Jule Anger [Thu, 15 Dec 2022 15:59:56 +0000 (16:59 +0100)]
VERSION: Disable GIT_SNAPSHOT for the 4.15.13 release.
Signed-off-by: Jule Anger <janger@samba.org>
Jule Anger [Thu, 15 Dec 2022 15:59:16 +0000 (16:59 +0100)]
WHATSNEW: Add release notes for Samba 4.15.13.
Signed-off-by: Jule Anger <janger@samba.org>
Luke Howard [Thu, 20 Oct 2022 00:27:31 +0000 (13:27 +1300)]
kdc: avoid re-encoding KDC-REQ-BODY
Use --preserve-binary=KDC-REQ-BODY option to ASN.1 compiler to avoid
re-encoding KDC-REQ-BODYs for verification in GSS preauth, TGS and PKINIT.
[abartlet@samba.org adapted from Heimdal commit
ebfd48e40a1b61bf5a6b8d00fe5c581e24652b6e
by removing references to FAST and GSS-pre-auth.
This fixes the Windows 11 22H2 issue with TGS-REQ
as seen at https://github.com/heimdal/heimdal/issues/1011 and so
removes the knownfail file for this test]
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15197
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
[metze@samba.org private autobuild passed]
Joseph Sutton [Wed, 19 Oct 2022 23:36:44 +0000 (12:36 +1300)]
tests/krb5: Add test requesting a TGT expiring post-2038
This demonstrates the behaviour of Windows 11 22H2 over Kerberos,
which changed to use a year 9999 date for a forever timetime in
tickets.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15197
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Oct 20 05:00:23 UTC 2022 on sn-devel-184
(backported from commit
50cbdecf2e276e5f87b9c2d95fd3ca86d11a08e2)
[abartlet@samba.org Adapted from
50cbdecf2e276e5f87b9c2d95fd3ca86d11a08e2
as the kerberos tests have changed parameters in newer versions
breaking the context]
Joseph Sutton [Mon, 3 Oct 2022 23:25:08 +0000 (12:25 +1300)]
tests/krb5: Add test requesting a service ticket expiring post-2038
Windows 11 22H2 performs such requests, with year 9999.
The test fails with KDC_ERR_BAD_INTEGRITY on older
Heimdal versions, which are unable to verify a checksum
over the modified request body (due to a re-encoding failure).
REF: https://github.com/heimdal/heimdal/issues/1011
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15197
[abartlet@samba.org Add knownfail for backport - as Samba
4.15 and earlier fail this test, adapted commit
67811e121fbef08337675d473390160793544719 to test
paraemters in 4.15]
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(backported from commit
67811e121fbef08337675d473390160793544719)
Stefan Metzmacher [Tue, 29 Nov 2022 13:14:32 +0000 (14:14 +0100)]
CVE-2022-37966 python:/tests/krb5: call sys.path.insert(0, "bin/python") before any other imports
This allows the tests to be executed without an explicit
PYTHONPATH="bin/python".
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Dec 13 14:06:14 UTC 2022 on sn-devel-184
(similar to commit
987cba90573f955fe9c781830daec85ad4d5bf92)
[jsutton@samba.org Fixed conflicts; removed changes to non-existent
tests]
[jsutton@samba.org Fixed conflicts; removed changes to non-existent
tests]
[metze@samba.org private autobuild and a pipeline passes]
Stefan Metzmacher [Tue, 6 Dec 2022 11:55:45 +0000 (12:55 +0100)]
CVE-2022-37966 samba-tool: add 'domain trust modify' command
For now it only allows the admin to modify
the msDS-SupportedEncryptionTypes values.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
(cherry picked from commit
d1999c152acdf939b4cd7eb446dd9921d3edae29)
Stefan Metzmacher [Wed, 30 Nov 2022 08:39:19 +0000 (09:39 +0100)]
CVE-2022-37966 s4:kdc: apply restrictions of "kdc supported enctypes"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
cca3c024fc514bee79bb60a686e470605cc98d6f)
Stefan Metzmacher [Tue, 29 Nov 2022 13:13:36 +0000 (14:13 +0100)]
CVE-2022-37966 param: Add support for new option "kdc supported enctypes"
This allows admins to disable enctypes completely if required.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
36d0a495159f72633f1f41deec979095417a1727)
Stefan Metzmacher [Wed, 30 Nov 2022 08:05:51 +0000 (09:05 +0100)]
CVE-2022-37966 param: let "kdc default domain supportedenctypes = 0" mean the default
In order to allow better upgrades we need the default value for smb.conf to the
same even if the effective default value of the software changes in future.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
fa64f8fa8d92167ed15d1109af65bbb4daab4bad)
[jsutton@samba.org Fixed conflicts]
Stefan Metzmacher [Wed, 30 Nov 2022 08:02:41 +0000 (09:02 +0100)]
CVE-2022-37966 param: don't explicitly initialize "kdc force enable rc4 weak session keys" to false/"no"
This is not squashed in order to allow easier backports...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
7504a4d6fee7805aac7657b9dab88c48353d6db4)
Stefan Metzmacher [Thu, 24 Mar 2022 14:44:40 +0000 (15:44 +0100)]
CVE-2022-37966 s4:kdc: announce PA-SUPPORTED-ETYPES like windows.
We need to take the value from the msDS-SupportedEncryptionTypes
attribute and only take the default if there's no value or
if the value is 0.
