1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

2229 Commits

Author SHA1 Message Date
Jule Anger
0c7cfb7a11 s4:ldap_server: reload tls certificates on smbcontrol reload-certs
Reload certificates with the command 'smbcontrol ldap_server reload-certs'.
The message is send to the master process, who forwards it to the workers
processes.
The master process reload and, if necessary, create the certificates first,
then the workers processes reload them.

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Jule Anger <janger@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-25 20:04:29 +00:00
Ralph Boehme
566427c4f0 librpc/idl: mdssvc: unkn4 field is a fragment indicator
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>
2023-07-24 15:18:32 +00:00
Joseph Sutton
0da6cc7105 claims.idl: Fix AD claims encoding
Up to now we have been absorbing the discriminant in the NDR padding,
and setting it to zero in the push. But if the discriminant is not set
correctly, Windows will refuse to regard any of the claims.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Jul 21 02:19:48 UTC 2023 on atb-devel-224
2023-07-21 02:19:48 +00:00
Douglas Bagnall
eb2bed3899 lib/fuzzing: add fuzzer for arbitrary token/sd access checks
The token and descriptor are stored in NDR format; for this purpose we
add a new IDL struct containing this pair (along with a desired access
mask).

An upcoming commit will show how to collect seeds for this fuzzer.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-19 03:31:30 +00:00
Stefan Metzmacher
56ee153cae netlogon.idl: add some comments to netr_OsVersionInfoEx
[MS-RPRN] 7 Appendix B: Product Behavior contains information
about the products and their announced versions.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-19 03:31:30 +00:00
Stefan Metzmacher
5f87888ed5 netlogon.idl: add support for netr_LogonGetCapabilities response level 2
We don't have any documentation about this yet, but tests against
a Windows Server 2022 patched with KB5028166 revealed that
the response for query_level=2 is exactly the same as
for querey_level=1.

Until we know the reason for query_level=2 we won't
use it as client nor support it in the server, but
we want ndrdump to work.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-17 06:37:31 +00:00
Joseph Sutton
edad945339 librpc/nbt: Avoid reading invalid member of union
WACK packets use the ‘data’ member of the ‘nbt_rdata’ union, but they
claim to be a different type — NBT_QTYPE_NETBIOS — than would normally
be used with that union member. This means that if rr_type is equal to
NBT_QTYPE_NETBIOS, ndr_push_nbt_res_rec() has to guess which type the
structure really is by examining the data member. However, if the
structure is actually of a different type, that union member will not be
valid and accessing it will invoke undefined behaviour.

To fix this, eliminate all the guesswork and introduce a new type,
NBT_QTYPE_WACK, which can never appear on the wire, and which indicates
that although the ‘data’ union member should be used, the wire type is
actually NBT_QTYPE_NETBIOS.

This means that as far as NDR is concerned, the ‘netbios’ member of the
‘nbt_rdata’ union will consistently be used for all NBT_QTYPE_NETBIOS
structures; we shall no longer access the wrong member of the union.

Credit to OSS-Fuzz.

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=38480

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15019

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Fri Jul  7 01:14:06 UTC 2023 on atb-devel-224
2023-07-07 01:14:06 +00:00
Joseph Sutton
47b6696dcd librpc:ndr: Fix overflow in ndr_push_expand
If ‘size’ was equal to UINT32_MAX, the expression ‘size+1’ could
overflow to zero.

This could result in inadequate memory being allocated, which could
cause ndr_pull_compression_xpress_huff_raw_chunk() to overflow memory
with zero bytes.

Credit to OSS-Fuzz.

