summaryrefslogtreecommitdiff
path: root/source4
Commit message (Collapse)AuthorAgeFilesLines
...
* s4: torture: Show return value for smbc_getxattr() is incorrect (returns >0 ↵Jeremy Allison2023-01-161-0/+94
| | | | | | | | | | | | | | | for success, should return zero). Add torture test to show smbc_getxattr() should return -1 on failure, 0 on success. Add knownfail. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14808 Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: David Mulder <dmulder@samba.org> (cherry picked from commit 74636dfe24c15677261fc40c0a4ec62404898cf4)
* s4:lib/messaging: fix interaction between imessaging_context_destructor and ↵Stefan Metzmacher2023-01-132-0/+16
| | | | | | | | | | irpc_destructor BUG: https://bugzilla.samba.org/show_bug.cgi?id=15280 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> (cherry picked from commit 0d096931196524a2d1bf59470bc629dc9231131e)
* s4:libnet: correctly handle gnutls_pbkdf2() errorsStefan Metzmacher2022-12-141-1/+4
| | | | | | | | | | | | | | | | | | | | We should not ignore the error nor should we map GNUTLS_E_UNWANTED_ALGORITHM to NT_STATUS_WRONG_PASSWORD, instead we use NT_STATUS_CRYPTO_SYSTEM_INVALID as in most other places in the same file. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15206 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Björn Baumbach <bbaumbach@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Wed Dec 14 13:35:20 UTC 2022 on sn-devel-184 (cherry picked from commit eb5df255faea7326a7b85c1e7ce5a66119a27c3a) Autobuild-User(v4-17-test): Stefan Metzmacher <metze@samba.org> Autobuild-Date(v4-17-test): Wed Dec 14 14:46:02 UTC 2022 on sn-devel-184
* s4:libnet: fix error string for failing samr_ChangePasswordUser4()Stefan Metzmacher2022-12-141-1/+1
| | | | | | | | BUG: https://bugzilla.samba.org/show_bug.cgi?id=15206 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Björn Baumbach <bbaumbach@samba.org> (cherry picked from commit 53d558365161be1793dad78ebcce877c732f2419)
* CVE-2022-37966 s4:kdc: apply restrictions of "kdc supported enctypes"Stefan Metzmacher2022-12-141-2/+10
| | | | | | | | | BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit cca3c024fc514bee79bb60a686e470605cc98d6f)
* CVE-2022-37966 param: let "kdc default domain supportedenctypes = 0" mean ↵Stefan Metzmacher2022-12-141-1/+5
| | | | | | | | | | | | | | the default In order to allow better upgrades we need the default value for smb.conf to the same even if the effective default value of the software changes in future. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit fa64f8fa8d92167ed15d1109af65bbb4daab4bad)
* CVE-2022-37966 s4:kdc: announce PA-SUPPORTED-ETYPES like windows.Stefan Metzmacher2022-12-143-71/+151
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We need to take the value from the msDS-SupportedEncryptionTypes attribute and only take the default if there's no value or if the value is 0. For krbtgt and DC accounts we need to force support for ARCFOUR-HMAC-MD5 and AES encryption types and add the related bits in addtition. (Note for krbtgt msDS-SupportedEncryptionTypes is completely ignored the hardcoded value is the default, so there's no AES256-SK for krbtgt). For UF_USE_DES_KEY_ONLY on the account we reset the value to 0, these accounts are in fact disabled completely, as they always result in KRB5KDC_ERR_ETYPE_NOSUPP. Then we try to get all encryption keys marked in supported_enctypes, and the available_enctypes is a reduced set depending on what keys are actually stored in the database. We select the supported session key enctypes by the available keys and in addition based on AES256-SK as well as the "kdc force enable rc4 weak session keys" option. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13135 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit fde745ec3491a4fd7b23e053a67093a2ccaf0905)