For krbtgt and DC accounts we need to force support for
ARCFOUR-HMAC-MD5 and AES encryption types and add the related bits
in addtition. (Note for krbtgt msDS-SupportedEncryptionTypes is
completely ignored the hardcoded value is the default, so there's
no AES256-SK for krbtgt).
For UF_USE_DES_KEY_ONLY on the account we reset
the value to 0, these accounts are in fact disabled completely,
as they always result in KRB5KDC_ERR_ETYPE_NOSUPP.
Then we try to get all encryption keys marked in
supported_enctypes, and the available_enctypes
is a reduced set depending on what keys are
actually stored in the database.
We select the supported session key enctypes by the available
keys and in addition based on AES256-SK as well as the
"kdc force enable rc4 weak session keys" option.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13135
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
fde745ec3491a4fd7b23e053a67093a2ccaf0905)
[jsutton@samba.org Adapted to older KDC code]
[jsutton@samba.org Adapted to older KDC code]
Stefan Metzmacher [Tue, 29 Nov 2022 16:11:01 +0000 (17:11 +0100)]
CVE-2022-37966 python:tests/krb5: test much more etype combinations
This tests work out the difference between
- msDS-SupportedEncryptionTypes value or it's default
- software defined extra flags for DC accounts
- accounts with only an nt hash being stored
- the resulting value in the KRB5_PADATA_SUPPORTED_ETYPES announcement
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13135
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
1dfa91682efd3b12d7d6af75287efb12ebd9e526)
Stefan Metzmacher [Tue, 29 Nov 2022 19:59:52 +0000 (20:59 +0100)]
CVE-2022-37966 python:tests/krb5: add better PADATA_SUPPORTED_ETYPES assert message
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
c7c576208960e336da276e251ad7a526e1b3ed45)
Stefan Metzmacher [Tue, 29 Nov 2022 15:42:58 +0000 (16:42 +0100)]
CVE-2022-37966 python:tests/krb5: add 'force_nt4_hash' for account creation of KDCBaseTest
This will allow us to create tests accounts with only an nt4 hash
stored, without any aes keys.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
77bd3258f1db0ddf4639a83a81a1aad3ee52c87d)
[jsutton@samba.org Fixed conflicts in parameters]
Stefan Metzmacher [Tue, 29 Nov 2022 19:27:14 +0000 (20:27 +0100)]
CVE-2022-37966 python:tests/krb5: ignore empty supplementalCredentials attributes
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
f434a30ee7c40aac4a223fcabac9ddd160a155a5)
Stefan Metzmacher [Tue, 29 Nov 2022 13:15:40 +0000 (14:15 +0100)]
CVE-2022-37966 python:tests/krb5: allow ticket/supported_etypes to be passed KdcTgsBaseTests._{as,tgs}_req()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
d8fd6a22b67a2b3ae03a2e428cc4987f07af6e29)
Stefan Metzmacher [Tue, 29 Nov 2022 08:48:09 +0000 (09:48 +0100)]
CVE-2022-37966 python:tests/krb5: fix some tests running against Windows 2022
I'm using the following options:
SERVER=172.31.9.218 DC_SERVER=w2022-118.w2022-l7.base \
SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 \
DOMAIN=W2022-L7 REALM=W2022-L7.BASE \
ADMIN_USERNAME=Administrator ADMIN_PASSWORD=
A1b2C3d4 \
CLIENT_USERNAME=Administrator CLIENT_PASSWORD=
A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=28 CLIENT_KVNO=2 \
FULL_SIG_SUPPORT=1 TKT_SIG_SUPPORT=1 FORCED_RC4=1
in order to run these:
python/samba/tests/krb5/as_req_tests.py -v --failfast AsReqKerberosTests
python/samba/tests/krb5/etype_tests.py -v --failfast EtypeTests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
e0f89b7bc8025db615dccf096aab4ca87e655368)
[jsutton@samba.org Fixed conflicts in parameters; brought in rep_padata
non-None assertion]
[jsutton@samba.org Fixed parameter conflicts in as_req_tests.py; removed
changes to non-existent check_reply_padata()]
Stefan Metzmacher [Tue, 29 Nov 2022 14:45:56 +0000 (15:45 +0100)]
CVE-2022-37966 s4:libnet: allow python bindings to force setting an nthash via SAMR level 18
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
4ebbe7e40754eeb1c8f221dd59018c3e681ab2ab)
Stefan Metzmacher [Thu, 24 Mar 2022 13:09:50 +0000 (14:09 +0100)]
CVE-2022-37966 s4:libnet: add support LIBNET_SET_PASSWORD_SAMR_HANDLE_18 to set nthash only
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
271cd82cd681d723572fcaeed24052dc98a8361)
[jsutton@samba.org Adapted to older version of libnet_SetPassword() that
doesn't set FIPS lax mode]
Stefan Metzmacher [Tue, 29 Nov 2022 14:42:27 +0000 (15:42 +0100)]
CVE-2022-37966 s4:libnet: initialize libnet_SetPassword() arguments explicitly to zero by default.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
9e69289b099b47e0352ef67ef7e6529d11688e9a)
Stefan Metzmacher [Thu, 3 Feb 2022 15:27:15 +0000 (16:27 +0100)]
CVE-2022-37966 drsuapi.idl: add trustedDomain related ATTID values
For now this is only for debugging in order to see
DRSUAPI_ATTID_msDS_SupportedEncryptionTypes in the replication meta
data.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15219
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
f1c5fa28c460f7e011049606b1b9ef96443e5e1f)
Stefan Metzmacher [Tue, 7 Nov 2017 17:03:45 +0000 (18:03 +0100)]
CVE-2022-37966 s4:kdc: use the strongest possible keys
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13135
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
d7ea197ed1a9903f601030e6466cc822f9b8f794)
[jsutton@samba.org Adapted to configuration parameters having been
renamed from {as,tgs} to {tgt,svc}]
Stefan Metzmacher [Wed, 23 Nov 2022 14:27:14 +0000 (15:27 +0100)]
CVE-2022-37966 s4:pydsdb: add ENC_HMAC_SHA1_96_AES256_SK
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
621b8c3927b63776146940b183b03b3ea77fd2d7)
