1
0
mirror of https://github.com/samba-team/samba.git synced 2025-03-15 02:50:27 +03:00

125431 Commits

Author SHA1 Message Date
Andrew Bartlett
1ca1ddbe27 CVE-2020-25718 s4-rpc_server: Add in debug messages into RODC processing
These are added for the uncommon cases.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2021-11-08 10:46:45 +01:00
Andrew Bartlett
d375c5fea5 CVE-2020-25718 s4-rpc_server: Explain why we use DSDB_SEARCH_SHOW_EXTENDED_DN in RODC access check
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2021-11-08 10:46:45 +01:00
Andrew Bartlett
e460730574 CVE-2020-25718 s4-rpc_server: Remove unused attributes in RODC check
In particular the objectGUID is no longer used, and in the NETLOGON case
the special case for msDS-KrbTgtLink does not apply.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2021-11-08 10:46:45 +01:00
Andrew Bartlett
60a136bcc6 CVE-2020-25718 s4-rpc_server: Provide wrapper samdb_confirm_rodc_allowed_to_repl_to()
This shares the lookup of the tokenGroups attribute.

There will be a new caller that does not want to do this step,
so this is a wrapper of samdb_confirm_rodc_allowed_to_repl_to_sid_list()
rather than part of it

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2021-11-08 10:46:45 +01:00
Andrew Bartlett
0619d4eb4f CVE-2020-25718 s4-rpc_server: Confirm that the RODC has the UF_PARTIAL_SECRETS_ACCOUNT bit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2021-11-08 10:46:45 +01:00
Andrew Bartlett
91415e7b52 CVE-2020-25718 s4-rpc_server: Put msDS-KrbTgtLinkBL and UF_INTERDOMAIN_TRUST_ACCOUNT RODC checks in common
While these checks were not in the NETLOGON case, there is no sense where
an RODC should be resetting a bad password count on either a
UF_INTERDOMAIN_TRUST_ACCOUNT nor a RODC krbtgt account.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2021-11-08 10:46:45 +01:00
Andrew Bartlett
55fdf0f63c CVE-2020-25718 s4-rpc_server: Put RODC reveal/never reveal logic into a single helper function
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2021-11-08 10:46:45 +01:00
Andrew Bartlett
de34a5bb53 CVE-2020-25718 s4-rpc_server: Obtain the user tokenGroups earlier
This will allow the creation of a common helper routine that
takes the token SID list (from tokenGroups or struct auth_user_info_dc)
and returns the allowed/denied result.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2021-11-08 10:46:45 +01:00
Andrew Bartlett
b57045193a CVE-2020-25718 s4-rpc_server: Change sid list functions to operate on a array of struct dom_sid
This is instead of an array of struct dom_sid *.

The reason is that auth_user_info_dc has an array of struct dom_sid
(the user token) and for checking if an RODC should be allowed
to print a particular ticket, we want to reuse that a rather
then reconstruct it via tokenGroups.

This also avoids a lot of memory allocation.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2021-11-08 10:46:45 +01:00
Andrew Bartlett
649c9d1577 CVE-2020-25718 kdc: Remove unused samba_kdc_get_pac_blob()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2021-11-08 10:46:45 +01:00
Joseph Sutton
289a526bfd CVE-2020-25719 heimdal:kdc: Require authdata to be present
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14686

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:45 +01:00
Joseph Sutton
30fb296a38 CVE-2020-25719 s4:kdc: Add KDC support for PAC_ATTRIBUTES_INFO PAC buffer
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:45 +01:00
Andreas Schneider
d15ace2d81 CVE-2020-25719 s4:kdc: Check if the pac is valid before updating it
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:45 +01:00
Andreas Schneider
36a1c87654 CVE-2020-25719 s4:kdc: Add samba_kdc_validate_pac_blob()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:45 +01:00
Andreas Schneider
3ba4cf29e7 CVE-2020-25719 s4:kdc: Remove trailing spaces in pac-glue.c
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:45 +01:00
Andreas Schneider
1fcd10069f CVE-2020-25719 mit_samba: Create the talloc context earlier
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:45 +01:00
Andreas Schneider
048c400e02 CVE-2020-25719 mit_samba: The samba_princ_needs_pac check should be on the server entry
This does the same check as the hdb plugin now. The client check is already
done earlier.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:45 +01:00
Andreas Schneider
7d27aed01a CVE-2020-25719 mit-samba: Rework PAC handling in kdb_samba_db_sign_auth_data()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:45 +01:00
Andreas Schneider
d29c0d94dc CVE-2020-25719 mit-samba: Handle no DB entry in mit_samba_get_pac()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:45 +01:00
Andreas Schneider
481d47e242 CVE-2020-25719 mit-samba: Add mit_samba_princ_needs_pac()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:45 +01:00
Andreas Schneider
171162bb5e CVE-2020-25719 mit-samba: If we use client_princ, always lookup the db entry
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

[abartlet@samba.org backported due to support for MIT KDB < 10
 in Samba 4.14]
2021-11-08 10:46:44 +01:00
Andreas Schneider
c888bbe632 CVE-2020-25719 mit-samba: Add ks_free_principal()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

