The branch, master has been updated
       via  90febd2a33b s4:mit-kdb: Force canonicalization for looking up 
principals
       via  8b83758b7c5 s4:kdc: Remove trailing spaces in db-glue.c
       via  d128a85f999 s4:mit-kdb: Reduce includes to only what's needed
       via  28be1acd8eb mit-kdc: Use more strict KDC default settings
      from  3507e96b3dc CVE-2021-3670 ldap_server: Clearly log LDAP queries and 
timeouts

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 90febd2a33b88af49af595fe0e995d6ba0f33a1b
Author: Isaac Boukris <ibouk...@gmail.com>
Date:   Sat Sep 19 14:16:20 2020 +0200

    s4:mit-kdb: Force canonicalization for looking up principals
    
    See also
    https://github.com/krb5/krb5/commit/ac8865a22138ab0c657208c41be8fd6bc7968148
    
    Pair-Programmed-With: Andreas Schneider <a...@samba.org>
    Signed-off-by: Isaac Boukris <ibouk...@gmail.com>
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Alexander Bokovoy <a...@samba.org>
    
    Autobuild-User(master): Andreas Schneider <a...@cryptomilk.org>
    Autobuild-Date(master): Mon Nov 29 09:32:26 UTC 2021 on sn-devel-184

commit 8b83758b7c51e4effc57c6130abb38bd53d74bb9
Author: Andreas Schneider <a...@cryptomilk.org>
Date:   Tue Oct 19 09:59:54 2021 +0200

    s4:kdc: Remove trailing spaces in db-glue.c
    
    Signed-off-by: Andreas Schneider <a...@cryptomilk.org>
    Reviewed-by: Alexander Bokovoy <a...@samba.org>

commit d128a85f999afb002b510ad6ec8c94f7df006195
Author: Andreas Schneider <a...@samba.org>
Date:   Tue Nov 23 07:43:05 2021 +0100

    s4:mit-kdb: Reduce includes to only what's needed
    
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Alexander Bokovoy <a...@samba.org>

commit 28be1acd8eb921c15cbd1260711cbbdd48595e6c
Author: Andreas Schneider <a...@samba.org>
Date:   Mon Oct 11 10:55:52 2021 +0200

    mit-kdc: Use more strict KDC default settings
    
    As we require MIT KRB5 >= 1.19 for the KDC, use more secure defaults.
    
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Alexander Bokovoy <a...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 python/samba/provision/kerberos.py       |  7 +++++++
 selftest/knownfail_mit_kdc               | 14 --------------
 selftest/target/Samba.pm                 |  7 +++++++
 source4/heimdal/lib/hdb/hdb.h            |  1 +
 source4/kdc/db-glue.c                    | 15 ++++++++++-----
 source4/kdc/mit-kdb/kdb_samba_policies.c |  9 ++++++---
 source4/kdc/mit_samba.c                  |  8 ++++++++
 source4/kdc/sdb.h                        |  1 +
 8 files changed, 40 insertions(+), 22 deletions(-)


Changeset truncated at 500 lines:

diff --git a/python/samba/provision/kerberos.py 
b/python/samba/provision/kerberos.py
index 6b8ceb28733..665c031ffa5 100644
--- a/python/samba/provision/kerberos.py
+++ b/python/samba/provision/kerberos.py
@@ -52,19 +52,26 @@ def create_kdc_conf(kdcconf, realm, domain, logdir):
         f.write("\tkdc_ports = 88\n")
         f.write("\tkdc_tcp_ports = 88\n")
         f.write("\tkadmind_port = 464\n")
+        f.write("\trestrict_anonymous_to_tgt = true\n")
         f.write("\n")
 
         f.write("[realms]\n")
 
         f.write("\t%s = {\n" % realm)
+        f.write("\t\tmaster_key_type = aes256-cts\n")
+        f.write("\t\tdefault_principal_flags = +preauth\n")
         f.write("\t}\n")
         f.write("\n")
 
         f.write("\t%s = {\n" % realm.lower())
+        f.write("\t\tmaster_key_type = aes256-cts\n")
+        f.write("\t\tdefault_principal_flags = +preauth\n")
         f.write("\t}\n")
         f.write("\n")
 
         f.write("\t%s = {\n" % domain)
+        f.write("\t\tmaster_key_type = aes256-cts\n")
+        f.write("\t\tdefault_principal_flags = +preauth\n")
         f.write("\t}\n")
         f.write("\n")
 
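Review bot: The two new realm settings are written out three times, once per stanza (`realm`, `realm.lower()`, `domain`), so a later hardening option can be added to one stanza and missed in another. A single loop such as `for name in (realm, realm.lower(), domain):` that writes the stanza body once would keep them identical. The selftest template in selftest/target/Samba.pm carries the same lines and has to be kept in step by hand. MIT documents `default_principal_flags` as the defaults for principals created in the realm, and the principals here are presumably served from the directory through the Samba KDB module. A comment should therefore say whether `+preauth` is expected to take effect or is only a defence-in-depth default. create_kdc_conf begins above this hunk.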
diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc
index cc7b501c6bf..c046a46a4f3 100644
--- a/selftest/knownfail_mit_kdc
+++ b/selftest/knownfail_mit_kdc
@@ -379,8 +379,6 @@ 
samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
 
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_revealed
 
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_sid_mismatch_existing
 
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_sid_mismatch_nonexisting
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_authdata_no_pac
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_no_pac
 
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_req
 
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_rodc_allowed_denied
 
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_rodc_denied
@@ -408,8 +406,6 @@ 
samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
 
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_authdata_no_pac
 
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_no_pac
 
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_no_sname
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_other_sname
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_req
 
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_rodc_allowed_denied
 
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_rodc_denied
 
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_rodc_no_krbtgt_link
@@ -422,10 +418,6 @@ 
samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
 
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_sid_mismatch_existing
 
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_sid_mismatch_nonexisting
 
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_tgt_cname_host
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_tgt_correct_cname
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_tgt_correct_realm
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_tgt_other_cname
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_tgt_wrong_realm
 
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_wrong_sname
 
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_wrong_sname_krbtgt
 
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_wrong_srealm
@@ -471,12 +463,6 @@ 
samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
 
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_pac_request_false
 
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_pac_request_none
 
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_pac_request_true
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_pac_request_false
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_pac_request_none
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_pac_request_true
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_user_pac_request_false
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_user_pac_request_none
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_user_pac_request_true
 #
 # PAC requester SID tests
 #
diff --git a/selftest/target/Samba.pm b/selftest/target/Samba.pm
index c4f8eb5d4f9..ab6d8edc2cc 100644
--- a/selftest/target/Samba.pm
+++ b/selftest/target/Samba.pm
@@ -457,15 +457,22 @@ sub mk_mitkdc_conf($$)
 [kdcdefaults]
        kdc_ports = 88
        kdc_tcp_ports = 88
+       restrict_anonymous_to_tgt = true
 
 [realms]
        $ctx->{realm} = {
+               master_key_type = aes256-cts
+               default_principal_flags = +preauth
        }
 
        $ctx->{dnsname} = {
+               master_key_type = aes256-cts
+               default_principal_flags = +preauth
        }
 
        $ctx->{domain} = {
+               master_key_type = aes256-cts
+               default_principal_flags = +preauth
        }
 
 [dbmodules]
diff --git a/source4/heimdal/lib/hdb/hdb.h b/source4/heimdal/lib/hdb/hdb.h
index 5ef9d9565f3..dafaffc6c2d 100644
--- a/source4/heimdal/lib/hdb/hdb.h
+++ b/source4/heimdal/lib/hdb/hdb.h
@@ -63,6 +63,7 @@ enum hdb_lockop{ HDB_RLOCK, HDB_WLOCK };
 #define HDB_F_ALL_KVNOS                2048    /* we want all the keys, live 
or not */
 #define HDB_F_FOR_AS_REQ       4096    /* fetch is for a AS REQ */
 #define HDB_F_FOR_TGS_REQ      8192    /* fetch is for a TGS REQ */
+#define HDB_F_FORCE_CANON      16384   /* force canonicalition */
 
 /* hdb_capability_flags */
 #define HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL 1
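Review bot: `HDB_F_FORCE_CANON` takes bit 16384 in a header imported from Heimdal, yet nothing visible in this changeset sets or tests the HDB_ name; db-glue.c and mit_samba.c use only `SDB_F_FORCE_CANON`. If the define exists only to keep the HDB_F_* and SDB_F_* values aligned, the comment should say so, for example `/* force canonicalization; Samba addition, mirrors SDB_F_FORCE_CANON */`. That way a later Heimdal import cannot hand the bit to an unrelated flag unnoticed. The comment also misspells canonicalization, here and on the matching line in source4/kdc/sdb.h.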
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index aff74f2ee71..bfde2baf0b5 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -870,13 +870,13 @@ static krb5_error_code 
samba_kdc_message2entry(krb5_context context,
                userAccountControl |= msDS_User_Account_Control_Computed;
        }
 
-       /* 
+       /*
         * If we are set to canonicalize, we get back the fixed UPPER
         * case realm, and the real username (ie matching LDAP
-        * samAccountName) 
+        * samAccountName)
         *
         * Otherwise, if we are set to enterprise, we
-        * get back the whole principal as-sent 
+        * get back the whole principal as-sent
         *
         * Finally, if we are not set to canonicalize, we get back the
         * fixed UPPER case realm, but the as-sent username
@@ -922,11 +922,16 @@ static krb5_error_code 
samba_kdc_message2entry(krb5_context context,
                        krb5_clear_error_message(context);
                        goto out;
                }
-       } else if ((flags & SDB_F_CANON) && (flags & SDB_F_FOR_AS_REQ)) {
+       } else if ((flags & SDB_F_FORCE_CANON) ||
+                  ((flags & SDB_F_CANON) && (flags & SDB_F_FOR_AS_REQ))) {
                /*
                 * SDB_F_CANON maps from the canonicalize flag in the
                 * packet, and has a different meaning between AS-REQ
                 * and TGS-REQ.  We only change the principal in the AS-REQ case
+                *
+                * The SDB_F_FORCE_CANON if for new MIT KDC code that wants
+                * the canonical name in all lookups, and takes care to
+                * canonicalize only when appropriate.
                 */
                ret = smb_krb5_make_principal(context, 
&entry_ex->entry.principal, lpcfg_realm(lp_ctx), samAccountName, NULL);
                if (ret) {
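Review bot: With `SDB_F_FORCE_CANON` set, this branch rebuilds the entry principal from `lpcfg_realm(lp_ctx)` and `samAccountName` whenever it is reached, TGS-REQ lookups included. The AS-REQ-only restriction described in the comment just above then rests entirely on the caller. The new comment paragraph should name that contract, e.g. `set only by mit_samba_get_principal() when KRB5_KDB_API_VERSION >= 10; the KDC decides whether the canonical name reaches the reply`, and `if for` should read `is for`. samba_kdc_message2entry begins and ends outside the hunk, so it cannot be checked from here whether earlier branches of this if/else chain already settle the principal for enterprise or krbtgt lookups.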
@@ -946,7 +951,7 @@ static krb5_error_code samba_kdc_message2entry(krb5_context 
context,
                         * the client-specified realm.  This code attempts to
                         * replace the client principal's realm with the one
                         * we determine from our records */
-                       
+
                        /* this has to be with malloc() */
                        ret = smb_krb5_principal_set_realm(context, 
entry_ex->entry.principal, lpcfg_realm(lp_ctx));
                        if (ret) {
diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c 
b/source4/kdc/mit-kdb/kdb_samba_policies.c
index f35210669c2..336aa3f711a 100644
--- a/source4/kdc/mit-kdb/kdb_samba_policies.c
+++ b/source4/kdc/mit-kdb/kdb_samba_policies.c
@@ -20,9 +20,12 @@
    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 
-#include "includes.h"
-
-#include "system/kerberos.h"
+#include "lib/replace/replace.h"
+#include "lib/replace/system/kerberos.h"
+#include "lib/util/data_blob.h"
+#include "lib/util/debug.h"
+#include "lib/util/fault.h"
+#include "lib/util/memory.h"
 
 #include <profile.h>
 #include <kdb.h>
diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c
index 4239332f0d9..53c137de2fd 100644
--- a/source4/kdc/mit_samba.c
+++ b/source4/kdc/mit_samba.c
@@ -221,6 +221,14 @@ int mit_samba_get_principal(struct mit_samba_context *ctx,
                return ENOMEM;
        }
 
+#if KRB5_KDB_API_VERSION >= 10
+       /*
+        * The MIT KDC code that wants the canonical name in all lookups, and
+        * takes care to canonicalize only when appropriate.
+        */
+       sflags |= SDB_F_FORCE_CANON;
+#endif
+
        if (kflags & KRB5_KDB_FLAG_CANONICALIZE) {
                sflags |= SDB_F_CANON;
        }
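Review bot: `SDB_F_FORCE_CANON` is OR-ed into `sflags` for every lookup whenever the build sees `KRB5_KDB_API_VERSION >= 10`, independent of `kflags`. The comment does not say why version 10 is the cut-off or what behaviour older builds keep. The comment is also a sentence fragment; something like `/* KDB API >= 10: the KDC wants the canonical name from every lookup and canonicalizes the reply itself only when appropriate (see krb5 commit ac8865a22138). */` would carry the reason. mit_samba_get_principal starts above the hunk and continues below it.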
diff --git a/source4/kdc/sdb.h b/source4/kdc/sdb.h
index c929acccce6..a9115ec23d7 100644
--- a/source4/kdc/sdb.h
+++ b/source4/kdc/sdb.h
@@ -116,6 +116,7 @@ struct sdb_entry_ex {
 #define SDB_F_KVNO_SPECIFIED   128     /* we want a particular KVNO */
 #define SDB_F_FOR_AS_REQ       4096    /* fetch is for a AS REQ */
 #define SDB_F_FOR_TGS_REQ      8192    /* fetch is for a TGS REQ */
+#define SDB_F_FORCE_CANON      16384   /* force canonicalition */
 
 void sdb_free_entry(struct sdb_entry_ex *e);
 void free_sdb_entry(struct sdb_entry *s);


-- 
Samba Shared Repository
