]>
git.ipfire.org Git - thirdparty/samba.git/log
Stefan Metzmacher [Mon, 21 Dec 2015 09:27:33 +0000 (10:27 +0100)]
CVE-2016-2112: selftest: servers with explicit "ldap server require strong auth" optionsSigned-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
Stefan Metzmacher [Sat, 26 Mar 2016 17:07:02 +0000 (18:07 +0100)]
CVE-2016-2112: s4:selftest: run samba4.ldap.bind against fl2008r2dcSigned-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
Stefan Metzmacher [Fri, 28 Aug 2015 10:19:37 +0000 (12:19 +0200)]
CVE-2016-2112: s4:ldap_server: implement "ldap server require strong auth" optionSigned-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
Ralph Boehme [Fri, 18 Mar 2016 08:09:46 +0000 (09:09 +0100)]
CVE-2016-2112(<=4.3): docs-xml: add "ldap server require strong auth" optionSigned-off-by: Ralph Boehme <slow@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Mon, 21 Dec 2015 11:03:56 +0000 (12:03 +0100)]
CVE-2016-2112: docs-xml: add "ldap server require strong auth" optionSigned-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Fri, 18 Dec 2015 11:45:56 +0000 (12:45 +0100)]
CVE-2016-2112: s4:ldap_server: reduce scope of old_session_info variableSigned-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Fri, 18 Dec 2015 10:56:29 +0000 (11:56 +0100)]
CVE-2016-2112: s4:selftest: use --option=clientldapsaslwrapping=plain for plain connectionsSigned-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Fri, 18 Dec 2015 07:29:50 +0000 (08:29 +0100)]
CVE-2016-2112: s4:libcli/ldap: auto upgrade to SIGN after STRONG_AUTH_REQUIREDSigned-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Fri, 18 Dec 2015 07:29:50 +0000 (08:29 +0100)]
CVE-2016-2112: s4:libcli/ldap: make sure we detect downgrade attacksSigned-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Fri, 18 Dec 2015 07:29:50 +0000 (08:29 +0100)]
CVE-2016-2112: s4:libcli/ldap: honour "client ldap sasl wrapping" optionSigned-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Thu, 24 Mar 2016 14:50:49 +0000 (15:50 +0100)]
CVE-2016-2112: s3:libads: make sure we detect downgrade attacksSigned-off-by: Stefan Metzmacher <metze@samba.org> Signed-off-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Tue, 15 Mar 2016 20:59:42 +0000 (21:59 +0100)]
CVE-2016-2111: docs-xml/smbdotconf: default "raw NTLMv2 auth" to "no"Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
Stefan Metzmacher [Sat, 26 Mar 2016 21:08:38 +0000 (22:08 +0100)]
CVE-2016-2111: selftest:Samba3: use "raw NTLMv2 auth = yes" for nt4_dcSigned-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
Stefan Metzmacher [Tue, 1 Mar 2016 09:25:54 +0000 (10:25 +0100)]
CVE-2016-2111: s4:smb_server: implement "raw NTLMv2 auth" checksSigned-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Tue, 1 Mar 2016 09:25:54 +0000 (10:25 +0100)]
CVE-2016-2111: s3:auth: implement "raw NTLMv2 auth" checksSigned-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Tue, 15 Mar 2016 20:02:34 +0000 (21:02 +0100)]
CVE-2016-2111(<=4.3): docs-xml: add "raw NTLMv2 auth" defaulting to "yes"Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Tue, 15 Mar 2016 20:02:34 +0000 (21:02 +0100)]
CVE-2016-2111: docs-xml: add "raw NTLMv2 auth" defaulting to "yes"Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Sun, 27 Mar 2016 00:09:05 +0000 (01:09 +0100)]
CVE-2016-2111: docs-xml: document the new "client NTLMv2 auth" and "client use spnego" interactionSigned-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
Stefan Metzmacher [Sat, 26 Mar 2016 17:08:16 +0000 (18:08 +0100)]
CVE-2016-2111: s3:libsmb: don't send a raw NTLMv2 response when we want to use spnegoSigned-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
Stefan Metzmacher [Sat, 26 Mar 2016 17:08:16 +0000 (18:08 +0100)]
