1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

4994 Commits

Author SHA1 Message Date
Andrew Bartlett
0a8330ab7d s4-libnet: Add messages to object count mismatch failures
This helps explain these better than WERR_GEN_FAILURE.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 483c48f52d)
2022-10-07 08:45:15 +00:00
Joseph Sutton
6a0280d955 CVE-2021-20251 dsdb/common: Remove transaction logic from samdb_set_password()
All of its callers, where necessary, take out a transaction covering the
entire password set or change operation, so a transaction is no longer
needed here.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 7981cba87e)

Autobuild-User(v4-16-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-16-test): Sun Sep 18 17:46:29 UTC 2022 on sn-devel-184
2022-09-18 17:46:29 +00:00
Joseph Sutton
f58d7e4200 CVE-2021-20251 s4:dsdb: Make badPwdCount update atomic
We reread the account details inside the transaction in case the account
has been locked out in the meantime. If it has, we return the
appropriate error code.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 96479747bd)

[jsutton@samba.org Fixed conflict due to lack of dbg_ret variable]
2022-09-18 16:46:09 +00:00
Joseph Sutton
f725f2f244 CVE-2021-20251 s4:dsdb: Update bad password count inside transaction
Previously, there was a gap between calling dsdb_update_bad_pwd_count()
and dsdb_module_modify() where no transaction was in effect. Another
process could slip in and modify badPwdCount, only for our update to
immediately overwrite it. Doing the update inside the transaction will
help for the following commit when we make it atomic.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit a65147a9e9)

[jsutton@samba.org Fixed conflicts due to lack of dbg_ret variable]
2022-09-18 16:46:09 +00:00
Joseph Sutton
a1a440c101 CVE-2021-20251 auth4: Detect ACCOUNT_LOCKED_OUT error for password change
This is more specific than NT_STATUS_UNSUCCESSFUL, and for the SAMR
password change, matches the result the call to samdb_result_passwords()
would give.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 336e303cf1)
2022-09-18 16:46:09 +00:00
Gary Lockyer
740c4c2b95 CVE-2021-20251 auth4: split samdb_result_msds_LockoutObservationWindow() out
samdb_result_msds_LockoutObservationWindow() is split out of
samdb_result_effective_badPwdCount()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 2087b0cd98)
2022-09-18 16:46:09 +00:00
Joseph Sutton
e0d25e172c CVE-2022-32745 s4/dsdb/util: Correctly copy values into message element
To use memcpy(), we need to specify the number of bytes to copy, rather
than the number of ldb_val structures.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15008

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2022-07-24 09:20:22 +02:00
Joseph Sutton
701aef133f CVE-2022-32745 s4/dsdb/util: Don't call memcpy() with a NULL pointer
Doing so is undefined behaviour.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15008

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2022-07-24 09:20:22 +02:00
Joseph Sutton
f2ded77168 CVE-2022-32745 s4/dsdb/util: Use correct value for loop count limit
Currently, we can crash the server by sending a large number of values
of a specific attribute (such as sAMAccountName) spread across a few
message elements. If val_count is larger than the total number of
elements, we get an access beyond the elements array.

Similarly, we can include unrelated message elements prior to the
message elements of the attribute in question, so that not all of the
attribute's values are copied into the returned elements values array.
This can cause the server to access uninitialised data, likely resulting
in a crash or unexpected behaviour.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15008

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2022-07-24 09:20:22 +02:00
Joseph Sutton
1d7690b000 CVE-2022-32745 s4/dsdb/samldb: Check for empty values array
This avoids potentially trying to access the first element of an empty
array.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15008

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2022-07-24 09:20:22 +02:00
Joseph Sutton
18b73e01ca CVE-2022-32746 ldb: Make use of functions for appending to an ldb_message
This aims to minimise usage of the error-prone pattern of searching for
a just-added message element in order to make modifications to it (and
potentially finding the wrong element).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2022-07-24 09:20:21 +02:00
Joseph Sutton
a7a59c540b CVE-2022-32746 ldb: Ensure shallow copy modifications do not affect original message
Using the newly added ldb flag, we can now detect when a message has
been shallow-copied so that its elements share their values with the
original message elements. Then when adding values to the copied
message, we now make a copy of the shared values array first.

