1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

159 Commits

Author SHA1 Message Date
Jo Sutton
b2d777a1ed s4:dsdb: Make use of DSDB_SEARCH_UPDATE_MANAGED_PASSWORDS search flag
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-21 22:10:36 +00:00
Jo Sutton
e1d27ba545 s4:dsdb: Add to ‘user_attrs’ attributes required for Group Managed Service Accounts
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-16 02:41:36 +00:00
Jo Sutton
75d9f5332d s4:auth: Fix code spelling
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-08 02:48:44 +00:00
Joseph Sutton
d30a612410 s4:auth: Ensure that some parameters are not NULL
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-01 22:45:38 +00:00
Joseph Sutton
c4933dd4b7 s4:auth: Fix leaks
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-14 21:35:29 +00:00
Joseph Sutton
8b2e14052c s4:auth: Check return values of talloc functions
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-14 21:35:29 +00:00
Andreas Schneider
795e464cfa s4:auth: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-08-03 14:31:34 +00:00
Joseph Sutton
4667707720 s4:auth: Allocate user_info_dc->sids on correct talloc context
‘user_info_dc->sids’ must live for at least as long as ‘user_info_dc’,
or a use-after-free may result.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-24 00:50:31 +00:00
Joseph Sutton
1fdff37105 s4:kdc: Look up authentication policies for Kerberos clients and servers
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-18 01:03:37 +00:00
Joseph Sutton
8cc0b76509 s4:auth: Add function to make a shallow copy of an auth_user_info_dc structure
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-18 01:03:37 +00:00
Joseph Sutton
34080e8839 s4:auth: Fix leak
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-18 01:03:37 +00:00
Joseph Sutton
b5bd55fe85 s4:auth: Check ldb_binary_encode_string() return value
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-16 23:29:32 +00:00
Joseph Sutton
07e53939dc s4-auth: Log correct function name
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-16 23:29:32 +00:00
Andrew Bartlett
075bd6b9f1 s4-auth: Free user_info_dc in KDC caller to authsam_update_user_info_dc()
It is up to the caller to choose if it wants to clean up the user_info_dc
memory early, we do so only in the KDC as was allocated on a context
provided to samba_kdc_update_pac_blob(), whereas auth_winbind uses
a locally managed tevent state as the memory context.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Feb  8 01:05:47 UTC 2023 on atb-devel-224
2023-02-08 01:05:47 +00:00
Joseph Sutton
1c3a8fa20c auth: Correct primary group handling
Heretofore we have treated the primary group SID specially, storing it
in a fixed position as the second element of the user_info_dc->sids
array, and filtering out other copies in the PAC_LOGON_INFO base
structure. This filtering has made it difficult to distinguish between
the case where the primary group is a universal or global group, located
in the base RIDs, and the case where it is a domain-local group, missing
from the base RIDs; especially since the attributes of a domain-local
primary group are lost by being stored in the PAC. Domain-local primary
groups are normally disallowed by Windows, but are allowed by Samba, and
so it is reasonable to support them with at least some measure of
consistency.

The second element of user_info_dc->sids is still reserved for the
primary group's SID, but we no longer filter out any other copies in the
array. The first two elements are no more than the SIDs of the user and
the primary group respectively; and the remaining SIDs are as if taken
without modification from arrays of SIDs in the PAC. user_info_dc->sids
should therefore become a more faithful representation of the SIDs in
the PAC. After adding resource SIDs to it with
dsdb_expand_resource_groups(), we should have a result that more closely
and in more cases matches that of Windows.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-02-08 00:03:40 +00:00
Joseph Sutton
e00eeed9d2 auth: Align integer types
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-02-08 00:03:40 +00:00
Joseph Sutton
c17e46a231 ldap: Make use of LDB_OID_COMPARATOR constants
These constants allow one to tell at a glance what search operation is
being performed.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-02-08 00:03:40 +00:00
Joseph Sutton
5147f011d9 auth: Shorten long SID flags combinations
The combination MANDATORY | ENABLED_BY_DEFAULT | ENABLED is very
commonly used, and introducing a shorter alias for it makes the code
clearer.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-02-08 00:03:39 +00:00
Joseph Sutton
14d94460ca auth: Pass through entire PAC flags value in auth_user_info
Besides the NETLOGON_GUEST bit indicating whether the user has been
authenticated, we now carry all of the other bits as well. This lets us
match Windows' behaviour of simply passing these bits through to an
updated PAC when processing a TGS-REQ.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-02-08 00:03:39 +00:00
Joseph Sutton
c21d5bf674 s4: Add 'const' to some parameters
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-02-08 00:03:39 +00:00
Joseph Sutton
7050e05742 auth: Store group attributes in auth_user_info_dc
Group expansion, performed in dsdb_expand_nested_groups(), now
incorporates a check of the type of each group. Those that are resource
groups receive the SE_GROUP_RESOURCE bit in the attributes which are now
carried alongside each group SID.

