sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-06 13:18:07 +03:00
Code
139,126 Commits 60 Branches 1,144 Tags 452 MiB
910a331f3e
Commit Graph

149 Commits

Author SHA1 Message Date
Alexander Bokovoy
e2d5b4d709 CVE-2020-25717: Add FreeIPA domain controller role 
As we want to reduce use of 'classic domain controller' role but FreeIPA
relies on it internally, add a separate role to mark FreeIPA domain
controller role.

It means that role won't result in ROLE_STANDALONE.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Alexander Bokovoy <ab@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:33 +00:00
Alexander Bokovoy
2a8b672652 auth_sam: use pdb_get_domain_info to look up DNS forest information 
When Samba is used as a part of FreeIPA domain controller, Windows
clients for a trusted AD forest may try to authenticate (perform logon
operation) as a REALM\name user account.

Fix auth_sam plugins to accept DNS forest name if we are running on a DC
with PASSDB module providing domain information (e.g. pdb_get_domain_info()
returning non-NULL structure). Right now, only FreeIPA or Samba AD DC
PASSDB backends return this information but Samba AD DC configuration is
explicitly ignored by the two auth_sam (strict and netlogon3) modules.

Detailed logs below:

[2020/11/11 09:23:53.281296,  1, pid=42677, effective(65534, 65534), real(65534, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:482(ndr_print_function_debug)
       netr_LogonSamLogonWithFlags: struct netr_LogonSamLogonWithFlags
          in: struct netr_LogonSamLogonWithFlags
              server_name              : *
                  server_name              : '\\master.ipa.test'
              computer_name            : *
                  computer_name            : 'AD1'
              credential               : *
                  credential: struct netr_Authenticator
                      cred: struct netr_Credential
                          data                     : 529f4b087c5f6546
                      timestamp                : Wed Nov 11 09:23:55 AM 2020 UTC
              return_authenticator     : *
                  return_authenticator: struct netr_Authenticator
                      cred: struct netr_Credential
                          data                     : 204f28f622010000
                      timestamp                : Fri May  2 06:37:50 AM 1986 UTC
              logon_level              : NetlogonNetworkTransitiveInformation (6)
              logon                    : *
                  logon                    : union netr_LogonLevel(case 6)
                  network                  : *
                      network: struct netr_NetworkInfo
                          identity_info: struct netr_IdentityInfo
                              domain_name: struct lsa_String
                                  length                   : 0x0010 (16)
                                  size                     : 0x01fe (510)
                                  string                   : *
                                      string                   : 'IPA.TEST'
                              parameter_control        : 0x00002ae0 (10976)
                                     0: MSV1_0_CLEARTEXT_PASSWORD_ALLOWED
                                     0: MSV1_0_UPDATE_LOGON_STATISTICS
                                     0: MSV1_0_RETURN_USER_PARAMETERS
                                     0: MSV1_0_DONT_TRY_GUEST_ACCOUNT
                                     1: MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT
                                     1: MSV1_0_RETURN_PASSWORD_EXPIRY
                                     1: MSV1_0_USE_CLIENT_CHALLENGE
                                     0: MSV1_0_TRY_GUEST_ACCOUNT_ONLY
                                     1: MSV1_0_RETURN_PROFILE_PATH
                                     0: MSV1_0_TRY_SPECIFIED_DOMAIN_ONLY
                                     1: MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT
                                     0: MSV1_0_DISABLE_PERSONAL_FALLBACK
                                     1: MSV1_0_ALLOW_FORCE_GUEST
                                     0: MSV1_0_CLEARTEXT_PASSWORD_SUPPLIED
                                     0: MSV1_0_USE_DOMAIN_FOR_ROUTING_ONLY
                                     0: MSV1_0_ALLOW_MSVCHAPV2
                                     0: MSV1_0_S4U2SELF
                                     0: MSV1_0_CHECK_LOGONHOURS_FOR_S4U
                                     0: MSV1_0_SUBAUTHENTICATION_DLL_EX
                              logon_id                 : 0x0000000000884ef2 (8933106)
                              account_name: struct lsa_String
                                  length                   : 0x000e (14)
                                  size                     : 0x000e (14)
                                  string                   : *
                                      string                   : 'idmuser'
                              workstation: struct lsa_String
                                  length                   : 0x0000 (0)
                                  size                     : 0x0000 (0)
                                  string                   : *
                                      string                   : ''
                         challenge                : 417207867bd33c74
                          nt: struct netr_ChallengeResponse
                              length                   : 0x00c0 (192)
                              size                     : 0x00c0 (192)
                              data                     : *
                                  data: ARRAY(192)
  [0000] A5 24 62 6E 31 DF 69 66   9E DC 54 D6 63 4C D6 2F   .$bn1.if ..T.cL./
  [0010] 01 01 00 00 00 00 00 00   50 37 D7 60 0C B8 D6 01   ........ P7.`....
  [0020] 15 1B 38 4F 47 95 4D 62   00 00 00 00 02 00 0E 00   ..8OG.Mb ........
  [0030] 57 00 49 00 4E 00 32 00   30 00 31 00 36 00 01 00   W.I.N.2. 0.1.6...
  [0040] 06 00 41 00 44 00 31 00   04 00 18 00 77 00 69 00   ..A.D.1. ....w.i.
  [0050] 6E 00 32 00 30 00 31 00   36 00 2E 00 74 00 65 00   n.2.0.1. 6...t.e.
  [0060] 73 00 74 00 03 00 20 00   61 00 64 00 31 00 2E 00   s.t... . a.d.1...
  [0070] 77 00 69 00 6E 00 32 00   30 00 31 00 36 00 2E 00   w.i.n.2. 0.1.6...
  [0080] 74 00 65 00 73 00 74 00   05 00 18 00 77 00 69 00   t.e.s.t. ....w.i.
  [0090] 6E 00 32 00 30 00 31 00   36 00 2E 00 74 00 65 00   n.2.0.1. 6...t.e.
  [00A0] 73 00 74 00 07 00 08 00   50 37 D7 60 0C B8 D6 01   s.t..... P7.`....
  [00B0] 06 00 04 00 02 00 00 00   00 00 00 00 00 00 00 00   ........ ........
                          lm: struct netr_ChallengeResponse
                              length                   : 0x0018 (24)
                              size                     : 0x0018 (24)
                              data                     : *
                                  data                     : 000000000000000000000000000000000000000000000000
              validation_level         : 0x0006 (6)
              flags                    : *
                  flags                    : 0x00000000 (0)
                         0: NETLOGON_SAMLOGON_FLAG_PASS_TO_FOREST_ROOT
                         0: NETLOGON_SAMLOGON_FLAG_PASS_CROSS_FOREST_HOP
                         0: NETLOGON_SAMLOGON_FLAG_RODC_TO_OTHER_DOMAIN
                         0: NETLOGON_SAMLOGON_FLAG_RODC_NTLM_REQUEST

