git.ipfire.org Git - thirdparty/samba.git/log
4 years ago s3: smbd: Use state->short_case_preserve instead of state->conn->short_case_preserve.
Jeremy Allison [Fri, 15 Oct 2021 19:08:25 +0000 (12:08 -0700)] 
s3: smbd: Use state->short_case_preserve instead of state->conn->short_case_preserve.

No logic changes.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
4 years ago s3: smbd: Use state->case_preserve instead of state->conn->case_preserve.
Jeremy Allison [Fri, 15 Oct 2021 19:07:05 +0000 (12:07 -0700)] 
s3: smbd: Use state->case_preserve instead of state->conn->case_preserve.

No logic change.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
4 years ago s3: smbd: Use state->case_sensitive instead of state->conn->case_sensitive.
Jeremy Allison [Fri, 15 Oct 2021 19:02:33 +0000 (12:02 -0700)] 
s3: smbd: Use state->case_sensitive instead of state->conn->case_sensitive.

No logic change.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
4 years ago s3: smbd: Add case_sensitive, case_preserve, short_case_preserve to state struct.
Jeremy Allison [Fri, 15 Oct 2021 18:59:56 +0000 (11:59 -0700)] 
s3: smbd: Add case_sensitive, case_preserve, short_case_preserve to state struct.

Not yet used.

This allows them to be independent of conn settings on
a handle-basis for posix.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
4 years ago s3: smbd: Ensure normalize_filename_case() doesn't modify posix names.
Jeremy Allison [Fri, 15 Oct 2021 18:54:38 +0000 (11:54 -0700)] 
s3: smbd: Ensure normalize_filename_case() doesn't modify posix names.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
4 years ago s3: smbd: Add ucf_flags parameter to normalize_filename_case().
Jeremy Allison [Sat, 18 Sep 2021 00:02:06 +0000 (17:02 -0700)] 
s3: smbd: Add ucf_flags parameter to normalize_filename_case().

Not yet used.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
4 years ago s3: smbd: get_real_filename() is actually static to filename.c
Jeremy Allison [Fri, 15 Oct 2021 21:04:07 +0000 (14:04 -0700)] 
s3: smbd: get_real_filename() is actually static to filename.c

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
4 years ago smbd: get rid of get_file_handle_for_metadata()
Ralph Boehme [Mon, 15 Nov 2021 17:04:30 +0000 (18:04 +0100)] 
smbd: get rid of get_file_handle_for_metadata()

This also avoids triggering an assert in get_share_mode_lock(). We already have
a handle, use that one, no need to call get_file_handle_for_metadata().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14907
RN: set_ea_dos_attribute() fallback calling get_file_handle_for_metadata() triggers locking.tdb assert

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Nov 16 18:51:15 UTC 2021 on sn-devel-184

4 years ago CVE-2020-25717: s3:auth: Fallback to a SID/UID based mapping if the named based looku...
Andrew Bartlett [Fri, 12 Nov 2021 03:10:31 +0000 (16:10 +1300)] 
CVE-2020-25717: s3:auth: Fallback to a SID/UID based mapping if the named based lookup fails

Before the CVE-2020-25717 fixes we had a fallback from
getpwnam('DOMAIN\user') to getpwnam('user') which was very dangerous and
unpredictable.

Now we do the fallback based on sid_to_uid() followed by
getpwuid() on the returned uid.

This obsoletes 'username map [script]' based workaround advised
for CVE-2020-25717, when nss_winbindd is not used or
idmap_nss is actually used.

In future we may decide to prefer or only do the SID/UID based
lookup, but for now we want to keep this unchanged as much as possible.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
[metze@samba.org moved the new logic into the fallback codepath only
 in order to avoid behavior changes as much as possible]
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Mon Nov 15 19:01:56 UTC 2021 on sn-devel-184

4 years ago CVE-2020-25717: tests/krb5: Add a test for idmap_nss mapping users to SIDs
Joseph Sutton [Fri, 12 Nov 2021 01:22:47 +0000 (14:22 +1300)] 
CVE-2020-25717: tests/krb5: Add a test for idmap_nss mapping users to SIDs

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
[metze@samba.org removed unused tests for a feature that
 was removed before merging]
Reviewed-by: Ralph Boehme <slow@samba.org>
4 years ago CVE-2020-25717: selftest: turn ad_member_no_nss_wb into ad_member_idmap_nss
Joseph Sutton [Fri, 12 Nov 2021 01:20:45 +0000 (14:20 +1300)] 
CVE-2020-25717: selftest: turn ad_member_no_nss_wb into ad_member_idmap_nss

In reality environments without 'nss_winbind' make use of 'idmap_nss'.

