Commit message | Author | Age | Files | Lines
* VERSION: Disable GIT_SNAPSHOT for the 4.14.10 release. (tag: samba-4.14.10)
  Jule Anger, 2021-11-08, 1 file changed, -1/+1

  Signed-off-by: Jule Anger <janger@samba.org>
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Signed-off-by: Karolin Seeger <kseeger@samba.org>

* WHATSNEW: Add release notes for Samba 4.14.10.
  Jule Anger, 2021-11-08, 1 file changed, -2/+111

  Signed-off-by: Jule Anger <janger@samba.org>
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Signed-off-by: Karolin Seeger <kseeger@samba.org>

* CVE-2021-3738 s4:rpc_server/samr: make use of dcesrv_samdb_connect_as_*() helper
  Stefan Metzmacher, 2021-11-08, 2 files changed, -43/+7

  This avoids a crash that's triggered by windows clients using handles from
  samr_Connect*() across multiple connections within an association group.

  In other cases it is not strictly required, but it makes it easier to audit
  that source4/rpc_server no longer calls samdb_connect() directly and also
  improves the auditing for the dcesrv_samdb_connect_as_system() case.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* CVE-2021-3738 s4:rpc_server/netlogon: make use of dcesrv_samdb_connect_as_*() helper
  Stefan Metzmacher, 2021-11-08, 1 file changed, -118/+18

  This is not strictly required, but it makes it easier to audit that
  source4/rpc_server no longer calls samdb_connect() directly and also
  improves auditing for the dcesrv_samdb_connect_as_system() case.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* CVE-2021-3738 s4:rpc_server/lsa: make use of dcesrv_samdb_connect_as_user() helper
  Stefan Metzmacher, 2021-11-08, 1 file changed, -6/+1

  This avoids a crash that's triggered by windows clients using handles from
  OpenPolicy[2]() across multiple connections within an association group.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* CVE-2021-3738 s4:rpc_server/dnsserver: make use of dcesrv_samdb_connect_as_user() helper
  Stefan Metzmacher, 2021-11-08, 1 file changed, -9/+2

  This is not strictly required, but it makes it easier to audit that
  source4/rpc_server no longer calls samdb_connect() directly.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* CVE-2021-3738 s4:rpc_server/drsuapi: make use of assoc_group aware dcesrv_samdb_connect_as_*() helpers
  Stefan Metzmacher, 2021-11-08, 2 files changed, -37/+19

  This avoids a crash that's triggered by windows clients using DsCrackNames
  across multiple connections within an association group on the same DsBind
  context(policy) handle.

  It also improves the auditing for the dcesrv_samdb_connect_as_system() case.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* CVE-2021-3738 s4:rpc_server/common: provide assoc_group aware dcesrv_samdb_connect_as_{system,user}() helpers
  Stefan Metzmacher, 2021-11-08, 1 file changed, -16/+105

  We already had dcesrv_samdb_connect_as_system(), but it uses the per
  connection memory of auth_session_info and remote_address. But in order to
  use the samdb connection on a per association group context/policy handle,
  we need to make copies, which last for the whole lifetime of the 'samdb'
  context.

  We need the same logic also for all cases where we make use of almost the
  same logic, where we want to create a samdb context on behalf of the
  authenticated user (without allowing system access), so we introduce
  dcesrv_samdb_connect_as_user().

  In the end we need to replace all direct callers to samdb_connect() from
  source4/rpc_server.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

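The lifetime problem behind the CVE-2021-3738 series above (a policy handle kept in an association group outliving the connection whose session_info and remote_address it still references) can be shown with a small ownership model. The following is an added illustration, not Samba's dcesrv code: the `Ctx` class is a toy stand-in for talloc parent/child lifetimes, `samdb_connect_borrowing` is the pre-fix pattern and `samdb_connect_as_user` the copying pattern the commit describes; the account name, SID and addresses are constructed, and the `as_system` variant is not modelled.

```python
"""Ownership model for a policy handle shared across the connections of a
DCERPC association group. Added illustration, not Samba's dcesrv code; Ctx is
a toy stand-in for talloc parent/child lifetimes."""
import copy


class UseAfterFree(Exception):
    """A read through a pointer whose talloc parent has already been freed."""


class Ctx:
    """Minimal talloc model: freeing a context frees everything allocated under it."""

    def __init__(self, parent=None, **fields):
        self.parent = parent
        self.children = []
        self.freed = False
        self.fields = fields
        if parent is not None:
            parent.children.append(self)

    def child(self, name, **fields):
        c = Ctx(self, **fields)
        self.fields[name] = c
        return c

    def get(self, name):
        if self.freed:
            raise UseAfterFree(name)
        return self.fields[name]

    def free(self):
        self.freed = True
        for c in self.children:
            c.free()

    def copy_to(self, new_parent):
        """Deep copy of this context's plain fields under another parent."""
        return Ctx(new_parent, **copy.deepcopy(self.fields))


def samdb_connect_borrowing(conn, assoc_group):
    """Pre-fix pattern: the samdb context lives on the association group (the
    policy handle keeps it) but still points at session_info and
    remote_address that the connection owns."""
    samdb = Ctx(assoc_group)
    samdb.fields["session_info"] = conn.get("session_info")
    samdb.fields["remote_address"] = conn.get("remote_address")
    return samdb


def samdb_connect_as_user(conn, assoc_group):
    """Fixed pattern: copy both objects so their lifetime matches the samdb
    context, i.e. the handle and its association group."""
    samdb = Ctx(assoc_group)
    samdb.fields["session_info"] = conn.get("session_info").copy_to(samdb)
    samdb.fields["remote_address"] = conn.get("remote_address").copy_to(samdb)
    return samdb


def new_connection(account_name, address):
    """Constructed per-connection state: session_info and remote_address are
    children of the connection and die with it."""
    conn = Ctx()
    conn.child("session_info", account_name=account_name,
               sid="S-1-5-21-1-2-3-1104")          # constructed SID
    conn.child("remote_address", addr=address)      # constructed address
    return conn


def handle_reuse_scenario(connect):
    """Open a handle on connection 1, close that connection, then use the
    handle from connection 2 of the same association group. Returns the
    account name the second connection sees, or raises UseAfterFree."""
    assoc_group = Ctx()                         # outlives any single connection
    conn1 = new_connection("alice", "10.0.0.5")
    assoc_group.fields["policy_handle"] = connect(conn1, assoc_group)
    conn1.free()                                # client drops the first connection
    conn2 = new_connection("alice", "10.0.0.5")  # same client, new connection
    samdb = assoc_group.get("policy_handle")
    # The request on conn2 is authorised against the session_info bound to the
    # handle, not conn2's own; this is where the dangling pointer is read.
    name = samdb.get("session_info").get("account_name")
    conn2.free()
    return name
```

`handle_reuse_scenario(samdb_connect_as_user)` returns the account name; the same scenario with `samdb_connect_borrowing` raises `UseAfterFree`, which is the crash the samr, lsa and drsuapi commits in this series avoid. The rule the model encodes: whatever a handle references must be owned by something that lives at least as long as the handle's container.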
* CVE-2021-3738 auth_util: avoid talloc_tos() in copy_session_info()
  Stefan Metzmacher, 2021-11-08, 1 file changed, -3/+6

  We want to use this also in code without existing stackframe.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* CVE-2021-3738 s4:torture/drsuapi: DsBindAssocGroup* tests
  Stefan Metzmacher, 2021-11-08, 2 files changed, -0/+173

  This adds a reproducer for an invalid memory access, when using the context
  handle from DsBind across multiple connections within an association group.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* CVE-2021-3738 s4:torture/drsuapi: maintain priv->admin_credentials
  Stefan Metzmacher, 2021-11-08, 2 files changed, -0/+4

  This will be used in the next commits.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

  [abartlet@samba.org Backported from patch for master to use the older popt
  functions as master has the new common command line handling]

* CVE-2021-3738 s4:torture/drsuapi: maintain priv->dc_credentials
  Stefan Metzmacher, 2021-11-08, 2 files changed, -2/+2

  We want to use the credentials of the joined dc account in future tests.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* CVE-2021-3738 s4:torture/drsuapi: don't pass DsPrivate to test_DsBind()
  Stefan Metzmacher, 2021-11-08, 3 files changed, -11/+16

  This will make it easier to reuse.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* CVE-2016-2124: s3:libsmb: don't fallback to non spnego authentication if we require kerberos
  Stefan Metzmacher, 2021-11-08, 1 file changed, -0/+9

  We should not send NTLM[v2] nor plaintext data on the wire if the user asked
  for kerberos only.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12444
  Signed-off-by: Stefan Metzmacher <metze@samba.org>

* CVE-2016-2124: s4:libcli/sesssetup: don't fallback to non spnego authentication if we require kerberos
  Stefan Metzmacher, 2021-11-08, 1 file changed, -0/+14

  We should not send NTLM[v2] data on the wire if the user asked for kerberos
  only.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12444
  Signed-off-by: Stefan Metzmacher <metze@samba.org>

* CVE-2021-23192: dcesrv_core: only the first fragment specifies the auth_contexts
  Stefan Metzmacher, 2021-11-08, 6 files changed, -46/+109

  All other fragments blindly inherit it.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Samuel Cabrero <scabrero@samba.org>

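The rule stated in the commit above, that a fragmented request runs under the security context chosen by its first fragment and no later fragment may pick another one, is easiest to see in a small reassembler. The following is an added example, not Samba's dcesrv_core: it builds real DCERPC request PDUs (common header, request header, sec_trailer, auth verifier) with `struct`, but the negotiated contexts in `CONTEXTS`, their keys and user names are constructed, and a keyed HMAC stands in for the GSSAPI/NTLMSSP signature. How the server reports the error (fault plus disconnect) is reduced to raising `ProtocolError`.

```python
"""Reassembly of fragmented DCERPC requests in which only the first fragment
may select the security context. Added illustration, not Samba's dcesrv_core."""
import hashlib
import hmac
import struct

PFC_FIRST_FRAG = 0x01
PFC_LAST_FRAG = 0x02
PTYPE_REQUEST = 0x00
AUTH_TYPE_NTLMSSP = 10        # DCERPC auth_type value for NTLMSSP
AUTH_LEVEL_PRIVACY = 6        # DCERPC auth_level value for sign and seal
MAC_LEN = 16

HDR = struct.Struct("<BBBB4sHHI")      # rpc_vers, minor, ptype, pfc_flags, drep, frag_length, auth_length, call_id
REQ = struct.Struct("<IHH")            # alloc_hint, p_cont_id, opnum
SEC_TRAILER = struct.Struct("<BBBBI")  # auth_type, auth_level, auth_pad_length, auth_reserved, auth_context_id

# Constructed table of security contexts negotiated earlier on this connection.
# A real server holds a GSSAPI/NTLMSSP context per auth_context_id; a keyed
# MAC stands in for the mechanism's signature here.
CONTEXTS = {
    1: {"auth_type": AUTH_TYPE_NTLMSSP, "auth_level": AUTH_LEVEL_PRIVACY,
        "key": b"constructed-key-alice", "user": "alice"},
    2: {"auth_type": AUTH_TYPE_NTLMSSP, "auth_level": AUTH_LEVEL_PRIVACY,
        "key": b"constructed-key-admin", "user": "administrator"},
}


class ProtocolError(Exception):
    """Raised where a server would send a fault and drop the connection."""


def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()[:MAC_LEN]


def build_request(call_id, flags, stub, ctx_id, opnum=0):
    """Client side: one request fragment with an auth trailer for context ctx_id."""
    ctx = CONTEXTS[ctx_id]
    pad = (-len(stub)) % 4                    # stub is padded to a 4-byte boundary
    body = REQ.pack(len(stub), 0, opnum) + stub + b"\0" * pad
    trailer = SEC_TRAILER.pack(ctx["auth_type"], ctx["auth_level"], pad, 0, ctx_id)
    frag_length = HDR.size + len(body) + SEC_TRAILER.size + MAC_LEN
    hdr = HDR.pack(5, 0, PTYPE_REQUEST, flags, b"\x10\0\0\0", frag_length, MAC_LEN, call_id)
    signed = hdr + body + trailer
    return signed + _mac(ctx["key"], signed)


class Reassembler:
    """Server side: collects fragments per call_id under one security context."""

    def __init__(self):
        self.pending = {}   # call_id -> {"ctx_id": int, "stub": bytearray}

    def feed(self, pdu):
        rpc_vers, _, ptype, flags, _, frag_length, auth_length, call_id = HDR.unpack_from(pdu)
        if rpc_vers != 5 or ptype != PTYPE_REQUEST or frag_length != len(pdu):
            raise ProtocolError("malformed request header")
        if auth_length != MAC_LEN:
            raise ProtocolError("missing or malformed auth trailer")
        trailer_off = frag_length - auth_length - SEC_TRAILER.size
        auth_type, auth_level, pad, _, ctx_id = SEC_TRAILER.unpack_from(pdu, trailer_off)
        ctx = CONTEXTS.get(ctx_id)
        if ctx is None or (auth_type, auth_level) != (ctx["auth_type"], ctx["auth_level"]):
            raise ProtocolError("unknown security context in trailer")
        mac_off = trailer_off + SEC_TRAILER.size
        if not hmac.compare_digest(_mac(ctx["key"], pdu[:mac_off]), pdu[mac_off:]):
            raise ProtocolError("bad signature")
        stub = pdu[HDR.size + REQ.size:trailer_off - pad]

        state = self.pending.get(call_id)
        if flags & PFC_FIRST_FRAG:
            if state is not None:
                raise ProtocolError("duplicate first fragment")
            # Only the first fragment chooses the context the whole call runs under.
            state = self.pending[call_id] = {"ctx_id": ctx_id, "stub": bytearray()}
        elif state is None:
            raise ProtocolError("continuation fragment without a first fragment")
        elif state["ctx_id"] != ctx_id:
            # Later fragments inherit the first fragment's context; a fragment
            # naming a different, even validly signed, context may not switch
            # the identity the request is processed under.
            del self.pending[call_id]
            raise ProtocolError("security context changed between fragments")
        state["stub"] += stub
        if not flags & PFC_LAST_FRAG:
            return None
        del self.pending[call_id]
        return {"call_id": call_id, "user": CONTEXTS[state["ctx_id"]]["user"],
                "stub": bytes(state["stub"])}
```

Feeding a first fragment signed under context 1 and a last fragment signed under context 2 for the same call_id raises `ProtocolError` and discards the partial request, even though each fragment on its own carries a valid verifier; that is the check this commit adds. Whether a server rejects the mismatching fragment or ignores its trailer and keeps verifying with the inherited context is an implementation choice; the model rejects, since both paths must end with the request attributed to the first fragment's identity.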
* CVE-2021-23192: python/tests/dcerpc: add tests to check how security contexts relate to fragmented requests
  Stefan Metzmacher, 2021-11-08, 2 files changed, -0/+1293

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Samuel Cabrero <scabrero@samba.org>

* CVE-2021-23192: python/tests/dcerpc: fix do_single_request(send_req=False)
  Stefan Metzmacher, 2021-11-08, 1 file changed, -17/+20

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Samuel Cabrero <scabrero@samba.org>

* CVE-2021-23192: python/tests/dcerpc: let generate_request_auth() use g_auth_level in all places
  Stefan Metzmacher, 2021-11-08, 1 file changed, -3/+3

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Samuel Cabrero <scabrero@samba.org>

* CVE-2021-23192: python/tests/dcerpc: change assertNotEquals() into assertNotEqual()
  Stefan Metzmacher, 2021-11-08, 2 files changed, -151/+151

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Samuel Cabrero <scabrero@samba.org>

* CVE-2021-23192: dcesrv_core: add dcesrv_fault_disconnect0() that skips DCERPC_PFC_FLAG_DID_NOT_EXECUTE
  Stefan Metzmacher, 2021-11-08, 1 file changed, -31/+16

  That makes the callers much simpler and allow better debugging.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Samuel Cabrero <scabrero@samba.org>

* CVE-2021-23192: dcesrv_core: add better debugging to dcesrv_fault_disconnect()
  Stefan Metzmacher, 2021-11-08, 1 file changed, -5/+24

  It's better to see the location that triggered the fault.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Samuel Cabrero <scabrero@samba.org>

* CVE-2021-23192 librpc: Remove the gensec dependency from library dcerpc-binding
  Volker Lendecke, 2021-11-08, 10 files changed, -490/+613

  This means yet another library, but having to depend on gensec just for
  dcerpc_parse_binding() and basic packet parsing seems like a bit overkill
  to me.

  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>

  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Tue Apr 6 23:33:14 UTC 2021 on sn-devel-184

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875
  (cherry picked from commit 4d3b6506d30e4bf302f832493dad00a83b73d370)

* CVE-2021-23192 rpc: Give dcerpc_util.c its own header
  Volker Lendecke, 2021-11-08, 12 files changed, -74/+113

  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875
  (cherry picked from commit 8945d99758d8bedd374f1c51304b87a6cf10498c)

* CVE-2020-25722 selftest: Ensure check for duplicate servicePrincipalNames is not bypassed for an add operation
  Joseph Sutton, 2021-11-08, 2 files changed, -15/+12

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564

  If one of the objectClass checks passed, samldb_add() could return through
  one of the samldb_fill_*() functions and skip the servicePrincipalName
  uniqueness checking.

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>

* CVE-2020-25722 selftest: Add test for duplicate servicePrincipalNames on an add operation
  Joseph Sutton, 2021-11-08, 2 files changed, -0/+23

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>

* CVE-2020-25722 pytests: Give computer accounts unique (and valid) sAMAccountNames and SPNs
  Stefan Metzmacher, 2021-11-08, 1 file changed, -6/+12

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564

  Signed-off-by: Stefan Metzmacher <metze@samba.org>

* CVE-2020-25719 selftest: Always expect a PAC in TGS replies with Heimdal
  Andrew Bartlett, 2021-11-08, 1 file changed, -1/+1

  This is tested in other places already, but this ensures a global check
  that a TGS-REP has a PAC, regardless.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

* Revert "CVE-2020-25719 heimdal:kdc: Require authdata to be present"
  Andrew Bartlett, 2021-11-08, 1 file changed, -1/+1

  This reverts an earlier commit that was incorrect.

  It is not Samba practice to include a revert, but at this point in the
  patch preparation the ripple through the knownfail files is more trouble
  than can be justified.

  It is not correct to refuse to parse all tickets with no authorization
  data, only for the KDC to require that a PAC is found, which is done in
  "heimdal:kdc: Require PAC to be present"

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

* CVE-2020-25718 heimdal:kdc: Add comment about tests for tickets of users not revealed to an RODC
  Joseph Sutton, 2021-11-08, 1 file changed, -1/+3

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14886

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* CVE-2020-25719 tests/krb5: Add tests for using a ticket with a renamed account
  Joseph Sutton, 2021-11-08, 6 files changed, -33/+129

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* CVE-2020-25718 tests/krb5: Only fetch RODC account credentials when necessary
  Joseph Sutton, 2021-11-08, 1 file changed, -3/+6

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* CVE-2020-25719 heimdal:kdc: Require PAC to be present
  Joseph Sutton, 2021-11-08, 2 files changed, -5/+4

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14686

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* CVE-2020-25722 kdc: Do not honour a request for a 3-part SPN (ending in our domain/realm) unless a DC
  Andrew Bartlett, 2021-11-08, 3 files changed, -12/+23

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14776

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

* CVE-2020-25719 heimdal:kdc: Verify PAC in TGT provided for user-to-user authentication
  Joseph Sutton, 2021-11-08, 2 files changed, -16/+28

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* CVE-2020-25719 heimdal:kdc: Check name in request against name in user-to-user TGT
  Joseph Sutton, 2021-11-08, 2 files changed, -4/+55

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* CVE-2020-25719 heimdal:kdc: Use sname from request rather than user-to-user TGT client name
  Joseph Sutton, 2021-11-08, 2 files changed, -78/+55

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* CVE-2020-25719 heimdal:kdc: Move fetching krbtgt entry to before enctype selection
  Joseph Sutton, 2021-11-08, 1 file changed, -35/+35

  This allows us to use it when validating user-to-user.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* CVE-2020-25719 heimdal:kdc: Check return code
  Joseph Sutton, 2021-11-08, 1 file changed, -1/+4

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* CVE-2020-25719 s4:kdc: Add KDC support for PAC_REQUESTER_SID PAC buffer
  Joseph Sutton, 2021-11-08, 5 files changed, -75/+185

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* CVE-2020-25722 Ensure the structural objectclass cannot be changed
  Andrew Bartlett, 2021-11-08, 5 files changed, -34/+37

  If the structural objectclass is allowed to change, then the restrictions
  locking an object to remaining a user or computer will not be enforceable.

  Likewise other LDAP inheritance rules, which allow only certain child
  objects can be bypassed, which can in turn allow creation of (unprivileged)
  users where only DNS objects were expected.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14889

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

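The invariant the commit above enforces, that the structural objectClass fixed when an object is created can never be changed by a later modify, can be checked with a few lines of schema logic. The following is an added example and not Samba's samldb or objectclass module: `SCHEMA` is a constructed slice of the AD class hierarchy (the real one is far larger), `apply_objectclass_modify` models only the objectClass attribute of an LDAP modify, and the error type stands in for whatever LDAP result code a server would return.

```python
"""Refuse LDAP modifies that would change an object's structural objectClass.
Added illustration, not Samba's samldb/objectclass module; SCHEMA is a
constructed slice of the AD class hierarchy."""

# class name -> (superclass, kind)
SCHEMA = {
    "top": (None, "abstract"),
    "person": ("top", "structural"),
    "organizationalPerson": ("person", "structural"),
    "user": ("organizationalPerson", "structural"),
    "computer": ("user", "structural"),
    "dnsNode": ("top", "structural"),
    "securityPrincipal": ("top", "auxiliary"),
    "posixAccount": ("top", "auxiliary"),
}


class ConstraintViolation(Exception):
    """Where a server would return an LDAP error instead of applying the change."""


def superclass_chain(name):
    """name and all of its ancestors, most derived first."""
    chain = []
    while name is not None:
        if name not in SCHEMA:
            raise ConstraintViolation(f"unknown objectClass {name}")
        chain.append(name)
        name = SCHEMA[name][0]
    return chain


def expand(object_classes):
    """objectClass values with every superclass filled in (AD stores the full chain)."""
    full = set()
    for c in object_classes:
        full.update(superclass_chain(c))
    return full


def structural_class(object_classes):
    """The single most derived structural class; a violation if there is none
    or if two unrelated structural chains are present."""
    structural = {c for c in expand(object_classes) if SCHEMA[c][1] == "structural"}
    ancestors = set()
    for c in structural:
        ancestors.update(superclass_chain(c)[1:])
    leaves = structural - ancestors
    if len(leaves) != 1:
        raise ConstraintViolation(
            f"object needs exactly one structural class, got {sorted(leaves)}")
    return leaves.pop()


def apply_objectclass_modify(existing, mods):
    """mods: list of (op, values) against objectClass, op in add/delete/replace.
    Returns the resulting expanded objectClass set or raises."""
    classes = list(existing)
    for op, values in mods:
        if op == "add":
            classes.extend(values)
        elif op == "delete":
            classes = [c for c in classes if c not in set(values)]
        elif op == "replace":
            classes = list(values)
        else:
            raise ConstraintViolation(f"unknown modify op {op}")
    before = structural_class(existing)
    after = structural_class(classes)
    if before != after:
        # The point of the fix: every later "is this a user / computer / DNS
        # object?" decision relies on the class chosen at creation time.
        raise ConstraintViolation(
            f"structural objectClass {before} may not become {after}")
    return expand(classes)
```

Adding an auxiliary class such as `posixAccount` to a `user` is allowed, while adding `computer` to a `user`, replacing its classes with `computer`, or turning a `dnsNode` into a `user` all raise, even though each would be a syntactically valid objectClass value list on its own.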
* CVE-2020-25721 auth: Fill in the new HAS_SAM_NAME_AND_SID values
  Andrew Bartlett, 2021-11-08, 4 files changed, -16/+8

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14835

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

* CVE-2020-25719 kdc: Avoid races and multiple DB lookups in s4u2self check
  Andrew Bartlett, 2021-11-08, 5 files changed, -78/+52

  Looking up the DB twice is subject to a race and is a poor use of
  resources, so instead just pass in the record we already got when trying to
  confirm that the server in S4U2Self is the same as the requesting client.

  The client record has already been bound to the original client by the SID
  check in the PAC.

  Likewise by looking up server only once we ensure that the keys looked up
  originally are in the record we confirm the SID for here.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14686

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

* CVE-2020-25718 kdc: Return ERR_POLICY if RODC krbtgt account is invalid
  Joseph Sutton, 2021-11-08, 4 files changed, -12/+8

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* CVE-2020-25718 kdc: Confirm the RODC was allowed to issue a particular ticket
  Andrew Bartlett, 2021-11-08, 9 files changed, -54/+187

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

* CVE-2020-25718 dsdb: Bring sid_helper.c into common code as rodc_helper.c
  Andrew Bartlett, 2021-11-08, 5 files changed, -12/+2

  These common routines will assist the KDC to do the same access checking as
  the RPC servers need to do regarding which accounts a RODC can act with
  regard to.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

* CVE-2020-25718 s4-rpc_server: Add in debug messages into RODC processing
  Andrew Bartlett, 2021-11-08, 1 file changed, -1/+17

  These are added for the uncommon cases.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

* CVE-2020-25718 s4-rpc_server: Explain why we use DSDB_SEARCH_SHOW_EXTENDED_DN in RODC access check
  Andrew Bartlett, 2021-11-08, 2 files changed, -2/+10

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

* CVE-2020-25718 s4-rpc_server: Remove unused attributes in RODC check
  Andrew Bartlett, 2021-11-08, 2 files changed, -4/+1

  In particular the objectGUID is no longer used, and in the NETLOGON case
  the special case for msDS-KrbTgtLink does not apply.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

* CVE-2020-25718 s4-rpc_server: Provide wrapper samdb_confirm_rodc_allowed_to_repl_to()
  Andrew Bartlett, 2021-11-08, 3 files changed, -48/+51

  This shares the lookup of the tokenGroups attribute.

  There will be a new caller that does not want to do this step, so this is a
  wrapper of samdb_confirm_rodc_allowed_to_repl_to_sid_list() rather than
  part of it.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

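The split described in the commit above (a core check over an already expanded SID list, plus a wrapper that does the tokenGroups expansion for callers that have only the account), and the "same access checking" the rodc_helper.c commit wants the KDC and the RPC servers to share, can be modelled in a few lines. The following is an added example, not Samba's rodc_helper.c: the domain SID, accounts, groups and the RODC's allow/deny attribute values are constructed, `MEMBER_OF` stands in for the directory, and the precedence rule (any denied SID wins over any allowed SID, as for AD's Denied RODC Password Replication Group) is stated here as an assumption about the directory semantics being modelled.

```python
"""Decide whether an RODC may act for an account: one rule shared by the RPC
replication path and the KDC. Added illustration, not Samba's rodc_helper.c;
directory contents, SIDs and attribute values below are constructed."""

DOMAIN = "S-1-5-21-1000-2000-3000"          # constructed domain SID

# Constructed directory: SID -> direct group memberships (memberOf).
MEMBER_OF = {
    f"{DOMAIN}-1104": {f"{DOMAIN}-2001"},                    # alice: Branch Users
    f"{DOMAIN}-1105": {f"{DOMAIN}-512"},                     # carol: Domain Admins
    f"{DOMAIN}-1106": {f"{DOMAIN}-2001", f"{DOMAIN}-2002"},  # bob: Branch Users, Helpdesk
    f"{DOMAIN}-2001": {f"{DOMAIN}-571"},   # Branch Users -> Allowed RODC Password Replication Group
    f"{DOMAIN}-2002": {f"{DOMAIN}-512"},   # Helpdesk -> Domain Admins (nested)
    f"{DOMAIN}-512": {f"{DOMAIN}-572"},    # Domain Admins -> Denied RODC Password Replication Group
}

# Constructed RODC account attributes: the reveal-on-demand and never-reveal sets.
RODC = {
    "reveal_on_demand": {f"{DOMAIN}-571"},
    "never_reveal": {f"{DOMAIN}-572"},
}


def token_groups(sid):
    """Transitive closure of group membership, like the tokenGroups attribute."""
    seen = set()
    todo = [sid]
    while todo:
        s = todo.pop()
        for g in MEMBER_OF.get(s, ()):
            if g not in seen:
                seen.add(g)
                todo.append(g)
    return seen


def rodc_allowed_to_repl_to_sid_list(rodc, sids):
    """Core rule over an already expanded SID list. Assumption: a single SID
    in the never-reveal set denies, regardless of how many SIDs are allowed.
    This is the function a caller that already holds the SID list uses."""
    sids = set(sids)
    if sids & rodc["never_reveal"]:
        return False
    return bool(sids & rodc["reveal_on_demand"])


def rodc_allowed_to_repl_to(rodc, account_sid):
    """Wrapper that does the tokenGroups expansion once, then applies the rule.
    The account's own SID is included so a directly listed account also works."""
    return rodc_allowed_to_repl_to_sid_list(rodc, token_groups(account_sid) | {account_sid})
```

With this data alice (Branch Users, which is in the allowed group) passes, carol (Domain Admins) is denied, and bob is denied even though he is also a Branch User, because Helpdesk nests into Domain Admins and the deny set wins. A caller such as a KDC that already has the account's SID list from the record it fetched would call `rodc_allowed_to_repl_to_sid_list` directly rather than the wrapper, which is the reason the commit keeps the two apart.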