In such case checks for a workgroup name will not match the DNS forest
name used in the username specification:

[2020/11/11 09:23:53.283055,  3, pid=42677, effective(65534, 65534), real(65534, 0), class=auth] ../../source3/auth/auth.c:200(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [IPA.TEST]\[idmuser]@[] with the new password interface
[2020/11/11 09:23:53.283073,  3, pid=42677, effective(65534, 65534), real(65534, 0), class=auth] ../../source3/auth/auth.c:203(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: [IPA.TEST]\[idmuser]@[]
[2020/11/11 09:23:53.283082, 10, pid=42677, effective(65534, 65534), real(65534, 0), class=auth] ../../source3/auth/auth.c:213(auth_check_ntlm_password)
  check_ntlm_password: auth_context challenge created by fixed
[2020/11/11 09:23:53.283091, 10, pid=42677, effective(65534, 65534), real(65534, 0), class=auth] ../../source3/auth/auth.c:216(auth_check_ntlm_password)
  challenge is:
[2020/11/11 09:23:53.283099,  5, pid=42677, effective(65534, 65534), real(65534, 0)] ../../lib/util/util.c:678(dump_data)
  [0000] 41 72 07 86 7B D3 3C 74                             Ar..{.<t
[2020/11/11 09:23:53.283113, 10, pid=42677, effective(65534, 65534), real(65534, 0), class=auth] ../../source3/auth/auth_sam.c:209(auth_sam_netlogon3_auth)
  auth_sam_netlogon3_auth: Check auth for: [IPA.TEST]\[idmuser]
[2020/11/11 09:23:53.283123,  5, pid=42677, effective(65534, 65534), real(65534, 0), class=auth] ../../source3/auth/auth_sam.c:234(auth_sam_netlogon3_auth)
  auth_sam_netlogon3_auth: IPA.TEST is not our domain name (DC for IPA)
[2020/11/11 09:23:53.283131, 10, pid=42677, effective(65534, 65534), real(65534, 0), class=auth] ../../source3/auth/auth.c:249(auth_check_ntlm_password)
  auth_check_ntlm_password: sam_netlogon3 had nothing to say

