1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

133817 Commits

Author SHA1 Message Date
Joseph Sutton
2ab15cf117 tests/krb5: Allow passing a pre-created certificate into _pkinit_req()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9612

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-19 01:47:34 +00:00
Joseph Sutton
b73a01eefd tests/krb5: Have the caller of create_certificate() fetch the CA certificate and private key
These are useful to keep around for other purposes.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9612

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-19 01:47:34 +00:00
Joseph Sutton
01196cc741 tests/krb5: Factor out a method to fetch the CA certificate and private key
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9612

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-19 01:47:34 +00:00
Joseph Sutton
ce9786748b tests/krb5: Factor out a method to create a certificate
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9612

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-19 01:47:34 +00:00
Joseph Sutton
db64b2762c s4:kdc: Add auth_data_reqd flag to SDBFlags
This is to adapt to Heimdal:

commit 3c4548025c0a239ff580e7974939185eadf1856b
Author: Nicolas Williams <nico@twosigma.com>
Date:   Sun Jun 4 22:54:03 2023 -0500

    hdb: Add auth-data-reqd flag

NOTE: This commit finally works again!

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-19 01:47:34 +00:00
Joseph Sutton
7340351097 third_party/heimdal_build: Make Heimdal version strings const
This is to adapt to Heimdal:

commit 997916e3f67d70bb52674829615c50455918fbb3
Author: Taylor R Campbell <campbell+heimdal@mumble.net>
Date:   Sun May 28 20:34:34 2023 +0000

    krb5: Make heimdal_version and heimdal_long_version const.

NOTE: THIS COMMIT WON’T COMPILE/WORK ON ITS OWN!

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-19 01:47:34 +00:00
Joseph Sutton
a25f549e9a third_party/heimdal: Import lorikeet-heimdal-202307040259 (commit 33d117b8a9c11714ef709e63a005d87e34b9bfde)
NOTE: THIS COMMIT WON’T COMPILE/WORK ON ITS OWN!

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-19 01:47:34 +00:00
Joseph Sutton
5bfccbb764 tests/krb5: Test Windows 2000 variant of PK-INIT
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-19 01:47:33 +00:00
Joseph Sutton
af97579f16 tests/krb5: Add ASN.1 definitions for Windows 2000 PK-INIT
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-19 01:47:33 +00:00
Joseph Sutton
ecc62bc120 tests/krb5: Add tests for PK-INIT Freshness Extension (RFC 8070)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-19 01:47:33 +00:00
Joseph Sutton
f7393da2c0 tests/krb5: Remove unused methods
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-19 01:47:33 +00:00
Joseph Sutton
97ead77767 tests/krb5: Check PAC_TYPE_CREDENTIAL_INFO PAC buffer
When PK-INIT is performed, check that the buffer is as expected and
contains the correct NT hash.

The PK-INIT tests now pass against Windows Server 2019.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14985

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-19 01:47:33 +00:00
Joseph Sutton
3ea1c55921 tests/krb5: Add PK-INIT testing framework
To run these tests standalone, you will need the certificate and private
key of the Certificate Authority. These can be specified together in the
same file with the environment variable CA_CERT, or the private key may
be specified in its own file with CA_PRIVATE_KEY.

If either of these files are encrypted, you can specify the password in
the environment variable CA_PASS.

These tests create a new certificate for the user account, signed with
the private key of the Certificate Authority. We negotiate the reply key
with either of the public-key and Diffie-Hellman PK-INIT variants, and
use the reply key to decrypt the enc-part in the response. We also check
that the KDC’s signatures are valid.

Most of the failures with the Heimdal KDC are due to the wrong nonce
being returned in the reply compared to Windows, which issue is simple
enough to correct.

An example command line for manual testing against Windows:
SMB_CONF_PATH=ad_dc.conf KRB5_CONFIG=krb5.conf SERVICE_USERNAME=win2k19-dc.example.com ADMIN_USERNAME=Administrator ADMIN_PASSWORD=locDCpass ADMIN_KVNO=1 FOR_USER=Administrator USERNAME=Administrator PASSWORD=locDCpass DC_SERVER=win2k19-dc.example.com SERVER=win2k19-dc.example.com DOMAIN=example REALM=example.com PYTHONPATH=bin/python STRICT_CHECKING=1 FAST_SUPPORT=1 CLAIMS_SUPPORT=1 COMPOUND_ID_SUPPORT=1 TKT_SIG_SUPPORT=1 FULL_SIG_SUPPORT=1 GNUTLS_PBKDF2_SUPPORT=1 EXPECT_PAC=1 EXPECT_EXTRA_PAC_BUFFERS=1 CHECK_CNAME=1 CHECK_PADATA=1 KADMIN_IS_TGS=0 FORCED_RC4=1 DEFAULT_ETYPES=36 CA_CERT=./win2k19-ca.pfx CA_PASS=1234 python3 python/samba/tests/krb5/pkinit_tests.py

To set up windows for this I first installed an Certificate Authority with an Enterprise CA.
Then I exported the private key and certificate of the CA:

1. go into the Certification Authority snap-in for the relevant computer,
2. right-clicking the CA
3. clicking ‘All Tasks’ → ‘Back up CA...’
4. and exporting the private key and CA certificate.

