1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00
Commit Graph

3296 Commits

Author SHA1 Message Date
Rob van der Linde
6736fc0cff CVE-2023-0922 set default ldap client sasl wrapping to seal
This avoids sending new or reset passwords in the clear
(integrity protected only) from samba-tool in particular.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15315

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-03-20 10:04:44 +01:00
Stefan Metzmacher
d5a8e41313 CVE-2022-37966 python:/tests/krb5: call sys.path.insert(0, "bin/python") before any other imports
This allows the tests to be executed without an explicit
PYTHONPATH="bin/python".

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Dec 13 14:06:14 UTC 2022 on sn-devel-184

(similar to commit 987cba9057)
[jsutton@samba.org Fixed conflicts; removed changes to non-existent
 tests]

Autobuild-User(v4-16-test): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(v4-16-test): Wed Dec 14 11:34:00 UTC 2022 on sn-devel-184
2022-12-14 11:34:00 +00:00
Stefan Metzmacher
160e566d59 CVE-2022-37966 samba-tool: add 'domain trust modify' command
For now it only allows the admin to modify
the msDS-SupportedEncryptionTypes values.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
(cherry picked from commit d1999c152a)
2022-12-14 10:28:17 +00:00
Stefan Metzmacher
be57176c3a CVE-2022-37966 param: let "kdc default domain supportedenctypes = 0" mean the default
In order to allow better upgrades we need the default value for smb.conf to the
same even if the effective default value of the software changes in future.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit fa64f8fa8d)
2022-12-14 10:28:17 +00:00
Stefan Metzmacher
c8afae7869 CVE-2022-37966 python:tests/krb5: test much more etype combinations
This tests work out the difference between
- msDS-SupportedEncryptionTypes value or it's default
- software defined extra flags for DC accounts
- accounts with only an nt hash being stored
- the resulting value in the KRB5_PADATA_SUPPORTED_ETYPES announcement

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13135
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 1dfa91682e)
2022-12-14 10:28:17 +00:00
Stefan Metzmacher
8e6d2953ba CVE-2022-37966 python:tests/krb5: add better PADATA_SUPPORTED_ETYPES assert message
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit c7c5762089)
2022-12-14 10:28:17 +00:00
Stefan Metzmacher
f4dc5721be CVE-2022-37966 python:tests/krb5: add 'force_nt4_hash' for account creation of KDCBaseTest
This will allow us to create tests accounts with only an nt4 hash
stored, without any aes keys.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 77bd3258f1)

[jsutton@samba.org Fixed conflicts in parameters]
2022-12-14 10:28:17 +00:00
Stefan Metzmacher
aeb7c646bb CVE-2022-37966 python:tests/krb5: ignore empty supplementalCredentials attributes
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit f434a30ee7)
2022-12-14 10:28:17 +00:00
Stefan Metzmacher
b20acd876c CVE-2022-37966 python:tests/krb5: allow ticket/supported_etypes to be passed KdcTgsBaseTests._{as,tgs}_req()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit d8fd6a22b6)
2022-12-14 10:28:17 +00:00
Stefan Metzmacher
3ea9946f65 CVE-2022-37966 python:tests/krb5: fix some tests running against Windows 2022
I'm using the following options:

SERVER=172.31.9.218 DC_SERVER=w2022-118.w2022-l7.base \
SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 \
DOMAIN=W2022-L7 REALM=W2022-L7.BASE \
ADMIN_USERNAME=Administrator ADMIN_PASSWORD=A1b2C3d4 \
CLIENT_USERNAME=Administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=28 CLIENT_KVNO=2 \
FULL_SIG_SUPPORT=1 TKT_SIG_SUPPORT=1 FORCED_RC4=1

in order to run these:

python/samba/tests/krb5/as_req_tests.py -v --failfast AsReqKerberosTests
python/samba/tests/krb5/etype_tests.py -v --failfast EtypeTests

