CVE-2020-25717 wb_sids2xids: directly use state->all_ids to collect results
In order to translate the indexes from state->lookup_sids[]
for wb_lookupsids_send/recv() and state->map_ids.ids[]
for dcerpc_wbint_Sids2UnixIDs_send/recv() back to
state->all_ids.ids[] or state->sids[] we have state->tmp_idx[].
This simplifies wb_sids2xids_recv() a lot and make further
restructuring much easier.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
CVE-2020-25717 wb_sids2xids: inline wb_sids2xids_extract_for_domain_index() into wb_sids2xids_next_sids2unix()
Instead of re-creating the dom_ids element,
we just use a pre-allocated map_ids_in array.
This is a bit tricky as we need to use map_ids_out as a copy of
map_ids_in, because the _ids argument of dcerpc_wbint_Sids2UnixIDs_send()
in [in,out], which means that _ids->ids is changed between
dcerpc_wbint_Sids2UnixIDs_send() and dcerpc_wbint_Sids2UnixIDs_recv()!
If the domain doesn't need any mappings, we'll move to the next domain
early, for now this can't happend but it will in future.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Backport all C code changes from ldb-2.4.1
to be available for Samba 4.13.x
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(v4-13-test): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(v4-13-test): Tue Nov 2 22:41:39 UTC 2021 on sn-devel-184
Douglas Bagnall [Fri, 24 Jul 2020 00:41:29 +0000 (12:41 +1200)]
ldb_controls: control_to_string avoids crash
Otherwise a malformed control with unexpected NULL data will segfault
ldb_control_to_string(), though this is not very likely to affect
anyone in practice as converting controls to strings is rarely
necessary. If it happens at all in Samba it is in Python code.
Found by Honggfuzz using fuzz_ldb_parse_control.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Wed Jul 29 04:43:23 UTC 2020 on sn-devel-184
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit c2c7c1f50a8acb3169e19ba4329aa78839b66def)
lib:ldb: Use C99 initializers for builtin_popt_options[]
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit a593065c7f22e17434f33d0132cc6a7073acf414)
Douglas Bagnall [Fri, 29 Jan 2021 00:49:02 +0000 (13:49 +1300)]
ldb: improve comments for ldb_module_connect_backend()
There is no flags argument.
There are more URI forms.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 48068a58df0313cd904f27e2c918ee10275ae373)
Douglas Bagnall [Fri, 5 Mar 2021 20:57:44 +0000 (09:57 +1300)]
ldb: correct comments in attrib_handers val_to_int64
c.f. the identical static function in lib/ldb-samba/ldif_handlers.c
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 46e6f6ef8436df7e083f34556c25f66f65ea1ce5)
Douglas Bagnall [Fri, 18 Dec 2020 22:43:56 +0000 (11:43 +1300)]
ldb.h: remove undefined async_ctx function signatures
These functions do not exist.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 1a05b58edaf96e7da707f9ad0a237551dbe13eb5)
error: unannotated fall-through between switch labels [-Werror,-Wimplicit-fallthrough]
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 1ffacac547a8ce29c6696dda73991a8db7e34dfd)
Joseph Sutton [Fri, 28 May 2021 02:15:43 +0000 (14:15 +1200)]
pyldb: Fix Message.items() for a message containing elements
Previously, message elements were being freed before the call to
Py_BuildValue(), resulting in an exception being raised. Additionally,
only the first element of the returned list was ever assigned to.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 3e4ec0a90a222c1cff4a91912afc703ca4cbbb0e)
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Björn Jacke <bjacke@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit fa93339978040eab52b2722c1716028b48d8d084)
pyldb: catch potential overflow error in py_timestring
Pair-Programmed-With: Björn Baumbach <bb@sernet.de>
Signed-off-by: Stefan Metzmacher <metze@samba.org> Signed-off-by: Björn Baumbach <bb@sernet.de> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 71e8b24b8a031de26b21539e36a60f459257d2fd)
Douglas Bagnall [Sat, 6 Mar 2021 03:05:15 +0000 (16:05 +1300)]
ldb: fix ldb_comparison_fold off-by-one overrun
We run one character over in comparing all the bytes in two ldb_vals.
