sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-31 01:48:16 +03:00
Code
137,189 Commits 60 Branches 1,146 Tags
Commit Graph

212 Commits

Author SHA1 Message Date
Joseph Sutton
e61983c7f2 Revert "CVE-2020-25719 s4/torture: Expect additional PAC buffers" 
This reverts commit fa4c9bcefdeed0a7106aab84df20b02435febc1f.

We should not be generating these additional PAC buffers for service
tickets, only for TGTs.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-30 02:42:31 +00:00
Joseph Sutton
73a4806346 tests/krb5: Add tests for renewal and validation of RODC TGTs with PAC requests 
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-30 02:42:31 +00:00
Joseph Sutton
690a00a40c kdc: Always add the PAC if the header TGT is from an RODC 
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-30 02:42:31 +00:00
Joseph Sutton
b6a25f5f01 kdc: Match Windows error code for mismatching sname 
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-30 02:42:31 +00:00
Joseph Sutton
bac5f75059 tests/krb5: Add test for S4U2Self with wrong sname 
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-30 02:42:31 +00:00
Joseph Sutton
d5d22bf84a kdc: Adjust SID mismatch error code to match Windows 
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-30 02:42:31 +00:00
Joseph Sutton
f7a2fef8f4 heimdal:kdc: Adjust no-PAC error code to match Windows 
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-30 02:42:31 +00:00
Joseph Sutton
ca80c47406 tests/krb5: Add tests for validation with requester SID PAC buffer 
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-30 02:42:31 +00:00
Joseph Sutton
ebc9137cee tests/krb5: Align PAC buffer checking to more closely match Windows with PacRequestorEnforcement=2 
We set EXPECT_EXTRA_PAC_BUFFERS to 0 for the moment. This signifies that
these checks are currently not enforced, which avoids a lot of test
failures.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-30 02:42:31 +00:00
Joseph Sutton
ec823c2a83 tests/krb5: Add TGS-REQ tests with FAST 
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-30 02:42:31 +00:00
Joseph Sutton
d95705172b tests/krb5: Adjust error codes to better match Windows with PacRequestorEnforcement=2 
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-30 02:42:31 +00:00
Joseph Sutton
fa65ceb3dc CVE-2020-25718 heimdal:kdc: Add comment about tests for tickets of users not revealed to an RODC 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14886

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:34 +00:00
Joseph Sutton
756934f14c CVE-2020-25719 heimdal:kdc: Require PAC to be present 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14686

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:34 +00:00
Andrew Bartlett
4888e19811 CVE-2020-25722 kdc: Do not honour a request for a 3-part SPN (ending in our domain/realm) unless a DC 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14776

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
 2021-11-09 19:45:34 +00:00
Joseph Sutton
49a13f0fc9 CVE-2020-25719 heimdal:kdc: Verify PAC in TGT provided for user-to-user authentication 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:34 +00:00
Joseph Sutton
f08e6ac862 CVE-2020-25719 heimdal:kdc: Check name in request against name in user-to-user TGT 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:34 +00:00
Joseph Sutton
fd50fecbe9 CVE-2020-25719 heimdal:kdc: Use sname from request rather than user-to-user TGT client name 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:34 +00:00
Joseph Sutton
1d3548aeff CVE-2020-25719 s4:kdc: Add KDC support for PAC_REQUESTER_SID PAC buffer 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:34 +00:00
Andrew Bartlett
43983170fc CVE-2020-25721 auth: Fill in the new HAS_SAM_NAME_AND_SID values 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14835

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
 2021-11-09 19:45:34 +00:00
Joseph Sutton
80257fa37c CVE-2020-25718 kdc: Return ERR_POLICY if RODC krbtgt account is invalid 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:34 +00:00
Andrew Bartlett
b176ddba2a CVE-2020-25718 kdc: Confirm the RODC was allowed to issue a particular ticket 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
 2021-11-09 19:45:34 +00:00
Joseph Sutton
bacb51d0d3 CVE-2020-25719 heimdal:kdc: Require authdata to be present 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14686

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:34 +00:00
Joseph Sutton
2f9245f2a5 CVE-2020-25719 s4:kdc: Add KDC support for PAC_ATTRIBUTES_INFO PAC buffer 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:34 +00:00
Andreas Schneider
0db5c69d29 CVE-2020-25719 s4:kdc: Check if the pac is valid before updating it 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:34 +00:00
Joseph Sutton
fa4c9bcefd CVE-2020-25719 s4/torture: Expect additional PAC buffers 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:33 +00:00
Joseph Sutton
a461b7d4f8 CVE-2020-25719 tests/krb5: Add tests for mismatched names with user-to-user 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:33 +00:00
Joseph Sutton
26480ba2aa CVE-2020-25719 tests/krb5: Add test for user-to-user with no sname 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:33 +00:00
Joseph Sutton
7ff05eb8d4 CVE-2020-25719 tests/krb5: Add tests for requester SID PAC buffer 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:33 +00:00
Joseph Sutton
2e1e57fca8 CVE-2020-25719 tests/krb5: Add tests for PAC-REQUEST padata 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:33 +00:00
Joseph Sutton
b8c85fe81c CVE-2020-25719 tests/krb5: Add tests for PAC attributes buffer 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:33 +00:00
Joseph Sutton
faf47b0b6b CVE-2020-25719 tests/krb5: Adjust PAC tests to prepare for new PAC_ATTRIBUTES_INFO buffer 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:33 +00:00
Joseph Sutton
a236e2cc25 CVE-2020-25719 tests/krb5: Use correct credentials for user-to-user tests 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:33 +00:00
Joseph Sutton
903ab1a027 CVE-2020-25721 tests/krb5: Add tests for extended PAC_UPN_DNS_INFO PAC buffer 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14835

