1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-27 03:21:53 +03:00
Commit Graph

66 Commits

Author SHA1 Message Date
Günther Deschner
5b2ce01b77 werror: replace WERR_UNKNOWN_LEVEL with WERR_INVALID_LEVEL in source3/rpc_server/
Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-09-28 00:04:34 +02:00
Günther Deschner
402bafcbca werror: replace WERR_INVALID_PARAM with WERR_INVALID_PARAMETER in source3/rpc_server/
Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-09-28 00:04:22 +02:00
Günther Deschner
74d3bf1488 werror: replace WERR_NOMEM with WERR_NOT_ENOUGH_MEMORY in source3/rpc_server/
Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-09-28 00:04:19 +02:00
Stefan Metzmacher
93e3f25d42 CVE-2016-2111: s3:rpc_server/netlogon: check NTLMv2_RESPONSE values for SEC_CHAN_WKSTA
This prevents spoofing like Microsoft's CVE-2015-0005.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:24 +02:00
Stefan Metzmacher
9ed11972d2 CVE-2016-2111: s3:rpc_server/netlogon: require DCERPC_AUTH_LEVEL_PRIVACY for validation level 6
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:23 +02:00
Günther Deschner
d4a64baf91 CVE-2016-2111: s3:rpc_server/netlogon: always go through netr_creds_server_step_check()
The ensures we apply the "server schannel = yes" restrictions.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2016-04-12 19:25:23 +02:00
Stefan Metzmacher
038659dcbb s3:rpc_server/netlogon: improve the netr_LogonControl*() error returns
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-03-27 01:26:15 +01:00
Günther Deschner
a0700dd275 netlogon.idl: netr_ServerPasswordGet returns NTSTATUS not WERROR.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-03-12 17:13:43 +01:00
Andreas Schneider
bb41484509 s3-netlogon: Make sure we do not deference a NULL pointer.
This is an additional patch for CVE-2015-0240.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11077#c32

Pair-Programmed-With: Michael Adam <obnox@samba.org>
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2015-02-23 17:33:07 +01:00
Jeremy Allison
28f10a89e6 CVE-2015-0240: s3: netlogon: Ensure we don't call talloc_free on an uninitialized pointer.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=11077

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-02-23 17:33:07 +01:00
Günther Deschner
a62cc2ce44 samba: pass down size_t instead of int to add_string_to_array().
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Mon Nov 17 19:53:22 CET 2014 on sn-devel-104
2014-11-17 19:53:22 +01:00
Andrew Bartlett
4d50c75159 s3-auth: Finally change make_user_info_*() use a parent talloc context
Change-Id: Iedf516e8c24e0d18064aeedd8e287ed692d3c5b4
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
2014-04-02 11:05:46 +02:00
Andreas Schneider
4d792db03f s3-auth: Pass mem_ctx to auth_check_ntlm_password().
Coverity-Id: 1168009
BUG: https://bugzilla.samba.org/show_bug.cgi?id=8598

Signed-off-by: Andreas Schneider <asn@samba.org>

Change-Id: Ie01674561a6a75239a13918d3190c2f21c3efc7a
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-02-19 11:29:29 +13:00
Stefan Metzmacher
dcc2c8362d s3:rpc_server/netlogon: return a zero return_authenticator on error
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-22 17:12:21 +01:00
Jeremy Allison
0dc6181894 CVE-2013-4408:s3:Ensure LookupNames replies arrays are range checked.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Jeremy Allison <jra@samba.org>
2013-12-09 07:05:46 +01:00
Andreas Schneider
8b1a2144fe s3-netlogon: Connecting with the system token should be sufficient.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Tue Aug  6 18:22:06 CEST 2013 on sn-devel-104
2013-08-06 18:22:06 +02:00
Stefan Metzmacher
7b3ddd1a0b s3:netlogon: make use of netlogon_creds_decrypt_samlogon_logon()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2013-08-05 10:30:01 +02:00
Alexander Bokovoy
a308db6587 s3-netlogon: enumerate UPN suffixes from PASSDB when available
Optionally append list of UPN suffixes if PDB module returns non-empty one.

