git.ipfire.org Git - thirdparty/samba.git/log

Stefan Metzmacher [Sat, 27 Feb 2016 02:45:43 +0000 (03:45 +0100)]
CVE-2016-2115: docs-xml: add "client ipc min protocol" and "client ipc max protocol" options

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11796

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Stefan Metzmacher [Wed, 15 Jul 2015 08:57:03 +0000 (10:57 +0200)]
CVE-2016-2114: docs-xml: let the "smb signing" documentation reflect the reality

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11687

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

Ralph Boehme [Tue, 22 Mar 2016 15:30:42 +0000 (16:30 +0100)]
CVE-2016-2114: s3:smbd: enforce "server signing = mandatory"

This fixes a regression that was introduced by commit
abb24bf8e874d525382e994af7ae432212775153
("s3:smbd: make use of better SMB signing negotiation").

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11687

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

Ralph Boehme [Tue, 22 Mar 2016 15:25:32 +0000 (16:25 +0100)]
CVE-2016-2114: libcli/smb: let mandatory signing imply allowed signing

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11687

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

Stefan Metzmacher [Wed, 15 Jul 2015 08:57:03 +0000 (10:57 +0200)]
CVE-2016-2114: s3:smbd: use the correct default values for "smb signing"

This means an ad_dc will now require signing by default.
This matches the default behavior of a Windows DC and avoids
man-in-the-middle attacks.

The main logic for this hides in lpcfg_server_signing_allowed().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11687

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

Stefan Metzmacher [Thu, 16 Jul 2015 02:45:16 +0000 (04:45 +0200)]
CVE-2016-2114: s4:smb2_server: fix session setup with required signing

The client can't sign the session setup request...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11687

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

Stefan Metzmacher [Wed, 16 Mar 2016 12:03:08 +0000 (13:03 +0100)]
CVE-2016-2113: docs-xml: let "tls verify peer" default to "as_strict_as_possible"

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11752

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

Stefan Metzmacher [Sat, 26 Mar 2016 07:38:46 +0000 (08:38 +0100)]
CVE-2016-2113: selftest: use "tls verify peer = no_check"

Individual tests will check the more secure values.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11752

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

Stefan Metzmacher [Wed, 16 Mar 2016 14:07:36 +0000 (15:07 +0100)]
CVE-2016-2113: selftest: test all "tls verify peer" combinations with ldaps

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11752

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

Stefan Metzmacher [Wed, 23 Dec 2015 15:17:04 +0000 (16:17 +0100)]
CVE-2016-2113: s4:librpc/rpc: verify the rpc_proxy certificate and hostname if configured

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11752

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

Stefan Metzmacher [Wed, 23 Dec 2015 15:17:04 +0000 (16:17 +0100)]
CVE-2016-2113: s4:libcli/ldap: verify the server certificate and hostname if configured

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11752

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

Stefan Metzmacher [Mon, 21 Mar 2016 02:56:22 +0000 (03:56 +0100)]
CVE-2016-2113: s4:selftest: explicitly use '--option="tlsverifypeer=no_check" for some ldaps tests

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11752

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

Ralph Boehme [Fri, 18 Mar 2016 08:37:06 +0000 (09:37 +0100)]
CVE-2016-2113(<=4.3): docs-xml: add "tls verify peer" option defaulting to "no_check"

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11752

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>

Stefan Metzmacher [Wed, 23 Dec 2015 21:12:56 +0000 (22:12 +0100)]
CVE-2016-2113: docs-xml: add "tls verify peer" option defaulting to "no_check"

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11752

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

Stefan Metzmacher [Wed, 23 Dec 2015 15:17:04 +0000 (16:17 +0100)]
CVE-2016-2113: s4:lib/tls: implement infrastructure to do peer verification

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11752

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

Stefan Metzmacher [Wed, 23 Dec 2015 14:39:48 +0000 (15:39 +0100)]
CVE-2016-2113: s4:lib/tls: create better certificates and sign the host cert with the ca cert

The generated ca cert (in ca.pem) was completely useless;
it could be replaced by cert.pem.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11752

