1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00
Commit Graph

1486 Commits

Author SHA1 Message Date
Volker Lendecke
6071220fcb libcli: Make debug_unix_user_token() use just one DEBUG statement
This avoids messing up the debug logs when multiple processes are
writing into the same file.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Oct 11 00:24:58 UTC 2023 on atb-devel-224
2023-10-11 00:24:58 +00:00
Andrew Bartlett
e2cc29d132 libcli/security: Pass in claims evaluation state when building any security token
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-09-26 23:45:35 +00:00
Joseph Sutton
9e2a93d54b s3:auth: Fix code spelling
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-11 02:42:41 +00:00
Joseph Sutton
29b2dcb4f5 s3:auth: Add missing newlines to logging messages
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:37 +00:00
Andreas Schneider
ef5ab45be7 s3:auth: Use new debug macros for logging
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-07-05 06:34:32 +00:00
Andreas Schneider
e57f034f01 s3:auth: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-07-05 06:34:32 +00:00
Joseph Sutton
ca9d27ae99 auth: Add functionality to log client and server policy information
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-25 23:29:32 +00:00
Joseph Sutton
2a8db07293 auth: Return status code if configuration prohibits NTLM
Currently, we rely on ‘stored_nt’ being NULL to give an
NT_STATUS_WRONG_PASSWORD error.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-16 23:29:32 +00:00
Joseph Sutton
5147f011d9 auth: Shorten long SID flags combinations
The combination MANDATORY | ENABLED_BY_DEFAULT | ENABLED is very
commonly used, and introducing a shorter alias for it makes the code
clearer.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-02-08 00:03:39 +00:00
Joseph Sutton
e3fdb2d001 s4:kdc: Add resource SID compression
The domain-local groups that are added to the PAC of a service ticket
are now, if the service doesn't disclaim support for SID compression,
placed into the resource groups structure in PAC_LOGON_INFO.

In a TGS exchange directed to a KDC, rather than to a service, the
resource groups structure is simply copied into the updated PAC without
any processing being done.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-02-08 00:03:39 +00:00
Joseph Sutton
14d94460ca auth: Pass through entire PAC flags value in auth_user_info
Besides the NETLOGON_GUEST bit indicating whether the user has been
authenticated, we now carry all of the other bits as well. This lets us
match Windows' behaviour of simply passing these bits through to an
updated PAC when processing a TGS-REQ.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-02-08 00:03:39 +00:00
Joseph Sutton
94cda2dfd5 auth: Exclude resource groups from a TGT
Resource group SIDs should only be placed into a service ticket, but we
were including them in all tickets. Now that we have access to the group
attributes, we'll filter out any groups with SE_GROUP_RESOURCE set if
we're creating a TGT.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-02-08 00:03:39 +00:00
Joseph Sutton
7050e05742 auth: Store group attributes in auth_user_info_dc
Group expansion, performed in dsdb_expand_nested_groups(), now
incorporates a check of the type of each group. Those that are resource
groups receive the SE_GROUP_RESOURCE bit in the attributes which are now
carried alongside each group SID.

Whereas before, in auth_convert_user_info_dc_sambaseinfo() and
auth_convert_user_info_dc_saminfo6(), we invariantly used the flag
combination SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT |
SE_GROUP_ENABLED to set attributes in the PAC, we now take the correct
attributes from user_info_dc.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-02-08 00:03:39 +00:00
Stefan Metzmacher
370b777202 s3:auth: call wbcFreeMemory(info) in auth3_generate_session_info_pac()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15286

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-01-19 18:47:35 +00:00
Volker Lendecke
b73ecb28a7 lib: Remove idtree from samba_util.h
No need to recompile the world when only a few files need this.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-01-10 00:28:37 +00:00
Volker Lendecke
3f7c646774 lib: Remove fstring_sub() that was used just once
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2022-12-12 21:16:33 +00:00
Stefan Metzmacher
32df5e4961 s3:auth_samba4: make use of imessaging_init_discard_incoming()
Otherwise we'll generate a memory leak of imessaging_post_state/
tevent_immediate structures per incoming message!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15201

