summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAgeFilesLines
...
* CVE-2022-38023 s3:rpc_server/netlogon: make sure all _netr_LogonSamLogon*() ↵Samuel Cabrero2023-01-231-17/+28
| | | | | | | | | | | | calls go through dcesrv_netr_check_schannel() Some checks are also required for _netr_LogonSamLogonEx(). BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 Signed-off-by: Samuel Cabrero <scabrero@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> (cherry picked from commit ca07f4340ce58a7e940a1123888b7409176412f7)
* CVE-2022-38023 s3:rpc_server/netlogon: Use dcesrv_netr_creds_server_step_check()Samuel Cabrero2023-01-234-165/+58
| | | | | | | | | | After s3 and s4 rpc servers merge we can avoid duplicated code. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 Signed-off-by: Samuel Cabrero <scabrero@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> (cherry picked from commit 25300d354c80995997d552581cd91dddaf4bbf48)
* CVE-2022-38023 s4:rpc_server/netlogon: Move schannel and credentials check ↵Samuel Cabrero2023-01-235-546/+644
| | | | | | | | | | | | functions to librpc Will be used later by s3 netlogon server. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 Signed-off-by: Samuel Cabrero <scabrero@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> (cherry picked from commit 121e7b0e39478c5291100652ac92c263f406076b)
* CVE-2022-38023 s4:rpc_server:wscript: Reformat following pycodestyleSamuel Cabrero2023-01-231-122/+168
| | | | | | | | BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 Signed-off-by: Samuel Cabrero <scabrero@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> (cherry picked from commit d9e6b490db3ead7e79bb3ff0c1f9ef8ab8bdc65b)
* CVE-2022-38023 selftest:Samba3: avoid global 'server schannel = auto'Samuel Cabrero2023-01-231-1/+15
| | | | | | | | | | | | Instead of using the generic deprecated option use the specific server require schannel:COMPUTERACCOUNT = no in order to allow legacy tests for pass. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 Signed-off-by: Samuel Cabrero <scabrero@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> (cherry picked from commit 3cd18690f83d2f85e847fc703ac127b4b04189fc)
* CVE-2022-38023 s3:rpc_server/netlogon: 'server schannel != yes' warning to ↵Samuel Cabrero2023-01-231-11/+28
| | | | | | | | | | | | | | dcesrv_interface_netlogon_bind Follow s4 netlogon server changes and move the checks to the RPC bind hook. Next commits will remove the s3 netr_creds_server_step_check() function. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 Signed-off-by: Samuel Cabrero <scabrero@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> (cherry picked from commit 8141eae47aad849741beb138fae866c772e4ec4c)
* s4: libcli: Ignore errors when getting A records after fetching AAAA records.Jeremy Allison2023-01-161-6/+8
| | | | | | | | | | | | | | | | | The target may only be available over IPv6. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15226 Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Wed Nov 9 20:34:07 UTC 2022 on sn-devel-184 (cherry picked from commit 10537a89bb0b461ba31d614b7c9ed56a842422e7) Autobuild-User(v4-16-test): Jule Anger <janger@samba.org> Autobuild-Date(v4-16-test): Mon Jan 16 10:47:49 UTC 2023 on sn-devel-184
* s3: smbd: In synthetic_pathref() change DBG_ERR -> DBG_NOTICE to avoid ↵Jeremy Allison2023-01-161-1/+1
| | | | | | | | | | | | | | | | | spamming the logs. Can easily be seen by doing make test TESTS=fruit and looking in st/nt4_dc/smbd_test.log. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15210 Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> Autobuild-User(master): Ralph Böhme <slow@samba.org> Autobuild-Date(master): Wed Nov 16 06:00:56 UTC 2022 on sn-devel-184 (cherry picked from commit f0ca9546102acf09f1834c03f8907ed26bfc80f8)
* s3: smbd: Cause SMB2_OP_FLUSH to go synchronous in a compound anywhere but ↵Jeremy Allison2023-01-162-2/+14
