The branch, v4-14-test has been updated
via a1dae6a208a VERSION: Bump version up to Samba 4.14.11...
via 9312b1832e5 VERSION: Disable GIT_SNAPSHOT for the 4.14.10 release.
via b643df361ed WHATSNEW: Add release notes for Samba 4.14.10.
via 25c944643f3 CVE-2021-3738 s4:rpc_server/samr: make use of
dcesrv_samdb_connect_as_*() helper
via b1aba4e2bc7 CVE-2021-3738 s4:rpc_server/netlogon: make use of
dcesrv_samdb_connect_as_*() helper
via 57959216435 CVE-2021-3738 s4:rpc_server/lsa: make use of
dcesrv_samdb_connect_as_user() helper
via f583cda95ab CVE-2021-3738 s4:rpc_server/dnsserver: make use of
dcesrv_samdb_connect_as_user() helper
via 215fb2275f0 CVE-2021-3738 s4:rpc_server/drsuapi: make use of
assoc_group aware dcesrv_samdb_connect_as_*() helpers
via 0200d5ab2f4 CVE-2021-3738 s4:rpc_server/common: provide assoc_group
aware dcesrv_samdb_connect_as_{system,user}() helpers
via 258710a9f21 CVE-2021-3738 auth_util: avoid talloc_tos() in
copy_session_info()
via 50c0ac89d52 CVE-2021-3738 s4:torture/drsuapi: DsBindAssocGroup*
tests
via 5d212fb77f5 CVE-2021-3738 s4:torture/drsuapi: maintain
priv->admin_credentials
via 61c8272b27c CVE-2021-3738 s4:torture/drsuapi: maintain
priv->dc_credentials
via a8fbaf0c96d CVE-2021-3738 s4:torture/drsuapi: don't pass DsPrivate
to test_DsBind()
via 279f057f23d CVE-2016-2124: s3:libsmb: don't fallback to non spnego
authentication if we require kerberos
via d1cf8259c52 CVE-2016-2124: s4:libcli/sesssetup: don't fallback to
non spnego authentication if we require kerberos
via e6a1fbbf605 CVE-2021-23192: dcesrv_core: only the first fragment
specifies the auth_contexts
via 396b19acac7 CVE-2021-23192: python/tests/dcerpc: add tests to check
how security contexts relate to fragmented requests
via f2de7ce5004 CVE-2021-23192: python/tests/dcerpc: fix
do_single_request(send_req=False)
via 5b96c3f932d CVE-2021-23192: python/tests/dcerpc: let
generate_request_auth() use g_auth_level in all places
via ce2a20fa4b1 CVE-2021-23192: python/tests/dcerpc: change
assertNotEquals() into assertNotEqual()
via 793cdac7d38 CVE-2021-23192: dcesrv_core: add
dcesrv_fault_disconnect0() that skips DCERPC_PFC_FLAG_DID_NOT_EXECUTE
via a106cfd0920 CVE-2021-23192: dcesrv_core: add better debugging to
dcesrv_fault_disconnect()
via e10f8c1d99c CVE-2021-23192 librpc: Remove the gensec dependency
from library dcerpc-binding
via cc63aa0f6fc CVE-2021-23192 rpc: Give dcerpc_util.c its own header
via bb154cc15a6 CVE-2020-25722 selftest: Ensure check for duplicate
servicePrincipalNames is not bypassed for an add operation
via c1dd80a0aa8 CVE-2020-25722 selftest: Add test for duplicate
servicePrincipalNames on an add operation
via 2d5fef5e222 CVE-2020-25722 pytests: Give computer accounts unique
(and valid) sAMAccountNames and SPNs
via 77a36f23fac CVE-2020-25719 selftest: Always expect a PAC in TGS
replies with Heimdal
via 3a4326f2b59 Revert "CVE-2020-25719 heimdal:kdc: Require authdata to
be present"
via 4dbe9d5b8ce CVE-2020-25718 heimdal:kdc: Add comment about tests for
tickets of users not revealed to an RODC
via 1a24abc3554 CVE-2020-25719 tests/krb5: Add tests for using a ticket
with a renamed account
via b28a7db8a43 CVE-2020-25718 tests/krb5: Only fetch RODC account
credentials when necessary
via 50e11804fad CVE-2020-25719 heimdal:kdc: Require PAC to be present
via 355c4509e5c CVE-2020-25722 kdc: Do not honour a request for a
3-part SPN (ending in our domain/realm) unless a DC
via 0535afe7fa4 CVE-2020-25719 heimdal:kdc: Verify PAC in TGT provided
for user-to-user authentication
via 675b1bf5c9e CVE-2020-25719 heimdal:kdc: Check name in request
against name in user-to-user TGT
via edb967359a4 CVE-2020-25719 heimdal:kdc: Use sname from request
rather than user-to-user TGT client name
via 73aa72843b2 CVE-2020-25719 heimdal:kdc: Move fetching krbtgt entry
to before enctype selection
via 46aeacff8a0 CVE-2020-25719 heimdal:kdc: Check return code
via 45ff2b32361 CVE-2020-25719 s4:kdc: Add KDC support for
PAC_REQUESTER_SID PAC buffer
via 07f9a85a161 CVE-2020-25722 Ensure the structural objectclass cannot
be changed
via eac75fb3b60 CVE-2020-25721 auth: Fill in the new
HAS_SAM_NAME_AND_SID values
via d68a530c66c CVE-2020-25719 kdc: Avoid races and multiple DB lookups
in s4u2self check
via 033009044eb CVE-2020-25718 kdc: Return ERR_POLICY if RODC krbtgt
account is invalid
via b8a81c06357 CVE-2020-25718 kdc: Confirm the RODC was allowed to
issue a particular ticket
via d3bd072c0e9 CVE-2020-25718 dsdb: Bring sid_helper.c into common
code as rodc_helper.c
via 1ca1ddbe277 CVE-2020-25718 s4-rpc_server: Add in debug messages
into RODC processing
via d375c5fea5d CVE-2020-25718 s4-rpc_server: Explain why we use
DSDB_SEARCH_SHOW_EXTENDED_DN in RODC access check
via e4607305748 CVE-2020-25718 s4-rpc_server: Remove unused attributes
in RODC check
via 60a136bcc6c CVE-2020-25718 s4-rpc_server: Provide wrapper
samdb_confirm_rodc_allowed_to_repl_to()
via 0619d4eb4fc CVE-2020-25718 s4-rpc_server: Confirm that the RODC has
the UF_PARTIAL_SECRETS_ACCOUNT bit
via 91415e7b524 CVE-2020-25718 s4-rpc_server: Put msDS-KrbTgtLinkBL and
UF_INTERDOMAIN_TRUST_ACCOUNT RODC checks in common
via 55fdf0f63c2 CVE-2020-25718 s4-rpc_server: Put RODC reveal/never
reveal logic into a single helper function
via de34a5bb534 CVE-2020-25718 s4-rpc_server: Obtain the user
tokenGroups earlier
via b57045193a9 CVE-2020-25718 s4-rpc_server: Change sid list functions
to operate on a array of struct dom_sid
via 649c9d1577a CVE-2020-25718 kdc: Remove unused
samba_kdc_get_pac_blob()
via 289a526bfd8 CVE-2020-25719 heimdal:kdc: Require authdata to be
present
via 30fb296a38a CVE-2020-25719 s4:kdc: Add KDC support for
PAC_ATTRIBUTES_INFO PAC buffer
via d15ace2d817 CVE-2020-25719 s4:kdc: Check if the pac is valid before
updating it
via 36a1c87654c CVE-2020-25719 s4:kdc: Add samba_kdc_validate_pac_blob()
via 3ba4cf29e7f CVE-2020-25719 s4:kdc: Remove trailing spaces in
pac-glue.c
via 1fcd10069f7 CVE-2020-25719 mit_samba: Create the talloc context
earlier
via 048c400e02c CVE-2020-25719 mit_samba: The samba_princ_needs_pac
check should be on the server entry
via 7d27aed01ac CVE-2020-25719 mit-samba: Rework PAC handling in
kdb_samba_db_sign_auth_data()
via d29c0d94dc3 CVE-2020-25719 mit-samba: Handle no DB entry in
mit_samba_get_pac()
via 481d47e2428 CVE-2020-25719 mit-samba: Add
mit_samba_princ_needs_pac()
