1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00
Commit Graph

49 Commits

Author SHA1 Message Date
Joseph Sutton
bbfa98ec05 s4:kdc: Remove support code for older versions of MIT Kerberos
The oldest version we now support is 1.21. For every supported version
we can be certain that KRB5_KDB_API_VERSION >= 10 and
KRB5_KDB_DAL_MAJOR_VERSION >= 9.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-21 23:37:29 +00:00
Joseph Sutton
8479622096 lib:krb5_wrap: Add helper functions to make krb5_data structure
These will be used in following commits.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-10-05 04:23:33 +00:00
Joseph Sutton
3e773a3954 CVE-2022-2031 s4:kdc: Limit kpasswd ticket lifetime to two minutes or less
This matches the behaviour of Windows.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-07-27 10:52:36 +00:00
Andreas Schneider
2a79a5eef8 s4:mit-samba: Pass flags to mit_samba_get_pac()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-04-13 12:59:30 +00:00
Andreas Schneider
c29d5fcbea s4:mit-samba: Pass flags to ks_get_pac()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-04-13 12:59:30 +00:00
Andreas Schneider
59d1044e55 Add missing final newline to end of c file
find $(pwd) -type f -name "*.c" | xargs sed -i -e '$a\'

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-04-01 10:29:31 +00:00
Stefan Metzmacher
c2eb50861d s4:kdc: let samba_kdc_entry take references to sdb_entry and kdc_entry
kdc_entry can be hdb_entry or krb5_db_entry.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-03-24 09:19:33 +00:00
Andreas Schneider
d0e4b612c2 s4:mitkdc: Implement support for Resource Based Constrained Delegation (RBCD)
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-03-04 14:05:31 +00:00
Andreas Schneider
b20606b291 s4:mitkdc: Add support for S4U2Self & S4U2Proxy
Pair-Programmed-With: Alexander Bokovoy <ab@samba.org>
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-03-04 14:05:31 +00:00
Andreas Schneider
f1ca16f309 s4:mitkdc: Add support for MIT Kerberos 1.20
This also addresses CVE-2020-17049.

MIT Kerberos 1.20 is in pre-release state at the time writing this commit. It
will be released in autumn 2022. We need to support MIT Kerberos 1.19 till
enough distributions have been released with MIT Kerberos 1.20.

Pair-Programmed-With: Robbie Harwood <rharwood@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-03-04 14:05:31 +00:00
Andreas Schneider
abbeb5c217 s4:mitkdc: Call krb5_pac_init() in kdb_samba_db_sign_auth_data()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-12-15 03:41:32 +00:00
Andreas Schneider
731d9c42d0 s4:mitkdc: Pass NULL to ks_get_pac() as the client_key
This is unused with MIT KRB5 < 1.20 as this is probably not the right key.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-12-15 03:41:32 +00:00
Andreas Schneider
e95fb04c5d s4:mitkdc: Add support for pac_attrs and requester_sid
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-12-15 03:41:32 +00:00
Andreas Schneider
b46a942f95 s4:mitkdc: Reset errno to 0 for com_err messages
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-12-15 03:41:32 +00:00
Andreas Schneider
c69bfa0939 s4:mitkdc: Use talloc_get_type_abort() in ks_get_context()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-12-15 03:41:32 +00:00
Andreas Schneider
d128a85f99 s4:mit-kdb: Reduce includes to only what's needed
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2021-11-29 08:39:37 +00:00
Andreas Schneider
435719185c CVE-2020-25719 mit-samba: Rework PAC handling in kdb_samba_db_sign_auth_data()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:34 +00:00
Andreas Schneider
d14a6a8846 CVE-2020-25719 mit-samba: If we use client_princ, always lookup the db entry
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:34 +00:00
Andreas Schneider
4ef445a1f3 CVE-2020-25719 mit-samba: Add ks_free_principal()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

[abartlet@samba.org As submitted in patch to Samba bugzilla
 to address this issue as https://attachments.samba.org/attachment.cgi?id=16724
 on overall bug https://bugzilla.samba.org/show_bug.cgi?id=14725]

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2021-11-09 19:45:34 +00:00
Andreas Schneider
d0fb22ee85 CVE-2020-25719 mit-samba: Make ks_get_principal() internally public
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:34 +00:00
Andrew Bartlett
9b9fd2a0d9 mit-kdc: Remove build time support for KDB_API < 10
The previous commits restricted to MIT KDC build to MIT 1.19 and this removes the
 #ifdef in the code of what will become untested code.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Aug 26 07:05:44 UTC 2021 on sn-devel-184
2021-08-26 07:05:44 +00:00
Andreas Schneider
104fc35390 mit-samba: Only set the function opening bracket once
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Aug  5 10:33:18 UTC 2021 on sn-devel-184
2021-08-05 10:33:18 +00:00
Andreas Schneider
41d906301b mit-samba: Define debug class for kdb module
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-08-05 09:46:30 +00:00
Isaac Boukris
0982980dc6 mit-kdc: Explicitly reject S4U requests
Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Isaac Boukris <iboukris@samba.org>
Autobuild-Date(master): Tue Mar 10 14:46:04 UTC 2020 on sn-devel-184
2020-03-10 14:46:04 +00:00
Isaac Boukris
3434758637 Sign and verify PAC with ticket principal instead of canon principal
With MIT library 1.18 the KDC no longer set
KRB5_KDB_FLAG_CANONICALIZE for enterprise principals which allows
us to not canonicalize them (like in Windows / Heimdal).