Refactor fill_forest_trust_array() in source3 to allow reuse of the code between
_netr_DsRGetForestTrustInformation() and _netr_GetForestTrustInformation()

Implement a special case of _netr_DsRGetForestTrustInformation in smbd
when trusted_domain_name is NULL (covered by test_DsrEnumerateDomainTrusts()
in rpc.netlogon torture tests, see comment in source4/torture/rpc/netlogon.c).

Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Apr  9 22:19:34 CEST 2013 on sn-devel-104
2013-04-09 22:19:34 +02:00
Karolin Seeger
75ca814f1e srv_netlog_nt.c: Fix typo in comment.
redundent -> redundant

Signed-off-by: Karolin Seeger <kseeger@samba.org>
2013-02-18 22:07:39 +11:00
Sumit Bose
62e6ea408a s3-rpc_server: Fix password encoding in _netr_ServerGetTrustInfo().
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2013-02-07 14:07:50 +01:00
Günther Deschner
823a25f6a4 s3-rpc_server: Dont wipe out ref pointers in _netr_ServerGetTrustInfo().
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2013-02-07 14:07:15 +01:00
Günther Deschner
be43456c94 s3-rpc_server: use netlogon_creds_encrypt_samlogon().
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2012-12-15 21:50:36 +01:00
Günther Deschner
f2d9589b17 s3-auth: remove crypto from serverinfo_to_SamInfoX calls.
All crypto is dealt with within the netlogon samlogon server now.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2012-12-09 19:39:08 +01:00
Günther Deschner
c1fb595081 s3-rpc_server: Remove obsolete process_creds boolean in samlogon server.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2012-12-09 19:39:08 +01:00
Günther Deschner
645289216e s3-rpc_server: support AES for interactive netlogon samlogon password decryption.
Still need to fix AES support for the returned validation info.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2012-12-09 19:39:08 +01:00
Günther Deschner
a52115ce67 s3-rpc_server: we need to encrypt OWFs using DES in _netr_ServerGetTrustInfo().
Sumit, please check.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2012-12-09 19:39:08 +01:00
Günther Deschner
306a78d97f s3-rpc_server: pass down netlogon cred state in _netr_ServerGetTrustInfo().
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2012-12-09 19:39:08 +01:00
Günther Deschner
1362d542df s3-rpc_server: support AES decryption in netr_ServerPasswordSet2 server.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2012-12-09 19:39:07 +01:00
Stefan Metzmacher
396f3177ca s3:rpc_server/netlogon: make usage of session_extract_session_key()
This makes sure we return NO_USER_SESSION_KEY if there's no session key.

metze
2012-08-04 12:33:06 +02:00
Stefan Metzmacher
5e25fc6686 s3:rpc_server: add support for AES bases netlogon schannel
metze

Signed-off-by: Günther Deschner <gd@samba.org>
2012-07-17 10:58:39 +02:00
Andreas Schneider
fae6091f1d s3-rpc_server: Make it possible to use more rpc exceptions. 2012-07-06 10:00:56 +02:00
Andrew Bartlett
666dba3353 s3-param: Rename loadparm_s3_context -> loadparm_s3_helpers
This helps clarify the role of this structure and wrapper function.

The purpose here is to provide helper functions to the lib/param
loadparm_context that point back at the s3 lp_ functions.  This allows
a struct loadparm_context to be passed to any point in the code, and
always refer to the correct loadparm system.  If this has not been
set, the variables loaded in the lib/param code will be returned.

As requested by Michael Adam.

Andrew Bartlett

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Jun 27 17:11:16 CEST 2012 on sn-devel-104
2012-06-27 17:11:16 +02:00
Volker Lendecke
815eb53b33 s3: Fix Coverity ID 242714 Uninitialized scalar variable
In an error path we are closing domain_handle without opening it
2012-05-10 09:11:58 +02:00
Andrew Bartlett
77602d877e s3-auth: Remove single-implementation plugin layer
The ->get_ntlm_challenge and ->check_ntlm_password elements of struct auth_context
were only ever initialised to a single value.  Make it easier to follow by
just calling the function directly.

