_nttime(-1), "-1");
      torture_assert(tctx, null_nttime(-1), "-1");

  The first line was likely supposed to test the value "0".

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14127

  Signed-off-by: Ralph Boehme <slow@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  (cherry picked from commit d84779302cc54a7b84c05ccc458e04b27fd142f4)
* lib: add NTTIME_THAW
  Author: Ralph Boehme, Age: 2021-11-10, Files: 1, Lines: -0/+1

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14127

  Signed-off-by: Ralph Boehme <slow@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  (cherry picked from commit f73aff502cadabb7fe6b94a697f0a2256d1d4aca)
* VERSION: Bump version up to Samba 4.14.11...
  Author: Stefan Metzmacher, Age: 2021-11-09, Files: 1, Lines: -2/+2

  and re-enable GIT_SNAPSHOT.

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
* VERSION: Disable GIT_SNAPSHOT for the 4.14.10 release.
  Tag: samba-4.14.10
  Author: Jule Anger, Age: 2021-11-08, Files: 1, Lines: -1/+1

  Signed-off-by: Jule Anger <janger@samba.org>
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Signed-off-by: Karolin Seeger <kseeger@samba.org>
* WHATSNEW: Add release notes for Samba 4.14.10.
  Author: Jule Anger, Age: 2021-11-08, Files: 1, Lines: -2/+111

  Signed-off-by: Jule Anger <janger@samba.org>
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Signed-off-by: Karolin Seeger <kseeger@samba.org>
* CVE-2021-3738 s4:rpc_server/samr: make use of dcesrv_samdb_connect_as_*() helper
  Author: Stefan Metzmacher, Age: 2021-11-08, Files: 2, Lines: -43/+7

  This avoids a crash that's triggered by windows clients using handles from samr_Connect*() on across multiple connections within an association group.

  In other cases it is not strictly required, but it makes it easier to audit that source4/rpc_server no longer calls samdb_connect() directly and also improves the auditing for the dcesrv_samdb_connect_as_system() case.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* CVE-2021-3738 s4:rpc_server/netlogon: make use of dcesrv_samdb_connect_as_*() helper
  Author: Stefan Metzmacher, Age: 2021-11-08, Files: 1, Lines: -118/+18

  This is not strictly required, but it makes it easier to audit that source4/rpc_server no longer calls samdb_connect() directly and also improves auditing for the dcesrv_samdb_connect_as_system() case.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* CVE-2021-3738 s4:rpc_server/lsa: make use of dcesrv_samdb_connect_as_user() helper
  Author: Stefan Metzmacher, Age: 2021-11-08, Files: 1, Lines: -6/+1

  This avoids a crash that's triggered by windows clients using handles from OpenPolicy[2]() on across multiple connections within an association group.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* CVE-2021-3738 s4:rpc_server/dnsserver: make use of dcesrv_samdb_connect_as_user() helper
  Author: Stefan Metzmacher, Age: 2021-11-08, Files: 1, Lines: -9/+2

  This is not strictly required, but it makes it easier to audit that source4/rpc_server no longer calls samdb_connect() directly.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* CVE-2021-3738 s4:rpc_server/drsuapi: make use of assoc_group aware dcesrv_samdb_connect_as_*() helpers
  Author: Stefan Metzmacher, Age: 2021-11-08, Files: 2, Lines: -37/+19

  This avoids a crash that's triggered by windows clients using DsCrackNames across multiple connections within an association group on the same DsBind context(policy) handle.

  It also improves the auditing for the dcesrv_samdb_connect_as_system() case.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* CVE-2021-3738 s4:rpc_server/common: provide assoc_group aware dcesrv_samdb_connect_as_{system,user}() helpers
  Author: Stefan Metzmacher, Age: 2021-11-08, Files: 1, Lines: -16/+105

  We already had dcesrv_samdb_connect_as_system(), but it uses the per connection memory of auth_session_info and remote_address.

  But in order to use the samdb connection on a per association group context/policy handle, we need to make copies, which last for the whole lifetime of the 'samdb' context.

  We need the same logic also for all cases we make use of the almost same logic where we want to create a samdb context on behalf of the authenticated user (without allowing system access), so we introduce dcesrv_samdb_connect_as_user().

