1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-31 17:18:04 +03:00
Commit Graph

105 Commits

Author SHA1 Message Date
Stefan Metzmacher
ed6a9ccef6 libcli/auth: return RESOURCE_REQUIREMENTS_CHANGED is the proposed flags changed
This will be important when we add support for netr_ServerAuthenticateKerberos().

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:37 +00:00
Stefan Metzmacher
a2b6a68b80 schannel.idl: change netlogon_creds_CredentialState layout for 4.22
This breaks compat with 4.21 and moves stuff out of
netlogon_creds_CredentialState_extra_info.

It also prepares support for netr_ServerAuthenticateKerberos()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:37 +00:00
Stefan Metzmacher
52b94f3f0f Revert "libcli/auth: let netlogon_creds_cli_store_internal check netlogon_creds_CredentialState_legacy"
This reverts commit c3fa132fbe179bd4e1451240ce572ec791356a16.

We break the compat of the netlogon_creds_cli.tdb records compared to
4.21 with the next commits.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:37 +00:00
Stefan Metzmacher
aea024779f libcli/auth: don't loose server_dns_domain in netlogon_creds_cli_context_global()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:37 +00:00
Stefan Metzmacher
544838ac5b netlogon.idl: add NetlogonTicketLogonInformation/NetlogonValidationTicketLogon
I have basic tests, which have shown that the payload is not
encrypted at application level.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:37 +00:00
Stefan Metzmacher
f340dce654 libcli/auth: make use of netlogon_creds_cli_check_transport() in more places
This was somehow missing in commit
7a5ad9f64a

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Nov  7 09:14:33 UTC 2024 on atb-devel-224
2024-11-07 09:14:33 +00:00
Stefan Metzmacher
7a5ad9f64a libcli/auth: split out netlogon_creds_cli_check_transport()
This will make it easier to implement netr_ServerAuthenticateKerberos()
later...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 23:08:36 +00:00
Stefan Metzmacher
1a5984ac63 libcli/auth: make use of netlogon_creds_client_verify()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 23:08:36 +00:00
Stefan Metzmacher
e92d0509d6 libcli/auth: make use of netlogon_creds_{de,en}crypt_samr_Password
This will make it easier to implement netr_ServerAuthenticateKerberos() later...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 23:08:36 +00:00
Stefan Metzmacher
2bd77ff731 libcli/auth: make use of netlogon_creds_encrypt_SendToSam
This will help when implementing netr_ServerAuthenticateKerberos()...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 23:08:36 +00:00
Stefan Metzmacher
285ec9ecde libcli/auth: make use of netlogon_creds_encrypt_samr_CryptPassword
This will help when implementing netr_ServerAuthenticateKerberos()...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 23:08:36 +00:00
Stefan Metzmacher
3d4ea276bd libcli/auth: pass auth_{type,level} to netlogon_creds_{de,en}crypt_samlogon_logon()
This will be needed when we implement netr_ServerAuthenticateKerberos...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 23:08:36 +00:00
Stefan Metzmacher
a56356e399 libcli/auth: pass auth_{type,level} to netlogon_creds_{de,en}crypt_samlogon_validation()
This will be needed when we implement netr_ServerAuthenticateKerberos...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 23:08:36 +00:00
Stefan Metzmacher
3792fe3728 libcli/auth: let netlogon_creds_cli_store_internal check netlogon_creds_CredentialState_legacy
Before storing the structure into a ctdb managed volatile database
we check against netlogon_creds_CredentialState_legacy (the structure
used before recent changes). This makes sure unpatched cluster nodes
would not get a parsing error.

