The branch, v4-13-test has been updated
       via  959fb5a4c69 VERSION: Bump version up to Samba 4.13.15...
       via  db11778b576 VERSION: Disable GIT_SNAPSHOT for the 4.13.14 release.
       via  6c14ac876b6 WHATSNEW: Add release notes for Samba 4.13.14.
       via  0203330e2fa CVE-2021-3738 s4:rpc_server/samr: make use of dcesrv_samdb_connect_as_*() helper
       via  08b6c8fda59 CVE-2021-3738 s4:rpc_server/netlogon: make use of dcesrv_samdb_connect_as_*() helper
       via  79d62d83e23 CVE-2021-3738 s4:rpc_server/lsa: make use of dcesrv_samdb_connect_as_user() helper
       via  caf3d32f68f CVE-2021-3738 s4:rpc_server/dnsserver: make use of dcesrv_samdb_connect_as_user() helper
       via  061c125c612 CVE-2021-3738 s4:rpc_server/drsuapi: make use of assoc_group aware dcesrv_samdb_connect_as_*() helpers
       via  7c3b0376000 CVE-2021-3738 s4:rpc_server/common: provide assoc_group aware dcesrv_samdb_connect_as_{system,user}() helpers
       via  6925a53a290 CVE-2021-3738 auth_util: avoid talloc_tos() in copy_session_info()
       via  5337dc5eaeb CVE-2021-3738 s4:torture/drsuapi: DsBindAssocGroup* tests
       via  ec1ea05e8f1 CVE-2021-3738 s4:torture/drsuapi: maintain priv->admin_credentials
       via  3db47b076d0 CVE-2021-3738 s4:torture/drsuapi: maintain priv->dc_credentials
       via  f7636fb7215 CVE-2021-3738 s4:torture/drsuapi: don't pass DsPrivate to test_DsBind()
       via  721e40dd379 CVE-2016-2124: s3:libsmb: don't fallback to non spnego authentication if we require kerberos
       via  4290223ed40 CVE-2016-2124: s4:libcli/sesssetup: don't fallback to non spnego authentication if we require kerberos
       via  ec712adf500 CVE-2021-23192: dcesrv_core: only the first fragment specifies the auth_contexts
       via  f4492f9309f CVE-2021-23192: python/tests/dcerpc: add tests to check how security contexts relate to fragmented requests
       via  1f66e3f97e1 CVE-2021-23192: python/tests/dcerpc: fix do_single_request(send_req=False)
       via  adcd0d76132 CVE-2021-23192: python/tests/dcerpc: let generate_request_auth() use g_auth_level in all places
       via  6afefee92ce CVE-2021-23192: python/tests/dcerpc: change assertNotEquals() into assertNotEqual()
       via  714cf311ab2 CVE-2021-23192: dcesrv_core: add dcesrv_fault_disconnect0() that skips DCERPC_PFC_FLAG_DID_NOT_EXECUTE
       via  6b371124410 CVE-2021-23192: dcesrv_core: add better debugging to dcesrv_fault_disconnect()
       via  4a893891951 CVE-2021-23192 librpc: Remove the gensec dependency from library dcerpc-binding
       via  83a9fb52f3e CVE-2021-23192 rpc: Give dcerpc_util.c its own header
       via  3ed16e74292 CVE-2020-25722 selftest: Ensure check for duplicate servicePrincipalNames is not bypassed for an add operation
       via  26a1bd5cc75 CVE-2020-25722 selftest: Add test for duplicate servicePrincipalNames on an add operation
       via  9ac2254c50d CVE-2020-25722 pytests: Give computer accounts unique (and valid) sAMAccountNames and SPNs
       via  2b28b9c3be2 CVE-2020-25719 selftest: Always expect a PAC in TGS replies with Heimdal
       via  1c5a0ef89c9 Revert "CVE-2020-25719 heimdal:kdc: Require authdata to be present"
       via  a803247a1dc CVE-2020-25718 heimdal:kdc: Add comment about tests for tickets of users not revealed to an RODC
       via  c05ea4568fc CVE-2020-25719 tests/krb5: Add tests for using a ticket with a renamed account
       via  06a46f79dd6 CVE-2020-25718 tests/krb5: Only fetch RODC account credentials when necessary
       via  864623d873f CVE-2020-25719 heimdal:kdc: Require PAC to be present
       via  b6ab45da636 CVE-2020-25722 kdc: Do not honour a request for a 3-part SPN (ending in our domain/realm) unless a DC
       via  1fb0c6b5ff9 CVE-2020-25719 heimdal:kdc: Verify PAC in TGT provided for user-to-user authentication
       via  2eaf906f926 CVE-2020-25719 heimdal:kdc: Check name in request against name in user-to-user TGT
       via  5f1aeeee089 CVE-2020-25719 heimdal:kdc: Use sname from request rather than user-to-user TGT client name
       via  c493ff06c68 CVE-2020-25719 heimdal:kdc: Move fetching krbtgt entry to before enctype selection
       via  73f6a615455 CVE-2020-25719 heimdal:kdc: Check return code
       via  60ac2ff31f0 CVE-2020-25719 s4:kdc: Add KDC support for PAC_REQUESTER_SID PAC buffer
       via  8513fe9e30a CVE-2020-25722 Ensure the structural objectclass cannot be changed
       via  c59f5762ead CVE-2020-25721 auth: Fill in the new HAS_SAM_NAME_AND_SID values
       via  8d94ec0d3f7 CVE-2020-25719 kdc: Avoid races and multiple DB lookups in s4u2self check
       via  aa66df26021 CVE-2020-25718 kdc: Return ERR_POLICY if RODC krbtgt account is invalid
       via  1566a68a3dc CVE-2020-25718 kdc: Confirm the RODC was allowed to issue a particular ticket
       via  4cb7155917e CVE-2020-25718 dsdb: Bring sid_helper.c into common code as rodc_helper.c
       via  a12d50c5334 CVE-2020-25718 s4-rpc_server: Add in debug messages into RODC processing
       via  65b170366ac CVE-2020-25718 s4-rpc_server: Explain why we use DSDB_SEARCH_SHOW_EXTENDED_DN in RODC access check
       via  944d1af2826 CVE-2020-25718 s4-rpc_server: Remove unused attributes in RODC check
       via  27629a5a662 CVE-2020-25718 s4-rpc_server: Provide wrapper samdb_confirm_rodc_allowed_to_repl_to()
       via  69b14a883a2 CVE-2020-25718 s4-rpc_server: Confirm that the RODC has the UF_PARTIAL_SECRETS_ACCOUNT bit
       via  d15ffe1ba20 CVE-2020-25718 s4-rpc_server: Put msDS-KrbTgtLinkBL and UF_INTERDOMAIN_TRUST_ACCOUNT RODC checks in common
       via  43f321dce53 CVE-2020-25718 s4-rpc_server: Put RODC reveal/never reveal logic into a single helper function
       via  0a3ebd1d1b9 CVE-2020-25718 s4-rpc_server: Obtain the user tokenGroups earlier
       via  4b78fe5c13b CVE-2020-25718 s4-rpc_server: Change sid list functions to operate on a array of struct dom_sid
       via  8c1092d8ec0 CVE-2020-25718 kdc: Remove unused samba_kdc_get_pac_blob()
       via  4d92c401a99 CVE-2020-25719 heimdal:kdc: Require authdata to be present
       via  706004d0267 CVE-2020-25719 s4:kdc: Add KDC support for PAC_ATTRIBUTES_INFO PAC buffer
       via  6b7d62e87eb CVE-2020-25719 s4:kdc: Check if the pac is valid before updating it
       via  8ae2a8740ce CVE-2020-25719 s4:kdc: Add samba_kdc_validate_pac_blob()
       via  ff747922c11 CVE-2020-25719 s4:kdc: Remove trailing spaces in pac-glue.c
       via  fe94c4bc71b CVE-2020-25719 mit_samba: Create the talloc context earlier
       via  d86977088cd CVE-2020-25719 mit_samba: The samba_princ_needs_pac check should be on the server entry
       via  f99cff8c051 CVE-2020-25719 mit-samba: Rework PAC handling in kdb_samba_db_sign_auth_data()
       via  f0b9f23fa25 CVE-2020-25719 mit-samba: Handle no DB entry in mit_samba_get_pac()
       via  0e09aaa3e64 CVE-2020-25719 mit-samba: Add mit_samba_princ_needs_pac()
       via  940ddac4572 CVE-2020-25719 mit-samba: If we use client_princ, always lookup the db entry
       via  9902f1b0bf3 CVE-2020-25719 mit-samba: Add ks_free_principal()
       via  4754bf4daf3 CVE-2020-25719 mit-samba: Make ks_get_principal() internally public
       via  0954b59e85e CVE-2020-25722 pytest: Raise an error when adding a dynamic test that would overwrite an existing test
       via  103a6ebbbed CVE-2020-25719 s4/torture: Expect additional PAC buffers
       via  3c832b5a8ab CVE-2020-25719 tests/krb5: Add tests for mismatched names with user-to-user
       via  d151c2528d1 CVE-2020-25719 tests/krb5: Add test for user-to-user with no sname
       via  9990c478bf4 CVE-2020-25719 tests/krb5: Add tests for requester SID PAC buffer
       via  9e29510f3e1 CVE-2020-25719 tests/krb5: Add tests for PAC-REQUEST padata
       via  8bd96fc1aeb CVE-2020-25719 tests/krb5: Add tests for PAC attributes buffer
       via  2895186282e CVE-2020-25719 tests/krb5: Add expected parameters to cache key for obtaining tickets
       via  241d3956af9 CVE-2020-25719 tests/krb5: Add EXPECT_PAC environment variable to expect pac from all TGS tickets
       via  04ceb10cbb4 CVE-2020-25719 tests/krb5: Add testing for PAC_TYPE_REQUESTER_SID PAC buffer
       via  e496c04a6c2 CVE-2020-25719 tests/krb5: Add testing for PAC_TYPE_ATTRIBUTES_INFO PAC buffer
       via  5ad45816684 CVE-2020-25719 tests/krb5: Add _modify_tgt() method for modifying already obtained tickets
       via  51890d84286 CVE-2020-25719 tests/krb5: Extend _get_tgt() method to allow more modifications to tickets
       via  837e153c74f CVE-2020-25719 tests/krb5: tests/krb5: Adjust expected error code for S4U2Self no-PAC tests
       via  05c3582eaee CVE-2020-25719 tests/krb5: Adjust expected error codes for user-to-user tests
       via  97e5b765f28 CVE-2020-25719 tests/krb5: Adjust PAC tests to prepare for new PAC_ATTRIBUTES_INFO buffer
       via  fad4159de4b CVE-2020-25719 tests/krb5: Use correct credentials for user-to-user tests
       via  80a8c900ebc CVE-2020-25719 tests/krb5: Return ticket from _tgs_req()
       via  a01303f07c4 CVE-2020-25719 tests/krb5: Expect 'renew-till' element when renewing a TGT
       via  5d83f3ba83f CVE-2020-25719 tests/krb5: Don't expect a kvno for user-to-user
       via  e60e6301ad8 CVE-2020-25719 tests/krb5: Allow update_pac_checksums=True if the PAC is not present
       via  4dfa0a77ce0 CVE-2020-25719 tests/krb5: Provide expected parameters for both AS-REQs in get_tgt()
       via  13d066a83b1 CVE-2020-25719 krb5pac.idl: Add PAC_REQUESTER_SID PAC buffer type
       via  b4ac46d376e CVE-2020-25719 krb5pac.idl: Add PAC_ATTRIBUTES_INFO PAC buffer type
       via  decb2883d77 CVE-2020-25718 tests/krb5: Fix indentation
       via  dd176b4f8df CVE-2020-25722 selftest: Adapt ldap.py tests to new objectClass restrictions
       via  223179aaa5e CVE-2020-25722 s4/dsdb/util: remove unused dsdb_get_single_valued_attr()
       via  bed2ea1d378 CVE-2020-25722 s4/dsdb/pwd_hash: rework pwdLastSet bypass
       via  b8424fad423 CVE-2020-25722 s4/dsdb/pwd_hash: password_hash_bypass gets all values
       via  2a57c6e2f6a CVE-2020-25722 s4/dsdb/samldb: samldb_fsmo_role_owner_check() wants one value
       via  3f413fb5813 CVE-2020-25722 s4/dsdb/samldb: samldb_fsmo_role_owner_check checks values
       via  fdd25972d26 CVE-2020-25722 s4/dsdb/samldb: samldb_service_principal_names_change checks values
       via  485db903ed2 CVE-2020-25722 s4/dsdb/samldb: samldb_group_type_change() checks all values
       via  1deb16de4d1 CVE-2020-25722 s4/dsdb/samldb: samldb_lockout_time() checks all values
       via  63de509875b CVE-2020-25722 s4/dsdb/samldb: samldb_pwd_last_set_change() checks all values
       via  96fbfe0edd6 CVE-2020-25722 s4/dsdb/samldb _user_account_control_change() always add final value
       via  2991eedefc1 CVE-2020-25722 s4/dsdb/samldb: samldb_user_account_control_change() checks all values
       via  18e4c639dfc CVE-2020-25722 s4/dsdb/samldb: samldb_prim_group_change() checks all values
       via  57f7b13f70d CVE-2020-25722 s4/dsdb/samldb: samldb_schema_add_handle_mapiid() checks all values
       via  466620563bd CVE-2020-25722 s4/dsdb/samldb: samldb_schema_add_handle_linkid() checks all values
       via  437465a90ef CVE-2020-25722 s4/dsdb/samldb: samldb_sam_accountname_valid_check() check all values
       via  7913ec038f2 CVE-2020-25722 s4/dsdb/samldb: samldb_get_single_valued_attr() check all values
       via  208bbf8cfda CVE-2020-25722 s4/dsdb modules: add dsdb_get_expected_new_values()
       via  3a4095aec5e CVE-2020-25722 s4/dsdb/samldb: reject SPN with too few/many components
       via  b121b1920f9 CVE-2020-25722 s4/dsdb/samldb: check for SPN uniqueness, including aliases
       via  9be11622765 CVE-2020-25722 s4/dsdb/samldb: check sAMAccountName for illegal characters
       via  4439ac7bb6e CVE-2020-25722 s4/dsdb/samldb: check for clashes in UPNs/samaccountnames
       via  90957fba9ff CVE-2020-25722 s4/dsdb/samldb: unique_attr_check uses samldb_get_single_valued_attr()
       via  935997b92eb CVE-2020-25722 s4/dsdb/samldb: add samldb_get_single_valued_attr() helper
       via  4b5a370e896 CVE-2020-25722 s4/cracknames: add comment pointing to samldb spn handling
       via  38e858b12c1 CVE-2020-25722 pytest: test setting servicePrincipalName over ldap
       via  40a3b71e05c CVE-2020-25722 pytest: test sAMAccountName/userPrincipalName over ldap
       via  26bfddd4390 CVE-2020-25722 blackbox/upgrades tests: ignore SPN for ldapcmp
       via  50f5069a73a CVE-2020-25722 s4/provision: add host/ SPNs at the start
       via  5650323f79c CVE-2020-25722 tests: blackbox samba-tool spn non-admin test
       via  47279630f17 CVE-2020-25722 samba-tool spn add: remove --force option
       via  55c6c01a65e CVE-2020-25722 samba-tool spn: accept -H for database url
       via  3e349608853 CVE-2020-25722 s4/cracknames: lookup_spn_alias doesn't need krb5 context
       via  c1973cedbaa CVE-2020-25722 s4/dsdb/cracknames: always free tmp_ctx in spn_alias
       via  f64fe0b1e74 CVE-2020-25722 pytest: assertRaisesLdbError invents a message if you're lazy
       via  a65866a6c73 CVE-2020-25722 pytests: add reverse lookup dict for LDB error codes
       via  ef7f582772a CVE-2020-25722 Check for all errors from acl_check_extended_right() in acl_check_spn()
       via  f1c64ed29ea CVE-2020-25722 Check all elements in acl_check_spn() not just the first one
       via  ae9eb6c7d85 CVE-2020-25722: s4-acl: Make sure Control Access Rights honor the Applies-to attribute
       via  038767ae9c2 CVE-2020-25722: s4-acl: test Control Access Rights honor the Applies-to attribute
       via  7cbf3940757 CVE-2020-25722 s4:dsdb:tests: Add missing self.fail() calls
       via  0bb53df9253 CVE-2020-25722 Add test for SPN deletion followed by addition
       via  ef4df24b472 CVE-2020-25717: s3:auth: simplify make_session_info_krb5() by removing unused arguments
       via  27d719174b7 CVE-2020-25717: s3:auth: simplify get_user_from_kerberos_info() by removing the unused logon_info argument
       via  9f807fdd8d1 CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() reject a PAC in standalone mode
       via  6a1f5f57971 CVE-2020-25717: selftest: configure 'ktest' env with winbindd and idmap_autorid
       via  a152f36b057 CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() delegate everything to make_server_info_wbcAuthUserInfo()
       via  131d5ceb9de CVE-2020-25717: s3:ntlm_auth: let ntlm_auth_generate_session_info_pac() base the name on the PAC LOGON_INFO only
       via  9f73360e17d CVE-2020-25717: s3:ntlm_auth: fix memory leaks in ntlm_auth_generate_session_info_pac()
       via  e95392aa08f CVE-2020-25719 CVE-2020-25717: s4:auth: remove unused auth_generate_session_info_principal()
       via  eba5e132183 CVE-2020-25719 CVE-2020-25717: auth/gensec: always require a PAC in domain mode (DC or member)
       via  39cf01d0d26 CVE-2020-25717: Add FreeIPA domain controller role
       via  e8e0bea9b33 CVE-2020-25717: s3:auth: don't let create_local_token depend on !winbind_ping()
       via  b0031f53185 CVE-2020-25717: s3:lib: add lp_allow_trusted_domains() logic to is_allowed_domain()
       via  844faf2f0ac CVE-2020-25717: s3:auth: remove fallbacks in smb_getpwnam()
       via  d079628a43f CVE-2020-25717: s3:auth: no longer let check_account() autocreate local users
       via  885fe6e31b1 CVE-2020-25717: s3:auth: we should not try to autocreate the guest account
       via  ce47a81eb5f CVE-2020-25717: s3:auth: Check minimum domain uid
       via  c703f7a5642 CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() forward the low level errors
       via  eea64478862 CVE-2020-25717: selftest: Add a test for the new 'min domain uid' parameter
       via  37c2f73cc95 CVE-2020-25717: selftest: Add ad_member_no_nss_wb environment
       via  b9d8f8025b7 CVE-2020-25717: loadparm: Add new parameter "min domain uid"
       via  6ca265b8634 CVE-2020-25717: auth/ntlmssp: start with authoritative = 1
       via  8a946f2758f CVE-2020-25717: s3:auth: start with authoritative = 1
       via  9b977f50510 CVE-2020-25717: s3:rpcclient: start with authoritative = 1
       via  04ca59a5129 CVE-2020-25717: s3:torture: start with authoritative = 1
       via  25fd512f63b CVE-2020-25717: s3:ntlm_auth: start with authoritative = 1
       via  49779027293 CVE-2020-25717: s4:auth_simple: start with authoritative = 1
       via  38e7562ccdc CVE-2020-25717: s4:smb_server: start with authoritative = 1
       via  9b73069dc8e CVE-2020-25717: s4:torture: start with authoritative = 1
       via  66cd97e558c CVE-2020-25717: s4:auth/ntlm: make sure auth_check_password() defaults to r->out.authoritative = true
       via  5966f8c2d47 CVE-2020-25717: s3:winbindd: make sure we default to r->out.authoritative = true
       via  2aa37d595e4 CVE-2020-25719 CVE-2020-25717 tests/krb5: Adapt tests for connecting without a PAC to new error codes
       via  f507539d822 CVE-2020-25719 CVE-2020-25717: selftest: remove "gensec:require_pac" settings
       via  2966b61522e CVE-2020-25719 CVE-2020-25717 tests/krb5: Add tests for connecting to services anonymously and without a PAC
       via  718aefaacf4 CVE-2020-25721 tests/krb5: Add tests for extended PAC_UPN_DNS_INFO PAC buffer
       via  94635645197 CVE-2020-25719 tests/krb5: Add tests for including authdata without a PAC
       via  62af3d24a44 CVE-2020-25718 tests/krb5: Add tests for RODC-printed and invalid TGTs
       via  f839cc40af6 CVE-2020-25719 tests/krb5: Add principal aliasing test
       via  6b82704c2f7 CVE-2020-25719 tests/krb5: Add a test for making an S4U2Self request without a PAC
       via  98f570d0841 CVE-2020-25719 tests/krb5: Add tests for requiring and issuing a PAC
       via  f4841ce8c11 CVE-2020-25721 ndrdump: Add tests for PAC with UPN_DNS_INFO
       via  894be09a93c CVE-2020-25722 tests/krb5: Add KDC tests for 3-part SPNs
       via  5fc5247aca3 CVE-2020-25719 CVE-2020-25717 tests/krb5: Allow create_ccache_with_user() to return a ticket without a PAC
       via  c2d7c9a87f4 CVE-2020-25719 CVE-2020-25717 tests/krb5: Refactor create_ccache_with_user() to take credentials of target service
       via  49ddf6166b3 CVE-2020-25721 tests/krb5: Check PAC buffer types when STRICT_CHECKING=0
       via  5837a12c8d5 MS CVE-2020-17049 tests/krb5: Allow tests to pass if ticket signature checksum type is wrong
       via  66d2176a706 CVE-2020-25719 tests/krb5: Add method to get unique username for test accounts
       via  17a08609b20 CVE-2020-25719 tests/krb5: Add is_tgt() helper method
       via  a61c71a611c CVE-2020-25722 tests/krb5: Allow creating server accounts
       via  24f759427f5 CVE-2020-25719 CVE-2020-25717 tests/krb5: Add pac_request parameter to get_service_ticket()
       via  e2a1affc03a CVE-2020-25719 CVE-2020-25717 tests/krb5: Modify get_service_ticket() to use _generic_kdc_exchange()
       via  696ae3cb285 CVE-2020-25718 tests/krb5: Allow tests accounts to replicate to RODC
       via  52a505512a2 CVE-2020-25721 krb5pac: Add new buffers for samAccountName and objectSID
       via  1282c823978 CVE-2020-25722 selftest/user_account_control: more work to cope with UAC/objectclass defaults and lock
       via  17c4928b2d3 CVE-2020-25722 selftest/user_account_control: Allow a broader set of possible errors
       via  7bba574107d CVE-2020-25722 selftest: Allow self.assertRaisesLdbError() to take a list of errors to match with
       via  46672d19a4b CVE-2020-25722 selftest: adapt ldap.py/sam.py test_all tests to new default computer behaviour
       via  4dfc225b0bb CVE-2020-25722 selftest: Adapt sam.py test to userAccountControl/objectclass restrictions
       via  70b724f6d0c CVE-2020-25722 selftest: New objects of objectclass=computer are workstations by default now
       via  71c2d0d61f2 CVE-2020-25722 selftest: Adjust sam.py test_userAccountControl_computer_add_trust to new reality
       via  c212f3fe50c CVE-2020-25722 selftest: Split test_userAccountControl into unit tests
       via  55d821ca8b5 CVE-2020-25722 samdb: Fill in isCriticalSystemObject on any account type change
       via  20ce152fa00 CVE-2020-25722 selftest: Adapt sam.py test_isCriticalSystemObject to new UF_WORKSTATION_TRUST_ACCOUNT default
       via  a76d5d62023 CVE-2020-25722 dsdb: Add restrictions on computer accounts without a trailing $
       via  08f9f8a9111 CVE-2020-25722 dsdb: samldb_objectclass_trigger() is only called on ADD, so remove indentation
       via  d7187adb616 CVE-2020-25722 selftest: Adapt selftest to restriction on swapping account types
       via  cc9259de558 CVE-2020-25722 selftest/priv_attrs: Mention that these knownfails are OK (for now)
       via  f77231f1ae9 CVE-2020-25722 dsdb: Prohibit mismatch between UF_ account types and objectclass.
       via  761b80e1761 CVE-2020-25722 dsdb: Add tests for modifying objectClass, userAccountControl and sAMAccountName
       via  8d54b763dc4 CVE-2020-25722 dsdb: Improve privileged and unprivileged tests for objectclass/doller/UAC
       via  e3021debe82 CVE-2020-25722 dsdb: objectclass computer becomes UF_WORKSTATION_TRUST by default
       via  081a7c7ff9b CVE-2020-25722 selftest: Catch errors from samdb.modify() in user_account_control tests
       via  9ff11f2a955 CVE-2020-25722 selftest: Catch possible errors in PasswordSettingsTestCase.test_pso_none_applied()
       via  20720ec0bb1 CVE-2020-25722 selftest: allow for future failures in BindTests.test_virtual_email_account_style_bind
       via  0e3e5260790 CVE-2020-25722 selftest: Test combinations of account type and objectclass for creating a user
       via  20e466c1369 CVE-2020-25722 selftest: Extend priv_attrs test - work around UF_NORMAL_ACCOUNT rules on Windows 2019 (requires |UF_PASSWD_NOTREQD or a password) - extend to also cover the sensitive UF_TRUSTED_FOR_DELEGATION
       via  448585950bd CVE-2020-25722 dsdb: Restrict the setting of privileged attributes during LDAP add/modify
       via  0c20aa465c4 CVE-2020-25722 dsdb: Move krbtgt password setup after the point of checking if any passwords are changed
       via  d82cba0d8c7 CVE-2020-25722 dsdb: Tests for our known set of privileged attributes
       via  d2eee68c8a5 CVE-2020-17049 tests/krb5: Check account name and SID in PAC for S4U tests
       via  4ee7940140e CVE-2020-25722 selftest: Use self.assertRaisesLdbError() in user_account_control.py test
       via  ff8f61b7e30 CVE-2020-25722 selftest: Update user_account_control tests to pass against Windows 2019
       via  884b2d4c3bf CVE-2020-25722 selftest: Replace internal loop in test_uac_bits_set() using @DynamicTestClass
       via  d8762d35ac9 CVE-2020-25722 selftest: Replace internal loop in test_uac_bits_add() using @DynamicTestClass
       via  52611c7f53e CVE-2020-25722 selftest: Use @DynamicTestCase in user_account_control test_uac_bits_unrelated_modify()
       via  10d33e2e8d5 CVE-2020-25722 pydsdb: Add API to return strings of known UF_ flags
       via  0777ea3d660 CVE-2020-25722 selftest: Use addCleanup rather than tearDown in user_account_control.py
       via  62fe5530de3 CVE-2020-25722 selftest: Modernise user_account_control.py tests use a common self.OU
       via  7f4e179825e CVE-2020-25722 selftest: Move self.assertRaisesLdbError() to samba.tests.TestCase
       via  1bfde439b6c CVE-2020-25719 selftest/knownfail_mit_kdc: Add pointless knownfail to allow a later cherry-pick to apply cleanly
       via  4fea58a531e CVE-2020-25717 auth4: Remove sync check_password from auth_operations
       via  25d6b0c5e48 CVE-2020-25717 auth4: Make auth_sam pseudo-async
       via  78c76cf5f72 CVE-2020-25717 auth4: Make auth_unix pseudo-async
       via  b64de25abd8 CVE-2020-25717 auth4: Make auth_developer pseudo-async
       via  bba5ff7c4e9 CVE-2020-25717 auth4: Make auth_anonymous pseudo-async
       via  d7a295b97e4 CVE-2020-25717 auth: Simplify DEBUG statements in make_auth3_context_for_ntlm()
       via  ad4192e815d CVE-2020-25717 auth3: Simplify check_samba4_security()
       via  b2e1e518f7e CVE-2020-25717 selftest: Only set netbios aliases for the ad_member env
       via  b2fffcfacbd CVE-2020-25717 selftest: Pass down the machine account name to provision_ad_member
       via  031fc79834c CVE-2020-25717 auth_generic: fix empty initializer compile warning
       via  654b09ec8b9 CVE-2020-25717 lookup_name: allow lookup names prefixed with DNS forest root for FreeIPA DC
       via  eb4123b5cae CVE-2020-25717 auth_sam: use pdb_get_domain_info to look up DNS forest information
       via  4a39d8a1610 CVE-2020-25717 winbind: ensure wb_parent_idmap_setup_send() gets called in winbindd_allocate_uid_send()
       via  4a68c748e47 CVE-2020-25717 winbindd: call wb_parent_idmap_setup_send() in wb_queryuser_send()
       via  4925a110c4e CVE-2020-25717 s3:idmap_hash: reliable return ID_TYPE_BOTH
       via  bd12ce56f03 CVE-2020-25717 wb_sids2xids: defer/skip wb_lookupsids* unless we get ID_TYPE_WB_REQUIRE_TYPE
       via  04e10a84318 CVE-2020-25717 winbindd: allow idmap backends to mark entries with ID_[TYPE_WB_]REQUIRE_TYPE
       via  ed1542b9f37 CVE-2020-25717 wb_sids2xids: build state->idmap_doms based on wb_parent_idmap_config
       via  69c53f9c317 CVE-2020-25717 wb_sids2xids: fill cache as soon as possible
       via  0ec6beec7da CVE-2020-25717 wb_sids2xids: directly use state->all_ids to collect results
       via  ed766403618 CVE-2020-25717 wb_sids2xids: change 'i' to 'li' in wb_sids2xids_lookupsids_done()
       via  ab4f028db00 CVE-2020-25717 wb_sids2xids: refactor wb_sids2xids_done() a bit
       via  5e4491e8455 CVE-2020-25717 wb_sids2xids: inline wb_sids2xids_extract_for_domain_index() into wb_sids2xids_next_sids2unix()
       via  ca5cf8d35b9 CVE-2020-25717 wb_sids2xids: move more checks to wb_sids2xids_next_sids2unix()
       via  27b73f9d343 CVE-2020-25717 wb_sids2xids: rename 'non_cached' to 'lookup_sids'
       via  e226e0a163a CVE-2020-25717 wb_sids2xids: maintain struct wbint_TransIDArray all_ids as cache
       via  713f9c96007 CVE-2020-25717 wb_sids2xids: split out wb_sids2xids_next_sids2unix()
       via  3812930e641 CVE-2020-25717 winbindd: defer the setup_child() from init_idmap_child()
       via  be816313636 CVE-2020-25717 winbindd: assert wb_parent_idmap_setup_send/recv() was called before idmap_child_handle()
       via  12fb0f40f60 CVE-2020-25717 wb_queryuser: explain why wb_parent_idmap_setup_send/recv is not needed
       via  a3cca16fac5 CVE-2020-25717 wb_sids2xids: call wb_parent_idmap_setup_send/recv as the first step
       via  5e04b985acc CVE-2020-25717 wb_xids2sids: make use of the new wb_parent_idmap_setup_send/recv() helpers
       via  f3957ca5ce2 CVE-2020-25717 winbindd: add generic wb_parent_idmap_setup_send/recv() helpers
       via  aebe4cec6c5 CVE-2020-25717 winbindd: add and use is_idmap_child()
       via  b7b4bb1c55b CVE-2020-25717 winbindd: add and use idmap_child_pid()
       via  39da0df37c4 CVE-2020-25717 wb_sids2xids: avoid idmap_child() and use idmap_child_handle() instead
       via  861bc4ddd8d CVE-2020-25717 wb_xids2sids: avoid idmap_child() and use idmap_child_handle() instead
       via  d4c9be23183 CVE-2020-25717 wb_queryuser: avoid idmap_child() and use idmap_child_handle() instead
       via  68a823fd032 CVE-2020-25717 winbindd/idmap: apply const to struct nss_info_methods pointers
       via  337cb0847bf CVE-2020-25717 winbindd/idmap: apply const to struct idmap_methods pointers
       via  340e2153c7e CVE-2020-25717 test_idmap_tdb_common: correctly initialize the idmap domain with an init function
       via  0792d340860 CVE-2020-25717 s3:passdb: use ID_TYPE_* instead of WBC_ID_TYPE_*
       via  05b27742da4 CVE-2020-25717 winbind.idl: rename wbint_TransID.type to wbint_TransID.type_hint
      from  20ce74008b3 ldb: version 2.2.3
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -----------------------------------------------------------------
commit 959fb5a4c69478848d3fbcff7d952a727cef518d
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Nov 9 19:45:46 2021 +0100

    VERSION: Bump version up to Samba 4.13.15...

    and re-enable GIT_SNAPSHOT.

    Signed-off-by: Stefan Metzmacher <me...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 VERSION | 2 +-
 WHATSNEW.txt | 113 +-
 auth/auth_util.c | 9 +-
 auth/credentials/tests/bind.py | 13 +-
 auth/gensec/gensec_util.c | 27 +-
 auth/ntlmssp/ntlmssp_server.c | 2 +-
 docs-xml/smbdotconf/security/mindomainuid.xml | 17 +
 docs-xml/smbdotconf/security/serverrole.xml | 7 +
 docs-xml/smbdotconf/winbind/idmapconfig.xml | 4 +
 lib/param/loadparm.c | 4 +
 lib/param/loadparm_server_role.c | 2 +
 lib/param/param_table.c | 1 +
 lib/param/util.c | 1 +
 libcli/auth/wscript_build | 10 +-
 libcli/netlogon/netlogon.c | 2 +-
 libds/common/flag_mapping.c | 50 +
 libds/common/flag_mapping.h | 1 +
 libds/common/flags.h | 5 +
 libds/common/roles.h | 1 +
 librpc/idl/idmap.idl | 23 +-
 librpc/idl/krb5pac.idl | 38 +-
 librpc/idl/winbind.idl | 2 +-
 librpc/ndr/ndr_krb5pac.c | 4 +-
 librpc/rpc/dcerpc_pkt_auth.c | 500 +++++
 librpc/rpc/dcerpc_pkt_auth.h | 59 +
 librpc/rpc/dcerpc_util.c | 465 +----
 librpc/rpc/dcerpc_util.h | 85 +
 librpc/rpc/dcesrv_auth.c | 30 +
 librpc/rpc/dcesrv_core.c | 161 +-
 librpc/rpc/dcesrv_reply.c | 1 +
 librpc/rpc/rpc_common.h | 74 -
 librpc/wscript_build | 25 +-
 python/samba/netcmd/spn.py | 37 +-
 python/samba/tests/__init__.py | 58 +-
 python/samba/tests/blackbox/ndrdump.py | 35 +
 python/samba/tests/dcerpc/raw_protocol.py | 1561 ++++++++++++++--
 python/samba/tests/dcerpc/raw_testcase.py | 57 +-
 python/samba/tests/dsdb_api.py | 57 +
 python/samba/tests/krb5/alias_tests.py | 201 ++
 python/samba/tests/krb5/kdc_base_test.py | 168 +-
 python/samba/tests/krb5/kdc_tgs_tests.py | 1922 ++++++++++++++++++-
 python/samba/tests/krb5/raw_testcase.py | 239 ++-
 python/samba/tests/krb5/rfc4120_constants.py | 3 +
 python/samba/tests/krb5/rodc_tests.py | 2 +
 python/samba/tests/krb5/s4u_tests.py | 49 +-
 python/samba/tests/krb5/spn_tests.py | 212 +++
 python/samba/tests/krb5/test_ccache.py | 67 +-
 python/samba/tests/krb5/test_ldap.py | 100 +-
 python/samba/tests/krb5/test_min_domain_uid.py | 121 ++
 python/samba/tests/krb5/test_rpc.py | 70 +-
 python/samba/tests/krb5/test_smb.py | 71 +-
 python/samba/tests/ldap_spn.py | 917 ++++++++++
 python/samba/tests/ldap_upn_sam_account.py | 510 ++++++
 python/samba/tests/samba_tool/computer.py | 18 +-
 python/samba/tests/usage.py | 3 +
 selftest/knownfail.d/ldap_spn | 1 +
 selftest/knownfail.d/modify-order | 2 +-
 selftest/knownfail.d/priv_attr | 13 +
 selftest/knownfail.d/uac_objectclass_restrict | 17 +
 selftest/knownfail_heimdal_kdc | 16 +-
 selftest/knownfail_mit_kdc | 148 +-
 selftest/selftest.pl | 2 -
 selftest/target/Samba.pm | 2 +
 selftest/target/Samba3.pm | 98 +-
 selftest/target/Samba4.pm | 2 -
 selftest/tests.py | 1 +
 source3/auth/auth.c | 18 +-
 source3/auth/auth_generic.c | 162 +-
 source3/auth/auth_sam.c | 47 +-
 source3/auth/auth_samba4.c | 31 +-
 source3/auth/auth_util.c | 105 +-
 source3/auth/proto.h | 3 -
 source3/auth/user_krb5.c | 79 +-
 source3/include/idmap.h | 2 +-
 source3/include/nss_info.h | 6 +-
 source3/include/smb_macros.h | 2 +-
 source3/lib/netapi/joindomain.c | 1 +
 source3/lib/util_names.c | 15 +-
 source3/librpc/rpc/dcerpc_helpers.c | 1 +
 source3/libsmb/cliconnect.c | 9 +
 source3/param/loadparm.c | 6 +-
 source3/passdb/lookup_sid.c | 52 +-
 source3/passdb/machine_account_secrets.c | 7 +-
 source3/registry/reg_backend_prod_options.c | 1 +
 source3/rpc_client/cli_pipe.c | 1 +
 source3/rpc_client/rpc_transport_np.c | 1 +
 source3/rpc_server/dssetup/srv_dssetup_nt.c | 1 +
 source3/rpc_server/rpc_ncacn_np.c | 1 +
 source3/rpcclient/cmd_netlogon.c | 2 +-
 source3/smbd/server.c | 2 +-
 source3/torture/pdbtest.c | 2 +-
 source3/torture/test_idmap_tdb_common.c | 50 +-
 source3/utils/ntlm_auth.c | 95 +-
 source3/utils/ntlm_auth_diagnostics.c | 10 +-
 source3/winbindd/idmap.c | 6 +-
 source3/winbindd/idmap_ad.c | 2 +-
 source3/winbindd/idmap_ad_nss.c | 6 +-
 source3/winbindd/idmap_autorid.c | 8 +-
 source3/winbindd/idmap_hash/idmap_hash.c | 39 +-
 source3/winbindd/idmap_ldap.c | 31 +-
 source3/winbindd/idmap_nss.c | 3 +-
 source3/winbindd/idmap_passdb.c | 7 +-
 source3/winbindd/idmap_proto.h | 2 +-
 source3/winbindd/idmap_rfc2307.c | 2 +-
 source3/winbindd/idmap_rid.c | 2 +-
 source3/winbindd/idmap_rw.c | 32 +-
 source3/winbindd/idmap_script.c | 2 +-
 source3/winbindd/idmap_tdb.c | 2 +-
 source3/winbindd/idmap_tdb2.c | 2 +-
 source3/winbindd/idmap_tdb_common.c | 22 +-
 source3/winbindd/nss_info.c | 7 +-
 source3/winbindd/wb_queryuser.c | 66 +-
 source3/winbindd/wb_sids2xids.c | 561 ++++--
 source3/winbindd/wb_xids2sids.c | 267 +--
 source3/winbindd/winbindd.h | 13 +
 source3/winbindd/winbindd_allocate_uid.c | 44 +-
 source3/winbindd/winbindd_cm.c | 12 +-
 source3/winbindd/winbindd_dual.c | 10 +-
 source3/winbindd/winbindd_dual_srv.c | 15 +-
 source3/winbindd/winbindd_getgroups.c | 7 +
 source3/winbindd/winbindd_idmap.c | 378 +++-
 source3/winbindd/winbindd_irpc.c | 7 +
 source3/winbindd/winbindd_misc.c | 2 +-
 source3/winbindd/winbindd_pam.c | 15 +-
 source3/winbindd/winbindd_pam_auth_crap.c | 9 +-
 source3/winbindd/winbindd_proto.h | 7 +
 source3/winbindd/winbindd_util.c | 47 +-
 source3/wscript_build | 8 +-
 source4/auth/auth.h | 12 -
 source4/auth/ntlm/auth.c | 99 +-
 source4/auth/ntlm/auth_anonymous.c | 66 +-
 source4/auth/ntlm/auth_developer.c | 61 +-
 source4/auth/ntlm/auth_sam.c | 81 +-
 source4/auth/ntlm/auth_simple.c | 2 +-
 source4/auth/ntlm/auth_unix.c | 85 +-
 source4/auth/ntlm/wscript_build | 4 +-
 source4/auth/sam.c | 5 +-
 source4/dsdb/common/rodc_helper.c | 284 +++
 source4/dsdb/common/util.c | 11 +
 source4/dsdb/pydsdb.c | 30 +
 source4/dsdb/samdb/cracknames.c | 19 +-
 source4/dsdb/samdb/ldb_modules/acl.c | 120 +-
 source4/dsdb/samdb/ldb_modules/acl_util.c | 40 +
 source4/dsdb/samdb/ldb_modules/dirsync.c | 13 +-
 source4/dsdb/samdb/ldb_modules/objectclass.c | 36 +
 source4/dsdb/samdb/ldb_modules/password_hash.c | 164 +-
 source4/dsdb/samdb/ldb_modules/samldb.c | 1923 +++++++++++++++++---
 source4/dsdb/samdb/ldb_modules/util.c | 119 +-
 source4/dsdb/tests/python/acl.py | 97 +
 source4/dsdb/tests/python/ldap.py | 49 +-
 source4/dsdb/tests/python/linked_attributes.py | 21 -
 source4/dsdb/tests/python/password_settings.py | 30 +-
 source4/dsdb/tests/python/priv_attrs.py | 398 ++++
 source4/dsdb/tests/python/sam.py | 94 +-
 source4/dsdb/tests/python/subtree_rename.py | 25 -
 source4/dsdb/tests/python/user_account_control.py | 855 +++++++--
 source4/dsdb/wscript_build | 2 +-
 source4/heimdal/kdc/kerberos5.c | 23 +-
 source4/heimdal/kdc/krb5tgs.c | 292 ++-
 source4/heimdal/kdc/windc.c | 7 +-
 source4/heimdal/kdc/windc_plugin.h | 2 +
 source4/heimdal/lib/hdb/hdb.h | 2 +-
 source4/kdc/db-glue.c | 77 +-
 source4/kdc/db-glue.h | 5 +-
 source4/kdc/hdb-samba4.c | 43 +-
 source4/kdc/kdc-heimdal.c | 1 +
 source4/kdc/mit-kdb/kdb_samba.h | 7 +
 source4/kdc/mit-kdb/kdb_samba_policies.c | 185 +-
 source4/kdc/mit-kdb/kdb_samba_principals.c | 60 +-
 source4/kdc/mit_samba.c | 62 +-
 source4/kdc/mit_samba.h | 2 +
 source4/kdc/pac-glue.c | 473 ++++-
 source4/kdc/pac-glue.h | 31 +-
 source4/kdc/wdc-samba4.c | 132 +-
 source4/libcli/smb_composite/sesssetup.c | 14 +
 source4/librpc/rpc/dcerpc.c | 3 +
 source4/librpc/rpc/dcerpc_roh_channel_out.c | 1 +
 .../librpc/tests/krb5pac_upn_dns_info_ex.b64.txt | 1 +
 source4/librpc/tests/krb5pac_upn_dns_info_ex.txt | 220 +++
 .../krb5pac_upn_dns_info_ex_not_supported.b64.txt | 1 +
 .../krb5pac_upn_dns_info_ex_not_supported.txt | 213 +++
 source4/librpc/wscript_build | 21 +-
 source4/rpc_server/common/server_info.c | 121 +-
 source4/rpc_server/common/sid_helper.c | 134 --
 source4/rpc_server/dnsserver/dcerpc_dnsserver.c | 11 +-
 source4/rpc_server/drsuapi/dcesrv_drsuapi.c | 55 +-
 source4/rpc_server/drsuapi/getncchanges.c | 71 +-
 source4/rpc_server/lsa/lsa_init.c | 7 +-
 source4/rpc_server/netlogon/dcerpc_netlogon.c | 191 +-
 source4/rpc_server/samr/dcesrv_samr.c | 21 +-
 source4/rpc_server/samr/samr_password.c | 33 +-
 source4/rpc_server/wscript_build | 9 +-
 source4/selftest/tests.py | 110 +-
 source4/setup/provision_self_join.ldif | 9 +-
 source4/setup/tests/blackbox_spn.sh | 7 +-
 source4/setup/tests/blackbox_upgradeprovision.sh | 8 +-
 source4/smb_server/smb/sesssetup.c | 4 +-
 source4/torture/rpc/drsuapi.c | 202 +-
 source4/torture/rpc/drsuapi.h | 3 +-
 source4/torture/rpc/drsuapi_cracknames.c | 2 +-
 source4/torture/rpc/remote_pac.c | 24 +-
 source4/torture/rpc/samlogon.c | 4 +-
 source4/torture/rpc/schannel.c | 2 +-
 testprogs/blackbox/dbcheck-oldrelease.sh | 4 +-
 testprogs/blackbox/functionalprep.sh | 2 +-
 testprogs/blackbox/upgradeprovision-oldrelease.sh | 4 +-
 206 files changed, 15176 insertions(+), 3358 deletions(-)
 create mode 100644 docs-xml/smbdotconf/security/mindomainuid.xml
 create mode 100644 librpc/rpc/dcerpc_pkt_auth.c
 create mode 100644 librpc/rpc/dcerpc_pkt_auth.h
 create mode 100644 librpc/rpc/dcerpc_util.h
 create mode 100644 python/samba/tests/dsdb_api.py
 create mode 100755 python/samba/tests/krb5/alias_tests.py
 create mode 100755 python/samba/tests/krb5/spn_tests.py
 create mode 100755 python/samba/tests/krb5/test_min_domain_uid.py
 create mode 100644 python/samba/tests/ldap_spn.py
 create mode 100644 python/samba/tests/ldap_upn_sam_account.py
 create mode 100644 selftest/knownfail.d/ldap_spn
 create mode 100644 selftest/knownfail.d/priv_attr
 create mode 100644 selftest/knownfail.d/uac_objectclass_restrict
 create mode 100644 source4/dsdb/common/rodc_helper.c
 create mode 100644 source4/dsdb/tests/python/priv_attrs.py
 create mode 100644 source4/librpc/tests/krb5pac_upn_dns_info_ex.b64.txt
 create mode 100644 source4/librpc/tests/krb5pac_upn_dns_info_ex.txt
 create mode 100644 source4/librpc/tests/krb5pac_upn_dns_info_ex_not_supported.b64.txt
 create mode 100644 source4/librpc/tests/krb5pac_upn_dns_info_ex_not_supported.txt
 delete mode 100644 source4/rpc_server/common/sid_helper.c


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index b2cca84b9c5..15f13761633 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@ ######################################################## SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=13 -SAMBA_VERSION_RELEASE=14 +SAMBA_VERSION_RELEASE=15 ######################################################## # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 575ae48705f..40753b2b500 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -1,3 +1,112 @@ + =============================== + Release Notes for Samba 4.13.14 + November 9, 2021 + =============================== + + +This is a security release in order to address the following defects: + +o CVE-2016-2124: SMB1 client connections can be downgraded to plaintext + authentication. + https://www.samba.org/samba/security/CVE-2016-2124.html + +o CVE-2020-25717: A user on the domain can become root on domain members. + https://www.samba.org/samba/security/CVE-2020-25717.html + (PLEASE READ! There are important behaviour changes described) + +o CVE-2020-25718: Samba AD DC did not correctly sandbox Kerberos tickets issued + by an RODC. + https://www.samba.org/samba/security/CVE-2020-25718.html + +o CVE-2020-25719: Samba AD DC did not always rely on the SID and PAC in Kerberos + tickets. + https://www.samba.org/samba/security/CVE-2020-25719.html + +o CVE-2020-25721: Kerberos acceptors need easy access to stable AD identifiers + (eg objectSid). + https://www.samba.org/samba/security/CVE-2020-25721.html + +o CVE-2020-25722: Samba AD DC did not do suffienct access and conformance + checking of data stored. + https://www.samba.org/samba/security/CVE-2020-25722.html + +o CVE-2021-3738: Use after free in Samba AD DC RPC server. + https://www.samba.org/samba/security/CVE-2021-3738.html + +o CVE-2021-23192: Subsequent DCE/RPC fragment injection vulnerability. 
+ https://www.samba.org/samba/security/CVE-2021-23192.html + + +Changes since 4.13.13 +--------------------- + +o Douglas Bagnall <douglas.bagn...@catalyst.net.nz> + * CVE-2020-25722 + +o Andrew Bartlett <abart...@samba.org> + * CVE-2020-25718 + * CVE-2020-25719 + * CVE-2020-25721 + * CVE-2020-25722 + +o Ralph Boehme <s...@samba.org> + * CVE-2020-25717 + +o Alexander Bokovoy <a...@samba.org> + * CVE-2020-25717 + +o Samuel Cabrero <scabr...@samba.org> + * CVE-2020-25717 + +o Nadezhda Ivanova <nivan...@symas.com> + * CVE-2020-25722 + +o Stefan Metzmacher <me...@samba.org> + * CVE-2016-2124 + * CVE-2020-25717 + * CVE-2020-25719 + * CVE-2020-25722 + * CVE-2021-23192 + * CVE-2021-3738 + * ldb: version 2.2.3 + +o Andreas Schneider <a...@samba.org> + * CVE-2020-25719 + +o Joseph Sutton <josephsut...@catalyst.net.nz> + * CVE-2020-17049 + * CVE-2020-25718 + * CVE-2020-25719 + * CVE-2020-25721 + * CVE-2020-25722 + * MS CVE-2020-17049 + + +####################################### +Reporting bugs & Development Discussion +####################################### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical IRC channel on irc.libera.chat or the +#samba-technical:matrix.org matrix channel. + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. All bug reports should +be filed under the Samba 4.1 and newer product in the project's Bugzilla +database (https://bugzilla.samba.org/). + + +====================================================================== +== Our Code, Our Bugs, Our Responsibility. +== The Samba Team +====================================================================== + + +Release notes for older releases follow: +---------------------------------------- + + =============================== Release Notes for Samba 4.13.13 October 29, 2021 
@@ -94,8 +203,8 @@ database (https://bugzilla.samba.org/). ====================================================================== -Release notes for older releases follow: ----------------------------------------- +---------------------------------------------------------------------- + =============================== Release Notes for Samba 4.13.12 September 22, 2021 diff --git a/auth/auth_util.c b/auth/auth_util.c index f3586f1fc1e..fe01babd107 100644 --- a/auth/auth_util.c +++ b/auth/auth_util.c @@ -26,26 +26,28 @@ struct auth_session_info *copy_session_info(TALLOC_CTX *mem_ctx, const struct auth_session_info *src) { + TALLOC_CTX *frame = talloc_stackframe(); struct auth_session_info *dst; DATA_BLOB blob; enum ndr_err_code ndr_err; ndr_err = ndr_push_struct_blob( &blob, - talloc_tos(), + frame, src, (ndr_push_flags_fn_t)ndr_push_auth_session_info); if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { DBG_ERR("copy_session_info(): ndr_push_auth_session_info " "failed: %s\n", ndr_errstr(ndr_err)); + TALLOC_FREE(frame); return NULL; } dst = talloc(mem_ctx, struct auth_session_info); if (dst == NULL) { DBG_ERR("talloc failed\n"); - TALLOC_FREE(blob.data); + TALLOC_FREE(frame); return NULL; } @@ -54,15 +56,16 @@ struct auth_session_info *copy_session_info(TALLOC_CTX *mem_ctx, dst, dst, (ndr_pull_flags_fn_t)ndr_pull_auth_session_info); - TALLOC_FREE(blob.data); if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { DBG_ERR("copy_session_info(): ndr_pull_auth_session_info " "failed: %s\n", ndr_errstr(ndr_err)); TALLOC_FREE(dst); + TALLOC_FREE(frame); return NULL; } + TALLOC_FREE(frame); return dst; } diff --git a/auth/credentials/tests/bind.py b/auth/credentials/tests/bind.py index 8bee6f96c62..b6b65a56c75 100755 --- a/auth/credentials/tests/bind.py +++ b/auth/credentials/tests/bind.py 
@@ -90,7 +90,8 @@ class BindTests(samba.tests.TestCase): # this test to detect when the LDAP DN is being double-parsed # but must be in the user@realm style to allow the account to # be created - self.ldb.add_ldif(""" + try: + self.ldb.add_ldif(""" dn: """ + self.virtual_user_dn + """ cn: frednurk@""" + self.realm + """ displayName: Fred Nurk @@ -103,13 +104,21 @@ objectClass: person objectClass: top objectClass: user """) + except LdbError as e: + (num, msg) = e.args + self.fail(f"Failed to create e-mail user: {msg}") + self.addCleanup(delete_force, self.ldb, self.virtual_user_dn) - self.ldb.modify_ldif(""" + try: + self.ldb.modify_ldif(""" dn: """ + self.virtual_user_dn + """ changetype: modify replace: unicodePwd unicodePwd:: """ + base64.b64encode(u"\"P@ssw0rd\"".encode('utf-16-le')).decode('utf8') + """ """) + except LdbError as e: + (num, msg) = e.args + self.fail(f"Failed to set password on e-mail user: {msg}") self.ldb.enable_account('distinguishedName=%s' % self.virtual_user_dn) diff --git a/auth/gensec/gensec_util.c b/auth/gensec/gensec_util.c index e185acc0c20..694661b53b5 100644 --- a/auth/gensec/gensec_util.c +++ b/auth/gensec/gensec_util.c @@ -25,6 +25,8 @@ #include "auth/gensec/gensec_internal.h" #include "auth/common_auth.h" #include "../lib/util/asn1.h" +#include "param/param.h" +#include "libds/common/roles.h" #undef DBGC_CLASS #define DBGC_CLASS DBGC_AUTH 
@@ -46,10 +48,27 @@ NTSTATUS gensec_generate_session_info_pac(TALLOC_CTX *mem_ctx, session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS; if (!pac_blob) { - if (gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) { - DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access\n", - principal_string)); - return NT_STATUS_ACCESS_DENIED; + enum server_role server_role = + lpcfg_server_role(gensec_security->settings->lp_ctx); + + /* + * For any domain setup (DC or member) we require having + * a PAC, as the service ticket comes from an AD DC, + * which will always provide a PAC, unless + * UF_NO_AUTH_DATA_REQUIRED is configured for our + * account, but that's just an invalid configuration, + * the admin configured for us! + * + * As a legacy case, we still allow kerberos tickets from an MIT + * realm, but only in standalone mode. In that mode we'll only + * ever accept a kerberos authentication with a keytab file + * being explicitly configured via the 'keytab method' option. + */ + if (server_role != ROLE_STANDALONE) { + DBG_WARNING("Unable to find PAC in ticket from %s, " + "failing to allow access\n", + principal_string); + return NT_STATUS_NO_IMPERSONATION_TOKEN; } DBG_NOTICE("Unable to find PAC for %s, resorting to local " "user lookup\n", principal_string); diff --git a/auth/ntlmssp/ntlmssp_server.c b/auth/ntlmssp/ntlmssp_server.c index 001238278d7..939aa0ef4aa 100644 --- a/auth/ntlmssp/ntlmssp_server.c +++ b/auth/ntlmssp/ntlmssp_server.c @@ -799,7 +799,7 @@ static void ntlmssp_server_auth_done(struct tevent_req *subreq) struct gensec_security *gensec_security = state->gensec_security; struct gensec_ntlmssp_context *gensec_ntlmssp = state->gensec_ntlmssp; struct auth4_context *auth_context = gensec_security->auth_context; - uint8_t authoritative = 0; + uint8_t authoritative = 1; NTSTATUS status; status = auth_context->check_ntlm_password_recv(subreq, 
diff --git a/docs-xml/smbdotconf/security/mindomainuid.xml b/docs-xml/smbdotconf/security/mindomainuid.xml new file mode 100644 index 00000000000..46ae795d730 --- /dev/null +++ b/docs-xml/smbdotconf/security/mindomainuid.xml @@ -0,0 +1,17 @@ +<samba:parameter name="min domain uid" + type="integer" + context="G" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para> + The integer parameter specifies the minimum uid allowed when mapping a + local account to a domain account. + </para> + + <para> + Note that this option interacts with the configured <emphasis>idmap ranges</emphasis>! + </para> +</description> + +<value type="default">1000</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/serverrole.xml b/docs-xml/smbdotconf/security/serverrole.xml index 9511c61c96d..b8b83a127b5 100644 --- a/docs-xml/smbdotconf/security/serverrole.xml +++ b/docs-xml/smbdotconf/security/serverrole.xml @@ -78,6 +78,13 @@ url="http://wiki.samba.org/index.php/Samba4/HOWTO">Samba4 HOWTO</ulink></para> + <para><anchor id="IPA-DC"/><emphasis>SERVER ROLE = IPA DOMAIN CONTROLLER</emphasis></para> + + <para>This mode of operation runs Samba in a hybrid mode for IPA + domain controller, providing forest trust to Active Directory. + This role requires special configuration performed by IPA installers + and should not be used manually by any administrator. + </para> </description> <related>security</related> diff --git a/docs-xml/smbdotconf/winbind/idmapconfig.xml b/docs-xml/smbdotconf/winbind/idmapconfig.xml index 1374040fb29..f70f11df757 100644 --- a/docs-xml/smbdotconf/winbind/idmapconfig.xml +++ b/docs-xml/smbdotconf/winbind/idmapconfig.xml 
@@ -80,6 +80,9 @@ authoritative for a unix ID to SID mapping, so it must be set for each individually configured domain and for the default configuration. The configured ranges must be mutually disjoint. + </para> + <para> + Note that the low value interacts with the <smbconfoption name="min domain uid"/> option! </para></listitem> </varlistentry> @@ -115,4 +118,5 @@ </programlisting> </description> +<related>min domain uid</related> </samba:parameter> diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c index 006caabc092..d2f6e6241ad 100644 --- a/lib/param/loadparm.c +++ b/lib/param/loadparm.c @@ -3079,6 +3079,10 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) lpcfg_do_global_parameter( lp_ctx, "ldap max search request size", "256000"); + lpcfg_do_global_parameter(lp_ctx, + "min domain uid", + "1000"); + for (i = 0; parm_table[i].label; i++) { if (!(lp_ctx->flags[i] & FLAG_CMDLINE)) { lp_ctx->flags[i] |= FLAG_DEFAULT; diff --git a/lib/param/loadparm_server_role.c b/lib/param/loadparm_server_role.c index 7a6bc770723..a78d1ab9cf3 100644 --- a/lib/param/loadparm_server_role.c +++ b/lib/param/loadparm_server_role.c @@ -42,6 +42,7 @@ static const struct srv_role_tab { { ROLE_DOMAIN_BDC, "ROLE_DOMAIN_BDC" }, { ROLE_DOMAIN_PDC, "ROLE_DOMAIN_PDC" }, { ROLE_ACTIVE_DIRECTORY_DC, "ROLE_ACTIVE_DIRECTORY_DC" }, + { ROLE_IPA_DC, "ROLE_IPA_DC"}, { 0, NULL } }; @@ -140,6 +141,7 @@ bool lp_is_security_and_server_role_valid(int server_role, int security) case ROLE_DOMAIN_PDC: case ROLE_DOMAIN_BDC: case ROLE_ACTIVE_DIRECTORY_DC: + case ROLE_IPA_DC: if (security == SEC_USER) { valid = true; } diff --git a/lib/param/param_table.c b/lib/param/param_table.c index 47b85de1f87..780252017d2 100644 --- a/lib/param/param_table.c +++ b/lib/param/param_table.c 
@@ -111,6 +111,7 @@ static const struct enum_list enum_server_role[] = { {ROLE_ACTIVE_DIRECTORY_DC, "active directory domain controller"}, {ROLE_ACTIVE_DIRECTORY_DC, "domain controller"}, {ROLE_ACTIVE_DIRECTORY_DC, "dc"}, + {ROLE_IPA_DC, "IPA primary domain controller"}, {-1, NULL} }; diff --git a/lib/param/util.c b/lib/param/util.c index cd8e74b9d8f..9a0fc102de8 100644 --- a/lib/param/util.c +++ b/lib/param/util.c @@ -255,6 +255,7 @@ const char *lpcfg_sam_name(struct loadparm_context *lp_ctx) case ROLE_DOMAIN_BDC: case ROLE_DOMAIN_PDC: case ROLE_ACTIVE_DIRECTORY_DC: + case ROLE_IPA_DC: return lpcfg_workgroup(lp_ctx); default: return lpcfg_netbios_name(lp_ctx); diff --git a/libcli/auth/wscript_build b/libcli/auth/wscript_build index 2a6a7468e45..24ab68fac1e 100644 --- a/libcli/auth/wscript_build +++ b/libcli/auth/wscript_build @@ -30,7 +30,15 @@ bld.SAMBA_SUBSYSTEM('COMMON_SCHANNEL', bld.SAMBA_SUBSYSTEM('NETLOGON_CREDS_CLI', source='netlogon_creds_cli.c', - deps='dbwrap util_tdb tevent-util samba-hostconfig RPC_NDR_NETLOGON NDR_NETLOGON' + deps=''' + dbwrap + util_tdb + tevent-util + samba-hostconfig + gensec + RPC_NDR_NETLOGON + NDR_NETLOGON + ''' ) bld.SAMBA_SUBSYSTEM('PAM_ERRORS', diff --git a/libcli/netlogon/netlogon.c b/libcli/netlogon/netlogon.c index 239503e85b6..59af460dc4e 100644 --- a/libcli/netlogon/netlogon.c +++ b/libcli/netlogon/netlogon.c @@ -93,7 +93,7 @@ NTSTATUS pull_netlogon_samlogon_response(DATA_BLOB *data, TALLOC_CTX *mem_ctx, if (ndr->offset < ndr->data_size) { TALLOC_FREE(ndr); /* - * We need to handle a bug in FreeIPA (at least <= 4.1.2). + * We need to handle a bug in IPA (at least <= 4.1.2). * * They include the ip address information without setting * NETLOGON_NT_VERSION_5EX_WITH_IP, while using diff --git a/libds/common/flag_mapping.c b/libds/common/flag_mapping.c index ddc8ec5c198..020922db659 100644 --- a/libds/common/flag_mapping.c +++ b/libds/common/flag_mapping.c 
@@ -164,3 +164,53 @@ uint32_t ds_uf2prim_group_rid(uint32_t uf) return prim_group_rid; } + +#define FLAG(x) { .name = #x, .uf = x } +struct { + const char *name; + uint32_t uf; +} user_account_control_name_map[] = { + FLAG(UF_SCRIPT), + FLAG(UF_ACCOUNTDISABLE), + FLAG(UF_00000004), + FLAG(UF_HOMEDIR_REQUIRED), + FLAG(UF_LOCKOUT), + FLAG(UF_PASSWD_NOTREQD), + FLAG(UF_PASSWD_CANT_CHANGE), + FLAG(UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED), + + FLAG(UF_TEMP_DUPLICATE_ACCOUNT), + FLAG(UF_NORMAL_ACCOUNT), + FLAG(UF_00000400), + FLAG(UF_INTERDOMAIN_TRUST_ACCOUNT), + + FLAG(UF_WORKSTATION_TRUST_ACCOUNT), + FLAG(UF_SERVER_TRUST_ACCOUNT), + FLAG(UF_00004000), + FLAG(UF_00008000), + + FLAG(UF_DONT_EXPIRE_PASSWD), + FLAG(UF_MNS_LOGON_ACCOUNT), + FLAG(UF_SMARTCARD_REQUIRED), + FLAG(UF_TRUSTED_FOR_DELEGATION), + + FLAG(UF_NOT_DELEGATED), + FLAG(UF_USE_DES_KEY_ONLY), + FLAG(UF_DONT_REQUIRE_PREAUTH), + FLAG(UF_PASSWORD_EXPIRED), + FLAG(UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION), + FLAG(UF_NO_AUTH_DATA_REQUIRED), + FLAG(UF_PARTIAL_SECRETS_ACCOUNT), + FLAG(UF_USE_AES_KEYS) +}; + +const char *dsdb_user_account_control_flag_bit_to_string(uint32_t uf) +{ + int i; + for (i=0; i < ARRAY_SIZE(user_account_control_name_map); i++) { + if (uf == user_account_control_name_map[i].uf) { + return user_account_control_name_map[i].name; + } + } + return NULL; -- Samba Shared Repository
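Review bot: in the WHATSNEW.txt hunk (@@ -1,3 +1,112 @@) the CVE-2020-25722 bullet has a typo, "did not do suffienct access and conformance checking" should read "sufficient". In the same hunk the entry for Joseph Sutton lists the same issue twice, once as "CVE-2020-17049" and once as "MS CVE-2020-17049"; keep one form, consistent with how the other contributors' entries name CVEs.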
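Review bot: the first auth/auth_util.c hunk (@@ -26,26 +26,28 @@) would benefit from a one-line comment above `TALLOC_CTX *frame = talloc_stackframe();` saying why talloc_tos() is not safe in copy_session_info() (it can be called without an enclosing stackframe, which is what the CVE-2021-3738 subject refers to). Every exit in this hunk now does `TALLOC_FREE(frame);` before `return NULL;`, which is correct; without the comment a later cleanup could easily "simplify" it back to talloc_tos().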
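Review bot: in the second auth/auth_util.c hunk (@@ -54,15 +56,16 @@) dropping `-	TALLOC_FREE(blob.data);` is only correct because blob.data is now a child of `frame` and is released by the trailing `TALLOC_FREE(frame);`. The ordering is load-bearing: `frame` must be freed only after ndr_pull_struct_blob has finished, and because `dst` is pulled with `dst` as its own memory context nothing reachable from the returned session info lives on the frame. A short comment next to the final `TALLOC_FREE(frame);` stating both points would save the next reader from re-deriving them.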
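Review bot: in the auth/credentials/tests/bind.py hunk (@@ -103,13 +104,21 @@) both new except clauses unpack `(num, msg) = e.args` but never use `num`; `msg = e.args[1]` (or `(_, msg) = e.args`) avoids the unused name. Also confirm that `LdbError` is imported in this module, since the import is not part of the hunk; if it is missing, a failing add_ldif/modify_ldif now raises NameError instead of the intended `self.fail(...)` message.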
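Review bot: the auth/gensec/gensec_util.c hunk (@@ -46,10 +48,27 @@) removes the only use of the `gensec:require_pac` setting shown here, so that option is now silently ignored and every non-standalone role requires a PAC unconditionally; the release notes and the smb.conf documentation should state that the setting no longer has any effect. The returned status also changes from NT_STATUS_ACCESS_DENIED to NT_STATUS_NO_IMPERSONATION_TOKEN, which is visible to clients and worth a sentence in the commit message. Finally, `gensec_security->settings->lp_ctx` is now dereferenced inline where the old code passed `gensec_security->settings` to gensec_setting_bool(); check that `settings` can never be NULL on this path, or guard it.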
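Review bot: in the auth/ntlmssp/ntlmssp_server.c hunk (@@ -799,7 +799,7 @@) changing `uint8_t authoritative = 0;` to `= 1` flips the default: if check_ntlm_password_recv() fails without touching `authoritative`, the failure is now treated as authoritative and no fallback to another authentication backend happens. That is a deliberate policy change, so add a comment at the declaration saying the callee must explicitly clear it to request a fallback; a bare `= 1` reads like a typo fix.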
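Review bot: the new docs-xml/smbdotconf/security/mindomainuid.xml describes what "min domain uid" is but not what happens when a mapping yields a uid below it (is the mapping refused, is the account treated as unknown?); the administrator needs that to reason about the "interacts with the configured idmap ranges" warning. Two smaller points: "The integer parameter specifies" reads better as "This parameter specifies", and the cross-reference could use `<smbconfoption name="idmap config"/>` instead of `<emphasis>idmap ranges</emphasis>`, mirroring the `<related>min domain uid</related>` link that the idmapconfig.xml hunk adds in the other direction.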
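Review bot: the docs-xml/smbdotconf/security/serverrole.xml hunk (@@ -78,6 +78,13 @@) titles the new section "SERVER ROLE = IPA DOMAIN CONTROLLER", but the string the parser accepts in the lib/param/param_table.c hunk is `{ROLE_IPA_DC, "IPA primary domain controller"}`. The man page should show the literal value an administrator (or the IPA installer) has to put in smb.conf, so either the heading or the enum string needs to change so they agree.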
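Review bot: style point in the first lib/param/loadparm_server_role.c hunk (@@ -42,6 +42,7 @@): `{ ROLE_IPA_DC, "ROLE_IPA_DC"},` lacks the space before the closing brace that every other row of srv_role_tab uses (`{ ROLE_ACTIVE_DIRECTORY_DC, "ROLE_ACTIVE_DIRECTORY_DC" },`).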
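Review bot: in the libds/common/flag_mapping.c hunk (@@ -164,3 +164,53 @@) `user_account_control_name_map` is defined with external linkage and an anonymous struct type, but its only user is the function directly below it; make it `static const`. In dsdb_user_account_control_flag_bit_to_string() the loop variable `int i` is compared against `ARRAY_SIZE(...)`, which is unsigned, so use `size_t i`. The `FLAG` macro stays defined after the table and should be `#undef`ed once the table is complete. The lookup is an exact equality test, so any value with more than one UF_ bit set returns NULL; the name "flag_bit" implies that, but a doc comment on the function should say it explicitly. The function's closing brace falls past the 500-line truncation, so the rest of the hunk cannot be reviewed here.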