The branch, master has been updated
       via  dbba6c22a41 auth/credentials: Read managed_password.passwords.query_interval only after parsing
       via  811c184bbb3 smbd: Simplify an if-condition
       via  51c950c1629 smbd: Save 3 lines
       via  f573a513415 smbd: Remove an obsolete comment
       via  798826d4f1a smbXsrv_session: Remove a "can't happen" NULL check
       via  89981987379 smbXsrv_session: Use talloc_tos() for pushing smbXsrv_session_globalB
       via  292c2645468 smbXsrv_session: Remove two implicit NULL initializations
       via  c5f98c0d95c smbXsrv_session: Use struct initialization
       via  005ce15aab3 python/samba/tests: Fix gMSA blackbox test to expect failure to get password after membership change
       via  50f424e8d35 s3:rpc_server: Implement _lsa_CreateTrustedDomainEx3()
       via  8df1728e124 s3:rpc_server: Implement lsa_CreateTrustedDomain_common()
       via  3385c2fe44a s3:rpc_server: Implement and use lsa_CreateTrustedDomain_precheck()
       via  8f52b649799 s3:rpc_server: Log error in _lsa_CreateTrustedDomainEx2()
       via  56e1051ad7e s3:rpc_client: Implement createtrustdomex3 command
       via  bb4d8de9a80 s3:rpc_client: Implement createtrustdomex2 command
       via  d078ee6af61 s3:rpc_client: Implement rpc_lsa_encrypt_trustdom_info_aes()
       via  97499a47550 s4:torture: Add test for lsa_CreateTrustedDomainEx3
       via  f390981c1a7 s4:rpc_server: Enable AES in dcesrv_lsa_OpenPolicy3()
       via  933ba496073 s4:rpc_server: Implement dcesrv_lsa_CreateTrustedDomainEx3()
       via  87595140c34 s4:rpc_server: Implement get_trustdom_auth_blob_aes() for LSA
       via  0177cd898ef s4:rpc_server: Use dcesrv_lsa_CreateTrustedDomain_common() in lsa_CreateTrustedDomain
       via  b957cb34d44 s4:rpc_server: Use dcesrv_lsa_CreateTrustedDomain_common() for lsa_CreateTrustedDomainEx
       via  1790828bc5f s4:rpc_server: Use dcesrv_lsa_CreateTrustedDomain_common() for lsa_CreateTrustedDomainEx2
       via  6d90397ff28 s4:rpc_server: Implement dcesrv_lsa_CreateTrustedDomain_common()
       via  dad8c78edc7 s4:rpc_server: Implement dcesrv_lsa_CreateTrustedDomain_precheck()
       via  18af510bd50 s4:rpc_server: Use talloc_zero in dcesrv_lsa_CreateTrustedDomain()
       via  8b1c0bd718b s4:rpc_server: Fix trailing white spaces in dcesrv_lsa.c
       via  354f61d868d s4:torture: Use dcerpc_lsa_OpenPolicy3_r()
       via  8e35e5f5675 s4:torture: Use rpc_lsa_encrypt_trustdom_info()
       via  05e9cb36b77 s3:rpc_client: Implement rpc_lsa_encrypt_trustdom_info()
       via  dbe9e9a8393 s4:torture: Use init_lsa_String() from init_lsa.h
       via  84d51503630 librpc:rpc: Add dcerpc_lsa.h
       via  2d60d1b96aa python: Use OpenPolicyFallback() in trust.py
       via  859e7f8c5f1 python: Implement CreateTrustedDomainFallback()
       via  812d4e0d6cc python: Add aead_aes_256_cbc_hmac_sha512()
       via  23e61d2cebc python: Use secrets.token_bytes instead of random
       via  decacb0e7e1 python: Set parameter types for CreateTrustedDomainRelax()
       via  9e5fc815644 python:tests: Clean lsa_utils.py code according to Python standards
       via  e32be2ade4f python:tests: Rename createtrustrelax.py to lsa_utils.py
       via  00ed209e483 python: Implement OpenPolicyFallback()
       via  85d0ab38f7c python:samba: Rename trust_utils.py to lsa_utils.py
       via  01940ae7afa buildtools: Fix PYTHONPATH and print it
      from  be2ade2d88b netcmd: fix broken shell command missing Model
https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -----------------------------------------------------------------
commit dbba6c22a41ab12bd9804f10a878c965100ac7c0
Author: Andrew Bartlett <abart...@samba.org>
Date:   Tue Apr 9 16:11:16 2024 +1200

    auth/credentials: Read managed_password.passwords.query_interval only after parsing

    The code previously read the uninitialised stack not the parsed
    structure, and so could segfault if the stack was not zero.

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Jo Sutton <josut...@catalyst.net.nz>

    Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
    Autobuild-Date(master): Tue Apr 9 23:59:54 UTC 2024 on atb-devel-224

commit 811c184bbb30f8364a6c2f1835732d0c25e1b9c7
Author: Volker Lendecke <v...@samba.org>
Date:   Fri Feb 9 12:37:53 2024 +0100

    smbd: Simplify an if-condition

    current_sid == NULL is true if and only if we could not assign
    current_sid because num_sids was too small. Make that more explicit.

    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 51c950c16297ce45aeec85dff53af04f7f3b620f
Author: Volker Lendecke <v...@samba.org>
Date:   Fri Feb 9 12:47:48 2024 +0100

    smbd: Save 3 lines

    Just cosmetic

    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit f573a5134151e029329f19f292e6d6a324e291b8
Author: Volker Lendecke <v...@samba.org>
Date:   Thu Feb 8 18:16:39 2024 +0100

    smbd: Remove an obsolete comment

    This looks like a cut&paste from other smbXsrv files.

    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 798826d4f1a826086b8bac6568672ad11ceeed9d
Author: Volker Lendecke <v...@samba.org>
Date:   Thu Feb 8 12:51:32 2024 +0100

    smbXsrv_session: Remove a "can't happen" NULL check

    This should really not happen, crashing would be the right response.
    Align with fdca0558efa.

    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 8998198737973252518a4db47c72d5488b81f713
Author: Volker Lendecke <v...@samba.org>
Date:   Thu Feb 8 12:47:07 2024 +0100

    smbXsrv_session: Use talloc_tos() for pushing smbXsrv_session_globalB

    Use the toplevel talloc pool, align with 0c709cb6b70.

    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 292c2645468b131365414f2ff2bc6daa820d0533
Author: Volker Lendecke <v...@samba.org>
Date:   Thu Feb 8 12:23:21 2024 +0100

    smbXsrv_session: Remove two implicit NULL initializations

    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit c5f98c0d95ca750bf2df879ccc6caea793cd9ade
Author: Volker Lendecke <v...@samba.org>
Date:   Thu Feb 8 11:50:42 2024 +0100

    smbXsrv_session: Use struct initialization

    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 005ce15aab35bb0981e694cc12580cf31b135b0a
Author: Andrew Bartlett <abart...@samba.org>
Date:   Wed Apr 10 09:53:00 2024 +1200

    python/samba/tests: Fix gMSA blackbox test to expect failure to get password after membership change

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

commit 50f424e8d3592f22fd6ab28c63f65f874edde212
Author: Andreas Schneider <a...@samba.org>
Date:   Mon Mar 4 16:08:46 2024 +0100

    s3:rpc_server: Implement _lsa_CreateTrustedDomainEx3()

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 8df1728e124f0fa0e7d2891f5373d806226a21f3
Author: Andreas Schneider <a...@samba.org>
Date:   Thu Feb 29 10:02:16 2024 +0100

    s3:rpc_server: Implement lsa_CreateTrustedDomain_common()

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 3385c2fe44a19c621527127722454245ccfe82ca
Author: Andreas Schneider <a...@samba.org>
Date:   Fri Jan 5 11:16:58 2024 +0100

    s3:rpc_server: Implement and use lsa_CreateTrustedDomain_precheck()

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 8f52b649799196709ee17928ccd4f772c72717f7
Author: Andreas Schneider <a...@samba.org>
Date:   Wed Feb 28 14:50:19 2024 +0100

    s3:rpc_server: Log error in _lsa_CreateTrustedDomainEx2()

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 56e1051ad7e3be2273ca3e5af5a8ca7836511e26
Author: Andreas Schneider <a...@samba.org>
Date:   Thu Feb 29 09:34:10 2024 +0100

    s3:rpc_client: Implement createtrustdomex3 command

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit bb4d8de9a800ea76900bbd685a0105f59e872b84
Author: Andreas Schneider <a...@samba.org>
Date:   Tue Feb 27 09:08:28 2024 +0100

    s3:rpc_client: Implement createtrustdomex2 command

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit d078ee6af61528f509c4242c19b64591fe897549
Author: Andreas Schneider <a...@samba.org>
Date:   Tue Feb 27 09:24:52 2024 +0100

    s3:rpc_client: Implement rpc_lsa_encrypt_trustdom_info_aes()

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 97499a475501f6bdb78d1c4105cc85fe3c45a1d8
Author: Andreas Schneider <a...@samba.org>
Date:   Tue Nov 28 15:46:54 2023 +0100

    s4:torture: Add test for lsa_CreateTrustedDomainEx3

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit f390981c1a7c0e6edf74c414209e6b55f810af50
Author: Andreas Schneider <a...@samba.org>
Date:   Thu Dec 21 11:51:02 2023 +0100

    s4:rpc_server: Enable AES in dcesrv_lsa_OpenPolicy3()

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 933ba496073064e0518a58463d1b3a1d949b7a6b
Author: Andreas Schneider <a...@samba.org>
Date:   Thu Dec 21 10:32:45 2023 +0100

    s4:rpc_server: Implement dcesrv_lsa_CreateTrustedDomainEx3()

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 87595140c34cc186c930a29ffa4850f688e15a79
Author: Andreas Schneider <a...@samba.org>
Date:   Thu Dec 21 10:32:25 2023 +0100

    s4:rpc_server: Implement get_trustdom_auth_blob_aes() for LSA

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 0177cd898ef4d30f3accde1516a3a3fac8f21d90
Author: Andreas Schneider <a...@samba.org>
Date:   Fri Dec 22 15:07:54 2023 +0100

    s4:rpc_server: Use dcesrv_lsa_CreateTrustedDomain_common() in lsa_CreateTrustedDomain

    This also removes dcesrv_lsa_CreateTrustedDomain_base() as it is unused
    with this commit. We need to do it here or the compiler will complain
    about an unused function.

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit b957cb34d4402abe79ed8bb24d82f90151be4317
Author: Andreas Schneider <a...@samba.org>
Date:   Fri Dec 22 15:00:20 2023 +0100

    s4:rpc_server: Use dcesrv_lsa_CreateTrustedDomain_common() for lsa_CreateTrustedDomainEx

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 1790828bc5fc33ba975b78f5f269c309aa505a2a
Author: Andreas Schneider <a...@samba.org>
Date:   Fri Dec 22 14:58:26 2023 +0100

    s4:rpc_server: Use dcesrv_lsa_CreateTrustedDomain_common() for lsa_CreateTrustedDomainEx2

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 6d90397ff28a8dc924292f3593d970e7bf5e57ab
Author: Andreas Schneider <a...@samba.org>
Date:   Wed Dec 20 18:56:14 2023 +0100

    s4:rpc_server: Implement dcesrv_lsa_CreateTrustedDomain_common()

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit dad8c78edc7fa72d379ff640659f35ccc2689614
Author: Andreas Schneider <a...@samba.org>
Date:   Fri Dec 15 16:21:32 2023 +0100

    s4:rpc_server: Implement dcesrv_lsa_CreateTrustedDomain_precheck()

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 18af510bd50ec2c5c6b47c8ca8b9b9cfde315d63
Author: Andreas Schneider <a...@samba.org>
Date:   Thu Dec 21 08:12:22 2023 +0100

    s4:rpc_server: Use talloc_zero in dcesrv_lsa_CreateTrustedDomain()

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 8b1c0bd718b511c985e3b31dc5871befa6ad2c05
Author: Andreas Schneider <a...@samba.org>
Date:   Fri Dec 15 16:21:15 2023 +0100

    s4:rpc_server: Fix trailing white spaces in dcesrv_lsa.c

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 354f61d868db1193fce0516adeaed23dbc49206e
Author: Andreas Schneider <a...@samba.org>
Date:   Mon Mar 18 18:45:19 2024 +0100

    s4:torture: Use dcerpc_lsa_OpenPolicy3_r()

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 8e35e5f56757f2ece5f5415fad0be56c5bceb941
Author: Andreas Schneider <a...@samba.org>
Date:   Tue Feb 27 09:15:01 2024 +0100

    s4:torture: Use rpc_lsa_encrypt_trustdom_info()

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 05e9cb36b779bb70a0dbee2a66dfeac9d53f3c6d
Author: Andreas Schneider <a...@samba.org>
Date:   Tue Feb 27 09:07:57 2024 +0100

    s3:rpc_client: Implement rpc_lsa_encrypt_trustdom_info()

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit dbe9e9a839307c7fd9a270355ab40ca50d615def
Author: Andreas Schneider <a...@samba.org>
Date:   Tue Feb 27 09:14:24 2024 +0100

    s4:torture: Use init_lsa_String() from init_lsa.h

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 84d5150363014a2f81a5dbc725bccd9107a25bb9
Author: Andreas Schneider <a...@samba.org>
Date:   Tue Nov 28 15:30:38 2023 +0100

    librpc:rpc: Add dcerpc_lsa.h

    This adds AES constants by MS.

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 2d60d1b96aa249c83a0a1169ebc51c91d8520d43
Author: Andreas Schneider <a...@samba.org>
Date:   Wed Apr 3 11:26:50 2024 +0200

    python: Use OpenPolicyFallback() in trust.py

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 859e7f8c5f1bc65361e3da9dee38db5307a4438f
Author: Andreas Schneider <a...@samba.org>
Date:   Wed Apr 3 11:16:19 2024 +0200

    python: Implement CreateTrustedDomainFallback()

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 812d4e0d6cc0ce37a423a22483ba963e2540ca4b
Author: Andreas Schneider <a...@samba.org>
Date:   Wed Apr 3 11:15:14 2024 +0200

    python: Add aead_aes_256_cbc_hmac_sha512()

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 23e61d2cebc999bfdd68628f2140bc81b6633132
Author: Andreas Schneider <a...@samba.org>
Date:   Wed Apr 3 10:54:41 2024 +0200

    python: Use secrets.token_bytes instead of random

    random should not be used to create secure random numbers for tokens.
    The secrets module is exactly for this.

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit decacb0e7e11b347b1a3a8172250a51258295b7f
Author: Andreas Schneider <a...@samba.org>
Date:   Thu Mar 21 14:45:41 2024 +0100

    python: Set parameter types for CreateTrustedDomainRelax()

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 9e5fc815644deec3fa3a8f3653bd0e7632548da2
Author: Andreas Schneider <a...@samba.org>
Date:   Thu Mar 21 14:44:21 2024 +0100

    python:tests: Clean lsa_utils.py code according to Python standards

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit e32be2ade4f2a6df736571efe555f74a4a6d4d9f
Author: Andreas Schneider <a...@samba.org>
Date:   Thu Mar 21 14:06:46 2024 +0100

    python:tests: Rename createtrustrelax.py to lsa_utils.py

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 00ed209e483bae38c31d94033826f03d6d87e69d
Author: Andreas Schneider <a...@samba.org>
Date:   Thu Mar 21 11:24:10 2024 +0100

    python: Implement OpenPolicyFallback()

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 85d0ab38f7ce4e74854e1f4960de33901bd8904a
Author: Andreas Schneider <a...@samba.org>
Date:   Thu Mar 21 10:08:33 2024 +0100

    python:samba: Rename trust_utils.py to lsa_utils.py

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 01940ae7afa21a6b70da5bdd5c4b8c3352c30c06
Author: Andreas Schneider <a...@samba.org>
Date:   Thu Mar 21 10:31:36 2024 +0100

    buildtools: Fix PYTHONPATH and print it
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 auth/credentials/credentials_gmsa.c           |  21 +-
 buildtools/devel_env.sh                       |   4 +-
 librpc/rpc/dcerpc_lsa.h                       |  44 +++
 python/samba/__init__.py                      |  11 +
 python/samba/lsa_utils.py                     | 193 ++++++++++
 python/samba/netcmd/domain/trust.py           | 112 ++++--
 python/samba/tests/blackbox/gmsa.py           |  12 +-
 python/samba/tests/dcerpc/createtrustrelax.py | 129 -------
 python/samba/tests/dcerpc/lsa_utils.py        | 247 +++++++++++++
 python/samba/trust_utils.py                   |  62 ----
 source3/rpc_client/init_lsa.c                 | 338 ++++++++++++++++-
 source3/rpc_client/init_lsa.h                 |  18 +
 source3/rpc_server/lsa/srv_lsa_nt.c           | 355 ++++++++++++++----
 source3/rpcclient/cmd_lsarpc.c                | 248 +++++++++++++
 source3/smbd/smbXsrv_client.c                 |   9 -
 source3/smbd/smbXsrv_open.c                   |  17 +-
 source3/smbd/smbXsrv_session.c                |  81 ++--
 source3/wscript_build                         |   2 +-
 source4/rpc_server/lsa/dcesrv_lsa.c           | 508 +++++++++++++++++---------
 source4/rpc_server/lsa/lsa_init.c             |   3 -
 source4/selftest/tests.py                     |   4 +-
 source4/torture/rpc/forest_trust.c            |  70 ++--
 source4/torture/rpc/lsa.c                     | 316 ++++++++--------
 source4/torture/wscript_build                 |   1 +
 24 files changed, 2090 insertions(+), 715 deletions(-)
 create mode 100644 librpc/rpc/dcerpc_lsa.h
 create mode 100644 python/samba/lsa_utils.py
 delete mode 100644 python/samba/tests/dcerpc/createtrustrelax.py
 create mode 100644 python/samba/tests/dcerpc/lsa_utils.py
 delete mode 100644 python/samba/trust_utils.py

Changeset truncated at 500 lines:

diff --git a/auth/credentials/credentials_gmsa.c b/auth/credentials/credentials_gmsa.c
index 86422624f1e..f85f9c65d70 100644
--- a/auth/credentials/credentials_gmsa.c
+++ b/auth/credentials/credentials_gmsa.c
@@ -40,16 +40,7 @@ NTSTATUS cli_credentials_set_gmsa_passwords(struct cli_credentials *creds, DATA_BLOB previous_managed_pw_utf16; enum ndr_err_code ndr_err; TALLOC_CTX *frame = talloc_stackframe(); - - /* - * We check if this is 'for keytab' as a keytab wants to know - * about a near-future password as it will be on disk for some - * time - */ - bool only_use_previous_pw = - managed_password.passwords.query_interval != NULL - && *managed_password.passwords.query_interval <= gkdi_max_clock_skew - && for_keytab == false; + bool only_use_previous_pw; /* * Group Managed Service Accounts are type @@ -70,6 +61,16 @@ NTSTATUS cli_credentials_set_gmsa_passwords(struct cli_credentials *creds, return NT_STATUS_ILL_FORMED_PASSWORD; } + /* + * We check if this is 'for keytab' as a keytab wants to know + * about a near-future password as it will be on disk for some + * time + */ + only_use_previous_pw = + managed_password.passwords.query_interval != NULL + && *managed_password.passwords.query_interval <= gkdi_max_clock_skew + && for_keytab == false; + /* * We look at the old password first as we might bail out * early if the new password is "too fresh" diff --git a/buildtools/devel_env.sh b/buildtools/devel_env.sh index 9f87a4a1b36..430485ab868 100644 --- a/buildtools/devel_env.sh +++ b/buildtools/devel_env.sh @@ -3,5 +3,7 @@ # source buildtools/devel_env.sh # Setup python path for lsp server -PYTHONPATH="$(pwd)/third_party/waf:$(pwd)/python:$(pwd)/bin/python:$(pwd)/selftest:${PYTHONPATH}" +echo "Old PYTHONPATH: ${PYTHONPATH}" +PYTHONPATH="$(pwd)/third_party/waf:$(pwd)/bin/python:$(pwd)/python:$(pwd)/selftest:${PYTHONPATH}" export PYTHONPATH +echo "New PYTHONPATH: ${PYTHONPATH}" diff --git a/librpc/rpc/dcerpc_lsa.h b/librpc/rpc/dcerpc_lsa.h new file mode 100644 index 00000000000..7049e80ff1e --- /dev/null +++ b/librpc/rpc/dcerpc_lsa.h 
@@ -0,0 +1,44 @@ +/* + * Copyright (c) 2023 Andreas Schneider <a...@samba.org> + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + */ + +#ifndef _DCERPC_LSA_H +#define _DCERPC_LSA_H + +#include <util/discard.h> +#include "lib/util/data_blob.h" + +#define LSA_AES256_ENC_KEY_STRING \ + "Microsoft LSAD encryption key AEAD-AES-256-CBC-HMAC-SHA512 16" +/* Including terminating null byte */ +#define LSA_AES256_ENC_KEY_STRING_LEN sizeof(LSA_AES256_ENC_KEY_STRING) + +#define LSA_AES256_MAC_KEY_STRING \ + "Microsoft LSAD MAC key AEAD-AES-256-CBC-HMAC-SHA512 16" +/* Including terminating null byte */ +#define LSA_AES256_MAC_KEY_STRING_LEN sizeof(LSA_AES256_MAC_KEY_STRING) + +static const DATA_BLOB lsa_aes256_enc_key_salt = { + .data = discard_const_p(uint8_t, LSA_AES256_ENC_KEY_STRING), + .length = LSA_AES256_ENC_KEY_STRING_LEN, +}; + +static const DATA_BLOB lsa_aes256_mac_key_salt = { + .data = discard_const_p(uint8_t, LSA_AES256_MAC_KEY_STRING), + .length = LSA_AES256_MAC_KEY_STRING_LEN, +}; + +#endif /* _DCERPC_LSA_H */ diff --git a/python/samba/__init__.py b/python/samba/__init__.py index 6d311d2121e..5b1a3f91ba8 100644 --- a/python/samba/__init__.py +++ b/python/samba/__init__.py 
@@ -357,6 +357,17 @@ def arcfour_encrypt(key, data): return arcfour_crypt_blob(data, key) +def aead_aes_256_cbc_hmac_sha512(plaintext, cek, key_salt, mac_salt, iv): + from samba.crypto import aead_aes_256_cbc_hmac_sha512_blob + return aead_aes_256_cbc_hmac_sha512_blob( + plaintext, + cek, + key_salt, + mac_salt, + iv + ) + + GUID_RE = re.compile( "[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}") diff --git a/python/samba/lsa_utils.py b/python/samba/lsa_utils.py new file mode 100644 index 00000000000..a56675d6b63 --- /dev/null +++ b/python/samba/lsa_utils.py 
@@ -0,0 +1,193 @@ +# trust utils +# +# Copyright Isaac Boukris 2020 +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + + +from samba.dcerpc import lsa, drsblobs, misc +from samba.ndr import ndr_pack +from samba import ( + NTSTATUSError, + aead_aes_256_cbc_hmac_sha512, + arcfour_encrypt, + string_to_byte_array +) +from samba.ntstatus import ( + NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE +) +from samba import crypto +from secrets import token_bytes + + +def OpenPolicyFallback( + conn: lsa.lsarpc, + system_name: str, + in_version: int, + in_revision_info: lsa.revision_info1, + sec_qos: bool = False, + access_mask: int = 0, +): + attr = lsa.ObjectAttribute() + if sec_qos: + qos = lsa.QosInfo() + qos.len = 0xc + qos.impersonation_level = 2 + qos.context_mode = 1 + qos.effective_only = 0 + + attr.sec_qos = qos + + try: + out_version, out_rev_info, policy = conn.OpenPolicy3( + system_name, + attr, + access_mask, + in_version, + in_revision_info + ) + except NTSTATUSError as e: + if e.args[0] == NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE: + out_version = 1 + out_rev_info = lsa.revision_info1() + out_rev_info.revision = 1 + out_rev_info.supported_features = 0 + + policy = conn.OpenPolicy2(system_name, attr, access_mask) + else: + raise + + return out_version, out_rev_info, policy + + +def CreateTrustedDomainRelax( + lsaconn: lsa.lsarpc, + policy: misc.policy_handle, + trust_info: 
lsa.TrustDomainInfoInfoEx, + mask: int, + in_blob: drsblobs.trustAuthInOutBlob, + out_blob: drsblobs.trustAuthInOutBlob +): + + def generate_AuthInfoInternal(session_key, incoming=None, outgoing=None): + confounder = string_to_byte_array(token_bytes(512)) + + trustpass = drsblobs.trustDomainPasswords() + + trustpass.confounder = confounder + trustpass.outgoing = outgoing + trustpass.incoming = incoming + + trustpass_blob = ndr_pack(trustpass) + + encrypted_trustpass = arcfour_encrypt(session_key, trustpass_blob) + + auth_blob = lsa.DATA_BUF2() + auth_blob.size = len(encrypted_trustpass) + auth_blob.data = string_to_byte_array(encrypted_trustpass) + + auth_info = lsa.TrustDomainInfoAuthInfoInternal() + auth_info.auth_blob = auth_blob + + return auth_info + + session_key = lsaconn.session_key + + try: + if lsaconn.transport_encrypted(): + crypto.set_relax_mode() + auth_info = generate_AuthInfoInternal(session_key, + incoming=in_blob, + outgoing=out_blob) + finally: + crypto.set_strict_mode() + + return lsaconn.CreateTrustedDomainEx2(policy, trust_info, auth_info, mask) + + +def CreateTrustedDomainFallback( + conn: lsa.lsarpc, + policy_handle: misc.policy_handle, + trust_info: lsa.TrustDomainInfoInfoEx, + access_mask: int, + srv_version: int, + srv_revision_info1: lsa.revision_info1, + in_blob: drsblobs.trustAuthInOutBlob, + out_blob: drsblobs.trustAuthInOutBlob +): + def generate_AuthInfoInternalAES( + session_key, + incoming=None, + outgoing=None + ): + trustpass = drsblobs.trustDomainPasswords() + + trustpass.outgoing = outgoing + trustpass.incoming = incoming + + trustpass_blob = ndr_pack(trustpass) + + lsa_aes256_enc_key = ( + "Microsoft LSAD encryption key AEAD-AES-256-CBC-HMAC-SHA512 16".encode() + + b'\x00' + ) + lsa_aes256_mac_key = ( + "Microsoft LSAD MAC key AEAD-AES-256-CBC-HMAC-SHA512 16".encode() + + b'\x00' + ) + + iv = token_bytes(16) + ciphertext, auth_data = aead_aes_256_cbc_hmac_sha512( + trustpass_blob, + session_key, + lsa_aes256_enc_key, + 
lsa_aes256_mac_key, + iv, + ) + + return ciphertext, iv, auth_data + + if (srv_version == 1 + and srv_revision_info1.revision == 1 + and (srv_revision_info1.supported_features + & lsa.LSA_FEATURE_TDO_AUTH_INFO_AES_CIPHER)): + + ciphertext, iv, auth_data = generate_AuthInfoInternalAES( + conn.session_key, in_blob, out_blob + ) + + auth_blob = lsa.DATA_BUF2() + auth_blob.size = len(ciphertext) + auth_blob.data = string_to_byte_array(ciphertext) + + auth_info = lsa.TrustDomainInfoAuthInfoInternalAES() + auth_info.cipher = auth_blob + auth_info.salt = string_to_byte_array(iv) + auth_info.auth_data = string_to_byte_array(auth_data) + + return conn.CreateTrustedDomainEx3( + policy_handle, + trust_info, + auth_info, + access_mask + ) + + return CreateTrustedDomainRelax( + conn, + policy_handle, + trust_info, + access_mask, + in_blob, + out_blob + ) diff --git a/python/samba/netcmd/domain/trust.py b/python/samba/netcmd/domain/trust.py index e930f0006bb..20c4ffb9787 100644 --- a/python/samba/netcmd/domain/trust.py +++ b/python/samba/netcmd/domain/trust.py @@ -34,7 +34,7 @@ from samba.dcerpc import drsblobs, lsa, nbt, netlogon, security from samba.net import Net from samba.netcmd import Command, CommandError, Option, SuperCommand from samba.samdb import SamDB -from samba.trust_utils import CreateTrustedDomainRelax +from samba.lsa_utils import OpenPolicyFallback, CreateTrustedDomainFallback class LocalDCCredentialsOptions(options.CredentialsOptions): 
@@ -210,15 +210,24 @@ class DomainTrustCommand(Command): return netlogon.netlogon(self.remote_binding_string, self.local_lp, self.remote_creds) def get_lsa_info(self, conn, policy_access): - objectAttr = lsa.ObjectAttribute() - objectAttr.sec_qos = lsa.QosInfo() - - policy = conn.OpenPolicy2(b''.decode('utf-8'), - objectAttr, policy_access) + in_version = 1 + in_revision_info1 = lsa.revision_info1() + in_revision_info1.revision = 1 + in_revision_info1.supported_features = ( + lsa.LSA_FEATURE_TDO_AUTH_INFO_AES_CIPHER + ) + + out_version, out_revision_info1, policy = OpenPolicyFallback( + conn, + b''.decode('utf-8'), + in_version, + in_revision_info1, + policy_access + ) info = conn.QueryInfoPolicy2(policy, lsa.LSA_POLICY_INFO_DNS) - return (policy, info) + return (policy, out_version, out_revision_info1, info) def get_netlogon_dc_unc(self, conn, server, domain): try: @@ -505,7 +514,12 @@ class cmd_domain_trust_show(DomainTrustCommand): try: local_policy_access = lsa.LSA_POLICY_VIEW_LOCAL_INFORMATION - (local_policy, local_lsa_info) = self.get_lsa_info(local_lsa, local_policy_access) + ( + local_policy, + local_version, + local_revision_info1, + local_lsa_info + ) = self.get_lsa_info(local_lsa, local_policy_access) except RuntimeError as error: raise self.LocalRuntimeError(self, error, "failed to query LSA_POLICY_INFO_DNS") @@ -641,8 +655,12 @@ class cmd_domain_trust_modify(DomainTrustCommand): try: local_policy_access = lsa.LSA_POLICY_VIEW_LOCAL_INFORMATION - local_policy_access |= lsa.LSA_POLICY_TRUST_ADMIN - (local_policy, local_lsa_info) = self.get_lsa_info(local_lsa, local_policy_access) + ( + local_policy, + local_version, + local_revision_info1, + local_lsa_info + ) = self.get_lsa_info(local_lsa, local_policy_access) except RuntimeError as error: raise self.LocalRuntimeError(self, error, "failed to query LSA_POLICY_INFO_DNS") 
@@ -895,7 +913,12 @@ class cmd_domain_trust_create(DomainTrustCommand): raise self.LocalRuntimeError(self, error, "failed to connect lsa server") try: - (local_policy, local_lsa_info) = self.get_lsa_info(local_lsa, local_policy_access) + ( + local_policy, + local_version, + local_revision_info1, + local_lsa_info + ) = self.get_lsa_info(local_lsa, local_policy_access) except RuntimeError as error: raise self.LocalRuntimeError(self, error, "failed to query LSA_POLICY_INFO_DNS") @@ -915,7 +938,12 @@ class cmd_domain_trust_create(DomainTrustCommand): raise self.RemoteRuntimeError(self, error, "failed to connect lsa server") try: - (remote_policy, remote_lsa_info) = self.get_lsa_info(remote_lsa, remote_policy_access) + ( + remote_policy, + remote_version, + remote_revision_info1, + remote_lsa_info + ) = self.get_lsa_info(remote_lsa, remote_policy_access) except RuntimeError as error: raise self.RemoteRuntimeError(self, error, "failed to query LSA_POLICY_INFO_DNS") @@ -1041,12 +1069,16 @@ class cmd_domain_trust_create(DomainTrustCommand): if remote_trust_info: self.outf.write("Creating remote TDO.\n") current_request = {"location": "remote", "name": "CreateTrustedDomainEx2"} - remote_tdo_handle = CreateTrustedDomainRelax(remote_lsa, - remote_policy, - remote_trust_info, - lsa.LSA_TRUSTED_DOMAIN_ALL_ACCESS, - outgoing_blob, - incoming_blob) + remote_tdo_handle = CreateTrustedDomainFallback( + remote_lsa, + remote_policy, + remote_trust_info, + lsa.LSA_TRUSTED_DOMAIN_ALL_ACCESS, + remote_version, + remote_revision_info1, + outgoing_blob, + incoming_blob + ) self.outf.write("Remote TDO created.\n") if enc_types: self.outf.write("Setting supported encryption types on remote TDO.\n") 
@@ -1057,12 +1089,16 @@ class cmd_domain_trust_create(DomainTrustCommand): self.outf.write("Creating local TDO.\n") current_request = {"location": "local", "name": "CreateTrustedDomainEx2"} - local_tdo_handle = CreateTrustedDomainRelax(local_lsa, - local_policy, - local_trust_info, - lsa.LSA_TRUSTED_DOMAIN_ALL_ACCESS, - incoming_blob, - outgoing_blob) + local_tdo_handle = CreateTrustedDomainFallback( + local_lsa, + local_policy, + local_trust_info, + lsa.LSA_TRUSTED_DOMAIN_ALL_ACCESS, + local_version, + local_revision_info1, + incoming_blob, + outgoing_blob + ) self.outf.write("Local TDO created\n") if enc_types: self.outf.write("Setting supported encryption types on local TDO.\n") @@ -1266,7 +1302,12 @@ class cmd_domain_trust_delete(DomainTrustCommand): raise self.LocalRuntimeError(self, error, "failed to connect lsa server") try: - (local_policy, local_lsa_info) = self.get_lsa_info(local_lsa, local_policy_access) + ( + local_policy, + local_version, + local_revision_info1, + local_lsa_info + ) = self.get_lsa_info(local_lsa, local_policy_access) except RuntimeError as error: raise self.LocalRuntimeError(self, error, "failed to query LSA_POLICY_INFO_DNS") @@ -1302,7 +1343,12 @@ class cmd_domain_trust_delete(DomainTrustCommand): raise self.RemoteRuntimeError(self, error, "failed to connect lsa server") try: - (remote_policy, remote_lsa_info) = self.get_lsa_info(remote_lsa, remote_policy_access) + ( + remote_policy, + remote_version, + remote_revision_info1, + remote_lsa_info + ) = self.get_lsa_info(remote_lsa, remote_policy_access) except RuntimeError as error: raise self.RemoteRuntimeError(self, error, "failed to query LSA_POLICY_INFO_DNS") @@ -1409,7 +1455,12 @@ class cmd_domain_trust_validate(DomainTrustCommand): raise self.LocalRuntimeError(self, error, "failed to connect lsa server") -- Samba Shared Repository
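Review bot: In the auth/credentials/credentials_gmsa.c hunks, `bool only_use_previous_pw;` is now declared without an initialiser at the top of cli_credentials_set_gmsa_passwords() and only assigned after the `NT_STATUS_ILL_FORMED_PASSWORD` return in the second hunk; that is correct today because nothing reads it in between, but it is the same shape of bug the commit fixes (reading `managed_password.passwords.query_interval` before the blob was parsed). Initialising it to `false` at the declaration, or adding a comment there saying it is set only after the blob has been pulled, keeps a future edit from reintroducing an uninitialised read; a selftest that runs the gMSA path under valgrind or a sanitizer would catch a regression, since the original defect only showed as a segfault when the stack happened to be non-zero.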
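Review bot: In the buildtools/devel_env.sh hunk, the two `echo` lines print on every `source` of the script, which is noisy if it is sourced from a shell profile; gating them behind a variable, or dropping the "Old PYTHONPATH" line, would keep the fix without the chatter. The hunk also swaps `$(pwd)/bin/python` ahead of `$(pwd)/python`, which is the actual fix, but neither the commit message ("Fix PYTHONPATH and print it") nor the script says why the built tree must come first; a one-line comment above the assignment would document it.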
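Review bot: In the new librpc/rpc/dcerpc_lsa.h, `static const DATA_BLOB lsa_aes256_enc_key_salt` and `lsa_aes256_mac_key_salt` are defined in a header, so every translation unit that includes it gets its own copy and, where only one of them is used, an unused-variable warning; an `extern const DATA_BLOB` declaration with one definition in a .c file (or `static inline` accessor functions) avoids both. The `.length` values are `sizeof(...)` of the string literal and the comments state that this includes the terminating NUL, which is what the Python side in lsa_utils.py reproduces with the appended `b'\x00'`; that agreement is worth a cross-reference comment in one of the two places so the two copies of the salt strings cannot drift apart. The include style is also mixed (`<util/discard.h>` versus `"lib/util/data_blob.h"`) and should follow one convention.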
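Review bot: In the python/samba/__init__.py hunk, `aead_aes_256_cbc_hmac_sha512()` has no docstring; since lsa_utils.py unpacks its result as `ciphertext, auth_data`, document that return tuple and the expected sizes of `cek`, `key_salt`, `mac_salt` and `iv` (the caller passes a 16-byte `iv` from `token_bytes(16)` and salts that include their trailing NUL). The deferred `from samba.crypto import aead_aes_256_cbc_hmac_sha512_blob` matches the neighbouring `arcfour_encrypt` wrapper's pattern, so the import placement is consistent with the file.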
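Review bot: In the python/samba/lsa_utils.py hunk, `CreateTrustedDomainFallback()` silently downgrades: when `srv_revision_info1.supported_features` lacks `lsa.LSA_FEATURE_TDO_AUTH_INFO_AES_CIPHER`, or when `OpenPolicyFallback()` has already fallen back to `OpenPolicy2` on `NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE`, the trust passwords go through `CreateTrustedDomainRelax()`, which calls `crypto.set_relax_mode()` and RC4-encrypts the `trustDomainPasswords` blob with the session key. Since the choice is driven entirely by what the server reports, consider logging which path was taken and giving callers a way to require the AES path, so an operator can see (and, where policy demands it, refuse) a fall-back to the legacy cipher. Two smaller points in the same hunk: the salt strings `"Microsoft LSAD encryption key AEAD-AES-256-CBC-HMAC-SHA512 16"` and `"Microsoft LSAD MAC key AEAD-AES-256-CBC-HMAC-SHA512 16"` duplicate the `LSA_AES256_*_KEY_STRING` macros added in librpc/rpc/dcerpc_lsa.h and would be better exposed once; and `qos.len = 0xc` plus the literal `impersonation_level = 2` / `context_mode = 1` deserve a comment naming what they encode, as `sec_qos` is a new optional parameter that no caller in this changeset sets.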
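Review bot: In the `get_lsa_info` hunk of python/samba/netcmd/domain/trust.py (@@ -210,15), the removed code attached `objectAttr.sec_qos = lsa.QosInfo()` to the policy open, while the new call `OpenPolicyFallback(conn, b''.decode('utf-8'), in_version, in_revision_info1, policy_access)` leaves `sec_qos` at its default of `False`, so no QosInfo is sent any more; that is a behaviour change not mentioned in the commit message and should either be intentional and documented or restored by passing `sec_qos=True`. Also, `in_revision_info1.supported_features` is set to `LSA_FEATURE_TDO_AUTH_INFO_AES_CIPHER` for every caller, including `cmd_domain_trust_show` and `cmd_domain_trust_delete`, which then ignore the returned `local_version` and `local_revision_info1`; harmless, but a short comment that advertising the feature is cheap and only matters for `create` would save the next reader the question.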
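Review bot: In the two `cmd_domain_trust_create` hunks of python/samba/netcmd/domain/trust.py (@@ -1041,12 and @@ -1057,12), the context lines `current_request = {"location": "remote", "name": "CreateTrustedDomainEx2"}` and `current_request = {"location": "local", "name": "CreateTrustedDomainEx2"}` are left unchanged while the calls beneath them now go through `CreateTrustedDomainFallback()`, which may issue `CreateTrustedDomainEx3` instead; any error reported from these blocks will therefore name the wrong RPC. Either have `CreateTrustedDomainFallback()` return (or log) which operation it used and set `current_request["name"]` from that, or change the label to something neutral such as "CreateTrustedDomainEx2/Ex3".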