Andrew Bartlett [Thu, 12 Dec 2019 01:44:57 +0000 (14:44 +1300)]
CVE-2019-14902 dsdb: Change basis of descriptor module deferred processing to be GUIDs
We can not process on the basis of a DN, as the DN may have changed in a rename,
not only that this module can see, but also from repl_meta_data below.
Therefore remove all the complex tree-based change processing, leaving only
a tree-based sort of the possible objects to be changed, and a single
stopped_dn variable containing the DN to stop processing below (after
a no-op change).
Andrew Bartlett [Sun, 15 Dec 2019 22:29:27 +0000 (11:29 +1300)]
selftest: Add test to confirm ACL inheritence really happens
While we have a seperate test (sec_descriptor.py) that confirms inheritance in
general we want to lock in these specific patterns as this test covers
rename.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Karolin Seeger [Tue, 3 Dec 2019 11:54:00 +0000 (12:54 +0100)]
VERSION: Disable GIT_SNAPSHOT for the 4.10.11 release.
o CVE-2019-14861: Samba AD DC zone-named record Denial of Service in DNS
management server (dnsserver).
o CVE-2019-14870: DelegationNotAllowed not being enforced in protocol transition
on Samba AD DC.
Karolin Seeger [Tue, 3 Dec 2019 11:52:58 +0000 (12:52 +0100)]
WHATSNEW: Add release notes for Samba 4.10.11.
o CVE-2019-14861: Samba AD DC zone-named record Denial of Service in DNS
management server (dnsserver).
o CVE-2019-14870: DelegationNotAllowed not being enforced in protocol transition
on Samba AD DC.
Andrew Bartlett [Thu, 31 Oct 2019 17:53:56 +0000 (06:53 +1300)]
s4-torture: Reduce flapping in SambaToolDrsTests.test_samba_tool_replicate_local
This test often flaps in Samba 4.9 (where more tests and DCs run in the environment)
with obj_1 being 3. This is quite OK, we just need to see some changes get
replicated, not 0 changes.
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 4ae0f9ce0f5ada99cf1d236377e5a1234c879ae3)
Andrew Bartlett [Tue, 29 Oct 2019 22:50:57 +0000 (11:50 +1300)]
CVE-2019-14861: Test to demonstrate the bug
This test does not fail every time, but when it does it casues a segfault which
takes out the rpc_server master process, as this hosts the dnsserver pipe.
Andrew Bartlett [Tue, 29 Oct 2019 01:15:36 +0000 (14:15 +1300)]
CVE-2019-14861: s4-rpc/dnsserver: Avoid crash in ldb_qsort() via dcesrv_DnssrvEnumRecords)
dns_name_compare() had logic to put @ and the top record in the tree being
enumerated first, but if a domain had both then this would break the
older qsort() implementation in ldb_qsort() and cause a read of memory
before the base pointer.
By removing this special case (not required as the base pointer
is already seperatly located, no matter were it is in the
returned records) the crash is avoided.
Karolin Seeger [Thu, 24 Oct 2019 10:13:36 +0000 (12:13 +0200)]
VERSION: Disable GIT_SNAPSHOT for the 4.10.10 release.
* Bug 14071: CVE-2019-10218: Client code can return filenames containing path
separators.
* Bug 12438: CVE-2019-14833: Samba AD DC check password script does not receive
the full password.
* Bug 14040: CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP
server via dirsync.
Karolin Seeger [Thu, 24 Oct 2019 10:11:30 +0000 (12:11 +0200)]
WHATSNEW: Add release notes for Samba 4.10.10.
* Bug 14071: CVE-2019-10218: Client code can return filenames containing path
separators.
* Bug 12438: CVE-2019-14833: Samba AD DC check password script does not receive
the full password.
* Bug 14040: CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP
server via dirsync.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
(cherry picked from commit 23f72c4d712f8d1fec3d67a66d477709d5b0abe2)
Björn Baumbach [Tue, 6 Aug 2019 14:32:32 +0000 (16:32 +0200)]
CVE-2019-14833 dsdb: send full password to check password script
utf8_len represents the number of characters (not bytes) of the
password. If the password includes multi-byte characters it is required
to write the total number of bytes to the check password script.