In almost all circumstances both ldb_vals would have an allocated '\0'
in the overrun position, but it is best not to rely on that.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 2b2f4f519454beb6f2a46705675a62274019fc09)
Douglas Bagnall [Wed, 3 Mar 2021 06:17:36 +0000 (19:17 +1300)]
ldb_match: trailing chunk must match end of string
A wildcard search is divided into chunks by the asterisks. While most
chunks match the first suitable string, the last chunk matches the
last possible string (unless there is a trailing asterisk, in which
case this distinction is moot).
We always knew this in our hearts, but we tried to do it in a funny
complicated way that stepped through the string, comparing here and
there, leading to CVE-2019-3824 and missed matches (bug 14044).
With this patch, we just jump to the end of the string and compare it.
As well as being correct, this should also improve performance, as the
previous algorithm involved a quadratic loop of erroneous memmem()s.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Björn Jacke <bjacke@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit cc098f1cad04b2cfec4ddd6b2511cd5a600f31c6)
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Apr 7 03:16:39 UTC 2021 on sn-devel-184
(cherry picked from commit 24ddc1ca9cad95673bdd8023d99867707b37085f)
Andrew Bartlett [Mon, 4 Oct 2021 08:57:25 +0000 (21:57 +1300)]
ldb: Release ldb 2.2.1
* Corrected python behaviour for 'in' for LDAP attributes
contained as part of ldb.Message (bug 14845)
* Fix memory handling in ldb.msg_diff (bug 14836)
* Corrected python docstrings
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(v4-14-test): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(v4-14-test): Tue Oct 26 13:03:37 UTC 2021 on sn-devel-184
Autobuild-User(v4-13-test): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(v4-13-test): Thu Oct 28 09:49:45 UTC 2021 on sn-devel-184
Joseph Sutton [Sat, 25 Sep 2021 02:39:59 +0000 (14:39 +1200)]
pyldb: Make ldb.Message containment testing consistent with indexing
Previously, containment testing using the 'in' operator was handled by
performing an equality comparison between the chosen object and each of
the message's keys in turn. This behaviour was prone to errors due to
not considering differences in case between otherwise equal elements, as
the indexing operations do.
Containment testing should now be more consistent with the indexing
operations and with the get() method of ldb.Message.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 860d8902a9c502d4be83396598cf4a53c80fea69)
Joseph Sutton [Sat, 25 Sep 2021 01:48:57 +0000 (13:48 +1200)]
pyldb: Add tests for ldb.Message containment testing
These tests verify that the 'in' operator on ldb.Message is consistent
with indexing and the get() method. This means that the 'dn' element
should always be present, lookups should be case-insensitive, and use of
an invalid type should result in a TypeError.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 865fe238599a732360b77e06e592cb85d459acf8)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 22353767ca75af9d9e8fa1e7da372dcb5eddfcb7)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit b018e51d2725a23b2fedd3058644b8021f6a6a06)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit fb758c32e7633178f42dc2c031667b10c2ca6e90)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 9d25a21d6024c6c2f8e4634f45e3944d8acbf8b8)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
[abartlet@samba.org backported from commit b1adaa517c1237a473bdcf818523f5107df3d6b0
as @no_gdb_backtrace is not in Samba 4.14]
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
[abartlet@samba.org backported from commit d7af772de88885f46708329ff7bb5798da91d2c7
due to conflicts in knownfail.d/python-segfaults]
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
[abartlet@samba.org backported from commit 6a041f6a99c39632d5c32e9d53b06719c20bef2c
as other segfaulting tests are listed in knownfail.d/python-segfaults
and @no_gdb_backtrace is not in 4.14]
Joseph Sutton [Wed, 28 Apr 2021 04:48:55 +0000 (16:48 +1200)]
Fix Python docstrings
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14848
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Sep 4 00:55:32 UTC 2021 on sn-devel-184
Joseph Sutton [Sun, 12 Sep 2021 23:15:17 +0000 (11:15 +1200)]
pyldb: Avoid use-after-free in msg_diff()
Make a deep copy of the message elements in msg_diff() so that if either
of the input messages are deallocated early, the result does not refer
to non-existing elements.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
[abartlet@samba.org backported from commit 19a2af02f57d99db8ed3c6b028c3abdf4b553700 due to conflicts in
the knownfail.d/python-segfaults file]
Autobuild-User(v4-14-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-14-test): Wed Sep 29 13:14:22 UTC 2021 on sn-devel-184