via 171162bb5e4 CVE-2020-25719 mit-samba: If we use client_princ,
always lookup the db entry
via c888bbe632d CVE-2020-25719 mit-samba: Add ks_free_principal()
via 41ff051f8b9 CVE-2020-25719 mit-samba: Make ks_get_principal()
internally public
via 694b16b516a CVE-2020-25722 pytest: Raise an error when adding a
dynamic test that would overwrite an existing test
via 4ecd2f5b8e4 CVE-2020-25719 s4/torture: Expect additional PAC buffers
via 473f1b64812 CVE-2020-25719 tests/krb5: Add tests for mismatched
names with user-to-user
via a2de8b1c172 CVE-2020-25719 tests/krb5: Add test for user-to-user
with no sname
via bccbedcee29 CVE-2020-25719 tests/krb5: Add tests for requester SID
PAC buffer
via 2465874ef8b CVE-2020-25719 tests/krb5: Add tests for PAC-REQUEST
padata
via 9d5d2d0ae4b CVE-2020-25719 tests/krb5: Add tests for PAC attributes
buffer
via 1c8fbb41c24 CVE-2020-25719 tests/krb5: Add expected parameters to
cache key for obtaining tickets
via 08c388112f8 CVE-2020-25719 tests/krb5: Add EXPECT_PAC environment
variable to expect pac from all TGS tickets
via c8f445ad6bc CVE-2020-25719 tests/krb5: Add testing for
PAC_TYPE_REQUESTER_SID PAC buffer
via a9a3783182c CVE-2020-25719 tests/krb5: Add testing for
PAC_TYPE_ATTRIBUTES_INFO PAC buffer
via c813b12d0f8 CVE-2020-25719 tests/krb5: Add _modify_tgt() method for
modifying already obtained tickets
via e875ebd31d1 CVE-2020-25719 tests/krb5: Extend _get_tgt() method to
allow more modifications to tickets
via c6ca9b34ade CVE-2020-25719 tests/krb5: tests/krb5: Adjust expected
error code for S4U2Self no-PAC tests
via 30e11e0d227 CVE-2020-25719 tests/krb5: Adjust expected error codes
for user-to-user tests
via 8eeeececd28 CVE-2020-25719 tests/krb5: Adjust PAC tests to prepare
for new PAC_ATTRIBUTES_INFO buffer
via 85f43f2ccb4 CVE-2020-25719 tests/krb5: Use correct credentials for
user-to-user tests
via 78b7f477d59 CVE-2020-25719 tests/krb5: Return ticket from _tgs_req()
via e4a06fdb47c CVE-2020-25719 tests/krb5: Expect 'renew-till' element
when renewing a TGT
via 8693af19e06 CVE-2020-25719 tests/krb5: Don't expect a kvno for
user-to-user
via 169a4d4d140 CVE-2020-25719 tests/krb5: Allow
update_pac_checksums=True if the PAC is not present
via ef65925a41e CVE-2020-25719 tests/krb5: Provide expected parameters
for both AS-REQs in get_tgt()
via a680362a129 CVE-2020-25719 krb5pac.idl: Add PAC_REQUESTER_SID PAC
buffer type
via c22162544b7 CVE-2020-25719 krb5pac.idl: Add PAC_ATTRIBUTES_INFO PAC
buffer type
via 9165ba35757 CVE-2020-25718 tests/krb5: Fix indentation
via ccb22bac0b2 CVE-2020-25722 selftest: Adapt ldap.py tests to new
objectClass restrictions
via ca84774f9a1 CVE-2020-25722 s4/dsdb/util: remove unused
dsdb_get_single_valued_attr()
via f22bb71047d CVE-2020-25722 s4/dsdb/pwd_hash: rework pwdLastSet
bypass
via a45d6b3a334 CVE-2020-25722 s4/dsdb/pwd_hash: password_hash_bypass
gets all values
via 78c1ab6d766 CVE-2020-25722 s4/dsdb/samldb:
samldb_fsmo_role_owner_check() wants one value
via 3b5444b055a CVE-2020-25722 s4/dsdb/samldb:
samldb_fsmo_role_owner_check checks values
via d5658cdc670 CVE-2020-25722 s4/dsdb/samldb:
samldb_service_principal_names_change checks values
via fc2bb65e330 CVE-2020-25722 s4/dsdb/samldb:
samldb_group_type_change() checks all values
via fd28cfa2654 CVE-2020-25722 s4/dsdb/samldb: samldb_lockout_time()
checks all values
via d8c9cea65bd CVE-2020-25722 s4/dsdb/samldb:
samldb_pwd_last_set_change() checks all values
via 6ca2f55676c CVE-2020-25722 s4/dsdb/samldb
_user_account_control_change() always add final value
via 577b9650964 CVE-2020-25722 s4/dsdb/samldb:
samldb_user_account_control_change() checks all values
via 94e91f35a8d CVE-2020-25722 s4/dsdb/samldb:
samldb_prim_group_change() checks all values
via 9d45b3bb978 CVE-2020-25722 s4/dsdb/samldb:
samldb_schema_add_handle_mapiid() checks all values
via b77df708e52 CVE-2020-25722 s4/dsdb/samldb:
samldb_schema_add_handle_linkid() checks all values
via 41fcff4b799 CVE-2020-25722 s4/dsdb/samldb:
samldb_sam_accountname_valid_check() check all values
via 74b549b9511 CVE-2020-25722 s4/dsdb/samldb:
samldb_get_single_valued_attr() check all values
via 14d3ce25574 CVE-2020-25722 s4/dsdb modules: add
dsdb_get_expected_new_values()
via 59e17459b2d CVE-2020-25722 s4/dsdb/samldb: reject SPN with too
few/many components
via ce588b348db CVE-2020-25722 s4/dsdb/samldb: check for SPN
uniqueness, including aliases
via 57dafb48b1e CVE-2020-25722 s4/dsdb/samldb: check sAMAccountName for
illegal characters
via a87278b69c2 CVE-2020-25722 s4/dsdb/samldb: check for clashes in
UPNs/samaccountnames
via 083813b6355 CVE-2020-25722 s4/dsdb/samldb: unique_attr_check uses
samldb_get_single_valued_attr()
via 3e22df9e6c1 CVE-2020-25722 s4/dsdb/samldb: add
samldb_get_single_valued_attr() helper
via 58fc20e1011 CVE-2020-25722 s4/cracknames: add comment pointing to
samldb spn handling
via 503106c6b34 CVE-2020-25722 pytest: test setting
servicePrincipalName over ldap
via f1b6fe0097d CVE-2020-25722 pytest: test
sAMAccountName/userPrincipalName over ldap
via 82ea0d52b0d CVE-2020-25722 blackbox/upgrades tests: ignore SPN for
ldapcmp
via f832d937516 CVE-2020-25722 s4/provision: add host/ SPNs at the start
via cb04abae1fe CVE-2020-25722 tests: blackbox samba-tool spn non-admin
test
via 87d003ad564 CVE-2020-25722 samba-tool spn add: remove --force option
via 848843db970 CVE-2020-25722 samba-tool spn: accept -H for database
url
via 98bdd95203d CVE-2020-25722 s4/cracknames: lookup_spn_alias doesn't
need krb5 context
via 62d1f79acfc CVE-2020-25722 s4/dsdb/cracknames: always free tmp_ctx
in spn_alias
via db401161cf9 CVE-2020-25722 pytest: assertRaisesLdbError invents a
message if you're lazy
via 25790f26c6f CVE-2020-25722 pytests: add reverse lookup dict for LDB
error codes
via 4c1ba7dd427 CVE-2020-25722 Check for all errors from
acl_check_extended_right() in acl_check_spn()
via 0198f682d40 CVE-2020-25722 Check all elements in acl_check_spn()
not just the first one
via 161b8fd92b4 CVE-2020-25722: s4-acl: Make sure Control Access Rights
honor the Applies-to attribute
via 47d0a332219 CVE-2020-25722: s4-acl: test Control Access Rights
honor the Applies-to attribute
via 874e91944b7 CVE-2020-25722 s4:dsdb:tests: Add missing self.fail()
calls
via 8fb38f5b47d CVE-2020-25722 Add test for SPN deletion followed by
addition
via af11f643f50 CVE-2020-25717: s3:auth: simplify
make_session_info_krb5() by removing unused arguments
