1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

39018 Commits

Author SHA1 Message Date
Joseph Sutton
e09bf1bc9e s4:auth: Explicitly initialize claims structures
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-12 23:13:32 +00:00
Joseph Sutton
3e5aba62ec s4:auth: Have claims_data_encoded_claims_set() return a reference to the encoded claims
Having the lifetime of the encoded claims be tied in a predictable
fashion to a caller‐controlled memory context is less prone to error.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-12 23:13:32 +00:00
Joseph Sutton
e3953e18ae s4:kdc: Declare ‘auth_entry’ to be of type ‘samba_kdc_entry_pac’
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-12 23:13:32 +00:00
Joseph Sutton
72b26d5684 s4:kdc: Rename samba_kdc_obtain_user_info_dc() to samba_kdc_get_user_info_dc()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-12 23:13:32 +00:00
Joseph Sutton
9937c1c546 s4:kdc: Cache user info and resource groups from PACs
When authentication policies are implemented, we shall need to fetch
SIDs (and claims) from the PACs of users and devices repeatedly — not
just when first looking up a user, but every time a policy needs to be
evaluated.

This will likely be more efficient if we can cache this information,
removing the need to derive it more than once.

View with ‘git show -b’.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-12 23:13:32 +00:00
Andrew Bartlett
37321e6f76 s4-kdc: Do not modify the returned user_info_dc from samba_kdc_get_user_info_dc()
We have the duplicated shallow copy in each caller so that the caller is
clear on what memory can be changed.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-10-12 23:13:32 +00:00
Joseph Sutton
19b1e31e23 s4:kdc: Always fetch resource groups
No behaviour change, and if the caller doesn’t need the resource groups
after all, the cost incurred is little more than the allocation of a
couple of dozen bytes of memory.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-12 23:13:32 +00:00
Joseph Sutton
a7765d1381 s4:kdc: Label ‘resource_groups_out’ parameter
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-12 23:13:32 +00:00
Joseph Sutton
2f3a8ae8d5 s4:kdc: Remove ‘group_inclusion’ parameter from samba_kdc_obtain_user_info_dc()
It could be equal only to AUTH_EXCLUDE_RESOURCE_GROUPS.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-12 23:13:32 +00:00
Joseph Sutton
300459e86a s4:kdc: Pass AUTH_EXCLUDE_RESOURCE_GROUPS into samba_kdc_obtain_user_info_dc()
As the ‘group_inclusion’ parameter has an effect only if the
‘resource_groups_out’ parameter is non‐NULL, this does not result in a
change in behaviour.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-12 23:13:32 +00:00
Joseph Sutton
30cfa9b79a s4:kdc: Pass resource groups parameter only if we are creating a TGT
No change in behaviour.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-12 23:13:32 +00:00
Joseph Sutton
3f6e6a3c23 s4:kdc: Make ‘resource_groups_out’ parameter const
The caller shouldn’t need to modify this.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-12 23:13:32 +00:00
Joseph Sutton
d7ed1b5302 s4:kdc: Check parameters of samba_kdc_get_user_info_from_pac()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-12 23:13:32 +00:00
Joseph Sutton
b2bb86bc54 s4:kdc: Simplify memory management with talloc stackframe
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-12 23:13:32 +00:00
Joseph Sutton
886bbcdc1c s4:kdc: Remove common out path from samba_kdc_obtain_user_info_dc()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-12 23:13:32 +00:00
Joseph Sutton
02daf011f7 s4:kdc: Split samba_kdc_get_user_info_from_pac() out of samba_kdc_obtain_user_info_dc()
View with ‘git show -b’.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-12 23:13:32 +00:00
Joseph Sutton
453bb84e64 s4:kdc: Rename variable ‘user_info_dc’ to ‘info’
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-12 23:13:32 +00:00
Joseph Sutton
7ee08114d4 s4:kdc: Rename parameter ‘user_info_dc_out’ to ‘info_out’
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-12 23:13:32 +00:00
Joseph Sutton
3045908557 s4:kdc: Fix leak
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-12 23:13:32 +00:00
Joseph Sutton
c559e9922e s4:kdc: Introduce intermediate variable ‘resource_groups’
No change in behaviour.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-12 23:13:32 +00:00
Joseph Sutton
d57062300f s4:kdc: Initialize out parameter of samba_kdc_get_user_info_from_db()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-12 23:13:32 +00:00
