sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-08-20 05:49:28 +03:00
Code Activity
123,826 Commits 64 Branches 1,166 Tags
v4-13-stable
Commit Graph

2732 Commits

Author SHA1 Message Date
Joseph Sutton
7368e0051a CVE-2022-0336: pytest: Add a test for an SPN conflict with a re-added SPN 
This test currently fails, as re-adding an SPN means that later checks
do not run.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14950

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
 2022-01-30 14:05:32 +01:00
Joseph Sutton
32ba258cd7 CVE-2020-25717: tests/krb5: Add a test for idmap_nss mapping users to SIDs 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Stefan Metzmacher <metze@samba.org>

[metze@samba.org removed unused tests for a feature that
 was removed before merging]
Reviewed-by: Ralph Boehme <slow@samba.org>

(cherry picked from commit 494bf7de6f)
 2021-11-17 14:35:14 +00:00
Joseph Sutton
302bb70ebc CVE-2020-25717: tests/krb5: Add method to automatically obtain server credentials 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 5ea347d367)
 2021-11-17 14:35:14 +00:00
Stefan Metzmacher
f4492f9309 CVE-2021-23192: python/tests/dcerpc: add tests to check how security contexts relate to fragmented requests 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>
 2021-11-08 10:52:13 +01:00
Stefan Metzmacher
1f66e3f97e CVE-2021-23192: python/tests/dcerpc: fix do_single_request(send_req=False) 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>
 2021-11-08 10:52:13 +01:00
Stefan Metzmacher
adcd0d7613 CVE-2021-23192: python/tests/dcerpc: let generate_request_auth() use g_auth_level in all places 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>
 2021-11-08 10:52:13 +01:00
Stefan Metzmacher
6afefee92c CVE-2021-23192: python/tests/dcerpc: change assertNotEquals() into assertNotEqual() 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>
 2021-11-08 10:52:13 +01:00
Stefan Metzmacher
9ac2254c50 CVE-2020-25722 pytests: Give computer accounts unique (and valid) sAMAccountNames and SPNs 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564

Signed-off-by: Stefan Metzmacher <metze@samba.org>
 2021-11-08 10:52:12 +01:00
Joseph Sutton
c05ea4568f CVE-2020-25719 tests/krb5: Add tests for using a ticket with a renamed account 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-08 10:52:12 +01:00
Joseph Sutton
06a46f79dd CVE-2020-25718 tests/krb5: Only fetch RODC account credentials when necessary 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-08 10:52:12 +01:00
Andrew Bartlett
c59f5762ea CVE-2020-25721 auth: Fill in the new HAS_SAM_NAME_AND_SID values 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14835

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
 2021-11-08 10:52:12 +01:00
Joseph Sutton
0954b59e85 CVE-2020-25722 pytest: Raise an error when adding a dynamic test that would overwrite an existing test 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-08 10:52:12 +01:00
Joseph Sutton
3c832b5a8a CVE-2020-25719 tests/krb5: Add tests for mismatched names with user-to-user 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-08 10:52:12 +01:00
Joseph Sutton
d151c2528d CVE-2020-25719 tests/krb5: Add test for user-to-user with no sname 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-08 10:52:12 +01:00
Joseph Sutton
9990c478bf CVE-2020-25719 tests/krb5: Add tests for requester SID PAC buffer 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-08 10:52:12 +01:00
Joseph Sutton
9e29510f3e CVE-2020-25719 tests/krb5: Add tests for PAC-REQUEST padata 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-08 10:52:12 +01:00
Joseph Sutton
8bd96fc1ae CVE-2020-25719 tests/krb5: Add tests for PAC attributes buffer 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-08 10:52:12 +01:00
Joseph Sutton
2895186282 CVE-2020-25719 tests/krb5: Add expected parameters to cache key for obtaining tickets 
If multiple calls to get_tgt() or get_service_ticket() specify different
expected parameters, we want to perform the request again so that the
checking can be performed, rather than reusing a previously obtained
ticket and potentially skipping checks.

