1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00
Commit Graph

872 Commits

Author SHA1 Message Date
Andreas Schneider
8d637d667d auth:gensec: Fully initialize struct spnego_data
"Error: UNINIT (CWE-457):
samba-4.20.0rc2/auth/gensec/spnego.c:1129: var_decl: Declaring variable ""spnego_out"" without initializer.
samba-4.20.0rc2/auth/gensec/spnego.c:1154: uninit_use_in_call: Using uninitialized value ""spnego_out.negTokenTarg.negResult"" when calling ""spnego_write_data"".
 1152|   	}
 1153|
 1154|-> 	if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
 1155|   		DEBUG(1, (""Failed to write SPNEGO reply to NEG_TOKEN_TARG\n""));
 1156|   		return NT_STATUS_INVALID_PARAMETER;"

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2024-07-18 12:47:30 +00:00
Volker Lendecke
1cea29c398 credentials: Protect the cred's nt hash with talloc_keep_secret
This avoids the need for an explict ZERO_STRUCT before TALLOC_FREE

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-06-24 16:21:32 +00:00
Volker Lendecke
3c84a84fff spnego: Fix typos
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-06-24 16:21:32 +00:00
Volker Lendecke
2b06123a9b gensec: Fix whitespace
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-06-24 16:21:32 +00:00
Stefan Metzmacher
5b40cdf6e8 auth/credentials: don't ignore "client use kerberos" and --use-kerberos for machine accounts
We only turn desired into off in the NT4 domain member case.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15666

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Jun 19 10:17:28 UTC 2024 on atb-devel-224
2024-06-19 10:17:28 +00:00
Stefan Metzmacher
eeb60574b6 auth/credentials: add tests for cli_credentials_get_kerberos_state[_obtained]()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15666

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-06-19 09:07:36 +00:00
Stefan Metzmacher
c715ac5e49 auth/credentials: add cli_credentials_get_kerberos_state_obtained() helper
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15666

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-06-19 09:07:36 +00:00
Volker Lendecke
8f90ec12a5 lib: gensec.h references NTTIME, add time.h
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-04 07:11:35 +00:00
Volker Lendecke
5c736ffe35 gensec: Simplify gensec_security_by_fn()
We don't need that intermediate talloc ctx, we only allocate backends
and don't pass it anywhere else.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-04 07:11:35 +00:00
Volker Lendecke
82c477b980 gensec: Filter out disabled mechs in gensec_security_mechs()
Every single caller of gensec_security_mechs() had to manually filter
out disabled mechanisms. Don't offer them from the start.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-04 07:11:35 +00:00
Volker Lendecke
426c084767 gensec: Refactor gensec_security_mechs()
The decision whether to offer a mechanism was split between
gensec_security_mechs() and gensec_use_kerberos_mechs() with two
booleans passed down. Consolidate that decision into one
gensec_offer_mech() function that queries all information on its own.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-04 07:11:35 +00:00
Volker Lendecke
b28de27f6b gensec: Simplify gensec_security_by_*
Centralize looping over all backends

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-04 07:11:35 +00:00
Volker Lendecke
b436f5fec1 creds: Add cli_credentials_add_gensec_features
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-04 07:11:35 +00:00
Andreas Schneider
f64e728444 auth:ntlmssp: Use lpcfg_dns_hostname()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 20:33:36 +00:00
Andreas Schneider
78c2427d9b auth:ntlmssp: Remove trailing spaces
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 20:33:36 +00:00
Jo Sutton
7b02221c4f auth:credentials: Check for NT hash being NULL
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:36 +00:00
Stefan Metzmacher
afcd53b8d0 auth/credentials_krb5: let cli_credentials_set_ccache() use smb_force_krb5_cc_default()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:32 +00:00
Stefan Metzmacher
a5d46f69d1 auth/credentials_krb5: use system/{gssapi,kerberos}.h
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:32 +00:00
Stefan Metzmacher
16a5279e29 auth/credentials: use smb_krb5_cc_new_unique_memory() in cli_credentials_new_ccache()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-07 11:30:33 +00:00
Stefan Metzmacher
176c55efb2 auth/credentials: use smb_krb5_cc_new_unique_memory() in cli_credentials_shallow_ccache()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-07 11:30:33 +00:00
Stefan Metzmacher
5d385ab691 auth/credentials: use smb_krb5_cc_new_unique_memory() in smb_gss_krb5_copy_ccache()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-07 11:30:33 +00:00
Stefan Metzmacher
92bebeb58e auth/credentials: use smb_krb5_cc_new_unique_memory() in krb5_cc_remove_cred_wrap()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-07 11:30:33 +00:00
Stefan Metzmacher
a3c87bf440 auth/gensec: add gensec_get_unparsed_target_principal() helper
This will be useful for debugging.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-07 11:30:33 +00:00
Stefan Metzmacher
996fd13949 auth/gensec: add gensec_kerberos_possible() helper
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-07 11:30:33 +00:00
Andreas Schneider
b9cf6c8dd4 auth:creds: Add test for cli_credentials_get_username_obtained()
Signed-off-by: Andreas Schneider <asn@samba.org>
2024-05-07 11:30:33 +00:00
Stefan Metzmacher
f9afd24c90 auth/credentials: add cli_credentials_get_username_obtained()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-07 11:30:33 +00:00
Andreas Schneider
7f0aff4682 auth:creds: Add test for cli_credentials_get_password_obtained()
Signed-off-by: Andreas Schneider <asn@samba.org>
2024-05-07 11:30:33 +00:00
Stefan Metzmacher
c14366cce4 auth/credentials: add cli_credentials_get_password_obtained()
It's often useful to know if a password was already explicitly
specified without triggering the password callback function.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-07 11:30:33 +00:00
Stefan Metzmacher
c7d3946659 auth/credentials: add cli_credentials_get_ccache_name_obtained()
It's often good to know if a credential structure already has
a valid kerberos credential cache attached, without the side
effect of doing a kinit and prompt for a password.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15018

