Commit log (each entry: commit message, followed by author, date, files changed and lines removed/added)
...
* CVE-2022-37966 Fix enctype selection issues for PAC and other authz-data signatures
  Nicolas Williams, 2022-12-14, 1 file, -24/+33

  We were using the enctype from the PA-TGS-REQ's AP-REQ's Ticket to decide what key from the service's realm's krbtgt principal to use. This breaks when: a) we're doing cross-realm, b) the service's realm's krbtgt principal doesn't have keys for the enctype used in the cross-realm TGT. The fix is to pick the correct key (strongest or first, per-config) from the service's realm's krbtgt principal.

  (backported from Heimdal commit 8586d9f88efcf60b971466f0d83ea0bc1962e24f)
  [jsutton@samba.org Fixed conflicts due to different Heimdal revision]
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  [This is 4.15 only]
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* CVE-2022-37966 selftest: Run S4U tests against FL2003 DC
  Joseph Sutton, 2022-12-14, 3 files, -6/+71

  This shows that changes around RC4 encryption types do not break older functional levels where only RC4 keys are available.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit 44802c46b18caf3c7f9f2fb1b66025fc30e22ac5)
  [jsutton@samba.org Fixed import conflict]
* CVE-2022-37966 selftest: Add tests for Kerberos session key behaviour since ENC_HMAC_SHA1_96_AES256_SK was added
  Joseph Sutton, 2022-12-14, 10 files, -141/+1549

  ENC_HMAC_SHA1_96_AES256_SK is a flag introduced by Microsoft in this CVE to indicate that, additionally, AES session keys are available.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  (similar to commit 371d7e63fcb966ab54915a3dedb888d48adbf0c0)
  [jsutton@samba.org Removed unneeded fast_tests.py change, added non_etype_bits in raw_testcase.py, fixed conflicts in knownfails and tests.py]
  [jsutton@samba.org Fixed conflicts in tests and knownfails]
  [jsutton@samba.org Fixed conflicts in raw_testcase.py, tests.py; moved test_fast_rc4 knownfail to 'KDC TGS tests' section with other FAST knownfails]
* CVE-2022-37966 samba-tool: Declare explicitly RC4 support of trust objects
  Joseph Sutton, 2022-12-14, 1 file, -2/+5

  As we will assume, as part of the fixes for CVE-2022-37966, that trust objects with no msDS-SupportedEncryptionTypes attribute support AES keys, RC4 support must now be explicitly indicated.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit 086646865eef247a54897f5542495a2105563a5e)
* CVE-2022-37966 samba-tool: Fix 'domain trust create' documentation
  Joseph Sutton, 2022-12-14, 1 file, -1/+1

  This option does the opposite of what the documentation claims.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit 6b155b22e6afa52ce29cc475840c1d745b0f1f5e)
* CVE-2022-37966 third_party/heimdal: Fix error message typo
  Joseph Sutton, 2022-12-14, 1 file, -1/+1

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit d6b3d68efc296190a133b4e38137bdfde39257f4)
  [jsutton@samba.org Adapted to older Heimdal version]
* CVE-2022-37966 param: Add support for new option "kdc force enable rc4 weak session keys"
  Andrew Bartlett, 2022-12-14, 3 files, -0/+29

  Pair-Programmed-With: Joseph Sutton <josephsutton@catalyst.net.nz>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  (cherry picked from commit ee18bc29b8ef6a3f09070507cc585467e55a1628)
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
* CVE-2022-37966 param: Add support for new option "kdc default domain supportedenctypes"
  Joseph Sutton, 2022-12-14, 4 files, -0/+125

  This matches the Windows registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\KDC\DefaultDomainSupportedEncTypes

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  (cherry picked from commit d861d4eb28bd4c091955c11669edcf867b093a6f)
  [jsutton@samba.org Fixed header include conflict]
  [jsutton@samba.org Fixed loadparm conflicts]
* CVE-2022-37967 Add new PAC checksum
  Joseph Sutton, 2022-12-14, 14 files, -54/+413