via da61668c8a0 CVE-2020-25717: s3:auth: simplify
get_user_from_kerberos_info() by removing the unused logon_info argument
via cf3de54d6d6 CVE-2020-25717: s3:auth: let
auth3_generate_session_info_pac() reject a PAC in standalone mode
via 182db923a1d CVE-2020-25717: selftest: configure 'ktest' env with
winbindd and idmap_autorid
via d5b302e674f CVE-2020-25717: s3:auth: let
auth3_generate_session_info_pac() delegate everything to
make_server_info_wbcAuthUserInfo()
via e5f10558e08 CVE-2020-25717: s3:ntlm_auth: let
ntlm_auth_generate_session_info_pac() base the name on the PAC LOGON_INFO only
via 3cceba46aa5 CVE-2020-25717: s3:ntlm_auth: fix memory leaks in
ntlm_auth_generate_session_info_pac()
via f2aafe55629 CVE-2020-25719 CVE-2020-25717: s4:auth: remove unused
auth_generate_session_info_principal()
via 151b6145e1c CVE-2020-25719 CVE-2020-25717: auth/gensec: always
require a PAC in domain mode (DC or member)
via c219b832d96 CVE-2020-25717: Add FreeIPA domain controller role
via cc1c47f1679 CVE-2020-25717: s3:auth: don't let create_local_token
depend on !winbind_ping()
via 9c66eacf637 CVE-2020-25717: s3:lib: add lp_allow_trusted_domains()
logic to is_allowed_domain()
via 6280d99de7d CVE-2020-25717: s3:auth: remove fallbacks in
smb_getpwnam()
via c3c49ceeb79 CVE-2020-25717: s3:auth: no longer let check_account()
autocreate local users
via 8aeac144220 CVE-2020-25717: s3:auth: we should not try to
autocreate the guest account
via 39c834af938 CVE-2020-25717: s3:auth: Check minimum domain uid
via a624a73ce46 CVE-2020-25717: s3:auth: let
auth3_generate_session_info_pac() forward the low level errors
via 7ca428223f5 CVE-2020-25717: selftest: Add a test for the new 'min
domain uid' parameter
via e43275fc182 CVE-2020-25717: selftest: Add ad_member_no_nss_wb
environment
via adb6620043d CVE-2020-25717: loadparm: Add new parameter "min domain
uid"
via 76859f7926c CVE-2020-25717: auth/ntlmssp: start with authoritative
= 1
via 4414546589b CVE-2020-25717: s3:auth: start with authoritative = 1
via a5e515b9637 CVE-2020-25717: s3:rpcclient: start with authoritative
= 1
via bfd89cdbaa4 CVE-2020-25717: s3:torture: start with authoritative = 1
via 0420b616035 CVE-2020-25717: s3:ntlm_auth: start with authoritative
= 1
via c01d19f7f99 CVE-2020-25717: s4:auth_simple: start with
authoritative = 1
via f9e3774dbf0 CVE-2020-25717: s4:smb_server: start with authoritative
= 1
via 6b2ea12fe47 CVE-2020-25717: s4:torture: start with authoritative = 1
via 68e093683c7 CVE-2020-25717: s4:auth/ntlm: make sure
auth_check_password() defaults to r->out.authoritative = true
via 1e84bcbe4cb CVE-2020-25717: s3:winbindd: make sure we default to
r->out.authoritative = true
via cc26ffe5866 CVE-2020-25719 CVE-2020-25717 tests/krb5: Adapt tests
for connecting without a PAC to new error codes
via f111e42082a CVE-2020-25719 CVE-2020-25717: selftest: remove
"gensec:require_pac" settings
via e31b6f60944 CVE-2020-25719 CVE-2020-25717 tests/krb5: Add tests for
connecting to services anonymously and without a PAC
via 6dda0f61bb9 CVE-2020-25721 tests/krb5: Add tests for extended
PAC_UPN_DNS_INFO PAC buffer
via 61fcb75251c CVE-2020-25719 tests/krb5: Add tests for including
authdata without a PAC
via 8b92d9a36c8 CVE-2020-25718 tests/krb5: Add tests for RODC-printed
and invalid TGTs
via faba235a343 CVE-2020-25719 tests/krb5: Add principal aliasing test
via 62de092e86f CVE-2020-25719 tests/krb5: Add a test for making an
S4U2Self request without a PAC
via 888c6fbce8f CVE-2020-25719 tests/krb5: Add tests for requiring and
issuing a PAC
via adea7022c78 CVE-2020-25721 ndrdump: Add tests for PAC with
UPN_DNS_INFO
via 1d70752e750 CVE-2020-25722 tests/krb5: Add KDC tests for 3-part SPNs
via 1dda66e97d3 CVE-2020-25719 CVE-2020-25717 tests/krb5: Allow
create_ccache_with_user() to return a ticket without a PAC
via d1777f8e02c CVE-2020-25719 CVE-2020-25717 tests/krb5: Refactor
create_ccache_with_user() to take credentials of target service
via 1c440ea6575 CVE-2020-25721 tests/krb5: Check PAC buffer types when
STRICT_CHECKING=0
via 09bd4f4104a MS CVE-2020-17049 tests/krb5: Allow tests to pass if
ticket signature checksum type is wrong
via 02e37110354 CVE-2020-25719 tests/krb5: Add method to get unique
username for test accounts
via 4b012b23eb4 CVE-2020-25719 tests/krb5: Add is_tgt() helper method
via 59c218f1b81 CVE-2020-25722 tests/krb5: Allow creating server
accounts
via 89c88b9627b CVE-2020-25719 CVE-2020-25717 tests/krb5: Add
pac_request parameter to get_service_ticket()
via 139d1a36f91 CVE-2020-25719 CVE-2020-25717 tests/krb5: Modify
get_service_ticket() to use _generic_kdc_exchange()
via 824f17096ed CVE-2020-25718 tests/krb5: Allow tests accounts to
replicate to RODC
via df9bbb3e730 CVE-2020-25721 krb5pac: Add new buffers for
samAccountName and objectSID
via 9bbde0cdc39 CVE-2020-25722 selftest/user_account_control: more work
to cope with UAC/objectclass defaults and lock
via 37d53b95d79 CVE-2020-25722 selftest/user_account_control: Allow a
broader set of possible errors
via bcd8f88fe5e CVE-2020-25722 selftest: Allow
self.assertRaisesLdbError() to take a list of errors to match with
via 7196ae9d9af CVE-2020-25722 selftest: adapt ldap.py/sam.py test_all
tests to new default computer behaviour
via 67bb9043758 CVE-2020-25722 selftest: Adapt sam.py test to
userAccountControl/objectclass restrictions
via ab70916f296 CVE-2020-25722 selftest: New objects of
objectclass=computer are workstations by default now
via cafbb2fd60b CVE-2020-25722 selftest: Adjust sam.py
test_userAccountControl_computer_add_trust to new reality
via 0cdfa6aa607 CVE-2020-25722 selftest: Split test_userAccountControl
into unit tests
via 9e515f095e7 CVE-2020-25722 samdb: Fill in isCriticalSystemObject on
any account type change
via c52e0c06591 CVE-2020-25722 selftest: Adapt sam.py
test_isCriticalSystemObject to new UF_WORKSTATION_TRUST_ACCOUNT default
via 7f4a73a46ec CVE-2020-25722 dsdb: Add restrictions on computer
accounts without a trailing $
via 2a991280343 CVE-2020-25722 dsdb: samldb_objectclass_trigger() is
only called on ADD, so remove indentation
via 856c34fec0c CVE-2020-25722 selftest: Adapt selftest to restriction
on swapping account types
via 80ff13f19c0 CVE-2020-25722 selftest/priv_attrs: Mention that these
knownfails are OK (for now)
via 2dddaa5d3a5 CVE-2020-25722 dsdb: Prohibit mismatch between UF_
account types and objectclass.
