sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-27 14:04:05 +03:00
Code
127,667 Commits 60 Branches 1,146 Tags
Commit Graph

3152 Commits

Author SHA1 Message Date
Joseph Sutton
7ff05eb8d4 CVE-2020-25719 tests/krb5: Add tests for requester SID PAC buffer 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:33 +00:00
Joseph Sutton
2e1e57fca8 CVE-2020-25719 tests/krb5: Add tests for PAC-REQUEST padata 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:33 +00:00
Joseph Sutton
b8c85fe81c CVE-2020-25719 tests/krb5: Add tests for PAC attributes buffer 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:33 +00:00
Joseph Sutton
72f82d949a CVE-2020-25719 tests/krb5: Add expected parameters to cache key for obtaining tickets 
If multiple calls to get_tgt() or get_service_ticket() specify different
expected parameters, we want to perform the request again so that the
checking can be performed, rather than reusing a previously obtained
ticket and potentially skipping checks.

It should be fine to cache tickets with the same expected parameters, as
tickets that fail to be obtained will not be stored in the cache, so the
checking will happen for every call.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:33 +00:00
Joseph Sutton
8752b83bb9 CVE-2020-25719 tests/krb5: Add EXPECT_PAC environment variable to expect pac from all TGS tickets 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:33 +00:00
Joseph Sutton
42405aa46b CVE-2020-25719 tests/krb5: Add testing for PAC_TYPE_REQUESTER_SID PAC buffer 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:33 +00:00
Joseph Sutton
58455c4876 CVE-2020-25719 tests/krb5: Add testing for PAC_TYPE_ATTRIBUTES_INFO PAC buffer 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:33 +00:00
Joseph Sutton
40a3f71818 CVE-2020-25719 tests/krb5: Add _modify_tgt() method for modifying already obtained tickets 
https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:33 +00:00
Joseph Sutton
2158ba1eb0 CVE-2020-25719 tests/krb5: Extend _get_tgt() method to allow more modifications to tickets 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:33 +00:00
Joseph Sutton
e647186c14 CVE-2020-25719 tests/krb5: tests/krb5: Adjust expected error code for S4U2Self no-PAC tests 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:33 +00:00
Joseph Sutton
924f323188 CVE-2020-25719 tests/krb5: Adjust expected error codes for user-to-user tests 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:33 +00:00
Joseph Sutton
faf47b0b6b CVE-2020-25719 tests/krb5: Adjust PAC tests to prepare for new PAC_ATTRIBUTES_INFO buffer 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:33 +00:00
Joseph Sutton
a236e2cc25 CVE-2020-25719 tests/krb5: Use correct credentials for user-to-user tests 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:33 +00:00
Joseph Sutton
9602594585 CVE-2020-25719 tests/krb5: Return ticket from _tgs_req() 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:33 +00:00
Joseph Sutton
21298ddfc5 CVE-2020-25719 tests/krb5: Expect 'renew-till' element when renewing a TGT 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:33 +00:00
Joseph Sutton
383bedd6fd CVE-2020-25719 tests/krb5: Don't expect a kvno for user-to-user 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:33 +00:00
Joseph Sutton
dd251f26df CVE-2020-25719 tests/krb5: Allow update_pac_checksums=True if the PAC is not present 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:33 +00:00
Joseph Sutton
336dfc3207 CVE-2020-25719 tests/krb5: Provide expected parameters for both AS-REQs in get_tgt() 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:33 +00:00
Joseph Sutton
2249143fe3 CVE-2020-25718 tests/krb5: Fix indentation 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:33 +00:00
Douglas Bagnall
11540375af CVE-2020-25722 pytest: test setting servicePrincipalName over ldap 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:33 +00:00
Douglas Bagnall
df34c11cbc CVE-2020-25722 pytest: test sAMAccountName/userPrincipalName over ldap 
Because the sam account name + the dns host name is used as the
default user principal name, we need to check for collisions between
these. Fixes are coming in upcoming patches.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:33 +00:00
Douglas Bagnall
72a2c21f3f CVE-2020-25722 samba-tool spn add: remove --force option 
This did not actually *force* the creation of a duplicate SPN, it just
ignored the client-side check for the existing copy. Soon we are going
to enforce SPN uniqueness on the server side, and this --force will not
work. This will make the --force test fail, and if that tests fail, so
will others that depend the duplicate values. So we remove those tests.

It is wrong-headed to try to make duplicate SPNs in any case, which is
probably why there is no sign of anyone ever having used this option.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:33 +00:00
Douglas Bagnall
7243bd7d38 CVE-2020-25722 samba-tool spn: accept -H for database url 
Following the convention and making testing easier

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:33 +00:00
Douglas Bagnall
b919246c55 CVE-2020-25722 pytest: assertRaisesLdbError invents a message if you're lazy 
This makes it easier to convert tests that don't have good messages.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:33 +00:00
Douglas Bagnall
de24916a82 CVE-2020-25722 pytests: add reverse lookup dict for LDB error codes 
You can give ldb_err() it a number, an LdbError, or a sequence of
numbers, and it will return the corresponding strings. Examples:

ldb_err(68)       # "LDB_ERR_ENTRY_ALREADY_EXISTS"
LDB_ERR_LUT[68]   # "LDB_ERR_ENTRY_ALREADY_EXISTS"

expected = (ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS,
            ldb.ERR_INVALID_CREDENTIALS)
try:
    foo()
except ldb.LdbError as e:
    self.fail(f"got {ldb_err(e)}, expected one of {ldb_err(expected)}")

