1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

128 Commits

Author SHA1 Message Date
Joseph Sutton
6a10e890a0 CVE-2022-2031 auth: Add ticket type field to auth_user_info_dc and auth_session_info
This field may be used to convey whether we were provided with a TGT or
a non-TGT. We ensure both structures are zeroed out to avoid incorrect
results being produced by an uninitialised field.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-07-27 10:52:36 +00:00
Andrew Bartlett
f161e3f18f dsdb: Remove parsing of LM password hash from "dBCSPwd" attribute
This means Samba will essentially ignore this attribute, not even attempting
to read it from the AD DC sam.ldb

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-03-17 01:57:38 +00:00
Andreas Schneider
41ffba1302 s4:auth: Also look up msDS-AllowedToActOnBehalfOfOtherIdentity for RBCD
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-03-04 14:05:31 +00:00
Andreas Schneider
1a4d43d38e s4:auth: Remove trailing spaces in sam.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-03-04 14:05:31 +00:00
Stefan Metzmacher
f6fe86924c s4:sam: Don't use talloc_steal for msg attributes in authsam_make_user_info_dc()
This is most likely not a problem for the current callers,
but that it is unexpected and will likely cause problems with future
changes.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14993
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-03-01 17:11:35 +00:00
Andrew Bartlett
b176ddba2a CVE-2020-25718 kdc: Confirm the RODC was allowed to issue a particular ticket
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2021-11-09 19:45:34 +00:00
Douglas Bagnall
0586395701 s4/auth/sam: silence CID 1435849
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-05-09 22:39:27 +00:00
Isaac Boukris
d94c8992f9 sam.c: allocate account_sid on tmp_ctx
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Mar  6 04:30:22 UTC 2019 on sn-devel-144
2019-03-06 04:30:22 +00:00
Isaac Boukris
ce83b21be8 sam.c: fix incorrect check of talloc_new() allocation
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2019-03-06 03:16:15 +00:00
Volker Lendecke
186fff5fc3 auth4: Use dom_sid_str_buf
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2019-01-08 03:40:28 +01:00
Volker Lendecke
602d247e0b auth4: Use dom_sid_str_buf
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-11-02 21:21:15 +01:00
Volker Lendecke
831ee63f54 lib: Add error checks in dom_sid_string_buf
Also, avoid casts by using PRIxxx macros

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-11-02 17:03:26 +01:00
Tim Beale
2fa2f132ae dsdb: Avoid calculating the PSO multiple times
In a typical user login query, the code tries to work out the PSO 2-3
times - once for the msDS-ResultantPSO attribute, and then again for the
msDS-User-Account-Control-Computed & msDS-UserPasswordExpiryTimeComputed
constructed attributes.

The PSO calculation is reasonably expensive, mostly due to the nested
groups calculation. If we've already constructed the msDS-ResultantPSO
attribute, then we can save ourselves extra work by just re-fetching the
result directly, rather than expanding the nested groups again from
scratch.

The previous patch improves efficiency when there are no PSOs in the
system. This should improve the case where there are PSOs that apply to
the users. (Unfortunately, it won't help where there are some PSOs in
the system, but no PSO applies to the user being queried).

Also updated sam.c so the msDS-ResultantPSO gets calculated first,
before the other constructed attributes.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

Autobuild-User(master): Garming Sam <garming@samba.org>
Autobuild-Date(master): Wed May 23 10:09:11 CEST 2018 on sn-devel-144
2018-05-23 10:09:10 +02:00
Tim Beale
442a38c918 dsdb/auth: Use PSO settings for lockOutThreshold/Duration
If a PSO applies to a user, use its lockOutThreshold/Duration settings
instead of the domain setting. When we lookup a user, we now include the
msDS-ResultantPSO attribute. If the attribute is present for a user,
then we lookup the corresponding PSO object to get the lockOutThreshold/
Duration settings.

Note: This is not quite enough to make the PSO lockout tests pass, as
msDS-User-Account-Control-Computed is still constructed based on the
domain lockoutDuration setting rather than the PSO.

Updating the password_hash.c code properly will be done in a subsequent
commit.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2018-05-23 06:55:30 +02:00
Andrew Bartlett
20fda4f600 auth: Use DBGC_AUTH as DBGC_CLASS for AD DC auth session code.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue May 22 02:42:32 CEST 2018 on sn-devel-144
2018-05-22 02:42:32 +02:00
Stefan Metzmacher
4565ac5998 s4:auth: add authsam_update_user_info_dc() that implements SID expanding for the local domain
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13300

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-19 20:30:51 +01:00
Stefan Metzmacher
d6ee065119 s4:auth: split out a authsam_domain_group_filter() function
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13300

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-19 20:30:51 +01:00
Garming Sam
fd29e28d52 netlogon: Implement SendToSam along with its winbind forwarding
This allows you to forward bad password count resets to 0. Currently,
there is a missing access check for the RODC to ensure it only applies
to cached users (msDS-Allowed-Password-Replication-Group).

