Commit message | Author | Age | Files | Lines
* VERSION: Disable GIT_SNAPSHOT for the 4.15.13 release. (tags: samba-4.15.13, v4-15-stable) | Jule Anger | 2022-12-15 | 1 file | -1/+1
  Signed-off-by: Jule Anger <janger@samba.org>
* WHATSNEW: Add release notes for Samba 4.15.13. | Jule Anger | 2022-12-15 | 1 file | -2/+150
  Signed-off-by: Jule Anger <janger@samba.org>
* kdc: avoid re-encoding KDC-REQ-BODY | Luke Howard | 2022-12-15 | 4 files | -38/+5
  Use --preserve-binary=KDC-REQ-BODY option to ASN.1 compiler to avoid
  re-encoding KDC-REQ-BODYs for verification in GSS preauth, TGS and PKINIT.
  [abartlet@samba.org adapted from Heimdal commit ebfd48e40a1b61bf5a6b8d00fe5c581e24652b6e
   by removing references to FAST and GSS-pre-auth.
   This fixes the Windows 11 22H2 issue with TGS-REQ as seen at
   https://github.com/heimdal/heimdal/issues/1011 and so removes the
   knownfail file for this test]
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15197
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  [metze@samba.org private autobuild passed]
* tests/krb5: Add test requesting a TGT expiring post-2038 | Joseph Sutton | 2022-12-14 | 1 file | -2/+11
  This demonstrates the behaviour of Windows 11 22H2 over Kerberos, which
  changed to use a year 9999 date for a forever time in tickets.
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15197
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Thu Oct 20 05:00:23 UTC 2022 on sn-devel-184
  (backported from commit 50cbdecf2e276e5f87b9c2d95fd3ca86d11a08e2)
  [abartlet@samba.org Adapted from 50cbdecf2e276e5f87b9c2d95fd3ca86d11a08e2
   as the kerberos tests have changed parameters in newer versions breaking
   the context]
* tests/krb5: Add test requesting a service ticket expiring post-2038 | Joseph Sutton | 2022-12-14 | 2 files | -0/+16
  Windows 11 22H2 performs such requests, with year 9999. The test fails with
  KDC_ERR_BAD_INTEGRITY on older Heimdal versions, which are unable to verify
  a checksum over the modified request body (due to a re-encoding failure).
  REF: https://github.com/heimdal/heimdal/issues/1011
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15197
  [abartlet@samba.org Add knownfail for backport - as Samba 4.15 and earlier
   fail this test, adapted commit 67811e121fbef08337675d473390160793544719 to
   test parameters in 4.15]
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  (backported from commit 67811e121fbef08337675d473390160793544719)
* CVE-2022-37966 python:/tests/krb5: call sys.path.insert(0, "bin/python") before any other imports | Stefan Metzmacher | 2022-12-14 | 16 files | -48/+55
  This allows the tests to be executed without an explicit PYTHONPATH="bin/python".
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
  Autobuild-Date(master): Tue Dec 13 14:06:14 UTC 2022 on sn-devel-184
  (similar to commit 987cba90573f955fe9c781830daec85ad4d5bf92)
  [jsutton@samba.org Fixed conflicts; removed changes to non-existent tests]
  [jsutton@samba.org Fixed conflicts; removed changes to non-existent tests]
  [metze@samba.org private autobuild and a pipeline passes]
* CVE-2022-37966 samba-tool: add 'domain trust modify' command | Stefan Metzmacher | 2022-12-14 | 2 files | -0/+126
  For now it only allows the admin to modify the msDS-SupportedEncryptionTypes values.
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  (cherry picked from commit d1999c152acdf939b4cd7eb446dd9921d3edae29)
* CVE-2022-37966 s4:kdc: apply restrictions of "kdc supported enctypes" | Stefan Metzmacher | 2022-12-14 | 1 file | -2/+10
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit cca3c024fc514bee79bb60a686e470605cc98d6f)
* CVE-2022-37966 param: Add support for new option "kdc supported enctypes" | Stefan Metzmacher | 2022-12-14 | 2 files | -0/+109
  This allows admins to disable enctypes completely if required.
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit 36d0a495159f72633f1f41deec979095417a1727)
* CVE-2022-37966 param: let "kdc default domain supportedenctypes = 0" mean the default | Stefan Metzmacher | 2022-12-14 | 6 files | -10/+13
  In order to allow better upgrades we need the default value for smb.conf
  to be the same even if the effective default value of the software changes
  in future.
