1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

2125 Commits

Author SHA1 Message Date
Andrew Bartlett
55147335ae CVE-2021-20251 auth4: Split authsam_calculate_lastlogon_sync_interval() out
authsam_calculate_lastlogon_sync_interval() is split out of authsam_update_lastlogon_timestamp()

Based on work by Gary Lockyer <gary@catalyst.net.nz>

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-09-12 23:07:37 +00:00
Gary Lockyer
b954acfde2 CVE-2021-20251 auth4: Return only the result message and free the surrounding result
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-09-12 23:07:37 +00:00
Andrew Bartlett
4a9e0fdccf CVE-2021-20251 auth4: Add missing newline to debug message on PSO read failure
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-09-12 23:07:37 +00:00
Andrew Bartlett
de4cc0a3da CVE-2021-20251 s4 auth: make bad password count increment atomic
Ensure that the bad password count is incremented atomically,
and that the successful logon accounting data is updated atomically.

Use bad password indicator (in a distinct TDB) to determine if to open a transaction

We open a transaction when we have seen the hint that this user
has recorded a bad password.  This allows us to avoid always
needing one, while not missing a possible lockout.

We also go back and get a transation if we did not take out
one out but we chose to do a write (eg for lastLogonTimestamp)

Based on patches by Gary Lockyer <gary@catalyst.net.nz>

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-09-12 23:07:37 +00:00
Gary Lockyer
d6cf245b96 CVE-2021-20251 s4 auth test: Unit tests for source4/auth/sam.c
cmocka unit tests for the authsam_reread_user_logon_data in
source4/auth/sam.c

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-09-12 23:07:37 +00:00
Andrew Bartlett
7b8e32efc3 CVE-2021-20251 auth4: Reread the user record if a bad password is noticed.
As is, this is pointless, as we need a transaction to make this
any less of a race, but this provides the steps towards that goal.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-09-12 23:07:37 +00:00
Gary Lockyer
408717242a CVE-2021-20251 s4 auth: Prepare to make bad password count increment atomic
To ensure that the bad password count is incremented atomically,
and that the successful logon accounting data is updated atomically,
without always opening a transaction, we will need to make a note
of all bad and successful passwords in a side-DB outside the
transaction lock.

This provides the functions needed for that and hooks them in
(future commits will handle errors and use the results).

Based on patches by Gary Lockyer <gary@catalyst.net.nz>

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-09-12 23:07:37 +00:00
Andreas Schneider
b475e02066 s4:gensec: Do not link subsystems against dlopen() modules!
This is not a shared library. This only worked because we use
'--as-needed' as linker option.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-09-08 22:34:36 +00:00
Joseph Sutton
0d8995910f CVE-2022-2031 s4:auth: Use PAC to determine whether ticket is a TGT
We use the presence or absence of a REQUESTER_SID PAC buffer to
determine whether the ticket is a TGT. We will later use this to reject
TGTs where a service ticket is expected.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-07-27 10:52:36 +00:00
Joseph Sutton
6a10e890a0 CVE-2022-2031 auth: Add ticket type field to auth_user_info_dc and auth_session_info
This field may be used to convey whether we were provided with a TGT or
a non-TGT. We ensure both structures are zeroed out to avoid incorrect
results being produced by an uninitialised field.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-07-27 10:52:36 +00:00
Joseph Sutton
bbfbbb9f64 CVE-2022-2031 gensec_krb5: Add helper function to check if client sent an initial ticket
This will be used in the kpasswd service to ensure that the client has
an initial ticket to kadmin/changepw, and not a service ticket.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-07-27 10:52:36 +00:00
Andrew Bartlett
6029e2250c s4-auth: For LDAP simple bind, fall back to checking the ENCTYPE_AES256_CTS_HMAC_SHA1_96 if stored
Since we don't store a salt per-key, but only a single salt, when we do
not have the NT hash in the unicodePwd (eg ntlm auth = disabled), the check
will fail for a previous password if the account was renamed prior to a
newer password being set.