For testing, DOMAIN/bob is mapped to the local 'bob',
while DOMAIN/jane gets the uid based on the local 'jane'
via idmap_nss.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
[metze@samba.org avoid to create a new ad_member_idmap_nss environment
and merge it with ad_member_no_nss_wb instead]
Reviewed-by: Ralph Boehme <slow@samba.org>
4 years ago CVE-2020-25717: nsswitch/nsstest.c: Lower 'non existent uid' to make room for new...
Joseph Sutton [Fri, 12 Nov 2021 07:53:30 +0000 (20:53 +1300)] 
CVE-2020-25717: nsswitch/nsstest.c: Lower 'non existent uid' to make room for new accounts

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
4 years ago CVE-2020-25717: tests/krb5: Add method to automatically obtain server credentials
Joseph Sutton [Fri, 12 Nov 2021 01:14:55 +0000 (14:14 +1300)] 
CVE-2020-25717: tests/krb5: Add method to automatically obtain server credentials

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
4 years ago CVE-2020-25727: idmap_nss: verify that the name of the sid belongs to the configured...
Stefan Metzmacher [Fri, 12 Nov 2021 14:27:58 +0000 (15:27 +0100)] 
CVE-2020-25727: idmap_nss: verify that the name of the sid belongs to the configured domain

We already check the sid belongs to the domain, but checking the name
too feels better and makes it easier to understand.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
4 years ago IPA DC: add missing checks
Alexander Bokovoy [Fri, 12 Nov 2021 17:06:01 +0000 (19:06 +0200)] 
IPA DC: add missing checks

When introducing FreeIPA support, two places were forgotten:

 - schannel gensec module needs to be aware of IPA DC
 - _lsa_QueryInfoPolicy should treat IPA DC as PDC

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14903

Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Sat Nov 13 07:01:26 UTC 2021 on sn-devel-184

4 years ago smbd: Convert ret==false into !ret
Volker Lendecke [Tue, 2 Nov 2021 09:35:35 +0000 (10:35 +0100)] 
smbd: Convert ret==false into !ret

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Nov 11 19:59:03 UTC 2021 on sn-devel-184

4 years ago lib: Use a direct struct initialization
Volker Lendecke [Fri, 5 Nov 2021 10:48:25 +0000 (11:48 +0100)] 
lib: Use a direct struct initialization

Don't init with 0 just to overwrite again. Probably the compiler will
figure that out anyway, but to me this looks cleaner.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years ago smbd: Make sure we don't overwrite tmp_buf
Volker Lendecke [Sun, 7 Nov 2021 18:33:31 +0000 (19:33 +0100)] 
smbd: Make sure we don't overwrite tmp_buf

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years ago smbd: Avoid casts
Volker Lendecke [Fri, 5 Nov 2021 17:52:56 +0000 (18:52 +0100)] 
smbd: Avoid casts

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years ago smbd: Fix typos
Volker Lendecke [Fri, 5 Nov 2021 17:52:40 +0000 (18:52 +0100)] 
smbd: Fix typos

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years ago vfs: Use cp_smb_filename_nostream() in vfswrap_parent_pathname()
Volker Lendecke [Fri, 5 Nov 2021 11:58:58 +0000 (12:58 +0100)] 
vfs: Use cp_smb_filename_nostream() in vfswrap_parent_pathname()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years ago smbd: Move "struct fd_handle" into fd_handle.c
Volker Lendecke [Fri, 5 Nov 2021 11:03:02 +0000 (12:03 +0100)] 
smbd: Move "struct fd_handle" into fd_handle.c

A separate header file is not required here, everything goes through
the API published by fd_handle.c. This makes it harder to include the
fd_handle definition and violate the guarantees.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years ago lib: Slightly tune cp_smb_filename_nostream()
Volker Lendecke [Fri, 5 Nov 2021 10:51:33 +0000 (11:51 +0100)] 
lib: Slightly tune cp_smb_filename_nostream()

Don't talloc_strdup() the stream_name, just to free it again.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years ago libcli4: Remove outdated README file
Volker Lendecke [Sat, 30 Oct 2021 09:45:20 +0000 (11:45 +0200)] 
libcli4: Remove outdated README file