and overall authentication attempt will fail: auth_winbind will complain
that this domain is not a trusted one and refuse operating on it:

[2020/11/11 09:23:53.283784, 10, pid=42663, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd.c:742(process_request_send)
  process_request_send: process_request: Handling async request smbd(42677):PAM_AUTH_CRAP
[2020/11/11 09:23:53.283796,  3, pid=42663, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_pam_auth_crap.c:110(winbindd_pam_auth_crap_send)
  [42677]: pam auth crap domain: [IPA.TEST] user: idmuser
[2020/11/11 09:23:53.283810,  3, pid=42663, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_pam.c:409(find_auth_domain)
  Authentication for domain [IPA.TEST] refused as it is not a trusted domain
[2020/11/11 09:23:53.283825, 10, pid=42663, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd.c:810(process_request_done)
  process_request_done: [smbd(42677):PAM_AUTH_CRAP]: NT_STATUS_NO_SUCH_USER
[2020/11/11 09:23:53.283844, 10, pid=42663, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd.c:855(process_request_written)
  process_request_written: [smbd(42677):PAM_AUTH_CRAP]: delivered response to client

Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
 2020-11-12 13:49:34 +00:00
Volker Lendecke
ef0350221e auth: Fix CID 1458418 Null pointer dereferences (REVERSE_INULL) 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14247

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2020-02-14 12:15:32 +00:00
Volker Lendecke
503fc8f2ba auth: Fix CID 1458420 Null pointer dereferences (REVERSE_INULL) 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14247

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2020-02-14 12:15:32 +00:00
Stefan Metzmacher
590df382be s3:auth_sam: map an empty domain or '.' to the local SAM name 
When a domain member gets an empty domain name or '.', it should
not forward the authentication to domain controllers of
the primary domain.

But we need to keep passing UPN account names with
an empty domain to the DCs as a domain member.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14247

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
 2020-02-05 16:30:42 +00:00
Stefan Metzmacher
a63e2a312c s3:auth_sam: introduce effective_domain helper variables 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14247

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
 2020-02-05 16:30:42 +00:00
Stefan Metzmacher
01b8374e79 s3:auth_sam: make sure we never handle empty usernames 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14247

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
 2020-02-05 16:30:42 +00:00
Stefan Metzmacher
72ef8d3a52 s3:auth_sam: unify the debug messages of all auth_sam*_auth() functions 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14247

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
 2020-02-05 16:30:42 +00:00
Stefan Metzmacher
85b168c6da s3:auth_sam: replace confusing FALL_THROUGH; with break; 
There's no real logic change here, but is makes it easier to
understand.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14247

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
 2020-02-05 16:30:42 +00:00
Volker Lendecke
59cb155a27 auth: Remove the "typedef auth_methods" 
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
 2020-01-06 01:47:30 +00:00
Andreas Schneider
6744e8c7d4 s3:auth: Add FALL_THROUGH statements in auth_sam.c 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2018-03-01 04:37:42 +01:00
Jeremy Allison
306783d6f5 lib: modules: Change XXX_init interface from XXX_init(void) to XXX_init(TALLOC_CTX *) 
Not currently used - no logic changes inside.

This will make it possible to pass down a long-lived talloc
context from the loading function for modules to use instead
of having them internally all use talloc_autofree_context()
which is a hidden global.

Updated all known module interface numbers, and added a
WHATSNEW.