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit c2bbe774ce03661666a1f48922a9ab681ef4f64b)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
[abartlet@samba.org backported form from commit a99a76722d6046a5d63032e3d2bb3f791da948a6 due to conflicts
with other new segfault tests]
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sat Oct 23 08:07:13 UTC 2021 on sn-devel-184
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Oct 20 12:54:54 UTC 2021 on sn-devel-184
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <metze@samba.org>
[abartlet@samba.org backported from commit 46039baa81377df10e5b134e4bb064ed246795e4
as the no_preauth side of the testsuite shows differences in enctypes
in Samba 4.14. The change is only in salt calculation so this is
not vital]
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 25bdf4c994e4fdb74abbacb1e22237f3f2cc37fe)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 889476d1754f8ce2a41557ed3bf5242c1293584e)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit f4785ccfefe7c89f84ad847ca3c12f604172b321)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 7e39994ed341883ac4c8c257220c19dbf70c7bc5)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit a5a6296e57cab2b53617d997c37b4e92d4124cc7)
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 4dc3c68c9a28f71888e3d6dd3b1f0bcdb8fa45de)
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
[abartlet@samba.org backported from commit d998f7f8df215866ab32e05be772e24fc0b2131c
as offline login tests are not in Samba 4.14]
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 5d8e794551b5df835f07e2bd8348fef746144601)
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 459200caba04fd83ed650b9cdfe5b158cf9a149f)
Andrew Bartlett [Mon, 18 Oct 2021 07:44:54 +0000 (20:44 +1300)]
selftest: Remove duplicate setup of $base_dn and $ldbmodify
These are already set up to the same values above for the full
DC and correct values for the (strange) s4member environment.
By not setting $base_dn again we avoid an error once we start
checking for them.
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit 2c0658d408f17af2abc223b0cb18d8d33e0ecd1a)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 49306f74eb29a2192019fab9260f9d242f9d5fd9)
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit aacb18f920349e13b562c7c97901a0be7b273137)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 6292f0597f208d7953382341380921cf0fd0a8a8)
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit a169e013e66bab15e594ce49b805edebfcd503cf)
Commit f469fc6 (2010-10-02) inadvertently caused the previous hop realm
to not be added to the transit path of issued tickets. This may, in
some cases, enable bypass of capath policy in Heimdal versions 1.5
through 7.2.
Note, this may break sites that rely on the bug. With the bug some
incomplete [capaths] worked, that should not have. These may now break
authentication in some cross-realm configurations.
Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Oct 20 10:58:37 UTC 2021 on sn-devel-184
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Oct 20 09:22:43 UTC 2021 on sn-devel-184
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit cc3d27596b9e8a8a46e8ba9c3c1a445477d458cf)
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 031a8287642e3c4b9d0b7c6b51f3b1d79b227542)
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
[abartlet@samba.org backported from commit 92e8ce18a79e88c9b961dc20e39436c4cf653013
as there was a knownfail conflict with the test_remove_pac case
which succeeds on this branch]
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sun Oct 17 23:40:33 UTC 2021 on sn-devel-184
[abartlet@samba.org backported from commit 9d3a691920205f8a9dc05d0e173e25e6a335f139
as the MIT KDC 1.16 seen on the reference Ubuntu 18.04 does not fail
test_remove_pac]
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 288355896a2b6f460c42559ec46ff980ab57782e)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 0dc69c1327f72384628a869a00482f6528b8671b)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit e086c6193f6da6fcb5d0bcada2199e9bc7ad25f5)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit d23d8e859357b0fac4d1f4a49f1dce6cf60d6216)
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Oct 15 10:00:47 UTC 2021 on sn-devel-184
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit f6adfefbbb41b9100736134d0f975f1ec0c33c42)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 02fa69c6c73c01d82807be4370e838f3e7c66f35)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 3bdce12789af1e7a7aba56691f184625a432410d)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 28a5a586c8e9cd155d676dcfcb81a2587ace99d1)
Luke Howard [Thu, 23 Sep 2021 07:51:51 +0000 (17:51 +1000)]
kdc: correctly generate PAC TGS signature
When generating an AS-REQ, the TGS signature was incorrectly generated using
the server key, which would fail to validate if the server was not also the
TGS. Fix this.