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

(cherry picked from commit e0f89b7bc8)
[jsutton@samba.org Fixed conflicts in parameters; brought in rep_padata
 non-None assertion]
2022-12-14 10:28:17 +00:00
Joseph Sutton
da9da918f7 CVE-2022-37966 selftest: Run S4U tests against FL2003 DC
This shows that changes around RC4 encryption types do not break older
functional levels where only RC4 keys are available.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 44802c46b1)

[jsutton@samba.org Fixed import conflict]
2022-12-14 10:28:16 +00:00
Joseph Sutton
f29efb011f CVE-2022-37966 selftest: Add tests for Kerberos session key behaviour since ENC_HMAC_SHA1_96_AES256_SK was added
ENC_HMAC_SHA1_96_AES256_SK is a flag introduced for by Microsoft in this CVE
to indicate that additionally, AES session keys are available.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

(similar to commit 371d7e63fc)
[jsutton@samba.org Removed unneeded fast_tests.py change, added
 non_etype_bits in raw_testcase.py, fixed conflicts in knownfails and
 tests.py]

[jsutton@samba.org Fixed conflicts in tests and knownfails]
2022-12-14 10:28:16 +00:00
Joseph Sutton
71fcd5366a CVE-2022-37966 samba-tool: Declare explicitly RC4 support of trust objects
As we will assume, as part of the fixes for CVE-2022-37966, that trust
objects with no msDS-SupportedEncryptionTypes attribute support AES
keys, RC4 support must now be explicitly indicated.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 086646865e)
2022-12-14 10:28:16 +00:00
Joseph Sutton
b899650938 CVE-2022-37966 samba-tool: Fix 'domain trust create' documentation
This option does the opposite of what the documentation claims.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 6b155b22e6)
2022-12-14 10:28:16 +00:00
Joseph Sutton
0601bb94c6 CVE-2022-37967 Add new PAC checksum
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15231

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

(similar to commit a50a2be622)
[jsutton@samba.org Fixed conflicts in krb5pac.idl and raw_testcase.py]

[jsutton@samba.org Fixed conflicts in kdc_base_test.py, raw_testcase.py,
 knownfails, tests.py. Adapted KDC PAC changes to older function.]
2022-12-14 10:28:16 +00:00
Joseph Sutton
8d208ab061 CVE-2022-37966 tests/krb5: Add a test requesting tickets with various encryption types
The KDC should leave the choice of ticket encryption type up to the
target service, and admit no influence from the client.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

(similar to commit 177334c042)
[jsutton@samba.org Fixed conflicts in usage.py, knownfails, tests.py]

[jsutton@samba.org Fixed knownfail conflicts]
2022-12-14 10:28:16 +00:00
Joseph Sutton
9ed5a352ca CVE-2022-37966 tests/krb5: Add 'etypes' parameter to _tgs_req()
This lets us select the encryption types we claim to support in the
request body.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

(similar to commit e0a91dddc4)
[jsutton@samba.org Adapted to 4.17 version of function taking different
 parameters]
2022-12-14 10:28:16 +00:00
Joseph Sutton
cc2bea27a6 CVE-2022-37966 tests/krb5: Split out _tgs_req() into base class
We will use it for testing our handling of encryption types.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

(similar to commit 50e075d2db)
[jsutton@samba.org Adapted to 4.17 version of function]
2022-12-14 10:28:16 +00:00
Andrew Bartlett
2408d405d3 CVE-2022-37966 selftest: Allow krb5 tests to run against an IP by using the target_hostname binding string
This makes it easier to test against a server that is not accessible via DNS.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit c7cd688917)
2022-12-14 10:28:16 +00:00
Joseph Sutton
a65fc1fa47 CVE-2022-37966 tests/krb5: Add test requesting a TGT expiring post-2038
This demonstrates the behaviour of Windows 11 22H2 over Kerberos,
which changed to use a year 9999 date for a forever timetime in
tickets.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15197

