Gary Lockyer [Wed, 20 Feb 2019 01:03:41 +0000 (01:03 +0000)]
CVE-2019-3824 ldb: Release ldb 1.2.4
* CVE-2019-3824 out of bounds read in wildcard compare (bug 13773)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13773
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Autobuild-User(v4-7-test): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(v4-7-test): Tue Feb 26 16:52:19 CET 2019 on sn-devel-144
Gary Lockyer [Mon, 18 Feb 2019 21:24:38 +0000 (10:24 +1300)]
CVE-2019-3824 ldb: Add tests for ldb_wildcard_match
Add cmocka tests for ldb_wildcard_match.
Running test_wildcard_match under valgrind reproduces
CVE-2019-3824 out of bounds read in wildcard compare (bug 13773)
valgrind --suppressions=lib/ldb/tests/ldb_match_test.valgrind\
bin/ldb_match_test
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13773
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Gary Lockyer [Mon, 18 Feb 2019 21:26:56 +0000 (10:26 +1300)]
CVE-2019-3824 ldb: wildcard_match end of data check
ldb_handler_copy and ldb_val_dup over allocate by one and add a trailing '\0'
to the data, to make them safe to use the C string functions on.
However testing for the trailing '\0' is not the correct way to test for
the end of a value, the length should be checked instead.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13773
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Gary Lockyer [Mon, 18 Feb 2019 21:26:25 +0000 (10:26 +1300)]
CVE-2019-3824 ldb: wildcard_match check tree operation
Check the operation type of the passed parse tree, and return
LDB_INAPPROPRIATE_MATCH if the operation is not LDB_OP_SUBSTRING.
A query of "attribute=*" gets parsed as LDB_OP_PRESENT, checking the
operation and failing ldb_wildcard_match should help prevent confusion
writing tests.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13773
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Gary Lockyer [Mon, 18 Feb 2019 21:25:24 +0000 (10:25 +1300)]
CVE-2019-3824 ldb: ldb_parse_tree use talloc_zero
Initialise the created ldb_parse_tree with talloc_zero, this ensures
that it is correctly initialised if inadvertently passed to a function
expecting a different operation type.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13773
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Andrew Bartlett [Sun, 3 Feb 2019 22:22:50 +0000 (11:22 +1300)]
CVE-2019-3824 ldb: Improve code style and layout in wildcard processing
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13773
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Sun, 3 Feb 2019 22:22:34 +0000 (11:22 +1300)]
CVE-2019-3824 ldb: Extra comments to clarify no pointer wrap in wildcard processing
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13773
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Lukas Slebodnik [Fri, 18 Jan 2019 15:37:24 +0000 (16:37 +0100)]
CVE-2019-3824 ldb: Out of bound read in ldb_wildcard_compare
There is valgrind error in few tests tests/test-generic.sh
91 echo "Test wildcard match"
92 $VALGRIND ldbadd $LDBDIR/tests/test-wildcard.ldif || exit 1
93 $VALGRIND ldbsearch '(cn=test*multi)' || exit 1
95 $VALGRIND ldbsearch '(cn=*test_multi)' || exit 1
97 $VALGRIND ldbsearch '(cn=test*multi*test*multi)' || exit 1
e.g.
==3098== Memcheck, a memory error detector
==3098== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==3098== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info
==3098== Command: ./bin/ldbsearch (cn=test*multi)
==3098==
==3098== Invalid read of size 1
==3098== at 0x483CEE7: memchr (vg_replace_strmem.c:890)
==3098== by 0x49A9073: memmem (in /usr/lib64/libc-2.28.9000.so)
==3098== by 0x485DFE9: ldb_wildcard_compare (ldb_match.c:313)
==3098== by 0x485DFE9: ldb_match_substring (ldb_match.c:360)
==3098== by 0x485DFE9: ldb_match_message (ldb_match.c:572)
==3098== by 0x558F8FA: search_func (ldb_kv_search.c:549)
==3098== by 0x48C78CA: ??? (in /usr/lib64/libtdb.so.1.3.17)
==3098== by 0x48C7A60: tdb_traverse_read (in /usr/lib64/libtdb.so.1.3.17)
==3098== by 0x557B7C4: ltdb_traverse_fn (ldb_tdb.c:274)
==3098== by 0x558FBFA: ldb_kv_search_full (ldb_kv_search.c:594)
==3098== by 0x558FBFA: ldb_kv_search (ldb_kv_search.c:854)
==3098== by 0x558E497: ldb_kv_callback (ldb_kv.c:1713)
==3098== by 0x48FCD58: tevent_common_invoke_timer_handler (in /usr/lib64/libtevent.so.0.9.38)
==3098== by 0x48FCEFD: tevent_common_loop_timer_delay (in /usr/lib64/libtevent.so.0.9.38)
==3098== by 0x48FE14A: ??? (in /usr/lib64/libtevent.so.0.9.38)
==3098== Address 0x4b4ab81 is 0 bytes after a block of size 129 alloc'd
==3098== at 0x483880B: malloc (vg_replace_malloc.c:309)
==3098== by 0x491048B: talloc_strndup (in /usr/lib64/libtalloc.so.2.1.15)
==3098== by 0x48593CA: ldb_casefold_default (ldb_utf8.c:59)
==3098== by 0x485F68D: ldb_handler_fold (attrib_handlers.c:64)
==3098== by 0x485DB88: ldb_wildcard_compare (ldb_match.c:257)
==3098== by 0x485DB88: ldb_match_substring (ldb_match.c:360)
==3098== by 0x485DB88: ldb_match_message (ldb_match.c:572)
==3098== by 0x558F8FA: search_func (ldb_kv_search.c:549)
==3098== by 0x48C78CA: ??? (in /usr/lib64/libtdb.so.1.3.17)
==3098== by 0x48C7A60: tdb_traverse_read (in /usr/lib64/libtdb.so.1.3.17)
==3098== by 0x557B7C4: ltdb_traverse_fn (ldb_tdb.c:274)
==3098== by 0x558FBFA: ldb_kv_search_full (ldb_kv_search.c:594)
==3098== by 0x558FBFA: ldb_kv_search (ldb_kv_search.c:854)
==3098== by 0x558E497: ldb_kv_callback (ldb_kv.c:1713)
==3098== by 0x48FCD58: tevent_common_invoke_timer_handler (in /usr/lib64/libtevent.so.0.9.38)
==3098==
# record 1
dn: cn=test_multi_test_multi_test_multi,o=University of Michigan,c=TEST
cn: test_multi_test_multi_test_multi
description: test multi wildcards matching
objectclass: person
sn: multi_test
name: test_multi_test_multi_test_multi
distinguishedName: cn=test_multi_test_multi_test_multi,o=University of Michiga
n,c=TEST
# returned 1 records
# 1 entries
# 0 referrals
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13773
Signed-off-by: Lukas Slebodnik <lslebodn@fedoraproject.org>
Stefan Metzmacher [Wed, 28 Nov 2018 14:21:56 +0000 (15:21 +0100)]
CVE-2018-14629 dns: fix CNAME loop prevention using counter regression
The loop prevention should only be done for CNAME records!
Otherwise we truncate the answer records for A, AAAA or
SRV queries, which is a bad idea if you have more than 20 DCs.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13600
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Dec 4 08:52:29 CET 2018 on sn-devel-144
(cherry picked from commit
34f4491d79b47b2fe2457b8882f11644cf773bc4)
Autobuild-User(v4-7-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-7-test): Fri Dec 7 16:59:16 CET 2018 on sn-devel-144
Aaron Haslett [Fri, 30 Nov 2018 05:37:27 +0000 (18:37 +1300)]
CVE-2018-14629: Tests to expose regression from dns cname loop fix
These tests expose the regression described by Stefan Metzmacher in
discussion on the bugzilla paged linked below.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13600
Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
14399fd818b130a6347eec860460929c292d5996)
Andrew Bartlett [Tue, 26 Jun 2018 02:59:26 +0000 (14:59 +1200)]
.gitlab-ci.yml: Adapt to current GitLab CI setup
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
fb522c1ba0afa1b2298e66dfde42806cae72e5b9)
Joe Guo [Tue, 19 Sep 2017 21:33:27 +0000 (09:33 +1200)]
gitlab-ci: add .gitlab-ci.yml
Add .gitlab-ci.yml file, and define build jobs in groups.