Stefan Metzmacher [Tue, 22 Nov 2022 08:48:45 +0000 (09:48 +0100)]
CVE-2022-37966 s3:net_ads: let 'net ads enctypes list' pretty print AES256-SK and RESOURCE-SID-COMPRESSION-DISABLED
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
b7260c89e0df18822fa276e681406ec4d3921caa)
Stefan Metzmacher [Wed, 23 Nov 2022 14:20:40 +0000 (15:20 +0100)]
CVE-2022-37966 s3:net_ads: no longer reference des encryption types
We no longer have support for des encryption types in the kerberos
libraries anyway.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
4cedaa643bf95ef2628f1b631feda833bb2e7da1)
Stefan Metzmacher [Wed, 23 Nov 2022 14:20:40 +0000 (15:20 +0100)]
CVE-2022-37966 s3:libnet: no longer reference des encryption types
We no longer have support for des encryption types in the kerberos
libraries anyway.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
40b47c194d7c41fbc6515b6029d5afafb0911232)
Stefan Metzmacher [Wed, 23 Nov 2022 14:20:40 +0000 (15:20 +0100)]
CVE-2022-37966 s3:libads: no longer reference des encryption types
We no longer have support for des encryption types in the kerberos
libraries anyway.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
a683507e560a499336c50b88abcd853d49618bf4)
Stefan Metzmacher [Wed, 23 Nov 2022 14:20:40 +0000 (15:20 +0100)]
CVE-2022-37966 lib/krb5_wrap: no longer reference des encryption types
We no longer have support for des encryption types in the kerberos
libraries anyway.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
16b805c8f376e0992a8bbb359d6bd8f0f96229db)
Stefan Metzmacher [Wed, 23 Nov 2022 14:19:48 +0000 (15:19 +0100)]
CVE-2022-37966 s3:net_ads: remove unused ifdef HAVE_ENCTYPE_AES*
aes encryption types are always supported.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
f3fe1f2ce64ed36be5b001fb4fea92428e73e4e3)
Stefan Metzmacher [Wed, 23 Nov 2022 14:19:48 +0000 (15:19 +0100)]
CVE-2022-37966 s3:libnet: remove unused ifdef HAVE_ENCTYPE_AES*
aes encryption types are always supported.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
1a36c348d7a984bed8d0f3de5bf9bebd1cb3c47a)
Stefan Metzmacher [Wed, 23 Nov 2022 14:18:02 +0000 (15:18 +0100)]
CVE-2022-37966 s3:libads: remove unused ifdef HAVE_ENCTYPE_AES*
aes encryption types are always supported.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
2bd27955ce1000c13b468934eed8b0fdeb66e3bf)
Stefan Metzmacher [Wed, 23 Nov 2022 14:16:51 +0000 (15:16 +0100)]
CVE-2022-37966 lib/krb5_wrap: remove unused ifdef HAVE_ENCTYPE_AES*
aes encryption types are always supported.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
c9b10ee32c7e91521d024477a28fb7a622e4eb04)
Stefan Metzmacher [Wed, 23 Nov 2022 14:12:47 +0000 (15:12 +0100)]
CVE-2022-37966 system_mitkrb5: require support for aes enctypes
This will never fail as we already require a version that supports aes,
but this makes it clearer.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
a80f8e1b826ee3f9bbb22752464a73b97c2a612d)
[jsutton@samba.org Fixed conflicts due to missing lib='krb5' argument]
Stefan Metzmacher [Wed, 23 Nov 2022 14:12:14 +0000 (15:12 +0100)]
CVE-2022-37966 wafsamba: add support for CHECK_VARIABLE(mandatory=True)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
9da028c46f70db60a80d47f5dadbec194510211f)
Joseph Sutton [Mon, 21 Nov 2022 22:32:34 +0000 (11:32 +1300)]
CVE-2022-37966 kdc: Assume trust objects support AES by default
As part of matching the behaviour of Windows, assume that trust objects
support AES256, but not RC4, if not specified otherwise.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15219
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
4bb50c868c8ed14372cb7d27e53cdaba265fc33d)
[jsutton@samba.org Added knownfail removals]
Andrew Bartlett [Tue, 1 Nov 2022 02:20:47 +0000 (15:20 +1300)]
CVE-2022-37966 kdc: Implement new Kerberos session key behaviour since ENC_HMAC_SHA1_96_AES256_SK was added
ENC_HMAC_SHA1_96_AES256_SK is a flag introduced for by Microsoft in this
CVE to indicate that additionally, AES session keys are available. We
set the etypes available for session keys depending on the encryption
types that are supported by the principal.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15219
Pair-Programmed-With: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(similar to commit
975e43fc45531fdea14b93a3b1529b3218a177e6)
[jsutton@samba.org Fixed knownfail conflicts]
[jsutton@samba.org Adapted to older KDC code; fixed knownfail conflicts]
[jsutton@samba.org Fixed knownfail conflicts; adapted to older KDC and
Heimdal code]
Joseph Sutton [Thu, 24 Nov 2022 22:48:59 +0000 (11:48 +1300)]
CVE-2022-37966 s4:torture: Expect referral ticket enc-part encrypted with AES256 rather than RC4
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
[This is 4.15 only]
Joseph Sutton [Thu, 24 Nov 2022 22:48:41 +0000 (11:48 +1300)]
CVE-2022-37966 auth/credentials: Allow specifying password to cli_credentials_get_aes256_key()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
[This is 4.15 only]
Joseph Sutton [Mon, 9 May 2022 02:35:05 +0000 (14:35 +1200)]
CVE-2022-37966 auth/credentials: Add cli_credentials_get_aes256_key()
This allows us to generate AES256 keys from a given password and salt.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
0d9835e1e497d667ce49f00d5127d2231055793f)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Nicolas Williams [Wed, 9 Nov 2011 01:54:45 +0000 (19:54 -0600)]
CVE-2022-37966 Fix enctype selection issues for PAC and other authz-data signatures
We were using the enctype from the PA-TGS-REQ's AP-REQ's Ticket to
decide what key from the service's realm's krbtgt principal to use.