  In the end we need to replace all direct callers to samdb_connect() from source4/rpc_server.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* CVE-2021-3738 auth_util: avoid talloc_tos() in copy_session_info()
  Author: Stefan Metzmacher, Age: 2021-11-08, Files: 1, Lines: -3/+6

  We want to use this also in code without existing stackframe.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* CVE-2021-3738 s4:torture/drsuapi: DsBindAssocGroup* tests
  Author: Stefan Metzmacher, Age: 2021-11-08, Files: 2, Lines: -0/+173

  This adds a reproducer for an invalid memory access, when using the context handle from DsBind across multiple connections within an association group.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* CVE-2021-3738 s4:torture/drsuapi: maintain priv->admin_credentials
  Author: Stefan Metzmacher, Age: 2021-11-08, Files: 2, Lines: -0/+4

  This will be used in the next commits.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  [abartlet@samba.org Backported from patch for master to use the older popt functions as master has the new common command line handling]
* CVE-2021-3738 s4:torture/drsuapi: maintain priv->dc_credentials
  Author: Stefan Metzmacher, Age: 2021-11-08, Files: 2, Lines: -2/+2

  We want to use the credentials of the joined dc account in future tests.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* CVE-2021-3738 s4:torture/drsuapi: don't pass DsPrivate to test_DsBind()
  Author: Stefan Metzmacher, Age: 2021-11-08, Files: 3, Lines: -11/+16

  This will make it easier to reuse.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* CVE-2016-2124: s3:libsmb: don't fallback to non spnego authentication if we require kerberos
  Author: Stefan Metzmacher, Age: 2021-11-08, Files: 1, Lines: -0/+9

  We should not send NTLM[v2] nor plaintext data on the wire if the user asked for kerberos only.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12444

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
* CVE-2016-2124: s4:libcli/sesssetup: don't fallback to non spnego authentication if we require kerberos
  Author: Stefan Metzmacher, Age: 2021-11-08, Files: 1, Lines: -0/+14

  We should not send NTLM[v2] data on the wire if the user asked for kerberos only.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12444

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
* CVE-2021-23192: dcesrv_core: only the first fragment specifies the auth_contexts
  Author: Stefan Metzmacher, Age: 2021-11-08, Files: 6, Lines: -46/+109

  All other fragments blindly inherit it.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Samuel Cabrero <scabrero@samba.org>
* CVE-2021-23192: python/tests/dcerpc: add tests to check how security contexts relate to fragmented requests
  Author: Stefan Metzmacher, Age: 2021-11-08, Files: 2, Lines: -0/+1293

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Samuel Cabrero <scabrero@samba.org>
* CVE-2021-23192: python/tests/dcerpc: fix do_single_request(send_req=False)
  Author: Stefan Metzmacher, Age: 2021-11-08, Files: 1, Lines: -17/+20

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Samuel Cabrero <scabrero@samba.org>
* CVE-2021-23192: python/tests/dcerpc: let generate_request_auth() use g_auth_level in all places
  Author: Stefan Metzmacher, Age: 2021-11-08, Files: 1, Lines: -3/+3

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Samuel Cabrero <scabrero@samba.org>
* CVE-2021-23192: python/tests/dcerpc: change assertNotEquals() into assertNotEqual()
  Author: Stefan Metzmacher, Age: 2021-11-08, Files: 2, Lines: -151/+151

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Samuel Cabrero <scabrero@samba.org>
* CVE-2021-23192: dcesrv_core: add dcesrv_fault_disconnect0() that skips DCERPC_PFC_FLAG_DID_NOT_EXECUTE
  Author: Stefan Metzmacher, Age: 2021-11-08, Files: 1, Lines: -31/+16

  That makes the callers much simpler and allows better debugging.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Samuel Cabrero <scabrero@samba.org>
* CVE-2021-23192: dcesrv_core: add better debugging to dcesrv_fault_disconnect()
  Author: Stefan Metzmacher, Age: 2021-11-08, Files: 1, Lines: -5/+24

  It's better to see the location that triggered the fault.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Samuel Cabrero <scabrero@samba.org>
* CVE-2021-23192 librpc: Remove the gensec dependency from library dcerpc-binding
  Author: Volker Lendecke, Age: 2021-11-08, Files: 10, Lines: -490/+613

  This means yet another library, but having to depend on gensec just for dcerpc_parse_binding() and basic packet parsing seems like a bit overkill to me.