Once gitlab-runner set up, builds and tests can be triggered
automatically in parallel when push to gitlab.
Also, with gitlab-runner autoscale mode, build instances
will be created and removed on demand.
Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Tue Oct 31 15:32:16 CET 2017 on sn-devel-144
(cherry picked from commit
8be4236b323b5f755ff6c0bf0a4a5fb99343c84d)
Isaac Boukris [Wed, 7 Nov 2018 20:53:35 +0000 (22:53 +0200)]
CVE-2018-16853: fix crash in expired passowrd case
When calling encode_krb5_padata_sequence() make sure to
pass a null terminated array as required.
Fixes expired passowrd case in samba4.blackbox.kinit test.
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andreas Schneider [Wed, 28 Sep 2016 05:22:32 +0000 (07:22 +0200)]
CVE-2018-16853: Do not segfault if client is not set
This can be triggered with FAST but we don't support this yet.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13571
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Isaac Boukris [Sat, 18 Aug 2018 13:01:59 +0000 (16:01 +0300)]
CVE-2018-16853: Add a test to verify s4u2self doesn't crash
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13571
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Isaac Boukris [Fri, 17 Aug 2018 21:40:30 +0000 (00:40 +0300)]
CVE-2018-16853: The ticket in check_policy_as can actually be a TGS
This happens when we are called from S4U2Self flow, and in that case
kdcreq->client is NULL. Use the name from client entry instead.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13571
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Isaac Boukris [Sat, 18 Aug 2018 12:32:43 +0000 (15:32 +0300)]
CVE-2018-16853: Fix kinit test on system lacking ldbsearch
By fixing bindir variable name.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13571
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Karolin Seeger [Tue, 27 Nov 2018 10:08:33 +0000 (11:08 +0100)]
VERSION: Bump version up to 4.7.13.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Karolin Seeger [Tue, 27 Nov 2018 10:08:12 +0000 (11:08 +0100)]
Merge tag 'samba-4.7.12' into v4-7-test
samba: tag release samba-4.7.12
Karolin Seeger [Mon, 26 Nov 2018 08:43:45 +0000 (09:43 +0100)]
VERSION: Disable GIT_SNAPSHOT for the 4.7.12 release.
o CVE-2018-14629 (Unprivileged adding of CNAME record causing loop in AD
Internal DNS server)
o CVE-2018-16841 (Double-free in Samba AD DC KDC with PKINIT)
o CVE-2018-16851 (NULL pointer de-reference in Samba AD DC LDAP server)
o CVE-2018-16853 (Samba AD DC S4U2Self crash in experimental MIT Kerberos
configuration (unsupported))
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Karolin Seeger [Mon, 26 Nov 2018 08:42:44 +0000 (09:42 +0100)]
WHATSNEW: Add release notes for Samba 4.7.12.
o CVE-2018-14629 (Unprivileged adding of CNAME record causing loop in AD
Internal DNS server)
o CVE-2018-16841 (Double-free in Samba AD DC KDC with PKINIT)
o CVE-2018-16851 (NULL pointer de-reference in Samba AD DC LDAP server)
o CVE-2018-16853 (Samba AD DC S4U2Self crash in experimental MIT Kerberos
configuration (unsupported))
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Andrew Bartlett [Tue, 6 Nov 2018 00:32:05 +0000 (13:32 +1300)]
CVE-2018-16853 build: The Samba AD DC, when build with MIT Kerberos is experimental
This matches https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13678
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Garming Sam [Mon, 5 Nov 2018 03:18:18 +0000 (16:18 +1300)]
CVE-2018-16851 ldap_server: Check ret before manipulating blob
In the case of hitting the talloc ~256MB limit, this causes a crash in
the server.
Note that you would actually need to load >256MB of data into the LDAP.
Although there is some generated/hidden data which would help you reach that
limit (descriptors and RMD blobs).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13674
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Wed, 24 Oct 2018 02:41:28 +0000 (15:41 +1300)]
CVE-2018-16841 selftest: Check for mismatching principal in certficate compared with principal in AS-REQ
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13628
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Andrew Bartlett [Tue, 23 Oct 2018 04:33:46 +0000 (17:33 +1300)]
CVE-2018-16841 heimdal: Fix segfault on PKINIT with mis-matching principal
In Heimdal KRB5_KDC_ERR_CLIENT_NAME_MISMATCH is an enum, so we tried to double-free
mem_ctx.
This was introduced in
9a0263a7c316112caf0265237bfb2cfb3a3d370d for the
MIT KDC effort.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13628
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Aaron Haslett [Tue, 23 Oct 2018 04:25:51 +0000 (17:25 +1300)]
CVE-2018-14629 dns: CNAME loop prevention using counter
Count number of answers generated by internal DNS query routine and stop at
20 to match Microsoft's loop prevention mechanism.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13600
Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Karolin Seeger [Mon, 22 Oct 2018 10:51:33 +0000 (12:51 +0200)]
VERSION: Bump version up to 4.7.12...
and re-enable GIT_SNAPSHOT.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
(cherry picked from commit
787ab0993889f5ac06691426d7eca3d78bded4a6)
Karolin Seeger [Mon, 22 Oct 2018 10:51:33 +0000 (12:51 +0200)]
VERSION: Bump version up to 4.7.12...
and re-enable GIT_SNAPSHOT.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Karolin Seeger [Mon, 22 Oct 2018 10:50:50 +0000 (12:50 +0200)]
VERSION: Disable GIT_SNAPSHOT for the 4.7.11 release.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Karolin Seeger [Mon, 22 Oct 2018 10:50:13 +0000 (12:50 +0200)]
WHATSNEW: Add release notes for Samba 4.7.11.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Andreas Schneider [Wed, 20 Jun 2018 09:38:28 +0000 (11:38 +0200)]
s3:winbind: Fix regression introduced with bso #12851
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12851
Pair-Programmed-With: Guenther Deschner <gd@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit
c1c764925e24788905ab91aa455b415765d6f71f)
Autobuild-User(v4-7-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-7-test): Fri Oct 19 15:17:27 CEST 2018 on sn-devel-144
Stefan Metzmacher [Fri, 17 Aug 2018 09:35:41 +0000 (11:35 +0200)]
smb2_server: set req->do_encryption = true earlier
The STATUS_SESSION_EXPIRED error was returned unencrypted,
if the request was encrypted.
If clients use SMB3 encryption and the kerberos authenticated session
expires, clients disconnect the connection instead of doing a reauthentication.
From https://blogs.msdn.microsoft.com/openspecification/2012/10/05/encryption-in-smb-3-0-a-protocol-perspective/
The sender encrypts the message if any of the following conditions is
satisfied:
- If the sender is sending a response to an encrypted request.
- If Session.EncryptData is TRUE and the request or response being
sent is not NEGOTIATE.
- If Session.EncryptData is FALSE, the request or response being sent
is not NEGOTIATE or SESSION_SETUP or TREE_CONNECT, and
<TreeConnect|Share>.EncryptData is TRUE.
[MS-SMB2] 3.3.4.1.4 Encrypting the Message
If Connection.Dialect belongs to the SMB 3.x dialect family and
Connection.ClientCapabilities includes the SMB2_GLOBAL_CAP_ENCRYPTION
bit, the server MUST encrypt the message before sending, if any of the
following conditions are satisfied:
- If the message being sent is any response to a client request for which
Request.IsEncrypted is TRUE.
- If Session.EncryptData is TRUE and the response being sent is not
SMB2_NEGOTIATE or SMB2 SESSION_SETUP.
- If Session.EncryptData is FALSE, the response being sent is not
SMB2_NEGOTIATE or SMB2 SESSION_SETUP or SMB2 TREE_CONNECT, and
Share.EncryptData for the share associated with the TreeId in the SMB2
header of the response is TRUE.