Joseph Sutton
0ed6d11e58 s4:kdc: Check parameters of samba_kdc_get_user_info_from_db()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-12 23:13:32 +00:00
Joseph Sutton
d02f37b489 s4:kdc: Rename local variable ‘user_info_dc’ to ‘info’
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-12 23:13:32 +00:00
Joseph Sutton
024d8cf500 s4:kdc: Pass ‘samdb’ into samba_kdc_get_user_info_from_db()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-12 23:13:32 +00:00
Joseph Sutton
8b518817e3 s4:kdc: Add ‘samdb’ parameter to samba_kdc_get_device_info_blob()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-12 23:13:32 +00:00
Joseph Sutton
29c230531c s4:kdc: Add ‘samdb’ parameter to samba_kdc_verify_pac()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-12 23:13:32 +00:00
Joseph Sutton
16cb8c4787 s4:kdc: Make boolean members into bit‐fields
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-12 23:13:32 +00:00
Joseph Sutton
a57d973d80 s4:kdc: Modify samba_kdc_get_user_info_from_db() to return a Kerberos error code
instead of an NT status code.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-12 23:13:32 +00:00
Joseph Sutton
54cd2af2de s4:kdc: Pass Kerberos context into samba_kdc_get_device_info_blob()
We shall need it in order to produce an error string.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-12 23:13:32 +00:00
Joseph Sutton
d51c505d35 s4:kdc: Rename samba_kdc_entry::user_info_dc to samba_kdc_entry::info_from_db
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-12 23:13:32 +00:00
Joseph Sutton
64326818eb s4:kdc: Rename samba_kdc_get_user_info_dc() to samba_kdc_get_user_info_from_db()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-12 23:13:32 +00:00
Joseph Sutton
c35d1fe593 s4:kdc: Inline samba_kdc_get_user_info_from_db() into its only caller
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-12 23:13:32 +00:00
Joseph Sutton
0a61dc6ce9 s4:kdc: Replace calls to samba_kdc_get_user_info_from_db() with calls to samba_kdc_get_user_info_dc()
The latter function behaves identically, except that it makes a shallow
copy of the returned structure, thus avoiding lifetime issues.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-12 23:13:32 +00:00
Joseph Sutton
96ab35bb91 s4:kdc: Add ‘msg’ parameter to samba_kdc_get_user_info_dc()
We want to call this function from more places. But some potential
callers, found in db-glue.c, have only a partially‐initialized
‘samba_kdc_entry’ structure, without the crucial ‘msg’ member. These
callers need to be able to pass in the ldb message as a separate
parameter.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-12 23:13:32 +00:00
Joseph Sutton
ce7c543ffc s4:kdc: Rename ‘user_info_dc_out’ parameter of samba_kdc_get_user_info_dc() to ‘info_out’
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-12 23:13:32 +00:00
Joseph Sutton
9c4647436c s4:kdc: Rename ‘skdc_entry’ parameter of samba_kdc_get_user_info_dc() to ‘entry’
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-12 23:13:32 +00:00
Joseph Sutton
f03b14f8b8 s4:kdc: Rename ‘user_info_dc’ parameter of samba_kdc_get_user_info_from_db() to ‘info_out’
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-12 23:13:32 +00:00
Joseph Sutton
a7323d704e s4:kdc: Rename ‘skdc_entry’ parameter of samba_kdc_get_user_info_from_db() to ‘entry’
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-12 23:13:32 +00:00
Ralph Boehme
94462dfabf s4:torture/smb2: fix typo in acls.c
This fixes the failing samba-codecheck CI job and is not part of the functional
security fix.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-10-11 11:47:44 +00:00
Volker Lendecke
768990ec4d rpc_netlogon4: Simplify dcesrv_netr_ServerAuthenticate3_helper()
Use a switch/case statement instead of a if/else chain. Easier to read
to me.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-10-10 23:23:40 +00:00
Volker Lendecke
e2e5ae1eb2 dsdb: Slightly simplify dsdb_trust_get_incoming_passwords()
Use talloc_memdup() instead of a manual copy.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-10-10 23:23:40 +00:00
Volker Lendecke
7bc1fa707d lsa_srv4: Fix a typo
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-10-10 23:23:40 +00:00
Andrew Bartlett
2e87c9d865 s4-echo: Remove the "echo" server (port 7, RFC 862) in production builds
This demonstration should never be enabled in production, if
echo service is required other software is far better positioned
to provide it.  Reflection attacks on echo are a known issue.