Andrew Bartlett
2012-03-08 10:14:05 +01:00
Sumit Bose
6765e7c2a6 s3-netlogon: use dsgetdcname() instead of get_dc_name()
Sometimes the domain parameter might not contain the NetBIOS name of the remote
domain but the DNS name.

Autobuild-User: Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date: Thu Dec 22 19:21:21 CET 2011 on sn-devel-104
2011-12-22 19:21:21 +01:00
Sumit Bose
1c8f326dc6 s3-netlogon: Add support to authenticate trusted domains. 2011-12-22 17:48:24 +01:00
Stefan Metzmacher
00d0b4d6d0 s3-rpc_server: Pass in our flags to netlogon_creds_server_init().
metze
2011-12-22 17:48:24 +01:00
Stefan Metzmacher
9c00d04ac1 s3-netlogon: Add support for LogonGetCapabilities.
This is also needed to support AES.

metze
2011-12-22 17:48:24 +01:00
Stefan Metzmacher
7dc1de73d3 s3:rpc_server/netlogon: remove unused send_sync_message()
metze
2011-12-13 12:36:36 +01:00
Jeremy Allison
767c54d8dd Fix bug #8562 - talloc: double free error.
Ensure we don't access an undefined pointer.

Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Fri Nov  4 00:09:46 CET 2011 on sn-devel-104
2011-11-04 00:09:45 +01:00
Andreas Schneider
2f65ae25df s3: Include uid_wrapper where it is missing. 2011-10-27 13:32:02 +02:00
Andreas Schneider
bda9752b10 s3-netlogon: Fix setting the machinge account password.
This bug has been found with uid wrapper.
2011-10-27 13:32:00 +02:00
Andrew Bartlett
5603dab647 libcli/auth: Provide a struct loadparm_context to schannel calls
This will allow us to pass this down to the tdb_wrap layer.

Andrew Bartlett
2011-10-13 14:06:07 +02:00
Günther Deschner
70192f034c s3-build: remove some unused/duplicate headers.
Guenther
2011-07-31 22:37:28 +02:00
Andrew Bartlett
9fcc617ff5 s3-auth Use the common auth_session_info
This patch finally has the same structure being used to describe the
authorization data of a user across the whole codebase.

This will allow of our session handling to be accomplished with common code.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-20 09:17:13 +10:00
Andrew Bartlett
128ae06a61 s3-auth use auth_user_info not netr_SamInfo3 in auth3_session_info
This makes auth3_session_info identical to auth_session_info

The logic to convert the info3 to a struct auth_user_info is
essentially moved up the stack from the named pipe proxy in
source3/rpc_server to create_local_token().

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-20 09:17:13 +10:00
Andrew Bartlett
f16d8f4eb8 s3-auth Use struct auth3_session_info outside the auth subsystem
This seperation between the structure used inside the auth modules and
in the wider codebase allows for a gradual migration from struct
auth_serversupplied_info -> struct auth_session_info (from auth.idl)

The idea here is that we keep a clear seperation between the structure
before and after the local groups, local user lookup and the session
key modifications have been processed, as the lack of this seperation
has caused issues in the past.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-20 09:17:10 +10:00
Andreas Schneider
7e46a84bb7 s3-auth: Pass the remote_address down to user_info.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2011-07-04 18:28:02 +10:00
Andreas Schneider
541f3cf639 s3-rpc_server: Migrate rpc function to tsocket_address.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2011-07-04 18:27:58 +10:00
Andrew Bartlett
74eed8f3ed s3-param Remove special case for global_myname(), rename to lp_netbios_name()
There is no reason this can't be a normal constant string in the
loadparm system, now that we have lp_set_cmdline() to handle overrides
correctly.

Andrew Bartlett
2011-06-09 12:40:09 +02:00