This breaks when: a) we're doing cross-realm, b) the service's
realm's krbtgt principal doesn't have keys for the enctype used in
the cross-realm TGT.
The fix is to pick the correct key (strongest or first, per-config)
from the service's realm's krbtgt principal.
(backported from Heimdal commit
8586d9f88efcf60b971466f0d83ea0bc1962e24f)
[jsutton@samba.org Fixed conflicts due to different Heimdal revision]
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
[This is 4.15 only]
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Wed, 23 Nov 2022 03:05:04 +0000 (16:05 +1300)]
CVE-2022-37966 selftest: Run S4U tests against FL2003 DC
This shows that changes around RC4 encryption types do not break older
functional levels where only RC4 keys are available.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
44802c46b18caf3c7f9f2fb1b66025fc30e22ac5)
[jsutton@samba.org Fixed import conflict]
Joseph Sutton [Thu, 17 Nov 2022 23:11:39 +0000 (12:11 +1300)]
CVE-2022-37966 selftest: Add tests for Kerberos session key behaviour since ENC_HMAC_SHA1_96_AES256_SK was added
ENC_HMAC_SHA1_96_AES256_SK is a flag introduced for by Microsoft in this CVE
to indicate that additionally, AES session keys are available.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(similar to commit
371d7e63fcb966ab54915a3dedb888d48adbf0c0)
[jsutton@samba.org Removed unneeded fast_tests.py change, added
non_etype_bits in raw_testcase.py, fixed conflicts in knownfails and
tests.py]
[jsutton@samba.org Fixed conflicts in tests and knownfails]
[jsutton@samba.org Fixed conflicts in raw_testcase.py, tests.py; moved
test_fast_rc4 knownfail to 'KDC TGS tests' section with other FAST
knownfails]
Joseph Sutton [Mon, 21 Nov 2022 00:47:06 +0000 (13:47 +1300)]
CVE-2022-37966 samba-tool: Declare explicitly RC4 support of trust objects
As we will assume, as part of the fixes for CVE-2022-37966, that trust
objects with no msDS-SupportedEncryptionTypes attribute support AES
keys, RC4 support must now be explicitly indicated.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
086646865eef247a54897f5542495a2105563a5e)
Joseph Sutton [Mon, 21 Nov 2022 00:45:22 +0000 (13:45 +1300)]
CVE-2022-37966 samba-tool: Fix 'domain trust create' documentation
This option does the opposite of what the documentation claims.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
6b155b22e6afa52ce29cc475840c1d745b0f1f5e)
Joseph Sutton [Mon, 21 Nov 2022 01:01:47 +0000 (14:01 +1300)]
CVE-2022-37966 third_party/heimdal: Fix error message typo
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
d6b3d68efc296190a133b4e38137bdfde39257f4)
[jsutton@samba.org Adapted to older Heimdal version]
Andrew Bartlett [Fri, 18 Nov 2022 00:44:28 +0000 (13:44 +1300)]
CVE-2022-37966 param: Add support for new option "kdc force enable rc4 weak session keys"
Pair-Programmed-With: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
ee18bc29b8ef6a3f09070507cc585467e55a1628)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Joseph Sutton [Tue, 15 Nov 2022 05:14:36 +0000 (18:14 +1300)]
CVE-2022-37966 param: Add support for new option "kdc default domain supportedenctypes"
This matches the Windows registry key
HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\KDC\DefaultDomainSupportedEncTypes
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
d861d4eb28bd4c091955c11669edcf867b093a6f)
[jsutton@samba.org Fixed header include conflict]
[jsutton@samba.org Fixed loadparm conflicts]
Joseph Sutton [Wed, 9 Nov 2022 00:45:13 +0000 (13:45 +1300)]
CVE-2022-37967 Add new PAC checksum
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15231
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(similar to commit
a50a2be622afaa7a280312ea12f5eb9c9a0c41da)
[jsutton@samba.org Fixed conflicts in krb5pac.idl and raw_testcase.py]
[jsutton@samba.org Fixed conflicts in kdc_base_test.py, raw_testcase.py,
knownfails, tests.py. Adapted KDC PAC changes to older function.]