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2022-10-13 12:30:37 +00:00
Andreas Schneider
9ef2f7345f s3:auth: Flush the GETPWSID in memory cache for NTLM auth
Example valgrind output:

==22502== 22,747,002 bytes in 21,049 blocks are possibly lost in loss record 1,075 of 1,075
==22502==    at 0x4C29F73: malloc (vg_replace_malloc.c:309)
==22502==    by 0x11D7089C: _talloc_pooled_object (in /usr/lib64/libtalloc.so.2.1.16)
==22502==    by 0x9027834: tcopy_passwd (in /usr/lib64/libsmbconf.so.0)
==22502==    by 0x6A1E1A3: pdb_copy_sam_account (in /usr/lib64/libsamba-passdb.so.0.27.2)
==22502==    by 0x6A28AB7: pdb_getsampwnam (in /usr/lib64/libsamba-passdb.so.0.27.2)
==22502==    by 0x65D0BC4: check_sam_security (in /usr/lib64/samba/libauth-samba4.so)
==22502==    by 0x65C70F0: ??? (in /usr/lib64/samba/libauth-samba4.so)
==22502==    by 0x65C781A: auth_check_ntlm_password (in /usr/lib64/samba/libauth-samba4.so)
==22502==    by 0x14E464: ??? (in /usr/sbin/winbindd)
==22502==    by 0x151CED: winbind_dual_SamLogon (in /usr/sbin/winbindd)
==22502==    by 0x152072: winbindd_dual_pam_auth_crap (in /usr/sbin/winbindd)
==22502==    by 0x167DE0: ??? (in /usr/sbin/winbindd)
==22502==    by 0x12F29B12: tevent_common_invoke_fd_handler (in /usr/lib64/libtevent.so.0.9.39)
==22502==    by 0x12F30086: ??? (in /usr/lib64/libtevent.so.0.9.39)
==22502==    by 0x12F2E056: ??? (in /usr/lib64/libtevent.so.0.9.39)
==22502==    by 0x12F2925C: _tevent_loop_once (in /usr/lib64/libtevent.so.0.9.39)
==22502==    by 0x16A243: ??? (in /usr/sbin/winbindd)
==22502==    by 0x16AA04: ??? (in /usr/sbin/winbindd)
==22502==    by 0x12F29F68: tevent_common_invoke_immediate_handler (in /usr/lib64/libtevent.so.0.9.39)
==22502==    by 0x12F29F8F: tevent_common_loop_immediate (in /usr/lib64/libtevent.so.0.9.39)
==22502==    by 0x12F2FE3C: ??? (in /usr/lib64/libtevent.so.0.9.39)
==22502==    by 0x12F2E056: ??? (in /usr/lib64/libtevent.so.0.9.39)
==22502==    by 0x12F2925C: _tevent_loop_once (in /usr/lib64/libtevent.so.0.9.39)
==22502==    by 0x12F4C7: main (in /usr/sbin/winbindd)

You can find one for each string in pdb_copy_sam_account(), in total
this already has 67 MB in total for this valgrind run.

pdb_getsampwnam() -> memcache_add_talloc(NULL, PDB_GETPWSID_CACHE, ...)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15169

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Sep 16 20:30:31 UTC 2022 on sn-devel-184
2022-09-16 20:30:31 +00:00
Jeremy Allison
8587734bf9 CVE-2021-20251 s3: ensure bad password count atomic updates
The bad password count is supposed to limit the number of failed login
attempt a user can make before being temporarily locked out, but race
conditions between processes have allowed determined attackers to make
many more than the specified number of attempts.  This is especially
bad on constrained or overcommitted hardware.

To fix this, once a bad password is detected, we reload the sam account
information under a user-specific mutex, ensuring we have an up to
date bad password count.

Discovered by Nathaniel W. Turner.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-09-12 23:07:38 +00:00
Pavel Filipenský
ccae2a4ab5 s3:auth: Zero memory in sam_password_ok()
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-08-26 07:59:32 +00:00
listout
fb937ddc83 lib/util/access: source3/auth/user_util: Check for INNETGR
Checking for presence of both netgroup and innetgr. INNETGR is not
defined on libc's such as musl so not checking results in a build error.

