1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

37642 Commits

Author SHA1 Message Date
Stefan Metzmacher
03730459fe CVE-2022-38023 s4:rpc_server/netlogon: implement "server schannel require seal[:COMPUTERACCOUNT]"
By default we'll now require schannel connections with
privacy/sealing/encryption.

But we allow exceptions for specific computer/trust accounts.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit b3ed90a054)
2022-12-14 10:28:16 +00:00
Stefan Metzmacher
1d9c939eba CVE-2022-38023 s4:rpc_server/netlogon: add a per connection cache to dcesrv_netr_check_schannel()
It's enough to warn the admin once per connection.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 3c57608e11)
2022-12-14 10:28:16 +00:00
Stefan Metzmacher
9f809e2dd3 CVE-2022-38023 s4:rpc_server/netlogon: make sure all dcesrv_netr_LogonSamLogon*() calls go through dcesrv_netr_check_schannel()
We'll soon add some additional contraints in dcesrv_netr_check_schannel(),
which are also required for dcesrv_netr_LogonSamLogonEx().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 689507457f)
2022-12-14 10:28:16 +00:00
Stefan Metzmacher
abba8c4579 CVE-2022-38023 s4:rpc_server/netlogon: split out dcesrv_netr_check_schannel() function
This will allow us to reuse the function in other places.
As it will also get some additional checks soon.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit f43dc4f0bd)
2022-12-14 10:28:16 +00:00
Stefan Metzmacher
729e905776 CVE-2022-38023 s4:rpc_server/netlogon: debug 'reject md5 servers' and 'allow nt4 crypto' misconfigurations
This allows the admin to notice what's wrong in order to adjust the
configuration if required.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 43df4be359)
2022-12-14 10:28:16 +00:00
Stefan Metzmacher
d2dc3622d4 CVE-2022-38023 s4:rpc_server/netlogon: add 'server reject md5 schannel:COMPUTERACCOUNT = no' and 'allow nt4 crypto:COMPUTERACCOUNT = yes'
This makes it more flexible when we change the global default to
'reject md5 servers = yes'.

'allow nt4 crypto = no' is already the default.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 69b3654160)
2022-12-14 10:28:16 +00:00
Stefan Metzmacher
c25546926f CVE-2022-38023 s4:rpc_server/netlogon: defer downgrade check until we found the account in our SAM
We'll soon make it possible to use 'reject md5 servers:CLIENTACCOUNT$ = no',
which means we'll need use the account name from our SAM.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit b09f51eefc)
2022-12-14 10:28:16 +00:00
Stefan Metzmacher
852763adc2 CVE-2022-38023 s4:rpc_server/netlogon: require aes if weak crypto is disabled
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 4c7f84798a)
2022-12-14 10:28:16 +00:00
Stefan Metzmacher
35ff122101 CVE-2022-38023 s4:rpc_server/netlogon: split out dcesrv_netr_ServerAuthenticate3_check_downgrade()
We'll soon make it possible to use 'reject md5 servers:CLIENTACCOUNT$ = no',
which means we'll need the downgrade detection in more places.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit b6339fd1dc)
2022-12-14 10:28:16 +00:00
Stefan Metzmacher
3f4c9c13b1 CVE-2022-38023 s4:torture: use NETLOGON_NEG_SUPPORTS_AES by default
For generic tests we should use the best available features.

And AES will be required by default soon.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit cfd55a22cd)
2022-12-14 10:28:16 +00:00
Stefan Metzmacher
82af786a36 CVE-2022-38023 s4:rpc_server/netlogon: improve CVE-2020-1472(ZeroLogon) debug messages
In order to avoid generating useless debug messages during make test,
we will use 'CVE_2020_1472:warn_about_unused_debug_level = 3'
and 'CVE_2020_1472:error_debug_level = 2' in order to avoid schannel warnings.