(further patches still need to address forcing a RWDC contact)

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-30 08:06:07 +02:00
Garming Sam
b50a147a7e auth_winbind: Allow badPwdCount to be set to 0 with this auth method
We rely on the other SAM modules to increment the badPwdCount locally,
but we must reset to 0 if the remote sends a success (to override our
failure).

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-30 08:06:06 +02:00
Garming Sam
94256c9606 password-lockout: Allow RODC to ensure lockout and lockout reset
Prior to this, the modification of lockoutTime triggered referrals.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-04-13 07:29:18 +02:00
Garming Sam
de26e2f87a sam.c: Make NTLM login set logonCount when unset
Previously, it only bothered if it was being incremented. Now on first
logon, it should turn the unset logonCount to 0.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-04-13 07:29:17 +02:00
Garming Sam
12c7373e94 auth/sam: Remove lastLogonTimestamp from RODC success accounting
This is because it cannot be updated here (only SendToSAM) and prevents
RODC from resetting the badPwdCount (as well as lockoutTime, which needs
to be fixed to allow RODC local modification).

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-03-27 20:08:18 +02:00
Stefan Metzmacher
6257003dff s4:auth: fill user_principal_* and dns_domain_name in authsam_make_user_info_dc()
This is required in order to support netr_SamInfo6 and PAC_UPN_DNS_INFO
correctly.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:26 +02:00
Stefan Metzmacher
432e83bf5b s4:auth: make use of lpcfg_sam_name() in authsam_get_user_info_dc_principal()
This is more generic and matches all other places.

As this is only used in the KDC it's not a real logic change.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:26 +02:00
Stefan Metzmacher
853c2a6d8a s4:auth/sam: update the logonCount for interactive logons
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:24 +02:00
Stefan Metzmacher
869616ceb9 s4:auth/sam: don't update lastLogon just because it's 0 currently
Non interactive logons doesn't trigger an update
unless the (effective) badPwdCount is not 0 and lockoutTime is 0.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:24 +02:00
Stefan Metzmacher
1acd477960 s4:auth/sam: only reset badPwdCount when the effetive value is not 0 already
Non interactive logons doesn't reset badPwdCount to 0
when the effective badPwdCount is already 0
(with (badPasswordTime + lockOutObservationWindows) < now).

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:24 +02:00
Stefan Metzmacher
9be4860511 s4:auth/sam: use "msDS-UserPasswordExpiryTimeComputed" instead of samdb_result_force_password_change()
The logic in samdb_result_force_password_change() is incomplete
and the correct logic is already available via the constructed
"msDS-UserPasswordExpiryTimeComputed" attribute.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:23 +02:00
Douglas Bagnall
795f4729ca auth: keep track of lastLogon and lastLogonTimestamp
lastLogon is supposed to be updated for every interactive or kerberos
login, and (according to testing against Windows2012r2) when the bad
password count is non-zero but the lockout time is zero. It is not
replicated.

lastLogonTimestamp is updated if the old value is more than 14 -
random.choice([0, 1, 2, 3, 4, 5]) days old, and it is replicated. The
14 in this calculation is the default, stored as
"msDS-LogonTimeSyncInterval", which we offer no interface for
changing.

The authsam_zero_bad_pwd_count() function is a convenient place to
update these values, as it is called upon a successful logon however
that logon is performed. That makes the function's name inaccurate, so
we rename it authsam_logon_success_accounting(). It also needs to be
told whet5her the login is interactive.

The password_lockout tests are extended to test lastLogon and
lasLogonTimestamp.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Ralph Boehme <slow@samba.org>
2015-12-15 00:08:57 +01:00
Stefan Metzmacher
0deb1d9c4a s4:auth/sam: remove unused sam_get_results_trust()
This is replaced by dsdb_trust_search_tdo() now.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:21 +02:00
Andrew Bartlett
80be6993c9 auth: Split out fetching trusted domain into sam_get_results_trust()
This new helper function will also be used by pdb_samba_dsdb.

Change-Id: I008af94a0822012c211cfcc6108a8b1285f4d7c7
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-09-01 00:36:42 +02:00
Andrew Bartlett
f557f82acc s4-auth: Support password history correctly, including allowing NTLM logins using the old password
This is only done during a 1 hour allowed period, by default.

We only update bad password count when not one of the last 3 passwords

Andrew Bartlett

Change-Id: I76fd8010ce273a21efb55f9601d17b9978a0acf0
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2014-04-02 17:12:47 +02:00
Andrew Bartlett
8a89f7f4bc dsdb: Move dsdb_update_bad_pwd_count to dsdb/common/util.c
This allows the password_hash code to call the same update routine.

Andrew Bartlett

Change-Id: I3d954469defa3f5d26ffc5ae0583ec7e1957ea11
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-02 17:12:47 +02:00
Andrew Bartlett
26c0eb623f auth: Split out badPwdCount update into a helper function
This will allow password_hash to call this using dsdb_module_*() functions.