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

Stefan Metzmacher [Fri, 25 Mar 2016 18:24:20 +0000 (19:24 +0100)]
CVE-2016-2112: docs-xml: change the default of "ldap server require strong auth" to "yes"

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

Stefan Metzmacher [Mon, 21 Dec 2015 09:04:48 +0000 (10:04 +0100)]
CVE-2016-2112: s4:selftest: run some ldap test against ad_dc_ntvfs, fl2008r2dc and fl2003dc

We want to test against all "ldap server require strong auth" combinations.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

Stefan Metzmacher [Mon, 21 Dec 2015 09:27:33 +0000 (10:27 +0100)]
CVE-2016-2112: selftest: servers with explicit "ldap server require strong auth" options

The default is "ldap server require strong auth = yes",
ad_dc_ntvfs uses "ldap server require strong auth = allow_sasl_over_tls",
fl2008r2dc uses "ldap server require strong auth = no".

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

Stefan Metzmacher [Sat, 26 Mar 2016 17:07:02 +0000 (18:07 +0100)]
CVE-2016-2112: s4:selftest: run samba4.ldap.bind against fl2008r2dc

This uses "ldap server require strong auth = no".

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

Stefan Metzmacher [Fri, 28 Aug 2015 10:19:37 +0000 (12:19 +0200)]
CVE-2016-2112: s4:ldap_server: implement "ldap server require strong auth" option

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

Ralph Boehme [Fri, 18 Mar 2016 08:09:46 +0000 (09:09 +0100)]
CVE-2016-2112(<=4.3): docs-xml: add "ldap server require strong auth" option

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>

Stefan Metzmacher [Mon, 21 Dec 2015 11:03:56 +0000 (12:03 +0100)]
CVE-2016-2112: docs-xml: add "ldap server require strong auth" option

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

Stefan Metzmacher [Fri, 18 Dec 2015 11:45:56 +0000 (12:45 +0100)]
CVE-2016-2112: s4:ldap_server: reduce scope of old_session_info variable

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

Stefan Metzmacher [Fri, 18 Dec 2015 10:56:29 +0000 (11:56 +0100)]
CVE-2016-2112: s4:selftest: use --option=clientldapsaslwrapping=plain for plain connections

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

Stefan Metzmacher [Fri, 18 Dec 2015 07:29:50 +0000 (08:29 +0100)]
CVE-2016-2112: s4:libcli/ldap: auto upgrade to SIGN after STRONG_AUTH_REQUIRED

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

Stefan Metzmacher [Fri, 18 Dec 2015 07:29:50 +0000 (08:29 +0100)]
CVE-2016-2112: s4:libcli/ldap: make sure we detect downgrade attacks

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

Stefan Metzmacher [Fri, 18 Dec 2015 07:29:50 +0000 (08:29 +0100)]
CVE-2016-2112: s4:libcli/ldap: honour "client ldap sasl wrapping" option

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

Stefan Metzmacher [Thu, 24 Mar 2016 14:50:49 +0000 (15:50 +0100)]
CVE-2016-2112: s3:libads: make sure we detect downgrade attacks

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Pair-programmed-with: Ralph Boehme <slow@samba.org>

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>

Stefan Metzmacher [Tue, 15 Mar 2016 20:59:42 +0000 (21:59 +0100)]
CVE-2016-2111: docs-xml/smbdotconf: default "raw NTLMv2 auth" to "no"

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

Stefan Metzmacher [Sat, 26 Mar 2016 21:08:38 +0000 (22:08 +0100)]
CVE-2016-2111: selftest:Samba3: use "raw NTLMv2 auth = yes" for nt4_dc

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

Stefan Metzmacher [Tue, 1 Mar 2016 09:25:54 +0000 (10:25 +0100)]
CVE-2016-2111: s4:smb_server: implement "raw NTLMv2 auth" checks

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

Stefan Metzmacher [Tue, 1 Mar 2016 09:25:54 +0000 (10:25 +0100)]
CVE-2016-2111: s3:auth: implement "raw NTLMv2 auth" checks