[jsutton@samba.org Backported from Heimdal commit e7863e2af922809dad25a2e948e98c408944d551
- Samba's Heimdal version does not have the generate_pac() helper
function.
- Samba's Heimdal version does not use the 'r' context variable.
]
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 91e684f5dcb48b76e6a322c15acb53cbce5c275a)
Luke Howard [Thu, 23 Sep 2021 04:39:35 +0000 (14:39 +1000)]
kdc: use ticket client name when signing PAC
The principal in the PAC_LOGON_NAME buffer is expected to match the client name
in the ticket. Previously we were setting this to the canonical client name,
which would have broken PAC validation if the client did not request name
canonicalization
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 75d1a7cd14b134506061ed64ddb9b99856231d2c)
[jsutton@samba.org Backported from Heimdal commit f1dd2b818aa0866960945edea02a6bc782ed697c
- Removed change to _kdc_find_etype() use_strongest_session_key
parameter since Samba's Heimdal version uses different logic
]
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit db30b71f79864a20b38a1f812a5df833f3a92de8)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit d6a472e953545ec3858ca969c1a4191e4f27ba63)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 2773379603a5a625c5d1c6e62f29c442942ff570)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 2d09de5c41e729bccc2d7949d8a3568a95e80e76)
Isaac Boukris [Fri, 13 Aug 2021 09:44:37 +0000 (12:44 +0300)]
kdc: sign ticket using Windows PAC
Split Windows PAC signing and verification logic, as the signing has to be when
the ticket is ready.
Create sign and verify the PAC KDC signature if the plugin did not, allowing
for S4U2Proxy to work, instead of KRB5SignedPath.
Use the header key to verify PAC server signature, as the same key used to
encrypt/decrypt the ticket should be used for PAC server signature, like U2U
tickets are signed witht the tgt session-key and not with the longterm key,
and so krbtgt should be no different and the header key should be used.
Lookup the delegated client in DB instead of passing the delegator DB entry.
Add PAC ticket-signatures and related functions.
Note: due to the change from KRB5SignedPath to PAC, S4U2Proxy requests
against new KDC will not work if the evidence ticket was acquired from
an old KDC, and vide versa.
[jsutton@samba.org Backported from Heimdal commit 2ffaba9401d19c718764d4bd24180960290238e9
- Removed tests
- Adapted to Samba's version of Heimdal
- Addressed build failures with -O3
- Added knownfails
]
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
[abartlet@samba.org backported from commit d7b03394a9012960d71489e775d40d10fd6f5232
due to conflicts in knownfail due to missing tests that crash the
MIT KDC]
Isaac Boukris [Mon, 28 Dec 2020 20:07:10 +0000 (22:07 +0200)]
kdc: remove KRB5SignedPath, to be replaced with PAC
KRB5SignedPath was a Heimdal-specific authorization data element used to
protect the authenticity of evidence tickets when used in constrained
delegation (without a Windows PAC).
Remove this, to be replaced with the Windows PAC which itself now supports
signing the entire ticket in the TGS key.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit ccabc7f16cca5b0dcb46233e934e708167f1071b)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
[abartlet@samba.org backported from commit d5002c34ce1ffef795dc83af3175ca0e04d17dfd
due to missing tests in Samba 4.14 that crashed the MIT KDC]
projects / thirdparty / samba.git / log
