git.samba.org - samba.git/log

smb2_server: don't let SMB2_OP_IOCTL force FILE_CLOSED for invalid file ids

smbd_smb2_request_process_ioctl() already detailed checks for file_ids,
which not reached before.

.allow_invalid_fileid = true was only used for SMB2_OP_IOCTL.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14788

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 1744dd8c5bc342a74e397951506468636275fe45)

Autobuild-User(v4-14-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-14-test): Mon Dec 13 09:44:15 UTC 2021 on sn-devel-184

smb2_ioctl: return BUFFER_TOO_SMALL in smbd_smb2_request_ioctl_done()

We should not send more data than the client requested.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14788

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit aab540503434817cc6b2de1d9c507f9d0b3ad980)

smb2_server: skip tcon check and chdir_current_service() for FSCTL_VALIDATE_NEGOTIATE_INFO

We should not fail this just because the user doesn't have permissions
on the share root.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14788

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit c850ce96fd32ea91d8a31223bb09dd5b8b98d99e)

smb2_server: decouple IOCTL check from signing/encryption states

There's no reason to handle FSCTL_SMBTORTURE_FORCE_UNACKED_TIMEOUT
differently if signing/encryption is used.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14788

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit bd3ba3c96e6ba811afd5898ff5470188557a6e33)

smb2_server: make sure in_ctl_code = IVAL(body, 0x04); reads valid bytes

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14788

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 1cd948d8520fd41a4e2f0cc6ee787c1e20211e33)

s4:torture/smb2: add smb2.ioctl.bug14788.VALIDATE_NEGOTIATE

Demonstrate that smbd fails FSCTL_VALIDATE_NEGOTIATE_INFO
only because the user doesn't have permissions on the share root.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14788

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 735fc34682c541056fd912d07c69f299f961983c)

libcli/smb: split out smb2cli_raw_tcon* from smb2cli_tcon*

This will be used in tests in order to separate the tcon from
validate_negotiate_info.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14788

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 04a79139a42cfd1b607317dec041618cbf629584)

s3:smbd: remove dead code from smbd_smb2_request_dispatch()

We have '} else if (signing_required || (flags & SMB2_HDR_FLAG_SIGNED)) {'
before...

Use 'git show -U52' to see the whole story...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit f8f4a9faf099eb768eaa25f1e1a7d126b75291d0)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14788

smbd: s3-dsgetdcname: handle num_ips == 0

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14923

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Dec 3 12:54:04 UTC 2021 on sn-devel-184

(cherry picked from commit 5e3df5f9ee64a80898f73585b19113354f463c44)

Autobuild-User(v4-14-test): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(v4-14-test): Wed Dec 8 14:36:05 UTC 2021 on sn-devel-184

dsdb: Use DSDB_SEARCH_SHOW_EXTENDED_DN when searching for the local replicated object

This may allow further processing when the DN normalisation has changed
which changes the indexing, such as seen after fixes for bug 14656.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14656
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14902

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit f621317e3b25a8925ab6e448068264488a0a47c7)

CVE-2020-25717: s3-auth: fix MIT Realm regression

This looks like a regression introduced by the recent security fixes. This
commit should hopefully fixes it.

As a quick solution it might be possible to use the username map script based on
the example in https://bugzilla.samba.org/show_bug.cgi?id=14901#c0. We're not
sure this behaves identical, but it might work in the standalone server case.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14922

Reported-at: https://lists.samba.org/archive/samba/2021-November/238720.html

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 1e61de8306604a0d3858342df8a1d2412d8d418b)

s3: docs-xml: Clarify the "delete veto files" paramter.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14879

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Oct 29 14:57:14 UTC 2021 on sn-devel-184

(cherry picked from commit 0b818c6b77e972626d0b071bebcf4ce55619fb84)
(cherry picked from commit a549dc219cba5bd61969e4919ae4142f52c133ea)

Autobuild-User(v4-14-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-14-test): Thu Dec 2 11:52:33 UTC 2021 on sn-devel-184

s3: smbd: Fix logic in can_delete_directory_fsp() to cope with dangling symlinks.