via 2439f3c242a CVE-2020-25722 dsdb: Add tests for modifying
objectClass, userAccountControl and sAMAccountName
via 45a7506af62 CVE-2020-25722 dsdb: Improve privileged and
unprivileged tests for objectclass/doller/UAC
via a32ff3ba268 CVE-2020-25722 dsdb: objectclass computer becomes
UF_WORKSTATION_TRUST by default
via cd0747d1913 CVE-2020-25722 selftest: Catch errors from
samdb.modify() in user_account_control tests
via c1056e7a900 CVE-2020-25722 selftest: Catch possible errors in
PasswordSettingsTestCase.test_pso_none_applied()
via 0459578510a CVE-2020-25722 selftest: allow for future failures in
BindTests.test_virtual_email_account_style_bind
via ba97d5c59ce CVE-2020-25722 selftest: Test combinations of account
type and objectclass for creating a user
via 762ef653b9d CVE-2020-25722 selftest: Extend priv_attrs test - work
around UF_NORMAL_ACCOUNT rules on Windows 2019 (requires |UF_PASSWD_NOTREQD or
a password) - extend to also cover the sensitive UF_TRUSTED_FOR_DELEGATION
via e90034d9182 CVE-2020-25722 dsdb: Restrict the setting of privileged
attributes during LDAP add/modify
via 7bd4145daa7 CVE-2020-25722 dsdb: Move krbtgt password setup after
the point of checking if any passwords are changed
via 6bdda2d93ed CVE-2020-25722 dsdb: Tests for our known set of
privileged attributes
via b49fd977462 CVE-2020-17049 tests/krb5: Check account name and SID
in PAC for S4U tests
via 8ad19dda2ec CVE-2020-25722 selftest: Use
self.assertRaisesLdbError() in user_account_control.py test
via cb89e352cf4 CVE-2020-25722 selftest: Update user_account_control
tests to pass against Windows 2019
via c1fdd2d7508 CVE-2020-25722 selftest: Replace internal loop in
test_uac_bits_set() using @DynamicTestClass
via 1723d89f2ec CVE-2020-25722 selftest: Replace internal loop in
test_uac_bits_add() using @DynamicTestClass
via ce958b960f3 CVE-2020-25722 selftest: Use @DynamicTestCase in
user_account_control test_uac_bits_unrelated_modify()
via 39d90c85d4d CVE-2020-25722 pydsdb: Add API to return strings of
known UF_ flags
via 131f06517ee CVE-2020-25722 selftest: Use addCleanup rather than
tearDown in user_account_control.py
via 237a961da90 CVE-2020-25722 selftest: Modernise
user_account_control.py tests use a common self.OU
via 025cbda295e CVE-2020-25722 selftest: Move
self.assertRaisesLdbError() to samba.tests.TestCase
via 064c41a7696 CVE-2020-25719 selftest/knownfail_mit_kdc: Add
pointless knownfail to allow a later cherry-pick to apply cleanly
via d92787c05a0 CVE-2020-25717 auth4: Remove sync check_password from
auth_operations
via 3815c92cc87 CVE-2020-25717 auth4: Make auth_sam pseudo-async
via e0ae20193e3 CVE-2020-25717 auth4: Make auth_unix pseudo-async
via 849ef477cb3 CVE-2020-25717 auth4: Make auth_developer pseudo-async
via 16098012df9 CVE-2020-25717 auth4: Make auth_anonymous pseudo-async
via 5a5b1a06d6d CVE-2020-25717 auth: Simplify DEBUG statements in
make_auth3_context_for_ntlm()
via 44270951af6 CVE-2020-25717 auth3: Simplify check_samba4_security()
via 93289e90d6f CVE-2020-25717 selftest: Only set netbios aliases for
the ad_member env
via 6dbc3f11c02 CVE-2020-25717 selftest: Pass down the machine account
name to provision_ad_member
from 5e3b924cb35 ldb: version 2.3.2
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-14-test
- Log -----------------------------------------------------------------
commit a1dae6a208ad29d4a771a6d4d4f32e188ba2541b
Author: Stefan Metzmacher <me...@samba.org>
Date: Tue Nov 9 19:43:02 2021 +0100
VERSION: Bump version up to Samba 4.14.11...
and re-enable GIT_SNAPSHOT.