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

Stefan Metzmacher [Tue, 15 Mar 2016 20:02:34 +0000 (21:02 +0100)]
CVE-2016-2111(<=4.3): docs-xml: add "raw NTLMv2 auth" defaulting to "yes"

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Stefan Metzmacher [Tue, 15 Mar 2016 20:02:34 +0000 (21:02 +0100)]
CVE-2016-2111: docs-xml: add "raw NTLMv2 auth" defaulting to "yes"

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

Stefan Metzmacher [Sun, 27 Mar 2016 00:09:05 +0000 (01:09 +0100)]
CVE-2016-2111: docs-xml: document the new "client NTLMv2 auth" and "client use spnego" interaction

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

Stefan Metzmacher [Sat, 26 Mar 2016 17:08:16 +0000 (18:08 +0100)]
CVE-2016-2111: s3:libsmb: don't send a raw NTLMv2 response when we want to use spnego

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

Stefan Metzmacher [Sat, 26 Mar 2016 17:08:16 +0000 (18:08 +0100)]
CVE-2016-2111: s4:libcli: don't send a raw NTLMv2 response when we want to use spnego

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

Stefan Metzmacher [Sat, 26 Mar 2016 17:08:16 +0000 (18:08 +0100)]
CVE-2016-2111: s4:param: use "client use spnego" to initialize options->use_spnego

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

Stefan Metzmacher [Sat, 26 Mar 2016 17:08:16 +0000 (18:08 +0100)]
CVE-2016-2111: s4:libcli: don't allow the LANMAN2 session setup without "client lanman auth = yes"

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

Stefan Metzmacher [Sat, 26 Mar 2016 21:24:23 +0000 (22:24 +0100)]
CVE-2016-2111: s4:torture/base: don't use ntlmv2 for dos connection in base.samba3error

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

Stefan Metzmacher [Sat, 26 Mar 2016 21:24:23 +0000 (22:24 +0100)]
CVE-2016-2111: s4:torture/raw: don't use ntlmv2 for dos connection in raw.samba3badpath

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

Stefan Metzmacher [Wed, 9 Dec 2015 12:12:43 +0000 (13:12 +0100)]
CVE-2016-2111: s3:rpc_server/netlogon: check NTLMv2_RESPONSE values for SEC_CHAN_WKSTA

This prevents spoofing like Microsoft's CVE-2015-0005.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

Stefan Metzmacher [Wed, 9 Dec 2015 12:12:43 +0000 (13:12 +0100)]
CVE-2016-2111: s4:rpc_server/netlogon: check NTLMv2_RESPONSE values for SEC_CHAN_WKSTA

This prevents spoofing like Microsoft's CVE-2015-0005.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

Stefan Metzmacher [Tue, 23 Feb 2016 18:08:31 +0000 (19:08 +0100)]
CVE-2016-2111: libcli/auth: add NTLMv2_RESPONSE_verify_netlogon_creds() helper function

This is the function that prevents spoofing like
Microsoft's CVE-2015-0005.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

Stefan Metzmacher [Sat, 12 Dec 2015 21:23:18 +0000 (22:23 +0100)]
CVE-2016-2111: s4:torture/rpc: fix rpc.pac ntlmv2 test

The computer name of the NTLMv2 blob needs to match
the schannel connection.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

Stefan Metzmacher [Sat, 12 Dec 2015 21:23:18 +0000 (22:23 +0100)]
CVE-2016-2111: s4:torture/rpc: fix rpc.samba3.netlogon ntlmv2 test

The computer name of the NTLMv2 blob needs to match
the schannel connection.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

Stefan Metzmacher [Fri, 7 Aug 2015 11:33:17 +0000 (13:33 +0200)]
CVE-2016-2111: s3:rpc_server/netlogon: require DCERPC_AUTH_LEVEL_PRIVACY for validation level 6

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

Stefan Metzmacher [Fri, 7 Aug 2015 11:33:17 +0000 (13:33 +0200)]
CVE-2016-2111: s4:rpc_server/netlogon: require DCERPC_AUTH_LEVEL_PRIVACY for validation level 6

