CVE-2020-25717: selftest: configure 'ktest' env with winbindd and idmap_autorid
The 'ktest' environment was/is designed to test kerberos in an active
directory member setup. It was created at a time we wanted to test
smbd/winbindd with kerberos without having the source4 ad dc available.
This still applies to testing the build with system krb5 libraries
but without relying on a running ad dc.
As a domain member setup requires a running winbindd, we should test it
that way, in order to reflect a valid setup.
As a side effect it provides a way to demonstrate that we can accept
smb connections authenticated via kerberos, but no connection to
a domain controller! In order get this working offline, we need an
idmap backend with ID_TYPE_BOTH support, so we use 'autorid', which
should be the default choice.
CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() delegate everything to make_server_info_wbcAuthUserInfo()
This consolidates the code paths used for NTLMSSP and Kerberos!
I checked what we were already doing for NTLMSSP, which is this:
a) source3/auth/auth_winbind.c calls wbcAuthenticateUserEx()
b) as a domain member we require a valid response from winbindd,
otherwise we'll return NT_STATUS_NO_LOGON_SERVERS
c) we call make_server_info_wbcAuthUserInfo(), which internally
calls make_server_info_info3()
d) auth_check_ntlm_password() calls
smb_pam_accountcheck(unix_username, rhost), where rhost
is only an ipv4 or ipv6 address (without reverse dns lookup)
e) from auth3_check_password_send/auth3_check_password_recv()
server_returned_info will be passed to auth3_generate_session_info(),
triggered by gensec_session_info(), which means we'll call into
create_local_token() in order to transform auth_serversupplied_info
into auth_session_info.
For Kerberos gensec_session_info() will call
auth3_generate_session_info_pac() via the gensec_generate_session_info_pac()
helper function. The current logic is this:
a) gensec_generate_session_info_pac() is the function that
evaluates the 'gensec:require_pac', which defaulted to 'no'
before.
b) auth3_generate_session_info_pac() called
wbcAuthenticateUserEx() in order to pass the PAC blob
to winbindd, but only to prime its cache, e.g. netsamlogon cache
and others. Most failures were just ignored.
c) If the PAC blob is available, it extracted the PAC_LOGON_INFO
from it.
d) Then we called the horrible get_user_from_kerberos_info() function:
- It uses a first part of the tickets principal name (before the @)
as username and combines that with the 'logon_info->base.logon_domain'
if the logon_info (PAC) is present.
- As a fallback without a PAC it's tries to ask winbindd for a mapping
from realm to netbios domain name.
- Finally is falls back to using the realm as netbios domain name
With this information is builds 'userdomain+winbind_separator+useraccount'
and calls map_username() followed by smb_getpwnam() with create=true,
Note this is similar to the make_server_info_info3() => check_account()
=> smb_getpwnam() logic under 3.
- It also calls smb_pam_accountcheck(), but may pass the reverse DNS lookup name
instead of the ip address as rhost.
- It does some MAP_TO_GUEST_ON_BAD_UID logic and auto creates the
guest account.
e) We called create_info3_from_pac_logon_info()
f) make_session_info_krb5() calls gets called and triggers this:
- If get_user_from_kerberos_info() mapped to guest, it calls
make_server_info_guest()
- If create_info3_from_pac_logon_info() created a info3 from logon_info,
it calls make_server_info_info3()
- Without a PAC it tries pdb_getsampwnam()/make_server_info_sam() with
a fallback to make_server_info_pw()
From there it calls create_local_token()
I tried to change auth3_generate_session_info_pac() to behave similar
to auth_winbind.c together with auth3_generate_session_info() as
a domain member, as we now rely on a PAC:
a) As domain member we require a PAC and always call wbcAuthenticateUserEx()
and require a valid response!
b) we call make_server_info_wbcAuthUserInfo(), which internally
calls make_server_info_info3(). Note make_server_info_info3()
handles MAP_TO_GUEST_ON_BAD_UID and make_server_info_guest()
internally.
c) Similar to auth_check_ntlm_password() we now call
smb_pam_accountcheck(unix_username, rhost), where rhost
is only an ipv4 or ipv6 address (without reverse dns lookup)
d) From there it calls create_local_token()
As standalone server (in an MIT realm) we continue
with the already existing code logic, which works without a PAC:
a) we keep smb_getpwnam() with create=true logic as it
also requires an explicit 'add user script' option.
b) In the following commits we assert that there's
actually no PAC in this mode, which means we can
remove unused and confusing code.
CVE-2020-25719 CVE-2020-25717: auth/gensec: always require a PAC in domain mode (DC or member)
AD domains always provide a PAC unless UF_NO_AUTH_DATA_REQUIRED is set
on the service account, which can only be explicitly configured,
but that's an invalid configuration!
We still try to support standalone servers in an MIT realm,
as legacy setup.