* CVE-2022-37966 s4:libnet: allow python bindings to force setting an nthash ↵Stefan Metzmacher2022-12-141-3/+15
| | | | | | | | | | | via SAMR level 18 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit 4ebbe7e40754eeb1c8f221dd59018c3e681ab2ab)
* CVE-2022-37966 s4:libnet: add support LIBNET_SET_PASSWORD_SAMR_HANDLE_18 to ↵Stefan Metzmacher2022-12-142-0/+80
| | | | | | | | | | | set nthash only BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit 271cd82cd681d723572fcaeed24052dc98a83612)
* CVE-2022-37966 s4:libnet: initialize libnet_SetPassword() arguments ↵Stefan Metzmacher2022-12-142-2/+4
| | | | | | | | | | | explicitly to zero by default. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit 9e69289b099b47e0352ef67ef7e6529d11688e9a)
* CVE-2022-37966 s4:kdc: use the strongest possible keysStefan Metzmacher2022-12-141-15/+8
| | | | | | | | | | BUG: https://bugzilla.samba.org/show_bug.cgi?id=13135 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit d7ea197ed1a9903f601030e6466cc822f9b8f794)
* CVE-2022-37966 s4:pydsdb: add ENC_HMAC_SHA1_96_AES256_SKStefan Metzmacher2022-12-141-0/+1
| | | | | | | | | BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit 621b8c3927b63776146940b183b03b3ea77fd2d7)
* CVE-2022-37966 s4:kdc: also limit the krbtgt history to their strongest keysStefan Metzmacher2022-12-141-0/+2
| | | | | | | | | BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit 6b46b764fc5760d3bf83bb1ea5fa398d993cf68d)
* CVE-2022-37966 kdc: Assume trust objects support AES by defaultJoseph Sutton2022-12-141-1/+2
| | | | | | | | | | | | | As part of matching the behaviour of Windows, assume that trust objects support AES256, but not RC4, if not specified otherwise. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15219 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit 4bb50c868c8ed14372cb7d27e53cdaba265fc33d)
* CVE-2022-37966 kdc: Implement new Kerberos session key behaviour since ↵Andrew Bartlett2022-12-144-25/+236
| | | | | | | | | | | | | | | | | | | | ENC_HMAC_SHA1_96_AES256_SK was added ENC_HMAC_SHA1_96_AES256_SK is a flag introduced for by Microsoft in this CVE to indicate that additionally, AES session keys are available. We set the etypes available for session keys depending on the encryption types that are supported by the principal. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15219 Pair-Programmed-With: Joseph Sutton <josephsutton@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <metze@samba.org> (similar to commit 975e43fc45531fdea14b93a3b1529b3218a177e6) [jsutton@samba.org Fixed knownfail conflicts]
* CVE-2022-37966 selftest: Run S4U tests against FL2003 DCJoseph Sutton2022-12-141-2/+7
| | | | | | | | | | | | This shows that changes around RC4 encryption types do not break older functional levels where only RC4 keys are available. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit 44802c46b18caf3c7f9f2fb1b66025fc30e22ac5)
* CVE-2022-37966 selftest: Add tests for Kerberos session key behaviour since ↵Joseph Sutton2022-12-141-4/+12
| | | | | | | | | | | | | | | | | | | | ENC_HMAC_SHA1_96_AES256_SK was added ENC_HMAC_SHA1_96_AES256_SK is a flag introduced for by Microsoft in this CVE to indicate that additionally, AES session keys are available. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <metze@samba.org> (similar to commit 371d7e63fcb966ab54915a3dedb888d48adbf0c0) [jsutton@samba.org Removed unneeded fast_tests.py change, added non_etype_bits in raw_testcase.py, fixed conflicts in knownfails and tests.py]
* CVE-2022-37967 Add new PAC checksumJoseph Sutton2022-12-144-5/+50
| | | | | | | | | | | | | BUG: https://bugzilla.samba.org/show_bug.cgi?id=15231 Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org> Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> (similar to commit a50a2be622afaa7a280312ea12f5eb9c9a0c41da) [jsutton@samba.org Fixed conflicts in krb5pac.idl and raw_testcase.py]