CVE-2016-2111: s4:libcli: don't send a raw NTLMv2 response when we want to use spnegoSigned-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
Stefan Metzmacher [Sat, 26 Mar 2016 17:08:16 +0000 (18:08 +0100)]
CVE-2016-2111: s4:param: use "client use spnego" to initialize options->use_spnegoSigned-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
Stefan Metzmacher [Sat, 26 Mar 2016 17:08:16 +0000 (18:08 +0100)]
CVE-2016-2111: s4:libcli: don't allow the LANMAN2 session setup without "client lanman auth = yes"Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
Stefan Metzmacher [Sat, 26 Mar 2016 21:24:23 +0000 (22:24 +0100)]
CVE-2016-2111: s4:torture/base: don't use ntlmv2 for dos connection in base.samba3errorSigned-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
Stefan Metzmacher [Sat, 26 Mar 2016 21:24:23 +0000 (22:24 +0100)]
CVE-2016-2111: s4:torture/raw: don't use ntlmv2 for dos connection in raw.samba3badpathSigned-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
Stefan Metzmacher [Wed, 9 Dec 2015 12:12:43 +0000 (13:12 +0100)]
CVE-2016-2111: s3:rpc_server/netlogon: check NTLMv2_RESPONSE values for SEC_CHAN_WKSTASigned-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Wed, 9 Dec 2015 12:12:43 +0000 (13:12 +0100)]
CVE-2016-2111: s4:rpc_server/netlogon: check NTLMv2_RESPONSE values for SEC_CHAN_WKSTASigned-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Tue, 23 Feb 2016 18:08:31 +0000 (19:08 +0100)]
CVE-2016-2111: libcli/auth: add NTLMv2_RESPONSE_verify_netlogon_creds() helper functionSigned-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Sat, 12 Dec 2015 21:23:18 +0000 (22:23 +0100)]
CVE-2016-2111: s4:torture/rpc: fix rpc.pac ntlmv2 testSigned-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Sat, 12 Dec 2015 21:23:18 +0000 (22:23 +0100)]
CVE-2016-2111: s4:torture/rpc: fix rpc.samba3.netlogon ntlmv2 testSigned-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Fri, 7 Aug 2015 11:33:17 +0000 (13:33 +0200)]
CVE-2016-2111: s3:rpc_server/netlogon: require DCERPC_AUTH_LEVEL_PRIVACY for validation level 6Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Fri, 7 Aug 2015 11:33:17 +0000 (13:33 +0200)]
CVE-2016-2111: s4:rpc_server/netlogon: require DCERPC_AUTH_LEVEL_PRIVACY for validation level 6Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
Günther Deschner [Fri, 25 Sep 2015 23:29:10 +0000 (01:29 +0200)]
CVE-2016-2111: s3:rpc_server/netlogon: always go through netr_creds_server_step_check()Signed-off-by: Guenther Deschner <gd@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Wed, 9 Mar 2016 14:31:23 +0000 (15:31 +0100)]
CVE-2016-2111: s4:rpc_server: implement 'server schannel = yes' restrictionSigned-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Tue, 15 Dec 2015 14:10:20 +0000 (15:10 +0100)]
CVE-2016-2111: auth/gensec: correctly report GENSEC_FEATURE_{SIGN,SEAL} in schannel_have_feature()Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Tue, 15 Dec 2015 14:11:32 +0000 (15:11 +0100)]
CVE-2016-2111: auth/gensec: require DCERPC_AUTH_LEVEL_INTEGRITY or higher in schannel_update()Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Thu, 19 Nov 2015 15:26:49 +0000 (16:26 +0100)]
CVE-2016-2110: auth/ntlmssp: implement new_spnego support including MIC generation (as client)Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Thu, 19 Nov 2015 15:02:58 +0000 (16:02 +0100)]
CVE-2016-2110(<=4.2): auth/ntlmssp: implement new_spnego support including MIC checking (as server)Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Thu, 19 Nov 2015 15:02:58 +0000 (16:02 +0100)]
CVE-2016-2110: auth/ntlmssp: implement new_spnego support including MIC checking (as server)Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Mon, 30 Nov 2015 08:13:14 +0000 (09:13 +0100)]
