1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00
Commit Graph

2843 Commits

Author SHA1 Message Date
Andrew Bartlett
e96dfc74b3 s4-rpc_server/drsuapi: Use dsdb_normalise_dn_and_find_nc_root()
This reuses the search done for dsdb_find_nc_root() to normalise the DN.

This will allow a GUID-input DN to be compared safely with a RID Manager DN
or Naming Context.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10635

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-01-31 12:50:33 +00:00
Samuel Cabrero
fcecdfa8e5 s4:dnsserver: Rename dns_name_equal() to samba_dns_name_equal()
This function already exists in bind9 but takes different arguments, so when
the DLZ is loaded and this function is called bind crashes:

  named[1523]: samba_dlz: allowing update of signer=DESKTOP-8BUKMBK\$\@AFOREST.AD name=118.101.168.192.in-addr.arpa tcpaddr=192.168.101.118  type=PTR key=1264-ms-7.1-2ac9.9ef238e1-9747-11ed-9f95-525400dc6981/159/0
  named[1523]: samba_dlz: allowing update of signer=DESKTOP-8BUKMBK\$\@AFOREST.AD name=118.101.168.192.in-addr.arpa tcpaddr=192.168.101.118  type=PTR key=1264-ms-7.1-2ac9.9ef238e1-9747-11ed-9f95-525400dc6981/159/0
  named[1523]: client @0x7f26caa90f68 192.168.101.118#58223/key DESKTOP-8BUKMBK\$\@AFOREST.AD: updating zone '101.168.192.in-addr.arpa/NONE': deleting rrset at '118.101.168.192.in-addr.ar
  named[1523]: name.c:664: REQUIRE(((name1) != ((void *)0) && ((const isc__magic_t *)(name1))->magic == ((('D') << 24 | ('N') << 16 | ('S') << 8 | ('n'))))) failed, back trace

Backtrace:

  #0  0x00007f2716c957ec in __pthread_kill_implementation () from /lib64/libc.so.6
  #1  0x00007f2716c42816 in raise () from /lib64/libc.so.6
  #2  0x00007f2716c2b81c in abort () from /lib64/libc.so.6
  #3  0x000055d4de847995 in assertion_failed (file=<optimized out>, line=<optimized out>,
      type=<optimized out>, cond=<optimized out>) at /usr/src/debug/bind-9.18.10/bin/named/main.c:237
  #4  0x00007f27176388fc in isc_assertion_failed (file=file@entry=0x7f27173b0df6 "name.c",
      line=line@entry=664, type=type@entry=isc_assertiontype_require,
      cond=cond@entry=0x7f27173b0268 "((name1) != ((void *)0) && ((const isc__magic_t *)(name1))->magic == ((('D') << 24 | ('N') << 16 | ('S') << 8 | ('n'))))")
      at /usr/src/debug/bind-9.18.10/lib/isc/assertions.c:48
  #5  0x00007f27172946f9 in dns_name_equal (name1=<optimized out>, name2=<optimized out>)
      at /usr/src/debug/bind-9.18.10/lib/dns/name.c:664

  **** Here bind's dns_name_equal() is called instead of samba's dns_name_equal() ****

  #6  0x00007f27077ad6f2 in dns_record_match (rec1=0x7f26f8042d70, rec2=0x7f26f8044d10)
      at ../../source4/dns_server/dnsserver_common.c:1346
  #7  0x00007f271404732c in b9_record_match (rec1=0x7f26f8042d70, rec2=0x7f26f8044d10)
      at ../../source4/dns_server/dlz_bind9.c:1830
  #8  0x00007f2714047daa in dlz_subrdataset (name=0x7f2706ff82f0 "118.101.168.192.in-addr.arpa",
      rdatastr=0x7f26c9c10000 "118.101.168.192.in-addr.arpa.\t1200\tIN\tPTR\tDESKTOP-8BUKMBK.aforest.ad.",
      dbdata=0x7f271003d300, version=0x7f26f8044b20) at ../../source4/dns_server/dlz_bind9.c:2077
  #9  0x000055d4de84afb4 in dlopen_dlz_subrdataset (name=0x7f2706ff82f0 "118.101.168.192.in-addr.arpa",
      rdatastr=<optimized out>, driverarg=<optimized out>, dbdata=0x7f270430f680, version=<optimized out>)
      at /usr/src/debug/bind-9.18.10/bin/named/dlz_dlopen_driver.c:483
  #10 0x00007f271738e734 in modrdataset.constprop.0 (db=0x7f2704291740, node=0x7f26c9c006e0,
      version=0x7f26f8044b20, rdataset=0x7f2706ff8830,
      mod_function=0x55d4de84af80 <dlopen_dlz_subrdataset>, options=<optimized out>)
      at /usr/src/debug/bind-9.18.10/lib/dns/sdlz.c:1107
  #11 0x00007f2717251855 in diff_apply (diff=diff@entry=0x7f2706ff8df0, db=db@entry=0x7f2704291740,
      ver=ver@entry=0x7f26f8044b20, warn=warn@entry=true) at /usr/src/debug/bind-9.18.10/lib/dns/diff.c:370
  #12 0x00007f2717251c8a in dns_diff_apply (diff=diff@entry=0x7f2706ff8df0, db=db@entry=0x7f2704291740,
      ver=ver@entry=0x7f26f8044b20) at /usr/src/debug/bind-9.18.10/lib/dns/diff.c:465
  #13 0x00007f2717d105aa in do_one_tuple (tuple=tuple@entry=0x7f2706ff8e50, db=db@entry=0x7f2704291740,
      ver=ver@entry=0x7f26f8044b20, diff=diff@entry=0x7f2706ff9400)
      at /usr/src/debug/bind-9.18.10/lib/ns/update.c:454
  #14 0x00007f2717d10fff in update_one_rr (rdata=0x7f2706ff8ee8, ttl=<optimized out>,
      name=<optimized out>, op=DNS_DIFFOP_DEL, diff=0x7f2706ff9400, ver=0x7f26f8044b20, db=0x7f2704291740)
      at /usr/src/debug/bind-9.18.10/lib/ns/update.c:505
  #15 delete_if_action (data=<optimized out>, rr=0x7f2706ff8ee0)
      at /usr/src/debug/bind-9.18.10/lib/ns/update.c:1427
  #16 0x00007f2717d10ccd in foreach_rr (db=0x7f2704291740, ver=<optimized out>, name=0x7f26caa61d00,
      type=<optimized out>, covers=<optimized out>,
      rr_action=rr_action@entry=0x7f2717d10f60 <delete_if_action>, rr_action_data=0x7f2706ff9280)
      at /usr/src/debug/bind-9.18.10/lib/ns/update.c:736
  #17 0x00007f2717d10e76 in delete_if (predicate=predicate@entry=0x7f2717d0fb10 <true_p>,
      db=<optimized out>, ver=<optimized out>, name=<optimized out>, type=<optimized out>,
      covers=<optimized out>, update_rr=0x7f2706ff94b0, diff=0x7f2706ff9400)
      at /usr/src/debug/bind-9.18.10/lib/ns/update.c:1454
  #18 0x00007f2717d1bccd in update_action (task=<optimized out>, event=<optimized out>)
      at /usr/src/debug/bind-9.18.10/lib/ns/update.c:3299
  #19 0x00007f271765eb4c in task_run (task=0x7f27155ccf00)
      at /usr/src/debug/bind-9.18.10/lib/isc/task.c:823
  #20 isc_task_run (task=0x7f27155ccf00) at /usr/src/debug/bind-9.18.10/lib/isc/task.c:904
  #21 0x00007f271762cb12 in isc__nm_async_task (worker=0x7f2716236560, ev0=0x7f26caa07000)
      at netmgr/netmgr.c:840
  #22 process_netievent (worker=worker@entry=0x7f2716236560, ievent=0x7f26caa07000) at netmgr/netmgr.c:918
  #23 0x00007f271762d197 in process_queue (worker=worker@entry=0x7f2716236560,
      type=type@entry=NETIEVENT_TASK) at netmgr/netmgr.c:1011
  #24 0x00007f271762d3b3 in process_all_queues (worker=0x7f2716236560) at netmgr/netmgr.c:765
  #25 async_cb (handle=0x7f27162368c0) at netmgr/netmgr.c:794
  #26 0x00007f2717c4cb0d in uv__async_io (loop=0x7f2716236570, w=<optimized out>, events=<optimized out>)
      at src/unix/async.c:163
  #27 0x00007f2717c6825d in uv__io_poll (loop=0x7f2716236570, timeout=<optimized out>)
      at src/unix/epoll.c:374
  #28 0x00007f2717c5247a in uv__io_poll (timeout=<optimized out>, loop=0x7f2716236570)
      at src/unix/udp.c:122
  #29 uv_run (loop=loop@entry=0x7f2716236570, mode=mode@entry=UV_RUN_DEFAULT) at src/unix/core.c:406
  #30 0x00007f271762d834 in nm_thread (worker0=0x7f2716236560) at netmgr/netmgr.c:696
  #31 0x00007f27176627f5 in isc__trampoline_run (arg=0x55d4dfe3ad70)
      at /usr/src/debug/bind-9.18.10/lib/isc/trampoline.c:189
  #32 0x00007f2716c9398d in start_thread () from /lib64/libc.so.6
  #33 0x00007f2716d19344 in clone () from /lib64/libc.so.6