[jsutton@samba.org Fixed conflict in raw_testcase.py; adapted to older
Heimdal version]
Andrew Bartlett [Tue, 1 Nov 2022 01:47:12 +0000 (14:47 +1300)]
CVE-2022-37966 HEIMDAL: Look up the server keys to combine with clients etype list to select a session key
We need to select server, not client, to compare client etypes against.
(It is not useful to compare the client-supplied encryption types with
the client's own long-term keys.)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(similar to commit
538315a2aa6d03b7639b49eb1576efa8755fefec)
[jsutton@samba.org Fixed knownfail conflicts]
[jsutton@samba.org Fixed knownfail conflicts]
[jsutton@samba.org Fixed knownfail conflicts; adapted to older Heimdal
version]
Joseph Sutton [Wed, 23 Nov 2022 02:15:40 +0000 (15:15 +1300)]
CVE-2022-37966 selftest: Don't strictly check etype-info when obtaining a TGT
This padata type is less well tested in Samba 4.15 than we should like,
and hence the encryption type tests reveal some inconsistencies that
cause the tests to fail. Not strictly checking them in these tests
allows them to continue passing.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
[This is 4.15 only]
Joseph Sutton [Tue, 25 Oct 2022 06:32:27 +0000 (19:32 +1300)]
CVE-2022-37966 tests/krb5: Add a test requesting tickets with various encryption types
The KDC should leave the choice of ticket encryption type up to the
target service, and admit no influence from the client.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(similar to commit
177334c04230d0ad74bfc2b6825ffbebd5afb9af)
[jsutton@samba.org Fixed conflicts in usage.py, knownfails, tests.py]
[jsutton@samba.org Fixed knownfail conflicts]
[jsutton@samba.org Added new enctype bits; re-added expect_edata
parameter to _test_as_exchange(); fixed conflicts in usage.py,
knownfails, tests.py]
Joseph Sutton [Wed, 26 Oct 2022 01:29:54 +0000 (14:29 +1300)]
CVE-2022-37966 tests/krb5: Add 'etypes' parameter to _tgs_req()
This lets us select the encryption types we claim to support in the
request body.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(similar to commit
e0a91dddc4a6c70d7425c2c6836dcf2dd6d9a2de)
[jsutton@samba.org Adapted to 4.17 version of function taking different
parameters]
Joseph Sutton [Wed, 26 Oct 2022 01:26:01 +0000 (14:26 +1300)]
CVE-2022-37966 tests/krb5: Split out _tgs_req() into base class
We will use it for testing our handling of encryption types.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(similar to commit
50e075d2db21e9f23d686684ea3df9454b6b560e)
[jsutton@samba.org Adapted to 4.17 version of function]
Andrew Bartlett [Mon, 31 Oct 2022 23:34:57 +0000 (12:34 +1300)]
CVE-2022-37966 selftest: Allow krb5 tests to run against an IP by using the target_hostname binding string
This makes it easier to test against a server that is not accessible via DNS.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
c7cd6889177e8c705bb637172a60a5cf26734a3f)
Stefan Metzmacher [Mon, 5 Dec 2022 20:45:08 +0000 (21:45 +0100)]
CVE-2022-37966 libcli/auth: let netlogon_creds_cli_warn_options() about "kerberos encryption types=legacy"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
0248907e34945153ff2be62dc11d75c956a05932)
[abartlet@samba.org Added missing loadparm to netlogon_creds_cli]
Stefan Metzmacher [Mon, 5 Dec 2022 20:36:23 +0000 (21:36 +0100)]
CVE-2022-37966 testparm: warn about 'kerberos encryption types = legacy'
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
c0c25cc0217b082c12330a8c47869c8428a20d0c)
Stefan Metzmacher [Mon, 5 Dec 2022 20:31:37 +0000 (21:31 +0100)]
CVE-2022-37966 docs-xml/smbdotconf: "kerberos encryption types = legacy" should not be used
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
a4f6f51cbed53775cdfedc7eec2f28c7beb875cc)
Andreas Schneider [Thu, 27 Oct 2022 06:47:32 +0000 (08:47 +0200)]
CVE-2022-37966 s3:utils: Fix old-style function definition
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
b787692b5e915031d4653bf375995320ed1aca07)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Andreas Schneider [Thu, 27 Oct 2022 06:46:39 +0000 (08:46 +0200)]
CVE-2022-37966 s3:client: Fix old-style function definition
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
81f4335dfb847c041bfd3d6110fc8f1d5741d41f)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Andreas Schneider [Thu, 27 Oct 2022 06:44:58 +0000 (08:44 +0200)]
CVE-2022-37966 s3:param: Fix old-style function definition
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
80dc3bc2b80634ab7c6c71fa1f9b94f0216322b2)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Mon, 11 Apr 2022 03:43:00 +0000 (15:43 +1200)]
CVE-2022-37966 tests/krb5: Allow passing expected etypes to get_keys()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
2f17cbf3b295663a91e4facb0dc8f09ef4a77f4a)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
[jsutton@samba.org Removed changes to protected_users_tests.py]
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett [Wed, 23 Mar 2022 00:07:29 +0000 (13:07 +1300)]
CVE-2022-37966 s4:kdc: Move supported enc-type handling out of samba_kdc_message2entry_keys()
By putting this in the caller we potentially allow samba_kdc_message2entry_keys()
to be reused by a non-KDC caller.