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

Günther Deschner [Fri, 25 Sep 2015 23:29:10 +0000 (01:29 +0200)]
CVE-2016-2111: s3:rpc_server/netlogon: always go through netr_creds_server_step_check()

This ensures we apply the "server schannel = yes" restrictions.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>

Stefan Metzmacher [Wed, 9 Mar 2016 14:31:23 +0000 (15:31 +0100)]
CVE-2016-2111: s4:rpc_server: implement 'server schannel = yes' restriction

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

Stefan Metzmacher [Tue, 15 Dec 2015 14:10:20 +0000 (15:10 +0100)]
CVE-2016-2111: auth/gensec: correctly report GENSEC_FEATURE_{SIGN,SEAL} in schannel_have_feature()

This depends on the DCERPC auth level.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

Stefan Metzmacher [Tue, 15 Dec 2015 14:11:32 +0000 (15:11 +0100)]
CVE-2016-2111: auth/gensec: require DCERPC_AUTH_LEVEL_INTEGRITY or higher in schannel_update()

It doesn't make any sense to allow other auth levels.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

Stefan Metzmacher [Thu, 19 Nov 2015 15:26:49 +0000 (16:26 +0100)]
CVE-2016-2110: auth/ntlmssp: implement new_spnego support including MIC generation (as client)

We now detect a MsvAvTimestamp in target info as an indication
that the server supports NTLMSSP_MIC in the AUTH_MESSAGE.

If the client uses NTLMv2 we provide
NTLMSSP_AVFLAG_MIC_IN_AUTHENTICATE_MESSAGE and a valid MIC.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

Stefan Metzmacher [Thu, 19 Nov 2015 15:02:58 +0000 (16:02 +0100)]
CVE-2016-2110(<=4.2): auth/ntlmssp: implement new_spnego support including MIC checking (as server)

This fixes the build in 4.2 and older versions.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

Stefan Metzmacher [Thu, 19 Nov 2015 15:02:58 +0000 (16:02 +0100)]
CVE-2016-2110: auth/ntlmssp: implement new_spnego support including MIC checking (as server)

We now include a MsvAvTimestamp in our target info as an indication
for the client to include an NTLMSSP_MIC in the AUTH_MESSAGE.
If the client uses NTLMv2 we check NTLMSSP_AVFLAG_MIC_IN_AUTHENTICATE_MESSAGE
and require a valid MIC.

This is still disabled if the "map to guest" feature is used.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

Stefan Metzmacher [Mon, 30 Nov 2015 08:13:14 +0000 (09:13 +0100)]
CVE-2016-2110: ntlmssp.idl: add NTLMSSP_MIC_{OFFSET,SIZE}

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

Stefan Metzmacher [Fri, 20 Nov 2015 08:31:35 +0000 (09:31 +0100)]
CVE-2016-2110: libcli/auth: pass server_timestamp to SMBNTLMv2encrypt_hash()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

Stefan Metzmacher [Fri, 20 Nov 2015 08:29:11 +0000 (09:29 +0100)]
CVE-2016-2110(<=4.2): auth/credentials: pass server_timestamp to cli_credentials_get_ntlm_response()

This fixes the build in 4.2 and older versions.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

Stefan Metzmacher [Fri, 20 Nov 2015 08:29:11 +0000 (09:29 +0100)]
CVE-2016-2110: auth/credentials: pass server_timestamp to cli_credentials_get_ntlm_response()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

Stefan Metzmacher [Tue, 24 Nov 2015 20:24:47 +0000 (21:24 +0100)]
CVE-2016-2110: auth/credentials: clear the LMv2 key for NTLMv2 in cli_credentials_get_ntlm_response()

If we clear CLI_CRED_LANMAN_AUTH, we should also clear the lm_response buffer
and not send it over the net.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

Stefan Metzmacher [Tue, 17 Dec 2013 10:49:31 +0000 (11:49 +0100)]
CVE-2016-2110: auth/ntlmssp: implement gensec_ntlmssp_may_reset_crypto()

[MS-SPNG] requires the NTLMSSP RC4 states to be reset after
the SPNEGO exchange with mechListMic verification (new_spnego).