This is removed for consistency with the removal of rpcecho, but was
never enabled in the default smb.conf so is mostly harmless.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2023-10-10 14:49:40 +00:00
Andrew Bartlett
3cf1beed5d CVE-2023-42669 s4-rpc_server: Disable rpcecho server by default
The rpcecho server is useful in development and testing, but should never
have been allowed into production, as it includes the facility to
do a blocking sleep() in the single-threaded rpc worker.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15474

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2023-10-10 14:49:39 +00:00
Andrew Bartlett
cfeb9fe50e CVE-2023-4154: Unimplement the original DirSync behaviour without LDAP_DIRSYNC_OBJECT_SECURITY
This makes LDAP_DIRSYNC_OBJECT_SECURITY the only behaviour provided by
Samba.

Having a second access control system withing the LDAP stack is unsafe
and this layer is incomplete.

The current system gives all accounts that have been given the
GUID_DRS_GET_CHANGES extended right SYSTEM access.  Currently in Samba
this equates to full access to passwords as well as "RODC Filtered
attributes" (often used with confidential attributes).

Rather than attempting to correctly filter for secrets (passwords) and
these filtered attributes, as well as preventing search expressions for
both, we leave this complexity to the acl_read module which has this
facility already well tested.

The implication is that callers will only see and filter by attribute
in DirSync that they could without DirSync.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2023-10-10 14:49:39 +00:00
Andrew Bartlett
d3d83a8f2e CVE-2023-4154 dsdb/tests: Extend attribute read DirSync tests
The aim here is to document the expected (even if not implemented)
SEARCH_FLAG_RODC_ATTRIBUTE vs SEARCH_FLAG_CONFIDENTIAL, behaviour, so
that any change once CVE-2023-4154 is fixed can be noted.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2023-10-10 14:49:39 +00:00
Andrew Bartlett
0a79ed2c0b CVE-2023-4154 dsdb/tests: Add test for SEARCH_FLAG_RODC_ATTRIBUTE behaviour
SEARCH_FLAG_RODC_ATTRIBUTE should be like SEARCH_FLAG_CONFIDENTIAL,
but for DirSync and DRS replication.  Accounts with
GUID_DRS_GET_CHANGES rights should not be able to read this
attribute.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2023-10-10 14:49:39 +00:00
Andrew Bartlett
d4a71fbece CVE-2023-4154 dsdb/tests: Speed up DirSync test by only checking positive matches once
When we (expect to) get back a result, do not waste time against a potentially
slow server confirming we also get back results for all the other attribute
combinations.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2023-10-10 14:49:39 +00:00
Andrew Bartlett
76b8d3edce CVE-2023-4154 dsdb/tests: Check that secret attributes are not visible with DirSync ever.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2023-10-10 14:49:39 +00:00
Andrew Bartlett
b644bb0665 CVE-2023-4154 dsdb/tests: Force the test attribute to be not-confidential at the start
Rather than fail, if the last run failed to reset things, just force
the DC into the required state.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2023-10-10 14:49:39 +00:00
Andrew Bartlett
07d2b28fb3 CVE-2023-4154 dsdb/tests: Use self.addCleanup() and delete_force()
Thie helps ensure this test is reliable even in spite of errors while
running.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2023-10-10 14:49:39 +00:00
Andrew Bartlett
6578a65ed7 CVE-2023-4154 dsdb/tests: Do not run SimpleDirsyncTests twice
To re-use setup code, the super-class must have no test_*() methods
otherwise these will be run as well as the class-local tests.

