summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAgeFilesLines
* CVE-2022-38023 s3:rpc_server/netlogon: Avoid unnecessary loadparm_context ↵v4-15-testSamuel Cabrero2023-01-231-19/+2
| | | | | | | | | | | | | | | | | | | | allocations After s3 and s4 rpc servers merge the loadparm_context is available in the dcesrv_context structure. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 Signed-off-by: Samuel Cabrero <scabrero@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> Autobuild-Date(master): Mon Jan 9 15:17:14 UTC 2023 on sn-devel-184 (cherry picked from commit 56837f3d3169a02d0d92bd085d9c8250415ce29b) Autobuild-User(v4-15-test): Jule Anger <janger@samba.org> Autobuild-Date(v4-15-test): Mon Jan 23 10:01:41 UTC 2023 on sn-devel-184
* CVE-2022-38023 docs-xml/smbdotconf: The "server schannel require ↵Samuel Cabrero2023-01-231-3/+2
| | | | | | | | | | seal[:COMPUTERACCOUNT]" options are also honoured by s3 netlogon server. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 Signed-off-by: Samuel Cabrero <scabrero@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> (cherry picked from commit 02fba22b8c9e9b33ab430555ef45500c45eaa9d1)
* CVE-2022-38023 s3:rpc_server/netlogon: Check for global "server schannel ↵Samuel Cabrero2023-01-231-0/+12
| | | | | | | | | | | | | | require seal" By default we'll now require schannel connections with privacy/sealing/encryption. But we allow exceptions for specific computer/trust accounts. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 Signed-off-by: Samuel Cabrero <scabrero@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> (cherry picked from commit a0b97e262318dc56fe663da89b0ee3172b2e7848)
* CVE-2022-38023 s3:rpc_server/netlogon: make sure all _netr_LogonSamLogon*() ↵Samuel Cabrero2023-01-231-9/+29
| | | | | | | | | | | | calls go through dcesrv_netr_check_schannel() Some checks are also required for _netr_LogonSamLogonEx(). BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 Signed-off-by: Samuel Cabrero <scabrero@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> (cherry picked from commit ca07f4340ce58a7e940a1123888b7409176412f7)
* CVE-2022-38023 s3:rpc_server/netlogon: Use dcesrv_netr_creds_server_step_check()Samuel Cabrero2023-01-234-164/+58
| | | | | | | | | | After s3 and s4 rpc servers merge we can avoid duplicated code. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 Signed-off-by: Samuel Cabrero <scabrero@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> (cherry picked from commit 25300d354c80995997d552581cd91dddaf4bbf48)
* CVE-2022-38023 s4:rpc_server/netlogon: Move schannel and credentials check ↵Samuel Cabrero2023-01-235-546/+644
| | | | | | | | | | | | functions to librpc Will be used later by s3 netlogon server. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 Signed-off-by: Samuel Cabrero <scabrero@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> (cherry picked from commit 121e7b0e39478c5291100652ac92c263f406076b)
* CVE-2022-38023 s4:rpc_server:wscript: Reformat following pycodestyleSamuel Cabrero2023-01-231-122/+168
| | | | | | | | BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 Signed-off-by: Samuel Cabrero <scabrero@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> (cherry picked from commit d9e6b490db3ead7e79bb3ff0c1f9ef8ab8bdc65b)
* CVE-2022-38023 selftest:Samba3: avoid global 'server schannel = auto'Samuel Cabrero2023-01-231-1/+16
| | | | | | | | | | | | Instead of using the generic deprecated option use the specific server require schannel:COMPUTERACCOUNT = no in order to allow legacy tests for pass. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 Signed-off-by: Samuel Cabrero <scabrero@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> (cherry picked from commit 3cd18690f83d2f85e847fc703ac127b4b04189fc)
* CVE-2022-38023 s3:rpc_server/netlogon: 'server schannel != yes' warning to ↵Samuel Cabrero2023-01-231-11/+29