Signed-off-by: listout <brahmajit.xyz@gmail.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Mon Aug  8 07:28:31 UTC 2022 on sn-devel-184
2022-08-08 07:28:31 +00:00
Samuel Cabrero
ef1d04762a s3:smbd: Free allocated strings before leaving user_in_netgroup() function
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Jun  9 22:40:43 UTC 2022 on sn-devel-184
2022-06-09 22:40:43 +00:00
Samuel Cabrero
21796ef8f8 Revert "s3:smbd: Remove NIS support"
This partly reverts commit edda7a329e.

Revert the chunks related to netgroups and skip NIS support related ones.
Use getdomainname() from glibc instead of yp_get_default_domain() from
libnsl to get the NIS domain name.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15087

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2022-06-09 21:45:28 +00:00
Samuel Cabrero
dbf3d217e3 Revert "s3:auth: Fix user_in_list() for UNIX groups"
This partly reverts commit 6dc463d3e2.

Reverted to allow next revert commits to apply cleanly. Do not recreate
selftest/knownfail.d/usernamemap file.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15087

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2022-06-09 21:45:28 +00:00
Pavel Filipenský
6dc463d3e2 s3:auth: Fix user_in_list() for UNIX groups
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15041

Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>

Autobuild-User(master): Noel Power <npower@samba.org>
Autobuild-Date(master): Thu Apr  7 09:49:44 UTC 2022 on sn-devel-184
2022-04-07 09:49:44 +00:00
Stefan Metzmacher
c56cb12f34 s3:auth: make_user_info_map() should not set mapped_state
mapped_state is only evaluated in authsam_check_password_internals()
of auth_sam.c in source4, so setting it in the auth3 code
doesn't make any difference. I've proved that with
an SMB_ASSERT() and a full pipeline not triggering it.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-03-10 03:16:35 +00:00
Stefan Metzmacher
012bd9f5b7 s3:auth: let make_user_info_netlogon_interactive() set USER_INFO_INTERACTIVE_LOGON
This is not really relevant for now, as USER_INFO_INTERACTIVE_LOGON is
not evaluated in the source3/auth stack. But better add it to
be consistent.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15001

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-03-10 03:16:35 +00:00
Ralph Boehme
1e61de8306 CVE-2020-25717: s3-auth: fix MIT Realm regression
This looks like a regression introduced by the recent security fixes. This
commit should hopefully fixes it.

As a quick solution it might be possible to use the username map script based on
the example in https://bugzilla.samba.org/show_bug.cgi?id=14901#c0. We're not
sure this behaves identical, but it might work in the standalone server case.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14922

Reported-at: https://lists.samba.org/archive/samba/2021-November/238720.html

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2021-12-03 12:05:42 +00:00
Andrew Bartlett
0a546be052 CVE-2020-25717: s3:auth: Fallback to a SID/UID based mapping if the named based lookup fails
Before the CVE-2020-25717 fixes we had a fallback from
getpwnam('DOMAIN\user') to getpwnam('user') which was very dangerous and
unpredictable.

Now we do the fallback based on sid_to_uid() followed by
getpwuid() on the returned uid.

This obsoletes 'username map [script]' based workaround adviced
for CVE-2020-25717, when nss_winbindd is not used or
idmap_nss is actually used.

In future we may decide to prefer or only do the SID/UID based
lookup, but for now we want to keep this unchanged as much as possible.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>

[metze@samba.org moved the new logic into the fallback codepath only
 in order to avoid behavior changes as much as possible]
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Mon Nov 15 19:01:56 UTC 2021 on sn-devel-184
2021-11-15 19:01:56 +00:00
Ralph Boehme
25043ebb2e source3: move lib/substitute.c functions out of proto.h
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14897

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-11-11 13:49:32 +00:00
Stefan Metzmacher
757f1d20e4 CVE-2020-25717: s3:auth: simplify make_session_info_krb5() by removing unused arguments
This is only ever be called in standalone mode with an MIT realm,
so we don't have a PAC/info3 structure.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:33 +00:00
Stefan Metzmacher
e8bb009009 CVE-2020-25717: s3:auth: simplify get_user_from_kerberos_info() by removing the unused logon_info argument
This code is only every called in standalone mode on a MIT realm,
it means we never have a PAC and we also don't have winbindd arround.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:33 +00:00
Stefan Metzmacher
2609e4297e CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() reject a PAC in standalone mode
We should be strict in standalone mode, that we only support MIT realms
without a PAC in order to keep the code sane.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:33 +00:00
Stefan Metzmacher
566c2b296d CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() delegate everything to make_server_info_wbcAuthUserInfo()
This consolidates the code paths used for NTLMSSP and Kerberos!