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14030

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Autobuild-User(master): Samuel Cabrero <scabrero@samba.org>
Autobuild-Date(master): Thu Jan 19 10:20:27 UTC 2023 on atb-devel-224
2023-01-19 10:20:27 +00:00
Joseph Sutton
5aafff0aab s4:rpc_server/dnsserver: Zero-initialise pointers
Ensuring pointers are always initialised simplifies the code and avoids
compilation errors with FORTIFY_SOURCE=2.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-01-10 20:22:32 +00:00
Volker Lendecke
b73ecb28a7 lib: Remove idtree from samba_util.h
No need to recompile the world when only a few files need this.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-01-10 00:28:37 +00:00
Volker Lendecke
43f041de65 lib: Add "starting_id" to idr_get_new_random()
To be used in smbXsrv_open.c, for this we need a lower bound.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-01-10 00:28:37 +00:00
Samuel Cabrero
121e7b0e39 CVE-2022-38023 s4:rpc_server/netlogon: Move schannel and credentials check functions to librpc
Will be used later by s3 netlogon server.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-01-09 14:23:36 +00:00
Samuel Cabrero
d9e6b490db CVE-2022-38023 s4:rpc_server:wscript: Reformat following pycodestyle
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-01-09 14:23:35 +00:00
Stefan Metzmacher
b3ed90a054 CVE-2022-38023 s4:rpc_server/netlogon: implement "server schannel require seal[:COMPUTERACCOUNT]"
By default we'll now require schannel connections with
privacy/sealing/encryption.

But we allow exceptions for specific computer/trust accounts.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15260

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2022-12-13 13:07:29 +00:00
Stefan Metzmacher
3c57608e11 CVE-2022-38023 s4:rpc_server/netlogon: add a per connection cache to dcesrv_netr_check_schannel()
It's enough to warn the admin once per connection.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2022-12-13 13:07:29 +00:00
Stefan Metzmacher
689507457f CVE-2022-38023 s4:rpc_server/netlogon: make sure all dcesrv_netr_LogonSamLogon*() calls go through dcesrv_netr_check_schannel()
We'll soon add some additional contraints in dcesrv_netr_check_schannel(),
which are also required for dcesrv_netr_LogonSamLogonEx().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2022-12-13 13:07:29 +00:00
Stefan Metzmacher
f43dc4f0bd CVE-2022-38023 s4:rpc_server/netlogon: split out dcesrv_netr_check_schannel() function
This will allow us to reuse the function in other places.
As it will also get some additional checks soon.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2022-12-13 13:07:29 +00:00
Stefan Metzmacher
43df4be359 CVE-2022-38023 s4:rpc_server/netlogon: debug 'reject md5 servers' and 'allow nt4 crypto' misconfigurations
This allows the admin to notice what's wrong in order to adjust the
configuration if required.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2022-12-13 13:07:29 +00:00
Stefan Metzmacher
69b3654160 CVE-2022-38023 s4:rpc_server/netlogon: add 'server reject md5 schannel:COMPUTERACCOUNT = no' and 'allow nt4 crypto:COMPUTERACCOUNT = yes'
This makes it more flexible when we change the global default to
'reject md5 servers = yes'.

'allow nt4 crypto = no' is already the default.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2022-12-13 13:07:29 +00:00
Stefan Metzmacher
b09f51eefc CVE-2022-38023 s4:rpc_server/netlogon: defer downgrade check until we found the account in our SAM
We'll soon make it possible to use 'reject md5 servers:CLIENTACCOUNT$ = no',
which means we'll need use the account name from our SAM.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2022-12-13 13:07:29 +00:00
Stefan Metzmacher
4c7f84798a CVE-2022-38023 s4:rpc_server/netlogon: require aes if weak crypto is disabled
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2022-12-13 13:07:29 +00:00
Stefan Metzmacher
b6339fd1dc CVE-2022-38023 s4:rpc_server/netlogon: split out dcesrv_netr_ServerAuthenticate3_check_downgrade()
We'll soon make it possible to use 'reject md5 servers:CLIENTACCOUNT$ = no',
which means we'll need the downgrade detection in more places.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2022-12-13 13:07:29 +00:00
Stefan Metzmacher
16ee03efc1 CVE-2022-38023 s4:rpc_server/netlogon: improve CVE-2020-1472(ZeroLogon) debug messages
In order to avoid generating useless debug messages during make test,
we will use 'CVE_2020_1472:warn_about_unused_debug_level = 3'
and 'CVE_2020_1472:error_debug_level = 2' in order to avoid schannel warnings.