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=57728

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15415

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-07-07 00:17:31 +00:00
Andreas Schneider
eba5b05a51 librpc:rpc: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-23 13:44:31 +00:00
Andreas Schneider
4ec8ecce07 librpc:ndr: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-23 13:44:31 +00:00
Andreas Schneider
ba02d89be1 librpc:idl: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-23 13:44:31 +00:00
Volker Lendecke
c4e27ae4f6 smbd: Don't set security_descriptor_hash_v4->time
This prevents de-duplication of xattrs in the backend file system
where otherwise ACLs are often very similar.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Jun 21 07:11:56 UTC 2023 on atb-devel-224
2023-06-21 07:11:56 +00:00
Joseph Sutton
359e820404 librpc/idl: Add authentication policy event IDs
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-14 22:57:35 +00:00
Pavel Filipenský
38565ff2df s3:winbind: Add wbint_LookupAliasMembers to winbind interface
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-06-13 12:15:32 +00:00
Andrew Bartlett
ff310caabd librpc: No longer consider the DS_DIRECTORY_SERVICE_{8,9,10}_REQUIRED bits as invalid
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-05-31 04:02:35 +00:00
Joseph Sutton
642079771b librpc/idl: Fix indentation
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-29 22:32:28 +00:00
Andrew Bartlett
a5235a9d05 librpc/idl: Alias the DS_ constants in netlogon.idl to the NBT_SERVER equivilants
Both the NBT_SERVER versions (in python scripts) and DS_ constants are
in use in freeIPA so we can not just drop one for the other without
discussion.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed May 24 01:52:28 UTC 2023 on atb-devel-224
2023-05-24 01:52:28 +00:00
Andrew Bartlett
4caab32f08 librpc/idl: Use nbt_server_type instead of netr_DsR_DcFlags netlogon.idl
We should not keep two idential bitfield tables in two nearby IDL files.

However a number of python files in Samba and in freeIPA use the nbt.NBT_SERVER_*
constants, so these are the better names to keep.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-05-24 00:50:31 +00:00
Andrew Bartlett
089f555eb7 librpc/idl: Merge missing bits into nbt_server_type in nbt.idl
These bits are defined in netr_DsR_DcFlags in netlogon.idl already.

We need these new bits to announce FL 2012R2 and 2016 support.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-05-24 00:50:31 +00:00
Stefan Metzmacher
e03e738dfc librpc/rpc: allow smb3_sid_parse() to accept modern encryption algorithms
We should not limit the possible encryption algorithms to the currently
known ones.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15374

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed May 17 07:34:28 UTC 2023 on atb-devel-224
2023-05-17 07:34:28 +00:00
Volker Lendecke
59694ad0a4 rpc_server3: Pass winbind_env_set() state through to rpcd_*
Winbind can ask rpcd_lsad for LookupNames etc. This can recurse back
into winbind for getpwnam. We have the "_NO_WINBINDD" environment
variable set in winbind itself for this case, but this is lost on the
way into rpcd_lsad. Use a flag in global_sid_Samba_NPA_Flags to pass
this information to dcerpc_core, where it sets the variable on every
call if requested.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15361
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue May 16 11:54:32 UTC 2023 on atb-devel-224
2023-05-16 11:54:32 +00:00
Volker Lendecke
bdba027a33 rpc: Remove named_pipe_auth_req_info6->need_idle_server
Involves bumping up the version number

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15361
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-05-16 10:53:40 +00:00
Volker Lendecke
1d11e0489b librpc: Simplify dcerpc_is_transport_encrypted()
Simplify logic by using security_token_count_flag_sids()

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15361
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-05-16 10:53:40 +00:00
Andrew Bartlett
963688b3a5 librpc: Always call ndr_push_compression_state_init() for compression
This allows the push routine to cache the chosen compression algorithm in
the struct ndr_compression_state in ndr->cstate and so, in claims, avoid
calling ndr_size_CLAIMS_SET_NDR() three times per compression (more in the
overall push).

As claims is now the primary use of the libndr compression code, this is
a reasonable tradeoff compared to the other callers who have more static
algorithm selections.