(I downloaded the resulting file via smbclient).

After setting up an Enterprise CA, I also needed to edit the domain
controller GPO to enable auto-enrollment, otherwise Windows would
refuse to accept as legitimate any certificates provided by the client.

That can be done by first enabling the policy:
 ‘Computer Configuration/Policies/Windows Settings/Security Settings/Public Key Policies/Certificate Services Client — Auto-Enrollment’,
and then ticking both ‘Renew expired certificates…’ and ‘Update certificates…’)

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-19 01:47:33 +00:00
Joseph Sutton
699d211084 tests/krb5: Allow KerberosCredentials to have associated RSA private key
This is needed for PK-INIT testing.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-19 01:47:33 +00:00
Joseph Sutton
7584e7a3a1 tests/krb5: Add helper methods for PK-INIT testing
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-19 01:47:33 +00:00
Joseph Sutton
7f9547fda7 tests/krb5: Refactor encryption type selection
Add and use some methods to calculate the highest supported AES and RC4
encryption types, respectively.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-19 01:47:33 +00:00
Joseph Sutton
ef9ffbacb9 tests/krb5: Add PK-INIT ASN1 definitions and include licence
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-07-19 01:47:33 +00:00
Joseph Sutton
477fbd7bb4 tests/krb5: Add PKINIT pre-authentication types
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-19 01:47:33 +00:00
Joseph Sutton
8a0bde46a2 tests/krb5: Add PKINIT typed data errors
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-19 01:47:33 +00:00
Joseph Sutton
d818ed644a tests/krb5: Add PKINIT error codes
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-19 01:47:33 +00:00
Joseph Sutton
7d2c267ae1 s4:kdc: Fix wrong debug message
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-19 01:47:33 +00:00
Joseph Sutton
97cde6f97b tests/krb5: Remove unused variables
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-19 01:47:33 +00:00
Andreas Schneider
7d2c68f2e2 s3:nmbd: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Jul 17 12:41:21 UTC 2023 on atb-devel-224
2023-07-17 12:41:21 +00:00
Andreas Schneider
0ff51f86a6 s3:nmbd: Fix trailing white spaces in nmbd_incomingrequests.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-17 11:46:29 +00:00
Andreas Schneider
4e1f1a8ace s3:nmbd: Fix trailing white spaces in nmbd_incomingdgrams.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-17 11:46:29 +00:00
Andreas Schneider
6c2338f36c s3:nmbd: Fix trailing white spaces in nmbd.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-17 11:46:29 +00:00
Andreas Schneider
856b5abc95 s3:modules: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-17 11:46:29 +00:00
Andreas Schneider
1d2ec674a7 s3:modules: Remove fruit:ressource option with incorrect spelling
The plan was to remove it in 4.7. I think it is safe to remove it with
4.19.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-17 11:46:29 +00:00
Andreas Schneider
005a78ee7f s3:modules: Remove trailing white spaces of README.nfs4acls.txt
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-17 11:46:29 +00:00
Andreas Schneider
b64308f2a4 s3:modules: Remove trailing white spaces of vfs_hpuxacl.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-17 11:46:29 +00:00
Andreas Schneider
b746f77732 s3:locking: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-17 11:46:29 +00:00
Andreas Schneider
f64add9947 s3:librpc: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-17 11:46:29 +00:00
Andreas Schneider
7f033268c8 wscript: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-17 11:46:29 +00:00
Andreas Schneider
f9107c55a8 examples: Remove outdated validchars
I don't think we even look into this anymore and have other tests in
place.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-17 11:46:29 +00:00
Andreas Schneider
573e5e06f8 example: Remove outdated config files from tridge
I don't think he still runs Windows 95 ...

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-17 11:46:29 +00:00
Stefan Metzmacher
dfeabce44f s3:rpc_server:netlogon: generate FAULT_INVALID_TAG for invalid netr_LogonGetCapabilities levels
This is important as Windows clients with KB5028166 seem to
call netr_LogonGetCapabilities with query_level=2 after
a call with query_level=1.

