metze/samba/wip.git
2 weeks ago BACKPORT source4/libcli/ldap/ldap_bind.c from master v4-17-ldaps
Stefan Metzmacher [Wed, 24 Apr 2024 08:51:56 +0000 (10:51 +0200)]
BACKPORT source4/libcli/ldap/ldap_bind.c from master

2 weeks ago BACKPORT source4/auth/gensec/gensec_gssapi.c from master
Stefan Metzmacher [Wed, 24 Apr 2024 08:47:14 +0000 (10:47 +0200)]
BACKPORT source4/auth/gensec/gensec_gssapi.c from master

2 weeks ago BACKPORT source3/librpc/crypto/gse.c from master
Stefan Metzmacher [Wed, 24 Apr 2024 08:46:57 +0000 (10:46 +0200)]
BACKPORT source3/librpc/crypto/gse.c from master

2 weeks ago BACKPORT auth/ntlmssp: from master
Stefan Metzmacher [Wed, 24 Apr 2024 08:46:37 +0000 (10:46 +0200)]
BACKPORT auth/ntlmssp: from master

2 weeks ago s4:lib/tls: include a TLS server name indication in the client handshake
Stefan Metzmacher [Fri, 15 Mar 2024 22:24:39 +0000 (23:24 +0100)]
s4:lib/tls: include a TLS server name indication in the client handshake

This is not strictly needed, but it might be useful
for load balancers.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 15fb8fcc7b98c3eba8eab79b227127b4b71b096c)

2 weeks ago ldb_ildap: require ldb_get_opaque(ldb, "loadparm") to be valid
Stefan Metzmacher [Wed, 17 Apr 2024 19:02:03 +0000 (21:02 +0200)]
ldb_ildap: require ldb_get_opaque(ldb, "loadparm") to be valid

Without a valid loadparm_context we can't connect.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 2435ab1ad7092c004df72c2cb033eb94e5bf8274)

2 weeks ago s4:libcli/ldap: ldap4_new_connection() requires a valid lp_ctx
Stefan Metzmacher [Wed, 17 Apr 2024 19:01:08 +0000 (21:01 +0200)]
s4:libcli/ldap: ldap4_new_connection() requires a valid lp_ctx

Otherwise we'll crash in a lot of places later.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 8007569e9f7d374456a3fbd172a905173462eb5f)

2 weeks ago wscript_configure_embedded_heimdal: define HAVE_CLIENT_GSS_C_CHANNEL_BOUND_FLAG
Stefan Metzmacher [Fri, 5 Apr 2024 14:07:50 +0000 (16:07 +0200)]
wscript_configure_embedded_heimdal: define HAVE_CLIENT_GSS_C_CHANNEL_BOUND_FLAG

See https://github.com/heimdal/heimdal/pull/1234 and
https://github.com/krb5/krb5/pull/1329.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 546e39a6fa122e6a40d1e62724e1712882ce3bce)

2 weeks ago third_party/heimdal: import lorikeet-heimdal-202404171655 (commit 28a56d818074e049f03...
Stefan Metzmacher [Mon, 4 Mar 2024 09:30:55 +0000 (10:30 +0100)]
third_party/heimdal: import lorikeet-heimdal-202404171655 (commit 28a56d818074e049f0361ef74d7017f2a9391847)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15603
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621

See also:
https://github.com/heimdal/heimdal/pull/1234
https://github.com/heimdal/heimdal/pull/1238
https://github.com/heimdal/heimdal/pull/1240

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 9b92cbacac11fb64cca2c4770cbdce789525b87a)

2 months ago s4:selftest: also test samba4.ldb.simple.ldap with starttls and SASL-BIND
Stefan Metzmacher [Tue, 13 Feb 2024 15:04:57 +0000 (16:04 +0100)]
s4:selftest: also test samba4.ldb.simple.ldap with starttls and SASL-BIND

Signed-off-by: Stefan Metzmacher <metze@samba.org>

2 months ago s4:libcli/ldap: add support for ADS_AUTH_SASL_{STARTTLS,LDAPS}
Stefan Metzmacher [Wed, 24 Jan 2024 09:43:42 +0000 (10:43 +0100)]
s4:libcli/ldap: add support for ADS_AUTH_SASL_{STARTTLS,LDAPS}

Signed-off-by: Stefan Metzmacher <metze@samba.org>

2 months ago s3:idmap_ad: add support for ADS_AUTH_SASL_{STARTTLS,LDAPS}
Stefan Metzmacher [Fri, 26 Jan 2024 08:18:33 +0000 (09:18 +0100)]
s3:idmap_ad: add support for ADS_AUTH_SASL_{STARTTLS,LDAPS}

Review with: git show --patience

Signed-off-by: Stefan Metzmacher <metze@samba.org>

2 months ago s3:libads: add support for ADS_AUTH_SASL_{STARTTLS,LDAPS}
Stefan Metzmacher [Tue, 30 Jan 2024 09:27:58 +0000 (10:27 +0100)]
s3:libads: add support for ADS_AUTH_SASL_{STARTTLS,LDAPS}

Signed-off-by: Stefan Metzmacher <metze@samba.org>

2 months ago smbdotconf: add client ldap sasl wrapping = {starttls,ldaps}
Stefan Metzmacher [Fri, 9 Feb 2024 14:40:00 +0000 (15:40 +0100)]
smbdotconf: add client ldap sasl wrapping = {starttls,ldaps}

In order to use SASL authentication within a TLS connection
we now provide "client ldap sasl wrapping = starttls" or
"client ldap sasl wrapping = ldaps".