Review with: git show -w

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 16ee03efc1)
2022-12-14 10:28:16 +00:00
Stefan Metzmacher
88018634c7 CVE-2022-38023 s4:rpc_server/netlogon: re-order checking in dcesrv_netr_creds_server_step_check()
This will simplify the following changes.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit ec62151a2f)
2022-12-14 10:28:16 +00:00
Stefan Metzmacher
0c32166174 CVE-2022-38023 s4:rpc_server/netlogon: add talloc_stackframe() to dcesrv_netr_creds_server_step_check()
This will simplify the following changes.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 0e6a2ba83e)
2022-12-14 10:28:16 +00:00
Stefan Metzmacher
a5996700ad CVE-2022-38023 s4:rpc_server/netlogon: add a lp_ctx variable to dcesrv_netr_creds_server_step_check()
This will simplify the following changes.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 7baabbe981)
2022-12-14 10:28:16 +00:00
Stefan Metzmacher
2139565c2f CVE-2022-38023 s4:rpc_server/netlogon: 'server schannel != yes' warning to dcesrv_interface_netlogon_bind
This will simplify the following changes.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit e060ea5b3e)
2022-12-14 10:28:16 +00:00
Stefan Metzmacher
a1136ed2e0 CVE-2021-20251: s4:auth: fix use after free in authsam_logon_success_accounting()
This fixes a use after free problem introduced by
commit 7b8e32efc3,
which has msg = current; which means the lifetime
of the 'msg' memory is no longer in the scope of th
caller.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15253

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 1414269dcc)

Autobuild-User(v4-16-test): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(v4-16-test): Mon Dec 12 15:52:22 UTC 2022 on sn-devel-184
2022-12-12 15:52:22 +00:00
Ralph Boehme
8c2f27d442 torture: add a test trying to set FILE_ATTRIBUTE_TEMPORARY on a directory
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15252

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit fdb19ce8aa)
2022-12-05 10:11:17 +00:00
Jeremy Allison
efa48817d3 s4: torture: libsmbclient: Add a torture test to ensure smbc_stat() returns ENOENT on a non-existent file.
Add knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15195

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky@samba.org>
(cherry picked from commit 9eda432836)
2022-10-31 14:30:09 +00:00
Stefan Metzmacher
f7a84cffe9 s4:ldap_server: let ldapsrv_call_writev_start use conn_idle_time to limit the time
If the client is not able to receive the results within connections idle
time, then we should treat it as dead. It's value is 15 minutes (900 s)
by default.

In order to limit that further an admin can use 'socket options'
and set TCP_KEEPCNT, TCP_KEEPIDLE, TCP_KEEPINTVL and/or TCP_USER_TIMEOUT
to useful values.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15202

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Oct 19 17:13:39 UTC 2022 on sn-devel-184

(cherry picked from commit eb2f352603)
2022-10-31 14:30:09 +00:00
Jule Anger
a901109313 samba: tag release samba-4.16.6
-----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmNWba0ACgkQqplEL7aA
 tiAj2w/8DgIpsNJSFaUM/yjCPc3brNMFmr1ljBDWIqDOuAuYmx+wBsrPsLaewalp
 0O99kP8Tcsqanwc0HQ+SJcCuprCsxk2qQCMz3SdjSr/lpdDjaIZTAf8ycb1BtjQ3
 U7LxAU7Rv0pmlH277HS6aZAPd1iHWOhUpZpFMZsECOHJLVjdIghXW+x8SDEPl41Y
 ulogbEj7xebJk62N2Z4HrbxlSsoPtPtKSRAytstclnDf4+QSK2pIO2magobsA5q9
 V0z7k7E+8qp/nWiTG2g1hkozZjUVV3UfvOOXmPnr2JatXFblr3Id1gTIRjrPqK2L
 UvQu1r4idA4IWmnbyYldqu7SeQuRtnXHWNa1RVoVa8K5vO6NlhgyfZdLxDFlxO4b
 hKCFV6CvYs2+gDH1Ir7mQc/dV0LUAIUmRdBGwX8BUidyOgYIuoXgyWJAIVKdBGQX
 U9WA3fCS3jPM9RNgeNZMY0RRBmuTVjH/uJA22MEeBfdOKD/iqdt4O9RboC5NlrdS
 s72tiECST6dItBEc5EDTa7jtTd5tQyZkXjhvBLn7DIND0Kdes93u8HCazi74HhRK
 Sq8nbwuadxmGoBEPiISBoxK4fkWucHTRtOgISMfuhqHHug1WCOiHf2Q1IYANKlW0
 rcfC1x2LhTnb1TeRukOfzvXriAksOEhvcTG/HnJolWFZvfwnrgY=
 =bBex
 -----END PGP SIGNATURE-----