The 'reset_full' parameter is needed to support the broken
behavior that Windows only resets the RC4 states but not the
sequence numbers, which means this functionality is completely
useless... But we want to work against all Windows versions...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

Stefan Metzmacher [Mon, 16 Dec 2013 10:27:27 +0000 (11:27 +0100)]
CVE-2016-2110: auth/ntlmssp: call ntlmssp_sign_init if we provide GENSEC_FEATURE_SIGN

It's important to check if we got GENSEC_FEATURE_SIGN and if the caller
wanted it.

The caller may only have asked for GENSEC_FEATURE_SESSION_KEY, which implicitly
negotiates NTLMSSP_NEGOTIATE_SIGN, which might indicate GENSEC_FEATURE_SIGN
to the SPNEGO glue code.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

Stefan Metzmacher [Tue, 17 Dec 2013 10:49:31 +0000 (11:49 +0100)]
CVE-2016-2110: auth/gensec: add gensec_may_reset_crypto() infrastructure

[MS-SPNG] requires the NTLMSSP RC4 states to be reset after
the SPNEGO exchange with mechListMic verification (new_spnego).

This provides the infrastructure for this feature.

The 'reset_full' parameter is needed to support the broken
behavior that Windows only resets the RC4 states but not the
sequence numbers, which means this functionality is completely
useless... But we want to work against all Windows versions...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

Stefan Metzmacher [Tue, 24 Nov 2015 19:13:24 +0000 (20:13 +0100)]
CVE-2016-2110: auth/gensec: require spnego mechListMIC exchange for new_spnego backends

This used to work more or less before, but only for krb5 with the
server finishing first.

With NTLMSSP and new_spnego the client will finish first.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

Stefan Metzmacher [Fri, 20 Nov 2015 10:42:55 +0000 (11:42 +0100)]
CVE-2016-2110: auth/gensec: fix the client side of a spnego downgrade

New servers respond with SPNEGO_REQUEST_MIC instead of
SPNEGO_ACCEPT_INCOMPLETE to a downgrade.

With just KRB5 and NTLMSSP this doesn't happen, but we
want to be prepared for the future.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

Stefan Metzmacher [Fri, 20 Nov 2015 10:42:55 +0000 (11:42 +0100)]
CVE-2016-2110: auth/gensec: fix the client side of a new_spnego exchange

Even for SMB where the server provides its mech list,
the client needs to remember its own mech list for the
mechListMIC calculation.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

Stefan Metzmacher [Tue, 17 Dec 2013 11:42:35 +0000 (12:42 +0100)]
CVE-2016-2110: libcli/auth: add SPNEGO_REQUEST_MIC to enum spnego_negResult

This is defined in http://www.ietf.org/rfc/rfc4178.txt.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

Stefan Metzmacher [Tue, 17 Dec 2013 11:42:06 +0000 (12:42 +0100)]
CVE-2016-2110: libcli/auth: use enum spnego_negResult instead of uint8_t

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

Stefan Metzmacher [Fri, 20 Nov 2015 13:06:18 +0000 (14:06 +0100)]
CVE-2016-2110: winbindd: add new_spnego to the WINBINDD_CCACHE_NTLMAUTH response

We don't need to change the protocol version because:

1. An old client may provide the "initial_blob"
   (which was and is still ignored when going
   via the wbcCredentialCache() function)
   and the new winbindd won't use new_spnego.

2. A new client will just get a zero byte
   from an old winbindd, as it uses talloc_zero() to
   create struct winbindd_response.

3. Changing the version number would introduce problems
   with backports to older Samba versions.

New clients which are capable of using the new_spnego field
will use "negotiate_blob" instead of "initial_blob".