Signed-off-by: Stefan Metzmacher <metze@samba.org>

2 months ago s3:libads: call gensec_set_channel_bindings() for tls connections
Stefan Metzmacher [Tue, 6 Feb 2024 11:35:39 +0000 (12:35 +0100)]
s3:libads: call gensec_set_channel_bindings() for tls connections

Signed-off-by: Stefan Metzmacher <metze@samba.org>

2 months ago s3:libads: call ldap_set_option(LDAP_OPT_PROTOCOL_VERSION) as soon as possible
Stefan Metzmacher [Tue, 30 Jan 2024 09:27:58 +0000 (10:27 +0100)]
s3:libads: call ldap_set_option(LDAP_OPT_PROTOCOL_VERSION) as soon as possible

Signed-off-by: Stefan Metzmacher <metze@samba.org>

2 months ago s3:libads: add tls_wrapping into openldap
Stefan Metzmacher [Tue, 30 Jan 2024 09:27:58 +0000 (10:27 +0100)]
s3:libads: add tls_wrapping into openldap

Signed-off-by: Stefan Metzmacher <metze@samba.org>

2 months ago s4:lib/tls: add tstream_tls_sync_setup()
Stefan Metzmacher [Tue, 6 Feb 2024 10:48:41 +0000 (11:48 +0100)]
s4:lib/tls: add tstream_tls_sync_setup()

This operates in a non-async fashion and may block
in the push and pull function.

It will be used to plug into openldap transport
layer, this is needed in order to have access
to the channel bindings. And also use the same
configuration for all our gnutls based tls code.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

2 months ago s3:tldap: add support for [START]TLS
Stefan Metzmacher [Tue, 23 Jan 2024 16:21:35 +0000 (17:21 +0100)]
s3:tldap: add support for [START]TLS

Signed-off-by: Stefan Metzmacher <metze@samba.org>

2 months ago s3:tldap: make tldap_gensec_bind_send/recv public
Stefan Metzmacher [Tue, 23 Jan 2024 23:32:51 +0000 (00:32 +0100)]
s3:tldap: make tldap_gensec_bind_send/recv public

Signed-off-by: Stefan Metzmacher <metze@samba.org>

2 months ago s3:tldap: add tldap_extended*
Stefan Metzmacher [Tue, 23 Jan 2024 19:38:21 +0000 (20:38 +0100)]
s3:tldap: add tldap_extended*

Signed-off-by: Stefan Metzmacher <metze@samba.org>

2 months ago s3:tldap: store plain and gensec tstream
Stefan Metzmacher [Tue, 23 Jan 2024 15:00:11 +0000 (16:00 +0100)]
s3:tldap: store plain and gensec tstream

Also allow resetting to plain.

We now have ld->active as the currently active
tstream, which will allow us to add tls support
soon.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

2 months ago s3:tldap: let tldap_gensec_bind_send/recv use gensec_update_send/recv
Stefan Metzmacher [Tue, 23 Jan 2024 14:41:23 +0000 (15:41 +0100)]
s3:tldap: let tldap_gensec_bind_send/recv use gensec_update_send/recv

We should not use the sync gensec_update() in async code!

Signed-off-by: Stefan Metzmacher <metze@samba.org>

2 months ago s3:tldap: don't use 'supportedSASLMechanisms' and force 'GSS-SPNEGO' instead
Stefan Metzmacher [Tue, 23 Jan 2024 14:30:05 +0000 (15:30 +0100)]
s3:tldap: don't use 'supportedSASLMechanisms' and force 'GSS-SPNEGO' instead

All active directory dcs support 'GSS-SPNEGO'.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

2 months ago s3:tldap: simplify tldap_gensec_bind.h
Stefan Metzmacher [Tue, 23 Jan 2024 15:45:07 +0000 (16:45 +0100)]
s3:tldap: simplify tldap_gensec_bind.h

We don't need any includes...

Signed-off-by: Stefan Metzmacher <metze@samba.org>

2 months ago s3:tldap: simplify read_ldap_more() by using asn1_peek_full_tag()
Stefan Metzmacher [Fri, 26 Jan 2024 13:19:12 +0000 (14:19 +0100)]
s3:tldap: simplify read_ldap_more() by using asn1_peek_full_tag()

An LDAP pdu is at least 7 bytes long, so we read at least 7 bytes,
then it's easy to use asn1_peek_full_tag() in order to find out the
whole length of the pdu in one go.

As a side effect it's now possible that wireshark can reassemble
the fragments in a socket_wrapper generated pcap file.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

2 months ago s4:selftest: also test samba4.ldb.simple.ldaps with ldap_testing:tls_channel_bindings=no
Stefan Metzmacher [Tue, 13 Feb 2024 14:50:14 +0000 (15:50 +0100)]
s4:selftest: also test samba4.ldb.simple.ldaps with ldap_testing:tls_channel_bindings=no

Signed-off-by: Stefan Metzmacher <metze@samba.org>

2 months ago s4:libcli/ldap: add tls channel binding support for ldap_bind_sasl()
Stefan Metzmacher [Thu, 28 Sep 2023 15:11:03 +0000 (17:11 +0200)]
s4:libcli/ldap: add tls channel binding support for ldap_bind_sasl()

We still allow 'ldap_testing:tls_channel_bindings = no' for testing
the old behavior in order to have expected failures in our tests.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

2 months ago s4:ldap_server: add support for tls channel bindings
Stefan Metzmacher [Tue, 23 Jan 2024 13:20:24 +0000 (14:20 +0100)]
s4:ldap_server: add support for tls channel bindings

ldap server require strong auth = allow_sasl_over_tls
is now an alias for 'allow_sasl_without_tls_channel_bindings'
and should be avoided and changed to 'yes' or
'allow_sasl_without_tls_channel_bindings'.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

2 months ago s4:lib/tls: add tstream_tls_channel_bindings()
Stefan Metzmacher [Thu, 28 Sep 2023 10:34:35 +0000 (12:34 +0200)]
s4:lib/tls: add tstream_tls_channel_bindings()

This is based on GNUTLS_CB_TLS_SERVER_END_POINT
and is the value that is required for channel bindings
in LDAP of active directory domain controllers.