Merge tag 'samba-4.16.6' into v4-16-test

samba: tag release samba-4.16.6

Signed-off-by: Jule Anger <janger@samba.org>
2022-10-25 11:55:25 +02:00
Joseph Sutton
03eefa45d3 CVE-2022-3437 s4/auth/tests: Add unit tests for unwrap_des3()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-10-24 07:27:37 +02:00
Stefan Metzmacher
c28d971b12 s4:messaging: let imessaging_client_init() use imessaging_init_discard_incoming()
imessaging_client_init() is for temporary stuff only, so we should drop
(unexpected) incoming messages unless we expect irpc responses.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15201

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Thu Oct 13 13:32:30 UTC 2022 on sn-devel-184

(cherry picked from commit 266bcedc18)

Autobuild-User(v4-16-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-16-test): Wed Oct 19 09:45:53 UTC 2022 on sn-devel-184
2022-10-19 09:45:53 +00:00
Stefan Metzmacher
6ba44033e3 s4:messaging: add imessaging_init_discard_incoming()
We often create imessaging contexts just for sending messages,
but we'll never process incoming messages because a temporary event
context was used and we just queue a lot of imessaging_post_state
structures with immediate events.

With imessaging_init_discard_incoming() we'll discard any incoming messages
unless we have pending irpc requests.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15201

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit a120fb1c72)
2022-10-19 08:39:17 +00:00
Noel Power
7480f9c01d s4/lib/registry: Fix use after free with popt 1.19
popt1.19 fixes a leak that exposes a use as free,
make sure we duplicate return of poptGetArg if
poptFreeContext is called before we use it.