Review with: git show -w

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2022-12-13 13:07:29 +00:00
Stefan Metzmacher
ec62151a2f CVE-2022-38023 s4:rpc_server/netlogon: re-order checking in dcesrv_netr_creds_server_step_check()
This will simplify the following changes.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2022-12-13 13:07:29 +00:00
Stefan Metzmacher
0e6a2ba83e CVE-2022-38023 s4:rpc_server/netlogon: add talloc_stackframe() to dcesrv_netr_creds_server_step_check()
This will simplify the following changes.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2022-12-13 13:07:29 +00:00
Stefan Metzmacher
7baabbe981 CVE-2022-38023 s4:rpc_server/netlogon: add a lp_ctx variable to dcesrv_netr_creds_server_step_check()
This will simplify the following changes.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2022-12-13 13:07:29 +00:00
Stefan Metzmacher
e060ea5b3e CVE-2022-38023 s4:rpc_server/netlogon: 'server schannel != yes' warning to dcesrv_interface_netlogon_bind
This will simplify the following changes.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2022-12-13 13:07:29 +00:00
Volker Lendecke
15f958d76e rpc_server: Remove an unneeded #include
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2022-10-27 18:18:36 +00:00
Noel Power
416bf5a418 s4/rpc_server/sambr: don't mutate the return of samdb_set_password_aes
prior to this commit return of samdb_set_password_aes was set to
NT_STATUS_WRONG_PASSWORD on failure. Useful status that should be
returned such as NT_STATUS_PASSWORD_RESTRICTION are swallowed here
otherwise (and in this case can be partially responsible for failures
in test samba.tests.auth_log_pass_change (with later gnutls)

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-10-25 09:34:33 +00:00
Andrew Bartlett
314bc44fa9 s4-rpc_server:getncchanges Add "old Samba" mode regarding GET_ANC/GET_TGT
This emulates older verions of Samba that fail to implement
DRSUAPI_DRS_GET_ANC correctly and totally fails to support
DRSUAPI_DRS_GET_TGT.

This will allow testing of a client-side fallback, allowing migration
from sites that run very old Samba versions over DRSUAPI (currently
the only option is to attempt an in-place upgrade).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2022-10-04 02:48:37 +00:00
Joseph Sutton
fcabcb326d CVE-2021-20251 s4-rpc_server: Extend scope of transaction for ChangePasswordUser3
Now the initial account search is performed under the transaction,
ensuring the overall password change is atomic. We set DSDB_SESSION_INFO
to drop our privileges to those of the user before we perform the actual
password change, and restore them afterwards if we need to update the
bad password count.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-09-12 23:07:38 +00:00
Joseph Sutton
f74f92aea1 CVE-2021-20251 s4-rpc_server: Use user privileges for SAMR password change
We don't (and shouldn't) need system prvileges to perform the password
change, so drop to the privileges of the user by setting
DSDB_SESSION_INFO. We need to reuse the same sam_ctx: creating a new one
with only user privileges would not work, because any database
modifications would be blocked by the transaction taken out on the
original context.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-09-12 23:07:38 +00:00
Joseph Sutton
fabbea2531 CVE-2021-20251 s4-rpc_server: Use authsam_search_account() to find the user
This helps the bad password and audit log handling code as it
allows assumptions to be made about the attributes found in
the variable "msg", such as that DSDB_SEARCH_SHOW_EXTENDED_DN
was used.

This ensures we can re-search on the DN via the embedded GUID,
which in in turn rename-proof.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-09-12 23:07:38 +00:00
Joseph Sutton
a268a1a0e3 CVE-2021-20251 s4-rpc_server: Check badPwdCount update return status
If the account has been locked out in the meantime (indicated by
NT_STATUS_ACCOUNT_LOCKED_OUT), we should return the appropriate error
code.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-09-12 23:07:37 +00:00
Andrew Bartlett
439f96a2cf CVE-2021-20251 s4-rpc_server: Use authsam_search_account() to find the user
This helps the bad password and audit log handling code as it
allows assumptions to be made about the attributes found in
the variable "msg", such as that DSDB_SEARCH_SHOW_EXTENDED_DN
was used.

This ensures we can re-search on the DN via the embedded GUID,
which in in turn rename-proof.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-09-12 23:07:37 +00:00
Joseph Sutton
15c86028a8 CVE-2022-32743 s4:rpc_server/netlogon: Reconnect to samdb as workstation account
This ensures that the database update can be attributed to the
workstation account, rather than to the anonymous SID, in the audit
logs.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14833

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Thu Jul 28 23:41:27 UTC 2022 on sn-devel-184
2022-07-28 23:41:27 +00:00
Joseph Sutton
6b76bc7339 CVE-2022-32743 s4:rpc_server/common: Add dcesrv_samdb_connect_session_info()
This function allows us to connect to samdb as a particular user by
passing in that user's session info.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14833

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2022-07-28 22:47:38 +00:00
Joseph Sutton
f545142380 CVE-2022-32743 s4:rpc_server/netlogon: Connect to samdb as a user, rather than as system
This allows us to perform validation on a client-specified dNSHostName
value, to ensure that it matches the sAMAccountName.

We might not have any rights to modify the account, so pass the control
FORCE_ALLOW_VALIDATED_DNS_HOSTNAME_SPN_WRITE which allows us to perform
a validated write to dNSHostName and servicePrincipalName (and
unvalidated writes to other attributes, such as operatingSystem).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14833

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2022-07-28 22:47:37 +00:00
Joseph Sutton
02c2a8c7b0 CVE-2022-32743 s4:rpc_server/netlogon: Always observe NETR_WS_FLAG_HANDLES_SPN_UPDATE flag
Even when there is no old DNS hostname present.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14833

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2022-07-28 22:47:37 +00:00
Joseph Sutton
d07641fc5a CVE-2022-32743 s4:rpc_server/netlogon: Remove dNSHostName prefix check
This check is not exhaustive (it does not check the suffix of the
dNSHostName), and should be covered by a validated write check in
acl_modify().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14833

