The branch, v4-9-stable has been updated
       via  40c057c900a VERSION: Disable GIT_SNAPSHOT for the 4.9.3 release.
       via  bec29625127 WHATSNEW: Add release notes for Samba 4.9.3.
       via  60b2cd50f4d CVE-2018-16857 dsdb/util: Add better default lockOutObservationWindow
       via  d12b02c7884 CVE-2018-16857 dsdb/util: Fix lockOutObservationWindow for PSOs
       via  4f86beeaf34 CVE-2018-16857 dsdb/util: Correctly treat lockOutObservationWindow as 64-bit int
       via  ec9cc4ed5a0 CVE-2018-16857 tests: Sanity-check password lockout works with default values
       via  9cb6b4e9131 CVE-2018-16857 PEP8: fix E251: unexpected spaces around keyword / parameter equals
       via  fe8e05a9ea8 CVE-2018-16857 PEP8: fix E127: continuation line over-indented for visual indent
       via  4d0fd1a421a CVE-2018-16857 selftest: Split up password_lockout into tests with and without a call to sleep()
       via  31198d39a76 CVE-2018-16857 PEP8: fix E305: expected 2 blank lines after class or function definition, found 1
       via  862d4909ecc CVE-2018-16857 selftest: Prepare to allow override of lockout duration in password_lockout tests
       via  4aabfecd290 CVE-2018-16853 build: The Samba AD DC, when built with MIT Kerberos is experimental
       via  f33f52c366f CVE-2018-16851 ldap_server: Check ret before manipulating blob
       via  c78ca8b9b48 CVE-2018-16852 dcerpc dnsserver: refactor common properties handling
       via  05f867db81f CVE-2018-16852 dcerpc dnsserver: Ensure properties are handled correctly
       via  f40e1b3b42c CVE-2018-16852 dcerpc dnsserver: Verification tests
       via  4783b9d6a43 CVE-2018-16841 selftest: Check for mismatching principal in certificate compared with principal in AS-REQ
       via  6e84215d4aa CVE-2018-16841 heimdal: Fix segfault on PKINIT with mis-matching principal
       via  bf596c14c24 CVE-2018-14629 dns: CNAME loop prevention using counter
       via  a96d403ff30 VERSION: Bump version up to 4.9.3...
      from  865cc283d1b VERSION: Disable GIT_SNAPSHOT for the 4.9.2 release.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-9-stable

- Log -----------------------------------------------------------------
commit 40c057c900a9367e8020c943d29547ea8942212f
Author: Karolin Seeger <ksee...@samba.org>
Date:   Sun Nov 25 15:24:31 2018 +0100

    VERSION: Disable GIT_SNAPSHOT for the 4.9.3 release.

    o CVE-2018-14629 (Unprivileged adding of CNAME record causing loop in AD Internal DNS server)
    o CVE-2018-16841 (Double-free in Samba AD DC KDC with PKINIT)
    o CVE-2018-16851 (NULL pointer de-reference in Samba AD DC LDAP server)
    o CVE-2018-16852 (NULL pointer de-reference in Samba AD DC DNS servers)
    o CVE-2018-16853 (Samba AD DC S4U2Self crash in experimental MIT Kerberos configuration (unsupported))
    o CVE-2018-16857 (Bad password count in AD DC not always effective)

    Signed-off-by: Karolin Seeger <ksee...@samba.org>

commit bec29625127fc62ae2f023ea43d918638dd4156e
Author: Karolin Seeger <ksee...@samba.org>
Date:   Sun Nov 25 15:23:23 2018 +0100

    WHATSNEW: Add release notes for Samba 4.9.3.

    o CVE-2018-14629 (Unprivileged adding of CNAME record causing loop in AD Internal DNS server)
    o CVE-2018-16841 (Double-free in Samba AD DC KDC with PKINIT)
    o CVE-2018-16851 (NULL pointer de-reference in Samba AD DC LDAP server)
    o CVE-2018-16852 (NULL pointer de-reference in Samba AD DC DNS servers)
    o CVE-2018-16853 (Samba AD DC S4U2Self crash in experimental MIT Kerberos configuration (unsupported))
    o CVE-2018-16857 (Bad password count in AD DC not always effective)

    Signed-off-by: Karolin Seeger <ksee...@samba.org>

commit 60b2cd50f4d0554cc5ca8c53b2d1fa89e56a6d06
Author: Tim Beale <timbe...@catalyst.net.nz>
Date:   Tue Nov 13 13:22:41 2018 +1300

    CVE-2018-16857 dsdb/util: Add better default lockOutObservationWindow

    Clearly the lockOutObservationWindow value is important, and using a
    default value of zero doesn't work very well. This patch adds a better
    default value (the domain default setting of 30 minutes).

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13683

    Signed-off-by: Tim Beale <timbe...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit d12b02c78842786969557b9be7c953e9594d90dd
Author: Tim Beale <timbe...@catalyst.net.nz>
Date:   Tue Nov 13 13:19:04 2018 +1300

    CVE-2018-16857 dsdb/util: Fix lockOutObservationWindow for PSOs

    Fix a remaining place where we were trying to read the
    msDS-LockoutObservationWindow as an int instead of an int64.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13683

    Signed-off-by: Tim Beale <timbe...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 4f86beeaf3408383385ee99a74520a805dd63c0f
Author: Tim Beale <timbe...@catalyst.net.nz>
Date:   Tue Nov 13 12:24:16 2018 +1300

    CVE-2018-16857 dsdb/util: Correctly treat lockOutObservationWindow as 64-bit int

    Commit 442a38c918ae1666b35 refactored some code into a new
    get_lockout_observation_window() function. However, in moving the code,
    an ldb_msg_find_attr_as_int64() inadvertently got converted to a
    ldb_msg_find_attr_as_int().

    ldb_msg_find_attr_as_int() will only work for values up to -2147483648
    (about 3.5 minutes in MS timestamp form). Unfortunately, the automated
    tests used a low enough timeout that they still worked, however,
    password lockout would not work with the Samba default settings.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13683

    Signed-off-by: Tim Beale <timbe...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit ec9cc4ed5a05490297cde3fcaac50eeeaaca8469
Author: Tim Beale <timbe...@catalyst.net.nz>
Date:   Tue Nov 13 11:49:56 2018 +1300

    CVE-2018-16857 tests: Sanity-check password lockout works with default values

    Sanity-check that when we use the default lockOutObservationWindow that
    user lockout actually works. The easiest way to do this is to reuse the
    _test_login_lockout() test-case, but stop at the point where we wait for
    the lockout duration to expire (because we don't want the test to wait
    30 mins).

    This highlights a problem currently where the default values don't work.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13683

    Signed-off-by: Tim Beale <timbe...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 9cb6b4e9131afac71a39a2f6a3c142723cb6ca19
Author: Joe Guo <j...@catalyst.net.nz>
Date:   Mon Jul 30 18:19:21 2018 +1200

    CVE-2018-16857 PEP8: fix E251: unexpected spaces around keyword / parameter equals

    Signed-off-by: Joe Guo <j...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

    Partial backport of commit 1ccc36b4010cd63 (only password_lockout_base.py change)
    as a dependency for:

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13683

commit fe8e05a9ea8185325ff87ac73ef0106a85cd662a
Author: Joe Guo <j...@catalyst.net.nz>
Date:   Mon Jul 30 18:15:34 2018 +1200

    CVE-2018-16857 PEP8: fix E127: continuation line over-indented for visual indent

    Signed-off-by: Joe Guo <j...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

    Partial backport of commit bbb9f57603d (only password_lockout_base.py change)
    as a dependency for:

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13683

commit 4d0fd1a421ad4a3ca19ed954ee91fcc36413b017
Author: Andrew Bartlett <abart...@samba.org>
Date:   Sun Sep 2 18:03:06 2018 +1200

    CVE-2018-16857 selftest: Split up password_lockout into tests with and without a call to sleep()

    This means we can have a long observation window for many of the tests
    and so make them much more reliable. Many of these cause frustrating
    flapping failures in our CI systems.

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Gary Lockyer <g...@catalyst.net.nz>

    Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
    Autobuild-Date(master): Mon Sep 3 06:14:55 CEST 2018 on sn-devel-144

    (cherry picked from commit 74357bf347348d3a8b7483c58e5250e98f7e8810)

    Backported as a dependency for:

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13683

commit 31198d39a76474d55c3d391e04d76758ee115d8e
Author: Joe Guo <j...@catalyst.net.nz>
Date:   Mon Jul 30 18:21:29 2018 +1200

    CVE-2018-16857 PEP8: fix E305: expected 2 blank lines after class or function definition, found 1

    Signed-off-by: Joe Guo <j...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

    Partial backport of commit 115f2a71b88 (only password_lockout.py change)
    as a dependency for:

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13683

commit 862d4909eccd18942e3de8e8b0dc6e1594ec27f1
Author: Andrew Bartlett <abart...@samba.org>
Date:   Sun Sep 2 17:34:03 2018 +1200

    CVE-2018-16857 selftest: Prepare to allow override of lockout duration in password_lockout tests

    This will make it easier to avoid flapping tests.

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Gary Lockyer <g...@catalyst.net.nz>

    (cherry picked from commit a740a6131c967f9640b19a6964fd5d6f85ce853a)

    Backported as a dependency for:

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13683

commit 4aabfecd290cd2769376abf7f170e832becc4112
Author: Andrew Bartlett <abart...@samba.org>
Date:   Tue Nov 6 13:32:05 2018 +1300

    CVE-2018-16853 build: The Samba AD DC, when built with MIT Kerberos is experimental

    This matches https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13678

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Gary Lockyer <g...@catalyst.net.nz>

commit f33f52c366f7cf140f470de44579dcb7eb832629
Author: Garming Sam <garm...@catalyst.net.nz>
Date:   Mon Nov 5 16:18:18 2018 +1300

    CVE-2018-16851 ldap_server: Check ret before manipulating blob

    In the case of hitting the talloc ~256MB limit, this causes a crash in
    the server. Note that you would actually need to load >256MB of data
    into the LDAP. Although there is some generated/hidden data which would
    help you reach that limit (descriptors and RMD blobs).

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13674

    Signed-off-by: Garming Sam <garm...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit c78ca8b9b48a19e71f4d6ddd2e300f282fb0b247
Author: Gary Lockyer <g...@catalyst.net.nz>
Date:   Wed Nov 7 15:08:04 2018 +1300

    CVE-2018-16852 dcerpc dnsserver: refactor common properties handling

    dnsserver_common.c and dnsutils.c both share similar code to process
    zone properties. This patch extracts the common code and moves it to
    dnsserver_common.c.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13669

    Signed-off-by: Gary Lockyer <g...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 05f867db81f118215445f2c49eda4b9c3451d14a
Author: Gary Lockyer <g...@catalyst.net.nz>
Date:   Tue Nov 6 12:16:30 2018 +1300

    CVE-2018-16852 dcerpc dnsserver: Ensure properties are handled correctly

    Fixes for Bug 13669 - (CVE-2018-16852) NULL pointer de-reference in
    Samba AD DC DNS management

    The presence of the ZONE_MASTER_SERVERS property or the
    ZONE_SCAVENGING_SERVERS property in a zone record causes the server to
    follow a null pointer and terminate.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13669

    Signed-off-by: Gary Lockyer <g...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit f40e1b3b42ce23b574a4c530545ff8170ddc7330
Author: Gary Lockyer <g...@catalyst.net.nz>
Date:   Tue Nov 6 12:10:07 2018 +1300

    CVE-2018-16852 dcerpc dnsserver: Verification tests

    Tests to verify Bug 13669 - (CVE-2018-16852) NULL pointer de-reference
    in Samba AD DC DNS management

    The presence of the ZONE_MASTER_SERVERS property or the
    ZONE_SCAVENGING_SERVERS property in a zone record causes the server to
    follow a null pointer and terminate.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13669

    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Signed-off-by: Gary Lockyer <g...@catalyst.net.nz>

commit 4783b9d6a43287a938b18e15f146e6895b689956
Author: Andrew Bartlett <abart...@samba.org>
Date:   Wed Oct 24 15:41:28 2018 +1300

    CVE-2018-16841 selftest: Check for mismatching principal in certificate compared with principal in AS-REQ

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13628

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Gary Lockyer <g...@catalyst.net.nz>

commit 6e84215d4aa7ef51096db3b187adbe22cacdd921
Author: Andrew Bartlett <abart...@samba.org>
Date:   Tue Oct 23 17:33:46 2018 +1300

    CVE-2018-16841 heimdal: Fix segfault on PKINIT with mis-matching principal

    In Heimdal KRB5_KDC_ERR_CLIENT_NAME_MISMATCH is an enum, so we tried to
    double-free mem_ctx.

    This was introduced in 9a0263a7c316112caf0265237bfb2cfb3a3d370d for the
    MIT KDC effort.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13628

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Gary Lockyer <g...@catalyst.net.nz>

commit bf596c14c2462b9a15ea738ef4f32b3abb8b63d1
Author: Aaron Haslett <aaronhasl...@catalyst.net.nz>
Date:   Tue Oct 23 17:25:51 2018 +1300

    CVE-2018-14629 dns: CNAME loop prevention using counter

    Count number of answers generated by internal DNS query routine and stop
    at 20 to match Microsoft's loop prevention mechanism.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13600

    Signed-off-by: Aaron Haslett <aaronhasl...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Garming Sam <garm...@catalyst.net.nz>

commit a96d403ff304b917195c9536a8a109779daf7d2e
Author: Karolin Seeger <ksee...@samba.org>
Date:   Thu Nov 8 08:56:10 2018 +0100

    VERSION: Bump version up to 4.9.3...

    and re-enable GIT_SNAPSHOT.
    Signed-off-by: Karolin Seeger <ksee...@samba.org>

    (cherry picked from commit 424d4d2b4084e8778d82684d29514b5b45cdfd36)

-----------------------------------------------------------------------

Summary of changes:
 VERSION                                            |   2 +-
 WHATSNEW.txt                                       | 131 ++++++++-
 python/samba/tests/dns.py                          |  22 ++
 selftest/knownfail.d/dns                           |   6 +
 source4/dns_server/dns_query.c                     |   6 +
 source4/dns_server/dnsserver_common.c              | 129 ++++++---
 source4/dns_server/dnsserver_common.h              |   3 +
 source4/dsdb/common/util.c                         |  20 +-
 source4/dsdb/tests/python/password_lockout.py      | 321 ++++++++++++---------
 source4/dsdb/tests/python/password_lockout_base.py |  77 +++--
 source4/kdc/db-glue.c                              |   6 +-
 source4/ldap_server/ldap_server.c                  |   4 +-
 source4/rpc_server/dnsserver/dnsutils.c            |  59 +---
 .../tests/rpc_dns_server_dnsutils_test.c           | 304 +++++++++++++++++++
 source4/rpc_server/wscript_build                   |  17 +-
 source4/selftest/tests.py                          |   2 +
 testprogs/blackbox/test_pkinit_heimdal.sh          |   8 +
 wscript                                            |  17 ++
 18 files changed, 848 insertions(+), 286 deletions(-)
 create mode 100644 source4/rpc_server/tests/rpc_dns_server_dnsutils_test.c

Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION index 79eda3f7612..808d4f3a318 100644 --- a/VERSION +++ b/VERSION @@ -25,7 +25,7 @@ ######################################################## SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=9 -SAMBA_VERSION_RELEASE=2 +SAMBA_VERSION_RELEASE=3 ######################################################## # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 978502e8a00..fc1541dbbe5 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -1,3 +1,130 @@ + ============================= + Release Notes for Samba 4.9.3 + November 27, 2018 + ============================= + + +This is a security release in order to address the following defects: + +o CVE-2018-14629 (Unprivileged adding of CNAME record causing loop in AD + Internal DNS server) +o CVE-2018-16841 (Double-free in Samba AD DC KDC with PKINIT) +o CVE-2018-16851 (NULL pointer de-reference in Samba AD DC LDAP server) +o CVE-2018-16852 (NULL pointer de-reference in Samba AD DC DNS servers) +o CVE-2018-16853 (Samba AD DC S4U2Self crash in experimental MIT Kerberos + configuration (unsupported)) +o CVE-2018-16857 (Bad password count in AD DC not always effective) + + +======= +Details +======= + +o CVE-2018-14629: + All versions of Samba from 4.0.0 onwards are vulnerable to infinite + query recursion caused by CNAME loops. Any dns record can be added via + ldap by an unprivileged user using the ldbadd tool, so this is a + security issue. + +o CVE-2018-16841: + When configured to accept smart-card authentication, Samba's KDC will call + talloc_free() twice on the same memory if the principal in a validly signed + certificate does not match the principal in the AS-REQ. + + This is only possible after authentication with a trusted certificate. + + talloc is robust against further corruption from a double-free with + talloc_free() and directly calls abort(), terminating the KDC process. + + There is no further vulnerability associated with this issue, merely a + denial of service. + +o CVE-2018-16851: + During the processing of an LDAP search before Samba's AD DC returns + the LDAP entries to the client, the entries are cached in a single + memory object with a maximum size of 256MB. When this size is + reached, the Samba process providing the LDAP service will follow the + NULL pointer, terminating the process. + + There is no further vulnerability associated with this issue, merely a + denial of service. 
+ +o CVE-2018-16852: + During the processing of an DNS zone in the DNS management DCE/RPC server, + the internal DNS server or the Samba DLZ plugin for BIND9, if the + DSPROPERTY_ZONE_MASTER_SERVERS property or DSPROPERTY_ZONE_SCAVENGING_SERVERS + property is set, the server will follow a NULL pointer and terminate. + + There is no further vulnerability associated with this issue, merely a + denial of service. + +o CVE-2018-16853: + A user in a Samba AD domain can crash the KDC when Samba is built in the + non-default MIT Kerberos configuration. + + With this advisory we clarify that the MIT Kerberos build of the Samba + AD DC is considered experimental. Therefore the Samba Team will not + issue security patches for this configuration. + +o CVE-2018-16857: + AD DC Configurations watching for bad passwords (to restrict brute forcing + of passwords) in a window of more than 3 minutes may not watch for bad + passwords at all. + +For more details and workarounds, please refer to the security advisories. + + +Changes since 4.9.2: +-------------------- + +o Andrew Bartlett <abart...@samba.org> + * BUG 13628: CVE-2018-16841: heimdal: Fix segfault on PKINIT with + mis-matching principal. + * BUG 13678: CVE-2018-16853: build: The Samba AD DC, when build with MIT + Kerberos is experimental + +o Tim Beale <timbe...@catalyst.net.nz> + * BUG 13683: CVE-2018-16857: dsdb/util: Correctly treat + lockOutObservationWindow as 64-bit int. + +o Joe Guo <j...@catalyst.net.nz> + * BUG 13683: CVE-2018-16857 PEP8: Fix E305: Expected 2 blank lines after + class or function definition, found 1. + +o Aaron Haslett <aaronhasl...@catalyst.net.nz> + * BUG 13600: CVE-2018-14629: dns: CNAME loop prevention using counter. + +o Gary Lockyer <g...@catalyst.net.nz> + * BUG 13669: CVE-2018-16852: Fix NULL pointer de-reference in Samba AD DC + DNS management. + +o Garming Sam <garm...@catalyst.net.nz> + * BUG 13674: CVE-2018-16851: ldap_server: Check ret before manipulating blob. 
+ + +####################################### +Reporting bugs & Development Discussion +####################################### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical IRC channel on irc.freenode.net. + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. All bug reports should +be filed under the "Samba 4.1 and newer" product in the project's Bugzilla +database (https://bugzilla.samba.org/). + + +====================================================================== +== Our Code, Our Bugs, Our Responsibility. +== The Samba Team +====================================================================== + + +Release notes for older releases follow: +---------------------------------------- + ============================= Release Notes for Samba 4.9.2 November 08, 2018 @@ -89,8 +216,8 @@ database (https://bugzilla.samba.org/). ====================================================================== -Release notes for older releases follow: ----------------------------------------- +---------------------------------------------------------------------- + ============================= Release Notes for Samba 4.9.1 diff --git a/python/samba/tests/dns.py b/python/samba/tests/dns.py index 6771e3bb8c4..3e6306e2be8 100644 --- a/python/samba/tests/dns.py +++ b/python/samba/tests/dns.py 
@@ -844,6 +844,28 @@ class TestComplexQueries(DNSTest): self.assertEquals(response.answers[1].name, name2) self.assertEquals(response.answers[1].rdata, name0) + def test_cname_loop(self): + cname1 = "cnamelooptestrec." + self.get_dns_domain() + cname2 = "cnamelooptestrec2." + self.get_dns_domain() + cname3 = "cnamelooptestrec3." + self.get_dns_domain() + self.make_dns_update(cname1, cname2, dnsp.DNS_TYPE_CNAME) + self.make_dns_update(cname2, cname3, dnsp.DNS_TYPE_CNAME) + self.make_dns_update(cname3, cname1, dnsp.DNS_TYPE_CNAME) + + p = self.make_name_packet(dns.DNS_OPCODE_QUERY) + questions = [] + + q = self.make_name_question(cname1, + dns.DNS_QTYPE_A, + dns.DNS_QCLASS_IN) + questions.append(q) + self.finish_name_packet(p, questions) + + (response, response_packet) =\ + self.dns_transaction_udp(p, host=self.server_ip) + + max_recursion_depth = 20 + self.assertEquals(len(response.answers), max_recursion_depth) class TestInvalidQueries(DNSTest): def setUp(self): diff --git a/selftest/knownfail.d/dns b/selftest/knownfail.d/dns index a5176654cc2..a248432aafa 100644 --- a/selftest/knownfail.d/dns +++ b/selftest/knownfail.d/dns @@ -69,3 +69,9 @@ samba.tests.dns.__main__.TestSimpleQueries.test_qtype_all_query\(rodc:local\) # The SOA override should not pass against the RODC, it must not overstamp samba.tests.dns.__main__.TestSimpleQueries.test_one_SOA_query\(rodc:local\) + +# +# rodc and vampire_dc require signed dns updates, so the test setup +# fails, but the test does run on fl2003dc +^samba.tests.dns.__main__.TestComplexQueries.test_cname_loop\(rodc:local\) +^samba.tests.dns.__main__.TestComplexQueries.test_cname_loop\(vampire_dc:local\) diff --git a/source4/dns_server/dns_query.c b/source4/dns_server/dns_query.c index 923f7233eb9..65faeac3b6a 100644 --- a/source4/dns_server/dns_query.c +++ b/source4/dns_server/dns_query.c 
@@ -40,6 +40,7 @@ #undef DBGC_CLASS #define DBGC_CLASS DBGC_DNS +#define MAX_Q_RECURSION_DEPTH 20 struct forwarder_string { const char *forwarder; @@ -419,6 +420,11 @@ static struct tevent_req *handle_dnsrpcrec_send( state->answers = answers; state->nsrecs = nsrecs; + if (talloc_array_length(*answers) >= MAX_Q_RECURSION_DEPTH) { + tevent_req_done(req); + return tevent_req_post(req, ev); + } + resolve_cname = ((rec->wType == DNS_TYPE_CNAME) && ((question->question_type == DNS_QTYPE_A) || (question->question_type == DNS_QTYPE_AAAA))); diff --git a/source4/dns_server/dnsserver_common.c b/source4/dns_server/dnsserver_common.c index bbbfe920f4e..cc24a6c1b52 100644 --- a/source4/dns_server/dnsserver_common.c +++ b/source4/dns_server/dnsserver_common.c 
@@ -742,6 +742,94 @@ bool dns_name_is_static(struct dnsp_DnssrvRpcRecord *records, return false; } +/* + * Helper function to copy a dnsp_ip4_array struct to an IP4_ARRAY struct. + * The new structure and it's data are allocated on the supplied talloc context + */ +static struct IP4_ARRAY *copy_ip4_array(TALLOC_CTX *ctx, + const char *name, + struct dnsp_ip4_array array) +{ + + struct IP4_ARRAY *ip4_array = NULL; + unsigned int i; + + ip4_array = talloc_zero(ctx, struct IP4_ARRAY); + if (ip4_array == NULL) { + DBG_ERR("Out of memory copying property [%s]\n", name); + return NULL; + } + + ip4_array->AddrCount = array.addrCount; + if (ip4_array->AddrCount == 0) { + return ip4_array; + } + + ip4_array->AddrArray = + talloc_array(ip4_array, uint32_t, ip4_array->AddrCount); + if (ip4_array->AddrArray == NULL) { + TALLOC_FREE(ip4_array); + DBG_ERR("Out of memory copying property [%s] values\n", name); + return NULL; + } + + for (i = 0; i < ip4_array->AddrCount; i++) { + ip4_array->AddrArray[i] = array.addr[i]; + } + + return ip4_array; +} + +bool dns_zoneinfo_load_zone_property(struct dnsserver_zoneinfo *zoneinfo, + struct dnsp_DnsProperty *prop) +{ + switch (prop->id) { + case DSPROPERTY_ZONE_TYPE: + zoneinfo->dwZoneType = prop->data.zone_type; + break; + case DSPROPERTY_ZONE_ALLOW_UPDATE: + zoneinfo->fAllowUpdate = prop->data.allow_update_flag; + break; + case DSPROPERTY_ZONE_NOREFRESH_INTERVAL: + zoneinfo->dwNoRefreshInterval = prop->data.norefresh_hours; + break; + case DSPROPERTY_ZONE_REFRESH_INTERVAL: + zoneinfo->dwRefreshInterval = prop->data.refresh_hours; + break; + case DSPROPERTY_ZONE_AGING_STATE: + zoneinfo->fAging = prop->data.aging_enabled; + break; + case DSPROPERTY_ZONE_SCAVENGING_SERVERS: + zoneinfo->aipScavengeServers = copy_ip4_array( + zoneinfo, "ZONE_SCAVENGING_SERVERS", prop->data.servers); + if (zoneinfo->aipScavengeServers == NULL) { + return false; + } + break; + case DSPROPERTY_ZONE_AGING_ENABLED_TIME: + zoneinfo->dwAvailForScavengeTime = + 
prop->data.next_scavenging_cycle_hours; + break; + case DSPROPERTY_ZONE_MASTER_SERVERS: + zoneinfo->aipLocalMasters = copy_ip4_array( + zoneinfo, "ZONE_MASTER_SERVERS", prop->data.master_servers); + if (zoneinfo->aipLocalMasters == NULL) { + return false; + } + break; + case DSPROPERTY_ZONE_EMPTY: + case DSPROPERTY_ZONE_SECURE_TIME: + case DSPROPERTY_ZONE_DELETED_FROM_HOSTNAME: + case DSPROPERTY_ZONE_AUTO_NS_SERVERS: + case DSPROPERTY_ZONE_DCPROMO_CONVERT: + case DSPROPERTY_ZONE_SCAVENGING_SERVERS_DA: + case DSPROPERTY_ZONE_MASTER_SERVERS_DA: + case DSPROPERTY_ZONE_NS_SERVERS_DA: + case DSPROPERTY_ZONE_NODE_DBFLAGS: + break; + } + return true; +} WERROR dns_get_zone_properties(struct ldb_context *samdb, TALLOC_CTX *mem_ctx, struct ldb_dn *zone_dn, @@ -774,6 +862,7 @@ WERROR dns_get_zone_properties(struct ldb_context *samdb, } for (i = 0; i < element->num_values; i++) { + bool valid_property; prop = talloc_zero(mem_ctx, struct dnsp_DnsProperty); if (prop == NULL) { return WERR_NOT_ENOUGH_MEMORY; 
@@ -787,42 +876,10 @@ WERROR dns_get_zone_properties(struct ldb_context *samdb, return DNS_ERR(SERVER_FAILURE); } - switch (prop->id) { - case DSPROPERTY_ZONE_AGING_STATE: - zoneinfo->fAging = prop->data.aging_enabled; - break; - case DSPROPERTY_ZONE_NOREFRESH_INTERVAL: - zoneinfo->dwNoRefreshInterval = - prop->data.norefresh_hours; - break; - case DSPROPERTY_ZONE_REFRESH_INTERVAL: - zoneinfo->dwRefreshInterval = prop->data.refresh_hours; - break; - case DSPROPERTY_ZONE_ALLOW_UPDATE: - zoneinfo->fAllowUpdate = prop->data.allow_update_flag; - break; - case DSPROPERTY_ZONE_AGING_ENABLED_TIME: - zoneinfo->dwAvailForScavengeTime = - prop->data.next_scavenging_cycle_hours; - break; - case DSPROPERTY_ZONE_SCAVENGING_SERVERS: - zoneinfo->aipScavengeServers->AddrCount = - prop->data.servers.addrCount; - zoneinfo->aipScavengeServers->AddrArray = - prop->data.servers.addr; - break; - case DSPROPERTY_ZONE_EMPTY: - case DSPROPERTY_ZONE_TYPE: - case DSPROPERTY_ZONE_SECURE_TIME: - case DSPROPERTY_ZONE_DELETED_FROM_HOSTNAME: - case DSPROPERTY_ZONE_MASTER_SERVERS: - case DSPROPERTY_ZONE_AUTO_NS_SERVERS: - case DSPROPERTY_ZONE_DCPROMO_CONVERT: - case DSPROPERTY_ZONE_SCAVENGING_SERVERS_DA: - case DSPROPERTY_ZONE_MASTER_SERVERS_DA: - case DSPROPERTY_ZONE_NS_SERVERS_DA: - case DSPROPERTY_ZONE_NODE_DBFLAGS: - break; + valid_property = + dns_zoneinfo_load_zone_property(zoneinfo, prop); + if (!valid_property) { + return DNS_ERR(SERVER_FAILURE); } } diff --git a/source4/dns_server/dnsserver_common.h b/source4/dns_server/dnsserver_common.h index 380f61b8dbc..60ecde4fa91 100644 --- a/source4/dns_server/dnsserver_common.h +++ b/source4/dns_server/dnsserver_common.h @@ -87,4 +87,7 @@ NTSTATUS dns_common_zones(struct ldb_context *samdb, TALLOC_CTX *mem_ctx, struct ldb_dn *base_dn, struct dns_server_zone **zones_ret); + +bool dns_zoneinfo_load_zone_property(struct dnsserver_zoneinfo *zoneinfo, + struct dnsp_DnsProperty *prop); #endif /* __DNSSERVER_COMMON_H__ */ 
diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c index 193fa2ae653..18f700370a3 100644 --- a/source4/dsdb/common/util.c +++ b/source4/dsdb/common/util.c @@ -56,6 +56,9 @@ */ #include "dsdb/samdb/ldb_modules/util.h" +/* default is 30 minutes: -1e7 * 30 * 60 */ +#define DEFAULT_OBSERVATION_WINDOW -18000000000 + /* search the sam for the specified attributes in a specific domain, filter on objectSid being in domain_sid. @@ -5361,9 +5364,9 @@ int samdb_result_effective_badPwdCount(struct ldb_context *sam_ldb, if (res != NULL) { lockOutObservationWindow = - ldb_msg_find_attr_as_int(res->msgs[0], - "msDS-LockoutObservationWindow", - 0); + ldb_msg_find_attr_as_int64(res->msgs[0], + "msDS-LockoutObservationWindow", + DEFAULT_OBSERVATION_WINDOW); talloc_free(res); } else { @@ -5400,12 +5403,13 @@ static int64_t get_lockout_observation_window(struct ldb_message *domain_msg, struct ldb_message *pso_msg) { if (pso_msg != NULL) { - return ldb_msg_find_attr_as_int(pso_msg, - "msDS-LockoutObservationWindow", - 0); + return ldb_msg_find_attr_as_int64(pso_msg, + "msDS-LockoutObservationWindow", + DEFAULT_OBSERVATION_WINDOW); } else { - return ldb_msg_find_attr_as_int(domain_msg, - "lockOutObservationWindow", 0); + return ldb_msg_find_attr_as_int64(domain_msg, + "lockOutObservationWindow", + DEFAULT_OBSERVATION_WINDOW); } } diff --git a/source4/dsdb/tests/python/password_lockout.py b/source4/dsdb/tests/python/password_lockout.py index ec6cf13fe66..b09a732e179 100755 --- a/source4/dsdb/tests/python/password_lockout.py +++ b/source4/dsdb/tests/python/password_lockout.py 
@@ -88,6 +88,42 @@ class PasswordTests(password_lockout_base.BasePasswordTestCase): self.lockout2ntlm_ldb = self._readd_user(self.lockout2ntlm_creds, lockOutObservationWindow=self.lockout_observation_window) + + def use_pso_lockout_settings(self, creds): + + # create a PSO with the lockout settings the test cases normally expect + # + # Some test cases sleep() for self.account_lockout_duration + pso = PasswordSettings("lockout-PSO", self.ldb, lockout_attempts=3, + lockout_duration=self.account_lockout_duration) + self.addCleanup(self.ldb.delete, pso.dn) + + userdn = "cn=%s,cn=users,%s" % (creds.get_username(), self.base_dn) + pso.apply_to(userdn) + + # update the global lockout settings to be wildly different to what + # the test cases normally expect + self.update_lockout_settings(threshold=10, duration=600, + observation_window=600) + + def _reset_samr(self, res): + + # Now reset the lockout, by removing ACB_AUTOLOCK (which removes the lock, despite being a generated attribute) + samr_user = self._open_samr_user(res) + acb_info = self.samr.QueryUserInfo(samr_user, 16) + acb_info.acct_flags &= ~samr.ACB_AUTOLOCK + self.samr.SetUserInfo(samr_user, 16, acb_info) + self.samr.Close(samr_user) + + +class PasswordTestsWithoutSleep(PasswordTests): + def setUp(self): + # The tests in this class do not sleep, so we can have a + # longer window and not flap on slower hosts + self.account_lockout_duration = 30 + self.lockout_observation_window = 30 + super(PasswordTestsWithoutSleep, self).setUp() + def _reset_ldap_lockoutTime(self, res): self.ldb.modify_ldif(""" dn: """ + str(res[0].dn) + """ 
@@ -615,23 +651,130 @@ userPassword: thatsAcomplPASS2XYZ "samr", initial_lastlogon_relation='greater') - def use_pso_lockout_settings(self, creds): - # create a PSO with the lockout settings the test cases normally expect - pso = PasswordSettings("lockout-PSO", self.ldb, lockout_attempts=3, - lockout_duration=3) - self.addCleanup(self.ldb.delete, pso.dn) + def test_multiple_logon_krb5(self): + self._test_multiple_logon(self.lockout1krb5_creds) -- Samba Shared Repository
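Review bot: in the first WHATSNEW.txt hunk (@@ -1,3 +1,130 @@), the CVE-2018-16852 paragraph reads "During the processing of an DNS zone", which should be "a DNS zone". In the same hunk the CVE-2018-16857 paragraph says a window "of more than 3 minutes" may not be watched at all, while the 4f86beeaf34 commit message puts the int32 limit at -2147483648, about 3.5 minutes; the two figures should agree, since administrators will read the release note to decide whether their own observation window was affected.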
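Review bot: in the python/samba/tests/dns.py hunk, `max_recursion_depth = 20` in test_cname_loop duplicates `MAX_Q_RECURSION_DEPTH` from source4/dns_server/dns_query.c with no link between the two, so a later change to the server-side cap would only be caught when someone remembers to update both; a comment naming the macro, or a single shared constant, would avoid that. The test also asserts only on `len(response.answers)`; asserting the response rcode as well makes sure a loop that is cut short by a server error rather than by the cap does not pass by accident.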
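Review bot: in the second source4/dns_server/dns_query.c hunk (@@ -419,6 +420,11 @@), reaching the cap in `if (talloc_array_length(*answers) >= MAX_Q_RECURSION_DEPTH)` completes the request silently with `tevent_req_done(req)`, so an operator only ever sees a 20-record answer and nothing in the server log. A `DBG_WARNING` naming the question when the cap is hit would make a CNAME loop in the zone (the condition CVE-2018-14629 is about) visible rather than merely bounded, which is what a defender wants in order to find and remove the looping records. Two smaller points: the macro is named for recursion depth but counts answers, and the bare `20` in `#define MAX_Q_RECURSION_DEPTH 20` carries no comment pointing at the Microsoft behaviour the commit message says it mirrors.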
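Review bot: in the first source4/dns_server/dnsserver_common.c hunk (@@ -742,6 +742,94 @@), the switch in `dns_zoneinfo_load_zone_property` has no `default:` arm, so a `prop->id` outside the listed enumerators falls out of the switch and the function returns true; compilers only warn about unlisted enumerators, not about values that are not in the enum at all, and the property blob is parsed from whatever was stored in the zone record. A `default:` that logs the unknown id and returns false (or at least logs it) would make the fall-through explicit. Also, in the `copy_ip4_array` comment, "it's data" should be "its data".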
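Review bot: in the third source4/dns_server/dnsserver_common.c hunk (@@ -787,42 +876,10 @@), the only way `dns_zoneinfo_load_zone_property` can return false is the two out-of-memory paths in `copy_ip4_array`, yet the caller maps that to `return DNS_ERR(SERVER_FAILURE);`, while the `talloc_zero` failure a few lines earlier in the same function returns `WERR_NOT_ENOUGH_MEMORY`. Returning the same code for both keeps allocation failures distinguishable from a malformed property when the error reaches the caller. The removed lines show the original defect clearly: `zoneinfo->aipScavengeServers->AddrCount = ...` wrote through a pointer that was never allocated, and also aliased `prop->data.servers.addr` instead of copying it; the new helper addresses both.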
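Review bot: in the first source4/dsdb/common/util.c hunk (@@ -56,6 +56,9 @@), `#define DEFAULT_OBSERVATION_WINDOW -18000000000` has no suffix; the literal is well-defined in C99 (it is given type `long long` because it does not fit an `int` or a 32-bit `long`), but an `LL` suffix or a cast to `int64_t` states the intent and protects the macro if it is ever used in an expression whose other operands are `int`. The comment `-1e7 * 30 * 60` is a useful cross-check and matches the value.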
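Review bot: in the second source4/dsdb/common/util.c hunk (@@ -5361,9 +5364,9 @@), the read in `samdb_result_effective_badPwdCount` is switched to `ldb_msg_find_attr_as_int64`, but the declaration of `lockOutObservationWindow` is outside the context lines; it needs to be `int64_t`, since assigning the 64-bit result to an `int` would truncate the new -18000000000 default exactly as the old `_as_int` read did and leave CVE-2018-16857 open in this function. A one-line confirmation in the commit message, or widening the hunk context to show the declaration, would let a reviewer verify this from the patch alone.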
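Review bot: in the first source4/dsdb/tests/python/password_lockout.py hunk (@@ -88,6 +88,42 @@), the comment line in `_reset_samr` ("Now reset the lockout, by removing ACB_AUTOLOCK (which removes the lock, despite being a generated attribute)") is far over 79 columns, which stands out in a series whose other backports exist only to fix PEP8 findings in this file; wrap it. In `use_pso_lockout_settings`, the PSO is registered with `self.addCleanup(self.ldb.delete, pso.dn)` but the global change `self.update_lockout_settings(threshold=10, duration=600, observation_window=600)` has no matching cleanup in the hunk, so unless a tearDown elsewhere restores the domain policy, a test that fails after this call leaves the 10-attempt, 600-second policy in place for later tests in the same environment.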
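The three lockOutObservationWindow commits above (4f86beeaf34, d12b02c7884 and 60b2cd50f4d) describe why CVE-2018-16857 happened: the window is a negative 100ns interval, the 30-minute domain default is -18000000000, and a 32-bit read cannot hold anything longer than about 3.5 minutes, so the count of bad passwords was never "inside the window". The following is an added, self-contained C example, not Samba's code: `ad_interval_from_seconds`, `interval_fits_int32`, `parse_interval_attr` and `effective_bad_pwd_count` are hypothetical helpers that model the arithmetic in the commit messages (the parser is a stand-in for ldb_msg_find_attr_as_int64 with a default, and the effective-count rule is a simplified model of the check, not the function in dsdb/common/util.c). The timestamps in main() are constructed values.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* NT timestamps and AD interval attributes count 100ns ticks. */
#define TICKS_PER_SECOND 10000000LL

/* AD stores lockOutObservationWindow as a negative 100ns interval, so the
 * domain default of 30 minutes is -1e7 * 30 * 60 = -18000000000.
 * Hypothetical helper, not a Samba function. */
int64_t ad_interval_from_seconds(int64_t seconds)
{
	return -(seconds * TICKS_PER_SECOND);
}

/* True if the interval survives a 32-bit integer read.  The commit message
 * puts the limit at -2147483648, about 3.5 minutes; any longer window is
 * lost by an int-sized read, which is the core of CVE-2018-16857. */
bool interval_fits_int32(int64_t interval)
{
	return interval >= INT32_MIN && interval <= INT32_MAX;
}

/* Read an interval attribute the way the fix does: as a 64-bit value with a
 * non-zero default when the attribute is missing or unparsable.  The
 * attribute is decimal text in the directory; this is a stand-alone
 * stand-in for ldb_msg_find_attr_as_int64(), not ldb itself. */
int64_t parse_interval_attr(const char *text, int64_t default_value)
{
	char *end = NULL;
	long long value;

	if (text == NULL || *text == '\0') {
		return default_value;
	}
	value = strtoll(text, &end, 10);
	if (end == text || *end != '\0') {
		return default_value;
	}
	return (int64_t)value;
}

/* Simplified model (hypothetical, not Samba's code) of the effective
 * badPwdCount: the stored count only applies while the last bad password
 * falls inside the observation window, otherwise it counts as 0.  The
 * window is negative, so subtracting it moves the bad-password time
 * forward to the end of the window.  With window == 0, the old default,
 * no past bad password can ever satisfy the test, so lockout never
 * triggers. */
int effective_bad_pwd_count(int bad_pwd_count, int64_t bad_password_time,
			    int64_t now, int64_t window)
{
	if (bad_password_time - window >= now) {
		return bad_pwd_count;
	}
	return 0;
}

int main(void)
{
	/* constructed values: an arbitrary "now" and a bad password 5 minutes earlier */
	const int64_t now = 132000000000000000LL;
	const int64_t last_bad = now - 5 * 60 * TICKS_PER_SECOND;
	const int64_t default_window = ad_interval_from_seconds(30 * 60);
	/* attribute text as the directory would hold it, plus a missing one */
	const int64_t stored = parse_interval_attr("-18000000000", default_window);
	const int64_t missing = parse_interval_attr("", default_window);

	printf("30 min window = %lld, fits int32: %s\n",
	       (long long)default_window,
	       interval_fits_int32(default_window) ? "yes" : "no");
	printf("parsed window = %lld, missing attr -> default %lld\n",
	       (long long)stored, (long long)missing);
	printf("window 0 (old default), 3 bad passwords 5 min ago: effective count %d\n",
	       effective_bad_pwd_count(3, last_bad, now, 0));
	printf("window 30 min, 3 bad passwords 5 min ago: effective count %d\n",
	       effective_bad_pwd_count(3, last_bad, now, default_window));
	return 0;
}
```

The two printed effective counts are the whole story of the advisory: with the observation window silently collapsed to zero, an account with three recent bad passwords is treated as having none, so the lockout threshold is never reached; with the 64-bit read and the 30-minute default, the same history counts.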