Andrew Bartlett
1ca1ddbe27
CVE-2020-25718 s4-rpc_server: Add in debug messages into RODC processing
...
These are added for the uncommon cases.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2021-11-08 10:46:45 +01:00
Andrew Bartlett
d375c5fea5
CVE-2020-25718 s4-rpc_server: Explain why we use DSDB_SEARCH_SHOW_EXTENDED_DN in RODC access check
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2021-11-08 10:46:45 +01:00
Andrew Bartlett
e460730574
CVE-2020-25718 s4-rpc_server: Remove unused attributes in RODC check
...
In particular the objectGUID is no longer used, and in the NETLOGON case
the special case for msDS-KrbTgtLink does not apply.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2021-11-08 10:46:45 +01:00
Andrew Bartlett
60a136bcc6
CVE-2020-25718 s4-rpc_server: Provide wrapper samdb_confirm_rodc_allowed_to_repl_to()
...
This shares the lookup of the tokenGroups attribute.
There will be a new caller that does not want to do this step,
so this is a wrapper of samdb_confirm_rodc_allowed_to_repl_to_sid_list()
rather than part of it
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2021-11-08 10:46:45 +01:00
Andrew Bartlett
0619d4eb4f
CVE-2020-25718 s4-rpc_server: Confirm that the RODC has the UF_PARTIAL_SECRETS_ACCOUNT bit
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2021-11-08 10:46:45 +01:00
Andrew Bartlett
91415e7b52
CVE-2020-25718 s4-rpc_server: Put msDS-KrbTgtLinkBL and UF_INTERDOMAIN_TRUST_ACCOUNT RODC checks in common
...
While these checks were not in the NETLOGON case, there is no sense where
an RODC should be resetting a bad password count on either a
UF_INTERDOMAIN_TRUST_ACCOUNT nor a RODC krbtgt account.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2021-11-08 10:46:45 +01:00
Andrew Bartlett
55fdf0f63c
CVE-2020-25718 s4-rpc_server: Put RODC reveal/never reveal logic into a single helper function
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2021-11-08 10:46:45 +01:00
Andrew Bartlett
de34a5bb53
CVE-2020-25718 s4-rpc_server: Obtain the user tokenGroups earlier
...
This will allow the creation of a common helper routine that
takes the token SID list (from tokenGroups or struct auth_user_info_dc)
and returns the allowed/denied result.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2021-11-08 10:46:45 +01:00
Andrew Bartlett
b57045193a
CVE-2020-25718 s4-rpc_server: Change sid list functions to operate on a array of struct dom_sid
...
This is instead of an array of struct dom_sid *.
The reason is that auth_user_info_dc has an array of struct dom_sid
(the user token) and for checking if an RODC should be allowed
to print a particular ticket, we want to reuse that a rather
then reconstruct it via tokenGroups.
This also avoids a lot of memory allocation.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2021-11-08 10:46:45 +01:00
Andrew Bartlett
649c9d1577
CVE-2020-25718 kdc: Remove unused samba_kdc_get_pac_blob()
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2021-11-08 10:46:45 +01:00
Joseph Sutton
289a526bfd
CVE-2020-25719 heimdal:kdc: Require authdata to be present
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14686
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:45 +01:00
Joseph Sutton
30fb296a38
CVE-2020-25719 s4:kdc: Add KDC support for PAC_ATTRIBUTES_INFO PAC buffer
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:45 +01:00
Andreas Schneider
d15ace2d81
CVE-2020-25719 s4:kdc: Check if the pac is valid before updating it
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:45 +01:00
Andreas Schneider
36a1c87654
CVE-2020-25719 s4:kdc: Add samba_kdc_validate_pac_blob()
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:45 +01:00
Andreas Schneider
3ba4cf29e7
CVE-2020-25719 s4:kdc: Remove trailing spaces in pac-glue.c
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:45 +01:00
Andreas Schneider
1fcd10069f
CVE-2020-25719 mit_samba: Create the talloc context earlier
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:45 +01:00
Andreas Schneider
048c400e02
CVE-2020-25719 mit_samba: The samba_princ_needs_pac check should be on the server entry
...