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
29eb7e2488e2c55ceacb859a57836a08cbb7f8e8)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
[jsutton@samba.org Adapted to older code without support for Protected
Users or older keys; kept still-needed 'kdc_db_ctx'
samba_kdc_message2entry_keys() parameter]
Reviewed-by: Stefan Metzmacher <metze@samba.org>
[jsutton@samba.org Adapted to older db-glue code]
Joseph Sutton [Fri, 24 Dec 2021 03:59:12 +0000 (16:59 +1300)]
CVE-2022-37966 s4:kdc: Set supported enctypes in KDC entry
This allows us to return the supported enctypes to the client as
PA-SUPPORTED-ENCTYPES padata.
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
cb382f7cddebabde3dac2b4bdb50d5b864463abf)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
[jsutton@samba.org Adapted to Samba 4.15; removed FAST-supported bit for
KDC]
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Thu, 23 Dec 2021 02:59:21 +0000 (15:59 +1300)]
CVE-2022-37966 tests/krb5: Update supported enctype checking
We now do not expect the claims or compound ID bits to be set unless
explicitly specified, nor the DES bits.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
e9caa1edef846cdea2a719976ee0fd5bd8531048)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Joseph Sutton [Mon, 29 Nov 2021 20:45:13 +0000 (09:45 +1300)]
CVE-2022-37966 tests/krb5: Check encrypted-pa-data if present
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
f94bdb41fccdb085d8f8f5a1a5e4a56581839e8e)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
[jsutton@samba.org Fixed MIT knownfail conflict; added import of PADATA_REQ_ENC_PA_REP constant]
Stefan Metzmacher [Tue, 6 Dec 2022 12:36:17 +0000 (13:36 +0100)]
CVE-2022-38023 testparm: warn about unsecure schannel related options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
4d540473c3d43d048a30dd63efaeae9ff87b2aeb)
Stefan Metzmacher [Wed, 30 Nov 2022 14:13:47 +0000 (15:13 +0100)]
CVE-2022-38023 testparm: warn about server/client schannel != yes
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
f964c0c357214637f80d0089723b9b11d1b38f7e)
Stefan Metzmacher [Fri, 25 Nov 2022 13:05:30 +0000 (14:05 +0100)]
CVE-2022-38023 s4:rpc_server/netlogon: implement "server schannel require seal[:COMPUTERACCOUNT]"
By default we'll now require schannel connections with
privacy/sealing/encryption.
But we allow exceptions for specific computer/trust accounts.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
b3ed90a0541a271a7c6d4bee1201fa47adc3c0c1)
Stefan Metzmacher [Fri, 2 Dec 2022 13:31:26 +0000 (14:31 +0100)]
CVE-2022-38023 s4:rpc_server/netlogon: add a per connection cache to dcesrv_netr_check_schannel()
It's enough to warn the admin once per connection.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
3c57608e1109c1d6e8bb8fbad2ef0b5d79d00e1a)
Stefan Metzmacher [Fri, 25 Nov 2022 15:53:35 +0000 (16:53 +0100)]
CVE-2022-38023 docs-xml/smbdotconf: add "server schannel require seal[:COMPUTERACCOUNT]" options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
7732a4b0bde1d9f98a0371f17d22648495329470)
Stefan Metzmacher [Wed, 30 Nov 2022 16:15:36 +0000 (17:15 +0100)]
CVE-2022-38023 s4:rpc_server/netlogon: make sure all dcesrv_netr_LogonSamLogon*() calls go through dcesrv_netr_check_schannel()
We'll soon add some additional contraints in dcesrv_netr_check_schannel(),
which are also required for dcesrv_netr_LogonSamLogonEx().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
689507457f5e6666488732f91a355a2183fb1662)
Stefan Metzmacher [Wed, 30 Nov 2022 15:57:24 +0000 (16:57 +0100)]
CVE-2022-38023 s4:rpc_server/netlogon: split out dcesrv_netr_check_schannel() function
This will allow us to reuse the function in other places.
As it will also get some additional checks soon.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
f43dc4f0bd60d4e127b714565147f82435aa4f07)
Stefan Metzmacher [Wed, 30 Nov 2022 13:57:20 +0000 (14:57 +0100)]
CVE-2022-38023 selftest:Samba4: avoid global 'allow nt4 crypto = yes' and 'reject md5 clients = no'
Instead of using the generic deprecated option use the specific
allow nt4 crypto:COMPUTERACCOUNT = yes and
server reject md5 schannel:COMPUTERACCOUNT = no
in order to allow legacy tests for pass.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
7ae3735810c2db32fa50f309f8af3c76ffa29768)
[metze@samba.org fixed conflict in 4.15]
Stefan Metzmacher [Fri, 25 Nov 2022 12:13:36 +0000 (13:13 +0100)]
CVE-2022-38023 s4:rpc_server/netlogon: debug 'reject md5 servers' and 'allow nt4 crypto' misconfigurations
This allows the admin to notice what's wrong in order to adjust the
configuration if required.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
43df4be35950f491864ae8ada05d51b42a556381)
[metze@samba.org remove lpcfg_weak_crypto() check for 4.15]
Stefan Metzmacher [Fri, 25 Nov 2022 13:02:11 +0000 (14:02 +0100)]
CVE-2022-38023 docs-xml/smbdotconf: document "server reject md5 schannel:COMPUTERACCOUNT"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
2ad302b42254e3c2800aaf11669fe2e6d55fa8a1)
Stefan Metzmacher [Fri, 25 Nov 2022 12:31:14 +0000 (13:31 +0100)]
CVE-2022-38023 docs-xml/smbdotconf: document "allow nt4 crypto:COMPUTERACCOUNT = no"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
bd429d025981b445bf63935063e8e302bfab3f9b)
Stefan Metzmacher [Fri, 25 Nov 2022 12:13:36 +0000 (13:13 +0100)]
CVE-2022-38023 s4:rpc_server/netlogon: add 'server reject md5 schannel:COMPUTERACCOUNT = no' and 'allow nt4 crypto:COMPUTERACCOUNT = yes'
This makes it more flexible when we change the global default to
'reject md5 servers = yes'.
