1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00
Commit Graph

139208 Commits

Author SHA1 Message Date
Stefan Metzmacher
fac378485f pycredentials: add py_creds_encrypt_netr_PasswordInfo helper
This will replace py_creds_encrypt_samr_password in the next steps
and prepares the introduction of netr_ServerAuthenticateKerberos().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 23:08:36 +00:00
Stefan Metzmacher
ea792fa342 pycredentials: make use of netlogon_creds_encrypt_samr_CryptPassword in py_creds_encrypt_netr_crypt_password
These will simplify adding the logic for netr_ServerAuthenticateKerberos...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 23:08:36 +00:00
Stefan Metzmacher
b8681c1657 libcli/auth: add netlogon_creds_{de,en}crypt_SendToSam()
These will simplify adding the logic for netr_ServerAuthenticateKerberos...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 23:08:36 +00:00
Stefan Metzmacher
8eb95a155d libcli/auth: add netlogon_creds_{de,en}crypt_samr_CryptPassword()
These will simplify adding the logic for netr_ServerAuthenticateKerberos...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 23:08:36 +00:00
Stefan Metzmacher
851a9b18ec libcli/auth: add netlogon_creds_{de,en}crypt_samr_Password()
These will simplify adding the logic for netr_ServerAuthenticateKerberos...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 23:08:36 +00:00
Stefan Metzmacher
3d4ea276bd libcli/auth: pass auth_{type,level} to netlogon_creds_{de,en}crypt_samlogon_logon()
This will be needed when we implement netr_ServerAuthenticateKerberos...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 23:08:36 +00:00
Stefan Metzmacher
a56356e399 libcli/auth: pass auth_{type,level} to netlogon_creds_{de,en}crypt_samlogon_validation()
This will be needed when we implement netr_ServerAuthenticateKerberos...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 23:08:36 +00:00
Stefan Metzmacher
de8de55a5f netlogon.idl: add netr_ServerAuthenticateKerberos() and related stuff
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 23:08:36 +00:00
Stefan Metzmacher
62afadb3eb s3:rpc_server: add DCESRV_COMPAT_NOT_USED_ON_WIRE() helper macro
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 23:08:36 +00:00
Stefan Metzmacher
01577b93cb dcesrv_core: add DCESRV_NOT_USED_ON_WIRE() helper macro
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 23:08:36 +00:00
Stefan Metzmacher
e4132c492d s4:rpc_server/netlogon: split out dcesrv_netr_ServerAuthenticateGeneric()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 23:08:36 +00:00
Stefan Metzmacher
f92def2f94 s4:dsdb/common: dsdb_trust_get_incoming_passwords only needs a const ldb_message
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 23:08:36 +00:00
Stefan Metzmacher
e9767315cf libcli/auth: split out netlogon_creds_alloc()
Review with: git show --patience

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 23:08:36 +00:00
Stefan Metzmacher
3792fe3728 libcli/auth: let netlogon_creds_cli_store_internal check netlogon_creds_CredentialState_legacy
Before storing the structure into a ctdb managed volatile database
we check against netlogon_creds_CredentialState_legacy (the structure
used before recent changes). This makes sure unpatched cluster nodes
would not get a parsing error.

We'll remove this again in master when we try to implement
netr_ServerAuthenticateKerberos() and the related changes
to netlogon_creds_CredentialState, which will break the compat...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 23:08:36 +00:00
Stefan Metzmacher
17394ed7bb libcli/auth: let netlogon_creds_cli_store_internal() use talloc_stackframe()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 23:08:36 +00:00
Stefan Metzmacher
8b972fea09 libcli/auth: also use netlogon_creds_CredentialState_extra_info for the client
In order to allow backports and cluster updates we simulate a
dom_sid, so that the old code is able to parse the blob.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 23:08:36 +00:00
Stefan Metzmacher
498fc88c15 s4:torture/rpc: let test_netlogon_capabilities() fail on legacy servers
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 23:08:36 +00:00
Stefan Metzmacher
fd4b027511 s4:rpc_server/netlogon: implement netr_LogonGetCapabilities query_level=2
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 23:08:36 +00:00
Stefan Metzmacher
484a046d8e s3:rpc_server/netlogon: implement netr_LogonGetCapabilities query_level=2
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 23:08:36 +00:00
Stefan Metzmacher
dfbc5e5a19 libcli/auth: remember client_requested_flags and auth_time in netlogon_creds_server_init()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 23:08:36 +00:00
Stefan Metzmacher
a9308c490c libcli/auth: remove unused creds->sid
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 23:08:36 +00:00
Stefan Metzmacher
4533afc9e1 s4:rpc_server/netlogon: make use of creds->ex->client_sid
creds->sid will be removed soon...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 23:08:36 +00:00
Stefan Metzmacher
88a84d9330 s3:rpc_server/netlogon: make use of creds->ex->client_sid
creds->sid will be removed soon...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 23:08:36 +00:00
Stefan Metzmacher
453587fbc1 librpc/rpc: make use of creds->ex->client_sid in dcesrv_netr_check_schannel_get_state()
creds->sid will be removed soon.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 23:08:36 +00:00
Stefan Metzmacher
518f57b93b libcli/auth: split out netlogon_creds_CredentialState_extra_info
As server we are free to change the netlogon_creds_CredentialState
database record format at will as it uses CLEAR_IF_FIRST.

For now that format doesn't really changes, because we
only move dom_sid into a wrapper structure.

In order to avoid changing all callers in this commit,
we maintain creds->sid as in memory pointer.