We'll remove this again in master when we try to implement
netr_ServerAuthenticateKerberos() and the related changes
to netlogon_creds_CredentialState, which will break the compat...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 23:08:36 +00:00
Stefan Metzmacher
17394ed7bb libcli/auth: let netlogon_creds_cli_store_internal() use talloc_stackframe()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 23:08:36 +00:00
Stefan Metzmacher
8b972fea09 libcli/auth: also use netlogon_creds_CredentialState_extra_info for the client
In order to allow backports and cluster updates we simulate a
dom_sid, so that the old code is able to parse the blob.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 23:08:36 +00:00
Stefan Metzmacher
25a2105ca7 libcli/auth: use netr_LogonGetCapabilities query_level=2 to verify the proposed capabilities
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 23:08:35 +00:00
Stefan Metzmacher
276137e950 libcli/auth: use a LogonControl after a LogonGetCapabilities downgrade
If LogonGetCapabilities was downgraded by an DCERPC Fault, we
rely on the schannel message ordering to detect failures.

Instead of letting any real winbindd request trigger this,
we do it directly in netlogon_creds_cli_check() with
a LogonControl that is also used for 'wbinfo --ping-dc'.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 23:08:35 +00:00
Stefan Metzmacher
3da40f1c68 libcli/auth: if we require aes we don't need to require arcfour nor strong key
But we can send arcfour and strong key on the wire and don't need to
remove them from the proposed flags.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 23:08:35 +00:00
Stefan Metzmacher
a9040c8ce7 libcli/auth: don't allow any unexpected upgrades of negotiate_flags
Only remove the unsupported flags from state->current_flags for
the next try...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 23:08:35 +00:00
Stefan Metzmacher
69cb9aea67 libcli/auth: make use of netlogon_creds_cli_store_internal() in netlogon_creds_cli_auth_srvauth_done()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 23:08:35 +00:00
Stefan Metzmacher
0248907e34 CVE-2022-37966 libcli/auth: let netlogon_creds_cli_warn_options() about "kerberos encryption types=legacy"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2022-12-13 13:07:29 +00:00
Stefan Metzmacher
1c6c112990 CVE-2022-38023 docs-xml/smbdotconf: change 'reject md5 servers' default to yes
AES is supported by Windows >= 2008R2 and Samba >= 4.0 so there's no
reason to allow md5 servers by default.

Note the change in netlogon_creds_cli_context_global() is only cosmetic,
but avoids confusion while reading the code. Check with:

 git show -U35 libcli/auth/netlogon_creds_cli.c

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2022-12-13 13:07:29 +00:00
Stefan Metzmacher
7e7adf86e5 CVE-2022-38023 libcli/auth: add/use netlogon_creds_cli_warn_options()
This warns the admin about insecure options

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2022-12-13 13:07:29 +00:00
Stefan Metzmacher
992f39a2c8 CVE-2022-38023 libcli/auth: pass lp_ctx to netlogon_creds_cli_set_global_db()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2022-12-13 13:07:29 +00:00
Stefan Metzmacher
37c9600ff1 s3:g_lock: add callback function to g_lock_lock_send()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2022-09-20 00:34:35 +00:00
Joseph Sutton
feb36dbebf lib/util: Change function to mem_equal_const_time()
Since memcmp_const_time() doesn't act as an exact replacement for
memcmp(), and its return value is only ever compared with zero, simplify
it and emphasize the intention of checking equality by returning a bool
instead.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-06-09 22:49:29 +00:00
Joseph Sutton
a554e2ce53 lib/util: Change function to data_blob_equal_const_time()
Since data_blob_cmp_const_time() doesn't act as an exact replacement for
data_blob_cmp(), and its return value is only ever compared with zero,
simplify it and emphasize the intention of checking equality by
returning a bool instead.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-06-09 22:49:29 +00:00
Joseph Sutton
ae6634c787 auth: Use constant-time memcmp when comparing sensitive buffers
This helps to avoid timing attacks.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15010

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-06-09 22:49:29 +00:00
Andreas Schneider
d1ea9c5aab libcli:auth: Allow to connect to netlogon server offering only AES
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14912

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Dec  2 14:49:35 UTC 2021 on sn-devel-184
2021-12-02 14:49:35 +00:00
Stefan Metzmacher
8a607e7577 netlogon_creds_cli: add netlogon_creds_cli_SendToSam_recv() and don't ignore result
This is a low level function that should not ignore results.

