sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-26 10:04:02 +03:00
Code
127,874 Commits 60 Branches 1,146 Tags
Commit Graph

67 Commits

Author SHA1 Message Date
Joseph Sutton
ee4aa21c48 selftest: Properly check extra PAC buffers with Heimdal 
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-30 02:42:31 +00:00
Joseph Sutton
1f4f3018c5 heimdal:kdc: Always generate a PAC for S4U2Self 
If we decided not to put a PAC into the ticket, mspac would be NULL
here, and the resulting ticket would not contain a PAC. This could
happen if there was a request to omit the PAC or the service did not
require authorization data. Ensure that we always generate a PAC.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-30 02:42:31 +00:00
Joseph Sutton
192d6edfe9 tests/krb5: Add a test for S4U2Self with no authorization data required 
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-30 02:42:31 +00:00
Joseph Sutton
4b60e95164 kdc: Remove PAC_TYPE_ATTRIBUTES_INFO from RODC-issued tickets 
Windows ignores PAC_TYPE_ATTRIBUTES_INFO and always issues a PAC when
presented with an RODC-issued TGT. By removing this PAC buffer from
RODC-issued tickets, we ensure that an RODC-issued ticket will still
result in a PAC if it is first renewed or validated by the main DC.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-30 02:42:31 +00:00
Joseph Sutton
90025b6a4d kdc: Don't include extra PAC buffers in service tickets 
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-30 02:42:31 +00:00
Joseph Sutton
e61983c7f2 Revert "CVE-2020-25719 s4/torture: Expect additional PAC buffers" 
This reverts commit fa4c9bcefdeed0a7106aab84df20b02435febc1f.

We should not be generating these additional PAC buffers for service
tickets, only for TGTs.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-30 02:42:31 +00:00
Joseph Sutton
73a4806346 tests/krb5: Add tests for renewal and validation of RODC TGTs with PAC requests 
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-30 02:42:31 +00:00
Joseph Sutton
690a00a40c kdc: Always add the PAC if the header TGT is from an RODC 
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-30 02:42:31 +00:00
Joseph Sutton
b6a25f5f01 kdc: Match Windows error code for mismatching sname 
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-30 02:42:31 +00:00
Joseph Sutton
bac5f75059 tests/krb5: Add test for S4U2Self with wrong sname 
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-30 02:42:31 +00:00
Joseph Sutton
d5d22bf84a kdc: Adjust SID mismatch error code to match Windows 
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-30 02:42:31 +00:00
Joseph Sutton
f7a2fef8f4 heimdal:kdc: Adjust no-PAC error code to match Windows 
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-30 02:42:31 +00:00
Joseph Sutton
ca80c47406 tests/krb5: Add tests for validation with requester SID PAC buffer 
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-30 02:42:31 +00:00
Joseph Sutton
ebc9137cee tests/krb5: Align PAC buffer checking to more closely match Windows with PacRequestorEnforcement=2 
We set EXPECT_EXTRA_PAC_BUFFERS to 0 for the moment. This signifies that
these checks are currently not enforced, which avoids a lot of test
failures.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-30 02:42:31 +00:00
Joseph Sutton
ec823c2a83 tests/krb5: Add TGS-REQ tests with FAST 
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-30 02:42:31 +00:00
Joseph Sutton
d95705172b tests/krb5: Adjust error codes to better match Windows with PacRequestorEnforcement=2 
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-30 02:42:31 +00:00
Joseph Sutton
fa65ceb3dc CVE-2020-25718 heimdal:kdc: Add comment about tests for tickets of users not revealed to an RODC 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14886

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:34 +00:00
Joseph Sutton
756934f14c CVE-2020-25719 heimdal:kdc: Require PAC to be present 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14686

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:34 +00:00
Andrew Bartlett
4888e19811 CVE-2020-25722 kdc: Do not honour a request for a 3-part SPN (ending in our domain/realm) unless a DC 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14776

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
 2021-11-09 19:45:34 +00:00
Joseph Sutton
49a13f0fc9 CVE-2020-25719 heimdal:kdc: Verify PAC in TGT provided for user-to-user authentication 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:34 +00:00
Joseph Sutton
f08e6ac862 CVE-2020-25719 heimdal:kdc: Check name in request against name in user-to-user TGT 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:34 +00:00
Joseph Sutton
fd50fecbe9 CVE-2020-25719 heimdal:kdc: Use sname from request rather than user-to-user TGT client name 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:34 +00:00
Joseph Sutton
1d3548aeff CVE-2020-25719 s4:kdc: Add KDC support for PAC_REQUESTER_SID PAC buffer 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:34 +00:00
Andrew Bartlett
43983170fc CVE-2020-25721 auth: Fill in the new HAS_SAM_NAME_AND_SID values 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14835

