1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00
Commit Graph

2796 Commits

Author SHA1 Message Date
Joseph Sutton
240b082dc4 s4:rpc_server: Check return values of gnutls functions (CID 1452111)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-13 02:18:31 +00:00
Joseph Sutton
ca2a97b729 s4:rpc_server: Check mkdir() return value (CID 1034649)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-13 02:18:31 +00:00
Volker Lendecke
768990ec4d rpc_netlogon4: Simplify dcesrv_netr_ServerAuthenticate3_helper()
Use a switch/case statement instead of a if/else chain. Easier to read
to me.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-10-10 23:23:40 +00:00
Volker Lendecke
7bc1fa707d lsa_srv4: Fix a typo
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-10-10 23:23:40 +00:00
Andrew Bartlett
3cf1beed5d CVE-2023-42669 s4-rpc_server: Disable rpcecho server by default
The rpcecho server is useful in development and testing, but should never
have been allowed into production, as it includes the facility to
do a blocking sleep() in the single-threaded rpc worker.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15474

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2023-10-10 14:49:39 +00:00
Joseph Sutton
8b496331b9 s4:rpc_server: Use Builtin SID constant
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-27 02:43:28 +00:00
Joseph Sutton
7e62f3921f s4:rpc_server: Switch to using smb_krb5_princ_component()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-14 21:35:29 +00:00
Joseph Sutton
36ccc9cf26 s4:rpc_server: Fix code spelling
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-11 02:42:41 +00:00
Andreas Schneider
8d85b9987e s4:rpc_server: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-14 21:45:29 +00:00
Joseph Sutton
d175550162 s4:rpc_server: Fix code spelling
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-14 04:57:34 +00:00
Andrew Bartlett
79ca6ef28a s4-rpc_server/drsupai: Avoid looping with Azure AD Connect by not incrementing temp_highest_usn for the NC root
We send the NC root first, as a special case for every chunk
that we send until the natural point where it belongs.

We do not bump the tmp_highest_usn in the highwatermark that
the client and server use (it is meant to be an opauqe cookie)
until the 'natural' point where the object appears, similar
to the cache for GET_ANC.

The issue is that without this, because the NC root was sorted
first in whatever chunk it appeared in but could have a 'high'
highwatermark, Azure AD Connect will send back the same
new_highwatermark->tmp_highest_usn, and due to a bug,
a zero reserved_usn, which makes Samba discard it.

The reserved_usn is now much less likely to ever be set because
the tmp_higest_usn is now always advancing.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15401

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-08-13 21:59:29 +00:00
Andrew Bartlett
17359afa62 s4-rpc_server/drsuapi: Ensure logs show DN for replicated objects, not (null)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15407
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15401

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-08-13 21:59:29 +00:00
Andrew Bartlett
2aba9e230e s4-rpc_server/drsuapi: Update getnc_state to be != NULL
This is closer to our READDME.Coding style

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15401

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-08-13 21:59:29 +00:00
Andrew Bartlett
2ed9815eea s4-rpc_server/drsuapi: Rename ncRoot -> untrusted_ncRoot to avoid misuse
Because of the requirement to echo back the original string, we can
not force this to be a trustworthy value.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15401

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-08-13 21:59:29 +00:00
Andrew Bartlett
548f141f11 s4-rpc_server/drsuapi: Avoid modification to ncRoot input variable in GetNCChanges
This tries to avoid it appearing that ncRoot is a value that can
be trusted and used internally by not updating it and instead leaving
it just as an input/echo-back value.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15401

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-08-13 21:59:29 +00:00
Andrew Bartlett
fe7418e176 s4-rpc_server/drsuapi: Fix indentation in GetNCChanges()
This avoids the indentation correction being in the previous patch.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15401

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-08-13 21:59:29 +00:00
Andrew Bartlett
99579e7063 s4-rpc_server/drsuapi: Only keep and invalidate replication cycle state for normal replication
This changes the GetNCChanges server to use a per-call state for
extended operations like RID_ALLOC or REPL_OBJ and only maintain
and (more importantly) invalidate the state during normal replication.

This allows REPL_OBJ to be called during a normal replication cycle
that continues using after that call, continuing with the same
highwatermark cookie.

Azure AD will do a sequence of (roughly)

* Normal replication (objects 1..100)
* REPL_OBJ (of 1 object)
* Normal replication (objects 101..200)

However, if there are more than 100 (in this example) objects in the
domain, and the second replication is required, the objects 1..100
are sent, as the replication state was invalidated by the REPL_OBJ call.