Signed-off-by: Stefan Metzmacher <me...@samba.org>
-----------------------------------------------------------------------
Summary of changes:
VERSION | 2 +-
WHATSNEW.txt | 113 +-
auth/auth_util.c | 9 +-
auth/credentials/tests/bind.py | 13 +-
auth/gensec/gensec_util.c | 27 +-
auth/ntlmssp/ntlmssp_server.c | 2 +-
docs-xml/smbdotconf/security/mindomainuid.xml | 17 +
docs-xml/smbdotconf/security/serverrole.xml | 7 +
docs-xml/smbdotconf/winbind/idmapconfig.xml | 4 +
lib/param/loadparm.c | 4 +
lib/param/loadparm_server_role.c | 2 +
lib/param/param_table.c | 1 +
lib/param/util.c | 1 +
libcli/auth/wscript_build | 10 +-
libcli/netlogon/netlogon.c | 2 +-
libds/common/flag_mapping.c | 50 +
libds/common/flag_mapping.h | 1 +
libds/common/flags.h | 5 +
libds/common/roles.h | 1 +
librpc/idl/krb5pac.idl | 38 +-
librpc/ndr/ndr_krb5pac.c | 4 +-
librpc/rpc/dcerpc_pkt_auth.c | 500 +++++
librpc/rpc/dcerpc_pkt_auth.h | 59 +
librpc/rpc/dcerpc_util.c | 465 +----
librpc/rpc/dcerpc_util.h | 85 +
librpc/rpc/dcesrv_auth.c | 30 +
librpc/rpc/dcesrv_core.c | 161 +-
librpc/rpc/dcesrv_reply.c | 1 +
librpc/rpc/rpc_common.h | 74 -
librpc/wscript_build | 25 +-
python/samba/netcmd/spn.py | 37 +-
python/samba/tests/__init__.py | 58 +-
python/samba/tests/blackbox/ndrdump.py | 35 +
python/samba/tests/dcerpc/raw_protocol.py | 1561 ++++++++++++++--
python/samba/tests/dcerpc/raw_testcase.py | 57 +-
python/samba/tests/dsdb_api.py | 57 +
python/samba/tests/krb5/alias_tests.py | 201 ++
python/samba/tests/krb5/kdc_base_test.py | 168 +-
python/samba/tests/krb5/kdc_tgs_tests.py | 1922 +++++++++++++++++++-
python/samba/tests/krb5/raw_testcase.py | 239 ++-
python/samba/tests/krb5/rfc4120_constants.py | 3 +
python/samba/tests/krb5/rodc_tests.py | 2 +
python/samba/tests/krb5/s4u_tests.py | 49 +-
python/samba/tests/krb5/spn_tests.py | 212 +++
python/samba/tests/krb5/test_ccache.py | 67 +-
python/samba/tests/krb5/test_ldap.py | 100 +-
python/samba/tests/krb5/test_min_domain_uid.py | 121 ++
python/samba/tests/krb5/test_rpc.py | 70 +-
python/samba/tests/krb5/test_smb.py | 71 +-
python/samba/tests/ldap_spn.py | 917 ++++++++++
python/samba/tests/ldap_upn_sam_account.py | 510 ++++++
python/samba/tests/samba_tool/computer.py | 18 +-
python/samba/tests/usage.py | 3 +
selftest/knownfail.d/ldap_spn | 1 +
selftest/knownfail.d/modify-order | 2 +-
selftest/knownfail.d/priv_attr | 13 +
selftest/knownfail.d/uac_objectclass_restrict | 17 +
selftest/knownfail_heimdal_kdc | 16 +-
selftest/knownfail_mit_kdc | 148 +-
selftest/selftest.pl | 2 -
selftest/target/Samba.pm | 2 +
selftest/target/Samba3.pm | 98 +-
selftest/target/Samba4.pm | 2 -
selftest/tests.py | 1 +
source3/auth/auth.c | 18 +-
source3/auth/auth_generic.c | 160 +-
source3/auth/auth_sam.c | 14 +-
source3/auth/auth_samba4.c | 31 +-
source3/auth/auth_util.c | 105 +-
source3/auth/proto.h | 3 -
source3/auth/user_krb5.c | 79 +-
source3/include/smb_macros.h | 2 +-
source3/lib/netapi/joindomain.c | 1 +
source3/lib/util_names.c | 15 +-
source3/librpc/rpc/dcerpc_helpers.c | 1 +
source3/libsmb/cliconnect.c | 9 +
source3/param/loadparm.c | 6 +-
source3/passdb/lookup_sid.c | 2 +-
source3/passdb/machine_account_secrets.c | 7 +-
source3/registry/reg_backend_prod_options.c | 1 +
source3/rpc_client/cli_pipe.c | 1 +
source3/rpc_client/rpc_transport_np.c | 1 +
source3/rpc_server/dssetup/srv_dssetup_nt.c | 1 +
source3/rpc_server/rpc_ncacn_np.c | 1 +
source3/rpcclient/cmd_netlogon.c | 2 +-
source3/smbd/server.c | 2 +-
source3/torture/pdbtest.c | 2 +-
source3/utils/ntlm_auth.c | 95 +-
source3/utils/ntlm_auth_diagnostics.c | 10 +-
source3/winbindd/winbindd_dual_srv.c | 7 +
source3/winbindd/winbindd_irpc.c | 7 +
source3/winbindd/winbindd_misc.c | 2 +-
source3/winbindd/winbindd_pam.c | 15 +-
source3/winbindd/winbindd_pam_auth_crap.c | 9 +-
source3/winbindd/winbindd_util.c | 47 +-
source3/wscript_build | 8 +-
source4/auth/auth.h | 12 -
source4/auth/ntlm/auth.c | 99 +-
source4/auth/ntlm/auth_anonymous.c | 66 +-
source4/auth/ntlm/auth_developer.c | 61 +-
source4/auth/ntlm/auth_sam.c | 81 +-
source4/auth/ntlm/auth_simple.c | 2 +-
source4/auth/ntlm/auth_unix.c | 85 +-
source4/auth/ntlm/wscript_build | 4 +-
source4/auth/sam.c | 5 +-
source4/dsdb/common/rodc_helper.c | 284 +++
source4/dsdb/common/util.c | 11 +
source4/dsdb/pydsdb.c | 30 +
source4/dsdb/samdb/cracknames.c | 19 +-
source4/dsdb/samdb/ldb_modules/acl.c | 120 +-
source4/dsdb/samdb/ldb_modules/acl_util.c | 40 +
source4/dsdb/samdb/ldb_modules/dirsync.c | 13 +-
source4/dsdb/samdb/ldb_modules/objectclass.c | 36 +
source4/dsdb/samdb/ldb_modules/password_hash.c | 164 +-
source4/dsdb/samdb/ldb_modules/samldb.c | 1921 ++++++++++++++++---
source4/dsdb/samdb/ldb_modules/util.c | 119 +-
source4/dsdb/tests/python/acl.py | 97 +
source4/dsdb/tests/python/ldap.py | 49 +-
source4/dsdb/tests/python/linked_attributes.py | 21 -
source4/dsdb/tests/python/password_settings.py | 30 +-
source4/dsdb/tests/python/priv_attrs.py | 398 ++++
source4/dsdb/tests/python/sam.py | 94 +-
source4/dsdb/tests/python/subtree_rename.py | 25 -
source4/dsdb/tests/python/user_account_control.py | 855 +++++++--
source4/dsdb/wscript_build | 2 +-
source4/heimdal/kdc/kerberos5.c | 23 +-
source4/heimdal/kdc/krb5tgs.c | 292 ++-
source4/heimdal/kdc/windc.c | 7 +-
source4/heimdal/kdc/windc_plugin.h | 2 +
source4/heimdal/lib/hdb/hdb.h | 2 +-
source4/kdc/db-glue.c | 77 +-
source4/kdc/db-glue.h | 5 +-
source4/kdc/hdb-samba4.c | 43 +-
source4/kdc/kdc-heimdal.c | 1 +
source4/kdc/mit-kdb/kdb_samba.h | 7 +
source4/kdc/mit-kdb/kdb_samba_policies.c | 185 +-
source4/kdc/mit-kdb/kdb_samba_principals.c | 60 +-
source4/kdc/mit_samba.c | 62 +-
source4/kdc/mit_samba.h | 2 +
source4/kdc/pac-glue.c | 473 ++++-
source4/kdc/pac-glue.h | 31 +-
source4/kdc/wdc-samba4.c | 132 +-
source4/libcli/smb_composite/sesssetup.c | 14 +
source4/librpc/rpc/dcerpc.c | 3 +