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit fa64f8fa8d92167ed15d1109af65bbb4daab4bad)
  [jsutton@samba.org Fixed conflicts]
* CVE-2022-37966 param: don't explicitly initialize "kdc force enable rc4 weak session keys" to false/"no" | Stefan Metzmacher | 2022-12-14 | 2 files | -5/+0
  This is not squashed in order to allow easier backports...
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit 7504a4d6fee7805aac7657b9dab88c48353d6db4)
* CVE-2022-37966 s4:kdc: announce PA-SUPPORTED-ETYPES like windows. | Stefan Metzmacher | 2022-12-14 | 5 files | -3050/+768
  We need to take the value from the msDS-SupportedEncryptionTypes attribute
  and only take the default if there's no value or if the value is 0.
  For krbtgt and DC accounts we need to force support for ARCFOUR-HMAC-MD5
  and AES encryption types and add the related bits in addition.
  (Note for krbtgt msDS-SupportedEncryptionTypes is completely ignored, the
  hardcoded value is the default, so there's no AES256-SK for krbtgt).
  For UF_USE_DES_KEY_ONLY on the account we reset the value to 0, these
  accounts are in fact disabled completely, as they always result in
  KRB5KDC_ERR_ETYPE_NOSUPP.
  Then we try to get all encryption keys marked in supported_enctypes, and
  the available_enctypes is a reduced set depending on what keys are actually
  stored in the database.
  We select the supported session key enctypes by the available keys and in
  addition based on AES256-SK as well as the "kdc force enable rc4 weak
  session keys" option.
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13135
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit fde745ec3491a4fd7b23e053a67093a2ccaf0905)
  [jsutton@samba.org Adapted to older KDC code]
  [jsutton@samba.org Adapted to older KDC code]
* CVE-2022-37966 python:tests/krb5: test much more etype combinations | Stefan Metzmacher | 2022-12-14 | 3 files | -515/+4046
  These tests work out the difference between
  - msDS-SupportedEncryptionTypes value or its default
  - software defined extra flags for DC accounts
  - accounts with only an nt hash being stored
  - the resulting value in the KRB5_PADATA_SUPPORTED_ETYPES announcement
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13135
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit 1dfa91682efd3b12d7d6af75287efb12ebd9e526)
* CVE-2022-37966 python:tests/krb5: add better PADATA_SUPPORTED_ETYPES assert message | Stefan Metzmacher | 2022-12-14 | 1 file | -2/+2
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit c7c576208960e336da276e251ad7a526e1b3ed45)
* CVE-2022-37966 python:tests/krb5: add 'force_nt4_hash' for account creation of KDCBaseTest | Stefan Metzmacher | 2022-12-14 | 1 file | -6/+32
  This will allow us to create tests accounts with only an nt4 hash stored,
  without any aes keys.
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit 77bd3258f1db0ddf4639a83a81a1aad3ee52c87d)
  [jsutton@samba.org Fixed conflicts in parameters]
* CVE-2022-37966 python:tests/krb5: ignore empty supplementalCredentials attributes | Stefan Metzmacher | 2022-12-14 | 1 file | -0/+2
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit f434a30ee7c40aac4a223fcabac9ddd160a155a5)
* CVE-2022-37966 python:tests/krb5: allow ticket/supported_etypes to be passed to KdcTgsBaseTests._{as,tgs}_req() | Stefan Metzmacher | 2022-12-14 | 1 file | -3/+8
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit d8fd6a22b67a2b3ae03a2e428cc4987f07af6e29)
* CVE-2022-37966 python:tests/krb5: fix some tests running against Windows 2022 | Stefan Metzmacher | 2022-12-14 | 3 files | -8/+33
  I'm using the following options:
    SERVER=172.31.9.218 DC_SERVER=w2022-118.w2022-l7.base \
    SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 \
    DOMAIN=W2022-L7 REALM=W2022-L7.BASE \
    ADMIN_USERNAME=Administrator ADMIN_PASSWORD=A1b2C3d4 \
    CLIENT_USERNAME=Administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=28 CLIENT_KVNO=2 \
    FULL_SIG_SUPPORT=1 TKT_SIG_SUPPORT=1 FORCED_RC4=1