Signed-off-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Ralph Böhme <slow@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Apr 22 01:17:00 CEST 2017 on sn-devel-144
 2017-04-22 01:17:00 +02:00
Stefan Metzmacher
9ad3b43d03 auth3: add "sam_netlogon3" which only reacts on lp_workgroup() as NT4 PDC/BDC 
This will be used in the s3 netlogon server in future.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12710

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2017-04-10 01:11:20 +02:00
Stefan Metzmacher
800e248dcd auth3: remove unused USER_INFO_LOCAL_SAM_ONLY/AUTH_METHOD_LOCAL_SAM handling 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2017-03-24 11:57:10 +01:00
Andrew Bartlett
597d2a7a29 auth: Provide a way to use the auth stack for winbindd authentication 
This adds in flags that allow winbindd to request authentication
without directly calling into the auth_sam module.

That in turn will allow winbindd to call auth_samba4 and so permit
winbindd operation in the AD DC.

Andrew Bartlett

Change-Id: I27d11075eb8e1a54f034ee2fdcb05360b4203567
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
 2014-06-11 10:18:26 +02:00
Andrew Bartlett
2ed6b0818a auth: Ensure auth_sam is not used on the AD DC 
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu May 16 22:51:26 CEST 2013 on sn-devel-104
 2013-05-16 22:51:26 +02:00
Andrew Bartlett
ad0a07c531 s3-talloc Change TALLOC_ZERO_P() to talloc_zero() 
Using the standard macro makes it easier to move code into common, as
TALLOC_ZERO_P isn't standard talloc.
 2011-06-09 12:40:08 +02:00
Günther Deschner
58db720e27 s3-auth: run minimal_includes.pl 
Guenther
 2011-05-05 02:05:26 +02:00
Günther Deschner
7e73214ebf s3-auth: use auth.h where needed. 
Guenther
 2011-03-30 01:13:09 +02:00
Andrew Bartlett
fc956cfcbb s3:auth Rename user_info->domain -> user_info->mapped.domain_name 
This is closer to the structure I want for a common struct
auth_usersupplied_info.

Andrew Bartlett
 2010-06-07 23:34:28 +10:00
Andrew Bartlett
7a021df96d s3:auth Rename user_info->internal_username -> user_info->mapped.account_name 
This is closer to the structure I want for a common struct
auth_usersupplied_info.

Andrew Bartlett
 2010-06-07 23:34:28 +10:00
Simo Sorce
33c633df0b s3:auth make it easier to trace auth modules 2010-05-29 17:08:10 -04:00
Volker Lendecke
5792ccc7c8 s3: Move check_sam_security to auth/check_sam.c 2010-04-11 22:59:46 +02:00
Volker Lendecke
04f9e33de1 s3: Make check_sam_security public 2010-04-11 22:59:46 +02:00
Volker Lendecke
a0c175eca9 s3: Replace "auth_context" by "challenge" in need_to_increment_bad_pw_count args 2010-04-11 22:59:45 +02:00
Volker Lendecke
19c0086553 s3: Replace "auth_context" by "challenge" in sam_password_ok args 2010-04-11 22:59:45 +02:00
Volker Lendecke
a2d1e5e0f7 s3: Remove the make_auth_methods routine 
This was just TALLOC_ZERO_P
 2010-04-11 13:53:19 +02:00
Michael Adam
8573471154 s3:auth: fix account unlock regression introduced with fix for bug #4347 
By an oversight, the patchset for #4347 made the unlocking of a locked
account after the lockout duration ineffective.
Thanks to Björn for finding this!

Michael
 2010-01-14 15:48:09 +01:00
Michael Adam
444ecac2d2 s3:auth: add comment to nulling out stolen sampass 
Adding this comment makes me think, I could also
have changed make_server_info_sam() talloc_move
instead of talloc_steal, but that would have
changed the signature... Well the comment is a
first step. :-)

Michael
 2010-01-12 16:19:56 +01:00
Volker Lendecke
081573091b s3: Remove the typedef for "auth_serversupplied_info" 2010-01-10 20:56:16 +01:00
Volker Lendecke
9bb4766bba s3: Remove the typedef for "auth_usersupplied_info" 2010-01-10 20:56:16 +01:00
Michael Adam
dc68982711 s3:auth: don't update the bad pw count if pw is among last 2 history entries 
This conforms to the behaviour of Windows 2003:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx

This is supposed to fixes Bug #4347 .

Michael
 2010-01-07 16:51:18 +01:00
Michael Adam
46111dc4e4 s3:auth:check_sam_security: introduce a bool var to control pad_pw_count incrementation 
This is a preparatory patch for the last part in fixing bug #4347 .