==6357== Command: ./bin/regpatch file
==6357==
Can't load /home/npower/samba-back/INSTALL_DIR/etc/smb.conf - run testparm to debug it
==6357== Syscall param openat(filename) points to unaddressable byte(s)
==6357==    at 0x4BFE535: open (in /usr/lib64/libc.so.6)
==6357==    by 0x4861432: reg_diff_load (patchfile.c:345)
==6357==    by 0x4861CD3: reg_diff_apply (patchfile.c:542)
==6357==    by 0x10ADF9: main (regpatch.c:114)
==6357==  Address 0x70f79d0 is 0 bytes inside a block of size 5 free'd
==6357==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6357==    by 0x4AF38B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6357==    by 0x4AF45D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6357==    by 0x10ADCF: main (regpatch.c:111)
==6357==  Block was alloc'd at
==6357==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6357==    by 0x4AF52EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6357==    by 0x10ACBD: main (regpatch.c:79)
==6357==
==6357== Invalid read of size 1
==6357==    at 0x4849782: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6357==    by 0x4B5D50F: __vfprintf_internal (in /usr/lib64/libc.so.6)
==6357==    by 0x4B7E719: __vasprintf_internal (in /usr/lib64/libc.so.6)
==6357==    by 0x4AD32F0: __dbgtext_va (debug.c:1904)
==6357==    by 0x4AD33F2: dbgtext (debug.c:1925)
==6357==    by 0x4861515: reg_diff_load (patchfile.c:353)
==6357==    by 0x4861CD3: reg_diff_apply (patchfile.c:542)
==6357==    by 0x10ADF9: main (regpatch.c:114)
==6357==  Address 0x70f79d0 is 0 bytes inside a block of size 5 free'd
==6357==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6357==    by 0x4AF38B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6357==    by 0x4AF45D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6357==    by 0x10ADCF: main (regpatch.c:111)
==6357==  Block was alloc'd at
==6357==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6357==    by 0x4AF52EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6357==    by 0x10ACBD: main (regpatch.c:79)
==6357==
==6357== Invalid read of size 1
==6357==    at 0x4849794: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6357==    by 0x4B5D50F: __vfprintf_internal (in /usr/lib64/libc.so.6)
==6357==    by 0x4B7E719: __vasprintf_internal (in /usr/lib64/libc.so.6)
==6357==    by 0x4AD32F0: __dbgtext_va (debug.c:1904)
==6357==    by 0x4AD33F2: dbgtext (debug.c:1925)
==6357==    by 0x4861515: reg_diff_load (patchfile.c:353)
==6357==    by 0x4861CD3: reg_diff_apply (patchfile.c:542)
==6357==    by 0x10ADF9: main (regpatch.c:114)
==6357==  Address 0x70f79d1 is 1 bytes inside a block of size 5 free'd
==6357==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6357==    by 0x4AF38B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6357==    by 0x4AF45D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6357==    by 0x10ADCF: main (regpatch.c:111)
==6357==  Block was alloc'd at
==6357==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6357==    by 0x4AF52EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6357==    by 0x10ACBD: main (regpatch.c:79)
==6357==
==6357== Invalid read of size 1
==6357==    at 0x4B83DD0: _IO_default_xsputn (in /usr/lib64/libc.so.6)
==6357==    by 0x4B5D39E: __vfprintf_internal (in /usr/lib64/libc.so.6)
==6357==    by 0x4B7E719: __vasprintf_internal (in /usr/lib64/libc.so.6)
==6357==    by 0x4AD32F0: __dbgtext_va (debug.c:1904)
==6357==    by 0x4AD33F2: dbgtext (debug.c:1925)
==6357==    by 0x4861515: reg_diff_load (patchfile.c:353)
==6357==    by 0x4861CD3: reg_diff_apply (patchfile.c:542)
==6357==    by 0x10ADF9: main (regpatch.c:114)
==6357==  Address 0x70f79d0 is 0 bytes inside a block of size 5 free'd
==6357==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6357==    by 0x4AF38B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6357==    by 0x4AF45D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6357==    by 0x10ADCF: main (regpatch.c:111)
==6357==  Block was alloc'd at
==6357==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6357==    by 0x4AF52EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6357==    by 0x10ACBD: main (regpatch.c:79)
==6357==
==6357== Invalid read of size 1
==6357==    at 0x4B83DDF: _IO_default_xsputn (in /usr/lib64/libc.so.6)
==6357==    by 0x4B5D39E: __vfprintf_internal (in /usr/lib64/libc.so.6)
==6357==    by 0x4B7E719: __vasprintf_internal (in /usr/lib64/libc.so.6)
==6357==    by 0x4AD32F0: __dbgtext_va (debug.c:1904)
==6357==    by 0x4AD33F2: dbgtext (debug.c:1925)
==6357==    by 0x4861515: reg_diff_load (patchfile.c:353)
==6357==    by 0x4861CD3: reg_diff_apply (patchfile.c:542)
==6357==    by 0x10ADF9: main (regpatch.c:114)
==6357==  Address 0x70f79d2 is 2 bytes inside a block of size 5 free'd
==6357==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6357==    by 0x4AF38B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6357==    by 0x4AF45D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6357==    by 0x10ADCF: main (regpatch.c:111)
==6357==  Block was alloc'd at
==6357==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6357==    by 0x4AF52EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6357==    by 0x10ACBD: main (regpatch.c:79)
==6357==
Error reading registry patch file `file'

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15205

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Oct 14 13:38:55 UTC 2022 on sn-devel-184

(cherry picked from commit 7e0e3f47cd)
2022-10-19 08:39:17 +00:00
Jeremy Allison
24bc377a0e s4: smbtorture: Add fsync_resource_fork test to fruit tests.
This shows we currently hang when sending an SMB2_OP_FLUSH on
an AFP_Resource fork.

Adds knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15182

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Böhme <slow@samba.org>
(cherry picked from commit 1b8a873284)
2022-10-18 08:34:18 +00:00
Andrew Bartlett
0a8330ab7d s4-libnet: Add messages to object count mismatch failures
This helps explain these better than WERR_GEN_FAILURE.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 483c48f52d)
2022-10-07 08:45:15 +00:00
Andrew Bartlett
a0e0c7e989 s4-rpc_server:getncchanges Add "old Samba" mode regarding GET_ANC/GET_TGT
This emulates older verions of Samba that fail to implement
DRSUAPI_DRS_GET_ANC correctly and totally fails to support
DRSUAPI_DRS_GET_TGT.