Remove knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14879

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit e9ef970eee5eca8ab3720279c54098e91d2dfda9)
(backported from commit 5023dbc04bfad7cc39e8c4de96f40c82e7a0288e)
[pfilipen@redhat.com: can_delete_directory_fsp() got refactored in 4.15]

s3: smbd: Fix logic in rmdir_internals() to cope with dangling symlinks.

Still need to add the same logic in can_delete_directory_fsp()
before we can delete the knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14879

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 26fecad2e66e91a3913d88ee2e0889f266e91d89)
(backported from commit 4793c4d5307472f0eb72f70f7dbf7324744e3f91)
[pfilipen@redhat.com: rmdir_internals() got refactored in 4.15]

s3: smbd: Fix rmdir_internals() to do an early return if lp_delete_veto_files() is not set.

Fix the comments to match what the code actually does. The
exit at the end of the scan directory loop if we find a client
visible filename is a change in behavior, but the previous
behavior (not exist on visible filename, but delete it) was
a bug and in non-tested code. Now it's testd.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14879

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit a37d16e7c55f85e3f2c9c8614755ea6307092d5f)
(backported from commit e00fe095e8cf7ab54bc82870b913762d2fdddbad)
[pfilipen@redhat.com: rmdir_internals() got refactored in 4.15]

s3: VFS: xattr_tdb. Allow unlinkat to cope with dangling symlinks.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14879

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit f254be19d6501a4f573843af97963e350a9ee2ed)
(backported from commit 0dba0917fd97e975d1daab5b0828644d026c2bc5)
[pfilipen@redhat.com: code in 4.15 uses different variable name]

s3: VFS: streams_depot. Allow unlinkat to cope with dangling symlinks.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14879

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 295d7d026babe3cd5123d0f53adcb16868907f05)
(backported from commit 7a4173809a87350bc3580240232978042ec2ceca)
[pfilipen@redhat.com: code in 4.15 uses different variable name]

s3: smbd: Add two tests showing the ability to delete a directory containing a dangling symlink over SMB2 depends on "delete veto files" setting.

Add knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14879

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 942123b95923f35a32df4196a072a3ed3468396a)
(cherry picked from commit 359517877d6462ff4398401748f921c8b79357a6)

s3: smbd: Add two tests showing recursive directory delete of a directory containing veto file and msdfs links over SMB2.

Add knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14878

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit ad0082d79a681b981154747dcde5713e1933b88f)
(cherry picked from commit dab3fa1d8c27e696afa15e071331f646e06d9706)

CVE-2021-3670 ldap_server: Clearly log LDAP queries and timeouts

This puts all the detail on one line so it can be searched
by IP address and connecting SID.

This relies on the anr handling as otherwise this log
becomes the expanded query, not the original one.

RN: Provide clear logs of the LDAP search and who made it, including
a warning (at log level 3) for queries that are 1/4 of the hard timeout.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14694

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Thu Nov 25 02:30:42 UTC 2021 on sn-devel-184

(cherry picked from commit 3507e96b3dcf0c0b8eff7b2c08ffccaf0812a393)

CVE-2021-3670 dsdb/anr: Do a copy of the potentially anr query before starting to modify it

RN: Do not modify the caller-supplied memory in the anr=* handling to
allow clear logging of the actual caller request after it has been processed.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14694

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 5f0590362c5c0c5ee20503a67467f9be2d50e73b)

CVE-2021-3670 ldap_server: Remove duplicate print of LDAP search details

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14694

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 2b3af3b560c9617a233c131376c870fce146c002)

CVE-2021-3670 ldb: Confirm the request has not yet timed out in ldb filter processing

The LDB filter processing is where the time is spent in the LDB stack
but the timeout event will not get run while this is ongoing, so we
must confirm we have not yet timed out manually.

