The branch, master has been updated via 90febd2a33b s4:mit-kdb: Force canonicalization for looking up principals via 8b83758b7c5 s4:kdc: Remove trailing spaces in db-glue.c via d128a85f999 s4:mit-kdb: Reduce includes to only what's needed via 28be1acd8eb mit-kdc: Use more strict KDC default settings from 3507e96b3dc CVE-2021-3670 ldap_server: Clearly log LDAP queries and timeouts
https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 90febd2a33b88af49af595fe0e995d6ba0f33a1b Author: Isaac Boukris <ibouk...@gmail.com> Date: Sat Sep 19 14:16:20 2020 +0200 s4:mit-kdb: Force canonicalization for looking up principals See also https://github.com/krb5/krb5/commit/ac8865a22138ab0c657208c41be8fd6bc7968148 Pair-Programmed-With: Andreas Schneider <a...@samba.org> Signed-off-by: Isaac Boukris <ibouk...@gmail.com> Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Alexander Bokovoy <a...@samba.org> Autobuild-User(master): Andreas Schneider <a...@cryptomilk.org> Autobuild-Date(master): Mon Nov 29 09:32:26 UTC 2021 on sn-devel-184 commit 8b83758b7c51e4effc57c6130abb38bd53d74bb9 Author: Andreas Schneider <a...@cryptomilk.org> Date: Tue Oct 19 09:59:54 2021 +0200 s4:kdc: Remove trailing spaces in db-glue.c Signed-off-by: Andreas Schneider <a...@cryptomilk.org> Reviewed-by: Alexander Bokovoy <a...@samba.org> commit d128a85f999afb002b510ad6ec8c94f7df006195 Author: Andreas Schneider <a...@samba.org> Date: Tue Nov 23 07:43:05 2021 +0100 s4:mit-kdb: Reduce includes to only what's needed Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Alexander Bokovoy <a...@samba.org> commit 28be1acd8eb921c15cbd1260711cbbdd48595e6c Author: Andreas Schneider <a...@samba.org> Date: Mon Oct 11 10:55:52 2021 +0200 mit-kdc: Use more strict KDC default settings As we require MIT KRB5 >= 1.19 for the KDC, use more secure defaults. 
Signed-off-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Alexander Bokovoy <a...@samba.org>
-----------------------------------------------------------------------
Summary of changes:
 python/samba/provision/kerberos.py | 7 +++++++
 selftest/knownfail_mit_kdc | 14 --------------
 selftest/target/Samba.pm | 7 +++++++
 source4/heimdal/lib/hdb/hdb.h | 1 +
 source4/kdc/db-glue.c | 15 ++++++++++-----
 source4/kdc/mit-kdb/kdb_samba_policies.c | 9 ++++++---
 source4/kdc/mit_samba.c | 8 ++++++++
 source4/kdc/sdb.h | 1 +
 8 files changed, 40 insertions(+), 22 deletions(-)
Changeset truncated at 500 lines:
diff --git a/python/samba/provision/kerberos.py b/python/samba/provision/kerberos.py
index 6b8ceb28733..665c031ffa5 100644
--- a/python/samba/provision/kerberos.py
+++ b/python/samba/provision/kerberos.py
@@ -52,19 +52,26 @@ def create_kdc_conf(kdcconf, realm, domain, logdir):
 f.write("\tkdc_ports = 88\n")
 f.write("\tkdc_tcp_ports = 88\n")
 f.write("\tkadmind_port = 464\n")
+ f.write("\trestrict_anonymous_to_tgt = true\n")
 f.write("\n")
 f.write("[realms]\n")
 f.write("\t%s = {\n" % realm)
+ f.write("\t\tmaster_key_type = aes256-cts\n")
+ f.write("\t\tdefault_principal_flags = +preauth\n")
 f.write("\t}\n")
 f.write("\n")
 f.write("\t%s = {\n" % realm.lower())
+ f.write("\t\tmaster_key_type = aes256-cts\n")
+ f.write("\t\tdefault_principal_flags = +preauth\n")
 f.write("\t}\n")
 f.write("\n")
 f.write("\t%s = {\n" % domain)
+ f.write("\t\tmaster_key_type = aes256-cts\n")
+ f.write("\t\tdefault_principal_flags = +preauth\n")
 f.write("\t}\n")
 f.write("\n")
diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc
index cc7b501c6bf..c046a46a4f3 100644
--- a/selftest/knownfail_mit_kdc
+++ b/selftest/knownfail_mit_kdc
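Review bot: The three realm stanzas in create_kdc_conf now carry the same two hardening writes (`master_key_type`, `default_principal_flags`) copied verbatim, so the next setting has to be added in three places here and a fourth time in the matching heredoc in selftest/target/Samba.pm, and the stanzas can silently drift apart. A loop over `(realm, realm.lower(), domain)` that emits one stanza keeps them identical and makes the intent — every alias of the realm gets the same policy — visible. create_kdc_conf starts before this hunk (the `f` handle is opened there) and appears to continue after it.

```python
    # … unchanged: [kdcdefaults] writes, including restrict_anonymous_to_tgt …
    f.write("[realms]\n")
    # Every alias of the realm must get the same key type and principal
    # defaults; emit the stanza from one place so they cannot diverge.
    for name in (realm, realm.lower(), domain):
        f.write("\t%s = {\n" % name)
        f.write("\t\tmaster_key_type = aes256-cts\n")
        f.write("\t\tdefault_principal_flags = +preauth\n")
        f.write("\t}\n")
        f.write("\n")
```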
@@ -379,8 +379,6 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_revealed
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_sid_mismatch_existing
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_sid_mismatch_nonexisting
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_authdata_no_pac
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_no_pac
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_req
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_rodc_allowed_denied
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_rodc_denied
@@ -408,8 +406,6 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_authdata_no_pac
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_no_pac
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_no_sname
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_other_sname
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_req
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_rodc_allowed_denied
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_rodc_denied
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_rodc_no_krbtgt_link
@@ -422,10 +418,6 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_sid_mismatch_existing
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_sid_mismatch_nonexisting
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_tgt_cname_host
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_tgt_correct_cname
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_tgt_correct_realm
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_tgt_other_cname
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_tgt_wrong_realm
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_wrong_sname
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_wrong_sname_krbtgt
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_wrong_srealm
@@ -471,12 +463,6 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_pac_request_false
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_pac_request_none
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_pac_request_true
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_pac_request_false
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_pac_request_none
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_pac_request_true
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_user_pac_request_false
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_user_pac_request_none
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_user_pac_request_true
 #
 # PAC requester SID tests
 #
diff --git a/selftest/target/Samba.pm b/selftest/target/Samba.pm
index c4f8eb5d4f9..ab6d8edc2cc 100644
--- a/selftest/target/Samba.pm
+++ b/selftest/target/Samba.pm
@@ -457,15 +457,22 @@ sub mk_mitkdc_conf($$)
 [kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88
+ restrict_anonymous_to_tgt = true
 [realms]
 $ctx->{realm} = {
+ master_key_type = aes256-cts
+ default_principal_flags = +preauth
 }
 $ctx->{dnsname} = {
+ master_key_type = aes256-cts
+ default_principal_flags = +preauth
 }
 $ctx->{domain} = {
+ master_key_type = aes256-cts
+ default_principal_flags = +preauth
 }
 [dbmodules]
diff --git a/source4/heimdal/lib/hdb/hdb.h b/source4/heimdal/lib/hdb/hdb.h
index 5ef9d9565f3..dafaffc6c2d 100644
--- a/source4/heimdal/lib/hdb/hdb.h
+++ b/source4/heimdal/lib/hdb/hdb.h
@@ -63,6 +63,7 @@ enum hdb_lockop{ HDB_RLOCK, HDB_WLOCK };
 #define HDB_F_ALL_KVNOS 2048 /* we want all the keys, live or not */
 #define HDB_F_FOR_AS_REQ 4096 /* fetch is for a AS REQ */
 #define HDB_F_FOR_TGS_REQ 8192 /* fetch is for a TGS REQ */
+#define HDB_F_FORCE_CANON 16384 /* force canonicalition */
 /* hdb_capability_flags */
 #define HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL 1
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index aff74f2ee71..bfde2baf0b5 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -870,13 +870,13 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
 userAccountControl |= msDS_User_Account_Control_Computed;
 }
- /*
+ /*
 * If we are set to canonicalize, we get back the fixed UPPER
 * case realm, and the real username (ie matching LDAP
- * samAccountName)
+ * samAccountName)
 *
 * Otherwise, if we are set to enterprise, we
- * get back the whole principal as-sent
+ * get back the whole principal as-sent
 *
 * Finally, if we are not set to canonicalize, we get back the
 * fixed UPPER case realm, but the as-sent username
@@ -922,11 +922,16 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
 krb5_clear_error_message(context);
 goto out;
 }
- } else if ((flags & SDB_F_CANON) && (flags & SDB_F_FOR_AS_REQ)) {
+ } else if ((flags & SDB_F_FORCE_CANON) ||
+ ((flags & SDB_F_CANON) && (flags & SDB_F_FOR_AS_REQ))) {
 /*
 * SDB_F_CANON maps from the canonicalize flag in the
 * packet, and has a different meaning between AS-REQ
 * and TGS-REQ. We only change the principal in the AS-REQ case
+ *
+ * The SDB_F_FORCE_CANON if for new MIT KDC code that wants
+ * the canonical name in all lookups, and takes care to
+ * canonicalize only when appropriate.
 */
 ret = smb_krb5_make_principal(context, &entry_ex->entry.principal, lpcfg_realm(lp_ctx), samAccountName, NULL);
 if (ret) {
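Review bot: The comment on the new `HDB_F_FORCE_CANON` define misspells its own purpose (`/* force canonicalition */`) and does not say who sets the flag or what it overrides; the identical line, with the identical typo, is added as `SDB_F_FORCE_CANON` in source4/kdc/sdb.h in the last hunk of this changeset. Suggest `#define HDB_F_FORCE_CANON 16384 /* always return the canonical principal name; the caller decides when that is safe to expose */` here and the same wording on the sdb.h line. Both defines use the value 16384 after the existing 4096/8192 flags, which matters if the sdb and hdb flag sets are translated by value elsewhere (not visible in this hunk); whether 16384 is otherwise unused in each header cannot be checked from the visible lines.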
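Review bot: In the second db-glue.c hunk, `SDB_F_FORCE_CANON` makes the entry's principal be rebuilt from `samAccountName` regardless of `SDB_F_CANON` and `SDB_F_FOR_AS_REQ`, so the decision whether a client that did not request canonicalization may learn the canonical name now rests entirely with the caller; the new comment says so but has a typo (`if for` should be `is for`) and does not name that contract. Suggest replacing the added comment lines with `* SDB_F_FORCE_CANON is set only by the MIT KDB glue, where the MIT KDC` `* itself decides whether the canonical name is returned to the client,` `* so this path must not be reached by callers that do not do that.`. The branch preceding this `else if` lies outside the hunk, so whether it still takes priority over the forced-canonical path cannot be checked here; samba_kdc_message2entry starts and ends outside the hunk.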
@@ -946,7 +951,7 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
 * the client-specified realm. This code attempts to
 * replace the client principal's realm with the one
 * we determine from our records */
-
+
 /* this has to be with malloc() */
 ret = smb_krb5_principal_set_realm(context, entry_ex->entry.principal, lpcfg_realm(lp_ctx));
 if (ret) {
diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c
index f35210669c2..336aa3f711a 100644
--- a/source4/kdc/mit-kdb/kdb_samba_policies.c
+++ b/source4/kdc/mit-kdb/kdb_samba_policies.c
@@ -20,9 +20,12 @@ along with this program. If not, see <http://www.gnu.org/licenses/>.
 */
-#include "includes.h"
-
-#include "system/kerberos.h"
+#include "lib/replace/replace.h"
+#include "lib/replace/system/kerberos.h"
+#include "lib/util/data_blob.h"
+#include "lib/util/debug.h"
+#include "lib/util/fault.h"
+#include "lib/util/memory.h"
 #include <profile.h>
 #include <kdb.h>
diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c
index 4239332f0d9..53c137de2fd 100644
--- a/source4/kdc/mit_samba.c
+++ b/source4/kdc/mit_samba.c
@@ -221,6 +221,14 @@ int mit_samba_get_principal(struct mit_samba_context *ctx,
 return ENOMEM;
 }
+#if KRB5_KDB_API_VERSION >= 10
+ /*
+ * The MIT KDC code that wants the canonical name in all lookups, and
+ * takes care to canonicalize only when appropriate.
+ */
+ sflags |= SDB_F_FORCE_CANON;
+#endif
+
 if (kflags & KRB5_KDB_FLAG_CANONICALIZE) {
 sflags |= SDB_F_CANON;
 }
diff --git a/source4/kdc/sdb.h b/source4/kdc/sdb.h
index c929acccce6..a9115ec23d7 100644
--- a/source4/kdc/sdb.h
+++ b/source4/kdc/sdb.h
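Review bot: The new include list in kdb_samba_policies.c relies on `lib/replace/replace.h` being the first include, which — as far as I recall of Samba's libreplace — is required because it establishes the feature-test macros before any system header such as `<profile.h>` or `<kdb.h>` is read; nothing in the hunk records that ordering constraint. A one-line comment above it, `/* replace.h must stay the first include: it sets the feature macros */`, would keep a later alphabetical reshuffle from silently breaking the build on some platforms. Whether the six listed headers cover every symbol the file uses cannot be verified from this hunk.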
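Review bot: The comment added inside the `#if KRB5_KDB_API_VERSION >= 10` block in mit_samba_get_principal is a sentence fragment (`The MIT KDC code that wants the canonical name in all lookups, and takes care ...`) and says nothing about the other side of the guard: on an older KDB API the flag is silently not set and only the `SDB_F_CANON`-from-`KRB5_KDB_FLAG_CANONICALIZE` path remains, which seems at odds with the cover letter's statement that MIT KRB5 >= 1.19 is now required for the KDC (I take API version 10 to be that requirement, but the mapping is not visible here). Suggest `/* KDB API >= 10: the MIT KDC canonicalizes only when the client may see it, so always hand it the canonical name. */`, and if the older API is genuinely unsupported, an `#else` with `#error` so the degraded path cannot be built unnoticed. Setting `SDB_F_FORCE_CANON` before the `SDB_F_CANON` check means both bits may be set together, which the db-glue.c condition in this changeset accepts; mit_samba_get_principal starts before the hunk.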
@@ -116,6 +116,7 @@ struct sdb_entry_ex {
 #define SDB_F_KVNO_SPECIFIED 128 /* we want a particular KVNO */
 #define SDB_F_FOR_AS_REQ 4096 /* fetch is for a AS REQ */
 #define SDB_F_FOR_TGS_REQ 8192 /* fetch is for a TGS REQ */
+#define SDB_F_FORCE_CANON 16384 /* force canonicalition */
 void sdb_free_entry(struct sdb_entry_ex *e);
 void free_sdb_entry(struct sdb_entry *s);
-- Samba Shared Repository