1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

1813 Commits

Author SHA1 Message Date
Joseph Sutton
1137ebc654 sddl: Remove SDDL SID strings unsupported by Windows
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-03-17 23:11:37 +00:00
Joseph Sutton
732d17a129 sddl: Add new SDDL SID strings
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-03-17 23:11:37 +00:00
Joseph Sutton
e61fa573fe sddl: Fix incorrect SDDL SID strings
Change the values to match those used by Windows.

Verified with PowerShell commands of the form:
New-Object Security.Principal.SecurityIdentifier ER

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-03-17 23:11:37 +00:00
Jeremy Allison
3e021c3762 s3: libcli: Rename smb_key_derivation() -> smb1_key_derivation()
Signed-off-by: Jeremy Allison <jra@samba.org>
Signed-off-by: David Mulder <dmulder@samba.org>
2022-03-08 22:12:37 +00:00
Jeremy Allison
0b391fc19f s3: libcli: Rename smb_signing_is_negotiated() -> smb1_signing_is_negotiated()
Signed-off-by: Jeremy Allison <jra@samba.org>
Signed-off-by: David Mulder <dmulder@samba.org>
2022-03-08 22:12:37 +00:00
Jeremy Allison
7a385775ee s3: libcli: Rename smb_signing_set_negotiated() -> smb1_signing_set_negotiated()
Signed-off-by: Jeremy Allison <jra@samba.org>
Signed-off-by: David Mulder <dmulder@samba.org>
2022-03-08 22:12:37 +00:00
Jeremy Allison
79633b42d6 s3: libcli: Rename smb_signing_is_mandatory() -> smb1_signing_is_mandatory()
Signed-off-by: Jeremy Allison <jra@samba.org>
Signed-off-by: David Mulder <dmulder@samba.org>
2022-03-08 22:12:37 +00:00
Jeremy Allison
e42fc9bc24 s3: libcli: Rename smb_signing_is_desired() -> smb1_signing_is_desired()
Signed-off-by: Jeremy Allison <jra@samba.org>
Signed-off-by: David Mulder <dmulder@samba.org>
2022-03-08 22:12:37 +00:00
Jeremy Allison
2fd2916971 s3: libcli: Remove unused smb_signing_is_allowed()
Signed-off-by: Jeremy Allison <jra@samba.org>
Signed-off-by: David Mulder <dmulder@samba.org>
2022-03-08 22:12:37 +00:00
Jeremy Allison
0c8bc1bf56 s3: libcli: Rename smb_signing_is_active() -> smb1_signing_is_active()
Signed-off-by: Jeremy Allison <jra@samba.org>
Signed-off-by: David Mulder <dmulder@samba.org>
2022-03-08 22:12:37 +00:00
Jeremy Allison
8dd252ad91 s3: libcli: Rename smb_signing_activate() -> smb1_signing_activate()
Fix the debugs that also used this name.

Signed-off-by: Jeremy Allison <jra@samba.org>
Signed-off-by: David Mulder <dmulder@samba.org>
2022-03-08 22:12:37 +00:00
Jeremy Allison
84a498feec s3: libcli: Rename smb_signing_check_pdu() -> smb1_signing_check_pdu()
Fix the debugs that also used this name.

Signed-off-by: Jeremy Allison <jra@samba.org>
Signed-off-by: David Mulder <dmulder@samba.org>
2022-03-08 22:12:37 +00:00
Jeremy Allison
6a68caff96 s3: libcli: Rename smb_signing_sign_pdu() -> smb1_signing_sign_pdu()
Fix the debugs that also used this name.

Signed-off-by: Jeremy Allison <jra@samba.org>
Signed-off-by: David Mulder <dmulder@samba.org>
2022-03-08 22:12:37 +00:00
Jeremy Allison
fd9325587c s3: libcli: Rename smb_signing_cancel_reply() -> smb1_signing_cancel_reply()
Signed-off-by: Jeremy Allison <jra@samba.org>
Signed-off-by: David Mulder <dmulder@samba.org>
2022-03-08 22:12:37 +00:00
Jeremy Allison
e563725a19 s3: libcli: Rename smb_signing_next_seqnum() -> smb1_signing_next_seqnum()
Signed-off-by: Jeremy Allison <jra@samba.org>
Signed-off-by: David Mulder <dmulder@samba.org>
2022-03-08 22:12:37 +00:00
Jeremy Allison
00d8b05ddb s3: libcli: Rename smb_signing_md5() -> smb1_signing_md5()
Fix the debug that also used this name.

Signed-off-by: Jeremy Allison <jra@samba.org>
Signed-off-by: David Mulder <dmulder@samba.org>
2022-03-08 22:12:37 +00:00
Jeremy Allison
7e82ac3a40 s3: libcli: Rename smb_signing_good() -> smb1_signing_good()
Fix the debugs that also used this name.