RN: Improve GetNChanges to address some (but not all "Azure AD Connect")
syncronisation tool looping during the initial user sync phase.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15401

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-08-13 21:59:29 +00:00
Andrew Bartlett
0550e469ed s4-rpc_server/drsuapi: Remove rudundant check for valid and non-NULL ncRoot_dn
This check was valuable before aee2039e63
but now only checks things we know to be true, as the value has come
from Samba via drs_ObjectIdentifier_to_dn_and_nc_root() either on this
or a previous call.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15401

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-08-13 21:59:29 +00:00
Andrew Bartlett
a12bcce89d s4-rpc_server/drsuapi: Improve debug message for drs_ObjectIdentifier_to_dn_and_nc_root() failure
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15401

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-08-13 21:59:29 +00:00
Andrew Bartlett
d0c1ce53ad s4-rpc_server/drsuapi: Improve debugging of invalid DNs
This is still unreachable, so but improve the logging
to give more detail in this area anyway.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15401

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-08-13 21:59:29 +00:00
Andrew Bartlett
0d9ea6c559 s4-rpc_server/drsuapi: Add tmp_highest_usn tracking to replication log
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15401

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-08-13 21:59:29 +00:00
Joseph Sutton
56561fd045 s4:rpc_server: Fix typo
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:38 +00:00
Joseph Sutton
29c927054d s4:rpc_server: Remove unnecessary parentheses
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:38 +00:00
Joseph Sutton
2e1adcfc2d s4:rpc_server/backupkey: Fix leaks
Allocate these objects on a shorter-lived memory context.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:38 +00:00
Joseph Sutton
68bf480b9c s4:rpc_server: Add missing newlines to logging messages
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:38 +00:00
Joseph Sutton
ebfa5ff6a1 s4:rpc_server/backupkey: Fix code spelling
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:37 +00:00
Joseph Sutton
13a04d6791 s4:rpc_server: Add missing newlines to debugging messages
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:37 +00:00
Andrew Bartlett
9b4f3f3cb4 s4-rpc_server/backupkey: Use samdb_system_container_dn() in get_lsa_secret()
This is now exactly the same actions, but just uses common code to do it.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9959

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-07-31 06:18:33 +00:00
Andrew Bartlett
13eed1e0e7 s4-rpc_server/backupkey: Use samdb_system_container_dn() in set_lsa_secret()
This is now exactly the same actions, but just uses common code to do it.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9959

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-07-31 06:18:33 +00:00
Andrew Bartlett
a900f6aa5d s4-rpc_server/netlogon: Use samdb_system_container_dn() in fill_trusted_domains_array()
This is now exactly the same actions, but just uses common code to do it.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9959

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-07-31 06:18:33 +00:00
Andrew Bartlett
4e18066fa2 s4-rpc_server/lsa: Use samdb_system_container_dn() in dcesrv_lsa_get_policy_state()
This is now exactly the same actions, but just uses common code to do it.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9959

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-07-31 06:18:33 +00:00
Arvid Requate
2d461844a2 Bug #9959: Don't search for CN=System
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9959

Signed-off-by: Arvid Requate <requate@univention.de>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-07-31 06:18:32 +00:00
Arvid Requate
b6e80733c3 For Bug #9959: local talloc frame for next commit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9959

Signed-off-by: Arvid Requate <requate@univention.de>

[abartlet@samba.org Added additional talloc_free() in failure paths]
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-07-31 06:18:32 +00:00
Stefan Metzmacher
d5f1097b62 s4:rpc_server:netlogon: generate FAULT_INVALID_TAG for invalid netr_LogonGetCapabilities levels
This is important as Windows clients with KB5028166 seem to
call netr_LogonGetCapabilities with query_level=2 after
a call with query_level=1.

An unpatched Windows Server returns DCERPC_NCA_S_FAULT_INVALID_TAG
for query_level values other than 1.
While Samba tries to return NT_STATUS_NOT_SUPPORTED, but
later fails to marshall the response, which results
in DCERPC_FAULT_BAD_STUB_DATA instead.

Because we don't have any documentation for level 2 yet,
we just try to behave like an unpatched server and
generate DCERPC_NCA_S_FAULT_INVALID_TAG instead of
DCERPC_FAULT_BAD_STUB_DATA.
Which allows patched Windows clients to keep working
against a Samba DC.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-17 06:37:31 +00:00
Andrew Bartlett
eda1022b59 crypto: Rely on GnuTLS 3.6.13 and gnutls_pbkdf2()
This removes a lot of inline #ifdef and means this feature is always tested.