However, it now breaks the PAC signature verification as it was
wrongly done using canonical client rather than ticket client name.

Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2020-03-10 13:02:27 +00:00
Isaac Boukris
bebad45b29 Adapt sign_authdata in our KDB module for krb5 v1.18
Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2020-03-10 13:02:27 +00:00
Simo Sorce
2241ce8e86 mit-kdb: Fix license on header file
Signed-off-by: Simo Sorce <idra@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Dec 17 09:24:56 UTC 2019 on sn-devel-184
2019-12-17 09:24:56 +00:00
Andreas Schneider
7cddbcf039 CVE-2018-16853: Do not segfault if client is not set
This can be triggered with FAST but we don't support this yet.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13571

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-11-28 08:22:24 +01:00
Isaac Boukris
6c453aeb0c CVE-2018-16853: The ticket in check_policy_as can actually be a TGS
This happens when we are called from S4U2Self flow, and in that case
kdcreq->client is NULL.  Use the name from client entry instead.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13571

Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-11-28 08:22:24 +01:00
Alexander Bokovoy
7c1c8c6817 mit-kdb: support MIT Kerberos 1.16 KDB API changes
MIT Kerberos 1.16 adds ability to audit local and remote addresses
during AS_REQ processing. As result, audit_as_req callback signature
was changed to include the addresses and KDB API version was increased.

Change mit-kdb code to properly expose audit_as_req signature KDC
expects in 1.16 version. Also update #ifdefs to account for the new
KDB API version.

This commit does not add actual audit of the local and remote IP
addresses, it only makes it possible to compile against MIT Kerberos
1.16.

Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Jan 19 01:36:22 CET 2018 on sn-devel-144
2018-01-19 01:36:22 +01:00
Andreas Schneider
9b64b11c2f mit-kdb: Fix NULL pointer check after malloc
This fixes building with GCC 7.1.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12930

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Jul 24 18:45:34 CEST 2017 on sn-devel-144
2017-07-24 18:45:33 +02:00
Andreas Schneider
0668c460b4 s4-kdc: Use mit_samba_reget_pac() in ks_verify_pac()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-04-29 23:31:12 +02:00
Andreas Schneider
bff4311ec4 s4-kdc: Use mit_samba_get_pac() in ks_get_pac()
This adds UPN_DNS_INFO to the PAC.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-04-29 23:31:11 +02:00
Andreas Schneider
990cca36b1 mit-kdb: Update KDB vtable for DAL version 6
This changed between 1.14 and 1.15. Also the 1.15 change removed the
ability that the KDB module can free memory. This caused issues of
serveral projects. It got fixed with 1.15.1.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-04-29 23:31:08 +02:00
Andreas Schneider
72fe43f218 mit-kdb: Remove unneeded memset()
The memory has been allocated with calloc() already.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2017-01-12 15:35:13 +01:00
Andreas Schneider
adcb8a9197 mit-kdb: Use calloc() to allocate memory
This avoids a memset().

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2017-01-12 15:35:12 +01:00
Andreas Schneider
bb72aec13f mit-kdb: Add support for KDB version 8
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-03-17 04:32:29 +01:00
Andreas Schneider
b0f2165901 mit-kdb: Add support for bad password count
This fixes the samba4.ldap.password_lockout.python test.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-03-17 04:32:29 +01:00
Günther Deschner
05cc9b0af9 mit-kdb: Restrict admin/changepw principal db_entry with some flags
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Guenther Deschner <gd@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-03-17 04:32:29 +01:00
Günther Deschner
b76cf191d9 mit-kdb: Return 0 in kdb_samba_db_put_principal()
This allows the kadmin server to assume an update of a db_entry has
succeeded (while in fact the update_pwd call did the update already).

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-03-17 04:32:29 +01:00
Andreas Schneider
5a6819dbee mit-kdb: Implement KDB function to change passwords
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-03-17 04:32:29 +01:00
Günther Deschner
f5e86db147 mit-kdb: Use calloc to initialize master keylists.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-03-17 04:32:29 +01:00
Andreas Schneider
fab9fe0177 mit-kdb: Add ks_get_admin_principal() and use it for kadmin users.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-03-17 04:32:29 +01:00
Andreas Schneider
5a4e3adbda mit-kdb: Add ks_create_principal().
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-03-17 04:32:29 +01:00
Andreas Schneider
742b4c3da8 mit-kdb: Do not allow to get a kadmin ticket as a client.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-03-17 04:32:28 +01:00
Andreas Schneider
e13e9c54f5 mit-kdb: Add more ks_is_kadmin* functions.
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Guenther Deschner <gd@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-03-17 04:32:28 +01:00
Günther Deschner
d787d35d97 mit-kdb: Use calloc so both authdata elements are zeroed
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-03-17 04:32:28 +01:00
Günther Deschner
1b6a085b7f mit-kdb: Do not overwrite the error code in failure case.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-03-17 04:32:28 +01:00
Andreas Schneider
ade958e20b mit-kdb: Add initial MIT KDB Samba driver
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Simo Sorce <idra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Simo Sorce <idra@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-03-17 04:32:28 +01:00