mirror of
https://github.com/samba-team/samba.git
synced 2025-01-25 06:04:04 +03:00
CVE-2020-25722 dsdb: objectclass computer becomes UF_WORKSTATION_TRUST by default
There are a lot of knownfail entries added with this commit. These all need to be addressed and removed in subsequent commits which will restructure the tests to pass within this new reality. This default applies even to users with administrator rights, as changing the default based on permissions would break to many assumptions. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
This commit is contained in:
parent
755e8a53ce
commit
e5b94eea6a
42
selftest/knownfail.d/uac_objectclass_restrict
Normal file
42
selftest/knownfail.d/uac_objectclass_restrict
Normal file
@ -0,0 +1,42 @@
|
|||||||
|
# Knownfail entries due to restricting the creation of computer/user
|
||||||
|
# accounts (in terms of userAccountControl) that do not match the objectclass
|
||||||
|
#
|
||||||
|
# All these tests need to be fixed and the entries here removed
|
||||||
|
|
||||||
|
^samba4.sam.python\(fl2008r2dc\).__main__.SamTests.test_isCriticalSystemObject\(fl2008r2dc\)
|
||||||
|
^samba4.sam.python\(fl2008r2dc\).__main__.SamTests.test_userAccountControl\(fl2008r2dc\)
|
||||||
|
^samba4.sam.python\(fl2008r2dc\).__main__.SamTests.test_users_groups\(fl2008r2dc\)
|
||||||
|
^samba4.ldap.python\(ad_dc_default\).__main__.BasicTests.test_all\(ad_dc_default\)
|
||||||
|
^samba4.sam.python\(ad_dc_default\).__main__.SamTests.test_isCriticalSystemObject\(ad_dc_default\)
|
||||||
|
^samba4.sam.python\(ad_dc_default\).__main__.SamTests.test_userAccountControl\(ad_dc_default\)
|
||||||
|
^samba4.sam.python\(ad_dc_default\).__main__.SamTests.test_users_groups\(ad_dc_default\)
|
||||||
|
^samba4.user_account_control.python\(ad_dc_default\).__main__.UserAccountControlTests.test_add_computer_sd_cc\(ad_dc_default\)
|
||||||
|
^samba4.user_account_control.python\(ad_dc_default\).__main__.UserAccountControlTests.test_admin_mod_uac\(ad_dc_default\)
|
||||||
|
^samba4.user_account_control.python\(ad_dc_default\).__main__.UserAccountControlTests.test_mod_computer_cc\(ad_dc_default\)
|
||||||
|
^samba4.user_account_control.python\(ad_dc_default\).__main__.UserAccountControlTests.test_uac_bits_set_0x10000000\(ad_dc_default\)
|
||||||
|
^samba4.user_account_control.python\(ad_dc_default\).__main__.UserAccountControlTests.test_uac_bits_set_0x20000000\(ad_dc_default\)
|
||||||
|
^samba4.user_account_control.python\(ad_dc_default\).__main__.UserAccountControlTests.test_uac_bits_set_0x40000000\(ad_dc_default\)
|
||||||
|
^samba4.user_account_control.python\(ad_dc_default\).__main__.UserAccountControlTests.test_uac_bits_set_0x80000000\(ad_dc_default\)
|
||||||
|
^samba4.user_account_control.python\(ad_dc_default\).__main__.UserAccountControlTests.test_uac_bits_set_UF_00000004\(ad_dc_default\)
|
||||||
|
^samba4.user_account_control.python\(ad_dc_default\).__main__.UserAccountControlTests.test_uac_bits_set_UF_00000400\(ad_dc_default\)
|
||||||
|