It should be fine to cache tickets with the same expected parameters, as
tickets that fail to be obtained will not be stored in the cache, so the
checking will happen for every call.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-08 10:52:12 +01:00
Joseph Sutton
241d3956af CVE-2020-25719 tests/krb5: Add EXPECT_PAC environment variable to expect pac from all TGS tickets 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-08 10:52:12 +01:00
Joseph Sutton
04ceb10cbb CVE-2020-25719 tests/krb5: Add testing for PAC_TYPE_REQUESTER_SID PAC buffer 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-08 10:52:12 +01:00
Joseph Sutton
e496c04a6c CVE-2020-25719 tests/krb5: Add testing for PAC_TYPE_ATTRIBUTES_INFO PAC buffer 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-08 10:52:12 +01:00
Joseph Sutton
5ad4581668 CVE-2020-25719 tests/krb5: Add _modify_tgt() method for modifying already obtained tickets 
https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-08 10:52:12 +01:00
Joseph Sutton
51890d8428 CVE-2020-25719 tests/krb5: Extend _get_tgt() method to allow more modifications to tickets 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-08 10:52:12 +01:00
Joseph Sutton
837e153c74 CVE-2020-25719 tests/krb5: tests/krb5: Adjust expected error code for S4U2Self no-PAC tests 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-08 10:52:12 +01:00
Joseph Sutton
05c3582eae CVE-2020-25719 tests/krb5: Adjust expected error codes for user-to-user tests 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-08 10:52:12 +01:00
Joseph Sutton
97e5b765f2 CVE-2020-25719 tests/krb5: Adjust PAC tests to prepare for new PAC_ATTRIBUTES_INFO buffer 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-08 10:52:12 +01:00
Joseph Sutton
fad4159de4 CVE-2020-25719 tests/krb5: Use correct credentials for user-to-user tests 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-08 10:52:12 +01:00
Joseph Sutton
80a8c900eb CVE-2020-25719 tests/krb5: Return ticket from _tgs_req() 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-08 10:52:12 +01:00
Joseph Sutton
a01303f07c CVE-2020-25719 tests/krb5: Expect 'renew-till' element when renewing a TGT 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-08 10:52:11 +01:00
Joseph Sutton
5d83f3ba83 CVE-2020-25719 tests/krb5: Don't expect a kvno for user-to-user 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-08 10:52:11 +01:00
Joseph Sutton
e60e6301ad CVE-2020-25719 tests/krb5: Allow update_pac_checksums=True if the PAC is not present 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-08 10:52:11 +01:00
Joseph Sutton
4dfa0a77ce CVE-2020-25719 tests/krb5: Provide expected parameters for both AS-REQs in get_tgt() 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-08 10:52:11 +01:00
Joseph Sutton
decb2883d7 CVE-2020-25718 tests/krb5: Fix indentation 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-08 10:52:11 +01:00
Douglas Bagnall
38e858b12c CVE-2020-25722 pytest: test setting servicePrincipalName over ldap 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-08 10:52:11 +01:00
Douglas Bagnall
40a3b71e05 CVE-2020-25722 pytest: test sAMAccountName/userPrincipalName over ldap 
Because the sam account name + the dns host name is used as the
default user principal name, we need to check for collisions between
these. Fixes are coming in upcoming patches.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-08 10:52:11 +01:00
Douglas Bagnall
47279630f1 CVE-2020-25722 samba-tool spn add: remove --force option 
This did not actually *force* the creation of a duplicate SPN, it just
ignored the client-side check for the existing copy. Soon we are going
to enforce SPN uniqueness on the server side, and this --force will not
work. This will make the --force test fail, and if that tests fail, so
will others that depend the duplicate values. So we remove those tests.

It is wrong-headed to try to make duplicate SPNs in any case, which is
probably why there is no sign of anyone ever having used this option.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-08 10:52:11 +01:00
Douglas Bagnall
55c6c01a65 CVE-2020-25722 samba-tool spn: accept -H for database url 
Following the convention and making testing easier

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-08 10:52:11 +01:00
Douglas Bagnall
f64fe0b1e7 CVE-2020-25722 pytest: assertRaisesLdbError invents a message if you're lazy 
This makes it easier to convert tests that don't have good messages.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-08 10:52:11 +01:00
Douglas Bagnall
a65866a6c7 CVE-2020-25722 pytests: add reverse lookup dict for LDB error codes 
You can give ldb_err() it a number, an LdbError, or a sequence of
numbers, and it will return the corresponding strings. Examples:

ldb_err(68)       # "LDB_ERR_ENTRY_ALREADY_EXISTS"
LDB_ERR_LUT[68]   # "LDB_ERR_ENTRY_ALREADY_EXISTS"

expected = (ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS,
            ldb.ERR_INVALID_CREDENTIALS)
try:
    foo()
except ldb.LdbError as e:
    self.fail(f"got {ldb_err(e)}, expected one of {ldb_err(expected)}")

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-08 10:52:11 +01:00
Samuel Cabrero
eea6447886 CVE-2020-25717: selftest: Add a test for the new 'min domain uid' parameter 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

[abartlet@samba.org Fixed knowfail per instruction from metze]
 2021-11-08 10:52:10 +01:00
Joseph Sutton
2aa37d595e CVE-2020-25719 CVE-2020-25717 tests/krb5: Adapt tests for connecting without a PAC to new error codes 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14799
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-08 10:52:10 +01:00
Stefan Metzmacher
2966b61522 CVE-2020-25719 CVE-2020-25717 tests/krb5: Add tests for connecting to services anonymously and without a PAC 
At the end of the patchset we assume NT_STATUS_NO_IMPERSONATION_TOKEN if
no PAC is available.

For now we want to look for ACCESS_DENIED as this allows
the test to pass (showing that gensec:require_pac = true
is a useful partial mitigation).

This will also help others doing backports that do not
take the full patch set.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14799
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-08 10:52:10 +01:00
Joseph Sutton
718aefaacf CVE-2020-25721 tests/krb5: Add tests for extended PAC_UPN_DNS_INFO PAC buffer 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14835

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-08 10:52:10 +01:00
Joseph Sutton
9463564519 CVE-2020-25719 tests/krb5: Add tests for including authdata without a PAC 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-08 10:52:10 +01:00
Joseph Sutton
62af3d24a4 CVE-2020-25718 tests/krb5: Add tests for RODC-printed and invalid TGTs 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-08 10:52:10 +01:00
Joseph Sutton
f839cc40af CVE-2020-25719 tests/krb5: Add principal aliasing test 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14686

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-08 10:52:10 +01:00
Joseph Sutton
6b82704c2f CVE-2020-25719 tests/krb5: Add a test for making an S4U2Self request without a PAC 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14686

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-08 10:52:10 +01:00
Joseph Sutton
98f570d084 CVE-2020-25719 tests/krb5: Add tests for requiring and issuing a PAC 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-08 10:52:10 +01:00
Joseph Sutton
f4841ce8c1 CVE-2020-25721 ndrdump: Add tests for PAC with UPN_DNS_INFO 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14835

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-08 10:52:10 +01:00
Joseph Sutton
894be09a93 CVE-2020-25722 tests/krb5: Add KDC tests for 3-part SPNs 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14776

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-08 10:52:10 +01:00