| | | | | | | | | | | | | | dcesrv_interface_netlogon_bind Follow s4 netlogon server changes and move the checks to the RPC bind hook. Next commits will remove the s3 netr_creds_server_step_check() function. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 Signed-off-by: Samuel Cabrero <scabrero@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> (cherry picked from commit 8141eae47aad849741beb138fae866c772e4ec4c)
* VERSION: Bump version up to Samba 4.15.14...Jule Anger2022-12-151-2/+2
| | | | | | and re-enable GIT_SNAPSHOT. Signed-off-by: Jule Anger <janger@samba.org>
* VERSION: Disable GIT_SNAPSHOT for the 4.15.13 release.samba-4.15.13v4-15-stableJule Anger2022-12-151-1/+1
| | | | Signed-off-by: Jule Anger <janger@samba.org>
* WHATSNEW: Add release notes for Samba 4.15.13.Jule Anger2022-12-151-2/+150
| | | | Signed-off-by: Jule Anger <janger@samba.org>
* kdc: avoid re-encoding KDC-REQ-BODYLuke Howard2022-12-154-38/+5
| | | | | | | | | | | | | | | | | | | | Use --preserve-binary=KDC-REQ-BODY option to ASN.1 compiler to avoid re-encoding KDC-REQ-BODYs for verification in GSS preauth, TGS and PKINIT. [abartlet@samba.org adapted from Heimdal commit ebfd48e40a1b61bf5a6b8d00fe5c581e24652b6e by removing references to FAST and GSS-pre-auth. This fixes the Windows 11 22H2 issue with TGS-REQ as seen at https://github.com/heimdal/heimdal/issues/1011 and so removes the knownfail file for this test] BUG: https://bugzilla.samba.org/show_bug.cgi?id=15197 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> [metze@samba.org private autobuild passed]
* tests/krb5: Add test requesting a TGT expiring post-2038Joseph Sutton2022-12-141-2/+11
| | | | | | | | | | | | | | | | | | | | This demonstrates the behaviour of Windows 11 22H2 over Kerberos, which changed to use a year 9999 date for a forever timetime in tickets. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15197 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Thu Oct 20 05:00:23 UTC 2022 on sn-devel-184 (backported from commit 50cbdecf2e276e5f87b9c2d95fd3ca86d11a08e2) [abartlet@samba.org Adapted from 50cbdecf2e276e5f87b9c2d95fd3ca86d11a08e2 as the kerberos tests have changed parameters in newer versions breaking the context]
* tests/krb5: Add test requesting a service ticket expiring post-2038Joseph Sutton2022-12-142-0/+16
| | | | | | | | | | | | | | | | | | | | Windows 11 22H2 performs such requests, with year 9999. The test fails with KDC_ERR_BAD_INTEGRITY on older Heimdal versions, which are unable to verify a checksum over the modified request body (due to a re-encoding failure). REF: https://github.com/heimdal/heimdal/issues/1011 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15197 [abartlet@samba.org Add knownfail for backport - as Samba 4.15 and earlier fail this test, adapted commit 67811e121fbef08337675d473390160793544719 to test paraemters in 4.15] Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> (backported from commit 67811e121fbef08337675d473390160793544719)
* CVE-2022-37966 python:/tests/krb5: call sys.path.insert(0, "bin/python") ↵Stefan Metzmacher2022-12-1416-48/+55
| | | | | | | | | | | | | | | | | | | | | | | | | before any other imports This allows the tests to be executed without an explicit PYTHONPATH="bin/python". BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Tue Dec 13 14:06:14 UTC 2022 on sn-devel-184 (similar to commit 987cba90573f955fe9c781830daec85ad4d5bf92) [jsutton@samba.org Fixed conflicts; removed changes to non-existent tests] [jsutton@samba.org Fixed conflicts; removed changes to non-existent tests] [metze@samba.org private autobuild and a pipeline passes]
* CVE-2022-37966 samba-tool: add 'domain trust modify' commandStefan Metzmacher2022-12-142-0/+126
| | | | | | | | | | | | For now it only allows the admin to modify the msDS-SupportedEncryptionTypes values. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> (cherry picked from commit d1999c152acdf939b4cd7eb446dd9921d3edae29)
* CVE-2022-37966 s4:kdc: apply restrictions of "kdc supported enctypes"Stefan Metzmacher2022-12-141-2/+10
| | | | | | | | | BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit cca3c024fc514bee79bb60a686e470605cc98d6f)
* CVE-2022-37966 param: Add support for new option "kdc supported enctypes"Stefan Metzmacher2022-12-142-0/+109