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Oct 20 05:00:23 UTC 2022 on sn-devel-184

(cherry picked from commit 50cbdecf2e)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2022-12-14 10:28:16 +00:00
Joseph Sutton
0fee9c469c CVE-2022-37966 tests/krb5: Allow passing expected etypes to get_keys()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 2f17cbf3b2)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

[jsutton@samba.org Removed changes to protected_users_tests.py]
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-12-14 10:28:16 +00:00
Andrew Bartlett
d7eccdbb02 CVE-2022-44640 selftest: Exclude Heimdal fuzz-inputs from source_chars test
A new file will shorlty fail as it is binary input

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14929

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 5a02915913)
2022-12-06 14:24:11 +00:00
Andrew Bartlett
1a4d3a2db7 python-drs: Add client-side debug and fallback for GET_ANC
Samba 4.5 and earlier will fail to do GET_ANC correctly and will not
replicate non-critical parents of objects with isCriticalSystemObject=TRUE
when DRSUAPI_DRS_CRITICAL_ONLY is set.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit bff2bc9c7d)

Autobuild-User(v4-16-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-16-test): Fri Oct  7 09:56:12 UTC 2022 on sn-devel-184
2022-10-07 09:56:12 +00:00
Douglas Bagnall
6a6db20068 pytest/samdb: use TestCaseInTempDir.rm_files/.rm_dirs
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15191

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
(cherry picked from commit 251360d6e5)
2022-10-07 08:45:15 +00:00
Douglas Bagnall
fba1864d7a pytest/join: use TestCaseInTempDir.rm_files/dirs
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15191
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
(cherry picked from commit 7455c53fa4)
2022-10-07 08:45:15 +00:00
Douglas Bagnall
6e217c047d pytest/samdb_api: use TestCaseInTempDir.rm_files
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15191
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
(cherry picked from commit 4e3dabad0b)
2022-10-07 08:45:15 +00:00
Douglas Bagnall
70de610892 pytest/downgradedatabase: use TestCaseInTempDir.rm_files
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15191
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
(cherry picked from commit 85bc1552e3)
2022-10-07 08:45:15 +00:00
Douglas Bagnall
2003f7cf74 pytest: add file removal helpers for TestCaseInTempDir
In several places we end a test by deleting a number of files and
directories, but we do it rather haphazardly with unintentionally
differing error handling. For example, in some tests we currently have
something like:

        try:
            shutil.rmtree(os.path.join(self.tempdir, "a"))
            os.remove(os.path.join(self.tempdir, "b"))
            shutil.rmtree(os.path.join(self.tempdir, "c"))
        except Exception:
            pass

where if, for example, the removal of "b" fails, the removal of "c" will
not be attempted. That will result in the tearDown method raising an
exception, and we're no better off. If the above code is replaced with

        self.rm_files('b')
        self.rm_dirs('a', 'c')

the failure to remove 'b' will cause a test error, *unless* the failure
was due to a FileNotFoundError (a.k.a. an OSError with errno ENOENT),
in which case we ignore it, as was probably the original intention.

If on the other hand, we have

        self.rm_files('b', must_exist=True)
        self.rm_dirs('a', 'c')

then the FileNotFoundError causes a failure (not an error).

We take a little bit of care to stay within self.tempdir, to protect
test authors who accidentally write something like `self.rm_dirs('/')`.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15191
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
(cherry picked from commit 2359741b28)
2022-10-07 08:45:15 +00:00
Joseph Sutton
0e3ac110df CVE-2021-20251 tests/krb5: Convert password lockout tests to use os.fork() and os.pipe()
Running the password lockout tests on Fedora 35 occasionally results in
errors similar to the following:

    [1(0)/1 at 0s] samba.tests.krb5.lockout_tests(ad_dc:local)
    EPOLL_CTL_DEL EBADF for fde[0x5569dc76c670] mpx_fde[(nil)] fd[14] - disabling