This has not materialized since 2005. We can easily add it once we
create libsmbclient4.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years ago vfs: Fix a few typos
Volker Lendecke [Tue, 2 Nov 2021 10:16:57 +0000 (11:16 +0100)] 
vfs: Fix a few typos

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years ago smbd: Fix a typo
Volker Lendecke [Tue, 2 Nov 2021 10:06:18 +0000 (11:06 +0100)] 
smbd: Fix a typo

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years ago smb.conf.5: Fix a typo for "username map script"
Volker Lendecke [Wed, 10 Nov 2021 15:19:40 +0000 (16:19 +0100)] 
smb.conf.5: Fix a typo for "username map script"

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years ago libsmb: Move cli_qfilename() to its only user in torture.c
Volker Lendecke [Fri, 29 Oct 2021 12:18:02 +0000 (14:18 +0200)] 
libsmb: Move cli_qfilename() to its only user in torture.c

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years ago dbwrap: Remove unused dbwrap_watched_wakeup()
Volker Lendecke [Fri, 22 Oct 2021 11:32:36 +0000 (13:32 +0200)] 
dbwrap: Remove unused dbwrap_watched_wakeup()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years ago lib: Fix a debug typo in g_lock.c
Volker Lendecke [Fri, 22 Oct 2021 15:30:46 +0000 (17:30 +0200)] 
lib: Fix a debug typo in g_lock.c

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years ago libcli: Remove NT_STATUS_INACCESSIBLE_SYSTEM_SHORTCUT error code
Volker Lendecke [Thu, 14 Oct 2021 13:08:55 +0000 (15:08 +0200)] 
libcli: Remove NT_STATUS_INACCESSIBLE_SYSTEM_SHORTCUT error code

This is the same as STATUS_STOPPED_ON_SYMLINK, and this is what also
wireshark displays. Avoid some confusion.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years ago VFS: Fix a typo
Volker Lendecke [Tue, 12 Oct 2021 10:36:16 +0000 (12:36 +0200)] 
VFS: Fix a typo

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years ago libsmb: move reparse_symlink to libcli/smb/
Volker Lendecke [Sun, 24 Oct 2021 18:38:19 +0000 (20:38 +0200)] 
libsmb: move reparse_symlink to libcli/smb/

This will be useful for smbXcli_create to parse the symlink error

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years ago libsmb: Avoid a talloc_stackframe.c dependency
Volker Lendecke [Sun, 24 Oct 2021 13:28:35 +0000 (15:28 +0200)] 
libsmb: Avoid a talloc_stackframe.c dependency

This is simple enough for explicit TALLOC_FREE()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years ago libsmb: Introduce "struct symlink_reparse_struct"
Volker Lendecke [Sun, 24 Oct 2021 13:24:42 +0000 (15:24 +0200)] 
libsmb: Introduce "struct symlink_reparse_struct"

Simplify symlink_reparse_buffer_parse() slightly, failure cleanup
becomes simpler with that, and this struct will be useful elsewhere

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years ago libsmb: Give reparse_symlink.c its own header
Volker Lendecke [Sun, 24 Oct 2021 10:45:23 +0000 (12:45 +0200)] 
libsmb: Give reparse_symlink.c its own header

While there, avoid an "includes.h"

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years ago libcli: "smb_util.h" needs "ntstatus.h"
Volker Lendecke [Sun, 24 Oct 2021 10:44:56 +0000 (12:44 +0200)] 
libcli: "smb_util.h" needs "ntstatus.h"

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years ago libsmb: Remove "trans_oob()" macro
Volker Lendecke [Sun, 24 Oct 2021 10:38:21 +0000 (12:38 +0200)] 
libsmb: Remove "trans_oob()" macro

It was just a 1:1 substitution for smb_buffer_oob()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years ago smbclient: Use cli_checkpath in "cd" command
Volker Lendecke [Tue, 26 Oct 2021 08:14:28 +0000 (10:14 +0200)] 
smbclient: Use cli_checkpath in "cd" command

No need for special qpathinfo_basic code

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years ago libsmb: Use cli_ntcreate in cli_chkpath
Volker Lendecke [Tue, 26 Oct 2021 06:51:16 +0000 (08:51 +0200)] 
libsmb: Use cli_ntcreate in cli_chkpath

cli_ntcreate handles smb2, thus remove cli_smb2_chkpath.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years ago smbd: Remove unused "struct connections_key"
Volker Lendecke [Tue, 26 Oct 2021 11:56:54 +0000 (13:56 +0200)] 
smbd: Remove unused "struct connections_key"