RN: Ensure that the LDB request has not timed out during filter processing
as the LDAP server MaxQueryDuration is otherwise not honoured.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14694

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 1d5b155619bc532c46932965b215bd73a920e56f)

CVE-2021-3670 ldap_server: Ensure value of MaxQueryDuration is greater than zero

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14694

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit e1ab0c43629686d1d2c0b0b2bcdc90057a792049)

CVE-2021-3670 ldap_server: Set timeout on requests based on MaxQueryDuration

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14694

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 86fe9d48883f87c928bf31ccbd275db420386803)

CVE-2021-3670 tests/krb5/test_ldap.py: Add test for LDAP timeouts

We allow a timeout of 2x over to avoid this being a flapping test.
Samba is not very accurate on the timeout, which is not otherwise an
issue but makes this test fail sometimes.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14694

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit dcfcafdbf756e12d9077ad7920eea25478c29f81)

CVE-2020-25717: s3:auth: Fallback to a SID/UID based mapping if the named based lookup fails

Before the CVE-2020-25717 fixes we had a fallback from
getpwnam('DOMAIN\user') to getpwnam('user') which was very dangerous and
unpredictable.

Now we do the fallback based on sid_to_uid() followed by
getpwuid() on the returned uid.

This obsoletes 'username map [script]' based workaround adviced
for CVE-2020-25717, when nss_winbindd is not used or
idmap_nss is actually used.

In future we may decide to prefer or only do the SID/UID based
lookup, but for now we want to keep this unchanged as much as possible.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
[metze@samba.org moved the new logic into the fallback codepath only
in order to avoid behavior changes as much as possible]
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Mon Nov 15 19:01:56 UTC 2021 on sn-devel-184

(cherry picked from commit 0a546be05295a7e4a552f9f4f0c74aeb2e9a0d6e)

Autobuild-User(v4-14-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-14-test): Thu Nov 18 07:39:38 UTC 2021 on sn-devel-184

CVE-2020-25717: tests/krb5: Add a test for idmap_nss mapping users to SIDs

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
[metze@samba.org removed unused tests for a feature that
was removed before merging]
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 494bf7de6ff3e9abeb3753df0635737b80ce5bb7)

CVE-2020-25717: selftest: turn ad_member_no_nss_wb into ad_member_idmap_nss

In reality environments without 'nss_winbind' make use of 'idmap_nss'.

For testing, DOMAIN/bob is mapped to the local 'bob',
while DOMAIN/jane gets the uid based on the local 'jane'
vis idmap_nss.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
[metze@samba.org avoid to create a new ad_member_idmap_nss environment
and merge it with ad_member_no_nss_wb instead]
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 8a9f2aa2c1cdfa72ad50d7c4f879220fe37654cd)

CVE-2020-25717: nsswitch/nsstest.c: Lower 'non existent uid' to make room for new accounts

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit fdbee5e074ebd76d659613b8b7114d70f938c38a)

CVE-2020-25717: tests/krb5: Add method to automatically obtain server credentials

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 5ea347d3673e35891613c90ca837d1ce4833c1b0)

CVE-2020-25727: idmap_nss: verify that the name of the sid belongs to the configured domain

We already check the sid belongs to the domain, but checking the name
too feels better and make it easier to understand.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit bfd093648b4af51d104096c0cb3535e8706671e5)

IPA DC: add missing checks

When introducing FreeIPA support, two places were forgotten:

- schannel gensec module needs to be aware of IPA DC
- _lsa_QueryInfoPolicy should treat IPA DC as PDC

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14903

Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Sat Nov 13 07:01:26 UTC 2021 on sn-devel-184

(cherry picked from commit c69b66f649c1d47a7367f7efe25b8df32369a3a5)

s3:winbindd: fix "allow trusted domains = no" regression

add_trusted_domain() should only reject domains
based on is_allowed_domain(), which now also
checks "allow trusted domains = no", if we don't
have an explicit trust to the domain (SEC_CHAN_NULL).

We use at least SEC_CHAN_LOCAL for local domains like
BUILTIN.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14899

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Nov 10 11:21:31 UTC 2021 on sn-devel-184

(cherry picked from commit a7f6c60cb037b4bc9eee276236539b8282213935)

Autobuild-User(v4-14-test): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(v4-14-test): Wed Nov 10 23:45:06 UTC 2021 on sn-devel-184

lib: handle NTTIME_THAW in nt_time_to_full_timespec()

Preliminary handling of NTTIME_THAW to avoid NTTIME_THAW is passed as some
mangled value down to the VFS set timestamps function.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14127
RN: Avoid storing NTTIME_THAW (-2) as value on disk

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 6ed71ad7e6aa98a34cfde95d7d62c46694d58469)