* CVE-2022-37966 tests/krb5: Add a test requesting tickets with various ↵Joseph Sutton2022-12-141-0/+4
| | | | | | | | | | | | | | | | encryption types The KDC should leave the choice of ticket encryption type up to the target service, and admit no influence from the client. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (similar to commit 177334c04230d0ad74bfc2b6825ffbebd5afb9af) [jsutton@samba.org Fixed conflicts in usage.py, knownfails, tests.py]
* CVE-2022-38023 s4:rpc_server/netlogon: implement "server schannel require ↵Stefan Metzmacher2022-12-141-1/+243
| | | | | | | | | | | | | | | | seal[:COMPUTERACCOUNT]" By default we'll now require schannel connections with privacy/sealing/encryption. But we allow exceptions for specific computer/trust accounts. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> (cherry picked from commit b3ed90a0541a271a7c6d4bee1201fa47adc3c0c1)
* CVE-2022-38023 s4:rpc_server/netlogon: add a per connection cache to ↵Stefan Metzmacher2022-12-141-40/+153
| | | | | | | | | | | | | dcesrv_netr_check_schannel() It's enough to warn the admin once per connection. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> (cherry picked from commit 3c57608e1109c1d6e8bb8fbad2ef0b5d79d00e1a)
* CVE-2022-38023 s4:rpc_server/netlogon: make sure all ↵Stefan Metzmacher2022-12-141-7/+29
| | | | | | | | | | | | | | dcesrv_netr_LogonSamLogon*() calls go through dcesrv_netr_check_schannel() We'll soon add some additional contraints in dcesrv_netr_check_schannel(), which are also required for dcesrv_netr_LogonSamLogonEx(). BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> (cherry picked from commit 689507457f5e6666488732f91a355a2183fb1662)
* CVE-2022-38023 s4:rpc_server/netlogon: split out ↵Stefan Metzmacher2022-12-141-33/+51
| | | | | | | | | | | | | | dcesrv_netr_check_schannel() function This will allow us to reuse the function in other places. As it will also get some additional checks soon. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> (cherry picked from commit f43dc4f0bd60d4e127b714565147f82435aa4f07)
* CVE-2022-38023 s4:rpc_server/netlogon: debug 'reject md5 servers' and 'allow ↵Stefan Metzmacher2022-12-141-0/+143
| | | | | | | | | | | | | | nt4 crypto' misconfigurations This allows the admin to notice what's wrong in order to adjust the configuration if required. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> (cherry picked from commit 43df4be35950f491864ae8ada05d51b42a556381)
* CVE-2022-38023 s4:rpc_server/netlogon: add 'server reject md5 ↵Stefan Metzmacher2022-12-141-3/+55
| | | | | | | | | | | | | | | | schannel:COMPUTERACCOUNT = no' and 'allow nt4 crypto:COMPUTERACCOUNT = yes' This makes it more flexible when we change the global default to 'reject md5 servers = yes'. 'allow nt4 crypto = no' is already the default. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> (cherry picked from commit 69b36541606d7064de9648cd54b35adfdf8f0e8f)
* CVE-2022-38023 s4:rpc_server/netlogon: defer downgrade check until we found ↵Stefan Metzmacher2022-12-141-23/+53
| | | | | | | | | | | | | | the account in our SAM We'll soon make it possible to use 'reject md5 servers:CLIENTACCOUNT$ = no', which means we'll need use the account name from our SAM. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> (cherry picked from commit b09f51eefc311bbb1525efd1dc7b9a837f7ec3c2)
* CVE-2022-38023 s4:rpc_server/netlogon: require aes if weak crypto is disabledStefan Metzmacher2022-12-142-1/+10
| | | | | | | | | BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> (cherry picked from commit 4c7f84798acd1e3218209d66d1a92e9f42954d51)
* CVE-2022-38023 s4:rpc_server/netlogon: split out ↵Stefan Metzmacher2022-12-141-47/+67