CVE-2020-25717: Add FreeIPA domain controller role
As we want to reduce use of 'classic domain controller' role but FreeIPA
relies on it internally, add a separate role to mark FreeIPA domain
controller role.
It means that role won't result in ROLE_STANDALONE.
CVE-2020-25717: s3:auth: don't let create_local_token depend on !winbind_ping()
We always require a running winbindd on a domain member, so
we should better fail a request instead of silently alter
the behaviour, which results in a different unix token, just
because winbindd might be restarted.
Ralph Boehme [Fri, 8 Oct 2021 10:33:16 +0000 (12:33 +0200)]
CVE-2020-25717: s3:auth: remove fallbacks in smb_getpwnam()
So far we tried getpwnam("DOMAIN\account") first and
always did a fallback to getpwnam("account") completely
ignoring the domain part, this just causes problems
as we mix "DOMAIN1\account", "DOMAIN2\account",
and "account"!
As we require a running winbindd for domain member setups
we should no longer do a fallback to just "account" for
users served by winbindd!
For users of the local SAM don't use this code path,
as check_sam_security() doesn't call check_account().
The only case where smb_getpwnam("account") happens is
when map_username() via ("username map [script]") mapped
"DOMAIN\account" to something without '\', but that is
explicitly desired by the admin.
CVE-2020-25717: s3:auth: no longer let check_account() autocreate local users
So far we autocreated local user accounts based on just the
account_name (just ignoring any domain part).
This only happens via a possible 'add user script',
which is not typically defined on domain members
and on NT4 DCs local users already exist in the
local passdb anyway.
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Samuel Cabrero <scabrero@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
[abartlet@samba.org Removed knownfail on advice from metze]
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Samuel Cabrero <scabrero@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
[abartlet@samba.org Fixed knowfail per instruction from metze]
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Samuel Cabrero <scabrero@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Samuel Cabrero <scabrero@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Fri, 22 Oct 2021 10:41:23 +0000 (23:41 +1300)]
CVE-2020-25722 selftest/user_account_control: more work to cope with UAC/objectclass defaults and lock
This new restriction breaks a large number of assumptions in the tests, like
that you can remove some UF_ flags, because it turns out doing so will
make the 'computer' a 'user' again, and this will fail.
Andrew Bartlett [Fri, 22 Oct 2021 03:07:46 +0000 (16:07 +1300)]
CVE-2020-25722 dsdb: Prohibit mismatch between UF_ account types and objectclass.
There are a lot of knownfail entries added with this commit. These
all need to be addressed and removed in subsequent commits which
will restructure the tests to pass within this new reality.
The restriction is not applied to users with administrator rights,
as this breaks a lot of tests and provides no security benefit.
Andrew Bartlett [Wed, 15 Sep 2021 20:46:42 +0000 (08:46 +1200)]
CVE-2020-25722 dsdb: objectclass computer becomes UF_WORKSTATION_TRUST by default
There are a lot of knownfail entries added with this commit. These
all need to be addressed and removed in subsequent commits which
will restructure the tests to pass within this new reality.
This default applies even to users with administrator rights,
as changing the default based on permissions would break
to many assumptions.
Andrew Bartlett [Mon, 13 Sep 2021 08:34:54 +0000 (20:34 +1200)]
CVE-2020-25722 selftest: Extend priv_attrs test - work around UF_NORMAL_ACCOUNT rules on Windows 2019 (requires |UF_PASSWD_NOTREQD or a password) - extend to also cover the sensitive UF_TRUSTED_FOR_DELEGATION
Andrew Bartlett [Fri, 13 Aug 2021 05:42:23 +0000 (17:42 +1200)]
CVE-2020-25722 dsdb: Restrict the setting of privileged attributes during LDAP add/modify
The remaining failures in the priv_attrs (not the strict one) test are
due to missing objectclass constraints on the administrator which should
be addressed, but are not a security issue.
A better test for confirming constraints between objectclass and
userAccountControl UF_NORMAL_ACCONT/UF_WORKSTATION_TRUST values would
be user_account_control.py.
Andrew Bartlett [Wed, 11 Aug 2021 23:10:09 +0000 (11:10 +1200)]
CVE-2020-25722 dsdb: Move krbtgt password setup after the point of checking if any passwords are changed
This allows the add of an RODC, before setting the password, to avoid
this module, which helps isolate testing of security around the
msDS-SecondaryKrbTgtNumber attribute.
smbd: check lp_load_printers before reload via NetShareEnum
api_RNetShareEnum() unconditionally attempts to reload printers via
delete_and_reload_printers(). Add a lp_load_printers() check to
obey smb.conf "load printers = off" settings.
Reported-by: Nate Stuyvesant <nstuyvesant@gmail.com> Signed-off-by: David Disseldorp <ddiss@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Nov 8 13:27:40 UTC 2021 on sn-devel-184
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andreas Schneider <asn@cryptomilk.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Nov 5 12:36:55 UTC 2021 on sn-devel-184
With glibc 2.34 we are not able to talk to the DNS server via socket_wrapper
anymore. The res_* symbols have been moved from libresolv to libc. We are not
able to intercept any traffic inside of libc.