'allow nt4 crypto = no' is already the default.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
69b36541606d7064de9648cd54b35adfdf8f0e8f)
Stefan Metzmacher [Fri, 25 Nov 2022 09:31:08 +0000 (10:31 +0100)]
CVE-2022-38023 s4:rpc_server/netlogon: defer downgrade check until we found the account in our SAM
We'll soon make it possible to use 'reject md5 servers:CLIENTACCOUNT$ = no',
which means we'll need use the account name from our SAM.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
b09f51eefc311bbb1525efd1dc7b9a837f7ec3c2)
Stefan Metzmacher [Thu, 24 Nov 2022 17:26:18 +0000 (18:26 +0100)]
CVE-2022-38023 docs-xml/smbdotconf: change 'reject md5 clients' default to yes
AES is supported by Windows Server >= 2008R2, Windows (Client) >= 7 and Samba >= 4.0,
so there's no reason to allow md5 clients by default.
However some third party domain members may need it.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
c8e53394b98b128ed460a6111faf05dfbad980d1)
Stefan Metzmacher [Fri, 25 Nov 2022 08:54:17 +0000 (09:54 +0100)]
CVE-2022-38023 s4:rpc_server/netlogon: split out dcesrv_netr_ServerAuthenticate3_check_downgrade()
We'll soon make it possible to use 'reject md5 servers:CLIENTACCOUNT$ = no',
which means we'll need the downgrade detection in more places.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
b6339fd1dcbe903e73efeea074ab0bd04ef83561)
Stefan Metzmacher [Mon, 28 Nov 2022 14:02:13 +0000 (15:02 +0100)]
CVE-2022-38023 s4:torture: use NETLOGON_NEG_SUPPORTS_AES by default
For generic tests we should use the best available features.
And AES will be required by default soon.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
cfd55a22cda113fbb2bfa373b54091dde1ea6e66)
Stefan Metzmacher [Wed, 30 Nov 2022 11:26:01 +0000 (12:26 +0100)]
CVE-2022-38023 selftest:Samba4: avoid global 'server schannel = auto'
Instead of using the generic deprecated option use the specific
server require schannel:COMPUTERACCOUNT = no in order to allow
legacy tests for pass.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
63c96ea6c02981795e67336401143f2a8836992c)
Stefan Metzmacher [Wed, 30 Nov 2022 11:37:03 +0000 (12:37 +0100)]
CVE-2022-38023 s4:rpc_server/netlogon: improve CVE-2020-1472(ZeroLogon) debug messages
In order to avoid generating useless debug messages during make test,
we will use 'CVE_2020_1472:warn_about_unused_debug_level = 3'
and 'CVE_2020_1472:error_debug_level = 2' in order to avoid schannel warnings.
Review with: git show -w
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
16ee03efc194d9c1c2c746f63236b977a419918d)
Stefan Metzmacher [Wed, 30 Nov 2022 11:37:03 +0000 (12:37 +0100)]
CVE-2022-38023 s4:rpc_server/netlogon: re-order checking in dcesrv_netr_creds_server_step_check()
This will simplify the following changes.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
ec62151a2fb49ecbeaa3bf924f49a956832b735e)
Stefan Metzmacher [Mon, 12 Dec 2022 13:03:50 +0000 (14:03 +0100)]
CVE-2022-38023 s4:rpc_server/netlogon: add talloc_stackframe() to dcesrv_netr_creds_server_step_check()
This will simplify the following changes.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
0e6a2ba83ef1be3c6a0f5514c21395121621a145)
Stefan Metzmacher [Mon, 12 Dec 2022 13:03:50 +0000 (14:03 +0100)]
CVE-2022-38023 s4:rpc_server/netlogon: add a lp_ctx variable to dcesrv_netr_creds_server_step_check()
This will simplify the following changes.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
7baabbe9819cd5a2714e7ea4e57a0c23062c0150)
Stefan Metzmacher [Tue, 6 Dec 2022 09:56:29 +0000 (10:56 +0100)]
CVE-2022-38023 s4:rpc_server/netlogon: 'server schannel != yes' warning to dcesrv_interface_netlogon_bind
This will simplify the following changes.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
e060ea5b3edbe3cba492062c9605f88fae212ee0)
Stefan Metzmacher [Thu, 24 Nov 2022 17:22:23 +0000 (18:22 +0100)]
CVE-2022-38023 docs-xml/smbdotconf: change 'reject md5 servers' default to yes
AES is supported by Windows >= 2008R2 and Samba >= 4.0 so there's no
reason to allow md5 servers by default.
