IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
We should not allocate memory on a longer-lived context than necessary.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Mar 31 09:30:17 UTC 2023 on atb-devel-224
We now create a client claims blob and add it to the PAC.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
get_claims_for_principal() is a new function that creates a claims blob
for a principal based on attributes in the database.
It's not hooked into the KDC yet, so this entails no change in
behaviour.
Constructed claims and certificate claims are not supported yet.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This is to adapt to the changed Heimdal KDC plugin API.
When we add support for device claims, we want to be able to verify the
PAC of the armor ticket without modifying or updating it. Previously, we
couldn't do this as the two operations were tightly intertwined. Now the
parts that only perform verification are split out into a new function,
samba_kdc_verify_pac().
NOTE: This commit finally works again!
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Mar 22 19:36:28 UTC 2023 on atb-devel-224
Instead of having one large function that returns every PAC blob, we now
have a more manageable assortment of smaller functions that each return
one blob.
That gives us more fine-grained handling of PAC blobs, with callers now
able to procure only the specific blobs that they need.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This will not be the only claims blob. Later there will also be a
device_claims_blob.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
samba_kdc_get_pac_blobs() passes a pointer to a user_info_dc structure
obtained from samba_kdc_get_user_info_from_db() into
samba_add_asserted_identity(). The latter function modifies the SIDs of
the user_info_dc structure in order to add the Asserted Identity SID,
but samba_kdc_get_user_info_from_db() actually caches that structure
internally, meaning that subsequent calls will return the modified
structure.
We should not modify cached SIDs, so have
samba_kdc_get_user_info_from_db() return a pointer to constant data, and
copy the returned array of SIDs before adding the Asserted Identity SID.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Windows only consults the PAC-OPTIONS claims bit to find out whether or
not to add claims to the PAC if the ClaimsCompIdFASTSupport option is
set to 1. If this option is set to 2 or 3, the bit is ignored and claims
are always added.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
These will be used later when we add support for compound
authentication.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Heimdal contains an assertion that the data pointer is not NULL. We need
to pass in a pointer to some dummy data instead.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Until we support claims we just return an empty blob,
that matches what Windows is doing without defined claims.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Mar 20 01:25:07 UTC 2023 on atb-devel-224
It's getting unwieldy adding new PAC buffer types when each one has to
have its own handling. It also makes the possibility of mistakes more
likely.
Add a new container, 'struct pac_blobs', containing the types of PAC
buffers in a given PAC, with an index for quick access to the types we
support specifically. We can add new blobs (overriding existing ones) by
calling pac_blobs_add_blob(), and override certain blobs that must be
present with pac_blobs_replace_existing().
This removes the need to have a complicated 'switch' statement with
different logic for each PAC buffer type, or a dozen index variables.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
krb5_pac_add_buffer() makes its own copy of the data we pass in. We
don't need to make yet another copy.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Heimdal contains an assertion that the data pointer is not NULL. We need
to pass in a pointer to some dummy data instead.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
As these parameters are not assigned to, make them const.
Const specifiers for non-pointer types, such as in 'const
krb5_principal', don't do anything in function declarations. Remove
them.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Make it clear what these parameters actually are.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
A double negative is just confusing and prone to error.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
It is up to the caller to choose if it wants to clean up the user_info_dc
memory early, we do so only in the KDC as was allocated on a context
provided to samba_kdc_update_pac_blob(), whereas auth_winbind uses
a locally managed tevent state as the memory context.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Feb 8 01:05:47 UTC 2023 on atb-devel-224
Arrays of SIDs are handled not fully consistently throughout the
codebase. Sometimes SIDs in the first and second positions represent a
user and a primary group respectively; other times they don't mean
anything in particular. Using these index constants in situations of the
former sort can help to clarify our intent.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The combination MANDATORY | ENABLED_BY_DEFAULT | ENABLED is very
commonly used, and introducing a shorter alias for it makes the code
clearer.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The domain-local groups that are added to the PAC of a service ticket
are now, if the service doesn't disclaim support for SID compression,
placed into the resource groups structure in PAC_LOGON_INFO.
In a TGS exchange directed to a KDC, rather than to a service, the
resource groups structure is simply copied into the updated PAC without
any processing being done.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Besides the NETLOGON_GUEST bit indicating whether the user has been
authenticated, we now carry all of the other bits as well. This lets us
match Windows' behaviour of simply passing these bits through to an
updated PAC when processing a TGS-REQ.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Resource group SIDs should only be placed into a service ticket, but we
were including them in all tickets. Now that we have access to the group
attributes, we'll filter out any groups with SE_GROUP_RESOURCE set if
we're creating a TGT.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Group expansion, performed in dsdb_expand_nested_groups(), now
incorporates a check of the type of each group. Those that are resource
groups receive the SE_GROUP_RESOURCE bit in the attributes which are now
carried alongside each group SID.
Whereas before, in auth_convert_user_info_dc_sambaseinfo() and
auth_convert_user_info_dc_saminfo6(), we invariantly used the flag
combination SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT |
SE_GROUP_ENABLED to set attributes in the PAC, we now take the correct
attributes from user_info_dc.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
FreeBSD has ENOATTR but not ENODATA, Linux has ENODATA but not ENOATTR for
returning "attr does not exist". With 2eb899de6a we settled on ENOATTR to
handle this case.
Alternatively we could
#define ENODATA ENOATTR
on FreeBSD...
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: douglas.bagnall@catalyst.net.nz
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Jan 19 09:24:15 UTC 2023 on atb-devel-224
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
In order to allow better upgrades we need the default value for smb.conf to the
same even if the effective default value of the software changes in future.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We need to take the value from the msDS-SupportedEncryptionTypes
attribute and only take the default if there's no value or
if the value is 0.
For krbtgt and DC accounts we need to force support for
ARCFOUR-HMAC-MD5 and AES encryption types and add the related bits
in addtition. (Note for krbtgt msDS-SupportedEncryptionTypes is
completely ignored the hardcoded value is the default, so there's
no AES256-SK for krbtgt).
For UF_USE_DES_KEY_ONLY on the account we reset
the value to 0, these accounts are in fact disabled completely,
as they always result in KRB5KDC_ERR_ETYPE_NOSUPP.
Then we try to get all encryption keys marked in
supported_enctypes, and the available_enctypes
is a reduced set depending on what keys are
actually stored in the database.
We select the supported session key enctypes by the available
keys and in addition based on AES256-SK as well as the
"kdc force enable rc4 weak session keys" option.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13135
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
As part of matching the behaviour of Windows, assume that trust objects
support AES256, but not RC4, if not specified otherwise.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15219
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
ENC_HMAC_SHA1_96_AES256_SK is a flag introduced for by Microsoft in this
CVE to indicate that additionally, AES session keys are available. We
set the etypes available for session keys depending on the encryption
types that are supported by the principal.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15219
Pair-Programmed-With: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15231
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
We pass the stack variable 'req' to dcerpc_winbind_SendToSam_r_send(),
so we need to make sure the runtime of the subreq in not longer
than the stack variable.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15253
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The blob will be empty until we properly support claims.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This allows us to add claims blobs to the PAC once we have the ability
to create them.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The name of the context looks like it should match the name of the
function, but doesn't quite.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Heimdal's 'data->length > 0' assertion in krb5_pac_add_buffer() is gone
as of f33f73f82f, so we no longer need to
specify a non-zero length.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>