Michael
 2010-01-07 16:51:18 +01:00
Michael Adam
7248873b48 s3:auth:check_sam_security: improve calling and logging of pdb_update_sam_account 
Log what went wrongl, and also call pdb_update_sam_account inside
become_root/unbecome_root: do the logging outside.

Michael
 2010-01-07 11:07:57 +01:00
Michael Adam
5ad1b7e0c5 s3:auth:check_sam_security: fix a leading tab/ws mixup 
Michael
 2010-01-07 11:07:57 +01:00
Michael Adam
970317c413 s3:auth:check_sam_security: create (and use) a common exit point 
for use after sam_password_ok() has been called.

Michael
 2010-01-07 11:07:56 +01:00
Michael Adam
de4fb80bee s3:auth:check_sam_security: null out sampass after it has been stolen. 
So that a later talloc_free would not harm. I could have used
talloc_move instead of talloc steal in make_server_info_sam(),
but this would have required a change of the signature.

Michael
 2010-01-07 11:07:56 +01:00
Michael Adam
3634859450 s3:auth:sam_password_ok: take username, acct_ctrl and nt/lm hashes, not sampass 
This is in preparation to extending check_sam_security to also check
against the password history before updating the bad password count.
This way, sam_password_ok can more easily be reused for that purpose.

Michael
 2010-01-07 11:07:56 +01:00
Michael Adam
c0f404a2e4 s3:auth: use data_blob_null instead of data_blob(NULL, 0) in sam_password_ok() 
This way it is more explicit that there is no allocated data here
that may leak.

Michael
 2010-01-07 11:07:56 +01:00
Michael Adam
0172587d8d s3:auth:sam_password_ok: fix allocation of a data blob. 
data_blob(mem_ctx, 16) does not use mem_ctx as a talloc ctx but
copies 16 bytes from mem_ctx into the newly allocated data blob.
This can not have been intentional. A blank uint8_t array of
length 16 is allocated by passing NULL instead of mem_ctx.
And using data_blob_talloc(mem_ctx, NULL, 16) adds the allocated
blank 16 byte array to mem_ctx - so this is what must have been
intended.

Michael
 2010-01-07 11:07:56 +01:00
Michael Adam
7ac18c743b s3:auth:sam_password_ok: enhance readability (imho) by adding some pointers 
and removing bool variables and several checks.

Michael
 2010-01-07 11:07:55 +01:00
Michael Adam
b5fcb34d6c s3:check_sam_security: untangle assignment from statement 
Michael
 2010-01-07 11:07:55 +01:00
Karolin Seeger
71018ebe53 s3:auth: Fix typo in debug message. 
Karolin
 2009-12-07 14:38:18 +01:00
Jeremy Allison
74c405db40 Tidyup prompted by #6554 - Wrong deallocation in sam_account_ok. 
Jeremy.
 2009-07-16 09:54:14 -07:00
Andrew Bartlett
8ee7b4ce29 s3:auth Fix segfault: Always initialise returned session keys 2009-04-19 21:50:13 +02:00
Andrew Bartlett
baf7274fed Make Samba3 use the new common libcli/auth code 
This is particuarly in the netlogon client (but not server at this
stage)
 2009-04-14 16:23:44 +10:00
Andrew Bartlett
f28f113d8e Rework Samba3 to use new libcli/auth code (partial) 
This commit is mostly to cope with the removal of SamOemHash (replaced
by arcfour_crypt()) and other collisions (such as changed function
arguments compared to Samba3).

We still provide creds_hash3 until Samba3 uses the credentials code in
netlogon server

Andrew Bartlett
 2009-04-14 16:23:35 +10:00
Volker Lendecke
1cbc58d3be Fix some nonempty blank lines 2009-02-10 21:55:13 +01:00
Jelmer Vernooij
cb78d4593b Cope with changed signature of http_timestring(). 2008-10-11 23:57:44 +02:00
Jeremy Allison
ee6b168e6e Fix bug #5555. Don't return NT_STATUS_PASSWORD_MUST_CHANGE error on machine account logon. 
Jeremy.
(This used to be commit 10da498a23)
 2008-06-24 16:37:15 -07:00