I checked what we were already doing for NTLMSSP, which is this:

a) source3/auth/auth_winbind.c calls wbcAuthenticateUserEx()
b) as a domain member we require a valid response from winbindd,
   otherwise we'll return NT_STATUS_NO_LOGON_SERVERS
c) we call make_server_info_wbcAuthUserInfo(), which internally
   calls make_server_info_info3()
d) auth_check_ntlm_password() calls
   smb_pam_accountcheck(unix_username, rhost), where rhost
   is only an ipv4 or ipv6 address (without reverse dns lookup)
e) from auth3_check_password_send/auth3_check_password_recv()
   server_returned_info will be passed to auth3_generate_session_info(),
   triggered by gensec_session_info(), which means we'll call into
   create_local_token() in order to transform auth_serversupplied_info
   into auth_session_info.

For Kerberos gensec_session_info() will call
auth3_generate_session_info_pac() via the gensec_generate_session_info_pac()
helper function. The current logic is this:

a) gensec_generate_session_info_pac() is the function that
   evaluates the 'gensec:require_pac', which defaulted to 'no'
   before.
b) auth3_generate_session_info_pac() called
   wbcAuthenticateUserEx() in order to pass the PAC blob
   to winbindd, but only to prime its cache, e.g. netsamlogon cache
   and others. Most failures were just ignored.
c) If the PAC blob is available, it extracted the PAC_LOGON_INFO
   from it.
d) Then we called the horrible get_user_from_kerberos_info() function:
   - It uses a first part of the tickets principal name (before the @)
     as username and combines that with the 'logon_info->base.logon_domain'
     if the logon_info (PAC) is present.
   - As a fallback without a PAC it's tries to ask winbindd for a mapping
     from realm to netbios domain name.
   - Finally is falls back to using the realm as netbios domain name
   With this information is builds 'userdomain+winbind_separator+useraccount'
   and calls map_username() followed by smb_getpwnam() with create=true,
   Note this is similar to the make_server_info_info3() => check_account()
   => smb_getpwnam() logic under 3.
   - It also calls smb_pam_accountcheck(), but may pass the reverse DNS lookup name
     instead of the ip address as rhost.
   - It does some MAP_TO_GUEST_ON_BAD_UID logic and auto creates the
     guest account.
e) We called create_info3_from_pac_logon_info()
f) make_session_info_krb5() calls gets called and triggers this:
   - If get_user_from_kerberos_info() mapped to guest, it calls
     make_server_info_guest()
   - If create_info3_from_pac_logon_info() created a info3 from logon_info,
     it calls make_server_info_info3()
   - Without a PAC it tries pdb_getsampwnam()/make_server_info_sam() with
     a fallback to make_server_info_pw()
   From there it calls create_local_token()

I tried to change auth3_generate_session_info_pac() to behave similar
to auth_winbind.c together with auth3_generate_session_info() as
a domain member, as we now rely on a PAC:

a) As domain member we require a PAC and always call wbcAuthenticateUserEx()
   and require a valid response!
b) we call make_server_info_wbcAuthUserInfo(), which internally
   calls make_server_info_info3(). Note make_server_info_info3()
   handles MAP_TO_GUEST_ON_BAD_UID and make_server_info_guest()
   internally.
c) Similar to auth_check_ntlm_password() we now call
   smb_pam_accountcheck(unix_username, rhost), where rhost
   is only an ipv4 or ipv6 address (without reverse dns lookup)
d) From there it calls create_local_token()

As standalone server (in an MIT realm) we continue
with the already existing code logic, which works without a PAC:
a) we keep smb_getpwnam() with create=true logic as it
   also requires an explicit 'add user script' option.
b) In the following commits we assert that there's
   actually no PAC in this mode, which means we can
   remove unused and confusing code.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14646
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:33 +00:00
Alexander Bokovoy
e2d5b4d709 CVE-2020-25717: Add FreeIPA domain controller role
As we want to reduce use of 'classic domain controller' role but FreeIPA
relies on it internally, add a separate role to mark FreeIPA domain
controller role.