    EPOLL_CTL_DEL EBADF for fde[0x5569dc6089c0] mpx_fde[(nil)] fd[14] - disabling

    EPOLL_CTL_DEL EBADF for fde[0x5569dbbe58e0] mpx_fde[(nil)] fd[14] - disabling

    UNEXPECTED(error): samba.tests.krb5.lockout_tests.samba.tests.krb5.lockout_tests.LockoutTests.test_lockout_race_kdc(ad_dc:local)
    REASON: Exception: Exception: concurrent.futures.process._RemoteTraceback:
    """
    Traceback (most recent call last):
      File "/usr/lib64/python3.10/concurrent/futures/process.py", line 243, in _process_worker
        r = call_item.fn(*call_item.args, **call_item.kwargs)
      File "/home/samba/src/bin/python/samba/tests/krb5/lockout_tests.py", line 141, in connect_kdc
        pipe.send_bytes(b'0')
      File "/usr/lib64/python3.10/multiprocessing/connection.py", line 205, in send_bytes
        self._send_bytes(m[offset:offset + size])
      File "/usr/lib64/python3.10/multiprocessing/connection.py", line 416, in _send_bytes
        self._send(header + buf)
      File "/usr/lib64/python3.10/multiprocessing/connection.py", line 373, in _send
        n = write(self._handle, buf)
    OSError: [Errno 9] Bad file descriptor
    """

    The above exception was the direct cause of the following exception:

    Traceback (most recent call last):
      File "/home/samba/src/bin/python/samba/tests/krb5/lockout_tests.py", line 537, in test_lockout_race_kdc
        self.do_lockout_race(connect_kdc)
      File "/home/samba/src/bin/python/samba/tests/krb5/lockout_tests.py", line 863, in do_lockout_race
        self.wait_for_ready(our_pipe, connect_future)
      File "/home/samba/src/bin/python/samba/tests/krb5/lockout_tests.py", line 471, in wait_for_ready
        raise exception
    OSError: [Errno 9] Bad file descriptor

Such messages can be seen to come from epoll_del_event(). By resorting
to lower-level facilites such as fork() and OS pipes, we lose helpful
features such as timeouts and propagation of exceptions from child
processes, but we may avoid interactions with the event system that lead
to failures.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2022-09-18 16:46:09 +00:00
Joseph Sutton
63020bf13c CVE-2021-20251 tests/krb5: Add tests for password lockout race
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 91e2e5616c)

[jsutton@samba.org Fixed conflicts in usage.py, knownfails, and tests.py
 due to not having claims tests]

[jsutton@samba.org Removed tests for unsupported SAMR AES password
 change, removed related GNUTLS_PBKDF2_SUPPORT environment variable, and
 fixed knownfail conflicts; marked all password lockout tests as
 flapping due to sporadic failures seen with Fedora 35]
2022-09-18 16:46:09 +00:00
Joseph Sutton
f0c44d9e53 CVE-2021-20251 tests/krb5: Add PasswordKey_from_creds()
This is needed for generating a key when we don't have ETYPE-INFO2.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2022-09-18 16:46:09 +00:00
Joseph Sutton
ff66f68a11 CVE-2022-2031 tests/krb5: Add test that we cannot provide a TGT to kpasswd
The kpasswd service should require a kpasswd service ticket, and
disallow TGTs.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>

[jsutton@samba.org Fixed knownfail conflicts]
2022-07-24 09:23:56 +02:00
Joseph Sutton
1f54e16cf1 CVE-2022-2031 tests/krb5: Test truncated forms of server principals
We should not be able to use krb@REALM instead of krbtgt@REALM.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-07-24 09:23:56 +02:00
Joseph Sutton
8a4f07c2ca CVE-2022-2031 tests/krb5: Add tests for kpasswd service
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>