We rename tests that would otherwise have duplicate names

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2023-10-10 14:49:39 +00:00
Ralph Boehme
b1fd656941 CVE-2023-4091: smbtorture: test overwrite dispositions on read-only file
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439

Signed-off-by: Ralph Boehme <slow@samba.org>
2023-10-10 14:49:39 +00:00
Volker Lendecke
8107aafb40 idl: Add smb3posix.idl
Let PIDL take care of encoding SMB2_FILE_POSIX_INFORMATION. This way
we also get parsing.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-10-04 20:31:36 +00:00
Joseph Sutton
77b35c423e s4:kdc: Make use of ‘samba_kdc_entry_pac’ wrapper type
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-01 22:45:38 +00:00
Joseph Sutton
bad7a3fcea s4:kdc: Add function to get device PAC entry from Heimdal request structure
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-01 22:45:38 +00:00
Joseph Sutton
79b33eeacc s4:kdc: Add function to determine whether a KDC entry represents a trust
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-01 22:45:38 +00:00
Joseph Sutton
1ea4b27162 s4:kdc: Fix indentation
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-01 22:45:38 +00:00
Joseph Sutton
45e8e19719 s4:kdc: Remove unused declaration
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-01 22:45:38 +00:00
Joseph Sutton
1c456912a1 s4:kdc: Add ‘samba_kdc_entry_pac’ wrapper type
With embedded Heimdal, we can mark a PAC as being trusted (i.e. not
issued by an RODC). This is convenient, as it saves us needing to carry
that information in flags, hoping it isn’t inadvertently lost.

System Heimdal and MIT Kerberos, however, don’t provide a way to mark a
PAC trusted. So we add a new wrapper type, ‘samba_kdc_entry_pac’, that
contains this extra information if ‘krb5_const_pac’ doesn’t contain it
already. As it also stores a pointer to the client entry, the
structure’s lifetime must therefore be carefully managed. Finally, it
keeps track of whether the PAC came across a trust, to know which is
useful in some circumstances.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-01 22:45:38 +00:00
Joseph Sutton
321e0ed675 s4:kdc: Remove unused parameters from samba_kdc_verify_pac()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-01 22:45:38 +00:00
Joseph Sutton
3358b04a58 s4:kdc: Remove device PAC validation
In the first place, this check was only applicable to the Heimdal KDC,
the MIT KDC not having support for compounded authentication. Secondly,
it was redundant, because _kdc_fast_check_armor_pac() would have already
been called to verify the armor ticket; a second round of validation
achieved nothing. And finally, the check was flawed: it checked only
*explicitly* armored PACs, and so would have done nothing for an armored
*AS‐REQ*.

In short, this check was useless; remove it.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-01 22:45:38 +00:00
Joseph Sutton
68dc69d86f s4:kdc: Remove ‘asserted_identity’ parameter from samba_kdc_get_user_info_dc()
It was not used.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-01 22:45:38 +00:00
Joseph Sutton
3c480886ad s4:kdc: Have callers of samba_kdc_get_user_info_dc() themselves add an Asserted Identity SID
samba_kdc_get_user_info_dc() does too much. It should be responsible
only for getting account information, not for adding extra SIDs.

By extracting the call to samba_kdc_add_asserted_identity() into the
former function’s callers, we’ll be able to remove the
‘asserted_identity’ parameter in the next commit, reducing the
function’s complexity.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-01 22:45:38 +00:00
Joseph Sutton
f250a24e92 s4:kdc: Remove ‘claims_valid’ parameter from samba_kdc_get_user_info_dc()
It was not used.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-01 22:45:38 +00:00
Joseph Sutton
cfeb3d75cb s4:kdc: Have callers of samba_kdc_get_user_info_dc() themselves add the Claims Valid SID
samba_kdc_get_user_info_dc() does too much. It should be responsible
only for getting account information, not for adding extra SIDs.

