1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00
Commit Graph

125436 Commits

Author SHA1 Message Date
Stefan Metzmacher
74aca02a8f libcli/auth: let NTLMv2_RESPONSE_verify_netlogon_creds ignore BUFFER_TOO_SMALL
Windows doesn't complain about invalid av_pair blobs,
we need to do the same.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14932

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit f123c1a171)
2022-01-19 08:08:14 +00:00
Stefan Metzmacher
ab38fec433 s4:torture/rpc: add test for invalid av_pair content in LogonSamLogonEx
A netapp diag tool uses a NTLMv2_CLIENT_CHALLENGE with invalid bytes
as av_pair blob. Which is supposed to be ignored by DCs.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14932

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(similar to commit e7e521fe9b)
2022-01-19 08:08:14 +00:00
Stefan Metzmacher
c51625b483 auth/credentials: cli_credentials_set_ntlm_response() pass session_keys
Otherwise cli_credentials_get_ntlm_response() will return session keys
with a 0 length, which leads to errors in the NTLMSSP code.

This wasn't noticed as cli_credentials_set_ntlm_response() has no
callers yet, but that will change in the next commits.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14932

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 0ef1254f44)
2022-01-19 08:08:14 +00:00
Stefan Metzmacher
be1b37e7c6 s3:libsmb: fix signing regression SMBC_server_internal()
commit d0062d312c introduced
SMBC_ENCRYPTLEVEL_DEFAULT as default, but the logic to enforce
signing wasn't adjusted, so we required smb signing by default.

That broke guest authentication for libsmbclient using applications.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14935

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Dec 27 16:38:11 UTC 2021 on sn-devel-184

(cherry picked from commit 9d2bf01537)

Autobuild-User(v4-14-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-14-test): Tue Jan 18 18:56:06 UTC 2022 on sn-devel-184
2022-01-18 18:56:06 +00:00
Stefan Metzmacher
7aa5875ff9 s4:selftest: run libsmbclient.noanon_list against maptoguest
This demonstrates the problem with guest access being rejected
by default.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14935

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 0a808f6b53)
2022-01-18 17:39:17 +00:00
Stefan Metzmacher
8feb866c21 s4:torture/libsmbclient: add libsmbclient.noanon_list test
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14935

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 59e436297b)
2022-01-18 17:39:17 +00:00
Stefan Metzmacher
72e5b758e0 selftest/Samba3: enable SMB1 for maptoguest
guest authentication is an old school concept,
so we should make sure it also works with SMB1.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14935

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 648b476dcd)
2022-01-18 17:39:17 +00:00
Jeremy Allison
4a6813f7bc s3: smbd: Add missing pop_sec_ctx() in error code path of close_directory()
If delete_all_streams() fails.

Found by Andrew Walker <awalker@ixsystems.com>

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14944

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Jan 14 03:34:47 UTC 2022 on sn-devel-184

(cherry picked from commit 5f9dbf3dec)

Autobuild-User(v4-14-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-14-test): Mon Jan 17 09:57:52 UTC 2022 on sn-devel-184
2022-01-17 09:57:52 +00:00
Volker Lendecke
870991a12c ctdb-protocol: Allow rfc5952 "[2001:db8::1]:80" ipv6 notation
Bug: https://bugzilla.samba.org/show_bug.cgi?id=14934
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
(cherry picked from commit 224e99804e)
2022-01-17 08:46:13 +00:00
Jones Syue
70d81ab148 s3: includes: Make the comments describing itime consistent. Always use "invented" time.
It gets confusing if we call it "imaginary" or "instantiation"
in different places.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14928

Signed-off-by: Jones Syue <jonessyue@qnap.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Jan 10 18:42:02 UTC 2022 on sn-devel-184

(cherry picked from commit 745af26a1a)

Autobuild-User(v4-14-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-14-test): Wed Jan 12 12:26:56 UTC 2022 on sn-devel-184
2022-01-12 12:26:56 +00:00
Jeremy Allison
15599f3390 s3: lib: In create_clock_itime(), use timespec_current() -> clock_gettime(CLOCK_REALTIME..).
CLOCK_MONOTONIC (which we previously used) is reset
when the system is rebooted.