The server MUST encrypt the message as specified in section 3.1.4.3,
before sending it to the client.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13624
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue Oct 2 14:11:30 CEST 2018 on sn-devel-144
(cherry picked from commit
4ef45e5334d5874f5d0fdc69286b745ebcdc612d)
Autobuild-User(v4-7-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-7-test): Wed Oct 10 15:51:31 CEST 2018 on sn-devel-144
Stefan Metzmacher [Fri, 28 Sep 2018 10:23:37 +0000 (12:23 +0200)]
s4:torture: split smb2.session.expire{1,2} to run with signing and encryptpion
This reproduces the problem we have with expired encrypted sessions.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13624
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
01b868455c9bae309d1ca7ddad54077fc5d7f4b1)
Jeremy Allison [Thu, 27 Sep 2018 21:12:47 +0000 (14:12 -0700)]
s3: smbd: Prevent valgrind errors in smbtorture3 POSIX test.
Missing fsp talloc free and linked list delete in error
paths in close_directory(). Now matches close_normal_file()
and close_fake_file().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13633
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Sep 29 05:32:41 CEST 2018 on sn-devel-144
(cherry picked from commit
660dbfaeff493359474ebdb36098ac49b3f7ba0c)
Autobuild-User(v4-7-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-7-test): Tue Oct 9 17:20:22 CEST 2018 on sn-devel-144
Volker Lendecke [Mon, 7 May 2018 14:53:00 +0000 (16:53 +0200)]
lib: Hold at most 10 outstanding paged result cookies
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13362
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue May 15 09:37:21 CEST 2018 on sn-devel-144
(cherry picked from commit
9fbd4672b06de5333a9c44fc126b8edac0b9d31a)
Autobuild-User(v4-7-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-7-test): Fri Sep 28 13:55:34 CEST 2018 on sn-devel-144
Volker Lendecke [Mon, 7 May 2018 14:41:55 +0000 (16:41 +0200)]
lib: Put "results_store" into a doubly linked list
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13362
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
8063995a92fffc93aa9d6d1d92a75bf3f3c9592b)
Alexander Bokovoy [Fri, 16 Feb 2018 16:15:28 +0000 (18:15 +0200)]
krb5-samba: interdomain trust uses different salt principal
Salt principal for the interdomain trust is krbtgt/DOMAIN@REALM where
DOMAIN is the sAMAccountName without the dollar sign ($)
The salt principal for the BLA$ user object was generated wrong.
dn: CN=bla.base,CN=System,DC=w4edom-l4,DC=base
securityIdentifier: S-1-5-21-
4053568372-
2049667917-
3384589010
trustDirection: 3
trustPartner: bla.base
trustPosixOffset: -
2147483648
trustType: 2
trustAttributes: 8
flatName: BLA
dn: CN=BLA$,CN=Users,DC=w4edom-l4,DC=base
userAccountControl: 2080
primaryGroupID: 513
objectSid: S-1-5-21-
278041429-
3399921908-
1452754838-1597
accountExpires:
9223372036854775807
sAMAccountName: BLA$
sAMAccountType:
805306370
pwdLastSet:
131485652467995000
The salt stored by Windows in the package_PrimaryKerberosBlob
(within supplementalCredentials) seems to be
'W4EDOM-L4.BASEkrbtgtBLA' for the above trust
and Samba stores 'W4EDOM-L4.BASEBLA$'.
While the salt used when building the keys from
trustAuthOutgoing/trustAuthIncoming is
'W4EDOM-L4.BASEkrbtgtBLA.BASE', which we handle correct.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13539
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Sep 5 03:57:22 CEST 2018 on sn-devel-144
(cherry picked from commit
f3e349bebc443133fdbe4e14b148ca8db8237060)
Autobuild-User(v4-7-test): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(v4-7-test): Wed Sep 5 18:44:46 CEST 2018 on sn-devel-144
Stefan Metzmacher [Tue, 4 Sep 2018 08:53:52 +0000 (10:53 +0200)]
testprogs/blackbox: let test_trust_user_account.sh check the correct kerberos salt
This demonstrates the bug we currently have.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13539
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
1b31fa62567ec549e32c9177b322cfbfb3b6ec1a)
Stefan Metzmacher [Tue, 4 Sep 2018 08:38:44 +0000 (10:38 +0200)]
testprogs/blackbox: add testit[_expect_failure]_grep() to subunit.sh
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13539
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
8526feb100e59bc5a15ceb940e6cecce0de59247)
Stefan Metzmacher [Tue, 4 Sep 2018 08:16:59 +0000 (10:16 +0200)]
samba-tool: add virtualKerberosSalt attribute to 'user getpassword/syncpasswords'
This might be useful for someone, but at least it's very useful for
tests.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13539
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
39c281a23673691bab621de1a632d64df2c1c102)
Alexander Bokovoy [Fri, 16 Feb 2018 16:15:28 +0000 (18:15 +0200)]
s4:selftest: test kinit with the interdomain trust user account
To test it, add a blackbox test that ensures we pass a keytab-based
authentication with the trust user account for a trusted domain.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13539
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
7df505298f71432d5adbcffccde8f97c117a57a6)
Ralph Boehme [Thu, 8 Mar 2018 16:34:08 +0000 (17:34 +0100)]
libds: rename UF_MACHINE_ACCOUNT_MASK to UF_TRUST_ACCOUNT_MASK
The name UF_TRUST_ACCOUNT_MASK better reflects the use case and it's not
yet used.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
8497d2090900b252853278f29a4aaf3bce7515da)
Volker Lendecke [Tue, 7 Aug 2018 13:10:31 +0000 (15:10 +0200)]
vfs_fruit: Don't unlink the main file
The original fix for bug 13441 was missing a check that verifies that
fruit_ftruncate() is actually called on a stream.
Follow-up to
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13441
Pair-Programmed-With: Volker Lendecke <vl@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Aug 23 15:28:48 CEST 2018 on sn-devel-144
(cherry picked from commit
8c14234871820eacde46670d722a676fb5f3a46c)
Volker Lendecke [Tue, 7 Aug 2018 13:11:22 +0000 (15:11 +0200)]
torture: Make sure that fruit_ftruncate only unlinks streams
Follow-up to
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13441
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
c39ec64231b261fe4ada02f1f1b9aa344cf35bb5)
Ralph Boehme [Thu, 30 Aug 2018 13:57:33 +0000 (15:57 +0200)]
s3:smbd: add a comment stating that file_close_user() is redundant for SMB2
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13549
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Sep 1 01:26:35 CEST 2018 on sn-devel-144
(cherry picked from commit
5d95f79f604d90c2646225a0f2470f05dd71e19e)
Ralph Boehme [Wed, 29 Aug 2018 15:19:29 +0000 (17:19 +0200)]
s3:smbd: let session logoff close files and tcons before deleting the session
This avoids a race in durable handle reconnects if the reconnect comes
in while the old session is still in the tear-down phase.
The new session is supposed to rendezvous with and wait for destruction
of the old session, which is internally implemented with
dbwrap_watch_send() on the old session record.
If the old session deletes the session record before calling
file_close_user() which marks all file handles as disconnected, the
durable handle reconnect in the new session will fail as the records are
not yet marked as disconnected which is a prerequisite.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13549
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
8f6edcc1645e0ed35eaec914bd0b672500ce986c)
Ralph Boehme [Thu, 30 Aug 2018 13:50:02 +0000 (15:50 +0200)]
s3:smbd: reorder tcon global record deletion and closing files of a tcon
As such, this doesn't change overall behaviour, but in case we ever add
semantics acting on tcon record changes via an API like
dbwrap_watch_send(), this will make a difference as it enforces
ordering.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13549
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(backported from commit
b70b8503faded81b10859131f08486349876d132)
Ralph Boehme [Thu, 30 Aug 2018 17:15:19 +0000 (19:15 +0200)]
selftest: add a durable handle test with delayed disconnect
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13549
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
5508024a861e7c85e6c837552ad142aa1d5e8eca)
Ralph Boehme [Fri, 31 Aug 2018 06:28:46 +0000 (08:28 +0200)]
s4:selftest: reformat smb2_s3only list
No change besides reformatting the list to one entry per line.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13549
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
3255822f75163cb38e53f634a5c6b03d46bfaff1)
Ralph Boehme [Thu, 30 Aug 2018 15:27:08 +0000 (17:27 +0200)]
vfs_delay_inject: adding delay to VFS calls
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13549
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
44840ba5b32a2ce7959fd3d7c87822b3159416d3)
Stefan Metzmacher [Tue, 28 Aug 2018 10:52:31 +0000 (12:52 +0200)]
s4:rpc_server/netlogon: don't treet trusted domains as primary in LogonGetDomainInfo()
We need to handle trusted domains differently than our primary
domain. The most important part is that we don't return
NETR_TRUST_FLAG_PRIMARY for them.