Autobuild-User(v4-14-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-14-test): Wed Nov 10 15:54:35 UTC 2021 on sn-devel-184

torture: add a test for NTTIME_FREEZE and NTTIME_THAW

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14127

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 0659069f8292996be475d407b53d161aa3f35554)

lib: add a test for null_nttime(NTTIME_THAW)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14127

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 194faa76161a12ae1eae2b471d6f159d97ef75a8)

lib: update null_nttime() of -1: -1 is NTTIME_FREEZE

NTTIME_FREEZE is not a nil sentinel value, instead it implies special, yet
unimplemented semantics. Callers must deal with those values specifically and
null_nttime() must not lie about their nature.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14127

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 5503bde93bddf3634b183e665773399c110251d4)

lib: use NTTIME_FREEZE in a null_nttime() test

No change in behaviour.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14127

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit e2740e4868f2a49877a86a8666d26226b5657317)

lib: fix null_nttime() tests

The test was checking -1 twice:

torture_assert(tctx, null_nttime(-1), "-1");
torture_assert(tctx, null_nttime(-1), "-1");

The first line was likely supposed to test the value "0".

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14127

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit d84779302cc54a7b84c05ccc458e04b27fd142f4)

lib: add NTTIME_THAW

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14127

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit f73aff502cadabb7fe6b94a697f0a2256d1d4aca)

VERSION: Bump version up to Samba 4.14.11...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

VERSION: Disable GIT_SNAPSHOT for the 4.14.10 release.

Signed-off-by: Jule Anger <janger@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Karolin Seeger <kseeger@samba.org>

WHATSNEW: Add release notes for Samba 4.14.10.

Signed-off-by: Jule Anger <janger@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Karolin Seeger <kseeger@samba.org>

CVE-2021-3738 s4:rpc_server/samr: make use of dcesrv_samdb_connect_as_*() helper

This avoids a crash that's triggered by windows clients using
handles from samr_Connect*() on across multiple connections within
an association group.

In other cases is not strictly required, but it makes it easier to audit that
source4/rpc_server no longer calls samdb_connect() directly and also
improves the auditing for the dcesrv_samdb_connect_as_system() case.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

CVE-2021-3738 s4:rpc_server/netlogon: make use of dcesrv_samdb_connect_as_*() helper

This is not strictly required, but it makes it easier to audit that
source4/rpc_server no longer calls samdb_connect() directly and
also improves auditing for the dcesrv_samdb_connect_as_system() case.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

CVE-2021-3738 s4:rpc_server/lsa: make use of dcesrv_samdb_connect_as_user() helper

This avoids a crash that's triggered by windows clients using
handles from OpenPolicy[2]() on across multiple connections within
an association group.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

CVE-2021-3738 s4:rpc_server/dnsserver: make use of dcesrv_samdb_connect_as_user() helper

This is not strictly required, but it makes it easier to audit that
source4/rpc_server no longer calls samdb_connect() directly.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

CVE-2021-3738 s4:rpc_server/drsuapi: make use of assoc_group aware dcesrv_samdb_connect_as_*() helpers

This avoids a crash that's triggered by windows clients using
DsCrackNames across multiple connections within an association group
on the same DsBind context(policy) handle.

It also improves the auditing for the dcesrv_samdb_connect_as_system() case.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

CVE-2021-3738 s4:rpc_server/common: provide assoc_group aware dcesrv_samdb_connect_as_{system,user}() helpers

We already had dcesrv_samdb_connect_as_system(), but it uses the per
connection memory of auth_session_info and remote_address.

But in order to use the samdb connection on a per association group
context/policy handle, we need to make copies, which last for the
whole lifetime of the 'samdb' context.

We need the same logic also for all cases we make use of
the almost same logic where we want to create a samdb context
on behalf of the authenticated user (without allowing system access),
so we introduce dcesrv_samdb_connect_as_user().