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15231
  Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  (similar to commit a50a2be622afaa7a280312ea12f5eb9c9a0c41da)
  [jsutton@samba.org Fixed conflicts in krb5pac.idl and raw_testcase.py]
  [jsutton@samba.org Fixed conflicts in kdc_base_test.py, raw_testcase.py, knownfails, tests.py. Adapted KDC PAC changes to older function.]
  [jsutton@samba.org Fixed conflict in raw_testcase.py; adapted to older Heimdal version]
* CVE-2022-37966 HEIMDAL: Look up the server keys to combine with clients etype list to select a session key
  Andrew Bartlett, 2022-12-14, 2 files, -6/+1

  We need to select server, not client, to compare client etypes against. (It is not useful to compare the client-supplied encryption types with the client's own long-term keys.)

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  (similar to commit 538315a2aa6d03b7639b49eb1576efa8755fefec)
  [jsutton@samba.org Fixed knownfail conflicts]
  [jsutton@samba.org Fixed knownfail conflicts]
  [jsutton@samba.org Fixed knownfail conflicts; adapted to older Heimdal version]
* CVE-2022-37966 selftest: Don't strictly check etype-info when obtaining a TGT
  Joseph Sutton, 2022-12-14, 2 files, -6/+25

  This padata type is less well tested in Samba 4.15 than we should like, and hence the encryption type tests reveal some inconsistencies that cause the tests to fail. Not strictly checking them in these tests allows them to continue passing.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  [This is 4.15 only]
* CVE-2022-37966 tests/krb5: Add a test requesting tickets with various encryption types
  Joseph Sutton, 2022-12-14, 8 files, -0/+384

  The KDC should leave the choice of ticket encryption type up to the target service, and admit no influence from the client.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (similar to commit 177334c04230d0ad74bfc2b6825ffbebd5afb9af)
  [jsutton@samba.org Fixed conflicts in usage.py, knownfails, tests.py]
  [jsutton@samba.org Fixed knownfail conflicts]
  [jsutton@samba.org Added new enctype bits; re-added expect_edata parameter to _test_as_exchange(); fixed conflicts in usage.py, knownfails, tests.py]
* CVE-2022-37966 tests/krb5: Add 'etypes' parameter to _tgs_req()
  Joseph Sutton, 2022-12-14, 1 file, -1/+3

  This lets us select the encryption types we claim to support in the request body.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (similar to commit e0a91dddc4a6c70d7425c2c6836dcf2dd6d9a2de)
  [jsutton@samba.org Adapted to 4.17 version of function taking different parameters]
* CVE-2022-37966 tests/krb5: Split out _tgs_req() into base class
  Joseph Sutton, 2022-12-14, 1 file, -131/+133

  We will use it for testing our handling of encryption types.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (similar to commit 50e075d2db21e9f23d686684ea3df9454b6b560e)
  [jsutton@samba.org Adapted to 4.17 version of function]
* CVE-2022-37966 selftest: Allow krb5 tests to run against an IP by using the target_hostname binding string
  Andrew Bartlett, 2022-12-14, 2 files, -3/+12

  This makes it easier to test against a server that is not accessible via DNS.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  (cherry picked from commit c7cd6889177e8c705bb637172a60a5cf26734a3f)
* CVE-2022-37966 libcli/auth: let netlogon_creds_cli_warn_options() about "kerberos encryption types=legacy"
  Stefan Metzmacher, 2022-12-14, 1 file, -0/+16

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  (cherry picked from commit 0248907e34945153ff2be62dc11d75c956a05932)
  [abartlet@samba.org Added missing loadparm to netlogon_creds_cli]
* CVE-2022-37966 testparm: warn about 'kerberos encryption types = legacy'
  Stefan Metzmacher, 2022-12-14, 1 file, -0/+8

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  (cherry picked from commit c0c25cc0217b082c12330a8c47869c8428a20d0c)
* CVE-2022-37966 docs-xml/smbdotconf: "kerberos encryption types = legacy" should not be used
  Stefan Metzmacher, 2022-12-14, 1 file, -9/+3

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  (cherry picked from commit a4f6f51cbed53775cdfedc7eec2f28c7beb875cc)
* CVE-2022-37966 s3:utils: Fix old-style function definition
  Andreas Schneider, 2022-12-14, 1 file, -6/+6