NETR_TRUST_FLAG_{INBOUND,OUTBOUND,IN_FOREST} are the relavant flags
for trusts.
This is an example of what Windows returns in a complex trust
environment:
netr_LogonGetDomainInfo: struct netr_LogonGetDomainInfo
out: struct netr_LogonGetDomainInfo
return_authenticator : *
return_authenticator: struct netr_Authenticator
cred: struct netr_Credential
data :
f48b51ff12ff8c6c
timestamp : Tue Aug 28 22:59:03 2018 CEST
info : *
info : union netr_DomainInfo(case 1)
domain_info : *
domain_info: struct netr_DomainInformation
primary_domain: struct netr_OneDomainInfo
domainname: struct lsa_StringLarge
length : 0x0014 (20)
size : 0x0016 (22)
string : *
string : 'W2012R2-L4'
dns_domainname: struct lsa_StringLarge
length : 0x0020 (32)
size : 0x0022 (34)
string : *
string : 'w2012r2-l4.base.'
dns_forestname: struct lsa_StringLarge
length : 0x0020 (32)
size : 0x0022 (34)
string : *
string : 'w2012r2-l4.base.'
domain_guid :
0a133c91-8eac-4df0-96ac-
ede69044a38b
domain_sid : *
domain_sid : S-1-5-21-
2930975464-
1937418634-
1288008815
trust_extension: struct netr_trust_extension_container
length : 0x0000 (0)
size : 0x0000 (0)
info : NULL
dummy_string2: struct lsa_StringLarge
length : 0x0000 (0)
size : 0x0000 (0)
string : NULL
dummy_string3: struct lsa_StringLarge
length : 0x0000 (0)
size : 0x0000 (0)
string : NULL
dummy_string4: struct lsa_StringLarge
length : 0x0000 (0)
size : 0x0000 (0)
string : NULL
dummy_long1 : 0x00000000 (0)
dummy_long2 : 0x00000000 (0)
dummy_long3 : 0x00000000 (0)
dummy_long4 : 0x00000000 (0)
trusted_domain_count : 0x00000006 (6)
trusted_domains : *
trusted_domains: ARRAY(6)
trusted_domains: struct netr_OneDomainInfo
domainname: struct lsa_StringLarge
length : 0x000e (14)
size : 0x0010 (16)
string : *
string : 'FREEIPA'
dns_domainname: struct lsa_StringLarge
length : 0x0018 (24)
size : 0x001a (26)
string : *
string : 'freeipa.base'
dns_forestname: struct lsa_StringLarge
length : 0x0000 (0)
size : 0x0000 (0)
string : NULL
domain_guid :
00000000-0000-0000-0000-
000000000000
domain_sid : *
domain_sid : S-1-5-21-
429948374-
2562621466-
335716826
trust_extension: struct netr_trust_extension_container
length : 0x0010 (16)
size : 0x0010 (16)
info : *
info: struct netr_trust_extension
length : 0x00000008 (8)
dummy : 0x00000000 (0)
size : 0x00000008 (8)
flags : 0x00000022 (34)
0: NETR_TRUST_FLAG_IN_FOREST
1: NETR_TRUST_FLAG_OUTBOUND
0: NETR_TRUST_FLAG_TREEROOT
0: NETR_TRUST_FLAG_PRIMARY
0: NETR_TRUST_FLAG_NATIVE
1: NETR_TRUST_FLAG_INBOUND
0: NETR_TRUST_FLAG_MIT_KRB5
0: NETR_TRUST_FLAG_AES
parent_index : 0x00000000 (0)
trust_type : LSA_TRUST_TYPE_UPLEVEL (2)
trust_attributes : 0x00000008 (8)
0: LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE
0: LSA_TRUST_ATTRIBUTE_UPLEVEL_ONLY
0: LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN
1: LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE
0: LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION
0: LSA_TRUST_ATTRIBUTE_WITHIN_FOREST
0: LSA_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL
0: LSA_TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION
dummy_string2: struct lsa_StringLarge
length : 0x0000 (0)
size : 0x0000 (0)
string : NULL
dummy_string3: struct lsa_StringLarge
length : 0x0000 (0)
size : 0x0000 (0)
string : NULL
dummy_string4: struct lsa_StringLarge
length : 0x0000 (0)
size : 0x0000 (0)
string : NULL
dummy_long1 : 0x00000000 (0)
dummy_long2 : 0x00000000 (0)
dummy_long3 : 0x00000000 (0)
dummy_long4 : 0x00000000 (0)
trusted_domains: struct netr_OneDomainInfo
domainname: struct lsa_StringLarge
length : 0x0016 (22)
size : 0x0018 (24)
string : *
string : 'S1-W2012-L4'
dns_domainname: struct lsa_StringLarge
length : 0x0036 (54)
size : 0x0038 (56)
string : *
string : 's1-w2012-l4.w2012r2-l4.base'
dns_forestname: struct lsa_StringLarge
length : 0x0000 (0)
size : 0x0000 (0)
string : NULL
domain_guid :
afe7fbde-af82-46cf-88a2-
2df6920fc33e
domain_sid : *
domain_sid : S-1-5-21-
1368093395-
3821428921-
3924672915
trust_extension: struct netr_trust_extension_container
length : 0x0010 (16)
size : 0x0010 (16)
info : *
info: struct netr_trust_extension
length : 0x00000008 (8)
dummy : 0x00000000 (0)
size : 0x00000008 (8)
flags : 0x00000023 (35)
1: NETR_TRUST_FLAG_IN_FOREST
1: NETR_TRUST_FLAG_OUTBOUND
0: NETR_TRUST_FLAG_TREEROOT
0: NETR_TRUST_FLAG_PRIMARY
0: NETR_TRUST_FLAG_NATIVE
1: NETR_TRUST_FLAG_INBOUND
0: NETR_TRUST_FLAG_MIT_KRB5
0: NETR_TRUST_FLAG_AES
parent_index : 0x00000004 (4)
trust_type : LSA_TRUST_TYPE_UPLEVEL (2)
trust_attributes : 0x00000020 (32)
0: LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE
0: LSA_TRUST_ATTRIBUTE_UPLEVEL_ONLY
0: LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN
0: LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE
0: LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION
1: LSA_TRUST_ATTRIBUTE_WITHIN_FOREST
0: LSA_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL
0: LSA_TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION
dummy_string2: struct lsa_StringLarge
length : 0x0000 (0)
size : 0x0000 (0)
string : NULL
dummy_string3: struct lsa_StringLarge
length : 0x0000 (0)
size : 0x0000 (0)
string : NULL
dummy_string4: struct lsa_StringLarge
length : 0x0000 (0)
size : 0x0000 (0)
string : NULL
dummy_long1 : 0x00000000 (0)
dummy_long2 : 0x00000000 (0)
dummy_long3 : 0x00000000 (0)
dummy_long4 : 0x00000000 (0)
trusted_domains: struct netr_OneDomainInfo
domainname: struct lsa_StringLarge
length : 0x0006 (6)
size : 0x0008 (8)
string : *
string : 'BLA'
dns_domainname: struct lsa_StringLarge
length : 0x0010 (16)
size : 0x0012 (18)
string : *
string : 'bla.base'
dns_forestname: struct lsa_StringLarge
length : 0x0000 (0)
size : 0x0000 (0)
string : NULL
domain_guid :
00000000-0000-0000-0000-
000000000000
domain_sid : *
domain_sid : S-1-5-21-
4053568372-
2049667917-
3384589010
trust_extension: struct netr_trust_extension_container
length : 0x0010 (16)
size : 0x0010 (16)
info : *
info: struct netr_trust_extension
length : 0x00000008 (8)
dummy : 0x00000000 (0)
size : 0x00000008 (8)
flags : 0x00000022 (34)
0: NETR_TRUST_FLAG_IN_FOREST
1: NETR_TRUST_FLAG_OUTBOUND
0: NETR_TRUST_FLAG_TREEROOT
0: NETR_TRUST_FLAG_PRIMARY
0: NETR_TRUST_FLAG_NATIVE
1: NETR_TRUST_FLAG_INBOUND
0: NETR_TRUST_FLAG_MIT_KRB5
0: NETR_TRUST_FLAG_AES
parent_index : 0x00000000 (0)
trust_type : LSA_TRUST_TYPE_UPLEVEL (2)
trust_attributes : 0x00000008 (8)
0: LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE
0: LSA_TRUST_ATTRIBUTE_UPLEVEL_ONLY
0: LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN
1: LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE
0: LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION
0: LSA_TRUST_ATTRIBUTE_WITHIN_FOREST
0: LSA_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL
0: LSA_TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION
dummy_string2: struct lsa_StringLarge
length : 0x0000 (0)
size : 0x0000 (0)
string : NULL
dummy_string3: struct lsa_StringLarge
length : 0x0000 (0)
size : 0x0000 (0)
string : NULL
dummy_string4: struct lsa_StringLarge
length : 0x0000 (0)
size : 0x0000 (0)
string : NULL
dummy_long1 : 0x00000000 (0)
dummy_long2 : 0x00000000 (0)
dummy_long3 : 0x00000000 (0)
dummy_long4 : 0x00000000 (0)
trusted_domains: struct netr_OneDomainInfo
domainname: struct lsa_StringLarge
length : 0x000c (12)
size : 0x000e (14)
string : *
string : 'S4XDOM'
dns_domainname: struct lsa_StringLarge
length : 0x0016 (22)
size : 0x0018 (24)
string : *
string : 's4xdom.base'
dns_forestname: struct lsa_StringLarge
length : 0x0000 (0)
size : 0x0000 (0)
string : NULL
domain_guid :
00000000-0000-0000-0000-
000000000000
domain_sid : *
domain_sid : S-1-5-21-
313966788-
4060240134-
2249344781
trust_extension: struct netr_trust_extension_container
length : 0x0010 (16)
size : 0x0010 (16)
info : *
info: struct netr_trust_extension
length : 0x00000008 (8)
dummy : 0x00000000 (0)
size : 0x00000008 (8)
flags : 0x00000022 (34)
0: NETR_TRUST_FLAG_IN_FOREST
1: NETR_TRUST_FLAG_OUTBOUND
0: NETR_TRUST_FLAG_TREEROOT
0: NETR_TRUST_FLAG_PRIMARY
0: NETR_TRUST_FLAG_NATIVE
1: NETR_TRUST_FLAG_INBOUND
0: NETR_TRUST_FLAG_MIT_KRB5
0: NETR_TRUST_FLAG_AES
parent_index : 0x00000000 (0)
trust_type : LSA_TRUST_TYPE_UPLEVEL (2)
trust_attributes : 0x00000008 (8)
0: LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE
0: LSA_TRUST_ATTRIBUTE_UPLEVEL_ONLY
0: LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN
1: LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE
0: LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION
0: LSA_TRUST_ATTRIBUTE_WITHIN_FOREST
0: LSA_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL
0: LSA_TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION
dummy_string2: struct lsa_StringLarge
length : 0x0000 (0)
size : 0x0000 (0)
string : NULL
dummy_string3: struct lsa_StringLarge
length : 0x0000 (0)
size : 0x0000 (0)
string : NULL
dummy_string4: struct lsa_StringLarge
length : 0x0000 (0)
size : 0x0000 (0)
string : NULL
dummy_long1 : 0x00000000 (0)
dummy_long2 : 0x00000000 (0)
dummy_long3 : 0x00000000 (0)
dummy_long4 : 0x00000000 (0)
trusted_domains: struct netr_OneDomainInfo
domainname: struct lsa_StringLarge
length : 0x0014 (20)
size : 0x0016 (22)
string : *
string : 'W2012R2-L4'
dns_domainname: struct lsa_StringLarge
length : 0x001e (30)
size : 0x0020 (32)
string : *
string : 'w2012r2-l4.base'
dns_forestname: struct lsa_StringLarge
length : 0x0000 (0)
size : 0x0000 (0)
string : NULL
domain_guid :
0a133c91-8eac-4df0-96ac-
ede69044a38b
domain_sid : *
domain_sid : S-1-5-21-
2930975464-
1937418634-
1288008815
trust_extension: struct netr_trust_extension_container
length : 0x0010 (16)
size : 0x0010 (16)
info : *
info: struct netr_trust_extension
length : 0x00000008 (8)
dummy : 0x00000000 (0)
size : 0x00000008 (8)
flags : 0x0000001d (29)
1: NETR_TRUST_FLAG_IN_FOREST
0: NETR_TRUST_FLAG_OUTBOUND
1: NETR_TRUST_FLAG_TREEROOT
1: NETR_TRUST_FLAG_PRIMARY
1: NETR_TRUST_FLAG_NATIVE
0: NETR_TRUST_FLAG_INBOUND
0: NETR_TRUST_FLAG_MIT_KRB5
0: NETR_TRUST_FLAG_AES
parent_index : 0x00000000 (0)
trust_type : LSA_TRUST_TYPE_UPLEVEL (2)
trust_attributes : 0x00000000 (0)
0: LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE
0: LSA_TRUST_ATTRIBUTE_UPLEVEL_ONLY
0: LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN
0: LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE
0: LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION
0: LSA_TRUST_ATTRIBUTE_WITHIN_FOREST
0: LSA_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL
0: LSA_TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION
dummy_string2: struct lsa_StringLarge
length : 0x0000 (0)
size : 0x0000 (0)
string : NULL
dummy_string3: struct lsa_StringLarge
length : 0x0000 (0)
size : 0x0000 (0)
string : NULL
dummy_string4: struct lsa_StringLarge
length : 0x0000 (0)
size : 0x0000 (0)
string : NULL
dummy_long1 : 0x00000000 (0)
dummy_long2 : 0x00000000 (0)
dummy_long3 : 0x00000000 (0)
dummy_long4 : 0x00000000 (0)
trusted_domains: struct netr_OneDomainInfo
domainname: struct lsa_StringLarge
length : 0x0016 (22)
size : 0x0018 (24)
string : *
string : 'S2-W2012-L4'
dns_domainname: struct lsa_StringLarge
length : 0x004e (78)
size : 0x0050 (80)
string : *
string : 's2-w2012-l4.s1-w2012-l4.w2012r2-l4.base'
dns_forestname: struct lsa_StringLarge
length : 0x0000 (0)
size : 0x0000 (0)
string : NULL
domain_guid :
29daace6-cded-4ce3-a754-
7482a4d9127c
domain_sid : *
domain_sid : S-1-5-21-
167342819-
981449877-
2130266853
trust_extension: struct netr_trust_extension_container
length : 0x0010 (16)
size : 0x0010 (16)
info : *
info: struct netr_trust_extension
length : 0x00000008 (8)
dummy : 0x00000000 (0)
size : 0x00000008 (8)
flags : 0x00000001 (1)
1: NETR_TRUST_FLAG_IN_FOREST
0: NETR_TRUST_FLAG_OUTBOUND
0: NETR_TRUST_FLAG_TREEROOT
0: NETR_TRUST_FLAG_PRIMARY
0: NETR_TRUST_FLAG_NATIVE
0: NETR_TRUST_FLAG_INBOUND
0: NETR_TRUST_FLAG_MIT_KRB5
0: NETR_TRUST_FLAG_AES
parent_index : 0x00000001 (1)
trust_type : LSA_TRUST_TYPE_UPLEVEL (2)
trust_attributes : 0x00000000 (0)
0: LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE
0: LSA_TRUST_ATTRIBUTE_UPLEVEL_ONLY
0: LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN
0: LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE
0: LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION
0: LSA_TRUST_ATTRIBUTE_WITHIN_FOREST
0: LSA_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL
0: LSA_TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION
dummy_string2: struct lsa_StringLarge
length : 0x0000 (0)
size : 0x0000 (0)
string : NULL
dummy_string3: struct lsa_StringLarge
length : 0x0000 (0)
size : 0x0000 (0)
string : NULL
dummy_string4: struct lsa_StringLarge
length : 0x0000 (0)
size : 0x0000 (0)
string : NULL
dummy_long1 : 0x00000000 (0)
dummy_long2 : 0x00000000 (0)
dummy_long3 : 0x00000000 (0)
dummy_long4 : 0x00000000 (0)
lsa_policy: struct netr_LsaPolicyInformation
policy_size : 0x00000000 (0)
policy : NULL
dns_hostname: struct lsa_StringLarge
length : 0x0036 (54)
size : 0x0038 (56)
string : *
string : 'torturetest.w2012r2-l4.base'