[abartlet@samba.org As submitted in patch to Samba bugzilla
 to address this issue as https://attachments.samba.org/attachment.cgi?id=16724
 on overall bug https://bugzilla.samba.org/show_bug.cgi?id=14725]

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2021-11-08 10:46:44 +01:00
Andreas Schneider
41ff051f8b CVE-2020-25719 mit-samba: Make ks_get_principal() internally public
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:44 +01:00
Joseph Sutton
694b16b516 CVE-2020-25722 pytest: Raise an error when adding a dynamic test that would overwrite an existing test
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:44 +01:00
Joseph Sutton
4ecd2f5b8e CVE-2020-25719 s4/torture: Expect additional PAC buffers
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:44 +01:00
Joseph Sutton
473f1b6481 CVE-2020-25719 tests/krb5: Add tests for mismatched names with user-to-user
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:44 +01:00
Joseph Sutton
a2de8b1c17 CVE-2020-25719 tests/krb5: Add test for user-to-user with no sname
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:44 +01:00
Joseph Sutton
bccbedcee2 CVE-2020-25719 tests/krb5: Add tests for requester SID PAC buffer
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:44 +01:00
Joseph Sutton
2465874ef8 CVE-2020-25719 tests/krb5: Add tests for PAC-REQUEST padata
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:44 +01:00
Joseph Sutton
9d5d2d0ae4 CVE-2020-25719 tests/krb5: Add tests for PAC attributes buffer
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:44 +01:00
Joseph Sutton
1c8fbb41c2 CVE-2020-25719 tests/krb5: Add expected parameters to cache key for obtaining tickets
If multiple calls to get_tgt() or get_service_ticket() specify different
expected parameters, we want to perform the request again so that the
checking can be performed, rather than reusing a previously obtained
ticket and potentially skipping checks.

It should be fine to cache tickets with the same expected parameters, as
tickets that fail to be obtained will not be stored in the cache, so the
checking will happen for every call.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:44 +01:00
Joseph Sutton
08c388112f CVE-2020-25719 tests/krb5: Add EXPECT_PAC environment variable to expect pac from all TGS tickets
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:44 +01:00
Joseph Sutton
c8f445ad6b CVE-2020-25719 tests/krb5: Add testing for PAC_TYPE_REQUESTER_SID PAC buffer
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:44 +01:00
Joseph Sutton
a9a3783182 CVE-2020-25719 tests/krb5: Add testing for PAC_TYPE_ATTRIBUTES_INFO PAC buffer
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:44 +01:00
Joseph Sutton
c813b12d0f CVE-2020-25719 tests/krb5: Add _modify_tgt() method for modifying already obtained tickets
https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:44 +01:00
Joseph Sutton
e875ebd31d CVE-2020-25719 tests/krb5: Extend _get_tgt() method to allow more modifications to tickets
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:44 +01:00
Joseph Sutton
c6ca9b34ad CVE-2020-25719 tests/krb5: tests/krb5: Adjust expected error code for S4U2Self no-PAC tests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:44 +01:00
Joseph Sutton
30e11e0d22 CVE-2020-25719 tests/krb5: Adjust expected error codes for user-to-user tests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:44 +01:00
Joseph Sutton
8eeeececd2 CVE-2020-25719 tests/krb5: Adjust PAC tests to prepare for new PAC_ATTRIBUTES_INFO buffer
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:44 +01:00
Joseph Sutton
85f43f2ccb CVE-2020-25719 tests/krb5: Use correct credentials for user-to-user tests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:44 +01:00
Joseph Sutton
78b7f477d5 CVE-2020-25719 tests/krb5: Return ticket from _tgs_req()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:44 +01:00
Joseph Sutton
e4a06fdb47 CVE-2020-25719 tests/krb5: Expect 'renew-till' element when renewing a TGT
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:44 +01:00
Joseph Sutton
8693af19e0 CVE-2020-25719 tests/krb5: Don't expect a kvno for user-to-user
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:44 +01:00
Joseph Sutton
169a4d4d14 CVE-2020-25719 tests/krb5: Allow update_pac_checksums=True if the PAC is not present
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:44 +01:00
Joseph Sutton
ef65925a41 CVE-2020-25719 tests/krb5: Provide expected parameters for both AS-REQs in get_tgt()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:44 +01:00
Joseph Sutton
a680362a12 CVE-2020-25719 krb5pac.idl: Add PAC_REQUESTER_SID PAC buffer type
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:44 +01:00
Joseph Sutton
c22162544b CVE-2020-25719 krb5pac.idl: Add PAC_ATTRIBUTES_INFO PAC buffer type
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:44 +01:00
Joseph Sutton
9165ba3575 CVE-2020-25718 tests/krb5: Fix indentation
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:44 +01:00
Joseph Sutton
ccb22bac0b CVE-2020-25722 selftest: Adapt ldap.py tests to new objectClass restrictions
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:44 +01:00
Douglas Bagnall
ca84774f9a CVE-2020-25722 s4/dsdb/util: remove unused dsdb_get_single_valued_attr()
Nobody uses it now. It never really did what it said it did. Almost
every use was wrong. It was a trap.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:44 +01:00