^samba4.user_account_control.python\(ad_dc_default\).__main__.UserAccountControlTests.test_uac_bits_set_UF_00004000\(ad_dc_default\)
|
||||||
|
^samba4.user_account_control.python\(ad_dc_default\).__main__.UserAccountControlTests.test_uac_bits_set_UF_00008000\(ad_dc_default\)
|
||||||
|
^samba4.user_account_control.python\(ad_dc_default\).__main__.UserAccountControlTests.test_uac_bits_set_UF_ACCOUNTDISABLE\(ad_dc_default\)
|
||||||
|
^samba4.user_account_control.python\(ad_dc_default\).__main__.UserAccountControlTests.test_uac_bits_set_UF_DONT_EXPIRE_PASSWD\(ad_dc_default\)
|
||||||
|
^samba4.user_account_control.python\(ad_dc_default\).__main__.UserAccountControlTests.test_uac_bits_set_UF_DONT_REQUIRE_PREAUTH\(ad_dc_default\)
|
||||||
|
^samba4.user_account_control.python\(ad_dc_default\).__main__.UserAccountControlTests.test_uac_bits_set_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED\(ad_dc_default\)
|
||||||
|
^samba4.user_account_control.python\(ad_dc_default\).__main__.UserAccountControlTests.test_uac_bits_set_UF_HOMEDIR_REQUIRED\(ad_dc_default\)
|
||||||
|
^samba4.user_account_control.python\(ad_dc_default\).__main__.UserAccountControlTests.test_uac_bits_set_UF_LOCKOUT\(ad_dc_default\)
|
||||||
|
^samba4.user_account_control.python\(ad_dc_default\).__main__.UserAccountControlTests.test_uac_bits_set_UF_MNS_LOGON_ACCOUNT\(ad_dc_default\)
|
||||||
|
^samba4.user_account_control.python\(ad_dc_default\).__main__.UserAccountControlTests.test_uac_bits_set_UF_NORMAL_ACCOUNT\(ad_dc_default\)
|
||||||
|
^samba4.user_account_control.python\(ad_dc_default\).__main__.UserAccountControlTests.test_uac_bits_set_UF_NOT_DELEGATED\(ad_dc_default\)
|
||||||
|
^samba4.user_account_control.python\(ad_dc_default\).__main__.UserAccountControlTests.test_uac_bits_set_UF_NO_AUTH_DATA_REQUIRED\(ad_dc_default\)
|
||||||
|
^samba4.user_account_control.python\(ad_dc_default\).__main__.UserAccountControlTests.test_uac_bits_set_UF_PASSWD_CANT_CHANGE\(ad_dc_default\)
|
||||||
|
^samba4.user_account_control.python\(ad_dc_default\).__main__.UserAccountControlTests.test_uac_bits_set_UF_PASSWD_NOTREQD\(ad_dc_default\)
|
||||||
|
^samba4.user_account_control.python\(ad_dc_default\).__main__.UserAccountControlTests.test_uac_bits_set_UF_PASSWORD_EXPIRED\(ad_dc_default\)
|
||||||
|
^samba4.user_account_control.python\(ad_dc_default\).__main__.UserAccountControlTests.test_uac_bits_set_UF_SCRIPT\(ad_dc_default\)
|
||||||
|
^samba4.user_account_control.python\(ad_dc_default\).__main__.UserAccountControlTests.test_uac_bits_set_UF_SMARTCARD_REQUIRED\(ad_dc_default\)
|
||||||
|
^samba4.user_account_control.python\(ad_dc_default\).__main__.UserAccountControlTests.test_uac_bits_set_UF_USE_AES_KEYS\(ad_dc_default\)
|
||||||
|
^samba4.user_account_control.python\(ad_dc_default\).__main__.UserAccountControlTests.test_uac_bits_set_UF_USE_DES_KEY_ONLY\(ad_dc_default\)
|
||||||
|
^samba4.user_account_control.python\(ad_dc_default\).__main__.UserAccountControlTests.test_uac_bits_set_UF_WORKSTATION_TRUST_ACCOUNT\(ad_dc_default\)