Otherwise the last bytes of the password string would be ignored.
Therefore we rename utf8_len to be clear what it does and does
not represent.
Pair-Programmed-With: Isaac Boukris <iboukris@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org> Signed-off-by: Isaac Boukris <iboukris@redhat.com> Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 123584294cfd153acc2d9a5be9d71c395c847a25)
Autobuild-User(v4-10-test): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(v4-10-test): Wed Oct 16 16:43:59 UTC 2019 on sn-devel-144
lib:krb5_wrap: Do not create a temporary file for MEMORY keytabs
The autobuild cleanup script fails with:
The tree has 3 new uncommitted files!!!
git clean -n
Would remove MEMORY:tmp_smb_creds_SK98Lv
Would remove MEMORY:tmp_smb_creds_kornU6
Would remove MEMORY:tmp_smb_creds_ljR828
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit d888655244b4d8ec7a69a042e0ff3c074585b0de)
Signed-off-by: Isaac Boukris <iboukris@redhat.com> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Sat Oct 12 15:51:42 UTC 2019 on sn-devel-184
Signed-off-by: Isaac Boukris <iboukris@redhat.com> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Isaac Boukris <iboukris@redhat.com> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Isaac Boukris <iboukris@redhat.com> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Pair-Programmed-With: Isaac Boukris <iboukris@redhat.com> Reviewed-by: Andreas Schneider <asn@samba.org> Signed-off-by: Andreas Schneider <asn@samba.org> Signed-off-by: Isaac Boukris <iboukris@redhat.com> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Isaac Boukris [Thu, 3 Oct 2019 10:09:29 +0000 (13:09 +0300)]
spnego: ignore server mech_types list
We should not use the mech list sent by the server in the last
'negotiate' packet in CIFS protocol, as it is not protected and
may be subject to downgrade attacks.
Signed-off-by: Isaac Boukris <iboukris@redhat.com> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
testprogs: Add test for 'net ads join createcomputer='
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Oct 9 08:26:17 UTC 2019 on sn-devel-184
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit 39b8c8b30a5d5bd70f8da3a02cf77f7592788b94)
s3:libads: Don't set supported encryption types during account creation
This is already handled by libnet_join_post_processing_ads_modify()
which calls libnet_join_set_etypes() if encrytion types should be set.
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit b755a6438022579dab1a403c81d60b1ed7efca38)
s3:libads: Fix detection if acount already exists in ads_find_machine_count()
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit 4f389c1f78cdc2424795e3b2a1ce43818c400c2d)
s3:libads: Use a talloc_asprintf in ads_find_machine_acct()
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit 35f3e4aed1f1c2ba1c8dc50921f238937f343357)
s3:libads: Cleanup error code paths in ads_create_machine_acct()
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit 8ed993789f93624b7b60dd5314fe5472e69e903a)
s3:libnet: Require sealed LDAP SASL connections for joining
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit b84abb3a46211dc84e52ef95750627e4dd081f2f)
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit 456322a61319a10aaedda5244488ea4e5aa5cb64)
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit 320b5be4dce95d8dac4b3c0847faf5b730754a37)
Jeremy Allison [Thu, 3 Oct 2019 21:02:13 +0000 (14:02 -0700)]
s3: smbclient: Stop an SMB2-connection from blundering into SMB1-specific calls.
Fix in the same way this was done in SMBC_opendir_ctx() for libsmbclient.
This fix means the admin no longer has to remember to set 'min client protocol ='
when connecting to an SMB2-only server (MacOSX for example) and trying to
list shares.
Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit ea82bca8cef0d736305a7a40b3198fc55ea66af8)
Signed-off-by: Isaac Boukris <iboukris@gmail.com> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit 7259197bf716f8b81dea74beefe6ee3b1239f172)
Signed-off-by: Isaac Boukris <iboukris@gmail.com> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit d473f1e38c2822746030516269b4d70032cf9b2e)
waf:replace: Do not link against libpthread if not necessary
On Linux we should avoid linking everything against libpthread. Symbols
used my most application are provided by glibc and code which deals with
threads has to explicitly link against libpthread. This avoids setting
LDFLAGS=-pthread globally.
pthreadpool: Only link pthreadpool against librt if we have to
This calls clock_gettime() which is available in glibc on Linux. If the
wscript in libreplace detected that librt is needed for clock_gettime()
we have to link against it.
fdatasync() and clock_gettime() are provided by glibc on Linux, so there
is no need to link against librt. Checks have been added so if there are
platforms which require it are still functional.