| | | | | | | | | | | This allows admins to disable enctypes completely if required. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit 36d0a495159f72633f1f41deec979095417a1727)
* CVE-2022-37966 param: let "kdc default domain supportedenctypes = 0" mean ↵Stefan Metzmacher2022-12-146-10/+13
| | | | | | | | | | | | | | | | the default In order to allow better upgrades we need the default value for smb.conf to the same even if the effective default value of the software changes in future. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit fa64f8fa8d92167ed15d1109af65bbb4daab4bad) [jsutton@samba.org Fixed conflicts]
* CVE-2022-37966 param: don't explicitly initialize "kdc force enable rc4 weak ↵Stefan Metzmacher2022-12-142-5/+0
| | | | | | | | | | | | | session keys" to false/"no" This is not squashed in order to allow easier backports... BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit 7504a4d6fee7805aac7657b9dab88c48353d6db4)
* CVE-2022-37966 s4:kdc: announce PA-SUPPORTED-ETYPES like windows.Stefan Metzmacher2022-12-145-3050/+768
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We need to take the value from the msDS-SupportedEncryptionTypes attribute and only take the default if there's no value or if the value is 0. For krbtgt and DC accounts we need to force support for ARCFOUR-HMAC-MD5 and AES encryption types and add the related bits in addtition. (Note for krbtgt msDS-SupportedEncryptionTypes is completely ignored the hardcoded value is the default, so there's no AES256-SK for krbtgt). For UF_USE_DES_KEY_ONLY on the account we reset the value to 0, these accounts are in fact disabled completely, as they always result in KRB5KDC_ERR_ETYPE_NOSUPP. Then we try to get all encryption keys marked in supported_enctypes, and the available_enctypes is a reduced set depending on what keys are actually stored in the database. We select the supported session key enctypes by the available keys and in addition based on AES256-SK as well as the "kdc force enable rc4 weak session keys" option. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13135 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit fde745ec3491a4fd7b23e053a67093a2ccaf0905) [jsutton@samba.org Adapted to older KDC code] [jsutton@samba.org Adapted to older KDC code]
* CVE-2022-37966 python:tests/krb5: test much more etype combinationsStefan Metzmacher2022-12-143-515/+4046
| | | | | | | | | | | | | | | | This tests work out the difference between - msDS-SupportedEncryptionTypes value or it's default - software defined extra flags for DC accounts - accounts with only an nt hash being stored - the resulting value in the KRB5_PADATA_SUPPORTED_ETYPES announcement BUG: https://bugzilla.samba.org/show_bug.cgi?id=13135 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit 1dfa91682efd3b12d7d6af75287efb12ebd9e526)
* CVE-2022-37966 python:tests/krb5: add better PADATA_SUPPORTED_ETYPES assert ↵Stefan Metzmacher2022-12-141-2/+2
| | | | | | | | | | | message BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit c7c576208960e336da276e251ad7a526e1b3ed45)
* CVE-2022-37966 python:tests/krb5: add 'force_nt4_hash' for account creation ↵Stefan Metzmacher2022-12-141-6/+32
| | | | | | | | | | | | | | | | of KDCBaseTest This will allow us to create tests accounts with only an nt4 hash stored, without any aes keys. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit 77bd3258f1db0ddf4639a83a81a1aad3ee52c87d) [jsutton@samba.org Fixed conflicts in parameters]
* CVE-2022-37966 python:tests/krb5: ignore empty supplementalCredentials ↵Stefan Metzmacher2022-12-141-0/+2
| | | | | | | | | | | attributes BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit f434a30ee7c40aac4a223fcabac9ddd160a155a5)
* CVE-2022-37966 python:tests/krb5: allow ticket/supported_etypes to be passed ↵Stefan Metzmacher2022-12-141-3/+8
| | | | | | | | | | | KdcTgsBaseTests._{as,tgs}_req() BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit d8fd6a22b67a2b3ae03a2e428cc4987f07af6e29)
* CVE-2022-37966 python:tests/krb5: fix some tests running against Windows 2022Stefan Metzmacher2022-12-143-8/+33