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years ago smbd: Give smbXsrv_open.c its own header file
Volker Lendecke [Tue, 26 Oct 2021 11:48:28 +0000 (13:48 +0200)] 
smbd: Give smbXsrv_open.c its own header file

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years ago docs-xml: Fix smbget manpage
Andreas Schneider [Thu, 11 Nov 2021 13:46:15 +0000 (14:46 +0100)] 
docs-xml: Fix smbget manpage

There is no &stdarg.encrypt anymore.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Thu Nov 11 16:27:12 UTC 2021 on sn-devel-184

4 years ago smbd: reopen logs on SIGHUP for notifyd and cleanupd
Volker Lendecke [Tue, 7 Jul 2020 09:32:46 +0000 (11:32 +0200)] 
smbd: reopen logs on SIGHUP for notifyd and cleanupd

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Nov 11 15:34:28 UTC 2021 on sn-devel-184

4 years ago lib/cmdline: setup default file logging for servers
Ralph Boehme [Mon, 8 Nov 2021 11:09:43 +0000 (12:09 +0100)] 
lib/cmdline: setup default file logging for servers

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14897
RN: samba process doesn't log to logfile

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Thu Nov 11 14:42:13 UTC 2021 on sn-devel-184

4 years ago lib/cmdline: remember config_type in samba_cmdline_init()
Ralph Boehme [Mon, 8 Nov 2021 11:09:16 +0000 (12:09 +0100)] 
lib/cmdline: remember config_type in samba_cmdline_init()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14897

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
4 years ago lib/cmdline: fix indentation
Ralph Boehme [Mon, 8 Nov 2021 11:08:47 +0000 (12:08 +0100)] 
lib/cmdline: fix indentation

s/whitespace/tab/

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14897

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
4 years ago lib/debug: in debug_set_logfile() call reopen_logs_internal()
Ralph Boehme [Mon, 8 Nov 2021 18:41:50 +0000 (19:41 +0100)] 
lib/debug: in debug_set_logfile() call reopen_logs_internal()

This simplifies the logging API for callers that typically would want to set
logging by just setup_logging() once without bothering that typically
configuration is loaded (via some lpcfg_load*() or lp_load*() variant) which
will only then pick up the configured logfile from smb.conf without actually
applying the new logfile to the logging subsystem.

Therefore our daemons will additionally call reopen_logs() explicitly in their
startup code after config is loaded, e.g.

        setup_logging(getprogname(), DEBUG_FILE);
        ...
        lpcfg_load(lp_ctx, config_file);
        ...
        reopen_logs();

By calling reopen_logs_internal() implicitly from debug_set_logfile() there's no
need to call reopen_logs() explicitly anymore to apply the logfile.

As reopen_logs() will also apply other logging configuration options, we have to
keep the explicit calls in the daemon code. But at least this allows consistent
logging setup wrt to the logfile in the new cmdline library.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14897

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
4 years ago lib/debug: fix fd check before dup'ing to stderr
Ralph Boehme [Wed, 10 Nov 2021 13:13:11 +0000 (14:13 +0100)] 
lib/debug: fix fd check before dup'ing to stderr

Before I added per-class logfile and we had only one fd for the logfile the code
looked like this:

        /* Take over stderr to catch output into logs */
        if (state.fd > 0) {
                if (dup2(state.fd, 2) == -1) {
                        /* Close stderr too, if dup2 can't point it -
                           at the logfile.  There really isn't much
                           that can be done on such a fundamental
                           failure... */
                        close_low_fd(2);
                }
        }

In the current code the equivalent to state.fd is dbgc_config[DBGC_ALL].fd.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14897

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
4 years ago winbindd: remove is_default_dyn_LOGFILEBASE() logic
Ralph Boehme [Wed, 10 Nov 2021 17:27:08 +0000 (18:27 +0100)] 
winbindd: remove is_default_dyn_LOGFILEBASE() logic

Handling of -l commandline parameter is already implemented by lib/cmdline/.

is_default_dyn_LOGFILEBASE() == true is the default case and this causes us to
temporarily overwrite the configured logfile with LOGFILEBASE/log.winbindd until
winbindd_reload_services_file() restores it.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14897

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
4 years ago samba-bgqd: fix startup and logging
Ralph Boehme [Thu, 11 Nov 2021 04:23:09 +0000 (05:23 +0100)] 
samba-bgqd: fix startup and logging

Let samba-bgqd use the new POPT_COMMON_DAEMON infrastructure.

The calls to setup_logging() can safely be removed as this is already taken care
of by samba_cmdline_init().