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-06-26 22:10:29 +00:00
Joseph Sutton
48bff3c44f dsdb/common: Make some parameters const
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-06-14 07:21:29 +00:00
Joseph Sutton
feb36dbebf lib/util: Change function to mem_equal_const_time()
Since memcmp_const_time() doesn't act as an exact replacement for
memcmp(), and its return value is only ever compared with zero, simplify
it and emphasize the intention of checking equality by returning a bool
instead.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-06-09 22:49:29 +00:00
Joseph Sutton
ae6634c787 auth: Use constant-time memcmp when comparing sensitive buffers
This helps to avoid timing attacks.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15010

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-06-09 22:49:29 +00:00
Andrew Bartlett
d7a91a855c s4-auth: Remove last traces of LanMan authentiation support in the AD DC.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Mar 29 03:32:57 UTC 2022 on sn-devel-184
2022-03-29 03:32:57 +00:00
Andrew Bartlett
86f7e4e690 s4-auth: Only build auth_developer module in developer mode
This is a silly module for provoking NTSTATUS replies for testing and
was useful many moons ago for determining the NTSTATUS -> DOS table that
windows uses.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-03-29 02:33:34 +00:00
Andrew Bartlett
360bb864e9 s4-auth: Do not trigger RODC replication unless missing all passwords
With the NT hash becoming optional we cannot make blind assumptions that
a missing value means we are on an RODC needing the password replicated.

Instead, check for supplementalCredentials as well.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-03-29 02:33:34 +00:00
Andrew Bartlett
1884bc11f0 s4-auth: Remove unused acct_flags parameter
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-03-29 02:33:34 +00:00
Joseph Sutton
16a7ce0cdf s4:auth: Disable NTLM authentication for Protected Users
We also move the authentication to after checking whether the user is
protected, so that if a user in the Protected Users group tries to
authenticate with a wrong password, the bag password count is not
incremented and the account is not locked out. This does not match
MS-APDS, but matches the behaviour of Windows.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-03-18 11:55:30 +00:00
Andrew Bartlett
f161e3f18f dsdb: Remove parsing of LM password hash from "dBCSPwd" attribute
This means Samba will essentially ignore this attribute, not even attempting
to read it from the AD DC sam.ldb

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-03-17 01:57:38 +00:00
Andrew Bartlett
6aaa124563 s4-auth: Do not supply the LM hash to the AD DC authentication code
This still passes in the value in the LM field for checking
in case it is an NT response or LMv2.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-03-17 01:57:38 +00:00
Andrew Bartlett
2dbc8b9843 s4-auth: Disable LM authenticaton in the AD DC despite "lanman auth = yes"
LM authentication is very weak and a very bad idea, so has been deprecated since
Samba 4.11.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-03-17 01:57:38 +00:00
Stefan Metzmacher
40f2070d3b s4:auth: let authenticate_ldap_simple_bind() pass down the mapped nt4names
authenticate_ldap_simple_bind*() needs to pass the
result of the cracknames operation into the auth stack
as user_info->client.{account,domain}_name, because
user_info->client.{account,domain}_name is also used
when forwarding the request via netrLogonSamLogon*
to a remote server, for exactly that the values are
also used in order to map a AUTH_PASSWORD_PLAIN into
AUTH_PASSWORD_RESPONSE, where the NTLMv2 response
contains the account and domain names passed in the
netr_IdentityInfo value.

Otherwise it would not be possible to forward the
LDAP simple bind authentication request to a remote
DC.

Currently this only applies to an RODC that forwards
the request to an RWDC.

But note that LDAP simple binds (as on Windows) only
work for users in the DCs forest, as the DsCrackNames
need to work and it can't work for users of remote
forests. I tested that in a DC of a forest root domain,
if rejected the LDAP simple bind against a different forest,
but allowed it for a users of a child domain in the
same forest. The NTLMSSP bind worked in both cases.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Mar 10 04:10:54 UTC 2022 on sn-devel-184
2022-03-10 04:10:54 +00:00
Stefan Metzmacher
427125d182 s4:auth: rename user_info->mapped_state to user_info->cracknames_called
This makes it much clearer what it is used for and
it is a special hack for authenticate_ldap_simple_bind_send()
in order to avoid some additional work in
authsam_check_password_internals().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-03-10 03:16:35 +00:00
Stefan Metzmacher
a12683bd12 s4:auth: fix confusing DEBUG message in authsam_want_check()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-03-10 03:16:35 +00:00
Stefan Metzmacher
c7b8c71b2b s4:auth: check for user_info->mapped.account_name if it needs to be filled
mapped_state is a special hack for authenticate_ldap_simple_bind_send()
in order to avoid some additional work in authsam_check_password_internals().