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2022-07-28 22:47:37 +00:00
Andreas Schneider
85b7179a58 s4:rpc_server: Implement dcesrv_samr_ChangePasswordUser4()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-07-28 11:51:29 +00:00
Andreas Schneider
54766eed2e s4:rpc_server: Implement support for SetUserInfo(2) level 32
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-07-28 11:51:29 +00:00
Andreas Schneider
cef5bb0223 s4:rpc_server: Implement support for SAMR SetUserInfo(2) level 31
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-07-28 11:51:29 +00:00
Andreas Schneider
835de358ec s4:rpc_server: Add samr_set_password_aes()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-07-28 11:51:29 +00:00
Andreas Schneider
1aa403517f s4:rpc_server: Add transaction for dcesrv_samr_SetUserInfo()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-07-28 11:51:29 +00:00
Andreas Schneider
1b3d7f8116 s4:rpc_server: Use sam_ctx consistently in dcesrv_samr_SetUserInfo()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-07-28 11:51:29 +00:00
Andreas Schneider
a246ae993f s3:rpc_server: Use a done goto label for dcesrv_samr_SetUserInfo()
This will be used in the following commits.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-07-28 11:51:29 +00:00
Andreas Schneider
2ecdbe17e8 samr.idl: Add samr_ChangePasswordUser4()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-07-28 11:51:29 +00:00
Andreas Schneider
308f89ce6a samr:idl: add samr_SupportedFeatures for samr_Connect5()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-07-28 11:51:28 +00:00
Joseph Sutton
0a3aa5f908 CVE-2022-32746 ldb: Make use of functions for appending to an ldb_message
This aims to minimise usage of the error-prone pattern of searching for
a just-added message element in order to make modifications to it (and
potentially finding the wrong element).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2022-07-27 10:52:36 +00:00
Joseph Sutton
feb36dbebf lib/util: Change function to mem_equal_const_time()
Since memcmp_const_time() doesn't act as an exact replacement for
memcmp(), and its return value is only ever compared with zero, simplify
it and emphasize the intention of checking equality by returning a bool
instead.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-06-09 22:49:29 +00:00
Joseph Sutton
a554e2ce53 lib/util: Change function to data_blob_equal_const_time()
Since data_blob_cmp_const_time() doesn't act as an exact replacement for
data_blob_cmp(), and its return value is only ever compared with zero,
simplify it and emphasize the intention of checking equality by
returning a bool instead.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-06-09 22:49:29 +00:00
Joseph Sutton
ae6634c787 auth: Use constant-time memcmp when comparing sensitive buffers
This helps to avoid timing attacks.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15010

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-06-09 22:49:29 +00:00
Volker Lendecke
540d4ae6b9 lsa_server4: Simplify get_tdo() with talloc_asprintf_addbuf()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2022-06-06 19:22:28 +00:00
Volker Lendecke
49b3bbdead lsa_server4: Simplify get_tdo() with dom_sid_str_buf()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2022-06-06 19:22:28 +00:00
Andrew Bartlett
c4e576052f s4-samr: Fix missing check for GnuTLS errors from E_old_pw_hash()
Not likely to be an issue in the real world as the earlier calls
will have failed if weak crypto was disabled, but this was missed
in dce944e8a1.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu May 12 03:18:42 UTC 2022 on sn-devel-184
2022-05-12 03:18:42 +00:00
Joseph Sutton
03894de3ab rpc_server/lsa: Match Windows security descriptor
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
2022-05-02 19:13:31 +00:00
Samuel Cabrero
68096b5615 s4:rpc_server: Fix duplicated function name between s3 and s4
It can lead to link errors:

/usr/lib64/gcc/x86_64-suse-linux/11/../../../../x86_64-suse-linux/bin/ld: source3/rpc_server/rpc_server.c.24.o: in function `dcesrv_transport_terminate_connection':
/home/scabrero/workspace/samba/samba/bin/default/../../source3/rpc_server/rpc_server.c:242: multiple definition of `dcesrv_transport_terminate_connection'; source4/rpc_server/dcerpc_server.c.5.o:/home/scabrero/workspace/samba/samba/bin/default/../../source4/rpc_server/dcerpc_server.c:710: first defined here

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2022-04-08 20:13:37 +00:00
Samuel Cabrero
e0fadfd0d8 s4:rpc_server: Fix duplicated function name between s3 and s4
It can lead to link errors:

/usr/lib64/gcc/x86_64-suse-linux/11/../../../../x86_64-suse-linux/bin/ld: source3/rpc_server/rpc_server.c.24.o: in function `dcesrv_assoc_group_find':
/home/scabrero/workspace/samba/samba/bin/default/../../source3/rpc_server/rpc_server.c:229: multiple definition of `dcesrv_assoc_group_find'; source4/rpc_server/dcerpc_server.c.5.o:/home/scabrero/workspace/samba/samba/bin/default/../../source4/rpc_server/dcerpc_server.c:121: first defined here

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2022-04-08 20:13:37 +00:00
Joseph Sutton
cf8048cd49 s4:rpc_server/samr: Use extended DN when searching for user
Switch to dsdb_search() for looking up the user for changing the
password, and specify that we want extended DNs. Using the SID or GUID
avoids a race condition if the DN of the user changes.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Mar 18 12:45:17 UTC 2022 on sn-devel-184
2022-03-18 12:45:17 +00:00
Joseph Sutton
62cf7a4ad3 s4:rpc_server/samr: Simplify lp_ctx expression
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-03-18 11:55:30 +00:00
Joseph Sutton
9b913fcb0f s4:rpc_server/lsa: Use explicit SID instead of SDDL abbreviation
This is to prepare for the SDDL string being removed.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-03-17 23:11:37 +00:00
Andrew Bartlett
75c54d54ad dsdb: Remove LM hash parameter from samdb_set_password() and callers
This fixes the rpc.samr test because we no longer specify an LM hash
to the DSDB layer only to have it rejected by password_hash.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-03-17 01:57:38 +00:00
Andrew Bartlett
f161e3f18f dsdb: Remove parsing of LM password hash from "dBCSPwd" attribute
This means Samba will essentially ignore this attribute, not even attempting
to read it from the AD DC sam.ldb

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-03-17 01:57:38 +00:00
Andrew Bartlett
0f53bfe723 s4-rpc_server: Do not use LM hash in password changes
We now only change passwords based on the NT hash.

This means we no longer support samr_OemChangePasswordUser2()
and we do not check the LM verifier din samr_ChangePasswordUser3()

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-03-17 01:57:38 +00:00
Andrew Bartlett
338492d345 s4-rpc_server: Remove pre-check for existing NT and LM hash from netlogon
We no longer use the old NT and LM hash as proof of performing a
password change, and this removes the privileged status of these
attributes.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-03-17 01:57:38 +00:00
Andrew Bartlett
1144addec5 dsdb: No longer supply exact password hashes in a control to indicate password changes
This returns the API for password changes via (eg) kpasswd to the
previous design as at 7eebcebbab
where a control but no partiuclar values were specified.

This avoids the issues that were attempted to be addressed between
7eebcebbab and 786c41b095
by still keeping the ACL check from 23bd3a7417.

The purpose of this change is to move away from the NT hash (unicodePwd) being
the primary password in Samba, to allow installations to operate without this
unsalted hash.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-03-17 01:57:38 +00:00
Stefan Metzmacher
52787b9c1e s4:rpc_server/samr: don't set mapped_state in auth_usersupplied_info for audit logging
mapped_state is completely irrelevant for audit logging and
will also be removed in the next commits.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-03-10 03:16:35 +00:00
Stefan Metzmacher
0651fa474c dcesrv_core: wrap gensec_*() calls in [un]become_root() calls
This is important for the source3/rpc_server code as it might
be called embedded in smbd and may not run as root with access
to our private tdb/ldb files.

Note this is only really needed for 4.15 and older, as
we no longer run the rpc_server embedded in smbd,
but we better be consistent for now.