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:33 +00:00
Samuel Cabrero
14b9f905da CVE-2020-25717: selftest: Add a test for the new 'min domain uid' parameter 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

[abartlet@samba.org Fixed knowfail per instruction from metze]
 2021-11-09 19:45:33 +00:00
Joseph Sutton
b4ea50f8b2 CVE-2020-25719 CVE-2020-25717 tests/krb5: Adapt tests for connecting without a PAC to new error codes 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14799
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:32 +00:00
Stefan Metzmacher
9fe1b719e1 CVE-2020-25719 CVE-2020-25717 tests/krb5: Add tests for connecting to services anonymously and without a PAC 
At the end of the patchset we assume NT_STATUS_NO_IMPERSONATION_TOKEN if
no PAC is available.

For now we want to look for ACCESS_DENIED as this allows
the test to pass (showing that gensec:require_pac = true
is a useful partial mitigation).

This will also help others doing backports that do not
take the full patch set.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14799
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:32 +00:00
Joseph Sutton
903ab1a027 CVE-2020-25721 tests/krb5: Add tests for extended PAC_UPN_DNS_INFO PAC buffer 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14835

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:32 +00:00
Joseph Sutton
24be204834 CVE-2020-25719 tests/krb5: Add tests for including authdata without a PAC 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:32 +00:00
Joseph Sutton
3af0c36a06 CVE-2020-25718 tests/krb5: Add tests for RODC-printed and invalid TGTs 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:32 +00:00
Joseph Sutton
7f7476b08c CVE-2020-25719 tests/krb5: Add principal aliasing test 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14686

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:32 +00:00
Joseph Sutton
48e5154de6 CVE-2020-25719 tests/krb5: Add a test for making an S4U2Self request without a PAC 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14686

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:32 +00:00
Joseph Sutton
bd87905cf1 CVE-2020-25719 tests/krb5: Add tests for requiring and issuing a PAC 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:32 +00:00
Joseph Sutton
3f7b971d37 CVE-2020-25721 ndrdump: Add tests for PAC with UPN_DNS_INFO 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14835

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:32 +00:00
Joseph Sutton
89c88a83da CVE-2020-25722 tests/krb5: Add KDC tests for 3-part SPNs 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14776

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:32 +00:00
Joseph Sutton
4125650a27 CVE-2020-25719 CVE-2020-25717 tests/krb5: Allow create_ccache_with_user() to return a ticket without a PAC 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14799
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:32 +00:00
Joseph Sutton
873ac6d814 CVE-2020-25719 CVE-2020-25717 tests/krb5: Refactor create_ccache_with_user() to take credentials of target service 
This allows us to use get_tgt() and get_service_ticket() to obtain
tickets, which simplifies the logic.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14799
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:32 +00:00
Joseph Sutton
23dc0cbd53 CVE-2020-25721 tests/krb5: Check PAC buffer types when STRICT_CHECKING=0 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14835

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:32 +00:00
Joseph Sutton
4ac05264a7 MS CVE-2020-17049 tests/krb5: Allow tests to pass if ticket signature checksum type is wrong 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:32 +00:00
Joseph Sutton
dbedf5b6e2 CVE-2020-25719 tests/krb5: Add method to get unique username for test accounts 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14686

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:32 +00:00
Joseph Sutton
4a792ad92d CVE-2020-25719 tests/krb5: Add is_tgt() helper method 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14686

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:32 +00:00
Joseph Sutton
43df8d0b2e CVE-2020-25722 tests/krb5: Allow creating server accounts 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14776

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:32 +00:00
Joseph Sutton
06168fd4e3 CVE-2020-25719 CVE-2020-25717 tests/krb5: Add pac_request parameter to get_service_ticket() 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14799
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:32 +00:00
Joseph Sutton
ff6631ecdc CVE-2020-25719 CVE-2020-25717 tests/krb5: Modify get_service_ticket() to use _generic_kdc_exchange() 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14799
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:32 +00:00
Joseph Sutton
f7f49db722 CVE-2020-25718 tests/krb5: Allow tests accounts to replicate to RODC 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:32 +00:00
Andrew Bartlett
adfae12584 CVE-2020-25722 selftest: Allow self.assertRaisesLdbError() to take a list of errors to match with 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
 2021-11-09 19:45:32 +00:00
David Mulder
1fce72f796 samba-tool: Add domain member leave 
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Rowland Penny <rpenny@samba.org>

Autobuild-User(master): David Mulder <dmulder@samba.org>
Autobuild-Date(master): Thu Nov  4 20:43:32 UTC 2021 on sn-devel-184
 2021-11-04 20:43:32 +00:00
David Mulder
5199eb1412 gp: Apply Firewalld Policy 
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Nov  1 21:16:43 UTC 2021 on sn-devel-184
 2021-11-01 21:16:43 +00:00
David Mulder
cd73e41013 gp: Test Firewalld Group Policy Apply 
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
 2021-11-01 20:29:36 +00:00