To avoid a logfile basename of ".log" when using "%m", we add a call to
set_remote_machine_name().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14897

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
4 years ago source3: move lib/substitute.c functions out of proto.h
Ralph Boehme [Wed, 10 Nov 2021 19:18:07 +0000 (20:18 +0100)] 
source3: move lib/substitute.c functions out of proto.h

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14897

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
4 years ago auth:creds: Guess the username first via getpwuid(my_id)
Andreas Schneider [Wed, 10 Nov 2021 11:06:51 +0000 (12:06 +0100)] 
auth:creds: Guess the username first via getpwuid(my_id)

If we have a container, we often don't have USER or LOGNAME set.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14883

Tested-by: Anoop C S <anoopcs@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Nov 10 19:11:53 UTC 2021 on sn-devel-184

4 years ago auth:creds: Remove trailing spaces
Andreas Schneider [Wed, 10 Nov 2021 11:01:20 +0000 (12:01 +0100)] 
auth:creds: Remove trailing spaces

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
4 years ago s3:winbindd: fix "allow trusted domains = no" regression
Stefan Metzmacher [Tue, 9 Nov 2021 19:50:20 +0000 (20:50 +0100)] 
s3:winbindd: fix "allow trusted domains = no" regression

add_trusted_domain() should only reject domains
based on is_allowed_domain(), which now also
checks "allow trusted domains = no", if we don't
have an explicit trust to the domain (SEC_CHAN_NULL).

We use at least SEC_CHAN_LOCAL for local domains like
BUILTIN.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14899

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Nov 10 11:21:31 UTC 2021 on sn-devel-184

4 years ago CVE-2021-3738 s4:rpc_server/samr: make use of dcesrv_samdb_connect_as_*() helper
Stefan Metzmacher [Thu, 5 Aug 2021 12:24:40 +0000 (14:24 +0200)] 
CVE-2021-3738 s4:rpc_server/samr: make use of dcesrv_samdb_connect_as_*() helper

This avoids a crash that's triggered by windows clients using
handles from samr_Connect*() across multiple connections within
an association group.

In other cases it is not strictly required, but it makes it easier to audit that
source4/rpc_server no longer calls samdb_connect() directly and also
improves the auditing for the dcesrv_samdb_connect_as_system() case.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Jule Anger <janger@samba.org>
Autobuild-Date(master): Tue Nov  9 20:37:30 UTC 2021 on sn-devel-184

4 years ago CVE-2021-3738 s4:rpc_server/netlogon: make use of dcesrv_samdb_connect_as_*() helper
Stefan Metzmacher [Thu, 5 Aug 2021 13:09:04 +0000 (15:09 +0200)] 
CVE-2021-3738 s4:rpc_server/netlogon: make use of dcesrv_samdb_connect_as_*() helper

This is not strictly required, but it makes it easier to audit that
source4/rpc_server no longer calls samdb_connect() directly and
also improves auditing for the dcesrv_samdb_connect_as_system() case.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
4 years ago CVE-2021-3738 s4:rpc_server/lsa: make use of dcesrv_samdb_connect_as_user() helper
Stefan Metzmacher [Thu, 5 Aug 2021 12:24:25 +0000 (14:24 +0200)] 
CVE-2021-3738 s4:rpc_server/lsa: make use of dcesrv_samdb_connect_as_user() helper

This avoids a crash that's triggered by windows clients using
handles from OpenPolicy[2]() across multiple connections within
an association group.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
4 years ago CVE-2021-3738 s4:rpc_server/dnsserver: make use of dcesrv_samdb_connect_as_user(...
Stefan Metzmacher [Thu, 5 Aug 2021 12:22:47 +0000 (14:22 +0200)] 
CVE-2021-3738 s4:rpc_server/dnsserver: make use of dcesrv_samdb_connect_as_user() helper

This is not strictly required, but it makes it easier to audit that
source4/rpc_server no longer calls samdb_connect() directly.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
4 years ago CVE-2021-3738 s4:rpc_server/drsuapi: make use of assoc_group aware dcesrv_samdb_conne...
Stefan Metzmacher [Thu, 5 Aug 2021 11:31:29 +0000 (13:31 +0200)] 
CVE-2021-3738 s4:rpc_server/drsuapi: make use of assoc_group aware dcesrv_samdb_connect_as_*() helpers

This avoids a crash that's triggered by windows clients using
DsCrackNames across multiple connections within an association group
on the same DsBind context(policy) handle.

