1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-25 23:21:54 +03:00
Commit Graph

222 Commits

Author SHA1 Message Date
Stefan Metzmacher
3d96b093b7 s4:gensec_gssapi: fix CID 1409781: Possible Control flow issues (DEADCODE)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-16 19:34:17 +02:00
Stefan Metzmacher
7bf0308a31 s4:auth/gensec: let GENSEC_FEATURE_SESSION_KEY result in GSS_C_INTEG_FLAG
This is important to allow the 'new_spnego' with mech_list protection to work
for a SMB session setup.

This is not strictly needed as we always announce GENSEC_FEATURE_SESSION_KEY
in gensec_gssapi_have_feature(), but it's better to send GSS_C_INTEG_FLAG
over the wire.

This may prevent a ticket from a Samba client to an SMB server
(particularly a DC) being misused to connect to the LDAP server on that
DC, as the LDAP server will require GSSAPI signing of the connection.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-06-15 09:13:22 +02:00
Stefan Metzmacher
58b629b2b1 s4:gensec_gssapi: add simple gensec_gssapi_update_send/recv() wrapper functions
TODO: we still need to make the internal async.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-21 21:05:11 +02:00
Stefan Metzmacher
0ff6a1ae1f s4:gensec_gssapi: always announce GENSEC_FEATURE_SIGN_PKT_HEADER
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-21 21:05:08 +02:00
Jeremy Allison
3cfa58de12 gensec: Add a TALLOC_CTX * to gensec_register().
Pass in the TALLOC_CTX * from the module init to remove
another talloc_autofree_context() use.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-05-13 16:50:13 +02:00
Jeremy Allison
306783d6f5 lib: modules: Change XXX_init interface from XXX_init(void) to XXX_init(TALLOC_CTX *)
Not currently used - no logic changes inside.

This will make it possible to pass down a long-lived talloc
context from the loading function for modules to use instead
of having them internally all use talloc_autofree_context()
which is a hidden global.

Updated all known module interface numbers, and added a
WHATSNEW.

Signed-off-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Ralph Böhme <slow@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Apr 22 01:17:00 CEST 2017 on sn-devel-144
2017-04-22 01:17:00 +02:00
Andrew Bartlett
0e508853fc auth_log: Also log the final type of authentication (ntlmssp,krb5)
Administrators really care about how their users were authenticated, so make
this clear.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
2017-03-29 02:37:27 +02:00
Andreas Schneider
2dd4887648 s4:gensec_gssapi: Correctly handle external trusts with MIT
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2017-03-10 11:37:22 +01:00
Andreas Schneider
3781eb2501 s4:gensec_gssapi: Use smb_krb5_get_realm_from_hostname()
With credentials for administrator@FOREST1.EXAMPLE.COM
this patch changes the target_principal for
the ldap service of host dc2.forest2.example.com
from

  ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM

to

  ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM

Typically ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM
should be used in order to allow the KDC of FOREST1.EXAMPLE.COM
to generate a referral ticket for
krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM.

The problem is that KDCs only return such referral tickets
if there's a forest trust between FOREST1.EXAMPLE.COM
and FOREST2.EXAMPLE.COM. If there's only an external domain
trust between FOREST1.EXAMPLE.COM and FOREST2.EXAMPLE.COM
the KDC of FOREST1.EXAMPLE.COM will respond with S_PRINCIPAL_UNKNOWN
when being asked for ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM.

In the case of an external trust the client can still ask
explicitly for krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM
and the KDC of FOREST1.EXAMPLE.COM will generate it.

From there the client can use the
krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM
ticket and ask a KDC of FOREST2.EXAMPLE.COM for a
service ticket for ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM.

With Heimdal we'll get the fallback on S_PRINCIPAL_UNKNOWN behavior
when we pass ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM as
target principal. As _krb5_get_cred_kdc_any() first calls
get_cred_kdc_referral() (which always starts with the client realm)
and falls back to get_cred_kdc_capath() (which starts with the given realm).

MIT krb5 only tries the given realm of the target principal,
if we want to autodetect support for transitive forest trusts,
we'll have to do the fallback ourself.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2017-03-10 11:37:22 +01:00
Andreas Schneider
bf6358bf03 s4:gensec_gssapi: Move setup of service_principal to update function
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2017-03-10 11:37:21 +01:00
Andreas Schneider
8f7c452942 s4:gensec-gssapi: Create a helper function to setup server_principal
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2017-03-10 11:37:21 +01:00
Stefan Metzmacher
3a870baee8 s4:gensec_gssapi: require a realm in gensec_gssapi_client_start()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-01-10 13:54:17 +01:00
Stefan Metzmacher
48bcca566e s4:gensec_gssapi: the value gensec_get_target_principal() should overwrite gensec_get_target_hostname()
If gensec_get_target_principal() has a value, we no longer have to verify
the gensec_get_target_hostname() value, it can be just an ipadress.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-01-10 13:54:17 +01:00
Andreas Schneider
fd98174443 auth/gensec: Fix typo in log message
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2016-12-24 17:16:06 +01:00
David Mulder
99d8788028 auth/gensec: Remove unneeded cli_credentials_set_conf() call
The cli_credentials_set_client_gss_creds() will set the correct realm
from the gss creds.

Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: David Mulder <dmulder@suse.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2016-12-24 17:16:06 +01:00
Stefan Metzmacher
6459543b5a CVE-2016-2125: s4:gensec_gssapi: don't use GSS_C_DELEG_FLAG by default
This disabled the usage of GSS_C_DELEG_FLAG by default, as
GSS_C_DELEG_POLICY_FLAG is still used by default we let the
KDC decide if we should send delegated credentials to a remote server.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Simo Sorce <idra@samba.org>
2016-12-20 07:51:14 +01:00
Stefan Metzmacher
558e78c7e3 s4:gensec_gssapi: We need to use the users realm in the target_principal
This is important in order to let the kdc of the users realm start with
the trust referral routing.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-11-15 11:00:26 +01:00
Stefan Metzmacher
f0afefefe4 s4:gensec_gssapi: pass gss_got_flags to gssapi_get_sig_size()
We need to calculate the signature length based on the negotiated
flags. This is most important on the server side where,
gss_accept_sec_context() doesn't get gss_want_flags, but fills
gss_got_flags.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-10-26 11:20:12 +02:00
Andreas Schneider
0733ce3c6e gensec: Fix picky unused variable errors
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-11-23 15:17:18 +01:00
Andreas Schneider
80509dffdb s3-auth: Add MIT return code for KDC not reachable
This fixes authentication with local credentials against its own server
using netbios domain name.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2015-07-30 10:24:26 +02:00
Douglas Bagnall
3e35e0d6f8 Fix gensec_gssapi compilation for i386
Fixes this:

../source4/auth/gensec/gensec_gssapi.c:1017:3: error: format ‘%ju’ expects argument of type ‘uintmax_t’, but argument 3 has type ‘size_t’ [-Werror=format=]

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-07-09 00:42:15 +02:00
Stefan Metzmacher
fa4f4fed2e s4:gensec/gssapi: make use of add gssapi_get_sig_size() and gssapi_{seal,unseal,sign,check}_packet() helper functions
This way are able to support GENSEC_FEATURE_SIGN_PKT_HEADER also together with
GENSEC_FEATURE_SEAL.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Jun 24 04:00:43 CEST 2015 on sn-devel-104
2015-06-24 04:00:43 +02:00
Stefan Metzmacher
f643677d3f s3:librpc/gse: make use of add gssapi_get_sig_size() and gssapi_{seal,unseal,sign,check}_packet() helper functions
This way are able to support GENSEC_FEATURE_SIGN_PKT_HEADER.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-06-24 01:03:17 +02:00
Stefan Metzmacher
7b916b5f9a s4:gensec/gssapi: make calculation of gensec_gssapi_sig_size() for aes keys more clear
This way the result matches what gss_wrap_iov_length() would return.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-06-23 22:12:07 +02:00
Stefan Metzmacher
ac5283f788 s4:gensec/gssapi: use gensec_gssapi_max_{input,wrapped}_size() for all backends
This avoids calls to gensec_gssapi_sig_size() as fallback in
gensec_max_input_size().

gensec_gssapi_sig_size() needs to report the sig size
gensec_{sign,seal}_packet(), which could be different to the
overhead produced by gensec_wrap().

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-06-23 22:12:07 +02:00
Günther Deschner
de6021127d gensec: map KRB5KRB_AP_ERR_BAD_INTEGRITY to logon failure.
When requesting initiator credentials fails, we need to map the error code
KRB5KRB_AP_ERR_BAD_INTEGRITY to NT_STATUS_LOGON_FAILURE as well. This is what
current MIT kerberos returns.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-03-27 01:26:16 +01:00
Andreas Schneider
f05fbc1410 s4-gensec: Check if we have delegated credentials.
With MIT Kerberos it is possible that the GSS_C_DELEG_FLAG is set, but
the delegated_cred_handle is NULL which results in a NULL-pointer
dereference. This way we fix it.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-03-27 01:26:16 +01:00
Stefan Metzmacher
2bf79c419d s4:auth/gensec_gssapi: remove compiler warnings
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-03-20 20:43:12 +01:00
Stefan Metzmacher
09b3e42e70 s4:auth/gensec_gssapi: let gensec_gssapi_update() return NT_STATUS_LOGON_FAILURE for unknown errors
The 'nt_status' variable is set to NT_STATUS_OK before.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11164

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-03-16 03:00:06 +01:00
Volker Lendecke
a99a5a34a5 Fix the developer O3 build
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Wed Feb 25 16:32:29 CET 2015 on sn-devel-104
2015-02-25 16:32:29 +01:00
Andrew Bartlett
79ee8fc82c s4-gensec: Fix spelling in debug message
Change-Id: Ia0218c4b1f714d1b829ab0ce5851a4d02a1bf5df
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-By: Jelmer Vernooij <jelmer@samba.org>
2014-09-01 00:36:41 +02:00
Andreas Schneider
0e45b40511 s4-auth: Initialize the tokens by default.
Found with valgrind.