source4/librpc/rpc/dcerpc_roh_channel_out.c | 1 +
.../librpc/tests/krb5pac_upn_dns_info_ex.b64.txt | 1 +
source4/librpc/tests/krb5pac_upn_dns_info_ex.txt | 220 +++
.../krb5pac_upn_dns_info_ex_not_supported.b64.txt | 1 +
.../krb5pac_upn_dns_info_ex_not_supported.txt | 213 +++
source4/librpc/wscript_build | 21 +-
source4/rpc_server/common/server_info.c | 121 +-
source4/rpc_server/common/sid_helper.c | 134 --
source4/rpc_server/dnsserver/dcerpc_dnsserver.c | 11 +-
source4/rpc_server/drsuapi/dcesrv_drsuapi.c | 55 +-
source4/rpc_server/drsuapi/getncchanges.c | 71 +-
source4/rpc_server/lsa/lsa_init.c | 7 +-
source4/rpc_server/netlogon/dcerpc_netlogon.c | 191 +-
source4/rpc_server/samr/dcesrv_samr.c | 21 +-
source4/rpc_server/samr/samr_password.c | 31 +-
source4/rpc_server/wscript_build | 9 +-
source4/selftest/tests.py | 110 +-
source4/setup/provision_self_join.ldif | 9 +-
source4/setup/tests/blackbox_spn.sh | 7 +-
source4/setup/tests/blackbox_upgradeprovision.sh | 8 +-
source4/smb_server/smb/sesssetup.c | 4 +-
source4/torture/rpc/drsuapi.c | 202 +-
source4/torture/rpc/drsuapi.h | 3 +-
source4/torture/rpc/drsuapi_cracknames.c | 2 +-
source4/torture/rpc/remote_pac.c | 24 +-
source4/torture/rpc/samlogon.c | 4 +-
source4/torture/rpc/schannel.c | 2 +-
testprogs/blackbox/dbcheck-oldrelease.sh | 4 +-
testprogs/blackbox/functionalprep.sh | 2 +-
testprogs/blackbox/upgradeprovision-oldrelease.sh | 4 +-
174 files changed, 13968 insertions(+), 2846 deletions(-)
create mode 100644 docs-xml/smbdotconf/security/mindomainuid.xml
create mode 100644 librpc/rpc/dcerpc_pkt_auth.c
create mode 100644 librpc/rpc/dcerpc_pkt_auth.h
create mode 100644 librpc/rpc/dcerpc_util.h
create mode 100644 python/samba/tests/dsdb_api.py
create mode 100755 python/samba/tests/krb5/alias_tests.py
create mode 100755 python/samba/tests/krb5/spn_tests.py
create mode 100755 python/samba/tests/krb5/test_min_domain_uid.py
create mode 100644 python/samba/tests/ldap_spn.py
create mode 100644 python/samba/tests/ldap_upn_sam_account.py
create mode 100644 selftest/knownfail.d/ldap_spn
create mode 100644 selftest/knownfail.d/priv_attr
create mode 100644 selftest/knownfail.d/uac_objectclass_restrict
create mode 100644 source4/dsdb/common/rodc_helper.c
create mode 100644 source4/dsdb/tests/python/priv_attrs.py
create mode 100644 source4/librpc/tests/krb5pac_upn_dns_info_ex.b64.txt
create mode 100644 source4/librpc/tests/krb5pac_upn_dns_info_ex.txt
create mode 100644
source4/librpc/tests/krb5pac_upn_dns_info_ex_not_supported.b64.txt
create mode 100644
source4/librpc/tests/krb5pac_upn_dns_info_ex_not_supported.txt
delete mode 100644 source4/rpc_server/common/sid_helper.c
Changeset truncated at 500 lines:
diff --git a/VERSION b/VERSION
index 8710c8f64a0..96e3ed0ae96 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
########################################################
SAMBA_VERSION_MAJOR=4
SAMBA_VERSION_MINOR=14
-SAMBA_VERSION_RELEASE=10
+SAMBA_VERSION_RELEASE=11
########################################################
# If a official release has a serious bug #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index e41ee1dabb4..f81a31d49b0 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,112 @@
+ ===============================
+ Release Notes for Samba 4.14.10
+ November 9, 2021
+ ===============================
+
+
+This is a security release in order to address the following defects:
+
+o CVE-2016-2124: SMB1 client connections can be downgraded to plaintext
+ authentication.
+ https://www.samba.org/samba/security/CVE-2016-2124.html
+
+o CVE-2020-25717: A user on the domain can become root on domain members.
+ https://www.samba.org/samba/security/CVE-2020-25717.html
+ (PLEASE READ! There are important behaviour changes
described)
+
+o CVE-2020-25718: Samba AD DC did not correctly sandbox Kerberos tickets issued
+ by an RODC.
+ https://www.samba.org/samba/security/CVE-2020-25718.html
+
+o CVE-2020-25719: Samba AD DC did not always rely on the SID and PAC in
Kerberos
+ tickets.
+ https://www.samba.org/samba/security/CVE-2020-25719.html
+
+o CVE-2020-25721: Kerberos acceptors need easy access to stable AD identifiers
+ (eg objectSid).
+ https://www.samba.org/samba/security/CVE-2020-25721.html
+
+o CVE-2020-25722: Samba AD DC did not do suffienct access and conformance
+ checking of data stored.
+ https://www.samba.org/samba/security/CVE-2020-25722.html
+
+o CVE-2021-3738: Use after free in Samba AD DC RPC server.
+ https://www.samba.org/samba/security/CVE-2021-3738.html
+
+o CVE-2021-23192: Subsequent DCE/RPC fragment injection vulnerability.
+ https://www.samba.org/samba/security/CVE-2021-23192.html
+
+
+Changes since 4.14.9
+--------------------
+
+o Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
+ * CVE-2020-25722
+
+o Andrew Bartlett <abart...@samba.org>
+ * CVE-2020-25718
+ * CVE-2020-25719
+ * CVE-2020-25721
+ * CVE-2020-25722
+
+o Ralph Boehme <s...@samba.org>
+ * CVE-2020-25717
+
+o Alexander Bokovoy <a...@samba.org>
+ * CVE-2020-25717
+
+o Samuel Cabrero <scabr...@samba.org>
+ * CVE-2020-25717
+
+o Nadezhda Ivanova <nivan...@symas.com>
+ * CVE-2020-25722
+
+o Stefan Metzmacher <me...@samba.org>
+ * CVE-2016-2124
+ * CVE-2020-25717
+ * CVE-2020-25719
+ * CVE-2020-25722
+ * CVE-2021-23192
+ * CVE-2021-3738
+ * ldb: version 2.3.2
+
+o Andreas Schneider <a...@samba.org>
+ * CVE-2020-25719
+
+o Joseph Sutton <josephsut...@catalyst.net.nz>
+ * CVE-2020-17049
+ * CVE-2020-25718
+ * CVE-2020-25719
+ * CVE-2020-25721
+ * CVE-2020-25722
+ * MS CVE-2020-17049
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.libera.chat or the
+#samba-technical:matrix.org matrix channel.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
+
==============================
Release Notes for Samba 4.14.9
October 27, 2021
@@ -97,8 +206,8 @@ database (https://bugzilla.samba.org/).