dummy_string2: struct lsa_StringLarge
length : 0x0000 (0)
size : 0x0000 (0)
string : NULL
dummy_string3: struct lsa_StringLarge
length : 0x0000 (0)
size : 0x0000 (0)
string : NULL
dummy_string4: struct lsa_StringLarge
length : 0x0000 (0)
size : 0x0000 (0)
string : NULL
workstation_flags : 0x00000003 (3)
1: NETR_WS_FLAG_HANDLES_INBOUND_TRUSTS
1: NETR_WS_FLAG_HANDLES_SPN_UPDATE
supported_enc_types : 0x0000001f (31)
1: KERB_ENCTYPE_DES_CBC_CRC
1: KERB_ENCTYPE_DES_CBC_MD5
1: KERB_ENCTYPE_RC4_HMAC_MD5
1: KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96
1: KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96
0: KERB_ENCTYPE_FAST_SUPPORTED
0: KERB_ENCTYPE_COMPOUND_IDENTITY_SUPPORTED
0: KERB_ENCTYPE_CLAIMS_SUPPORTED
0: KERB_ENCTYPE_RESOURCE_SID_COMPRESSION_DISABLED
dummy_long3 : 0x00000000 (0)
dummy_long4 : 0x00000000 (0)
result : NT_STATUS_OK
Best viewed with: git show --histogram -w
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11517
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
2099add0657126e4a5427ec2db0fe8025478b355)
Stefan Metzmacher [Tue, 28 Aug 2018 14:30:17 +0000 (16:30 +0200)]
s4:rpc_server/netlogon: make use of talloc_zero_array() for the netr_OneDomainInfo array
It's much safer than having uninitialized memory when we hit an error
case.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11517
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
ef0b489ad0d93199e08415dd895da5cfe2d1c11a)
Stefan Metzmacher [Tue, 28 Aug 2018 09:46:16 +0000 (11:46 +0200)]
s4:rpc_server/netlogon: use samdb_domain_guid()/dsdb_trust_local_tdo_info() to build our netr_OneDomainInfo values
The logic for constructing the values for our own primary domain differs
from the values of trusted domains. In order to make the code easier to
understand we have a new fill_our_one_domain_info() helper that
only takes care of our primary domain.
The cleanup for the trust case will follow in a separate commit.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11517
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
61333f7787d78e3ec5c7bd2874d5a0f1f536275a)
Stefan Metzmacher [Tue, 28 Aug 2018 09:52:27 +0000 (11:52 +0200)]
s4:dsdb/common: add samdb_domain_guid() helper function
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11517
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
0e442e094240abbf79aaca00a9d1a053a200a7e8)
Stefan Metzmacher [Thu, 1 Feb 2018 22:09:26 +0000 (23:09 +0100)]
dsdb:util_trusts: add dsdb_trust_local_tdo_info() helper function
This is similar to dsdb_trust_xref_tdo_info(), but will also work
if we ever support more than one domain in our forest.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11517
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
c1b0ac95db5c6112d90356c7ada8c3d445e9b668)
Stefan Metzmacher [Thu, 1 Feb 2018 22:08:08 +0000 (23:08 +0100)]
dsdb/util_trusts: domain_dn is an input parameter of dsdb_trust_crossref_tdo_info()
We should not overwrite it within the function.
Currently it doesn't matter as we don't have multiple domains
within our forest, but that will change in future.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11517
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
f5f96f558b499770cdeb3d38998167a387e058b9)
Stefan Metzmacher [Tue, 28 Aug 2018 15:46:46 +0000 (17:46 +0200)]
s4:torture/rpc/netlogon: verify the trusted domains output of LogonGetDomainInfo()
This makes sure we don't treat trusted domains in the same way we treat
our primary domain.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11517
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
d5dd8fdc647d6a202c5da0451d395116c2cd92b9)
Stefan Metzmacher [Mon, 3 Sep 2018 07:55:18 +0000 (09:55 +0200)]
s4:torture/rpc/netlogon: assert that cli_credentials_get_{workstation,password} don't return NULL
This is better that generating a segfault while dereferencing a NULL
pointer later.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11517
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
dffc182c6943d21513d8db9f6cf66bdc09206b17)
Volker Lendecke [Mon, 3 Sep 2018 13:54:48 +0000 (15:54 +0200)]
smbd: Fix a memleak in async search ask sharemode
fetch_share_mode_unlocked_parser() takes a "struct
fetch_share_mode_unlocked_state *" as
"private_data". fetch_share_mode_send() used a talloc_zero'ed "struct
share_mode_lock". This lead to the parser putting a "struct
share_mode_lock on the NULL talloc_context where nobody really picked it
up.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13602
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
0bd109b733fbce774feae2142d25f7e828b56bcb)
Paulo Alcantara [Fri, 17 Aug 2018 14:30:16 +0000 (11:30 -0300)]
s3: util: Do not take over stderr when there is no log file
In case we don't have either a /var/log/samba directory, or pass a
non-existent log directory through '-l' option, all commands that are
daemonized with '-D' option hang when executed within a subshell.
An example on how to trigger that:
# rm -r /var/log/samba
# s=$(nmbd -D -s /etc/samba/smb.conf -l /foo123)
(never returns)
So, when the above command is executed within a subshell the following
happens:
(a) Parent shell creates a pipe, sets write side of it to fd 1
(stdout), call read() on read-side fd, forks off a new child process
and then executes nmbd in it.
(b) nmbd sets up initial logging to go through fd 1 (stdout) by
calling setup_logging(..., DEBUG_DEFAULT_STDOUT). 'state.fd' is now
set to 1.
(c) reopen_logs() is called by the first time which then calls
reopen_logs_internal()
(d) in reopen_logs_internal(), it attempts to create log.nmbd file in
/foo123 directory and fails because directory doesn't exist.
(e) Regardless whether the log file was created or not, it calls
dup2(state.fd, 2) which dups fd 1 into fd 2.
(f) At some point, fd 0 and 1 are closed and set to /dev/null
The problem with that is because parent shell in (a) is still blocked in
read() call and the new write side of the pipe is now fd 2 -- after
dup2() in (e) -- and remains unclosed.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13578
Signed-off-by: Paulo Alcantara <palcantara@suse.de>
Reviewed-by: Jim McDonough <jmcd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Aug 18 01:32:25 CEST 2018 on sn-devel-144
(cherry picked from commit
41aa55f49233ea7682cf14e5a7062617274434ce)
Jeremy Allison [Tue, 21 Aug 2018 19:05:34 +0000 (12:05 -0700)]
s3: smbd: Ensure get_real_filename() copes with empty pathnames.
Needed for vfs_glusterfs, as Gluster requires "." not '\0'.