CVE-2016-2110: ntlmssp.idl: add NTLMSSP_MIC_{OFFSET,SIZE}Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Fri, 20 Nov 2015 08:31:35 +0000 (09:31 +0100)]
CVE-2016-2110: libcli/auth: pass server_timestamp to SMBNTLMv2encrypt_hash()Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Fri, 20 Nov 2015 08:29:11 +0000 (09:29 +0100)]
CVE-2016-2110(<=4.2): auth/credentials: pass server_timestamp to cli_credentials_get_ntlm_response()Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Fri, 20 Nov 2015 08:29:11 +0000 (09:29 +0100)]
CVE-2016-2110: auth/credentials: pass server_timestamp to cli_credentials_get_ntlm_response()Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Tue, 24 Nov 2015 20:24:47 +0000 (21:24 +0100)]
CVE-2016-2110: auth/credentials: clear the LMv2 key for NTLMv2 in cli_credentials_get_ntlm_response()Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Tue, 17 Dec 2013 10:49:31 +0000 (11:49 +0100)]
CVE-2016-2110: auth/ntlmssp: implement gensec_ntlmssp_may_reset_crypto()Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Mon, 16 Dec 2013 10:27:27 +0000 (11:27 +0100)]
CVE-2016-2110: auth/ntlmssp: call ntlmssp_sign_init if we provide GENSEC_FEATURE_SIGNSigned-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Tue, 17 Dec 2013 10:49:31 +0000 (11:49 +0100)]
CVE-2016-2110: auth/gensec: add gensec_may_reset_crypto() infrastructureSigned-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Tue, 24 Nov 2015 19:13:24 +0000 (20:13 +0100)]
CVE-2016-2110: auth/gensec: require spnego mechListMIC exchange for new_spnego backendsSigned-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Fri, 20 Nov 2015 10:42:55 +0000 (11:42 +0100)]
CVE-2016-2110: auth/gensec: fix the client side of a spnego downgradeSigned-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Fri, 20 Nov 2015 10:42:55 +0000 (11:42 +0100)]
CVE-2016-2110: auth/gensec: fix the client side of a new_spnego exchangeSigned-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Tue, 17 Dec 2013 11:42:35 +0000 (12:42 +0100)]
CVE-2016-2110: libcli/auth: add SPNEGO_REQUEST_MIC to enum spnego_negResultSigned-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Tue, 17 Dec 2013 11:42:06 +0000 (12:42 +0100)]
CVE-2016-2110: libcli/auth: use enum spnego_negResult instead of uint8_tSigned-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Fri, 20 Nov 2015 13:06:18 +0000 (14:06 +0100)]
CVE-2016-2110: winbindd: add new_spnego to the WINBINDD_CCACHE_NTLMAUTH responseSigned-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Tue, 1 Dec 2015 13:54:13 +0000 (14:54 +0100)]
CVE-2016-2110: auth/ntlmssp: let gensec_ntlmssp_client_start require NTLM2 (EXTENDED_SESSIONSECURITY) when using ntlmv2Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Tue, 1 Dec 2015 13:54:13 +0000 (14:54 +0100)]
CVE-2016-2110: auth/ntlmssp: let gensec_ntlmssp_client_start require flags depending on the requested featuresSigned-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Tue, 1 Dec 2015 14:06:09 +0000 (15:06 +0100)]
CVE-2016-2110: auth/ntlmssp: don't let ntlmssp_handle_neg_flags() change ntlmssp_state->use_ntlmv2Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Tue, 1 Dec 2015 14:01:09 +0000 (15:01 +0100)]
CVE-2016-2110: auth/ntlmssp: don't allow a downgrade from NTLMv2 to LM_AUTHSigned-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Tue, 1 Dec 2015 13:58:19 +0000 (14:58 +0100)]
CVE-2016-2110: auth/ntlmssp: split allow_lm_response from allow_lm_keySigned-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Tue, 1 Dec 2015 10:01:24 +0000 (11:01 +0100)]