In the end we need to replace all direct callers to samdb_connect()
from source4/rpc_server.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

CVE-2021-3738 auth_util: avoid talloc_tos() in copy_session_info()

We want to use this also in code without existing
stackframe.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

CVE-2021-3738 s4:torture/drsuapi: DsBindAssocGroup* tests

This adds a reproducer for an invalid memory access, when
using the context handle from DsBind across multiple connections
within an association group.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

CVE-2021-3738 s4:torture/drsuapi: maintain priv->admin_credentials

This will be used in the next commits.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
[abartlet@samba.org Backported from patch for master to use
the older popt functions as master has the new common command
line handling]

CVE-2021-3738 s4:torture/drsuapi: maintain priv->dc_credentials

We want to use the credentials of the joined dc account
in future tests.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

CVE-2021-3738 s4:torture/drsuapi: don't pass DsPrivate to test_DsBind()

This will make it easier to reuse.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

CVE-2016-2124: s3:libsmb: don't fallback to non spnego authentication if we require kerberos

We should not send NTLM[v2] nor plaintext data on the wire if the user
asked for kerberos only.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12444

Signed-off-by: Stefan Metzmacher <metze@samba.org>

CVE-2016-2124: s4:libcli/sesssetup: don't fallback to non spnego authentication if we require kerberos

We should not send NTLM[v2] data on the wire if the user asked for kerberos
only.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12444

Signed-off-by: Stefan Metzmacher <metze@samba.org>

CVE-2021-23192: dcesrv_core: only the first fragment specifies the auth_contexts

All other fragments blindly inherit it.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>

CVE-2021-23192: python/tests/dcerpc: add tests to check how security contexts relate to fragmented requests

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>

CVE-2021-23192: python/tests/dcerpc: fix do_single_request(send_req=False)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>

CVE-2021-23192: python/tests/dcerpc: let generate_request_auth() use g_auth_level in all places

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>

CVE-2021-23192: python/tests/dcerpc: change assertNotEquals() into assertNotEqual()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>

CVE-2021-23192: dcesrv_core: add dcesrv_fault_disconnect0() that skips DCERPC_PFC_FLAG_DID_NOT_EXECUTE

That makes the callers much simpler and allow better debugging.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>

CVE-2021-23192: dcesrv_core: add better debugging to dcesrv_fault_disconnect()

It's better to see the location that triggered the fault.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>

CVE-2021-23192 librpc: Remove the gensec dependency from library dcerpc-binding

This means yet another library, but having to depend on gensec just
for dcerpc_parse_binding() and basic packet parsing seems like a bit
overkill to me.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Apr 6 23:33:14 UTC 2021 on sn-devel-184

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875

(cherry picked from commit 4d3b6506d30e4bf302f832493dad00a83b73d370)

CVE-2021-23192 rpc: Give dcerpc_util.c its own header

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875

(cherry picked from commit 8945d99758d8bedd374f1c51304b87a6cf10498c)

CVE-2020-25722 selftest: Ensure check for duplicate servicePrincipalNames is not bypassed for an add operation

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564

If one of the objectClass checks passed, samldb_add() could return
through one of the samldb_fill_*() functions and skip the
servicePrincipalName uniqueness checking.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>

CVE-2020-25722 selftest: Add test for duplicate servicePrincipalNames on an add operation

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>

CVE-2020-25722 pytests: Give computer accounts unique (and valid) sAMAccountNames and SPNs

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564

Signed-off-by: Stefan Metzmacher <metze@samba.org>

CVE-2020-25719 selftest: Always expect a PAC in TGS replies with Heimdal

This is tested in other places already, but this ensures a global
check that a TGS-REP has a PAC, regardless.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

Revert "CVE-2020-25719 heimdal:kdc: Require authdata to be present"

This reverts an earlier commit that was incorrect.

It is not Samba practice to include a revert, but at this point in
the patch preperation the ripple though the knownfail files is
more trouble than can be justified.