For gnutls versions before 3.7.2 we basically
copied the code from the GNUTLS_CB_TLS_SERVER_END_POINT
implementation as it only uses public gnutls functions
and it's easy to re-implement.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

2 months ago s3:crypto/gse: implement channel binding support
Stefan Metzmacher [Fri, 29 Sep 2023 09:55:45 +0000 (11:55 +0200)]
s3:crypto/gse: implement channel binding support

Signed-off-by: Stefan Metzmacher <metze@samba.org>

2 months ago s4:gensec_gssapi: implement channel binding support
Stefan Metzmacher [Thu, 28 Sep 2023 15:09:37 +0000 (17:09 +0200)]
s4:gensec_gssapi: implement channel binding support

Signed-off-by: Stefan Metzmacher <metze@samba.org>

2 months ago auth/ntlmssp: implement channel binding support
Stefan Metzmacher [Tue, 11 Feb 2020 15:07:05 +0000 (16:07 +0100)]
auth/ntlmssp: implement channel binding support

Signed-off-by: Stefan Metzmacher <metze@samba.org>

2 months ago auth/gensec: add gensec_set_channel_bindings() function
Stefan Metzmacher [Tue, 11 Feb 2020 14:26:07 +0000 (15:26 +0100)]
auth/gensec: add gensec_set_channel_bindings() function

Signed-off-by: Stefan Metzmacher <metze@samba.org>

2 months ago s4:lib/tls: add support for gnutls_certificate_set_x509_{system_trust,trust_dir}()
Stefan Metzmacher [Fri, 9 Feb 2024 10:31:30 +0000 (11:31 +0100)]
s4:lib/tls: add support for gnutls_certificate_set_x509_{system_trust,trust_dir}()

Signed-off-by: Stefan Metzmacher <metze@samba.org>

2 months ago docs-xml: add 'tls trust system cas' and 'tls ca directories' options
Stefan Metzmacher [Tue, 13 Feb 2024 16:42:41 +0000 (17:42 +0100)]
docs-xml: add 'tls trust system cas' and 'tls ca directories' options

This will make it easier to support trusting more than one CA.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

2 months ago s4:libcli/ldap: make use of tstream_tls_params_client_lpcfg()
Stefan Metzmacher [Tue, 13 Feb 2024 15:53:15 +0000 (16:53 +0100)]
s4:libcli/ldap: make use of tstream_tls_params_client_lpcfg()

Signed-off-by: Stefan Metzmacher <metze@samba.org>

2 months ago s4:librpc/rpc: make use of tstream_tls_params_client_lpcfg()
Stefan Metzmacher [Tue, 13 Feb 2024 15:52:56 +0000 (16:52 +0100)]
s4:librpc/rpc: make use of tstream_tls_params_client_lpcfg()

Signed-off-by: Stefan Metzmacher <metze@samba.org>

2 months ago s3:rpc_server/mdssvc: make use of tstream_tls_params_client_lpcfg()
Stefan Metzmacher [Tue, 13 Feb 2024 15:50:23 +0000 (16:50 +0100)]
s3:rpc_server/mdssvc: make use of tstream_tls_params_client_lpcfg()

Signed-off-by: Stefan Metzmacher <metze@samba.org>

2 months ago s4:lib/tls: add tstream_tls_params_client_lpcfg()
Stefan Metzmacher [Tue, 13 Feb 2024 15:36:27 +0000 (16:36 +0100)]
s4:lib/tls: add tstream_tls_params_client_lpcfg()

This will be able to simplify the callers a lot...

Signed-off-by: Stefan Metzmacher <metze@samba.org>

2 months ago s4:lib/tls: split out tstream_tls_verify_peer() helper
Stefan Metzmacher [Mon, 12 Feb 2024 11:02:13 +0000 (12:02 +0100)]
s4:lib/tls: split out tstream_tls_verify_peer() helper

Signed-off-by: Stefan Metzmacher <metze@samba.org>

2 months ago s4:lib/tls: split out tstream_tls_prepare_gnutls()
Stefan Metzmacher [Mon, 12 Feb 2024 11:35:02 +0000 (12:35 +0100)]
s4:lib/tls: split out tstream_tls_prepare_gnutls()

Review with: git show --patience

Signed-off-by: Stefan Metzmacher <metze@samba.org>

2 months ago s4:lib/tls: assert that event contexts are not mixed
Stefan Metzmacher [Fri, 26 Jan 2024 14:30:09 +0000 (15:30 +0100)]
s4:lib/tls: assert that event contexts are not mixed

Signed-off-by: Stefan Metzmacher <metze@samba.org>

2 months ago s3:lib/tls: we need to call tstream_tls_retry_handshake/disconnect() until all buffer...
Stefan Metzmacher [Fri, 26 Jan 2024 13:42:40 +0000 (14:42 +0100)]
s3:lib/tls: we need to call tstream_tls_retry_handshake/disconnect() until all buffers are flushed

Before the handshake or disconnect is over we need to wait until
we delivered the lowlevel messages to the transport/kernel socket.

Otherwise we'll have a problem if another tevent_context is used
after the handshake.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

2 months ago s4:lib/tls: remove tstream_tls_push_trigger_write step
Stefan Metzmacher [Fri, 26 Jan 2024 13:27:16 +0000 (14:27 +0100)]
s4:lib/tls: remove tstream_tls_push_trigger_write step

At the time of https://bugzilla.samba.org/show_bug.cgi?id=7218,
we tested these versions:
    2.4.1 -> broken
    2.4.2 -> broken
    2.6.0 -> broken
    2.8.0 -> broken
    2.8.1 -> broken
    2.8.2 -> OK
    2.8.3 -> OK
    2.8.4 -> OK
    2.8.5 -> OK
    2.8.6 -> OK
    2.10.0 -> broken
    2.10.1 -> broken
    2.10.2 -> OK

These seemed to be the fixes in gnutls upstream.