Signed-off-by: Andreas Schneider <asn@samba.org>
Pair-Programmed-With: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Fri Aug  8 19:01:56 CEST 2014 on sn-devel-104
2014-08-08 19:01:56 +02:00
Andrew Bartlett
086c06e361 kerberos: Remove un-used event context argument from smb_krb5_init_context()
The event context here was only specified in the server or admin-tool
context, which does not do network communication, so this only caused
a talloc_reference() and never any useful result.

The actual network communication code sets an event context directly
before making the network call.

Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Apr 28 02:24:57 CEST 2014 on sn-devel-104
2014-04-28 02:24:57 +02:00
Andrew Bartlett
60024cdd73 kerberos: Map KRB5KDC_ERR_CLIENT_REVOKED to NT_STATUS_ACCOUNT_LOCKED_OUT
Change-Id: I333083e11a56d0f99ec36df25a96804d0ff2d110
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-02 17:12:46 +02:00
Stefan Metzmacher
6f527c8706 s4:auth/gensec: only include "librpc/gen_ndr/dcerpc.h"
We only need some DCERPC_ defines.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2014-02-13 11:54:13 +01:00
Stefan Metzmacher
54b5b3067f s4:gensec_gssapi: make sure gensec_gssapi_[un]seal_packet() rejects header signing
If header signing is requested we should error out instead of
silently ignoring it, our peer would hopefully reject it,
but we should also do that.

TODO: we should implement header signing using gss_wrap_iov().

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-07 00:27:11 +01:00
Stefan Metzmacher
14f6c41754 s4:auth/gensec_gssapi: handle GENSEC_FEATURE_SIGN_PKT_HEADER in have_feature()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-07 00:27:11 +01:00
Stefan Metzmacher
71c63e85e7 auth/gensec: introduce gensec_internal.h
We should treat most gensec related structures private.

It's a long way, but this is a start.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-10 09:19:02 +02:00
Andrew Bartlett
9430310dc3 gensec: Make the no-hostname status message much less scary
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-05-16 19:02:00 +02:00
Guenter Kukkukk
efd60aeff7 Fix some cut-and-paste and spelling in debug messages
Signed-off-by: Guenter Kukkukk <kukks@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Feb 12 07:28:27 CET 2013 on sn-devel-104
2013-02-12 07:28:27 +01:00
Andreas Schneider
2b144531f1 gse: Use the smb_gss_oid_equal wrapper.
Signed-off-by: Andreas Schneider <asn@samba.org>
2012-05-23 17:51:51 +03:00
Simo Sorce
ad945bc68f gensec_gssapi: Make it possible to build with MIT krb5
We need to ifdef out some minor things here because there is no available API
to set these options in MIT.
The realm and canonicalize options should be not interesting in the client
case. Same for the send_to_kdc hacks.
Also the OLD DES3 enctype is not at all interesting. I am not aware that
Windows will ever use DES3 and no modern implementation relies on that enctype
anymore as it has been fully deprecated long ago, so we can simply ignore it.
2012-05-23 17:51:49 +03:00
Stefan Metzmacher
90c309b053 s4:auth/gensec_gssapi: add "gensec_gssapi:requested_life_time" option
metze
2012-05-17 20:04:34 +02:00
Stefan Metzmacher
6b38d0274a s4:auth/gensec: implement gensec_gssapi_expire_time()
metze
2012-05-17 20:04:33 +02:00
Stefan Metzmacher
677c4fd2c1 s4:auth/gensec_gssapi: add missing 'break' statements
metze
2012-05-17 20:04:32 +02:00
Stefan Metzmacher
943cb79596 s4:auth/gensec_gssapi: remember the expire time
metze
2012-05-17 20:04:31 +02:00
Alexander Bokovoy
594e316181 lib/replace: split out GSSAPI from lib/replace/system/kerberos.h into lib/replace/system/gssapi.h
With waf build include directories are defined by dependencies specified to subsystems.
Without proper dependency <gssapi/gssapi.h> cannot be found for embedded Heimdal builds
when there are no system-wide gssapi/gssapi.h available.

Split out GSSAPI header includes in a separate replacement header and use that explicitly
where needed.

Autobuild-User: Alexander Bokovoy <ab@samba.org>
Autobuild-Date: Wed Apr 25 00:18:33 CEST 2012 on sn-devel-104
2012-04-25 00:18:32 +02:00
Simo Sorce
f7070c90b9 For now just disable this Heindal specific stuff in the MIT build 2012-04-23 16:40:49 -04:00
Simo Sorce
70c303a7f3 auth-krb: Move pac related util functions in a single place.
Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12 12:06:43 +02:00
Simo Sorce
88d5d5c4b4 auth-krb: Nove oid packet check to gensec_util.
This is clearly a utiliy function generic to gensec.  Also the 3 callers
had identical implementations. Provide a generic implementation for all
of them and avoid duplicating the code everywhere.

Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12 12:06:42 +02:00