|
||||||
|
^samba4.user_account_control.python\(ad_dc_default\).__main__.UserAccountControlTests.test_uac_bits_unrelated_modify_UF_NORMAL_ACCOUNT\(ad_dc_default\)
|
@ -1416,19 +1416,33 @@ static int samldb_objectclass_trigger(struct samldb_ctx *ac)
|
|||||||
|
|
||||||
switch(ac->type) {
|
switch(ac->type) {
|
||||||
case SAMLDB_TYPE_USER: {
|
case SAMLDB_TYPE_USER: {
|
||||||
|
bool is_computer_objectclass;
|
||||||
bool uac_generated = false, uac_add_flags = false;
|
bool uac_generated = false, uac_add_flags = false;
|
||||||
|
uint32_t default_user_account_control = UF_NORMAL_ACCOUNT;
|
||||||
/* Step 1.2: Default values */
|
/* Step 1.2: Default values */
|
||||||
ret = dsdb_user_obj_set_defaults(ldb, ac->msg, ac->req);
|
ret = dsdb_user_obj_set_defaults(ldb, ac->msg, ac->req);
|
||||||
if (ret != LDB_SUCCESS) return ret;
|
if (ret != LDB_SUCCESS) return ret;
|
||||||
|
|
||||||
|
is_computer_objectclass
|
||||||
|
= (samdb_find_attribute(ldb,
|
||||||
|
ac->msg,
|
||||||
|
"objectclass",
|
||||||
|
"computer")
|
||||||
|
!= NULL);
|
||||||
|
|
||||||
|
if (is_computer_objectclass) {
|
||||||
|
default_user_account_control
|
||||||
|
= UF_WORKSTATION_TRUST_ACCOUNT;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
/* On add operations we might need to generate a
|
/* On add operations we might need to generate a
|
||||||
* "userAccountControl" (if it isn't specified). */
|
* "userAccountControl" (if it isn't specified). */
|
||||||
el = ldb_msg_find_element(ac->msg, "userAccountControl");
|
el = ldb_msg_find_element(ac->msg, "userAccountControl");
|
||||||
if ((el == NULL) && (ac->req->operation == LDB_ADD)) {
|
if ((el == NULL) && (ac->req->operation == LDB_ADD)) {
|
||||||
ret = samdb_msg_set_uint(ldb, ac->msg, ac->msg,
|
ret = samdb_msg_set_uint(ldb, ac->msg, ac->msg,
|
||||||
"userAccountControl",
|
"userAccountControl",
|
||||||
UF_NORMAL_ACCOUNT);
|
default_user_account_control);
|
||||||
if (ret != LDB_SUCCESS) {
|
if (ret != LDB_SUCCESS) {
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
@ -1447,11 +1461,14 @@ static int samldb_objectclass_trigger(struct samldb_ctx *ac)
|
|||||||
raw_uac = user_account_control;
|
raw_uac = user_account_control;
|
||||||
/*
|
/*
|
||||||
* "userAccountControl" = 0 or missing one of
|
* "userAccountControl" = 0 or missing one of
|
||||||
* the types means "UF_NORMAL_ACCOUNT". See
|
* the types means "UF_NORMAL_ACCOUNT"
|
||||||
* MS-SAMR 3.1.1.8.10 point 8
|
* or "UF_WORKSTATION_TRUST_ACCOUNT" (if a computer).
|
||||||
|
* See MS-SAMR 3.1.1.8.10 point 8
|
||||||
*/
|
*/
|
||||||
if ((user_account_control & UF_ACCOUNT_TYPE_MASK) == 0) {
|
if ((user_account_control & UF_ACCOUNT_TYPE_MASK) == 0) {
|
||||||
user_account_control = UF_NORMAL_ACCOUNT | user_account_control;
|
user_account_control
|
||||||
|
= default_user_account_control
|
||||||
|
| user_account_control;
|
||||||
uac_generated = true;
|
uac_generated = true;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
Loading…
x
Reference in New Issue
Block a user