We can do this as we have chosen GnuTLS 3.6.13 as the new minimum version.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-06-30 14:00:38 +00:00
Joseph Sutton
ca9d27ae99 auth: Add functionality to log client and server policy information
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-25 23:29:32 +00:00
Björn Jacke
659e88544a dcesrv_drsuapi.c:use DBG* macros instead of static log level numbers
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-16 20:28:29 +00:00
Andrew Bartlett
9aa440d52d s4-rpc_server: Filter via dsdb_dc_functional_level() before we are returning a lookup directly
Otherwise, punt to winbindd to see if another DC has this capability.

This allows a FL2008-emulating DC to forward a request to a
2012R2-emlating DC, particularly in another domain.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed May 31 04:59:01 UTC 2023 on atb-devel-224
2023-05-31 04:59:01 +00:00
Joseph Sutton
5dfb090d9c s4:rpc_server/samr: Log correct authentication description for samr_ChangePasswordUser2()
We would unconditionally log "samr_ChangePasswordUser3", which was
misleading.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-29 22:32:28 +00:00
Joseph Sutton
6a3accec4c s4:rpc_server: Ensure EnumDomainUsers() doesn't return a NULL array
This is what source4/torture/rpc/samr.c:test_EnumDomainUsers_all() in
the test 'samba4.rpc.samr' expects, and allows that test to pass.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-04-12 13:52:32 +00:00
Joseph Sutton
6abc50c94e s4:rpc_server: Handle LDB_ERR_NO_SUCH_ATTRIBUTE when deleting group
This is what source4/torture/rpc/samr.c:test_AddGroupMember() in the
test 'samba4.rpc.samr' expects.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-04-12 13:52:32 +00:00
Joseph Sutton
f273dcf6c5 s4-drs: Don't skip over elements in uref_del_dest()
If we remove an element, we should not skip over the element following.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-04-12 13:52:31 +00:00
Joseph Sutton
c17e46a231 ldap: Make use of LDB_OID_COMPARATOR constants
These constants allow one to tell at a glance what search operation is
being performed.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-02-08 00:03:40 +00:00
Joseph Sutton
5147f011d9 auth: Shorten long SID flags combinations
The combination MANDATORY | ENABLED_BY_DEFAULT | ENABLED is very
commonly used, and introducing a shorter alias for it makes the code
clearer.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-02-08 00:03:39 +00:00
Joseph Sutton
e3fdb2d001 s4:kdc: Add resource SID compression
The domain-local groups that are added to the PAC of a service ticket
are now, if the service doesn't disclaim support for SID compression,
placed into the resource groups structure in PAC_LOGON_INFO.

In a TGS exchange directed to a KDC, rather than to a service, the
resource groups structure is simply copied into the updated PAC without
any processing being done.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-02-08 00:03:39 +00:00
Joseph Sutton
94cda2dfd5 auth: Exclude resource groups from a TGT
Resource group SIDs should only be placed into a service ticket, but we
were including them in all tickets. Now that we have access to the group
attributes, we'll filter out any groups with SE_GROUP_RESOURCE set if
we're creating a TGT.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-02-08 00:03:39 +00:00
Andrew Bartlett
0f2978bbc0 s4-drsuapi: Give an error that matches windows on destination_dsa_guid lookup failure
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10635

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Jan 31 13:43:54 UTC 2023 on atb-devel-224
2023-01-31 13:43:54 +00:00
Andrew Bartlett
1838f349c9 s4-drsuapi: Clarify role of drs_security_access_check_nc_root()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10635

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-01-31 12:50:33 +00:00
Andrew Bartlett
115a3a1044 s4-rpc_server: Pre-check destination_dsa_guid in GetNCChanges for validity
This allows our new tests to pass as these need to be checked first.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10635

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-01-31 12:50:33 +00:00
Andrew Bartlett
09ec6a1db2 s4-drsuapi: Use samdb_get_ntds_obj_by_guid() to find RODC in REPL_SECRET
We need to find the RODC per the destination_dsa_guid to mark the secrets as
having been replicated, and by using samdb_get_ntds_obj_by_guid() we are stricter
in the checks, as the RODC has to be the right objectClass (nTDSDSA) and under
the CN=Configuration partition.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10635

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-01-31 12:50:33 +00:00