This should prevent a use-after-free that occurred in LDB modules when
new values were added to a shallow copy of a message by calling
talloc_realloc() on the original values array, invalidating the 'values'
pointer in the original message element. The original values pointer can
later be used in the database audit logging module which logs database
requests, and potentially cause a crash.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2022-07-24 09:20:21 +02:00
Joseph Sutton
738955d0e1 CVE-2022-32746 s4/dsdb/tombstone_reanimate: Use LDB_FLAG_MOD_TYPE() for flags equality check
Now unrelated flags will no longer affect the result.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2022-07-24 09:20:21 +02:00
Joseph Sutton
f2ee4c78d9 CVE-2022-32746 s4/dsdb/repl_meta_data: Use LDB_FLAG_MOD_TYPE() for flags equality check
Now unrelated flags will no longer affect the result.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2022-07-24 09:20:21 +02:00
Joseph Sutton
b436fa43f2 CVE-2022-32746 s4/dsdb/acl: Fix LDB flags comparison
LDB_FLAG_MOD_* values are not actually flags, and the previous
comparison was equivalent to

(el->flags & LDB_FLAG_MOD_MASK) == 0

which is only true if none of the LDB_FLAG_MOD_* values are set, so we
would not successfully return if the element was a DELETE. Correct the
expression to what it was intended to be.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2022-07-24 09:20:21 +02:00
Joseph Sutton
59cd645b39 CVE-2022-32746 s4/dsdb/partition: Fix LDB flags comparison
LDB_FLAG_MOD_* values are not actually flags, and the previous
comparison was equivalent to

(req_msg->elements[el_idx].flags & LDB_FLAG_MOD_MASK) != 0

which is true whenever any of the LDB_FLAG_MOD_* values are set. Correct
the expression to what it was probably intended to be.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2022-07-24 09:20:21 +02:00
Joseph Sutton
c83967ad71 CVE-2022-32746 s4:dsdb:tests: Add test for deleting a disallowed SPN
If an account has an SPN that requires Write Property to set, we should
still be able to delete it with just Validated Write.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2022-07-24 09:20:21 +02:00
Joseph Sutton
16f3112687 CVE-2022-32746 s4/dsdb/objectclass_attrs: Fix typo
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2022-07-24 09:20:21 +02:00
Stefan Metzmacher
20be02ecfd s4:dsdb: don't set mapped_state in auth_usersupplied_info for audit logging
mapped_state is completely irrelevant for audit logging and
will also be removed in the next commits.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 99efe5f4e9)
2022-03-16 13:41:14 +00:00
Garming Sam
fcec3b21d9 rodc: Add tests for simple BIND alongside NTLMSSP binds
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 62fb6c1dc8)
2022-03-16 13:41:14 +00:00
Stefan Metzmacher
d92b46a4c0 dsdb/tests: add test_login_basics_simple()
This demonstrates that 'old password allowed period' also
applies to LDAP simple binds and not only to GSS-SPNEGO/NTLMSSP binds.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15001

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 3625d13815)
2022-03-16 13:41:14 +00:00
Stefan Metzmacher
54bb3569e5 dsdb/tests: prepare BasePasswordTestCase for simple bind tests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 0b1fbc9d56)
2022-03-16 13:41:14 +00:00
Stefan Metzmacher
4b24589141 dsdb/tests: introduce assertLoginSuccess
This makes it possible to catch failures with knownfail entries.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 751ce671a4)
2022-03-16 13:41:14 +00:00
Stefan Metzmacher
c35de738da dsdb/tests: make use of assertLoginFailure helper
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 03ba5af3d9)
2022-03-16 13:41:14 +00:00
Stefan Metzmacher
ff7ffbdf61 dsdb/tests: let all BasePasswordTestCase tests provide self.host_url[_ldaps]
This will make further changes easier.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 5a3214c990)
2022-03-16 13:41:14 +00:00
Stefan Metzmacher
43c4dc75e2 dsdb/tests: passwords.py don't need to import BasePasswordTestCase
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 90754591a7)
2022-03-16 13:41:14 +00:00
Stefan Metzmacher
4b6a6af868 s4:kdc: redirect pre-authentication failures to an RWDC
The most important case is that we still have a previous
password cached at the RODC and the inbound replication
hasn't wiped the cache yet and we also haven't triggered
a new replication yet.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14865