This will allow testing of a client-side fallback, allowing migration
from sites that run very old Samba versions over DRSUAPI (currently
the only option is to attempt an in-place upgrade).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 314bc44fa9)
2022-10-07 08:45:15 +00:00
Andrew Bartlett
997b8f8341 selftest: Add tests for GetNCChanges GET_ANC using samba-tool drs clone-dc-database
This test, compared with the direct to RPC tests, will succeed, then fail once the
server is changed to emulate Samba 4.5 and and again succeed once the python code
changes to allow skipping the DRSUAPI_DRS_CRITICAL_ONLY step

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 7ff743d65d)
2022-10-07 08:45:15 +00:00
Andrew Bartlett
2d2156b01d selftest: Prepare for "old Samba" mode regarding getncchanges GET_ANC/GET_TGT
The chgdcpass environment will emulate older verions of Samba
that fail to implement DRSUAPI_DRS_GET_ANC correctly and
totally fails to support DRSUAPI_DRS_GET_TGT.

This will allow testing of a client-side fallback, allowing migration
from sites that run very old Samba versions over DRSUAPI (currently
the only option is to attempt an in-place upgrade).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 62b426243f)
2022-10-07 08:45:15 +00:00
Douglas Bagnall
dd2c5f9698 pytest/samba_tool_drs_no_dns: use TestCaseInTempDir.rm_files/.rm_dirs
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15191
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
(cherry picked from commit 24f7d71416)
2022-10-07 08:45:15 +00:00
Douglas Bagnall
42b5bfa68e pytest/samba_tool_drs: use TestCaseInTempDir.rm_files/.rm_dirs
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15191
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
(cherry picked from commit 3f0aab45c8)
2022-10-07 08:45:15 +00:00
Joseph Sutton
6a0280d955 CVE-2021-20251 dsdb/common: Remove transaction logic from samdb_set_password()
All of its callers, where necessary, take out a transaction covering the
entire password set or change operation, so a transaction is no longer
needed here.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 7981cba87e)

Autobuild-User(v4-16-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-16-test): Sun Sep 18 17:46:29 UTC 2022 on sn-devel-184
2022-09-18 17:46:29 +00:00
Andreas Schneider
d0cd367da4 s4:rpc_server: Add transaction for dcesrv_samr_SetUserInfo()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 1aa403517f)
2022-09-18 16:46:09 +00:00
Andreas Schneider
f7f1106b2e s4:rpc_server: Use sam_ctx consistently in dcesrv_samr_SetUserInfo()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 1b3d7f8116)
2022-09-18 16:46:09 +00:00
Andreas Schneider
c56e2e2e70 s3:rpc_server: Use a done goto label for dcesrv_samr_SetUserInfo()
This will be used in the following commits.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit a246ae993f)
2022-09-18 16:46:09 +00:00
Joseph Sutton
f78ff75c51 CVE-2021-20251 s4-rpc_server: Extend scope of transaction for ChangePasswordUser3
Now the initial account search is performed under the transaction,
ensuring the overall password change is atomic. We set DSDB_SESSION_INFO
to drop our privileges to those of the user before we perform the actual
password change, and restore them afterwards if we need to update the
bad password count.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit fcabcb326d)

[jsutton@samba.org Included dsdb/common/util.h header for
 DSDB_SESSION_INFO define]
2022-09-18 16:46:09 +00:00
Joseph Sutton
05447dfb20 CVE-2021-20251 s4:auth_winbind: Check return status of authsam_logon_success_accounting()
This may return an error if we find the account is locked out.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 268ea7bef5)
2022-09-18 16:46:09 +00:00
Joseph Sutton
96c24b58b8 CVE-2021-20251 s4-rpc_server: Check badPwdCount update return status
If the account has been locked out in the meantime (indicated by
NT_STATUS_ACCOUNT_LOCKED_OUT), we should return the appropriate error
code.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit a268a1a0e3)
2022-09-18 16:46:09 +00:00
Joseph Sutton
74d8c3d584 CVE-2021-20251 s4:kdc: Check badPwdCount update return status
If the account has been locked out in the meantime (indicated by
NT_STATUS_ACCOUNT_LOCKED_OUT), we should return the appropriate error
code.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit bdfc9d96f8)

[jsutton@samba.org Fixed knownfail conflicts due to not having claims
 tests]

[jsutton@samba.org Fixed knownfail conflicts]
2022-09-18 16:46:09 +00:00
Joseph Sutton
5eb5daaa15 CVE-2021-20251 s4:kdc: Check return status of authsam_logon_success_accounting()
If we find that the user has been locked out sometime during the request
(due to a race), we will now return an error code.