CLOCK_REALTIME is a "wall clock" time. It's still affected by NTP
changes (for Linux we should probably use CLOCK_TAI instead
but that is Linux-specific). For most systems CLOCK_REALTIME
will be good enough.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14928

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 920611f0bc)
2022-01-12 11:11:15 +00:00
Jeremy Allison
7841b45a7f s3: smbd: Create and use a common function for generating a fileid - create_clock_itime().
This first gets the clock_gettime_mono() value, converts to an NTTIME (as
this is what is stored in the dos attribute EA), then mixes in 8 bits of
randomness shifted up by 55 bits to cope with poor resolution clocks to
avoid duplicate inodes.

Using 8 bits of randomness on top of an NTTIME gives us around 114
years headroom. We can now guarentee returning a itime-based
fileid in a normal share (storing dos attributes in an EA).

Remove knownfail.d/fileid-unique

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14928

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Jan  8 06:35:22 UTC 2022 on sn-devel-184

(cherry picked from commit 23fbf0bad0)
2022-01-12 11:11:15 +00:00
Jeremy Allison
a0934daa71 lib: util: Add a function nt_time_to_unix_timespec_raw().
Not yet used. Does no checks on the converted values.

A later cleanup will allow us to move nt_time_to_unix_timespec()
and nt_time_to_full_timespec() to use common code.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14928

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
(cherry picked from commit 29d69c22a0)
2022-01-12 11:11:15 +00:00
Jeremy Allison
9f0353b2f4 tests: Add 2 tests for unique fileid's with top bit set (generated from itime) for files and directories.
smb2.fileid_unique.fileid_unique
smb2.fileid_unique.fileid_unique-dir

Create 100 files or directories as fast as we can
against a "normal" share, then read info on them
and ensure (a) top bit is set (generated from itime)
and (b) uniqueness across all generated objects
(checks poor timestamp resolution doesn't create
duplicate fileids).

This shows that even on ext4, this is enough to
cause duplicate fileids to be returned.

Add knownfail.d/fileid-unique

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14928

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
(back-ported picked from commit 30fea0d311)
2022-01-12 11:11:15 +00:00
Jule Anger
1d27e85826 VERSION: Bump version up to Samba 4.14.12...
and re-enable GIT_SNAPSHOT.

Signed-off-by: Jule Anger <janger@samba.org>
2021-12-15 15:47:55 +01:00
Jule Anger
ae3229e76d VERSION: Disable GIT_SNAPSHOT for the 4.14.11 release.
Signed-off-by: Jule Anger <janger@samba.org>
2021-12-15 15:46:52 +01:00
Jule Anger
808afc79cc WHATSNEW: Add release notes for Samba 4.14.11.
Signed-off-by: Jule Anger <janger@samba.org>
2021-12-15 15:46:22 +01:00
Stefan Metzmacher
08eb470b9c smb2_server: don't let SMB2_OP_IOCTL force FILE_CLOSED for invalid file ids
smbd_smb2_request_process_ioctl() already detailed checks for file_ids,
which not reached before.

.allow_invalid_fileid = true was only used for SMB2_OP_IOCTL.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14788

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 1744dd8c5b)

Autobuild-User(v4-14-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-14-test): Mon Dec 13 09:44:15 UTC 2021 on sn-devel-184
2021-12-13 09:44:15 +00:00
Stefan Metzmacher
25c97fc3a0 smb2_ioctl: return BUFFER_TOO_SMALL in smbd_smb2_request_ioctl_done()
We should not send more data than the client requested.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14788

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit aab5405034)
2021-12-13 08:41:08 +00:00
Stefan Metzmacher
016d9c40bc smb2_server: skip tcon check and chdir_current_service() for FSCTL_VALIDATE_NEGOTIATE_INFO
We should not fail this just because the user doesn't have permissions
on the share root.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14788