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
9 years ago
CVE-2016-2110: auth/ntlmssp: let gensec_ntlmssp_client_start require NTLM2 (EXTENDED_...
Stefan Metzmacher [Tue, 1 Dec 2015 13:54:13 +0000 (14:54 +0100)] 
CVE-2016-2110: auth/ntlmssp: let gensec_ntlmssp_client_start require NTLM2 (EXTENDED_SESSIONSECURITY) when using ntlmv2

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
9 years ago
CVE-2016-2110: auth/ntlmssp: let gensec_ntlmssp_client_start require flags depending...
Stefan Metzmacher [Tue, 1 Dec 2015 13:54:13 +0000 (14:54 +0100)] 
CVE-2016-2110: auth/ntlmssp: let gensec_ntlmssp_client_start require flags depending on the requested features

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
9 years ago
CVE-2016-2110: auth/ntlmssp: don't let ntlmssp_handle_neg_flags() change ntlmssp_stat...
Stefan Metzmacher [Tue, 1 Dec 2015 14:06:09 +0000 (15:06 +0100)] 
CVE-2016-2110: auth/ntlmssp: don't let ntlmssp_handle_neg_flags() change ntlmssp_state->use_ntlmv2

ntlmssp_handle_neg_flags() can only disable flags, but not
set them. All supported flags are set at start time.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
9 years ago
CVE-2016-2110: auth/ntlmssp: don't allow a downgrade from NTLMv2 to LM_AUTH
Stefan Metzmacher [Tue, 1 Dec 2015 14:01:09 +0000 (15:01 +0100)] 
CVE-2016-2110: auth/ntlmssp: don't allow a downgrade from NTLMv2 to LM_AUTH

man smb.conf says "client ntlmv2 auth = yes" (the default) disables
"client lanman auth = yes":

  ...
  Likewise, if the client ntlmv2 auth parameter is enabled, then only NTLMv2
  logins will be attempted.
  ...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
9 years ago
CVE-2016-2110: auth/ntlmssp: split allow_lm_response from allow_lm_key
Stefan Metzmacher [Tue, 1 Dec 2015 13:58:19 +0000 (14:58 +0100)] 
CVE-2016-2110: auth/ntlmssp: split allow_lm_response from allow_lm_key

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
9 years ago
CVE-2016-2110: auth/ntlmssp: maintain conf_flags and required_flags variables
Stefan Metzmacher [Tue, 1 Dec 2015 10:01:24 +0000 (11:01 +0100)] 
CVE-2016-2110: auth/ntlmssp: maintain conf_flags and required_flags variables

We now give an error when required flags are missing.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
9 years ago
CVE-2016-2110: auth/ntlmssp: let ntlmssp_handle_neg_flags() return NTSTATUS
Stefan Metzmacher [Tue, 1 Dec 2015 07:46:45 +0000 (08:46 +0100)] 
CVE-2016-2110: auth/ntlmssp: let ntlmssp_handle_neg_flags() return NTSTATUS

In future we can do a more fine-grained negotiation
and assert specific security features.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
9 years ago
CVE-2016-2110(<=4.2): s4:winbind: implement the WBFLAG_BIG_NTLMV2_BLOB flag
Stefan Metzmacher [Mon, 21 Mar 2016 22:07:12 +0000 (23:07 +0100)] 
CVE-2016-2110(<=4.2): s4:winbind: implement the WBFLAG_BIG_NTLMV2_BLOB flag

NTLMv2 blobs can become large...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
9 years ago
s3:ntlm_auth: pass manage_squid_request() needs a valid struct ntlm_auth_state from...
Stefan Metzmacher [Mon, 21 Mar 2016 18:41:53 +0000 (19:41 +0100)] 
s3:ntlm_auth: pass manage_squid_request() needs a valid struct ntlm_auth_state from within get_password()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Mar 22 19:20:38 CET 2016 on sn-devel-144

(cherry picked from commit ef1ad0e122659b5ff9097f0f7046f10fc2f3ec30)

9 years ago
s3:rpc_server/samr: correctly handle session_extract_session_key() failures
Stefan Metzmacher [Sun, 28 Feb 2016 22:32:50 +0000 (23:32 +0100)] 
s3:rpc_server/samr: correctly handle session_extract_session_key() failures