This should be able to fix the problem the printing no longer works
on Windows 7 with 2021-10 monthly rollup patch (KB5006743).

Windows uses NTLMSSP with privacy at the DCERPC layer on top
of NCACN_NP (smb).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14867

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-01-24 15:25:36 +00:00
Stefan Metzmacher
1243f52f7a s4:rpc_server/netlogon: let CSDVersion="" wipe operatingSystemServicePack
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14936

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Jan 11 22:03:03 UTC 2022 on sn-devel-184
2022-01-11 22:03:03 +00:00
Stefan Metzmacher
9a68025ad3 s4:rpc_server/netlogon: adjust the valid_flags based on dsdb_dc_functional_level()
This allows us to let DS_DIRECTORY_SERVICE_{8,9,10}_REQUIRED through
based on the manual changed msDS-Behavior-Version of our NTDSA object.

We still need to have tests depending on the msDS-Behavior-Version
value if the DSGETDC_VALID_FLAGS is really correct at all.
But for now this allows us to test krb5 FAST from Windows clients.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

Autobuild-User(master): Joseph Sutton <jsutton@samba.org>
Autobuild-Date(master): Fri Dec 24 03:03:50 UTC 2021 on sn-devel-184
2021-12-24 03:03:50 +00:00
Joseph Sutton
d9abd7fff5 s4:rpc_server/netlogon: adjust the flags logic to MS-NRPC 3.5.4.3.1 DsrGetDcNameEx2
Note that this doesn't change the logic as we still reject
DS_DIRECTORY_SERVICE_{8,9,10}_REQUIRED via the initial DSGETDC_VALID_FLAGS
check. The may change that in future, but may need some tests for it.

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2021-12-24 02:16:33 +00:00
Stefan Metzmacher
2926cfb299 s4:rpc_server/dnsserver: make use of dsdb_dc_functional_level()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2021-12-24 02:16:33 +00:00
Stefan Metzmacher
3121be69ca CVE-2021-3738 s4:rpc_server/samr: make use of dcesrv_samdb_connect_as_*() helper
This avoids a crash that's triggered by windows clients using
handles from samr_Connect*() on across multiple connections within
an association group.

In other cases is not strictly required, but it makes it easier to audit that
source4/rpc_server no longer calls samdb_connect() directly and also
improves the auditing for the dcesrv_samdb_connect_as_system() case.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Jule Anger <janger@samba.org>
Autobuild-Date(master): Tue Nov  9 20:37:30 UTC 2021 on sn-devel-184
2021-11-09 20:37:30 +00:00
Stefan Metzmacher
5724868c22 CVE-2021-3738 s4:rpc_server/netlogon: make use of dcesrv_samdb_connect_as_*() helper
This is not strictly required, but it makes it easier to audit that
source4/rpc_server no longer calls samdb_connect() directly and
also improves auditing for the dcesrv_samdb_connect_as_system() case.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:34 +00:00
Stefan Metzmacher
2a159e6f03 CVE-2021-3738 s4:rpc_server/lsa: make use of dcesrv_samdb_connect_as_user() helper
This avoids a crash that's triggered by windows clients using
handles from OpenPolicy[2]() on across multiple connections within
an association group.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:34 +00:00
Stefan Metzmacher
965fe0e906 CVE-2021-3738 s4:rpc_server/dnsserver: make use of dcesrv_samdb_connect_as_user() helper
This is not strictly required, but it makes it easier to audit that
source4/rpc_server no longer calls samdb_connect() directly.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:34 +00:00
Stefan Metzmacher
af6151ef12 CVE-2021-3738 s4:rpc_server/drsuapi: make use of assoc_group aware dcesrv_samdb_connect_as_*() helpers
This avoids a crash that's triggered by windows clients using
DsCrackNames across multiple connections within an association group
on the same DsBind context(policy) handle.

It also improves the auditing for the dcesrv_samdb_connect_as_system() case.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:34 +00:00
Stefan Metzmacher
897c0e8fc6 CVE-2021-3738 s4:rpc_server/common: provide assoc_group aware dcesrv_samdb_connect_as_{system,user}() helpers
We already had dcesrv_samdb_connect_as_system(), but it uses the per
connection memory of auth_session_info and remote_address.

But in order to use the samdb connection on a per association group
context/policy handle, we need to make copies, which last for the
whole lifetime of the 'samdb' context.

We need the same logic also for all cases we make use of
the almost same logic where we want to create a samdb context
on behalf of the authenticated user (without allowing system access),
so we introduce dcesrv_samdb_connect_as_user().

In the end we need to replace all direct callers to samdb_connect()
from source4/rpc_server.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:34 +00:00
Andrew Bartlett
b176ddba2a CVE-2020-25718 kdc: Confirm the RODC was allowed to issue a particular ticket
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2021-11-09 19:45:34 +00:00
Andrew Bartlett
a9ac1f9191 CVE-2020-25718 dsdb: Bring sid_helper.c into common code as rodc_helper.c
These common routines will assist the KDC to do the same access
checking as the RPC servers need to do regarding which accounts
a RODC can act with regard to.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2021-11-09 19:45:34 +00:00
Andrew Bartlett
158765d1f3 CVE-2020-25718 s4-rpc_server: Add in debug messages into RODC processing
These are added for the uncommon cases.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2021-11-09 19:45:34 +00:00
Andrew Bartlett
a831ef74c5 CVE-2020-25718 s4-rpc_server: Explain why we use DSDB_SEARCH_SHOW_EXTENDED_DN in RODC access check
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2021-11-09 19:45:34 +00:00
Andrew Bartlett
c70710a048 CVE-2020-25718 s4-rpc_server: Remove unused attributes in RODC check
In particular the objectGUID is no longer used, and in the NETLOGON case
the special case for msDS-KrbTgtLink does not apply.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2021-11-09 19:45:34 +00:00
Andrew Bartlett
16f96dbb5d CVE-2020-25718 s4-rpc_server: Provide wrapper samdb_confirm_rodc_allowed_to_repl_to()
This shares the lookup of the tokenGroups attribute.

There will be a new caller that does not want to do this step,
so this is a wrapper of samdb_confirm_rodc_allowed_to_repl_to_sid_list()
rather than part of it

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2021-11-09 19:45:34 +00:00
Andrew Bartlett
6014035043 CVE-2020-25718 s4-rpc_server: Confirm that the RODC has the UF_PARTIAL_SECRETS_ACCOUNT bit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2021-11-09 19:45:34 +00:00
Andrew Bartlett
8ee6753a6e CVE-2020-25718 s4-rpc_server: Put msDS-KrbTgtLinkBL and UF_INTERDOMAIN_TRUST_ACCOUNT RODC checks in common
While these checks were not in the NETLOGON case, there is no sense where
an RODC should be resetting a bad password count on either a
UF_INTERDOMAIN_TRUST_ACCOUNT nor a RODC krbtgt account.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2021-11-09 19:45:34 +00:00
Andrew Bartlett
edd3d61fea CVE-2020-25718 s4-rpc_server: Put RODC reveal/never reveal logic into a single helper function
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2021-11-09 19:45:34 +00:00
Andrew Bartlett
cdb5690be4 CVE-2020-25718 s4-rpc_server: Obtain the user tokenGroups earlier
This will allow the creation of a common helper routine that
takes the token SID list (from tokenGroups or struct auth_user_info_dc)
and returns the allowed/denied result.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2021-11-09 19:45:34 +00:00
Andrew Bartlett
4796b0a5c1 CVE-2020-25718 s4-rpc_server: Change sid list functions to operate on a array of struct dom_sid
This is instead of an array of struct dom_sid *.