By extracting the call to samba_kdc_add_claims_valid() into the former
function’s callers, we’ll be able to remove the ‘claims_valid’ parameter
in the next commit, reducing the function’s complexity.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-01 22:45:38 +00:00
Joseph Sutton
e0a3dd5499 s4:kdc: Remove ‘compounded_auth’ parameter from samba_kdc_get_user_info_dc()
It was never used.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-01 22:45:38 +00:00
Joseph Sutton
41527cfaf9 s4:kdc: Remove unused memory context from samba_kdc_lookup_realm()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-01 22:45:38 +00:00
Joseph Sutton
2f9d2ff895 s4:kdc: Add parameters for claims and device info to authn_policy_authenticate_to_service()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-01 22:45:38 +00:00
Joseph Sutton
3ae7599830 s4:kdc: Add claims parameter to authn_policy_authenticate_from_device()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-01 22:45:38 +00:00
Joseph Sutton
54cd7f4f80 s4:kdc: Add parameters for claims and device info to authn_policy_access_check()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-01 22:45:38 +00:00
Joseph Sutton
8a5921d974 s4:auth: Add parameters for claims and device info to auth_generate_security_token()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-01 22:45:38 +00:00
Joseph Sutton
a3a489fa53 s4:kdc: Reformat function call
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-01 22:45:38 +00:00
Joseph Sutton
a2b6c2199f s4:auth: Reformat function calls
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-01 22:45:38 +00:00
Joseph Sutton
4f0ba2b0bf s4:auth: Rename parameter to match function implementation
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-01 22:45:38 +00:00
Joseph Sutton
a621e9ab99 s4:dsdb: Add session info flag to indicate authentication with a device
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-01 22:45:38 +00:00
Joseph Sutton
c829dd1ba8 s4:dsdb: Add parameters for claims and device SIDs to security_token_create()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-01 22:45:38 +00:00
Joseph Sutton
c45a24cc41 s4:kdc: Initialize pointer to NULL
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-01 22:45:38 +00:00
Joseph Sutton
7587532292 s4:kdc: Remove unnecessary assignments
These structures have been zero‐initialized already.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-01 22:45:38 +00:00
Joseph Sutton
af22a6552d s4:kdc: Check that principal being copied is not NULL
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-01 22:45:38 +00:00
Joseph Sutton
452aeb218d s4:kdc: Prefer explicit initialization to ZERO_STRUCTP()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-01 22:45:38 +00:00
Joseph Sutton
d30a612410 s4:auth: Ensure that some parameters are not NULL
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-01 22:45:38 +00:00
Joseph Sutton
bc680b6f4a s4:torture: Fix building with FORTIFY_SOURCE=2
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-01 22:45:38 +00:00
Joseph Sutton
c2f55b061f s4:ntvfs: Fix building with FORTIFY_SOURCE=2
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-01 22:45:38 +00:00
Rob van der Linde
f9d406dca6 netcmd: tests: bugfix: argument -U was already in creds so listed twice
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-29 02:18:34 +00:00
Joseph Sutton
08b9d5c7b9 tests/krb5: Add samba.tests.krb5.conditional_ace_tests
This is a test using conditional ACEs and claims to confirm that we understand
the full end-to-end network behaviour of these all the way from the PAC to the
application in the access check of the KDC.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Sep 28 04:35:05 UTC 2023 on atb-devel-224
2023-09-28 04:35:05 +00:00
Joseph Sutton
4839adf9da s4:auth: Add functions to convert between different claims formats
The new ‘claims_data’ structure can store claims in three different
representations — as an encoded blob, as a CLAIMS_SET structure, or as a
series of CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 claims. Given a set of
claims, the accompanying functions provide a way to convert them into
the desired format.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-27 02:43:28 +00:00
Joseph Sutton
58aa8d99c4 s4:auth: Include missing headers
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-27 02:43:28 +00:00
Joseph Sutton
5e164cc2d6 s4:kdc: Move encode_claims_set() into the auth_session subsystem
Some functions in the auth_session subsystem will need to be able to
call encode_claims_set(). Moving said function lets them do that whilst
avoiding circular dependencies and additional public dependencies.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-27 02:43:28 +00:00
Joseph Sutton
ab227bbe8e s4:auth: Fix ‘user_info_dc_out’ leak
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-27 02:43:28 +00:00
Joseph Sutton
0a9f248642 s4:auth: Return a talloc‐allocated resource groups structure
Future callers will rely on resource_groups_out being talloc‐allocated.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-27 02:43:28 +00:00
Joseph Sutton
219ee05d6e s4:auth: Introduce helper variable ‘resource_groups_in’
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-27 02:43:28 +00:00
Joseph Sutton
842f845c8a s4:auth: Make returning resource groups the last thing we do
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-27 02:43:28 +00:00
Joseph Sutton
a2700cf685 s4:torture: Initialize ‘tm’ structure
‘tm’ must be initialized prior to calling strptime().