Andrew Bartlett

Change-Id: Ib6705300f3f12f4e5e9c73bfd041e6f72bb3ac4a
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-02 17:12:47 +02:00
Andrew Bartlett
7e653f5ae2 s4-auth: Add authsam_zero_bad_pwd_count to zero out badPwdCount and lockoutTime on successful login
Change-Id: I2530f08a91f9b6484203dbdaba988f2df1a04ea1
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-02 17:12:47 +02:00
Andrew Bartlett
3f07737fd4 s4:auth: Add password lockout support to the AD DC
Including a fix by Arvid Requate <requate@univention.de>

Change-Id: I25d10da50dd6119801cd37349cce970599531c6b
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-02 17:12:46 +02:00
Andrew Bartlett
6f8fb163e0 dsdb: Rework samdb_result_acct_flags to use either userAccountControl or msDS-User-Account-Control-Computed
This allows us to avoid the domain lookup in the constructed attribute
when not required.

By using msDS-User-Account-Control-Computed the lockout and password
expiry checks are now handled in the operational ldb module.

Andrew Bartlett

Change-Id: I6eb94933e4602e2e50c2126062e9dfa83a46191b
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-02 17:12:46 +02:00
Stefan Metzmacher
9a36fabde0 s4:auth/sam: use a higher time resolution in authsam_account_ok()
Change-Id: I2961e7311f31e239a6768f56437e5c112a7a9bb0
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-04-02 17:12:46 +02:00
Stefan Metzmacher
e1d5b8a734 s4:auth: avoid str_list related const warnings
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-04-02 09:03:43 +02:00
Garming Sam
d2beff59ec Remove the remaining uses of the macro NT_STATUS_HAVE_NO_MEMORY_AND_FREE in the codebase.
Following the current coding guidelines, it is considered bad practice to return from
within a macro and change control flow as they look like normal function calls.

Change-Id: Id1b540cde127395a7b27385a7c0fe79f3a145c73
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-03-05 16:33:21 +01:00
Garming Sam
952bc3cad0 Remove a number of NT_STATUS_HAVE_NO_MEMORY_AND_FREE macros from the codebase.
Following the current coding guidelines, it is considered bad practice to return from
within a macro and change control flow as they look like normal function calls.

Change-Id: I133eb5a699757ae57b87d3bd3ebbcf5b556b0268
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-03-05 16:33:21 +01:00
Andrew Tridgell
0c944d07dc s4-sam: don't look in GC NCs for user accounts
We need to exclude GC partial replica naming contexts from SAM lookups

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-10-04 15:08:57 +11:00
Stefan Metzmacher
ad45072aaf s4:kdc: implement samba_kdc_check_s4u2proxy()
metze
2011-06-24 19:06:44 +02:00
Andrew Bartlett
a2ce53c1f5 s4-auth Rework auth subsystem to remove struct auth_serversupplied_info
This changes auth_serversupplied_info into the IDL-defined struct
auth_user_info_dc.  This then in turn contains a struct
auth_user_info, which is the only part of the structure that is
mainted into the struct session_info.

The idea here is to avoid keeping the incomplete results of the
authentication (such as session keys, lists of SID memberships etc) in
a namespace where it may be confused for the finalised results.

Andrew Barltett
2011-02-09 01:11:06 +01:00
Andrew Bartlett
fbe6d155bf s4-auth Remove special case for account_sid from auth_serversupplied_info
This makes everything reference a server_info->sids list, which is now
a struct dom_sid *, not a struct dom_sid **.  This is in keeping with
the other sid lists in the security_token etc.

In the process, I also tidy up the talloc tree (move more structures
under their logical parents) and check for some possible overflows in
situations with a pathological number of sids.

Andrew Bartlett
2011-01-20 23:44:05 +01:00
Andrew Bartlett
ece6eae4d8 s4-auth Add function to obtain any user's session_info from a given LDB
This will be a building block for a tokenGroups test, which can
compare against a remote server (in particular the rootDSE) against
what we would calculate the tokenGroups to be.

(this meant moving some parts out of the auth_sam code into the
containing library)

Andrew Bartlett
2011-01-14 16:39:32 +11:00
Andrew Bartlett
c82269cf86 s4-auth use new dsdb_expand_nested_groups()
This isn't quite as good as using tokenGroups, but that is only
available for BASE searches, and this isn't how the all the callers
work at the moment.

Andrew Bartlett
2011-01-14 16:39:32 +11:00
Matthias Dieter Wallnöfer
f92055f298 s4:dsdb/common/util_samr.c and auth/sam.c - fix error message 2010-12-04 14:27:40 +01:00
Matthias Dieter Wallnöfer
e2a89d6ba7 s4:auth/sam.c - when printing out a string buffer we don't strictly need the width
The precision (maximum numbers of characters) should be enough.

Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Fri Dec  3 10:26:39 CET 2010 on sn-devel-104
2010-12-03 10:26:39 +01:00
Matthias Dieter Wallnöfer
4ae9aec17c s4:auth/sam.c - the check for the SAMDB needs to be on the top of the call
Otherwise it's really useless.
2010-12-03 09:19:42 +01:00