======================================================================
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
+
==============================
Release Notes for Samba 4.14.8
October 05, 2021
diff --git a/auth/auth_util.c b/auth/auth_util.c
index f3586f1fc1e..fe01babd107 100644
--- a/auth/auth_util.c
+++ b/auth/auth_util.c
@@ -26,26 +26,28 @@
struct auth_session_info *copy_session_info(TALLOC_CTX *mem_ctx,
const struct auth_session_info *src)
{
+ TALLOC_CTX *frame = talloc_stackframe();
struct auth_session_info *dst;
DATA_BLOB blob;
enum ndr_err_code ndr_err;
ndr_err = ndr_push_struct_blob(
&blob,
- talloc_tos(),
+ frame,
src,
(ndr_push_flags_fn_t)ndr_push_auth_session_info);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
DBG_ERR("copy_session_info(): ndr_push_auth_session_info "
"failed: %s\n",
ndr_errstr(ndr_err));
+ TALLOC_FREE(frame);
return NULL;
}
dst = talloc(mem_ctx, struct auth_session_info);
if (dst == NULL) {
DBG_ERR("talloc failed\n");
- TALLOC_FREE(blob.data);
+ TALLOC_FREE(frame);
return NULL;
}
@@ -54,15 +56,16 @@ struct auth_session_info *copy_session_info(TALLOC_CTX
*mem_ctx,
dst,
dst,
(ndr_pull_flags_fn_t)ndr_pull_auth_session_info);
- TALLOC_FREE(blob.data);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
DBG_ERR("copy_session_info(): ndr_pull_auth_session_info "
"failed: %s\n",
ndr_errstr(ndr_err));
TALLOC_FREE(dst);
+ TALLOC_FREE(frame);
return NULL;
}
+ TALLOC_FREE(frame);
return dst;
}
diff --git a/auth/credentials/tests/bind.py b/auth/credentials/tests/bind.py
index 8bee6f96c62..b6b65a56c75 100755
--- a/auth/credentials/tests/bind.py
+++ b/auth/credentials/tests/bind.py
@@ -90,7 +90,8 @@ class BindTests(samba.tests.TestCase):
# this test to detect when the LDAP DN is being double-parsed
# but must be in the user@realm style to allow the account to
# be created
- self.ldb.add_ldif("""
+ try:
+ self.ldb.add_ldif("""
dn: """ + self.virtual_user_dn + """
cn: frednurk@""" + self.realm + """
displayName: Fred Nurk
@@ -103,13 +104,21 @@ objectClass: person
objectClass: top
objectClass: user
""")
+ except LdbError as e:
+ (num, msg) = e.args
+ self.fail(f"Failed to create e-mail user: {msg}")
+
self.addCleanup(delete_force, self.ldb, self.virtual_user_dn)
- self.ldb.modify_ldif("""
+ try:
+ self.ldb.modify_ldif("""
dn: """ + self.virtual_user_dn + """
changetype: modify
replace: unicodePwd
unicodePwd:: """ +
base64.b64encode(u"\"P@ssw0rd\"".encode('utf-16-le')).decode('utf8') + """
""")
+ except LdbError as e:
+ (num, msg) = e.args
+ self.fail(f"Failed to set password on e-mail user: {msg}")
self.ldb.enable_account('distinguishedName=%s' % self.virtual_user_dn)
diff --git a/auth/gensec/gensec_util.c b/auth/gensec/gensec_util.c
index e185acc0c20..694661b53b5 100644
--- a/auth/gensec/gensec_util.c
+++ b/auth/gensec/gensec_util.c
@@ -25,6 +25,8 @@
#include "auth/gensec/gensec_internal.h"
#include "auth/common_auth.h"
#include "../lib/util/asn1.h"
+#include "param/param.h"
+#include "libds/common/roles.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_AUTH
@@ -46,10 +48,27 @@ NTSTATUS gensec_generate_session_info_pac(TALLOC_CTX
*mem_ctx,
session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS;
if (!pac_blob) {
- if (gensec_setting_bool(gensec_security->settings, "gensec",
"require_pac", false)) {
- DEBUG(1, ("Unable to find PAC in ticket from %s,
failing to allow access\n",
- principal_string));
- return NT_STATUS_ACCESS_DENIED;
+ enum server_role server_role =
+ lpcfg_server_role(gensec_security->settings->lp_ctx);
+
+ /*
+ * For any domain setup (DC or member) we require having
+ * a PAC, as the service ticket comes from an AD DC,
+ * which will always provide a PAC, unless
+ * UF_NO_AUTH_DATA_REQUIRED is configured for our
+ * account, but that's just an invalid configuration,
+ * the admin configured for us!
+ *
+ * As a legacy case, we still allow kerberos tickets from an MIT
+ * realm, but only in standalone mode. In that mode we'll only
+ * ever accept a kerberos authentication with a keytab file
+ * being explicitly configured via the 'keytab method' option.
+ */
+ if (server_role != ROLE_STANDALONE) {
+ DBG_WARNING("Unable to find PAC in ticket from %s, "
+ "failing to allow access\n",
+ principal_string);
+ return NT_STATUS_NO_IMPERSONATION_TOKEN;
}
DBG_NOTICE("Unable to find PAC for %s, resorting to local "
"user lookup\n", principal_string);
diff --git a/auth/ntlmssp/ntlmssp_server.c b/auth/ntlmssp/ntlmssp_server.c
index 001238278d7..939aa0ef4aa 100644
--- a/auth/ntlmssp/ntlmssp_server.c
+++ b/auth/ntlmssp/ntlmssp_server.c
@@ -799,7 +799,7 @@ static void ntlmssp_server_auth_done(struct tevent_req
*subreq)
struct gensec_security *gensec_security = state->gensec_security;
struct gensec_ntlmssp_context *gensec_ntlmssp = state->gensec_ntlmssp;
struct auth4_context *auth_context = gensec_security->auth_context;
- uint8_t authoritative = 0;
+ uint8_t authoritative = 1;
NTSTATUS status;
status = auth_context->check_ntlm_password_recv(subreq,
diff --git a/docs-xml/smbdotconf/security/mindomainuid.xml
b/docs-xml/smbdotconf/security/mindomainuid.xml
new file mode 100644
index 00000000000..46ae795d730
--- /dev/null
+++ b/docs-xml/smbdotconf/security/mindomainuid.xml
@@ -0,0 +1,17 @@
+<samba:parameter name="min domain uid"
+ type="integer"
+ context="G"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc";>
+<description>
+ <para>
+ The integer parameter specifies the minimum uid allowed when mapping a
+ local account to a domain account.
+ </para>
+
+ <para>
+ Note that this option interacts with the configured <emphasis>idmap
ranges</emphasis>!
+ </para>
+</description>
+
+<value type="default">1000</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/serverrole.xml
b/docs-xml/smbdotconf/security/serverrole.xml
index 9511c61c96d..b8b83a127b5 100644
--- a/docs-xml/smbdotconf/security/serverrole.xml
+++ b/docs-xml/smbdotconf/security/serverrole.xml
@@ -78,6 +78,13 @@
url="http://wiki.samba.org/index.php/Samba4/HOWTO";>Samba4
HOWTO</ulink></para>
+ <para><anchor id="IPA-DC"/><emphasis>SERVER ROLE = IPA DOMAIN
CONTROLLER</emphasis></para>
+
+ <para>This mode of operation runs Samba in a hybrid mode for IPA
+ domain controller, providing forest trust to Active Directory.
+ This role requires special configuration performed by IPA installers
+ and should not be used manually by any administrator.
+ </para>
</description>
<related>security</related>
diff --git a/docs-xml/smbdotconf/winbind/idmapconfig.xml
b/docs-xml/smbdotconf/winbind/idmapconfig.xml
index 1374040fb29..f70f11df757 100644
--- a/docs-xml/smbdotconf/winbind/idmapconfig.xml
+++ b/docs-xml/smbdotconf/winbind/idmapconfig.xml
@@ -80,6 +80,9 @@
authoritative for a unix ID to SID mapping, so it must be set
for each individually configured domain and for the default
configuration. The configured ranges must be mutually disjoint.