| | | | | | | | | | | | | | dcesrv_netr_ServerAuthenticate3_check_downgrade() We'll soon make it possible to use 'reject md5 servers:CLIENTACCOUNT$ = no', which means we'll need the downgrade detection in more places. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> (cherry picked from commit b6339fd1dcbe903e73efeea074ab0bd04ef83561)
* CVE-2022-38023 s4:torture: use NETLOGON_NEG_SUPPORTS_AES by defaultStefan Metzmacher2022-12-144-18/+27
| | | | | | | | | | | | | For generic tests we should use the best available features. And AES will be required by default soon. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> (cherry picked from commit cfd55a22cda113fbb2bfa373b54091dde1ea6e66)
* CVE-2022-38023 s4:rpc_server/netlogon: improve CVE-2020-1472(ZeroLogon) ↵Stefan Metzmacher2022-12-141-41/+106
| | | | | | | | | | | | | | | | | debug messages In order to avoid generating useless debug messages during make test, we will use 'CVE_2020_1472:warn_about_unused_debug_level = 3' and 'CVE_2020_1472:error_debug_level = 2' in order to avoid schannel warnings. Review with: git show -w BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> (cherry picked from commit 16ee03efc194d9c1c2c746f63236b977a419918d)
* CVE-2022-38023 s4:rpc_server/netlogon: re-order checking in ↵Stefan Metzmacher2022-12-141-22/+19
| | | | | | | | | | | | | dcesrv_netr_creds_server_step_check() This will simplify the following changes. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> (cherry picked from commit ec62151a2fb49ecbeaa3bf924f49a956832b735e)
* CVE-2022-38023 s4:rpc_server/netlogon: add talloc_stackframe() to ↵Stefan Metzmacher2022-12-141-13/+19
| | | | | | | | | | | | | dcesrv_netr_creds_server_step_check() This will simplify the following changes. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> (cherry picked from commit 0e6a2ba83ef1be3c6a0f5514c21395121621a145)
* CVE-2022-38023 s4:rpc_server/netlogon: add a lp_ctx variable to ↵Stefan Metzmacher2022-12-141-3/+4
| | | | | | | | | | | | | dcesrv_netr_creds_server_step_check() This will simplify the following changes. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> (cherry picked from commit 7baabbe9819cd5a2714e7ea4e57a0c23062c0150)
* CVE-2022-38023 s4:rpc_server/netlogon: 'server schannel != yes' warning to ↵Stefan Metzmacher2022-12-141-11/+15
| | | | | | | | | | | | | dcesrv_interface_netlogon_bind This will simplify the following changes. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> (cherry picked from commit e060ea5b3edbe3cba492062c9605f88fae212ee0)
* CVE-2021-20251: s4:auth: fix use after free in ↵Stefan Metzmacher2022-12-126-17/+25
| | | | | | | | | | | | | | | | | | | | authsam_logon_success_accounting() This fixes a use after free problem introduced by commit 7b8e32efc336fb728e0c7e3dd6fbe2ed54122124, which has msg = current; which means the lifetime of the 'msg' memory is no longer in the scope of th caller. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15253 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit 1414269dccfd7cb831889cc92df35920b034457c) Autobuild-User(v4-17-test): Stefan Metzmacher <metze@samba.org> Autobuild-Date(v4-17-test): Mon Dec 12 13:39:00 UTC 2022 on sn-devel-184
* torture: add a test trying to set FILE_ATTRIBUTE_TEMPORARY on a directoryRalph Boehme2022-12-051-0/+47
| | | | | | | | BUG: https://bugzilla.samba.org/show_bug.cgi?id=15252 Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit fdb19ce8aa189f6cfbd2d1fd7ed6fe809ba93cf3)
* python/samba/tests: fix samba.tests.auth_log_pass_change for later gnutlsNoel Power2022-10-311-3/+6
| | | | | | | | | | | | | | later gnutls that support GNUTLS_PBKDF2 currently fail, we need to conditionally switch test data to reflect use of 'samr_ChangePasswordUser3' or 'samr_ChangePasswordUser4' depending on whether GNUTLS_PBKDF2 is supported or not Signed-off-by: Noel Power <noel.power@suse.com> Reviewed-by: Andreas Schneider <asn@samba.org> (cherry picked from commit ce7c418ca4f8f82e61a9a02a6589ab1c4df51d63) Autobuild-User(v4-17-test): Jule Anger <janger@samba.org> Autobuild-Date(v4-17-test): Mon Oct 31 10:08:34 UTC 2022 on sn-devel-184