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit c850ce96fd)
2021-12-13 08:41:08 +00:00
Stefan Metzmacher
fd82e1e4ba smb2_server: decouple IOCTL check from signing/encryption states
There's no reason to handle FSCTL_SMBTORTURE_FORCE_UNACKED_TIMEOUT
differently if signing/encryption is used.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14788

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit bd3ba3c96e)
2021-12-13 08:41:08 +00:00
Stefan Metzmacher
ea6db15c31 smb2_server: make sure in_ctl_code = IVAL(body, 0x04); reads valid bytes
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14788

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 1cd948d852)
2021-12-13 08:41:08 +00:00
Stefan Metzmacher
8eb06f10a1 s4:torture/smb2: add smb2.ioctl.bug14788.VALIDATE_NEGOTIATE
Demonstrate that smbd fails FSCTL_VALIDATE_NEGOTIATE_INFO
only because the user doesn't have permissions on the share root.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14788

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 735fc34682)
2021-12-13 08:41:08 +00:00
Stefan Metzmacher
fd8864ef4f libcli/smb: split out smb2cli_raw_tcon* from smb2cli_tcon*
This will be used in tests in order to separate the tcon from
validate_negotiate_info.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14788

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 04a79139a4)
2021-12-13 08:41:08 +00:00
Stefan Metzmacher
4d2d5a3c66 s3:smbd: remove dead code from smbd_smb2_request_dispatch()
We have '} else if (signing_required || (flags & SMB2_HDR_FLAG_SIGNED)) {'
before...

Use 'git show -U52' to see the whole story...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit f8f4a9faf0)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14788
2021-12-13 08:41:08 +00:00
Ralph Boehme
3d35397e10 smbd: s3-dsgetdcname: handle num_ips == 0
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14923

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Dec  3 12:54:04 UTC 2021 on sn-devel-184

(cherry picked from commit 5e3df5f9ee)

Autobuild-User(v4-14-test): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(v4-14-test): Wed Dec  8 14:36:05 UTC 2021 on sn-devel-184
2021-12-08 14:36:05 +00:00
Andrew Bartlett
ce1186e06e dsdb: Use DSDB_SEARCH_SHOW_EXTENDED_DN when searching for the local replicated object
This may allow further processing when the DN normalisation has changed
which changes the indexing, such as seen after fixes for bug 14656.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14656
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14902

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit f621317e3b)
2021-12-08 13:38:14 +00:00
Ralph Boehme
b0d67dc3d4 CVE-2020-25717: s3-auth: fix MIT Realm regression
This looks like a regression introduced by the recent security fixes. This
commit should hopefully fixes it.

As a quick solution it might be possible to use the username map script based on
the example in https://bugzilla.samba.org/show_bug.cgi?id=14901#c0. We're not
sure this behaves identical, but it might work in the standalone server case.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14922

Reported-at: https://lists.samba.org/archive/samba/2021-November/238720.html

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 1e61de8306)
2021-12-08 13:38:14 +00:00
Jeremy Allison
aef700ad3c s3: docs-xml: Clarify the "delete veto files" paramter.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14879

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Oct 29 14:57:14 UTC 2021 on sn-devel-184

(cherry picked from commit 0b818c6b77)
(cherry picked from commit a549dc219c)

Autobuild-User(v4-14-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-14-test): Thu Dec  2 11:52:33 UTC 2021 on sn-devel-184
2021-12-02 11:52:33 +00:00
Jeremy Allison
b61fb49a7a s3: smbd: Fix logic in can_delete_directory_fsp() to cope with dangling symlinks.
Remove knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14879

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit e9ef970eee)
(backported from commit 5023dbc04b)
[pfilipen@redhat.com: can_delete_directory_fsp() got refactored in 4.15]
2021-12-02 10:33:13 +00:00
Jeremy Allison
7034f9b765 s3: smbd: Fix logic in rmdir_internals() to cope with dangling symlinks.
Still need to add the same logic in can_delete_directory_fsp()
before we can delete the knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14879