In the following patches we'll also use it in order
to store client related information...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 23:08:36 +00:00
Stefan Metzmacher
c2ef866fca libcli/auth: pass client_sid to netlogon_creds_server_init()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 23:08:36 +00:00
Stefan Metzmacher
2e8949495f s4:rpc_server/netlogon: add client_sid helper variables
This will make the following changes simpler...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 23:08:36 +00:00
Stefan Metzmacher
eda3728a40 s3:rpc_server/netlogon: add client_sid helper variables
This will make the following changes simpler...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 23:08:36 +00:00
Stefan Metzmacher
c9eaf5e22d s4:dsdb/common: samdb_confirm_rodc_allowed_to_repl_to() only needs a const sid
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 23:08:36 +00:00
Stefan Metzmacher
7f478656dc s3:cli_netlogon: let rpccli_connect_netlogon() use force_reauth = true on retry
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 23:08:36 +00:00
Stefan Metzmacher
d174b6595a s4:torture/rpc/netlogon: adjust test_netlogon_capabilities query_level=2 to request_flags
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 23:08:36 +00:00
Stefan Metzmacher
0b6ac4b082 s4:librpc/rpc: use netr_LogonGetCapabilities query_level=2 to verify the proposed capabilities
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 23:08:35 +00:00
Stefan Metzmacher
25294685b1 s4:librpc/rpc: define required schannel flags and enforce them
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 23:08:35 +00:00
Stefan Metzmacher
69b0cbd13d s4:librpc/rpc: don't allow any unexpected upgrades of negotiate_flags
Only remove the unsupported flags from local_negotiate_flags for
the next try...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 23:08:35 +00:00
Stefan Metzmacher
24de5d1cbd s4:librpc/rpc: do LogonControl after LogonGetCapabilities downgrade
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 23:08:35 +00:00
Stefan Metzmacher
25a2105ca7 libcli/auth: use netr_LogonGetCapabilities query_level=2 to verify the proposed capabilities
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 23:08:35 +00:00
Stefan Metzmacher
276137e950 libcli/auth: use a LogonControl after a LogonGetCapabilities downgrade
If LogonGetCapabilities was downgraded by an DCERPC Fault, we
rely on the schannel message ordering to detect failures.

Instead of letting any real winbindd request trigger this,
we do it directly in netlogon_creds_cli_check() with
a LogonControl that is also used for 'wbinfo --ping-dc'.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 23:08:35 +00:00
Stefan Metzmacher
3da40f1c68 libcli/auth: if we require aes we don't need to require arcfour nor strong key
But we can send arcfour and strong key on the wire and don't need to
remove them from the proposed flags.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 23:08:35 +00:00
Stefan Metzmacher
a9040c8ce7 libcli/auth: don't allow any unexpected upgrades of negotiate_flags
Only remove the unsupported flags from state->current_flags for
the next try...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 23:08:35 +00:00
Stefan Metzmacher
69cb9aea67 libcli/auth: make use of netlogon_creds_cli_store_internal() in netlogon_creds_cli_auth_srvauth_done()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 23:08:35 +00:00
Stefan Metzmacher
cf0e07a3d2 libcli/auth: remove unused netlogon_creds_client_init_session_key()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 23:08:35 +00:00
Stefan Metzmacher
86176598ee netlogon.idl: the capabilities in query_level=2 are the ones send by the client
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 23:08:35 +00:00
Stefan Metzmacher
a0bc372dee s4:rpc_server/netlogon: if we require AES there's no need to remove the ARCFOUR flag
With SAMBA_WEAK_CRYPTO_DISALLOWED dcesrv_netr_ServerAuthenticate3_check_downgrade()
will return DOWNGRADE_DETECTED with negotiate_flags = 0, if AES was not
negotiated...

And if AES was negotiated there's no harm in returning the ARCFOUR
flag...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 23:08:35 +00:00
Stefan Metzmacher
e5bc5ee3e0 s3:rpc_server/netlogon: if we require AES there's no need to remove the ARCFOUR flag
With SAMBA_WEAK_CRYPTO_DISALLOWED we will return DOWNGRADE_DETECTED with negotiate_flags = 0,
if AES was not negotiated...

And if AES was negotiated there's no harm in returning the ARCFOUR
flag...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 23:08:35 +00:00
Stefan Metzmacher
b27661f832 s3:rpc_server/netlogon: correctly negotiate flags in ServerAuthenticate2/3
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 23:08:35 +00:00
Stefan Metzmacher
3dcbc8eea5 s4:torture/rpc: without weak crypto we should require AES
We should check that we can actually negotiated the strong AES
crypto instead of just checking that NETLOGON_NEG_ARCFOUR is not
there...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 23:08:35 +00:00
Stefan Metzmacher
36310650ee s4:torture/rpc: check that DOWNGRADE_DETECTED has no bits negotiated
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 23:08:35 +00:00
Ralph Boehme
fdd133ae65 smbd: fix sharing access check for directories
This was missing from commit 6140c3177a and causes
all opens of directories to be handled as stat opens, bypassing the sharemode
check.

Not adding a test at this time, as my (hopefully) soon to be merged Directory
Leases branch has a test which actually detected this problem.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15732

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Tue Oct 29 12:44:49 UTC 2024 on atb-devel-224
2024-10-29 12:44:49 +00:00
Ralph Boehme
2065f00656 smbd: convert fsp->posix_flags to fsp->fsp_flags.posix_open
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Fri Oct 25 11:50:01 UTC 2024 on atb-devel-224
2024-10-25 11:50:01 +00:00
Ralph Boehme
149f77b63e smbd: remove seperate flag FSP_POSIX_FLAGS_PATHNAMES
Essentially FSP_POSIX_FLAGS_OPEN implies FSP_POSIX_FLAGS_PATHNAMES, so we can
just remove FSP_POSIX_FLAGS_PATHNAMES and simplify things.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2024-10-25 10:42:32 +00:00