It means that role won't result in ROLE_STANDALONE.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Alexander Bokovoy <ab@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:33 +00:00
Stefan Metzmacher
57abb7f8f8 CVE-2020-25717: s3:auth: don't let create_local_token depend on !winbind_ping()
We always require a running winbindd on a domain member, so
we should better fail a request instead of silently alter
the behaviour, which results in a different unix token, just
because winbindd might be restarted.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:33 +00:00
Ralph Boehme
8f79ee99a6 CVE-2020-25717: s3:auth: remove fallbacks in smb_getpwnam()
So far we tried getpwnam("DOMAIN\account") first and
always did a fallback to getpwnam("account") completely
ignoring the domain part, this just causes problems
as we mix "DOMAIN1\account", "DOMAIN2\account",
and "account"!

As we require a running winbindd for domain member setups
we should no longer do a fallback to just "account" for
users served by winbindd!

For users of the local SAM don't use this code path,
as check_sam_security() doesn't call check_account().

The only case where smb_getpwnam("account") happens is
when map_username() via ("username map [script]")  mapped
"DOMAIN\account" to something without '\', but that is
explicitly desired by the admin.

Note: use 'git show -w'

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:33 +00:00
Stefan Metzmacher
dd0423bfbb CVE-2020-25717: s3:auth: no longer let check_account() autocreate local users
So far we autocreated local user accounts based on just the
account_name (just ignoring any domain part).

This only happens via a possible 'add user script',
which is not typically defined on domain members
and on NT4 DCs local users already exist in the
local passdb anyway.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:33 +00:00
Stefan Metzmacher
28fae9c221 CVE-2020-25717: s3:auth: we should not try to autocreate the guest account
We should avoid autocreation of users as much as possible.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:33 +00:00
Samuel Cabrero
4b78ad7346 CVE-2020-25717: s3:auth: Check minimum domain uid
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

[abartlet@samba.org Removed knownfail on advice from metze]
2021-11-09 19:45:33 +00:00
Stefan Metzmacher
97d5402791 CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() forward the low level errors
Mapping everything to ACCESS_DENIED makes it hard to debug problems,
which may happen because of our more restrictive behaviour in future.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:33 +00:00
Stefan Metzmacher
27d20fc335 CVE-2020-25717: s3:auth: start with authoritative = 1
This is not strictly needed, but makes it easier to audit
that we don't miss important places.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:32 +00:00
Jeremy Allison
91c024dfd8 s3: auth: Andrew noticed f585f01148 doesn't keep the same logic.
This should make it identical.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Sep  8 06:38:21 UTC 2021 on sn-devel-184
2021-09-08 06:38:21 +00:00
Volker Lendecke
ba237d9403 auth: Fix a typo
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-09-07 18:26:33 +00:00
Volker Lendecke
f585f01148 auth: Simplify is_our_machine_account()
Use strnequal instead of duplicating a string

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-09-07 18:26:33 +00:00
Andreas Schneider
ced8390c95 s3:auth: Check return code of cli_credentials_set_conf()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-06-29 02:19:35 +00:00
Andreas Schneider
521f77c667 auth:creds: Add obtained arg to cli_credentials_set_kerberos_state()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-04-28 03:43:34 +00:00
Volker Lendecke
c9508b971c auth3: talloc_strackframe() panics on failure
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Apr 27 14:14:22 UTC 2021 on sn-devel-184
2021-04-27 14:14:22 +00:00
Volker Lendecke
4e034e8f8f auth3: if (ret==False) just looks weird
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-04-27 13:24:35 +00:00
Volker Lendecke
ee431a2987 auth3: Fix a typo
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-04-27 13:24:35 +00:00