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-27 02:43:28 +00:00
Joseph Sutton
9bd9b9bfd9 s4:kdc: Fix ldb_msg_find_krb5time_ldap_time()
strptime() will fail to parse the LDAP ‘whenCreated’ time string,
because the format string is wrong: it will expect to get a time like
“20230920043849Z”, but the time string seems to be actually formatted
“20230920043849.0Z” — like a GeneralizedTime.

Fix this by delegating to ldb_val_to_time().

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-27 02:43:28 +00:00
Joseph Sutton
bdf0e1be35 s4:kdc: Initialize ‘tm’ structure
‘tm’ must be initialized prior to calling strptime().

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-27 02:43:28 +00:00
Joseph Sutton
c94db7d2e8 s4:auth: Correct error message
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-27 02:43:28 +00:00
Joseph Sutton
dc73160381 s4:torture: Use SID constants
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-27 02:43:28 +00:00
Joseph Sutton
8b496331b9 s4:rpc_server: Use Builtin SID constant
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-27 02:43:28 +00:00
Joseph Sutton
4bef3fd7e9 s4:ntvfs: Use World and System SID constants
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-27 02:43:28 +00:00
Joseph Sutton
4405e709c0 s4:dsdb: Use Builtin SID constant
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-27 02:43:28 +00:00
Joseph Sutton
e6bb3a347f s4:auth: Use Anonymous and System SID constants
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-27 02:43:28 +00:00
Joseph Sutton
b1b7d33bd5 s4:kdc: Use Compounded Authentication and Claims Valid SID constants
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-27 02:43:28 +00:00
Joseph Sutton
89985f6fec s4:kdc: Use Asserted Identity SID constants
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-27 02:43:28 +00:00
Joseph Sutton
dcca6bba2a s4:dsdb: Use NULL SID constant
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-27 02:43:28 +00:00
Andrew Bartlett
e2cc29d132 libcli/security: Pass in claims evaluation state when building any security token
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-09-26 23:45:35 +00:00
Andrew Bartlett
f1fcbc0f10 s4-auth: pass lp_ctx to auth_generate_session_info() where possible
For non-testing callers of auth_generate_session_info(), passing
lp_ctx will allow us to correctly set a flag indicating if claims
should be evaluated.

For testing applications, the default will allow safe operation
inspecting the SID list.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-09-26 23:45:35 +00:00
Douglas Bagnall
fabc2f351e pytest: sddl tests with conditional ACEs
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Douglas Bagnall
829d77b4a0 s4/librpc: build conditional ace Python bindings
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Joseph Sutton
df3816eb71 s4:dsdb: Fix comment
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-14 21:35:29 +00:00
Joseph Sutton
fb17b17000 s4:kdc: Don’t prepend useless colon to MIT KDC logging messages
If we pass an empty string as the ‘whoami’ parameter, MIT’s logging
facilities will prepend a mysterious colon to the message. Printing
“mitkdc: ” ought at least to be more sensible, and perhaps more closely
to match our behaviour prior to commit
dd8138236b.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-14 21:35:29 +00:00
Joseph Sutton
d16337bd83 s4:wrepl_server: Correctly read ‘type’ element
winsdb_message() stores this element as hexadecimal, which format
ldb_msg_find_attr_as_uint() cannot cope with. Permit this element to be
in either decimal or hexadecimal format.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-14 21:35:29 +00:00
Joseph Sutton
238b5a8ad0 s4:kdc: Remove ks_is_tgs_principal()
This function is a near‐duplicate of smb_krb5_principal_is_tgs().