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 26fecad2e6)
(backported from commit 4793c4d530)
[pfilipen@redhat.com: rmdir_internals() got refactored in 4.15]
2021-12-02 10:33:13 +00:00
Jeremy Allison
66d688cea2 s3: smbd: Fix rmdir_internals() to do an early return if lp_delete_veto_files() is not set.
Fix the comments to match what the code actually does. The
exit at the end of the scan directory loop if we find a client
visible filename is a change in behavior, but the previous
behavior (not exist on visible filename, but delete it) was
a bug and in non-tested code. Now it's testd.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14879

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit a37d16e7c5)
(backported from commit e00fe095e8)
[pfilipen@redhat.com: rmdir_internals() got refactored in 4.15]
2021-12-02 10:33:13 +00:00
Jeremy Allison
3d4761cf04 s3: VFS: xattr_tdb. Allow unlinkat to cope with dangling symlinks.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14879

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit f254be19d6)
(backported from commit 0dba0917fd)
[pfilipen@redhat.com: code in 4.15 uses different variable name]
2021-12-02 10:33:13 +00:00
Jeremy Allison
37804062ea s3: VFS: streams_depot. Allow unlinkat to cope with dangling symlinks.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14879

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 295d7d026b)
(backported from commit 7a4173809a)
[pfilipen@redhat.com: code in 4.15 uses different variable name]
2021-12-02 10:33:13 +00:00
Jeremy Allison
67c85f0ce8 s3: smbd: Add two tests showing the ability to delete a directory containing a dangling symlink over SMB2 depends on "delete veto files" setting.
Add knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14879

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 942123b959)
(cherry picked from commit 359517877d)
2021-12-02 10:33:13 +00:00
Jeremy Allison
db8eb865b5 s3: smbd: Add two tests showing recursive directory delete of a directory containing veto file and msdfs links over SMB2.
Add knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14878

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit ad0082d79a)
(cherry picked from commit dab3fa1d8c)
2021-12-02 10:33:13 +00:00
Andrew Bartlett
3e8d6e681f CVE-2021-3670 ldap_server: Clearly log LDAP queries and timeouts
This puts all the detail on one line so it can be searched
by IP address and connecting SID.

This relies on the anr handling as otherwise this log
becomes the expanded query, not the original one.

RN: Provide clear logs of the LDAP search and who made it, including
a warning (at log level 3) for queries that are 1/4 of the hard timeout.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14694

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Thu Nov 25 02:30:42 UTC 2021 on sn-devel-184

(cherry picked from commit 3507e96b3d)
2021-12-02 10:33:13 +00:00
Andrew Bartlett
3a4eb50cf7 CVE-2021-3670 dsdb/anr: Do a copy of the potentially anr query before starting to modify it
RN: Do not modify the caller-supplied memory in the anr=* handling to
allow clear logging of the actual caller request after it has been processed.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14694

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 5f0590362c)
2021-12-02 10:33:13 +00:00
Andrew Bartlett
d92dfb0dab CVE-2021-3670 ldap_server: Remove duplicate print of LDAP search details
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14694

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 2b3af3b560)
2021-12-02 10:33:13 +00:00
Andrew Bartlett
08c9016cb9 CVE-2021-3670 ldb: Confirm the request has not yet timed out in ldb filter processing
The LDB filter processing is where the time is spent in the LDB stack
but the timeout event will not get run while this is ongoing, so we
must confirm we have not yet timed out manually.