  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  (cherry picked from commit b787692b5e915031d4653bf375995320ed1aca07)
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
* CVE-2022-37966 s3:client: Fix old-style function definition
  Andreas Schneider, 2022-12-14, 1 file, -1/+1

  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  (cherry picked from commit 81f4335dfb847c041bfd3d6110fc8f1d5741d41f)
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
* CVE-2022-37966 s3:param: Fix old-style function definition
  Andreas Schneider, 2022-12-14, 1 file, -2/+2

  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  (cherry picked from commit 80dc3bc2b80634ab7c6c71fa1f9b94f0216322b2)
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
* CVE-2022-37966 tests/krb5: Allow passing expected etypes to get_keys()
  Joseph Sutton, 2022-12-14, 1 file, -3/+4

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit 2f17cbf3b295663a91e4facb0dc8f09ef4a77f4a)
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  [jsutton@samba.org Removed changes to protected_users_tests.py]
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* CVE-2022-37966 s4:kdc: Move supported enc-type handling out of samba_kdc_message2entry_keys()
  Andrew Bartlett, 2022-12-14, 1 file, -35/+40

  By putting this in the caller we potentially allow samba_kdc_message2entry_keys() to be reused by a non-KDC caller.

  Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  (cherry picked from commit 29eb7e2488e2c55ceacb859a57836a08cbb7f8e8)
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  [jsutton@samba.org Adapted to older code without support for Protected Users or older keys; kept still-needed 'kdc_db_ctx' samba_kdc_message2entry_keys() parameter]
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  [jsutton@samba.org Adapted to older db-glue code]
* CVE-2022-37966 s4:kdc: Set supported enctypes in KDC entry
  Joseph Sutton, 2022-12-14, 2 files, -4/+27

  This allows us to return the supported enctypes to the client as PA-SUPPORTED-ENCTYPES padata.

  NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  (cherry picked from commit cb382f7cddebabde3dac2b4bdb50d5b864463abf)
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  [jsutton@samba.org Adapted to Samba 4.15; removed FAST-supported bit for KDC]
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* CVE-2022-37966 tests/krb5: Update supported enctype checking
  Joseph Sutton, 2022-12-14, 2 files, -7/+41

  We now do not expect the claims or compound ID bits to be set unless explicitly specified, nor the DES bits.

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  (cherry picked from commit e9caa1edef846cdea2a719976ee0fd5bd8531048)
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
* CVE-2022-37966 tests/krb5: Check encrypted-pa-data if present
  Joseph Sutton, 2022-12-14, 3 files, -18/+69

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  (cherry picked from commit f94bdb41fccdb085d8f8f5a1a5e4a56581839e8e)
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  [jsutton@samba.org Fixed MIT knownfail conflict; added import of PADATA_REQ_ENC_PA_REP constant]
* CVE-2022-38023 testparm: warn about unsecure schannel related options
  Stefan Metzmacher, 2022-12-14, 1 file, -0/+61

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  (cherry picked from commit 4d540473c3d43d048a30dd63efaeae9ff87b2aeb)
* CVE-2022-38023 testparm: warn about server/client schannel != yes
  Stefan Metzmacher, 2022-12-14, 1 file, -3/+17

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  (cherry picked from commit f964c0c357214637f80d0089723b9b11d1b38f7e)
* CVE-2022-38023 s4:rpc_server/netlogon: implement "server schannel require seal[:COMPUTERACCOUNT]"
  Stefan Metzmacher, 2022-12-14, 2 files, -1/+271

  By default we'll now require schannel connections with privacy/sealing/encryption. But we allow exceptions for specific computer/trust accounts.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  (cherry picked from commit b3ed90a0541a271a7c6d4bee1201fa47adc3c0c1)
* CVE-2022-38023 s4:rpc_server/netlogon: add a per connection cache to dcesrv_netr_check_schannel()
  Stefan Metzmacher, 2022-12-14, 1 file, -40/+153

