1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00
Commit Graph

1358 Commits

Author SHA1 Message Date
Stefan Metzmacher
3e4a521a2a CVE-2022-37966 s3:libads: no longer reference des encryption types
We no longer have support for des encryption types in the kerberos
libraries anyway.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit a683507e56)
2022-12-14 10:28:16 +00:00
Stefan Metzmacher
836646d4a0 CVE-2022-37966 s3:libads: remove unused ifdef HAVE_ENCTYPE_AES*
aes encryption types are always supported.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 2bd27955ce)
2022-12-14 10:28:16 +00:00
Andreas Schneider
a708af3665 s3:libads: Check if we have a valid sockaddr
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15106

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit fbf134c8d9)

Autobuild-User(v4-16-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-16-test): Mon Jul 11 11:33:49 UTC 2022 on sn-devel-184
2022-07-11 11:33:49 +00:00
Andreas Schneider
42edafd3ed s4:libads: Fix trailing whitespaces in ldap.c
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15106

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit d96a6cafe5)
2022-07-11 10:27:17 +00:00
Samuel Cabrero
53ac81eef2 s3:libads: Clear previous CLDAP ping flags when reusing the ADS_STRUCT
Before commit 1d066f37b9, when the LDAP
connection wasn't established yet (ads->ldap.ld == NULL), the
ads_current_time() function always allocated and initialized a new
ADS_STRUCT even when ads->ldap.ss had a good address after having called
ads_find_dc().

After that commit, when the ADS_STRUCT is reused and passed to the
ads_connect() call, ads_try_connect() may fail depending on the
contacted DC because ads->config.flags field can contain the flags
returned by the previous CLDAP call. For example, when having 5 DCs:

* 192.168.101.31 has PDC FSMO role
* 192.168.101.32
* 192.168.101.33
* 192.168.101.34
* 192.168.101.35

$> net ads info -S 192.168.101.35

net_ads_info()
  ads_startup_nobind()
    ads_startup_int()
      ads_init()
      ads_connect()
        ads_try_connect(192.168.101.35)
          check_cldap_reply_required_flags(returned=0xF1FC, required=0x0)
  ads_current_time()
    ads_connect()
      ads_try_connect(192.168.101.35)
        check_cldap_reply_required_flags(returned=0xF1FC, required=0xF1FC)

The check_cldap_reply_required_flags() call fails because
ads->config.flags contain the flags returned by the previous CLDAP call,
even when the returned and required values match because they have
different semantics:

  if (req_flags & DS_PDC_REQUIRED)
        RETURN_ON_FALSE(ret_flags & NBT_SERVER_PDC);

  translates to:

  if (0xF1FC & 0x80)
        RETURN_ON_FALSE(0xF1FC & 0x01);

  which returns false because 192.168.101.35 has no PDC FSMO role.

The easiest fix for now is to reset ads->config.flags in
ads_current_time() when reusing an ADS_STRUCT before calling
ads_connect(), but we should consider storing the required and returned
flags in different fields or at least use the same bitmap for them
because check_cldap_reply_required_flags() is checking a
netr_DsRGetDCName_flags value using the nbt_server_type bitmap.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14674

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon May 23 19:18:38 UTC 2022 on sn-devel-184

(cherry picked from commit a26f535ded)
2022-05-30 08:15:10 +00:00
Andreas Schneider
9272ec1a24 s3:libads: Fix creating local krb5.conf
We create an KDC ip string entry directly at the beginning, use it if we
don't have any additional DCs.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>

Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Wed Mar 16 14:26:36 UTC 2022 on sn-devel-184

