s3:rpc_server: Implement the rpcd_* helper-end of the samba-dcerpc protocol
This is the generic code that becomes the
template that all rpcd_* instances that
serve DCERPC can use to provide services to samba-dcerpcd.
The external entry point is:
rpc_worker_main() which takes an argc/argv list
and two functions:
get_interfaces() - List all interfaces that this server provides
get_servers() - Provide the RPC server implementations
Each rpcd_* service needs only to provide
the implementations of get_interfaces() and get_servers()
and call rpc_worker_main() from their main() function
to provide services that can be connected to from samba-dcerpcd.
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Samuel Cabrero <scabrero@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
This will be used for internal pipe connects. It starts samba_dcerpc
on demand if it's not there yet, so long as smb.conf [global]
has "rpc start on demand helpers = true" (the default setting).
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Samuel Cabrero <scabrero@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Volker Lendecke [Wed, 9 Jun 2021 06:37:06 +0000 (08:37 +0200)]
s3:rpc_server: Add samba-dcerpcd
Central dispatcher for incoming RPC requests, supported by helpers
that implement RPC services.
Upon startup, it asks all helpers which interfaces and endpoints to
listen on so it doesn't interfere with the samba binary when we're
configured as an Active Directory Domain Controller, then samba-dcerpcd
opens the relevant sockets. Once clients connect, start required helpers
and tell them to shut down once idle for a while.
Can be started as a full standalone daemon without smbd involved or as
a helper daemon started on demand by smbd or winbind or other local
processes trying to connect to a named pipe based RPC service.
NB. To start as a standalone daemon the smb.conf [global] option
"rpc start on demand helpers = false" must be set.
By default "rpc start on demand helpers = true"
in order to allow upgrades without needing an smb.conf change.
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Samuel Cabrero <scabrero@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Jeremy Allison [Mon, 4 Oct 2021 21:39:03 +0000 (14:39 -0700)]
docs-xml: Add "rpc start on demand helpers", true by default.
If "true" allow smbd and winbindd to spawn samba-dcerpcd
as a named pipe helper. Allows upgrade without any change
to smb.conf. If samba-dcerpcd is run as a daemon this
must be set to "false".
Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Volker Lendecke <vl@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Volker Lendecke [Thu, 21 Jan 2021 14:28:31 +0000 (15:28 +0100)]
dcesrv_core: Add dcesrv_loop_next_packet()
This is used by the helpers of samba-dcerpcd: When accepting a DCERPC
client, normally the server engine would read the initial bind
packet. In case of samba-dcerpcd the bind packet will already be read
from the socket, so we need to inject it into the rpc server engine
externally.
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Samuel Cabrero <scabrero@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Volker Lendecke [Thu, 4 Mar 2021 17:53:37 +0000 (18:53 +0100)]
backupkey.idl: Don't listen on \\pipe\ntsvcs
[MS-BKRP] says it SHOULD listen here. In the ad dc, this conflicts
with smbd's srv_ntsvcs_nt.c listening also on nt ntsvcs unix domain
socket. Because "samba" starts smbd after itself, smbd takes over the
socket anyway, backupkey can't have been reached over this transport.
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Samuel Cabrero <scabrero@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Volker Lendecke [Tue, 2 Feb 2021 14:10:38 +0000 (15:10 +0100)]
dcesrv_core: Add dcesrv_context_set_callbacks()
We'll need to set custom callbacks on source3's global_dcesrv_ctx,
which right now is deeply embedded. Once we have everything more
nicely layered, this can go again.
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Samuel Cabrero <scabrero@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Volker Lendecke [Sun, 13 Jun 2021 05:48:01 +0000 (07:48 +0200)]
s3:rpc_server: Remove direct registry access from svcctl_init_winreg
Once we do registry access via a pipe into a different process, a
registry client won't be able to directly do registry transactions
anymore. In this case, I argue that doing this in a transactioned way
is overkill anyway. svcctl_init_winreg() just sets up some registry
keys, and if that leaves behind some stale entries if it fails
somewhere in the middle, it does not really matter because the only
one looking at these registry keys is the svcctl service, and that
only starts up if the init function was successfully run.
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Samuel Cabrero <scabrero@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Volker Lendecke [Mon, 14 Jun 2021 05:54:55 +0000 (07:54 +0200)]
s3:services: Disable rcinit-based service control code
This is a become_root user callout that I have never seen in use in
more than 20 years of Samba. Why disable now? In the next commit I
need to make a change to initializing the registry values for
services, the svcctl service won't be able to do registry transactions
anymore. I'm not sure that going without transactions is 100% safe in
all failure cases, so I decided to propose disabling the problematic
code that might lead to security issues.
One fix might be to add a lot more validation code to
_svcctl_OpenServiceW() to see whether the registry values underlying
the service are sane.