CVE-2016-2110: auth/ntlmssp: maintain conf_flags and required_flags variablesSigned-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Tue, 1 Dec 2015 07:46:45 +0000 (08:46 +0100)]
CVE-2016-2110: auth/ntlmssp: let ntlmssp_handle_neg_flags() return NTSTATUSSigned-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Mon, 21 Mar 2016 22:07:12 +0000 (23:07 +0100)]
CVE-2016-2110(<=4.2): s4:winbind: implement the WBFLAG_BIG_NTLMV2_BLOB flagSigned-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Mon, 21 Mar 2016 18:41:53 +0000 (19:41 +0100)]
s3:ntlm_auth: pass manage_squid_request() needs a valid struct ntlm_auth_state from within get_password()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Mar 22 19:20:38 CET 2016 on sn-devel-144
(cherry picked from commit
ef1ad0e122659b5ff9097f0f7046f10fc2f3ec30 )
Stefan Metzmacher [Sun, 28 Feb 2016 22:32:50 +0000 (23:32 +0100)]
s3:rpc_server/samr: correctly handle session_extract_session_key() failures
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
0906d61bb2f3446483d82928b55f5b797bac4804 )
Stefan Metzmacher [Fri, 18 Dec 2015 14:30:00 +0000 (15:30 +0100)]
s4:selftest: run rpc.netlogon.admin also over ncalrpc and ncacn_ip_tcp
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Mar 18 12:39:51 CET 2016 on sn-devel-144
(cherry picked from commit
e8e2386bf6bd05c60a0f897587a9a676c86dee76 )
Volker Lendecke [Tue, 15 Mar 2016 19:34:27 +0000 (20:34 +0100)]
libads: Fix CID
1356316 Uninitialized pointer read
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
dcaa88158e6f0a9964ad051b4062d82e9f279b8c )
Volker Lendecke [Tue, 15 Mar 2016 20:00:30 +0000 (21:00 +0100)]
libsmb: Fix CID
1356312 Explicit null dereferenced
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
f50c3fb1c58700522f1b742539dab9bd9ae7fd39 )
Günther Deschner [Sat, 26 Sep 2015 00:20:50 +0000 (02:20 +0200)]
s3-auth: check for return code of cli_credentials_set_machine_account().
Guenther
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Mar 17 20:43:19 CET 2016 on sn-devel-144
(cherry picked from commit
c06058a99be4cf3ad3431dc263d4595ffc226fcf )
Günther Deschner [Sat, 26 Sep 2015 00:18:44 +0000 (02:18 +0200)]
s4-smb_server: check for return code of cli_credentials_set_machine_account().
We keep anonymous server_credentials structure in order to let
the rpc.spoolss.notify start it's test server.
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Günther Deschner <gd@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
fe93a09889a854d7c93f9b349d5794bdbb9403ba )
Stefan Metzmacher [Fri, 26 Jun 2015 06:10:46 +0000 (08:10 +0200)]
s4:rpc_server: require access to the machine account credentials
Even a standalone server should be selfjoined.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit
31f07d05629bc05ef99edc86ad2a3e95ec8599f1 )
Stefan Metzmacher [Tue, 15 Dec 2015 14:08:43 +0000 (15:08 +0100)]
auth/gensec: split out a gensec_verify_dcerpc_auth_level() function
We only need this logic once.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit
57946ac7c19c4e9bd8893c3acb9daf7c4bd02159 )
Stefan Metzmacher [Fri, 10 Jul 2015 11:01:47 +0000 (13:01 +0200)]
auth/gensec: make sure gensec_security_by_auth_type() returns NULL for AUTH_TYPE_NONE
ops->auth_type == 0, means the backend doesn't support DCERPC.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit
cc3dea5a8104eef2cfd1f8c05e25da186c334320 )
Stefan Metzmacher [Fri, 11 Mar 2016 01:55:30 +0000 (02:55 +0100)]
s4:torture/rpc/schannel: don't use validation level 6 without privacy
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit
733ccd13209c20f8e76ae7b47e1741791c1cd6ba )
Stefan Metzmacher [Fri, 11 Mar 2016 17:09:26 +0000 (18:09 +0100)]
s4:torture/rpc: correctly use torture_skip() for test_ManyGetDCName() without NCACN_NP
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit
50581689d924032de1765ec884dbd160652888be )
Stefan Metzmacher [Mon, 14 Mar 2016 00:56:07 +0000 (01:56 +0100)]
s4:torture/rpc/samlogon: use DCERPC_SEAL for netr_LogonSamLogonEx and validation level 6
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit
050a1d0653716fd7c166d35a7236a014bf1d1516 )
Stefan Metzmacher [Thu, 10 Mar 2016 16:24:03 +0000 (17:24 +0100)]
s4:torture/rpc/samr: use DCERPC_SEAL in setup_schannel_netlogon_pipe()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit
26e5ef68188d2e44d42f75ed6aabf2557c9ce5ce )
Stefan Metzmacher [Tue, 22 Dec 2015 11:10:12 +0000 (12:10 +0100)]
s4:torture/netlogon: add/use test_SetupCredentialsPipe() helper function
This create a schannel connection to netlogon, this makes the tests
more realistic.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(similar to commit
1a7d8b8602a687ff6eef45f15f597694e94e14b1 )
Stefan Metzmacher [Tue, 22 Dec 2015 08:13:46 +0000 (09:13 +0100)]
s3:test_rpcclient_samlogon.sh: test samlogon with schannel
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit
f9a1915238dc7a573c58dd8c7bac3637689af265 )
Stefan Metzmacher [Fri, 18 Dec 2015 06:10:06 +0000 (07:10 +0100)]
s3:selftest: rpc.samr.passwords.validate should run with [seal] in order to be realistic
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(similar to commit
2c36501640207604a5c66fb582c2d5981619147e )
Stefan Metzmacher [Sat, 9 Jan 2016 20:21:25 +0000 (21:21 +0100)]
selftest: setup information of new samba.example.com CA in the client environment
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit
b00c38afc6203f1e1f566db31a63cedba632dfab )
Stefan Metzmacher [Sat, 9 Jan 2016 20:21:25 +0000 (21:21 +0100)]
selftest: set tls crlfile if it exist
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit
b2c0f71db026353060ad47fd0a85241a3df8c703 )
Stefan Metzmacher [Sat, 9 Jan 2016 20:21:25 +0000 (21:21 +0100)]
selftest: use Samba::prepare_keyblobs() and use the certs from the new CA
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(similar to commit
c321a59f267d1a997eff6f864a79437ef759adeb )
Stefan Metzmacher [Sat, 9 Jan 2016 20:21:25 +0000 (21:21 +0100)]
selftest: add Samba::prepare_keyblobs() helper function
This copies the certificates from the samba.example.com CA if they
exist.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit
a6447fd6d010b525d235b894d5be62c807922cb5 )
Stefan Metzmacher [Sat, 9 Jan 2016 00:06:05 +0000 (01:06 +0100)]
selftest: mark commands in manage-CA-samba.example.com.sh as DONE
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(similar to commit
2a96885ac706ae3e7c6fd7aaff0215f3f171bc27 )
Stefan Metzmacher [Sat, 9 Jan 2016 00:09:31 +0000 (01:09 +0100)]
selftest: add CA-samba.example.com (non-binary) files
The binary files will follow in the next, this allows the next
commit to be skipped as the binary files are not used by samba yet.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(similar to commit
520c85a15fa1f4718e2e793303327abea22db149 )
Stefan Metzmacher [Sat, 9 Jan 2016 00:08:02 +0000 (01:08 +0100)]
selftest: add config and script to create a samba.example.com CA
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit
bdc1f036a8a66256afe8dc88f8a9dc47655640bd )
Stefan Metzmacher [Sat, 9 Jan 2016 00:06:05 +0000 (01:06 +0100)]
selftest: add some helper scripts to mange a CA
This is partly based on the SmartCard HowTo from:
https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit
b0bdbeeef44259782c9941b5cfff7d4925e1f2f2 )
Stefan Metzmacher [Sat, 16 Jan 2016 12:57:47 +0000 (13:57 +0100)]
selftest: s!plugindc.samba.example.com!plugindom.samba.example.com!
It's confusing to have plugindc.samba.example.com as domain name
and plugindc.plugindc.samba.example.com as hostname.