  It's enough to warn the admin once per connection.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  (cherry picked from commit 3c57608e1109c1d6e8bb8fbad2ef0b5d79d00e1a)
* CVE-2022-38023 docs-xml/smbdotconf: add "server schannel require seal[:COMPUTERACCOUNT]" options
  Stefan Metzmacher, 2022-12-14, 4 files, -6/+157

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  (cherry picked from commit 7732a4b0bde1d9f98a0371f17d22648495329470)
* CVE-2022-38023 s4:rpc_server/netlogon: make sure all dcesrv_netr_LogonSamLogon*() calls go through dcesrv_netr_check_schannel()
  Stefan Metzmacher, 2022-12-14, 1 file, -7/+29

  We'll soon add some additional constraints in dcesrv_netr_check_schannel(), which are also required for dcesrv_netr_LogonSamLogonEx().

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  (cherry picked from commit 689507457f5e6666488732f91a355a2183fb1662)
* CVE-2022-38023 s4:rpc_server/netlogon: split out dcesrv_netr_check_schannel() function
  Stefan Metzmacher, 2022-12-14, 1 file, -33/+51

  This will allow us to reuse the function in other places, as it will also get some additional checks soon.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  (cherry picked from commit f43dc4f0bd60d4e127b714565147f82435aa4f07)
* CVE-2022-38023 selftest:Samba4: avoid global 'allow nt4 crypto = yes' and 'reject md5 clients = no'
  Stefan Metzmacher, 2022-12-14, 1 file, -6/+49

  Instead of using the generic deprecated options, use the specific

    allow nt4 crypto:COMPUTERACCOUNT = yes
    server reject md5 schannel:COMPUTERACCOUNT = no

  in order to allow legacy tests to pass.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  (cherry picked from commit 7ae3735810c2db32fa50f309f8af3c76ffa29768)
  [metze@samba.org fixed conflict in 4.15]
* CVE-2022-38023 s4:rpc_server/netlogon: debug 'reject md5 servers' and 'allow nt4 crypto' misconfigurations
  Stefan Metzmacher, 2022-12-14, 1 file, -0/+121

  This allows the admin to notice what's wrong in order to adjust the configuration if required.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  (cherry picked from commit 43df4be35950f491864ae8ada05d51b42a556381)
  [metze@samba.org remove lpcfg_weak_crypto() check for 4.15]
* CVE-2022-38023 docs-xml/smbdotconf: document "server reject md5 schannel:COMPUTERACCOUNT"
  Stefan Metzmacher, 2022-12-14, 2 files, -6/+103

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  (cherry picked from commit 2ad302b42254e3c2800aaf11669fe2e6d55fa8a1)
* CVE-2022-38023 docs-xml/smbdotconf: document "allow nt4 crypto:COMPUTERACCOUNT = no"
  Stefan Metzmacher, 2022-12-14, 1 file, -2/+74

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  (cherry picked from commit bd429d025981b445bf63935063e8e302bfab3f9b)
* CVE-2022-38023 s4:rpc_server/netlogon: add 'server reject md5 schannel:COMPUTERACCOUNT = no' and 'allow nt4 crypto:COMPUTERACCOUNT = yes'
  Stefan Metzmacher, 2022-12-14, 1 file, -3/+55

  This makes it more flexible when we change the global default to 'reject md5 servers = yes'.

  'allow nt4 crypto = no' is already the default.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  (cherry picked from commit 69b36541606d7064de9648cd54b35adfdf8f0e8f)
* CVE-2022-38023 s4:rpc_server/netlogon: defer downgrade check until we found the account in our SAM
  Stefan Metzmacher, 2022-12-14, 1 file, -23/+53

  We'll soon make it possible to use 'reject md5 servers:CLIENTACCOUNT$ = no', which means we'll need to use the account name from our SAM.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  (cherry picked from commit b09f51eefc311bbb1525efd1dc7b9a837f7ec3c2)
* CVE-2022-38023 docs-xml/smbdotconf: change 'reject md5 clients' default to yes
  Stefan Metzmacher, 2022-12-14, 4 files, -3/+14