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 0f5d7ff1a9)

Autobuild-User(v4-16-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-16-test): Tue Mar  8 14:30:45 UTC 2022 on sn-devel-184
2022-03-08 14:30:45 +00:00
Joseph Sutton
e4f18bfaec CVE-2022-0336: s4/dsdb/samldb: Don't return early when an SPN is re-added to an object
If an added SPN already exists on an object, we still want to check the
rest of the element values for conflicts.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14950

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2022-01-31 14:26:10 +00:00
Stefan Metzmacher
7d16a56b9d s4:dsdb/vlv_pagination: fix segfault in vlv_results()
It can happen that the vlv_results() failes, e.g. due to
LDB_ERR_TIME_LIMIT_EXCEEDED, if that happens we should not
dereference ares->response, if ares is NULL.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14952

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Jan 20 10:04:39 UTC 2022 on sn-devel-184
2022-01-20 10:04:39 +00:00
Stefan Metzmacher
19fa22b1fb s4:dsdb/paged_results: fix segfault in paged_results()
It can happen that the paged_results() failes, e.g. due to
LDB_ERR_TIME_LIMIT_EXCEEDED, if that happens we should not
dereference ares->response, if ares is NULL.

We also should not call ldb_module_done() if paged_results()
fails, as it was already called.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14952

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2022-01-20 09:10:28 +00:00
Stefan Metzmacher
8c0391d38e dsdb/schema: let dsdb_syntax_DN_BINARY_drsuapi_to_ldb return WERR_DS_INVALID_ATTRIBUTE_SYNTAX
When Object(OR-Name) uses dsdb_syntax_DN_BINARY_drsuapi_to_ldb() it
should genrate WERR_DS_INVALID_ATTRIBUTE_SYNTAX if the binary part
is not empty.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Jan 12 03:09:52 UTC 2022 on sn-devel-184
2022-01-12 03:09:52 +00:00
Stefan Metzmacher
8026efd647 dsdb/schema: add no memory checks for {ldb,dsdb}_dn_get_extended_linearized()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2022-01-12 02:20:27 +00:00
Stefan Metzmacher
15f332a1c0 dsdb/common: dsdb_dn_construct_internal() more strict checking
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2022-01-12 02:20:27 +00:00
Stefan Metzmacher
8115fb03b6 dsdb/schema: fix Object(OR-Name) syntax definition
This is a strange one, it uses DN_BINARY in the drsuapi
representation, while the binary part must be 0 bytes.
and the LDAP/ldb representation is a plain DN (without 'B:').

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2022-01-12 02:20:27 +00:00
Stefan Metzmacher
e16d29f719 dsdb/schema/tests: let samba4.local.dsdb.syntax call the validate_dn() hook
This demonstrates that our OR-Name syntax is wrong,
which wasn't noticed yet as it's not used in the AD-Schema.

I noticed it by installing the Exchange-Schema on a Samba DC.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2022-01-12 02:20:27 +00:00
Joseph Sutton
5594843313 dsdb/netlogon: Indicate DC functional level support in samlogon response
The DS_SERVER_DS_8 flag is necessary for Windows to detect FAST support.

Note for know we only ever have DS_DOMAIN_FUNCTION_2008_R2 (4) in the
msDS-Behavior-Version attribute of our own NTDSA object. So
for now this is only for manual testing. In future we most likely
want to extend 'samba-tool domain level' to raise the dc level
manually or let 'samba' autoupgrade the value.