It also improves the auditing for the dcesrv_samdb_connect_as_system() case.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
4 years ago CVE-2021-3738 s4:rpc_server/common: provide assoc_group aware dcesrv_samdb_connect_as...
Stefan Metzmacher [Thu, 5 Aug 2021 12:22:32 +0000 (14:22 +0200)] 
CVE-2021-3738 s4:rpc_server/common: provide assoc_group aware dcesrv_samdb_connect_as_{system,user}() helpers

We already had dcesrv_samdb_connect_as_system(), but it uses the per
connection memory of auth_session_info and remote_address.

But in order to use the samdb connection on a per association group
context/policy handle, we need to make copies, which last for the
whole lifetime of the 'samdb' context.

We need the same logic also for all cases we make use of
the almost same logic where we want to create a samdb context
on behalf of the authenticated user (without allowing system access),
so we introduce dcesrv_samdb_connect_as_user().

In the end we need to replace all direct callers to samdb_connect()
from source4/rpc_server.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
4 years ago CVE-2021-3738 auth_util: avoid talloc_tos() in copy_session_info()
Stefan Metzmacher [Thu, 5 Aug 2021 11:30:41 +0000 (13:30 +0200)] 
CVE-2021-3738 auth_util: avoid talloc_tos() in copy_session_info()

We want to use this also in code without existing
stackframe.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
4 years ago CVE-2021-3738 s4:torture/drsuapi: DsBindAssocGroup* tests
Stefan Metzmacher [Thu, 5 Aug 2021 09:26:16 +0000 (11:26 +0200)] 
CVE-2021-3738 s4:torture/drsuapi: DsBindAssocGroup* tests

This adds a reproducer for an invalid memory access, when
using the context handle from DsBind across multiple connections
within an association group.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
4 years ago CVE-2021-3738 s4:torture/drsuapi: maintain priv->admin_credentials
Stefan Metzmacher [Thu, 5 Aug 2021 08:34:06 +0000 (10:34 +0200)] 
CVE-2021-3738 s4:torture/drsuapi: maintain priv->admin_credentials

This will be used in the next commits.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
4 years ago CVE-2021-3738 s4:torture/drsuapi: maintain priv->dc_credentials
Stefan Metzmacher [Thu, 5 Aug 2021 07:58:37 +0000 (09:58 +0200)] 
CVE-2021-3738 s4:torture/drsuapi: maintain priv->dc_credentials

We want to use the credentials of the joined dc account
in future tests.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
4 years ago CVE-2021-3738 s4:torture/drsuapi: don't pass DsPrivate to test_DsBind()
Stefan Metzmacher [Thu, 5 Aug 2021 09:24:26 +0000 (11:24 +0200)] 
CVE-2021-3738 s4:torture/drsuapi: don't pass DsPrivate to test_DsBind()

This will make it easier to reuse.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
4 years ago CVE-2016-2124: s3:libsmb: don't fallback to non spnego authentication if we require...
Stefan Metzmacher [Thu, 27 Oct 2016 08:40:28 +0000 (10:40 +0200)] 
CVE-2016-2124: s3:libsmb: don't fallback to non spnego authentication if we require kerberos

We should not send NTLM[v2] nor plaintext data on the wire if the user
asked for kerberos only.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12444

Signed-off-by: Stefan Metzmacher <metze@samba.org>
4 years ago CVE-2016-2124: s4:libcli/sesssetup: don't fallback to non spnego authentication if...
Stefan Metzmacher [Thu, 24 Nov 2016 08:12:59 +0000 (09:12 +0100)] 
CVE-2016-2124: s4:libcli/sesssetup: don't fallback to non spnego authentication if we require kerberos

We should not send NTLM[v2] data on the wire if the user asked for kerberos
only.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12444

Signed-off-by: Stefan Metzmacher <metze@samba.org>
4 years ago CVE-2021-23192: dcesrv_core: only the first fragment specifies the auth_contexts
Stefan Metzmacher [Mon, 16 Nov 2020 13:15:06 +0000 (14:15 +0100)] 
CVE-2021-23192: dcesrv_core: only the first fragment specifies the auth_contexts

All other fragments blindly inherit it.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>
4 years ago CVE-2021-23192: python/tests/dcerpc: add tests to check how security contexts relate...
Stefan Metzmacher [Tue, 17 Nov 2020 17:14:46 +0000 (18:14 +0100)] 
CVE-2021-23192: python/tests/dcerpc: add tests to check how security contexts relate to fragmented requests