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andreas Schneider <asn@cryptomilk.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
David Mulder [Thu, 4 Nov 2021 14:42:06 +0000 (08:42 -0600)]
samba-tool: Add domain member leave
Signed-off-by: David Mulder <dmulder@suse.com> Reviewed-by: Rowland Penny <rpenny@samba.org>
Autobuild-User(master): David Mulder <dmulder@samba.org>
Autobuild-Date(master): Thu Nov 4 20:43:32 UTC 2021 on sn-devel-184
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Nov 4 19:49:47 UTC 2021 on sn-devel-184
Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Thu Nov 4 09:10:27 UTC 2021 on sn-devel-184
Ralph Boehme [Wed, 3 Nov 2021 13:40:01 +0000 (14:40 +0100)]
smbd: early out in is_visible_fsp()
This is used in a hot codepath (directory enumeration) so we should avoiding the
string comparisions by adding an early exit.
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Nov 3 17:33:00 UTC 2021 on sn-devel-184
Ralph Boehme [Tue, 2 Nov 2021 04:34:59 +0000 (05:34 +0100)]
vfs_fruit: remove a fsp check from ad_fset()
This comes from times before we had pathref fsps. Back then if you wanted to
check if fsp->fh->fd contained a valid value != -1, you'd also first check that
the passed in fsp and fsp->fh are non NULL. With pathref fsps we don't need this
anymore.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14890
RN: Crash in vfs_fruit asking for fsp_get_io_fd() for an XATTR call
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Nov 3 14:33:49 UTC 2021 on sn-devel-184
Pavel Filipenský [Thu, 21 Oct 2021 13:01:48 +0000 (15:01 +0200)]
s3:librpc: Improve calling of krb5_kt_end_seq_get()
Remove indentation with early return, best reviewed with
git show -b
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com> Reviewed-by: Jeremy Allison <jra@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Nov 3 08:36:00 UTC 2021 on sn-devel-184
David Mulder [Thu, 14 Oct 2021 21:36:52 +0000 (15:36 -0600)]
gp: Apply Firewalld Policy
Signed-off-by: David Mulder <dmulder@suse.com> Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Nov 1 21:16:43 UTC 2021 on sn-devel-184
Martin Schwenke [Sun, 31 Oct 2021 00:59:30 +0000 (11:59 +1100)]
debug: Add new smb.conf option "debug syslog format"
Signed-off-by: Martin Schwenke <martin@meltin.net> Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Mon Nov 1 07:29:47 UTC 2021 on sn-devel-184
Martin Schwenke [Thu, 28 Oct 2021 08:05:19 +0000 (19:05 +1100)]
debug: Add debug_syslog_format setting
Without debug_hires_timestamp this produces a syslog style header
containing:
"MON DD HH:MM:SS HOSTNAME PROGNAME[PID] "
With debug_hires_timestamp this produces a syslog style header
containing:
"RFC5424-TIMESTAMP HOSTNAME PROGNAME[PID] "
All other settings are ignored.
This will be made visible via smb.conf in a subsequent commit.
This commit adds some simple hostname handling. It avoids using
get_myname() from util.c because using that potentially pulls in all
manner of dependencies. No real error handling is done. In the worst
case debug_set_hostname() sets the hostname to a truncated version of
the given string. Similarly, in an even weirder world,
ensure_hostname() sets the hostname to a truncation of "unknown".
Both of these are unlikely in all reasonable cases.
Signed-off-by: Martin Schwenke <martin@meltin.net> Reviewed-by: Ralph Boehme <slow@samba.org>
Andrew Walker [Thu, 28 Oct 2021 20:01:42 +0000 (16:01 -0400)]
s3:modules:recycle - fix crash in recycle_unlink_internal
Original logic for separating path from base name assumed
that we were using same string to determine offset when
getting the parent dir name (smb_fname->base_name).
Simplify by using parent_dirname() to split the path
from base name.
Signed-off-by: Andrew Walker <awalker@ixsystems.com> Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Oct 30 04:34:53 UTC 2021 on sn-devel-184
eaglegai [Thu, 28 Oct 2021 13:51:13 +0000 (21:51 +0800)]
fix undefined-shift in put_res_rec fuzz error: ../../source3/libsmb/nmblib.c:451:4: runtime error: left shift of 65312 by 16 places cannot be represented in type 'int'
Author: eaglegai <eaglegai@163.com>
Signed-off-by: eaglegai <eaglegai@163.com> Reviewed-by: Jeremy Allison <jra@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Oct 29 20:29:26 UTC 2021 on sn-devel-184
Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Oct 29 14:57:14 UTC 2021 on sn-devel-184
projects / thirdparty / samba.git / log