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 0906d61bb2f3446483d82928b55f5b797bac4804)

9 years ago
s4:selftest: run rpc.netlogon.admin also over ncalrpc and ncacn_ip_tcp
Stefan Metzmacher [Fri, 18 Dec 2015 14:30:00 +0000 (15:30 +0100)] 
s4:selftest: run rpc.netlogon.admin also over ncalrpc and ncacn_ip_tcp

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Mar 18 12:39:51 CET 2016 on sn-devel-144

(cherry picked from commit e8e2386bf6bd05c60a0f897587a9a676c86dee76)

9 years ago
libads: Fix CID 1356316 Uninitialized pointer read
Volker Lendecke [Tue, 15 Mar 2016 19:34:27 +0000 (20:34 +0100)] 
libads: Fix CID 1356316 Uninitialized pointer read

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit dcaa88158e6f0a9964ad051b4062d82e9f279b8c)

9 years ago
libsmb: Fix CID 1356312 Explicit null dereferenced
Volker Lendecke [Tue, 15 Mar 2016 20:00:30 +0000 (21:00 +0100)] 
libsmb: Fix CID 1356312 Explicit null dereferenced

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit f50c3fb1c58700522f1b742539dab9bd9ae7fd39)

9 years ago
s3-auth: check for return code of cli_credentials_set_machine_account().
Günther Deschner [Sat, 26 Sep 2015 00:20:50 +0000 (02:20 +0200)] 
s3-auth: check for return code of cli_credentials_set_machine_account().

Guenther

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Mar 17 20:43:19 CET 2016 on sn-devel-144

(cherry picked from commit c06058a99be4cf3ad3431dc263d4595ffc226fcf)

9 years ago
s4-smb_server: check for return code of cli_credentials_set_machine_account().
Günther Deschner [Sat, 26 Sep 2015 00:18:44 +0000 (02:18 +0200)] 
s4-smb_server: check for return code of cli_credentials_set_machine_account().

We keep anonymous server_credentials structure in order to let
the rpc.spoolss.notify start its test server.

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Günther Deschner <gd@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit fe93a09889a854d7c93f9b349d5794bdbb9403ba)

9 years ago
s4:rpc_server: require access to the machine account credentials
Stefan Metzmacher [Fri, 26 Jun 2015 06:10:46 +0000 (08:10 +0200)] 
s4:rpc_server: require access to the machine account credentials

Even a standalone server should be self-joined.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit 31f07d05629bc05ef99edc86ad2a3e95ec8599f1)

9 years ago
auth/gensec: split out a gensec_verify_dcerpc_auth_level() function
Stefan Metzmacher [Tue, 15 Dec 2015 14:08:43 +0000 (15:08 +0100)] 
auth/gensec: split out a gensec_verify_dcerpc_auth_level() function

We only need this logic once.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit 57946ac7c19c4e9bd8893c3acb9daf7c4bd02159)

9 years ago
auth/gensec: make sure gensec_security_by_auth_type() returns NULL for AUTH_TYPE_NONE
Stefan Metzmacher [Fri, 10 Jul 2015 11:01:47 +0000 (13:01 +0200)] 
auth/gensec: make sure gensec_security_by_auth_type() returns NULL for AUTH_TYPE_NONE

ops->auth_type == 0 means the backend doesn't support DCERPC.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit cc3dea5a8104eef2cfd1f8c05e25da186c334320)

9 years ago
s4:torture/rpc/schannel: don't use validation level 6 without privacy
Stefan Metzmacher [Fri, 11 Mar 2016 01:55:30 +0000 (02:55 +0100)] 
s4:torture/rpc/schannel: don't use validation level 6 without privacy

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit 733ccd13209c20f8e76ae7b47e1741791c1cd6ba)

9 years ago
s4:torture/rpc: correctly use torture_skip() for test_ManyGetDCName() without NCACN_NP
Stefan Metzmacher [Fri, 11 Mar 2016 17:09:26 +0000 (18:09 +0100)] 
s4:torture/rpc: correctly use torture_skip() for test_ManyGetDCName() without NCACN_NP