If the caller doesn't care it's his choice.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Oct 19 20:20:00 UTC 2021 on sn-devel-184
2021-10-19 20:20:00 +00:00
Andreas Schneider
d6c7a2a700 netlogon:schannel: If weak crypto is disabled, do not announce RC4 support.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-08-03 09:28:38 +00:00
Stefan Metzmacher
46642fd32d CVE-2020-1472(ZeroLogon): libcli/auth: make use of netlogon_creds_random_challenge() in netlogon_creds_cli.c
This will avoid getting rejected by the server if we generate
a weak challenge.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2020-09-18 12:48:38 +00:00
Isaac Boukris
dcc33103d5 smbdes: convert des_crypt112_16 to use gnutls
Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-12-10 00:30:31 +00:00
Andrew Bartlett
0361a26e39 libcli:auth Check return code of netlogon_creds_aes_encrypt()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14195

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Nov 14 09:25:36 UTC 2019 on sn-devel-184
2019-11-14 09:25:36 +00:00
Andreas Schneider
0906848936 libcli:auth: Check return code of netlogon_creds_client_authenticator()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14195

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-11-14 08:01:44 +00:00
Stefan Metzmacher
6e47f9ab37 libcli/auth: add netlogon_creds_cli_LogonGetDomainInfo()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2019-09-20 01:14:43 +00:00
Noel Power
78ca70925c libcli/auth: clang: Fix 'Value stored to 'status' is never read'
Fixes:

libcli/auth/netlogon_creds_cli.c:2622:2: warning: Value stored to 'status' is never read <--[clang]
        status = netlogon_creds_decrypt_samlogon_validation(&state->tmp_creds,
        ^        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1 warning generated.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-08-27 23:04:37 +00:00
Andreas Schneider
689760f265 Revert "libcli:auth: Use generate_secret_buffer() for netlogon challenge"
This reverts commit c3ba556f52.

Reviewed-by: Alexander Bokovoy <ab@samba.org>
2019-08-14 15:07:24 +00:00
Andreas Schneider
c3ba556f52 libcli:auth: Use generate_secret_buffer() for netlogon challenge
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Aug 12 10:42:35 UTC 2019 on sn-devel-184
2019-08-12 10:42:34 +00:00
Andreas Schneider
67e6a9af2c libcli:auth: Return NTSTATUS for netlogon_creds_arcfour_crypt()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-06-27 12:54:23 +00:00
Andreas Schneider
31f110317f libcli:auth: Return NTSTATUS for netlogon_creds_encrypt_samlogon_logon()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-06-27 12:54:23 +00:00
Andreas Schneider
2e6fe27bad libcli:auth: Return NTSTATUS for netlogon_creds_decrypt_samlogon_validation()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-06-27 12:54:23 +00:00
Andreas Schneider
75a5db9c94 libcli:auth: Only use the required md4 header
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2019-02-27 07:59:27 +00:00
Volker Lendecke
1aeac2f85d dbwrap: Remove calls to loadparm
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-04-24 01:53:19 +02:00
Volker Lendecke
812312ca17 libcli: Call dbwrap_local_open with the correct tdb flags
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-04-24 01:53:19 +02:00
Volker Lendecke
807cb593ec libcli: Call dbwrap_local_open with the correct hash size
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-04-24 01:53:19 +02:00
Volker Lendecke
a104e08171 lib: Make g_lock_unlock use TDB_DATA
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-08 10:01:50 +01:00
Volker Lendecke
3bc87a20e9 lib: Make g_lock_lock_send use TDB_DATA
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-08 10:01:50 +01:00
Volker Lendecke
32e823e08d netlogon_creds_cli: Pass "capabilities" up from creds_cli_check
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-09-25 09:43:13 +02:00