By removing the struct ndr_compression_state **state argument from
ndr_push_compression_state_init() we make clear that the ndr->cstate
belongs to this NDR context, and this context alone.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-05-05 02:54:30 +00:00
Andrew Bartlett
ff2de50aa4 librpc: Fix talloc hierarchy for ndr_compression_state
The complexity of generic_mszip_free() is not needed, nor is a talloc
destructor required if the memory is correctly created in a tree.

Credit to OSS-Fuzz for showing the use-after-free

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=57608

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15349

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-05-05 02:54:30 +00:00
Joseph Sutton
a1e64e5737 libndr: Handle allocation failure
If a talloc function returns NULL, indicating failure, the failure could
be masked by the next talloc call allocating on the NULL context.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-04-12 13:52:31 +00:00
Joseph Sutton
fd159aaa80 librpc/ndr: Add missing newlines to error messages
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-04-12 13:52:31 +00:00
Joseph Sutton
f1174c6e0c librpc/ndr: Fix NULL pointer dereference
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15348

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-05 01:06:29 +00:00
Andrew Bartlett
2d2f68236e librpc/ndr: Use libndr compression for claims
This ensures our python layer and C layer (in the KDC, when implementated)
use the same compression logic and so allows us to test the production
compression via the IDL-generated interfaces.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-03-31 01:48:30 +00:00
Andrew Bartlett
c6981f6054 librpc/ndr: Make ndr_push_compression_state_free() a talloc destructor
This means that the generic_mszip_free() will still be called on failure.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-03-31 01:48:30 +00:00
Andrew Bartlett
327c84cf87 librpc/ndr: Implement lzxpress_huffman() compression in libndr for Kerberos Claims
Rather than just pick the next value we re-arrange compression values
in libndr to be memnonic to values in MS Windows ntifs.h

This helps avoid confusing developers who compare these
algorithms with local the MS Windows interface.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-03-31 01:48:30 +00:00
Andrew Bartlett
c85cadf195 librpc/ndr: Add a "NONE" compression format to libndr
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-03-31 01:48:30 +00:00
Andrew Bartlett
b95117dc56 libndr/ndr: Remove unused argument from ndr_push_compression_{start,end}()
Removing the unused arguments avoids thier value being calculated in the
PIDL generated code, which can be expensive.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-03-31 01:48:30 +00:00
Andrew Bartlett
8c58da347c libndr/ndr: Add NDR_COMPRESSION_INVALID
This will help make a mapping from wire-specified compression
algorithms to our available choices safer by allowing an invalid
choice to map to NDR_COMPRESSION_INVALID

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-03-31 01:48:30 +00:00
Andrew Bartlett
937bf4b836 librpc/ndr: Unimplement DRSUAPI_COMPRESSION_TYPE_XPRESS and rename
DRSUAPI_COMPRESSION_TYPE_XPRESS is not MS-XCA nor is it implemented by
lzexpress_compress(), so disconnect from that algorithm.

This avoids someone fixing lzxpress_compress() to work for DRSUAPI
and breaking claims support.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-03-31 01:48:30 +00:00
Andrew Bartlett
1dedffab8b librpc/ndr: Remove incorrect comment that ndr_compression.h is autogenerated
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-03-31 01:48:30 +00:00
Andrew Bartlett
4e32ea1519 librpc: Remove incorrect NDR_COMPRESSION dependency from NDR_KRB5CCACHE
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-03-31 01:48:30 +00:00
Andrew Bartlett
053aa51653 ndrdump: Allow a long string of hexidecimal digits as well as a hex dump for --hex-input
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-03-31 01:48:30 +00:00
Andrew Bartlett
03d9b7b8b6 librpc/idl: Explain why PAC_TYPE_CLIENT_CLAIMS_INFO is not directly decoded
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-03-31 01:48:30 +00:00
Joseph Sutton
2e8e93fdd1 s4:kdc: Refactor PAC handling
It's getting unwieldy adding new PAC buffer types when each one has to
have its own handling. It also makes the possibility of mistakes more
likely.