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit 50581689d924032de1765ec884dbd160652888be)

9 years ago
s4:torture/rpc/samlogon: use DCERPC_SEAL for netr_LogonSamLogonEx and validation...
Stefan Metzmacher [Mon, 14 Mar 2016 00:56:07 +0000 (01:56 +0100)] 
s4:torture/rpc/samlogon: use DCERPC_SEAL for netr_LogonSamLogonEx and validation level 6

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit 050a1d0653716fd7c166d35a7236a014bf1d1516)

9 years ago
s4:torture/rpc/samr: use DCERPC_SEAL in setup_schannel_netlogon_pipe()
Stefan Metzmacher [Thu, 10 Mar 2016 16:24:03 +0000 (17:24 +0100)] 
s4:torture/rpc/samr: use DCERPC_SEAL in setup_schannel_netlogon_pipe()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit 26e5ef68188d2e44d42f75ed6aabf2557c9ce5ce)

9 years ago
s4:torture/netlogon: add/use test_SetupCredentialsPipe() helper function
Stefan Metzmacher [Tue, 22 Dec 2015 11:10:12 +0000 (12:10 +0100)] 
s4:torture/netlogon: add/use test_SetupCredentialsPipe() helper function

This creates a schannel connection to netlogon, which makes the tests
more realistic.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(similar to commit 1a7d8b8602a687ff6eef45f15f597694e94e14b1)

9 years ago
s3:test_rpcclient_samlogon.sh: test samlogon with schannel
Stefan Metzmacher [Tue, 22 Dec 2015 08:13:46 +0000 (09:13 +0100)] 
s3:test_rpcclient_samlogon.sh: test samlogon with schannel

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit f9a1915238dc7a573c58dd8c7bac3637689af265)

9 years ago
s3:selftest: rpc.samr.passwords.validate should run with [seal] in order to be realistic
Stefan Metzmacher [Fri, 18 Dec 2015 06:10:06 +0000 (07:10 +0100)] 
s3:selftest: rpc.samr.passwords.validate should run with [seal] in order to be realistic

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(similar to commit 2c36501640207604a5c66fb582c2d5981619147e)

9 years ago
selftest: set up information of new samba.example.com CA in the client environment
Stefan Metzmacher [Sat, 9 Jan 2016 20:21:25 +0000 (21:21 +0100)] 
selftest: set up information of new samba.example.com CA in the client environment

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit b00c38afc6203f1e1f566db31a63cedba632dfab)

9 years ago
selftest: set tls crlfile if it exists
Stefan Metzmacher [Sat, 9 Jan 2016 20:21:25 +0000 (21:21 +0100)] 
selftest: set tls crlfile if it exists

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit b2c0f71db026353060ad47fd0a85241a3df8c703)

9 years ago
selftest: use Samba::prepare_keyblobs() and use the certs from the new CA
Stefan Metzmacher [Sat, 9 Jan 2016 20:21:25 +0000 (21:21 +0100)] 
selftest: use Samba::prepare_keyblobs() and use the certs from the new CA

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(similar to commit c321a59f267d1a997eff6f864a79437ef759adeb)

9 years ago
selftest: add Samba::prepare_keyblobs() helper function
Stefan Metzmacher [Sat, 9 Jan 2016 20:21:25 +0000 (21:21 +0100)] 
selftest: add Samba::prepare_keyblobs() helper function

This copies the certificates from the samba.example.com CA if they
exist.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit a6447fd6d010b525d235b894d5be62c807922cb5)

9 years ago
selftest: mark commands in manage-CA-samba.example.com.sh as DONE
Stefan Metzmacher [Sat, 9 Jan 2016 00:06:05 +0000 (01:06 +0100)] 
selftest: mark commands in manage-CA-samba.example.com.sh as DONE

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(similar to commit 2a96885ac706ae3e7c6fd7aaff0215f3f171bc27)