| | | | | | | | | | | | | | | | | | | the last operation in the list. Async read and write go synchronous in the same case, so do the same here. Remove knownfail. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15172 Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> Autobuild-User(master): Ralph Böhme <slow@samba.org> Autobuild-Date(master): Thu Nov 17 05:55:42 UTC 2022 on sn-devel-184 (cherry picked from commit 26adf3344337f4e8d5d2107e6ba42e5ea7656372)
* s3: smbd: Add utility function smbd_smb2_is_last_in_compound().Jeremy Allison2023-01-162-0/+7
| | | | | | | | | | | Not yet used. Returns true if we're processing the last SMB2 request in a compound. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15172 Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> (cherry picked from commit e668c3a82cd566b405c976d45659dd79786948de)
* s4: torture: Add an async SMB2_OP_FLUSH + SMB2_OP_FLUSH test to ↵Jeremy Allison2023-01-162-0/+116
| | | | | | | | | | | | | | | | | | | | | | | smb2.compound_async. Shows we fail sending an SMB2_OP_FLUSH + SMB2_OP_FLUSH compound if we immediately close the file afterward. Internally the flushes go async and we free the req, then we process the close. When the flushes complete they try to access already freed data. Extra test which will allow me to test when the final component (flush) of the compound goes async and returns NT_STATUS_PENDING. Add knownfail. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15172 Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> (cherry picked from commit 6f149dfd9d8d2619a9e18975ebcf5e69df2b7766)
* s4: torture: Add an async SMB2_OP_FLUSH + SMB2_OP_CLOSE test to ↵Jeremy Allison2023-01-164-0/+121
| | | | | | | | | | | | | | | | | | | | smb2.compound_async. Shows we fail sending an SMB2_OP_FLUSH + SMB2_OP_CLOSE compound. Internally the flush goes async and we free the req, then we process the close. When the flush completes it tries to access already freed data. Found using the Apple MacOSX client at SNIA SDC 2022. Add knownfail. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15172 Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> (back-ported from commit 17a110c1b58196eb8ecf3c76eb97e8508976c544)
* nsswitch:libwbclient - fix leak in wbcCtxPingDc2Andrew Walker2023-01-161-0/+1
| | | | | | | | | | | | | | | Memory allocated for response is never freed. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15164 Signed-off-by: Andrew Walker <awalker@ixsystems.com> Reviewed-by: Volker Lendecke <vl@samba.org> Reviewed-by: Christof Schmitt <cs@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Tue Sep 6 20:10:17 UTC 2022 on sn-devel-184 (cherry picked from commit aa9f3a2da97ae13cce3e50fe3d58f143200e9a17)
* s3: libsmbclient: Fix smbc_getxattr() to return 0 on success.Jeremy Allison2023-01-162-2/+5
| | | | | | | | | | | | | | Remove knownfail. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14808 Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: David Mulder <dmulder@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Tue Nov 1 18:31:22 UTC 2022 on sn-devel-184 (cherry picked from commit bdbb38d16c8eaff33484bb747efa639c4d8e7f35)
* s4: torture: Show return value for smbc_getxattr() is incorrect (returns >0 ↵Jeremy Allison2023-01-162-0/+95
| | | | | | | | | | | | | | | for success, should return zero). Add torture test to show smbc_getxattr() should return -1 on failure, 0 on success. Add knownfail. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14808 Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: David Mulder <dmulder@samba.org> (cherry picked from commit 74636dfe24c15677261fc40c0a4ec62404898cf4)
* s4:lib/messaging: fix interaction between imessaging_context_destructor and ↵Stefan Metzmacher2023-01-132-0/+16
| | | | | | | | | | | | | irpc_destructor BUG: https://bugzilla.samba.org/show_bug.cgi?id=15280 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> (cherry picked from commit 0d096931196524a2d1bf59470bc629dc9231131e) Autobuild-User(v4-16-test): Jule Anger <janger@samba.org> Autobuild-Date(v4-16-test): Fri Jan 13 10:31:22 UTC 2023 on sn-devel-184