* s4/rpc_server/sambr: don't mutate the return of samdb_set_password_aesNoel Power2022-10-311-1/+0
| | | | | | | | | | | | prior to this commit return of samdb_set_password_aes was set to NT_STATUS_WRONG_PASSWORD on failure. Useful status that should be returned such as NT_STATUS_PASSWORD_RESTRICTION are swallowed here otherwise (and in this case can be partially responsible for failures in test samba.tests.auth_log_pass_change (with later gnutls) Signed-off-by: Noel Power <noel.power@suse.com> Reviewed-by: Andreas Schneider <asn@samba.org> (cherry picked from commit 416bf5a41827a4e486215bfc8e47abc570c6e899)
* s4:libnet: If we successfully changed the password we are doneAndreas Schneider2022-10-311-14/+18
| | | | | | | | BUG: https://bugzilla.samba.org/show_bug.cgi?id=15206 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Noel Power <noel.power@suse.com> (cherry picked from commit 30ca92a8164e1c3a76cdb798ee997d27621a5abb)
* s3:rpcclient: Pass salt down to init_samr_CryptPasswordAES()Andreas Schneider2022-10-312-6/+34
| | | | | | | | BUG: https://bugzilla.samba.org/show_bug.cgi?id=15206 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Noel Power <noel.power@suse.com> (cherry picked from commit 16335412ff312ecb330f7890bd3e94117a5fa6ff)
* s4:ldap_server: let ldapsrv_call_writev_start use conn_idle_time to limit ↵Stefan Metzmacher2022-10-311-0/+5
| | | | | | | | | | | | | | | | | | | | | | the time If the client is not able to receive the results within connections idle time, then we should treat it as dead. It's value is 15 minutes (900 s) by default. In order to limit that further an admin can use 'socket options' and set TCP_KEEPCNT, TCP_KEEPIDLE, TCP_KEEPINTVL and/or TCP_USER_TIMEOUT to useful values. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15202 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Wed Oct 19 17:13:39 UTC 2022 on sn-devel-184 (cherry picked from commit eb2f3526032803f34c88ef1619a832a741f71910)
* CVE-2022-3437 s4/auth/tests: Add unit tests for unwrap_des3()Joseph Sutton2022-10-242-0/+1265
| | | | | | | BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4: torture: libsmbclient: Add a torture test to ensure smbc_stat() returns ↵Jeremy Allison2022-10-191-0/+63
| | | | | | | | | | | | ENOENT on a non-existent file. Add knownfail. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15195 Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Pavel Filipenský <pfilipensky@samba.org> (cherry picked from commit 9eda432836bfff3d3d4a365a08a5ecb54f0f2e34)
* s4:messaging: let imessaging_client_init() use ↵Stefan Metzmacher2022-10-191-1/+1
| | | | | | | | | | | | | | | | | | | | imessaging_init_discard_incoming() imessaging_client_init() is for temporary stuff only, so we should drop (unexpected) incoming messages unless we expect irpc responses. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15201 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> Autobuild-User(master): Ralph Böhme <slow@samba.org> Autobuild-Date(master): Thu Oct 13 13:32:30 UTC 2022 on sn-devel-184 (cherry picked from commit 266bcedc18efc52e29efde6bad220623a5423e30) Autobuild-User(v4-17-test): Jule Anger <janger@samba.org> Autobuild-Date(v4-17-test): Wed Oct 19 09:51:29 UTC 2022 on sn-devel-184
* s4:messaging: add imessaging_init_discard_incoming()Stefan Metzmacher2022-10-193-1/+85
| | | | | | | | | | | | | | | | We often create imessaging contexts just for sending messages, but we'll never process incoming messages because a temporary event context was used and we just queue a lot of imessaging_post_state structures with immediate events. With imessaging_init_discard_incoming() we'll discard any incoming messages unless we have pending irpc requests. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15201 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> (cherry picked from commit a120fb1c724dfaed5a99e34aaf979502586f17c0)
