The branch, v4-20-test has been updated
       via  7b4629ef84a libcli/auth: make use of 
netlogon_creds_cli_check_transport() in more places
       via  aa4add0053b libcli/auth: split out 
netlogon_creds_cli_check_transport()
       via  21e93556300 libcli/auth: let netlogon_creds_copy() copy all scalar 
elements
       via  75e62cc19be s4:librpc/rpc: make use of 
netlogon_creds_client_verify()
       via  77a02d6e79b libcli/auth: make use of netlogon_creds_client_verify()
       via  1de6cffa683 libcli/auth: split out netlogon_creds_client_verify() 
that takes auth_{type,level}
       via  0c61920c887 libcli/auth: pass auth_{type,level} to 
netlogon_creds_server_step_check()
       via  200fc14fb8e libcli/auth: pass auth_{type,level} to 
schannel_check_creds_state()
       via  270499b1c9e libcli/auth: return INVALID_PARAMETER for DES in 
netlogon_creds_{de,en}crypt_samlogon_logon
       via  6b32dcf6ea2 s4:rpc_server/netlogon: make use of 
netlogon_creds_decrypt_SendToSam
       via  dc7ab826ef3 s4:rpc_server/netlogon: make use of 
netlogon_creds_decrypt_samr_CryptPassword
       via  3aefe6a54a7 s4:rpc_server/netlogon: make use of 
netlogon_creds_{de,en}crypt_samr_Password()
       via  cb5ed3bf75b s3:rpc_server/netlogon: make use of 
netlogon_creds_decrypt_samr_CryptPassword()
       via  27ae047ba55 s3:rpc_server/netlogon: make use of 
netlogon_creds_{de,en}crypt_samr_Password
       via  5792c2ce9d4 s4:torture/rpc: make use of 
netlogon_creds_{de,en}crypt_samr_Password
       via  3768134cae8 s4:torture/rpc: make use of 
netlogon_creds_encrypt_samr_CryptPassword()
       via  78ff2be8592 s4:torture/rpc: make use of 
netlogon_creds_decrypt_samlogon_validation()
       via  c9c23c1a96b s4:torture/rpc: make use of 
netlogon_creds_encrypt_samlogon_logon()
       via  856aaaf881f libcli/auth: make use of 
netlogon_creds_{de,en}crypt_samr_Password
       via  8f035b80223 libcli/auth: make use of 
netlogon_creds_encrypt_SendToSam
       via  b85a1d526ca libcli/auth: make use of 
netlogon_creds_encrypt_samr_CryptPassword
       via  a03fb784134 libcli/auth: make 
netlogon_creds_des_{de,en}crypt_LMKey() static
       via  10da7c803b1 python/tests: use encrypt_netr_PasswordInfo in 
KDCBaseTest._test_samlogon()
       via  254440c71a8 pycredentials: add py_creds_encrypt_netr_PasswordInfo 
helper
       via  7f1db18b446 pycredentials: make use of 
netlogon_creds_encrypt_samr_CryptPassword in 
py_creds_encrypt_netr_crypt_password
       via  a616dcc89d9 libcli/auth: add netlogon_creds_{de,en}crypt_SendToSam()
       via  536080d084e libcli/auth: add 
netlogon_creds_{de,en}crypt_samr_CryptPassword()
       via  1aa11e2af6e libcli/auth: add 
netlogon_creds_{de,en}crypt_samr_Password()
       via  838e5257d2a libcli/auth: pass auth_{type,level} to 
netlogon_creds_{de,en}crypt_samlogon_logon()
       via  91154188e28 libcli/auth: pass auth_{type,level} to 
netlogon_creds_{de,en}crypt_samlogon_validation()
       via  1637e23c35d netlogon.idl: add netr_ServerAuthenticateKerberos() and 
related stuff
       via  86ebe5e4e6d s3:rpc_server: add DCESRV_COMPAT_NOT_USED_ON_WIRE() 
helper macro
       via  447a9c782b9 dcesrv_core: add DCESRV_NOT_USED_ON_WIRE() helper macro
       via  6a50b1aea3a s4:rpc_server/netlogon: split out 
dcesrv_netr_ServerAuthenticateGeneric()
       via  6bd5d4d204a s4:dsdb/common: dsdb_trust_get_incoming_passwords only 
needs a const ldb_message
       via  c3b5697dd2e libcli/auth: split out netlogon_creds_alloc()
       via  4419fc6c48f libcli/auth: let netlogon_creds_cli_store_internal 
check netlogon_creds_CredentialState_legacy
       via  bc8dcaa109e libcli/auth: let netlogon_creds_cli_store_internal() 
use talloc_stackframe()
       via  1debb3d3743 libcli/auth: also use 
netlogon_creds_CredentialState_extra_info for the client
       via  4aa40fd5be0 s4:torture/rpc: let test_netlogon_capabilities() fail 
on legacy servers
       via  fa49a8ad2b0 s4:rpc_server/netlogon: implement 
netr_LogonGetCapabilities query_level=2
       via  1acd16876bb s3:rpc_server/netlogon: implement 
netr_LogonGetCapabilities query_level=2
       via  5c74014ae82 libcli/auth: remember client_requested_flags and 
auth_time in netlogon_creds_server_init()
       via  71c0e187665 libcli/auth: remove unused creds->sid
       via  0b85452df0f s4:rpc_server/netlogon: make use of 
creds->ex->client_sid
       via  6d117ea4c8b s3:rpc_server/netlogon: make use of 
creds->ex->client_sid
       via  9ff331f9b9c librpc/rpc: make use of creds->ex->client_sid in 
dcesrv_netr_check_schannel_get_state()
       via  02bc35458be libcli/auth: split out 
netlogon_creds_CredentialState_extra_info
       via  878482663eb libcli/auth: pass client_sid to 
netlogon_creds_server_init()
       via  dcb07d4504c s4:rpc_server/netlogon: add client_sid helper variables
       via  ca97536d7d2 s3:rpc_server/netlogon: add client_sid helper variables
       via  a3b8c49a998 s4:dsdb/common: samdb_confirm_rodc_allowed_to_repl_to() 
only needs a const sid
       via  8d4d6fc8d21 s3:cli_netlogon: let rpccli_connect_netlogon() use 
force_reauth = true on retry
       via  adcd2436bf0 s4:torture/rpc/netlogon: adjust 
test_netlogon_capabilities query_level=2 to request_flags
       via  d0b2469385f s4:librpc/rpc: use netr_LogonGetCapabilities 
query_level=2 to verify the proposed capabilities
       via  620065e13df s4:librpc/rpc: define required schannel flags and 
enforce them
       via  a73571c0747 s4:librpc/rpc: don't allow any unexpected upgrades of 
negotiate_flags
       via  20661a24ff2 s4:librpc/rpc: do LogonControl after 
LogonGetCapabilities downgrade
       via  560aa3e3db1 libcli/auth: use netr_LogonGetCapabilities 
query_level=2 to verify the proposed capabilities
       via  3a33457f23c libcli/auth: use a LogonControl after a 
LogonGetCapabilities downgrade
       via  28a7372c58d libcli/auth: if we require aes we don't need to require 
arcfour nor strong key
       via  84f4313aa9b libcli/auth: don't allow any unexpected upgrades of 
negotiate_flags
       via  b3fd6d36e99 libcli/auth: make use of 
netlogon_creds_cli_store_internal() in netlogon_creds_cli_auth_srvauth_done()
       via  1dcb72dcac2 libcli/auth: remove unused 
netlogon_creds_client_init_session_key()
       via  e476b15d1bd netlogon.idl: the capabilities in query_level=2 are the 
ones send by the client
       via  92fc4f2b683 s4:rpc_server/netlogon: if we require AES there's no 
need to remove the ARCFOUR flag
       via  41a60326a3d s3:rpc_server/netlogon: if we require AES there's no 
need to remove the ARCFOUR flag
       via  e39ca0ed85e s3:rpc_server/netlogon: correctly negotiate flags in 
ServerAuthenticate2/3
       via  f467f83fbda s4:torture/rpc: without weak crypto we should require 
AES
       via  e463774b7cc s4:torture/rpc: check that DOWNGRADE_DETECTED has no 
bits negotiated
       via  568ebd48af4 s4:rpc_server: Make some arrays static
      from  cc3a1195855 s3:winbindd: call process_set_title() for locator child

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-20-test


- Log -----------------------------------------------------------------
commit 7b4629ef84a8e9ce80d1740720928309a0f9d565
Author: Stefan Metzmacher <[email protected]>
Date:   Wed Nov 6 17:18:58 2024 +0100

    libcli/auth: make use of netlogon_creds_cli_check_transport() in more places
    
    This was somehow missing in commit
    7a5ad9f64a905f5744430c6e0796c646baf9432e
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Ralph Boehme <[email protected]>
    
    Autobuild-User(master): Stefan Metzmacher <[email protected]>
    Autobuild-Date(master): Thu Nov  7 09:14:33 UTC 2024 on atb-devel-224
    
    (cherry picked from commit f340dce6546a22d857cad440f8afaee9815dbdb1)
    
    Autobuild-User(v4-20-test): Jule Anger <[email protected]>
    Autobuild-Date(v4-20-test): Wed Nov 13 11:36:37 UTC 2024 on atb-devel-224

commit aa4add0053b55f506a34e329293d37b094d093f7
Author: Stefan Metzmacher <[email protected]>
Date:   Tue Oct 29 13:42:06 2024 +0100

    libcli/auth: split out netlogon_creds_cli_check_transport()
    
    This will make it easier to implement netr_ServerAuthenticateKerberos()
    later...
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>
    (cherry picked from commit 7a5ad9f64a905f5744430c6e0796c646baf9432e)

commit 21e9355630016bac79c4260bdaa371e5142c814f
Author: Stefan Metzmacher <[email protected]>
Date:   Wed Jul 19 21:02:23 2023 +0200

    libcli/auth: let netlogon_creds_copy() copy all scalar elements
    
    This version is good for now, as we want it to be backportable.
    For master we'll add a ndr_deepcopy_struct() helper in order
    to avoid future problems.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>
    (cherry picked from commit 8edbdd65ef78e3f26357d0254b58db3120a32880)

commit 75e62cc19bed300696ddcbd7617ff86283032ef0
Author: Stefan Metzmacher <[email protected]>
Date:   Tue Oct 29 10:31:52 2024 +0100

    s4:librpc/rpc: make use of netlogon_creds_client_verify()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>
    (cherry picked from commit 132629ee3a9b73d0888d1110e4d0a45ded778e5a)

commit 77a02d6e79b077fc0b88172ae6d7832c43fefd1c
Author: Stefan Metzmacher <[email protected]>
Date:   Tue Oct 29 10:02:40 2024 +0100

    libcli/auth: make use of netlogon_creds_client_verify()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>
    (cherry picked from commit 1a5984ac6312b204b51590057b8327cf4698383b)

commit 1de6cffa6836a70d3bcbdf57bd6ce93d59417c0c
Author: Stefan Metzmacher <[email protected]>
Date:   Tue Oct 29 09:54:42 2024 +0100

    libcli/auth: split out netlogon_creds_client_verify() that takes 
auth_{type,level}
    
    This will make it easier to implement netr_ServerAuthenticateKerberos()
    later...
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>
    (cherry picked from commit 45faf6c35a033ec46a546dfb9d5d6aeb2fb2b83c)

commit 0c61920c887d14f7f83df70c543b95b5ff7f4d64
Author: Stefan Metzmacher <[email protected]>
Date:   Tue Oct 29 09:46:07 2024 +0100

    libcli/auth: pass auth_{type,level} to netlogon_creds_server_step_check()
    
    This will make it easier to implement netr_ServerAuthenticateKerberos() 
later...
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>
    (cherry picked from commit 2956c7eb3c9fc2161fd2748e5aac1fc94478e8c7)

commit 200fc14fb8ee59b89abc41985f6c7ee721003dc2
Author: Stefan Metzmacher <[email protected]>
Date:   Tue Oct 29 09:44:52 2024 +0100

    libcli/auth: pass auth_{type,level} to schannel_check_creds_state()
    
    This will make it easier to implement netr_ServerAuthenticateKerberos() 
later...
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>
    (cherry picked from commit 7b02fb50143ba5044605ec67ed41180391835dcb)

commit 270499b1c9ed4a010da265954314bfb5ffcd9eca
Author: Stefan Metzmacher <[email protected]>
Date:   Mon Oct 28 16:54:48 2024 +0100

    libcli/auth: return INVALID_PARAMETER for DES in 
netlogon_creds_{de,en}crypt_samlogon_logon
    
    For the NetlogonGenericInformation case we want an error instead of no
    encryption if only DES was negotiated...
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>
    (cherry picked from commit 131f5c0b251e456c466eaca744525504e1d69492)

commit 6b32dcf6ea2af0949fd283dd497b08e3a1ca6b26
Author: Stefan Metzmacher <[email protected]>
Date:   Mon Oct 28 16:30:19 2024 +0100

    s4:rpc_server/netlogon: make use of netlogon_creds_decrypt_SendToSam
    
    This will make it easier to implement netr_ServerAuthenticateKerberos() 
later...
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>
    (cherry picked from commit 834197dafef0f3779ba69c8e350cbd7bb9333284)

commit dc7ab826ef37d46d0bb852e049c0ab03a704e439
Author: Stefan Metzmacher <[email protected]>
Date:   Mon Oct 28 16:30:19 2024 +0100

    s4:rpc_server/netlogon: make use of 
netlogon_creds_decrypt_samr_CryptPassword
    
    This will make it easier to implement netr_ServerAuthenticateKerberos() 
later...
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>
    (cherry picked from commit f1c1b8661a9121e1ff02784955c98d9f33bca8bd)

commit 3aefe6a54a7020b266b390f6e53a9c95efada750
Author: Stefan Metzmacher <[email protected]>
Date:   Mon Oct 28 16:28:47 2024 +0100

    s4:rpc_server/netlogon: make use of 
netlogon_creds_{de,en}crypt_samr_Password()
    
    This will make it easier to implement netr_ServerAuthenticateKerberos() 
later...
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>
    (cherry picked from commit 7a7cb0d0426a891185f5acf825573d98360e98e1)

commit cb5ed3bf75bf7967a49f5fbfa5832c27dffe393a
Author: Stefan Metzmacher <[email protected]>
Date:   Mon Oct 28 16:25:11 2024 +0100

    s3:rpc_server/netlogon: make use of 
netlogon_creds_decrypt_samr_CryptPassword()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>
    (cherry picked from commit a359b4139c8043ee3c3277b7559cb6d4f58f4044)

commit 27ae047ba552650e780ec0c1c9c077b26ecccab3
Author: Stefan Metzmacher <[email protected]>
Date:   Mon Oct 28 17:12:16 2024 +0100

    s3:rpc_server/netlogon: make use of 
netlogon_creds_{de,en}crypt_samr_Password
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>
    (cherry picked from commit 550d20fd3dd04397b3a38f8b9e0cfa574453eea1)

commit 5792c2ce9d45a5e2f0b454776ebadcad6aaf466a
Author: Stefan Metzmacher <[email protected]>
Date:   Mon Oct 28 17:43:40 2024 +0100

    s4:torture/rpc: make use of netlogon_creds_{de,en}crypt_samr_Password
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>
    (cherry picked from commit 172ce406d48916c57f0742b6a0e064ac170ec8ff)

commit 3768134cae889f39065515a3393ef5cfd187572d
Author: Stefan Metzmacher <[email protected]>
Date:   Mon Oct 28 16:22:36 2024 +0100

    s4:torture/rpc: make use of netlogon_creds_encrypt_samr_CryptPassword()
    
    This will make it easier to implement netr_ServerAuthenticateKerberos() 
later...
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>
    (cherry picked from commit 2d7a47a175337729f4c671d7a6223f6e0ea23ebe)

commit 78ff2be8592fa48f3889e5aae934b7acb7fa08f3
Author: Stefan Metzmacher <[email protected]>
Date:   Mon Oct 28 16:57:53 2024 +0100

    s4:torture/rpc: make use of netlogon_creds_decrypt_samlogon_validation()
    
    This will make it easier to implement netr_ServerAuthenticateKerberos() 
later...
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>
    (cherry picked from commit a177d15c875030dfc6c11ead3ec3a3ec851261cb)

commit c9c23c1a96bf07f11f9ed41c7d04c183d085fc8f
Author: Stefan Metzmacher <[email protected]>
Date:   Mon Oct 28 12:58:11 2024 +0100

    s4:torture/rpc: make use of netlogon_creds_encrypt_samlogon_logon()
    
    This will make it easier to catch all places where we need to
    implement the logic for netr_ServerAuthenticateKerberos...
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>
    (cherry picked from commit 1666d1d74dec3978837ab49f8749d59c0abcf595)

commit 856aaaf881f40f05644f6cee63653dbb0186e457
Author: Stefan Metzmacher <[email protected]>
Date:   Mon Oct 28 17:19:09 2024 +0100

    libcli/auth: make use of netlogon_creds_{de,en}crypt_samr_Password
    
    This will make it easier to implement netr_ServerAuthenticateKerberos() 
later...
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>
    (cherry picked from commit e92d0509d6b4d7f86e8626ba8c5efc5b786823f1)

commit 8f035b802236f9276c6edc3c38d0b122ce1d893a
Author: Stefan Metzmacher <[email protected]>
Date:   Mon Oct 28 16:00:52 2024 +0100

    libcli/auth: make use of netlogon_creds_encrypt_SendToSam
    
    This will help when implementing netr_ServerAuthenticateKerberos()...
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>
    (cherry picked from commit 2bd77ff7314932dc4116773731a810fe0f7ce4b7)

commit b85a1d526ca491c9a7ceab35c421a1c61f515d86
Author: Stefan Metzmacher <[email protected]>
Date:   Mon Oct 28 15:56:09 2024 +0100

    libcli/auth: make use of netlogon_creds_encrypt_samr_CryptPassword
    
    This will help when implementing netr_ServerAuthenticateKerberos()...
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>
    (cherry picked from commit 285ec9ecde712e40e6f0981bcb379ee911bfe9d8)

commit a03fb78413465bfd4f35adcce8fd3137eaa567ad
Author: Stefan Metzmacher <[email protected]>
Date:   Mon Oct 28 15:52:13 2024 +0100

    libcli/auth: make netlogon_creds_des_{de,en}crypt_LMKey() static
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>
    (cherry picked from commit 1edcd5df80bdbc4d4da5bdd5e534d7a17ec61f77)

commit 10da7c803b1e18163ea16737e23ce5222537b7de
Author: Stefan Metzmacher <[email protected]>
Date:   Mon Oct 28 15:39:57 2024 +0100

    python/tests: use encrypt_netr_PasswordInfo in KDCBaseTest._test_samlogon()
    
    This will make it easier to implement netr_ServerAuthenticateKerberos()
    later...
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>
    (cherry picked from commit e7d57fc6e992ca212b834d5dd4d381244bca55c6)

commit 254440c71a845542dd66d42c162792c2d62864fa
Author: Stefan Metzmacher <[email protected]>
Date:   Mon Oct 28 15:22:47 2024 +0100

    pycredentials: add py_creds_encrypt_netr_PasswordInfo helper
    
    This will replace py_creds_encrypt_samr_password in the next steps
    and prepares the introduction of netr_ServerAuthenticateKerberos().
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>
    (cherry picked from commit fac378485f5f15ac0a11c3d82207c4bc780bfb80)

commit 7f1db18b44680e5f91d005db557b20cb081abf13
Author: Stefan Metzmacher <[email protected]>
Date:   Mon Oct 28 14:06:28 2024 +0100

    pycredentials: make use of netlogon_creds_encrypt_samr_CryptPassword in 
py_creds_encrypt_netr_crypt_password
    
    These will simplify adding the logic for netr_ServerAuthenticateKerberos...
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>
    (cherry picked from commit ea792fa342deebefa75b77832c9057924cdcb6f6)

commit a616dcc89d97a62d870a5e3b50f39659da916ca8
Author: Stefan Metzmacher <[email protected]>
Date:   Mon Oct 28 13:13:50 2024 +0100

    libcli/auth: add netlogon_creds_{de,en}crypt_SendToSam()
    
    These will simplify adding the logic for netr_ServerAuthenticateKerberos...
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>
    (cherry picked from commit b8681c165731666bb5eed073ab862490c33ea095)

commit 536080d084e1abd088e064c098f8f9807e690387
Author: Stefan Metzmacher <[email protected]>
Date:   Mon Oct 28 13:12:24 2024 +0100

    libcli/auth: add netlogon_creds_{de,en}crypt_samr_CryptPassword()
    
    These will simplify adding the logic for netr_ServerAuthenticateKerberos...
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>
    (cherry picked from commit 8eb95a155de396981375c7f11221695fd3c7f9d5)

commit 1aa11e2af6e6fd2cdb71d06bf2dc14d45c216846
Author: Stefan Metzmacher <[email protected]>
Date:   Mon Oct 28 13:03:37 2024 +0100

    libcli/auth: add netlogon_creds_{de,en}crypt_samr_Password()
    
    These will simplify adding the logic for netr_ServerAuthenticateKerberos...
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>
    (cherry picked from commit 851a9b18eccece64c3ae0cedd7c7b26a44f0eec6)

commit 838e5257d2a5cca576549b52b19c3015ec17fdb2
Author: Stefan Metzmacher <[email protected]>
Date:   Mon Oct 28 12:55:12 2024 +0100

    libcli/auth: pass auth_{type,level} to 
netlogon_creds_{de,en}crypt_samlogon_logon()
    
    This will be needed when we implement netr_ServerAuthenticateKerberos...
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>
    (cherry picked from commit 3d4ea276bdf44202250246cd6edae2bc17e92c74)

commit 91154188e28e63b19b9d2b9180b8e72145790ffd
Author: Stefan Metzmacher <[email protected]>
Date:   Mon Oct 28 12:43:44 2024 +0100

    libcli/auth: pass auth_{type,level} to 
netlogon_creds_{de,en}crypt_samlogon_validation()
    
    This will be needed when we implement netr_ServerAuthenticateKerberos...
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>
    (cherry picked from commit a56356e399339d5bce2e699431cd3e6186229170)

commit 1637e23c35dab542a10a855f7648fede2633fc39
Author: Stefan Metzmacher <[email protected]>
Date:   Tue Apr 30 15:14:47 2024 +0200

    netlogon.idl: add netr_ServerAuthenticateKerberos() and related stuff
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>
    (cherry picked from commit de8de55a5fee573d0718fa8dd13168a4f0a14614)

commit 86ebe5e4e6d23979a679187c6d2eef2d94dbd5ee
Author: Stefan Metzmacher <[email protected]>
Date:   Tue Sep 10 13:56:38 2024 +0200

    s3:rpc_server: add DCESRV_COMPAT_NOT_USED_ON_WIRE() helper macro
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>
    (cherry picked from commit 62afadb3ebac49a684fb0e5a1beb6d7db6f5e515)

commit 447a9c782b9509ad8a4ab0f148629d3212cef62d
Author: Stefan Metzmacher <[email protected]>
Date:   Tue Sep 10 13:56:38 2024 +0200

    dcesrv_core: add DCESRV_NOT_USED_ON_WIRE() helper macro
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>
    (cherry picked from commit 01577b93cbb0a26aba3209cde69475be2e1c5fb8)

commit 6a50b1aea3a497495047adefd649255f4a746bc9
Author: Stefan Metzmacher <[email protected]>
Date:   Wed Oct 16 17:55:41 2024 +0200

    s4:rpc_server/netlogon: split out dcesrv_netr_ServerAuthenticateGeneric()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>
    (cherry picked from commit e4132c492ded7cadc60371b524e72e41f71f75e9)

commit 6bd5d4d204a468982bf19f8baa494eb412991427
Author: Stefan Metzmacher <[email protected]>
Date:   Wed Oct 16 17:49:26 2024 +0200

    s4:dsdb/common: dsdb_trust_get_incoming_passwords only needs a const 
ldb_message
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>
    (cherry picked from commit f92def2f943917d8946b03f71fcf676998701815)

commit c3b5697dd2e64c07852d2f2864d04d538f5024c1
Author: Stefan Metzmacher <[email protected]>
Date:   Wed Oct 16 17:47:22 2024 +0200

    libcli/auth: split out netlogon_creds_alloc()
    
    Review with: git show --patience
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>
    (cherry picked from commit e9767315cf06bcb257b40014441dd4cd9aad0fb0)

commit 4419fc6c48f388c5110eac0d7a6ddb22e10b1bde
Author: Stefan Metzmacher <[email protected]>
Date:   Thu Oct 10 13:39:38 2024 +0200

    libcli/auth: let netlogon_creds_cli_store_internal check 
netlogon_creds_CredentialState_legacy
    
    Before storing the structure into a ctdb managed volatile database
    we check against netlogon_creds_CredentialState_legacy (the structure
    used before recent changes). This makes sure unpatched cluster nodes
    would not get a parsing error.
    
    We'll remove this again in master when we try to implement
    netr_ServerAuthenticateKerberos() and the related changes
    to netlogon_creds_CredentialState, which will break the compat...
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>
    (cherry picked from commit 3792fe372884aad6ea2893f2e62629dd1cddc129)

commit bc8dcaa109e4a1ddd04bdb3d4aaf9841fbac8673
Author: Stefan Metzmacher <[email protected]>
Date:   Thu Oct 10 13:24:37 2024 +0200

    libcli/auth: let netlogon_creds_cli_store_internal() use talloc_stackframe()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>
    (cherry picked from commit 17394ed7bbf8fa50570a5732f1ce84ccd5e69393)

commit 1debb3d3743e583020cca91c1292717164df47c2
Author: Stefan Metzmacher <[email protected]>
Date:   Wed Oct 2 19:06:59 2024 +0200

    libcli/auth: also use netlogon_creds_CredentialState_extra_info for the 
client
    
    In order to allow backports and cluster updates we simulate a
    dom_sid, so that the old code is able to parse the blob.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>
    (cherry picked from commit 8b972fea0978101575f847eac33b09d2fd8d02e7)

commit 4aa40fd5be03db4430ed82c84f589fdb13bfbca3
Author: Stefan Metzmacher <[email protected]>
Date:   Tue Oct 29 09:27:30 2024 +0100

    s4:torture/rpc: let test_netlogon_capabilities() fail on legacy servers
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>
    (cherry picked from commit 498fc88c155b57a0de6150c3b1e3cfcac181d45b)

commit fa49a8ad2b0cb74f7c7252f5f8b9a40b99789384
Author: Stefan Metzmacher <[email protected]>
Date:   Wed Jul 19 18:00:31 2023 +0200

    s4:rpc_server/netlogon: implement netr_LogonGetCapabilities query_level=2
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>
    (cherry picked from commit fd4b027511b18615e215b66183f95b54bcab683e)

commit 1acd16876bb99ff59231122dba70c4d1f9d86ac2
Author: Stefan Metzmacher <[email protected]>
Date:   Wed Jul 19 18:03:09 2023 +0200

    s3:rpc_server/netlogon: implement netr_LogonGetCapabilities query_level=2
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>
    (cherry picked from commit 484a046d8e179a3b21ead8b5bc3660095314e816)

commit 5c74014ae821d8de9fad54a632498a91f8003815
Author: Stefan Metzmacher <[email protected]>
Date:   Wed Oct 2 19:06:59 2024 +0200

    libcli/auth: remember client_requested_flags and auth_time in 
netlogon_creds_server_init()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>
    (cherry picked from commit dfbc5e5a19420311eac3db5ede1c665a9198395d)

commit 71c0e187665bc17c4d8b3d1d6e7b6fd3aeb30185
Author: Stefan Metzmacher <[email protected]>
Date:   Wed Oct 2 19:04:02 2024 +0200

    libcli/auth: remove unused creds->sid
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>
    (cherry picked from commit a9308c490cb5ec8908a3e4c13e2ce8a08b9027e9)

commit 0b85452df0f7546dd6935ec4bfbef9655e87919c
Author: Stefan Metzmacher <[email protected]>
Date:   Wed Oct 2 19:01:39 2024 +0200

    s4:rpc_server/netlogon: make use of creds->ex->client_sid
    
    creds->sid will be removed soon...
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>
    (cherry picked from commit 4533afc9e12c4dbbc7d11c13e775888c113d497c)

commit 6d117ea4c8b3c6c142acd2a5b11d9b4be7171978
Author: Stefan Metzmacher <[email protected]>
Date:   Wed Oct 2 19:01:39 2024 +0200

    s3:rpc_server/netlogon: make use of creds->ex->client_sid
    
    creds->sid will be removed soon...
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>
    (cherry picked from commit 88a84d9330d2bb03176f888a0d8e5066e1e21bf6)

commit 9ff331f9b9cda45109677b07ab153040f8a3780b
Author: Stefan Metzmacher <[email protected]>
Date:   Wed Oct 2 19:00:45 2024 +0200

    librpc/rpc: make use of creds->ex->client_sid in 
dcesrv_netr_check_schannel_get_state()
    
    creds->sid will be removed soon.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>
    (cherry picked from commit 453587fbc1ef74a3b997235e84040553261fa13e)

commit 02bc35458be666330cde1ebbd1eaa38858dd0bc9
Author: Stefan Metzmacher <[email protected]>
Date:   Wed Oct 2 18:54:05 2024 +0200

    libcli/auth: split out netlogon_creds_CredentialState_extra_info
    
    As server we are free to change the netlogon_creds_CredentialState
    database record format at will as it uses CLEAR_IF_FIRST.
    
    For now that format doesn't really change, because we
    only move dom_sid into a wrapper structure.
    
    In order to avoid changing all callers in this commit,
    we maintain creds->sid as an in-memory pointer.
    
    In the following patches we'll also use it in order
    to store client related information...
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>
    (cherry picked from commit 518f57b93bdb84900d3b58cd94bdf1046f82a5a6)

commit 878482663eb75b914155ed6b225778a0c2ae39a3
Author: Stefan Metzmacher <[email protected]>
Date:   Wed Oct 2 18:46:43 2024 +0200

    libcli/auth: pass client_sid to netlogon_creds_server_init()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>
    (cherry picked from commit c2ef866fca296c8f3eb1620fdd2bb9bf289d96fc)

commit dcb07d4504c80cc6c1a172168836673177497f39
Author: Stefan Metzmacher <[email protected]>
Date:   Wed Oct 2 18:06:44 2024 +0200

    s4:rpc_server/netlogon: add client_sid helper variables
    
    This will make the following changes simpler...
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>
    (cherry picked from commit 2e8949495f601d3fd117cceccd1b464a6ae43251)

commit ca97536d7d224a4569ef16ae79623b881b8c08a5
Author: Stefan Metzmacher <[email protected]>
Date:   Wed Oct 2 18:06:44 2024 +0200

    s3:rpc_server/netlogon: add client_sid helper variables
    
    This will make the following changes simpler...
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>
    (cherry picked from commit eda3728a4079c5399f693b1d68e64e5660647c72)

commit a3b8c49a9982da45fe1e4a1f32848c4e554fd165
Author: Stefan Metzmacher <[email protected]>
Date:   Wed Oct 2 18:04:27 2024 +0200

    s4:dsdb/common: samdb_confirm_rodc_allowed_to_repl_to() only needs a const 
sid
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>
    (cherry picked from commit c9eaf5e22de730f1e7575f6697f32dbb377eae06)

commit 8d4d6fc8d21dac9600995826fc0eb23dc03faa73
Author: Stefan Metzmacher <[email protected]>
Date:   Wed Oct 30 12:10:49 2024 +0100

    s3:cli_netlogon: let rpccli_connect_netlogon() use force_reauth = true on 
retry
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>
    (cherry picked from commit 7f478656dcf08619bc3a7ad390c7db3bfdef924e)

commit adcd2436bf0a770d2f0c7a584d0ecec377e6262a
Author: Stefan Metzmacher <[email protected]>
Date:   Thu Jul 20 13:29:12 2023 +0200

    s4:torture/rpc/netlogon: adjust test_netlogon_capabilities query_level=2 to 
request_flags
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>
    (cherry picked from commit d174b6595a962230bf71cc5c2f512a2c93a4cc1b)

commit d0b2469385fbee91c6753cf7496f8d1eee6422e8
Author: Stefan Metzmacher <[email protected]>
Date:   Wed Oct 2 16:38:53 2024 +0200

    s4:librpc/rpc: use netr_LogonGetCapabilities query_level=2 to verify the 
proposed capabilities
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>
    (cherry picked from commit 0b6ac4b082ddec5dae1392537727f3a7123ec279)

commit 620065e13dfc24464ee9806e36bf37f5fcf828ac
Author: Stefan Metzmacher <[email protected]>
Date:   Wed Oct 2 16:38:53 2024 +0200

    s4:librpc/rpc: define required schannel flags and enforce them
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>
    (cherry picked from commit 25294685b1c2c8652f0ca0220e8f3729e0b347e2)

commit a73571c0747c7531824478ed9d4439cb08d176d8
Author: Stefan Metzmacher <[email protected]>
Date:   Wed Oct 2 16:44:26 2024 +0200

    s4:librpc/rpc: don't allow any unexpected upgrades of negotiate_flags
    
    Only remove the unsupported flags from local_negotiate_flags for
    the next try...
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>
    (cherry picked from commit 69b0cbd13d06fa640a900acab6757425b5b77cac)

commit 20661a24ff2b6abc9288fce32d6900bb645593b2
Author: Stefan Metzmacher <[email protected]>
Date:   Wed Oct 2 16:15:46 2024 +0200

    s4:librpc/rpc: do LogonControl after LogonGetCapabilities downgrade
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>
    (cherry picked from commit 24de5d1cbd25fabae6b01565907b53f5e51ea06d)

commit 560aa3e3db142a184183c92fe2bdbf94839b5ac1
Author: Stefan Metzmacher <[email protected]>
Date:   Wed Oct 2 13:43:36 2024 +0200

    libcli/auth: use netr_LogonGetCapabilities query_level=2 to verify the 
proposed capabilities
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>
    (cherry picked from commit 25a2105ca7816c47a9c4a7fded88a922e4ccf88b)

commit 3a33457f23c7b9bfc8d9affd0f7b1fdc7f40542e
Author: Stefan Metzmacher <[email protected]>
Date:   Wed Oct 2 14:25:19 2024 +0200

    libcli/auth: use a LogonControl after a LogonGetCapabilities downgrade
    
    If LogonGetCapabilities was downgraded by a DCERPC Fault, we
    rely on the schannel message ordering to detect failures.
    
    Instead of letting any real winbindd request trigger this,
    we do it directly in netlogon_creds_cli_check() with
    a LogonControl that is also used for 'wbinfo --ping-dc'.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>
    (cherry picked from commit 276137e950696fbf36450dceebd6c0250c6242d0)

commit 28a7372c58d35a1d9e4b7bbcac14549b637e36bd
Author: Stefan Metzmacher <[email protected]>
Date:   Thu Oct 10 12:31:18 2024 +0200

    libcli/auth: if we require aes we don't need to require arcfour nor strong 
key
    
    But we can send arcfour and strong key on the wire and don't need to
    remove them from the proposed flags.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>
    (cherry picked from commit 3da40f1c6818550eb08a6d7d680c213c3f1d0649)

commit 84f4313aa9b86b4ceada42d6a3d80821d6fc7d0b
Author: Stefan Metzmacher <[email protected]>
Date:   Wed Oct 2 15:03:21 2024 +0200

    libcli/auth: don't allow any unexpected upgrades of negotiate_flags
    
    Only remove the unsupported flags from state->current_flags for
    the next try...
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>
    (cherry picked from commit a9040c8ce76cb9911c4c0c5d623cc479e49f460d)

commit b3fd6d36e990c1be611e2c449d027c9b91981772
Author: Stefan Metzmacher <[email protected]>
Date:   Wed Jul 19 17:43:00 2023 +0200

    libcli/auth: make use of netlogon_creds_cli_store_internal() in 
netlogon_creds_cli_auth_srvauth_done()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>
    (cherry picked from commit 69cb9aea67de0613f467f7ce2d460364ff2be241)

commit 1dcb72dcac27dff8ad999bada4a053460db88034
Author: Stefan Metzmacher <[email protected]>
Date:   Wed Oct 2 19:06:59 2024 +0200

    libcli/auth: remove unused netlogon_creds_client_init_session_key()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>
    (cherry picked from commit cf0e07a3d2a085d31f7d682633af9ec57c155e57)

commit e476b15d1bd01ba4acc2d0d6d9f64ef316d2c611
Author: Stefan Metzmacher <[email protected]>
Date:   Wed Jul 19 09:27:48 2023 +0200

    netlogon.idl: the capabilities in query_level=2 are the ones send by the 
client
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>
    (cherry picked from commit 86176598eee4c83dc63a9dac163f32c886477129)

commit 92fc4f2b6832cdaced71bf3e3afb33cae6f71a44
Author: Stefan Metzmacher <[email protected]>
Date:   Thu Oct 10 12:34:33 2024 +0200

    s4:rpc_server/netlogon: if we require AES there's no need to remove the 
ARCFOUR flag
    
    With SAMBA_WEAK_CRYPTO_DISALLOWED 
dcesrv_netr_ServerAuthenticate3_check_downgrade()
    will return DOWNGRADE_DETECTED with negotiate_flags = 0, if AES was not
    negotiated...
    
    And if AES was negotiated there's no harm in returning the ARCFOUR
    flag...
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>
    (cherry picked from commit a0bc372dee68ad255da005d2e2078da754bbef2a)

commit 41a60326a3d5df174225318e5b0eb1f7ee8235bf
Author: Stefan Metzmacher <[email protected]>
Date:   Thu Oct 10 12:34:33 2024 +0200

    s3:rpc_server/netlogon: if we require AES there's no need to remove the 
ARCFOUR flag
    
    With SAMBA_WEAK_CRYPTO_DISALLOWED we will return DOWNGRADE_DETECTED with 
negotiate_flags = 0,
    if AES was not negotiated...
    
    And if AES was negotiated there's no harm in returning the ARCFOUR
    flag...
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>
    (cherry picked from commit e5bc5ee3e04138b10c0630640469a08fad847e56)

commit e39ca0ed85e43da19ad3345d367ace7f5324ec71
Author: Stefan Metzmacher <[email protected]>
Date:   Wed Jul 19 12:55:33 2023 +0200

    s3:rpc_server/netlogon: correctly negotiate flags in ServerAuthenticate2/3
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>
    (cherry picked from commit b27661f832cc4c56cc582cf7041d90f178736ef7)

commit f467f83fbda136269e47733b21e1919d185f8a7a
Author: Stefan Metzmacher <[email protected]>
Date:   Thu Oct 10 15:02:16 2024 +0200

    s4:torture/rpc: without weak crypto we should require AES
    
    We should check that we can actually negotiate the strong AES
    crypto instead of just checking that NETLOGON_NEG_ARCFOUR is not
    there...
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>
    (cherry picked from commit 3dcbc8eea5bc53a8332b3ad93ea4c3df99af7830)

commit e463774b7cc1b60a9b61e3d7951250eeb88a4018
Author: Stefan Metzmacher <[email protected]>
Date:   Thu Oct 10 15:08:01 2024 +0200

    s4:torture/rpc: check that DOWNGRADE_DETECTED has no bits negotiated
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>
    (cherry picked from commit 36310650ee7a64603128139f512d3a4e039f8822)

commit 568ebd48af4afba6966b4cb6ac381778401de5a8
Author: Jo Sutton <[email protected]>
Date:   Tue Feb 20 16:46:07 2024 +1300

    s4:rpc_server: Make some arrays static
    
    Signed-off-by: Jo Sutton <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>
    (cherry picked from commit beaeeaff501b22fdfb3928d788597398fcbbbe29)
    
    Backported for https://bugzilla.samba.org/show_bug.cgi?id=15425

-----------------------------------------------------------------------

Summary of changes:
 auth/credentials/pycredentials.c              |  92 +++-
 libcli/auth/credentials.c                     | 358 ++++++++++---
 libcli/auth/libcli_auth.h                     |   1 +
 libcli/auth/netlogon_creds_cli.c              | 744 ++++++++++++++++----------
 libcli/auth/proto.h                           |  59 +-
 libcli/auth/schannel_state.h                  |   2 +
 libcli/auth/schannel_state_tdb.c              |  15 +-
 librpc/idl/netlogon.idl                       |  33 +-
 librpc/idl/schannel.idl                       |  73 ++-
 librpc/rpc/dcesrv_core.h                      |   8 +
 librpc/rpc/server/netlogon/schannel_util.c    |   6 +-
 python/samba/tests/krb5/kdc_base_test.py      |  10 +-
 source3/rpc_client/cli_netlogon.c             |   1 +
 source3/rpc_server/netlogon/srv_netlog_nt.c   | 169 ++++--
 source3/rpc_server/rpc_pipes.h                |   6 +
 source4/dsdb/common/rodc_helper.c             |   2 +-
 source4/dsdb/common/util_trusts.c             |   2 +-
 source4/librpc/rpc/dcerpc_schannel.c          | 333 +++++++++++-
 source4/rpc_server/netlogon/dcerpc_netlogon.c | 406 +++++++++-----
 source4/torture/ntp/ntp_signd.c               |   1 +
 source4/torture/rpc/forest_trust.c            |  17 +-
 source4/torture/rpc/lsa.c                     |  21 +-
 source4/torture/rpc/netlogon.c                | 194 +++++--
 source4/torture/rpc/netlogon_crypto.c         |   7 +-
 source4/torture/rpc/remote_pac.c              |  42 +-
 source4/torture/rpc/samba3rpc.c               |  19 +-
 source4/torture/rpc/samlogon.c                |  38 +-
 source4/torture/rpc/samr.c                    |  21 +-
 source4/torture/rpc/schannel.c                |  85 ++-
 29 files changed, 2049 insertions(+), 716 deletions(-)


Changeset truncated at 500 lines:

diff --git a/auth/credentials/pycredentials.c b/auth/credentials/pycredentials.c
index a27e02d1aa5..35869b47478 100644
--- a/auth/credentials/pycredentials.c
+++ b/auth/credentials/pycredentials.c
@@ -1024,9 +1024,11 @@ static PyObject *py_creds_get_aes256_key(PyObject *self, 
PyObject *args)
 static PyObject *py_creds_encrypt_netr_crypt_password(PyObject *self,
                                                      PyObject *args)
 {
-       DATA_BLOB data = data_blob_null;
        struct cli_credentials    *creds  = NULL;
        struct netr_CryptPassword *pwd    = NULL;
+       struct samr_CryptPassword spwd;
+       enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
+       enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
        NTSTATUS status;
        PyObject *py_cp = Py_None;
 
@@ -1045,9 +1047,18 @@ static PyObject 
*py_creds_encrypt_netr_crypt_password(PyObject *self,
                /* pytalloc_get_type sets TypeError */
                return NULL;
        }
-       data.length = sizeof(struct netr_CryptPassword);
-       data.data   = (uint8_t *)pwd;
-       status = netlogon_creds_session_encrypt(creds->netlogon_creds, data);
+
+       memcpy(spwd.data, pwd->data, 512);
+       PUSH_LE_U32(spwd.data, 512, pwd->length);
+
+       status = 
netlogon_creds_encrypt_samr_CryptPassword(creds->netlogon_creds,
+                                                          &spwd,
+                                                          auth_type,
+                                                          auth_level);
+
+       memcpy(pwd->data, spwd.data, 512);
+       pwd->length = PULL_LE_U32(spwd.data, 512);
+       ZERO_STRUCT(spwd);
 
        PyErr_NTSTATUS_IS_ERR_RAISE(status);
 
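Review bot: The literal `512` appears four times in the added copy-in/copy-out lines and silently encodes the layout of both structures: the size of `pwd->data` and the offset inside `spwd.data` where the length is stored. Deriving it from the type, e.g. `memcpy(spwd.data, pwd->data, sizeof(pwd->data));`, with a one-line comment such as `/* samr_CryptPassword keeps the LE32 length directly after the data bytes */`, would keep a later IDL change from turning these into out-of-bounds copies. The result is also copied back into `pwd` before `PyErr_NTSTATUS_IS_ERR_RAISE(status)` runs, so a failed call still overwrites the caller's object with whatever `spwd` holds. Guarding the copy-back with `if (NT_STATUS_IS_OK(status))` while leaving `ZERO_STRUCT(spwd)` unconditional would avoid that. The function body starts and ends outside this hunk.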
@@ -1096,6 +1107,68 @@ static PyObject *py_creds_encrypt_samr_password(PyObject 
*self,
        Py_RETURN_NONE;
 }
 
+static PyObject *py_creds_encrypt_netr_PasswordInfo(PyObject *self,
+                                                   PyObject *args,
+                                                   PyObject *kwargs)
+{
+       const char * const kwnames[] = {
+               "info",
+               "auth_type",
+               "auth_level",
+               NULL
+       };
+       struct cli_credentials *creds = NULL;
+       PyObject *py_info = Py_None;
+       enum netr_LogonInfoClass level = NetlogonInteractiveInformation;
+       union netr_LogonLevel logon = { .password = NULL, };
+       uint8_t auth_type = DCERPC_AUTH_TYPE_NONE;
+       uint8_t auth_level = DCERPC_AUTH_LEVEL_NONE;
+       NTSTATUS status;
+       bool ok;
+
+       creds = PyCredentials_AsCliCredentials(self);
+       if (creds == NULL) {
+               PyErr_Format(PyExc_TypeError, "Credentials expected");
+               return NULL;
+       }
+
+       if (creds->netlogon_creds == NULL) {
+               PyErr_Format(PyExc_ValueError, "NetLogon credentials not set");
+               return NULL;
+       }
+
+       if (!PyArg_ParseTupleAndKeywords(args, kwargs, "Obb",
+                                        discard_const_p(char *, kwnames),
+                                        &py_info, &auth_type, &auth_level))
+       {
+               return NULL;
+       }
+
+       ok = py_check_dcerpc_type(py_info,
+                                 "samba.dcerpc.netlogon",
+                                 "netr_PasswordInfo");
+       if (!ok) {
+               /* py_check_dcerpc_type sets TypeError */
+               return NULL;
+       }
+
+       logon.password = pytalloc_get_type(py_info, struct netr_PasswordInfo);
+       if (logon.password == NULL) {
+               /* pytalloc_get_type sets TypeError */
+               return NULL;
+       }
+
+       status = netlogon_creds_encrypt_samlogon_logon(creds->netlogon_creds,
+                                                      level,
+                                                      &logon,
+                                                      auth_type,
+                                                      auth_level);
+
+       PyErr_NTSTATUS_IS_ERR_RAISE(status);
+
+       Py_RETURN_NONE;
+}
+
 static PyObject *py_creds_get_smb_signing(PyObject *self, PyObject *unused)
 {
        enum smb_signing_setting signing_state;
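Review bot: In py_creds_encrypt_netr_PasswordInfo(), `auth_type` and `auth_level` are parsed with the `b` format into `uint8_t` and passed straight to netlogon_creds_encrypt_samlogon_logon(), where they convert to the dcerpc enum types without any range check in this binding. Whether the callee rejects unknown values is not visible here, so the binding should either compare them against the known DCERPC_AUTH_TYPE_* / DCERPC_AUTH_LEVEL_* constants and raise ValueError, or carry a comment saying where validation happens. The function also has no header comment; `/* Encrypt a netr_PasswordInfo in place; level is fixed to NetlogonInteractiveInformation */` would record the one non-obvious restriction.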
@@ -1611,6 +1684,17 @@ static PyMethodDef py_creds_methods[] = {
                            "the negotiated encryption algorithm in place\n"
                            "i.e. it overwrites the original data"
        },
+       {
+               .ml_name  = "encrypt_netr_PasswordInfo",
+               .ml_meth  = PY_DISCARD_FUNC_SIG(PyCFunction,
+                                       py_creds_encrypt_netr_PasswordInfo),
+               .ml_flags = METH_VARARGS | METH_KEYWORDS,
+               .ml_doc   = "S.encrypt_netr_PasswordInfo(info, "
+                           "auth_type, auth_level) -> None\n"
+                           "Encrypt the supplied password info using the 
session key and\n"
+                           "the negotiated encryption algorithm in place\n"
+                           "i.e. it overwrites the original data"
+       },
        {
                .ml_name  = "get_smb_signing",
                .ml_meth  = py_creds_get_smb_signing,
diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
index 84838be6e73..12f4b1fbb8c 100644
--- a/libcli/auth/credentials.c
+++ b/libcli/auth/credentials.c
@@ -290,7 +290,7 @@ static NTSTATUS netlogon_creds_step(struct 
netlogon_creds_CredentialState *creds
 /*
   DES encrypt a 8 byte LMSessionKey buffer using the Netlogon session key
 */
-NTSTATUS netlogon_creds_des_encrypt_LMKey(struct 
netlogon_creds_CredentialState *creds,
+static NTSTATUS netlogon_creds_des_encrypt_LMKey(struct 
netlogon_creds_CredentialState *creds,
                                          struct netr_LMSessionKey *key)
 {
        int rc;
@@ -308,7 +308,7 @@ NTSTATUS netlogon_creds_des_encrypt_LMKey(struct 
netlogon_creds_CredentialState
 /*
   DES decrypt a 8 byte LMSessionKey buffer using the Netlogon session key
 */
-NTSTATUS netlogon_creds_des_decrypt_LMKey(struct 
netlogon_creds_CredentialState *creds,
+static NTSTATUS netlogon_creds_des_decrypt_LMKey(struct 
netlogon_creds_CredentialState *creds,
                                          struct netr_LMSessionKey *key)
 {
        int rc;
@@ -473,6 +473,58 @@ NTSTATUS netlogon_creds_aes_decrypt(struct 
netlogon_creds_CredentialState *creds
        return NT_STATUS_OK;
 }
 
+static struct netlogon_creds_CredentialState *
+netlogon_creds_alloc(TALLOC_CTX *mem_ctx,
+                    const char *client_account,
+                    const char *client_computer_name,
+                    uint16_t secure_channel_type,
+                    uint32_t client_requested_flags,
+                    const struct dom_sid *client_sid,
+                    uint32_t negotiate_flags)
+{
+       struct netlogon_creds_CredentialState *creds = NULL;
+       struct timeval tv = timeval_current();
+       NTTIME now = timeval_to_nttime(&tv);
+
+       creds = talloc_zero(mem_ctx, struct netlogon_creds_CredentialState);
+       if (creds == NULL) {
+               return NULL;
+       }
+
+       if (client_sid == NULL) {
+               creds->sequence = tv.tv_sec;
+       }
+       creds->negotiate_flags = negotiate_flags;
+       creds->secure_channel_type = secure_channel_type;
+
+       creds->computer_name = talloc_strdup(creds, client_computer_name);
+       if (!creds->computer_name) {
+               talloc_free(creds);
+               return NULL;
+       }
+       creds->account_name = talloc_strdup(creds, client_account);
+       if (!creds->account_name) {
+               talloc_free(creds);
+               return NULL;
+       }
+
+       creds->ex = talloc_zero(creds,
+                       struct netlogon_creds_CredentialState_extra_info);
+       if (creds->ex == NULL) {
+               talloc_free(creds);
+               return NULL;
+       }
+       creds->ex->client_requested_flags = client_requested_flags;
+       creds->ex->auth_time = now;
+       if (client_sid != NULL) {
+               creds->ex->client_sid = *client_sid;
+       } else {
+               creds->ex->client_sid = global_sid_NULL;
+       }
+
+       return creds;
+}
+
 /*****************************************************************
 The above functions are common to the client and server interface
 next comes the client specific functions
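Review bot: netlogon_creds_alloc() uses `client_sid == NULL` as its only signal that it is building client-side state: only then is `creds->sequence` seeded from `tv.tv_sec`, and `creds->ex->client_sid` falls back to `global_sid_NULL`. Nothing in the new function documents this, and as far as the hunks here show, a server-side caller that passes NULL by mistake gets the client behaviour without an error. A header comment would make the contract explicit, for example `/* client_sid == NULL selects client-side state: seeds creds->sequence and stores global_sid_NULL */`.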
@@ -491,30 +543,23 @@ struct netlogon_creds_CredentialState 
*netlogon_creds_client_init(TALLOC_CTX *me
                                                                  const struct 
netr_Credential *server_challenge,
                                                                  const struct 
samr_Password *machine_password,
                                                                  struct 
netr_Credential *initial_credential,
+                                                                 uint32_t 
client_requested_flags,
                                                                  uint32_t 
negotiate_flags)
 {
-       struct netlogon_creds_CredentialState *creds = talloc_zero(mem_ctx, 
struct netlogon_creds_CredentialState);
+       struct netlogon_creds_CredentialState *creds = NULL;
        NTSTATUS status;
 
+       creds = netlogon_creds_alloc(mem_ctx,
+                                    client_account,
+                                    client_computer_name,
+                                    secure_channel_type,
+                                    client_requested_flags,
+                                    NULL, /* client_sid */
+                                    negotiate_flags);
        if (!creds) {
                return NULL;
        }
 
-       creds->sequence = time(NULL);
-       creds->negotiate_flags = negotiate_flags;
-       creds->secure_channel_type = secure_channel_type;
-
-       creds->computer_name = talloc_strdup(creds, client_computer_name);
-       if (!creds->computer_name) {
-               talloc_free(creds);
-               return NULL;
-       }
-       creds->account_name = talloc_strdup(creds, client_account);
-       if (!creds->account_name) {
-               talloc_free(creds);
-               return NULL;
-       }
-
        dump_data_pw("Client chall", client_challenge->data, 
sizeof(client_challenge->data));
        dump_data_pw("Server chall", server_challenge->data, 
sizeof(server_challenge->data));
        dump_data_pw("Machine Pass", machine_password->hash, 
sizeof(machine_password->hash));
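Review bot: The new `uint32_t client_requested_flags` parameter sits directly in front of `uint32_t negotiate_flags`, so swapping the two at a call site compiles without a warning. netlogon_creds_server_init() gains the same two flag parameters in the `@@ -676,20` hunk, and both functions forward them positionally to netlogon_creds_alloc(). Going by the commit messages the series is about rejecting unexpected flag changes, so a mix-up would presumably weaken exactly that comparison. A comment on the prototype naming each value, e.g. `/* client_requested_flags: as proposed by the client; negotiate_flags: result of the negotiation */` (if that is the intended meaning), would help reviewers of the many updated call sites. The function body starts and ends outside this hunk.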
@@ -563,25 +608,6 @@ struct netlogon_creds_CredentialState 
*netlogon_creds_client_init(TALLOC_CTX *me
        return creds;
 }
 
-/*
-  initialise the credentials structure with only a session key.  The caller 
better know what they are doing!
- */
-
-struct netlogon_creds_CredentialState 
*netlogon_creds_client_init_session_key(TALLOC_CTX *mem_ctx,
-                                                                             
const uint8_t session_key[16])
-{
-       struct netlogon_creds_CredentialState *creds;
-
-       creds = talloc_zero(mem_ctx, struct netlogon_creds_CredentialState);
-       if (!creds) {
-               return NULL;
-       }
-
-       memcpy(creds->session_key, session_key, 16);
-
-       return creds;
-}
-
 /*
   step the credentials to the next element in the chain, updating the
   current client and server credentials and the seed
@@ -631,14 +657,34 @@ netlogon_creds_client_authenticator(struct 
netlogon_creds_CredentialState *creds
 /*
   check that a credentials reply from a server is correct
 */
-bool netlogon_creds_client_check(struct netlogon_creds_CredentialState *creds,
-                       const struct netr_Credential *received_credentials)
+NTSTATUS netlogon_creds_client_verify(struct netlogon_creds_CredentialState 
*creds,
+                       const struct netr_Credential *received_credentials,
+                       enum dcerpc_AuthType auth_type,
+                       enum dcerpc_AuthLevel auth_level)
 {
        if (!received_credentials ||
            !mem_equal_const_time(received_credentials->data, 
creds->server.data, 8)) {
                DEBUG(2,("credentials check failed\n"));
+               return NT_STATUS_ACCESS_DENIED;
+       }
+       return NT_STATUS_OK;
+}
+
+bool netlogon_creds_client_check(struct netlogon_creds_CredentialState *creds,
+                       const struct netr_Credential *received_credentials)
+{
+       enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
+       enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
+       NTSTATUS status;
+
+       status = netlogon_creds_client_verify(creds,
+                                             received_credentials,
+                                             auth_type,
+                                             auth_level);
+       if (!NT_STATUS_IS_OK(status)) {
                return false;
        }
+
        return true;
 }
 
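Review bot: netlogon_creds_client_verify() accepts `auth_type` and `auth_level` but its body never reads them, and the retained netlogon_creds_client_check() wrapper always passes DCERPC_AUTH_TYPE_NONE / DCERPC_AUTH_LEVEL_NONE. If a later change makes verify() enforce a minimum transport protection, callers still on the bool wrapper would either skip or always fail that check, depending on how NONE is treated. The wrapper therefore deserves a comment such as `/* legacy entry point: no transport information, prefer netlogon_creds_client_verify() */`, and the unused parameters a note that they are reserved for that check. Separately, `creds` is dereferenced without a NULL check while `received_credentials` is checked; that asymmetry predates this hunk.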
@@ -676,20 +722,25 @@ struct netlogon_creds_CredentialState 
*netlogon_creds_server_init(TALLOC_CTX *me
                                                                  const struct 
samr_Password *machine_password,
                                                                  const struct 
netr_Credential *credentials_in,
                                                                  struct 
netr_Credential *credentials_out,
+                                                                 uint32_t 
client_requested_flags,
+                                                                 const struct 
dom_sid *client_sid,
                                                                  uint32_t 
negotiate_flags)
 {
-
-       struct netlogon_creds_CredentialState *creds = talloc_zero(mem_ctx, 
struct netlogon_creds_CredentialState);
+       struct netlogon_creds_CredentialState *creds = NULL;
        NTSTATUS status;
        bool ok;
 
+       creds = netlogon_creds_alloc(mem_ctx,
+                                    client_account,
+                                    client_computer_name,
+                                    secure_channel_type,
+                                    client_requested_flags,
+                                    client_sid,
+                                    negotiate_flags);
        if (!creds) {
                return NULL;
        }
 
-       creds->negotiate_flags = negotiate_flags;
-       creds->secure_channel_type = secure_channel_type;
-
        dump_data_pw("Client chall", client_challenge->data, 
sizeof(client_challenge->data));
        dump_data_pw("Server chall", server_challenge->data, 
sizeof(server_challenge->data));
        dump_data_pw("Machine Pass", machine_password->hash, 
sizeof(machine_password->hash));
@@ -708,17 +759,6 @@ struct netlogon_creds_CredentialState 
*netlogon_creds_server_init(TALLOC_CTX *me
                return NULL;
        }
 
-       creds->computer_name = talloc_strdup(creds, client_computer_name);
-       if (!creds->computer_name) {
-               talloc_free(creds);
-               return NULL;
-       }
-       creds->account_name = talloc_strdup(creds, client_account);
-       if (!creds->account_name) {
-               talloc_free(creds);
-               return NULL;
-       }
-
        if (negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
                status = netlogon_creds_init_hmac_sha256(creds,
                                                         client_challenge,
@@ -778,7 +818,9 @@ struct netlogon_creds_CredentialState 
*netlogon_creds_server_init(TALLOC_CTX *me
 
 NTSTATUS netlogon_creds_server_step_check(struct 
netlogon_creds_CredentialState *creds,
                                 const struct netr_Authenticator 
*received_authenticator,
-                                struct netr_Authenticator 
*return_authenticator)
+                                struct netr_Authenticator 
*return_authenticator,
+                                enum dcerpc_AuthType auth_type,
+                                enum dcerpc_AuthLevel auth_level)
 {
        NTSTATUS status;
 
@@ -810,6 +852,8 @@ NTSTATUS netlogon_creds_server_step_check(struct 
netlogon_creds_CredentialState
 static NTSTATUS netlogon_creds_crypt_samlogon_validation(struct 
netlogon_creds_CredentialState *creds,
                                                         uint16_t 
validation_level,
                                                         union netr_Validation 
*validation,
+                                                        enum dcerpc_AuthType 
auth_type,
+                                                        enum dcerpc_AuthLevel 
auth_level,
                                                         bool do_encrypt)
 {
        struct netr_SamBaseInfo *base = NULL;
@@ -925,27 +969,37 @@ static NTSTATUS 
netlogon_creds_crypt_samlogon_validation(struct netlogon_creds_C
 
 NTSTATUS netlogon_creds_decrypt_samlogon_validation(struct 
netlogon_creds_CredentialState *creds,
                                                    uint16_t validation_level,
-                                                   union netr_Validation 
*validation)
+                                                   union netr_Validation 
*validation,
+                                                   enum dcerpc_AuthType 
auth_type,
+                                                   enum dcerpc_AuthLevel 
auth_level)
 {
        return netlogon_creds_crypt_samlogon_validation(creds,
                                                        validation_level,
                                                        validation,
+                                                       auth_type,
+                                                       auth_level,
                                                        false);
 }
 
 NTSTATUS netlogon_creds_encrypt_samlogon_validation(struct 
netlogon_creds_CredentialState *creds,
                                                    uint16_t validation_level,
-                                                   union netr_Validation 
*validation)
+                                                   union netr_Validation 
*validation,
+                                                   enum dcerpc_AuthType 
auth_type,
+                                                   enum dcerpc_AuthLevel 
auth_level)
 {
        return netlogon_creds_crypt_samlogon_validation(creds,
                                                        validation_level,
                                                        validation,
+                                                       auth_type,
+                                                       auth_level,
                                                        true);
 }
 
 static NTSTATUS netlogon_creds_crypt_samlogon_logon(struct 
netlogon_creds_CredentialState *creds,
                                                    enum netr_LogonInfoClass 
level,
                                                    union netr_LogonLevel 
*logon,
+                                                   enum dcerpc_AuthType 
auth_type,
+                                                   enum dcerpc_AuthLevel 
auth_level,
                                                    bool do_encrypt)
 {
        NTSTATUS status;
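Review bot: The exported netlogon_creds_decrypt_samlogon_validation() and netlogon_creds_encrypt_samlogon_validation() now take `auth_type` and `auth_level`, but nothing in the hunk documents what a caller has to pass, and both wrappers only forward the values to the static helper. A short comment above each wrapper would help, for example `/* auth_type/auth_level describe the DCERPC connection this message travels on, not a value picked by the caller */`; that meaning is inferred from the enum names and should be confirmed. The same gap applies to netlogon_creds_server_step_check() and to the samlogon_logon wrappers in the neighbouring hunks. Whether a weak transport is actually rejected is not visible here, because netlogon_creds_crypt_samlogon_validation() and netlogon_creds_crypt_samlogon_logon() have their bodies outside this hunk.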
@@ -1082,6 +1136,7 @@ static NTSTATUS 
netlogon_creds_crypt_samlogon_logon(struct netlogon_creds_Creden
                        }
                } else {
                        /* Using DES to verify kerberos tickets makes no sense 
*/
+                       return NT_STATUS_INVALID_PARAMETER;
                }
                break;
        }
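Review bot: The comment in the DES `else` branch still reads as a reason for doing nothing, while the branch now fails the call. It should say the request is rejected, e.g. `/* DES makes no sense for kerberos tickets: reject instead of returning success with the buffer untouched */`. Before this change the empty branch fell through to `break`, so any caller that relied on a success status in this case will now get NT_STATUS_INVALID_PARAMETER and presumably needs to handle it. netlogon_creds_crypt_samlogon_logon() starts and ends outside the hunk, so it cannot be judged from here whether data processed earlier in the function is left modified on this error path.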
@@ -1091,16 +1146,178 @@ static NTSTATUS 
netlogon_creds_crypt_samlogon_logon(struct netlogon_creds_Creden
 
 NTSTATUS netlogon_creds_decrypt_samlogon_logon(struct 
netlogon_creds_CredentialState *creds,
                                               enum netr_LogonInfoClass level,
-                                              union netr_LogonLevel *logon)
+                                              union netr_LogonLevel *logon,
+                                              enum dcerpc_AuthType auth_type,
+                                              enum dcerpc_AuthLevel auth_level)
 {
-       return netlogon_creds_crypt_samlogon_logon(creds, level, logon, false);
+       return netlogon_creds_crypt_samlogon_logon(creds,
+                                                  level,
+                                                  logon,
+                                                  auth_type,
+                                                  auth_level,
+                                                  false);
 }
 
 NTSTATUS netlogon_creds_encrypt_samlogon_logon(struct 
netlogon_creds_CredentialState *creds,
                                               enum netr_LogonInfoClass level,
-                                              union netr_LogonLevel *logon)
+                                              union netr_LogonLevel *logon,
+                                              enum dcerpc_AuthType auth_type,
+                                              enum dcerpc_AuthLevel auth_level)
 {
-       return netlogon_creds_crypt_samlogon_logon(creds, level, logon, true);
+       return netlogon_creds_crypt_samlogon_logon(creds,
+                                                  level,
+                                                  logon,
+                                                  auth_type,
+                                                  auth_level,
+                                                  true);
+}
+
+static NTSTATUS netlogon_creds_crypt_samr_Password(
+               struct netlogon_creds_CredentialState *creds,
+               struct samr_Password *pass,
+               enum dcerpc_AuthType auth_type,
+               enum dcerpc_AuthLevel auth_level,
+               bool do_encrypt)
+{
+       if (all_zero(pass->hash, ARRAY_SIZE(pass->hash))) {
+               return NT_STATUS_OK;
+       }
+
+       /*
+        * Even with NETLOGON_NEG_SUPPORTS_AES or
+        * NETLOGON_NEG_ARCFOUR this uses DES
+        */
+
+       if (do_encrypt) {
+               return netlogon_creds_des_encrypt(creds, pass);
+       }
+
+       return netlogon_creds_des_decrypt(creds, pass);
+}
+
+NTSTATUS netlogon_creds_decrypt_samr_Password(struct 
netlogon_creds_CredentialState *creds,
+                                             struct samr_Password *pass,
+                                             enum dcerpc_AuthType auth_type,
+                                             enum dcerpc_AuthLevel auth_level)
+{
+       return netlogon_creds_crypt_samr_Password(creds,
+                                                 pass,
+                                                 auth_type,
+                                                 auth_level,
+                                                 false);
+}
+
+NTSTATUS netlogon_creds_encrypt_samr_Password(struct 
netlogon_creds_CredentialState *creds,
+                                             struct samr_Password *pass,
+                                             enum dcerpc_AuthType auth_type,
+                                             enum dcerpc_AuthLevel auth_level)


-- 
Samba Shared Repository