  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Tue Apr 6 23:33:14 UTC 2021 on sn-devel-184

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875

  (cherry picked from commit 4d3b6506d30e4bf302f832493dad00a83b73d370)
* CVE-2021-23192 rpc: Give dcerpc_util.c its own header
  Author: Volker Lendecke, Age: 2021-11-08, Files: 12, Lines: -74/+113

  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875

  (cherry picked from commit 8945d99758d8bedd374f1c51304b87a6cf10498c)
* CVE-2020-25722 selftest: Ensure check for duplicate servicePrincipalNames is not bypassed for an add operation
  Author: Joseph Sutton, Age: 2021-11-08, Files: 2, Lines: -15/+12

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564

  If one of the objectClass checks passed, samldb_add() could return through one of the samldb_fill_*() functions and skip the servicePrincipalName uniqueness checking.

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
* CVE-2020-25722 selftest: Add test for duplicate servicePrincipalNames on an add operation
  Author: Joseph Sutton, Age: 2021-11-08, Files: 2, Lines: -0/+23

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
* CVE-2020-25722 pytests: Give computer accounts unique (and valid) sAMAccountNames and SPNs
  Author: Stefan Metzmacher, Age: 2021-11-08, Files: 1, Lines: -6/+12

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
* CVE-2020-25719 selftest: Always expect a PAC in TGS replies with Heimdal
  Author: Andrew Bartlett, Age: 2021-11-08, Files: 1, Lines: -1/+1

  This is tested in other places already, but this ensures a global check that a TGS-REP has a PAC, regardless.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
* Revert "CVE-2020-25719 heimdal:kdc: Require authdata to be present"
  Author: Andrew Bartlett, Age: 2021-11-08, Files: 1, Lines: -1/+1

  This reverts an earlier commit that was incorrect.

  It is not Samba practice to include a revert, but at this point in the patch preparation the ripple through the knownfail files is more trouble than can be justified.

  It is not correct to refuse to parse all tickets with no authorization data, only for the KDC to require that a PAC is found, which is done in "heimdal:kdc: Require PAC to be present"

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
* CVE-2020-25718 heimdal:kdc: Add comment about tests for tickets of users not revealed to an RODC
  Author: Joseph Sutton, Age: 2021-11-08, Files: 1, Lines: -1/+3

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14886

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* CVE-2020-25719 tests/krb5: Add tests for using a ticket with a renamed account
  Author: Joseph Sutton, Age: 2021-11-08, Files: 6, Lines: -33/+129

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* CVE-2020-25718 tests/krb5: Only fetch RODC account credentials when necessary
  Author: Joseph Sutton, Age: 2021-11-08, Files: 1, Lines: -3/+6

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* CVE-2020-25719 heimdal:kdc: Require PAC to be present
  Author: Joseph Sutton, Age: 2021-11-08, Files: 2, Lines: -5/+4

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14686

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* CVE-2020-25722 kdc: Do not honour a request for a 3-part SPN (ending in our domain/realm) unless a DC
  Author: Andrew Bartlett, Age: 2021-11-08, Files: 3, Lines: -12/+23

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14776

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
* CVE-2020-25719 heimdal:kdc: Verify PAC in TGT provided for user-to-user authentication
  Author: Joseph Sutton, Age: 2021-11-08, Files: 2, Lines: -16/+28

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* CVE-2020-25719 heimdal:kdc: Check name in request against name in user-to-user TGT
  Author: Joseph Sutton, Age: 2021-11-08, Files: 2, Lines: -4/+55

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* CVE-2020-25719 heimdal:kdc: Use sname from request rather than user-to-user TGT client name
  Author: Joseph Sutton, Age: 2021-11-08, Files: 2, Lines: -78/+55

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* CVE-2020-25719 heimdal:kdc: Move fetching krbtgt entry to before enctype selection
  Author: Joseph Sutton, Age: 2021-11-08, Files: 1, Lines: -35/+35

  This allows us to use it when validating user-to-user.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>