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-07 11:30:33 +00:00
Andreas Schneider
4723d69560 auth:creds: Add test for cli_credentials_get_principal_obtained()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15018

Signed-off-by: Andreas Schneider <asn@samba.org>
2024-05-07 11:30:33 +00:00
Stefan Metzmacher
1e5546748c auth/credentials: add cli_credentials_get_principal_obtained()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15018

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-07 11:30:33 +00:00
Stefan Metzmacher
5d350c1ecd auth/gensec: remove useless client_use_spnego_principal usage
It's off by default and all sane servers use
not_defined_in_RFC4178@please_ignore anyway.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-23 23:50:34 +00:00
Stefan Metzmacher
f1d34a430d auth/ntlmssp: implement channel binding support
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-23 23:50:34 +00:00
Stefan Metzmacher
e912ba579b auth/gensec: add gensec_set_channel_bindings() function
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-23 23:50:34 +00:00
Stefan Metzmacher
5af5bf2645 auth/credentials: don't call talloc_free(ccache_name) on callers memory
The internally allocated ccache_name has ccc as parent,
so we don't need to cleanup explicitly.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-04-23 14:17:32 +00:00
Stefan Metzmacher
d221f930ef auth/credentials: a temporary MEMORY ccache needs krb5_cc_destroy()
A simple krb5_cc_close() doesn't remove it from the global memory list.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-04-23 14:17:32 +00:00
Douglas Bagnall
acaa1323d0 gensec: sort_gensec uses NUMERIC_CMP
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-23 01:33:29 +00:00
Jo Sutton
faba757175 auth:credentials: Remove unnecessary declaration
This declaration is a hold‐over from the Python 2 module initialization
pattern.

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-21 22:10:36 +00:00
Jo Sutton
b6b8f9539b auth:credentials: Fix code spelling
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-21 22:10:36 +00:00
Volker Lendecke
0baae61e42 lib: Give lib/util/util_file.c its own header file
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
2024-04-16 23:51:45 +00:00
Andrew Bartlett
dbba6c22a4 auth/credentials: Read managed_password.passwords.query_interval only after parsing
The code previously read the uninitialised stack not the parsed
structure, and so could segfault if the stack was not zero.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Apr  9 23:59:54 UTC 2024 on atb-devel-224
2024-04-09 23:59:54 +00:00
Alexander Bokovoy
8e931fce12 Do not fail checksums for RFC8009 types
While Active Directory does not support yet RFC 8009 encryption and
checksum types, it is possible to verify these checksums when running
with both MIT Kerberos and Heimdal Kerberos. This matters for FreeIPA
domain controller which uses them by default.

[2023/06/16 21:51:04.923873, 10, pid=51149, effective(0, 0), real(0, 0)]
../../lib/krb5_wrap/krb5_samba.c:1496(smb_krb5_kt_open_relative)
  smb_krb5_open_keytab: resolving: FILE:/etc/samba/samba.keytab
[2023/06/16 21:51:04.924196,  2, pid=51149, effective(0, 0), real(0, 0),
class=auth] ../../auth/kerberos/kerberos_pac.c:66(check_pac_checksum)
  check_pac_checksum: Checksum Type 20 is not supported
[2023/06/16 21:51:04.924228,  5, pid=51149, effective(0, 0), real(0, 0),
class=auth] ../../auth/kerberos/kerberos_pac.c:353(kerberos_decode_pac)
  PAC Decode: Failed to verify the service signature: Invalid argument

Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-08 03:00:39 +00:00
Andrew Bartlett
3d1ec5dc67 auth/credentials: Remove use of pytalloc_get_type() of NDR types in pycredentials
This function is based on a flawed premise that the
pointer is a talloc context, but the second element
in an array and any element in a structure is not a
talloc context.

The type has already been checked above.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-03-28 01:50:41 +00:00
Jo Sutton
67af86d2ab auth:credentials: Remove unused include
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-21 03:12:33 +00:00
Jo Sutton
8b86174bd3 auth:credentials: Remove trailing line
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-21 03:12:33 +00:00
Andrew Bartlett
0490aed716 auth/credentials: Cope with GMSA 5min password preview in cli_credentials_set_gmsa_passwords()
This is unused in Samba currently, but is a subtle race that will be difficult
to debug if this is ever used, so this makes things easier for some future
developer.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-03-14 22:06:39 +00:00
Andrew Bartlett
48affb137f auth/credentials: Allow generation of old Kerberos keys also
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-03-14 22:06:39 +00:00
Andrew Bartlett
b8308f3fe0 auth/credentials: Make cli_credentials_get_aes256_key into generic key access
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-03-14 22:06:39 +00:00
Andrew Bartlett
13d346ce0c auth/credentials: Add hook to set credentials from msDS-ManagedPassword blob
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-03-14 22:06:39 +00:00
Andrew Bartlett
dd993c2170 auth/credentials: Dynamically calculate the salt principal (unless speccified)
This helps pull the salt principal calculation into a single spot.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-03-14 22:06:39 +00:00