* s4/lib/registry: Fix use after free with popt 1.19Noel Power2022-10-181-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | popt1.19 fixes a leak that exposes a use as free, make sure we duplicate return of poptGetArg if poptFreeContext is called before we use it. ==6357== Command: ./bin/regpatch file ==6357== Can't load /home/npower/samba-back/INSTALL_DIR/etc/smb.conf - run testparm to debug it ==6357== Syscall param openat(filename) points to unaddressable byte(s) ==6357== at 0x4BFE535: open (in /usr/lib64/libc.so.6) ==6357== by 0x4861432: reg_diff_load (patchfile.c:345) ==6357== by 0x4861CD3: reg_diff_apply (patchfile.c:542) ==6357== by 0x10ADF9: main (regpatch.c:114) ==6357== Address 0x70f79d0 is 0 bytes inside a block of size 5 free'd ==6357== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) ==6357== by 0x4AF38B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2) ==6357== by 0x4AF45D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2) ==6357== by 0x10ADCF: main (regpatch.c:111) ==6357== Block was alloc'd at ==6357== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) ==6357== by 0x4AF52EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2) ==6357== by 0x10ACBD: main (regpatch.c:79) ==6357== ==6357== Invalid read of size 1 ==6357== at 0x4849782: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) ==6357== by 0x4B5D50F: __vfprintf_internal (in /usr/lib64/libc.so.6) ==6357== by 0x4B7E719: __vasprintf_internal (in /usr/lib64/libc.so.6) ==6357== by 0x4AD32F0: __dbgtext_va (debug.c:1904) ==6357== by 0x4AD33F2: dbgtext (debug.c:1925) ==6357== by 0x4861515: reg_diff_load (patchfile.c:353) ==6357== by 0x4861CD3: reg_diff_apply (patchfile.c:542) ==6357== by 0x10ADF9: main (regpatch.c:114) ==6357== Address 0x70f79d0 is 0 bytes inside a block of size 5 free'd ==6357== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) ==6357== by 0x4AF38B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2) ==6357== by 0x4AF45D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2) ==6357== by 0x10ADCF: main (regpatch.c:111) ==6357== Block was alloc'd at ==6357== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) ==6357== by 0x4AF52EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2) ==6357== by 0x10ACBD: main (regpatch.c:79) ==6357== ==6357== Invalid read of size 1 ==6357== at 0x4849794: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) ==6357== by 0x4B5D50F: __vfprintf_internal (in /usr/lib64/libc.so.6) ==6357== by 0x4B7E719: __vasprintf_internal (in /usr/lib64/libc.so.6) ==6357== by 0x4AD32F0: __dbgtext_va (debug.c:1904) ==6357== by 0x4AD33F2: dbgtext (debug.c:1925) ==6357== by 0x4861515: reg_diff_load (patchfile.c:353) ==6357== by 0x4861CD3: reg_diff_apply (patchfile.c:542) ==6357== by 0x10ADF9: main (regpatch.c:114) ==6357== Address 0x70f79d1 is 1 bytes inside a block of size 5 free'd ==6357== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) ==6357== by 0x4AF38B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2) ==6357== by 0x4AF45D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2) ==6357== by 0x10ADCF: main (regpatch.c:111) ==6357== Block was alloc'd at ==6357== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) ==6357== by 0x4AF52EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2) ==6357== by 0x10ACBD: main (regpatch.c:79) ==6357== ==6357== Invalid read of size 1 ==6357== at 0x4B83DD0: _IO_default_xsputn (in /usr/lib64/libc.so.6) ==6357== by 0x4B5D39E: __vfprintf_internal (in /usr/lib64/libc.so.6) ==6357== by 0x4B7E719: __vasprintf_internal (in /usr/lib64/libc.so.6) ==6357== by 0x4AD32F0: __dbgtext_va (debug.c:1904) ==6357== by 0x4AD33F2: dbgtext (debug.c:1925) ==6357== by 0x4861515: reg_diff_load (patchfile.c:353) ==6357== by 