Add a new container, 'struct pac_blobs', containing the types of PAC
buffers in a given PAC, with an index for quick access to the types we
support specifically. We can add new blobs (overriding existing ones) by
calling pac_blobs_add_blob(), and override certain blobs that must be
present with pac_blobs_replace_existing().

This removes the need to have a complicated 'switch' statement with
different logic for each PAC buffer type, or a dozen index variables.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-03-20 00:22:32 +00:00
Volker Lendecke
cc4a2d4edc librpc: Simplify dcerpc_default_transport_endpoint()
We don't need strcmp for just 1 byte

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-03-09 18:10:33 +00:00
Joseph Sutton
e20067c52d auth: Make more liberal use of SID index constants
Arrays of SIDs are handled not fully consistently throughout the
codebase. Sometimes SIDs in the first and second positions represent a
user and a primary group respectively; other times they don't mean
anything in particular. Using these index constants in situations of the
former sort can help to clarify our intent.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-02-08 00:03:39 +00:00
Joseph Sutton
5147f011d9 auth: Shorten long SID flags combinations
The combination MANDATORY | ENABLED_BY_DEFAULT | ENABLED is very
commonly used, and introducing a shorter alias for it makes the code
clearer.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-02-08 00:03:39 +00:00
Joseph Sutton
e3fdb2d001 s4:kdc: Add resource SID compression
The domain-local groups that are added to the PAC of a service ticket
are now, if the service doesn't disclaim support for SID compression,
placed into the resource groups structure in PAC_LOGON_INFO.

In a TGS exchange directed to a KDC, rather than to a service, the
resource groups structure is simply copied into the updated PAC without
any processing being done.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-02-08 00:03:39 +00:00
Joseph Sutton
14d94460ca auth: Pass through entire PAC flags value in auth_user_info
Besides the NETLOGON_GUEST bit indicating whether the user has been
authenticated, we now carry all of the other bits as well. This lets us
match Windows' behaviour of simply passing these bits through to an
updated PAC when processing a TGS-REQ.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-02-08 00:03:39 +00:00
Joseph Sutton
8aef16bbbc named_pipe_auth: Bump info5 to info6
In the next commit, we shall replace the 'authenticated' field of
named_pipe_auth_req_info.info5.session_info.session_info.info with a
more general 'user_flags' field.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-02-08 00:03:39 +00:00
Joseph Sutton
94cda2dfd5 auth: Exclude resource groups from a TGT
Resource group SIDs should only be placed into a service ticket, but we
were including them in all tickets. Now that we have access to the group
attributes, we'll filter out any groups with SE_GROUP_RESOURCE set if
we're creating a TGT.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-02-08 00:03:39 +00:00
Joseph Sutton
7050e05742 auth: Store group attributes in auth_user_info_dc
Group expansion, performed in dsdb_expand_nested_groups(), now
incorporates a check of the type of each group. Those that are resource
groups receive the SE_GROUP_RESOURCE bit in the attributes which are now
carried alongside each group SID.

Whereas before, in auth_convert_user_info_dc_sambaseinfo() and
auth_convert_user_info_dc_saminfo6(), we invariantly used the flag
combination SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT |
SE_GROUP_ENABLED to set attributes in the PAC, we now take the correct
attributes from user_info_dc.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-02-08 00:03:39 +00:00
Joseph Sutton
c0011bcdc8 auth.idl: Add auth_SidAttr type
This type incorporates, alongside a SID, a group attributes member,
through which attributes from a PAC or the AD database can be conveyed
into the completed PAC. A useful benefit this provides is the ability to
distinguish and exclude domain-local groups, which only belong in
service tickets, from the PAC of a TGT.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-02-08 00:03:39 +00:00
Volker Lendecke
b73ecb28a7 lib: Remove idtree from samba_util.h
No need to recompile the world when only a few files need this.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-01-10 00:28:37 +00:00