Note the change in netlogon_creds_cli_context_global() is only cosmetic,
but avoids confusion while reading the code. Check with:
git show -U35 libcli/auth/netlogon_creds_cli.c
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
1c6c1129905d0c7a60018e7bf0f17a0fd198a584)
Stefan Metzmacher [Wed, 30 Nov 2022 13:59:36 +0000 (14:59 +0100)]
CVE-2022-38023 s3:winbindd: also allow per domain "winbind sealed pipes:DOMAIN" and "require strong key:DOMAIN"
This avoids advising insecure defaults for the global options.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
d60828f6391307a59abaa02b72b6a8acf66b2fef)
Stefan Metzmacher [Wed, 30 Nov 2022 15:16:05 +0000 (16:16 +0100)]
CVE-2022-38023 s3:net: add and use net_warn_member_options() helper
This makes sure domain member related 'net' commands print warnings
about unsecure smb.conf options.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
1fdf1d55a5dd550bdb16d037b5dc995c33c1a67a)
Stefan Metzmacher [Wed, 30 Nov 2022 13:47:33 +0000 (14:47 +0100)]
CVE-2022-38023 libcli/auth: add/use netlogon_creds_cli_warn_options()
This warns the admin about insecure options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(similar to commit
7e7adf86e59e8a673fbe87de46cef0d62221e800)
[jsutton@samba.org Replaced call to tevent_cached_getpid() with one to
getpid()]
Stefan Metzmacher [Wed, 30 Nov 2022 13:46:59 +0000 (14:46 +0100)]
CVE-2022-38023 libcli/auth: pass lp_ctx to netlogon_creds_cli_set_global_db()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
992f39a2c8a58301ceeb965f401e29cd64c5a209)
Ralph Boehme [Tue, 6 Dec 2022 15:05:26 +0000 (16:05 +0100)]
CVE-2022-38023 docs-xml: improve wording for several options: "yields precedence" -> "is over-riden"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
830e865ba5648f6520bc552ffd71b61f754b8251)
Ralph Boehme [Tue, 6 Dec 2022 15:00:36 +0000 (16:00 +0100)]
CVE-2022-38023 docs-xml: improve wording for several options: "takes precedence" -> "overrides"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
8ec62694a94c346e6ba8f3144a417c9984a1c8b9)
Andrew Bartlett [Tue, 6 Dec 2022 04:16:00 +0000 (17:16 +1300)]
selftest: make filter-subunit much more efficient for large knownfail lists
By compiling the knownfail lists ahead of time we change a 20min test
into a 90sec test.
This could be improved further by combining this into a single regular expression,
but this is enough for now. The 'reason' is thankfully not used.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15258
Pair-programmed-with: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
22128c718cadd34af892df102bd52df6a6b03303)
Nicolas Williams [Wed, 12 Oct 2011 06:15:13 +0000 (01:15 -0500)]
CVE-2022-45141 source4/heimdal: Fix check-des
The previous fix was incomplete. But it also finally uncovered an
old check-des problem that I'd had once and which may have gotten
papered over by changing the default of one of the *strongest* KDC
parameters. The old problem is that we were passing the wrong
enctype to _kdc_encode_reply(): we were passing the session key
enctype where the ticket enc-part key's enctype was expected.
The whole enctype being passed in is superfluous anyways. Let's
clean that up next.
(cherry picked from Heimdal commit
4c6976a6bdf8a76c6f3c650ae970d46c931e5c71)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15214
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Nicolas Williams [Wed, 12 Oct 2011 04:57:58 +0000 (23:57 -0500)]
CVE-2022-45141 source4/heimdal: Fix TGS ticket enc-part key selection
When I added support for configuring how the KDC selects session,
reply, and ticket enc-part keys I accidentally had the KDC use the
session key selection algorithm for selecting the ticket enc-part
key. This becomes a problem when using a Heimdal KDC with an MIT
KDB as the HDB backend and when the krbtgt keys are not in
strongest-to-weakest order, in which case forwardable tickets minted
by the Heimdal KDC will not be accepted by MIT KDCs with the same
KDB.
(cherry picked from Heimdal commit
12cd2c9cbd1ca027a3ef9ac7ab3e79526b1348ae)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15214
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Wed, 7 Dec 2022 07:13:25 +0000 (20:13 +1300)]
CVE-2022-44640 source4/heimdal: Fix use-after-free when decoding PA-ENC-TS-ENC
Upstream Heimdal fixed this in commit
7151d4e66c07b42c15187becd61fb20e0666458a (partial handling of
ENC-CHALLANGE).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14929
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Nicolas Williams [Wed, 10 Mar 2021 22:49:04 +0000 (16:49 -0600)]
CVE-2022-44640 HEIMDAL: asn1: Invalid free in ASN.1 codec
This is a 10.0 on the Common Vulnerability Scoring System (CVSS) v3.
Heimdal's ASN.1 compiler generates code that allows specially
crafted DER encodings of CHOICEs to invoke the wrong free function
on the decoded structure upon decode error. This is known to impact
the Heimdal KDC, leading to an invalid free() of an address partly
or wholly under the control of the attacker, in turn leading to a
potential remote code execution (RCE) vulnerability.
This error affects the DER codec for all CHOICE types used in
Heimdal, though not all cases will be exploitable. We have not
completed a thorough analysis of all the Heimdal components
affected, thus the Kerberos client, the X.509 library, and other
parts, may be affected as well.
This bug has been in Heimdal since 2005. It was first reported by
Douglas Bagnall, though it had been found independently by the
Heimdal maintainers via fuzzing a few weeks earlier.
While no zero-day exploit is known, such an exploit will likely be
available soon after public disclosure.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14929
[abartlet@samba.org Adapted from Heimdal commit
ea5ec8f174920cb80ce2b168b49195378420449e for older Heimdal in Samba 4.15
by dropping fuzz-inputs file and EXPORTS entry for fuzzing]
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
git.samba.org / samba.git / log