This functionality was undone as part of "winbind: Restructure get_pwsid"
https://git.samba.org/?p=samba.git;a=commitdiff;h=bce19a6efe11980933531f0349c8f5212419366a
I think that this semantic change was accidential.
This patch undoes the semantic change and re-establishes the
functionality.
Signed-off-by: Michael Adam <obnox@samba.org> Reviewed-by: Christof Schmitt <cs@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Christof Schmitt <cs@samba.org>
Autobuild-Date(master): Fri Sep 27 17:25:29 UTC 2019 on sn-devel-184
ID_TYPE_BOTH means that each user and group has two mappings, a uid and
gid. In addition the calls to getpwent, getpwuid, getgrent and getgrgid
always return some information, so that uid and gid can be mapped to a
name. Establish a test to verify that the expected information is
returned.
s3:libads: ads_krb5_chg_password() should always use the canonicalized principal
We should always use krb5_get_init_creds_opt_set_canonicalize()
and krb5_get_init_creds_opt_set_win2k() for heimdal
and expect the client principal to be changed.
There's no reason to have a different logic between MIT and Heimdal.
s4:auth: kinit_to_ccache() should always use the canonicalized principal
We should always use krb5_get_init_creds_opt_set_canonicalize()
and krb5_get_init_creds_opt_set_win2k() for heimdal
and expect the client principal to be changed.
There's no reason to have a different logic between MIT and Heimdal.
krb5_wrap: smb_krb5_kinit_password_ccache() should always use the canonicalized principal
We should always use krb5_get_init_creds_opt_set_canonicalize()
and krb5_get_init_creds_opt_set_win2k() for heimdal
and expect the client principal to be changed.
There's no reason to have a different logic between MIT and Heimdal.
s3:libads/kerberos: always use the canonicalized principal after kinit
We should always use krb5_get_init_creds_opt_set_canonicalize()
and krb5_get_init_creds_opt_set_win2k() for heimdal
and expect the client principal to be changed.
There's no reason to have a different logic between MIT and Heimdal.
s4:auth: use the correct client realm in gensec_gssapi_update_internal()
The function gensec_gssapi_client_creds() may call kinit and gets
a TGT for the user. The principal provided by the user may not
be canonicalized. The user may use 'given.last@example.com'
but that may be mapped to glast@AD.EXAMPLE.PRIVATE in the background.
It means we should use client_realm = AD.EXAMPLE.PRIVATE
instead of client_realm = EXAMPLE.COM
Noel Power [Thu, 8 Aug 2019 14:06:28 +0000 (15:06 +0100)]
s3/libads: clang: Fix Value stored to 'canon_princ' is never read
Fixes:
source3/libads/kerberos.c:192:2: warning: Value stored to 'canon_princ' is never read <--[clang]
canon_princ = me;
^ ~~
1 warning generated.
Signed-off-by: Noel Power <noel.power@suse.com> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
(cherry picked from commit 52d20087f620704549f5a5cdcbec79cb08a36290)
Signed-off-by: Bryan Mason <bmason@redhat.com> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Sep 18 12:31:11 UTC 2019 on sn-devel-184
Jeremy Allison [Mon, 26 Aug 2019 18:22:35 +0000 (11:22 -0700)]
s3/4: libsmbclient test. Test using smbc_telldir/smbc_lseekdir with smbc_readdir/smbc_readdirplus/smbc_getdents.
Ensure that for file access you can mix any of these
three access methods for directory entries and the
returned names/structs stay in sync across telldir/seekdir
changes.
Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Sep 3 17:31:29 UTC 2019 on sn-devel-184
projects / thirdparty / samba.git / log