* s3:rpc_server/srvsvc: make sure we (re-)load all shares as root.Stefan Metzmacher2023-01-132-13/+16
| | | | | | | | | | | | | | | | | | | | | | | This fixes a regression in commit f03665bb7e8ea97699062630f2aa1bac4c5dfc7f The use of reload_services() has a lot of side effects, e.g. reopen of log files and other things, which are only useful in smbd, but not in rpcd_classic. It was also unloading the user and registry shares we loaded a few lines above. We need to do all (re-)loading as root, otherwise we won't be able to read root only smb.conf files, access registry shares, ... BUG: https://bugzilla.samba.org/show_bug.cgi?id=15243 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15266 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Walker <awalker@ixsystems.com> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Thu Dec 29 21:14:02 UTC 2022 on sn-devel-184 (cherry picked from commit f28553105be7465026bcc0fcbbed6a1a8c2133dd)
* selftest: add samba3.blackbox.registry_shareStefan Metzmacher2023-01-134-0/+75
| | | | | | | | | | | | | This demonstrates the regression introduced by f03665bb7e8ea97699062630f2aa1bac4c5dfc7f, where registry shares are no longer listed. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15243 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15266 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Walker <awalker@ixsystems.com> (cherry picked from commit a00c7395fbc7974a61a70ae54ea6ae6349933de2)
* testprogs: Add testit_grep_count() helperVolker Lendecke2023-01-131-0/+29
| | | | | | | | | Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> (cherry picked from commit 55feb593012fc5b24e795a00081666fca740429c) BUG: https://bugzilla.samba.org/show_bug.cgi?id=15243 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15266
* testprogs: Reformat subunit.shAndreas Schneider2023-01-131-53/+62
| | | | | | | | shfmt -w -p -i 0 -fn testprogs/blackbox/subunit.sh Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Pavel Filipenský <pfilipensky@samba.org> (cherry picked from commit 561e9256551ae3fe1d6ff4974884714d69d91898)
* s3:client: Fix a use-after-free issue in smbclientAndreas Schneider2023-01-031-2/+3
| | | | | | | | | | | | | | | | | Detected by make test TESTS="samba3.blackbox.chdir-cache" with an optimized build or with AddressSanitizer. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15268 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> (cherry picked from commit 9c707b4be27e2a6f79886d3ec8b5066c922b99bd) Autobuild-User(v4-16-test): Jule Anger <janger@samba.org> Autobuild-Date(v4-16-test): Tue Jan 3 19:19:57 UTC 2023 on sn-devel-184
* s3:script: Improve test_chdir_cache.shAndreas Schneider2023-01-031-4/+8
| | | | | | | | BUG: https://bugzilla.samba.org/show_bug.cgi?id=15268 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> (cherry picked from commit 0d1961267cd9e8f1158a407c5d135514c363f37e)
* s3:tests: Reformat test_chdir_cache.shAndreas Schneider2023-01-031-16/+22
| | | | | | | shfmt -f source3/script/| xargs shfmt -w -p -i 0 -fn Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s3:params:lp_do_section - protect against NULL derefAndrew Walker2023-01-031-1/+1
| | | | | | | | | | | | | | | | | | iServiceIndex may indicate an empty slot in the ServicePtrs array. In this case, lpcfg_serivce_ok(ServicePtrs[iServiceIndex]) may trigger a NULL deref and crash. Skipping the check here will cause a scan of the array in add_a_service() and the NULL slot will be used safely. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15267 Signed-off-by: Andrew Walker <awalker@ixsystems.com> Reviewed-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Tue Dec 20 18:49:54 UTC 2022 on sn-devel-184 (cherry picked from commit 5b19288949e97a5af742ff2719992d56f21e364a)
* rpc_server:srvsvc - retrieve share ACL via root contextAndrew2023-01-031-3/+14