We now have plugindom.samba.example.com as domain name
and plugindc.plugindom.samba.example.com as hostname.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(similar to commit
c561a42ff68bc4561147839e3a65951924f6af21 )
Stefan Metzmacher [Tue, 10 Nov 2015 09:25:10 +0000 (10:25 +0100)]
s4:rpc_server: dcesrv_generic_session_key should only work on local transports
This matches modern Windows servers.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Mar 10 10:15:21 CET 2016 on sn-devel-144
(cherry picked from commit
645e777b0aca7d997867e0b3f0b48bfb138cc25c )
Stefan Metzmacher [Fri, 26 Feb 2016 15:41:10 +0000 (16:41 +0100)]
s4:rpc_server/samr: hide a possible NO_USER_SESSION_KEY error
Windows servers doesn't return the raw NT_STATUS_NO_USER_SESSION_KEY
error, but return WRONG_PASSWORD or even hide the error by using a random
session key, that results in an invalid, unknown, random NTHASH.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
58b33896b65c5b51486eaf01f5f935ace2369fd0 )
Stefan Metzmacher [Tue, 10 Nov 2015 09:25:10 +0000 (10:25 +0100)]
s4:librpc/rpc: dcerpc_generic_session_key() should only be available on local transports
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(similar to commit
5a397216d40ff18fd1c0980cd9b7b7c0a970bbbb )
Stefan Metzmacher [Tue, 15 Dec 2015 21:44:24 +0000 (22:44 +0100)]
s4:torture:samba3rpc: use an authenticated SMB connection and an anonymous DCERPC connection on top
This is the only way to get a reliable transport session key.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
af8c4ebf9be314ddd13ef9ca17a0237927dd2ede )
Stefan Metzmacher [Fri, 18 Dec 2015 19:18:42 +0000 (20:18 +0100)]
s4:selftest: run rpc.samr over ncacn_np instead of ncacn_ip_tcp
It requires a transport session key, which is only reliable available
over SMB.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
f699eb3b1a0660ace3ca99d3f3b5d79ed5537c80 )
Stefan Metzmacher [Mon, 29 Feb 2016 06:47:39 +0000 (07:47 +0100)]
s4:torture: the backupkey tests need to use ncacn_np: for LSA calls
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(similar to commit
c793b23ddb7c048110bc4718574e5b99d5bbcfae )
Stefan Metzmacher [Thu, 17 Dec 2015 07:55:03 +0000 (08:55 +0100)]
s4:torture/rpc: do testjoin only via ncalrpc or ncacn_np
ncacn_ip_tcp doesn't have the required session key.
It used to be the wellknown "SystemLibraryDTC" constant,
but that's not available in modern systems anymore.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
0400f301e3bcf495748cff009755426a040596fa )
Stefan Metzmacher [Wed, 2 Mar 2016 06:27:41 +0000 (07:27 +0100)]
s3:libsmb: remove unused functions in clispnego.c
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(similar to commit
14335018229801dd6d2b18f8d19ab5b45b8394fc )
Stefan Metzmacher [Wed, 2 Mar 2016 06:27:16 +0000 (07:27 +0100)]
s3:libsmb: remove unused cli_session_setup_kerberos*() functions
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(similar to commit
95b953950d1fd454121ff23a43a8b13a34385ef1 )
Stefan Metzmacher [Wed, 2 Mar 2016 13:58:30 +0000 (14:58 +0100)]
s3:libsmb: make use of cli_session_setup_gensec*() for Kerberos
This pares a fix for https://bugzilla.samba.org/show_bug.cgi?id=10288
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
0e1b2ebf884c6f2033b3b9aa7b6f72af54a716b2 )
Stefan Metzmacher [Wed, 2 Mar 2016 13:35:21 +0000 (14:35 +0100)]
s3:libsmb: call cli_state_remote_realm() within cli_session_setup_spnego_send()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
907e2b1f665cdafc863f4702ede5dcf16e6cc269 )
Stefan Metzmacher [Tue, 1 Mar 2016 14:47:11 +0000 (15:47 +0100)]
s3:libsmb: provide generic cli_session_setup_gensec_send/recv() pair
It will be possible to use this for more than just NTLMSSP in future.
This prepares a fix for https://bugzilla.samba.org/show_bug.cgi?id=10288
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
285c342f01a6e9a892f03360f8d2d0097e7a41cb )
Stefan Metzmacher [Tue, 1 Mar 2016 17:31:50 +0000 (18:31 +0100)]
s3:libsmb: let cli_session_setup_ntlmssp*() use gensec_update_send/recv()
This pares a fix for https://bugzilla.samba.org/show_bug.cgi?id=10288
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
576257f6e1488a623306dc368c806e218b1fcdf2 )
Stefan Metzmacher [Wed, 9 Dec 2015 10:49:37 +0000 (11:49 +0100)]
s3:libsmb: unused ntlmssp.c
Everything uses the top level ntlmssp code via gensec now.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
afffe797547a97ec839913e1ca89045989bbea49 )
projects / thirdparty / samba.git / log