But that code will be changed in the next commits, so we can simplify
the logic and only check for user_info->mapped.account_name being NULL.
As it's the important factor that user_info->mapped.account_name is
non-NULL down in the auth stack.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-03-10 03:16:35 +00:00
Stefan Metzmacher
a6fb598d9d s4:auth: encrypt_user_info() should set password_state instead of mapped_state
user_info->mapped_state has nothing to do with enum auth_password_state,
user_info->password_state is the one that holds the auth_password_state value.

Luckily user_info->password_state was never referenced in the
encrypt_user_info() callers.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-03-10 03:16:35 +00:00
Stefan Metzmacher
31db704882 s4:auth: a simple bind uses the DCs name as workstation
I've seen that in LogonSamLogonEx request triggered
by a simple bind with a user of a trusted domain
within the same forest. Note simple binds don't
work with users for another forest/external domain,
as the DsCrackNames call on the bind_dn fails.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14641

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-03-10 03:16:35 +00:00
Stefan Metzmacher
2ad4468622 s4:auth_sam: use USER_INFO_INTERACTIVE_LOGON as inducation for an interactive logon
Using != AUTH_PASSWORD_RESPONSE is not the correct indication
due to the local mappings from AUTH_PASSWORD_PLAIN via
AUTH_PASSWORD_HASH to AUTH_PASSWORD_RESPONSE.

It means an LDAP simble bind will now honour
'old password allowed period'.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15001

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-03-10 03:16:35 +00:00
Andreas Schneider
41ffba1302 s4:auth: Also look up msDS-AllowedToActOnBehalfOfOtherIdentity for RBCD
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-03-04 14:05:31 +00:00
Andreas Schneider
1a4d43d38e s4:auth: Remove trailing spaces in sam.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-03-04 14:05:31 +00:00
Isaac Boukris
ea15ecfe4d krb5-mit: Enable S4U client support for MIT build
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-03-04 14:05:31 +00:00
Stefan Metzmacher
f6fe86924c s4:sam: Don't use talloc_steal for msg attributes in authsam_make_user_info_dc()
This is most likely not a problem for the current callers,
but that it is unexpected and will likely cause problems with future
changes.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14993
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-03-01 17:11:35 +00:00
Douglas Bagnall
309f198226 s4/auth/simple_bind: correctly report TLS state
It went wrong in 366f8cf090

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Jan 26 12:39:52 UTC 2022 on sn-devel-184
2022-01-26 12:39:52 +00:00
Stefan Metzmacher
eb5c3bb951 s4:kerberos: adapt the heimdal send_to_kdc hooks to the send_to_kdc/realm plugin interface
With the recent heimdal upgrade we better try to use the send_to_realm()
hooks as it allows us to handle the KDC lookup as well as only getting
each logical request just once in the testing code, which makes it
let dependend on the heimdal internal kdc lookup logic.

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2022-01-19 20:50:35 +00:00
Andrew Bartlett
6395cbe32b s4:kerberos: adjust smb_krb5_debug_wrapper() to embedded heimdal
In future we need a real configure check for Heimdal 8.

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-01-19 20:50:35 +00:00
Stefan Metzmacher
84b76270ce s4:auth: debug make_user_info_dc_pac() failures in kerberos_pac_to_user_info_dc()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2022-01-17 20:05:32 +00:00
Andrew Bartlett
e2b7a2f781 s4-auth: Remove unused headers
These changes were submitted in a patch by
Stefan Metzmacher <metze@samba.org> in his lorikeet-heimdal
import branch of patches to upgrade to a modern Heimdal.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Dec  9 14:14:12 UTC 2021 on sn-devel-184
2021-12-09 14:14:12 +00:00
Douglas Bagnall
039f876c4e s4/auth/gensec/gensec_krb5_heimdal: use utf-8
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Ralph Boehme <slow@samba.org>
2021-11-17 04:36:37 +00:00
Andrew Bartlett
b176ddba2a CVE-2020-25718 kdc: Confirm the RODC was allowed to issue a particular ticket
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2021-11-09 19:45:34 +00:00
Stefan Metzmacher
935feff8e5 CVE-2020-25719 CVE-2020-25717: s4:auth: remove unused auth_generate_session_info_principal()
We'll require a PAC at the main gensec layer already.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:33 +00:00
Alexander Bokovoy
e2d5b4d709 CVE-2020-25717: Add FreeIPA domain controller role
As we want to reduce use of 'classic domain controller' role but FreeIPA
relies on it internally, add a separate role to mark FreeIPA domain
controller role.