This does the same check as the hdb plugin now. The client check is already
done earlier.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:45 +01:00
Andreas Schneider
7d27aed01a
CVE-2020-25719 mit-samba: Rework PAC handling in kdb_samba_db_sign_auth_data()
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:45 +01:00
Andreas Schneider
d29c0d94dc
CVE-2020-25719 mit-samba: Handle no DB entry in mit_samba_get_pac()
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:45 +01:00
Andreas Schneider
481d47e242
CVE-2020-25719 mit-samba: Add mit_samba_princ_needs_pac()
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:45 +01:00
Andreas Schneider
171162bb5e
CVE-2020-25719 mit-samba: If we use client_princ, always lookup the db entry
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
[abartlet@samba.org backported due to support for MIT KDB < 10
in Samba 4.14]
2021-11-08 10:46:44 +01:00
Andreas Schneider
c888bbe632
CVE-2020-25719 mit-samba: Add ks_free_principal()
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
[abartlet@samba.org As submitted in patch to Samba bugzilla
to address this issue as https://attachments.samba.org/attachment.cgi?id=16724
on overall bug https://bugzilla.samba.org/show_bug.cgi?id=14725 ]
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2021-11-08 10:46:44 +01:00
Andreas Schneider
41ff051f8b
CVE-2020-25719 mit-samba: Make ks_get_principal() internally public
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:44 +01:00
Joseph Sutton
694b16b516
CVE-2020-25722 pytest: Raise an error when adding a dynamic test that would overwrite an existing test
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:44 +01:00
Joseph Sutton
4ecd2f5b8e
CVE-2020-25719 s4/torture: Expect additional PAC buffers
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:44 +01:00
Joseph Sutton
473f1b6481
CVE-2020-25719 tests/krb5: Add tests for mismatched names with user-to-user
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:44 +01:00
Joseph Sutton
a2de8b1c17
CVE-2020-25719 tests/krb5: Add test for user-to-user with no sname
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:44 +01:00
Joseph Sutton
bccbedcee2
CVE-2020-25719 tests/krb5: Add tests for requester SID PAC buffer
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:44 +01:00
Joseph Sutton
2465874ef8
CVE-2020-25719 tests/krb5: Add tests for PAC-REQUEST padata
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:44 +01:00
Joseph Sutton
9d5d2d0ae4
CVE-2020-25719 tests/krb5: Add tests for PAC attributes buffer
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:44 +01:00
Joseph Sutton
1c8fbb41c2
CVE-2020-25719 tests/krb5: Add expected parameters to cache key for obtaining tickets
...
If multiple calls to get_tgt() or get_service_ticket() specify different
expected parameters, we want to perform the request again so that the
checking can be performed, rather than reusing a previously obtained
ticket and potentially skipping checks.
It should be fine to cache tickets with the same expected parameters, as
tickets that fail to be obtained will not be stored in the cache, so the
checking will happen for every call.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:44 +01:00
Joseph Sutton
08c388112f
CVE-2020-25719 tests/krb5: Add EXPECT_PAC environment variable to expect pac from all TGS tickets
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:44 +01:00
Joseph Sutton
c8f445ad6b
CVE-2020-25719 tests/krb5: Add testing for PAC_TYPE_REQUESTER_SID PAC buffer
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:44 +01:00
Joseph Sutton
a9a3783182
CVE-2020-25719 tests/krb5: Add testing for PAC_TYPE_ATTRIBUTES_INFO PAC buffer
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:44 +01:00
Joseph Sutton
c813b12d0f
CVE-2020-25719 tests/krb5: Add _modify_tgt() method for modifying already obtained tickets
...
https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:44 +01:00
Joseph Sutton
e875ebd31d
CVE-2020-25719 tests/krb5: Extend _get_tgt() method to allow more modifications to tickets
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:44 +01:00
Joseph Sutton
c6ca9b34ad
CVE-2020-25719 tests/krb5: tests/krb5: Adjust expected error code for S4U2Self no-PAC tests
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:44 +01:00
Joseph Sutton
30e11e0d22
CVE-2020-25719 tests/krb5: Adjust expected error codes for user-to-user tests
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:44 +01:00
Joseph Sutton
8eeeececd2
CVE-2020-25719 tests/krb5: Adjust PAC tests to prepare for new PAC_ATTRIBUTES_INFO buffer
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:44 +01:00
Joseph Sutton
85f43f2ccb
CVE-2020-25719 tests/krb5: Use correct credentials for user-to-user tests
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:44 +01:00
Joseph Sutton
78b7f477d5
CVE-2020-25719 tests/krb5: Return ticket from _tgs_req()
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:44 +01:00
Joseph Sutton
e4a06fdb47
CVE-2020-25719 tests/krb5: Expect 'renew-till' element when renewing a TGT
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:44 +01:00
Joseph Sutton
8693af19e0
CVE-2020-25719 tests/krb5: Don't expect a kvno for user-to-user
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:44 +01:00
Joseph Sutton
169a4d4d14
CVE-2020-25719 tests/krb5: Allow update_pac_checksums=True if the PAC is not present
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:44 +01:00
Joseph Sutton
ef65925a41
CVE-2020-25719 tests/krb5: Provide expected parameters for both AS-REQs in get_tgt()
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:44 +01:00
Joseph Sutton
a680362a12
CVE-2020-25719 krb5pac.idl: Add PAC_REQUESTER_SID PAC buffer type
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:44 +01:00
Joseph Sutton
c22162544b
CVE-2020-25719 krb5pac.idl: Add PAC_ATTRIBUTES_INFO PAC buffer type
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:44 +01:00
Joseph Sutton
9165ba3575
CVE-2020-25718 tests/krb5: Fix indentation
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:44 +01:00
Joseph Sutton
ccb22bac0b
CVE-2020-25722 selftest: Adapt ldap.py tests to new objectClass restrictions
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:44 +01:00
Douglas Bagnall
ca84774f9a
CVE-2020-25722 s4/dsdb/util: remove unused dsdb_get_single_valued_attr()
...
Nobody uses it now. It never really did what it said it did. Almost
every use was wrong. It was a trap.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:44 +01:00