(cherry picked from commit 68d181ee67)
2022-03-17 09:14:56 +00:00
Andreas Schneider
abe01ca6b2 s3:libads: Check print_canonical_sockaddr_with_port() for NULL in get_kdc_ip_string()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit 12c843ad0a)
2022-03-17 09:14:56 +00:00
Andreas Schneider
3c5d0c379d s3:libads: Remove obsolete free's of kdc_str
This is allocated on the stackframe now!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit cca189d093)
2022-03-17 09:14:56 +00:00
Andreas Schneider
3c98408be7 s3:libads: Allocate all memory on the talloc stackframe
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit 652c8ce167)
2022-03-17 09:14:56 +00:00
Andreas Schneider
cfbd47d7b4 s3:libads: Use talloc_asprintf_append() in get_kdc_ip_string()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit 812032833a)
2022-03-17 09:14:56 +00:00
Andreas Schneider
cce13c772f s3:libads: Improve debug messages for get_kdc_ip_string()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit 7f721dc2ee)
2022-03-17 09:14:56 +00:00
Andreas Schneider
2599f5313b s3:libads: Leave early on error in get_kdc_ip_string()
This avoids useless allocations.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit 313f03c784)
2022-03-17 09:14:56 +00:00
Andreas Schneider
c20ca210fb s3:libads: Remove trailing spaces in kerberos.c
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit 567b199679)
2022-03-17 09:14:56 +00:00
Samuel Cabrero
85fdd88e3c s3:libads: Return canonical principal and realm from kerberos_return_pac()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 00b1f44a7e)
2022-02-25 17:12:17 +00:00
Samuel Cabrero
3fef25f2e6 s3:libads: Fix memory leak in kerberos_return_pac() error path
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 3dbcd20de9)
2022-02-25 17:12:17 +00:00
Ralph Boehme
188b96164c s3/libads: ensure a sockaddr variable is correctly zero initialized
is_zero_addr() doesn't work with addresses that have been zero-initialized.

This fixes the logic added in c863cc2ba3.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14674
MR: https://gitlab.com/samba-team/samba/-/merge_requests/2354

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Feb  8 20:24:12 UTC 2022 on sn-devel-184

(cherry picked from commit 3ee690455e)

Autobuild-User(v4-16-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-16-test): Wed Feb  9 12:03:17 UTC 2022 on sn-devel-184
2022-02-09 12:03:17 +00:00
Ralph Boehme
8cbf38a1b2 s3/libads: simplify storing existing ads->ldap.ss
We just need temporal storage for ads->ldap.ss, no need to store it as a struct
samba_sockaddr.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14674
MR: https://gitlab.com/samba-team/samba/-/merge_requests/2354

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit c266ed40ae)
2022-02-09 11:09:41 +00:00
Pavel Filipenský
17ea2ccdab s3:libads: Disable NTLMSSP if not allowed (for builds without kerberos)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955

Pair-Programmed-With: Andreas Schneider <asn@samba.org>

Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-01-21 23:33:36 +00:00
Pavel Filipenský
5f6251abf2 s3:libads: Improve debug messages for SASL bind
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955

Pair-Programmed-With: Andreas Schneider <asn@samba.org>

Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-01-21 23:33:36 +00:00
Pavel Filipenský
7785eb9b78 s3:libads: Disable NTLMSSP for FIPS
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955

Pair-Programmed-With: Andreas Schneider <asn@samba.org>

Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-01-21 23:33:36 +00:00
Pavel Filipenský
49d18f2d6e s3:libads: Remove trailing spaces from sasl.c
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955

Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-01-21 23:33:36 +00:00
Volker Lendecke
3b6b12a19f libads: Convert sitename_key() to talloc
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2022-01-18 20:22:38 +00:00
Günther Deschner
36db8faea3 s3-libnet_join: return account rid in libnet_JoinCtx
Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2021-07-14 16:49:30 +00:00
Pavel Filipenský
edcb095c62 s3:libads: Remove extra new line in keytab list output
net ads keytab list prints extra new line for uknown encoding types,
so it spans over two lines, instead over a single line:

  1  AES-128 CTS mode with 96-bit SHA-1 HMAC     ADDC$@ADDOM.SAMBA.EXAMPLE.COM
  1  UNKNOWN: 3
                                 ADDC$@ADDOM.SAMBA.EXAMPLE.COM

Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Jul  2 11:45:48 UTC 2021 on sn-devel-184
2021-07-02 11:45:48 +00:00
Andreas Schneider
521f77c667 auth:creds: Add obtained arg to cli_credentials_set_kerberos_state()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-04-28 03:43:34 +00:00
Andreas Schneider
1298280a22 auth:creds: Rename CRED_USE_KERBEROS values
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2020-11-03 15:25:37 +00:00
Volker Lendecke
4c1f61cb80 libads: Improve a debug message
"kdc_ip_string" is a multi-line string starting with a tab. It looks
better in the debug message when starting in a new line.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-10-02 21:30:32 +00:00
Volker Lendecke
f02e76d023 libads: Improve a debug message
"kdc_str" is a multi-line string starting with a tab. It looks
better in the debug message when starting in a new line.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-10-02 21:30:32 +00:00
Jeremy Allison
b59de9e5ee s3: libsmb: Rename get_sorted_dc_list_sa() -> get_sorted_dc_list().
Everyone now uses samba_sockaddr arrays.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.com>
2020-09-15 10:09:39 +00:00
Jeremy Allison
2a57e7ede3 s3: libads: Rename cldap_ping_list_sa() -> cldap_ping_list().
The old cldap_ping_list() is now gone.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>
2020-09-15 10:09:38 +00:00
Jeremy Allison
bef9ebd8c9 s3: libads: Remove cldap_ping_list().
No longer used.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>
2020-09-15 10:09:38 +00:00
Jeremy Allison
5a448e96ac s3: libads: Make resolve_and_ping_dns() use get_sorted_dc_list_sa().
We no longer use cldap_ping_list(), comment it out
for removal.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>
2020-09-15 10:09:38 +00:00
Jeremy Allison
6be32826d7 s3: libads: Make resolve_and_ping_netbios() use get_sorted_dc_list_sa().
Now we use cldap_ping_list_sa() so uncomment it.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>
2020-09-15 10:09:38 +00:00
Jeremy Allison
4b6fc2b034 s3: libads: Add an alternate version of cldap_ping_list() that takes an array of samba_sockaddrs.
Preparing for get_sorted_dc_list() returning such an array.
ifdef'ed out as not yet used.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>
2020-09-15 10:09:38 +00:00
Jeremy Allison
1eecdd9401 s3: libsmb: Rename get_kdc_list_sa() back to get_kdc_list().
The samba_sockaddr interface is now the only one.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>
2020-09-15 10:09:38 +00:00
Jeremy Allison
516d8734c7 s3: libads: Convert get_kdc_ip_string() to use get_kdc_list_sa().
No more callers of get_kdc_list().

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>
2020-09-15 10:09:38 +00:00
Jeremy Allison
76beee8129 s3: libads: Use size_t counts inside cldap_ping_list().
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>
2020-09-15 10:09:37 +00:00
Jeremy Allison
d044d20c6f s3: libads: Reformat args to cldap_ping_list().
Pure reformatting.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>
2020-09-15 10:09:37 +00:00
Jeremy Allison
23fb64f35a s3: libsmb: Rename get_sorted_dc_list_talloc() -> get_sorted_dc_list()
There are no non-talloc callers.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
2020-09-07 13:23:41 +00:00
Jeremy Allison
fbc2031800 s3: libads: Move callers of get_sorted_dc_list() -> get_sorted_dc_list_talloc().
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
2020-09-07 13:23:41 +00:00
Jeremy Allison
6deb23c618 s3: libads: Rename get_kdc_list_talloc() -> get_kdc_list().
It's the only version now.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
2020-09-07 13:23:40 +00:00
Noel Power
5307b0e319 s3/libads: Cleanup() get_kdc_ip_string, free kdc_str on error
kdc_str will be cleaned up when the passed ctx is freed,
it just seems odd that we now return NULL without cleaning up allocated mem.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-09-07 13:23:40 +00:00
Noel Power
9d62c3e981 s3/libads: Only set result to kdc_str on success
Prior to this change result was set even when any or all errors
occured in the function.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-09-07 13:23:40 +00:00
Jeremy Allison
8e1b6602f5 s3: libads: Make get_kdc_ip_string() use get_kdc_list_talloc().
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
2020-09-07 13:23:40 +00:00
Jeremy Allison
13acac25cb s3: libsmb: Cleanup - ensure we initialize all stack variables to 'safe' values when calling get_sorted_dc_list() that may not touch returns on error.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
2020-09-07 13:23:39 +00:00
Jeremy Allison
c4c00d626c s3: libsmb: Cleanup - ensure we initialize all stack variables to 'safe' values when calling get_kdc_list() that may not touch returns on error.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
2020-09-07 13:23:39 +00:00
Andreas Schneider
6444a74352 s3:libads: Also add a realm entry for the domain name
This is required if we try to authenticate as Administrator@DOMAIN so it
can find the KDC. This fixes 'net ads join' for ad_member_fips if we
require Kerberos auth.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14479

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Isaac Boukris <iboukris@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Sep  7 09:25:33 UTC 2020 on sn-devel-184
2020-09-07 09:25:33 +00:00
Andreas Schneider
a530396728 s3:libads: Only add RC4 if weak crypto is allowed
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
2020-09-07 08:03:38 +00:00
Andreas Schneider
9cf1aecd73 s3:libads: Remove DES legacy types for Kerberos
We already removed DES support for Kerberos in Samba 4.12.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
2020-09-07 08:03:38 +00:00
Jeremy Allison
ce84521c7c s3: libads: Cleanup - Remove two more ugly const struct sockaddr * casts in get_kdc_ip_string().
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Mulder <dmulder@samba.org>
2020-08-25 16:21:33 +00:00