It means that role won't result in ROLE_STANDALONE.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Alexander Bokovoy <ab@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:33 +00:00
Stefan Metzmacher
76ec5f9409 CVE-2020-25717: s4:auth_simple: start with authoritative = 1
This is not strictly needed, but makes it easier to audit
that we don't miss important places.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:32 +00:00
Stefan Metzmacher
0e23000f27 CVE-2020-25717: s4:auth/ntlm: make sure auth_check_password() defaults to r->out.authoritative = true
We need to make sure that temporary failures don't trigger a fallback
to the local SAM that silently ignores the domain name part for users.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:32 +00:00
Joseph Sutton
6818d20489 pygensec: Don't modify Python bytes objects
gensec_update() and gensec_unwrap() can both modify their input buffers
(for example, during the inplace RRC operation on GSSAPI tokens).
However, buffers obtained from Python bytes objects must not be modified
in any way. Create a copy of the input buffer so the original isn't
modified.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 22:28:33 +00:00
Joseph Sutton
814df05f8c pygensec: Fix memory leaks
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 22:28:33 +00:00
Stefan Metzmacher
0388a8f33b gensec_krb5: restore ipv6 support for kpasswd
We need to offer as much space we have in order to
get the address out of tsocket_address_bsd_sockaddr().

This fixes a regression in commit
43c808f2ff.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14750

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-07-05 23:00:38 +00:00
Andreas Schneider
6fb3cd8d13 s4:auth: Check return code of cli_credentials_set_conf()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-06-29 02:19:35 +00:00
Andreas Schneider
2f700ebda6 s4:auth: Check return code of cli_credentials_set_conf()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-06-29 02:19:35 +00:00
Joseph Sutton
290c1dc097 python: Ensure reference counts are properly incremented
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2021-05-19 01:32:34 +00:00
Joseph Sutton
50ade4cadc pygensec: Fix method documentation
This changes the docstrings to use the correct method names.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2021-05-19 01:32:34 +00:00
Andreas Schneider
521f77c667 auth:creds: Add obtained arg to cli_credentials_set_kerberos_state()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-04-28 03:43:34 +00:00
Andrew Bartlett
fbf95a641b auth4: Remove unused auth_unix
auth_unix was in the source4/auth/ntlm for two reasons:
 - inherited from earlier Samba before the Samba4 fork
 - To support the ejs-backed SWAT (web administration tool)

Neither of these are good reasons to keep this unused code
around, there is very unlikely to be a need to support
plaintext PAM authentication in this part of the code in the
future.

See b16362fab6 for some
context on the historical use case.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Mon Apr 19 07:07:01 UTC 2021 on sn-devel-184
2021-04-19 07:07:01 +00:00
Volker Lendecke
254af19ba8 auth4: Remove sync check_password from auth_operations
Remove complexity in the data structures, and pushes the async-ness
one level down.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-04-16 09:38:35 +00:00
Volker Lendecke
f852fb4cd4 auth4: Make auth_sam pseudo-async
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-04-16 09:38:35 +00:00
Volker Lendecke
a6f42ab8a7 auth4: Make auth_unix pseudo-async
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-04-16 09:38:35 +00:00
Volker Lendecke
43a1e42815 auth4: Make auth_developer pseudo-async
This is a simpler approach to really just wrap the code.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-04-16 09:38:35 +00:00
Volker Lendecke
7595731368 auth4: Make auth_anonymous pseudo-async
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-04-16 09:38:35 +00:00
Andreas Schneider
02fe2d050d s4:gensec: Fix overflow issues in switch statement
error: overflow converting case value to switch condition type (-1765328344 to 2529638952) [-Werror,-Wswitch]

