Stefan Metzmacher
396b19acac
CVE-2021-23192: python/tests/dcerpc: add tests to check how security contexts relate to fragmented requests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>
2021-11-08 10:46:45 +01:00
Stefan Metzmacher
f2de7ce500
CVE-2021-23192: python/tests/dcerpc: fix do_single_request(send_req=False)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>
2021-11-08 10:46:45 +01:00
Stefan Metzmacher
5b96c3f932
CVE-2021-23192: python/tests/dcerpc: let generate_request_auth() use g_auth_level in all places
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>
2021-11-08 10:46:45 +01:00
Stefan Metzmacher
ce2a20fa4b
CVE-2021-23192: python/tests/dcerpc: change assertNotEquals() into assertNotEqual()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>
2021-11-08 10:46:45 +01:00
Stefan Metzmacher
2d5fef5e22
CVE-2020-25722 pytests: Give computer accounts unique (and valid) sAMAccountNames and SPNs
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2021-11-08 10:46:45 +01:00
Joseph Sutton
1a24abc355
CVE-2020-25719 tests/krb5: Add tests for using a ticket with a renamed account
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:45 +01:00
Joseph Sutton
b28a7db8a4
CVE-2020-25718 tests/krb5: Only fetch RODC account credentials when necessary
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:45 +01:00
Andrew Bartlett
eac75fb3b6
CVE-2020-25721 auth: Fill in the new HAS_SAM_NAME_AND_SID values
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14835
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2021-11-08 10:46:45 +01:00
Joseph Sutton
694b16b516
CVE-2020-25722 pytest: Raise an error when adding a dynamic test that would overwrite an existing test
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:44 +01:00
Joseph Sutton
473f1b6481
CVE-2020-25719 tests/krb5: Add tests for mismatched names with user-to-user
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:44 +01:00
Joseph Sutton
a2de8b1c17
CVE-2020-25719 tests/krb5: Add test for user-to-user with no sname
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:44 +01:00
Joseph Sutton
bccbedcee2
CVE-2020-25719 tests/krb5: Add tests for requester SID PAC buffer
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:44 +01:00
Joseph Sutton
2465874ef8
CVE-2020-25719 tests/krb5: Add tests for PAC-REQUEST padata
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:44 +01:00
Joseph Sutton
9d5d2d0ae4
CVE-2020-25719 tests/krb5: Add tests for PAC attributes buffer
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:44 +01:00
Joseph Sutton
1c8fbb41c2
CVE-2020-25719 tests/krb5: Add expected parameters to cache key for obtaining tickets
If multiple calls to get_tgt() or get_service_ticket() specify different
expected parameters, we want to perform the request again so that the
checking can be performed, rather than reusing a previously obtained
ticket and potentially skipping checks.
It should be fine to cache tickets with the same expected parameters, as
tickets that fail to be obtained will not be stored in the cache, so the
checking will happen for every call.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:44 +01:00
Joseph Sutton
08c388112f
CVE-2020-25719 tests/krb5: Add EXPECT_PAC environment variable to expect pac from all TGS tickets
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:44 +01:00
Joseph Sutton
c8f445ad6b
CVE-2020-25719 tests/krb5: Add testing for PAC_TYPE_REQUESTER_SID PAC buffer
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:44 +01:00
Joseph Sutton
a9a3783182
CVE-2020-25719 tests/krb5: Add testing for PAC_TYPE_ATTRIBUTES_INFO PAC buffer
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:44 +01:00
Joseph Sutton
c813b12d0f
CVE-2020-25719 tests/krb5: Add _modify_tgt() method for modifying already obtained tickets
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:44 +01:00
Joseph Sutton
e875ebd31d
CVE-2020-25719 tests/krb5: Extend _get_tgt() method to allow more modifications to tickets
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:44 +01:00
Joseph Sutton
c6ca9b34ad
CVE-2020-25719 tests/krb5: Adjust expected error code for S4U2Self no-PAC tests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:44 +01:00
Joseph Sutton
30e11e0d22
CVE-2020-25719 tests/krb5: Adjust expected error codes for user-to-user tests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:44 +01:00
Joseph Sutton
8eeeececd2
CVE-2020-25719 tests/krb5: Adjust PAC tests to prepare for new PAC_ATTRIBUTES_INFO buffer
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:44 +01:00
Joseph Sutton
85f43f2ccb
CVE-2020-25719 tests/krb5: Use correct credentials for user-to-user tests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:44 +01:00
Joseph Sutton
78b7f477d5
CVE-2020-25719 tests/krb5: Return ticket from _tgs_req()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:44 +01:00
Joseph Sutton
e4a06fdb47
CVE-2020-25719 tests/krb5: Expect 'renew-till' element when renewing a TGT
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:44 +01:00
Joseph Sutton
8693af19e0
CVE-2020-25719 tests/krb5: Don't expect a kvno for user-to-user
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:44 +01:00
Joseph Sutton
169a4d4d14
CVE-2020-25719 tests/krb5: Allow update_pac_checksums=True if the PAC is not present
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:44 +01:00
Joseph Sutton
ef65925a41
CVE-2020-25719 tests/krb5: Provide expected parameters for both AS-REQs in get_tgt()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:44 +01:00
Joseph Sutton
9165ba3575
CVE-2020-25718 tests/krb5: Fix indentation
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:44 +01:00
Douglas Bagnall
503106c6b3
CVE-2020-25722 pytest: test setting servicePrincipalName over ldap
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:44 +01:00
Douglas Bagnall
f1b6fe0097
CVE-2020-25722 pytest: test sAMAccountName/userPrincipalName over ldap
Because the sam account name + the dns host name is used as the
default user principal name, we need to check for collisions between
these. Fixes are coming in upcoming patches.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:44 +01:00
Douglas Bagnall
87d003ad56
CVE-2020-25722 samba-tool spn add: remove --force option
This did not actually *force* the creation of a duplicate SPN, it just
ignored the client-side check for the existing copy. Soon we are going
to enforce SPN uniqueness on the server side, and this --force will not
work. This will make the --force test fail, and if that test fails, so
will others that depend on the duplicate values. So we remove those tests.