  in order to run these:
    python/samba/tests/krb5/as_req_tests.py -v --failfast AsReqKerberosTests
    python/samba/tests/krb5/etype_tests.py -v --failfast EtypeTests
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit e0f89b7bc8025db615dccf096aab4ca87e655368)
  [jsutton@samba.org Fixed conflicts in parameters; brought in rep_padata non-None assertion]
  [jsutton@samba.org Fixed parameter conflicts in as_req_tests.py; removed changes to non-existent check_reply_padata()]
* CVE-2022-37966 s4:libnet: allow python bindings to force setting an nthash via SAMR level 18 | Stefan Metzmacher | 2022-12-14 | 1 file | -3/+15
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit 4ebbe7e40754eeb1c8f221dd59018c3e681ab2ab)
* CVE-2022-37966 s4:libnet: add support for LIBNET_SET_PASSWORD_SAMR_HANDLE_18 to set nthash only | Stefan Metzmacher | 2022-12-14 | 2 files | -0/+76
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit 271cd82cd681d723572fcaeed24052dc98a8361)
  [jsutton@samba.org Adapted to older version of libnet_SetPassword() that doesn't set FIPS lax mode]
* CVE-2022-37966 s4:libnet: initialize libnet_SetPassword() arguments explicitly to zero by default. | Stefan Metzmacher | 2022-12-14 | 2 files | -2/+4
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit 9e69289b099b47e0352ef67ef7e6529d11688e9a)
* CVE-2022-37966 drsuapi.idl: add trustedDomain related ATTID values | Stefan Metzmacher | 2022-12-14 | 1 file | -0/+9
  For now this is only for debugging in order to see
  DRSUAPI_ATTID_msDS_SupportedEncryptionTypes in the replication meta data.
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15219
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit f1c5fa28c460f7e011049606b1b9ef96443e5e1f)
* CVE-2022-37966 s4:kdc: use the strongest possible keys | Stefan Metzmacher | 2022-12-14 | 1 file | -15/+8
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13135
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit d7ea197ed1a9903f601030e6466cc822f9b8f794)
  [jsutton@samba.org Adapted to configuration parameters having been renamed from {as,tgs} to {tgt,svc}]
* CVE-2022-37966 s4:pydsdb: add ENC_HMAC_SHA1_96_AES256_SK | Stefan Metzmacher | 2022-12-14 | 1 file | -0/+1
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit 621b8c3927b63776146940b183b03b3ea77fd2d7)
* CVE-2022-37966 s3:net_ads: let 'net ads enctypes list' pretty print AES256-SK and RESOURCE-SID-COMPRESSION-DISABLED | Stefan Metzmacher | 2022-12-14 | 1 file | -0/+6
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit b7260c89e0df18822fa276e681406ec4d3921caa)
* CVE-2022-37966 s3:net_ads: no longer reference des encryption types | Stefan Metzmacher | 2022-12-14 | 1 file | -1/+2
  We no longer have support for des encryption types in the kerberos
  libraries anyway.
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit 4cedaa643bf95ef2628f1b631feda833bb2e7da1)
* CVE-2022-37966 s3:libnet: no longer reference des encryption types | Stefan Metzmacher | 2022-12-14 | 1 file | -3/+2
  We no longer have support for des encryption types in the kerberos
  libraries anyway.
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit 40b47c194d7c41fbc6515b6029d5afafb0911232)
* CVE-2022-37966 s3:libads: no longer reference des encryption types | Stefan Metzmacher | 2022-12-14 | 1 file | -1/+1
  We no longer have support for des encryption types in the kerberos
  libraries anyway.
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit a683507e560a499336c50b88abcd853d49618bf4)
* CVE-2022-37966 lib/krb5_wrap: no longer reference des encryption types | Stefan Metzmacher | 2022-12-14 | 1 file | -2/+0
  We no longer have support for des encryption types in the kerberos
  libraries anyway.
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit 16b805c8f376e0992a8bbb359d6bd8f0f96229db)
* CVE-2022-37966 s3:net_ads: remove unused ifdef HAVE_ENCTYPE_AES* | Stefan Metzmacher | 2022-12-14 | 1 file | -4/+0
  aes encryption types are always supported.