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-02-01 21:50:32 +00:00
Gary Lockyer
4e624478dc s4 auth ntlm: Fix integer overflow in authsam_password_check_and_record
Fix a ubsan detected integer overflow.
../../source4/auth/ntlm/auth_sam.c:445:56: runtime error:
     signed integer overflow: 60 * 600000000
     cannot be represented in type 'int'

In practice this meant that the default for the smb.conf parameter
"old password allowed period" was approximately 16 seconds, rather than
the intended 60 minutes. Similarly the value used would be 22.5 times
less than the value specified in smd.conf.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Jan 13 23:52:38 UTC 2021 on sn-devel-184
2021-01-13 23:52:38 +00:00
Volker Lendecke
e60c435744 auth4: Use global_sid_Anonymous
dom_sid_dup() is much simpler than dom_sid_parse_talloc()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-01-12 00:10:30 +00:00
Volker Lendecke
6b73ffb69d auth4: Use global_sid_System
dom_sid_dup() is much simpler than dom_sid_parse_talloc()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-01-12 00:10:30 +00:00
Volker Lendecke
fbe6c6cd11 auth: Fix a typo
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-01-08 20:31:33 +00:00
Volker Lendecke
04077435dc auth: Reformat a comment
Will fix a typo next

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-01-08 20:31:33 +00:00
Andreas Schneider
1298280a22 auth:creds: Rename CRED_USE_KERBEROS values
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2020-11-03 15:25:37 +00:00
Matthew DeVore
232054c09b lib/util: remove extra safe_string.h file
lib/util/safe_string.h is similar to source3/include/safe_string.h, but
the former has fewer checks. It is missing bcopy, strcasecmp, and
strncasecmp.

Add the missing elements to lib/util/safe_string.h remove the other
safe_string.h which is in the source3-specific path. To accomodate
existing uses of str(n?)casecmp, add #undef lines to source files where
they are used.

Signed-off-by: Matthew DeVore <matvore@google.com>
Reviewed-by: David Mulder <dmulder@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Aug 28 02:18:40 UTC 2020 on sn-devel-184
2020-08-28 02:18:40 +00:00
Andreas Schneider
59a1272a6c auth:creds: Remove unused credentials autoproto header
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2020-08-19 16:22:40 +00:00
Ralph Boehme
2327471756 lib: relicense smb_strtoul(l) under LGPLv3
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Swen Schillig <swen@linux.ibm.com>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Aug  3 22:21:04 UTC 2020 on sn-devel-184
2020-08-03 22:21:02 +00:00
Björn Baumbach
d72a512e0f pyauth: add python binding for auth_session_info_set_unix()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=14400

Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Ralph Boehme <slow@samba.org>
2020-06-05 10:32:31 +00:00
Björn Baumbach
bde136a280 s4-auth/unix_token: add new function auth_session_info_set_unix()
Used to fill the unix info in a struct auth_session_info similar to
auth_session_info_fill_unix().

The new auth_session_info_set_unix() receives the uid and gid for
the unix token as an parameter. It does not query the unix token from
winbind (via security_token_to_unix_token()).
This is useful to fill a user session info manually if winbind is not
available.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=14400

Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Ralph Boehme <slow@samba.org>
2020-06-05 10:32:31 +00:00
Björn Baumbach
d159b4c0a5 s4-auth/unix_token: separate out filling the unix_info elements in a struct session_info
Bug: https://bugzilla.samba.org/show_bug.cgi?id=14400

Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Ralph Boehme <slow@samba.org>
2020-06-05 10:32:31 +00:00
Gary Lockyer
13a2f70a4d Fix clang 9 missing-field-initializer warnings
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2020-05-08 09:31:31 +00:00
Gary Lockyer
f467727db5 CVE-2020-10704: lib util asn1: Add ASN.1 max tree depth
Add maximum parse tree depth to the call to asn1_init, which will be
used to limit the depth of the ASN.1 parse tree.

Credit to OSS-Fuzz

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20454
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14334

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-05-04 02:59:31 +00:00
Andrew Bartlett
5c1867ba45 py3: Remove #define PyInt_FromLong PyLong_FromLong
This allows us to end the use of Python 2/3 compatability macros.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Noel Power
2020-03-23 19:12:43 +00:00
Andrew Bartlett
f231a072d5 s4-auth: Allow simple bind login of a user with an @ in the samAccountName
LDAP Simple BIND authentications have already been mapped to a
DOMAIN\username pair and should not be mapped twice.