An unpatched Windows Server returns DCERPC_NCA_S_FAULT_INVALID_TAG
for query_level values other than 1.
While Samba tries to return NT_STATUS_NOT_SUPPORTED, but
later fails to marshall the response, which results
in DCERPC_FAULT_BAD_STUB_DATA instead.

Because we don't have any documentation for level 2 yet,
we just try to behave like an unpatched server and
generate DCERPC_NCA_S_FAULT_INVALID_TAG instead of
DCERPC_FAULT_BAD_STUB_DATA.
Which allows patched Windows clients to keep working
against a Samba DC.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Jul 17 07:35:09 UTC 2023 on atb-devel-224
2023-07-17 07:35:09 +00:00
Stefan Metzmacher
d5f1097b62 s4:rpc_server:netlogon: generate FAULT_INVALID_TAG for invalid netr_LogonGetCapabilities levels
This is important as Windows clients with KB5028166 seem to
call netr_LogonGetCapabilities with query_level=2 after
a call with query_level=1.

An unpatched Windows Server returns DCERPC_NCA_S_FAULT_INVALID_TAG
for query_level values other than 1.
While Samba tries to return NT_STATUS_NOT_SUPPORTED, but
later fails to marshall the response, which results
in DCERPC_FAULT_BAD_STUB_DATA instead.

Because we don't have any documentation for level 2 yet,
we just try to behave like an unpatched server and
generate DCERPC_NCA_S_FAULT_INVALID_TAG instead of
DCERPC_FAULT_BAD_STUB_DATA.
Which allows patched Windows clients to keep working
against a Samba DC.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-17 06:37:31 +00:00
Stefan Metzmacher
404ce08e90 s4:torture/rpc: let rpc.schannel also check netr_LogonGetCapabilities with different levels
The important change it that we expect DCERPC_NCA_S_FAULT_INVALID_TAG
for unsupported query_levels, we allow it to work with servers
with or without support for query_level=2.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-17 06:37:31 +00:00
Stefan Metzmacher
5f87888ed5 netlogon.idl: add support for netr_LogonGetCapabilities response level 2
We don't have any documentation about this yet, but tests against
a Windows Server 2022 patched with KB5028166 revealed that
the response for query_level=2 is exactly the same as
for querey_level=1.

Until we know the reason for query_level=2 we won't
use it as client nor support it in the server, but
we want ndrdump to work.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-17 06:37:31 +00:00
Andreas Schneider
5a5cccce24 s3:libsmb: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Jul 13 06:34:01 UTC 2023 on atb-devel-224
2023-07-13 06:34:01 +00:00
Andreas Schneider
939ec7ea46 s3:libads: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
2023-07-13 05:41:36 +00:00
Andreas Schneider
71b40127e1 s3:lib: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
2023-07-13 05:41:36 +00:00
Andreas Schneider
09d2e58986 s3:include: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
2023-07-13 05:41:36 +00:00
Andreas Schneider
ba5b1f633a s3:include: Remove trailing whitepaces in MacExtensions.h
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
2023-07-13 05:41:36 +00:00
Andreas Schneider
929ed4800c python:tests: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
2023-07-13 05:41:36 +00:00
Andreas Schneider
bb0297dadc python: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
2023-07-13 05:41:36 +00:00
Andreas Schneider
3d4235eb60 examples: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
2023-07-13 05:41:36 +00:00
Andreas Schneider
acd846aac4 examples: Make codespell happy
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
2023-07-13 05:41:36 +00:00
Douglas Bagnall
05e2ec1d8b configure: ensure sizeof(int) >= 4
There are multiple places we make this assumption. For example, in
source3/lib/tldap.c, we have this line

      if (ld->msgid == 2147483647) {

where ld->msgid is an int. And in librpc/idl/security.idl we have
several lines like:

      const int SEC_MASK_GENERIC        = 0xF0000000;

In lib/replace/inet_pton.c and inet_ntop.c we have

  /*
   * WARNING: Don't even consider trying to compile this on a system where
   * sizeof(int) < 4.  sizeof(int) > 4 is fine; all the world's not a VAX.
   */

but no attempt to enforce that as far as I can see, until now.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Jul 11 22:44:15 UTC 2023 on atb-devel-224
2023-07-11 22:44:15 +00:00
Martin Schwenke
230f8db40f docs-xml: Fix script idmap backend documentation
This was clearly copied from the tdb2 backend and incompletely edited.

Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Mon Jul 10 23:47:12 UTC 2023 on atb-devel-224
2023-07-10 23:47:12 +00:00