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:32 +00:00
Joseph Sutton
24be204834 CVE-2020-25719 tests/krb5: Add tests for including authdata without a PAC 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:32 +00:00
Joseph Sutton
3af0c36a06 CVE-2020-25718 tests/krb5: Add tests for RODC-printed and invalid TGTs 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:32 +00:00
Joseph Sutton
7f7476b08c CVE-2020-25719 tests/krb5: Add principal aliasing test 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14686

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:32 +00:00
Joseph Sutton
48e5154de6 CVE-2020-25719 tests/krb5: Add a test for making an S4U2Self request without a PAC 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14686

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:32 +00:00
Joseph Sutton
bd87905cf1 CVE-2020-25719 tests/krb5: Add tests for requiring and issuing a PAC 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:32 +00:00
Joseph Sutton
89c88a83da CVE-2020-25722 tests/krb5: Add KDC tests for 3-part SPNs 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14776

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:32 +00:00
Joseph Sutton
83a654a4ef tests/krb5: Add tests for constrained delegation to NO_AUTH_DATA_REQUIRED service 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14871

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Oct 20 09:22:43 UTC 2021 on sn-devel-184
 2021-10-20 09:22:43 +00:00
Andrew Bartlett
031a828764 kdc: Correctly strip PAC, rather than error on UF_NO_AUTH_DATA_REQUIRED for servers 
UF_NO_AUTH_DATA_REQUIRED on a server/service account should cause
the PAC to be stripped not to given an error if the PAC was still
present.

Tested against Windows 2019

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14871

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2021-10-20 08:31:31 +00:00
Andrew Bartlett
92e8ce18a7 kdc: Remove UF_NO_AUTH_DATA_REQUIRED from client principals 
Tests against Windows 2019 show that UF_NO_AUTH_DATA_REQUIRED
applies to services only, not to clients.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14871

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2021-10-20 08:31:31 +00:00
Joseph Sutton
9d3a691920 tests/krb5: Add tests for requesting a service ticket without a PAC 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sun Oct 17 23:40:33 UTC 2021 on sn-devel-184
 2021-10-17 23:40:33 +00:00
Joseph Sutton
02fa69c6c7 s4:kdc: Check ticket signature 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-10-14 18:59:32 +00:00
Joseph Sutton
28a5a586c8 s4/heimdal/lib/krb5/pac.c: Align PAC buffers to match Windows 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-10-14 18:59:31 +00:00
Isaac Boukris
d7b03394a9 kdc: sign ticket using Windows PAC 
Split Windows PAC signing and verification logic, as the signing has to be when
the ticket is ready.

Create sign and verify the PAC KDC signature if the plugin did not, allowing
for S4U2Proxy to work, instead of KRB5SignedPath.

Use the header key to verify PAC server signature, as the same key used to
encrypt/decrypt the ticket should be used for PAC server signature, like U2U
tickets are signed witht the tgt session-key and not with the longterm key,
and so krbtgt should be no different and the header key should be used.

Lookup the delegated client in DB instead of passing the delegator DB entry.

Add PAC ticket-signatures and related functions.

Note: due to the change from KRB5SignedPath to PAC, S4U2Proxy requests
against new KDC will not work if the evidence ticket was acquired from
an old KDC, and vide versa.

Closes: #767

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

[jsutton@samba.org Backported from Heimdal commit
 2ffaba9401d19c718764d4bd24180960290238e9
 - Removed tests
 - Adapted to Samba's version of Heimdal
 - Addressed build failures with -O3
 - Added knownfails
]

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-10-14 18:59:31 +00:00
Isaac Boukris
ccabc7f16c kdc: remove KRB5SignedPath, to be replaced with PAC 
KRB5SignedPath was a Heimdal-specific authorization data element used to
protect the authenticity of evidence tickets when used in constrained
delegation (without a Windows PAC).

Remove this, to be replaced with the Windows PAC which itself now supports
signing the entire ticket in the TGS key.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

[jsutton@samba.org Backported from Heimdal commit
 bb1d8f2a8c2545bccdf2c9179ce9259bf1050086
 - Removed tests
 - Removed auditing hook (only present in Heimdal master)
 - Added knownfails
]

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-10-14 18:59:31 +00:00
Joseph Sutton
d5002c34ce s4/torture: Expect ticket checksum PAC buffer 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-10-14 18:59:31 +00:00
Joseph Sutton
56ccdba54e tests/krb5: Add constrained delegation tests 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-10-14 18:59:31 +00:00
Joseph Sutton
ec4b264bdf tests/krb5: Add compatability tests for ticket checksums 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-10-14 18:59:31 +00:00