[jsutton@samba.org Fixed conflicts in usage.py and knownfails; removed
 MIT KDC 1.20-specific knownfails as it's not supported]
2022-07-24 09:23:55 +02:00
Joseph Sutton
c84eb0e673 CVE-2022-2031 tests/krb5: Add kpasswd_exchange() method
Now we can test the kpasswd service from Python.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-07-24 09:23:55 +02:00
Joseph Sutton
06c7f3d3f6 CVE-2022-2031 tests/krb5: Allow requesting a TGT to a different sname and realm
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>

[jsutton@samba.org Fixed conflict due to lacking rc4_support parameter]
2022-07-24 09:23:55 +02:00
Joseph Sutton
3e52255fd1 tests/krb5: Add option for creating accounts with expired passwords
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-07-24 09:23:55 +02:00
Joseph Sutton
a907564b69 tests/krb5: Fix enum typo
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-07-24 09:23:55 +02:00
Joseph Sutton
5f32710d67 CVE-2022-2031 tests/krb5: Add methods to send and receive generic messages
This allows us to send and receive kpasswd messages, while avoiding the
existing logic for encoding and decoding other Kerberos message types.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-07-24 09:23:55 +02:00
Joseph Sutton
82bfffcdc3 CVE-2022-2031 tests/krb5: Add 'port' parameter to connect()
This allows us to use the kpasswd port, 464.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-07-24 09:23:55 +02:00
Joseph Sutton
7cc2b1ac55 CVE-2022-2031 tests/krb5: Add methods to create ASN1 kpasswd structures
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-07-24 09:23:55 +02:00
Joseph Sutton
a0efc5bc0a CVE-2022-2031 tests/krb5: Add new definitions for kpasswd
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-07-24 09:23:55 +02:00
Joseph Sutton
7c9faf1aac CVE-2022-32744 tests/krb5: Correctly calculate salt for pre-existing accounts
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-07-24 09:23:55 +02:00
Joseph Sutton
3034c1933c CVE-2022-2031 tests/krb5: Split out _make_tgs_request()
This allows us to make use of it in other tests.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-07-24 09:23:55 +02:00
Joseph Sutton
af53dbec65 CVE-2022-32744 tests/krb5: Correctly handle specifying account kvno
The environment variable is a string, but we expect an integer.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-07-24 09:23:55 +02:00
Joseph Sutton
191adf2cf3 tests/krb5: Add helper function to modify ticket flags
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit ded5115f73)
2022-07-24 09:23:55 +02:00
Noel Power
94a94383bb s3/client: fix dfs deltree, resolve dfs path
since 4cc4938a28 do_list seems
to deal with non dfs root path, hence we need to resolve the
path before calling cli_unlink.

Also remove the knownfail

We additionally have to also remove the fallback to remove 'file3'
int the smbcacls_dfs_propagate_inherit.teardown as the deltree
that happens in the baseclass now succeeds.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15100

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Jun 17 17:12:07 UTC 2022 on sn-devel-184

(cherry picked from commit 81fdcf95ae)

Autobuild-User(v4-16-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-16-test): Mon Jun 20 10:56:52 UTC 2022 on sn-devel-184
2022-06-20 10:56:52 +00:00
Douglas Bagnall
1137957a13 s4/dlz: add support for bind 9.18
It seems nothing has changed since 9.16 for our purposes.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14986

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Signed-off-by: Andreas Hasenack <andreas@canonical.com>
Pair-programmed-with: Andreas Hasenack <andreas@canonical.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Mon May 23 00:53:09 UTC 2022 on sn-devel-184

(cherry picked from commit 03036442de)
2022-06-18 08:47:17 +00:00
Stefan Metzmacher
528ed90d03 python:tests: let insta_creds() also copy the bind_dn from the template
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit a30a762625)
2022-03-16 13:41:14 +00:00
Stefan Metzmacher
a31721982f upgradehelpers.py: add a comment to update_krbtgt_account_password()
The backend generates its own random krbtgt password values.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14984

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit ad0b5561b4)
2022-03-07 10:54:17 +00:00