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | I'm using the following options: SERVER=172.31.9.218 DC_SERVER=w2022-118.w2022-l7.base \ SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 \ DOMAIN=W2022-L7 REALM=W2022-L7.BASE \ ADMIN_USERNAME=Administrator ADMIN_PASSWORD=A1b2C3d4 \ CLIENT_USERNAME=Administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=28 CLIENT_KVNO=2 \ FULL_SIG_SUPPORT=1 TKT_SIG_SUPPORT=1 FORCED_RC4=1 in order to run these: python/samba/tests/krb5/as_req_tests.py -v --failfast AsReqKerberosTests python/samba/tests/krb5/etype_tests.py -v --failfast EtypeTests BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit e0f89b7bc8025db615dccf096aab4ca87e655368) [jsutton@samba.org Fixed conflicts in parameters; brought in rep_padata non-None assertion] [jsutton@samba.org Fixed parameter conflicts in as_req_tests.py; removed changes to non-existent check_reply_padata()]
* CVE-2022-37966 s4:libnet: allow python bindings to force setting an nthash ↵Stefan Metzmacher2022-12-141-3/+15
| | | | | | | | | | | via SAMR level 18 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit 4ebbe7e40754eeb1c8f221dd59018c3e681ab2ab)
* CVE-2022-37966 s4:libnet: add support LIBNET_SET_PASSWORD_SAMR_HANDLE_18 to ↵Stefan Metzmacher2022-12-142-0/+76
| | | | | | | | | | | | | | set nthash only BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit 271cd82cd681d723572fcaeed24052dc98a8361) [jsutton@samba.org Adapted to older version of libnet_SetPassword() that doesn't set FIPS lax mode]
* CVE-2022-37966 s4:libnet: initialize libnet_SetPassword() arguments ↵Stefan Metzmacher2022-12-142-2/+4
| | | | | | | | | | | explicitly to zero by default. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit 9e69289b099b47e0352ef67ef7e6529d11688e9a)
* CVE-2022-37966 drsuapi.idl: add trustedDomain related ATTID valuesStefan Metzmacher2022-12-141-0/+9
| | | | | | | | | | | | | | For now this is only for debugging in order to see DRSUAPI_ATTID_msDS_SupportedEncryptionTypes in the replication meta data. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15219 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit f1c5fa28c460f7e011049606b1b9ef96443e5e1f)
* CVE-2022-37966 s4:kdc: use the strongest possible keysStefan Metzmacher2022-12-141-15/+8
| | | | | | | | | | | | | BUG: https://bugzilla.samba.org/show_bug.cgi?id=13135 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit d7ea197ed1a9903f601030e6466cc822f9b8f794) [jsutton@samba.org Adapted to configuration parameters having been renamed from {as,tgs} to {tgt,svc}]
* CVE-2022-37966 s4:pydsdb: add ENC_HMAC_SHA1_96_AES256_SKStefan Metzmacher2022-12-141-0/+1
| | | | | | | | | BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit 621b8c3927b63776146940b183b03b3ea77fd2d7)
* CVE-2022-37966 s3:net_ads: let 'net ads enctypes list' pretty print ↵Stefan Metzmacher2022-12-141-0/+6
| | | | | | | | | | | AES256-SK and RESOURCE-SID-COMPRESSION-DISABLED BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit b7260c89e0df18822fa276e681406ec4d3921caa)
* CVE-2022-37966 s3:net_ads: no longer reference des encryption typesStefan Metzmacher2022-12-141-1/+2
| | | | | | | | | | | | We no longer have support for des encryption types in the kerberos libraries anyway. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit 4cedaa643bf95ef2628f1b631feda833bb2e7da1)
* CVE-2022-37966 s3:libnet: no longer reference des encryption typesStefan Metzmacher2022-12-141-3/+2
| | | | | | | | | | | | We no longer have support for des encryption types in the kerberos libraries anyway. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit 40b47c194d7c41fbc6515b6029d5afafb0911232)
* CVE-2022-37966 s3:libads: no longer reference des encryption typesStefan Metzmacher2022-12-141-1/+1
| | | | | | | | | | | | We no longer have support for des encryption types in the kerberos libraries anyway. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit a683507e560a499336c50b88abcd853d49618bf4)
* CVE-2022-37966 lib/krb5_wrap: no longer reference des encryption typesStefan Metzmacher2022-12-141-2/+0