Change 2.8.1 -> 2.8.2:
http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=28fb34099edaf62e5472cc6e5e2749fed369ea01

Change 2.10.1 -> 2.10.2:
http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=0d07d8432d57805a8354ebd6c1e7829f3ab159cb

This shouldn't be a problem with recent (>= 3.6) versions of gnutls.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

2 months ago s4:libcli/ldap: force GSS-SPNEGO in ldap_bind_sasl()
Stefan Metzmacher [Fri, 26 Jan 2024 17:04:57 +0000 (18:04 +0100)]
s4:libcli/ldap: force GSS-SPNEGO in ldap_bind_sasl()

There's no point in asking the server for supportedSASLMechanisms,
every server (we care about) supports GSS-SPNEGO.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

2 months ago s4:libcli/ldap: fix no memory error code in ldap_bind_sasl()
Stefan Metzmacher [Fri, 26 Jan 2024 17:07:53 +0000 (18:07 +0100)]
s4:libcli/ldap: fix no memory error code in ldap_bind_sasl()

Signed-off-by: Stefan Metzmacher <metze@samba.org>

2 months ago s3:libads: no longer pass "GSS-SPNEGO" to ads_sasl_spnego_gensec_bind()
Stefan Metzmacher [Fri, 9 Feb 2024 09:50:13 +0000 (10:50 +0100)]
s3:libads: no longer pass "GSS-SPNEGO" to ads_sasl_spnego_gensec_bind()

That's the only thing we use...

Signed-off-by: Stefan Metzmacher <metze@samba.org>

2 months ago s3:libads: remove dead code in ads_sasl_spnego_{gensec}_bind()
Stefan Metzmacher [Fri, 2 Feb 2024 11:35:05 +0000 (12:35 +0100)]
s3:libads: remove dead code in ads_sasl_spnego_{gensec}_bind()

Signed-off-by: Stefan Metzmacher <metze@samba.org>

2 months ago s3:libads: directly use kerberos without asking the server
Stefan Metzmacher [Fri, 26 Jan 2024 17:09:39 +0000 (18:09 +0100)]
s3:libads: directly use kerberos without asking the server

Every AD DC supports kerberos so we can just use it without
asking the server (in an untrusted way) if kerberos is supported.
So remove another useless roundtrip.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

2 months ago s3:libads: use GSS-SPNEGO directly without asking for supportedSASLMechanisms
Stefan Metzmacher [Fri, 26 Jan 2024 17:08:55 +0000 (18:08 +0100)]
s3:libads: use GSS-SPNEGO directly without asking for supportedSASLMechanisms

Every AD DC supports 'GSS-SPNEGO' and that's the only one we use anyway,
so remove an unused roundtrip.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

2 months ago s3:libsmb: libcli/auth/spnego.h is not needed in cliconnect.c
Stefan Metzmacher [Fri, 26 Jan 2024 17:09:59 +0000 (18:09 +0100)]
s3:libsmb: libcli/auth/spnego.h is not needed in cliconnect.c

Signed-off-by: Stefan Metzmacher <metze@samba.org>

2 months ago s3:winbindd: use better debug messages than 'talloc_strdup failed'
Stefan Metzmacher [Fri, 26 Jan 2024 08:25:11 +0000 (09:25 +0100)]
s3:winbindd: use better debug messages than 'talloc_strdup failed'

Signed-off-by: Stefan Metzmacher <metze@samba.org>

2 months ago s3:passdb: use DBG_ERR() for 'talloc_strdup failed' messages
Stefan Metzmacher [Fri, 26 Jan 2024 08:21:03 +0000 (09:21 +0100)]
s3:passdb: use DBG_ERR() for 'talloc_strdup failed' messages

Otherwise it's completely unclear where the messages come from

Signed-off-by: Stefan Metzmacher <metze@samba.org>

2 months ago selftest: add an expectedfail directory
Douglas Bagnall [Fri, 8 Dec 2023 03:05:36 +0000 (16:05 +1300)]
selftest: add an expectedfail directory

We have some tests that are not only known to fail, but which are
intended to fail.

For example, to quote selftest/knownfail.d/dns:

> # These tests are expected to fail because we want to ensure that
> # unauthenticated updates are not permitted against the default
> # configuration, nor against an RODC

In contrast to selftest/knownfail.d/uac_objectclass_restrict, which
says:

> # All these tests need to be fixed and the entries here removed

That one should stay in selftest/knownfail.d.

Some files are mixed. For example, there are lines in
selftest/knownfail.d/smb1-tests which were added in *commits* that say

> We also need to add a knownfail (which will not be removed) for the
> new test which will fail in smb1 envs

but it is not clear to me that the whole file is expected to always
fail.

By moving some knownfails here, we allow selftest/knownfail.d to be a
bit more like a TODO list, containing things that actually constitute
failure.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

2 months ago s4:lib: Fix code spelling
Joseph Sutton [Thu, 21 Sep 2023 21:16:04 +0000 (09:16 +1200)]
s4:lib: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit c73456d7bd48b2293f63d44e0ed6b2a563bbb2b8)

2 months ago s4:tls_tstream: create tstream_tls_params_internal
Jule Anger [Tue, 31 Jan 2023 14:08:31 +0000 (15:08 +0100)]
s4:tls_tstream: create tstream_tls_params_internal

The following commits will implement the reloading of tls certificates.
Therefore we need to overwrite the internal memory.

Note we need to make sure x509_cred and dh_params from
tstream_tls_params_internal stay alive for the whole lifetime
of this session!

See 'man gnutls_credentials_set' and
'man gnutls_certificate_set_dh_params'.

