CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation
In _krb5_extract_ticket() the KDC-REP service name must be obtained from
encrypted version stored in 'enc_part' instead of the unencrypted version
stored in 'ticket'. Use of the unecrypted version provides an
opportunity for successful server impersonation and other attacks.
Identified by Jeffrey Altman, Viktor Duchovni and Nico Williams.
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 4ca48ee4d060f773dcdf9f78a5e4c1b1263b61f4)
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Michael Saxl <mike@mwsys.mine.bz> Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit a9780a2eaa9cba4ab87cc3371d97fa494fa0198c)
s3:smb2_create: avoid reusing the 'tevent_req' within smbd_smb2_create_send()
As the caller ("smbd_smb2_request_process_create()") already sets the callback,
the first time, it's not safe to reuse the tevent_req structure.
The typical 'tevent_req_nterror(); return tevent_req_post()' will
crash as the tevent_req_nterror() already triggered the former callback,
which calls smbd_smb2_create_recv(), were tevent_req_received() invalidates
the tevent_req structure, so that tevent_req_post() will crash.
We just remember the required values from the old state
and move them to the new state.
We tried to write reproducers for this, but sadly weren't able to trigger
the backtrace we had from a create a customer (using recent code)
with commit 6beba782f1bf951236813e0b46115b8102212c03
included. And this patch fixed the situation for the
customer.
Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
(cherry picked from commit bd31d538a26bb21cbb53986a6105204da4392e2d)
Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
(cherry picked from commit 50f50256aa8805921c42d0f9f2f8f89d06d9bd93)
Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
(cherry picked from commit c9178ed9cc69b9089292db28ac1a0b7a0519bc2c)
Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
(cherry picked from commit 93fa0c8660e47cb2605d70dac1156576ab719d64)
Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
(cherry picked from commit 5c0efc9a5ef8ddf96dc394110063bebd5f057415)
Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
(cherry picked from commit 39026f1c5dbb83120b70b3d9131138a9c2344ba6)
Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
(cherry picked from commit e726b60226105d0f52a66dac47bfc5797cfc18e7)
Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
(cherry picked from commit 655e10685840fd5ebfde24396853b74020a1dc85)
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 31691963b3d9ac460df0c56d36f81ec815db0225)
s3:smbd: unimplement FSCTL_VALIDATE_NEGOTIATE_INFO with "server max protocol = SMB2_02"
A client that supports SMB3 will do a signed FSCTL_VALIDATE_NEGOTIATE_INFO
after a tree connect. This FSCTL_VALIDATE_NEGOTIATE_INFO call contains
the client capabilities, client guid, security mode and the array of supported
dialects. But if SMB 2.02 is negotiated the doesn't send these values to the
server in the first connection attempt (when the client starts with a SMB1 Negotiate).
Windows servers that only support SMB2 just return NT_STATUS_FILE_CLOSED
as answer to FSCTL_VALIDATE_NEGOTIATE_INFO.
We should do the same if we just pretend to support SMB 2.02,
as SMB 2.10 always include an SMB2 Negotiate request we can leave it as is.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 295c9f7b322e6377d0df1b49cb26597d66e80eda)
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri May 5 01:37:45 CEST 2017 on sn-devel-144
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 8ee4f8236830eb3fa1b273fa6927792a800f86bd)
Autobuild-User(v4-5-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-5-test): Wed Jun 28 15:32:51 CEST 2017 on sn-devel-144
Daniel Kobras [Fri, 23 Jun 2017 13:39:21 +0000 (15:39 +0200)]
s3: smbd: fix regression with non-wide symlinks to directories over SMB3.
The errno returned by open() is ambiguous when called with flags O_NOFOLLOW and
O_DIRECTORY on a symlink. With ELOOP, we know for certain that we've tried to
open a symlink. With ENOTDIR, we might have hit a symlink, and need to perform
further checks to be sure. Adjust non_widelink_open() accordingly. This fixes
a regression where symlinks to directories within the same share were no
longer followed for some call paths on systems returning ENOTDIR in the above
case.
Also remove the knownfail added in previous commit.
Signed-off-by: Daniel Kobras <d.kobras@science-computing.de> Reviewed-by: Jeremy Allison <jra@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit acc16592b451905dabc093f1d261e93cd3b59520)
Jeremy Allison [Tue, 20 Jun 2017 18:20:38 +0000 (11:20 -0700)]
s3: smbd: When deleting an fsp pointer ensure we don't keep any references to it around.