RN: Ensure that the LDB request has not timed out during filter processing
as the LDAP server MaxQueryDuration is otherwise not honoured.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14694

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 1d5b155619)
2021-12-02 10:33:13 +00:00
Joseph Sutton
f9b2267c6e CVE-2021-3670 ldap_server: Ensure value of MaxQueryDuration is greater than zero
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14694

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit e1ab0c4362)
2021-12-02 10:33:13 +00:00
Joseph Sutton
f72090064b CVE-2021-3670 ldap_server: Set timeout on requests based on MaxQueryDuration
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14694

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 86fe9d4888)
2021-12-02 10:33:13 +00:00
Joseph Sutton
dc71ae1778 CVE-2021-3670 tests/krb5/test_ldap.py: Add test for LDAP timeouts
We allow a timeout of 2x over to avoid this being a flapping test.
Samba is not very accurate on the timeout, which is not otherwise an
issue but makes this test fail sometimes.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14694

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit dcfcafdbf7)
2021-12-02 10:33:13 +00:00
Andrew Bartlett
8ccb26c679 CVE-2020-25717: s3:auth: Fallback to a SID/UID based mapping if the named based lookup fails
Before the CVE-2020-25717 fixes we had a fallback from
getpwnam('DOMAIN\user') to getpwnam('user') which was very dangerous and
unpredictable.

Now we do the fallback based on sid_to_uid() followed by
getpwuid() on the returned uid.

This obsoletes 'username map [script]' based workaround adviced
for CVE-2020-25717, when nss_winbindd is not used or
idmap_nss is actually used.

In future we may decide to prefer or only do the SID/UID based
lookup, but for now we want to keep this unchanged as much as possible.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>

[metze@samba.org moved the new logic into the fallback codepath only
 in order to avoid behavior changes as much as possible]
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Mon Nov 15 19:01:56 UTC 2021 on sn-devel-184

(cherry picked from commit 0a546be052)

Autobuild-User(v4-14-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-14-test): Thu Nov 18 07:39:38 UTC 2021 on sn-devel-184
2021-11-18 07:39:38 +00:00
Joseph Sutton
ff3798418e CVE-2020-25717: tests/krb5: Add a test for idmap_nss mapping users to SIDs
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Stefan Metzmacher <metze@samba.org>

[metze@samba.org removed unused tests for a feature that
 was removed before merging]
Reviewed-by: Ralph Boehme <slow@samba.org>

(cherry picked from commit 494bf7de6f)
2021-11-18 06:40:13 +00:00
Joseph Sutton
9bef6bc6cf CVE-2020-25717: selftest: turn ad_member_no_nss_wb into ad_member_idmap_nss
In reality environments without 'nss_winbind' make use of 'idmap_nss'.

For testing, DOMAIN/bob is mapped to the local 'bob',
while DOMAIN/jane gets the uid based on the local 'jane'
vis idmap_nss.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Stefan Metzmacher <metze@samba.org>

[metze@samba.org avoid to create a new ad_member_idmap_nss environment
and merge it with ad_member_no_nss_wb instead]
Reviewed-by: Ralph Boehme <slow@samba.org>

(cherry picked from commit 8a9f2aa2c1)
2021-11-18 06:40:13 +00:00
Joseph Sutton
f00c993f0c CVE-2020-25717: nsswitch/nsstest.c: Lower 'non existent uid' to make room for new accounts
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit fdbee5e074)
2021-11-18 06:40:13 +00:00
Joseph Sutton
8bed2c3f7a CVE-2020-25717: tests/krb5: Add method to automatically obtain server credentials
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 5ea347d367)
2021-11-18 06:40:13 +00:00
Stefan Metzmacher
1bd06f8cb3 CVE-2020-25727: idmap_nss: verify that the name of the sid belongs to the configured domain
We already check the sid belongs to the domain, but checking the name
too feels better and make it easier to understand.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit bfd093648b)
2021-11-18 06:40:13 +00:00
Alexander Bokovoy
75ab0a306f IPA DC: add missing checks
When introducing FreeIPA support, two places were forgotten:

 - schannel gensec module needs to be aware of IPA DC
 - _lsa_QueryInfoPolicy should treat IPA DC as PDC

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14903

Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>

Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Sat Nov 13 07:01:26 UTC 2021 on sn-devel-184

(cherry picked from commit c69b66f649)
2021-11-18 06:40:13 +00:00