Based on a fix from Anoop C S <anoopcs@redhat.com>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13585
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ira Cooper <ira@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Aug 22 21:50:41 CEST 2018 on sn-devel-144
(cherry picked from commit
9c71f61ed8a31d287d343d4f2e68cb40c57a2b89)
Autobuild-User(v4-7-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-7-test): Wed Aug 29 14:00:12 CEST 2018 on sn-devel-144
Karolin Seeger [Mon, 27 Aug 2018 07:51:59 +0000 (09:51 +0200)]
VERSION: Bump version up to 4.7.9...
and re-enable GIT_SNAPSHOT.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Karolin Seeger [Mon, 27 Aug 2018 07:51:10 +0000 (09:51 +0200)]
VERSION: Disable GIT_SNAPSHOT for the 4.7.10 release.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Karolin Seeger [Mon, 27 Aug 2018 07:50:08 +0000 (09:50 +0200)]
WHATSNEW: Add release notes for Samba 4.7.10.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Volker Lendecke [Mon, 6 Aug 2018 12:35:15 +0000 (14:35 +0200)]
torture: Demonstrate the invalid lock order panic
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13584
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Aug 21 02:33:05 CEST 2018 on sn-devel-144
(cherry picked from commit
ec3c37ee53f21d8c0e80b1d3b3d7e95a4ac8e0bc)
Autobuild-User(v4-7-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-7-test): Thu Aug 23 15:48:56 CEST 2018 on sn-devel-144
Volker Lendecke [Mon, 6 Aug 2018 12:33:34 +0000 (14:33 +0200)]
vfs_fruit: Fix a leak of "br_lck"
Fix a panic if fruit_access_check detects a locking conflict.
do_lock() returns a valid br_lck even in case of a locking conflict.
Not free'ing it leads to a invalid lock order panic later, because
"br_lck" corresponds to a dbwrap lock on brlock.tdb.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13584
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
51d57073798f76ec4f1261945e0ba779b2530009)
Christof Schmitt [Fri, 10 Aug 2018 17:38:28 +0000 (10:38 -0700)]
selftest: Load time_audit and full_audit modules for all tests
Previously the only test was to load these modules to trigger the
smb_vfs_assert_all_fns check. As these modules just pass through the
calls, they can be loaded for all tests to ensure that the codepaths are
exercised. This would have found the problem in
smb_time_audit_offload_read_recv.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13568
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Aug 13 22:35:20 CEST 2018 on sn-devel-144
(cherry picked from commit
a98f09a09db2fc7be85f9171b586e65344a39e92)
Ralph Wuerthner [Wed, 8 Aug 2018 15:42:18 +0000 (17:42 +0200)]
s3: vfs: time_audit: fix handling of token_blob in smb_time_audit_offload_read_recv()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13568
Signed-off-by: Ralph Wuerthner <ralph.wuerthner@de.ibm.com>
Reviewed-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
4909b966050c921b0a6a32285fee55f5f14dc3ff)
Volker Lendecke [Tue, 14 Aug 2018 12:31:01 +0000 (14:31 +0200)]
g_lock: Fix lock upgrades
Master has changed significantly, this is a minimum fix for 4.7 without
cleaning up the code
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13195
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Volker Lendecke [Tue, 14 Aug 2018 11:54:56 +0000 (13:54 +0200)]
torture3: Extend the g_lock6 test to also cover upgrades
The fixes for #13195 were incomplete and did not cover upgrades
properly. It's all gone in master with the new code.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13195
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Wed, 20 Dec 2017 08:44:40 +0000 (09:44 +0100)]
torture3: add LOCAL-G-LOCK6 test
This is a regression test for bug #13195.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13195
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Douglas Bagnall [Wed, 21 Feb 2018 23:46:47 +0000 (12:46 +1300)]
selftest: subunithelper needs to follow the subunit spec more closely
In particular allow ]\n without \n]\n as used by cmocka
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
7d79575de8e47a0ce03e30c3ea84176be696269f)
Autobuild-User(v4-7-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-7-test): Tue Aug 21 16:10:23 CEST 2018 on sn-devel-144
Douglas Bagnall [Wed, 21 Feb 2018 22:26:00 +0000 (11:26 +1300)]
unittests.lib_util_modules: test module probe with "skel", not "unix"
The unix module is not available as a module on some systems.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
cb5f1f3b262467faba59b3b323e240d1351d5fc0)
David Disseldorp [Fri, 20 Jul 2018 15:20:08 +0000 (17:20 +0200)]
ctdb: add expiry test for ctdb_mutex_ceph_rados_helper
Kill the ctdb_mutex_ceph_rados_helper with SIGKILL and then confirm
that the lock is automatically released following expiry.
Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Autobuild-User(master): David Disseldorp <ddiss@samba.org>
Autobuild-Date(master): Thu Aug 9 16:26:36 CEST 2018 on sn-devel-144
(cherry picked from commit
4abf348ec4cbb78d3216d5e8c5f3020d4499f10a)
David Disseldorp [Thu, 19 Jul 2018 09:55:23 +0000 (11:55 +0200)]
ctdb_mutex_ceph_rados_helper: fix deadlock via lock renewals
RADOS locks without expiry persist indefinitely. This results in CTDB
deadlock during failover if the recovery master dies unexpectedly, as
subsequently elected recovery master nodes can't obtain the recovery
lock.
Avoid deadlock by using a lock expiration time (10s by default), and
renewing it periodically.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13540
Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
(cherry picked from commit
ce289e89e5c469cf2c5626dc7f2666b945dba3bd)
David Disseldorp [Tue, 17 Jul 2018 21:36:36 +0000 (23:36 +0200)]
ctdb_mutex_ceph_rados_helper: rename timer_ev to ppid_timer_ev
In preparation for adding a lock refresh timer.
Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
(cherry picked from commit
91a89c146453ca203a83dc2ba555bb93276c4d7f)
David Disseldorp [Thu, 19 Jul 2018 16:46:27 +0000 (18:46 +0200)]
ctdb_mutex_ceph_rados_helper: use talloc destructor for cleanup
Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
(cherry picked from commit
8d30fd591600ac17c742cd78c7bc4056bba6b877)
Samuel Cabrero [Fri, 15 Jun 2018 16:15:53 +0000 (18:15 +0200)]
ctdb_mutex_ceph_rados_helper: Set SIGINT signal handler
Set a handler for SIGINT to release the lock.
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
(cherry picked from commit
85706bd27535eaa4ec653f99b1910fbd8f2aab88)
David Disseldorp [Mon, 9 Jul 2018 12:53:00 +0000 (14:53 +0200)]
ctdb/build: link ctdb_mutex_ceph_rados_helper against ceph-common
ceph-common linkage is needed with new versions of Ceph.
Also respect the --libcephfs_dir=<path> parameter when provided.
Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
(cherry picked from commit
bd64af6b8861f892e6ae2840a493f037d1e0a06c)
Karolin Seeger [Tue, 14 Aug 2018 10:18:43 +0000 (12:18 +0200)]
VERSION: Bump version up to 4.7.10.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Karolin Seeger [Tue, 14 Aug 2018 10:18:19 +0000 (12:18 +0200)]
Merge tag 'samba-4.7.9' into v4-7-test
samba: tag release samba-4.7.9
Karolin Seeger [Sat, 11 Aug 2018 20:02:56 +0000 (22:02 +0200)]
VERSION: Disable GIT_SNAPSHOT for the 4.7.9 release.
o CVE-2018-1139 (Weak authentication protocol allowed.)
o CVE-2018-10858 (Insufficient input validation on client directory
listing in libsmbclient.)
o CVE-2018-10918 (Denial of Service Attack on AD DC DRSUAPI server.)
o CVE-2018-10919 (Confidential attribute disclosure from the AD LDAP
server.)
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Karolin Seeger [Sat, 11 Aug 2018 20:01:50 +0000 (22:01 +0200)]
WHATSNEW: Add release notes for Samba 4.7.9.
o CVE-2018-1139 (Weak authentication protocol allowed.)
o CVE-2018-10858 (Insufficient input validation on client directory
listing in libsmbclient.)
o CVE-2018-10918 (Denial of Service Attack on AD DC DRSUAPI server.)
o CVE-2018-10919 (Confidential attribute disclosure from the AD LDAP
server.)
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Günther Deschner [Tue, 13 Mar 2018 15:56:20 +0000 (16:56 +0100)]
CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1 when it is disabled via "ntlm auth".
This fixes a regression that came in via
00db3aba6cf9ebaafdf39ee2f9c7ba5ec2281ea0.
Found by Vivek Das <vdas@redhat.com> (Red Hat QE).
In order to demonstrate simply run:
smbclient //server/share -U user%password -mNT1 -c quit \
--option="client ntlmv2 auth"=no \
--option="client use spnego"=no
against a server that uses "ntlm auth = ntlmv2-only" (our default
setting).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360
CVE-2018-1139: Weak authentication protocol allowed.