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Jule Anger <janger@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 7804bf55ad036336c357be117a3282d15d633a84)

2 months ago s4:lib:tls: Don't negotiate session resumption with session tickets
Noel Power [Fri, 4 Nov 2022 16:56:49 +0000 (16:56 +0000)]
s4:lib:tls: Don't negotiate session resumption with session tickets

tls_tstream can't properly handle 'New Session Ticket' messages
sent 'after' the client sends the 'Finished' message.

This is needed because some servers (at least elasticsearch) wait till
they get 'Finished' message from the client before sending the
"New Ticket" message.

Without this patch what typically happens is when the application code
sends data it then tries to read the response, but, instead of the
response to the request it actually receives the "New Session Ticket"
instead. The "New Session Ticket" message gets processed by the upper layer
logic e.g.
   tstream_tls_readv_send
       ->tstream_tls_readv_crypt_next
           ->tstream_tls_retry_read
               ->gnutls_record_recv

instead of the core gnutls routines.

This results in the response processing failing due to the
currently 'unexpected' New Ticket message.

In order to avoid this scenario we can ensure the client doesn't
negotiate resumption with session tickets.

Signed-off-by: Noel Power <noel.power@suse.com>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Nov 16 09:58:45 UTC 2022 on sn-devel-184

(cherry picked from commit 0fd7b13ebc38779a18ba4a22f7b17dc2628907cc)

7 months ago VERSION: Bump version up to Samba 4.17.13... samba-upstream/heads/v4-17-test
Jule Anger [Tue, 10 Oct 2023 15:13:29 +0000 (17:13 +0200)]
VERSION: Bump version up to Samba 4.17.13...

Signed-off-by: Jule Anger <janger@samba.org>

7 months ago Merge branch 'v4-17-stable' into v4-17-test
Jule Anger [Tue, 10 Oct 2023 15:08:22 +0000 (17:08 +0200)]
Merge branch 'v4-17-stable' into v4-17-test

7 months ago Merge tag 'samba-4.17.12' into v4-17-stable samba-upstream/heads/v4-17-stable
Jule Anger [Tue, 10 Oct 2023 14:54:15 +0000 (16:54 +0200)]
Merge tag 'samba-4.17.12' into v4-17-stable

samba: tag release samba-4.17.12

7 months ago VERSION: Disable GIT_SNAPSHOT for the 4.17.12 release. samba-upstream/tags/samba-4.17.12
Jule Anger [Tue, 10 Oct 2023 08:42:49 +0000 (10:42 +0200)]
VERSION: Disable GIT_SNAPSHOT for the 4.17.12 release.

Signed-off-by: Jule Anger <janger@samba.org>

7 months ago WHATSNEW: Add release notes for Samba 4.17.12.
Jule Anger [Tue, 10 Oct 2023 08:41:53 +0000 (10:41 +0200)]
WHATSNEW: Add release notes for Samba 4.17.12.

Signed-off-by: Jule Anger <janger@samba.org>

7 months ago CVE-2023-42670 s3-rpc_server: Remove cross-check with "samba" EPM lookup
Andrew Bartlett [Tue, 12 Sep 2023 04:23:49 +0000 (16:23 +1200)]
CVE-2023-42670 s3-rpc_server: Remove cross-check with "samba" EPM lookup

We now have ensured that no conflicting services attempt to start
so we do not need the runtime lookup and so avoid the risk that
the lookup may fail.

This means that any duplicates will be noticed early not just
in a race condition.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15473

Signed-off-by: Andrew Bartlett <abartlet@samba.org>

7 months ago CVE-2023-42670 s3-rpc_server: Strictly refuse to start RPC servers in conflict with...
Andrew Bartlett [Tue, 12 Sep 2023 00:28:49 +0000 (12:28 +1200)]
CVE-2023-42670 s3-rpc_server: Strictly refuse to start RPC servers in conflict with AD DC

Just as we refuse to start NETLOGON except on the DC, we must refuse
to start all of the RPC services that are provided by the AD DC.

Most critically of course this applies to netlogon, lsa and samr.

This avoids the suppression of these services being the result of a
runtime epmapper lookup, as if that fails these services can disrupt
service to end users by listening on the same socket as the AD DC
servers.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15473

Signed-off-by: Andrew Bartlett <abartlet@samba.org>

7 months ago CVE-2023-42669 s3-rpc_server: Disable rpcecho for consistency with the AD DC
Andrew Bartlett [Tue, 12 Sep 2023 07:01:03 +0000 (19:01 +1200)]
CVE-2023-42669 s3-rpc_server: Disable rpcecho for consistency with the AD DC

The rpcecho server in source3 does have samba the sleep() feature that
the s4 version has, but the task architecture is different, so there
is not the same impact.  However equally this is not something that
should be enabled on production builds of Samba, so restrict to
selftest builds.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15474

Signed-off-by: Andrew Bartlett <abartlet@samba.org>

7 months ago CVE-2023-42669 s4-rpc_server: Disable rpcecho server by default
Andrew Bartlett [Tue, 12 Sep 2023 06:59:44 +0000 (18:59 +1200)]
CVE-2023-42669 s4-rpc_server: Disable rpcecho server by default

The rpcecho server is useful in development and testing, but should never
have been allowed into production, as it includes the facility to
do a blocking sleep() in the single-threaded rpc worker.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15474

Signed-off-by: Andrew Bartlett <abartlet@samba.org>

7 months ago CVE-2023-4154: Unimplement the original DirSync behaviour without LDAP_DIRSYNC_OBJECT...
Andrew Bartlett [Tue, 8 Aug 2023 05:58:27 +0000 (17:58 +1200)]
CVE-2023-4154: Unimplement the original DirSync behaviour without LDAP_DIRSYNC_OBJECT_SECURITY

This makes LDAP_DIRSYNC_OBJECT_SECURITY the only behaviour provided by
Samba.