Yes, this is technical debt, but I would question that starting unix
daemons via DCERPC used at all out there.
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Samuel Cabrero <scabrero@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
[102(815)/143 at 10m59s] samba4.blackbox.net_ads_dns(ad_member:local)(ad_member:local)
UNEXPECTED(failure): samba4.blackbox.net_ads_dns(ad_member:local).Adding an unprivileged user(ad_member:local)
REASON: Exception: Exception: Could not add user unprivuser. Error setting password Incorrect net address
My preliminary analysis shows that the KRB5KRB_AP_ERR_BADADDR error
message is triggered by the libkrb5 client code. I have not yet shown
this to happen with pure libkrb5, but my theory is the following:
k5_privsafe_check_addrs() fails under the following circumstances: The
kpasswd server is contacted on IPv4 and is slow to reply. After
waiting a bit, libkrb5 also tries to contact kpasswd on
IPv6. kpasswd_sendto_msg_callback() for the IPv6 request changes the
authentication context's local_addr to IPv6. Then the IPv4 request is
replied to, and then k5_privsafe_check_addrs() bails on the address
family in ac->local_addr (IPv6) vs the one received and via the IPv4
connection.
libkrb5's src/lib/krb5/os/changepw.c has this comment:
/*
* TBD: Does this tamper w/ the auth context in such a way
* to break us? Yes - provide 1 per conn-state / host...
*/
I think we're hit by this.
This patch hacks around the situation by priming the kpasswd server
without error checking. If the initial v4 request is quick enough
because the kpasswd server is already started up properly, everything
works flawlessly.
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Samuel Cabrero <scabrero@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Volker Lendecke [Sun, 28 Nov 2021 15:19:56 +0000 (16:19 +0100)]
rpc_server: Check info5->transport
Eventually, this new mechanism might replace the ncalrpc_as_system mechanism: I
think with this we're much more flexible and even more secure: We rely on the
direct permissions on "np/" and don't have to pretend that the local client
came from a file on /root. We are more flexible because with this mechanism we
can easily fake arbitrary tokens and play with session keys.
However, this would require that the source4 librpc code needs to learn about
this mechanism, which I was not able to complete.
The source3 rpc_server side of this will go away soon, so for now only
allow NCACN_NP there. The check in source4 will stay with us for a
while, so allow NCACN_NP and NCALRPC to be set remotely here. With
NCACN_NP (the case for a client to connect on a named pipe), protect
against accidentially connecting as system.
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Volker Lendecke [Sat, 27 Nov 2021 15:38:38 +0000 (16:38 +0100)]
librpc: Add named_pipe_auth_req_info5->transport
This will serve as a check to make sure that in particular a SAMR
client is really root. This is for example used in get_user_info_18()
handing out a machine password.
The unix domain sockets for NCACN_NP can only be contacted by root,
the "np\" subdirectory for those sockets is root/root 0700.
Connecting to such a socket is done in two situations: First, local
real root processes connecting and smbd on behalf of SMB clients
connecting to \\pipe\name, smbd does become_root() there. Via the
named_pipe_auth_req_info4 smbd hands over the SMB session information
that the RPC server blindly trusts. The session information (i.e. the
NT token) is heavily influenced by external sources like the KDC. It
is highly unlikely that we get a system token via SMB, but who knows,
this is information not fully controlled by smbd.
This is where this additional field in named_pipe_auth_req_info5 makes
a difference: This field is set to NCACN_NP by smbd's code, not
directly controlled by the clients. Other clients directly connecting
to a socket in "np\" is root anyway (only smbd can do become_root())
and can set this field to NCALRPC.
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Volker Lendecke [Wed, 9 Jun 2021 04:09:37 +0000 (06:09 +0200)]
named_pipe_auth.idl: Add "need_idle_server"
Once RPC services are done by individual processes, we need to avoid
recursion between processes:
Any RPC server process will be able to serve multiple client requests
simultaneously, but each request is served in a single-threaded
blocking manner.
For example the netlogon RPC service needs to ask samr for
something. The netlogon->samr connection will initially be handled by
a central dispatcher assigning clients to processes. This dispatcher
needs to know that this connection can't end up in the same process
that originated the request.
With this flag an RPC client can request a samr server process that
exclusively serves its own requests and that will not serve anybody
else while serving netlogon.
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Samuel Cabrero <scabrero@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Jeremy Allison [Tue, 7 Dec 2021 18:25:38 +0000 (10:25 -0800)]
Update WHATSNEW.txt with removal of wildcard copy, rename and unlink.
Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Thu Dec 9 18:57:15 UTC 2021 on sn-devel-184
Jeremy Allison [Thu, 2 Dec 2021 00:29:43 +0000 (16:29 -0800)]
s3: smbd: Remove all wildcard code from rename_internals().