Based on a suggestion from <lev@zadarastorage.com>
https://bugzilla.samba.org/show_bug.cgi?id=12818
Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Jun 22 00:12:49 CEST 2017 on sn-devel-144
Signed-off-by: Amitay Isaacs <amitay@gmail.com> Reviewed-by: Martin Schwenke <martin@meltin.net>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Sat Jun 24 14:37:48 CEST 2017 on sn-devel-144
Signed-off-by: Richard Sharpe <realrichardsharpe@gmail.com> Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Jun 22 23:16:46 CEST 2017 on sn-devel-144
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Jun 17 10:55:25 CEST 2017 on sn-devel-144
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit f8974bcdbf8abe3803340dcd20206ff4de9d5079)
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit bd43939ec07a2fc6858d1265fc75a68a7cd96f58)
Autobuild-User(v4-5-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-5-test): Fri Jun 2 14:07:53 CEST 2017 on sn-devel-144
Ralph Boehme [Fri, 26 May 2017 09:57:08 +0000 (11:57 +0200)]
s3/smbd: fix exclusive lease optimisation
We need to expect any amount of "stat" opens on the file without
triggering an assert.
This is the correct fix for bug #11844. I guess we haven't seens this
very often before bug #12766 got fixed, because most clients were using
LEASES instead of OPLOCKS.
See also:
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11844
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12766
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 19b938e1fa9822ac417a3b3a34519087470d7a18)
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 9d7739e819d5699209b5eacad4a0e2a8b8da0a86)
Signed-off-by: Martin Schwenke <martin@meltin.net> Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Fri May 26 05:24:34 CEST 2017 on sn-devel-144
During revoking readonly delegations, if one of the nodes disappears,
then there is no point re-trying revoking readonly delegation immedately.
The database needs to be recovered before the revoke operation can
succeed.
However, if the revoke is successful, then all the write requests need
to be processed immediately before the read-only requests. This avoids
starving write requests, in case there are read-only requests coming
from other nodes.
In deferred_call_destructor, the result of revoke is not available and
deferred calls cannot be correctly ordered. To correctly order the
deferred calls, process them in revokechild_destructor where the result
of revoke is known.
Signed-off-by: Amitay Isaacs <amitay@gmail.com> Reviewed-by: Martin Schwenke <martin@meltin.net>
(cherry picked from commit f5f05a644dadc0b1858c99c5f1f5af1ef80f3a28)
Jeremy Allison [Tue, 16 May 2017 23:12:19 +0000 (16:12 -0700)]
s3: smbd: Fix open_files.idl to correctly ignore share_mode_lease *lease in share_mode_entry.
This is currently marked 'skip', which means it isn't stored in the
db, but printed out in ndr dump. However, this pointer can be invalid
if the lease_idx is set to 0xFFFFFFFF (invalid).
This is fixed up inside parse_share_modes(), but not until after
ndr_pull_share_mode_data() is called. If lease_idx == 0xFFFFFFFF
then ndr_print_share_mode_lease() prints an invalid value and
crashes.
Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu May 18 03:01:40 CEST 2017 on sn-devel-144
Volker Lendecke [Fri, 31 Mar 2017 15:20:07 +0000 (15:20 +0000)]
idmap_rfc2307: Don't stop after 30 entries
We start over again and again, so we need to search in the whole list.
This is a quick hack generating a bad O(n^2). The real fix is to
call idmap_rfc2307_find_map with "maps" starting at the right offset,
but that's an optimization for later when it's restructured
Volker Lendecke [Fri, 31 Mar 2017 15:20:07 +0000 (15:20 +0000)]
idmap_rfc2307: Don't stop after 30 entries
We start over again and again, so we need to search in the whole list.
This is a quick hack generating a bad O(n^2). The real fix is to
call idmap_rfc2307_find_map with "maps" starting at the right offset,
but that's an optimization for later when it's restructured
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit afa15e6128473d3e4006f7cdc3762ab4c1cba05a)
Autobuild-User(v4-5-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-5-test): Tue May 9 14:34:10 CEST 2017 on sn-devel-144
Signed-off-by: Ralph Boehme <slow@samba.org> Signed-off-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Sat May 6 22:58:47 CEST 2017 on sn-devel-144
Ralph Boehme [Wed, 19 Apr 2017 11:12:55 +0000 (13:12 +0200)]
vfs_fruit: lp_case_sensitive() does not return a bool
lp_case_sensitive() returns an int, not a bool, so with the default
setting of "Auto" by default we set the AAPL flag
SMB2_CRTCTX_AAPL_CASE_SENSITIVE.