Having a second access control system within the LDAP stack is unsafe
and this layer is incomplete.

The current system gives all accounts that have been given the
GUID_DRS_GET_CHANGES extended right SYSTEM access.  Currently in Samba
this equates to full access to passwords as well as "RODC Filtered
attributes" (often used with confidential attributes).

Rather than attempting to correctly filter for secrets (passwords) and
these filtered attributes, as well as preventing search expressions for
both, we leave this complexity to the acl_read module which has this
facility already well tested.

The implication is that callers will only see and filter by attribute
in DirSync that they could without DirSync.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andrew Bartlett <abartlet@samba.org>

7 months ago CVE-2023-4154 dsdb/tests: Extend attribute read DirSync tests
Andrew Bartlett [Tue, 22 Aug 2023 03:08:17 +0000 (15:08 +1200)]
CVE-2023-4154 dsdb/tests: Extend attribute read DirSync tests

The aim here is to document the expected (even if not implemented)
SEARCH_FLAG_RODC_ATTRIBUTE vs SEARCH_FLAG_CONFIDENTIAL, behaviour, so
that any change once CVE-2023-4154 is fixed can be noted.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andrew Bartlett <abartlet@samba.org>

7 months ago CVE-2023-4154 dsdb/tests: Add test for SEARCH_FLAG_RODC_ATTRIBUTE behaviour
Andrew Bartlett [Tue, 8 Aug 2023 02:30:19 +0000 (14:30 +1200)]
CVE-2023-4154 dsdb/tests: Add test for SEARCH_FLAG_RODC_ATTRIBUTE behaviour

SEARCH_FLAG_RODC_ATTRIBUTE should be like SEARCH_FLAG_CONFIDENTIAL,
but for DirSync and DRS replication.  Accounts with
GUID_DRS_GET_CHANGES rights should not be able to read this
attribute.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andrew Bartlett <abartlet@samba.org>

7 months ago CVE-2023-4154 dsdb/tests: Speed up DirSync test by only checking positive matches...
Andrew Bartlett [Mon, 7 Aug 2023 23:18:46 +0000 (11:18 +1200)]
CVE-2023-4154 dsdb/tests: Speed up DirSync test by only checking positive matches once

When we (expect to) get back a result, do not waste time against a potentially
slow server confirming we also get back results for all the other attribute
combinations.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andrew Bartlett <abartlet@samba.org>

7 months ago CVE-2023-4154 dsdb/tests: Check that secret attributes are not visible with DirSync...
Andrew Bartlett [Sun, 6 Aug 2023 23:56:56 +0000 (11:56 +1200)]
CVE-2023-4154 dsdb/tests: Check that secret attributes are not visible with DirSync ever.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andrew Bartlett <abartlet@samba.org>

7 months ago CVE-2023-4154 dsdb/tests: Force the test attribute to be not-confidential at the...
Andrew Bartlett [Mon, 7 Aug 2023 02:44:28 +0000 (14:44 +1200)]
CVE-2023-4154 dsdb/tests: Force the test attribute to be not-confidential at the start

Rather than fail, if the last run failed to reset things, just force
the DC into the required state.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andrew Bartlett <abartlet@samba.org>

7 months ago CVE-2023-4154 dsdb/tests: Use self.addCleanup() and delete_force()
Andrew Bartlett [Mon, 7 Aug 2023 01:15:40 +0000 (13:15 +1200)]
CVE-2023-4154 dsdb/tests: Use self.addCleanup() and delete_force()

This helps ensure this test is reliable even in spite of errors while
running.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andrew Bartlett <abartlet@samba.org>

7 months ago CVE-2023-4154 dsdb/tests: Do not run SimpleDirsyncTests twice
Andrew Bartlett [Sun, 6 Aug 2023 23:55:55 +0000 (11:55 +1200)]
CVE-2023-4154 dsdb/tests: Do not run SimpleDirsyncTests twice

To re-use setup code, the super-class must have no test_*() methods
otherwise these will be run as well as the class-local tests.

We rename tests that would otherwise have duplicate names

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andrew Bartlett <abartlet@samba.org>

7 months ago CVE-2023-4154 libcli/security: add security_descriptor_[s|d]acl_insert() helpers
Stefan Metzmacher [Thu, 16 Mar 2023 09:03:44 +0000 (10:03 +0100)]
CVE-2023-4154 libcli/security: add security_descriptor_[s|d]acl_insert() helpers

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 2c02378029fff6636b8f19e45af78b265f2210ed)

7 months ago CVE-2023-4154 libcli/security: prepare security_descriptor_acl_add() to place the...
Stefan Metzmacher [Thu, 16 Mar 2023 09:00:11 +0000 (10:00 +0100)]
CVE-2023-4154 libcli/security: prepare security_descriptor_acl_add() to place the ace at a position

Often it is important to insert an ace at a specific position in the
ACL. As a default we still append by default by using -1, which is the
generic version of passing the number of existing aces.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit c3cb915a67aff6739b72b86d7d139609df309ada)

7 months ago CVE-2023-4154 replace: add ARRAY_INSERT_ELEMENT() helper
Stefan Metzmacher [Thu, 16 Mar 2023 08:57:43 +0000 (09:57 +0100)]
CVE-2023-4154 replace: add ARRAY_INSERT_ELEMENT() helper

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 9d8ff0d1e0b2ba7c84af36e1931f5bc99902a44b)

7 months ago CVE-2023-4154 python/samba/ndr: add ndr_deepcopy() helper
Stefan Metzmacher [Fri, 17 Mar 2023 13:08:34 +0000 (14:08 +0100)]
CVE-2023-4154 python/samba/ndr: add ndr_deepcopy() helper

This uses ndr_pack/unpack in order to create a deep copy
of the given object.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 4627997ddae44265ad35b3234232eb74458c6c34)

7 months ago CVE-2023-4154 py_security: allow idx argument to descriptor.[s|d]acl_add()
Stefan Metzmacher [Thu, 16 Mar 2023 09:11:05 +0000 (10:11 +0100)]
CVE-2023-4154 py_security: allow idx argument to descriptor.[s|d]acl_add()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 9ea06aaf9f57e3c7094553d9ac40fb73057a9b74)

7 months ago CVE-2023-4154 python:sd_utils: add dacl_{prepend,append,delete}_aces() helpers
Stefan Metzmacher [Thu, 16 Mar 2023 17:03:10 +0000 (18:03 +0100)]
CVE-2023-4154 python:sd_utils: add dacl_{prepend,append,delete}_aces() helpers

They better represent what they are doing, we keep dacl_add_ace()
as wrapper of dacl_prepend_aces() in order to let existing callers
work as before.