Note that we cannot avoid the MIT KDC aspect of the issue by checking
the return status of mit_samba_zero_bad_password_count(), because
kdb_vftabl::audit_as_req() returning void means we cannot pass on the
result.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit b1e740896e)
2022-09-18 16:46:09 +00:00
Joseph Sutton
29b31129fd CVE-2021-20251 s4:kdc: Move logon success accounting code into existing branch
This simplifies the code for the following commit.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 2b593c34c4)
2022-09-18 16:46:09 +00:00
Joseph Sutton
f58d7e4200 CVE-2021-20251 s4:dsdb: Make badPwdCount update atomic
We reread the account details inside the transaction in case the account
has been locked out in the meantime. If it has, we return the
appropriate error code.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 96479747bd)

[jsutton@samba.org Fixed conflict due to lack of dbg_ret variable]
2022-09-18 16:46:09 +00:00
Joseph Sutton
f725f2f244 CVE-2021-20251 s4:dsdb: Update bad password count inside transaction
Previously, there was a gap between calling dsdb_update_bad_pwd_count()
and dsdb_module_modify() where no transaction was in effect. Another
process could slip in and modify badPwdCount, only for our update to
immediately overwrite it. Doing the update inside the transaction will
help for the following commit when we make it atomic.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit a65147a9e9)

[jsutton@samba.org Fixed conflicts due to lack of dbg_ret variable]
2022-09-18 16:46:09 +00:00
Joseph Sutton
2fe2485b93 CVE-2021-20251 s4-auth: Pass through error code from badPwdCount update
The error code may be NT_STATUS_ACCOUNT_LOCKED_OUT, which we use in
preference to NT_STATUS_WRONG_PASSWORD.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit d8a862cb81)
2022-09-18 16:46:09 +00:00
Andrew Bartlett
6a70d00691 CVE-2021-20251 auth4: Avoid reading the database twice by precaculating some variables
These variables are not important to protect against a race with
and a double-read can easily be avoided by moving them up the file
a little.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit b5f78b7b89)
2022-09-18 16:46:09 +00:00
Andrew Bartlett
dd38fae8c8 CVE-2021-20251 auth4: Inline samdb_result_effective_badPwdCount() in authsam_logon_success_accounting()
By bringing this function inline it can then be split out in a
subsequent commit.

Based on work by Gary Lockyer <gary@catalyst.net.nz>

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 712181032a)
2022-09-18 16:46:09 +00:00
Andrew Bartlett
0d6da5250b CVE-2021-20251 auth4: Split authsam_calculate_lastlogon_sync_interval() out
authsam_calculate_lastlogon_sync_interval() is split out of authsam_update_lastlogon_timestamp()

Based on work by Gary Lockyer <gary@catalyst.net.nz>

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 55147335ae)
2022-09-18 16:46:09 +00:00
Gary Lockyer
6b826a375a CVE-2021-20251 auth4: Return only the result message and free the surrounding result
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit b954acfde2)
2022-09-18 16:46:09 +00:00
Andrew Bartlett
a9aae34d5a CVE-2021-20251 auth4: Add missing newline to debug message on PSO read failure
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 4a9e0fdccf)
2022-09-18 16:46:09 +00:00
Andrew Bartlett
79f791ff0e CVE-2021-20251 s4 auth: make bad password count increment atomic
Ensure that the bad password count is incremented atomically,
and that the successful logon accounting data is updated atomically.

Use bad password indicator (in a distinct TDB) to determine if to open a transaction

We open a transaction when we have seen the hint that this user
has recorded a bad password.  This allows us to avoid always
needing one, while not missing a possible lockout.

We also go back and get a transation if we did not take out
one out but we chose to do a write (eg for lastLogonTimestamp)

Based on patches by Gary Lockyer <gary@catalyst.net.nz>

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit de4cc0a3da)
2022-09-18 16:46:09 +00:00