It is wrong-headed to try to make duplicate SPNs in any case, which is
probably why there is no sign of anyone ever having used this option.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:44 +01:00
Douglas Bagnall
848843db97
CVE-2020-25722 samba-tool spn: accept -H for database url
Following the convention and making testing easier.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:44 +01:00
Douglas Bagnall
db401161cf
CVE-2020-25722 pytest: assertRaisesLdbError invents a message if you're lazy
This makes it easier to convert tests that don't have good messages.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:44 +01:00
Douglas Bagnall
25790f26c6
CVE-2020-25722 pytests: add reverse lookup dict for LDB error codes
You can give ldb_err() a number, an LdbError, or a sequence of
numbers, and it will return the corresponding strings. Examples:
ldb_err(68)      # "LDB_ERR_ENTRY_ALREADY_EXISTS"
LDB_ERR_LUT[68]  # "LDB_ERR_ENTRY_ALREADY_EXISTS"

expected = (ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS,
            ldb.ERR_INVALID_CREDENTIALS)
try:
    foo()
except ldb.LdbError as e:
    self.fail(f"got {ldb_err(e)}, expected one of {ldb_err(expected)}")
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:43 +01:00
Samuel Cabrero
7ca428223f
CVE-2020-25717: selftest: Add a test for the new 'min domain uid' parameter
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
[abartlet@samba.org Fixed knownfail per instruction from metze]
2021-11-08 10:46:43 +01:00
Joseph Sutton
cc26ffe586
CVE-2020-25719 CVE-2020-25717 tests/krb5: Adapt tests for connecting without a PAC to new error codes
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14799
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:43 +01:00
Stefan Metzmacher
e31b6f6094
CVE-2020-25719 CVE-2020-25717 tests/krb5: Add tests for connecting to services anonymously and without a PAC
At the end of the patchset we assume NT_STATUS_NO_IMPERSONATION_TOKEN if
no PAC is available.
For now we want to look for ACCESS_DENIED as this allows
the test to pass (showing that gensec:require_pac = true
is a useful partial mitigation).
This will also help others doing backports that do not
take the full patch set.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14799
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:43 +01:00
Joseph Sutton
6dda0f61bb
CVE-2020-25721 tests/krb5: Add tests for extended PAC_UPN_DNS_INFO PAC buffer
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14835
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:43 +01:00
Joseph Sutton
61fcb75251
CVE-2020-25719 tests/krb5: Add tests for including authdata without a PAC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:43 +01:00
Joseph Sutton
8b92d9a36c
CVE-2020-25718 tests/krb5: Add tests for RODC-printed and invalid TGTs
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:43 +01:00
Joseph Sutton
faba235a34
CVE-2020-25719 tests/krb5: Add principal aliasing test
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14686
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:43 +01:00
Joseph Sutton
62de092e86
CVE-2020-25719 tests/krb5: Add a test for making an S4U2Self request without a PAC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14686
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:43 +01:00
Joseph Sutton
888c6fbce8
CVE-2020-25719 tests/krb5: Add tests for requiring and issuing a PAC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:43 +01:00
Joseph Sutton
adea7022c7
CVE-2020-25721 ndrdump: Add tests for PAC with UPN_DNS_INFO
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14835
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:43 +01:00
Joseph Sutton
1d70752e75
CVE-2020-25722 tests/krb5: Add KDC tests for 3-part SPNs
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14776
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:43 +01:00
Joseph Sutton
1dda66e97d
CVE-2020-25719 CVE-2020-25717 tests/krb5: Allow create_ccache_with_user() to return a ticket without a PAC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14799
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:43 +01:00
Joseph Sutton
d1777f8e02
CVE-2020-25719 CVE-2020-25717 tests/krb5: Refactor create_ccache_with_user() to take credentials of target service
This allows us to use get_tgt() and get_service_ticket() to obtain
tickets, which simplifies the logic.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14799
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:43 +01:00
Joseph Sutton
1c440ea657
CVE-2020-25721 tests/krb5: Check PAC buffer types when STRICT_CHECKING=0
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14835
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:43 +01:00