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>
4 years ago CVE-2021-23192: python/tests/dcerpc: fix do_single_request(send_req=False)
Stefan Metzmacher [Tue, 17 Nov 2020 16:43:06 +0000 (17:43 +0100)] 
CVE-2021-23192: python/tests/dcerpc: fix do_single_request(send_req=False)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>
4 years ago CVE-2021-23192: python/tests/dcerpc: let generate_request_auth() use g_auth_level...
Stefan Metzmacher [Tue, 17 Nov 2020 08:50:58 +0000 (09:50 +0100)] 
CVE-2021-23192: python/tests/dcerpc: let generate_request_auth() use g_auth_level in all places

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>
4 years ago CVE-2021-23192: python/tests/dcerpc: change assertNotEquals() into assertNotEqual()
Stefan Metzmacher [Wed, 11 Nov 2020 15:59:06 +0000 (16:59 +0100)] 
CVE-2021-23192: python/tests/dcerpc: change assertNotEquals() into assertNotEqual()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>
4 years ago
Stefan Metzmacher [Fri, 13 Nov 2020 10:27:19 +0000 (11:27 +0100)] 
CVE-2021-23192: dcesrv_core: add dcesrv_fault_disconnect0() that skips DCERPC_PFC_FLAG_DID_NOT_EXECUTE

That makes the callers much simpler and allows better debugging.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>
4 years ago
Stefan Metzmacher [Fri, 13 Nov 2020 10:25:41 +0000 (11:25 +0100)] 
CVE-2021-23192: dcesrv_core: add better debugging to dcesrv_fault_disconnect()

It's better to see the location that triggered the fault.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>
4 years ago
Joseph Sutton [Tue, 2 Nov 2021 08:00:00 +0000 (21:00 +1300)] 
CVE-2020-25722 selftest: Ensure check for duplicate servicePrincipalNames is not bypassed for an add operation

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564

If one of the objectClass checks passed, samldb_add() could return
through one of the samldb_fill_*() functions and skip the
servicePrincipalName uniqueness checking.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
4 years ago
Joseph Sutton [Tue, 2 Nov 2021 08:21:17 +0000 (21:21 +1300)] 
CVE-2020-25722 selftest: Add test for duplicate servicePrincipalNames on an add operation

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
4 years ago
Stefan Metzmacher [Tue, 2 Nov 2021 13:11:27 +0000 (14:11 +0100)] 
CVE-2020-25722 pytests: Give computer accounts unique (and valid) sAMAccountNames and SPNs

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564

Signed-off-by: Stefan Metzmacher <metze@samba.org>
4 years ago
Andrew Bartlett [Tue, 2 Nov 2021 01:02:14 +0000 (14:02 +1300)] 
CVE-2020-25719 selftest: Always expect a PAC in TGS replies with Heimdal

This is tested in other places already, but this ensures a global
check that a TGS-REP has a PAC, regardless.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
4 years ago
Andrew Bartlett [Tue, 2 Nov 2021 01:52:22 +0000 (14:52 +1300)] 
Revert "CVE-2020-25719 heimdal:kdc: Require authdata to be present"

This reverts an earlier commit that was incorrect.

It is not Samba practice to include a revert, but at this point in
the patch preparation the ripple through the knownfail files is
more trouble than can be justified.

It is not correct to refuse to parse all tickets with no authorization
data, only for the KDC to require that a PAC is found, which is done
in "heimdal:kdc: Require PAC to be present"

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
4 years ago
Joseph Sutton [Fri, 29 Oct 2021 02:53:33 +0000 (15:53 +1300)] 
CVE-2020-25718 heimdal:kdc: Add comment about tests for tickets of users not revealed to an RODC

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14886

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
4 years ago
Joseph Sutton [Fri, 29 Oct 2021 02:07:07 +0000 (15:07 +1300)] 
CVE-2020-25719 tests/krb5: Add tests for using a ticket with a renamed account

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
4 years ago
Joseph Sutton [Fri, 29 Oct 2021 02:43:28 +0000 (15:43 +1300)] 
CVE-2020-25718 tests/krb5: Only fetch RODC account credentials when necessary

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
4 years ago
Joseph Sutton [Fri, 29 Oct 2021 01:35:52 +0000 (14:35 +1300)] 
CVE-2020-25719 heimdal:kdc: Require PAC to be present

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14686

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
4 years ago
Andrew Bartlett [Mon, 4 Oct 2021 02:18:34 +0000 (15:18 +1300)] 
CVE-2020-25722 kdc: Do not honour a request for a 3-part SPN (ending in our domain/realm) unless a DC