The reason is that auth_user_info_dc has an array of struct dom_sid
(the user token) and for checking if an RODC should be allowed
to print a particular ticket, we want to reuse that a rather
then reconstruct it via tokenGroups.

This also avoids a lot of memory allocation.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2021-11-09 19:45:34 +00:00
Alexander Bokovoy
e2d5b4d709 CVE-2020-25717: Add FreeIPA domain controller role
As we want to reduce use of 'classic domain controller' role but FreeIPA
relies on it internally, add a separate role to mark FreeIPA domain
controller role.

It means that role won't result in ROLE_STANDALONE.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Alexander Bokovoy <ab@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:33 +00:00
Volker Lendecke
246a5ceab1 netlogon: Move netlogon_server_pipe_state to netlogon.idl
Make this available as a shared structure for both source3 and source4

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-10-08 19:28:32 +00:00
Volker Lendecke
ad462c27a4 rpc_server4: Fix a typo
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-09-21 00:13:32 +00:00
Andrew Bartlett
ae57d22e45 s4-lsa: Cache sam.ldb handle in lsa_LookupSids3/LookupNames4
Since 5c0345ea9b this
would not have been implicitly cached via the ldb_wrap
cache, due to the recording of the remote IP address
(which is a good thing).

This creates a more explicit and direct correct
cache on the connection.

The common code, including the SCHANNEL check is
placed into a helper function.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14807

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sun Sep  5 03:19:26 UTC 2021 on sn-devel-184
2021-09-05 03:19:26 +00:00
Andreas Schneider
d6c7a2a700 netlogon:schannel: If weak crypto is disabled, do not announce RC4 support.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-08-03 09:28:38 +00:00
Andreas Schneider
868a9577d6 s4:rpc_server: Allow to set user password in FIPS mode
Only in case we have an SMB encrypted connection ...

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-08-03 09:28:38 +00:00
Andreas Schneider
5dd3a0cc17 s4:rpc_server: Check return code of cli_credentials_set_conf()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-06-29 02:19:35 +00:00
Douglas Bagnall
701c55841f rpc/dnsserver: check talloc_strndup return
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-06-29 02:19:35 +00:00
Douglas Bagnall
14ce22f446 rpc dnsserver: improve handling of serial numbers
This is not correct, but it gets closer. We need to save the updated
serial number in the SOA.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-06-29 02:19:35 +00:00
Douglas Bagnall
0fa98cd38b rpc dnsserver: set the record rank
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-06-29 02:19:35 +00:00
Douglas Bagnall
8b3d2556da rpc dnsserver: updates reset more than timestamp
This is based on observed Windows behaviour.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-06-29 02:19:35 +00:00
Douglas Bagnall
9fb87134b8 rpc:dnsserver: allow update replacing with similar record
We have been refusing to handle the case where the replaced record
matches the replacement according to dns_record_match() (meaning the
wType and data are semantically identical). In Windows this is
explicitly used for changing TTL.

There are further changes we need to properly handle this case.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-06-29 02:19:35 +00:00
Douglas Bagnall
fa60883736 rpc:dnsserver: split off record rank setting logic
We want to do this also in update (in following commits), and we later
will want to fix the logic.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-06-29 02:19:35 +00:00
Douglas Bagnall
b707720325 dns: merge dns_records_match and dns_record_match
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-06-11 08:38:34 +00:00
Andreas Schneider
a00726593c s4:rpc_server: Set Kerberos to desired
This is required for ncalrpc_as_system to work. In FIPS enabled mode,
'client use kerberos' is forced to required. We need to allow
non-kerberos use for ncalrpc_as_system here.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-04-28 03:43:34 +00:00
Andreas Schneider
4b2e7da37a s4:rpc_server: Use cli_credentials_init_server()
This also removes dcerpc_remote:domain option for the machine account case.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-04-09 10:46:28 +00:00
Douglas Bagnall
d1c47d0c83 rpc/idl dnsserver s/DNS_RPC_DATA/DNS_RPC_RECORD_DATA/
Following MS-DNSP.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Mar 30 00:20:53 UTC 2021 on sn-devel-184
2021-03-30 00:20:53 +00:00
Douglas Bagnall
162e6fb25a librpc/idl: dnsp tombstone timestamp name matches MS-DNSP
MS-DNSP uses the term "EntombedTime" in e.g. "2.2.2.2.4.23 DNS_RPC_RECORD_TS"
which is more descriptive than the generic "timestamp", and less likely to be
confused with dwTimestamp, which has been our curse. Let's make it grep-able,
google-able, and evocative.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-03-29 23:20:37 +00:00
Andrew Bartlett
7415f712db smb.conf: Remove "share backend" option
This is a confusing hold-over from the NTVFS fileserver that never became part of
the merged architecture.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-03-26 03:04:39 +00:00
Volker Lendecke
8d37c632b9 rpc_server4: Make "srv_callbacks" static
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-03-16 17:09:31 +00:00
Volker Lendecke
403eabe4fc librpc: Add "private_data" to struct dcesrv_context_callbacks
Not used right now, but we should never have callbacks without a
"private_data" pointer. Some of the callbacks could even today benefit
from this.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-03-16 17:09:31 +00:00
Andreas Schneider
4b398bb476 s4:rpc_server: Add missing break in switch statement
error: unannotated fall-through between switch labels [-Werror,-Wimplicit-fallthrough]

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-02-01 21:50:32 +00:00
Volker Lendecke
895f459b4b epmapper: Simplify _epm_Map()
We have a routine to compare ndr_syntax_id, don't do it manually.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>
2021-01-28 16:58:35 +00:00
Volker Lendecke
f055d3f7db rpc_server: Fix a "bool==true" condition
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-01-22 19:54:38 +00:00
Volker Lendecke
d6c3faa188 rpc_server: Fix a typo
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-01-22 19:54:37 +00:00
Ralph Boehme
4142bde7e5 s4: rename source4/smbd/ to source4/samba/
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Nov 27 10:07:18 UTC 2020 on sn-devel-184
2020-11-27 10:07:18 +00:00
Andreas Schneider
c75dd1ea17 s4:rpc_server: Allow to use RC4 for creating trusts
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2020-11-09 08:58:35 +00:00
Andreas Schneider
c93ccebdfe s4:rpc_server: Use gnutls_cipher_decrypt() in get_trustdom_auth_blob()
It doesn't matter for RC4, but just to be correct.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2020-11-09 08:58:35 +00:00
Andreas Schneider
a9c532c6d3 s4:rpc_server: Allow to use RC4 for setting passwords
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2020-10-29 14:19:36 +00:00
Gary Lockyer
b9b6abf18b CVE-2020-1472(ZeroLogon): rpc_server/netlogon: Fix confounder check
Add check for zero length confounder, to allow setting of passwords 512
bytes long. This does not need to be backported, as it is extremely
unlikely that anyone is using 512 byte passwords.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-10-16 04:45:40 +00:00
Alexander Bokovoy
234957a2e4 Fix build after removal of an extra safe_string.h
Move of strcasecmp redefine to lib/util/safe_string.h in
https://gitlab.com/samba-team/samba/-/merge_requests/1507 broke build on
Fedora 33 with GCC 10.2.1 for those compilation units that use
ldb_att_cmp().