| | | | | | | | | | | | We no longer have support for des encryption types in the kerberos libraries anyway. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit 16b805c8f376e0992a8bbb359d6bd8f0f96229db)
* CVE-2022-37966 s3:net_ads: remove unused ifdef HAVE_ENCTYPE_AES*Stefan Metzmacher2022-12-141-4/+0
| | | | | | | | | | | aes encryption types are always supported. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit f3fe1f2ce64ed36be5b001fb4fea92428e73e4e3)
* CVE-2022-37966 s3:libnet: remove unused ifdef HAVE_ENCTYPE_AES*Stefan Metzmacher2022-12-141-4/+0
| | | | | | | | | | | aes encryption types are always supported. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit 1a36c348d7a984bed8d0f3de5bf9bebd1cb3c47a)
* CVE-2022-37966 s3:libads: remove unused ifdef HAVE_ENCTYPE_AES*Stefan Metzmacher2022-12-142-8/+0
| | | | | | | | | | | aes encryption types are always supported. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit 2bd27955ce1000c13b468934eed8b0fdeb66e3bf)
* CVE-2022-37966 lib/krb5_wrap: remove unused ifdef HAVE_ENCTYPE_AES*Stefan Metzmacher2022-12-141-4/+0
| | | | | | | | | | | aes encryption types are always supported. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit c9b10ee32c7e91521d024477a28fb7a622e4eb04)
* CVE-2022-37966 system_mitkrb5: require support for aes enctypesStefan Metzmacher2022-12-141-2/+2
| | | | | | | | | | | | | | This will never fail as we already require a version that supports aes, but this makes it clearer. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit a80f8e1b826ee3f9bbb22752464a73b97c2a612d) [jsutton@samba.org Fixed conflicts due to missing lib='krb5' argument]
* CVE-2022-37966 wafsamba: add support for CHECK_VARIABLE(mandatory=True)Stefan Metzmacher2022-12-141-1/+3
| | | | | | | | | BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit 9da028c46f70db60a80d47f5dadbec194510211f)
* CVE-2022-37966 kdc: Assume trust objects support AES by defaultJoseph Sutton2022-12-142-7/+2
| | | | | | | | | | | | | | | As part of matching the behaviour of Windows, assume that trust objects support AES256, but not RC4, if not specified otherwise. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15219 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit 4bb50c868c8ed14372cb7d27e53cdaba265fc33d) [jsutton@samba.org Added knownfail removals]
* CVE-2022-37966 kdc: Implement new Kerberos session key behaviour since ↵Andrew Bartlett2022-12-1411-622/+289
| | | | | | | | | | | | | | | | | | | | | | | | | ENC_HMAC_SHA1_96_AES256_SK was added ENC_HMAC_SHA1_96_AES256_SK is a flag introduced for by Microsoft in this CVE to indicate that additionally, AES session keys are available. We set the etypes available for session keys depending on the encryption types that are supported by the principal. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15219 Pair-Programmed-With: Joseph Sutton <josephsutton@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <metze@samba.org> (similar to commit 975e43fc45531fdea14b93a3b1529b3218a177e6) [jsutton@samba.org Fixed knownfail conflicts] [jsutton@samba.org Adapted to older KDC code; fixed knownfail conflicts] [jsutton@samba.org Fixed knownfail conflicts; adapted to older KDC and Heimdal code]
* CVE-2022-37966 s4:torture: Expect referral ticket enc-part encrypted with ↵Joseph Sutton2022-12-142-19/+37
| | | | | | | | | | | AES256 rather than RC4 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <metze@samba.org> [This is 4.15 only]
* CVE-2022-37966 auth/credentials: Allow specifying password to ↵Joseph Sutton2022-12-142-6/+2
| | | | | | | | | | | cli_credentials_get_aes256_key() BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <metze@samba.org> [This is 4.15 only]
* CVE-2022-37966 auth/credentials: Add cli_credentials_get_aes256_key()Joseph Sutton2022-12-142-0/+70
| | | | | | | | | | | | This allows us to generate AES256 keys from a given password and salt. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit 0d9835e1e497d667ce49f00d5127d2231055793f) BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Stefan Metzmacher <metze@samba.org>
View Lorry Controller Status