Whereas before, in auth_convert_user_info_dc_sambaseinfo() and
auth_convert_user_info_dc_saminfo6(), we invariantly used the flag
combination SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT |
SE_GROUP_ENABLED to set attributes in the PAC, we now take the correct
attributes from user_info_dc.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-02-08 00:03:39 +00:00
Volker Lendecke
fa8a657b91 auth4: Save lines with talloc_asprintf_addbuf() in authsam_domain_group_filter()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2022-12-14 04:32:34 +00:00
Stefan Metzmacher
1414269dcc CVE-2021-20251: s4:auth: fix use after free in authsam_logon_success_accounting()
This fixes a use after free problem introduced by
commit 7b8e32efc3,
which has msg = current; which means the lifetime
of the 'msg' memory is no longer in the scope of th
caller.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15253

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-11-24 11:01:37 +00:00
Andrew Bartlett
b5f78b7b89 CVE-2021-20251 auth4: Avoid reading the database twice by precaculating some variables
These variables are not important to protect against a race with
and a double-read can easily be avoided by moving them up the file
a little.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-09-12 23:07:37 +00:00
Andrew Bartlett
712181032a CVE-2021-20251 auth4: Inline samdb_result_effective_badPwdCount() in authsam_logon_success_accounting()
By bringing this function inline it can then be split out in a
subsequent commit.

Based on work by Gary Lockyer <gary@catalyst.net.nz>

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-09-12 23:07:37 +00:00
Andrew Bartlett
55147335ae CVE-2021-20251 auth4: Split authsam_calculate_lastlogon_sync_interval() out
authsam_calculate_lastlogon_sync_interval() is split out of authsam_update_lastlogon_timestamp()

Based on work by Gary Lockyer <gary@catalyst.net.nz>

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-09-12 23:07:37 +00:00
Gary Lockyer
b954acfde2 CVE-2021-20251 auth4: Return only the result message and free the surrounding result
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-09-12 23:07:37 +00:00
Andrew Bartlett
4a9e0fdccf CVE-2021-20251 auth4: Add missing newline to debug message on PSO read failure
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-09-12 23:07:37 +00:00
Andrew Bartlett
de4cc0a3da CVE-2021-20251 s4 auth: make bad password count increment atomic
Ensure that the bad password count is incremented atomically,
and that the successful logon accounting data is updated atomically.

Use bad password indicator (in a distinct TDB) to determine if to open a transaction

We open a transaction when we have seen the hint that this user
has recorded a bad password.  This allows us to avoid always
needing one, while not missing a possible lockout.

We also go back and get a transation if we did not take out
one out but we chose to do a write (eg for lastLogonTimestamp)

Based on patches by Gary Lockyer <gary@catalyst.net.nz>

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-09-12 23:07:37 +00:00
Andrew Bartlett
7b8e32efc3 CVE-2021-20251 auth4: Reread the user record if a bad password is noticed.
As is, this is pointless, as we need a transaction to make this
any less of a race, but this provides the steps towards that goal.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-09-12 23:07:37 +00:00
Gary Lockyer
408717242a CVE-2021-20251 s4 auth: Prepare to make bad password count increment atomic
To ensure that the bad password count is incremented atomically,
and that the successful logon accounting data is updated atomically,
without always opening a transaction, we will need to make a note
of all bad and successful passwords in a side-DB outside the
transaction lock.

This provides the functions needed for that and hooks them in
(future commits will handle errors and use the results).

Based on patches by Gary Lockyer <gary@catalyst.net.nz>

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-09-12 23:07:37 +00:00
Joseph Sutton
6a10e890a0 CVE-2022-2031 auth: Add ticket type field to auth_user_info_dc and auth_session_info
This field may be used to convey whether we were provided with a TGT or
a non-TGT. We ensure both structures are zeroed out to avoid incorrect
results being produced by an uninitialised field.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-07-27 10:52:36 +00:00
Andrew Bartlett
f161e3f18f dsdb: Remove parsing of LM password hash from "dBCSPwd" attribute
This means Samba will essentially ignore this attribute, not even attempting
to read it from the AD DC sam.ldb