This appears to be a regression in 09e24ce40f
included in Samba 4.7.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13598

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Isaac Boukris <iboukris@samba.org>

Autobuild-User(master): Isaac Boukris <iboukris@samba.org>
Autobuild-Date(master): Fri Feb 14 17:13:33 UTC 2020 on sn-devel-184
2020-02-14 17:13:33 +00:00
Volker Lendecke
7e78d27542 gensec: Fix CID 1458419 Control flow issues (NO_EFFECT)
socklen_t can be unsigned

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Feb 14 13:42:26 UTC 2020 on sn-devel-184
2020-02-14 13:42:26 +00:00
Volker Lendecke
43c808f2ff gensec: Fix CID 1458421 OVERRUN
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2020-02-14 12:15:32 +00:00
Stefan Metzmacher
15d2130bad s4:gensec_krb5: remove unused argument of gensec_krb5_common_client_creds()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2020-02-10 16:32:37 +00:00
Stefan Metzmacher
8ec0e3194b s4:gensec_krb5: make use of talloc_zero() in gensec_krb5_start()
This is simpler and safter in case the structure gets new elements.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2020-02-10 16:32:37 +00:00
Stefan Metzmacher
a8ba35fa97 s4:gensec_krb5: make use of struct samba_sockaddr
This avoids some strict-aliasing warnings.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2020-02-10 16:32:37 +00:00
Ralph Boehme
d1b2254f45 s4/auth: use talloc_alpha_strcpy() in auth_session_info_fill_unix()
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2020-02-06 10:17:43 +00:00
Torsten Fohrer
f0eb1e623f Avoiding bad call flags with python 3.8, using METH_NOARGS instead of zero.
(C) SBE network solutions GmbH

Signed-off-by: Torsten Fohrer <torsten.fohrer@sbe.de>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Dec 18 14:33:58 UTC 2019 on sn-devel-184
2019-12-18 14:33:58 +00:00
Isaac Boukris
a5548af018 smbdes: convert E_P24() and SMBOWFencrypt to use gnutls
Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-12-10 00:30:30 +00:00
Isaac Boukris
2b88890ada krb5: move disabling dns-canon to lower level init calls
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Isaac Boukris <iboukris@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Nov 27 12:24:16 UTC 2019 on sn-devel-184
2019-11-27 12:24:16 +00:00
Isaac Boukris
d9d6ce6eca krb5: remove "set_dns_canonicalize" conf option
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Isaac Boukris <iboukris@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2019-11-27 10:25:38 +00:00
Andrew Bartlett
6107c79c90 build: Do not build selftest binaries for builds without --enable-selftest
Add new for_selftest option to SAMBA_BINARY() and SAMBA3_BINARY()

This allows us to be much more consistent (at least in the core Samba)
and documents clearly why the binary should not be installed.

Not modified are
 - test_lp_load
 - notifyd-tests
 - gendrandperf
 - test* from examples/libsmbclient
 - dbwrap_torture
 - split_tokens
 - locktest2
 - msgtest
 - msg_sink
 - msg_source
 - versiontest
 - rpc_open_tcp
 - test_headers

As these are not tested in selftest so any change would also be
untested.  Of course they probably should be added in a different
MR.

Also not modified (because they are not tests, nor part of the
build system) are:
 - smb2mount
 - notifydd
 - log2pacp
 - debug2html
 - smbfilter
 - destroy_netlogon_creds_cli
 - spotlight2*
 - tevent_glib_tracker

These do however appear to be untested.

For now, the source4 forked client tools are left unchanged:
 - smbclient4
 - nmblookup4

Finally, the heimdal binaries are left as install=False as
they are either part of the build system or end-user tools
that we just don't want to install.  These are however tested.

The motivation is commit like c34ec003b7
and da87fa998a, which are both totally
correct but are not needed if the selftest is not run on MacOS.