| | | | | | | | | | | | | | | share_info.tdb has permissions of 0o600 and so we need to become_root() prior to retrieving the security info. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15265 Signed-off-by: Andrew Walker <awalker@ixsystems.com> Reviewed-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Mon Dec 19 20:41:15 UTC 2022 on sn-devel-184 (cherry picked from commit 80c0b416892bfacc0d919fe032461748d7962f05)
* ctdb: Fix a use-after-free in run_procVolker Lendecke2023-01-031-2/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | If you happen to talloc_free(run_ctx) before all the tevent_req's hanging off it, you run into the following: ==495196== Invalid read of size 8 ==495196== at 0x10D757: run_proc_state_destructor (run_proc.c:413) ==495196== by 0x488F736: _tc_free_internal (talloc.c:1158) ==495196== by 0x488FBDD: _talloc_free_internal (talloc.c:1248) ==495196== by 0x4890F41: _talloc_free (talloc.c:1792) ==495196== by 0x48538B1: tevent_req_received (tevent_req.c:293) ==495196== by 0x4853429: tevent_req_destructor (tevent_req.c:129) ==495196== by 0x488F736: _tc_free_internal (talloc.c:1158) ==495196== by 0x4890AF6: _tc_free_children_internal (talloc.c:1669) ==495196== by 0x488F967: _tc_free_internal (talloc.c:1184) ==495196== by 0x488FBDD: _talloc_free_internal (talloc.c:1248) ==495196== by 0x4890F41: _talloc_free (talloc.c:1792) ==495196== by 0x10DE62: main (run_proc_test.c:86) ==495196== Address 0x55b77f8 is 152 bytes inside a block of size 160 free'd ==495196== at 0x48399AB: free (vg_replace_malloc.c:538) ==495196== by 0x488FB25: _tc_free_internal (talloc.c:1222) ==495196== by 0x488FBDD: _talloc_free_internal (talloc.c:1248) ==495196== by 0x4890F41: _talloc_free (talloc.c:1792) ==495196== by 0x10D315: run_proc_context_destructor (run_proc.c:329) ==495196== by 0x488F736: _tc_free_internal (talloc.c:1158) ==495196== by 0x488FBDD: _talloc_free_internal (talloc.c:1248) ==495196== by 0x4890F41: _talloc_free (talloc.c:1792) ==495196== by 0x10DE62: main (run_proc_test.c:86) ==495196== Block was alloc'd at ==495196== at 0x483877F: malloc (vg_replace_malloc.c:307) ==495196== by 0x488EAD9: __talloc_with_prefix (talloc.c:783) ==495196== by 0x488EC73: __talloc (talloc.c:825) ==495196== by 0x488F0FC: _talloc_named_const (talloc.c:982) ==495196== by 0x48925B1: _talloc_zero (talloc.c:2421) ==495196== by 0x10C8F2: proc_new (run_proc.c:61) ==495196== by 0x10D4C9: run_proc_send (run_proc.c:381) ==495196== by 0x10DDF6: main (run_proc_test.c:79) This happens because run_proc_context_destructor() directly does a talloc_free() on the struct proc_context's and not the enclosing tevent_req's. run_proc_kill() makes sure that we don't follow proc->req, but it forgets the "state->proc", which is free()'ed, but later dereferenced in run_proc_state_destructor(). This is an attempt at a quick fix, I believe we should convert run_proc_context->plist into an array of tevent_req's, so that we can properly TALLOC_FREE() according to the "natural" hierarchy and not just pull an arbitrary thread out of that heap. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15269 Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Martin Schwenke <martin@meltin.net> Autobuild-User(master): Volker Lendecke <vl@samba.org> Autobuild-Date(master): Thu Oct 6 15:10:20 UTC 2022 on sn-devel-184 (cherry picked from commit 688be0177b04d04709813a02ae6da1e983ac25dd)
* VERSION: Bump version up to Samba 4.16.9...Jule Anger2022-12-151-2/+2
| | | | | | and re-enable GIT_SNAPSHOT. Signed-off-by: Jule Anger <janger@samba.org>
* VERSION: Disable GIT_SNAPSHOT for the 4.16.8 release.samba-4.16.8Jule Anger2022-12-151-1/+1
| | | | Signed-off-by: Jule Anger <janger@samba.org>
* WHATSNEW: Add release notes for Samba 4.16.8.Jule Anger2022-12-151-2/+150
| | | | Signed-off-by: Jule Anger <janger@samba.org>
* CVE-2022-37966 python:/tests/krb5: call sys.path.insert(0, "bin/python") ↵Stefan Metzmacher2022-12-1418-56/+64