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit f3fe1f2ce64ed36be5b001fb4fea92428e73e4e3)
* CVE-2022-37966 s3:libnet: remove unused ifdef HAVE_ENCTYPE_AES* | Stefan Metzmacher | 2022-12-14 | 1 file | -4/+0
  aes encryption types are always supported.
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit 1a36c348d7a984bed8d0f3de5bf9bebd1cb3c47a)
* CVE-2022-37966 s3:libads: remove unused ifdef HAVE_ENCTYPE_AES* | Stefan Metzmacher | 2022-12-14 | 2 files | -8/+0
  aes encryption types are always supported.
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit 2bd27955ce1000c13b468934eed8b0fdeb66e3bf)
* CVE-2022-37966 lib/krb5_wrap: remove unused ifdef HAVE_ENCTYPE_AES* | Stefan Metzmacher | 2022-12-14 | 1 file | -4/+0
  aes encryption types are always supported.
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit c9b10ee32c7e91521d024477a28fb7a622e4eb04)
* CVE-2022-37966 system_mitkrb5: require support for aes enctypes | Stefan Metzmacher | 2022-12-14 | 1 file | -2/+2
  This will never fail as we already require a version that supports aes,
  but this makes it clearer.
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit a80f8e1b826ee3f9bbb22752464a73b97c2a612d)
  [jsutton@samba.org Fixed conflicts due to missing lib='krb5' argument]
* CVE-2022-37966 wafsamba: add support for CHECK_VARIABLE(mandatory=True) | Stefan Metzmacher | 2022-12-14 | 1 file | -1/+3
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit 9da028c46f70db60a80d47f5dadbec194510211f)
* CVE-2022-37966 kdc: Assume trust objects support AES by default | Joseph Sutton | 2022-12-14 | 2 files | -7/+2
  As part of matching the behaviour of Windows, assume that trust objects
  support AES256, but not RC4, if not specified otherwise.
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15219
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit 4bb50c868c8ed14372cb7d27e53cdaba265fc33d)
  [jsutton@samba.org Added knownfail removals]
* CVE-2022-37966 kdc: Implement new Kerberos session key behaviour since ENC_HMAC_SHA1_96_AES256_SK was added | Andrew Bartlett | 2022-12-14 | 11 files | -622/+289
  ENC_HMAC_SHA1_96_AES256_SK is a flag introduced by Microsoft in this CVE
  to indicate that additionally, AES session keys are available.
  We set the etypes available for session keys depending on the encryption
  types that are supported by the principal.
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15219
  Pair-Programmed-With: Joseph Sutton <josephsutton@catalyst.net.nz>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  (similar to commit 975e43fc45531fdea14b93a3b1529b3218a177e6)
  [jsutton@samba.org Fixed knownfail conflicts]
  [jsutton@samba.org Adapted to older KDC code; fixed knownfail conflicts]
  [jsutton@samba.org Fixed knownfail conflicts; adapted to older KDC and Heimdal code]
* CVE-2022-37966 s4:torture: Expect referral ticket enc-part encrypted with AES256 rather than RC4 | Joseph Sutton | 2022-12-14 | 2 files | -19/+37
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  [This is 4.15 only]
* CVE-2022-37966 auth/credentials: Allow specifying password to cli_credentials_get_aes256_key() | Joseph Sutton | 2022-12-14 | 2 files | -6/+2
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  [This is 4.15 only]
* CVE-2022-37966 auth/credentials: Add cli_credentials_get_aes256_key() | Joseph Sutton | 2022-12-14 | 2 files | -0/+70
  This allows us to generate AES256 keys from a given password and salt.
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit 0d9835e1e497d667ce49f00d5127d2231055793f)
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
* CVE-2022-37966 Fix enctype selection issues for PAC and other authz-data signatures | Nicolas Williams | 2022-12-14 | 1 file | -24/+33
  We were using the enctype from the PA-TGS-REQ's AP-REQ's Ticket to decide
  what key from the service's realm's krbtgt principal to use. This breaks
  when: a) we're doing cross-realm, b) the service's realm's krbtgt
  principal doesn't have keys for the enctype used in the cross-realm TGT.
  The fix is to pick the correct key (strongest or first, per-config) from
  the service's realm's krbtgt principal.