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2021-12-24 02:16:33 +00:00
Stefan Metzmacher
0e515b3309 dsdb/netlogon: make use of dsdb_dc_functional_level() in fill_netlogon_samlogon_response()
[MS-ADTS] 6.3.3.2 "Domain Controller Response to an LDAP Ping" indicates
that the resulting flags depend on the server software (behavior)
and not the domain wide functional level.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2021-12-24 02:16:33 +00:00
Stefan Metzmacher
b5f71e25d4 dsdb/common: add dsdb_dc_functional_level() helper
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2021-12-24 02:16:33 +00:00
Andrew Bartlett
f621317e3b dsdb: Use DSDB_SEARCH_SHOW_EXTENDED_DN when searching for the local replicated object
This may allow further processing when the DN normalisation has changed
which changes the indexing, such as seen after fixes for bug 14656.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14656
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14902

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2021-12-03 12:05:42 +00:00
Joseph Sutton
ad4d6fb01f selftest: Check received LDB error code when STRICT_CHECKING=0
We were instead only checking the expected error.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-30 02:42:31 +00:00
Andrew Bartlett
5f0590362c CVE-2021-3670 dsdb/anr: Do a copy of the potentially anr query before starting to modify it
RN: Do not modify the caller-supplied memory in the anr=* handling to
allow clear logging of the actual caller request after it has been processed.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14694

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2021-11-25 01:41:30 +00:00
Joseph Sutton
dcfcafdbf7 CVE-2021-3670 tests/krb5/test_ldap.py: Add test for LDAP timeouts
We allow a timeout of 2x over to avoid this being a flapping test.
Samba is not very accurate on the timeout, which is not otherwise an
issue but makes this test fail sometimes.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14694

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2021-11-25 01:41:30 +00:00
Joseph Sutton
5f46343101 CVE-2020-25722 selftest: Ensure check for duplicate servicePrincipalNames is not bypassed for an add operation
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564

If one of the objectClass checks passed, samldb_add() could return
through one of the samldb_fill_*() functions and skip the
servicePrincipalName uniqueness checking.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2021-11-09 19:45:34 +00:00
Joseph Sutton
ae47a73077 CVE-2020-25722 selftest: Add test for duplicate servicePrincipalNames on an add operation
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2021-11-09 19:45:34 +00:00
Andrew Bartlett
a3aee582a5 CVE-2020-25722 Ensure the structural objectclass cannot be changed
If the structural objectclass is allowed to change, then the restrictions
locking an object to remaining a user or computer will not be enforcable.

Likewise other LDAP inheritance rules, which allow only certain
child objects can be bypassed, which can in turn allow creation of
(unprivileged) users where only DNS objects were expected.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14889

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2021-11-09 19:45:34 +00:00
Joseph Sutton
80257fa37c CVE-2020-25718 kdc: Return ERR_POLICY if RODC krbtgt account is invalid
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:34 +00:00
Andrew Bartlett
b176ddba2a CVE-2020-25718 kdc: Confirm the RODC was allowed to issue a particular ticket
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2021-11-09 19:45:34 +00:00
Andrew Bartlett
a9ac1f9191 CVE-2020-25718 dsdb: Bring sid_helper.c into common code as rodc_helper.c
These common routines will assist the KDC to do the same access
checking as the RPC servers need to do regarding which accounts
a RODC can act with regard to.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2021-11-09 19:45:34 +00:00
Joseph Sutton
72840a972b CVE-2020-25722 selftest: Adapt ldap.py tests to new objectClass restrictions
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:33 +00:00
Douglas Bagnall
5fe2633b2a CVE-2020-25722 s4/dsdb/util: remove unused dsdb_get_single_valued_attr()
Nobody uses it now. It never really did what it said it did. Almost
every use was wrong. It was a trap.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:33 +00:00