It is not correct to refuse to parse all tickets with no authorization
data, only for the KDC to require that a PAC is found, which is done
in "heimdal:kdc: Require PAC to be present"

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

CVE-2020-25718 heimdal:kdc: Add comment about tests for tickets of users not revealed to an RODC

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14886

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

CVE-2020-25719 tests/krb5: Add tests for using a ticket with a renamed account

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

CVE-2020-25718 tests/krb5: Only fetch RODC account credentials when necessary

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

CVE-2020-25719 heimdal:kdc: Require PAC to be present

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14686

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

CVE-2020-25722 kdc: Do not honour a request for a 3-part SPN (ending in our domain/realm) unless a DC

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14776

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

CVE-2020-25719 heimdal:kdc: Verify PAC in TGT provided for user-to-user authentication

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

CVE-2020-25719 heimdal:kdc: Check name in request against name in user-to-user TGT

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

CVE-2020-25719 heimdal:kdc: Use sname from request rather than user-to-user TGT client name

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

CVE-2020-25719 heimdal:kdc: Move fetching krbtgt entry to before enctype selection

This allows us to use it when validating user-to-user.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

CVE-2020-25719 heimdal:kdc: Check return code

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

CVE-2020-25719 s4:kdc: Add KDC support for PAC_REQUESTER_SID PAC buffer

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

CVE-2020-25722 Ensure the structural objectclass cannot be changed

If the structural objectclass is allowed to change, then the restrictions
locking an object to remaining a user or computer will not be enforcable.

Likewise other LDAP inheritance rules, which allow only certain
child objects can be bypassed, which can in turn allow creation of
(unprivileged) users where only DNS objects were expected.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14889

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

CVE-2020-25721 auth: Fill in the new HAS_SAM_NAME_AND_SID values

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14835

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

CVE-2020-25719 kdc: Avoid races and multiple DB lookups in s4u2self check

Looking up the DB twice is subject to a race and is a poor
use of resources, so instead just pass in the record we
already got when trying to confirm that the server in
S4U2Self is the same as the requesting client.

The client record has already been bound to the the
original client by the SID check in the PAC.

Likewise by looking up server only once we ensure
that the keys looked up originally are in the record
we confirm the SID for here.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14686

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

CVE-2020-25718 kdc: Return ERR_POLICY if RODC krbtgt account is invalid

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

CVE-2020-25718 kdc: Confirm the RODC was allowed to issue a particular ticket

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

CVE-2020-25718 dsdb: Bring sid_helper.c into common code as rodc_helper.c

These common routines will assist the KDC to do the same access
checking as the RPC servers need to do regarding which accounts
a RODC can act with regard to.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

CVE-2020-25718 s4-rpc_server: Add in debug messages into RODC processing

These are added for the uncommon cases.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

CVE-2020-25718 s4-rpc_server: Explain why we use DSDB_SEARCH_SHOW_EXTENDED_DN in RODC access check

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

CVE-2020-25718 s4-rpc_server: Remove unused attributes in RODC check

In particular the objectGUID is no longer used, and in the NETLOGON case
the special case for msDS-KrbTgtLink does not apply.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

CVE-2020-25718 s4-rpc_server: Provide wrapper samdb_confirm_rodc_allowed_to_repl_to()

This shares the lookup of the tokenGroups attribute.

There will be a new caller that does not want to do this step,
so this is a wrapper of samdb_confirm_rodc_allowed_to_repl_to_sid_list()
rather than part of it

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

CVE-2020-25718 s4-rpc_server: Confirm that the RODC has the UF_PARTIAL_SECRETS_ACCOUNT bit

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

CVE-2020-25718 s4-rpc_server: Put msDS-KrbTgtLinkBL and UF_INTERDOMAIN_TRUST_ACCOUNT RODC checks in common

While these checks were not in the NETLOGON case, there is no sense where
an RODC should be resetting a bad password count on either a
UF_INTERDOMAIN_TRUST_ACCOUNT nor a RODC krbtgt account.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

CVE-2020-25718 s4-rpc_server: Put RODC reveal/never reveal logic into a single helper function

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

CVE-2020-25718 s4-rpc_server: Obtain the user tokenGroups earlier

This will allow the creation of a common helper routine that
takes the token SID list (from tokenGroups or struct auth_user_info_dc)
and returns the allowed/denied result.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

CVE-2020-25718 s4-rpc_server: Change sid list functions to operate on a array of struct dom_sid

This is instead of an array of struct dom_sid *.

The reason is that auth_user_info_dc has an array of struct dom_sid
(the user token) and for checking if an RODC should be allowed
to print a particular ticket, we want to reuse that a rather
then reconstruct it via tokenGroups.

This also avoids a lot of memory allocation.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>