In future it would be good to have a dacl_insert_aces() that
would canonicalize the ace order before storing, but that is a task
for another day.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit a1109a9bf12e020636b8d66fc54984aac58bfe6b)

7 months ago CVE-2023-4154 python:sd_utils: introduce update_aces_in_dacl() helper
Stefan Metzmacher [Fri, 10 Mar 2023 17:25:18 +0000 (18:25 +0100)]
CVE-2023-4154 python:sd_utils: introduce update_aces_in_dacl() helper

This is a more generic api that can be re-used in other places
as well in future. It operates on a security descriptor object instead of
SDDL.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 8411e6d302e25d10f1035ebbdcbde7308566e930)

7 months ago CVE-2023-4154 s4-dsdb: Remove DSDB_ACL_CHECKS_DIRSYNC_FLAG
Joseph Sutton [Tue, 14 Feb 2023 04:19:27 +0000 (17:19 +1300)]
CVE-2023-4154 s4-dsdb: Remove DSDB_ACL_CHECKS_DIRSYNC_FLAG

It's no longer used anywhere.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 8b4e6f7b3fb8018cb64deef9b8e1cbc2e5ba12cf)

7 months ago CVE-2023-4154 s4:dsdb:tests: Fix code spelling
Andreas Schneider [Wed, 2 Aug 2023 08:44:32 +0000 (10:44 +0200)]
CVE-2023-4154 s4:dsdb:tests: Fix code spelling

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
(cherry picked from commit b29793ffdee5d9b9c1c05830622e80f7faec7670)

7 months ago CVE-2023-4154 s4:dsdb:tests: Refactor confidential attributes test
Joseph Sutton [Thu, 26 Jan 2023 18:43:40 +0000 (07:43 +1300)]
CVE-2023-4154 s4:dsdb:tests: Refactor confidential attributes test

Use more specific unittest methods, and remove unused code.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 2e5d08c908b3fa48b9b374279a331061cb77bce3)

7 months ago CVE-2023-4154 dsdb: Remove remaining references to DC_MODE_RETURN_NONE and DC_MODE_RE...
Andrew Bartlett [Wed, 1 Mar 2023 01:49:06 +0000 (14:49 +1300)]
CVE-2023-4154 dsdb: Remove remaining references to DC_MODE_RETURN_NONE and DC_MODE_RETURN_ALL

The confidential_attrs test no longer uses DC_MODE_RETURN_NONE; we can now
remove the complexity.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
(cherry picked from commit 82d2ec786f7e75ff6f34eb3357964345b10de091)

7 months ago CVE-2023-4154 librpc ndr/py_security: Export ACE deletion functions to python
Christian Merten [Mon, 19 Sep 2022 21:01:34 +0000 (23:01 +0200)]
CVE-2023-4154 librpc ndr/py_security: Export ACE deletion functions to python

Exported security_descriptor_sacl_del and security_descriptor_dacl_del as new methods of the
security descriptor class to python.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Christian Merten <christian@merten.dev>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 84a54d2fa2b1590fdb4e2ea986ded9c39a82cf78)

7 months ago CVE-2023-4154 libcli security_descriptor: Add function to delete a given ace from...
Christian Merten [Mon, 19 Sep 2022 20:47:10 +0000 (22:47 +0200)]
CVE-2023-4154 libcli security_descriptor: Add function to delete a given ace from a security descriptor

Two functions have been added to delete a given ace from the SACL or the DACL of a security descriptor.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Christian Merten <christian@merten.dev>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 7efe673fbdcd27ddd23f36281c5f5338681a68fe)

7 months ago CVE-2023-4091: smbd: use open_access_mask for access check in open_file()
Ralph Boehme [Tue, 1 Aug 2023 11:04:36 +0000 (13:04 +0200)]
CVE-2023-4091: smbd: use open_access_mask for access check in open_file()

If the client requested FILE_OVERWRITE[_IF], we're implicitly adding
FILE_WRITE_DATA to the open_access_mask in open_file_ntcreate(), but for the
access check we're using access_mask which doesn't contain the additional
right, which means we can end up truncating a file for which the user has
only read-only access via an SD.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439

Signed-off-by: Ralph Boehme <slow@samba.org>

7 months ago CVE-2023-4091: smbtorture: test overwrite dispositions on read-only file
Ralph Boehme [Tue, 1 Aug 2023 10:30:00 +0000 (12:30 +0200)]
CVE-2023-4091: smbtorture: test overwrite dispositions on read-only file

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439

Signed-off-by: Ralph Boehme <slow@samba.org>

7 months ago CVE-2023-3961:s3: smbd: Remove the SMB_ASSERT() that crashes on bad pipenames.
Jeremy Allison [Wed, 26 Jul 2023 00:54:41 +0000 (17:54 -0700)]
CVE-2023-3961:s3: smbd: Remove the SMB_ASSERT() that crashes on bad pipenames.

We correctly handle this and just return ENOENT (NT_STATUS_OBJECT_NAME_NOT_FOUND).