0x4861CD3: reg_diff_apply (patchfile.c:542) ==6357== by 0x10ADF9: main (regpatch.c:114) ==6357== Address 0x70f79d0 is 0 bytes inside a block of size 5 free'd ==6357== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) ==6357== by 0x4AF38B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2) ==6357== by 0x4AF45D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2) ==6357== by 0x10ADCF: main (regpatch.c:111) ==6357== Block was alloc'd at ==6357== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) ==6357== by 0x4AF52EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2) ==6357== by 0x10ACBD: main (regpatch.c:79) ==6357== ==6357== Invalid read of size 1 ==6357== at 0x4B83DDF: _IO_default_xsputn (in /usr/lib64/libc.so.6) ==6357== by 0x4B5D39E: __vfprintf_internal (in /usr/lib64/libc.so.6) ==6357== by 0x4B7E719: __vasprintf_internal (in /usr/lib64/libc.so.6) ==6357== by 0x4AD32F0: __dbgtext_va (debug.c:1904) ==6357== by 0x4AD33F2: dbgtext (debug.c:1925) ==6357== by 0x4861515: reg_diff_load (patchfile.c:353) ==6357== by 0x4861CD3: reg_diff_apply (patchfile.c:542) ==6357== by 0x10ADF9: main (regpatch.c:114) ==6357== Address 0x70f79d2 is 2 bytes inside a block of size 5 free'd ==6357== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) ==6357== by 0x4AF38B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2) ==6357== by 0x4AF45D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2) ==6357== by 0x10ADCF: main (regpatch.c:111) ==6357== Block was alloc'd at ==6357== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) ==6357== by 0x4AF52EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2) ==6357== by 0x10ACBD: main (regpatch.c:79) ==6357== Error reading registry patch file `file' BUG: https://bugzilla.samba.org/show_bug.cgi?id=15205 Signed-off-by: Noel Power <noel.power@suse.com> Reviewed-by: Ralph Boehme <slow@samba.org> Autobuild-User(master): Ralph Böhme <slow@samba.org> Autobuild-Date(master): Fri Oct 14 13:38:55 UTC 2022 on sn-devel-184 (cherry picked from commit 7e0e3f47cd67e4cadc101691cd14837f45d9506a)
* s4: smbtorture: Add fsync_resource_fork test to fruit tests.Jeremy Allison2022-10-181-0/+80
| | | | | | | | | | | | | This shows we currently hang when sending an SMB2_OP_FLUSH on an AFP_Resource fork. Adds knownfail. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15182 Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org> (cherry picked from commit 1b8a8732848169c632af12b7c2b4cd3ee73be244)
* s4-libnet: Add messages to object count mismatch failuresAndrew Bartlett2022-10-071-0/+11
| | | | | | | | | | | This helps explain these better than WERR_GEN_FAILURE. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> (cherry picked from commit 483c48f52d6ff5e8149ed12bfeb2b6608c946f01)
* s4-rpc_server:getncchanges Add "old Samba" mode regarding GET_ANC/GET_TGTAndrew Bartlett2022-10-071-8/+44
| | | | | | | | | | | | | | | | | This emulates older verions of Samba that fail to implement DRSUAPI_DRS_GET_ANC correctly and totally fails to support DRSUAPI_DRS_GET_TGT. This will allow testing of a client-side fallback, allowing migration from sites that run very old Samba versions over DRSUAPI (currently the only option is to attempt an in-place upgrade). BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> (cherry picked from commit 314bc44fa9b8fc99c80bfcfff71f2cec67bbda36)
* selftest: Add tests for GetNCChanges GET_ANC using samba-tool drs ↵Andrew Bartlett2022-10-072-0/+107
| | | | | | | | | | | | | | | clone-dc-database This test, compared with the direct to RPC tests, will succeed, then fail once the server is changed to emulate Samba 4.5 and and again succeed once the python code changes to allow skipping the DRSUAPI_DRS_CRITICAL_ONLY step BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> (cherry picked from commit 7ff743d65dcf27ffe0c6861720e8ce531bfa378d)
View Lorry Controller Status