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-14 21:35:29 +00:00
Joseph Sutton
2ff2d9bfa1 s4:setup: Fix script usage line
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-14 21:35:29 +00:00
Joseph Sutton
31212b0c14 s4:selftest: Fix script usage lines
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-14 21:35:29 +00:00
Joseph Sutton
187d74d9c0 lib:krb5_wrap: Remove Heimdal‐only krb5_princ_component() implementation
This implementation is no longer called: using a variable of static
storage duration as a conduit for return values is only asking for
trouble.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-14 21:35:29 +00:00
Joseph Sutton
7e62f3921f s4:rpc_server: Switch to using smb_krb5_princ_component()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-14 21:35:29 +00:00
Joseph Sutton
cec4ebbec8 s4:kdc: Switch to using smb_krb5_princ_component()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-14 21:35:29 +00:00
Joseph Sutton
9bb80c2738 s4:dsdb: Switch to using smb_krb5_princ_component()
This function has the handy feature of being able to be called twice in
succession without mysteriously breaking your code. Now, doesn’t that
sound useful?

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-14 21:35:29 +00:00
Joseph Sutton
229d26e25e lib:krb5_wrap: Add Heimdal‐specific smb_krb5_princ_component() implementation
This implementation doesn’t rely on a variable of static storage
duration being used as a conduit for the return value.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-14 21:35:29 +00:00
Joseph Sutton
eec9e54592 lib:krb5_wrap: Add smb_krb5_princ_component()
For now this function is a mere wrapper round krb5_princ_component(),
but one whose interface allows for a more sensible implementation.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-14 21:35:29 +00:00
Joseph Sutton
aa56750f97 s4:kdc: Fix leaks
Create a temporary memory context on which to allocate things.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-14 21:35:29 +00:00
Joseph Sutton
d902c134d7 s4:kdc: Be sure not to pass a NULL pointer into strcmp()
To do so is to invoke undefined behaviour.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-14 21:35:29 +00:00
Joseph Sutton
41d974389e s4:kdc: Prefer explicit initialization to ZERO_STRUCTP()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-14 21:35:29 +00:00
Joseph Sutton
617f87a97e s4:kdc: Make RODC ID checks easier to understand with more clearly‐named variables
No change in behaviour.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-14 21:35:29 +00:00
Joseph Sutton
ed8d7497cf s4:kdc: Rename ‘status’ variables to ‘reply_status’
This makes it clearer what these variables are used for, and avoids
confusion with the similarly‐named ‘nt_status’ variables — also used in
these functions.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-14 21:35:29 +00:00
Joseph Sutton
b8368ed358 s4:kdc: Have samba_krbtgt_is_in_db() take a const KDC entry
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-14 21:35:29 +00:00
Joseph Sutton
c72d784a4f s4:kdc: Have samba_krbtgt_is_in_db() return a krb5_error_code
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-14 21:35:29 +00:00
Joseph Sutton
a5308a2d90 s4:kdc: Make pac_blobs_remove_blob() never fail
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-14 21:35:29 +00:00
Joseph Sutton
ed8436092b s4:kdc: Make ‘struct pac_blobs’ memory handling safer and more consistent
Having pac_blobs::type_blobs be managed both by talloc and by the
‘pac_blobs’ structure itself (with pac_blobs_destroy()) is very prone to
error. So is the current situation of having the other ‘pac_blobs’
functions each take in a memory context.