Signed-off-by: Jeremy Allison <jra@samba.org>
Signed-off-by: David Mulder <dmulder@samba.org>
2022-03-08 22:12:37 +00:00
Jeremy Allison
6ae33a62bc s3: libcli: Rename smb_signing_init() -> smb1_signing_init()
Signed-off-by: Jeremy Allison <jra@samba.org>
Signed-off-by: David Mulder <dmulder@samba.org>
2022-03-08 22:12:37 +00:00
Jeremy Allison
cba8ba327f s3: libcli: Rename smb_signing_init_ex() -> smb1_signing_init_ex()
Signed-off-by: Jeremy Allison <jra@samba.org>
Signed-off-by: David Mulder <dmulder@samba.org>
2022-03-08 22:12:37 +00:00
Jeremy Allison
aee7bfa079 s3: libcli: Rename static smb_signing_reset_info() -> smb1_signing_reset_info()
Signed-off-by: Jeremy Allison <jra@samba.org>
Signed-off-by: David Mulder <dmulder@samba.org>
2022-03-08 22:12:37 +00:00
Jeremy Allison
41393579de s3: Simple rename 'struct smb_signing_state' -> 'struct smb1_signing_state'
This is only used by the SMB1 signing code, except for one
bool for SMB2 which we will replace next.

Signed-off-by: Jeremy Allison <jra@samba.org>
Signed-off-by: David Mulder <dmulder@samba.org>
2022-03-08 22:12:37 +00:00
Stefan Metzmacher
735f3d7dde libcli/smb: let smb2_signing_decrypt_pdu() cope with gnutls_aead_cipher_decrypt() ptext_len bug
The initial implementation of gnutls_aead_cipher_decrypt() had a bug and
used:
    *ptext_len = ctext_len;
instead of:
    *ptext_len = ctext_len - tag_size;

This got fixed with gnutls 3.5.2.

As we only require gnutls 3.4.7 we need to cope with this...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14968

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Feb  2 18:29:08 UTC 2022 on sn-devel-184
2022-02-02 18:29:08 +00:00
Stefan Metzmacher
99182af4ab libcli/smb: fix error checking in smb2_signing_decrypt_pdu() invalid ptext_len
When the ptext_size != m_total check fails, we call this:

   status = gnutls_error_to_ntstatus(rc, NT_STATUS_INTERNAL_ERROR);
   goto out;

As rc is 0 at that point we'll exit smb2_signing_decrypt_pdu()
with NT_STATUS_OK, but without copying the decrypted data
back into the callers buffer. Which leads to strange errors
in the caller.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14968

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-02-02 17:36:35 +00:00
Jeremy Allison
2e72b9cd2d s3: smbd: Add the definition for SMB2_FIND_POSIX_INFORMATION info level.
Will be used by smb2_query_directory. Not yet used or available.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-02-01 16:30:37 +00:00
Jeremy Allison
722d0d3c55 libcli: Add SMB2 posix negotiate context flag.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-02-01 16:30:37 +00:00
Volker Lendecke
f60780c8b6 libcli/dns: Fix TCP fallback
A customer has come across a DNS server that really just cuts a SRV
reply if it's too long. This makes the packet invalid according to
ndr_pull and according to wireshark. DNS_FLAG_TRUNCATION is however
set. As this seems to be legal according to the DNS RFCs, we need to
hand-parse the first two uint16's and look whether DNS_FLAG_TRUNCATION
is set.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Jan 20 18:01:41 UTC 2022 on sn-devel-184
2022-01-20 18:01:41 +00:00
Volker Lendecke
8732561396 lib: Remove unused tstream_npa_socketpair()
This was used in the pre samba-dcerpcd source3 rpc server.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2022-01-18 20:22:38 +00:00
Stefan Metzmacher
23bedd69b2 libcli/auth: let NTLMv2_RESPONSE_verify_netlogon_creds ignore invalid netapp requests
We should avoid spamming the logs with wellknown messages like:
ndr_pull_error(Buffer Size Error): Pull bytes 39016

They just confuse admins (and developers).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14932

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2022-01-04 20:07:28 +00:00
Stefan Metzmacher
f123c1a171 libcli/auth: let NTLMv2_RESPONSE_verify_netlogon_creds ignore BUFFER_TOO_SMALL
Windows doesn't complain about invalid av_pair blobs,
we need to do the same.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14932

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2022-01-04 20:07:28 +00:00
Volker Lendecke
00e41d198d librpc: Get transport out of tstream_npa_accept_existing_recv()
To be used by the RPC servers in the next commit

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2021-12-10 14:02:30 +00:00
Volker Lendecke
1bab76223c librpc: Add named_pipe_auth_req_info5->transport
This will serve as a check to make sure that in particular a SAMR
client is really root. This is for example used in get_user_info_18()
handing out a machine password.

The unix domain sockets for NCACN_NP can only be contacted by root,
the "np\" subdirectory for those sockets is root/root 0700.