Remove knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422

Signed-off-by: Jeremy Allison <jra@samba.org>

7 months ago CVE-2023-3961:s3:torture: Add test SMB2-INVALID-PIPENAME to show we allow bad pipenam...
Jeremy Allison [Wed, 26 Jul 2023 00:49:21 +0000 (17:49 -0700)]
CVE-2023-3961:s3:torture: Add test SMB2-INVALID-PIPENAME to show we allow bad pipenames with unix separators through to the UNIX domain socket code.

The raw SMB2-INVALID-PIPENAME test passes against Windows 2022,
as it just returns NT_STATUS_OBJECT_NAME_NOT_FOUND.

Add the knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422

Signed-off-by: Jeremy Allison <jra@samba.org>
[abartlet@samba.org backported to Samba 4.17 due to conflicts from
 context of other new torture tests missing in this version and
 changes in smb2cli_create() arguments]

7 months ago CVE-2023-3961:s3:smbd: Catch any incoming pipe path that could exit socket_dir.
Jeremy Allison [Wed, 26 Jul 2023 00:41:04 +0000 (17:41 -0700)]
CVE-2023-3961:s3:smbd: Catch any incoming pipe path that could exit socket_dir.

For now, SMB_ASSERT() to exit the server. We will remove
this once the test code is in place.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422

Signed-off-by: Jeremy Allison <jra@samba.org>

7 months ago VERSION: Bump version up to Samba 4.17.12...
Jule Anger [Thu, 7 Sep 2023 08:54:42 +0000 (10:54 +0200)]
VERSION: Bump version up to Samba 4.17.12...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Jule Anger <janger@samba.org>
(cherry picked from commit b0b25f067ba3a6ef0e1e76ea7d18a67c0d5b6edd)

7 months ago CVE-2023-42670 s3-rpc_server: Remove cross-check with "samba" EPM lookup
Andrew Bartlett [Tue, 12 Sep 2023 04:23:49 +0000 (16:23 +1200)]
CVE-2023-42670 s3-rpc_server: Remove cross-check with "samba" EPM lookup

We now have ensured that no conflicting services attempt to start
so we do not need the runtime lookup and so avoid the risk that
the lookup may fail.

This means that any duplicates will be noticed early not just
in a race condition.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15473

Signed-off-by: Andrew Bartlett <abartlet@samba.org>

7 months ago CVE-2023-42670 s3-rpc_server: Strictly refuse to start RPC servers in conflict with...
Andrew Bartlett [Tue, 12 Sep 2023 00:28:49 +0000 (12:28 +1200)]
CVE-2023-42670 s3-rpc_server: Strictly refuse to start RPC servers in conflict with AD DC

Just as we refuse to start NETLOGON except on the DC, we must refuse
to start all of the RPC services that are provided by the AD DC.

Most critically of course this applies to netlogon, lsa and samr.

This avoids the suppression of these services being the result of a
runtime epmapper lookup, as if that fails these services can disrupt
service to end users by listening on the same socket as the AD DC
servers.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15473

Signed-off-by: Andrew Bartlett <abartlet@samba.org>

7 months ago CVE-2023-42669 s3-rpc_server: Disable rpcecho for consistency with the AD DC
Andrew Bartlett [Tue, 12 Sep 2023 07:01:03 +0000 (19:01 +1200)]
CVE-2023-42669 s3-rpc_server: Disable rpcecho for consistency with the AD DC

The rpcecho server in source3 does have samba the sleep() feature that
the s4 version has, but the task architecture is different, so there
is not the same impact.  However equally this is not something that
should be enabled on production builds of Samba, so restrict to
selftest builds.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15474

Signed-off-by: Andrew Bartlett <abartlet@samba.org>

7 months ago CVE-2023-42669 s4-rpc_server: Disable rpcecho server by default
Andrew Bartlett [Tue, 12 Sep 2023 06:59:44 +0000 (18:59 +1200)]
CVE-2023-42669 s4-rpc_server: Disable rpcecho server by default

The rpcecho server is useful in development and testing, but should never
have been allowed into production, as it includes the facility to
do a blocking sleep() in the single-threaded rpc worker.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15474

Signed-off-by: Andrew Bartlett <abartlet@samba.org>

7 months ago CVE-2023-4154: Unimplement the original DirSync behaviour without LDAP_DIRSYNC_OBJECT...
Andrew Bartlett [Tue, 8 Aug 2023 05:58:27 +0000 (17:58 +1200)]
CVE-2023-4154: Unimplement the original DirSync behaviour without LDAP_DIRSYNC_OBJECT_SECURITY

This makes LDAP_DIRSYNC_OBJECT_SECURITY the only behaviour provided by
Samba.

Having a second access control system within the LDAP stack is unsafe
and this layer is incomplete.

The current system gives all accounts that have been given the
GUID_DRS_GET_CHANGES extended right SYSTEM access.  Currently in Samba
this equates to full access to passwords as well as "RODC Filtered
attributes" (often used with confidential attributes).

Rather than attempting to correctly filter for secrets (passwords) and
these filtered attributes, as well as preventing search expressions for
both, we leave this complexity to the acl_read module which has this
facility already well tested.

The implication is that callers will only see and filter by attribute
in DirSync that they could without DirSync.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andrew Bartlett <abartlet@samba.org>

7 months ago CVE-2023-4154 dsdb/tests: Extend attribute read DirSync tests
Andrew Bartlett [Tue, 22 Aug 2023 03:08:17 +0000 (15:08 +1200)]
CVE-2023-4154 dsdb/tests: Extend attribute read DirSync tests

The aim here is to document the expected (even if not implemented)
SEARCH_FLAG_RODC_ATTRIBUTE vs SEARCH_FLAG_CONFIDENTIAL behaviour, so
that any change once CVE-2023-4154 is fixed can be noted.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andrew Bartlett <abartlet@samba.org>