| | | | | | | | | | | | | | | | | | | | | | | before any other imports This allows the tests to be executed without an explicit PYTHONPATH="bin/python". BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Tue Dec 13 14:06:14 UTC 2022 on sn-devel-184 (similar to commit 987cba90573f955fe9c781830daec85ad4d5bf92) [jsutton@samba.org Fixed conflicts; removed changes to non-existent tests] Autobuild-User(v4-16-test): Stefan Metzmacher <metze@samba.org> Autobuild-Date(v4-16-test): Wed Dec 14 11:34:00 UTC 2022 on sn-devel-184
* CVE-2022-37966 samba-tool: add 'domain trust modify' commandStefan Metzmacher2022-12-142-0/+126
| | | | | | | | | | | | For now it only allows the admin to modify the msDS-SupportedEncryptionTypes values. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> (cherry picked from commit d1999c152acdf939b4cd7eb446dd9921d3edae29)
* CVE-2022-37966 s4:kdc: apply restrictions of "kdc supported enctypes"Stefan Metzmacher2022-12-141-2/+10
| | | | | | | | | BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit cca3c024fc514bee79bb60a686e470605cc98d6f)
* CVE-2022-37966 param: Add support for new option "kdc supported enctypes"Stefan Metzmacher2022-12-142-0/+109
| | | | | | | | | | | This allows admins to disable enctypes completely if required. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit 36d0a495159f72633f1f41deec979095417a1727)
* CVE-2022-37966 param: let "kdc default domain supportedenctypes = 0" mean ↵Stefan Metzmacher2022-12-146-10/+13
| | | | | | | | | | | | | | the default In order to allow better upgrades we need the default value for smb.conf to the same even if the effective default value of the software changes in future. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit fa64f8fa8d92167ed15d1109af65bbb4daab4bad)
* CVE-2022-37966 param: don't explicitly initialize "kdc force enable rc4 weak ↵Stefan Metzmacher2022-12-142-5/+0
| | | | | | | | | | | | | session keys" to false/"no" This is not squashed in order to allow easier backports... BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit 7504a4d6fee7805aac7657b9dab88c48353d6db4)
* CVE-2022-37966 s4:kdc: announce PA-SUPPORTED-ETYPES like windows.Stefan Metzmacher2022-12-145-3051/+768
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We need to take the value from the msDS-SupportedEncryptionTypes attribute and only take the default if there's no value or if the value is 0. For krbtgt and DC accounts we need to force support for ARCFOUR-HMAC-MD5 and AES encryption types and add the related bits in addtition. (Note for krbtgt msDS-SupportedEncryptionTypes is completely ignored the hardcoded value is the default, so there's no AES256-SK for krbtgt). For UF_USE_DES_KEY_ONLY on the account we reset the value to 0, these accounts are in fact disabled completely, as they always result in KRB5KDC_ERR_ETYPE_NOSUPP. Then we try to get all encryption keys marked in supported_enctypes, and the available_enctypes is a reduced set depending on what keys are actually stored in the database. We select the supported session key enctypes by the available keys and in addition based on AES256-SK as well as the "kdc force enable rc4 weak session keys" option. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13135 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit fde745ec3491a4fd7b23e053a67093a2ccaf0905) [jsutton@samba.org Adapted to older KDC code]
* CVE-2022-37966 python:tests/krb5: test much more etype combinationsStefan Metzmacher2022-12-143-515/+4046
| | | | | | | | | | | | | | | | This tests work out the difference between - msDS-SupportedEncryptionTypes value or it's default - software defined extra flags for DC accounts - accounts with only an nt hash being stored - the resulting value in the KRB5_PADATA_SUPPORTED_ETYPES announcement BUG: https://bugzilla.samba.org/show_bug.cgi?id=13135 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit 1dfa91682efd3b12d7d6af75287efb12ebd9e526)
* CVE-2022-37966 python:tests/krb5: add better PADATA_SUPPORTED_ETYPES assert ↵Stefan Metzmacher2022-12-141-2/+2
| | | | | | | | | | | message BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit c7c576208960e336da276e251ad7a526e1b3ed45)