Improve these circumstances by requiring ‘pac_blobs’ to be managed by
talloc. Now the other functions can dispense with their ‘mem_ctx’
parameters, being instead able to allocate on to the ‘pac_blobs’
structure itself. pac_blobs_init() no longer must be a separate
function; inline it into pac_blobs_from_krb5_pac(). pac_blobs_destroy(),
being no longer of use, can go too.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-14 21:35:29 +00:00
Joseph Sutton
cb40095079 s4:kdc: Don’t corrupt pac_blobs structure if talloc_realloc() fails
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-14 21:35:29 +00:00
Joseph Sutton
e9590ac7bb s4:kdc: Add common out path to pac_blobs_from_krb5_pac()
This helps to make error‐checking and cleanup more systematic.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-14 21:35:29 +00:00
Joseph Sutton
cbf1e0c838 s4:kdc: Introduce a temporary talloc context in samba_kdc_update_pac()
This avoids allocating working structures on to a potentially long‐lived
context.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-14 21:35:29 +00:00
Joseph Sutton
8b49e05831 s4:kdc: Use temporary memory context in samba_kdc_verify_pac()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-14 21:35:29 +00:00
Joseph Sutton
0d2d3a9098 s4:kdc: Fix leak
Introduce a temporary memory context and allocate working structures on
to it.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-14 21:35:29 +00:00
Joseph Sutton
cf2bde738d s4:kdc: Allocate variables on to more suitable memory context
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-14 21:35:29 +00:00
Joseph Sutton
953af6c3a3 s4:kdc: Increment PAC_DEVICE_INFO::domain_group_count only after SID has been successfully added
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-14 21:35:29 +00:00
Joseph Sutton
446e45be45 s4:kdc: Directly zero‐initialize PAC_DOMAIN_GROUP_MEMBERSHIP structure
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-14 21:35:29 +00:00
Joseph Sutton
d4ceac448b s4:kdc: Assign RID and attribute together
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-14 21:35:29 +00:00
Joseph Sutton
6dae90bdd9 s4:kdc: Don’t corrupt domain groups structure if talloc_realloc() fails
Introduce a temporary variable instead of assigning the result of
talloc_realloc() directly to samr_RidWithAttributeArray::rids. In this
way we avoid having a structure with a non‐zero ‘count’ but with ‘rids’
set to the NULL pointer.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-14 21:35:29 +00:00
Joseph Sutton
d045809c0c s4:kdc: Check for overflow when adding a domain group SID
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-14 21:35:29 +00:00
Joseph Sutton
19b616d169 s4:kdc: Avoid potential use‐after‐free
We must allocate the domain groups on to the correct memory context,
lest they get freed prematurely.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-14 21:35:29 +00:00
Joseph Sutton
bf9b16884b s4:kdc: Fix leak
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-14 21:35:29 +00:00
Joseph Sutton
7718a9d61b s4:kdc: Use common exit point for functions
This makes it less likely that we forget to clean up resources.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-14 21:35:29 +00:00
Joseph Sutton
e48df09175 s4:kdc: Fix leaks
Allocate variables on to a temporary context rather than on to the
potentially long‐lived context passed in by the caller.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-14 21:35:29 +00:00
Joseph Sutton
5c580dbdb3 s4:kdc: Add correct Asserted Identity SID in response to an S4U2Self request
I’m not sure exactly how this check was supposed to work. But in any
case, within fast_unwrap_request() the Heimdal KDC replaces the outer
padata with the padata from the inner FAST request. Hence, this check
does not accomplish anything useful: at no point should the KDC plugin
see the outer padata.

A couple of unwanted consequences resulted from this check. One was that
a client who sent empty FX‐FAST padata within the inner FAST request
would receive the *Authentication Authority* Asserted Identity SID
instead of the *Service* Asserted Identity SID. Another consequence was
that a client could in the same manner bypass the restriction on
performing S4U2Self with an RODC‐issued TGT.

Overall, samba_wdc_is_s4u2self_req() is somewhat of a hack. But the
Heimdal plugin API gives us nothing better to work with.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-14 21:35:29 +00:00
Joseph Sutton
c4933dd4b7 s4:auth: Fix leaks
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-14 21:35:29 +00:00
Joseph Sutton
8b2e14052c s4:auth: Check return values of talloc functions
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-14 21:35:29 +00:00
Joseph Sutton
bd05237de4 s4:dsdb: Prefer explicit initialization to ZERO_STRUCT()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-14 21:35:29 +00:00
Joseph Sutton
2e8bbaea70 s4:dsdb: Parenthesize macro expression
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-14 21:35:29 +00:00