Connecting to such a socket is done in two situations: First, local
real root processes connecting and smbd on behalf of SMB clients
connecting to \\pipe\name, smbd does become_root() there. Via the
named_pipe_auth_req_info4 smbd hands over the SMB session information
that the RPC server blindly trusts. The session information (i.e. the
NT token) is heavily influenced by external sources like the KDC. It
is highly unlikely that we get a system token via SMB, but who knows,
this is information not fully controlled by smbd.

This is where this additional field in named_pipe_auth_req_info5 makes
a difference: This field is set to NCACN_NP by smbd's code, not
directly controlled by the clients. Other clients directly connecting
to a socket in "np\" is root anyway (only smbd can do become_root())
and can set this field to NCALRPC.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2021-12-10 14:02:30 +00:00
Volker Lendecke
d1934e2331 named_pipe_auth: Bump info4 to info5
We'll add a field soon

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2021-12-10 14:02:30 +00:00
Andreas Schneider
d1ea9c5aab libcli:auth: Allow to connect to netlogon server offering only AES
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14912

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Dec  2 14:49:35 UTC 2021 on sn-devel-184
2021-12-02 14:49:35 +00:00
Stefan Metzmacher
04a79139a4 libcli/smb: split out smb2cli_raw_tcon* from smb2cli_tcon*
This will be used in tests in order to separate the tcon from
validate_negotiate_info.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14788

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2021-12-01 11:04:29 +00:00
Volker Lendecke
b7fc678107 libcli: Remove NT_STATUS_INACCESSIBLE_SYSTEM_SHORTCUT error code
This is the same as STATUS_STOPPED_ON_SYMLINK, and this is what also
wireshark displays. Avoid some confusion.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-11-11 19:08:37 +00:00
Volker Lendecke
d0759cb648 libsmb: move reparse_symlink to libcli/smb/
This will be useful for smbXcli_create to parse the symlink error

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-11-11 19:08:37 +00:00
Volker Lendecke
fadce102d4 libcli: "smb_util.h" needs "ntstatus.h"
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-11-11 19:08:37 +00:00
Alexander Bokovoy
e2d5b4d709 CVE-2020-25717: Add FreeIPA domain controller role
As we want to reduce use of 'classic domain controller' role but FreeIPA
relies on it internally, add a separate role to mark FreeIPA domain
controller role.

It means that role won't result in ROLE_STANDALONE.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Alexander Bokovoy <ab@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:33 +00:00
Stefan Metzmacher
8a607e7577 netlogon_creds_cli: add netlogon_creds_cli_SendToSam_recv() and don't ignore result
This is a low level function that should not ignore results.

If the caller doesn't care it's his choice.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Oct 19 20:20:00 UTC 2021 on sn-devel-184
2021-10-19 20:20:00 +00:00
Stefan Metzmacher
dd07bb81bb libcli/smb: use MID=0 for SMB2 Cancel with ASYNC_ID and legacy signing algorithms
We can only assume that servers with support for AES-GMAC-128 signing
will except an SMB2 Cancel with ASYNC_ID and real MID.
This strategy is also used by Windows clients, because
some vendors don't cope otherwise.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14855

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Oct 19 19:23:39 UTC 2021 on sn-devel-184
2021-10-19 19:23:39 +00:00
Volker Lendecke
e5b446fe11 libcli: Simplify get_sec_mask_str()
Use talloc_asprintf_addbuf()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-10-08 19:28:32 +00:00
Volker Lendecke
34c08da059 libcli: Align integer types
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-10-08 19:28:31 +00:00
Volker Lendecke
423e5726d2 libcli: Avoid an includes.h
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-10-08 19:28:31 +00:00
Volker Lendecke
f24b2163be libcli: Simplify security_session_user_level()
Use sid_compose(), use struct dom_sid on the stack.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-10-08 19:28:31 +00:00
Volker Lendecke
70b1260020 libcli: Introduce a helper variable in security_session_user_level()
Makes it easier to read for me

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-10-08 19:28:31 +00:00
Volker Lendecke
82281ca34f libcli: Remove unused security_token_has_sid_string()
This should have been removed in ef990008f2, I just was not aware
it's there...

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-10-08 19:28:31 +00:00
Volker Lendecke
e2256c99a6 smbd: Make SID_SAMBA_SMB3 a static SID
No need to parse it

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-10-08 19:28:31 +00:00
Matthew Grant
617a5a1d35 libcli/dns: smb.conf dns forwarder port support
Call new tsocket_address_inet_from_hostport_strings() instead of
tsocket_address_inet_from_strings() to implement setting a port to query
for a DNS forwarder.

Signed-off-by: Matthew Grant <grantma@mattgrant.net.nz>
Reviewed-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-09-28 09:44:35 +00:00
Volker Lendecke
ef990008f2 libcli: Remove unused security_token_is_sid_string()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-09-24 23:55:32 +00:00
Volker Lendecke
df4c03d524 lib: Add required #includes
dom_sid.h itself references talloc, and security.h references
DATA_BLOB.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-09-21 00:13:32 +00:00