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14776

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
4 years ago
Joseph Sutton [Wed, 27 Oct 2021 02:52:06 +0000 (15:52 +1300)] 
CVE-2020-25719 heimdal:kdc: Verify PAC in TGT provided for user-to-user authentication

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
4 years ago
Joseph Sutton [Wed, 27 Oct 2021 02:51:58 +0000 (15:51 +1300)] 
CVE-2020-25719 heimdal:kdc: Check name in request against name in user-to-user TGT

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
4 years ago
Joseph Sutton [Wed, 27 Oct 2021 00:50:03 +0000 (13:50 +1300)] 
CVE-2020-25719 heimdal:kdc: Use sname from request rather than user-to-user TGT client name

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
4 years ago
Joseph Sutton [Tue, 26 Oct 2021 07:34:44 +0000 (20:34 +1300)] 
CVE-2020-25719 heimdal:kdc: Move fetching krbtgt entry to before enctype selection

This allows us to use it when validating user-to-user.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
4 years ago
Joseph Sutton [Wed, 27 Oct 2021 00:53:25 +0000 (13:53 +1300)] 
CVE-2020-25719 heimdal:kdc: Check return code

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
4 years ago
Joseph Sutton [Tue, 26 Oct 2021 07:42:41 +0000 (20:42 +1300)] 
CVE-2020-25719 s4:kdc: Add KDC support for PAC_REQUESTER_SID PAC buffer

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
4 years ago
Andrew Bartlett [Tue, 19 Oct 2021 22:36:58 +0000 (11:36 +1300)] 
CVE-2020-25722 Ensure the structural objectclass cannot be changed

If the structural objectclass is allowed to change, then the restrictions
locking an object to remaining a user or computer will not be enforceable.

Likewise other LDAP inheritance rules, which allow only certain
child objects, can be bypassed, which can in turn allow creation of
(unprivileged) users where only DNS objects were expected.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14889

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
4 years ago
Andrew Bartlett [Sun, 26 Sep 2021 23:10:02 +0000 (12:10 +1300)] 
CVE-2020-25721 auth: Fill in the new HAS_SAM_NAME_AND_SID values

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14835

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
4 years ago
Andrew Bartlett [Thu, 7 Oct 2021 19:29:51 +0000 (08:29 +1300)] 
CVE-2020-25719 kdc: Avoid races and multiple DB lookups in s4u2self check

Looking up the DB twice is subject to a race and is a poor
use of resources, so instead just pass in the record we
already got when trying to confirm that the server in
S4U2Self is the same as the requesting client.

The client record has already been bound to the
original client by the SID check in the PAC.

Likewise by looking up server only once we ensure
that the keys looked up originally are in the record
we confirm the SID for here.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14686

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
4 years ago
Joseph Sutton [Sun, 3 Oct 2021 23:43:13 +0000 (12:43 +1300)] 
CVE-2020-25718 kdc: Return ERR_POLICY if RODC krbtgt account is invalid

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
4 years ago
Andrew Bartlett [Fri, 1 Oct 2021 03:14:37 +0000 (16:14 +1300)] 
CVE-2020-25718 kdc: Confirm the RODC was allowed to issue a particular ticket

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
4 years ago
Andrew Bartlett [Fri, 1 Oct 2021 02:59:28 +0000 (15:59 +1300)] 
CVE-2020-25718 dsdb: Bring sid_helper.c into common code as rodc_helper.c

These common routines will assist the KDC to do the same access
checking as the RPC servers need to do regarding which accounts
a RODC can act with regard to.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
4 years ago
Andrew Bartlett [Fri, 1 Oct 2021 02:57:41 +0000 (15:57 +1300)] 
CVE-2020-25718 s4-rpc_server: Add in debug messages into RODC processing

These are added for the uncommon cases.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
4 years ago
Andrew Bartlett [Fri, 1 Oct 2021 01:31:00 +0000 (14:31 +1300)] 
CVE-2020-25718 s4-rpc_server: Explain why we use DSDB_SEARCH_SHOW_EXTENDED_DN in RODC access check

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
4 years ago
Andrew Bartlett [Thu, 30 Sep 2021 23:29:49 +0000 (12:29 +1300)] 
CVE-2020-25718 s4-rpc_server: Remove unused attributes in RODC check

In particular the objectGUID is no longer used, and in the NETLOGON case
the special case for msDS-KrbTgtLink does not apply.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>