This caused the client to believe the volume is case sensitive where it
wasn't, leading to an error when trying to rename files changing only
the case of the name.
Also fix the existing torture test that verifies AAPL context
negotiation and actually expected the server to return "case sensitive",
while the Samba default is really "case insensitive".
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Uri Simchoni <uri@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Thu Apr 20 20:50:10 CEST 2017 on sn-devel-144
In notifyd_trigger_parser() while initializing notify_event_msg values from
notify_trigger_msg, 'when' value is ignored. So the smbd process does not get
correct 'when' value and this is causing issues during qsort in
notify_marshall_changes(). Because of this issue, smb2.notify.dir test was
failing.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12756 Signed-off-by: Shilpa Krishnareddy <skrishnareddy@panzura.com> Reviewed-by: Volker Lendecke <vl@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Apr 26 17:02:58 CEST 2017 on sn-devel-144
The last 3 patches address
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12743
vfs_shadow_copy2 fails to list snapshots from shares with GlusterFS backend
pam_winbind: no longer use wbcUserPasswordPolicyInfo when authenticating
The expiry time for the specific user comes from
info->pass_must_change_time and nothing else.
The authenticating DC knows which password policy applies
to the user, that's nothing the client can do, as
domain trusts and fine-grained password policies makes
this a very complex task.
Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Apr 18 15:43:02 CEST 2017 on sn-devel-144
Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 60af864f751706c48b8af448700bf06e33e45946)
Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Martin Schwenke <martin@meltin.net> Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 600f8787e3b605c9f3e8f724c726e63157ee9efc)
Uri Simchoni [Thu, 13 Apr 2017 09:44:58 +0000 (12:44 +0300)]
vfs_acl_xattr: avoid needlessly supplying a large buffer to getxattr()
When obtaining the security descriptor via getxattr(), first try
optimistically to supply a buffer of 4K, and if that turns out
to be too small, determine the correct buffer size.
The previous behavior of falling back to a 64K buffer encountered
problem with Linux prior to version 3.6, due to pyisical memory
fragmentation. With those kernels, as long as the buffer is 8K or
smaller, getting the xattr is much less prone to failure due to
memory fragmentation.
Signed-off-by: Uri Simchoni <uri@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Apr 18 04:41:16 CEST 2017 on sn-devel-144
Ralph Boehme [Wed, 29 Mar 2017 09:13:46 +0000 (11:13 +0200)]
winbindd: trigger possible passdb_dsdb initialisation
If the passdb backend is passdb_dsdb the domain SID comes from dsdb, not
from secrets.tdb. As we use the domain SID in various places, we must
ensure the domain SID is migrated from dsdb to secrets.tdb before
get_global_sam_sid() is called the first time.
The migration is done as part of the passdb_dsdb initialisation, calling
pdb_get_domain_info() triggers it.
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Apr 1 21:18:59 CEST 2017 on sn-devel-144
Ralph Boehme [Fri, 31 Mar 2017 14:06:18 +0000 (16:06 +0200)]
selftest: fix for wbinfo -s tests for wellknown SIDs
Rework while loop to not use a pipe as that uses a subshell for the loop
which means assigning to the variable failed is not visible in the
main script.
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit d8fd56a8244a3010469c27eaa3b73a2c5fbbc41f)
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 167bb5ead8c7193d173fdba8a453279d422fa7ea)
Ralph Boehme [Fri, 31 Mar 2017 14:24:05 +0000 (16:24 +0200)]
selftest: wbinfo --sids-to-unix-ids tests for wellknown SIDs
This test passes even without the fix, as in sids2xids we use the
lookupnames just to determine the mapping domain, using the default
idmap domain as fallback if that fails.
Ralph Boehme [Thu, 30 Mar 2017 21:41:59 +0000 (23:41 +0200)]
winbindd: use passdb backend for well-known SIDs
On a DC well-known SIDs like S-1-1-0 (everyone) *must* be handled by the
local domain, otherwise something simple like this fails with
WBC_ERR_DOMAIN_NOT_FOUND:
$ make testenv SELFTEST_TESTENV=nt4_dc SCREEN=1
localnt4dc2$ ./bin/wbinfo --sid-to-name S-1-1-0
failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup sid S-1-1-0
On a member server asking our DC works and is what we're currently
doing, but changing it to ask passdb avoids the overhead.
projects / thirdparty / samba.git / log