The reason for that is that ldb_attr_cmp() defined as

   #define ldb_attr_cmp(a, b) strcasecmp(a, b)

because attribute names restricted to be ASCII by RFC2251 (LDAPv3 spec).

A solution is to add

   #undef strcasecmp

to all source code files which use ldb_attr_cmp().

Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Oct  1 22:45:29 UTC 2020 on sn-devel-184
2020-10-01 22:45:29 +00:00
Stefan Metzmacher
ca8a0098ac CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: log warnings about unsecure configurations
This should give admins wawrnings until they have a secure
configuration.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2020-09-18 12:48:39 +00:00
Stefan Metzmacher
f9b772bf28 CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: support "server require schannel:WORKSTATION$ = no"
This allows to add expections for individual workstations, when using "server schannel = yes".
"server schannel = auto" is very insecure and will be removed soon.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2020-09-18 12:48:38 +00:00
Stefan Metzmacher
be8e639499 CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: refactor dcesrv_netr_creds_server_step_check()
We should debug more details about the failing request.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2020-09-18 12:48:38 +00:00
Stefan Metzmacher
d8a6e6549c CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: protect netr_ServerPasswordSet2 against unencrypted passwords
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2020-09-18 12:48:38 +00:00
Stefan Metzmacher
74eb448adf CVE-2020-1472(ZeroLogon): s4:rpc_server:netlogon: make use of netlogon_creds_random_challenge()
This is not strictly needed, but makes things more clear.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2020-09-18 12:48:38 +00:00
Andreas Schneider
6c94ebf77f s4:rpc_server: Use cli_credentials_init_server()
Signed-off-by: Andreas Schneider <asn@samba.org>
2020-09-07 12:02:15 +00:00
Matthew DeVore
232054c09b lib/util: remove extra safe_string.h file
lib/util/safe_string.h is similar to source3/include/safe_string.h, but
the former has fewer checks. It is missing bcopy, strcasecmp, and
strncasecmp.

Add the missing elements to lib/util/safe_string.h remove the other
safe_string.h which is in the source3-specific path. To accomodate
existing uses of str(n?)casecmp, add #undef lines to source files where
they are used.

Signed-off-by: Matthew DeVore <matvore@google.com>
Reviewed-by: David Mulder <dmulder@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Aug 28 02:18:40 UTC 2020 on sn-devel-184
2020-08-28 02:18:40 +00:00
Douglas Bagnall
df98e7db04 s4/dns: do not crash when additional data not found
Found by Francis Brosnan Blázquez <francis@aspl.es>.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12795

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Mon Aug 24 00:21:41 UTC 2020 on sn-devel-184
2020-08-24 00:21:41 +00:00
Douglas Bagnall
7afe449e72 s4: dns: Ensure variable initialization with NULL.
Ensure no use after free.

Based on patches from Francis Brosnan Blázquez <francis@aspl.es>
and Jeremy Allison <jra@samba.org>

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12795

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-08-23 22:55:29 +00:00
Ralph Boehme
2327471756 lib: relicense smb_strtoul(l) under LGPLv3
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Swen Schillig <swen@linux.ibm.com>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Aug  3 22:21:04 UTC 2020 on sn-devel-184
2020-08-03 22:21:02 +00:00
Samuel Cabrero
61e93698e5 s4:rpc_server: Implement epmapper LookupHandleFree
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: David Mulder <dmulder@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Samuel Cabrero <scabrero@samba.org>
Autobuild-Date(master): Tue Jul  7 13:43:14 UTC 2020 on sn-devel-184
2020-07-07 13:43:14 +00:00
Samuel Cabrero
72f73efd7f librpc: core: Move the s4 handles implementation to the RPC server core
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-05-24 23:55:36 +00:00
Andrew Bartlett
004e7a1fee s4/rpc_server/dnsserver: Allow parsing of dnsProperty to fail gracefully
On (eg) the

DC=_msdcs.X.Y,CN=MicrosoftDNS,DC=ForestDnsZones,DC=X,DC=Y

record, in domains that have had a Microsoft Windows DC an attribute:

dNSProperty:: AAAAAAAAAAAAAAAAAQAAAJIAAAAAAAAA

000000 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00  >................<
000010 92 00 00 00 00 00 00 00                          >........<
000018

We, until samba 4.12, would parse this as:

pull returned Success
    dnsp_DnsProperty: struct dnsp_DnsProperty
        wDataLength              : 0x00000000 (0)
        namelength               : 0x00000000 (0)
        flag                     : 0x00000000 (0)
        version                  : 0x00000001 (1)
        id                       : DSPROPERTY_ZONE_NS_SERVERS_DA (146)
        data                     : union dnsPropertyData(case 0)
        name                     : 0x00000000 (0)
dump OK

However, the wDataLength is 0.  There is not anything in
[MS-DNSP] 2.3.2.1 dnsProperty to describe any special behaviour
for when the id suggests that there is a value, but wDataLength is 0.

https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dnsp/445c7843-e4a1-4222-8c0f-630c230a4c80

We now fail to parse it, because we expect an entry with id DSPROPERTY_ZONE_NS_SERVERS_DA
to therefore have a valid DNS_ADDR_ARRAY (section 2.2.3.2.3).

As context we changed it in our commit fee5c6a424
because of bug https://bugzilla.samba.org/show_bug.cgi?id=14206
which was due to the artificial environment of the fuzzer.

Microsoft advises that Windows also fails to parse this, but
instead of failing the operation, the value is ignored.

Reported by Alex MacCuish.  Many thanks for your assistance in
tracking down the issue.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14310

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri May 15 07:29:17 UTC 2020 on sn-devel-184
2020-05-15 07:29:16 +00:00
Stefan Metzmacher
87ae154ef9 s4:rpc_server/lsa: remove some useless talloc_reference() calls
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2020-02-05 08:46:38 +00:00
Samuel Cabrero
e24ce0023f pidl:NDR/Server: Allow to define endpoint server shutdown functions
The next commits will register legacy api_struct when the endpoint server
is initialized. This commit adds a shutdown function which will be used
to unregister the legacy api_struct.