  (backported from Heimdal commit 8586d9f88efcf60b971466f0d83ea0bc1962e24f)
  [jsutton@samba.org Fixed conflicts due to different Heimdal revision]
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  [This is 4.15 only]
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* CVE-2022-37966 selftest: Run S4U tests against FL2003 DC | Joseph Sutton | 2022-12-14 | 3 files | -6/+71
  This shows that changes around RC4 encryption types do not break older
  functional levels where only RC4 keys are available.
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit 44802c46b18caf3c7f9f2fb1b66025fc30e22ac5)
  [jsutton@samba.org Fixed import conflict]
* CVE-2022-37966 selftest: Add tests for Kerberos session key behaviour since ENC_HMAC_SHA1_96_AES256_SK was added | Joseph Sutton | 2022-12-14 | 10 files | -141/+1549
  ENC_HMAC_SHA1_96_AES256_SK is a flag introduced by Microsoft in this CVE
  to indicate that additionally, AES session keys are available.
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  (similar to commit 371d7e63fcb966ab54915a3dedb888d48adbf0c0)
  [jsutton@samba.org Removed unneeded fast_tests.py change, added non_etype_bits in raw_testcase.py, fixed conflicts in knownfails and tests.py]
  [jsutton@samba.org Fixed conflicts in tests and knownfails]
  [jsutton@samba.org Fixed conflicts in raw_testcase.py, tests.py; moved test_fast_rc4 knownfail to 'KDC TGS tests' section with other FAST knownfails]
* CVE-2022-37966 samba-tool: Declare explicitly RC4 support of trust objects | Joseph Sutton | 2022-12-14 | 1 file | -2/+5
  As we will assume, as part of the fixes for CVE-2022-37966, that trust
  objects with no msDS-SupportedEncryptionTypes attribute support AES keys,
  RC4 support must now be explicitly indicated.
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit 086646865eef247a54897f5542495a2105563a5e)
* CVE-2022-37966 samba-tool: Fix 'domain trust create' documentation | Joseph Sutton | 2022-12-14 | 1 file | -1/+1
  This option does the opposite of what the documentation claims.
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit 6b155b22e6afa52ce29cc475840c1d745b0f1f5e)
* CVE-2022-37966 third_party/heimdal: Fix error message typo | Joseph Sutton | 2022-12-14 | 1 file | -1/+1
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit d6b3d68efc296190a133b4e38137bdfde39257f4)
  [jsutton@samba.org Adapted to older Heimdal version]
* CVE-2022-37966 param: Add support for new option "kdc force enable rc4 weak session keys" | Andrew Bartlett | 2022-12-14 | 3 files | -0/+29
  Pair-Programmed-With: Joseph Sutton <josephsutton@catalyst.net.nz>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  (cherry picked from commit ee18bc29b8ef6a3f09070507cc585467e55a1628)
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
* CVE-2022-37966 param: Add support for new option "kdc default domain supportedenctypes" | Joseph Sutton | 2022-12-14 | 4 files | -0/+125
  This matches the Windows registry key
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\KDC\DefaultDomainSupportedEncTypes
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  (cherry picked from commit d861d4eb28bd4c091955c11669edcf867b093a6f)
  [jsutton@samba.org Fixed header include conflict]
  [jsutton@samba.org Fixed loadparm conflicts]
* CVE-2022-37967 Add new PAC checksum | Joseph Sutton | 2022-12-14 | 14 files | -54/+413
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15231
  Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  (similar to commit a50a2be622afaa7a280312ea12f5eb9c9a0c41da)
  [jsutton@samba.org Fixed conflicts in krb5pac.idl and raw_testcase.py]
  [jsutton@samba.org Fixed conflicts in kdc_base_test.py, raw_testcase.py, knownfails, tests.py. Adapted KDC PAC changes to older function.]
  [jsutton@samba.org Fixed conflict in raw_testcase.py; adapted to older Heimdal version]
* CVE-2022-37966 HEIMDAL: Look up the server keys to combine with clients etype list to select a session key | Andrew Bartlett | 2022-12-14 | 2 files | -6/+1
  We need to select server, not client, to compare client etypes against.
  (It is not useful to compare the client-supplied encryption types with the
  client's own long-term keys.)
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  (similar to commit 538315a2aa6d03b7639b49eb1576efa8755fefec)
  [jsutton@samba.org Fixed knownfail conflicts]
  [jsutton@samba.org Fixed knownfail conflicts]
  [jsutton@samba.org Fixed knownfail conflicts; adapted to older Heimdal version]