mirror of https://github.com/samba-team/samba.git synced 2025-03-19 18:50:24 +03:00

samba: tag release samba-4.3.8

-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iD8DBQBXC2bnbzORW2Vot+oRAiYAAKC4rM1pUHsIfbckQXtS0ZCmyAnGKwCfRmF/
 lHnUYxf3dzXuc0fGfoWgcfM=
 =JLuc
 -----END PGP SIGNATURE-----

Merge tag 'samba-4.3.8' into v4-3-test

samba: tag release samba-4.3.8

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher 2016-04-12 21:12:44 +02:00
commit 5bd1f11c6b
238 changed files with 15114 additions and 4878 deletions

View File

@ -25,7 +25,7 @@
########################################################
SAMBA_VERSION_MAJOR=4
SAMBA_VERSION_MINOR=3
SAMBA_VERSION_RELEASE=7
SAMBA_VERSION_RELEASE=8
########################################################
# If a official release has a serious bug #

View File

@ -1,3 +1,564 @@
=============================
Release Notes for Samba 4.3.8
April 12, 2016
=============================
This is a security release containing one additional
regression fix for the security release 4.3.7.
This fixes a regression that prevents things like 'net ads join'
from working against a Windows 2003 domain.
Changes since 4.3.7:
====================
o Stefan Metzmacher <metze@samba.org>
* Bug 11804 - prerequisite backports for the security release on
April 12th, 2016
Release notes for the original 4.3.7 release follows:
-----------------------------------------------------
=============================
Release Notes for Samba 4.3.7
April 12, 2016
=============================
This is a security release in order to address the following CVEs:
o CVE-2015-5370 (Multiple errors in DCE-RPC code)
o CVE-2016-2110 (Man in the middle attacks possible with NTLMSSP)
o CVE-2016-2111 (NETLOGON Spoofing Vulnerability)
o CVE-2016-2112 (LDAP client and server don't enforce integrity)
o CVE-2016-2113 (Missing TLS certificate validation)
o CVE-2016-2114 ("server signing = mandatory" not enforced)
o CVE-2016-2115 (SMB IPC traffic is not integrity protected)
o CVE-2016-2118 (SAMR and LSA man in the middle attacks possible)
The number of changes are rather huge for a security release,
compared to typical security releases.
Given the number of problems and the fact that they are all related
to man in the middle attacks we decided to fix them all at once
instead of splitting them.
In order to prevent the man in the middle attacks it was required
to change the (default) behavior for some protocols. Please see the
"New smb.conf options" and "Behavior changes" sections below.
=======
Details
=======
o CVE-2015-5370
Versions of Samba from 3.6.0 to 4.4.0 inclusive are vulnerable to
denial of service attacks (crashes and high cpu consumption)
in the DCE-RPC client and server implementations. In addition,
errors in validation of the DCE-RPC packets can lead to a downgrade
of a secure connection to an insecure one.
While we think it is unlikely, there's a nonzero chance for
a remote code execution attack against the client components,
which are used by smbd, winbindd and tools like net, rpcclient and
others. This may gain root access to the attacker.
The above applies all possible server roles Samba can operate in.
Note that versions before 3.6.0 had completely different marshalling
functions for the generic DCE-RPC layer. It's quite possible that
that code has similar problems!
The downgrade of a secure connection to an insecure one may
allow an attacker to take control of Active Directory object
handles created on a connection created from an Administrator
account and re-use them on the now non-privileged connection,
compromising the security of the Samba AD-DC.
o CVE-2016-2110:
There are several man in the middle attacks possible with
NTLMSSP authentication.
E.g. NTLMSSP_NEGOTIATE_SIGN and NTLMSSP_NEGOTIATE_SEAL
can be cleared by a man in the middle.
This was by protocol design in earlier Windows versions.
Windows Server 2003 RTM and Vista RTM introduced a way
to protect against the trivial downgrade.
See MsvAvFlags and flag 0x00000002 in
https://msdn.microsoft.com/en-us/library/cc236646.aspx
This new feature also implies support for a mechlistMIC
when used within SPNEGO, which may prevent downgrades
from other SPNEGO mechs, e.g. Kerberos, if sign or
seal is finally negotiated.
The Samba implementation doesn't enforce the existence of
required flags, which were requested by the application layer,
e.g. LDAP or SMB1 encryption (via the unix extensions).
As a result a man in the middle can take over the connection.
It is also possible to misguide client and/or
server to send unencrypted traffic even if encryption
was explicitly requested.
LDAP (with NTLMSSP authentication) is used as a client
by various admin tools of the Samba project,
e.g. "net", "samba-tool", "ldbsearch", "ldbedit", ...
As an active directory member server LDAP is also used
by the winbindd service when connecting to domain controllers.
Samba also offers an LDAP server when running as
active directory domain controller.
The NTLMSSP authentication used by the SMB1 encryption
is protected by smb signing, see CVE-2015-5296.
o CVE-2016-2111:
It's basically the same as CVE-2015-0005 for Windows:
The NETLOGON service in Microsoft Windows Server 2003 SP2,
Windows Server 2008 SP2 and R2 SP1, and Windows Server 2012 Gold
and R2, when a Domain Controller is configured, allows remote
attackers to spoof the computer name of a secure channel's
endpoint, and obtain sensitive session information, by running a
crafted application and leveraging the ability to sniff network
traffic, aka "NETLOGON Spoofing Vulnerability".
The vulnerability in Samba is worse as it doesn't require
credentials of a computer account in the domain.
This only applies to Samba running as classic primary domain controller,
classic backup domain controller or active directory domain controller.
The security patches introduce a new option called "raw NTLMv2 auth"
("yes" or "no") for the [global] section in smb.conf.
Samba (the smbd process) will reject client using raw NTLMv2
without using NTLMSSP.
Note that this option also applies to Samba running as
standalone server and member server.
You should also consider using "lanman auth = no" (which is already the default)
and "ntlm auth = no". Have a look at the smb.conf manpage for further details,
as they might impact compatibility with older clients. These also
apply for all server roles.
o CVE-2016-2112:
Samba uses various LDAP client libraries, a builtin one and/or the system
ldap libraries (typically openldap).
As active directory domain controller Samba also provides an LDAP server.
Samba takes care of doing SASL (GSS-SPNEGO) authentication with Kerberos or NTLMSSP
for LDAP connections, including possible integrity (sign) and privacy (seal)
protection.
Samba has support for an option called "client ldap sasl wrapping" since version
3.2.0. Its default value has changed from "plain" to "sign" with version 4.2.0.
Tools using the builtin LDAP client library do not obey the
"client ldap sasl wrapping" option. This applies to tools like:
"samba-tool", "ldbsearch", "ldbedit" and more. Some of them have command line
options like "--sign" and "--encrypt". With the security update they will
also obey the "client ldap sasl wrapping" option as default.
In all cases, even if explicitly request via "client ldap sasl wrapping",
"--sign" or "--encrypt", the protection can be downgraded by a man in the
middle.
The LDAP server doesn't have an option to enforce strong authentication
yet. The security patches will introduce a new option called
"ldap server require strong auth", possible values are "no",
"allow_sasl_over_tls" and "yes".
As the default behavior was as "no" before, you may
have to explicitly change this option until all clients have
been adjusted to handle LDAP_STRONG_AUTH_REQUIRED errors.
Windows clients and Samba member servers already use
integrity protection.
o CVE-2016-2113:
Samba has support for TLS/SSL for some protocols:
ldap and http, but currently certificates are not
validated at all. While we have a "tls cafile" option,
the configured certificate is not used to validate
the server certificate.
This applies to ldaps:// connections triggered by tools like:
"ldbsearch", "ldbedit" and more. Note that it only applies
to the ldb tools when they are built as part of Samba or with Samba
extensions installed, which means the Samba builtin LDAP client library is
used.
It also applies to dcerpc client connections using ncacn_http (with https://),
which are only used by the openchange project. Support for ncacn_http
was introduced in version 4.2.0.
The security patches will introduce a new option called
"tls verify peer". Possible values are "no_check", "ca_only",
"ca_and_name_if_available", "ca_and_name" and "as_strict_as_possible".
If you use the self-signed certificates which are auto-generated
by Samba, you won't have a crl file and need to explicitly
set "tls verify peer = ca_and_name".
o CVE-2016-2114
Due to a regression introduced in Samba 4.0.0,
an explicit "server signing = mandatory" in the [global] section
of the smb.conf was not enforced for clients using the SMB1 protocol.
As a result it does not enforce smb signing and allows man in the middle attacks.
This problem applies to all possible server roles:
standalone server, member server, classic primary domain controller,
classic backup domain controller and active directory domain controller.
In addition, when Samba is configured with "server role = active directory domain controller"
the effective default for the "server signing" option should be "mandatory".
During the early development of Samba 4 we had a new experimental
file server located under source4/smb_server. But before
the final 4.0.0 release we switched back to the file server
under source3/smbd.
But the logic for the correct default of "server signing" was not
ported correctly ported.
Note that the default for server roles other than active directory domain
controller, is "off" because of performance reasons.
o CVE-2016-2115:
Samba has an option called "client signing", this is turned off by default
for performance reasons on file transfers.
This option is also used when using DCERPC with ncacn_np.
In order to get integrity protection for ipc related communication
by default the "client ipc signing" option is introduced.
The effective default for this new option is "mandatory".
In order to be compatible with more SMB server implementations,
the following additional options are introduced:
"client ipc min protocol" ("NT1" by default) and
"client ipc max protocol" (the highest support SMB2/3 dialect by default).
These options overwrite the "client min protocol" and "client max protocol"
options, because the default for "client max protocol" is still "NT1".
The reason for this is the fact that all SMB2/3 support SMB signing,
while there are still SMB1 implementations which don't offer SMB signing
by default (this includes Samba versions before 4.0.0).
Note that winbindd (in versions 4.2.0 and higher) enforces SMB signing
against active directory domain controllers despite of the
"client signing" and "client ipc signing" options.
o CVE-2016-2118 (a.k.a. BADLOCK):
The Security Account Manager Remote Protocol [MS-SAMR] and the
Local Security Authority (Domain Policy) Remote Protocol [MS-LSAD]
are both vulnerable to man in the middle attacks. Both are application level
protocols based on the generic DCE 1.1 Remote Procedure Call (DCERPC) protocol.
These protocols are typically available on all Windows installations
as well as every Samba server. They are used to maintain
the Security Account Manager Database. This applies to all
roles, e.g. standalone, domain member, domain controller.
Any authenticated DCERPC connection a client initiates against a server
can be used by a man in the middle to impersonate the authenticated user
against the SAMR or LSAD service on the server.
The client chosen application protocol, auth type (e.g. Kerberos or NTLMSSP)
and auth level (NONE, CONNECT, PKT_INTEGRITY, PKT_PRIVACY) do not matter
in this case. A man in the middle can change auth level to CONNECT
(which means authentication without message protection) and take over
the connection.
As a result, a man in the middle is able to get read/write access to the
Security Account Manager Database, which reveals all passwords
and any other potential sensitive information.
Samba running as an active directory domain controller is additionally
missing checks to enforce PKT_PRIVACY for the
Directory Replication Service Remote Protocol [MS-DRSR] (drsuapi)
and the BackupKey Remote Protocol [MS-BKRP] (backupkey).
The Domain Name Service Server Management Protocol [MS-DNSP] (dnsserver)
is not enforcing at least PKT_INTEGRITY.
====================
New smb.conf options
====================
allow dcerpc auth level connect (G)
This option controls whether DCERPC services are allowed to be used with
DCERPC_AUTH_LEVEL_CONNECT, which provides authentication, but no per
message integrity nor privacy protection.
Some interfaces like samr, lsarpc and netlogon have a hard-coded default
of no and epmapper, mgmt and rpcecho have a hard-coded default of yes.
The behavior can be overwritten per interface name (e.g. lsarpc,
netlogon, samr, srvsvc, winreg, wkssvc ...) by using
'allow dcerpc auth level connect:interface = yes' as option.
This option yields precedence to the implementation specific restrictions.
E.g. the drsuapi and backupkey protocols require DCERPC_AUTH_LEVEL_PRIVACY.
The dnsserver protocol requires DCERPC_AUTH_LEVEL_INTEGRITY.
Default: allow dcerpc auth level connect = no
Example: allow dcerpc auth level connect = yes
client ipc signing (G)
This controls whether the client is allowed or required to use
SMB signing for IPC$ connections as DCERPC transport. Possible
values are auto, mandatory and disabled.
When set to mandatory or default, SMB signing is required.
When set to auto, SMB signing is offered, but not enforced and
if set to disabled, SMB signing is not offered either.
Connections from winbindd to Active Directory Domain Controllers
always enforce signing.
Default: client ipc signing = default
client ipc max protocol (G)
The value of the parameter (a string) is the highest protocol level that will
be supported for IPC$ connections as DCERPC transport.
Normally this option should not be set as the automatic negotiation phase
in the SMB protocol takes care of choosing the appropriate protocol.
The value default refers to the latest supported protocol, currently SMB3_11.
See client max protocol for a full list of available protocols.
The values CORE, COREPLUS, LANMAN1, LANMAN2 are silently upgraded to NT1.
Default: client ipc max protocol = default
Example: client ipc max protocol = SMB2_10
client ipc min protocol (G)
This setting controls the minimum protocol version that the will be
attempted to use for IPC$ connections as DCERPC transport.
Normally this option should not be set as the automatic negotiation phase
in the SMB protocol takes care of choosing the appropriate protocol.
The value default refers to the higher value of NT1 and the
effective value of "client min protocol".
See client max protocol for a full list of available protocols.
The values CORE, COREPLUS, LANMAN1, LANMAN2 are silently upgraded to NT1.
Default: client ipc min protocol = default
Example: client ipc min protocol = SMB3_11
ldap server require strong auth (G)
The ldap server require strong auth defines whether the
ldap server requires ldap traffic to be signed or
signed and encrypted (sealed). Possible values are no,
allow_sasl_over_tls and yes.
A value of no allows simple and sasl binds over all transports.
A value of allow_sasl_over_tls allows simple and sasl binds (without sign or seal)
over TLS encrypted connections. Unencrypted connections only
allow sasl binds with sign or seal.
A value of yes allows only simple binds over TLS encrypted connections.
Unencrypted connections only allow sasl binds with sign or seal.
Default: ldap server require strong auth = yes
raw NTLMv2 auth (G)
This parameter determines whether or not smbd(8) will allow SMB1 clients
without extended security (without SPNEGO) to use NTLMv2 authentication.
If this option, lanman auth and ntlm auth are all disabled, then only
clients with SPNEGO support will be permitted. That means NTLMv2 is only
supported within NTLMSSP.
Default: raw NTLMv2 auth = no
tls verify peer (G)
This controls if and how strict the client will verify the peer's
certificate and name. Possible values are (in increasing order): no_check,
ca_only, ca_and_name_if_available, ca_and_name and as_strict_as_possible.
When set to no_check the certificate is not verified at all,
which allows trivial man in the middle attacks.
When set to ca_only the certificate is verified to be signed from a ca
specified in the "tls ca file" option. Setting "tls ca file" to a valid file
is required. The certificate lifetime is also verified. If the "tls crl file"
option is configured, the certificate is also verified against
the ca crl.
When set to ca_and_name_if_available all checks from ca_only are performed.
In addition, the peer hostname is verified against the certificate's
name, if it is provided by the application layer and not given as
an ip address string.
When set to ca_and_name all checks from ca_and_name_if_available are performed.
In addition the peer hostname needs to be provided and even an ip
address is checked against the certificate's name.
When set to as_strict_as_possible all checks from ca_and_name are performed.
In addition the "tls crl file" needs to be configured. Future versions
of Samba may implement additional checks.
Default: tls verify peer = as_strict_as_possible
tls priority (G) (backported from Samba 4.3 to Samba 4.2)
This option can be set to a string describing the TLS protocols to be
supported in the parts of Samba that use GnuTLS, specifically the AD DC.
The default turns off SSLv3, as this protocol is no longer considered
secure after CVE-2014-3566 (otherwise known as POODLE) impacted SSLv3 use
in HTTPS applications.
The valid options are described in the GNUTLS Priority-Strings
documentation at http://gnutls.org/manual/html_node/Priority-Strings.html
Default: tls priority = NORMAL:-VERS-SSL3.0
================
Behavior changes
================
o The default auth level for authenticated binds has changed from
DCERPC_AUTH_LEVEL_CONNECT to DCERPC_AUTH_LEVEL_INTEGRITY.
That means ncacn_ip_tcp:server is now implicitly the same
as ncacn_ip_tcp:server[sign] and offers a similar protection
as ncacn_np:server, which relies on smb signing.
o The following constraints are applied to SMB1 connections:
- "client lanman auth = yes" is now consistently
required for authenticated connections using the
SMB1 LANMAN2 dialect.
- "client ntlmv2 auth = yes" and "client use spnego = yes"
(both the default values), require extended security (SPNEGO)
support from the server. That means NTLMv2 is only used within
NTLMSSP.
o Tools like "samba-tool", "ldbsearch", "ldbedit" and more obey the
default of "client ldap sasl wrapping = sign". Even with
"client ldap sasl wrapping = plain" they will automatically upgrade
to "sign" when getting LDAP_STRONG_AUTH_REQUIRED from the LDAP
server.
Changes since 4.3.6:
====================
o Jeremy Allison <jra@samba.org>
* Bug 11344 - CVE-2015-5370: Multiple errors in DCE-RPC code.
* Bug 11804 - prerequisite backports for the security release on
April 12th, 2016.
o Christian Ambach <ambi@samba.org>
* Bug 11804 - prerequisite backports for the security release on
April 12th, 2016.
o Ralph Boehme <slow@samba.org>
* Bug 11644 - CVE-2016-2112: The LDAP client and server don't enforce
integrity protection.
o Günther Deschner <gd@samba.org>
* Bug 11749 - CVE-2016-2111: NETLOGON Spoofing Vulnerability.
* Bug 11804 - prerequisite backports for the security release on
April 12th, 2016.
o Björn Jacke <bj@sernet.de>
* Bug 11804 - prerequisite backports for the security release on
April 12th, 2016.
o Volker Lendecke <vl@samba.org>
* Bug 11804 - prerequisite backports for the security release on
April 12th, 2016.
o Stefan Metzmacher <metze@samba.org>
* Bug 11344 - CVE-2015-5370: Multiple errors in DCE-RPC code.
* Bug 11616 - CVE-2016-2118: SAMR and LSA man in the middle attacks possible.
* Bug 11644 - CVE-2016-2112: The LDAP client and server doesn't enforce
integrity protection.
* Bug 11687 - CVE-2016-2114: "server signing = mandatory" not enforced.
* Bug 11688 - CVE-2016-2110: Man in the middle attacks possible with NTLMSSP.
* Bug 11749 - CVE-2016-2111: NETLOGON Spoofing Vulnerability.
* Bug 11752 - CVE-2016-2113: Missing TLS certificate validation allows man in
the middle attacks.
* Bug 11756 - CVE-2016-2115: SMB client connections for IPC traffic are not
integrity protected.
* Bug 11804 - prerequisite backports for the security release on
April 12th, 2016.
o Richard Sharpe <rsharpe@samba.org>
* Bug 11804 - prerequisite backports for the security release on
April 12th, 2016.
#######################################
Reporting bugs & Development Discussion
#######################################
Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.
If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored. All bug reports should
be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
database (https://bugzilla.samba.org/).
======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================
Release notes for older releases follow:
----------------------------------------
=============================
Release Notes for Samba 4.3.6
March 8, 2016
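Review bot: the TLS CA option is spelled two different ways inside the new release notes, "tls cafile" in the CVE-2016-2113 section and "tls ca file" (three times) in the "tls verify peer" entry; administrators will copy these lines into smb.conf, so the notes should use the single spelling that the smb.conf manpage uses. Smaller wording fixes in the same hunk: "The number of changes are rather huge" (is), "even if explicitly request via" (requested), "the highest support SMB2/3 dialect" (supported), "the minimum protocol version that the will be attempted to use", "will reject client using raw NTLMv2" (clients), "was not ported correctly ported" (duplicated word), "despite of the" (despite), and "The LDAP client and server doesn't enforce" in the Stefan Metzmacher entry of "Changes since 4.3.6", which disagrees with "don't" in the same bug title under Ralph Boehme. Also, the 4.3.8 section describes a regression fix for 'net ads join' against Windows 2003 domains, but "Changes since 4.3.7" lists only Bug 11804 "prerequisite backports"; if the regression has its own bug number, cite it there so readers can track the actual fix.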

View File

@ -22,6 +22,7 @@
#ifndef __CREDENTIALS_H__
#define __CREDENTIALS_H__
#include "../lib/util/time.h"
#include "../lib/util/data_blob.h"
#include "librpc/gen_ndr/misc.h"
@ -80,7 +81,9 @@ void cli_credentials_get_ntlm_username_domain(struct cli_credentials *cred, TALL
const char **domain);
NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred, TALLOC_CTX *mem_ctx,
int *flags,
DATA_BLOB challenge, DATA_BLOB target_info,
DATA_BLOB challenge,
const NTTIME *server_timestamp,
DATA_BLOB target_info,
DATA_BLOB *_lm_response, DATA_BLOB *_nt_response,
DATA_BLOB *_lm_session_key, DATA_BLOB *_session_key);
const char *cli_credentials_get_realm(struct cli_credentials *cred);
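Review bot: the new `const NTTIME *server_timestamp` parameter of cli_credentials_get_ntlm_response() is inserted between `challenge` and `target_info` without a comment stating whether it may be NULL and what a NULL means for the NTLMv2 response; since this is a public prototype and every caller has to be touched anyway, document that contract here rather than in the .c file. The `#include "../lib/util/time.h"` added in the first hunk is what provides NTTIME for this declaration, so the two hunks belong together.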

View File

@ -30,7 +30,9 @@
_PUBLIC_ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred, TALLOC_CTX *mem_ctx,
int *flags,
DATA_BLOB challenge, DATA_BLOB target_info,
DATA_BLOB challenge,
const NTTIME *server_timestamp,
DATA_BLOB target_info,
DATA_BLOB *_lm_response, DATA_BLOB *_nt_response,
DATA_BLOB *_lm_session_key, DATA_BLOB *_session_key)
{
@ -102,7 +104,7 @@ _PUBLIC_ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred
user,
domain,
nt_hash->hash, &challenge,
&target_info,
server_timestamp, &target_info,
&lm_response, &nt_response,
NULL, &session_key)) {
return NT_STATUS_NO_MEMORY;
@ -110,6 +112,12 @@ _PUBLIC_ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred
/* LM Key is incompatible... */
*flags &= ~CLI_CRED_LANMAN_AUTH;
if (lm_response.length != 0) {
/*
* We should not expose the lm key.
*/
memset(lm_response.data, 0, lm_response.length);
}
} else if (*flags & CLI_CRED_NTLM2) {
MD5_CTX md5_session_nonce_ctx;
uint8_t session_nonce[16];
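Review bot: the comment above the new memset says "We should not expose the lm key", but the code zeroes `lm_response`, not the LM session key; make the comment match what is actually cleared. The blob keeps its original length, so the caller still receives an `_lm_response` of nonzero length filled with zero bytes; if that is intentional (keep the field present but with no usable value, since `CLI_CRED_LANMAN_AUTH` is cleared just above), say so in the comment, otherwise consider setting `lm_response.length = 0` as well so callers cannot mistake the zero-filled blob for a real response.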

View File

@ -30,6 +30,16 @@
#include "auth/gensec/gensec_internal.h"
#include "librpc/gen_ndr/dcerpc.h"
_PRIVATE_ NTSTATUS gensec_may_reset_crypto(struct gensec_security *gensec_security,
bool full_reset)
{
if (!gensec_security->ops->may_reset_crypto) {
return NT_STATUS_OK;
}
return gensec_security->ops->may_reset_crypto(gensec_security, full_reset);
}
/*
wrappers for the gensec function pointers
*/
@ -217,6 +227,50 @@ _PUBLIC_ size_t gensec_max_update_size(struct gensec_security *gensec_security)
return gensec_security->max_update_size;
}
static NTSTATUS gensec_verify_dcerpc_auth_level(struct gensec_security *gensec_security)
{
if (gensec_security->dcerpc_auth_level == 0) {
return NT_STATUS_OK;
}
/*
* Because callers using the
* gensec_start_mech_by_auth_type() never call
* gensec_want_feature(), it isn't sensible for them
* to have to call gensec_have_feature() manually, and
* these are not points of negotiation, but are
* asserted by the client
*/
switch (gensec_security->dcerpc_auth_level) {
case DCERPC_AUTH_LEVEL_INTEGRITY:
if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
DEBUG(0,("Did not manage to negotiate mandetory feature "
"SIGN for dcerpc auth_level %u\n",
gensec_security->dcerpc_auth_level));
return NT_STATUS_ACCESS_DENIED;
}
break;
case DCERPC_AUTH_LEVEL_PRIVACY:
if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
DEBUG(0,("Did not manage to negotiate mandetory feature "
"SIGN for dcerpc auth_level %u\n",
gensec_security->dcerpc_auth_level));
return NT_STATUS_ACCESS_DENIED;
}
if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
DEBUG(0,("Did not manage to negotiate mandetory feature "
"SEAL for dcerpc auth_level %u\n",
gensec_security->dcerpc_auth_level));
return NT_STATUS_ACCESS_DENIED;
}
break;
default:
break;
}
return NT_STATUS_OK;
}
_PUBLIC_ NTSTATUS gensec_update_ev(struct gensec_security *gensec_security,
TALLOC_CTX *out_mem_ctx,
struct tevent_context *ev,
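Review bot: the three DEBUG messages in the new gensec_verify_dcerpc_auth_level() all misspell "mandatory" as "mandetory"; the refactor moves these strings from two call sites into one function, which is the right moment to fix the spelling once. The explanatory comment ("Because callers using the gensec_start_mech_by_auth_type() never call gensec_want_feature() ...") is copied into the helper but also left behind, as unchanged context, above both call sites (the `* asserted by the client */` lines before each new `gensec_verify_dcerpc_auth_level(...)` call); drop the copies at the call sites so the reasoning lives in one place. Behaviour is otherwise identical to the removed switches: INTEGRITY requires SIGN, PRIVACY requires SIGN and SEAL, and every other level, including CONNECT, passes through `default:`.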
@ -261,31 +315,9 @@ _PUBLIC_ NTSTATUS gensec_update_ev(struct gensec_security *gensec_security,
* these are not points of negotiation, but are
* asserted by the client
*/
switch (gensec_security->dcerpc_auth_level) {
case DCERPC_AUTH_LEVEL_INTEGRITY:
if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
DEBUG(0,("Did not manage to negotiate mandetory feature "
"SIGN for dcerpc auth_level %u\n",
gensec_security->dcerpc_auth_level));
return NT_STATUS_ACCESS_DENIED;
}
break;
case DCERPC_AUTH_LEVEL_PRIVACY:
if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
DEBUG(0,("Did not manage to negotiate mandetory feature "
"SIGN for dcerpc auth_level %u\n",
gensec_security->dcerpc_auth_level));
return NT_STATUS_ACCESS_DENIED;
}
if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
DEBUG(0,("Did not manage to negotiate mandetory feature "
"SEAL for dcerpc auth_level %u\n",
gensec_security->dcerpc_auth_level));
return NT_STATUS_ACCESS_DENIED;
}
break;
default:
break;
status = gensec_verify_dcerpc_auth_level(gensec_security);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
return NT_STATUS_OK;
@ -458,34 +490,9 @@ static void gensec_update_subreq_done(struct tevent_req *subreq)
* these are not points of negotiation, but are
* asserted by the client
*/
switch (state->gensec_security->dcerpc_auth_level) {
case DCERPC_AUTH_LEVEL_INTEGRITY:
if (!gensec_have_feature(state->gensec_security, GENSEC_FEATURE_SIGN)) {
DEBUG(0,("Did not manage to negotiate mandetory feature "
"SIGN for dcerpc auth_level %u\n",
state->gensec_security->dcerpc_auth_level));
tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
return;
}
break;
case DCERPC_AUTH_LEVEL_PRIVACY:
if (!gensec_have_feature(state->gensec_security, GENSEC_FEATURE_SIGN)) {
DEBUG(0,("Did not manage to negotiate mandetory feature "
"SIGN for dcerpc auth_level %u\n",
state->gensec_security->dcerpc_auth_level));
tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
return;
}
if (!gensec_have_feature(state->gensec_security, GENSEC_FEATURE_SEAL)) {
DEBUG(0,("Did not manage to negotiate mandetory feature "
"SEAL for dcerpc auth_level %u\n",
state->gensec_security->dcerpc_auth_level));
tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
return;
}
break;
default:
break;
status = gensec_verify_dcerpc_auth_level(state->gensec_security);
if (tevent_req_nterror(req, status)) {
return;
}
tevent_req_done(req);

View File

@ -61,6 +61,8 @@ struct gensec_target {
#define GENSEC_FEATURE_SIGN_PKT_HEADER 0x00000040
#define GENSEC_FEATURE_NEW_SPNEGO 0x00000080
#define GENSEC_FEATURE_UNIX_TOKEN 0x00000100
#define GENSEC_FEATURE_NTLM_CCACHE 0x00000200
#define GENSEC_FEATURE_LDAP_STYLE 0x00000400
#define GENSEC_EXPIRE_TIME_INFINITY (NTTIME)0x8000000000000000LL
@ -163,6 +165,8 @@ const struct gensec_security_ops *gensec_security_by_sasl_name(struct gensec_sec
const struct gensec_security_ops *gensec_security_by_auth_type(
struct gensec_security *gensec_security,
uint32_t auth_type);
const struct gensec_security_ops *gensec_security_by_name(struct gensec_security *gensec_security,
const char *name);
const struct gensec_security_ops **gensec_security_mechs(struct gensec_security *gensec_security,
TALLOC_CTX *mem_ctx);
const struct gensec_security_ops_wrapper *gensec_security_by_oid_list(

View File

@ -47,6 +47,8 @@ struct gensec_security_ops {
NTSTATUS (*update_recv)(struct tevent_req *req,
TALLOC_CTX *out_mem_ctx,
DATA_BLOB *out);
NTSTATUS (*may_reset_crypto)(struct gensec_security *gensec_security,
bool full_reset);
NTSTATUS (*seal_packet)(struct gensec_security *gensec_security, TALLOC_CTX *sig_mem_ctx,
uint8_t *data, size_t length,
const uint8_t *whole_pdu, size_t pdu_length,
@ -110,6 +112,8 @@ struct gensec_security {
* NTLM authentication backend, and user lookup (such as if no
* PAC is found) */
struct auth4_context *auth_context;
struct gensec_security *child_security;
};
/* this structure is used by backends to determine the size of some critical types */
@ -119,4 +123,7 @@ struct gensec_critical_sizes {
int sizeof_gensec_security;
};
NTSTATUS gensec_may_reset_crypto(struct gensec_security *gensec_security,
bool full_reset);
#endif /* __GENSEC_H__ */

View File

@ -211,8 +211,10 @@ _PUBLIC_ const struct gensec_security_ops *gensec_security_by_sasl_name(
}
backends = gensec_security_mechs(gensec_security, mem_ctx);
for (i=0; backends && backends[i]; i++) {
if (!gensec_security_ops_enabled(backends[i], gensec_security))
continue;
if (gensec_security != NULL &&
!gensec_security_ops_enabled(backends[i], gensec_security)) {
continue;
}
if (backends[i]->sasl_name
&& (strcmp(backends[i]->sasl_name, sasl_name) == 0)) {
backend = backends[i];
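Review bot: the new `gensec_security != NULL` guard in gensec_security_by_sasl_name() allows the function to be called with a NULL gensec_security, but the unchanged line just above it, `backends = gensec_security_mechs(gensec_security, mem_ctx);`, passes the same possibly-NULL pointer through, and the mem_ctx allocation earlier in the function is outside this hunk; confirm that gensec_security_mechs() and that allocation tolerate NULL, otherwise the guard only moves the crash one line up.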
@ -232,7 +234,13 @@ _PUBLIC_ const struct gensec_security_ops *gensec_security_by_auth_type(
int i;
const struct gensec_security_ops **backends;
const struct gensec_security_ops *backend;
TALLOC_CTX *mem_ctx = talloc_new(gensec_security);
TALLOC_CTX *mem_ctx;
if (auth_type == DCERPC_AUTH_TYPE_NONE) {
return NULL;
}
mem_ctx = talloc_new(gensec_security);
if (!mem_ctx) {
return NULL;
}
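Review bot: the early `return NULL` for DCERPC_AUTH_TYPE_NONE in gensec_security_by_auth_type() is placed before the talloc_new(), so it does not leak a context, which is right; add a one-line comment saying that NONE deliberately has no backend, because a NULL return from this lookup is otherwise indistinguishable from "auth type not found" (the `return NULL;` at the end of the function) for callers.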
@ -253,8 +261,8 @@ _PUBLIC_ const struct gensec_security_ops *gensec_security_by_auth_type(
return NULL;
}
static const struct gensec_security_ops *gensec_security_by_name(struct gensec_security *gensec_security,
const char *name)
const struct gensec_security_ops *gensec_security_by_name(struct gensec_security *gensec_security,
const char *name)
{
int i;
const struct gensec_security_ops **backends;

View File

@ -81,7 +81,7 @@ static bool gensec_gssapi_check_oid(const DATA_BLOB *blob, const char *oid)
if (!asn1_start_tag(data, ASN1_APPLICATION(0))) goto err;
if (!asn1_check_OID(data, oid)) goto err;
ret = !data->has_error;
ret = !asn1_has_error(data);
err:
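Review bot: replacing the direct `data->has_error` read with `asn1_has_error(data)` in gensec_gssapi_check_oid() is the right direction, but it is the only such change in this diff; check the other gensec backends for remaining direct accesses to the field so the accessor is used consistently and the struct member can later become private.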

View File

@ -467,6 +467,16 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
*out = data_blob(NULL, 0);
if (gensec_security->dcerpc_auth_level < DCERPC_AUTH_LEVEL_INTEGRITY) {
switch (gensec_security->gensec_role) {
case GENSEC_CLIENT:
return NT_STATUS_INVALID_PARAMETER_MIX;
case GENSEC_SERVER:
return NT_STATUS_INVALID_PARAMETER;
}
return NT_STATUS_INTERNAL_ERROR;
}
switch (gensec_security->gensec_role) {
case GENSEC_CLIENT:
if (state != NULL) {
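Review bot: the new guard in schannel_update() returns NT_STATUS_INVALID_PARAMETER_MIX for GENSEC_CLIENT and NT_STATUS_INVALID_PARAMETER for GENSEC_SERVER, with NT_STATUS_INTERNAL_ERROR reached only by falling out of the switch; a comment explaining why the two roles get different codes would help, and an explicit `default:` case makes the fall-through intentional rather than accidental. This is the change that matches the release notes for CVE-2016-2118: schannel is now refused below DCERPC_AUTH_LEVEL_INTEGRITY instead of silently accepting a CONNECT-level bind.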
@ -662,9 +672,15 @@ static NTSTATUS schannel_client_start(struct gensec_security *gensec_security)
static bool schannel_have_feature(struct gensec_security *gensec_security,
uint32_t feature)
{
if (feature & (GENSEC_FEATURE_SIGN |
GENSEC_FEATURE_SEAL)) {
return true;
if (gensec_security->dcerpc_auth_level >= DCERPC_AUTH_LEVEL_INTEGRITY) {
if (feature & GENSEC_FEATURE_SIGN) {
return true;
}
}
if (gensec_security->dcerpc_auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
if (feature & GENSEC_FEATURE_SEAL) {
return true;
}
}
if (feature & GENSEC_FEATURE_DCE_STYLE) {
return true;
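Review bot: the new logic relies on DCERPC_AUTH_LEVEL_PRIVACY comparing greater than DCERPC_AUTH_LEVEL_INTEGRITY so that GENSEC_FEATURE_SIGN is still reported at privacy level; a one-line comment that "privacy implies integrity" would save the next reader a trip to the enum. Note the behavioural change for callers: the removed lines returned `true` for GENSEC_FEATURE_SEAL unconditionally, so any caller that used schannel_have_feature() to decide whether it may seal now gets `false` below privacy level and must cope with that.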

View File

@ -53,6 +53,11 @@ struct spnego_state {
const char *neg_oid;
DATA_BLOB mech_types;
size_t num_targs;
bool mic_requested;
bool needs_mic_sign;
bool needs_mic_check;
bool done_mic_check;
/*
* The following is used to implement
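Review bot: the four new booleans (mic_requested, needs_mic_sign, needs_mic_check, done_mic_check) carry the whole mechListMIC state machine but, unlike the field documented right below them, have no comments. Document when each is set and cleared and which side (client or server) reads it; the transitions are spread over several hundred lines of gensec_spnego_update() and are the part of this change that future maintainers will need to audit.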
@ -416,6 +421,11 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_
spnego_state->neg_oid = all_sec[i].oid;
*unwrapped_out = data_blob_null;
nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
/*
* Indicate the downgrade and request a
* mic.
*/
spnego_state->mic_requested = true;
break;
}
@ -674,22 +684,27 @@ static NTSTATUS gensec_spnego_server_negTokenTarg(struct spnego_state *spnego_st
/* compose reply */
spnego_out.type = SPNEGO_NEG_TOKEN_TARG;
spnego_out.negTokenTarg.responseToken = unwrapped_out;
spnego_out.negTokenTarg.mechListMIC = null_data_blob;
spnego_out.negTokenTarg.mechListMIC = mech_list_mic;
spnego_out.negTokenTarg.supportedMech = NULL;
if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
spnego_out.negTokenTarg.supportedMech = spnego_state->neg_oid;
spnego_out.negTokenTarg.negResult = SPNEGO_ACCEPT_INCOMPLETE;
if (spnego_state->mic_requested) {
spnego_out.negTokenTarg.negResult = SPNEGO_REQUEST_MIC;
spnego_state->mic_requested = false;
} else {
spnego_out.negTokenTarg.negResult = SPNEGO_ACCEPT_INCOMPLETE;
}
spnego_state->state_position = SPNEGO_SERVER_TARG;
} else if (NT_STATUS_IS_OK(nt_status)) {
if (unwrapped_out.data) {
spnego_out.negTokenTarg.supportedMech = spnego_state->neg_oid;
}
spnego_out.negTokenTarg.negResult = SPNEGO_ACCEPT_COMPLETED;
spnego_out.negTokenTarg.mechListMIC = mech_list_mic;
spnego_state->state_position = SPNEGO_DONE;
} else {
spnego_out.negTokenTarg.negResult = SPNEGO_REJECT;
spnego_out.negTokenTarg.mechListMIC = null_data_blob;
DEBUG(2, ("SPNEGO login failed: %s\n", nt_errstr(nt_status)));
spnego_state->state_position = SPNEGO_DONE;
}
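Review bot: `spnego_out.negTokenTarg.mechListMIC = mech_list_mic;` is now assigned unconditionally before the branch and reset to null_data_blob in the reject branch, so the second `spnego_out.negTokenTarg.mechListMIC = mech_list_mic;` in the ACCEPT_COMPLETED branch is redundant and can be dropped. Clearing the MIC on SPNEGO_REJECT is the right call: a signed mech list for a failed negotiation would expose a signature computed under a key that was never agreed.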
@ -700,6 +715,7 @@ static NTSTATUS gensec_spnego_server_negTokenTarg(struct spnego_state *spnego_st
}
spnego_state->expected_packet = SPNEGO_NEG_TOKEN_TARG;
spnego_state->num_targs++;
return nt_status;
}
@ -784,6 +800,7 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
const char *my_mechs[] = {NULL, NULL};
NTSTATUS nt_status = NT_STATUS_INVALID_PARAMETER;
bool ok;
if (!in.length) {
/* client to produce negTokenInit */
@ -846,6 +863,14 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
return NT_STATUS_INVALID_PARAMETER;
}
ok = spnego_write_mech_types(spnego_state,
my_mechs,
&spnego_state->mech_types);
if (!ok) {
DEBUG(1, ("SPNEGO: Failed to write mechTypes\n"));
return NT_STATUS_NO_MEMORY;
}
/* set next state */
spnego_state->expected_packet = SPNEGO_NEG_TOKEN_TARG;
spnego_state->state_position = SPNEGO_CLIENT_TARG;
@ -883,18 +908,57 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
return NT_STATUS_INVALID_PARAMETER;
}
spnego_state->num_targs++;
if (!spnego_state->sub_sec_security) {
DEBUG(1, ("SPNEGO: Did not setup a mech in NEG_TOKEN_INIT\n"));
spnego_free_data(&spnego);
return NT_STATUS_INVALID_PARAMETER;
}
if (spnego_state->needs_mic_check) {
if (spnego.negTokenTarg.responseToken.length != 0) {
DEBUG(1, ("SPNEGO: Did not setup a mech in NEG_TOKEN_INIT\n"));
spnego_free_data(&spnego);
return NT_STATUS_INVALID_PARAMETER;
}
nt_status = gensec_check_packet(spnego_state->sub_sec_security,
spnego_state->mech_types.data,
spnego_state->mech_types.length,
spnego_state->mech_types.data,
spnego_state->mech_types.length,
&spnego.negTokenTarg.mechListMIC);
if (NT_STATUS_IS_OK(nt_status)) {
spnego_state->needs_mic_check = false;
spnego_state->done_mic_check = true;
} else {
DEBUG(2,("GENSEC SPNEGO: failed to verify mechListMIC: %s\n",
nt_errstr(nt_status)));
}
goto server_response;
}
nt_status = gensec_update_ev(spnego_state->sub_sec_security,
out_mem_ctx, ev,
spnego.negTokenTarg.responseToken,
&unwrapped_out);
if (NT_STATUS_IS_OK(nt_status) && spnego.negTokenTarg.mechListMIC.length > 0) {
out_mem_ctx, ev,
spnego.negTokenTarg.responseToken,
&unwrapped_out);
if (!NT_STATUS_IS_OK(nt_status)) {
goto server_response;
}
new_spnego = gensec_have_feature(spnego_state->sub_sec_security,
GENSEC_FEATURE_NEW_SPNEGO);
if (spnego.negTokenTarg.mechListMIC.length > 0) {
new_spnego = true;
}
if (new_spnego) {
spnego_state->needs_mic_check = true;
spnego_state->needs_mic_sign = true;
}
if (spnego.negTokenTarg.mechListMIC.length > 0) {
nt_status = gensec_check_packet(spnego_state->sub_sec_security,
spnego_state->mech_types.data,
spnego_state->mech_types.length,
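Review bot: the DEBUG text `"SPNEGO: Did not setup a mech in NEG_TOKEN_INIT\n"` inside the `needs_mic_check` block is copied from the check just above it and does not describe the condition being rejected, which is a non-empty responseToken arriving when only a mechListMIC was expected. Something like "unexpected responseToken while waiting for mechListMIC" would make the log useful when a peer fails this check. Likewise, when gensec_check_packet() fails here the level-2 message should say that the negotiation is being failed, since the error status is carried into gensec_spnego_server_negTokenTarg() via `goto server_response`.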
@ -904,9 +968,14 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(2,("GENSEC SPNEGO: failed to verify mechListMIC: %s\n",
nt_errstr(nt_status)));
goto server_response;
}
spnego_state->needs_mic_check = false;
spnego_state->done_mic_check = true;
}
if (NT_STATUS_IS_OK(nt_status) && new_spnego) {
if (spnego_state->needs_mic_sign) {
nt_status = gensec_sign_packet(spnego_state->sub_sec_security,
out_mem_ctx,
spnego_state->mech_types.data,
@ -917,9 +986,16 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(2,("GENSEC SPNEGO: failed to sign mechListMIC: %s\n",
nt_errstr(nt_status)));
goto server_response;
}
spnego_state->needs_mic_sign = false;
}
if (spnego_state->needs_mic_check) {
nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
}
server_response:
nt_status = gensec_spnego_server_negTokenTarg(spnego_state,
out_mem_ctx,
nt_status,
@ -933,7 +1009,8 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
}
case SPNEGO_CLIENT_TARG:
{
NTSTATUS nt_status;
NTSTATUS nt_status = NT_STATUS_INTERNAL_ERROR;
if (!in.length) {
return NT_STATUS_INVALID_PARAMETER;
}
@ -955,19 +1032,27 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
return NT_STATUS_INVALID_PARAMETER;
}
spnego_state->num_targs++;
if (spnego.negTokenTarg.negResult == SPNEGO_REJECT) {
spnego_free_data(&spnego);
return NT_STATUS_LOGON_FAILURE;
}
if (spnego.negTokenTarg.negResult == SPNEGO_REQUEST_MIC) {
spnego_state->mic_requested = true;
}
/* Server didn't like our choice of mech, and chose something else */
if ((spnego.negTokenTarg.negResult == SPNEGO_ACCEPT_INCOMPLETE) &&
if (((spnego.negTokenTarg.negResult == SPNEGO_ACCEPT_INCOMPLETE) ||
(spnego.negTokenTarg.negResult == SPNEGO_REQUEST_MIC)) &&
spnego.negTokenTarg.supportedMech &&
strcmp(spnego.negTokenTarg.supportedMech, spnego_state->neg_oid) != 0) {
DEBUG(3,("GENSEC SPNEGO: client preferred mech (%s) not accepted, server wants: %s\n",
gensec_get_name_by_oid(gensec_security, spnego.negTokenTarg.supportedMech),
gensec_get_name_by_oid(gensec_security, spnego_state->neg_oid)));
gensec_get_name_by_oid(gensec_security, spnego_state->neg_oid),
gensec_get_name_by_oid(gensec_security, spnego.negTokenTarg.supportedMech)));
spnego_state->no_response_expected = false;
talloc_free(spnego_state->sub_sec_security);
nt_status = gensec_subcontext_start(spnego_state,
gensec_security,
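Review bot: the argument swap in the DEBUG(3, ...) call is a genuine fix, the old order printed the server's supportedMech as the client's preference and neg_oid as the server's choice, and the new order matches the format string. Returning NT_STATUS_LOGON_FAILURE on SPNEGO_REJECT before the sub-mechanism is touched avoids feeding a rejected token into it, and resetting `no_response_expected` to false when the server selects a different mech is needed so the replacement sub-context gets its own exchange; a short comment on that reset would help, since it is easy to mistake for a leftover.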
@ -984,64 +1069,143 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
return nt_status;
}
nt_status = gensec_update_ev(spnego_state->sub_sec_security,
out_mem_ctx, ev,
spnego.negTokenTarg.responseToken,
&unwrapped_out);
spnego_state->neg_oid = talloc_strdup(spnego_state, spnego.negTokenTarg.supportedMech);
} else if (spnego_state->no_response_expected) {
if (spnego.negTokenTarg.negResult != SPNEGO_ACCEPT_COMPLETED) {
DEBUG(3,("GENSEC SPNEGO: client GENSEC accepted, but server rejected (bad password?)\n"));
nt_status = NT_STATUS_INVALID_PARAMETER;
} else if (spnego.negTokenTarg.responseToken.length) {
DEBUG(2,("GENSEC SPNEGO: client GENSEC accepted, but server continued negotiation!\n"));
nt_status = NT_STATUS_INVALID_PARAMETER;
} else {
nt_status = NT_STATUS_OK;
}
if (NT_STATUS_IS_OK(nt_status) && spnego.negTokenTarg.mechListMIC.length > 0) {
nt_status = gensec_check_packet(spnego_state->sub_sec_security,
spnego_state->mech_types.data,
spnego_state->mech_types.length,
spnego_state->mech_types.data,
spnego_state->mech_types.length,
&spnego.negTokenTarg.mechListMIC);
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(2,("GENSEC SPNEGO: failed to verify mechListMIC: %s\n",
nt_errstr(nt_status)));
}
}
} else {
bool new_spnego = false;
spnego_state->neg_oid = talloc_strdup(spnego_state,
spnego.negTokenTarg.supportedMech);
if (spnego_state->neg_oid == NULL) {
spnego_free_data(&spnego);
return NT_STATUS_NO_MEMORY;
};
}
if (spnego.negTokenTarg.mechListMIC.length > 0) {
if (spnego_state->no_response_expected) {
spnego_state->needs_mic_check = true;
}
}
if (spnego_state->needs_mic_check) {
if (spnego.negTokenTarg.responseToken.length != 0) {
DEBUG(1, ("SPNEGO: Did not setup a mech in NEG_TOKEN_INIT\n"));
spnego_free_data(&spnego);
return NT_STATUS_INVALID_PARAMETER;
}
nt_status = gensec_check_packet(spnego_state->sub_sec_security,
spnego_state->mech_types.data,
spnego_state->mech_types.length,
spnego_state->mech_types.data,
spnego_state->mech_types.length,
&spnego.negTokenTarg.mechListMIC);
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(2,("GENSEC SPNEGO: failed to verify mechListMIC: %s\n",
nt_errstr(nt_status)));
spnego_free_data(&spnego);
return nt_status;
}
spnego_state->needs_mic_check = false;
spnego_state->done_mic_check = true;
goto client_response;
}
if (!spnego_state->no_response_expected) {
nt_status = gensec_update_ev(spnego_state->sub_sec_security,
out_mem_ctx, ev,
spnego.negTokenTarg.responseToken,
&unwrapped_out);
if (NT_STATUS_IS_OK(nt_status)
&& spnego.negTokenTarg.negResult != SPNEGO_ACCEPT_COMPLETED) {
new_spnego = gensec_have_feature(spnego_state->sub_sec_security,
GENSEC_FEATURE_NEW_SPNEGO);
if (!NT_STATUS_IS_OK(nt_status)) {
goto client_response;
}
if (NT_STATUS_IS_OK(nt_status) && new_spnego) {
nt_status = gensec_sign_packet(spnego_state->sub_sec_security,
out_mem_ctx,
spnego_state->mech_types.data,
spnego_state->mech_types.length,
spnego_state->mech_types.data,
spnego_state->mech_types.length,
&mech_list_mic);
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(2,("GENSEC SPNEGO: failed to sign mechListMIC: %s\n",
nt_errstr(nt_status)));
spnego_state->no_response_expected = true;
} else {
nt_status = NT_STATUS_OK;
}
if (spnego_state->no_response_expected &&
!spnego_state->done_mic_check)
{
bool new_spnego = false;
new_spnego = gensec_have_feature(spnego_state->sub_sec_security,
GENSEC_FEATURE_NEW_SPNEGO);
switch (spnego.negTokenTarg.negResult) {
case SPNEGO_ACCEPT_COMPLETED:
case SPNEGO_NONE_RESULT:
if (spnego_state->num_targs == 1) {
/*
* the first exchange doesn't require
* verification
*/
new_spnego = false;
}
break;
case SPNEGO_ACCEPT_INCOMPLETE:
case SPNEGO_REQUEST_MIC:
if (spnego.negTokenTarg.mechListMIC.length > 0) {
new_spnego = true;
}
break;
default:
break;
}
if (spnego_state->mic_requested) {
bool sign;
sign = gensec_have_feature(spnego_state->sub_sec_security,
GENSEC_FEATURE_SIGN);
if (sign) {
new_spnego = true;
}
}
if (NT_STATUS_IS_OK(nt_status)) {
spnego_state->no_response_expected = true;
}
}
if (new_spnego) {
spnego_state->needs_mic_check = true;
spnego_state->needs_mic_sign = true;
}
}
if (spnego.negTokenTarg.mechListMIC.length > 0) {
nt_status = gensec_check_packet(spnego_state->sub_sec_security,
spnego_state->mech_types.data,
spnego_state->mech_types.length,
spnego_state->mech_types.data,
spnego_state->mech_types.length,
&spnego.negTokenTarg.mechListMIC);
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(2,("GENSEC SPNEGO: failed to verify mechListMIC: %s\n",
nt_errstr(nt_status)));
spnego_free_data(&spnego);
return nt_status;
}
spnego_state->needs_mic_check = false;
spnego_state->done_mic_check = true;
}
if (spnego_state->needs_mic_sign) {
nt_status = gensec_sign_packet(spnego_state->sub_sec_security,
out_mem_ctx,
spnego_state->mech_types.data,
spnego_state->mech_types.length,
spnego_state->mech_types.data,
spnego_state->mech_types.length,
&mech_list_mic);
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(2,("GENSEC SPNEGO: failed to sign mechListMIC: %s\n",
nt_errstr(nt_status)));
spnego_free_data(&spnego);
return nt_status;
}
spnego_state->needs_mic_sign = false;
}
if (spnego_state->needs_mic_check) {
nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
}
client_response:
spnego_free_data(&spnego);
if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)
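Review bot: `"SPNEGO: Did not setup a mech in NEG_TOKEN_INIT\n"` in the client-side `needs_mic_check` block is the same copy-pasted message as on the server side and does not describe the condition (responseToken present when only a mechListMIC was expected). Two smaller points in this hunk: `};` after `return NT_STATUS_NO_MEMORY;` carries a stray semicolon, and the opening brace of `if (spnego_state->no_response_expected && !spnego_state->done_mic_check)` sits on its own line unlike every other block in the file. The gensec_check_packet() call over `spnego_state->mech_types` with identical arguments now appears three times in this function; a small static helper would make the MIC verification, which is the security-relevant part of this change, easier to audit in one place.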
@ -1065,6 +1229,7 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
return NT_STATUS_INVALID_PARAMETER;
}
spnego_state->num_targs++;
spnego_state->state_position = SPNEGO_CLIENT_TARG;
nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
} else {
@ -1095,26 +1260,24 @@ static NTSTATUS gensec_spnego_update_in(struct gensec_security *gensec_security,
{
struct spnego_state *spnego_state = (struct spnego_state *)gensec_security->private_data;
size_t expected;
NTSTATUS status;
bool ok;
*full_in = data_blob_null;
if (spnego_state->in_needed == 0) {
size_t size = 0;
int ret;
/*
* try to work out the size of the full
* input token, it might be fragmented
*/
status = asn1_peek_full_tag(in, ASN1_APPLICATION(0), &size);
if (!NT_STATUS_IS_OK(status) &&
!NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES)) {
status = asn1_peek_full_tag(in, ASN1_CONTEXT(1), &size);
ret = asn1_peek_full_tag(in, ASN1_APPLICATION(0), &size);
if ((ret != 0) && (ret != EAGAIN)) {
ret = asn1_peek_full_tag(in, ASN1_CONTEXT(1), &size);
}
if (NT_STATUS_IS_OK(status) ||
NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES)) {
if ((ret == 0) || (ret == EAGAIN)) {
spnego_state->in_needed = size;
} else {
/*
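Review bot: asn1_peek_full_tag() now returns an int with EAGAIN meaning "need more data" instead of an NTSTATUS with STATUS_MORE_ENTRIES, so this file needs <errno.h> (or a header that pulls it in) for EAGAIN; no include change is visible in this hunk. The `(ret == 0) || (ret == EAGAIN)` test is repeated in two forms within a few lines; a comment stating that 0 means the full token is present and EAGAIN that it is fragmented would make the fallback to ASN1_CONTEXT(1) self-explanatory.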
@ -1262,6 +1425,16 @@ static NTSTATUS gensec_spnego_update_wrapper(struct gensec_security *gensec_secu
&spnego_state->out_frag);
data_blob_free(&spnego_state->in_frag);
spnego_state->in_needed = 0;
if (NT_STATUS_IS_OK(status)) {
bool reset_full = true;
gensec_security->child_security = spnego_state->sub_sec_security;
reset_full = !spnego_state->done_mic_check;
status = gensec_may_reset_crypto(spnego_state->sub_sec_security,
reset_full);
}
if (!NT_STATUS_IS_OK(status) &&
!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
return status;
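Review bot: `bool reset_full = true;` is immediately overwritten by `reset_full = !spnego_state->done_mic_check;`, so the initializer is dead; write `bool reset_full = !spnego_state->done_mic_check;` in one line. The intent, resetting the signing sequence numbers only when no mechListMIC has been verified over the exchange, deserves a comment here because this is the call the NTLMSSP MIC handling depends on.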

View File

@ -105,6 +105,15 @@ bool gensec_ntlmssp_have_feature(struct gensec_security *gensec_security,
if (feature & GENSEC_FEATURE_SIGN_PKT_HEADER) {
return true;
}
if (feature & GENSEC_FEATURE_NEW_SPNEGO) {
if (!ntlmssp_state->session_key.length) {
return false;
}
if (!(ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN)) {
return false;
}
return ntlmssp_state->new_spnego;
}
return false;
}

View File

@ -34,7 +34,7 @@
#include "auth/gensec/gensec_internal.h"
#include "auth/common_auth.h"
#include "param/param.h"
#include "param/loadparm.h"
/**
* Return the credentials of a logged on user, including session keys
@ -98,6 +98,9 @@ NTSTATUS gensec_ntlmssp_server_start(struct gensec_security *gensec_security)
const char *netbios_domain;
const char *dns_name;
const char *dns_domain;
enum server_role role;
role = lpcfg_server_role(gensec_security->settings->lp_ctx);
nt_status = gensec_ntlmssp_start(gensec_security);
NT_STATUS_NOT_OK_RETURN(nt_status);
@ -117,13 +120,32 @@ NTSTATUS gensec_ntlmssp_server_start(struct gensec_security *gensec_security)
ntlmssp_state->expected_state = NTLMSSP_NEGOTIATE;
if (lpcfg_lanman_auth(gensec_security->settings->lp_ctx) &&
ntlmssp_state->allow_lm_response =
lpcfg_lanman_auth(gensec_security->settings->lp_ctx);
if (ntlmssp_state->allow_lm_response &&
gensec_setting_bool(gensec_security->settings,
"ntlmssp_server", "allow_lm_key", false))
{
ntlmssp_state->allow_lm_key = true;
}
if (lpcfg_map_to_guest(gensec_security->settings->lp_ctx) != NEVER_MAP_TO_GUEST) {
/*
* map to guest is not secure anyway, so
* try to make it work and don't try to
* negotiate new_spnego and MIC checking
*/
ntlmssp_state->force_old_spnego = true;
}
if (role == ROLE_ACTIVE_DIRECTORY_DC) {
/*
* map to guest is not supported on an AD DC.
*/
ntlmssp_state->force_old_spnego = false;
}
ntlmssp_state->neg_flags =
NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_VERSION;
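Review bot: when `role == ROLE_ACTIVE_DIRECTORY_DC` the force_old_spnego set by the `map to guest` branch is silently overridden; either log that the setting is being ignored on a DC or fold the two into a single `if (... != NEVER_MAP_TO_GUEST && role != ROLE_ACTIVE_DIRECTORY_DC)` so the relationship is visible at a glance. Deciding allow_lm_response once from `lanman auth` at start is clearer than the previous inline lpcfg call and gives the later flag handling a single source of truth.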
@ -147,18 +169,31 @@ NTSTATUS gensec_ntlmssp_server_start(struct gensec_security *gensec_security)
ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_NTLM2;
}
if (ntlmssp_state->allow_lm_key) {
ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_LM_KEY;
}
if (gensec_security->want_features & GENSEC_FEATURE_SESSION_KEY) {
ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
}
if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
if (gensec_security->want_features & GENSEC_FEATURE_LDAP_STYLE) {
/*
* We need to handle NTLMSSP_NEGOTIATE_SIGN as
* NTLMSSP_NEGOTIATE_SEAL if GENSEC_FEATURE_LDAP_STYLE
* is requested.
*/
ntlmssp_state->force_wrap_seal = true;
}
}
if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
}
if (lpcfg_server_role(gensec_security->settings->lp_ctx) == ROLE_STANDALONE) {
if (role == ROLE_STANDALONE) {
ntlmssp_state->server.is_standalone = true;
} else {
ntlmssp_state->server.is_standalone = false;
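Review bot: `if (gensec_security->want_features & GENSEC_FEATURE_SESSION_KEY)` now adds NTLMSSP_NEGOTIATE_SIGN even for callers that only asked for a session key; that is what the key exchange and the NEW_SPNEGO feature check (which requires NTLMSSP_NEGOTIATE_SIGN) need, but a comment saying so would stop someone from "simplifying" it later. Gating NTLMSSP_NEGOTIATE_LM_KEY on allow_lm_key keeps the weak LM key exchange off unless explicitly enabled, and the force_wrap_seal comment explains the LDAP_STYLE mapping well.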
@ -215,6 +250,9 @@ NTSTATUS gensec_ntlmssp_server_start(struct gensec_security *gensec_security)
ntlmssp_state->server.dns_domain = talloc_strdup(ntlmssp_state, dns_domain);
NT_STATUS_HAVE_NO_MEMORY(ntlmssp_state->server.dns_domain);
ntlmssp_state->neg_flags |= ntlmssp_state->required_flags;
ntlmssp_state->conf_flags = ntlmssp_state->neg_flags;
return NT_STATUS_OK;
}

View File

@ -47,6 +47,10 @@ static const struct ntlmssp_callbacks {
.role = NTLMSSP_CLIENT,
.command = NTLMSSP_INITIAL,
.sync_fn = ntlmssp_client_initial,
},{
.role = NTLMSSP_CLIENT,
.command = NTLMSSP_NEGOTIATE,
.sync_fn = gensec_ntlmssp_resume_ccache,
},{
.role = NTLMSSP_SERVER,
.command = NTLMSSP_NEGOTIATE,
@ -82,6 +86,15 @@ static NTSTATUS gensec_ntlmssp_update_find(struct gensec_security *gensec_securi
if (!input.length) {
switch (gensec_ntlmssp->ntlmssp_state->role) {
case NTLMSSP_CLIENT:
if (gensec_ntlmssp->ntlmssp_state->resume_ccache) {
/*
* make sure gensec_ntlmssp_resume_ccache()
* will be called
*/
ntlmssp_command = NTLMSSP_NEGOTIATE;
break;
}
ntlmssp_command = NTLMSSP_INITIAL;
break;
case NTLMSSP_SERVER:
@ -166,6 +179,30 @@ NTSTATUS gensec_ntlmssp_update(struct gensec_security *gensec_security,
return NT_STATUS_OK;
}
static NTSTATUS gensec_ntlmssp_may_reset_crypto(struct gensec_security *gensec_security,
bool full_reset)
{
struct gensec_ntlmssp_context *gensec_ntlmssp =
talloc_get_type_abort(gensec_security->private_data,
struct gensec_ntlmssp_context);
struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state;
NTSTATUS status;
bool reset_seqnums = full_reset;
if (!gensec_ntlmssp_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
return NT_STATUS_OK;
}
status = ntlmssp_sign_reset(ntlmssp_state, reset_seqnums);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Could not reset NTLMSSP signing/sealing system (error was: %s)\n",
nt_errstr(status)));
return status;
}
return NT_STATUS_OK;
}
static const char *gensec_ntlmssp_oids[] = {
GENSEC_OID_NTLMSSP,
NULL
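Review bot: `bool reset_seqnums = full_reset;` is a plain alias for the parameter; pass full_reset to ntlmssp_sign_reset() directly or explain why the local name differs. Returning NT_STATUS_OK when GENSEC_FEATURE_SIGN was never negotiated is correct, since a reset would otherwise touch signing state that was never initialised.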
@ -180,6 +217,7 @@ static const struct gensec_security_ops gensec_ntlmssp_security_ops = {
.server_start = gensec_ntlmssp_server_start,
.magic = gensec_ntlmssp_magic,
.update = gensec_ntlmssp_update,
.may_reset_crypto= gensec_ntlmssp_may_reset_crypto,
.sig_size = gensec_ntlmssp_sig_size,
.sign_packet = gensec_ntlmssp_sign_packet,
.check_packet = gensec_ntlmssp_check_packet,
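Review bot: `.may_reset_crypto= gensec_ntlmssp_may_reset_crypto,` is missing the space before `=` that every other initializer in this table has.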
@ -194,6 +232,15 @@ static const struct gensec_security_ops gensec_ntlmssp_security_ops = {
.priority = GENSEC_NTLMSSP
};
static const struct gensec_security_ops gensec_ntlmssp_resume_ccache_ops = {
.name = "ntlmssp_resume_ccache",
.client_start = gensec_ntlmssp_resume_ccache_start,
.update = gensec_ntlmssp_update,
.session_key = gensec_ntlmssp_session_key,
.have_feature = gensec_ntlmssp_have_feature,
.enabled = true,
.priority = GENSEC_NTLMSSP
};
_PUBLIC_ NTSTATUS gensec_ntlmssp_init(void)
{
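Review bot: gensec_ntlmssp_resume_ccache_ops sets `.have_feature = gensec_ntlmssp_have_feature`, which can report GENSEC_FEATURE_SIGN and GENSEC_FEATURE_SEAL, but the table has no .sig_size, .sign_packet, .check_packet, .seal_packet or .unseal_packet entries. Add a comment stating that this backend only completes the handshake and exposes the session key and that callers must not ask it to sign or seal, or wire in the missing ops; as written, a caller that trusts have_feature() and then calls gensec_sign_packet() hits a NULL op.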
@ -206,16 +253,58 @@ _PUBLIC_ NTSTATUS gensec_ntlmssp_init(void)
return ret;
}
ret = gensec_register(&gensec_ntlmssp_resume_ccache_ops);
if (!NT_STATUS_IS_OK(ret)) {
DEBUG(0,("Failed to register '%s' gensec backend!\n",
gensec_ntlmssp_resume_ccache_ops.name));
return ret;
}
return ret;
}
static struct gensec_security *gensec_find_child_by_ops(struct gensec_security *gensec_security,
const struct gensec_security_ops *ops)
{
struct gensec_security *current = gensec_security;
while (current != NULL) {
if (current->ops == ops) {
return current;
}
current = current->child_security;
}
return NULL;
}
uint32_t gensec_ntlmssp_neg_flags(struct gensec_security *gensec_security)
{
struct gensec_ntlmssp_context *gensec_ntlmssp;
if (gensec_security->ops != &gensec_ntlmssp_security_ops) {
gensec_security = gensec_find_child_by_ops(gensec_security,
&gensec_ntlmssp_security_ops);
if (gensec_security == NULL) {
return 0;
}
gensec_ntlmssp = talloc_get_type_abort(gensec_security->private_data,
struct gensec_ntlmssp_context);
return gensec_ntlmssp->ntlmssp_state->neg_flags;
}
const char *gensec_ntlmssp_server_domain(struct gensec_security *gensec_security)
{
struct gensec_ntlmssp_context *gensec_ntlmssp;
gensec_security = gensec_find_child_by_ops(gensec_security,
&gensec_ntlmssp_security_ops);
if (gensec_security == NULL) {
return NULL;
}
gensec_ntlmssp = talloc_get_type_abort(gensec_security->private_data,
struct gensec_ntlmssp_context);
return gensec_ntlmssp->ntlmssp_state->server.netbios_domain;
}
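Review bot: gensec_ntlmssp_neg_flags() guards with `if (gensec_security->ops != &gensec_ntlmssp_security_ops)` before calling gensec_find_child_by_ops(), but gensec_find_child_by_ops() already tests the top-level context on its first iteration, so the guard is redundant and the function can be written exactly like gensec_ntlmssp_server_domain() below it; that also removes the nested block whose closing brace does not appear in the rendered hunk. Both helpers rely on talloc_get_type_abort(), so a context whose ops match but whose private_data is of another type aborts rather than returning an error, which is consistent with the rest of this file.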

View File

@ -62,7 +62,9 @@ struct ntlmssp_state
bool unicode;
bool use_ntlmv2;
bool use_ccache;
bool resume_ccache;
bool use_nt_response; /* Set to 'False' to debug what happens when the NT response is omited */
bool allow_lm_response;/* The LM_RESPONSE code is not very secure... */
bool allow_lm_key; /* The LM_KEY code is not very secure... */
const char *user;
@ -70,9 +72,15 @@ struct ntlmssp_state
uint8_t *nt_hash;
uint8_t *lm_hash;
DATA_BLOB negotiate_blob;
DATA_BLOB challenge_blob;
bool new_spnego;
bool force_old_spnego;
struct {
const char *netbios_name;
const char *netbios_domain;
struct AV_PAIR_LIST av_pair_list;
} client;
struct {
@ -81,6 +89,8 @@ struct ntlmssp_state
const char *netbios_domain;
const char *dns_name;
const char *dns_domain;
NTTIME challenge_endtime;
struct AV_PAIR_LIST av_pair_list;
} server;
DATA_BLOB internal_chal; /* Random challenge as supplied to the client for NTLM authentication */
@ -90,8 +100,12 @@ struct ntlmssp_state
DATA_BLOB nt_resp;
DATA_BLOB session_key;
uint32_t conf_flags;
uint32_t required_flags;
uint32_t neg_flags; /* the current state of negotiation with the NTLMSSP partner */
bool force_wrap_seal;
union ntlmssp_crypt_state *crypt;
};
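Review bot: conf_flags, required_flags and force_wrap_seal are added next to neg_flags, the only commented field in this block, with no comments of their own. Add one line each: the server start path shows the intent (required_flags is merged into neg_flags and conf_flags then snapshots the result; force_wrap_seal is the LDAP-style SIGN-as-SEAL override), but the header is where readers will look for the contract between these three fields and the MIC and flag checks that use them.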
@ -123,6 +137,8 @@ NTSTATUS ntlmssp_unwrap(struct ntlmssp_state *ntlmssp_stae,
TALLOC_CTX *out_mem_ctx,
const DATA_BLOB *in,
DATA_BLOB *out);
NTSTATUS ntlmssp_sign_reset(struct ntlmssp_state *ntlmssp_state,
bool reset_seqnums);
NTSTATUS ntlmssp_sign_init(struct ntlmssp_state *ntlmssp_state);
bool ntlmssp_blob_matches_magic(const DATA_BLOB *blob);
@ -132,3 +148,4 @@ bool ntlmssp_blob_matches_magic(const DATA_BLOB *blob);
NTSTATUS gensec_ntlmssp_init(void);
uint32_t gensec_ntlmssp_neg_flags(struct gensec_security *gensec_security);
const char *gensec_ntlmssp_server_domain(struct gensec_security *gensec_security);

View File

@ -34,6 +34,7 @@ struct auth_session_info;
#include "auth/ntlmssp/ntlmssp_private.h"
#include "../librpc/gen_ndr/ndr_ntlmssp.h"
#include "../auth/ntlmssp/ntlmssp_ndr.h"
#include "../nsswitch/libwbclient/wbclient.h"
/*********************************************************************
Client side NTLMSSP
@ -57,38 +58,18 @@ NTSTATUS ntlmssp_client_initial(struct gensec_security *gensec_security,
talloc_get_type_abort(gensec_security->private_data,
struct gensec_ntlmssp_context);
struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state;
const char *domain = ntlmssp_state->client.netbios_domain;
const char *workstation = ntlmssp_state->client.netbios_name;
NTSTATUS status;
/* These don't really matter in the initial packet, so don't panic if they are not set */
if (!domain) {
domain = "";
}
if (!workstation) {
workstation = "";
}
if (ntlmssp_state->unicode) {
ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_UNICODE;
} else {
ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_OEM;
}
if (ntlmssp_state->use_ntlmv2) {
ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_NTLM2;
}
const DATA_BLOB version_blob = ntlmssp_version_blob();
/* generate the ntlmssp negotiate packet */
status = msrpc_gen(out_mem_ctx,
out, "CddAA",
out, "CddAAb",
"NTLMSSP",
NTLMSSP_NEGOTIATE,
ntlmssp_state->neg_flags,
domain,
workstation);
"", /* domain */
"", /* workstation */
version_blob.data, version_blob.length);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("ntlmssp_client_initial: failed to generate "
"ntlmssp negotiate packet\n"));
@ -109,6 +90,122 @@ NTSTATUS ntlmssp_client_initial(struct gensec_security *gensec_security,
}
}
ntlmssp_state->negotiate_blob = data_blob_dup_talloc(ntlmssp_state,
*out);
if (ntlmssp_state->negotiate_blob.length != out->length) {
return NT_STATUS_NO_MEMORY;
}
ntlmssp_state->expected_state = NTLMSSP_CHALLENGE;
return NT_STATUS_MORE_PROCESSING_REQUIRED;
}
NTSTATUS gensec_ntlmssp_resume_ccache(struct gensec_security *gensec_security,
TALLOC_CTX *out_mem_ctx,
DATA_BLOB in, DATA_BLOB *out)
{
struct gensec_ntlmssp_context *gensec_ntlmssp =
talloc_get_type_abort(gensec_security->private_data,
struct gensec_ntlmssp_context);
struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state;
uint32_t neg_flags = 0;
uint32_t ntlmssp_command;
NTSTATUS status;
bool ok;
*out = data_blob_null;
if (in.length == 0) {
/*
* This is compat code for older callers
* which were missing the "initial_blob"/"negotiate_blob".
*
* That means we can't calculate the NTLMSSP_MIC
* field correctly and need to force the
* old_spnego behaviour.
*/
DEBUG(10, ("%s: in.length==%u force_old_spnego!\n",
__func__, (unsigned int)in.length));
ntlmssp_state->force_old_spnego = true;
ntlmssp_state->neg_flags |= ntlmssp_state->required_flags;
ntlmssp_state->required_flags = 0;
ntlmssp_state->expected_state = NTLMSSP_CHALLENGE;
return NT_STATUS_MORE_PROCESSING_REQUIRED;
}
/* parse the NTLMSSP packet */
if (in.length > UINT16_MAX) {
DEBUG(1, ("%s: reject large request of length %u\n",
__func__, (unsigned int)in.length));
return NT_STATUS_INVALID_PARAMETER;
}
ok = msrpc_parse(ntlmssp_state, &in, "Cdd",
"NTLMSSP",
&ntlmssp_command,
&neg_flags);
if (!ok) {
DEBUG(1, ("%s: failed to parse NTLMSSP Negotiate of length %u\n",
__func__, (unsigned int)in.length));
dump_data(2, in.data, in.length);
return NT_STATUS_INVALID_PARAMETER;
}
if (ntlmssp_command != NTLMSSP_NEGOTIATE) {
DEBUG(1, ("%s: no NTLMSSP Negotiate message (length %u)\n",
__func__, (unsigned int)in.length));
dump_data(2, in.data, in.length);
return NT_STATUS_INVALID_PARAMETER;
}
ntlmssp_state->neg_flags = neg_flags;
DEBUG(3, ("Imported Negotiate flags:\n"));
debug_ntlmssp_flags(neg_flags);
if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_UNICODE) {
ntlmssp_state->unicode = true;
} else {
ntlmssp_state->unicode = false;
}
if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN) {
gensec_security->want_features |= GENSEC_FEATURE_SIGN;
ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
}
if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL) {
gensec_security->want_features |= GENSEC_FEATURE_SEAL;
ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SEAL;
}
ntlmssp_state->neg_flags |= ntlmssp_state->required_flags;
ntlmssp_state->conf_flags = ntlmssp_state->neg_flags;
if (DEBUGLEVEL >= 10) {
struct NEGOTIATE_MESSAGE *negotiate = talloc(
ntlmssp_state, struct NEGOTIATE_MESSAGE);
if (negotiate != NULL) {
status = ntlmssp_pull_NEGOTIATE_MESSAGE(
&in, negotiate, negotiate);
if (NT_STATUS_IS_OK(status)) {
NDR_PRINT_DEBUG(NEGOTIATE_MESSAGE,
negotiate);
}
TALLOC_FREE(negotiate);
}
}
ntlmssp_state->negotiate_blob = data_blob_dup_talloc(ntlmssp_state,
in);
if (ntlmssp_state->negotiate_blob.length != in.length) {
return NT_STATUS_NO_MEMORY;
}
ntlmssp_state->expected_state = NTLMSSP_CHALLENGE;
return NT_STATUS_MORE_PROCESSING_REQUIRED;
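Review bot: the `in.length == 0` compatibility path merges required_flags into neg_flags but never sets `ntlmssp_state->conf_flags`, whereas the normal path does (`ntlmssp_state->conf_flags = ntlmssp_state->neg_flags;`); set it there too or add a comment on why it is unnecessary once force_old_spnego is on. Storing negotiate_blob (and rejecting messages over UINT16_MAX before parsing) is what later makes the MIC over the NEGOTIATE message computable; using `negotiate_blob.length != in.length` as the allocation-failure test works but a check on `.data == NULL` reads more directly.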
@ -147,7 +244,13 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security,
DATA_BLOB encrypted_session_key = data_blob(NULL, 0);
NTSTATUS nt_status;
int flags = 0;
const char *user, *domain;
const char *user = NULL, *domain = NULL, *workstation = NULL;
bool is_anonymous = false;
const DATA_BLOB version_blob = ntlmssp_version_blob();
const NTTIME *server_timestamp = NULL;
uint8_t mic_buffer[NTLMSSP_MIC_SIZE] = { 0, };
DATA_BLOB mic_blob = data_blob_const(mic_buffer, sizeof(mic_buffer));
HMACMD5Context ctx;
TALLOC_CTX *mem_ctx = talloc_new(out_mem_ctx);
if (!mem_ctx) {
@ -172,7 +275,11 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security,
DEBUG(3, ("Got challenge flags:\n"));
debug_ntlmssp_flags(chal_flags);
ntlmssp_handle_neg_flags(ntlmssp_state, chal_flags, ntlmssp_state->allow_lm_key);
nt_status = ntlmssp_handle_neg_flags(ntlmssp_state,
chal_flags, "challenge");
if (!NT_STATUS_IS_OK(nt_status)) {
return nt_status;
}
if (ntlmssp_state->unicode) {
if (chal_flags & NTLMSSP_NEGOTIATE_TARGET_INFO) {
@ -181,7 +288,7 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security,
chal_parse_string = "CdUdbdd";
chal_parse_string_short = "CdUdb";
}
auth_gen_string = "CdBBUUUBd";
auth_gen_string = "CdBBUUUBdbb";
} else {
if (chal_flags & NTLMSSP_NEGOTIATE_TARGET_INFO) {
chal_parse_string = "CdAdbddB";
@ -190,7 +297,7 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security,
chal_parse_string_short = "CdAdb";
}
auth_gen_string = "CdBBAAABd";
auth_gen_string = "CdBBAAABdbb";
}
if (!msrpc_parse(mem_ctx,
@ -244,7 +351,7 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security,
}
/* TODO: parse struct_blob and fill in the rest */
ntlmssp_state->server.netbios_name = "";
ntlmssp_state->server.netbios_domain = server_domain;
ntlmssp_state->server.netbios_domain = talloc_move(ntlmssp_state, &server_domain);
ntlmssp_state->server.dns_name = "";
ntlmssp_state->server.dns_domain = "";
@ -253,9 +360,118 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security,
return NT_STATUS_INVALID_PARAMETER;
}
is_anonymous = cli_credentials_is_anonymous(gensec_security->credentials);
cli_credentials_get_ntlm_username_domain(gensec_security->credentials, mem_ctx,
&user, &domain);
workstation = cli_credentials_get_workstation(gensec_security->credentials);
if (user == NULL) {
DEBUG(10, ("User is NULL, returning INVALID_PARAMETER\n"));
return NT_STATUS_INVALID_PARAMETER;
}
if (domain == NULL) {
DEBUG(10, ("Domain is NULL, returning INVALID_PARAMETER\n"));
return NT_STATUS_INVALID_PARAMETER;
}
if (workstation == NULL) {
DEBUG(10, ("Workstation is NULL, returning INVALID_PARAMETER\n"));
return NT_STATUS_INVALID_PARAMETER;
}
if (is_anonymous) {
ntlmssp_state->neg_flags |= NTLMSSP_ANONYMOUS;
/*
* don't use the ccache for anonymous auth
*/
ntlmssp_state->use_ccache = false;
}
if (ntlmssp_state->use_ccache) {
struct samr_Password *nt_hash = NULL;
/*
* If we have a password given we don't
* use the ccache
*/
nt_hash = cli_credentials_get_nt_hash(gensec_security->credentials,
mem_ctx);
if (nt_hash != NULL) {
ZERO_STRUCTP(nt_hash);
TALLOC_FREE(nt_hash);
ntlmssp_state->use_ccache = false;
}
}
if (ntlmssp_state->use_ccache) {
struct wbcCredentialCacheParams params;
struct wbcCredentialCacheInfo *info = NULL;
struct wbcAuthErrorInfo *error = NULL;
struct wbcNamedBlob auth_blobs[2];
const struct wbcBlob *wbc_auth_blob = NULL;
const struct wbcBlob *wbc_session_key = NULL;
wbcErr wbc_status;
int i;
bool new_spnego = false;
params.account_name = user;
params.domain_name = domain;
params.level = WBC_CREDENTIAL_CACHE_LEVEL_NTLMSSP;
auth_blobs[0].name = "challenge_blob";
auth_blobs[0].flags = 0;
auth_blobs[0].blob.data = in.data;
auth_blobs[0].blob.length = in.length;
auth_blobs[1].name = "negotiate_blob";
auth_blobs[1].flags = 0;
auth_blobs[1].blob.data = ntlmssp_state->negotiate_blob.data;
auth_blobs[1].blob.length = ntlmssp_state->negotiate_blob.length;
params.num_blobs = ARRAY_SIZE(auth_blobs);
params.blobs = auth_blobs;
wbc_status = wbcCredentialCache(&params, &info, &error);
wbcFreeMemory(error);
if (!WBC_ERROR_IS_OK(wbc_status)) {
return NT_STATUS_WRONG_CREDENTIAL_HANDLE;
}
for (i=0; i<info->num_blobs; i++) {
if (strequal(info->blobs[i].name, "auth_blob")) {
wbc_auth_blob = &info->blobs[i].blob;
}
if (strequal(info->blobs[i].name, "session_key")) {
wbc_session_key = &info->blobs[i].blob;
}
if (strequal(info->blobs[i].name, "new_spnego")) {
new_spnego = true;
}
}
if ((wbc_auth_blob == NULL) || (wbc_session_key == NULL)) {
wbcFreeMemory(info);
return NT_STATUS_WRONG_CREDENTIAL_HANDLE;
}
session_key = data_blob_talloc(mem_ctx,
wbc_session_key->data,
wbc_session_key->length);
if (session_key.length != wbc_session_key->length) {
wbcFreeMemory(info);
return NT_STATUS_NO_MEMORY;
}
*out = data_blob_talloc(mem_ctx,
wbc_auth_blob->data,
wbc_auth_blob->length);
if (out->length != wbc_auth_blob->length) {
wbcFreeMemory(info);
return NT_STATUS_NO_MEMORY;
}
ntlmssp_state->new_spnego = new_spnego;
wbcFreeMemory(info);
goto done;
}
if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
flags |= CLI_CRED_NTLM2;
}
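Review bot: the new early returns (the `user`, `domain` and `workstation` NULL checks, and every failure inside the `use_ccache` branch) return without `talloc_free(mem_ctx)`, whereas the existing msrpc_gen failure path further down does free it; either make `mem_ctx` a child of `out_mem_ctx` or add the free on these paths, otherwise each rejected CHALLENGE leaks a context. Scrubbing the NT hash with `ZERO_STRUCTP(nt_hash)` before `TALLOC_FREE` is right. Also note that `goto done` on the ccache path skips the MIC computation at the end of this function, so correctness of the MIC there depends entirely on winbind's `auth_blob`; a comment at the `goto` would make that explicit.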
@ -265,15 +481,159 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security,
if (ntlmssp_state->use_nt_response) {
flags |= CLI_CRED_NTLM_AUTH;
}
if (lpcfg_client_lanman_auth(gensec_security->settings->lp_ctx)) {
if (ntlmssp_state->allow_lm_response) {
flags |= CLI_CRED_LANMAN_AUTH;
}
if (target_info.length != 0 && !is_anonymous) {
struct AV_PAIR *pairs = NULL;
uint32_t count = 0;
enum ndr_err_code err;
struct AV_PAIR *timestamp = NULL;
struct AV_PAIR *eol = NULL;
uint32_t i = 0;
const char *service = NULL;
const char *hostname = NULL;
err = ndr_pull_struct_blob(&target_info,
ntlmssp_state,
&ntlmssp_state->server.av_pair_list,
(ndr_pull_flags_fn_t)ndr_pull_AV_PAIR_LIST);
if (!NDR_ERR_CODE_IS_SUCCESS(err)) {
return ndr_map_error2ntstatus(err);
}
count = ntlmssp_state->server.av_pair_list.count;
/*
* We need room for Flags, SingleHost,
* ChannelBindings and Target
*/
pairs = talloc_zero_array(ntlmssp_state, struct AV_PAIR,
count + 4);
if (pairs == NULL) {
return NT_STATUS_NO_MEMORY;
}
for (i = 0; i < count; i++) {
pairs[i] = ntlmssp_state->server.av_pair_list.pair[i];
}
ntlmssp_state->client.av_pair_list.count = count;
ntlmssp_state->client.av_pair_list.pair = pairs;
eol = ndr_ntlmssp_find_av(&ntlmssp_state->client.av_pair_list,
MsvAvEOL);
if (eol == NULL) {
return NT_STATUS_INVALID_PARAMETER;
}
timestamp = ndr_ntlmssp_find_av(&ntlmssp_state->client.av_pair_list,
MsvAvTimestamp);
if (timestamp != NULL) {
uint32_t sign_features =
GENSEC_FEATURE_SESSION_KEY |
GENSEC_FEATURE_SIGN |
GENSEC_FEATURE_SEAL;
server_timestamp = &timestamp->Value.AvTimestamp;
if (ntlmssp_state->force_old_spnego) {
sign_features = 0;
}
if (gensec_security->want_features & sign_features) {
struct AV_PAIR *av_flags = NULL;
av_flags = ndr_ntlmssp_find_av(&ntlmssp_state->client.av_pair_list,
MsvAvFlags);
if (av_flags == NULL) {
av_flags = eol;
eol++;
count++;
*eol = *av_flags;
av_flags->AvId = MsvAvFlags;
av_flags->Value.AvFlags = 0;
}
av_flags->Value.AvFlags |= NTLMSSP_AVFLAG_MIC_IN_AUTHENTICATE_MESSAGE;
ntlmssp_state->new_spnego = true;
}
}
{
struct AV_PAIR *SingleHost = NULL;
SingleHost = eol;
eol++;
count++;
*eol = *SingleHost;
/*
* This is not really used, but we want to
* add some more random bytes and match
* Windows.
*/
SingleHost->AvId = MsvAvSingleHost;
SingleHost->Value.AvSingleHost.token_info.Flags = 0;
SingleHost->Value.AvSingleHost.token_info.TokenIL = 0;
generate_random_buffer(SingleHost->Value.AvSingleHost.token_info.MachineId,
sizeof(SingleHost->Value.AvSingleHost.token_info.MachineId));
SingleHost->Value.AvSingleHost.remaining = data_blob_null;
}
{
struct AV_PAIR *ChannelBindings = NULL;
ChannelBindings = eol;
eol++;
count++;
*eol = *ChannelBindings;
/*
* gensec doesn't support channel bindings yet,
* but we want to match Windows on the wire
*/
ChannelBindings->AvId = MsvChannelBindings;
memset(ChannelBindings->Value.ChannelBindings, 0,
sizeof(ChannelBindings->Value.ChannelBindings));
}
service = gensec_get_target_service(gensec_security);
hostname = gensec_get_target_hostname(gensec_security);
if (service != NULL && hostname != NULL) {
struct AV_PAIR *target = NULL;
target = eol;
eol++;
count++;
*eol = *target;
target->AvId = MsvAvTargetName;
target->Value.AvTargetName = talloc_asprintf(pairs, "%s/%s",
service,
hostname);
if (target->Value.AvTargetName == NULL) {
return NT_STATUS_NO_MEMORY;
}
}
ntlmssp_state->client.av_pair_list.count = count;
ntlmssp_state->client.av_pair_list.pair = pairs;
err = ndr_push_struct_blob(&target_info,
ntlmssp_state,
&ntlmssp_state->client.av_pair_list,
(ndr_push_flags_fn_t)ndr_push_AV_PAIR_LIST);
if (!NDR_ERR_CODE_IS_SUCCESS(err)) {
return NT_STATUS_NO_MEMORY;
}
}
nt_status = cli_credentials_get_ntlm_response(gensec_security->credentials, mem_ctx,
&flags, challenge_blob, target_info,
&flags, challenge_blob,
server_timestamp, target_info,
&lm_response, &nt_response,
&lm_session_key, &session_key);
if (!NT_STATUS_IS_OK(nt_status)) {
return nt_status;
}
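Review bot: the `ndr_push_struct_blob` failure at the end of this hunk is reported as NT_STATUS_NO_MEMORY while the pull failure above uses `ndr_map_error2ntstatus(err)`; use the same mapping for both so a malformed or oversized AV list is not misreported as OOM. Two further points: the all-zero MsvChannelBindings (documented as "gensec doesn't support channel bindings yet") is treated by servers as "client does not support channel binding", so it provides no protection against relaying this AUTHENTICATE over a different TLS channel and will be rejected where binding is mandatory; and the `x = eol; eol++; count++; *eol = *x;` shuffle relies on `pairs` having `count + 4` free slots, which only holds because MsvAvFlags is inserted at most once. State that invariant in the comment next to the `talloc_zero_array` call.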
@ -292,7 +652,7 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security,
}
if ((ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_LM_KEY)
&& lpcfg_client_lanman_auth(gensec_security->settings->lp_ctx) && lm_session_key.length == 16) {
&& ntlmssp_state->allow_lm_key && lm_session_key.length == 16) {
DATA_BLOB new_session_key = data_blob_talloc(mem_ctx, NULL, 16);
if (lm_response.length == 24) {
SMBsesskeygen_lm_sess_key(lm_session_key.data, lm_response.data,
@ -325,9 +685,6 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security,
session_key = data_blob_talloc(mem_ctx, client_session_key, sizeof(client_session_key));
}
DEBUG(3, ("NTLMSSP: Set final flags:\n"));
debug_ntlmssp_flags(ntlmssp_state->neg_flags);
/* this generates the actual auth packet */
nt_status = msrpc_gen(mem_ctx,
out, auth_gen_string,
@ -337,22 +694,48 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security,
nt_response.data, nt_response.length,
domain,
user,
cli_credentials_get_workstation(gensec_security->credentials),
workstation,
encrypted_session_key.data, encrypted_session_key.length,
ntlmssp_state->neg_flags);
ntlmssp_state->neg_flags,
version_blob.data, version_blob.length,
mic_blob.data, mic_blob.length);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(mem_ctx);
return nt_status;
}
/*
* We always include the MIC, even without:
* av_flags->Value.AvFlags |= NTLMSSP_AVFLAG_MIC_IN_AUTHENTICATE_MESSAGE;
* ntlmssp_state->new_spnego = true;
*
* This matches a Windows client.
*/
hmac_md5_init_limK_to_64(session_key.data,
session_key.length,
&ctx);
hmac_md5_update(ntlmssp_state->negotiate_blob.data,
ntlmssp_state->negotiate_blob.length,
&ctx);
hmac_md5_update(in.data, in.length, &ctx);
hmac_md5_update(out->data, out->length, &ctx);
hmac_md5_final(mic_buffer, &ctx);
memcpy(out->data + NTLMSSP_MIC_OFFSET, mic_buffer, NTLMSSP_MIC_SIZE);
done:
data_blob_free(&ntlmssp_state->negotiate_blob);
ntlmssp_state->session_key = session_key;
talloc_steal(ntlmssp_state, session_key.data);
DEBUG(3, ("NTLMSSP: Set final flags:\n"));
debug_ntlmssp_flags(ntlmssp_state->neg_flags);
talloc_steal(out_mem_ctx, out->data);
ntlmssp_state->expected_state = NTLMSSP_DONE;
if (gensec_security->want_features & (GENSEC_FEATURE_SIGN|GENSEC_FEATURE_SEAL)) {
if (gensec_ntlmssp_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
nt_status = ntlmssp_sign_init(ntlmssp_state);
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(1, ("Could not setup NTLMSSP signing/sealing system (error was: %s)\n",
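Review bot: `memcpy(out->data + NTLMSSP_MIC_OFFSET, ...)` trusts the format string to have placed the MIC placeholder at exactly NTLMSSP_MIC_OFFSET and that `out->length >= NTLMSSP_MIC_OFFSET + NTLMSSP_MIC_SIZE`; the server side guards the same offset with an explicit length check before reading, so add the symmetric check here (returning NT_STATUS_INTERNAL_ERROR) rather than relying on the `bb` layout. The HMAC is computed over `out` while the MIC field still contains the zeroed `mic_blob`, which is exactly what the server reconstructs by hashing zeros in place of the field; that coupling deserves a comment on the `hmac_md5_update(out->data, ...)` line. Moving the "Set final flags" debug output after `done:` is right, since the ccache path now also reaches it.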
@ -398,7 +781,9 @@ NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security)
ntlmssp_state->use_nt_response = gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "send_nt_reponse", true);
ntlmssp_state->allow_lm_key = (lpcfg_client_lanman_auth(gensec_security->settings->lp_ctx)
ntlmssp_state->allow_lm_response = lpcfg_client_lanman_auth(gensec_security->settings->lp_ctx);
ntlmssp_state->allow_lm_key = (ntlmssp_state->allow_lm_response
&& (gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "allow_lm_key", false)
|| gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "lm_key", false)));
@ -408,8 +793,15 @@ NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security)
ntlmssp_state->neg_flags =
NTLMSSP_NEGOTIATE_NTLM |
NTLMSSP_NEGOTIATE_VERSION |
NTLMSSP_REQUEST_TARGET;
if (ntlmssp_state->unicode) {
ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_UNICODE;
} else {
ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_OEM;
}
if (gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "128bit", true)) {
ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_128;
}
@ -437,6 +829,16 @@ NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security)
ntlmssp_state->use_ntlmv2 = false;
}
if (ntlmssp_state->use_ntlmv2) {
ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_NTLM2;
ntlmssp_state->allow_lm_response = false;
ntlmssp_state->allow_lm_key = false;
}
if (ntlmssp_state->allow_lm_key) {
ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_LM_KEY;
}
if (gensec_security->want_features & GENSEC_FEATURE_SESSION_KEY) {
/*
* We need to set this to allow a later SetPassword
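Review bot: forcing `allow_lm_response` and `allow_lm_key` off whenever `use_ntlmv2` is set closes the client-side LM downgrade, but adding NTLMSSP_NEGOTIATE_NTLM2 to `required_flags` means a server that strips extended session security from the CHALLENGE is now rejected instead of silently falling back; that is the intended hardening, but it is a visible compatibility change for servers without NTLM2 support and should be called out in the release notes next to the `client ntlmv2 auth` option.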
@ -447,15 +849,57 @@ NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security)
* that it thinks is only used for NTLMSSP signing and
* sealing. (It is actually pulled out and used directly)
*/
ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
}
if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
if (gensec_security->want_features & GENSEC_FEATURE_LDAP_STYLE) {
/*
* We need to handle NTLMSSP_NEGOTIATE_SIGN as
* NTLMSSP_NEGOTIATE_SEAL if GENSEC_FEATURE_LDAP_STYLE
* is requested.
*/
ntlmssp_state->force_wrap_seal = true;
/*
* We want also work against old Samba servers
* which didn't had GENSEC_FEATURE_LDAP_STYLE
* we negotiate SEAL too. We may remove this
* in a few years. As all servers should have
* GENSEC_FEATURE_LDAP_STYLE by then.
*/
ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SEAL;
}
}
if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SEAL;
}
if (gensec_security->want_features & GENSEC_FEATURE_NTLM_CCACHE) {
ntlmssp_state->use_ccache = true;
}
ntlmssp_state->neg_flags |= ntlmssp_state->required_flags;
ntlmssp_state->conf_flags = ntlmssp_state->neg_flags;
return NT_STATUS_OK;
}
NTSTATUS gensec_ntlmssp_resume_ccache_start(struct gensec_security *gensec_security)
{
struct gensec_ntlmssp_context *gensec_ntlmssp = NULL;
NTSTATUS status;
status = gensec_ntlmssp_client_start(gensec_security);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
gensec_ntlmssp = talloc_get_type_abort(gensec_security->private_data,
struct gensec_ntlmssp_context);
gensec_ntlmssp->ntlmssp_state->use_ccache = false;
gensec_ntlmssp->ntlmssp_state->resume_ccache = true;
gensec_ntlmssp->ntlmssp_state->expected_state = NTLMSSP_NEGOTIATE;
return NT_STATUS_OK;
}
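Review bot: `required_flags` is the enforcement half of this change: anything placed there must survive `ntlmssp_handle_neg_flags` on the CHALLENGE and AUTHENTICATE, otherwise the peer can strip SIGN/SEAL and the client continues unprotected, so the flag-handling function must compare against `required_flags`, not just `neg_flags`. Comment typos in the LDAP_STYLE block: "didn't had" should be "did not have" and "We want also work" should be "We also want to work". In `gensec_ntlmssp_resume_ccache_start`, `gensec_ntlmssp_client_start` may have set `use_ccache = true` from GENSEC_FEATURE_NTLM_CCACHE; it is then unconditionally reset to false, which looks intended but warrants a one-line comment.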

View File

@ -25,6 +25,7 @@
#define NTLMSSP_PULL_MESSAGE(type, blob, mem_ctx, r) \
do { \
enum ndr_err_code __ndr_err; \
ZERO_STRUCTP(r); /* in order to deal with unset neg flags */\
__ndr_err = ndr_pull_struct_blob(blob, mem_ctx, r, \
(ndr_pull_flags_fn_t)ndr_pull_ ##type); \
if (!NDR_ERR_CODE_IS_SUCCESS(__ndr_err)) { \
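Review bot: zeroing `r` before `ndr_pull_struct_blob` is needed because a short or malformed message leaves the fields NDR never reached uninitialised, and callers that read `NegotiateFlags` after a failed pull would otherwise see stack garbage; the comment should say "unset fields" generally rather than only neg flags, since the same applies to every optional field of these structures.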

View File

@ -59,8 +59,9 @@ NTSTATUS gensec_ntlmssp_update(struct gensec_security *gensec_security,
/* The following definitions come from auth/ntlmssp_util.c */
void debug_ntlmssp_flags(uint32_t neg_flags);
void ntlmssp_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
uint32_t neg_flags, bool allow_lm);
NTSTATUS ntlmssp_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
uint32_t neg_flags, const char *name);
const DATA_BLOB ntlmssp_version_blob(void);
/* The following definitions come from auth/ntlmssp_server.c */
@ -88,6 +89,10 @@ NTSTATUS ntlmssp_client_initial(struct gensec_security *gensec_security,
TALLOC_CTX *out_mem_ctx,
DATA_BLOB in, DATA_BLOB *out) ;
NTSTATUS gensec_ntlmssp_resume_ccache(struct gensec_security *gensec_security,
TALLOC_CTX *out_mem_ctx,
DATA_BLOB in, DATA_BLOB *out);
/**
* Next state function for the Challenge Packet. Generate an auth packet.
*
@ -101,6 +106,7 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security,
TALLOC_CTX *out_mem_ctx,
const DATA_BLOB in, DATA_BLOB *out) ;
NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security);
NTSTATUS gensec_ntlmssp_resume_ccache_start(struct gensec_security *gensec_security);
/* The following definitions come from auth/ntlmssp/gensec_ntlmssp_server.c */

View File

@ -21,6 +21,7 @@
*/
#include "includes.h"
#include "lib/util/time_basic.h"
#include "auth/ntlmssp/ntlmssp.h"
#include "auth/ntlmssp/ntlmssp_private.h"
#include "../librpc/gen_ndr/ndr_ntlmssp.h"
@ -84,6 +85,27 @@ NTSTATUS gensec_ntlmssp_server_negotiate(struct gensec_security *gensec_security
uint8_t cryptkey[8];
const char *target_name;
NTSTATUS status;
struct timeval tv_now = timeval_current();
/*
* See [MS-NLMP]
*
* Windows NT 4.0, windows_2000: use 30 minutes,
* Windows XP, Windows Server 2003, Windows Vista,
* Windows Server 2008, Windows 7, and Windows Server 2008 R2
* use 36 hours.
*
* Newer systems doesn't check this, likely because the
* connectionless NTLMSSP is no longer supported.
*
* As we expect the AUTHENTICATION_MESSAGE to arrive
* directly after the NEGOTIATE_MESSAGE (typically less than
* as 1 second later). We use a hard timeout of 30 Minutes.
*
* We don't look at AUTHENTICATE_MESSAGE.NtChallengeResponse.TimeStamp
* instead we just remember our own time.
*/
uint32_t max_lifetime = 30 * 60;
struct timeval tv_end = timeval_add(&tv_now, max_lifetime, 0);
/* parse the NTLMSSP packet */
#if 0
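Review bot: the comment and the chosen value disagree: it cites 36 hours for Windows XP and later but `max_lifetime` is 30 minutes, so state explicitly that Samba deliberately uses the stricter NT4/2000 value because the AUTHENTICATE is expected within seconds of the CHALLENGE. Grammar in the same comment: "Newer systems doesn't check" should be "Newer systems do not check", and "typically less than as 1 second later" should be "typically less than 1 second later". The cap is in seconds in a uint32_t and applied via `timeval_add`, which is fine.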
@ -91,6 +113,12 @@ NTSTATUS gensec_ntlmssp_server_negotiate(struct gensec_security *gensec_security
#endif
if (request.length) {
if (request.length > UINT16_MAX) {
DEBUG(1, ("ntlmssp_server_negotiate: reject large request of length %u\n",
(unsigned int)request.length));
return NT_STATUS_INVALID_PARAMETER;
}
if ((request.length < 16) || !msrpc_parse(ntlmssp_state, &request, "Cdd",
"NTLMSSP",
&ntlmssp_command,
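Review bot: rejecting `request.length > UINT16_MAX` before `msrpc_parse` is the right order, because every payload offset and length in the NTLMSSP header is a 16-bit field and anything beyond that bound cannot be referenced consistently. The equivalent bound is not visible in the `ntlmssp_server_preauth` hunk below; if the AUTHENTICATE path lacks it, add the same check there.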
@ -117,7 +145,10 @@ NTSTATUS gensec_ntlmssp_server_negotiate(struct gensec_security *gensec_security
}
}
ntlmssp_handle_neg_flags(ntlmssp_state, neg_flags, ntlmssp_state->allow_lm_key);
status = ntlmssp_handle_neg_flags(ntlmssp_state, neg_flags, "negotiate");
if (!NT_STATUS_IS_OK(status)){
return status;
}
/* Ask our caller what challenge they would like in the packet */
if (auth_context->get_ntlm_challenge) {
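Review bot: `ntlmssp_handle_neg_flags` now returns NTSTATUS and the result is checked, so a NEGOTIATE that drops a required flag is rejected here rather than silently continuing; the dropped `allow_lm_key` argument means the function must read that setting from `ntlmssp_state` itself, and the new `name` argument ("negotiate" here, "authenticate" later) should appear in its log line so the two call sites can be told apart.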
@ -138,6 +169,7 @@ NTSTATUS gensec_ntlmssp_server_negotiate(struct gensec_security *gensec_security
*/
chal_flags = ntlmssp_state->neg_flags;
ntlmssp_state->server.challenge_endtime = timeval_to_nttime(&tv_end);
/* get the right name to fill in as 'target' */
target_name = ntlmssp_target_name(ntlmssp_state,
@ -150,16 +182,48 @@ NTSTATUS gensec_ntlmssp_server_negotiate(struct gensec_security *gensec_security
cryptkey, 8);
/* This creates the 'blob' of names that appears at the end of the packet */
if (chal_flags & NTLMSSP_NEGOTIATE_TARGET_INFO)
{
status = msrpc_gen(ntlmssp_state, &struct_blob, "aaaaa",
MsvAvNbDomainName, target_name,
MsvAvNbComputerName, ntlmssp_state->server.netbios_name,
MsvAvDnsDomainName, ntlmssp_state->server.dns_domain,
MsvAvDnsComputerName, ntlmssp_state->server.dns_name,
MsvAvEOL, "");
if (!NT_STATUS_IS_OK(status)) {
return status;
if (chal_flags & NTLMSSP_NEGOTIATE_TARGET_INFO) {
enum ndr_err_code err;
struct AV_PAIR *pairs = NULL;
uint32_t count = 5;
pairs = talloc_zero_array(ntlmssp_state, struct AV_PAIR, count + 1);
if (pairs == NULL) {
return NT_STATUS_NO_MEMORY;
}
pairs[0].AvId = MsvAvNbDomainName;
pairs[0].Value.AvNbDomainName = target_name;
pairs[1].AvId = MsvAvNbComputerName;
pairs[1].Value.AvNbComputerName = ntlmssp_state->server.netbios_name;
pairs[2].AvId = MsvAvDnsDomainName;
pairs[2].Value.AvDnsDomainName = ntlmssp_state->server.dns_domain;
pairs[3].AvId = MsvAvDnsComputerName;
pairs[3].Value.AvDnsComputerName= ntlmssp_state->server.dns_name;
if (!ntlmssp_state->force_old_spnego) {
pairs[4].AvId = MsvAvTimestamp;
pairs[4].Value.AvTimestamp =
timeval_to_nttime(&tv_now);
count += 1;
pairs[5].AvId = MsvAvEOL;
} else {
pairs[4].AvId = MsvAvEOL;
}
ntlmssp_state->server.av_pair_list.count = count;
ntlmssp_state->server.av_pair_list.pair = pairs;
err = ndr_push_struct_blob(&struct_blob,
ntlmssp_state,
&ntlmssp_state->server.av_pair_list,
(ndr_push_flags_fn_t)ndr_push_AV_PAIR_LIST);
if (!NDR_ERR_CODE_IS_SUCCESS(err)) {
return NT_STATUS_NO_MEMORY;
}
} else {
struct_blob = data_blob_null;
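Review bot: as on the client side, an `ndr_push_struct_blob` failure here is reported as NO_MEMORY; use `ndr_map_error2ntstatus`. More importantly, `server.av_pair_list` is now retained in `ntlmssp_state` and later compared pair-by-pair against the list the client echoes back, and the comparison macro returns NT_STATUS_INTERNAL_ERROR when a server-side string is NULL; a NULL `netbios_name`, `dns_domain` or `dns_name` would therefore reject every NTLMv2 authentication at AUTHENTICATE time. Validate those fields when the state is set up, or substitute "" here, so a misconfigured server fails loudly at start rather than per logon. The MsvAvTimestamp pair must be omitted under `force_old_spnego`, as done, because the client uses its presence to decide whether to request the MIC.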
@ -168,29 +232,7 @@ NTSTATUS gensec_ntlmssp_server_negotiate(struct gensec_security *gensec_security
{
/* Marshal the packet in the right format, be it unicode or ASCII */
const char *gen_string;
DATA_BLOB version_blob = data_blob_null;
if (chal_flags & NTLMSSP_NEGOTIATE_VERSION) {
enum ndr_err_code err;
struct ntlmssp_VERSION vers;
/* "What Windows returns" as a version number. */
ZERO_STRUCT(vers);
vers.ProductMajorVersion = NTLMSSP_WINDOWS_MAJOR_VERSION_6;
vers.ProductMinorVersion = NTLMSSP_WINDOWS_MINOR_VERSION_1;
vers.ProductBuild = 0;
vers.NTLMRevisionCurrent = NTLMSSP_REVISION_W2K3;
err = ndr_push_struct_blob(&version_blob,
ntlmssp_state,
&vers,
(ndr_push_flags_fn_t)ndr_push_ntlmssp_VERSION);
if (!NDR_ERR_CODE_IS_SUCCESS(err)) {
data_blob_free(&struct_blob);
return NT_STATUS_NO_MEMORY;
}
}
const DATA_BLOB version_blob = ntlmssp_version_blob();
if (ntlmssp_state->unicode) {
gen_string = "CdUdbddBb";
@ -209,13 +251,10 @@ NTSTATUS gensec_ntlmssp_server_negotiate(struct gensec_security *gensec_security
version_blob.data, version_blob.length);
if (!NT_STATUS_IS_OK(status)) {
data_blob_free(&version_blob);
data_blob_free(&struct_blob);
return status;
}
data_blob_free(&version_blob);
if (DEBUGLEVEL >= 10) {
struct CHALLENGE_MESSAGE *challenge = talloc(
ntlmssp_state, struct CHALLENGE_MESSAGE);
@ -234,6 +273,18 @@ NTSTATUS gensec_ntlmssp_server_negotiate(struct gensec_security *gensec_security
data_blob_free(&struct_blob);
ntlmssp_state->negotiate_blob = data_blob_dup_talloc(ntlmssp_state,
request);
if (ntlmssp_state->negotiate_blob.length != request.length) {
return NT_STATUS_NO_MEMORY;
}
ntlmssp_state->challenge_blob = data_blob_dup_talloc(ntlmssp_state,
*reply);
if (ntlmssp_state->challenge_blob.length != reply->length) {
return NT_STATUS_NO_MEMORY;
}
ntlmssp_state->expected_state = NTLMSSP_AUTH;
return NT_STATUS_MORE_PROCESSING_REQUIRED;
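Review bot: the length-based OOM test after `data_blob_dup_talloc` is the correct one here, because an empty NEGOTIATE (allowed by the `if (request.length)` branch above) legitimately yields a zero-length blob with NULL data, and the `length != request.length` check still passes; the MIC then covers zero bytes for the NEGOTIATE, which matches what the client hashes. Keep both copies on `ntlmssp_state` as done, since the MIC check in postauth needs them to survive the whole exchange.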
@ -266,19 +317,24 @@ static NTSTATUS ntlmssp_server_preauth(struct gensec_security *gensec_security,
struct auth4_context *auth_context = gensec_security->auth_context;
uint32_t ntlmssp_command, auth_flags;
NTSTATUS nt_status;
const unsigned int version_len = 8;
DATA_BLOB version_blob = data_blob_null;
const unsigned int mic_len = NTLMSSP_MIC_SIZE;
DATA_BLOB mic_blob = data_blob_null;
uint8_t session_nonce_hash[16];
const char *parse_string;
bool ok;
struct timeval endtime;
bool expired = false;
#if 0
file_save("ntlmssp_auth.dat", request.data, request.length);
#endif
if (ntlmssp_state->unicode) {
parse_string = "CdBBUUUBd";
parse_string = "CdBBUUUBdbb";
} else {
parse_string = "CdBBAAABd";
parse_string = "CdBBAAABdbb";
}
/* zero these out */
@ -291,7 +347,7 @@ static NTSTATUS ntlmssp_server_preauth(struct gensec_security *gensec_security,
ntlmssp_state->client.netbios_name = NULL;
/* now the NTLMSSP encoded auth hashes */
if (!msrpc_parse(ntlmssp_state, &request, parse_string,
ok = msrpc_parse(ntlmssp_state, &request, parse_string,
"NTLMSSP",
&ntlmssp_command,
&ntlmssp_state->lm_resp,
@ -300,7 +356,35 @@ static NTSTATUS ntlmssp_server_preauth(struct gensec_security *gensec_security,
&ntlmssp_state->user,
&ntlmssp_state->client.netbios_name,
&state->encrypted_session_key,
&auth_flags)) {
&auth_flags,
&version_blob, version_len,
&mic_blob, mic_len);
if (!ok) {
DEBUG(10, ("ntlmssp_server_auth: failed to parse NTLMSSP (nonfatal):\n"));
dump_data(10, request.data, request.length);
data_blob_free(&version_blob);
data_blob_free(&mic_blob);
if (ntlmssp_state->unicode) {
parse_string = "CdBBUUUBd";
} else {
parse_string = "CdBBAAABd";
}
ok = msrpc_parse(ntlmssp_state, &request, parse_string,
"NTLMSSP",
&ntlmssp_command,
&ntlmssp_state->lm_resp,
&ntlmssp_state->nt_resp,
&ntlmssp_state->domain,
&ntlmssp_state->user,
&ntlmssp_state->client.netbios_name,
&state->encrypted_session_key,
&auth_flags);
}
if (!ok) {
DEBUG(10, ("ntlmssp_server_auth: failed to parse NTLMSSP (nonfatal):\n"));
dump_data(10, request.data, request.length);
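Review bot: the fallback re-parse reuses `ntlmssp_state->lm_resp`, `nt_resp`, `domain`, `user`, `client.netbios_name` and `state->encrypted_session_key` as outputs without releasing whatever the first, failed `msrpc_parse` already allocated on `ntlmssp_state`; those are talloc children of the state, so this is a leak for the context's lifetime rather than a dangling pointer, but repeating the "zero these out" block before the second parse would make the retry clean. The fallback does not weaken the MIC check: `new_spnego` is decided from MsvAvFlags inside the signed NTLMv2 response, and `mic_blob` is freed here, so a client that sets the flag but omits the MIC fails the `mic_blob.length != NTLMSSP_MIC_SIZE` test below.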
@ -333,8 +417,14 @@ static NTSTATUS ntlmssp_server_preauth(struct gensec_security *gensec_security,
talloc_steal(state, state->encrypted_session_key.data);
if (auth_flags)
ntlmssp_handle_neg_flags(ntlmssp_state, auth_flags, ntlmssp_state->allow_lm_key);
if (auth_flags != 0) {
nt_status = ntlmssp_handle_neg_flags(ntlmssp_state,
auth_flags,
"authenticate");
if (!NT_STATUS_IS_OK(nt_status)){
return nt_status;
}
}
if (DEBUGLEVEL >= 10) {
struct AUTHENTICATE_MESSAGE *authenticate = talloc(
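Review bot: the `auth_flags != 0` gate keeps the flags negotiated at CHALLENGE time when the client sends a zero NegotiateFlags field in AUTHENTICATE, which [MS-NLMP] permits; that is only safe because `ntlmssp_handle_neg_flags` already enforced the required flags on the NEGOTIATE, so the function must treat `required_flags` as sticky across both calls and never let a later call clear a flag the earlier one established.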
@ -363,6 +453,194 @@ static NTSTATUS ntlmssp_server_preauth(struct gensec_security *gensec_security,
file_save("lmhash1.dat", &ntlmssp_state->lm_resp.data, &ntlmssp_state->lm_resp.length);
#endif
if (ntlmssp_state->nt_resp.length > 24) {
struct NTLMv2_RESPONSE v2_resp;
enum ndr_err_code err;
uint32_t i = 0;
uint32_t count = 0;
const struct AV_PAIR *flags = NULL;
const struct AV_PAIR *eol = NULL;
uint32_t av_flags = 0;
err = ndr_pull_struct_blob(&ntlmssp_state->nt_resp,
ntlmssp_state,
&v2_resp,
(ndr_pull_flags_fn_t)ndr_pull_NTLMv2_RESPONSE);
if (!NDR_ERR_CODE_IS_SUCCESS(err)) {
nt_status = ndr_map_error2ntstatus(err);
DEBUG(1,("%s: failed to parse NTLMv2_RESPONSE of length %zu for "
"user=[%s] domain=[%s] workstation=[%s] - %s %s\n",
__func__, ntlmssp_state->nt_resp.length,
ntlmssp_state->user, ntlmssp_state->domain,
ntlmssp_state->client.netbios_name,
ndr_errstr(err), nt_errstr(nt_status)));
return nt_status;
}
if (DEBUGLVL(10)) {
NDR_PRINT_DEBUG(NTLMv2_RESPONSE, &v2_resp);
}
eol = ndr_ntlmssp_find_av(&v2_resp.Challenge.AvPairs,
MsvAvEOL);
if (eol == NULL) {
DEBUG(1,("%s: missing MsvAvEOL for "
"user=[%s] domain=[%s] workstation=[%s]\n",
__func__, ntlmssp_state->user, ntlmssp_state->domain,
ntlmssp_state->client.netbios_name));
return NT_STATUS_INVALID_PARAMETER;
}
flags = ndr_ntlmssp_find_av(&v2_resp.Challenge.AvPairs,
MsvAvFlags);
if (flags != NULL) {
av_flags = flags->Value.AvFlags;
}
if (av_flags & NTLMSSP_AVFLAG_MIC_IN_AUTHENTICATE_MESSAGE) {
if (mic_blob.length != NTLMSSP_MIC_SIZE) {
DEBUG(1,("%s: mic_blob.length[%u] for "
"user=[%s] domain=[%s] workstation=[%s]\n",
__func__,
(unsigned)mic_blob.length,
ntlmssp_state->user,
ntlmssp_state->domain,
ntlmssp_state->client.netbios_name));
return NT_STATUS_INVALID_PARAMETER;
}
if (request.length <
(NTLMSSP_MIC_OFFSET + NTLMSSP_MIC_SIZE))
{
DEBUG(1,("%s: missing MIC "
"request.length[%u] for "
"user=[%s] domain=[%s] workstation=[%s]\n",
__func__,
(unsigned)request.length,
ntlmssp_state->user,
ntlmssp_state->domain,
ntlmssp_state->client.netbios_name));
return NT_STATUS_INVALID_PARAMETER;
}
ntlmssp_state->new_spnego = true;
}
count = ntlmssp_state->server.av_pair_list.count;
if (v2_resp.Challenge.AvPairs.count < count) {
return NT_STATUS_INVALID_PARAMETER;
}
for (i = 0; i < count; i++) {
const struct AV_PAIR *sp =
&ntlmssp_state->server.av_pair_list.pair[i];
const struct AV_PAIR *cp = NULL;
if (sp->AvId == MsvAvEOL) {
continue;
}
cp = ndr_ntlmssp_find_av(&v2_resp.Challenge.AvPairs,
sp->AvId);
if (cp == NULL) {
DEBUG(1,("%s: AvId 0x%x missing for"
"user=[%s] domain=[%s] "
"workstation=[%s]\n",
__func__,
(unsigned)sp->AvId,
ntlmssp_state->user,
ntlmssp_state->domain,
ntlmssp_state->client.netbios_name));
return NT_STATUS_INVALID_PARAMETER;
}
switch (cp->AvId) {
#define CASE_STRING(v) case Msv ## v: do { \
int cmp; \
if (sp->Value.v == NULL) { \
return NT_STATUS_INTERNAL_ERROR; \
} \
if (cp->Value.v == NULL) { \
DEBUG(1,("%s: invalid %s " \
"got[%s] expect[%s] for " \
"user=[%s] domain=[%s] workstation=[%s]\n", \
__func__, #v, \
cp->Value.v, \
sp->Value.v, \
ntlmssp_state->user, \
ntlmssp_state->domain, \
ntlmssp_state->client.netbios_name)); \
return NT_STATUS_INVALID_PARAMETER; \
} \
cmp = strcmp(cp->Value.v, sp->Value.v); \
if (cmp != 0) { \
DEBUG(1,("%s: invalid %s " \
"got[%s] expect[%s] for " \
"user=[%s] domain=[%s] workstation=[%s]\n", \
__func__, #v, \
cp->Value.v, \
sp->Value.v, \
ntlmssp_state->user, \
ntlmssp_state->domain, \
ntlmssp_state->client.netbios_name)); \
return NT_STATUS_INVALID_PARAMETER; \
} \
} while(0); break
CASE_STRING(AvNbComputerName);
CASE_STRING(AvNbDomainName);
CASE_STRING(AvDnsComputerName);
CASE_STRING(AvDnsDomainName);
CASE_STRING(AvDnsTreeName);
case MsvAvTimestamp:
if (cp->Value.AvTimestamp != sp->Value.AvTimestamp) {
struct timeval ct;
struct timeval st;
struct timeval_buf tmp1;
struct timeval_buf tmp2;
nttime_to_timeval(&ct,
cp->Value.AvTimestamp);
nttime_to_timeval(&st,
sp->Value.AvTimestamp);
DEBUG(1,("%s: invalid AvTimestamp "
"got[%s] expect[%s] for "
"user=[%s] domain=[%s] "
"workstation=[%s]\n",
__func__,
timeval_str_buf(&ct, false,
true, &tmp1),
timeval_str_buf(&st, false,
true, &tmp2),
ntlmssp_state->user,
ntlmssp_state->domain,
ntlmssp_state->client.netbios_name));
return NT_STATUS_INVALID_PARAMETER;
}
break;
default:
/*
* This can't happen as we control
* ntlmssp_state->server.av_pair_list
*/
return NT_STATUS_INTERNAL_ERROR;
}
}
}
nttime_to_timeval(&endtime, ntlmssp_state->server.challenge_endtime);
expired = timeval_expired(&endtime);
if (expired) {
struct timeval_buf tmp;
DEBUG(1,("%s: challenge invalid (expired %s) for "
"user=[%s] domain=[%s] workstation=[%s]\n",
__func__,
timeval_str_buf(&endtime, false, true, &tmp),
ntlmssp_state->user, ntlmssp_state->domain,
ntlmssp_state->client.netbios_name));
return NT_STATUS_INVALID_PARAMETER;
}
/* NTLM2 uses a 'challenge' that is made of up both the server challenge, and a
client challenge
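Review bot: in the CASE_STRING macro, the `cp->Value.v == NULL` branch passes `cp->Value.v` to a `%s` conversion in the DEBUG call, which is undefined behaviour for a NULL pointer; print a literal "(null)" there instead. The MIC length check in this hunk uses `request.length < (NTLMSSP_MIC_OFFSET + NTLMSSP_MIC_SIZE)` while the SMB_ASSERT in `ntlmssp_server_postauth` requires `>`; they agree only because `nt_resp.length > 24` guarantees payload after the fixed header, so make the two comparisons literally match (`<=` here or `>=` there) rather than depending on that. Minor: the "AvId 0x%x missing for" message is missing a space before "user=". The exact-match checks on the echoed server pairs plus the timestamp and `challenge_endtime` expiry are what tie the AUTHENTICATE to this specific CHALLENGE, which is the core of the relay and downgrade fix.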
@ -474,7 +752,8 @@ static NTSTATUS ntlmssp_server_check_password(struct gensec_security *gensec_sec
static NTSTATUS ntlmssp_server_postauth(struct gensec_security *gensec_security,
struct gensec_ntlmssp_context *gensec_ntlmssp,
struct ntlmssp_server_auth_state *state)
struct ntlmssp_server_auth_state *state,
DATA_BLOB request)
{
struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state;
DATA_BLOB user_session_key = state->user_session_key;
@ -591,7 +870,56 @@ static NTSTATUS ntlmssp_server_postauth(struct gensec_security *gensec_security,
talloc_steal(ntlmssp_state, session_key.data);
}
if (ntlmssp_state->session_key.length) {
if (ntlmssp_state->new_spnego) {
HMACMD5Context ctx;
uint8_t mic_buffer[NTLMSSP_MIC_SIZE] = { 0, };
int cmp;
hmac_md5_init_limK_to_64(ntlmssp_state->session_key.data,
ntlmssp_state->session_key.length,
&ctx);
hmac_md5_update(ntlmssp_state->negotiate_blob.data,
ntlmssp_state->negotiate_blob.length,
&ctx);
hmac_md5_update(ntlmssp_state->challenge_blob.data,
ntlmssp_state->challenge_blob.length,
&ctx);
/* checked were we set ntlmssp_state->new_spnego */
SMB_ASSERT(request.length >
(NTLMSSP_MIC_OFFSET + NTLMSSP_MIC_SIZE));
hmac_md5_update(request.data, NTLMSSP_MIC_OFFSET, &ctx);
hmac_md5_update(mic_buffer, NTLMSSP_MIC_SIZE, &ctx);
hmac_md5_update(request.data +
(NTLMSSP_MIC_OFFSET + NTLMSSP_MIC_SIZE),
request.length -
(NTLMSSP_MIC_OFFSET + NTLMSSP_MIC_SIZE),
&ctx);
hmac_md5_final(mic_buffer, &ctx);
cmp = memcmp(request.data + NTLMSSP_MIC_OFFSET,
mic_buffer, NTLMSSP_MIC_SIZE);
if (cmp != 0) {
DEBUG(1,("%s: invalid NTLMSSP_MIC for "
"user=[%s] domain=[%s] workstation=[%s]\n",
__func__,
ntlmssp_state->user,
ntlmssp_state->domain,
ntlmssp_state->client.netbios_name));
dump_data(1, request.data + NTLMSSP_MIC_OFFSET,
NTLMSSP_MIC_SIZE);
dump_data(1, mic_buffer,
NTLMSSP_MIC_SIZE);
return NT_STATUS_INVALID_PARAMETER;
}
}
data_blob_free(&ntlmssp_state->negotiate_blob);
data_blob_free(&ntlmssp_state->challenge_blob);
if (gensec_ntlmssp_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
nt_status = ntlmssp_sign_init(ntlmssp_state);
}
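Review bot: `memcmp` on the MIC leaks timing; use a constant-time comparison for a keyed MAC check as a matter of hygiene, even though forging here would also require a fresh valid NTLMv2 response per attempt. The verification correctly hashes `mic_buffer` zeros in place of the on-wire MIC field and the session key must already be final at this point, so the block must stay after the session-key derivation above it; a comment saying so would prevent a future reordering. Freeing `negotiate_blob` and `challenge_blob` here is fine since both are only needed for this check.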
@ -656,7 +984,7 @@ NTSTATUS gensec_ntlmssp_server_auth(struct gensec_security *gensec_security,
ntlmssp_state->check_password, the ntlmssp_server_postpath
can be done in a callback */
nt_status = ntlmssp_server_postauth(gensec_security, gensec_ntlmssp, state);
nt_status = ntlmssp_server_postauth(gensec_security, gensec_ntlmssp, state, in);
TALLOC_FREE(state);
return nt_status;
}

View File

@ -479,57 +479,18 @@ NTSTATUS ntlmssp_unwrap(struct ntlmssp_state *ntlmssp_state,
&sig);
} else if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN) {
NTSTATUS status;
struct ntlmssp_crypt_direction save_direction;
if (in->length < NTLMSSP_SIG_SIZE) {
return NT_STATUS_INVALID_PARAMETER;
}
sig.data = in->data;
sig.length = NTLMSSP_SIG_SIZE;
*out = data_blob_talloc(out_mem_ctx, in->data + NTLMSSP_SIG_SIZE, in->length - NTLMSSP_SIG_SIZE);
if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
save_direction = ntlmssp_state->crypt->ntlm2.receiving;
} else {
save_direction = ntlmssp_state->crypt->ntlm;
}
status = ntlmssp_check_packet(ntlmssp_state,
out->data, out->length,
out->data, out->length,
&sig);
if (!NT_STATUS_IS_OK(status)) {
NTSTATUS check_status = status;
/*
* The Windows LDAP libraries seems to have a bug
* and always use sealing even if only signing was
* negotiated. So we need to fallback.
*/
if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
ntlmssp_state->crypt->ntlm2.receiving = save_direction;
} else {
ntlmssp_state->crypt->ntlm = save_direction;
}
status = ntlmssp_unseal_packet(ntlmssp_state,
out->data,
out->length,
out->data,
out->length,
&sig);
if (NT_STATUS_IS_OK(status)) {
ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
} else {
status = check_status;
}
}
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("NTLMSSP packet check for unwrap failed due to invalid signature\n"));
}
return status;
return ntlmssp_check_packet(ntlmssp_state,
out->data, out->length,
out->data, out->length,
&sig);
} else {
*out = data_blob_talloc(out_mem_ctx, in->data, in->length);
if (!out->data) {
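Review bot: removing the "Windows LDAP libraries always seal" fallback is the right fix: the old code silently upgraded `neg_flags` to SEAL whenever a signature check failed, which turned a failed integrity check into a retry with different semantics instead of a rejection. The same need is now met up front by `force_wrap_seal` in `ntlmssp_sign_reset` for GENSEC_FEATURE_LDAP_STYLE callers, so LDAP clients that negotiate SIGN but send sealed data still interoperate. With the early `return ntlmssp_check_packet(...)`, the `NTSTATUS status;` declaration in this branch has no remaining use and should go with the fallback.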
@ -542,20 +503,30 @@ NTSTATUS ntlmssp_unwrap(struct ntlmssp_state *ntlmssp_state,
/**
Initialise the state for NTLMSSP signing.
*/
NTSTATUS ntlmssp_sign_init(struct ntlmssp_state *ntlmssp_state)
NTSTATUS ntlmssp_sign_reset(struct ntlmssp_state *ntlmssp_state,
bool reset_seqnums)
{
DEBUG(3, ("NTLMSSP Sign/Seal - Initialising with flags:\n"));
debug_ntlmssp_flags(ntlmssp_state->neg_flags);
if (ntlmssp_state->session_key.length < 8) {
DEBUG(3, ("NO session key, cannot intialise signing\n"));
return NT_STATUS_NO_USER_SESSION_KEY;
if (ntlmssp_state->crypt == NULL) {
return NT_STATUS_INVALID_PARAMETER_MIX;
}
ntlmssp_state->crypt = talloc_zero(ntlmssp_state,
union ntlmssp_crypt_state);
if (ntlmssp_state->crypt == NULL) {
return NT_STATUS_NO_MEMORY;
if (ntlmssp_state->force_wrap_seal &&
(ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN))
{
/*
* We need to handle NTLMSSP_NEGOTIATE_SIGN as
* NTLMSSP_NEGOTIATE_SEAL if GENSEC_FEATURE_LDAP_STYLE
* is requested.
*
* The negotiation of flags (and authentication)
* is completed when ntlmssp_sign_init() is called
* so we can safely pretent NTLMSSP_NEGOTIATE_SEAL
* was negotiated.
*/
ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
}
if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
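Review bot: typo in the new comment in ntlmssp_sign_reset(): "pretent" should be "pretend". The DEBUG(3) "NTLMSSP Sign/Seal - Initialising with flags" banner now runs on every reset, including calls with reset_seqnums == false, so a key refresh logs as if it were the initial setup; printing reset_seqnums or wording it "Resetting" would keep the logs honest.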
@ -629,7 +600,9 @@ NTSTATUS ntlmssp_sign_init(struct ntlmssp_state *ntlmssp_state)
&ntlmssp_state->crypt->ntlm2.sending.seal_state);
/* SEND: seq num */
ntlmssp_state->crypt->ntlm2.sending.seq_num = 0;
if (reset_seqnums) {
ntlmssp_state->crypt->ntlm2.sending.seq_num = 0;
}
/* RECV: sign key */
calc_ntlmv2_key(ntlmssp_state->crypt->ntlm2.receiving.sign_key,
@ -649,7 +622,9 @@ NTSTATUS ntlmssp_sign_init(struct ntlmssp_state *ntlmssp_state)
&ntlmssp_state->crypt->ntlm2.receiving.seal_state);
/* RECV: seq num */
ntlmssp_state->crypt->ntlm2.receiving.seq_num = 0;
if (reset_seqnums) {
ntlmssp_state->crypt->ntlm2.receiving.seq_num = 0;
}
} else {
uint8_t weak_session_key[8];
DATA_BLOB seal_session_key = ntlmssp_state->session_key;
@ -699,8 +674,26 @@ NTSTATUS ntlmssp_sign_init(struct ntlmssp_state *ntlmssp_state)
dump_arc4_state("NTLMv1 arc4 state:\n",
&ntlmssp_state->crypt->ntlm.seal_state);
ntlmssp_state->crypt->ntlm.seq_num = 0;
if (reset_seqnums) {
ntlmssp_state->crypt->ntlm.seq_num = 0;
}
}
return NT_STATUS_OK;
}
NTSTATUS ntlmssp_sign_init(struct ntlmssp_state *ntlmssp_state)
{
if (ntlmssp_state->session_key.length < 8) {
DEBUG(3, ("NO session key, cannot intialise signing\n"));
return NT_STATUS_NO_USER_SESSION_KEY;
}
ntlmssp_state->crypt = talloc_zero(ntlmssp_state,
union ntlmssp_crypt_state);
if (ntlmssp_state->crypt == NULL) {
return NT_STATUS_NO_MEMORY;
}
return ntlmssp_sign_reset(ntlmssp_state, true);
}
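Review bot: the DEBUG(3) message in the new ntlmssp_sign_init() carries over the misspelling "intialise" ("cannot intialise signing") from the code it replaces; since the line moves anyway, fix it to "initialise". Also note the asymmetric errors: ntlmssp_sign_init() returns NT_STATUS_NO_USER_SESSION_KEY for a short session key, while ntlmssp_sign_reset() reports a NULL crypt as NT_STATUS_INVALID_PARAMETER_MIX, so a reset without a prior successful init yields a misleading error; a one-line comment stating that ntlmssp_sign_reset() requires a prior ntlmssp_sign_init() would help.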

@ -25,6 +25,41 @@
#include "../auth/ntlmssp/ntlmssp.h"
#include "../auth/ntlmssp/ntlmssp_private.h"
static void debug_ntlmssp_flags_raw(int level, uint32_t flags)
{
#define _PRINT_FLAG_LINE(v) do { \
if (flags & (v)) { \
DEBUGADD(level, (" " #v "\n")); \
} \
} while (0)
_PRINT_FLAG_LINE(NTLMSSP_NEGOTIATE_UNICODE);
_PRINT_FLAG_LINE(NTLMSSP_NEGOTIATE_OEM);
_PRINT_FLAG_LINE(NTLMSSP_REQUEST_TARGET);
_PRINT_FLAG_LINE(NTLMSSP_NEGOTIATE_SIGN);
_PRINT_FLAG_LINE(NTLMSSP_NEGOTIATE_SEAL);
_PRINT_FLAG_LINE(NTLMSSP_NEGOTIATE_DATAGRAM);
_PRINT_FLAG_LINE(NTLMSSP_NEGOTIATE_LM_KEY);
_PRINT_FLAG_LINE(NTLMSSP_NEGOTIATE_NETWARE);
_PRINT_FLAG_LINE(NTLMSSP_NEGOTIATE_NTLM);
_PRINT_FLAG_LINE(NTLMSSP_NEGOTIATE_NT_ONLY);
_PRINT_FLAG_LINE(NTLMSSP_ANONYMOUS);
_PRINT_FLAG_LINE(NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED);
_PRINT_FLAG_LINE(NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED);
_PRINT_FLAG_LINE(NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL);
_PRINT_FLAG_LINE(NTLMSSP_NEGOTIATE_ALWAYS_SIGN);
_PRINT_FLAG_LINE(NTLMSSP_TARGET_TYPE_DOMAIN);
_PRINT_FLAG_LINE(NTLMSSP_TARGET_TYPE_SERVER);
_PRINT_FLAG_LINE(NTLMSSP_TARGET_TYPE_SHARE);
_PRINT_FLAG_LINE(NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY);
_PRINT_FLAG_LINE(NTLMSSP_NEGOTIATE_IDENTIFY);
_PRINT_FLAG_LINE(NTLMSSP_REQUEST_NON_NT_SESSION_KEY);
_PRINT_FLAG_LINE(NTLMSSP_NEGOTIATE_TARGET_INFO);
_PRINT_FLAG_LINE(NTLMSSP_NEGOTIATE_VERSION);
_PRINT_FLAG_LINE(NTLMSSP_NEGOTIATE_128);
_PRINT_FLAG_LINE(NTLMSSP_NEGOTIATE_KEY_EXCH);
_PRINT_FLAG_LINE(NTLMSSP_NEGOTIATE_56);
}
/**
* Print out the NTLMSSP flags for debugging
* @param neg_flags The flags from the packet
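Review bot: _PRINT_FLAG_LINE is #defined inside debug_ntlmssp_flags_raw() but never #undef'd, so it leaks into the rest of the translation unit; add `#undef _PRINT_FLAG_LINE` after the last use. The new list also replaces NTLMSSP_NEGOTIATE_NTLM2 with NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY; that is fine if they name the same bit (the comment in ntlmssp_handle_neg_flags() later in this file says so), but a short comment here would save the next reader the lookup.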
@ -32,53 +67,15 @@
void debug_ntlmssp_flags(uint32_t neg_flags)
{
DEBUG(3,("Got NTLMSSP neg_flags=0x%08x\n", neg_flags));
if (neg_flags & NTLMSSP_NEGOTIATE_UNICODE)
DEBUGADD(4, (" NTLMSSP_NEGOTIATE_UNICODE\n"));
if (neg_flags & NTLMSSP_NEGOTIATE_OEM)
DEBUGADD(4, (" NTLMSSP_NEGOTIATE_OEM\n"));
if (neg_flags & NTLMSSP_REQUEST_TARGET)
DEBUGADD(4, (" NTLMSSP_REQUEST_TARGET\n"));
if (neg_flags & NTLMSSP_NEGOTIATE_SIGN)
DEBUGADD(4, (" NTLMSSP_NEGOTIATE_SIGN\n"));
if (neg_flags & NTLMSSP_NEGOTIATE_SEAL)
DEBUGADD(4, (" NTLMSSP_NEGOTIATE_SEAL\n"));
if (neg_flags & NTLMSSP_NEGOTIATE_DATAGRAM)
DEBUGADD(4, (" NTLMSSP_NEGOTIATE_DATAGRAM\n"));
if (neg_flags & NTLMSSP_NEGOTIATE_LM_KEY)
DEBUGADD(4, (" NTLMSSP_NEGOTIATE_LM_KEY\n"));
if (neg_flags & NTLMSSP_NEGOTIATE_NETWARE)
DEBUGADD(4, (" NTLMSSP_NEGOTIATE_NETWARE\n"));
if (neg_flags & NTLMSSP_NEGOTIATE_NTLM)
DEBUGADD(4, (" NTLMSSP_NEGOTIATE_NTLM\n"));
if (neg_flags & NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED)
DEBUGADD(4, (" NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED\n"));
if (neg_flags & NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED)
DEBUGADD(4, (" NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED\n"));
if (neg_flags & NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL)
DEBUGADD(4, (" NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL\n"));
if (neg_flags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN)
DEBUGADD(4, (" NTLMSSP_NEGOTIATE_ALWAYS_SIGN\n"));
if (neg_flags & NTLMSSP_REQUEST_NON_NT_SESSION_KEY)
DEBUGADD(4, (" NTLMSSP_REQUEST_NON_NT_SESSION_KEY\n"));
if (neg_flags & NTLMSSP_NEGOTIATE_NTLM2)
DEBUGADD(4, (" NTLMSSP_NEGOTIATE_NTLM2\n"));
if (neg_flags & NTLMSSP_NEGOTIATE_TARGET_INFO)
DEBUGADD(4, (" NTLMSSP_NEGOTIATE_TARGET_INFO\n"));
if (neg_flags & NTLMSSP_NEGOTIATE_VERSION)
DEBUGADD(4, (" NTLMSSP_NEGOTIATE_VERSION\n"));
if (neg_flags & NTLMSSP_NEGOTIATE_128)
DEBUGADD(4, (" NTLMSSP_NEGOTIATE_128\n"));
if (neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH)
DEBUGADD(4, (" NTLMSSP_NEGOTIATE_KEY_EXCH\n"));
if (neg_flags & NTLMSSP_NEGOTIATE_56)
DEBUGADD(4, (" NTLMSSP_NEGOTIATE_56\n"));
debug_ntlmssp_flags_raw(4, neg_flags);
}
void ntlmssp_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
uint32_t neg_flags, bool allow_lm)
NTSTATUS ntlmssp_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
uint32_t flags, const char *name)
{
if (neg_flags & NTLMSSP_NEGOTIATE_UNICODE) {
uint32_t missing_flags = ntlmssp_state->required_flags;
if (flags & NTLMSSP_NEGOTIATE_UNICODE) {
ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_UNICODE;
ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_OEM;
ntlmssp_state->unicode = true;
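Review bot: ntlmssp_handle_neg_flags() changes from void to NTSTATUS and its second parameter from `bool allow_lm` to `const char *name`; every caller must now check the return value, because ignoring it would let a detected downgrade pass silently. None of the callers are in this hunk, so the commit message should list them. Replacing the twenty hand-written `if (neg_flags & X) DEBUGADD(...)` pairs with debug_ntlmssp_flags_raw(4, neg_flags) is a welcome cleanup.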
@ -88,49 +85,69 @@ void ntlmssp_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
ntlmssp_state->unicode = false;
}
if ((neg_flags & NTLMSSP_NEGOTIATE_LM_KEY) && allow_lm) {
/* other end forcing us to use LM */
ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_LM_KEY;
ntlmssp_state->use_ntlmv2 = false;
} else {
ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
}
if (!(neg_flags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN)) {
ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
}
if (!(neg_flags & NTLMSSP_NEGOTIATE_NTLM2)) {
/*
* NTLMSSP_NEGOTIATE_NTLM2 (NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY)
* has priority over NTLMSSP_NEGOTIATE_LM_KEY
*/
if (!(flags & NTLMSSP_NEGOTIATE_NTLM2)) {
ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2;
}
if (!(neg_flags & NTLMSSP_NEGOTIATE_128)) {
if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
}
if (!(flags & NTLMSSP_NEGOTIATE_LM_KEY)) {
ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
}
if (!(flags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN)) {
ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
}
if (!(flags & NTLMSSP_NEGOTIATE_128)) {
ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_128;
}
if (!(neg_flags & NTLMSSP_NEGOTIATE_56)) {
if (!(flags & NTLMSSP_NEGOTIATE_56)) {
ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_56;
}
if (!(neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH)) {
if (!(flags & NTLMSSP_NEGOTIATE_KEY_EXCH)) {
ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_KEY_EXCH;
}
if (!(neg_flags & NTLMSSP_NEGOTIATE_SIGN)) {
if (!(flags & NTLMSSP_NEGOTIATE_SIGN)) {
ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SIGN;
}
if (!(neg_flags & NTLMSSP_NEGOTIATE_SEAL)) {
if (!(flags & NTLMSSP_NEGOTIATE_SEAL)) {
ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SEAL;
}
if (!(neg_flags & NTLMSSP_NEGOTIATE_VERSION)) {
ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_VERSION;
}
if ((neg_flags & NTLMSSP_REQUEST_TARGET)) {
if ((flags & NTLMSSP_REQUEST_TARGET)) {
ntlmssp_state->neg_flags |= NTLMSSP_REQUEST_TARGET;
}
missing_flags &= ~ntlmssp_state->neg_flags;
if (missing_flags != 0) {
HRESULT hres = HRES_SEC_E_UNSUPPORTED_FUNCTION;
NTSTATUS status = NT_STATUS(HRES_ERROR_V(hres));
DEBUG(1, ("%s: Got %s flags[0x%08x] "
"- possible downgrade detected! "
"missing_flags[0x%08x] - %s\n",
__func__, name,
(unsigned)flags,
(unsigned)missing_flags,
nt_errstr(status)));
debug_ntlmssp_flags_raw(1, missing_flags);
DEBUGADD(4, ("neg_flags[0x%08x]\n",
(unsigned)ntlmssp_state->neg_flags));
debug_ntlmssp_flags_raw(4, ntlmssp_state->neg_flags);
return status;
}
return NT_STATUS_OK;
}
/* Does this blob looks like it could be NTLMSSP? */
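Review bot: the downgrade check is only effective if ntlmssp_state->required_flags is populated before this function runs; with required_flags == 0, missing_flags is always 0 and the whole block is a no-op, so the change that sets required_flags must land with or before this one. Two behavioural changes deserve a line in the commit message: the old `allow_lm` path that set use_ntlmv2 = false is gone (LM_KEY is now simply cleared when either side lacks it or NTLM2 is present), and the clearing of NTLMSSP_NEGOTIATE_VERSION when the peer does not offer it has been dropped. The conversion `NT_STATUS(HRES_ERROR_V(hres))` for HRES_SEC_E_UNSUPPORTED_FUNCTION is also unusual enough to warrant a comment on why an HRESULT is surfaced through NTSTATUS here.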
@ -142,3 +159,38 @@ bool ntlmssp_blob_matches_magic(const DATA_BLOB *blob)
return false;
}
}
const DATA_BLOB ntlmssp_version_blob(void)
{
/*
* This is a simplified version of
*
* enum ndr_err_code err;
* struct ntlmssp_VERSION vers;
*
* ZERO_STRUCT(vers);
* vers.ProductMajorVersion = NTLMSSP_WINDOWS_MAJOR_VERSION_6;
* vers.ProductMinorVersion = NTLMSSP_WINDOWS_MINOR_VERSION_1;
* vers.ProductBuild = 0;
* vers.NTLMRevisionCurrent = NTLMSSP_REVISION_W2K3;
*
* err = ndr_push_struct_blob(&version_blob,
* ntlmssp_state,
* &vers,
* (ndr_push_flags_fn_t)ndr_push_ntlmssp_VERSION);
*
* if (!NDR_ERR_CODE_IS_SUCCESS(err)) {
* data_blob_free(&struct_blob);
* return NT_STATUS_NO_MEMORY;
* }
*/
static const uint8_t version_buffer[8] = {
NTLMSSP_WINDOWS_MAJOR_VERSION_6,
NTLMSSP_WINDOWS_MINOR_VERSION_1,
0x00, 0x00, /* product build */
0x00, 0x00, 0x00, /* reserved */
NTLMSSP_REVISION_W2K3
};
return data_blob_const(version_buffer, ARRAY_SIZE(version_buffer));
}
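Review bot: the block comment in ntlmssp_version_blob() is internally inconsistent: it pushes into version_blob but frees struct_blob, and returns NT_STATUS_NO_MEMORY from a function whose real return type is DATA_BLOB. Either make the illustrative code consistent (free version_blob, drop the NTSTATUS) or shorten it to "equivalent to ndr_push_struct_blob() of a struct ntlmssp_VERSION with these fields". Returning `const DATA_BLOB` by value has no effect; plain DATA_BLOB is enough.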

@ -7,7 +7,7 @@ bld.SAMBA_SUBSYSTEM('NTLMSSP_COMMON',
ntlmssp_server.c
ntlmssp_sign.c
gensec_ntlmssp_server.c''',
deps='samba-util NDR_NTLMSSP MSRPC_PARSE NTLM_CHECK samba-credentials')
deps='samba-util NDR_NTLMSSP MSRPC_PARSE NTLM_CHECK samba-credentials wbclient')
bld.SAMBA_MODULE('gensec_ntlmssp',
source='''''',

@ -0,0 +1,26 @@
<samba:parameter name="ldap server require strong auth"
context="G"
type="enum"
enumlist="enum_ldap_server_require_strong_auth_vals"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
<para>
The <smbconfoption name="ldap server require strong auth"/> defines whether
the ldap server requires ldap traffic to be signed or signed and encrypted (sealed).
Possible values are <emphasis>no</emphasis>, <emphasis>allow_sasl_over_tls</emphasis>
and <emphasis>yes</emphasis>.
</para>
<para>A value of <emphasis>no</emphasis> allows simple and sasl binds over
all transports.</para>
<para>A value of <emphasis>allow_sasl_over_tls</emphasis> allows simple and sasl binds
(without sign or seal) over TLS encrypted connections. Unencrypted connections only
allow sasl binds with sign or seal.</para>
<para>A value of <emphasis>yes</emphasis> allows only simple binds
over TLS encrypted connections. Unencrypted connections only
allow sasl binds with sign or seal.</para>
</description>
<value type="default">yes</value>
</samba:parameter>
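Review bot: the description of `yes` never says what happens to SASL binds without sign or seal over TLS, which is exactly the case that distinguishes `yes` from `allow_sasl_over_tls`; state explicitly that they are rejected. Also write LDAP and SASL in capitals in prose, matching the rest of the smb.conf manpage, and mention the default (`yes`) in the first paragraph since it is the security-relevant fact an upgrading admin needs.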

@ -0,0 +1,29 @@
<samba:parameter name="client ipc max protocol"
context="G"
type="enum"
function="_client_ipc_max_protocol"
enumlist="enum_protocol"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
<para>The value of the parameter (a string) is the highest
protocol level that will be supported for IPC$ connections as DCERPC transport.</para>
<para>Normally this option should not be set as the automatic
negotiation phase in the SMB protocol takes care of choosing
the appropriate protocol.</para>
<para>The value <constant>default</constant> refers to the latest
supported protocol, currently <constant>SMB3_11</constant>.</para>
<para>See <smbconfoption name="client max protocol"/> for a full list
of available protocols. The values CORE, COREPLUS, LANMAN1, LANMAN2
are silently upgraded to NT1.</para>
</description>
<related>client ipc min protocol</related>
<related>client min protocol</related>
<related>client max protocol</related>
<value type="default">default</value>
<value type="example">SMB2_10</value>
</samba:parameter>

@ -0,0 +1,29 @@
<samba:parameter name="client ipc min protocol"
context="G"
type="enum"
function="_client_ipc_min_protocol"
enumlist="enum_protocol"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
<para>This setting controls the minimum protocol version that the
will be attempted to use for IPC$ connections as DCERPC transport.</para>
<para>Normally this option should not be set as the automatic
negotiation phase in the SMB protocol takes care of choosing
the appropriate protocol.</para>
<para>The value <constant>default</constant> refers to the higher value
of <constant>NT1</constant> and the effective value of
<smbconfoption name="client min protocol"/>.</para>
<para>See <smbconfoption name="client max protocol"/> for a full list
of available protocols. The values CORE, COREPLUS, LANMAN1, LANMAN2
are silently upgraded to NT1.</para>
</description>
<related>client ipc max protocol</related>
<related>client min protocol</related>
<related>client max protocol</related>
<value type="default">default</value>
<value type="example">SMB3_11</value>
</samba:parameter>
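Review bot: the first sentence is garbled: "the minimum protocol version that the will be attempted to use for IPC$ connections". Suggest: "the minimum protocol version that will be attempted for IPC$ connections used as DCERPC transport." The example value SMB3_11 is also the highest possible setting for a minimum; SMB2_10, which the companion max protocol page uses as its example, would read more naturally.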

@ -78,13 +78,16 @@
negotiation phase in the SMB protocol takes care of choosing
the appropriate protocol.</para>
<para>The value <constant>default</constant> refers to the default protocol in each
part of the code, currently <constant>NT1</constant> in the client tools and
<constant>SMB3_02</constant> in winbindd.</para>
<para>The value <constant>default</constant> refers to <constant>NT1</constant>.</para>
<para>IPC$ connections for DCERPC e.g. in winbindd, are handled by the
<smbconfoption name="client ipc max protocol"/> option.</para>
</description>
<related>server max protocol</related>
<related>client min protocol</related>
<related>client ipc min protocol</related>
<related>client ipc max protocol</related>
<value type="default">default</value>
<value type="example">LANMAN1</value>

@ -12,10 +12,16 @@
<para>See <related>client max protocol</related> for a full list
of available protocols.</para>
<para>IPC$ connections for DCERPC e.g. in winbindd, are handled by the
<smbconfoption name="client ipc min protocol"/> option.</para>
</description>
<related>client max protocol</related>
<related>server min protocol</related>
<related>client ipc min protocol</related>
<related>client ipc max protocol</related>
<value type="default">CORE</value>
<value type="example">NT1</value>
</samba:parameter>

@ -8,6 +8,11 @@
supporting servers (including WindowsXP, Windows2000 and Samba
3.0) to agree upon an authentication
mechanism. This enables Kerberos authentication in particular.</para>
<para>When <smbconfoption name="client NTLMv2 auth"/> is also set to
<constant>yes</constant> extended security (SPNEGO) is required
in order to use NTLMv2 only within NTLMSSP. This behavior was
introduced with the patches for CVE-2016-2111.</para>
</description>
<value type="default">yes</value>

@ -0,0 +1,27 @@
<samba:parameter name="allow dcerpc auth level connect"
context="G"
type="boolean"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
<para>This option controls whether DCERPC services are allowed to
be used with DCERPC_AUTH_LEVEL_CONNECT, which provides authentication,
but no per message integrity nor privacy protection.</para>
<para>Some interfaces like samr, lsarpc and netlogon have a hard-coded default of
<constant>no</constant> and epmapper, mgmt and rpcecho have a hard-coded default of
<constant>yes</constant>.
</para>
<para>The behavior can be overwritten per interface name (e.g. lsarpc, netlogon, samr, srvsvc,
winreg, wkssvc ...) by using 'allow dcerpc auth level connect:interface = yes' as option.</para>
<para>This option yields precedence to the implementation specific restrictions.
E.g. the drsuapi and backupkey protocols require DCERPC_AUTH_LEVEL_PRIVACY.
The dnsserver protocol requires DCERPC_AUTH_LEVEL_INTEGRITY.
</para>
</description>
<value type="default">no</value>
<value type="example">yes</value>
</samba:parameter>
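Review bot: "per message integrity" should be "per-message integrity", and the override example would be clearer as the generic form `allow dcerpc auth level connect:<interface> = yes` followed by one concrete instance. It would also help to say that the per-interface form overrides both the global value and the hard-coded interface defaults listed above, since the text currently leaves the precedence between those two implicit.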

@ -0,0 +1,26 @@
<samba:parameter name="client ipc signing"
context="G"
type="enum"
function="_client_ipc_signing"
enumlist="enum_smb_signing_vals"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
<para>This controls whether the client is allowed or required to use SMB signing for IPC$
connections as DCERPC transport. Possible values
are <emphasis>auto</emphasis>, <emphasis>mandatory</emphasis>
and <emphasis>disabled</emphasis>.
</para>
<para>When set to mandatory or default, SMB signing is required.</para>
<para>When set to auto, SMB signing is offered, but not enforced and if set
to disabled, SMB signing is not offered either.</para>
<para>Connections from winbindd to Active Directory Domain Controllers
always enforce signing.</para>
</description>
<related>client signing</related>
<value type="default">default</value>
</samba:parameter>
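Review bot: the page should lead with the consequence of the default: because `default` maps to mandatory (matching lpcfg_client_ipc_signing() later in this patch, which turns SMB_SIGNING_DEFAULT into SMB_SIGNING_REQUIRED), IPC$ signing is required unless the admin explicitly sets auto or disabled. As written, the three possible values are listed first and the reader only learns the effective default from a later sentence.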

@ -27,6 +27,11 @@
NTLMv2 by default, and some sites (particularly those following
'best practice' security polices) only allow NTLMv2 responses, and
not the weaker LM or NTLM.</para>
<para>When <smbconfoption name="client use spnego"/> is also set to
<constant>yes</constant> extended security (SPNEGO) is required
in order to use NTLMv2 only within NTLMSSP. This behavior was
introduced with the patches for CVE-2016-2111.</para>
</description>
<value type="default">yes</value>
</samba:parameter>
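Review bot: same wording problem as on the client use spnego page: "When client use spnego is also set to yes extended security (SPNEGO) is required in order to use NTLMv2 only within NTLMSSP" needs a comma after "yes" and would be clearer as: when both options are `yes`, NTLMv2 is only used inside NTLMSSP, so SPNEGO must be negotiated.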

@ -8,14 +8,16 @@
and <emphasis>disabled</emphasis>.
</para>
<para>When set to auto or default, SMB signing is offered, but not
enforced, except in winbindd, where it is enforced to Active
Directory Domain Controllers. </para>
<para>When set to auto or default, SMB signing is offered, but not enforced.</para>
<para>When set to mandatory, SMB signing is required and if set
to disabled, SMB signing is not offered either.
</para>
to disabled, SMB signing is not offered either.</para>
<para>IPC$ connections for DCERPC e.g. in winbindd, are handled by the
<smbconfoption name="client ipc signing"/> option.</para>
</description>
<related>client ipc signing</related>
<value type="default">default</value>
</samba:parameter>

@ -0,0 +1,19 @@
<samba:parameter name="raw NTLMv2 auth"
context="G"
type="boolean"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
<para>This parameter determines whether or not <citerefentry><refentrytitle>smbd</refentrytitle>
<manvolnum>8</manvolnum></citerefentry> will allow SMB1 clients without
extended security (without SPNEGO) to use NTLMv2 authentication.</para>
<para>If this option, <command moreinfo="none">lanman auth</command>
and <command moreinfo="none">ntlm auth</command> are all disabled,
then only clients with SPNEGO support will be permitted.
That means NTLMv2 is only supported within NTLMSSP.</para>
</description>
<related>lanman auth</related>
<related>ntlm auth</related>
<value type="default">no</value>
</samba:parameter>

@ -10,7 +10,7 @@
</para>
<para>By default, and when smb signing is set to
<emphasis>default</emphasis>, smb signing enabled when
<emphasis>default</emphasis>, smb signing is required when
<smbconfoption name="server role"/> is <emphasis>active directory
domain controller</emphasis> and disabled otherwise.</para>

@ -0,0 +1,47 @@
<samba:parameter name="tls verify peer"
context="G"
type="enum"
enumlist="enum_tls_verify_peer_vals"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
<para>This controls if and how strict the client will verify the peer's certificate and name.
Possible values are (in increasing order):
<constant>no_check</constant>,
<constant>ca_only</constant>,
<constant>ca_and_name_if_available</constant>,
<constant>ca_and_name</constant>
and
<constant>as_strict_as_possible</constant>.</para>
<para>When set to <constant>no_check</constant> the certificate is not verified at
all, which allows trivial man in the middle attacks.
</para>
<para>When set to <constant>ca_only</constant> the certificate is verified to
be signed from a ca specified in the <smbconfoption name="tls ca file"/> option.
Setting <smbconfoption name="tls ca file"/> to a valid file is required.
The certificate lifetime is also verified. If the <smbconfoption name="tls crl file"/>
option is configured, the certificate is also verified against the ca crl.
</para>
<para>When set to <constant>ca_and_name_if_available</constant> all checks from
<constant>ca_only</constant> are performed. In addition, the peer hostname is verified
against the certificate's name, if it is provided by the application layer and
not given as an ip address string.
</para>
<para>When set to <constant>ca_and_name</constant> all checks from
<constant>ca_and_name_if_available</constant> are performed.
In addition the peer hostname needs to be provided and even an ip
address is checked against the certificate's name.
</para>
<para>When set to <constant>as_strict_as_possible</constant> all checks from
<constant>ca_and_name</constant> are performed. In addition the
<smbconfoption name="tls crl file"/> needs to be configured.
Future versions of Samba may implement additional checks.
</para>
</description>
<value type="default">as_strict_as_possible</value>
</samba:parameter>
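Review bot: the default as_strict_as_possible requires `tls crl file` to be configured (per the last paragraph), so an existing installation with `tls enabled = yes` and no CRL file will start failing TLS connections after upgrading; the page should state that consequence and tell admins to set ca_and_name or supply a CRL. It would also help to name the default next to the value list at the top, since no_check is described right there as allowing "trivial man in the middle attacks".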

@ -2514,6 +2514,8 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
lpcfg_do_global_parameter(lp_ctx, "server max protocol", "SMB3");
lpcfg_do_global_parameter(lp_ctx, "client min protocol", "CORE");
lpcfg_do_global_parameter(lp_ctx, "client max protocol", "default");
lpcfg_do_global_parameter(lp_ctx, "client ipc min protocol", "default");
lpcfg_do_global_parameter(lp_ctx, "client ipc max protocol", "default");
lpcfg_do_global_parameter(lp_ctx, "security", "AUTO");
lpcfg_do_global_parameter(lp_ctx, "EncryptPasswords", "True");
lpcfg_do_global_parameter(lp_ctx, "ReadRaw", "True");
@ -2529,8 +2531,11 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
lpcfg_do_global_parameter(lp_ctx, "ClientNTLMv2Auth", "True");
lpcfg_do_global_parameter(lp_ctx, "LanmanAuth", "False");
lpcfg_do_global_parameter(lp_ctx, "NTLMAuth", "True");
lpcfg_do_global_parameter(lp_ctx, "RawNTLMv2Auth", "False");
lpcfg_do_global_parameter(lp_ctx, "client use spnego principal", "False");
lpcfg_do_global_parameter(lp_ctx, "allow dcerpc auth level connect", "False");
lpcfg_do_global_parameter(lp_ctx, "UnixExtensions", "True");
lpcfg_do_global_parameter(lp_ctx, "PreferredMaster", "Auto");
@ -2553,6 +2558,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
lpcfg_do_global_parameter(lp_ctx, "template homedir", "/home/%D/%U");
lpcfg_do_global_parameter(lp_ctx, "client signing", "default");
lpcfg_do_global_parameter(lp_ctx, "client ipc signing", "default");
lpcfg_do_global_parameter(lp_ctx, "server signing", "default");
lpcfg_do_global_parameter(lp_ctx, "use spnego", "True");
@ -2573,6 +2579,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
lpcfg_do_global_parameter(lp_ctx, "min wins ttl", "21600");
lpcfg_do_global_parameter(lp_ctx, "tls enabled", "True");
lpcfg_do_global_parameter(lp_ctx, "tls verify peer", "as_strict_as_possible");
lpcfg_do_global_parameter(lp_ctx, "tls keyfile", "tls/key.pem");
lpcfg_do_global_parameter(lp_ctx, "tls certfile", "tls/cert.pem");
lpcfg_do_global_parameter(lp_ctx, "tls cafile", "tls/ca.pem");
@ -2709,6 +2716,8 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
lpcfg_do_global_parameter(lp_ctx, "client ldap sasl wrapping", "sign");
lpcfg_do_global_parameter(lp_ctx, "ldap server require strong auth", "yes");
lpcfg_do_global_parameter(lp_ctx, "follow symlinks", "yes");
lpcfg_do_global_parameter(lp_ctx, "machine password timeout", "604800");
@ -3212,6 +3221,39 @@ int lpcfg_client_max_protocol(struct loadparm_context *lp_ctx)
return client_max_protocol;
}
int lpcfg_client_ipc_min_protocol(struct loadparm_context *lp_ctx)
{
int client_ipc_min_protocol = lpcfg__client_ipc_min_protocol(lp_ctx);
if (client_ipc_min_protocol == PROTOCOL_DEFAULT) {
client_ipc_min_protocol = lpcfg_client_min_protocol(lp_ctx);
}
if (client_ipc_min_protocol < PROTOCOL_NT1) {
return PROTOCOL_NT1;
}
return client_ipc_min_protocol;
}
int lpcfg_client_ipc_max_protocol(struct loadparm_context *lp_ctx)
{
int client_ipc_max_protocol = lpcfg__client_ipc_max_protocol(lp_ctx);
if (client_ipc_max_protocol == PROTOCOL_DEFAULT) {
return PROTOCOL_LATEST;
}
if (client_ipc_max_protocol < PROTOCOL_NT1) {
return PROTOCOL_NT1;
}
return client_ipc_max_protocol;
}
int lpcfg_client_ipc_signing(struct loadparm_context *lp_ctx)
{
int client_ipc_signing = lpcfg__client_ipc_signing(lp_ctx);
if (client_ipc_signing == SMB_SIGNING_DEFAULT) {
return SMB_SIGNING_REQUIRED;
}
return client_ipc_signing;
}
bool lpcfg_server_signing_allowed(struct loadparm_context *lp_ctx, bool *mandatory)
{
bool allowed = true;
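Review bot: lpcfg_client_ipc_max_protocol() and lpcfg_client_ipc_min_protocol() each clamp to PROTOCOL_NT1 independently, but nothing ensures the resulting max is >= min (for instance `client ipc min protocol = SMB3_11` with `client ipc max protocol = NT1`); either clamp max up to min here or document which setting wins. lpcfg_client_ipc_signing() also does not handle SMB_SIGNING_IPC_DEFAULT, which the switch in lpcfg_server_signing_allowed() below treats as an impossible value; if enum_smb_signing_vals cannot produce it, a comment saying so avoids the question.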
@ -3246,10 +3288,13 @@ bool lpcfg_server_signing_allowed(struct loadparm_context *lp_ctx, bool *mandato
case SMB_SIGNING_DESIRED:
case SMB_SIGNING_IF_REQUIRED:
break;
case SMB_SIGNING_DEFAULT:
case SMB_SIGNING_OFF:
allowed = false;
break;
case SMB_SIGNING_DEFAULT:
case SMB_SIGNING_IPC_DEFAULT:
smb_panic(__location__);
break;
}
return allowed;
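Review bot: moving SMB_SIGNING_DEFAULT from the `allowed = false` case to the smb_panic(__location__) case turns a previously tolerated value into a crash; this is only safe if every caller resolves DEFAULT before calling lpcfg_server_signing_allowed(), which this hunk cannot show. Please confirm the callers (or have the function map DEFAULT itself) and record the new invariant in a comment above the switch.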

@ -193,6 +193,12 @@ enum printing_types {PRINT_BSD,PRINT_SYSV,PRINT_AIX,PRINT_HPUX,
#define ADS_AUTH_SASL_FORCE 0x0080
#define ADS_AUTH_USER_CREDS 0x0100
enum ldap_server_require_strong_auth {
LDAP_SERVER_REQUIRE_STRONG_AUTH_NO,
LDAP_SERVER_REQUIRE_STRONG_AUTH_ALLOW_SASL_OVER_TLS,
LDAP_SERVER_REQUIRE_STRONG_AUTH_YES,
};
/* DNS update settings */
enum dns_update_settings {DNS_UPDATE_OFF, DNS_UPDATE_ON, DNS_UPDATE_SIGNED};

@ -32,6 +32,7 @@
#include "lib/param/loadparm.h"
#include "lib/param/param_global.h"
#include "libcli/smb/smb_constants.h"
#include "source4/lib/tls/tls.h"
#ifndef N_
#define N_(x) x
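Review bot: including "source4/lib/tls/tls.h" from lib/param/loadparm.c makes the shared parameter library depend on a source4 header solely for the TLS_VERIFY_PEER_* constants and their *_STRING names used in enum_tls_verify_peer_vals; consider moving those definitions into a header under lib/ or libcli/ so the parameter code does not pull in a source4 dependency.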
@ -124,6 +125,20 @@ static const struct enum_list enum_smb_signing_vals[] = {
{-1, NULL}
};
static const struct enum_list enum_tls_verify_peer_vals[] = {
{TLS_VERIFY_PEER_NO_CHECK,
TLS_VERIFY_PEER_NO_CHECK_STRING},
{TLS_VERIFY_PEER_CA_ONLY,
TLS_VERIFY_PEER_CA_ONLY_STRING},
{TLS_VERIFY_PEER_CA_AND_NAME_IF_AVAILABLE,
TLS_VERIFY_PEER_CA_AND_NAME_IF_AVAILABLE_STRING},
{TLS_VERIFY_PEER_CA_AND_NAME,
TLS_VERIFY_PEER_CA_AND_NAME_STRING},
{TLS_VERIFY_PEER_AS_STRICT_AS_POSSIBLE,
TLS_VERIFY_PEER_AS_STRICT_AS_POSSIBLE_STRING},
{-1, NULL}
};
/* DNS update options. */
static const struct enum_list enum_dns_update_settings[] = {
{DNS_UPDATE_OFF, "disabled"},
@ -222,6 +237,18 @@ static const struct enum_list enum_ldap_sasl_wrapping[] = {
{-1, NULL}
};
static const struct enum_list enum_ldap_server_require_strong_auth_vals[] = {
{ LDAP_SERVER_REQUIRE_STRONG_AUTH_NO, "No" },
{ LDAP_SERVER_REQUIRE_STRONG_AUTH_NO, "False" },
{ LDAP_SERVER_REQUIRE_STRONG_AUTH_NO, "0" },
{ LDAP_SERVER_REQUIRE_STRONG_AUTH_ALLOW_SASL_OVER_TLS,
"allow_sasl_over_tls" },
{ LDAP_SERVER_REQUIRE_STRONG_AUTH_YES, "Yes" },
{ LDAP_SERVER_REQUIRE_STRONG_AUTH_YES, "True" },
{ LDAP_SERVER_REQUIRE_STRONG_AUTH_YES, "1" },
{-1, NULL}
};
static const struct enum_list enum_ldap_ssl[] = {
{LDAP_SSL_OFF, "no"},
{LDAP_SSL_OFF, "off"},
@ -675,6 +702,14 @@ struct parm_struct parm_table[] = {
.special = NULL,
.enum_list = NULL,
},
{
.label = "raw NTLMv2 auth",
.type = P_BOOL,
.p_class = P_GLOBAL,
.offset = GLOBAL_VAR(raw_ntlmv2_auth),
.special = NULL,
.enum_list = NULL,
},
{
.label = "client NTLMv2 auth",
.type = P_BOOL,
@ -1543,6 +1578,14 @@ struct parm_struct parm_table[] = {
.special = NULL,
.enum_list = enum_ldap_sasl_wrapping,
},
{
.label = "ldap server require strong auth",
.type = P_ENUM,
.p_class = P_GLOBAL,
.offset = GLOBAL_VAR(ldap_server_require_strong_auth),
.special = NULL,
.enum_list = enum_ldap_server_require_strong_auth_vals
},
{
.label = "enable asu support",
.type = P_BOOL,
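Review bot: `.enum_list = enum_ldap_server_require_strong_auth_vals` lacks the trailing comma that the neighbouring entries have (e.g. `.enum_list = enum_ldap_sasl_wrapping,`); the `allow dcerpc auth level connect` entry added later in this file has the same inconsistency. Harmless, but keeping the trailing comma keeps future diffs to one line.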
@ -4005,6 +4048,46 @@ struct parm_struct parm_table[] = {
.special = NULL,
.enum_list = NULL
},
{
.label = "tls verify peer",
.type = P_ENUM,
.p_class = P_GLOBAL,
.offset = GLOBAL_VAR(tls_verify_peer),
.special = NULL,
.enum_list = enum_tls_verify_peer_vals,
},
{
.label = "client ipc max protocol",
.type = P_ENUM,
.p_class = P_GLOBAL,
.offset = GLOBAL_VAR(_client_ipc_max_protocol),
.special = NULL,
.enum_list = enum_protocol,
},
{
.label = "client ipc min protocol",
.type = P_ENUM,
.p_class = P_GLOBAL,
.offset = GLOBAL_VAR(_client_ipc_min_protocol),
.special = NULL,
.enum_list = enum_protocol,
},
{
.label = "client ipc signing",
.type = P_ENUM,
.p_class = P_GLOBAL,
.offset = GLOBAL_VAR(_client_ipc_signing),
.special = NULL,
.enum_list = enum_smb_signing_vals,
},
{
.label = "allow dcerpc auth level connect",
.type = P_BOOL,
.p_class = P_GLOBAL,
.offset = GLOBAL_VAR(allow_dcerpc_auth_level_connect),
.special = NULL,
.enum_list = NULL
},
{NULL, P_BOOL, P_NONE, 0, NULL, NULL, 0}
};

@ -20,6 +20,21 @@
#include "includes.h"
#include "../lib/util/asn1.h"
struct nesting {
off_t start;
size_t taglen; /* for parsing */
struct nesting *next;
};
struct asn1_data {
uint8_t *data;
size_t length;
off_t ofs;
struct nesting *nesting;
bool has_error;
};
/* allocate an asn1 structure */
struct asn1_data *asn1_init(TALLOC_CTX *mem_ctx)
{
@ -36,10 +51,36 @@ void asn1_free(struct asn1_data *data)
talloc_free(data);
}
bool asn1_has_error(const struct asn1_data *data)
{
return data->has_error;
}
void asn1_set_error(struct asn1_data *data)
{
data->has_error = true;
}
bool asn1_has_nesting(const struct asn1_data *data)
{
return data->nesting != NULL;
}
off_t asn1_current_ofs(const struct asn1_data *data)
{
return data->ofs;
}
/* write to the ASN1 buffer, advancing the buffer pointer */
bool asn1_write(struct asn1_data *data, const void *p, int len)
{
if (data->has_error) return false;
if ((len < 0) || (data->ofs + (size_t)len < data->ofs)) {
data->has_error = true;
return false;
}
if (data->length < data->ofs+len) {
uint8_t *newp;
newp = talloc_realloc(data, data->data, uint8_t, data->ofs+len);
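Review bot: the new guard in asn1_write() correctly rejects negative len and wrap-around of `data->ofs + (size_t)len`, closing the integer-overflow path, but the unchanged comparison on the next line still computes `data->ofs+len` with a signed off_t and an int; compute the target size once as a size_t and reuse it in both the guard and the talloc_realloc() call. Now that struct asn1_data is private to this file, a comment on the struct stating that every operation fails once has_error is set would make the contract the new early returns rely on explicit.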
@ -66,7 +107,9 @@ bool asn1_push_tag(struct asn1_data *data, uint8_t tag)
{
struct nesting *nesting;
asn1_write_uint8(data, tag);
if (!asn1_write_uint8(data, tag)) {
return false;
}
nesting = talloc(data, struct nesting);
if (!nesting) {
data->has_error = true;
@ -85,6 +128,10 @@ bool asn1_pop_tag(struct asn1_data *data)
struct nesting *nesting;
size_t len;
if (data->has_error) {
return false;
}
nesting = data->nesting;
if (!nesting) {
@ -184,6 +231,10 @@ static bool push_int_bigendian(struct asn1_data *data, unsigned int i, bool nega
bool asn1_write_implicit_Integer(struct asn1_data *data, int i)
{
if (data->has_error) {
return false;
}
if (i == -1) {
/* -1 is special as it consists of all-0xff bytes. In
push_int_bigendian this is the only case that is not
@ -986,6 +1037,26 @@ bool asn1_blob(const struct asn1_data *asn1, DATA_BLOB *blob)
return true;
}
bool asn1_extract_blob(struct asn1_data *asn1, TALLOC_CTX *mem_ctx,
DATA_BLOB *pblob)
{
DATA_BLOB blob;
if (!asn1_blob(asn1, &blob)) {
return false;
}
*pblob = (DATA_BLOB) { .length = blob.length };
pblob->data = talloc_move(mem_ctx, &blob.data);
/*
* Stop access from here on
*/
asn1->has_error = true;
return true;
}
/*
Fill in an asn1 struct without making a copy
*/
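Review bot: asn1_extract_blob() re-parents the buffer with talloc_move() but leaves asn1->data and asn1->length pointing at memory now owned by mem_ctx, relying only on has_error = true to "stop access"; if mem_ctx is freed before the asn1 context, asn1->data dangles. Clear data, length and nesting here so the object is explicitly empty, rather than making the error flag double as a "consumed" marker that asn1_has_error() callers cannot distinguish from a real parse failure.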
@ -996,35 +1067,7 @@ void asn1_load_nocopy(struct asn1_data *data, uint8_t *buf, size_t len)
data->length = len;
}
/*
check if a ASN.1 blob is a full tag
*/
NTSTATUS asn1_full_tag(DATA_BLOB blob, uint8_t tag, size_t *packet_size)
{
struct asn1_data *asn1 = asn1_init(NULL);
int size;
NT_STATUS_HAVE_NO_MEMORY(asn1);
asn1->data = blob.data;
asn1->length = blob.length;
if (!asn1_start_tag(asn1, tag)) {
talloc_free(asn1);
return STATUS_MORE_ENTRIES;
}
size = asn1_tag_remaining(asn1) + asn1->ofs;
talloc_free(asn1);
if (size > blob.length) {
return STATUS_MORE_ENTRIES;
}
*packet_size = size;
return NT_STATUS_OK;
}
NTSTATUS asn1_peek_full_tag(DATA_BLOB blob, uint8_t tag, size_t *packet_size)
int asn1_peek_full_tag(DATA_BLOB blob, uint8_t tag, size_t *packet_size)
{
struct asn1_data asn1;
size_t size;
@ -1036,14 +1079,14 @@ NTSTATUS asn1_peek_full_tag(DATA_BLOB blob, uint8_t tag, size_t *packet_size)
ok = asn1_peek_tag_needed_size(&asn1, tag, &size);
if (!ok) {
return NT_STATUS_INVALID_BUFFER_SIZE;
return EMSGSIZE;
}
if (size > blob.length) {
*packet_size = size;
return STATUS_MORE_ENTRIES;
return EAGAIN;
}
*packet_size = size;
return NT_STATUS_OK;
return 0;
}

View File

@ -20,20 +20,8 @@
#ifndef _ASN_1_H
#define _ASN_1_H
struct nesting {
off_t start;
size_t taglen; /* for parsing */
struct nesting *next;
};
struct asn1_data {
uint8_t *data;
size_t length;
off_t ofs;
struct nesting *nesting;
bool has_error;
};
struct nesting;
struct asn1_data;
typedef struct asn1_data ASN1_DATA;
#define ASN1_APPLICATION(x) ((x)+0x60)
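Review bot: making `struct asn1_data` and `struct nesting` opaque is the right hardening step, since it forces all users through `asn1_has_error()`, `asn1_set_error()`, `asn1_has_nesting()` and `asn1_current_ofs()` instead of poking at `has_error` or `ofs` directly, but note that the stack-allocated `struct asn1_data asn1;` in `asn1_peek_full_tag()` only keeps compiling because it lives inside asn1.c. A one-line comment above the forward declarations saying that instances must come from `asn1_init()` and be released with `asn1_free()` would make the new contract explicit.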
@ -54,6 +42,10 @@ typedef struct asn1_data ASN1_DATA;
struct asn1_data *asn1_init(TALLOC_CTX *mem_ctx);
void asn1_free(struct asn1_data *data);
bool asn1_has_error(const struct asn1_data *data);
void asn1_set_error(struct asn1_data *data);
bool asn1_has_nesting(const struct asn1_data *data);
off_t asn1_current_ofs(const struct asn1_data *data);
bool asn1_write(struct asn1_data *data, const void *p, int len);
bool asn1_write_uint8(struct asn1_data *data, uint8_t v);
bool asn1_push_tag(struct asn1_data *data, uint8_t tag);
@ -99,8 +91,9 @@ bool asn1_read_enumerated(struct asn1_data *data, int *v);
bool asn1_check_enumerated(struct asn1_data *data, int v);
bool asn1_write_enumerated(struct asn1_data *data, uint8_t v);
bool asn1_blob(const struct asn1_data *asn1, DATA_BLOB *blob);
bool asn1_extract_blob(struct asn1_data *asn1, TALLOC_CTX *mem_ctx,
DATA_BLOB *pblob);
void asn1_load_nocopy(struct asn1_data *data, uint8_t *buf, size_t len);
NTSTATUS asn1_full_tag(DATA_BLOB blob, uint8_t tag, size_t *packet_size);
NTSTATUS asn1_peek_full_tag(DATA_BLOB blob, uint8_t tag, size_t *packet_size);
int asn1_peek_full_tag(DATA_BLOB blob, uint8_t tag, size_t *packet_size);
#endif /* _ASN_1_H */

View File

@ -337,8 +337,10 @@ static bool test_asn1_Integer(struct torture_context *tctx)
if (!asn1_write_Integer(data, integer_tests[i].value)) goto err;
blob.data = data->data;
blob.length = data->length;
if (!asn1_blob(data, &blob)) {
goto err;
}
torture_assert_data_blob_equal(tctx, blob, integer_tests[i].blob, "asn1_write_Integer gave incorrect result");
if (!asn1_load(data, blob)) goto err;

View File

@ -41,6 +41,115 @@ void zero_sockaddr(struct sockaddr_storage *pss)
pss->ss_family = AF_INET;
}
static char *normalize_ipv6_literal(const char *str, char *buf, size_t *_len)
{
#define IPv6_LITERAL_NET ".ipv6-literal.net"
static const size_t llen = sizeof(IPv6_LITERAL_NET) - 1;
size_t len = *_len;
int cmp;
size_t i;
size_t idx_chars = 0;
size_t cnt_delimiter = 0;
size_t cnt_chars = 0;
if (len <= llen) {
return false;
}
/* ignore a trailing '.' */
if (str[len - 1] == '.') {
len -= 1;
}
len -= llen;
if (len >= INET6_ADDRSTRLEN) {
return NULL;
}
if (len < 2) {
return NULL;
}
cmp = strncasecmp(&str[len], IPv6_LITERAL_NET, llen);
if (cmp != 0) {
return NULL;
}
for (i = 0; i < len; i++) {
if (idx_chars != 0) {
break;
}
switch (str[i]) {
case '-':
buf[i] = ':';
cnt_chars = 0;
cnt_delimiter += 1;
break;
case 's':
buf[i] = '%';
idx_chars += 1;
break;
case '0':
case '1':
case '2':
case '3':
case '4':
case '5':
case '6':
case '7':
case '8':
case '9':
case 'a':
case 'A':
case 'b':
case 'B':
case 'c':
case 'C':
case 'd':
case 'D':
case 'e':
case 'E':
case 'f':
case 'F':
buf[i] = str[i];
cnt_chars += 1;
break;
default:
return NULL;
}
if (cnt_chars > 4) {
return NULL;
}
if (cnt_delimiter > 7) {
return NULL;
}
}
if (cnt_delimiter < 2) {
return NULL;
}
for (; idx_chars != 0 && i < len; i++) {
switch (str[i]) {
case '%':
case ':':
return NULL;
default:
buf[i] = str[i];
idx_chars += 1;
break;
}
}
if (idx_chars == 1) {
return NULL;
}
buf[i] = '\0';
*_len = len;
return buf;
}
/**
* Wrap getaddrinfo...
*/
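Review bot: `return false;` in the `if (len <= llen)` check of `normalize_ipv6_literal()` should be `return NULL;`; the function returns `char *`, and while `false` converts to a null pointer constant it is inconsistent with every other early exit in the function and produces integer-to-pointer warnings on some compilers. A short comment describing the accepted input would also help: in a `.ipv6-literal.net` name (the form Windows uses for IPv6 addresses in UNC paths) '-' stands for ':' and 's' for '%', which is exactly what the `switch` translates, with the `cnt_chars > 4` and `cnt_delimiter > 7` checks bounding hextets and separators.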
@ -49,6 +158,11 @@ bool interpret_string_addr_internal(struct addrinfo **ppres,
{
int ret;
struct addrinfo hints;
#if defined(HAVE_IPV6)
char addr[INET6_ADDRSTRLEN*2] = { 0, };
unsigned int scope_id = 0;
size_t len = strlen(str);
#endif
ZERO_STRUCT(hints);
@ -58,8 +172,72 @@ bool interpret_string_addr_internal(struct addrinfo **ppres,
/* always try as a numeric host first. This prevents unnecessary name
* lookups, and also ensures we accept IPv6 addresses */
hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST;
#if defined(HAVE_IPV6)
if (len < sizeof(addr)) {
char *p = NULL;
p = normalize_ipv6_literal(str, addr, &len);
if (p != NULL) {
hints.ai_family = AF_INET6;
str = p;
}
}
if (strchr_m(str, ':')) {
char *p = strchr_m(str, '%');
/*
* Cope with link-local.
* This is IP:v6:addr%ifname.
*/
if (p && (p > str) && ((scope_id = if_nametoindex(p+1)) != 0)) {
/* Length of string we want to copy.
This is IP:v6:addr (removing the %ifname).
*/
len = PTR_DIFF(p,str);
if (len+1 > sizeof(addr)) {
/* string+nul too long for array. */
return false;
}
if (str != addr) {
memcpy(addr, str, len);
}
addr[len] = '\0';
str = addr;
}
}
#endif
ret = getaddrinfo(str, NULL, &hints, ppres);
if (ret == 0) {
#if defined(HAVE_IPV6)
struct sockaddr_in6 *ps6 = NULL;
if (scope_id == 0) {
return true;
}
if (ppres == NULL) {
return true;
}
if ((*ppres) == NULL) {
return true;
}
if ((*ppres)->ai_addr->sa_family != AF_INET6) {
return true;
}
ps6 = (struct sockaddr_in6 *)(*ppres)->ai_addr;
if (IN6_IS_ADDR_LINKLOCAL(&ps6->sin6_addr) &&
ps6->sin6_scope_id == 0) {
ps6->sin6_scope_id = scope_id;
}
#endif
return true;
}
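Review bot: the scope id is only patched into the first result, `(*ppres)->ai_addr`; `getaddrinfo()` can return several `addrinfo` entries, and a caller that walks `ai_next` would see `sin6_scope_id == 0` on later link-local entries. Either loop over the list or comment that only the head is fixed up. The `if (str != addr)` guard in front of `memcpy()` also deserves a comment: it exists because `str` already points into `addr` when `normalize_ipv6_literal()` succeeded, and a `memcpy()` whose source and destination overlap is undefined behaviour.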
@ -94,35 +272,6 @@ static bool interpret_string_addr_pref(struct sockaddr_storage *pss,
{
struct addrinfo *res = NULL;
int int_flags;
#if defined(HAVE_IPV6)
char addr[INET6_ADDRSTRLEN];
unsigned int scope_id = 0;
if (strchr_m(str, ':')) {
char *p = strchr_m(str, '%');
/*
* Cope with link-local.
* This is IP:v6:addr%ifname.
*/
if (p && (p > str) && ((scope_id = if_nametoindex(p+1)) != 0)) {
/* Length of string we want to copy.
This is IP:v6:addr (removing the %ifname).
*/
size_t len = PTR_DIFF(p,str);
if (len+1 > sizeof(addr)) {
/* string+nul too long for array. */
return false;
}
memcpy(addr, str, len);
addr[len] = '\0';
str = addr;
}
}
#endif
zero_sockaddr(pss);
@ -157,16 +306,6 @@ static bool interpret_string_addr_pref(struct sockaddr_storage *pss,
memcpy(pss, res->ai_addr, res->ai_addrlen);
}
#if defined(HAVE_IPV6)
if (pss->ss_family == AF_INET6 && scope_id) {
struct sockaddr_in6 *ps6 = (struct sockaddr_in6 *)pss;
if (IN6_IS_ADDR_LINKLOCAL(&ps6->sin6_addr) &&
ps6->sin6_scope_id == 0) {
ps6->sin6_scope_id = scope_id;
}
}
#endif
freeaddrinfo(res);
return true;
}
@ -320,6 +459,28 @@ bool is_ipaddress_v4(const char *str)
return false;
}
bool is_ipv6_literal(const char *str)
{
#if defined(HAVE_IPV6)
char buf[INET6_ADDRSTRLEN*2] = { 0, };
size_t len = strlen(str);
char *p = NULL;
if (len >= sizeof(buf)) {
return false;
}
p = normalize_ipv6_literal(str, buf, &len);
if (p == NULL) {
return false;
}
return true;
#else
return false;
#endif
}
/**
* Return true if a string could be a IPv6 address.
*/
@ -328,16 +489,20 @@ bool is_ipaddress_v6(const char *str)
{
#if defined(HAVE_IPV6)
int ret = -1;
char *p = NULL;
if (strchr_m(str, ':')) {
p = strchr_m(str, ':');
if (p == NULL) {
return is_ipv6_literal(str);
} else {
char buf[INET6_ADDRSTRLEN] = { 0, };
size_t len;
const char *addr = str;
const char *idxs = NULL;
unsigned int idx = 0;
struct in6_addr ip6;
char *p = strchr_m(str, '%');
p = strchr_m(str, '%');
if (p && (p > str)) {
len = PTR_DIFF(p, str);
idxs = p + 1;

View File

@ -86,6 +86,7 @@ _PUBLIC_ uint32_t interpret_addr(const char *str);
_PUBLIC_ struct in_addr interpret_addr2(const char *str);
_PUBLIC_ bool is_ipaddress_v4(const char *str);
_PUBLIC_ bool is_ipv6_literal(const char *str);
_PUBLIC_ bool is_ipaddress_v6(const char *str);
bool is_address_any(const struct sockaddr *psa);

View File

@ -144,6 +144,7 @@ DATA_BLOB NTLMv2_generate_names_blob(TALLOC_CTX *mem_ctx,
bool SMBNTLMv2encrypt_hash(TALLOC_CTX *mem_ctx,
const char *user, const char *domain, const uint8_t nt_hash[16],
const DATA_BLOB *server_chal,
const NTTIME *server_timestamp,
const DATA_BLOB *names_blob,
DATA_BLOB *lm_response, DATA_BLOB *nt_response,
DATA_BLOB *lm_session_key, DATA_BLOB *user_session_key) ;
@ -154,6 +155,11 @@ bool SMBNTLMv2encrypt(TALLOC_CTX *mem_ctx,
const DATA_BLOB *names_blob,
DATA_BLOB *lm_response, DATA_BLOB *nt_response,
DATA_BLOB *lm_session_key, DATA_BLOB *user_session_key) ;
NTSTATUS NTLMv2_RESPONSE_verify_netlogon_creds(const char *account_name,
const char *account_domain,
const DATA_BLOB response,
const struct netlogon_creds_CredentialState *creds,
const char *workgroup);
/***********************************************************
encode a password buffer with a unicode password. The buffer

View File

@ -26,7 +26,7 @@
#include "../libcli/auth/msrpc_parse.h"
#include "../lib/crypto/crypto.h"
#include "../libcli/auth/libcli_auth.h"
#include "../librpc/gen_ndr/ntlmssp.h"
#include "../librpc/gen_ndr/ndr_ntlmssp.h"
void SMBencrypt_hash(const uint8_t lm_hash[16], const uint8_t *c8, uint8_t p24[24])
{
@ -387,14 +387,13 @@ DATA_BLOB NTLMv2_generate_names_blob(TALLOC_CTX *mem_ctx,
return names_blob;
}
static DATA_BLOB NTLMv2_generate_client_data(TALLOC_CTX *mem_ctx, const DATA_BLOB *names_blob)
static DATA_BLOB NTLMv2_generate_client_data(TALLOC_CTX *mem_ctx,
NTTIME nttime,
const DATA_BLOB *names_blob)
{
uint8_t client_chal[8];
DATA_BLOB response = data_blob(NULL, 0);
uint8_t long_date[8];
NTTIME nttime;
unix_to_nt_time(&nttime, time(NULL));
generate_random_buffer(client_chal, sizeof(client_chal));
@ -417,6 +416,7 @@ static DATA_BLOB NTLMv2_generate_client_data(TALLOC_CTX *mem_ctx, const DATA_BLO
static DATA_BLOB NTLMv2_generate_response(TALLOC_CTX *out_mem_ctx,
const uint8_t ntlm_v2_hash[16],
const DATA_BLOB *server_chal,
NTTIME nttime,
const DATA_BLOB *names_blob)
{
uint8_t ntlmv2_response[16];
@ -433,7 +433,7 @@ static DATA_BLOB NTLMv2_generate_response(TALLOC_CTX *out_mem_ctx,
/* NTLMv2 */
/* generate some data to pass into the response function - including
the hostname and domain name of the server */
ntlmv2_client_data = NTLMv2_generate_client_data(mem_ctx, names_blob);
ntlmv2_client_data = NTLMv2_generate_client_data(mem_ctx, nttime, names_blob);
/* Given that data, and the challenge from the server, generate a response */
SMBOWFencrypt_ntv2(ntlm_v2_hash, server_chal, &ntlmv2_client_data, ntlmv2_response);
@ -479,6 +479,7 @@ static DATA_BLOB LMv2_generate_response(TALLOC_CTX *mem_ctx,
bool SMBNTLMv2encrypt_hash(TALLOC_CTX *mem_ctx,
const char *user, const char *domain, const uint8_t nt_hash[16],
const DATA_BLOB *server_chal,
const NTTIME *server_timestamp,
const DATA_BLOB *names_blob,
DATA_BLOB *lm_response, DATA_BLOB *nt_response,
DATA_BLOB *lm_session_key, DATA_BLOB *user_session_key)
@ -494,8 +495,19 @@ bool SMBNTLMv2encrypt_hash(TALLOC_CTX *mem_ctx,
}
if (nt_response) {
const NTTIME *nttime = server_timestamp;
NTTIME _now = 0;
if (nttime == NULL) {
struct timeval tv_now = timeval_current();
_now = timeval_to_nttime(&tv_now);
nttime = &_now;
}
*nt_response = NTLMv2_generate_response(mem_ctx,
ntlm_v2_hash, server_chal,
ntlm_v2_hash,
server_chal,
*nttime,
names_blob);
if (user_session_key) {
*user_session_key = data_blob_talloc(mem_ctx, NULL, 16);
@ -509,8 +521,13 @@ bool SMBNTLMv2encrypt_hash(TALLOC_CTX *mem_ctx,
/* LMv2 */
if (lm_response) {
*lm_response = LMv2_generate_response(mem_ctx,
ntlm_v2_hash, server_chal);
if (server_timestamp != NULL) {
*lm_response = data_blob_talloc_zero(mem_ctx, 24);
} else {
*lm_response = LMv2_generate_response(mem_ctx,
ntlm_v2_hash,
server_chal);
}
if (lm_session_key) {
*lm_session_key = data_blob_talloc(mem_ctx, NULL, 16);
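Review bot: returning a zeroed 24-byte `lm_response` whenever `server_timestamp != NULL` follows [MS-NLMP] 3.1.5.1.2, which says that when the CHALLENGE_MESSAGE TargetInfo carries an MsvAvTimestamp the client uses that timestamp for the NTLMv2 response and sends Z(24) instead of an LmChallengeResponse. A comment citing that section would explain why the LMv2 computation is skipped here, and why `SMBNTLMv2encrypt()` passes `NULL` to keep the previous behaviour.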
@ -535,10 +552,143 @@ bool SMBNTLMv2encrypt(TALLOC_CTX *mem_ctx,
E_md4hash(password, nt_hash);
return SMBNTLMv2encrypt_hash(mem_ctx,
user, domain, nt_hash, server_chal, names_blob,
user, domain, nt_hash,
server_chal, NULL, names_blob,
lm_response, nt_response, lm_session_key, user_session_key);
}
NTSTATUS NTLMv2_RESPONSE_verify_netlogon_creds(const char *account_name,
const char *account_domain,
const DATA_BLOB response,
const struct netlogon_creds_CredentialState *creds,
const char *workgroup)
{
TALLOC_CTX *frame = NULL;
/* RespType + HiRespType */
static const char *magic = "\x01\x01";
int cmp;
struct NTLMv2_RESPONSE v2_resp;
enum ndr_err_code err;
const struct AV_PAIR *av_nb_cn = NULL;
const struct AV_PAIR *av_nb_dn = NULL;
if (response.length < 48) {
/*
* NTLMv2_RESPONSE has at least 48 bytes.
*/
return NT_STATUS_OK;
}
cmp = memcmp(response.data + 16, magic, 2);
if (cmp != 0) {
/*
* It doesn't look like a valid NTLMv2_RESPONSE
*/
return NT_STATUS_OK;
}
frame = talloc_stackframe();
err = ndr_pull_struct_blob(&response, frame, &v2_resp,
(ndr_pull_flags_fn_t)ndr_pull_NTLMv2_RESPONSE);
if (!NDR_ERR_CODE_IS_SUCCESS(err)) {
NTSTATUS status;
status = ndr_map_error2ntstatus(err);
DEBUG(2,("Failed to parse NTLMv2_RESPONSE "
"length %u - %s - %s\n",
(unsigned)response.length,
ndr_map_error2string(err),
nt_errstr(status)));
dump_data(2, response.data, response.length);
TALLOC_FREE(frame);
return status;
}
if (DEBUGLVL(10)) {
NDR_PRINT_DEBUG(NTLMv2_RESPONSE, &v2_resp);
}
/*
* Make sure the netbios computer name in the
* NTLMv2_RESPONSE matches the computer name
* in the secure channel credentials for workstation
* trusts.
*
* And the netbios domain name matches our
* workgroup.
*
* This prevents workstations from requesting
* the session key of NTLMSSP sessions of clients
* to other hosts.
*/
if (creds->secure_channel_type == SEC_CHAN_WKSTA) {
av_nb_cn = ndr_ntlmssp_find_av(&v2_resp.Challenge.AvPairs,
MsvAvNbComputerName);
av_nb_dn = ndr_ntlmssp_find_av(&v2_resp.Challenge.AvPairs,
MsvAvNbDomainName);
}
if (av_nb_cn != NULL) {
const char *v = NULL;
char *a = NULL;
size_t len;
v = av_nb_cn->Value.AvNbComputerName;
a = talloc_strdup(frame, creds->account_name);
if (a == NULL) {
TALLOC_FREE(frame);
return NT_STATUS_NO_MEMORY;
}
len = strlen(a);
if (len > 0 && a[len - 1] == '$') {
a[len - 1] = '\0';
}
cmp = strcasecmp_m(a, v);
if (cmp != 0) {
DEBUG(2,("%s: NTLMv2_RESPONSE with "
"NbComputerName[%s] rejected "
"for user[%s\\%s] "
"against SEC_CHAN_WKSTA[%s/%s] "
"in workgroup[%s]\n",
__func__, v,
account_domain,
account_name,
creds->computer_name,
creds->account_name,
workgroup));
TALLOC_FREE(frame);
return NT_STATUS_LOGON_FAILURE;
}
}
if (av_nb_dn != NULL) {
const char *v = NULL;
v = av_nb_dn->Value.AvNbDomainName;
cmp = strcasecmp_m(workgroup, v);
if (cmp != 0) {
DEBUG(2,("%s: NTLMv2_RESPONSE with "
"NbDomainName[%s] rejected "
"for user[%s\\%s] "
"against SEC_CHAN_WKSTA[%s/%s] "
"in workgroup[%s]\n",
__func__, v,
account_domain,
account_name,
creds->computer_name,
creds->account_name,
workgroup));
TALLOC_FREE(frame);
return NT_STATUS_LOGON_FAILURE;
}
}
TALLOC_FREE(frame);
return NT_STATUS_OK;
}
/***********************************************************
encode a password buffer with a unicode password. The buffer
is filled with random data to make it harder to attack.
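Review bot: `NTLMv2_RESPONSE_verify_netlogon_creds()` returns `NT_STATUS_OK` both when the blob is shorter than 48 bytes and when the `RespType`/`HiRespType` bytes at offset 16 are not `01 01`, so NTLMv1 responses (24 bytes) and anything that merely fails to look like NTLMv2 bypass the computer-name and domain-name checks entirely. That is presumably intended, since an NTLMv1 response carries no AvPairs to compare, but the two early-return comments should say so, and the function's description should state that the protection only applies to NTLMv2 responses. Two smaller points: the check is only performed for `SEC_CHAN_WKSTA`, leaving domain and forest trust channels unrestricted as the block comment says; and `response` is passed by value where `const DATA_BLOB *` is the convention in this file.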

View File

@ -45,7 +45,11 @@ enum spnego_negResult {
SPNEGO_ACCEPT_COMPLETED = 0,
SPNEGO_ACCEPT_INCOMPLETE = 1,
SPNEGO_REJECT = 2,
SPNEGO_NONE_RESULT = 3
SPNEGO_REQUEST_MIC = 3,
/*
* The max value is 0xff (255) on the wire
*/
SPNEGO_NONE_RESULT = 256
};
struct spnego_negTokenInit {
@ -58,7 +62,7 @@ struct spnego_negTokenInit {
};
struct spnego_negTokenTarg {
uint8_t negResult;
enum spnego_negResult negResult;
const char *supportedMech;
DATA_BLOB responseToken;
DATA_BLOB mechListMIC;
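Review bot: changing `negResult` from `uint8_t` to `enum spnego_negResult` is what allows `SPNEGO_NONE_RESULT` (256) to mean "not present", but it also means an implicit conversion back to `uint8_t` when writing would silently turn 256 into 0, i.e. `SPNEGO_ACCEPT_COMPLETED`. Please confirm that `write_negTokenTarg()` skips the `[0] ENUMERATED` element when `negResult == SPNEGO_NONE_RESULT` rather than passing it to an 8-bit write, and consider a comment on the field saying that only values 0 to 3 are ever encoded.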

View File

@ -32,12 +32,12 @@ static bool read_negTokenInit(struct asn1_data *asn1, TALLOC_CTX *mem_ctx,
if (!asn1_start_tag(asn1, ASN1_CONTEXT(0))) return false;
if (!asn1_start_tag(asn1, ASN1_SEQUENCE(0))) return false;
while (!asn1->has_error && 0 < asn1_tag_remaining(asn1)) {
while (!asn1_has_error(asn1) && 0 < asn1_tag_remaining(asn1)) {
int i;
uint8_t context;
if (!asn1_peek_uint8(asn1, &context)) {
asn1->has_error = true;
asn1_set_error(asn1);
break;
}
@ -51,10 +51,10 @@ static bool read_negTokenInit(struct asn1_data *asn1, TALLOC_CTX *mem_ctx,
mechTypes = talloc(mem_ctx, const char *);
if (mechTypes == NULL) {
asn1->has_error = true;
asn1_set_error(asn1);
return false;
}
for (i = 0; !asn1->has_error &&
for (i = 0; !asn1_has_error(asn1) &&
0 < asn1_tag_remaining(asn1); i++) {
char *oid;
const char **p;
@ -63,7 +63,7 @@ static bool read_negTokenInit(struct asn1_data *asn1, TALLOC_CTX *mem_ctx,
const char *, i+2);
if (p == NULL) {
talloc_free(mechTypes);
asn1->has_error = true;
asn1_set_error(asn1);
return false;
}
mechTypes = p;
@ -97,7 +97,7 @@ static bool read_negTokenInit(struct asn1_data *asn1, TALLOC_CTX *mem_ctx,
uint8_t type_peek;
if (!asn1_start_tag(asn1, ASN1_CONTEXT(3))) return false;
if (!asn1_peek_uint8(asn1, &type_peek)) {
asn1->has_error = true;
asn1_set_error(asn1);
break;
}
if (type_peek == ASN1_OCTET_STRING) {
@ -119,7 +119,7 @@ static bool read_negTokenInit(struct asn1_data *asn1, TALLOC_CTX *mem_ctx,
break;
}
default:
asn1->has_error = true;
asn1_set_error(asn1);
break;
}
}
@ -127,7 +127,7 @@ static bool read_negTokenInit(struct asn1_data *asn1, TALLOC_CTX *mem_ctx,
if (!asn1_end_tag(asn1)) return false;
if (!asn1_end_tag(asn1)) return false;
return !asn1->has_error;
return !asn1_has_error(asn1);
}
static bool write_negTokenInit(struct asn1_data *asn1, struct spnego_negTokenInit *token)
@ -190,7 +190,7 @@ static bool write_negTokenInit(struct asn1_data *asn1, struct spnego_negTokenIni
if (!asn1_pop_tag(asn1)) return false;
if (!asn1_pop_tag(asn1)) return false;
return !asn1->has_error;
return !asn1_has_error(asn1);
}
static bool read_negTokenTarg(struct asn1_data *asn1, TALLOC_CTX *mem_ctx,
@ -201,11 +201,13 @@ static bool read_negTokenTarg(struct asn1_data *asn1, TALLOC_CTX *mem_ctx,
if (!asn1_start_tag(asn1, ASN1_CONTEXT(1))) return false;
if (!asn1_start_tag(asn1, ASN1_SEQUENCE(0))) return false;
while (!asn1->has_error && 0 < asn1_tag_remaining(asn1)) {
while (!asn1_has_error(asn1) && 0 < asn1_tag_remaining(asn1)) {
uint8_t context;
uint8_t neg_result;
char *oid;
if (!asn1_peek_uint8(asn1, &context)) {
asn1->has_error = true;
asn1_set_error(asn1);
break;
}
@ -213,7 +215,8 @@ static bool read_negTokenTarg(struct asn1_data *asn1, TALLOC_CTX *mem_ctx,
case ASN1_CONTEXT(0):
if (!asn1_start_tag(asn1, ASN1_CONTEXT(0))) return false;
if (!asn1_start_tag(asn1, ASN1_ENUMERATED)) return false;
if (!asn1_read_uint8(asn1, &token->negResult)) return false;
if (!asn1_read_uint8(asn1, &neg_result)) return false;
token->negResult = neg_result;
if (!asn1_end_tag(asn1)) return false;
if (!asn1_end_tag(asn1)) return false;
break;
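Review bot: `neg_result` is copied into `token->negResult` without a range check, so a peer sending any byte above 3 yields an out-of-range enum value that later `switch` statements on `negResult` may not handle. Rejecting anything other than the four RFC 4178 negState values at this point (`asn1_set_error(asn1); return false;`) would preserve the enum invariant that the header change relies on.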
@ -234,7 +237,7 @@ static bool read_negTokenTarg(struct asn1_data *asn1, TALLOC_CTX *mem_ctx,
if (!asn1_end_tag(asn1)) return false;
break;
default:
asn1->has_error = true;
asn1_set_error(asn1);
break;
}
}
@ -242,7 +245,7 @@ static bool read_negTokenTarg(struct asn1_data *asn1, TALLOC_CTX *mem_ctx,
if (!asn1_end_tag(asn1)) return false;
if (!asn1_end_tag(asn1)) return false;
return !asn1->has_error;
return !asn1_has_error(asn1);
}
static bool write_negTokenTarg(struct asn1_data *asn1, struct spnego_negTokenTarg *token)
@ -279,7 +282,7 @@ static bool write_negTokenTarg(struct asn1_data *asn1, struct spnego_negTokenTar
if (!asn1_pop_tag(asn1)) return false;
if (!asn1_pop_tag(asn1)) return false;
return !asn1->has_error;
return !asn1_has_error(asn1);
}
ssize_t spnego_read_data(TALLOC_CTX *mem_ctx, DATA_BLOB data, struct spnego_data *token)
@ -302,7 +305,7 @@ ssize_t spnego_read_data(TALLOC_CTX *mem_ctx, DATA_BLOB data, struct spnego_data
if (!asn1_load(asn1, data)) goto err;
if (!asn1_peek_uint8(asn1, &context)) {
asn1->has_error = true;
asn1_set_error(asn1);
} else {
switch (context) {
case ASN1_APPLICATION(0):
@ -319,12 +322,14 @@ ssize_t spnego_read_data(TALLOC_CTX *mem_ctx, DATA_BLOB data, struct spnego_data
}
break;
default:
asn1->has_error = true;
asn1_set_error(asn1);
break;
}
}
if (!asn1->has_error) ret = asn1->ofs;
if (!asn1_has_error(asn1)) {
ret = asn1_current_ofs(asn1);
}
err:
@ -353,15 +358,16 @@ ssize_t spnego_write_data(TALLOC_CTX *mem_ctx, DATA_BLOB *blob, struct spnego_da
write_negTokenTarg(asn1, &spnego->negTokenTarg);
break;
default:
asn1->has_error = true;
asn1_set_error(asn1);
break;
}
if (!asn1->has_error) {
*blob = data_blob_talloc(mem_ctx, asn1->data, asn1->length);
ret = asn1->ofs;
if (!asn1_extract_blob(asn1, mem_ctx, blob)) {
goto err;
}
ret = asn1_current_ofs(asn1);
err:
asn1_free(asn1);
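Review bot: `ret = asn1_current_ofs(asn1);` is now evaluated after `asn1_extract_blob()` has moved the buffer out and set the error flag, so the return value depends on `asn1_current_ofs()` not being gated on `has_error`. Reading the offset into `ret` before the extract call removes that dependency and keeps the function correct if the accessor is later tightened.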
@ -423,12 +429,11 @@ bool spnego_write_mech_types(TALLOC_CTX *mem_ctx,
if (!asn1_pop_tag(asn1)) goto err;
}
if (asn1->has_error) {
if (asn1_has_error(asn1)) {
goto err;
}
*blob = data_blob_talloc(mem_ctx, asn1->data, asn1->length);
if (blob->length != asn1->length) {
if (!asn1_extract_blob(asn1, mem_ctx, blob)) {
goto err;
}

View File

@ -220,7 +220,6 @@ nomem:
static bool cldap_socket_recv_dgram(struct cldap_socket *c,
struct cldap_incoming *in)
{
DATA_BLOB blob;
struct asn1_data *asn1;
void *p;
struct cldap_search_state *search;
@ -230,16 +229,12 @@ static bool cldap_socket_recv_dgram(struct cldap_socket *c,
goto error;
}
blob = data_blob_const(in->buf, in->len);
asn1 = asn1_init(in);
if (!asn1) {
goto nomem;
}
if (!asn1_load(asn1, blob)) {
goto nomem;
}
asn1_load_nocopy(asn1, in->buf, in->len);
in->ldap_msg = talloc(in, struct ldap_message);
if (in->ldap_msg == NULL) {
@ -267,8 +262,11 @@ static bool cldap_socket_recv_dgram(struct cldap_socket *c,
search = talloc_get_type_abort(p, struct cldap_search_state);
search->response.in = talloc_move(search, &in);
search->response.asn1 = asn1;
search->response.asn1->ofs = 0;
asn1_load_nocopy(search->response.asn1,
search->response.in->buf, search->response.in->len);
DLIST_REMOVE(c->searches.list, search);
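Review bot: the second `asn1_load_nocopy()` replaces the former `search->response.asn1->ofs = 0;` now that the struct is opaque; since `talloc_move()` reparents `in` without changing the address of `in->buf`, its job here is purely to rewind the parse state before the later decode, not to follow a moved buffer. A one-line comment saying so would stop a reader from assuming the data was copied or relocated.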

View File

@ -322,7 +322,7 @@ static bool ldap_push_filter(struct asn1_data *data, struct ldb_parse_tree *tree
if (!asn1_push_tag(data, ASN1_CONTEXT_SIMPLE(7))) return false;
if (!asn1_write_LDAPString(data, tree->u.present.attr)) return false;
if (!asn1_pop_tag(data)) return false;
return !data->has_error;
return !asn1_has_error(data);
case LDB_OP_APPROX:
/* approx test */
@ -366,7 +366,7 @@ static bool ldap_push_filter(struct asn1_data *data, struct ldb_parse_tree *tree
default:
return false;
}
return !data->has_error;
return !asn1_has_error(data);
}
static bool ldap_encode_response(struct asn1_data *data, struct ldap_Result *result)
@ -691,7 +691,10 @@ _PUBLIC_ bool ldap_encode(struct ldap_message *msg,
if (!asn1_pop_tag(data)) goto err;
*result = data_blob_talloc(mem_ctx, data->data, data->length);
if (!asn1_extract_blob(data, mem_ctx, result)) {
goto err;
}
asn1_free(data);
return true;
@ -845,7 +848,8 @@ static struct ldb_parse_tree *ldap_decode_filter_tree(TALLOC_CTX *mem_ctx,
if (!asn1_read_OctetString_talloc(mem_ctx, data, &attrib)) goto failed;
if (!asn1_read_OctetString(data, mem_ctx, &value)) goto failed;
if (!asn1_end_tag(data)) goto failed;
if ((data->has_error) || (attrib == NULL) || (value.data == NULL)) {
if (asn1_has_error(data) || (attrib == NULL) ||
(value.data == NULL)) {
goto failed;
}
@ -960,7 +964,8 @@ static struct ldb_parse_tree *ldap_decode_filter_tree(TALLOC_CTX *mem_ctx,
if (!asn1_read_OctetString_talloc(mem_ctx, data, &attrib)) goto failed;
if (!asn1_read_OctetString(data, mem_ctx, &value)) goto failed;
if (!asn1_end_tag(data)) goto failed;
if ((data->has_error) || (attrib == NULL) || (value.data == NULL)) {
if (asn1_has_error(data) || (attrib == NULL) ||
(value.data == NULL)) {
goto failed;
}
@ -979,7 +984,8 @@ static struct ldb_parse_tree *ldap_decode_filter_tree(TALLOC_CTX *mem_ctx,
if (!asn1_read_OctetString_talloc(mem_ctx, data, &attrib)) goto failed;
if (!asn1_read_OctetString(data, mem_ctx, &value)) goto failed;
if (!asn1_end_tag(data)) goto failed;
if ((data->has_error) || (attrib == NULL) || (value.data == NULL)) {
if (asn1_has_error(data) || (attrib == NULL) ||
(value.data == NULL)) {
goto failed;
}
@ -1017,7 +1023,8 @@ static struct ldb_parse_tree *ldap_decode_filter_tree(TALLOC_CTX *mem_ctx,
if (!asn1_read_OctetString_talloc(mem_ctx, data, &attrib)) goto failed;
if (!asn1_read_OctetString(data, mem_ctx, &value)) goto failed;
if (!asn1_end_tag(data)) goto failed;
if ((data->has_error) || (attrib == NULL) || (value.data == NULL)) {
if (asn1_has_error(data) || (attrib == NULL) ||
(value.data == NULL)) {
goto failed;
}
@ -1618,7 +1625,7 @@ _PUBLIC_ NTSTATUS ldap_decode(struct asn1_data *data,
}
if (!asn1_end_tag(data)) goto prot_err;
if ((data->has_error) || (data->nesting != NULL)) {
if (asn1_has_error(data) || asn1_has_nesting(data)) {
return NT_STATUS_LDAP(LDAP_PROTOCOL_ERROR);
}
return NT_STATUS_OK;
@ -1635,6 +1642,8 @@ _PUBLIC_ NTSTATUS ldap_decode(struct asn1_data *data,
*/
NTSTATUS ldap_full_packet(void *private_data, DATA_BLOB blob, size_t *packet_size)
{
int ret;
if (blob.length < 6) {
/*
* We need at least 6 bytes to workout the length
@ -1642,5 +1651,10 @@ NTSTATUS ldap_full_packet(void *private_data, DATA_BLOB blob, size_t *packet_siz
*/
return STATUS_MORE_ENTRIES;
}
return asn1_peek_full_tag(blob, ASN1_SEQUENCE(0), packet_size);
ret = asn1_peek_full_tag(blob, ASN1_SEQUENCE(0), packet_size);
if (ret != 0) {
return map_nt_error_from_unix_common(ret);
}
return NT_STATUS_OK;
}
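Review bot: the errno-to-NTSTATUS mapping at the end of `ldap_full_packet()` has to preserve the old contract: the PDU reader that calls this function keeps reading only when it receives `STATUS_MORE_ENTRIES`, which the old `asn1_peek_full_tag()` returned directly and the new one expresses as `EAGAIN`. Please double-check that `map_nt_error_from_unix_common(EAGAIN)` yields `STATUS_MORE_ENTRIES` and that `EMSGSIZE` maps to a status that aborts the read; otherwise a partially received LDAP PDU would be treated as a fatal error instead of waiting for more data.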

View File

@ -382,6 +382,7 @@ struct smbXcli_conn *smbXcli_conn_create(TALLOC_CTX *mem_ctx,
conn->desire_signing = true;
conn->mandatory_signing = false;
break;
case SMB_SIGNING_IPC_DEFAULT:
case SMB_SIGNING_REQUIRED:
/* always */
conn->allow_signing = true;
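Review bot: letting `SMB_SIGNING_IPC_DEFAULT` fall through to the `SMB_SIGNING_REQUIRED` case is the change that makes named-pipe (IPC) connections created through `smbXcli_conn_create()` demand signing regardless of the generic client signing setting. A comment on the new `case` line stating that intent, and the fact that the value is internal only (as the header marks it), would save the next reader a trip through the history.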

View File

@ -95,6 +95,7 @@ enum protocol_types {
#define PROTOCOL_LATEST PROTOCOL_SMB3_11
enum smb_signing_setting {
SMB_SIGNING_IPC_DEFAULT = -2, /* Only used in C code */
SMB_SIGNING_DEFAULT = -1,
SMB_SIGNING_OFF = 0,
SMB_SIGNING_IF_REQUIRED = 1,

View File

@ -424,6 +424,10 @@ bool smb_signing_set_negotiated(struct smb_signing_state *si,
return true;
}
if (mandatory) {
allowed = true;
}
if (!si->allowed && mandatory) {
return false;
}
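Review bot: the new `if (mandatory) { allowed = true; }` forces the peer's "signing enabled" bit whenever it reports "signing required", on the basis that a peer which requires signing necessarily supports it; the following `if (!si->allowed && mandatory)` still tests our own `si->allowed`, so it is not made dead by this. A one-line comment explaining why the negotiated `allowed` flag is overridden would make the reasoning visible at the point of the change.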

View File

@ -111,7 +111,11 @@ static int tstream_smbXcli_np_destructor(struct tstream_smbXcli_np *cli_nps)
* Once we've fixed all callers to call
* tstream_disconnect_send()/_recv(), this will
* never be called.
*
* We use a maximun timeout of 1 second == 1000 msec.
*/
cli_nps->timeout = MIN(cli_nps->timeout, 1000);
if (cli_nps->is_smb1) {
status = smb1cli_close(cli_nps->conn,
cli_nps->timeout,
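Review bot: typo in the new comment, "maximun" should be "maximum". Capping the close timeout with `MIN(cli_nps->timeout, 1000)` is sensible for a destructor that should never block for long; the comment could also say why one second was chosen.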

View File

@ -197,18 +197,21 @@ interface dcerpc
DCERPC_NCA_S_FAULT_TX_OPEN_FAILED = 0x1C000022,
DCERPC_NCA_S_FAULT_CODESET_CONV_ERROR = 0x1C000023,
DCERPC_NCA_S_FAULT_OBJECT_NOT_FOUND = 0x1C000024,
DCERPC_NCA_S_FAULT_NO_CLIENT_STUB = 0x1C000025
DCERPC_NCA_S_FAULT_NO_CLIENT_STUB = 0x1C000025,
DCERPC_FAULT_ACCESS_DENIED = 0x00000005,
DCERPC_FAULT_NO_CALL_ACTIVE = 0x000006bd,
DCERPC_FAULT_CANT_PERFORM = 0x000006d8,
DCERPC_FAULT_OUT_OF_RESOURCES = 0x000006d9,
DCERPC_FAULT_BAD_STUB_DATA = 0x000006f7,
DCERPC_FAULT_SEC_PKG_ERROR = 0x00000721
} dcerpc_nca_status;
const int DCERPC_FAULT_OP_RNG_ERROR = DCERPC_NCA_S_OP_RNG_ERROR;
const int DCERPC_FAULT_UNK_IF = DCERPC_NCA_S_UNKNOWN_IF;
const int DCERPC_FAULT_NDR = 0x000006f7;
const int DCERPC_FAULT_NDR = DCERPC_FAULT_BAD_STUB_DATA;
const int DCERPC_FAULT_INVALID_TAG = DCERPC_NCA_S_FAULT_INVALID_TAG;
const int DCERPC_FAULT_CONTEXT_MISMATCH = DCERPC_NCA_S_FAULT_CONTEXT_MISMATCH;
const int DCERPC_FAULT_OTHER = 0x00000001;
const int DCERPC_FAULT_ACCESS_DENIED = 0x00000005;
const int DCERPC_FAULT_CANT_PERFORM = 0x000006d8;
const int DCERPC_FAULT_SEC_PKG_ERROR = 0x00000721;
/* we return this fault when we haven't yet run the test
to see what fault w2k3 returns in this case */
@ -529,8 +532,10 @@ interface dcerpc
const uint8 DCERPC_PFC_OFFSET = 3;
const uint8 DCERPC_DREP_OFFSET = 4;
const uint8 DCERPC_FRAG_LEN_OFFSET = 8;
const uint32 DCERPC_FRAG_MAX_SIZE = 5840;
const uint8 DCERPC_AUTH_LEN_OFFSET = 10;
const uint8 DCERPC_NCACN_PAYLOAD_OFFSET = 16;
const uint32 DCERPC_NCACN_PAYLOAD_MAX_SIZE = 0x400000; /* 4 MByte */
/* little-endian flag */
const uint8 DCERPC_DREP_LE = 0x10;
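Review bot: `DCERPC_FRAG_MAX_SIZE = 5840` and `DCERPC_NCACN_PAYLOAD_MAX_SIZE = 0x400000` are the limits the fragment and reassembly code is expected to enforce, so the commit message or a comment here should point at where they are checked. 5840 is also the fragment size commonly negotiated with Windows peers, so it doubles as the value advertised in bind/bind_ack rather than being only a sanity cap; worth saying so next to the constant.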

View File

@ -214,7 +214,7 @@ interface epmapper
epm_floor floors[num_floors];
} epm_tower;
typedef struct {
typedef [public] struct {
[value(ndr_size_epm_tower(&tower, ndr->flags))] uint32 tower_length;
[subcontext(4)] epm_tower tower;
} epm_twr_t;

View File

@ -1,5 +1,7 @@
#include "idl_types.h"
import "security.idl";
/*
ntlmssp interface definition
*/
@ -54,18 +56,21 @@ interface ntlmssp
/*
NTLMSSP_WINDOWS_MAJOR_VERSION_5: Windows XP SP2 and Server 2003
NTLMSSP_WINDOWS_MAJOR_VERSION_6: Windows Vista, Server 2008, 7 and Server 2008 R2
NTLMSSP_WINDOWS_MAJOR_VERSION_6: Windows Vista, Server 2008, 7, Server 2008 R2, 8, Server 2012, 8.1, Server 2012 R2
NTLMSSP_WINDOWS_MAJOR_VERSION_10: Windows 10, Windows Server 2016 Technical Preview
*/
typedef [enum8bit] enum {
NTLMSSP_WINDOWS_MAJOR_VERSION_5 = 0x05,
NTLMSSP_WINDOWS_MAJOR_VERSION_6 = 0x06
NTLMSSP_WINDOWS_MAJOR_VERSION_6 = 0x06,
NTLMSSP_WINDOWS_MAJOR_VERSION_10 = 0x0A
} ntlmssp_WindowsMajorVersion;
/*
NTLMSSP_WINDOWS_MINOR_VERSION_0: Windows Vista, Server 2008, 7, Server 2008 R2
NTLMSSP_WINDOWS_MINOR_VERSION_1: Windows XP SP2
NTLMSSP_WINDOWS_MINOR_VERSION_2: Windows Server 2003
NTLMSSP_WINDOWS_MINOR_VERSION_0: Windows Vista, 10, Server 2016 Technical Preview
NTLMSSP_WINDOWS_MINOR_VERSION_1: Windows XP SP2, 7, Server 2008 R2
NTLMSSP_WINDOWS_MINOR_VERSION_2: Windows Server 2003, 8, Server 2012
NTLMSSP_WINDOWS_MINOR_VERSION_3: Windows 8.1, Server 2012 R2
*/
typedef [enum8bit] enum {
@ -124,24 +129,24 @@ interface ntlmssp
MsvAvDnsTreeName = 5,
MsvAvFlags = 6,
MsvAvTimestamp = 7,
MsAvRestrictions = 8,
MsvAvSingleHost = 8,
MsvAvTargetName = 9,
MsvChannelBindings = 10
} ntlmssp_AvId;
/* [MS-NLMP] 2.2.2.2 Restriction_Encoding */
/* [MS-NLMP] 2.2.2.2 SingleHostData */
typedef struct {
uint32 Size;
typedef [flag(NDR_PAHEX)] struct {
[value(8+ndr_size_LSAP_TOKEN_INFO_INTEGRITY(&r->token_info, 0)+r->remaining.length)] uint32 Size;
[value(0)] uint32 Z4;
boolean32 IntegrityLevel;
uint32 SubjectIntegrityLevel;
uint8 MachineId[32];
} Restriction_Encoding;
LSAP_TOKEN_INFO_INTEGRITY token_info;
[flag(NDR_REMAINING)] DATA_BLOB remaining;
} ntlmssp_SingleHostData;
typedef [bitmap32bit] bitmap {
NTLMSSP_AVFLAG_CONSTRAINTED_ACCOUNT = 0x00000001,
NTLMSSP_AVFLAG_MIC_IN_AUTHENTICATE_MESSAGE = 0x00000002
NTLMSSP_AVFLAG_MIC_IN_AUTHENTICATE_MESSAGE = 0x00000002,
NTLMSSP_AVFLAG_TARGET_SPN_FROM_UNTRUSTED_SOURCE = 0x00000004
} ntlmssp_AvFlags;
typedef [gensize,nodiscriminant,flag(NDR_NOALIGN)] union {
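Review bot: the `Size` value expression, `8 + ndr_size_LSAP_TOKEN_INFO_INTEGRITY() + remaining.length`, evaluates to 48 for a plain [MS-NLMP] Single_Host_Data (4 bytes `Size`, 4 bytes `Z4`, 8 bytes of `Flags`/`TokenIL` and the 32-byte `MachineId`), which is the fixed size the specification gives; the `remaining` blob only contributes when trailing data is present. A comment noting that equivalence would make the expression easier to verify. The rename from `Restriction_Encoding`/`MsAvRestrictions` to `ntlmssp_SingleHostData`/`MsvAvSingleHost` changes the generated NDR symbol names, so every user must be converted in this commit.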
@ -153,7 +158,7 @@ interface ntlmssp
[case(MsvAvDnsTreeName)] [flag(ndr_ntlmssp_negotiated_string_flags(NTLMSSP_NEGOTIATE_UNICODE))] string AvDnsTreeName;
[case(MsvAvFlags)] ntlmssp_AvFlags AvFlags;
[case(MsvAvTimestamp)] NTTIME AvTimestamp;
[case(MsAvRestrictions)] Restriction_Encoding AvRestrictions;
[case(MsvAvSingleHost)] ntlmssp_SingleHostData AvSingleHost;
[case(MsvAvTargetName)] [flag(ndr_ntlmssp_negotiated_string_flags(NTLMSSP_NEGOTIATE_UNICODE))] string AvTargetName;
[case(MsvChannelBindings)] uint8 ChannelBindings[16];
[default] [flag(NDR_REMAINING)] DATA_BLOB blob;
@ -167,7 +172,7 @@ interface ntlmssp
[subcontext(0),subcontext_size(AvLen),switch_is(AvId)] ntlmssp_AvValue Value;
} AV_PAIR;
typedef [gensize,nopush,nopull,flag(NDR_NOALIGN)] struct {
typedef [public,gensize,nopush,nopull,flag(NDR_NOALIGN)] struct {
uint32 count;
AV_PAIR pair[count];
} AV_PAIR_LIST;
@ -184,7 +189,7 @@ interface ntlmssp
uint8 ServerChallenge[8];
uint8 Reserved[8];
[value(ndr_size_AV_PAIR_LIST(TargetInfo, ndr->flags))] uint16 TargetInfoLen;
[value(TargetInfoLen)] uint16 TargetNameInfoMaxLen;
[value(TargetInfoLen)] uint16 TargetInfoMaxLen;
[relative] [subcontext(0),subcontext_size(TargetInfoLen)] AV_PAIR_LIST *TargetInfo;
[switch_is(NegotiateFlags & NTLMSSP_NEGOTIATE_VERSION)] ntlmssp_Version Version;
} CHALLENGE_MESSAGE;
@ -239,9 +244,12 @@ interface ntlmssp
[default] NTLMv2_RESPONSE v2;
} ntlmssp_NTLM_RESPONSE;
const int NTLMSSP_MIC_OFFSET = 72;
const int NTLMSSP_MIC_SIZE = 16;
typedef [flag(NDR_PAHEX)] struct {
uint8 MIC[16];
} MIC;
uint8 MIC[NTLMSSP_MIC_SIZE];
} ntlmssp_MIC;
/* [MS-NLMP] 2.2.1.3 AUTHENTICATE_MESSAGE */
@ -270,7 +278,7 @@ interface ntlmssp
[switch_is(NegotiateFlags & NTLMSSP_NEGOTIATE_VERSION)] ntlmssp_Version Version;
/* MIC (Message Integrity) is only included when the client has
* sent a timestap Av struct in the CHALLENGE_MESSAGE AvPair */
/* [flag(NDR_REMAINING)] MIC mic; */
/* [flag(NDR_REMAINING)] ntlmssp_MIC mic; */
} AUTHENTICATE_MESSAGE;
/* NTLMSSP signature version */
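Review bot: the comment in this hunk has the roles backwards: the server sends the CHALLENGE_MESSAGE, so it is the server's MsvAvTimestamp AvPair that makes the client include a MIC in the AUTHENTICATE_MESSAGE ([MS-NLMP] 3.1.5.1.2); it also misspells "timestamp". Suggest: `/* MIC is only included when the server has sent a MsvAvTimestamp AvPair in the CHALLENGE_MESSAGE TargetInfo */`. Keeping `mic` commented out is correct, since the field is only present in that case and the hand-written code reaches it via NTLMSSP_MIC_OFFSET.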

View File

@ -648,6 +648,15 @@ interface security
SECINFO_BACKUP |
0);
/*
* See [MS-KILE] 2.2.5 LSAP_TOKEN_INFO_INTEGRITY
*/
typedef [public,gensize,flag(NDR_PAHEX)] struct {
uint32 Flags;
uint32 TokenIL;
uint8 MachineId[32];
} LSAP_TOKEN_INFO_INTEGRITY;
/*
* See [MS-KILE] 2.2.6 Supported Encryption Types Bit Flags
*/
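Review bot: the struct matches [MS-KILE] 2.2.5 (Flags 4 bytes, TokenIL 4 bytes, MachineId 32 bytes, 40 bytes total), and `[flag(NDR_PAHEX)]` is the right choice because MachineId is a 32-byte binary client identifier, not a string. The two 4-byte fields carry spec-defined values (Flags 0x00000001 = UAC-restricted token; TokenIL 0x00001000, 0x00002000, 0x00003000, 0x00004000 for Low, Medium, High and System, 0x00005000 for protected process), so declaring them as an IDL bitmap/enum, as security.idl does for its other flag fields, would make ndr_print output readable and stop callers from comparing against magic numbers.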

View File

@ -176,4 +176,20 @@ _PUBLIC_ void ndr_print_ntlmssp_Version(struct ndr_print *ndr, const char *name,
}
}
_PUBLIC_ struct AV_PAIR *ndr_ntlmssp_find_av(const struct AV_PAIR_LIST *av_list,
enum ntlmssp_AvId AvId)
{
struct AV_PAIR *res = NULL;
uint32_t i = 0;
for (i = 0; i < av_list->count; i++) {
if (av_list->pair[i].AvId != AvId) {
continue;
}
res = discard_const_p(struct AV_PAIR, &av_list->pair[i]);
break;
}
return res;
}
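Review bot: `ndr_ntlmssp_find_av()` takes a `const struct AV_PAIR_LIST *` but hands back a writable `struct AV_PAIR *` via `discard_const_p`, so a caller holding a const list can modify it through the return value. If callers only read the pair, return `const struct AV_PAIR *` and drop the cast; if they need to rewrite pairs (for example to insert MsvAvFlags or MsvChannelBindings), take a non-const list instead. The loop also returns the first pair with a matching AvId; that is the intended behaviour, but a list from an untrusted peer that repeats an AvId will silently use the first occurrence, which deserves a one-line comment.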

View File

@ -31,3 +31,5 @@ _PUBLIC_ void ndr_print_ntlmssp_lm_response(TALLOC_CTX *mem_ctx,
bool ntlmv2);
_PUBLIC_ void ndr_print_ntlmssp_Version(struct ndr_print *ndr, const char *name, const union ntlmssp_Version *r);
_PUBLIC_ struct AV_PAIR *ndr_ntlmssp_find_av(const struct AV_PAIR_LIST *av_list,
enum ntlmssp_AvId AvId);

View File

@ -591,7 +591,7 @@ _PUBLIC_ void dcerpc_binding_get_auth_info(const struct dcerpc_binding *b,
} else if (b->flags & DCERPC_CONNECT) {
auth_level = DCERPC_AUTH_LEVEL_CONNECT;
} else if (auth_type != DCERPC_AUTH_TYPE_NONE) {
auth_level = DCERPC_AUTH_LEVEL_CONNECT;
auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
} else {
auth_level = DCERPC_AUTH_LEVEL_NONE;
}
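Review bot: this flips the default for any binding that names an auth type but none of the connect/sign/seal options from DCERPC_AUTH_LEVEL_CONNECT to DCERPC_AUTH_LEVEL_INTEGRITY, i.e. authenticated RPC is signed by default. That is the right default (CONNECT-level auth gives no per-PDU protection, so a man in the middle can tamper with or inject calls after the bind) and it matches the knownfail entry later in this commit stating that auth_level_connect is no longer allowed. Callers that deliberately want CONNECT must now pass `[connect]` explicitly; the binding-string documentation should say so.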

View File

@ -88,9 +88,11 @@ static const struct dcerpc_fault_table dcerpc_faults[] =
_FAULT_STR_NO_NT_MAPPING(DCERPC_NCA_S_FAULT_OBJECT_NOT_FOUND),
_FAULT_STR_NO_NT_MAPPING(DCERPC_NCA_S_FAULT_NO_CLIENT_STUB),
_FAULT_STR(DCERPC_FAULT_OTHER, NT_STATUS_RPC_CALL_FAILED),
_FAULT_STR(DCERPC_FAULT_CANT_PERFORM, NT_STATUS_EPT_CANT_PERFORM_OP),
_FAULT_STR(DCERPC_FAULT_NDR, NT_STATUS_RPC_BAD_STUB_DATA),
_FAULT_STR(DCERPC_FAULT_ACCESS_DENIED, NT_STATUS_ACCESS_DENIED),
_FAULT_STR(DCERPC_FAULT_NO_CALL_ACTIVE, NT_STATUS_RPC_NO_CALL_ACTIVE),
_FAULT_STR(DCERPC_FAULT_CANT_PERFORM, NT_STATUS_EPT_CANT_PERFORM_OP),
_FAULT_STR(DCERPC_FAULT_OUT_OF_RESOURCES, NT_STATUS_RPC_OUT_OF_RESOURCES),
_FAULT_STR(DCERPC_FAULT_BAD_STUB_DATA, NT_STATUS_RPC_BAD_STUB_DATA),
_FAULT_STR(DCERPC_FAULT_SEC_PKG_ERROR, NT_STATUS_RPC_SEC_PKG_ERROR),
{ NULL, 0 }
#undef _FAULT_STR
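Review bot: with `DCERPC_FAULT_NDR` and `DCERPC_FAULT_BAD_STUB_DATA` both mapped to NT_STATUS_RPC_BAD_STUB_DATA, any code that walks dcerpc_faults in the other direction (NTSTATUS to fault code) will now return whichever entry comes first, so if the table is used for reverse lookup the relative order of these two entries is significant and should be commented. The move of `DCERPC_FAULT_CANT_PERFORM` within the table is otherwise behaviour-neutral.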

View File

@ -83,31 +83,49 @@ uint8_t dcerpc_get_endian_flag(DATA_BLOB *blob)
*
* @return - A NTSTATUS error code.
*/
NTSTATUS dcerpc_pull_auth_trailer(struct ncacn_packet *pkt,
NTSTATUS dcerpc_pull_auth_trailer(const struct ncacn_packet *pkt,
TALLOC_CTX *mem_ctx,
DATA_BLOB *pkt_trailer,
const DATA_BLOB *pkt_trailer,
struct dcerpc_auth *auth,
uint32_t *auth_length,
uint32_t *_auth_length,
bool auth_data_only)
{
struct ndr_pull *ndr;
enum ndr_err_code ndr_err;
uint32_t data_and_pad;
uint16_t data_and_pad;
uint16_t auth_length;
uint32_t tmp_length;
data_and_pad = pkt_trailer->length
- (DCERPC_AUTH_TRAILER_LENGTH + pkt->auth_length);
/* paranoia check for pad size. This would be caught anyway by
the ndr_pull_advance() a few lines down, but it scared
Jeremy enough for him to call me, so we might as well check
it now, just to prevent someone posting a bogus YouTube
video in the future.
*/
if (data_and_pad > pkt_trailer->length) {
return NT_STATUS_INFO_LENGTH_MISMATCH;
ZERO_STRUCTP(auth);
if (_auth_length != NULL) {
*_auth_length = 0;
}
*auth_length = pkt_trailer->length - data_and_pad;
/* Paranoia checks for auth_length. The caller should check this... */
if (pkt->auth_length == 0) {
return NT_STATUS_INTERNAL_ERROR;
}
/* Paranoia checks for auth_length. The caller should check this... */
if (pkt->auth_length > pkt->frag_length) {
return NT_STATUS_INTERNAL_ERROR;
}
tmp_length = DCERPC_NCACN_PAYLOAD_OFFSET;
tmp_length += DCERPC_AUTH_TRAILER_LENGTH;
tmp_length += pkt->auth_length;
if (tmp_length > pkt->frag_length) {
return NT_STATUS_INTERNAL_ERROR;
}
if (pkt_trailer->length > UINT16_MAX) {
return NT_STATUS_INTERNAL_ERROR;
}
auth_length = DCERPC_AUTH_TRAILER_LENGTH + pkt->auth_length;
if (pkt_trailer->length < auth_length) {
return NT_STATUS_RPC_PROTOCOL_ERROR;
}
data_and_pad = pkt_trailer->length - auth_length;
ndr = ndr_pull_init_blob(pkt_trailer, mem_ctx);
if (!ndr) {
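Review bot: the ordering of the new guards is load-bearing: `auth_length` is now a uint16_t and `DCERPC_AUTH_TRAILER_LENGTH + pkt->auth_length` could wrap for a large pkt->auth_length, but the preceding `tmp_length > pkt->frag_length` check (frag_length is also 16-bit) already rejects any auth_length larger than frag_length minus header and trailer, so the sum cannot exceed 65535 by the time it is assigned. A short comment saying the uint16_t is only safe because of that earlier check would stop a future reorder from reintroducing the wrap. The `ZERO_STRUCTP(auth)` and `*_auth_length = 0` on entry are good: every error path now leaves the out-parameters defined, and the split between NT_STATUS_INTERNAL_ERROR (caller broke the contract) and NT_STATUS_RPC_PROTOCOL_ERROR (peer sent garbage) is consistent.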
@ -127,14 +145,28 @@ NTSTATUS dcerpc_pull_auth_trailer(struct ncacn_packet *pkt,
ndr_err = ndr_pull_dcerpc_auth(ndr, NDR_SCALARS|NDR_BUFFERS, auth);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
talloc_free(ndr);
ZERO_STRUCTP(auth);
return ndr_map_error2ntstatus(ndr_err);
}
if (auth_data_only && data_and_pad != auth->auth_pad_length) {
DEBUG(1, (__location__ ": WARNING: pad length mismatch. "
if (data_and_pad < auth->auth_pad_length) {
DEBUG(1, (__location__ ": ERROR: pad length mismatch. "
"Calculated %u got %u\n",
(unsigned)data_and_pad,
(unsigned)auth->auth_pad_length));
talloc_free(ndr);
ZERO_STRUCTP(auth);
return NT_STATUS_RPC_PROTOCOL_ERROR;
}
if (auth_data_only && data_and_pad != auth->auth_pad_length) {
DEBUG(1, (__location__ ": ERROR: pad length mismatch. "
"Calculated %u got %u\n",
(unsigned)data_and_pad,
(unsigned)auth->auth_pad_length));
talloc_free(ndr);
ZERO_STRUCTP(auth);
return NT_STATUS_RPC_PROTOCOL_ERROR;
}
DEBUG(6,(__location__ ": auth_pad_length %u\n",
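Review bot: the new `data_and_pad < auth->auth_pad_length` check is the important one: before this hunk a trailer whose auth_pad_length exceeded the remaining data only produced a DEBUG(1) warning unless auth_data_only was set, and processing continued with an inconsistent length. Now both cases return NT_STATUS_RPC_PROTOCOL_ERROR. The two DEBUG messages are identical ("pad length mismatch"), though; the first is really "pad length exceeds available data", and distinct wording makes log triage easier when looking for peers that send malformed trailers.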
@ -143,6 +175,83 @@ NTSTATUS dcerpc_pull_auth_trailer(struct ncacn_packet *pkt,
talloc_steal(mem_ctx, auth->credentials.data);
talloc_free(ndr);
if (_auth_length != NULL) {
*_auth_length = auth_length;
}
return NT_STATUS_OK;
}
/**
* @brief Verify the fields in ncacn_packet header.
*
* @param pkt - The ncacn_packet strcuture
* @param ptype - The expected PDU type
* @param max_auth_info - The maximum size of a possible auth trailer
* @param required_flags - The required flags for the pdu.
* @param optional_flags - The possible optional flags for the pdu.
*
* @return - A NTSTATUS error code.
*/
NTSTATUS dcerpc_verify_ncacn_packet_header(const struct ncacn_packet *pkt,
enum dcerpc_pkt_type ptype,
size_t max_auth_info,
uint8_t required_flags,
uint8_t optional_flags)
{
if (pkt->rpc_vers != 5) {
return NT_STATUS_RPC_PROTOCOL_ERROR;
}
if (pkt->rpc_vers_minor != 0) {
return NT_STATUS_RPC_PROTOCOL_ERROR;
}
if (pkt->auth_length > pkt->frag_length) {
return NT_STATUS_RPC_PROTOCOL_ERROR;
}
if (pkt->ptype != ptype) {
return NT_STATUS_RPC_PROTOCOL_ERROR;
}
if (max_auth_info > UINT16_MAX) {
return NT_STATUS_INTERNAL_ERROR;
}
if (pkt->auth_length > 0) {
size_t max_auth_length;
if (max_auth_info <= DCERPC_AUTH_TRAILER_LENGTH) {
return NT_STATUS_RPC_PROTOCOL_ERROR;
}
max_auth_length = max_auth_info - DCERPC_AUTH_TRAILER_LENGTH;
if (pkt->auth_length > max_auth_length) {
return NT_STATUS_RPC_PROTOCOL_ERROR;
}
}
if ((pkt->pfc_flags & required_flags) != required_flags) {
return NT_STATUS_RPC_PROTOCOL_ERROR;
}
if (pkt->pfc_flags & ~(optional_flags|required_flags)) {
return NT_STATUS_RPC_PROTOCOL_ERROR;
}
if (pkt->drep[0] & ~DCERPC_DREP_LE) {
return NT_STATUS_RPC_PROTOCOL_ERROR;
}
if (pkt->drep[1] != 0) {
return NT_STATUS_RPC_PROTOCOL_ERROR;
}
if (pkt->drep[2] != 0) {
return NT_STATUS_RPC_PROTOCOL_ERROR;
}
if (pkt->drep[3] != 0) {
return NT_STATUS_RPC_PROTOCOL_ERROR;
}
return NT_STATUS_OK;
}
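Review bot: the drep handling accepts drep[0] == 0 (big-endian integers, ASCII characters) and drep[0] == DCERPC_DREP_LE and rejects everything else, which correctly drops the EBCDIC character bit and any undefined bits, and `drep[1] != 0` restricts floats to IEEE; that matches what the NDR code can actually parse. Two small things: "strcuture" in the doc comment, and the early `pkt->auth_length > pkt->frag_length` check bounds auth_length by the actual fragment while the later `max_auth_length` check bounds it by the caller's static limit, so both are needed; a comment saying so would stop someone from "simplifying" one of them away.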

View File

@ -186,12 +186,17 @@ const char *dcerpc_default_transport_endpoint(TALLOC_CTX *mem_ctx,
*
* @return - A NTSTATUS error code.
*/
NTSTATUS dcerpc_pull_auth_trailer(struct ncacn_packet *pkt,
NTSTATUS dcerpc_pull_auth_trailer(const struct ncacn_packet *pkt,
TALLOC_CTX *mem_ctx,
DATA_BLOB *pkt_trailer,
const DATA_BLOB *pkt_trailer,
struct dcerpc_auth *auth,
uint32_t *auth_length,
bool auth_data_only);
NTSTATUS dcerpc_verify_ncacn_packet_header(const struct ncacn_packet *pkt,
enum dcerpc_pkt_type ptype,
size_t max_auth_info,
uint8_t required_flags,
uint8_t optional_flags);
struct tevent_req *dcerpc_read_ncacn_packet_send(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
struct tstream_context *stream);
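Review bot: prototype and definition now disagree on the name of the next-to-last parameter (`auth_length` here, `_auth_length` in the definition); harmless to the compiler but worth aligning. The doc comment above the prototype should also state the new contract: pkt->auth_length must be non-zero, the function returns NT_STATUS_INTERNAL_ERROR for caller errors and NT_STATUS_RPC_PROTOCOL_ERROR for on-wire errors, and `*auth_length` is set to 0 on every failure path.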

View File

@ -1286,7 +1286,17 @@ wbcErr wbcCtxCredentialCache(struct wbcContext *ctx,
}
for (i=0; i<params->num_blobs; i++) {
if (strcasecmp(params->blobs[i].name, "initial_blob") == 0) {
/*
* Older callers may used to provide the NEGOTIATE request
* as "initial_blob", but it was completely ignored by winbindd.
*
* So we keep ignoring it.
*
* A new callers that is capable to support "new_spnego",
* will provide the NEGOTIATE request as "negotiate_blob"
* instead.
*/
if (strcasecmp(params->blobs[i].name, "negotiate_blob") == 0) {
if (initial_blob != NULL) {
status = WBC_ERR_INVALID_PARAM;
goto fail;
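Review bot: the branch condition changes from "initial_blob" to "negotiate_blob" but the local is still called `initial_blob`, and the WBC_ERR_INVALID_PARAM duplicate check right below still reads as if it were about the initial blob; renaming the variable would keep the new comment and the code in step. Grammar in the comment: "Older callers may have provided the NEGOTIATE request as "initial_blob", but winbindd ignored it completely, so we keep ignoring it. A new caller that supports "new_spnego" provides the NEGOTIATE request as "negotiate_blob" instead."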
@ -1384,6 +1394,15 @@ wbcErr wbcCtxCredentialCache(struct wbcContext *ctx,
if (!WBC_ERROR_IS_OK(status)) {
goto fail;
}
if (response.data.ccache_ntlm_auth.new_spnego) {
status = wbcAddNamedBlob(
&result->num_blobs, &result->blobs, "new_spnego", 0,
&response.data.ccache_ntlm_auth.new_spnego,
sizeof(response.data.ccache_ntlm_auth.new_spnego));
if (!WBC_ERROR_IS_OK(status)) {
goto fail;
}
}
*info = result;
result = NULL;
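Review bot: the "new_spnego" blob is only attached when `response.data.ccache_ntlm_auth.new_spnego` is non-zero, so a consumer that finds no such blob cannot tell "server does not support new SPNEGO" from "winbindd predates this field". Always adding the blob (value 0 or 1) would make absence unambiguous; if the conditional is deliberate to avoid confusing older blob parsers, say so in a comment.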

View File

@ -486,6 +486,7 @@ struct winbindd_response {
struct {
uint8_t session_key[16];
uint32_t auth_blob_len; /* blob in extra_data */
uint8_t new_spnego;
} ccache_ntlm_auth;
struct {
fstring dc_unc;
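Review bot: inserting `uint8_t new_spnego` after `auth_blob_len` changes the layout of `struct winbindd_response`, which is passed over the winbindd socket by value; this only works if client and daemon are built from the same definition, so the winbindd interface version bump that goes with it should be part of this change (not visible in this hunk). A comment that the field is a boolean would also help.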

View File

@ -1,5 +1,6 @@
# Unix SMB/CIFS implementation.
# Copyright (C) Jelmer Vernooij <jelmer@samba.org> 2007-2010
# Copyright (C) Stefan Metzmacher 2014,2015
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@ -24,6 +25,12 @@ import samba.auth
from samba import param
from samba.samdb import SamDB
from samba import credentials
import samba.ndr
import samba.dcerpc.dcerpc
import samba.dcerpc.base
import samba.dcerpc.epmapper
import socket
import struct
import subprocess
import sys
import tempfile
@ -222,6 +229,524 @@ cmdline_credentials = None
class RpcInterfaceTestCase(TestCase):
"""DCE/RPC Test case."""
class RawDCERPCTest(TestCase):
"""A raw DCE/RPC Test case."""
def _disconnect(self, reason):
if self.s is None:
return
self.s.close()
self.s = None
if self.do_hexdump:
sys.stderr.write("disconnect[%s]\n" % reason)
def connect(self):
try:
self.a = socket.getaddrinfo(self.host, self.tcp_port, socket.AF_UNSPEC,
socket.SOCK_STREAM, socket.SOL_TCP,
0)
self.s = socket.socket(self.a[0][0], self.a[0][1], self.a[0][2])
self.s.settimeout(10)
self.s.connect(self.a[0][4])
except socket.error as e:
self.s.close()
raise
except IOError as e:
self.s.close()
raise
except Exception as e:
raise
finally:
pass
def setUp(self):
super(RawDCERPCTest, self).setUp()
self.do_ndr_print = False
self.do_hexdump = False
self.host = samba.tests.env_get_var_value('SERVER')
self.tcp_port = 135
self.settings = {}
self.settings["lp_ctx"] = self.lp_ctx = samba.tests.env_loadparm()
self.settings["target_hostname"] = self.host
self.connect()
def epmap_reconnect(self, abstract):
ndr32 = samba.dcerpc.base.transfer_syntax_ndr()
tsf0_list = [ndr32]
ctx0 = samba.dcerpc.dcerpc.ctx_list()
ctx0.context_id = 1
ctx0.num_transfer_syntaxes = len(tsf0_list)
ctx0.abstract_syntax = samba.dcerpc.epmapper.abstract_syntax()
ctx0.transfer_syntaxes = tsf0_list
req = self.generate_bind(call_id=0, ctx_list=[ctx0])
self.send_pdu(req)
rep = self.recv_pdu()
self.verify_pdu(rep, samba.dcerpc.dcerpc.DCERPC_PKT_BIND_ACK,
req.call_id, auth_length=0)
self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag)
self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag)
self.assertNotEqual(rep.u.assoc_group_id, req.u.assoc_group_id)
self.assertEqual(rep.u.secondary_address_size, 4)
self.assertEqual(rep.u.secondary_address, "%d" % self.tcp_port)
self.assertEqual(len(rep.u._pad1), 2)
self.assertEqual(rep.u._pad1, '\0' * 2)
self.assertEqual(rep.u.num_results, 1)
self.assertEqual(rep.u.ctx_list[0].result,
samba.dcerpc.dcerpc.DCERPC_BIND_ACK_RESULT_ACCEPTANCE)
self.assertEqual(rep.u.ctx_list[0].reason,
samba.dcerpc.dcerpc.DCERPC_BIND_ACK_REASON_NOT_SPECIFIED)
self.assertNDRSyntaxEquals(rep.u.ctx_list[0].syntax, ndr32)
self.assertEqual(rep.u.auth_info, '\0' * 0)
# And now try a request
data1 = samba.ndr.ndr_pack(abstract)
lhs1 = samba.dcerpc.epmapper.epm_lhs()
lhs1.protocol = samba.dcerpc.epmapper.EPM_PROTOCOL_UUID
lhs1.lhs_data = data1[:18]
rhs1 = samba.dcerpc.epmapper.epm_rhs_uuid()
rhs1.unknown = data1[18:]
floor1 = samba.dcerpc.epmapper.epm_floor()
floor1.lhs = lhs1
floor1.rhs = rhs1
data2 = samba.ndr.ndr_pack(ndr32)
lhs2 = samba.dcerpc.epmapper.epm_lhs()
lhs2.protocol = samba.dcerpc.epmapper.EPM_PROTOCOL_UUID
lhs2.lhs_data = data2[:18]
rhs2 = samba.dcerpc.epmapper.epm_rhs_uuid()
rhs2.unknown = data1[18:]
floor2 = samba.dcerpc.epmapper.epm_floor()
floor2.lhs = lhs2
floor2.rhs = rhs2
lhs3 = samba.dcerpc.epmapper.epm_lhs()
lhs3.protocol = samba.dcerpc.epmapper.EPM_PROTOCOL_NCACN
lhs3.lhs_data = ""
floor3 = samba.dcerpc.epmapper.epm_floor()
floor3.lhs = lhs3
floor3.rhs.minor_version = 0
lhs4 = samba.dcerpc.epmapper.epm_lhs()
lhs4.protocol = samba.dcerpc.epmapper.EPM_PROTOCOL_TCP
lhs4.lhs_data = ""
floor4 = samba.dcerpc.epmapper.epm_floor()
floor4.lhs = lhs4
floor4.rhs.port = self.tcp_port
lhs5 = samba.dcerpc.epmapper.epm_lhs()
lhs5.protocol = samba.dcerpc.epmapper.EPM_PROTOCOL_IP
lhs5.lhs_data = ""
floor5 = samba.dcerpc.epmapper.epm_floor()
floor5.lhs = lhs5
floor5.rhs.ipaddr = "0.0.0.0"
floors = [floor1,floor2,floor3,floor4,floor5]
req_tower = samba.dcerpc.epmapper.epm_tower()
req_tower.num_floors = len(floors)
req_tower.floors = floors
req_twr = samba.dcerpc.epmapper.epm_twr_t()
req_twr.tower = req_tower
pack_twr = samba.ndr.ndr_pack(req_twr)
# object
stub = "\x01\x00\x00\x00"
stub += "\x00" * 16
# tower
stub += "\x02\x00\x00\x00"
stub += pack_twr
# padding?
stub += "\x00" * 1
# handle
stub += "\x00" * 20
# max_towers
stub += "\x04\x00\x00\x00"
# we do an epm_Map() request
req = self.generate_request(call_id = 1,
context_id=ctx0.context_id,
opnum=3,
stub=stub)
self.send_pdu(req)
rep = self.recv_pdu()
self.verify_pdu(rep, samba.dcerpc.dcerpc.DCERPC_PKT_RESPONSE,
req.call_id, auth_length=0)
self.assertNotEqual(rep.u.alloc_hint, 0)
self.assertEqual(rep.u.context_id, req.u.context_id)
self.assertEqual(rep.u.cancel_count, 0)
self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint)
num_towers = struct.unpack_from("<I", rep.u.stub_and_verifier, 20)
(array_max, array_ofs, array_cnt) = struct.unpack_from("<III", rep.u.stub_and_verifier, 24)
status = struct.unpack_from("<I", rep.u.stub_and_verifier, len(rep.u.stub_and_verifier) - 4)
self.assertEqual(status[0], 0)
self.assertGreaterEqual(num_towers[0], 1)
self.assertEqual(array_max, 4)
self.assertEqual(array_ofs, 0)
self.assertGreaterEqual(array_cnt, 1)
unpack_twr = rep.u.stub_and_verifier[(36 + 4 * array_cnt):-4]
rep_twr = samba.ndr.ndr_unpack(samba.dcerpc.epmapper.epm_twr_t, unpack_twr, allow_remaining=True)
self.assertEqual(rep_twr.tower_length, 75)
self.assertEqual(rep_twr.tower.num_floors, 5)
self.assertEqual(len(rep_twr.tower.floors), 5)
self.assertEqual(rep_twr.tower.floors[3].lhs.protocol,
samba.dcerpc.epmapper.EPM_PROTOCOL_TCP)
self.assertEqual(rep_twr.tower.floors[3].lhs.protocol,
samba.dcerpc.epmapper.EPM_PROTOCOL_TCP)
# reconnect to the given port
self._disconnect("epmap_reconnect")
self.tcp_port = rep_twr.tower.floors[3].rhs.port
self.connect()
def send_pdu(self, req, ndr_print=None, hexdump=None):
if ndr_print is None:
ndr_print = self.do_ndr_print
if hexdump is None:
hexdump = self.do_hexdump
try:
req_pdu = samba.ndr.ndr_pack(req)
if ndr_print:
sys.stderr.write("send_pdu: %s" % samba.ndr.ndr_print(req))
if hexdump:
sys.stderr.write("send_pdu: %d\n%s" % (len(req_pdu), self.hexdump(req_pdu)))
while True:
sent = self.s.send(req_pdu, 0)
if sent == len(req_pdu):
break
req_pdu = req_pdu[sent:]
except socket.error as e:
self._disconnect("send_pdu: %s" % e)
raise
except IOError as e:
self._disconnect("send_pdu: %s" % e)
raise
finally:
pass
def recv_raw(self, hexdump=None, timeout=None):
rep_pdu = None
if hexdump is None:
hexdump = self.do_hexdump
try:
if timeout is not None:
self.s.settimeout(timeout)
rep_pdu = self.s.recv(0xffff, 0)
self.s.settimeout(10)
if len(rep_pdu) == 0:
self._disconnect("recv_raw: EOF")
return None
if hexdump:
sys.stderr.write("recv_raw: %d\n%s" % (len(rep_pdu), self.hexdump(rep_pdu)))
except socket.timeout as e:
self.s.settimeout(10)
sys.stderr.write("recv_raw: TIMEOUT\n")
pass
except socket.error as e:
self._disconnect("recv_raw: %s" % e)
raise
except IOError as e:
self._disconnect("recv_raw: %s" % e)
raise
finally:
pass
return rep_pdu
def recv_pdu(self, ndr_print=None, hexdump=None, timeout=None):
rep = None
if ndr_print is None:
ndr_print = self.do_ndr_print
if hexdump is None:
hexdump = self.do_hexdump
try:
rep_pdu = self.recv_raw(hexdump=hexdump, timeout=timeout)
if rep_pdu is None:
return None
rep = samba.ndr.ndr_unpack(samba.dcerpc.dcerpc.ncacn_packet, rep_pdu, allow_remaining=True)
if ndr_print:
sys.stderr.write("recv_pdu: %s" % samba.ndr.ndr_print(rep))
self.assertEqual(rep.frag_length, len(rep_pdu))
finally:
pass
return rep
def generate_auth(self,
auth_type=None,
auth_level=None,
auth_pad_length=0,
auth_context_id=None,
auth_blob=None,
ndr_print=None, hexdump=None):
if ndr_print is None:
ndr_print = self.do_ndr_print
if hexdump is None:
hexdump = self.do_hexdump
if auth_type is not None:
a = samba.dcerpc.dcerpc.auth()
a.auth_type = auth_type
a.auth_level = auth_level
a.auth_pad_length = auth_pad_length
a.auth_context_id= auth_context_id
a.credentials = auth_blob
ai = samba.ndr.ndr_pack(a)
if ndr_print:
sys.stderr.write("generate_auth: %s" % samba.ndr.ndr_print(a))
if hexdump:
sys.stderr.write("generate_auth: %d\n%s" % (len(ai), self.hexdump(ai)))
else:
ai = ""
return ai
def parse_auth(self, auth_info, ndr_print=None, hexdump=None):
if ndr_print is None:
ndr_print = self.do_ndr_print
if hexdump is None:
hexdump = self.do_hexdump
if (len(auth_info) <= samba.dcerpc.dcerpc.DCERPC_AUTH_TRAILER_LENGTH):
return None
if hexdump:
sys.stderr.write("parse_auth: %d\n%s" % (len(auth_info), self.hexdump(auth_info)))
a = samba.ndr.ndr_unpack(samba.dcerpc.dcerpc.auth, auth_info, allow_remaining=True)
if ndr_print:
sys.stderr.write("parse_auth: %s" % samba.ndr.ndr_print(a))
return a
def generate_pdu(self, ptype, call_id, payload,
rpc_vers=5,
rpc_vers_minor=0,
pfc_flags = samba.dcerpc.dcerpc.DCERPC_PFC_FLAG_FIRST |
samba.dcerpc.dcerpc.DCERPC_PFC_FLAG_LAST,
drep = [samba.dcerpc.dcerpc.DCERPC_DREP_LE, 0, 0, 0],
ndr_print=None, hexdump=None):
if getattr(payload, 'auth_info', None):
ai = payload.auth_info
else:
ai = ""
p = samba.dcerpc.dcerpc.ncacn_packet()
p.rpc_vers = rpc_vers
p.rpc_vers_minor = rpc_vers_minor
p.ptype = ptype
p.pfc_flags = pfc_flags
p.drep = drep
p.frag_length = 0
if len(ai) > samba.dcerpc.dcerpc.DCERPC_AUTH_TRAILER_LENGTH:
p.auth_length = len(ai) - samba.dcerpc.dcerpc.DCERPC_AUTH_TRAILER_LENGTH
else:
p.auth_length = 0
p.call_id = call_id
p.u = payload
pdu = samba.ndr.ndr_pack(p)
p.frag_length = len(pdu)
return p
def verify_pdu(self, p, ptype, call_id,
rpc_vers=5,
rpc_vers_minor=0,
pfc_flags = samba.dcerpc.dcerpc.DCERPC_PFC_FLAG_FIRST |
samba.dcerpc.dcerpc.DCERPC_PFC_FLAG_LAST,
drep = [samba.dcerpc.dcerpc.DCERPC_DREP_LE, 0, 0, 0],
auth_length=None):
self.assertIsNotNone(p, "No valid pdu")
if getattr(p.u, 'auth_info', None):
ai = p.u.auth_info
else:
ai = ""
self.assertEqual(p.rpc_vers, rpc_vers)
self.assertEqual(p.rpc_vers_minor, rpc_vers_minor)
self.assertEqual(p.ptype, ptype)
self.assertEqual(p.pfc_flags, pfc_flags)
self.assertEqual(p.drep, drep)
self.assertGreaterEqual(p.frag_length,
samba.dcerpc.dcerpc.DCERPC_NCACN_PAYLOAD_OFFSET)
if len(ai) > samba.dcerpc.dcerpc.DCERPC_AUTH_TRAILER_LENGTH:
self.assertEqual(p.auth_length,
len(ai) - samba.dcerpc.dcerpc.DCERPC_AUTH_TRAILER_LENGTH)
elif auth_length is not None:
self.assertEqual(p.auth_length, auth_length)
else:
self.assertEqual(p.auth_length, 0)
self.assertEqual(p.call_id, call_id)
return
def generate_bind(self, call_id,
pfc_flags = samba.dcerpc.dcerpc.DCERPC_PFC_FLAG_FIRST |
samba.dcerpc.dcerpc.DCERPC_PFC_FLAG_LAST,
max_xmit_frag=5840,
max_recv_frag=5840,
assoc_group_id=0,
ctx_list=[],
auth_info="",
ndr_print=None, hexdump=None):
b = samba.dcerpc.dcerpc.bind()
b.max_xmit_frag = max_xmit_frag
b.max_recv_frag = max_recv_frag
b.assoc_group_id = assoc_group_id
b.num_contexts = len(ctx_list)
b.ctx_list = ctx_list
b.auth_info = auth_info
p = self.generate_pdu(ptype=samba.dcerpc.dcerpc.DCERPC_PKT_BIND,
pfc_flags=pfc_flags,
call_id=call_id,
payload=b,
ndr_print=ndr_print, hexdump=hexdump)
return p
def generate_alter(self, call_id,
pfc_flags = samba.dcerpc.dcerpc.DCERPC_PFC_FLAG_FIRST |
samba.dcerpc.dcerpc.DCERPC_PFC_FLAG_LAST,
max_xmit_frag=5840,
max_recv_frag=5840,
assoc_group_id=0,
ctx_list=[],
auth_info="",
ndr_print=None, hexdump=None):
a = samba.dcerpc.dcerpc.bind()
a.max_xmit_frag = max_xmit_frag
a.max_recv_frag = max_recv_frag
a.assoc_group_id = assoc_group_id
a.num_contexts = len(ctx_list)
a.ctx_list = ctx_list
a.auth_info = auth_info
p = self.generate_pdu(ptype=samba.dcerpc.dcerpc.DCERPC_PKT_ALTER,
pfc_flags=pfc_flags,
call_id=call_id,
payload=a,
ndr_print=ndr_print, hexdump=hexdump)
return p
def generate_auth3(self, call_id,
pfc_flags = samba.dcerpc.dcerpc.DCERPC_PFC_FLAG_FIRST |
samba.dcerpc.dcerpc.DCERPC_PFC_FLAG_LAST,
auth_info="",
ndr_print=None, hexdump=None):
a = samba.dcerpc.dcerpc.auth3()
a.auth_info = auth_info
p = self.generate_pdu(ptype=samba.dcerpc.dcerpc.DCERPC_PKT_AUTH3,
pfc_flags=pfc_flags,
call_id=call_id,
payload=a,
ndr_print=ndr_print, hexdump=hexdump)
return p
def generate_request(self, call_id,
pfc_flags = samba.dcerpc.dcerpc.DCERPC_PFC_FLAG_FIRST |
samba.dcerpc.dcerpc.DCERPC_PFC_FLAG_LAST,
alloc_hint=None,
context_id=None,
opnum=None,
object=None,
stub=None,
auth_info="",
ndr_print=None, hexdump=None):
if alloc_hint is None:
alloc_hint = len(stub)
r = samba.dcerpc.dcerpc.request()
r.alloc_hint = alloc_hint
r.context_id = context_id
r.opnum = opnum
if object is not None:
r.object = object
r.stub_and_verifier = stub + auth_info
p = self.generate_pdu(ptype=samba.dcerpc.dcerpc.DCERPC_PKT_REQUEST,
pfc_flags=pfc_flags,
call_id=call_id,
payload=r,
ndr_print=ndr_print, hexdump=hexdump)
if len(auth_info) > samba.dcerpc.dcerpc.DCERPC_AUTH_TRAILER_LENGTH:
p.auth_length = len(auth_info) - samba.dcerpc.dcerpc.DCERPC_AUTH_TRAILER_LENGTH
return p
def generate_co_cancel(self, call_id,
pfc_flags = samba.dcerpc.dcerpc.DCERPC_PFC_FLAG_FIRST |
samba.dcerpc.dcerpc.DCERPC_PFC_FLAG_LAST,
auth_info="",
ndr_print=None, hexdump=None):
c = samba.dcerpc.dcerpc.co_cancel()
c.auth_info = auth_info
p = self.generate_pdu(ptype=samba.dcerpc.dcerpc.DCERPC_PKT_CO_CANCEL,
pfc_flags=pfc_flags,
call_id=call_id,
payload=c,
ndr_print=ndr_print, hexdump=hexdump)
return p
def generate_orphaned(self, call_id,
pfc_flags = samba.dcerpc.dcerpc.DCERPC_PFC_FLAG_FIRST |
samba.dcerpc.dcerpc.DCERPC_PFC_FLAG_LAST,
auth_info="",
ndr_print=None, hexdump=None):
o = samba.dcerpc.dcerpc.orphaned()
o.auth_info = auth_info
p = self.generate_pdu(ptype=samba.dcerpc.dcerpc.DCERPC_PKT_ORPHANED,
pfc_flags=pfc_flags,
call_id=call_id,
payload=o,
ndr_print=ndr_print, hexdump=hexdump)
return p
def generate_shutdown(self, call_id,
pfc_flags = samba.dcerpc.dcerpc.DCERPC_PFC_FLAG_FIRST |
samba.dcerpc.dcerpc.DCERPC_PFC_FLAG_LAST,
ndr_print=None, hexdump=None):
s = samba.dcerpc.dcerpc.shutdown()
p = self.generate_pdu(ptype=samba.dcerpc.dcerpc.DCERPC_PKT_SHUTDOWN,
pfc_flags=pfc_flags,
call_id=call_id,
payload=s,
ndr_print=ndr_print, hexdump=hexdump)
return p
def assertIsConnected(self):
self.assertIsNotNone(self.s, msg="Not connected")
return
def assertNotConnected(self):
self.assertIsNone(self.s, msg="Is connected")
return
def assertNDRSyntaxEquals(self, s1, s2):
self.assertEqual(s1.uuid, s2.uuid)
self.assertEqual(s1.if_version, s2.if_version)
return
class ValidNetbiosNameTests(TestCase):
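Review bot: a few issues in the new RawDCERPCTest helper. (1) `rhs2.unknown = data1[18:]` in epmap_reconnect should be `data2[18:]`, i.e. the minor version of the transfer syntax, not of the abstract syntax; it happens to be the same two zero bytes for ndr32 and epmapper v3.0, which is why the test still passes. (2) The two `assertEqual(rep_twr.tower.floors[3].lhs.protocol, EPM_PROTOCOL_TCP)` checks are duplicated; presumably the second was meant to check floors[4] against EPM_PROTOCOL_IP. (3) In connect(), `self.s` is not assigned until after getaddrinfo(), so a resolver failure reaches `self.s.close()` with no attribute set and raises AttributeError instead of the socket.error; initialise `self.s = None` in setUp() (as _disconnect already assumes) and guard the close. (4) `except Exception as e: raise` and the `finally: pass` clauses are no-ops and can go.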

View File

@ -27,7 +27,7 @@ class DnsserverTests(RpcInterfaceTestCase):
super(DnsserverTests, self).setUp()
self.server = env_get_var_value("SERVER_IP")
self.zone = env_get_var_value("REALM").lower()
self.conn = dnsserver.dnsserver("ncacn_ip_tcp:%s" % (self.server),
self.conn = dnsserver.dnsserver("ncacn_ip_tcp:%s[sign]" % (self.server),
self.get_loadparm(),
self.get_credentials())
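Review bot: `ncacn_ip_tcp:%s[sign]` is the right fix for this test now that the default auth level is INTEGRITY: with credentials supplied, dnsserver over TCP without an explicit level would bind with integrity anyway, but being explicit keeps the test meaningful if the default is ever changed again. Consider `[seal]` if any of the tested calls carry zone data that should not cross the wire in clear.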

File diff suppressed because it is too large

View File

@ -86,6 +86,9 @@
^samba4.rpc.lsalookup with seal,padcheck
^samba4.rpc.lsalookup with validate
^samba4.rpc.lsalookup with bigendian
^samba4.rpc.lsa on ncacn_np with seal # This gives NT_STATUS_LOCAL_USER_SESSION_KEY
^samba4.rpc.lsa with seal # This gives NT_STATUS_LOCAL_USER_SESSION_KEY
^samba4.rpc.lsa.secrets.*seal # This gives NT_STATUS_LOCAL_USER_SESSION_KEY
^samba4.rpc.netlogon.*.LogonUasLogon
^samba4.rpc.netlogon.*.LogonUasLogoff
^samba4.rpc.netlogon.*.DatabaseSync
@ -94,6 +97,10 @@
^samba4.rpc.netlogon.*.NetrEnumerateTrustedDomainsEx
^samba4.rpc.netlogon.*.GetPassword
^samba4.rpc.netlogon.*.DatabaseRedo
^samba4.rpc.drsuapi.*ncacn_ip_tcp.*validate # should only work with seal
^samba4.rpc.drsuapi.*ncacn_ip_tcp.*bigendian # should only work with seal
^samba4.rpc.samr.passwords.validate.*ncacn_ip_tcp.*with.validate # should only work with seal
^samba4.rpc.samr.passwords.validate.*ncacn_ip_tcp.*with.bigendian # should only work with seal
^samba4.base.charset.*.Testing partial surrogate
^samba4.*.base.maximum_allowed # broken until we implement NTCREATEX_OPTIONS_BACKUP_INTENT
.*net.api.delshare.* # DelShare isn't implemented yet
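Review bot: the four "should only work with seal" entries park the validate/bigendian variants of drsuapi and samr.passwords.validate over ncacn_ip_tcp in knownfail because those interfaces now require privacy. Rather than expecting them to fail, the test definitions should request `[seal]` for those runs so the validate and bigendian paths keep getting exercised; leaving them in knownfail means a regression in sealed NDR validation would go unnoticed.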
@ -211,6 +218,7 @@
^samba3.smb2.replay.replay4
^samba3.smb2.lock.*replay
^samba3.raw.session.*reauth2 # maybe fix this?
^samba3.rpc.lsa.secrets.seal # This gives NT_STATUS_LOCAL_USER_SESSION_KEY
^samba3.rpc.samr.passwords.badpwdcount.samr.badPwdCount\(nt4_dc\) # We fail this test currently
^samba3.rpc.samr.passwords.lockout.*\(nt4_dc\)$ # We fail this test currently
^samba3.rpc.spoolss.printer.addprinter.driver_info_winreg # knownfail or flapping?
@ -312,3 +320,23 @@
# we can watch for set methods on.
#
^samba.tests.dcerpc.integer.samba.tests.dcerpc.integer.IntegerTests.test_.*_into_uint8_list
#
## We assert all "ldap server require strong auth" combinations
#
^samba4.ldb.simple.ldap with SIMPLE-BIND.*ad_dc_ntvfs # ldap server require strong auth = allow_sasl_over_tls
^samba4.ldb.simple.ldap with SIMPLE-BIND.*fl2003dc # ldap server require strong auth = yes
^samba4.ldb.simple.ldaps with SASL-BIND.*fl2003dc # ldap server require strong auth = yes
# These are supposed to fail as we want to verify the "tls verify peer"
# restrictions. Note that fl2008r2dc uses a self-signed certificate
# with does not have a crl file.
#
^samba4.ldb.simple.ldaps.*SERVER_NAME.*tlsverifypeer=ca_and_name_if_available\(
^samba4.ldb.simple.ldaps.*SERVER_NAME.*tlsverifypeer=ca_and_name\(
^samba4.ldb.simple.ldaps.*SERVER_NAME.*tlsverifypeer=as_strict_as_possible\(
^samba4.ldb.simple.ldaps.*SERVER_IP.*tlsverifypeer=ca_and_name\(
^samba4.ldb.simple.ldaps.*SERVER_IP.*tlsverifypeer=as_strict_as_possible\(
^samba4.ldb.simple.ldaps.*SERVER.REALM.*tlsverifypeer=as_strict_as_possible.*fl2008r2dc
#
# we don't allow auth_level_connect anymore...
#
^samba3.blackbox.rpcclient.*ncacn_np.*with.*connect.*rpcclient # we don't allow auth_level_connect anymore
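Review bot: typo in the TLS comment: "with does not have a crl file" should be "which does not have a CRL file". The entries themselves are consistent with the cert material added in this commit: fl2008r2dc's self-signed certificate has no CRL, so `tlsverifypeer=as_strict_as_possible` is expected to fail there, while the SERVER_NAME and SERVER_IP variants fail for ca_and_name because the name or address does not match the certificate. It would help to record the bug number covering the "ldap server require strong auth" matrix next to those three entries so the knownfail can be retired when the environments are reconfigured.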

View File

@ -0,0 +1,191 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2 (0x2)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=SambaState, L=SambaCity, O=SambaSelfTesting, OU=CA Administration, CN=CA of samba.example.com/emailAddress=ca-samba.example.com@samba.example.com
Validity
Not Before: Mar 16 23:29:25 2016 GMT
Not After : Mar 11 23:29:25 2036 GMT
Subject: C=US, ST=SambaState, O=SambaSelfTesting, OU=Domain Controllers, CN=addc.addom.samba.example.com/emailAddress=ca-samba.example.com@samba.example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:a6:c4:a9:bf:75:ea:4c:8d:3b:fd:8a:0f:b0:a2:
b6:c7:a8:1f:e4:0e:3e:41:ef:d6:10:48:77:7b:4e:
4c:59:e1:bf:6d:c7:18:7b:a8:01:a7:d5:d2:2c:21:
3e:d0:1a:da:58:03:e8:42:f1:53:0e:a7:91:b9:2c:
b9:e7:7a:c9:de:5e:ed:4c:93:6b:cc:dd:17:d0:c7:
d1:f1:7c:3d:0d:6f:df:5d:53:5a:b1:1f:a3:7b:5b:
41:65:0c:7c:ea:53:df:bb:da:41:15:da:49:e3:b9:
2d:bb:b5:af:ef:8c:b8:84:74:d0:18:16:8e:5c:e4:
c2:e7:a1:87:8f:e3:87:8b:0b:bb:90:30:e8:e0:f3:
eb:c0:50:5f:b5:7f:54:9a:1b:34:43:fd:be:5a:80:
6e:0f:63:a2:b3:79:42:4a:85:c8:07:c7:82:55:23:
88:d4:4e:03:2f:f1:95:bd:ed:15:2d:3e:16:cd:ff:
c7:9b:03:29:36:a6:5d:c9:1a:1e:89:a5:ba:66:83:
0f:96:a8:07:9f:24:b9:1b:8f:02:9a:b8:50:29:8b:
be:63:45:fa:45:c3:38:23:a0:98:3a:b4:6b:42:99:
13:36:4b:84:ef:27:89:39:34:79:f8:67:16:7b:9c:
2a:03:41:15:63:46:e4:db:2f:f2:3e:6d:fe:7c:20:
1e:9f:02:48:a4:bc:15:42:a6:f8:38:86:dc:6b:7c:
4e:67:a3:31:81:8e:b6:30:1a:eb:3d:08:25:19:5f:
42:dc:39:ec:79:1d:30:0a:fb:16:8f:3d:19:14:cc:
f5:af:d7:c6:75:cf:b3:96:a2:b2:9b:d9:03:01:a3:
ca:88:1d:72:ed:6f:d1:bf:57:56:8e:b9:07:9b:b9:
04:13:1e:0b:5a:06:6b:2b:43:a2:dc:d5:b7:f4:ba:
d3:ae:9d:ad:fd:d3:8a:7c:2f:87:32:fa:89:88:58:
00:ae:16:2b:9c:1d:58:82:4d:e5:21:da:d5:6c:f7:
a8:40:8b:c7:02:d5:36:30:ef:3f:09:9b:a6:d2:31:
a3:bf:20:d4:a2:9e:26:c4:b4:c3:0f:0b:6c:00:d1:
2c:16:b1:2a:eb:06:d9:d5:98:c3:cd:cb:20:68:ad:
0a:2c:a1:2f:27:41:5c:91:de:49:62:ed:d8:3a:ef:
68:1c:6d:fe:94:c3:28:68:32:60:08:65:cd:02:9f:
97:96:2f:0f:87:27:3d:b9:0f:85:62:e8:2b:9a:b4:
f4:d3:d7:c1:93:96:27:23:29:88:b1:39:99:53:3a:
20:aa:88:44:3b:4a:24:2a:8b:e0:b4:8d:dd:66:30:
df:a6:6e:b7:fc:21:43:16:9e:3e:12:20:c8:7a:30:
c1:3d:ab
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 CRL Distribution Points:
Full Name:
URI:http://www.samba.example.com/crls/CA-samba.example.com-crl.crl
Netscape Cert Type:
SSL Server
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
Netscape Comment:
Domain Controller Certificate addc.addom.samba.example.com
X509v3 Subject Key Identifier:
3D:BC:70:0C:74:D4:B8:85:49:1D:08:84:C4:1B:27:F2:AF:72:37:D3
X509v3 Authority Key Identifier:
keyid:A2:3E:02:2A:A3:A7:4D:39:B4:08:4D:99:CC:0C:75:36:EA:27:C3:3E
X509v3 Subject Alternative Name:
DNS:addc.addom.samba.example.com, othername:<unsupported>
X509v3 Issuer Alternative Name:
email:ca-samba.example.com@samba.example.com
Netscape CA Revocation Url:
http://www.samba.example.com/crls/CA-samba.example.com-crl.crl
X509v3 Extended Key Usage:
TLS Web Client Authentication, TLS Web Server Authentication, msKDC
Signature Algorithm: sha256WithRSAEncryption
9e:8b:bb:0a:7a:dc:c0:94:33:bc:18:a5:e6:4a:1f:ff:8e:21:
b1:8f:33:f0:3e:8b:6c:72:55:c4:47:71:5f:ce:e7:31:ef:5b:
62:04:b7:57:8f:a8:27:9f:ed:69:d2:ec:a8:0d:e2:76:33:8d:
41:3a:67:61:5c:53:60:c7:53:ed:d7:99:72:29:1d:ae:d3:ee:
c9:76:1c:6d:18:47:e9:94:dd:2e:97:3f:99:af:b5:f4:a1:7c:
92:f6:4d:b5:c1:7a:0c:38:ba:d1:b6:19:9a:9f:e2:02:84:d4:
54:01:38:7b:55:86:4a:ee:3d:85:48:01:da:34:09:69:43:25:
7e:6e:06:73:e0:b9:7c:b5:9c:4e:9c:b5:52:85:32:62:62:25:
39:fa:02:4b:51:2e:df:8e:52:17:02:50:f4:99:29:bf:7e:97:
53:91:12:85:9a:69:62:45:59:c4:5b:3f:af:18:e6:7b:e4:86:
5d:f1:9e:5a:2b:3e:14:6e:7e:d4:47:24:ef:d9:a8:ec:d9:a6:
cb:b8:4f:1a:86:d9:43:20:41:16:15:5f:81:0d:fe:6b:31:53:
c1:f6:84:4c:f3:03:64:d2:e6:44:3d:7a:60:79:d7:37:6f:33:
de:c0:a8:b9:6e:fe:b2:79:ac:b4:53:92:b8:0a:59:2b:cc:6b:
37:c4:6f:c6:44:02:f7:7c:c5:c6:a6:6f:c2:ad:de:78:1e:48:
96:cc:fe:59:2e:53:ce:34:d6:e8:f0:56:43:30:32:90:6f:f9:
47:76:ab:99:63:e3:e8:a3:f3:83:98:e9:05:2b:ea:f9:f9:9d:
66:70:c7:2c:00:c2:9e:57:3e:31:43:50:50:c8:db:a8:2d:21:
4e:6f:39:c2:bd:ef:d8:47:99:27:0d:48:b2:58:f1:be:45:bd:
fe:c4:a2:56:fc:06:02:dc:19:33:85:53:ed:38:59:01:16:bc:
aa:c5:d3:4b:37:54:83:1b:e5:c1:4b:dd:34:6b:e5:d8:35:86:
95:e6:9f:d2:22:84:b1:e2:4f:a7:2e:4d:e6:9c:eb:db:df:42:
e1:b4:66:e6:58:d3:28:10:34:97:f3:9c:6b:5f:05:2c:47:2c:
e3:75:eb:6f:74:0a:ec:d7:1d:30:80:56:44:12:26:f6:4e:5f:
ff:92:f4:62:02:36:9c:62:eb:39:98:53:68:68:95:fb:94:68:
69:b8:3c:66:1a:ce:78:c4:cf:c4:6f:21:ac:a8:a6:f4:ab:69:
2a:2e:00:5d:f7:67:06:b1:4f:97:58:88:55:d8:6e:eb:a5:98:
50:36:21:70:3d:b0:a4:f5:3b:21:b3:1c:f5:a9:dd:c6:4a:c2:
89:b8:5a:b3:bc:1f:21:ce:4c:68:5f:98:d8:39:70:d2:7e:a0:
90:df:ad:a3:13:eb:3c:93:f6:b8:f4:d9:a7:51:b3:0d:ea:ee:
d4:57:aa:db:ca:7c:8a:a0:08:c3:98:9a:3a:b7:ba:2a:50:92:
26:c2:e3:11:ba:12:60:24:b9:59:df:62:a8:d7:4d:a3:cb:ea:
46:e8:39:f9:83:14:a8:5c:44:75:71:6b:7f:99:bd:68:58:d9:
6b:d1:cd:c7:45:95:9e:44:1e:85:35:c0:30:2b:18:aa:eb:2f:
93:d5:be:66:5d:70:ed:1d:04:f2:c1:1e:b5:ec:45:0c:04:f6:
9d:88:d3:0c:20:5e:5b:23:df:34:a1:f5:ea:b4:a1:44:c0:da:
d5:ea:89:e8:b5:cb:dc:f8:92:ee:ac:8d:61:ed:bf:74:2b:28:
79:1f:f4:9a:ff:63:bd:e6:aa:79:1d:2c:26:4a:b2:26:53:57:
ba:88:0e:eb:19:57:c0:10:a0:1e:81:2a:c0:56:2e:c3:2a:81:
bf:c1:5a:e7:48:ce:c1:6a:b9:6c:41:cc:44:a6:b8:70:e2:57:
0e:6d:41:d6:61:da:bf:ac:20:2c:a7:2a:67:23:98:00:ba:ce:
8b:a8:c2:45:66:a7:08:eb:7f:0a:b5:e7:9b:d6:f4:07:d5:b3:
43:cd:27:d4:fa:c9:40:8f:af:b2:36:1c:e7:44:b4:4e:cc:5a:
2b:73:ad:8f:c4:d9:47:a6:fb:2c:7d:1a:80:2a:55:b3:80:34:
6f:8e:17:27:93:05:21:40:e9:8f:bf:47:6a:52:f5:2e:b5:18:
d1:8c:1d:83:04:80:55:fd:21:28:dc:7c:be:c8:c1:5f:e4:40:
d3:13:e4:66:bf:ad:92:4e:9b:db:c1:be:a3:42:74:da:c3:2c:
0a:da:3f:94:14:ad:7e:de:81:c6:01:6a:f7:7a:b4:25:51:b0:
ab:cd:b3:3a:77:bf:c3:6b:04:44:30:73:41:ad:93:49:67:ee:
43:d1:96:8e:36:83:2b:1b:6c:e7:cc:3e:d6:16:b9:88:4a:ab:
56:c0:76:00:f6:9a:6a:8a:e3:e0:41:75:9d:3b:47:0f:c9:0a:
8e:9f:9c:00:92:bb:ae:d8:42:56:35:64:eb:59:13:da:2c:63:
83:c3:ec:68:91:b5:f3:71:85:48:54:c3:9d:a1:c8:63:f3:de:
5d:a5:34:a9:1e:85:2c:2c:b5:d8:a9:62:8d:26:1f:b2:9e:a7:
83:4d:df:69:63:b5:b7:e5:dd:e7:3b:18:e5:b3:77:df:c5:47:
b3:f7:8c:e7:5e:87:2e:46:e3:8f:b1:2b:9b:c6:26:2d:1a:28:
30:13:10:86:5b:46:87:b1:2d:12:ce:b6:fe:1c:4e:44
-----BEGIN CERTIFICATE-----
MIIJ9DCCBdygAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBxjELMAkGA1UEBhMCVVMx
EzARBgNVBAgMClNhbWJhU3RhdGUxEjAQBgNVBAcMCVNhbWJhQ2l0eTEZMBcGA1UE
CgwQU2FtYmFTZWxmVGVzdGluZzEaMBgGA1UECwwRQ0EgQWRtaW5pc3RyYXRpb24x
IDAeBgNVBAMMF0NBIG9mIHNhbWJhLmV4YW1wbGUuY29tMTUwMwYJKoZIhvcNAQkB
FiZjYS1zYW1iYS5leGFtcGxlLmNvbUBzYW1iYS5leGFtcGxlLmNvbTAeFw0xNjAz
MTYyMzI5MjVaFw0zNjAzMTEyMzI5MjVaMIG4MQswCQYDVQQGEwJVUzETMBEGA1UE
CAwKU2FtYmFTdGF0ZTEZMBcGA1UECgwQU2FtYmFTZWxmVGVzdGluZzEbMBkGA1UE
CwwSRG9tYWluIENvbnRyb2xsZXJzMSUwIwYDVQQDDBxhZGRjLmFkZG9tLnNhbWJh
LmV4YW1wbGUuY29tMTUwMwYJKoZIhvcNAQkBFiZjYS1zYW1iYS5leGFtcGxlLmNv
bUBzYW1iYS5leGFtcGxlLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC
ggIBAKbEqb916kyNO/2KD7CitseoH+QOPkHv1hBId3tOTFnhv23HGHuoAafV0iwh
PtAa2lgD6ELxUw6nkbksued6yd5e7UyTa8zdF9DH0fF8PQ1v311TWrEfo3tbQWUM
fOpT37vaQRXaSeO5Lbu1r++MuIR00BgWjlzkwuehh4/jh4sLu5Aw6ODz68BQX7V/
VJobNEP9vlqAbg9jorN5QkqFyAfHglUjiNROAy/xlb3tFS0+Fs3/x5sDKTamXcka
HomlumaDD5aoB58kuRuPApq4UCmLvmNF+kXDOCOgmDq0a0KZEzZLhO8niTk0efhn
FnucKgNBFWNG5Nsv8j5t/nwgHp8CSKS8FUKm+DiG3Gt8TmejMYGOtjAa6z0IJRlf
Qtw57HkdMAr7Fo89GRTM9a/XxnXPs5aispvZAwGjyogdcu1v0b9XVo65B5u5BBMe
C1oGaytDotzVt/S6066drf3TinwvhzL6iYhYAK4WK5wdWIJN5SHa1Wz3qECLxwLV
NjDvPwmbptIxo78g1KKeJsS0ww8LbADRLBaxKusG2dWYw83LIGitCiyhLydBXJHe
SWLt2DrvaBxt/pTDKGgyYAhlzQKfl5YvD4cnPbkPhWLoK5q09NPXwZOWJyMpiLE5
mVM6IKqIRDtKJCqL4LSN3WYw36Zut/whQxaePhIgyHowwT2rAgMBAAGjggH3MIIB
8zAJBgNVHRMEAjAAME8GA1UdHwRIMEYwRKBCoECGPmh0dHA6Ly93d3cuc2FtYmEu
ZXhhbXBsZS5jb20vY3Jscy9DQS1zYW1iYS5leGFtcGxlLmNvbS1jcmwuY3JsMBEG
CWCGSAGG+EIBAQQEAwIGQDALBgNVHQ8EBAMCBeAwSQYJYIZIAYb4QgENBDwWOkRv
bWFpbiBDb250cm9sbGVyIENlcnRpZmljYXRlIGFkZGMuYWRkb20uc2FtYmEuZXhh
bXBsZS5jb20wHQYDVR0OBBYEFD28cAx01LiFSR0IhMQbJ/KvcjfTMB8GA1UdIwQY
MBaAFKI+Aiqjp005tAhNmcwMdTbqJ8M+MEAGA1UdEQQ5MDeCHGFkZGMuYWRkb20u
c2FtYmEuZXhhbXBsZS5jb22gFwYJKwYBBAGCNxkBoAoECAEjRWeJq83vMDEGA1Ud
EgQqMCiBJmNhLXNhbWJhLmV4YW1wbGUuY29tQHNhbWJhLmV4YW1wbGUuY29tME0G
CWCGSAGG+EIBBARAFj5odHRwOi8vd3d3LnNhbWJhLmV4YW1wbGUuY29tL2NybHMv
Q0Etc2FtYmEuZXhhbXBsZS5jb20tY3JsLmNybDAmBgNVHSUEHzAdBggrBgEFBQcD
AgYIKwYBBQUHAwEGBysGAQUCAwUwDQYJKoZIhvcNAQELBQADggQBAJ6Luwp63MCU
M7wYpeZKH/+OIbGPM/A+i2xyVcRHcV/O5zHvW2IEt1ePqCef7WnS7KgN4nYzjUE6
Z2FcU2DHU+3XmXIpHa7T7sl2HG0YR+mU3S6XP5mvtfShfJL2TbXBegw4utG2GZqf
4gKE1FQBOHtVhkruPYVIAdo0CWlDJX5uBnPguXy1nE6ctVKFMmJiJTn6AktRLt+O
UhcCUPSZKb9+l1OREoWaaWJFWcRbP68Y5nvkhl3xnlorPhRuftRHJO/ZqOzZpsu4
TxqG2UMgQRYVX4EN/msxU8H2hEzzA2TS5kQ9emB51zdvM97AqLlu/rJ5rLRTkrgK
WSvMazfEb8ZEAvd8xcamb8Kt3ngeSJbM/lkuU8401ujwVkMwMpBv+Ud2q5lj4+ij
84OY6QUr6vn5nWZwxywAwp5XPjFDUFDI26gtIU5vOcK979hHmScNSLJY8b5Fvf7E
olb8BgLcGTOFU+04WQEWvKrF00s3VIMb5cFL3TRr5dg1hpXmn9IihLHiT6cuTeac
69vfQuG0ZuZY0ygQNJfznGtfBSxHLON16290CuzXHTCAVkQSJvZOX/+S9GICNpxi
6zmYU2holfuUaGm4PGYaznjEz8RvIayopvSraSouAF33ZwaxT5dYiFXYbuulmFA2
IXA9sKT1OyGzHPWp3cZKwom4WrO8HyHOTGhfmNg5cNJ+oJDfraMT6zyT9rj02adR
sw3q7tRXqtvKfIqgCMOYmjq3uipQkibC4xG6EmAkuVnfYqjXTaPL6kboOfmDFKhc
RHVxa3+ZvWhY2WvRzcdFlZ5EHoU1wDArGKrrL5PVvmZdcO0dBPLBHrXsRQwE9p2I
0wwgXlsj3zSh9eq0oUTA2tXqiei1y9z4ku6sjWHtv3QrKHkf9Jr/Y73mqnkdLCZK
siZTV7qIDusZV8AQoB6BKsBWLsMqgb/BWudIzsFquWxBzESmuHDiVw5tQdZh2r+s
ICynKmcjmAC6zouowkVmpwjrfwq155vW9AfVs0PNJ9T6yUCPr7I2HOdEtE7MWitz
rY/E2Uem+yx9GoAqVbOANG+OFyeTBSFA6Y+/R2pS9S61GNGMHYMEgFX9ISjcfL7I
wV/kQNMT5Ga/rZJOm9vBvqNCdNrDLAraP5QUrX7egcYBavd6tCVRsKvNszp3v8Nr
BEQwc0Gtk0ln7kPRlo42gysbbOfMPtYWuYhKq1bAdgD2mmqK4+BBdZ07Rw/JCo6f
nACSu67YQlY1ZOtZE9osY4PD7GiRtfNxhUhUw52hyGPz3l2lNKkehSwstdipYo0m
H7Kep4NN32ljtbfl3ec7GOWzd9/FR7P3jOdehy5G44+xK5vGJi0aKDATEIZbRoex
LRLOtv4cTkQ=
-----END CERTIFICATE-----

@ -0,0 +1,54 @@
-----BEGIN ENCRYPTED PRIVATE KEY-----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-----END ENCRYPTED PRIVATE KEY-----

@ -0,0 +1,250 @@
#
# Based on the OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#
# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
RANDFILE = $ENV::HOME/.rnd
#CRLDISTPT = [CRL Distribution Point; e.g., http://crl-list.base/w4edom-l4.base.crl]
CRLDISTPT = http://www.samba.example.com/crls/CA-samba.example.com-crl.crl
# Extra OBJECT IDENTIFIER info:
oid_section = new_oids
# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)
[ new_oids ]
# Ordinarily, certificates must have this oid as an enhanced key usage in order for Windows to allow them to be used as a login credential
scardLogin=1.3.6.1.4.1.311.20.2.2
# Used in a smart card login certificate's subject alternative name
msUPN=1.3.6.1.4.1.311.20.2.3
# Ordinarily, certificates must have this oid as an enhanced key usage in order for Windows to allow them to be used to identify a domain controller
msKDC=1.3.6.1.5.2.3.5
# Identifies the AD GUID
msADGUID=1.3.6.1.4.1.311.25.1
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = CA-samba.example.com # Where everything is kept
certs = $dir/_none_certs # Where the issued certs are kept
crl_dir = $dir/_none_crl # Where the issued crl are kept
database = $dir/Private/CA-samba.example.com-index.txt # database index file.
unique_subject = yes # Set to 'no' to allow creation of
# several certificates with same subject.
new_certs_dir = $dir/NewCerts # default place for new certs.
certificate = $dir/Public/CA-samba.example.com-cert.pem # The CA certificate
serial = $dir/Private/CA-samba.example.com-serial.txt # The current serial number
crlnumber = $dir/Private/CA-samba.example.com-crlnumber.txt # the current crl number
# must be commented out to leave a V1 CRL
#crl = $dir/Public/CA-samba.example.com-crl.pem # The current CRL
crl = $dir/Public/CA-samba.example.com-crl.crl # The current CRL
private_key = $dir/Private/CA-samba.example.com-private-key.pem # The private key
RANDFILE = $dir/Private/CA-samba.example.com.rand # private random number file
#x509_extensions = # The extensions to add to the cert
x509_extensions = template_x509_extensions
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
# Extension copying option: use with caution.
# copy_extensions = copy
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
crl_extensions = crl_ext
default_days = 7300 # how long to certify for
default_crl_days= 7300 # how long before next CRL
default_md = sha256 # use public key default MD
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = match
stateOrProvinceName = match
localityName = match
organizationName = match
organizationalUnitName = match
commonName = supplied
emailAddress = supplied
####################################################################
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert
# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret
# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
# utf8only: only UTF8Strings (PKIX recommendation after 2004).
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
string_mask = utf8only
# req_extensions = v3_req # The extensions to add to a certificate request
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = SambaState
localityName = Locality Name (eg, city)
localityName_default = SambaCity
organizationName = Organization Name (eg, company)
organizationName_default = SambaSelfTesting
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Domain Controllers
commonName = Common Name (eg, YOUR name)
commonName_default = addc.addom.samba.example.com
commonName_max = 64
emailAddress = Email Address
emailAddress_default = ca-samba.example.com@samba.example.com
emailAddress_max = 64
# SET-ex3 = SET extension number 3
[ req_attributes ]
#challengePassword = A challenge password
#challengePassword_min = 4
#challengePassword_max = 20
#
#unstructuredName = An optional company name
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
# Extensions for a typical CA
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true
# Key usage: this is typical for a CA certificate.
keyUsage = cRLSign, keyCertSign
crlDistributionPoints=URI:$CRLDISTPT
# Some might want this also
nsCertType = sslCA, emailCA
# Include email address in subject alt name: another PKIX recommendation
subjectAltName=email:copy
# Copy issuer details
issuerAltName=issuer:copy
[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always
#[ usr_cert_mskdc ]
[ template_x509_extensions ]
# These extensions are added when 'ca' signs a request for a domain controller certificate.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
crlDistributionPoints=URI:$CRLDISTPT
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
nsCertType = server
# This is typical in keyUsage for a client certificate.
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "Domain Controller Certificate addc.addom.samba.example.com"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
# This stuff is for subjectAltName and issuerAltname.
subjectAltName=@dc_subjalt
# Copy subject details
issuerAltName=issuer:copy
nsCaRevocationUrl = $CRLDISTPT
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
#Extended Key requirements for our domain controller certs
# serverAuth - says cert can be used to identify an ssl/tls server
# msKDC - says cert can be used to identify a Kerberos Domain Controller.
extendedKeyUsage = clientAuth,serverAuth,msKDC
[dc_subjalt]
DNS=addc.addom.samba.example.com
otherName=msADGUID;FORMAT:HEX,OCTETSTRING:0123456789ABCDEF
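Review bot: the comment `# Copy subject details` in `[ template_x509_extensions ]` is misleading, because `issuerAltName=issuer:copy` copies the issuing CA's subjectAltName into the new certificate's issuerAltName and has nothing to do with the subject; the same directive in `[ v3_ca ]` is correctly labelled `# Copy issuer details`, so use that wording here as well. Two smaller points in the same file: `default_days = 7300` and `default_crl_days = 7300` yield 20-year certificates and CRLs, which is fine for selftest fixtures but deserves a one-line comment saying the values are for the test CA only, and `# A few difference way of specifying how similar the request should look` carries over a typo from the OpenSSL sample config (`different ways`).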

@ -0,0 +1,51 @@
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
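Review bot: the cleartext PKCS#1 key (`BEGIN RSA PRIVATE KEY`) lands in the same directory as the passphrase-protected PKCS#8 key from the earlier hunk, so the passphrase on that copy protects nothing. That is acceptable for selftest material, but nothing in this tree says so; a short README or a comment at the top of the `.cnf` stating that this CA and its keys are public test fixtures and must never be trusted by a real deployment would prevent accidental reuse.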

@ -0,0 +1,30 @@
-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----

@ -0,0 +1 @@
DC-addc.addom.samba.example.com-S02-cert.pem

@ -0,0 +1 @@
DC-addc.addom.samba.example.com-S02-private-key.pem

@ -0,0 +1,190 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=SambaState, L=SambaCity, O=SambaSelfTesting, OU=CA Administration, CN=CA of samba.example.com/emailAddress=ca-samba.example.com@samba.example.com
Validity
Not Before: Mar 16 23:28:44 2016 GMT
Not After : Mar 11 23:28:44 2036 GMT
Subject: C=US, ST=SambaState, O=SambaSelfTesting, OU=Domain Controllers, CN=localdc.samba.example.com/emailAddress=ca-samba.example.com@samba.example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:e6:a4:76:ce:e8:63:fe:57:f9:a3:ae:e0:ad:4d:
e2:15:8e:d8:27:c8:7d:7f:2b:b1:e8:aa:50:8f:94:
f9:c7:71:3f:52:32:91:d1:6d:52:22:5f:cd:8d:cc:
62:16:7a:8b:58:65:ed:07:f7:ea:24:d3:88:d8:26:
ca:eb:ec:16:a7:84:1c:7e:15:46:64:09:22:46:b9:
dd:5c:07:84:50:a7:4e:31:3f:01:23:d1:f8:36:04:
1a:bb:d4:e5:b6:d4:1b:5c:16:c9:9e:37:8a:3e:a9:
7d:30:24:40:b2:b5:44:40:fa:5c:6f:d5:3e:ff:32:
c2:e7:24:0a:e4:e4:aa:9f:ff:4c:ac:be:37:58:22:
08:16:0e:f6:a7:2f:b5:6c:4f:ac:7b:a4:82:a8:9f:
38:64:17:6e:72:b6:7c:4c:c5:44:2a:0a:b4:25:0d:
b0:0c:ab:98:4a:f9:1a:1a:c9:a6:59:f4:00:a5:0a:
6f:0a:d0:a5:34:ca:0f:f4:0e:fb:ba:d7:bb:3e:2c:
7c:0c:68:6b:26:ff:1c:29:fe:77:f9:30:85:0d:44:
8c:af:90:8a:70:93:5d:3a:b6:18:8b:a5:85:11:5c:
a3:5d:57:16:dd:c7:c8:00:f1:05:71:c2:6e:07:3c:
37:69:36:7c:12:c5:9e:1b:69:11:45:44:1e:eb:b9:
b2:96:b1:89:cd:4d:fa:89:eb:92:49:f2:46:35:f3:
9d:87:3c:be:e4:f8:b7:31:a7:36:4b:81:76:9b:b2:
04:d5:80:7d:4f:e6:02:ed:24:4c:a0:03:c4:9d:00:
9f:9d:71:93:0d:a5:b8:37:62:2b:03:c3:bd:24:25:
2c:c3:43:d4:c8:27:b0:6d:05:d4:c6:c5:d8:5b:09:
94:e8:27:6b:d9:6d:b7:bc:de:76:bf:d5:9c:36:26:
04:b9:97:1d:f0:c9:8d:91:93:82:32:0d:b7:16:97:
41:31:9a:22:0b:2e:ba:99:51:28:6b:f5:04:ba:c9:
3d:57:0c:72:e8:e1:24:1a:d4:2a:6a:e7:e3:b6:b9:
94:61:e3:4e:42:81:e5:43:e4:1e:ef:6d:c4:5d:a4:
f9:b4:ec:3a:8a:34:fe:b5:c7:a8:fe:19:8d:cf:7d:
1b:60:21:ba:25:6f:35:cd:4f:72:28:42:7d:87:08:
aa:da:33:7e:63:e6:5b:5f:e7:01:a8:e3:0b:d3:08:
5a:a6:df:ea:e7:2b:13:48:a7:83:32:96:c4:ba:d1:
ff:15:66:52:33:86:46:5f:c2:9f:59:4a:00:98:b7:
1b:a1:87:25:df:ad:68:5b:f7:26:17:2b:eb:84:62:
9d:c3:bd:99:67:6a:02:5d:70:72:3e:18:92:99:8c:
bd:d9:4f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 CRL Distribution Points:
Full Name:
URI:http://www.samba.example.com/crls/CA-samba.example.com-crl.crl
Netscape Cert Type:
SSL Server
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
Netscape Comment:
Domain Controller Certificate localdc.samba.example.com
X509v3 Subject Key Identifier:
E1:DF:73:0B:F1:3E:86:43:A4:B3:E9:8D:44:7D:3C:B2:19:C1:BC:F2
X509v3 Authority Key Identifier:
keyid:A2:3E:02:2A:A3:A7:4D:39:B4:08:4D:99:CC:0C:75:36:EA:27:C3:3E
X509v3 Subject Alternative Name:
DNS:localdc.samba.example.com, othername:<unsupported>
X509v3 Issuer Alternative Name:
email:ca-samba.example.com@samba.example.com
Netscape CA Revocation Url:
http://www.samba.example.com/crls/CA-samba.example.com-crl.crl
X509v3 Extended Key Usage:
TLS Web Client Authentication, TLS Web Server Authentication, msKDC
Signature Algorithm: sha256WithRSAEncryption
89:2c:57:98:17:c1:73:a6:10:02:6f:a6:ac:47:1c:37:2d:1d:
a1:3c:c5:29:b6:3a:e6:e8:14:ec:3b:74:ee:da:db:2d:97:3e:
d3:8c:9d:42:7e:b0:46:e9:54:74:4f:34:df:9e:34:7f:9e:8a:
9d:4d:b2:cf:fb:71:3f:cb:32:e6:45:e7:b4:d3:9e:e8:ca:a5:
cf:16:7b:76:b5:4e:e0:b9:bb:79:b1:82:a7:d3:23:cb:3c:46:
63:63:96:b3:5b:62:9e:99:dc:02:17:f9:07:63:86:76:06:1a:
02:1b:9a:df:1d:cd:e7:46:fe:9a:13:87:47:dd:e2:77:58:50:
a2:6c:c9:a0:f8:14:1f:3b:d7:59:9c:89:bd:2e:2d:ce:60:f4:
c6:2c:e3:63:cf:34:84:61:d9:90:2e:90:fc:5b:4f:a2:00:87:
e7:40:e0:fc:d1:24:8b:d0:28:01:d3:53:ac:b1:58:7f:87:29:
38:56:93:dd:a2:14:4a:9a:94:b9:f8:94:b2:04:47:db:b8:38:
e6:85:2b:cf:d4:72:88:8b:0d:8e:a0:69:f9:9f:10:22:82:9c:
c5:ec:01:e3:07:a1:69:37:94:25:3a:cd:17:29:37:8d:24:d3:
27:0f:4d:bf:b0:31:36:b8:c6:a8:69:0b:df:28:f8:e2:dc:da:
95:3e:7f:d7:3f:a5:8f:92:6a:7d:ad:3a:ac:af:73:2b:5f:f1:
b3:22:92:ef:da:71:84:9e:4b:23:7b:69:b7:29:fc:c5:05:84:
4b:ff:06:92:ee:f5:9b:14:2a:af:be:ef:02:e1:e7:d0:e8:d0:
29:7c:48:40:f1:95:bb:08:b2:30:c5:81:80:a8:91:5b:2e:08:
3b:30:44:07:b5:c4:0b:07:74:ca:5d:37:3d:75:f9:bc:6d:21:
a6:e0:91:d8:f9:27:88:05:58:a7:f4:36:eb:ba:40:63:36:15:
42:98:0b:e2:d1:c9:11:0b:29:81:e1:c7:02:7e:fa:05:65:51:
7b:d6:1a:33:46:fc:a5:d4:fd:64:e8:c8:11:d4:d1:41:d9:39:
18:08:a3:ed:15:70:d9:14:f5:ba:c9:bb:3e:96:8d:5d:cc:c3:
5c:b6:c8:79:02:2e:e2:a1:06:ba:a5:21:1c:bf:16:7f:2d:d9:
93:07:92:b1:fa:ee:3f:e3:56:35:f3:30:aa:11:54:d3:71:cb:
29:d4:60:e1:6c:ae:c4:24:e3:00:4f:5f:52:b0:3f:f4:76:f3:
6d:db:bc:d8:65:c4:37:be:1a:87:9b:65:c4:20:dd:da:a9:4c:
9f:86:33:2b:49:a6:f7:aa:ce:da:98:3b:e3:5f:ac:b8:1b:45:
0e:56:59:fb:49:38:0f:b7:d4:49:f8:7b:ac:fa:d8:b8:1d:16:
db:b2:4c:15:d8:e7:eb:6b:38:ff:d2:69:26:a6:f6:50:15:45:
2f:12:b2:05:d4:bf:6f:53:79:64:9b:d5:8b:a1:08:3e:43:ee:
08:fe:9b:ea:83:89:8a:6a:53:98:1e:c5:91:4c:7a:99:2b:6d:
97:dc:96:1b:de:27:c5:af:0f:dd:42:5c:23:7d:bc:6b:5b:ab:
47:29:98:35:8f:9e:e6:e1:5f:96:6a:bd:cf:3c:47:89:8b:ad:
21:de:20:da:99:82:c1:0e:9b:7c:38:21:d8:b1:1c:34:c5:4e:
f7:fe:7d:5e:a4:2f:f8:7d:5c:30:2c:9e:e6:5a:4f:d3:15:90:
e6:6f:69:ea:51:93:8f:2c:dd:a7:c3:3c:50:a8:d1:ba:0b:5c:
cc:2e:4e:57:71:21:08:a1:2c:bd:a7:20:4b:ae:5c:02:7a:cd:
9a:fe:1e:db:ec:ce:3b:12:37:cb:96:20:7b:3b:b1:5a:2e:84:
03:f9:0b:32:43:c0:4e:e3:ea:79:e7:9a:13:54:e5:a8:1a:17:
c4:79:78:25:63:ab:67:39:39:a0:6c:c4:c5:94:ac:16:92:3d:
f0:1a:1a:9e:ca:7a:84:1b:c1:5a:5f:4c:65:8a:30:a6:5e:6c:
0e:ae:bf:ac:09:97:0f:83:5c:92:ce:e4:43:de:06:4b:96:f5:
46:3b:7d:a8:e3:0f:d3:fe:00:c7:d4:79:4e:5f:bd:ec:59:12:
f9:65:23:fa:e7:97:a2:a6:39:3b:a3:1e:da:47:c5:18:5b:8d:
a7:7b:29:1c:5a:7a:06:c6:92:9e:b7:3b:f0:c5:56:e8:cf:84:
cd:dd:61:0f:21:25:f4:1e:2b:40:b6:74:28:8d:41:f6:2c:1d:
ce:b4:39:d1:e1:be:15:78:c9:d7:99:a1:9d:50:43:da:ec:40:
69:6a:3b:17:af:28:22:09:e0:7d:38:9e:a7:ca:b7:f7:94:8a:
2a:1b:32:4e:28:6d:18:95:ca:42:67:c8:bb:13:24:31:43:84:
3e:95:66:08:5c:15:7f:6b:93:cc:8f:b8:76:7a:fd:74:4a:d6:
6f:64:74:df:72:f7:34:a3:50:f0:db:bf:0a:2b:1b:48:b7:c9:
c0:97:23:27:b1:56:5b:9e:10:12:5a:bf:ff:38:61:da:41:75:
15:c5:03:c2:20:fd:7f:84:c0:94:8e:11:ed:01:ba:f1:19:b5:
05:1d:bf:89:ea:c9:38:4e:d2:cf:5b:24:c6:37:a1:8e:60:89:
5c:52:ff:7d:5e:2d:c9:f8:b1:79:07:4c:2f:18:85:e8:ba:bf:
3e:da:59:43:df:29:79:7e:00:38:d2:fc:a9:8e:3b:9d
-----BEGIN CERTIFICATE-----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=
-----END CERTIFICATE-----
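Review bot: `Serial Number: 0 (0x0)` does not conform to RFC 5280 section 4.1.2.2, which requires the certificate serial to be a positive integer, and strict validators may reject the certificate; initialise the CA's serial file at 1 so the first issued DC certificate gets a non-zero serial. Also, the `othername:<unsupported>` entry in the Subject Alternative Name is the msADGUID otherName carrying the placeholder `0123456789ABCDEF` from the `.cnf`, so the "AD GUID" in this fixture is not a real objectGUID; either note that tests must not match on it or fill in the DC's actual objectGUID.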

@ -0,0 +1,54 @@
-----BEGIN ENCRYPTED PRIVATE KEY-----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-----END ENCRYPTED PRIVATE KEY-----

@ -0,0 +1,250 @@
#
# Based on the OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#
# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
RANDFILE = $ENV::HOME/.rnd
#CRLDISTPT = [CRL Distribution Point; e.g., http://crl-list.base/w4edom-l4.base.crl]
CRLDISTPT = http://www.samba.example.com/crls/CA-samba.example.com-crl.crl
# Extra OBJECT IDENTIFIER info:
oid_section = new_oids
# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)
[ new_oids ]
# Ordinarily, certificates must have this oid as an enhanced key usage in order for Windows to allow them to be used as a login credential
scardLogin=1.3.6.1.4.1.311.20.2.2
# Used in a smart card login certificate's subject alternative name
msUPN=1.3.6.1.4.1.311.20.2.3
# Ordinarily, certificates must have this oid as an enhanced key usage in order for Windows to allow them to be used to identify a domain controller
msKDC=1.3.6.1.5.2.3.5
# Identifies the AD GUID
msADGUID=1.3.6.1.4.1.311.25.1
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = CA-samba.example.com # Where everything is kept
certs = $dir/_none_certs # Where the issued certs are kept
crl_dir = $dir/_none_crl # Where the issued crl are kept
database = $dir/Private/CA-samba.example.com-index.txt # database index file.
unique_subject = yes # Set to 'no' to allow creation of
# several certificates with same subject.
new_certs_dir = $dir/NewCerts # default place for new certs.
certificate = $dir/Public/CA-samba.example.com-cert.pem # The CA certificate
serial = $dir/Private/CA-samba.example.com-serial.txt # The current serial number
crlnumber = $dir/Private/CA-samba.example.com-crlnumber.txt # the current crl number
# must be commented out to leave a V1 CRL
#crl = $dir/Public/CA-samba.example.com-crl.pem # The current CRL
crl = $dir/Public/CA-samba.example.com-crl.crl # The current CRL
private_key = $dir/Private/CA-samba.example.com-private-key.pem # The private key
RANDFILE = $dir/Private/CA-samba.example.com.rand # private random number file
#x509_extensions = # The extensions to add to the cert
x509_extensions = template_x509_extensions
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
# Extension copying option: use with caution.
# copy_extensions = copy
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
crl_extensions = crl_ext
default_days = 7300 # how long to certify for
default_crl_days= 7300 # how long before next CRL
default_md = sha256 # use public key default MD
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = match
stateOrProvinceName = match
localityName = match
organizationName = match
organizationalUnitName = match
commonName = supplied
emailAddress = supplied
####################################################################
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert
# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret
# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
# utf8only: only UTF8Strings (PKIX recommendation after 2004).
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
string_mask = utf8only
# req_extensions = v3_req # The extensions to add to a certificate request
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = SambaState
localityName = Locality Name (eg, city)
localityName_default = SambaCity
organizationName = Organization Name (eg, company)
organizationName_default = SambaSelfTesting
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Domain Controllers
commonName = Common Name (eg, YOUR name)
commonName_default = localdc.samba.example.com
commonName_max = 64
emailAddress = Email Address
emailAddress_default = ca-samba.example.com@samba.example.com
emailAddress_max = 64
# SET-ex3 = SET extension number 3
[ req_attributes ]
#challengePassword = A challenge password
#challengePassword_min = 4
#challengePassword_max = 20
#
#unstructuredName = An optional company name
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
# Extensions for a typical CA
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true
# Key usage: this is typical for a CA certificate.
keyUsage = cRLSign, keyCertSign
crlDistributionPoints=URI:$CRLDISTPT
# Some might want this also
nsCertType = sslCA, emailCA
# Include email address in subject alt name: another PKIX recommendation
subjectAltName=email:copy
# Copy issuer details
issuerAltName=issuer:copy
[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always
#[ usr_cert_mskdc ]
[ template_x509_extensions ]
# These extensions are added when 'ca' signs a request for a domain controller certificate.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
crlDistributionPoints=URI:$CRLDISTPT
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
nsCertType = server
# This is typical in keyUsage for a client certificate.
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "Domain Controller Certificate localdc.samba.example.com"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
# This stuff is for subjectAltName and issuerAltname.
subjectAltName=@dc_subjalt
# Copy subject details
issuerAltName=issuer:copy
nsCaRevocationUrl = $CRLDISTPT
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
#Extended Key requirements for our domain controller certs
# serverAuth - says cert can be used to identify an ssl/tls server
# msKDC - says cert can be used to identify a Kerberos Domain Controller.
extendedKeyUsage = clientAuth,serverAuth,msKDC
[dc_subjalt]
DNS=localdc.samba.example.com
otherName=msADGUID;FORMAT:HEX,OCTETSTRING:0123456789ABCDEF
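Review bot: `otherName=msADGUID;FORMAT:HEX,OCTETSTRING:0123456789ABCDEF` in `[dc_subjalt]` uses exactly the same value as the addc.addom.samba.example.com config earlier in this commit, so both domain controller certificates advertise the same "AD GUID". The msADGUID (1.3.6.1.4.1.311.25.1) otherName is meant to carry the DC's objectGUID, which is unique per DC; give each DC config its own value (or derive it from the DC object) and, if the tests do not depend on it, say in the comment that the value is a placeholder.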

@ -0,0 +1,51 @@
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----

@ -0,0 +1,30 @@
-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----

@ -0,0 +1 @@
DC-localdc.samba.example.com-S00-cert.pem

@ -0,0 +1 @@
DC-localdc.samba.example.com-S00-private-key.pem

@ -0,0 +1,190 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=SambaState, L=SambaCity, O=SambaSelfTesting, OU=CA Administration, CN=CA of samba.example.com/emailAddress=ca-samba.example.com@samba.example.com
Validity
Not Before: Mar 16 23:28:44 2016 GMT
Not After : Mar 11 23:28:44 2036 GMT
Subject: C=US, ST=SambaState, O=SambaSelfTesting, OU=Domain Controllers, CN=localdc.samba.example.com/emailAddress=ca-samba.example.com@samba.example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:e6:a4:76:ce:e8:63:fe:57:f9:a3:ae:e0:ad:4d:
e2:15:8e:d8:27:c8:7d:7f:2b:b1:e8:aa:50:8f:94:
f9:c7:71:3f:52:32:91:d1:6d:52:22:5f:cd:8d:cc:
62:16:7a:8b:58:65:ed:07:f7:ea:24:d3:88:d8:26:
ca:eb:ec:16:a7:84:1c:7e:15:46:64:09:22:46:b9:
dd:5c:07:84:50:a7:4e:31:3f:01:23:d1:f8:36:04:
1a:bb:d4:e5:b6:d4:1b:5c:16:c9:9e:37:8a:3e:a9:
7d:30:24:40:b2:b5:44:40:fa:5c:6f:d5:3e:ff:32:
c2:e7:24:0a:e4:e4:aa:9f:ff:4c:ac:be:37:58:22:
08:16:0e:f6:a7:2f:b5:6c:4f:ac:7b:a4:82:a8:9f:
38:64:17:6e:72:b6:7c:4c:c5:44:2a:0a:b4:25:0d:
b0:0c:ab:98:4a:f9:1a:1a:c9:a6:59:f4:00:a5:0a:
6f:0a:d0:a5:34:ca:0f:f4:0e:fb:ba:d7:bb:3e:2c:
7c:0c:68:6b:26:ff:1c:29:fe:77:f9:30:85:0d:44:
8c:af:90:8a:70:93:5d:3a:b6:18:8b:a5:85:11:5c:
a3:5d:57:16:dd:c7:c8:00:f1:05:71:c2:6e:07:3c:
37:69:36:7c:12:c5:9e:1b:69:11:45:44:1e:eb:b9:
b2:96:b1:89:cd:4d:fa:89:eb:92:49:f2:46:35:f3:
9d:87:3c:be:e4:f8:b7:31:a7:36:4b:81:76:9b:b2:
04:d5:80:7d:4f:e6:02:ed:24:4c:a0:03:c4:9d:00:
9f:9d:71:93:0d:a5:b8:37:62:2b:03:c3:bd:24:25:
2c:c3:43:d4:c8:27:b0:6d:05:d4:c6:c5:d8:5b:09:
94:e8:27:6b:d9:6d:b7:bc:de:76:bf:d5:9c:36:26:
04:b9:97:1d:f0:c9:8d:91:93:82:32:0d:b7:16:97:
41:31:9a:22:0b:2e:ba:99:51:28:6b:f5:04:ba:c9:
3d:57:0c:72:e8:e1:24:1a:d4:2a:6a:e7:e3:b6:b9:
94:61:e3:4e:42:81:e5:43:e4:1e:ef:6d:c4:5d:a4:
f9:b4:ec:3a:8a:34:fe:b5:c7:a8:fe:19:8d:cf:7d:
1b:60:21:ba:25:6f:35:cd:4f:72:28:42:7d:87:08:
aa:da:33:7e:63:e6:5b:5f:e7:01:a8:e3:0b:d3:08:
5a:a6:df:ea:e7:2b:13:48:a7:83:32:96:c4:ba:d1:
ff:15:66:52:33:86:46:5f:c2:9f:59:4a:00:98:b7:
1b:a1:87:25:df:ad:68:5b:f7:26:17:2b:eb:84:62:
9d:c3:bd:99:67:6a:02:5d:70:72:3e:18:92:99:8c:
bd:d9:4f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 CRL Distribution Points:
Full Name:
URI:http://www.samba.example.com/crls/CA-samba.example.com-crl.crl
Netscape Cert Type:
SSL Server
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
Netscape Comment:
Domain Controller Certificate localdc.samba.example.com
X509v3 Subject Key Identifier:
E1:DF:73:0B:F1:3E:86:43:A4:B3:E9:8D:44:7D:3C:B2:19:C1:BC:F2
X509v3 Authority Key Identifier:
keyid:A2:3E:02:2A:A3:A7:4D:39:B4:08:4D:99:CC:0C:75:36:EA:27:C3:3E
X509v3 Subject Alternative Name:
DNS:localdc.samba.example.com, othername:<unsupported>
X509v3 Issuer Alternative Name:
email:ca-samba.example.com@samba.example.com
Netscape CA Revocation Url:
http://www.samba.example.com/crls/CA-samba.example.com-crl.crl
X509v3 Extended Key Usage:
TLS Web Client Authentication, TLS Web Server Authentication, msKDC
Signature Algorithm: sha256WithRSAEncryption
@ -0,0 +1,169 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=SambaState, L=SambaCity, O=SambaSelfTesting, OU=CA Administration, CN=CA of samba.example.com/emailAddress=ca-samba.example.com@samba.example.com
Validity
Not Before: Mar 16 23:29:04 2016 GMT
Not After : Mar 11 23:29:04 2036 GMT
Subject: C=US, ST=SambaState, O=SambaSelfTesting, OU=Users, CN=administrator@samba.example.com/emailAddress=administrator@samba.example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 CRL Distribution Points:
Full Name:
URI:http://www.samba.example.com/crls/CA-samba.example.com-crl.crl
Netscape Cert Type:
SSL Client, S/MIME
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
Netscape Comment:
Smart Card Login Certificate for administrator@samba.example.com
X509v3 Subject Key Identifier:
45:DA:4B:8D:05:9C:62:4E:62:C3:D7:5C:5F:D3:D9:85:B4:9B:F2:2C
X509v3 Authority Key Identifier:
keyid:A2:3E:02:2A:A3:A7:4D:39:B4:08:4D:99:CC:0C:75:36:EA:27:C3:3E
X509v3 Subject Alternative Name:
email:administrator@samba.example.com, othername:<unsupported>
X509v3 Issuer Alternative Name:
email:ca-samba.example.com@samba.example.com
Netscape CA Revocation Url:
http://www.samba.example.com/crls/CA-samba.example.com-crl.crl
X509v3 Extended Key Usage:
TLS Web Client Authentication, scardLogin
Signature Algorithm: sha256WithRSAEncryption
@ -0,0 +1,191 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2 (0x2)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=SambaState, L=SambaCity, O=SambaSelfTesting, OU=CA Administration, CN=CA of samba.example.com/emailAddress=ca-samba.example.com@samba.example.com
Validity
Not Before: Mar 16 23:29:25 2016 GMT
Not After : Mar 11 23:29:25 2036 GMT
Subject: C=US, ST=SambaState, O=SambaSelfTesting, OU=Domain Controllers, CN=addc.addom.samba.example.com/emailAddress=ca-samba.example.com@samba.example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 CRL Distribution Points:
Full Name:
URI:http://www.samba.example.com/crls/CA-samba.example.com-crl.crl
Netscape Cert Type:
SSL Server
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
Netscape Comment:
Domain Controller Certificate addc.addom.samba.example.com
X509v3 Subject Key Identifier:
3D:BC:70:0C:74:D4:B8:85:49:1D:08:84:C4:1B:27:F2:AF:72:37:D3
X509v3 Authority Key Identifier:
keyid:A2:3E:02:2A:A3:A7:4D:39:B4:08:4D:99:CC:0C:75:36:EA:27:C3:3E
X509v3 Subject Alternative Name:
DNS:addc.addom.samba.example.com, othername:<unsupported>
X509v3 Issuer Alternative Name:
email:ca-samba.example.com@samba.example.com
Netscape CA Revocation Url:
http://www.samba.example.com/crls/CA-samba.example.com-crl.crl
X509v3 Extended Key Usage:
TLS Web Client Authentication, TLS Web Server Authentication, msKDC
Signature Algorithm: sha256WithRSAEncryption
@ -0,0 +1,169 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 3 (0x3)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=SambaState, L=SambaCity, O=SambaSelfTesting, OU=CA Administration, CN=CA of samba.example.com/emailAddress=ca-samba.example.com@samba.example.com
Validity
Not Before: Mar 16 23:29:41 2016 GMT
Not After : Mar 11 23:29:41 2036 GMT
Subject: C=US, ST=SambaState, O=SambaSelfTesting, OU=Users, CN=administrator@addom.samba.example.com/emailAddress=administrator@addom.samba.example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 CRL Distribution Points:
Full Name:
URI:http://www.samba.example.com/crls/CA-samba.example.com-crl.crl
Netscape Cert Type:
SSL Client, S/MIME
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
Netscape Comment:
Smart Card Login Certificate for administrator@addom.samba.example.com
X509v3 Subject Key Identifier:
30:10:6E:1F:7E:52:33:8C:C8:85:E5:92:74:5D:76:7E:E9:33:5B:36
X509v3 Authority Key Identifier:
keyid:A2:3E:02:2A:A3:A7:4D:39:B4:08:4D:99:CC:0C:75:36:EA:27:C3:3E
X509v3 Subject Alternative Name:
email:administrator@addom.samba.example.com, othername:<unsupported>
X509v3 Issuer Alternative Name:
email:ca-samba.example.com@samba.example.com
Netscape CA Revocation Url:
http://www.samba.example.com/crls/CA-samba.example.com-crl.crl
X509v3 Extended Key Usage:
TLS Web Client Authentication, scardLogin
Signature Algorithm: sha256WithRSAEncryption
@ -0,0 +1,4 @@
V 360311232844Z 00 unknown /C=US/ST=SambaState/O=SambaSelfTesting/OU=Domain Controllers/CN=localdc.samba.example.com/emailAddress=ca-samba.example.com@samba.example.com
V 360311232904Z 01 unknown /C=US/ST=SambaState/O=SambaSelfTesting/OU=Users/CN=administrator@samba.example.com/emailAddress=administrator@samba.example.com
V 360311232925Z 02 unknown /C=US/ST=SambaState/O=SambaSelfTesting/OU=Domain Controllers/CN=addc.addom.samba.example.com/emailAddress=ca-samba.example.com@samba.example.com
V 360311232941Z 03 unknown /C=US/ST=SambaState/O=SambaSelfTesting/OU=Users/CN=administrator@addom.samba.example.com/emailAddress=administrator@addom.samba.example.com

@ -0,0 +1 @@
unique_subject = yes

@ -0,0 +1 @@
unique_subject = yes

@ -0,0 +1,3 @@
V 360311232844Z 00 unknown /C=US/ST=SambaState/O=SambaSelfTesting/OU=Domain Controllers/CN=localdc.samba.example.com/emailAddress=ca-samba.example.com@samba.example.com
V 360311232904Z 01 unknown /C=US/ST=SambaState/O=SambaSelfTesting/OU=Users/CN=administrator@samba.example.com/emailAddress=administrator@samba.example.com
V 360311232925Z 02 unknown /C=US/ST=SambaState/O=SambaSelfTesting/OU=Domain Controllers/CN=addc.addom.samba.example.com/emailAddress=ca-samba.example.com@samba.example.com
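Review bot: this three-entry index repeats the first three lines of the four-entry index above and only lacks serial 03; if it is the `index.txt.old` backup that `openssl ca` rewrites on every signing (and the second single-line `unique_subject = yes` file is the matching `.attr.old`), consider whether these backups need to be committed at all, or add a short note that the whole CA directory is checked in verbatim so the next update does not drop them by accident.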

@ -0,0 +1,203 @@
#
# Based on the OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#
# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
RANDFILE = $ENV::HOME/.rnd
#CRLDISTPT = [CRL Distribution Point; e.g., http://crl-list.base/w4edom-l4.base.crl]
CRLDISTPT = http://www.samba.example.com/crls/CA-samba.example.com-crl.crl
# Extra OBJECT IDENTIFIER info:
oid_section = new_oids
# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)
[ new_oids ]
# Ordinarily, certificates must have this oid as an enhanced key usage in order for Windows to allow them to be used as a login credential
scardLogin=1.3.6.1.4.1.311.20.2.2
# Used in a smart card login certificate's subject alternative name
msUPN=1.3.6.1.4.1.311.20.2.3
# Ordinarily, certificates must have this oid as an enhanced key usage in order for Windows to allow them to be used to identify a domain controller
msKDC=1.3.6.1.5.2.3.5
# Identifies the AD GUID
msADGUID=1.3.6.1.4.1.311.25.1
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = CA-samba.example.com # Where everything is kept
certs = $dir/_none_certs # Where the issued certs are kept
crl_dir = $dir/_none_crl # Where the issued crl are kept
database = $dir/Private/CA-samba.example.com-index.txt # database index file.
unique_subject = yes # Set to 'no' to allow creation of
# several certificates with same subject.
new_certs_dir = $dir/NewCerts # default place for new certs.
certificate = $dir/Public/CA-samba.example.com-cert.pem # The CA certificate
serial = $dir/Private/CA-samba.example.com-serial.txt # The current serial number
crlnumber = $dir/Private/CA-samba.example.com-crlnumber.txt # the current crl number
# must be commented out to leave a V1 CRL
#crl = $dir/Public/CA-samba.example.com-crl.pem # The current CRL
crl = $dir/Public/CA-samba.example.com-crl.crl # The current CRL
private_key = $dir/Private/CA-samba.example.com-private-key.pem # The private key
RANDFILE = $dir/Private/CA-samba.example.com.rand # private random number file
#x509_extensions = # The extensions to add to the cert
x509_extensions = template_x509_extensions
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
# Extension copying option: use with caution.
# copy_extensions = copy
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
crl_extensions = crl_ext
default_days = 1 # how long to certify for
default_crl_days= 7300 # how long before next CRL
default_md = sha256 # use public key default MD
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = match
stateOrProvinceName = match
localityName = match
organizationName = match
organizationalUnitName = match
commonName = supplied
emailAddress = supplied
####################################################################
[ req ]
default_bits = 8192
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert
# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret
# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
# utf8only: only UTF8Strings (PKIX recommendation after 2004).
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
string_mask = utf8only
# req_extensions = v3_req # The extensions to add to a certificate request
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = SambaState
localityName = Locality Name (eg, city)
localityName_default = SambaCity
organizationName = Organization Name (eg, company)
organizationName_default = SambaSelfTesting
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = CA Administration
commonName = Common Name (eg, YOUR name)
commonName_default = CA of samba.example.com
commonName_max = 64
emailAddress = Email Address
emailAddress_default = ca-samba.example.com@samba.example.com
emailAddress_max = 64
# SET-ex3 = SET extension number 3
[ req_attributes ]
#challengePassword = A challenge password
#challengePassword_min = 4
#challengePassword_max = 20
#
#unstructuredName = An optional company name
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
# Extensions for a typical CA
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true
# Key usage: this is typical for a CA certificate.
keyUsage = cRLSign, keyCertSign
crlDistributionPoints=URI:$CRLDISTPT
# Some might want this also
nsCertType = sslCA, emailCA
# Include email address in subject alt name: another PKIX recommendation
subjectAltName=email:copy
# Copy issuer details
issuerAltName=issuer:copy
[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always
[ template_x509_extensions ]
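Review bot: `[ template_x509_extensions ]` on the last line is an empty section, yet `CA_default` sets `x509_extensions = template_x509_extensions`, so a certificate signed with this file as-is would get no v3 extensions at all (no basicConstraints, keyUsage or subjectAltName); since the dumped certificates do carry those extensions, either document how the section is filled in at signing time (for example by the generating script) or populate it here. Also `default_days = 1` does not match the twenty-year validity shown in the issued certificates, so a comment noting that `-days` is passed explicitly would help whoever regenerates this test PKI.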

@ -0,0 +1,102 @@
@ -0,0 +1,62 @@
@ -0,0 +1,32 @@
@ -0,0 +1,169 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 3 (0x3)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=SambaState, L=SambaCity, O=SambaSelfTesting, OU=CA Administration, CN=CA of samba.example.com/emailAddress=ca-samba.example.com@samba.example.com
Validity
Not Before: Mar 16 23:29:41 2016 GMT
Not After : Mar 11 23:29:41 2036 GMT
Subject: C=US, ST=SambaState, O=SambaSelfTesting, OU=Users, CN=administrator@addom.samba.example.com/emailAddress=administrator@addom.samba.example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 CRL Distribution Points:
Full Name:
URI:http://www.samba.example.com/crls/CA-samba.example.com-crl.crl
Netscape Cert Type:
SSL Client, S/MIME
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
Netscape Comment:
Smart Card Login Certificate for administrator@addom.samba.example.com
X509v3 Subject Key Identifier:
30:10:6E:1F:7E:52:33:8C:C8:85:E5:92:74:5D:76:7E:E9:33:5B:36
X509v3 Authority Key Identifier:
keyid:A2:3E:02:2A:A3:A7:4D:39:B4:08:4D:99:CC:0C:75:36:EA:27:C3:3E
X509v3 Subject Alternative Name:
email:administrator@addom.samba.example.com, othername:<unsupported>
X509v3 Issuer Alternative Name:
email:ca-samba.example.com@samba.example.com
Netscape CA Revocation Url:
http://www.samba.example.com/crls/CA-samba.example.com-crl.crl
X509v3 Extended Key Usage:
TLS Web Client Authentication, scardLogin
Signature Algorithm: sha256WithRSAEncryption
e0:8b:da:75:57:9b:c8:9d:a1:18:18:e2:5c:35:35:9e:62:2c:
f5:0f:c0:8f:55:16:a5:d4:9e:cd:0e:78:87:9d:53:d3:01:e1:
18:61:36:1c:06:c3:3a:43:f3:8a:13:e6:4e:52:32:fd:46:21:
cd:62:18:1f:ae:f5:f2:1a:ea:7a:01:3b:a1:3f:1d:16:00:91:
5e:94:78:f4:60:33:54:a9:fc:1c:0a:75:f9:17:aa:dd:12:91:
66:4b:f0:d1:60:25:d4:06:d1:99:9c:c5:64:01:4b:ba:d9:66:
ba:9c:f7:68:75:fd:11:3a:eb:6e:fb:8f:a6:17:8a:cd:bc:1a:
59:f9:a9:cd:33:db:7d:71:26:7d:c7:be:de:eb:2e:c0:7e:db:
29:08:0e:82:63:1e:8c:8f:e6:21:1c:b1:49:13:9e:df:78:3b:
68:01:17:0f:df:97:96:58:32:48:1e:5c:ff:fa:db:90:b5:05:
84:68:fd:7c:c0:a5:35:d9:75:1e:ea:cc:25:25:3f:6e
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
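Review bot: the human-readable dump does not fully document this fixture: under "X509v3 Subject Alternative Name" the second entry is rendered as `othername:<unsupported>`, so the text above shows only the `email:` SAN and leaves the othername's type and value undocumented, while the "Netscape Comment" and the `scardLogin` extended key usage indicate the certificate is meant for smart card login. Anyone reviewing or regenerating this fixture has to decode the PEM block to see that field; either regenerate the `.txt` with a tool that decodes the othername, or add a comment stating what it contains so the text file stays a faithful description of the certificate.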