* CVE-2022-37966 python:tests/krb5: add 'force_nt4_hash' for account creation ↵Stefan Metzmacher2022-12-141-6/+32
| | | | | | | | | | | | | | | | of KDCBaseTest This will allow us to create tests accounts with only an nt4 hash stored, without any aes keys. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit 77bd3258f1db0ddf4639a83a81a1aad3ee52c87d) [jsutton@samba.org Fixed conflicts in parameters]
* CVE-2022-37966 python:tests/krb5: ignore empty supplementalCredentials ↵Stefan Metzmacher2022-12-141-0/+2
| | | | | | | | | | | attributes BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit f434a30ee7c40aac4a223fcabac9ddd160a155a5)
* CVE-2022-37966 python:tests/krb5: allow ticket/supported_etypes to be passed ↵Stefan Metzmacher2022-12-141-3/+8
| | | | | | | | | | | KdcTgsBaseTests._{as,tgs}_req() BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit d8fd6a22b67a2b3ae03a2e428cc4987f07af6e29)
* CVE-2022-37966 python:tests/krb5: fix some tests running against Windows 2022Stefan Metzmacher2022-12-143-7/+43
| | | | | | | | | | | | | | | | | | | | | | | | | | I'm using the following options: SERVER=172.31.9.218 DC_SERVER=w2022-118.w2022-l7.base \ SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 \ DOMAIN=W2022-L7 REALM=W2022-L7.BASE \ ADMIN_USERNAME=Administrator ADMIN_PASSWORD=A1b2C3d4 \ CLIENT_USERNAME=Administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=28 CLIENT_KVNO=2 \ FULL_SIG_SUPPORT=1 TKT_SIG_SUPPORT=1 FORCED_RC4=1 in order to run these: python/samba/tests/krb5/as_req_tests.py -v --failfast AsReqKerberosTests python/samba/tests/krb5/etype_tests.py -v --failfast EtypeTests BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit e0f89b7bc8025db615dccf096aab4ca87e655368) [jsutton@samba.org Fixed conflicts in parameters; brought in rep_padata non-None assertion]
* CVE-2022-37966 s4:libnet: allow python bindings to force setting an nthash ↵Stefan Metzmacher2022-12-141-3/+15
| | | | | | | | | | | via SAMR level 18 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit 4ebbe7e40754eeb1c8f221dd59018c3e681ab2ab)
* CVE-2022-37966 s4:libnet: add support LIBNET_SET_PASSWORD_SAMR_HANDLE_18 to ↵Stefan Metzmacher2022-12-142-0/+80
| | | | | | | | | | | set nthash only BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit 271cd82cd681d723572fcaeed24052dc98a83612)
* CVE-2022-37966 s4:libnet: initialize libnet_SetPassword() arguments ↵Stefan Metzmacher2022-12-142-2/+4
| | | | | | | | | | | explicitly to zero by default. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit 9e69289b099b47e0352ef67ef7e6529d11688e9a)
* CVE-2022-37966 drsuapi.idl: add trustedDomain related ATTID valuesStefan Metzmacher2022-12-141-0/+9
| | | | | | | | | | | | | | For now this is only for debugging in order to see DRSUAPI_ATTID_msDS_SupportedEncryptionTypes in the replication meta data. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15219 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit f1c5fa28c460f7e011049606b1b9ef96443e5e1f)
* CVE-2022-37966 s4:kdc: use the strongest possible keysStefan Metzmacher2022-12-141-15/+8
| | | | | | | | | | BUG: https://bugzilla.samba.org/show_bug.cgi?id=13135 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit d7ea197ed1a9903f601030e6466cc822f9b8f794)
* CVE-2022-37966 s4:pydsdb: add ENC_HMAC_SHA1_96_AES256_SKStefan Metzmacher2022-12-141-0/+1
| | | | | | | | | BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit 621b8c3927b63776146940b183b03b3ea77fd2d7)
* CVE-2022-37966 s3:net_ads: let 'net ads enctypes list' pretty print ↵Stefan Metzmacher2022-12-141-0/+6
| | | | | | | | | | | AES256-SK and RESOURCE-SID-COMPRESSION-DISABLED BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit b7260c89e0df18822fa276e681406ec4d3921caa)
* CVE-2022-37966 s3:net_ads: no longer reference des encryption typesStefan Metzmacher2022-12-141-1/+2
| | | | | | | | | | | | We no longer have support for des encryption types in the kerberos libraries anyway. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit 4cedaa643bf95ef2628f1b631feda833bb2e7da1)
View Lorry Controller Status