The shutdown function will be also used to replace the rpc_srv_callbacks
struct shutdown member used, for example, by the spoolss service to
cleanup before exiting.

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-12-12 00:35:31 +00:00
Samuel Cabrero
90eb485cf9 librpc:core: Add public functions to initialize endpoint servers
The dcesrv_init_registered_ep_servers() will be used by the S3 server to
initialize all registered endpoint servers (for embedded services), and
the dcesrv_init_ep_server() function will be used by the external
daemons to initialize the required ones.

As serveral S3 services may require to initialize another one before
itself (svcctl and eventlog for example require winreg) a boolean flag is
added to track the initialization status.

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-12-12 00:35:30 +00:00
Samuel Cabrero
39dfc5c82b librpc:core: Split dcesrv context init and endpoint servers init
The S4 server will initialize the endpoint servers specified in smb.conf,
but the S3 server need to initialize all registered endpoint servers (the
embedded ones).

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-12-12 00:35:30 +00:00
Andrew Bartlett
defb237325 CVE-2019-14861: s4-rpc/dnsserver: Avoid crash in ldb_qsort() via dcesrv_DnssrvEnumRecords)
dns_name_compare() had logic to put @ and the top record in the tree being
enumerated first, but if a domain had both then this would break the
older qsort() implementation in ldb_qsort() and cause a read of memory
before the base pointer.

By removing this special case (not required as the base pointer
is already seperatly located, no matter were it is in the
returned records) the crash is avoided.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14138

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2019-12-10 09:18:46 +00:00
Andrew Bartlett
4333e41c22 CVE-2019-14861: s4-rpc_server: Remove special case for @ in dns_build_tree()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14138

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2019-12-10 09:18:46 +00:00
Isaac Boukris
a75ca8d5d5 session: convert sess_crypt_blob to use gnutls
Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-12-10 00:30:31 +00:00
Isaac Boukris
dcc33103d5 smbdes: convert des_crypt112_16 to use gnutls
Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-12-10 00:30:31 +00:00
Isaac Boukris
dce944e8a1 smbdes: convert E_old_pw_hash to use gnutls
Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-12-10 00:30:31 +00:00
Ralph Boehme
7dc7b9e554 smbdotconf: mark "server string" with substitution="1"
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2019-11-27 10:25:36 +00:00
Andrew Bartlett
6107c79c90 build: Do not build selftest binaries for builds without --enable-selftest
Add new for_selftest option to SAMBA_BINARY() and SAMBA3_BINARY()

This allows us to be much more consistent (at least in the core Samba)
and documents clearly why the binary should not be installed.

Not modified are
 - test_lp_load
 - notifyd-tests
 - gendrandperf
 - test* from examples/libsmbclient
 - dbwrap_torture
 - split_tokens
 - locktest2
 - msgtest
 - msg_sink
 - msg_source
 - versiontest
 - rpc_open_tcp
 - test_headers

As these are not tested in selftest so any change would also be
untested.  Of course they probably should be added in a different
MR.

Also not modified (because they are not tests, nor part of the
build system) are:
 - smb2mount
 - notifydd
 - log2pacp
 - debug2html
 - smbfilter
 - destroy_netlogon_creds_cli
 - spotlight2*
 - tevent_glib_tracker

These do however appear to be untested.

For now, the source4 forked client tools are left unchanged:
 - smbclient4
 - nmblookup4

Finally, the heimdal binaries are left as install=False as
they are either part of the build system or end-user tools
that we just don't want to install.  These are however tested.

The motivation is commit like c34ec003b7
and da87fa998a, which are both totally
correct but are not needed if the selftest is not run on MacOS.

There are likely other platforms or build environments where building
our test binaries is more pain than valuable, see for example also
https://lists.samba.org/archive/samba/2019-November/227137.html

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Isaac Boukris <iboukris@samba.org>

Autobuild-User(master): Isaac Boukris <iboukris@samba.org>
Autobuild-Date(master): Fri Nov 22 11:48:59 UTC 2019 on sn-devel-184
2019-11-22 11:48:59 +00:00
Andreas Schneider
9e51bb77f8 s4:rpc_server: Return the status code from dcesrv_transport_session_key()
Normally this returns the right status code, which normally is:

   NT_STATUS_NO_USER_SESSION_KEY

This is consitent with the source3 samr server implmentation.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Isaac Boukris <iboukris@samba.org>

Autobuild-User(master): Isaac Boukris <iboukris@samba.org>
Autobuild-Date(master): Wed Nov 20 22:29:35 UTC 2019 on sn-devel-184
2019-11-20 22:29:35 +00:00
Andrew Bartlett
1af1ebe54a librpc: Unify packet dumping on ndr_pull() failure
There were two duplicate implementations of packet dumping just for the s4 RPC server!

This unifies them and makes them easier to find because they are not triggered
from the generated server stub any more.

The behaviour have unified on setting "dcesrv:stubs directory" and
being compiled with --enable-developer.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Nov 20 02:14:56 UTC 2019 on sn-devel-184
2019-11-20 02:14:56 +00:00
Andreas Schneider
afb5cb669c s4:rpc_server: Remove gnutls_global_(de)init()
This is done by the gnutls library constructor/destructor.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-11-14 08:01:44 +00:00
Björn Jacke
9092120b0d source4/rpc_server/lsa/lsa_lookup.c: typo fixes
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2019-10-31 00:43:37 +00:00
Samuel Cabrero
6a6546b565 librpc:core: Allocate struct dcesrv_interface with talloc
The S3 implementation needs to reinit the dcesrv_context and free the
endpoints list with their registered interfaces.

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2019-10-18 16:07:37 +00:00
Samuel Cabrero
491102b5b2 s4:rpc_server: Move core functions to core library
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2019-10-18 16:07:37 +00:00
Samuel Cabrero
076ec9173e s4:rpc_server: Move core structures and prototypes to core library
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2019-10-18 16:07:37 +00:00
Samuel Cabrero
3f33fdf2e3 librpc: Add new dcerpc server core library
Next commits will move the core of s4 rpc server to this library.

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2019-10-18 16:07:37 +00:00
Samuel Cabrero
480dd6163b s4:rpc_server: Make functions public
These functions will be moved to core dcerpc library and called from
s4 and s3 implementations.

Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2019-10-18 16:07:37 +00:00
Samuel Cabrero
0523f0b4d2 s4:rpc_server: Add public function dcesrv_connection_loop_start
This function starts the server loop and will be called from s3 and s4
implementations.

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2019-10-18 16:07:37 +00:00
Samuel Cabrero
85de73354d s4:rpc_server: Add transport termination function pointer
As the dcesrv_terminate_connection function will be moved to the shared
rpc server core library, hide the stream_terminate_connection call behind
a function pointer.

The s3 implementation will define its own termination function.

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2019-10-18 16:07:37 +00:00