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-03-17 01:57:38 +00:00
Andreas Schneider
41ffba1302 s4:auth: Also look up msDS-AllowedToActOnBehalfOfOtherIdentity for RBCD
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-03-04 14:05:31 +00:00
Andreas Schneider
1a4d43d38e s4:auth: Remove trailing spaces in sam.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-03-04 14:05:31 +00:00
Stefan Metzmacher
f6fe86924c s4:sam: Don't use talloc_steal for msg attributes in authsam_make_user_info_dc()
This is most likely not a problem for the current callers,
but that it is unexpected and will likely cause problems with future
changes.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14993
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-03-01 17:11:35 +00:00
Andrew Bartlett
b176ddba2a CVE-2020-25718 kdc: Confirm the RODC was allowed to issue a particular ticket
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2021-11-09 19:45:34 +00:00
Douglas Bagnall
0586395701 s4/auth/sam: silence CID 1435849
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-05-09 22:39:27 +00:00
Isaac Boukris
d94c8992f9 sam.c: allocate account_sid on tmp_ctx
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Mar  6 04:30:22 UTC 2019 on sn-devel-144
2019-03-06 04:30:22 +00:00
Isaac Boukris
ce83b21be8 sam.c: fix incorrect check of talloc_new() allocation
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2019-03-06 03:16:15 +00:00
Volker Lendecke
186fff5fc3 auth4: Use dom_sid_str_buf
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2019-01-08 03:40:28 +01:00
Volker Lendecke
602d247e0b auth4: Use dom_sid_str_buf
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-11-02 21:21:15 +01:00
Volker Lendecke
831ee63f54 lib: Add error checks in dom_sid_string_buf
Also, avoid casts by using PRIxxx macros

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-11-02 17:03:26 +01:00
Tim Beale
2fa2f132ae dsdb: Avoid calculating the PSO multiple times
In a typical user login query, the code tries to work out the PSO 2-3
times - once for the msDS-ResultantPSO attribute, and then again for the
msDS-User-Account-Control-Computed & msDS-UserPasswordExpiryTimeComputed
constructed attributes.

The PSO calculation is reasonably expensive, mostly due to the nested
groups calculation. If we've already constructed the msDS-ResultantPSO
attribute, then we can save ourselves extra work by just re-fetching the
result directly, rather than expanding the nested groups again from
scratch.

The previous patch improves efficiency when there are no PSOs in the
system. This should improve the case where there are PSOs that apply to
the users. (Unfortunately, it won't help where there are some PSOs in
the system, but no PSO applies to the user being queried).

Also updated sam.c so the msDS-ResultantPSO gets calculated first,
before the other constructed attributes.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

Autobuild-User(master): Garming Sam <garming@samba.org>
Autobuild-Date(master): Wed May 23 10:09:11 CEST 2018 on sn-devel-144
2018-05-23 10:09:10 +02:00
Tim Beale
442a38c918 dsdb/auth: Use PSO settings for lockOutThreshold/Duration
If a PSO applies to a user, use its lockOutThreshold/Duration settings
instead of the domain setting. When we lookup a user, we now include the
msDS-ResultantPSO attribute. If the attribute is present for a user,
then we lookup the corresponding PSO object to get the lockOutThreshold/
Duration settings.

Note: This is not quite enough to make the PSO lockout tests pass, as
msDS-User-Account-Control-Computed is still constructed based on the
domain lockoutDuration setting rather than the PSO.

Updating the password_hash.c code properly will be done in a subsequent
commit.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2018-05-23 06:55:30 +02:00
Andrew Bartlett
20fda4f600 auth: Use DBGC_AUTH as DBGC_CLASS for AD DC auth session code.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue May 22 02:42:32 CEST 2018 on sn-devel-144
2018-05-22 02:42:32 +02:00
Stefan Metzmacher
4565ac5998 s4:auth: add authsam_update_user_info_dc() that implements SID expanding for the local domain
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13300

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-19 20:30:51 +01:00
Stefan Metzmacher
d6ee065119 s4:auth: split out a authsam_domain_group_filter() function
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13300

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-19 20:30:51 +01:00
Garming Sam
fd29e28d52 netlogon: Implement SendToSam along with its winbind forwarding
This allows you to forward bad password count resets to 0. Currently,
there is a missing access check for the RODC to ensure it only applies
to cached users (msDS-Allowed-Password-Replication-Group).

(further patches still need to address forcing a RWDC contact)

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-30 08:06:07 +02:00
Garming Sam
b50a147a7e auth_winbind: Allow badPwdCount to be set to 0 with this auth method
We rely on the other SAM modules to increment the badPwdCount locally,
but we must reset to 0 if the remote sends a success (to override our
failure).

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-30 08:06:06 +02:00