  AES is supported by Windows Server >= 2008R2, Windows (Client) >= 7 and Samba >= 4.0, so there's no reason to allow md5 clients by default. However some third party domain members may need it.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  (cherry picked from commit c8e53394b98b128ed460a6111faf05dfbad980d1)
* CVE-2022-38023 s4:rpc_server/netlogon: split out dcesrv_netr_ServerAuthenticate3_check_downgrade()
  Stefan Metzmacher, 2022-12-13, 1 file, -47/+67

  We'll soon make it possible to use 'reject md5 servers:CLIENTACCOUNT$ = no', which means we'll need the downgrade detection in more places.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  (cherry picked from commit b6339fd1dcbe903e73efeea074ab0bd04ef83561)
* CVE-2022-38023 s4:torture: use NETLOGON_NEG_SUPPORTS_AES by default
  Stefan Metzmacher, 2022-12-13, 4 files, -18/+27

  For generic tests we should use the best available features. And AES will be required by default soon.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  (cherry picked from commit cfd55a22cda113fbb2bfa373b54091dde1ea6e66)
* CVE-2022-38023 selftest:Samba4: avoid global 'server schannel = auto'
  Stefan Metzmacher, 2022-12-13, 1 file, -3/+37

  Instead of using the generic deprecated option, use the specific

    server require schannel:COMPUTERACCOUNT = no

  in order to allow legacy tests to pass.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  (cherry picked from commit 63c96ea6c02981795e67336401143f2a8836992c)
* CVE-2022-38023 s4:rpc_server/netlogon: improve CVE-2020-1472(ZeroLogon) debug messages
  Stefan Metzmacher, 2022-12-13, 1 file, -41/+106

  In order to avoid generating useless debug messages during make test, we will use 'CVE_2020_1472:warn_about_unused_debug_level = 3' and 'CVE_2020_1472:error_debug_level = 2' in order to avoid schannel warnings.

  Review with: git show -w

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  (cherry picked from commit 16ee03efc194d9c1c2c746f63236b977a419918d)
* CVE-2022-38023 s4:rpc_server/netlogon: re-order checking in dcesrv_netr_creds_server_step_check()
  Stefan Metzmacher, 2022-12-13, 1 file, -22/+19

  This will simplify the following changes.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  (cherry picked from commit ec62151a2fb49ecbeaa3bf924f49a956832b735e)
* CVE-2022-38023 s4:rpc_server/netlogon: add talloc_stackframe() to dcesrv_netr_creds_server_step_check()
  Stefan Metzmacher, 2022-12-13, 1 file, -13/+19

  This will simplify the following changes.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  (cherry picked from commit 0e6a2ba83ef1be3c6a0f5514c21395121621a145)
* CVE-2022-38023 s4:rpc_server/netlogon: add a lp_ctx variable to dcesrv_netr_creds_server_step_check()
  Stefan Metzmacher, 2022-12-13, 1 file, -3/+4

  This will simplify the following changes.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  (cherry picked from commit 7baabbe9819cd5a2714e7ea4e57a0c23062c0150)
* CVE-2022-38023 s4:rpc_server/netlogon: 'server schannel != yes' warning to dcesrv_interface_netlogon_bind
  Stefan Metzmacher, 2022-12-13, 1 file, -11/+15

  This will simplify the following changes.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  (cherry picked from commit e060ea5b3edbe3cba492062c9605f88fae212ee0)
* CVE-2022-38023 docs-xml/smbdotconf: change 'reject md5 servers' default to yes
  Stefan Metzmacher, 2022-12-13, 4 files, -4/+9

  AES is supported by Windows >= 2008R2 and Samba >= 4.0 so there's no reason to allow md5 servers by default.

  Note the change in netlogon_creds_cli_context_global() is only cosmetic, but avoids confusion while reading the code.

  Check with: git show -U35 libcli/auth/netlogon_creds_cli.c

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  (cherry picked from commit 1c6c1129905d0c7a60018e7bf0f17a0fd198a584)
* CVE-2022-38023 s3:winbindd: also allow per domain "winbind sealed pipes:DOMAIN" and "require strong key:DOMAIN"
  Stefan Metzmacher, 2022-12-13, 1 file, -8/+33

  This avoids advising insecure defaults for the global options.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  (cherry picked from commit d60828f6391307a59abaa02b72b6a8acf66b2fef)