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
 2021-11-09 19:45:34 +00:00
Joseph Sutton
80257fa37c CVE-2020-25718 kdc: Return ERR_POLICY if RODC krbtgt account is invalid 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:34 +00:00
Andrew Bartlett
b176ddba2a CVE-2020-25718 kdc: Confirm the RODC was allowed to issue a particular ticket 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
 2021-11-09 19:45:34 +00:00
Joseph Sutton
bacb51d0d3 CVE-2020-25719 heimdal:kdc: Require authdata to be present 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14686

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:34 +00:00
Joseph Sutton
2f9245f2a5 CVE-2020-25719 s4:kdc: Add KDC support for PAC_ATTRIBUTES_INFO PAC buffer 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:34 +00:00
Andreas Schneider
0db5c69d29 CVE-2020-25719 s4:kdc: Check if the pac is valid before updating it 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:34 +00:00
Joseph Sutton
fa4c9bcefd CVE-2020-25719 s4/torture: Expect additional PAC buffers 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:33 +00:00
Joseph Sutton
a461b7d4f8 CVE-2020-25719 tests/krb5: Add tests for mismatched names with user-to-user 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:33 +00:00
Joseph Sutton
26480ba2aa CVE-2020-25719 tests/krb5: Add test for user-to-user with no sname 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:33 +00:00
Joseph Sutton
7ff05eb8d4 CVE-2020-25719 tests/krb5: Add tests for requester SID PAC buffer 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:33 +00:00
Joseph Sutton
2e1e57fca8 CVE-2020-25719 tests/krb5: Add tests for PAC-REQUEST padata 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:33 +00:00
Joseph Sutton
b8c85fe81c CVE-2020-25719 tests/krb5: Add tests for PAC attributes buffer 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:33 +00:00
Joseph Sutton
faf47b0b6b CVE-2020-25719 tests/krb5: Adjust PAC tests to prepare for new PAC_ATTRIBUTES_INFO buffer 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:33 +00:00
Joseph Sutton
a236e2cc25 CVE-2020-25719 tests/krb5: Use correct credentials for user-to-user tests 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:33 +00:00
Joseph Sutton
903ab1a027 CVE-2020-25721 tests/krb5: Add tests for extended PAC_UPN_DNS_INFO PAC buffer 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14835

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:32 +00:00
Joseph Sutton
24be204834 CVE-2020-25719 tests/krb5: Add tests for including authdata without a PAC 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:32 +00:00
Joseph Sutton
3af0c36a06 CVE-2020-25718 tests/krb5: Add tests for RODC-printed and invalid TGTs 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:32 +00:00
Joseph Sutton
7f7476b08c CVE-2020-25719 tests/krb5: Add principal aliasing test 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14686

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:32 +00:00
Joseph Sutton
48e5154de6 CVE-2020-25719 tests/krb5: Add a test for making an S4U2Self request without a PAC 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14686

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:32 +00:00
Joseph Sutton
bd87905cf1 CVE-2020-25719 tests/krb5: Add tests for requiring and issuing a PAC 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:32 +00:00
Joseph Sutton
89c88a83da CVE-2020-25722 tests/krb5: Add KDC tests for 3-part SPNs 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14776

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-11-09 19:45:32 +00:00
Joseph Sutton
83a654a4ef tests/krb5: Add tests for constrained delegation to NO_AUTH_DATA_REQUIRED service 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14871

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Oct 20 09:22:43 UTC 2021 on sn-devel-184
 2021-10-20 09:22:43 +00:00
Andrew Bartlett
031a828764 kdc: Correctly strip PAC, rather than error on UF_NO_AUTH_DATA_REQUIRED for servers 
UF_NO_AUTH_DATA_REQUIRED on a server/service account should cause
the PAC to be stripped not to given an error if the PAC was still
present.

Tested against Windows 2019

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14871

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2021-10-20 08:31:31 +00:00
Andrew Bartlett
92e8ce18a7 kdc: Remove UF_NO_AUTH_DATA_REQUIRED from client principals 
Tests against Windows 2019 show that UF_NO_AUTH_DATA_REQUIRED
applies to services only, not to clients.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14871

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2021-10-20 08:31:31 +00:00
Joseph Sutton
9d3a691920 tests/krb5: Add tests for requesting a service ticket without a PAC 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sun Oct 17 23:40:33 UTC 2021 on sn-devel-184
 2021-10-17 23:40:33 +00:00
Joseph Sutton
02fa69c6c7 s4:kdc: Check ticket signature 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-10-14 18:59:32 +00:00
Joseph Sutton
28a5a586c8 s4/heimdal/lib/krb5/pac.c: Align PAC buffers to match Windows 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-10-14 18:59:31 +00:00