We no longer use resolve_wildcards() so comment it out
for later removal. Keep the '{ ... }' block around the
singleton rename for now, to keep the diff small.
Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Jeremy Allison [Wed, 1 Dec 2021 20:24:07 +0000 (12:24 -0800)]
s3: smbd: Remove support for SMBcopy SMB_COM_COPY (0x29)
It's not used in our client code or tested.
From MS-CIFS.
This command was introduced in the LAN Manager 1.0 dialect
It was rendered obsolete in the NT LAN Manager dialect.
This command was used to perform server-side file copies, but
is no longer used. Clients SHOULD
NOT send requests using this command code.
Servers receiving requests with this command code
SHOULD return STATUS_NOT_IMPLEMENTED (ERRDOS/ERRbadfunc).
Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Jeremy Allison [Thu, 2 Dec 2021 20:05:51 +0000 (12:05 -0800)]
s4: libcli: Add smbcli_unlink_wcard().
We will use this in place of smbcli_unlink() when we
know we are using a wildcard pattern. If can be used
to generally replace smbcli_unlink() as it calls down
to smbcli_unlink() is no wildcard is detected.
Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Andrew Bartlett [Wed, 8 Dec 2021 02:30:02 +0000 (15:30 +1300)]
s4-auth: Remove unused headers
These changes were submitted in a patch by
Stefan Metzmacher <metze@samba.org> in his lorikeet-heimdal
import branch of patches to upgrade to a modern Heimdal.
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Dec 9 14:14:12 UTC 2021 on sn-devel-184
Andrew Bartlett [Tue, 26 Sep 2017 02:10:12 +0000 (15:10 +1300)]
librpc: match gensec_gssapi and call gsskrb5_set_dns_canonicalize() for Heimdal
This is needed to ensure Heimdal does not attempt to use nss to canonicalize the name.
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Dec 9 07:42:38 UTC 2021 on sn-devel-184
Joseph Sutton [Wed, 8 Dec 2021 03:42:32 +0000 (16:42 +1300)]
hdb: Initialise HDB structure
Additional fields may be added to this structure without us explicitly
initialising them. This could cause Heimdal to crash upon reading
garbage data, so we should zero-initialise the structure.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Dec 9 02:47:27 UTC 2021 on sn-devel-184
Joseph Sutton [Mon, 6 Dec 2021 01:54:31 +0000 (14:54 +1300)]
tests/krb5: Allow PADATA-ENCRYPTED-CHALLENGE to be missing for skew errors
A skew error means the client just tried using PADATA-ENC-TIMESTAMP or
PADATA-ENCRYPTED-CHALLENGE, so it might not be necessary to announce
them in that case.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Dec 7 08:32:42 UTC 2021 on sn-devel-184
Joseph Sutton [Tue, 7 Dec 2021 00:15:38 +0000 (13:15 +1300)]
kdc: Canonicalize realm for enterprise principals
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Dec 7 04:54:35 UTC 2021 on sn-devel-184
Joseph Sutton [Thu, 2 Dec 2021 22:58:53 +0000 (11:58 +1300)]
s4:torture: Remove pre-send and post-receive callbacks
The client-side testing done by these callbacks is no longer needed, and
the server-side testing is covered by Python-based tests. Removing these
leaves us with a more manageable test of the Kerberos API.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 2 Dec 2021 22:58:40 +0000 (11:58 +1300)]
s4:torture: Remove test combination with enterprise principal without canonicalize flag
This test combination is not needed. Removing it allows us to avoid
modifying requests prior to sending them, which can cause problems with
an upgraded Heimdal version.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Dec 6 22:57:54 UTC 2021 on sn-devel-184
Joseph Sutton [Thu, 2 Dec 2021 22:57:49 +0000 (11:57 +1300)]
s4:torture: Remove AS_REQ_SELF test stage
This behaviour is already covered by existing Python tests. This test
stage also modifies the request prior to sending it, which can cause
problems with an upgraded Heimdal version.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Thu, 2 Dec 2021 00:25:07 +0000 (13:25 +1300)]
heimdal_build: Prepare for Heimdal upgrade by only building HEIMDAL_ASN1_GEN_HOSTCC when needed.
This will otherwise break the system-heimdal build.
This is correct regardless.
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Dec 6 21:48:30 UTC 2021 on sn-devel-184
Andrew Bartlett [Wed, 1 Dec 2021 22:47:35 +0000 (11:47 +1300)]
build: Remove kdc_include except where needed
This include was being set on too many subsystems, including some MIT-related.
This was a problem because it would then trigger the mixing of MIT and Heimdal
krb5.h files. It is now only set on the plugins and services that use the
embedded Heimdal KDC.