+ </para>
+ <para>
+ Note that the low value interacts with the <smbconfoption
name="min domain uid"/> option!
</para></listitem>
</varlistentry>
@@ -115,4 +118,5 @@
</programlisting>
</description>
+<related>min domain uid</related>
</samba:parameter>
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 3548c47d857..eedfa00bcb0 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -3090,6 +3090,10 @@ struct loadparm_context *loadparm_init(TALLOC_CTX
*mem_ctx)
"client smb encrypt",
"default");
+ lpcfg_do_global_parameter(lp_ctx,
+ "min domain uid",
+ "1000");
+
for (i = 0; parm_table[i].label; i++) {
if (!(lp_ctx->flags[i] & FLAG_CMDLINE)) {
lp_ctx->flags[i] |= FLAG_DEFAULT;
diff --git a/lib/param/loadparm_server_role.c b/lib/param/loadparm_server_role.c
index 7a6bc770723..a78d1ab9cf3 100644
--- a/lib/param/loadparm_server_role.c
+++ b/lib/param/loadparm_server_role.c
@@ -42,6 +42,7 @@ static const struct srv_role_tab {
{ ROLE_DOMAIN_BDC, "ROLE_DOMAIN_BDC" },
{ ROLE_DOMAIN_PDC, "ROLE_DOMAIN_PDC" },
{ ROLE_ACTIVE_DIRECTORY_DC, "ROLE_ACTIVE_DIRECTORY_DC" },
+ { ROLE_IPA_DC, "ROLE_IPA_DC"},
{ 0, NULL }
};
@@ -140,6 +141,7 @@ bool lp_is_security_and_server_role_valid(int server_role,
int security)
case ROLE_DOMAIN_PDC:
case ROLE_DOMAIN_BDC:
case ROLE_ACTIVE_DIRECTORY_DC:
+ case ROLE_IPA_DC:
if (security == SEC_USER) {
valid = true;
}
diff --git a/lib/param/param_table.c b/lib/param/param_table.c
index e2f737279dc..3dc5fc59991 100644
--- a/lib/param/param_table.c
+++ b/lib/param/param_table.c
@@ -111,6 +111,7 @@ static const struct enum_list enum_server_role[] = {
{ROLE_ACTIVE_DIRECTORY_DC, "active directory domain controller"},
{ROLE_ACTIVE_DIRECTORY_DC, "domain controller"},
{ROLE_ACTIVE_DIRECTORY_DC, "dc"},
+ {ROLE_IPA_DC, "IPA primary domain controller"},
{-1, NULL}
};
diff --git a/lib/param/util.c b/lib/param/util.c
index cd8e74b9d8f..9a0fc102de8 100644
--- a/lib/param/util.c
+++ b/lib/param/util.c
@@ -255,6 +255,7 @@ const char *lpcfg_sam_name(struct loadparm_context *lp_ctx)
case ROLE_DOMAIN_BDC:
case ROLE_DOMAIN_PDC:
case ROLE_ACTIVE_DIRECTORY_DC:
+ case ROLE_IPA_DC:
return lpcfg_workgroup(lp_ctx);
default:
return lpcfg_netbios_name(lp_ctx);
diff --git a/libcli/auth/wscript_build b/libcli/auth/wscript_build
index 2a6a7468e45..24ab68fac1e 100644
--- a/libcli/auth/wscript_build
+++ b/libcli/auth/wscript_build
@@ -30,7 +30,15 @@ bld.SAMBA_SUBSYSTEM('COMMON_SCHANNEL',
bld.SAMBA_SUBSYSTEM('NETLOGON_CREDS_CLI',
source='netlogon_creds_cli.c',
- deps='dbwrap util_tdb tevent-util samba-hostconfig RPC_NDR_NETLOGON
NDR_NETLOGON'
+ deps='''
+ dbwrap
+ util_tdb
+ tevent-util
+ samba-hostconfig
+ gensec
+ RPC_NDR_NETLOGON
+ NDR_NETLOGON
+ '''
)
bld.SAMBA_SUBSYSTEM('PAM_ERRORS',
diff --git a/libcli/netlogon/netlogon.c b/libcli/netlogon/netlogon.c
index 239503e85b6..59af460dc4e 100644
--- a/libcli/netlogon/netlogon.c
+++ b/libcli/netlogon/netlogon.c
@@ -93,7 +93,7 @@ NTSTATUS pull_netlogon_samlogon_response(DATA_BLOB *data,
TALLOC_CTX *mem_ctx,
if (ndr->offset < ndr->data_size) {
TALLOC_FREE(ndr);
/*
- * We need to handle a bug in FreeIPA (at least <=
4.1.2).
+ * We need to handle a bug in IPA (at least <= 4.1.2).
*
* They include the ip address information without
setting
* NETLOGON_NT_VERSION_5EX_WITH_IP, while using
diff --git a/libds/common/flag_mapping.c b/libds/common/flag_mapping.c
index ddc8ec5c198..020922db659 100644
--- a/libds/common/flag_mapping.c
+++ b/libds/common/flag_mapping.c
@@ -164,3 +164,53 @@ uint32_t ds_uf2prim_group_rid(uint32_t uf)
return prim_group_rid;
}
+
+#define FLAG(x) { .name = #x, .uf = x }
+struct {
+ const char *name;
+ uint32_t uf;
+} user_account_control_name_map[] = {
+ FLAG(UF_SCRIPT),
+ FLAG(UF_ACCOUNTDISABLE),
+ FLAG(UF_00000004),
+ FLAG(UF_HOMEDIR_REQUIRED),
+ FLAG(UF_LOCKOUT),
+ FLAG(UF_PASSWD_NOTREQD),
+ FLAG(UF_PASSWD_CANT_CHANGE),
+ FLAG(UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED),
+
+ FLAG(UF_TEMP_DUPLICATE_ACCOUNT),
+ FLAG(UF_NORMAL_ACCOUNT),
+ FLAG(UF_00000400),
+ FLAG(UF_INTERDOMAIN_TRUST_ACCOUNT),
+
+ FLAG(UF_WORKSTATION_TRUST_ACCOUNT),
+ FLAG(UF_SERVER_TRUST_ACCOUNT),
+ FLAG(UF_00004000),
+ FLAG(UF_00008000),
+
+ FLAG(UF_DONT_EXPIRE_PASSWD),
+ FLAG(UF_MNS_LOGON_ACCOUNT),
+ FLAG(UF_SMARTCARD_REQUIRED),
+ FLAG(UF_TRUSTED_FOR_DELEGATION),
+
+ FLAG(UF_NOT_DELEGATED),
+ FLAG(UF_USE_DES_KEY_ONLY),
+ FLAG(UF_DONT_REQUIRE_PREAUTH),
+ FLAG(UF_PASSWORD_EXPIRED),
+ FLAG(UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION),
+ FLAG(UF_NO_AUTH_DATA_REQUIRED),
+ FLAG(UF_PARTIAL_SECRETS_ACCOUNT),
+ FLAG(UF_USE_AES_KEYS)
+};
+
+const char *dsdb_user_account_control_flag_bit_to_string(uint32_t uf)
+{
+ int i;
+ for (i=0; i < ARRAY_SIZE(user_account_control_name_map); i++) {
+ if (uf == user_account_control_name_map[i].uf) {
+ return user_account_control_name_map[i].name;
+ }
+ }
+ return NULL;
--
Samba Shared Repository