There are likely other platforms or build environments where building
our test binaries is more pain than valuable, see for example also
https://lists.samba.org/archive/samba/2019-November/227137.html

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Isaac Boukris <iboukris@samba.org>

Autobuild-User(master): Isaac Boukris <iboukris@samba.org>
Autobuild-Date(master): Fri Nov 22 11:48:59 UTC 2019 on sn-devel-184
2019-11-22 11:48:59 +00:00
Isaac Boukris
ad9016d579 kerberos: remove single DES enctypes from ENC_ALL_TYPES
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14202

Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-11-19 14:48:41 +00:00
Amitay Isaacs
93b9fc3da8 build: add missing crypt dependency for auth4_unix
Commit dc5788056b removed crypt library from replace.  This breaks the
build on fedora 30 ppc64.

  [2439/3956] Linking bin/default/source4/auth/ntlm/libauth4-samba4.so
  /usr/bin/ld: source4/auth/ntlm/auth_unix.c.5.o: in function `password_check':
  auth_unix.c:(.text+0x7e0): undefined reference to `crypt'

crypt library is required to build ntlm auth_unix.c.

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Amitay Isaacs <amitay@samba.org>
Autobuild-Date(master): Tue Nov 19 04:47:47 UTC 2019 on sn-devel-184
2019-11-19 04:47:47 +00:00
Volker Lendecke
8ec9e97666 auth: Simplify session generation
We don't need to parse a text sid, we have those as binary available

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2019-11-06 20:36:34 +00:00
Stefan Metzmacher
162b419949 s4:auth: kinit_to_ccache() should always use the canonicalized principal
We should always use krb5_get_init_creds_opt_set_canonicalize()
and krb5_get_init_creds_opt_set_win2k() for heimdal
and expect the client principal to be changed.

There's no reason to have a different logic between MIT and Heimdal.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2019-09-24 18:30:37 +00:00
Stefan Metzmacher
db8fd3d6a3 s4:auth: use the correct client realm in gensec_gssapi_update_internal()
The function gensec_gssapi_client_creds() may call kinit and gets
a TGT for the user. The principal provided by the user may not
be canonicalized. The user may use 'given.last@example.com'
but that may be mapped to glast@AD.EXAMPLE.PRIVATE in the background.

It means we should use client_realm = AD.EXAMPLE.PRIVATE
instead of client_realm = EXAMPLE.COM

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2019-09-24 18:30:37 +00:00
Noel Power
6f733b5891 s4/auth/kerberos: clang: Fix Value stored to 'code' is never read
Fixes:

source4/auth/kerberos/kerberos_util.c:645:3: warning: Value stored to 'code' is never read <--[clang]
                code = 0;
                ^      ~
1 warning generated.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-07-24 04:19:27 +00:00
Noel Power
765fc314e4 s4/auth/kerberos: clang: Fix 'value stored to 'ret' is never read '
Fixes:

source4/auth/kerberos/kerberos_pac.c:116:2: warning: Value stored to 'ret' is never read <--[clang]
        ret = smb_krb5_make_pac_checksum(mem_ctx,
        ^     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1 warning generated.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-07-24 04:19:27 +00:00
Douglas Bagnall
3d33e33626 s4/auth/py: avoid null deref with bad python arguments
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-07-22 22:20:26 +00:00
Douglas Bagnall
936c966207 s4/gensec/py: avoid null deref with bad python arguments
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-07-22 22:20:26 +00:00
Douglas Bagnall
57fc8b6c53 s4/auth/pygensec: don't segfault when reporting bad types
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-07-22 22:20:26 +00:00
Noel Power
d6c67f7c88 s4/auth/gensec: clang: Fix 'initialization value is never read'
Fixes:

source4/auth/gensec/gensec_gssapi.c:431:11: warning: Value stored to 'nt_status' during its initialization is never read <--[clang]
        NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
                 ^~~~~~~~~   ~~~~~~~~~~~~~~~~~~~~~~~
1 warning generated.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-07-11 04:08:13 +00:00
Andrew Bartlett
4f32983ea8 py3: Remove duplicated PyUnicode_Check() after the py3 compat macros were removed
This came about because in py2 we had to check for strings and unicode.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>

Autobuild-User(master): Noel Power <npower@samba.org>
Autobuild-Date(master): Mon Jun 24 18:48:53 UTC 2019 on sn-devel-184
2019-06-24 18:48:53 +00:00
Andrew Bartlett
f32779b198 py3: Remove PyStr_AsUTF8AndSize() compatability macro
We no longer need Samba to be py2/py3 compatible so we choose to return to the standard
function names.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>
2019-06-24 17:24:27 +00:00