Guenther
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Günther Deschner [Fri, 16 Mar 2018 16:25:12 +0000 (17:25 +0100)]
CVE-2018-1139 selftest: verify whether ntlmv1 can be used via SMB1 when it is disabled.
Right now, this test will succeed.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360
CVE-2018-1139: Weak authentication protocol allowed.
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Günther Deschner [Wed, 14 Mar 2018 14:35:01 +0000 (15:35 +0100)]
CVE-2018-1139 s3-utils: use enum ntlm_auth_level in ntlm_password_check().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360
CVE-2018-1139: Weak authentication protocol allowed.
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Günther Deschner [Wed, 14 Mar 2018 14:36:05 +0000 (15:36 +0100)]
CVE-2018-1139 libcli/auth: fix debug messages in hash_password_check()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360
CVE-2018-1139: Weak authentication protocol allowed.
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Andrew Bartlett [Thu, 26 Jul 2018 20:44:24 +0000 (08:44 +1200)]
CVE-2018-1139 libcli/auth: Add initial tests for ntlm_password_check()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 21 Feb 2018 22:54:45 +0000 (11:54 +1300)]
selftest/tests.py: remove always-needed, never-set with_cmocka flag
We have cmocka in third_party, so we are never without it.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(Backported from commit
33ef0e57a4f08eae5ea06f482374fbc0a1014de6
by Andrew Bartlett)
Tim Beale [Wed, 1 Aug 2018 01:51:42 +0000 (13:51 +1200)]
CVE-2018-10919 tests: Add extra test for dirsync deleted object corner-case
The acl_read.c code contains a special case to allow dirsync to
work-around having insufficient access rights. We had a concern that
the dirsync module could leak sensitive information for deleted objects.
This patch adds a test-case to prove whether or not this is happening.
The new test case is similar to the existing dirsync test except:
- We make the confidential attribute also preserve-on-delete, so it
hangs around for deleted objcts. Because the attributes now persist
across test case runs, I've used a different attribute to normal.
(Technically, the dirsync search expressions are now specific enough
that the regular attribute could be used, but it would make things
quite fragile if someone tried to add a new test case).
- To handle searching for deleted objects, the search expressions are
now more complicated. Currently dirsync adds an extra-filter to the
'!' searches to exclude deleted objects, i.e. samaccountname matches
the test-objects AND the object is not deleted. We now extend this to
include deleted objects with lastKnownParent equal to the test OU.
The search expression matches either case so that we can use the same
expression throughout the test (regardless of whether the object is
deleted yet or not).
This test proves that the dirsync corner-case does not actually leak
sensitive information on Samba. This is due to a bug in the dirsync
code - when the buggy line is removed, this new test promptly fails.
Test also passes against Windows.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Tim Beale [Fri, 20 Jul 2018 03:42:36 +0000 (15:42 +1200)]
CVE-2018-10919 acl_read: Fix unauthorized attribute access via searches
A user that doesn't have access to view an attribute can still guess the
attribute's value via repeated LDAP searches. This affects confidential
attributes, as well as ACLs applied to an object/attribute to deny
access.
Currently the code will hide objects if the attribute filter contains an
attribute they are not authorized to see. However, the code still
returns objects as results if confidential attribute is in the search
expression itself, but not in the attribute filter.
To fix this problem we have to check the access rights on the attributes
in the search-tree, as well as the attributes returned in the message.
Points of note:
- I've preserved the existing dirsync logic (the dirsync module code
suppresses the result as long as the replPropertyMetaData attribute is
removed). However, there doesn't appear to be any test that highlights
that this functionality is required for dirsync.
- To avoid this fix breaking the acl.py tests, we need to still permit
searches like 'objectClass=*', even though we don't have Read Property
access rights for the objectClass attribute. The logic that Windows
uses does not appear to be clearly documented, so I've made a best
guess that seems to mirror Windows behaviour.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Tim Beale [Mon, 30 Jul 2018 04:00:15 +0000 (16:00 +1200)]
CVE-2018-10919 acl_read: Flip the logic in the dirsync check
This better reflects the special case we're making for dirsync, and gets
rid of a 'if-else' clause.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Tim Beale [Thu, 26 Jul 2018 00:20:49 +0000 (12:20 +1200)]
CVE-2018-10919 acl_read: Small refactor to aclread_callback()
Flip the dirsync check (to avoid a double negative), and use a helper
boolean variable.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Tim Beale [Fri, 20 Jul 2018 01:52:24 +0000 (13:52 +1200)]
CVE-2018-10919 acl_read: Split access_mask logic out into helper function
So we can re-use the same logic laster for checking the search-ops.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Gary Lockyer [Fri, 3 Aug 2018 03:51:28 +0000 (15:51 +1200)]
CVE-2018-10919 tests: test ldap searches for non-existent attributes.
It is perfectly legal to search LDAP for an attribute that is not part
of the schema. That part of the query should simply not match.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Tim Beale [Fri, 20 Jul 2018 01:01:00 +0000 (13:01 +1200)]
CVE-2018-10919 security: Fix checking of object-specific CONTROL_ACCESS rights
An 'Object Access Allowed' ACE that assigned 'Control Access' (CR)
rights to a specific attribute would not actually grant access.
What was happening was the remaining_access mask for the object_tree
nodes would be Read Property (RP) + Control Access (CR). The ACE mapped
to the schemaIDGUID for a given attribute, which would end up being a
child node in the tree. So the CR bit was cleared for a child node, but
not the rest of the tree. We would then check the user had the RP access
right, which it did. However, the RP right was cleared for another node
in the tree, which still had the CR bit set in its remaining_access
bitmap, so Samba would not grant access.
Generally, the remaining_access only ever has one bit set, which means
this isn't a problem normally. However, in the Control Access case there
are 2 separate bits being checked, i.e. RP + CR.
One option to fix this problem would be to clear the remaining_access
for the tree instead of just the node. However, the Windows spec is
actually pretty clear on this: if the ACE has a CR right present, then
you can stop any further access checks.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Tim Beale [Tue, 31 Jul 2018 02:14:20 +0000 (14:14 +1200)]
CVE-2018-10919 tests: Add test case for object visibility with limited rights
Currently Samba is a bit disclosive with LDB_OP_PRESENT (i.e.
attribute=*) searches compared to Windows.
All the acl.py tests are based on objectClass=* searches, where Windows
will happily tell a user about objects they have List Contents rights,
but not Read Property rights for. However, if you change the attribute
being searched for, suddenly the objects are no longer visible on
Windows (whereas they are on Samba).
This is a problem, because Samba can tell you about which objects have
confidential attributes, which in itself could be disclosive.
This patch adds a acl.py test-case that highlights this behaviour. The
test passes against Windows but fails against Samba.
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Tim Beale [Mon, 9 Jul 2018 03:57:59 +0000 (15:57 +1200)]
CVE-2018-10919 tests: Add tests for guessing confidential attributes
Adds tests that assert that a confidential attribute cannot be guessed
by an unprivileged user through wildcard DB searches.
The tests basically consist of a set of DB searches/assertions that
get run for:
- basic searches against a confidential attribute
- confidential attributes that get overridden by giving access to the
user via an ACE (run against a variety of ACEs)
- protecting a non-confidential attribute via an ACL that denies read-
access (run against a variety of ACEs)
- querying confidential attributes via the dirsync controls
These tests all pass when run against a Windows Dc and all fail against
a Samba DC.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Tim Beale [Fri, 20 Jul 2018 01:13:50 +0000 (13:13 +1200)]
CVE-2018-10919 security: Add more comments to the object-specific access checks
Reading the spec and then reading the code makes sense, but we could
comment the code more so it makes sense on its own.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Tim Beale [Thu, 19 Jul 2018 04:03:36 +0000 (16:03 +1200)]
CVE-2018-10919 security: Move object-specific access checks into separate function
Object-specific access checks refer to a specific section of the
MS-ADTS, and the code closely matches the spec. We need to extend this
logic to properly handle the Control-Access Right (CR), so it makes
sense to split the logic out into its own function.
This patch just moves the code, and should not alter the logic (apart
from ading in the boolean grant_access return variable.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>