The branch, master has been updated
       via  74f10bab066 selftest: force 'client use krb5 netlogon = yes' for admem_idmap_autorid
       via  0d8ff826472 s4:torture/rpc: add rpc.pac tests with DCERPC_SCHANNEL_KRB5/ServerAuthenticateKerberos()
       via  13b12235751 selftest: add 'server support krb5 netlogon = yes' for fl2008r2dc
       via  1b578bba09b s4:torture/rpc: let rpc.samlogon also test DCERPC_SCHANNEL_KRB5/ServerAuthenticateKerberos()
       via  e057c0543c0 s4:torture/rpc: let rpc.samlogon test credential_flags again...
       via  8ae6f06cff3 s4:torture/rpc: let rpc.schannel also use of DCERPC_SCHANNEL_KRB5
       via  2070586afac s4:torture/rpc: prepare test_lsa_ops for ServerAuthenticateKerberos
       via  847ddfe5e8f s4:torture/rpc: use expected_{account,authority}_name variables in test_lsa_ops
       via  1fa67395df4 s4:torture/rpc: prepare netlogon tests for ServerAuthenticateKerberos
       via  e66ca2fde1a s4:torture/rpc: prepare lsa lookup tests for ServerAuthenticateKerberos
       via  5241fa9b481 s4:torture/rpc: make more use of netlogon_creds_client_verify()
       via  bd6c718a2b1 s4:librpc/rpc: implement DCERPC_SCHANNEL_KRB5
       via  9da8396ff1a s3:tests: let test_update_keytab.sh use rpc changetrustpw --server
       via  9a4c2280e9f python:tests: let s3_net_join.py avoid kerberos_state=DONT_USE_KERBEROS
       via  14e8af1fab5 testprogs/blackbox: let test_rpcclient_schannel.sh explicitly use --option=clientusekrb5netlogon
       via  0ca38918f6c python:tests: let auth_log.py also test --option=clientusekrb5netlogon=yes
       via  b84aa14c99f python:tests: let auth_log.py explicitly use --option=clientusekrb5netlogon=no
       via  2a4f0911e92 python:tests: let auth_log.py use self.assertIn(received, [4, 5]
       via  2ad984207d8 selftest: add 'server support krb5 netlogon = yes' for ad_dc_ntvfs
       via  87b1679c6ff libcli/auth: add support for ServerAuthenticateKerberos()
       via  e9be4ed8724 s3:winbindd: split out cm_connect_schannel_or_krb5() helper
       via  bc14818cf87 s3:cli_netlogon: prepare for netr_ServerAuthenticateKerberos()
       via  04d78cc7ce8 s3:winbindd: use GENSEC_FEATURE_NO_DELEGATION for trust credentials for netlogon
       via  3abece600f9 s3:rpcclient: use GENSEC_FEATURE_NO_DELEGATION for trust credentials
       via  b99f03eec2a s3:libnet_join: use GENSEC_FEATURE_NO_DELEGATION for trust credentials
       via  f14493d086f s3:cli_netlogon: use GENSEC_FEATURE_NO_DELEGATION for trust credentials
       via  473893738a4 libcli/auth: add netlogon_creds_cli_use_kerberos() helper
       via  41b46cdff19 docs-xml/smbdotconf: add "client use krb5 netlogon" option
       via  33ddd29f6be docs-xml/smbdotconf: add "reject aes netlogon servers" option
       via  fcca3122cf7 s3:libads: prepare trust_pw_change() for ServerAuthenticateKerberos()
       via  6e21dbce125 s3:libads: rename variables in trust_pw_change()
      from  fcd3fc34b2e vfs_ceph_new: add profiling support

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 74f10bab06626372f66c9a88e5a10016574525f2
Author: Stefan Metzmacher <[email protected]>
Date:   Wed Jan 8 10:49:42 2025 +0100

    selftest: force 'client use krb5 netlogon = yes' for admem_idmap_autorid
    
    With 'reject aes netlogon servers = yes' we prevent any fallback.
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Jennifer Sutton <[email protected]>
    
    Autobuild-User(master): Stefan Metzmacher <[email protected]>
    Autobuild-Date(master): Tue Jan 14 00:37:34 UTC 2025 on atb-devel-224

commit 0d8ff8264727bc9bfb16e0c810ee44a31b4dc084
Author: Stefan Metzmacher <[email protected]>
Date:   Mon Nov 11 19:32:48 2024 +0100

    s4:torture/rpc: add rpc.pac tests with DCERPC_SCHANNEL_KRB5/ServerAuthenticateKerberos()
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Jennifer Sutton <[email protected]>

commit 13b122357514c41535c6d21f421db51b6de0d038
Author: Stefan Metzmacher <[email protected]>
Date:   Wed Nov 27 12:32:27 2024 +0100

    selftest: add 'server support krb5 netlogon = yes' for fl2008r2dc
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Jennifer Sutton <[email protected]>

commit 1b578bba09b221d82f2f7dcb4be6ac11152aeacf
Author: Stefan Metzmacher <[email protected]>
Date:   Wed Nov 27 12:21:57 2024 +0100

    s4:torture/rpc: let rpc.samlogon also test DCERPC_SCHANNEL_KRB5/ServerAuthenticateKerberos()
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Jennifer Sutton <[email protected]>

commit e057c0543c0dfece20b611288d442c5464dfe1a9
Author: Stefan Metzmacher <[email protected]>
Date:   Wed Nov 27 12:17:27 2024 +0100

    s4:torture/rpc: let rpc.samlogon test credential_flags again...
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Jennifer Sutton <[email protected]>

commit 8ae6f06cff3da2787924a98e0b895b63a2212392
Author: Stefan Metzmacher <[email protected]>
Date:   Fri Nov 8 15:56:45 2024 +0100

    s4:torture/rpc: let rpc.schannel also use of DCERPC_SCHANNEL_KRB5
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Jennifer Sutton <[email protected]>

commit 2070586afac76202ada469687d2d3264215f24a8
Author: Stefan Metzmacher <[email protected]>
Date:   Mon Nov 11 20:30:25 2024 +0100

    s4:torture/rpc: prepare test_lsa_ops for ServerAuthenticateKerberos
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Jennifer Sutton <[email protected]>

commit 847ddfe5e8f37027a058feab2618ba5a781f1444
Author: Stefan Metzmacher <[email protected]>
Date:   Mon Nov 11 20:26:55 2024 +0100

    s4:torture/rpc: use expected_{account,authority}_name variables in test_lsa_ops
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Jennifer Sutton <[email protected]>

commit 1fa67395df4c2d41223e83c8ecfa515970bbf85d
Author: Stefan Metzmacher <[email protected]>
Date:   Wed Nov 27 12:21:12 2024 +0100

    s4:torture/rpc: prepare netlogon tests for ServerAuthenticateKerberos
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Jennifer Sutton <[email protected]>

commit e66ca2fde1a117b31a22f740d90b1599603d6523
Author: Stefan Metzmacher <[email protected]>
Date:   Wed Nov 27 12:18:36 2024 +0100

    s4:torture/rpc: prepare lsa lookup tests for ServerAuthenticateKerberos
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Jennifer Sutton <[email protected]>

commit 5241fa9b481fbeddb98a78349e2998334be152ff
Author: Stefan Metzmacher <[email protected]>
Date:   Wed Nov 27 12:15:42 2024 +0100

    s4:torture/rpc: make more use of netlogon_creds_client_verify()
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Jennifer Sutton <[email protected]>

commit bd6c718a2b1ceb6c4c39b40f663d4026da0a6a06
Author: Stefan Metzmacher <[email protected]>
Date:   Fri Nov 8 17:48:31 2024 +0100

    s4:librpc/rpc: implement DCERPC_SCHANNEL_KRB5
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Jennifer Sutton <[email protected]>

commit 9da8396ff1a99bde0a9850a2c0be877a204d4f26
Author: Stefan Metzmacher <[email protected]>
Date:   Thu Nov 7 20:00:08 2024 +0100

    s3:tests: let test_update_keytab.sh use rpc changetrustpw --server
    
    If we pass the server name via -I/--ipaddress, we internally lose
    the server name and fail to use kerberos with just the ip address.
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Jennifer Sutton <[email protected]>

commit 9a4c2280e9f42bf0263ebe3bf2cfe65a8089c52f
Author: Stefan Metzmacher <[email protected]>
Date:   Thu Nov 7 19:09:26 2024 +0100

    python:tests: let s3_net_join.py avoid kerberos_state=DONT_USE_KERBEROS
    
    We may use ServerAuthenticateKerberos in future and that needs to
    use kerberos.
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Jennifer Sutton <[email protected]>

commit 14e8af1fab56365ebd7c006200d4e46db379b0b5
Author: Stefan Metzmacher <[email protected]>
Date:   Thu Nov 7 18:31:25 2024 +0100

    testprogs/blackbox: let test_rpcclient_schannel.sh explicitly use --option=clientusekrb5netlogon
    
    This also tests lsa over kerberos
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Jennifer Sutton <[email protected]>

commit 0ca38918f6cc0f47c81599340c62d504d22148cd
Author: Stefan Metzmacher <[email protected]>
Date:   Thu Nov 7 17:37:05 2024 +0100

    python:tests: let auth_log.py also test --option=clientusekrb5netlogon=yes
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Jennifer Sutton <[email protected]>

commit b84aa14c99f5b2fc3b093271cec7966ba6c647b9
Author: Stefan Metzmacher <[email protected]>
Date:   Thu Nov 7 16:41:00 2024 +0100

    python:tests: let auth_log.py explicitly use --option=clientusekrb5netlogon=no
    
    It also adds some additional checks to make sure netlogon with AES was
    used.
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Jennifer Sutton <[email protected]>

commit 2a4f0911e92d1f24459d3aefc99919f1767e654b
Author: Stefan Metzmacher <[email protected]>
Date:   Thu Nov 7 16:37:56 2024 +0100

    python:tests: let auth_log.py use self.assertIn(received, [4, 5]
    
    This will simplify further changes.
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Jennifer Sutton <[email protected]>

commit 2ad984207d815b3baecdf84348d81121ae2f7ebb
Author: Stefan Metzmacher <[email protected]>
Date:   Wed Nov 27 12:32:27 2024 +0100

    selftest: add 'server support krb5 netlogon = yes' for ad_dc_ntvfs
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Jennifer Sutton <[email protected]>

commit 87b1679c6ff32f746d4b20a1f2bec15efbc04f5d
Author: Stefan Metzmacher <[email protected]>
Date:   Fri Sep 6 14:07:15 2024 +0200

    libcli/auth: add support for ServerAuthenticateKerberos()
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Jennifer Sutton <[email protected]>

commit e9be4ed8724e1ab9735839c30c2a77156c5b58e4
Author: Stefan Metzmacher <[email protected]>
Date:   Wed Nov 6 14:00:58 2024 +0100

    s3:winbindd: split out cm_connect_schannel_or_krb5() helper
    
    This will allow us to use ServerAuthenticateKerberos() later.
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Jennifer Sutton <[email protected]>

commit bc14818cf87da277953f6a2369f589063ceda8bb
Author: Stefan Metzmacher <[email protected]>
Date:   Wed Oct 30 12:13:36 2024 +0100

    s3:cli_netlogon: prepare for netr_ServerAuthenticateKerberos()
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Jennifer Sutton <[email protected]>

commit 04d78cc7ce876f3bdb9ad2e1ffaf91c6771ca316
Author: Stefan Metzmacher <[email protected]>
Date:   Wed Nov 27 10:59:58 2024 +0100

    s3:winbindd: use GENSEC_FEATURE_NO_DELEGATION for trust credentials for netlogon
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Jennifer Sutton <[email protected]>

commit 3abece600f9c944bb4bd061fe4062370a6e08080
Author: Stefan Metzmacher <[email protected]>
Date:   Wed Nov 27 10:59:58 2024 +0100

    s3:rpcclient: use GENSEC_FEATURE_NO_DELEGATION for trust credentials
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Jennifer Sutton <[email protected]>

commit b99f03eec2a0eb3601c88b9c10d696e19513ca81
Author: Stefan Metzmacher <[email protected]>
Date:   Wed Nov 27 10:59:58 2024 +0100

    s3:libnet_join: use GENSEC_FEATURE_NO_DELEGATION for trust credentials
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Jennifer Sutton <[email protected]>

commit f14493d086fcdb3919e2abf4113c9778bb9f690e
Author: Stefan Metzmacher <[email protected]>
Date:   Wed Oct 30 12:13:36 2024 +0100

    s3:cli_netlogon: use GENSEC_FEATURE_NO_DELEGATION for trust credentials
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Jennifer Sutton <[email protected]>

commit 473893738a4c9381207204b1b35770599193411e
Author: Stefan Metzmacher <[email protected]>
Date:   Fri Sep 6 14:07:15 2024 +0200

    libcli/auth: add netlogon_creds_cli_use_kerberos() helper
    
    This allows the calling code to decide if a krb5 or anonymous
    netlogon connection should be tried.
    
    Currently we don't try ServerAuthenticateKerberos, but that will change
    in a few commits. But before that we need to prepare the callers...
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Jennifer Sutton <[email protected]>

commit 41b46cdff19f5ccc67017189b85592035df4a623
Author: Stefan Metzmacher <[email protected]>
Date:   Thu Nov 7 13:25:37 2024 +0100

    docs-xml/smbdotconf: add "client use krb5 netlogon" option
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Jennifer Sutton <[email protected]>

commit 33ddd29f6be5a63bdd1d0ee60c86b56f619abaf8
Author: Stefan Metzmacher <[email protected]>
Date:   Thu Nov 7 12:41:05 2024 +0100

    docs-xml/smbdotconf: add "reject aes netlogon servers" option
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Jennifer Sutton <[email protected]>

commit fcca3122cf758a2abc49dc02de50713e62b10ca2
Author: Stefan Metzmacher <[email protected]>
Date:   Thu Oct 31 18:32:52 2024 +0100

    s3:libads: prepare trust_pw_change() for ServerAuthenticateKerberos()
    
    We use kerberos_kinit_passwords_ext() to check the password before
    and after ServerPasswordSet2() as ServerAuthenticateKerberos()
    does not check it. We use the ip address of the dcerpc connection
    in order to use a fixed KDC, so that we talk to the same server
    that also received the ServerPasswordSet2().
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Jennifer Sutton <[email protected]>

commit 6e21dbce1258f9967135eaaf56b9eb8d85d987a0
Author: Stefan Metzmacher <[email protected]>
Date:   Tue Nov 5 12:42:37 2024 +0100

    s3:libads: rename variables in trust_pw_change()
    
    We'll have more than nt_hashes soon.
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Jennifer Sutton <[email protected]>

-----------------------------------------------------------------------

Summary of changes:
 .../smbdotconf/winbind/clientusekrb5netlogon.xml   |  48 ++++
 .../winbind/rejectaesnetlogonservers.xml           |  30 +++
 docs-xml/smbdotconf/winbind/rejectmd5servers.xml   |   2 +
 lib/param/loadparm.c                               |  13 +
 lib/param/param.h                                  |   1 +
 lib/param/param_table.c                            |  12 +
 libcli/auth/netlogon_creds_cli.c                   | 219 ++++++++++++++-
 libcli/auth/netlogon_creds_cli.h                   |   5 +
 librpc/rpc/rpc_common.h                            |   2 +
 python/samba/tests/auth_log.py                     | 241 ++++++++++++++---
 python/samba/tests/s3_net_join.py                  |   3 +-
 selftest/expectedfail.d/samba4.rpc.pac.krb5        |   5 +
 selftest/target/Samba3.pm                          |   3 +
 selftest/target/Samba4.pm                          |   3 +
 source3/libads/trusts_util.c                       | 294 +++++++++++++++++++--
 source3/libnet/libnet_join.c                       |   9 +
 source3/param/loadparm.c                           |   1 +
 source3/rpc_client/cli_netlogon.c                  |  76 ++++++
 source3/rpc_client/cli_pipe_schannel.c             |  24 +-
 source3/rpcclient/rpcclient.c                      |   5 +
 source3/script/tests/test_update_keytab.sh         |   2 +-
 source3/winbindd/winbindd_cm.c                     | 127 ++++++++-
 source4/librpc/rpc/dcerpc_auth.c                   |   6 +
 source4/librpc/rpc/dcerpc_schannel.c               | 280 +++++++++++++++++++-
 source4/librpc/rpc/dcerpc_util.c                   |  16 +-
 source4/torture/rpc/lsa.c                          |  11 +-
 source4/torture/rpc/netlogon.c                     |  73 ++++-
 source4/torture/rpc/remote_pac.c                   |  74 +++++-
 source4/torture/rpc/samlogon.c                     | 111 +++++++-
 source4/torture/rpc/schannel.c                     |  50 +++-
 testprogs/blackbox/test_rpcclient_schannel.sh      |  51 +++-
 31 files changed, 1675 insertions(+), 122 deletions(-)
 create mode 100644 docs-xml/smbdotconf/winbind/clientusekrb5netlogon.xml
 create mode 100644 docs-xml/smbdotconf/winbind/rejectaesnetlogonservers.xml
 create mode 100644 selftest/expectedfail.d/samba4.rpc.pac.krb5


Changeset truncated at 500 lines:

diff --git a/docs-xml/smbdotconf/winbind/clientusekrb5netlogon.xml 
b/docs-xml/smbdotconf/winbind/clientusekrb5netlogon.xml
new file mode 100644
index 00000000000..ad0fc907903
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/clientusekrb5netlogon.xml
@@ -0,0 +1,48 @@
+<samba:parameter name="client use krb5 netlogon"
+                 context="G"
+                 type="enum"
+                 enumlist="enum_bool_auto_default"
+                 function="_client_use_krb5_netlogon"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc";>
+<description>
+       <para><emphasis>This option is experimental for now!</emphasis>
+       </para>
+
+       <para>This option controls whether winbindd (and other client tools)
+       try to use ServerAuthenticateKerberos for the netlogon secure 
channel.</para>
+
+       <para>The behavior can be controlled per netbios domain
+       by using 'client use krb5 netlogon:NETBIOSDOMAIN = yes|no' as 
option.</para>
+
+       <para>This option is over-ridden by the <smbconfoption name="reject aes 
netlogon servers"/> option (if it is effectively on)
+       and lets <smbconfoption name="client use krb5 netlogon"/> be yes as 
well.</para>
+
+       <para>
+       The 'default' currently maps to 'no'.
+       </para>
+
+       <para>
+       A meaning of 'auto' depends on the used kerberos library
+       and the trust/domain type.
+       </para>
+
+       <para>
+       If samba was compiled using '--without-ads' or
+       '--with-system-heimdalkrb5' it is not possible to
+       activate the ServerAuthenticateKerberos feature,
+       as the krb5_init_creds_step() function is not available.
+       This forces 'auto' to behave as 'no'.
+       </para>
+
+       <para>
+       The value of 'auto' maps to 'yes' if the domain
+       is detected as active directory domain, e.g.
+       with 'SECURITY = ADS' or on an active directory domain controller.
+       </para>
+</description>
+
+<value type="default">default</value>
+<value type="example">no</value>
+<value type="example">auto</value>
+<value type="example">yes</value>
+</samba:parameter>
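Review bot: the third paragraph of the description is hard to parse ("This option is over-ridden by the reject aes netlogon servers option (if it is effectively on) and lets client use krb5 netlogon be yes as well"); the code in netlogon_creds_cli_context_global simply forces client_use_krb5_netlogon to true whenever reject_aes_servers is set, so say that directly, e.g. "If reject aes netlogon servers is effectively yes, this option is forced to yes." Also spell it "overridden" rather than "over-ridden" (the same hyphenated form appears in the rejectmd5servers.xml hunk, two lines away from an existing "overrides"), and write "Active Directory" consistently in the last two paragraphs.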
diff --git a/docs-xml/smbdotconf/winbind/rejectaesnetlogonservers.xml 
b/docs-xml/smbdotconf/winbind/rejectaesnetlogonservers.xml
new file mode 100644
index 00000000000..6810bed2896
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/rejectaesnetlogonservers.xml
@@ -0,0 +1,30 @@
+<samba:parameter name="reject aes netlogon servers"
+                 context="G"
+                 type="boolean"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc";>
+<description>
+       <para>This option controls whether winbindd requires support
+       for ServerAuthenticateKerberos support for the netlogon secure 
channel.</para>
+
+       <para>Support for ServerAuthenticateKerberos was added in Windows
+       starting with Server 2025, it's available in Samba active directory 
domain controllers
+       starting with 4.22 with the '<smbconfoption name="server support krb5 
netlogon">yes</smbconfoption>' option,
+       which is disabled by default.
+       </para>
+
+       <para>The following flags will be required: NETLOGON_NEG_PASSWORD_SET2,
+       NETLOGON_NEG_SUPPORTS_KERBEROS_AUTH and 
NETLOGON_NEG_AUTHENTICATED_RPC.</para>
+
+       <para>You can set this to yes if all domain controllers support
+       ServerAuthenticateKerberos.
+       This will prevent downgrade attacks.</para>
+
+       <para>The behavior can be controlled per netbios domain
+       by using 'reject aes netlogon servers:NETBIOSDOMAIN = no' as 
option.</para>
+
+       <para>This option overrides the <smbconfoption name="reject md5 
servers"/> option.</para>
+       <para>This option overrides the <smbconfoption name="client use krb5 
netlogon"/> option (if it is effectively off).</para>
+</description>
+
+<value type="default">no</value>
+</samba:parameter>
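Review bot: the list of required flags in this description does not match the code: when reject_aes_servers is set, netlogon_creds_cli_context_global also ORs NETLOGON_NEG_ARCFOUR, NETLOGON_NEG_STRONG_KEYS and NETLOGON_NEG_SUPPORTS_AES into required_flags (with NETLOGON_NEG_SUPPORTS_AES cleared again once NETLOGON_NEG_SUPPORTS_KERBEROS_AUTH is required), so either document the full set or word it as "at least the following flags". Two wording fixes in the same text: "requires support for ServerAuthenticateKerberos support" repeats "support", and "was added in Windows starting with Server 2025, it's available in Samba ..." is a comma splice that should be two sentences.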
diff --git a/docs-xml/smbdotconf/winbind/rejectmd5servers.xml 
b/docs-xml/smbdotconf/winbind/rejectmd5servers.xml
index 3bc4eaf7b02..1d6e0c8ad6d 100644
--- a/docs-xml/smbdotconf/winbind/rejectmd5servers.xml
+++ b/docs-xml/smbdotconf/winbind/rejectmd5servers.xml
@@ -18,6 +18,8 @@
        <para>The default changed from 'no' to 'yes, with the patches for 
CVE-2022-38023,
        see https://bugzilla.samba.org/show_bug.cgi?id=15240</para>
 
+       <para>This option is over-ridden by the <smbconfoption name="reject aes 
netlogon servers"/> option.</para>
+
        <para>This option overrides the <smbconfoption name="require strong 
key"/> option.</para>
 </description>
 
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index aecde4ab8bd..7d7c7493eb2 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2932,6 +2932,8 @@ struct loadparm_context *loadparm_init(TALLOC_CTX 
*mem_ctx)
 
        lpcfg_do_global_parameter(lp_ctx, "client schannel", "True");
 
+       lpcfg_do_global_parameter(lp_ctx, "client use krb5 netlogon", 
"default");
+
        lpcfg_do_global_parameter(lp_ctx, "smb encrypt", "default");
 
        lpcfg_do_global_parameter(lp_ctx, "max log size", "5000");
@@ -3681,6 +3683,17 @@ bool lpcfg_server_signing_allowed(struct 
loadparm_context *lp_ctx, bool *mandato
        return allowed;
 }
 
+int lpcfg_client_use_krb5_netlogon(struct loadparm_context *lp_ctx)
+{
+       int val = lpcfg__client_use_krb5_netlogon(lp_ctx);
+
+       if (val == LP_ENUM_Default) {
+               val = false;
+       }
+
+       return val;
+}
+
 int lpcfg_tdb_hash_size(struct loadparm_context *lp_ctx, const char *name)
 {
        const char *base;
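Review bot: in lpcfg_client_use_krb5_netlogon() the line `val = false;` assigns a bool into an int that may also carry Auto (2), and the reason for the mapping is only stated in clientusekrb5netlogon.xml ("The 'default' currently maps to 'no'"); add a comment here pointing at that sentence, because whoever later changes the documented default has to change both places. The source3/param/loadparm.c counterpart listed in the summary is not visible in the truncated changeset; please double-check it performs the same LP_ENUM_Default -> false mapping so the two parameter systems do not diverge.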
diff --git a/lib/param/param.h b/lib/param/param.h
index aed48c1660c..02a21280d80 100644
--- a/lib/param/param.h
+++ b/lib/param/param.h
@@ -41,6 +41,7 @@ struct param_context;
 struct smbsrv_connection;
 
 #define Auto (2)
+#define LP_ENUM_Default (-2)
 
 struct loadparm_context;
 struct loadparm_service;
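Review bot: `#define LP_ENUM_Default (-2)` deserves a one-line comment explaining the value: -1 is already the `{-1, NULL}` terminator of the enum_list tables (see enum_bool_auto_default in param_table.c) and 0/1/2 are taken by false/true/Auto, which is why -2 was chosen. Without that, a later cleanup may "simplify" it to -1 and silently truncate every table that uses it.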
diff --git a/lib/param/param_table.c b/lib/param/param_table.c
index f2a5a7ec40d..0283569882a 100644
--- a/lib/param/param_table.c
+++ b/lib/param/param_table.c
@@ -91,6 +91,18 @@ static const struct enum_list enum_bool_auto[] = {
        {-1, NULL}
 };
 
+static const struct enum_list enum_bool_auto_default[] = {
+       {false, "No"},
+       {false, "False"},
+       {false, "0"},
+       {true, "Yes"},
+       {true, "True"},
+       {true, "1"},
+       {Auto, "Auto"},
+       {LP_ENUM_Default, "default"},
+       {-1, NULL}
+};
+
 static const struct enum_list enum_csc_policy[] = {
        {CSC_POLICY_MANUAL, "manual"},
        {CSC_POLICY_DOCUMENTS, "documents"},
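Review bot: style nit in enum_bool_auto_default: the new `{LP_ENUM_Default, "default"}` entry is the only lowercase string in a table whose other entries are "No", "Yes", "Auto" and so on; use "Default" for consistency. If enum lookups are case-sensitive, the `lpcfg_do_global_parameter(lp_ctx, "client use krb5 netlogon", "default")` call in loadparm_init depends on the exact spelling here, so keep the two in sync.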
diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
index 2ac5eefc6e7..879f79c5400 100644
--- a/libcli/auth/netlogon_creds_cli.c
+++ b/libcli/auth/netlogon_creds_cli.c
@@ -358,8 +358,17 @@ NTSTATUS netlogon_creds_cli_context_global(struct 
loadparm_context *lp_ctx,
        uint32_t required_flags = 0;
        bool reject_md5_servers = true;
        bool require_strong_key = true;
+       bool reject_aes_servers = true;
        int require_sign_or_seal = true;
        bool seal_secure_channel = true;
+       bool trust_support_kerberos = false;
+#if defined(HAVE_ADS) && defined(HAVE_KRB5_INIT_CREDS_STEP)
+       const bool support_krb5_netlogon = true;
+#else
+       const bool support_krb5_netlogon = false;
+#endif
+       int global_client_use_krb5_netlogon = true;
+       bool client_use_krb5_netlogon = true;
        enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
        bool neutralize_nt4_emulation = false;
 
@@ -426,6 +435,24 @@ NTSTATUS netlogon_creds_cli_context_global(struct 
loadparm_context *lp_ctx,
                                                   server_netbios_domain,
                                                   neutralize_nt4_emulation);
 
+       /*
+        * allow overwrite per domain
+        * reject aes netlogon servers:<netbios_domain>
+        */
+       reject_aes_servers = lpcfg_reject_aes_netlogon_servers(lp_ctx);
+       reject_aes_servers = lpcfg_parm_bool(lp_ctx, NULL,
+                                            "reject aes netlogon servers",
+                                            server_netbios_domain,
+                                            reject_aes_servers);
+
+       /*
+        * allow overwrite per domain
+        * client use krb5 netlogon:<netbios_domain>
+        *
+        * See further below!
+        */
+       global_client_use_krb5_netlogon = 
lpcfg_client_use_krb5_netlogon(lp_ctx);
+
        proposed_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
        proposed_flags |= NETLOGON_NEG_SUPPORTS_AES;
 
@@ -438,6 +465,7 @@ NTSTATUS netlogon_creds_cli_context_global(struct 
loadparm_context *lp_ctx,
                        required_flags |= NETLOGON_NEG_PASSWORD_SET2;
                        require_sign_or_seal = true;
                        require_strong_key = true;
+                       trust_support_kerberos = true;
                }
                break;
 
@@ -452,12 +480,16 @@ NTSTATUS netlogon_creds_cli_context_global(struct 
loadparm_context *lp_ctx,
                require_sign_or_seal = true;
                require_strong_key = true;
                neutralize_nt4_emulation = true;
+               trust_support_kerberos = true;
                break;
 
        case SEC_CHAN_BDC:
                required_flags |= NETLOGON_NEG_PASSWORD_SET2;
                require_sign_or_seal = true;
                require_strong_key = true;
+               if (lpcfg_server_role(lp_ctx) == ROLE_ACTIVE_DIRECTORY_DC) {
+                       trust_support_kerberos = true;
+               }
                break;
 
        case SEC_CHAN_RODC:
@@ -466,6 +498,7 @@ NTSTATUS netlogon_creds_cli_context_global(struct 
loadparm_context *lp_ctx,
                require_sign_or_seal = true;
                require_strong_key = true;
                neutralize_nt4_emulation = true;
+               trust_support_kerberos = true;
                break;
 
        default:
@@ -473,6 +506,32 @@ NTSTATUS netlogon_creds_cli_context_global(struct 
loadparm_context *lp_ctx,
                return NT_STATUS_INVALID_PARAMETER;
        }
 
+       if (global_client_use_krb5_netlogon == Auto) {
+               if (support_krb5_netlogon) {
+                       global_client_use_krb5_netlogon = 
trust_support_kerberos;
+               } else {
+                       global_client_use_krb5_netlogon = false;
+               }
+       }
+       client_use_krb5_netlogon = global_client_use_krb5_netlogon;
+       client_use_krb5_netlogon = lpcfg_parm_bool(lp_ctx, NULL,
+                                                  "client use krb5 netlogon",
+                                                  server_netbios_domain,
+                                                  client_use_krb5_netlogon);
+
+       if (reject_aes_servers) {
+               client_use_krb5_netlogon = true;
+       }
+
+       if (client_use_krb5_netlogon) {
+               if (!support_krb5_netlogon) {
+                       DBG_ERR("No support for ServerAuthenticateKerberos!\n");
+                       TALLOC_FREE(frame);
+                       return NT_STATUS_DEVICE_FEATURE_NOT_SUPPORTED;
+               }
+               proposed_flags |= NETLOGON_NEG_SUPPORTS_KERBEROS_AUTH;
+       }
+
        if (neutralize_nt4_emulation) {
                proposed_flags |= NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION;
        }
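Review bot: the `DBG_ERR("No support for ServerAuthenticateKerberos!\n")` path is reached either because the admin set 'client use krb5 netlogon = yes' or because 'reject aes netlogon servers' forced client_use_krb5_netlogon to true a few lines earlier, and on a build without HAVE_ADS and HAVE_KRB5_INIT_CREDS_STEP the whole netlogon context setup then fails with NT_STATUS_DEVICE_FEATURE_NOT_SUPPORTED. Include server_netbios_domain and which of the two options triggered it in the message; otherwise an admin sees a one-line error with no hint which smb.conf setting (or per-domain override) to change.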
@@ -497,6 +556,15 @@ NTSTATUS netlogon_creds_cli_context_global(struct 
loadparm_context *lp_ctx,
                required_flags |= NETLOGON_NEG_AUTHENTICATED_RPC;
        }
 
+       if (reject_aes_servers) {
+               required_flags |= NETLOGON_NEG_ARCFOUR;
+               required_flags |= NETLOGON_NEG_STRONG_KEYS;
+               required_flags |= NETLOGON_NEG_PASSWORD_SET2;
+               required_flags |= NETLOGON_NEG_SUPPORTS_AES;
+               required_flags |= NETLOGON_NEG_AUTHENTICATED_RPC;
+               required_flags |= NETLOGON_NEG_SUPPORTS_KERBEROS_AUTH;
+       }
+
        /*
         * If weak crypto is disabled, do not announce that we support RC4 and
         * require AES.
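Review bot: inside the `if (reject_aes_servers)` block, `required_flags |= NETLOGON_NEG_SUPPORTS_AES;` is dead: the same block adds NETLOGON_NEG_SUPPORTS_KERBEROS_AUTH to required_flags, and the later `if (required_flags & NETLOGON_NEG_SUPPORTS_KERBEROS_AUTH)` hunk unconditionally clears NETLOGON_NEG_SUPPORTS_AES again. Either drop the line or add a comment that it is intentionally removed below, so the next reader does not have to trace the flag through the function.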
@@ -512,6 +580,14 @@ NTSTATUS netlogon_creds_cli_context_global(struct 
loadparm_context *lp_ctx,
                required_flags &= ~NETLOGON_NEG_STRONG_KEYS;
        }
 
+       if (required_flags & NETLOGON_NEG_SUPPORTS_KERBEROS_AUTH) {
+               required_flags &= ~NETLOGON_NEG_SUPPORTS_AES;
+       }
+
+       if (proposed_flags & NETLOGON_NEG_SUPPORTS_KERBEROS_AUTH) {
+               seal_secure_channel = true;
+       }
+
        if (seal_secure_channel) {
                auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
        } else {
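Review bot: `seal_secure_channel = true;` under `if (proposed_flags & NETLOGON_NEG_SUPPORTS_KERBEROS_AUTH)` silently overrides the value the function had assigned earlier. A short comment that Kerberos-authenticated netlogon only works at DCERPC_AUTH_LEVEL_PRIVACY (which netlogon_creds_cli_check_transport enforces for creds->authenticate_kerberos further down), plus a DBG_NOTICE when the override actually changes the value, would make a "why is my pipe sealed although I configured otherwise" report much easier to diagnose.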
@@ -598,6 +674,24 @@ char *netlogon_creds_cli_debug_string(
                               context->db.key_name);
 }
 
+void netlogon_creds_cli_use_kerberos(
+               struct netlogon_creds_cli_context *context,
+               bool *client_use_krb5_netlogon,
+               bool *reject_aes_servers)
+{
+       *client_use_krb5_netlogon = false;
+       *reject_aes_servers = false;
+
+       if (context->client.required_flags & 
NETLOGON_NEG_SUPPORTS_KERBEROS_AUTH) {
+               *client_use_krb5_netlogon = true;
+               *reject_aes_servers = true;
+       }
+
+       if (context->client.proposed_flags & 
NETLOGON_NEG_SUPPORTS_KERBEROS_AUTH) {
+               *client_use_krb5_netlogon = true;
+       }
+}
+
 enum dcerpc_AuthLevel netlogon_creds_cli_auth_level(
                struct netlogon_creds_cli_context *context)
 {
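Review bot: netlogon_creds_cli_use_kerberos() derives both outputs from context->client.required_flags and proposed_flags rather than from the smb.conf values, and the two-step rule (required flag => use and reject, proposed flag => use only) is not obvious from the name. Add a doc comment in netlogon_creds_cli.h (its five-line change is not in the truncated diff) stating that *reject_aes_servers implies *client_use_krb5_netlogon and that the result already reflects the per-domain overrides applied in netlogon_creds_cli_context_global, so callers do not re-read the options themselves.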
@@ -605,6 +699,7 @@ enum dcerpc_AuthLevel netlogon_creds_cli_auth_level(
 }
 
 static bool netlogon_creds_cli_downgraded(uint32_t negotiated_flags,
+                                         bool authenticate_kerberos,
                                          uint32_t proposed_flags,
                                          uint32_t required_flags)
 {
@@ -612,6 +707,24 @@ static bool netlogon_creds_cli_downgraded(uint32_t 
negotiated_flags,
        uint32_t tmp_flags;
 
        req_flags = required_flags;
+       if (authenticate_kerberos) {
+               if ((negotiated_flags & NETLOGON_NEG_SUPPORTS_KERBEROS_AUTH) &&
+                   (proposed_flags & NETLOGON_NEG_SUPPORTS_KERBEROS_AUTH))
+               {
+                       req_flags &= ~NETLOGON_NEG_ARCFOUR;
+                       req_flags &= ~NETLOGON_NEG_STRONG_KEYS;
+                       req_flags &= ~NETLOGON_NEG_SUPPORTS_AES;
+               } else {
+                       return true;
+               }
+       } else {
+               if (req_flags & NETLOGON_NEG_SUPPORTS_KERBEROS_AUTH) {
+                       return true;
+               }
+               if (negotiated_flags & NETLOGON_NEG_SUPPORTS_KERBEROS_AUTH) {
+                       return true;
+               }
+       }
        if ((negotiated_flags & NETLOGON_NEG_SUPPORTS_AES) &&
            (proposed_flags & NETLOGON_NEG_SUPPORTS_AES))
        {
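Review bot: in the non-Kerberos branch of netlogon_creds_cli_downgraded(), `if (negotiated_flags & NETLOGON_NEG_SUPPORTS_KERBEROS_AUTH) return true;` fires even when the flag was never in proposed_flags, i.e. a server that echoes Kerberos support the client did not ask for is treated as a downgrade. If that is intentional (a reply flag the client never proposed is itself suspicious), say so in a comment; if not, mask it with proposed_flags the same way the NETLOGON_NEG_SUPPORTS_AES check immediately below does.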
@@ -674,6 +787,7 @@ static void netlogon_creds_cli_fetch_parser(TDB_DATA key, 
TDB_DATA data,
 
        downgraded = netlogon_creds_cli_downgraded(
                        state->creds->negotiate_flags,
+                       state->creds->authenticate_kerberos,
                        state->proposed_flags,
                        state->required_flags);
        if (downgraded) {
@@ -1227,6 +1341,19 @@ static NTSTATUS netlogon_creds_cli_check_transport(
                return NT_STATUS_INVALID_PARAMETER_MIX;
        }
 
+       if (creds->authenticate_kerberos) {
+               if (auth_type == DCERPC_AUTH_TYPE_KRB5) {
+                       switch (auth_level) {
+                       case DCERPC_AUTH_LEVEL_PRIVACY:
+                               return NT_STATUS_OK;
+                       default:
+                               break;
+                       }
+               }
+
+               return NT_STATUS_INVALID_PARAMETER_MIX;
+       }
+
        if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
                switch (auth_level) {
                case DCERPC_AUTH_LEVEL_INTEGRITY:
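Review bot: the early return for creds->authenticate_kerberos should carry a comment stating that DCERPC_AUTH_LEVEL_INTEGRITY is deliberately rejected for Kerberos-authenticated credentials even though the schannel branch below accepts it; as written, a reader may mistake the one-case switch for an incomplete copy of that branch. A direct test, `if (auth_type == DCERPC_AUTH_TYPE_KRB5 && auth_level == DCERPC_AUTH_LEVEL_PRIVACY) { return NT_STATUS_OK; }`, followed by the error return, would also read more clearly than a switch with a single case and a default that only breaks.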
@@ -1275,11 +1402,15 @@ struct netlogon_creds_cli_auth_state {
        struct netr_Credential server_credential;
        uint32_t negotiate_flags;
        uint32_t rid;
+       bool try_krb5;
+       bool require_krb5;
        bool try_auth3;
        bool try_auth2;
        bool require_auth2;
 };
 
+static void netlogon_creds_cli_auth_srvauth_done(struct tevent_req *subreq);
+
 static void netlogon_creds_cli_auth_challenge_start(struct tevent_req *req);
 
 struct tevent_req *netlogon_creds_cli_auth_send(TALLOC_CTX *mem_ctx,
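Review bot: require_krb5 is written in netlogon_creds_cli_auth_send() (set when reject_aes_servers is true) but nothing in the hunks shown here reads it, so the new field needs either a comment on its meaning or a pointer to its consumer; presumably netlogon_creds_cli_auth_srvauth_done(), declared just below, uses it to refuse falling back to the challenge path after a failed ServerAuthenticateKerberos(), but that callback is not visible in this part of the patch.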
@@ -1292,6 +1423,8 @@ struct tevent_req 
*netlogon_creds_cli_auth_send(TALLOC_CTX *mem_ctx,
        struct tevent_req *req;
        struct netlogon_creds_cli_auth_state *state;
        NTSTATUS status;
+       bool client_use_krb5_netlogon = false;
+       bool reject_aes_servers = false;
 
        req = tevent_req_create(mem_ctx, &state,
                                struct netlogon_creds_cli_auth_state);
@@ -1337,6 +1470,25 @@ struct tevent_req 
*netlogon_creds_cli_auth_send(TALLOC_CTX *mem_ctx,
                state->require_auth2 = true;
        }
 
+       netlogon_creds_cli_use_kerberos(context,
+                                       &client_use_krb5_netlogon,
+                                       &reject_aes_servers);
+       if (client_use_krb5_netlogon) {
+               if (state->auth_type == DCERPC_AUTH_TYPE_KRB5 &&
+                   state->auth_level == DCERPC_AUTH_LEVEL_PRIVACY)
+               {
+                       state->try_krb5 = true;
+               }
+       }
+
+       if (reject_aes_servers) {
+               if (!state->try_krb5) {
+                       tevent_req_nterror(req, 
NT_STATUS_INVALID_PARAMETER_MIX);
+                       return tevent_req_post(req, ev);
+               }
+               state->require_krb5 = true;
+       }
+
        state->used_nt_hash = state->nt_hashes[state->idx_nt_hashes];
        state->current_flags = context->client.proposed_flags;
 
@@ -1346,6 +1498,40 @@ struct tevent_req 
*netlogon_creds_cli_auth_send(TALLOC_CTX *mem_ctx,
                return tevent_req_post(req, ev);
        }
 
+       if (state->try_krb5) {
+               struct tevent_req *subreq = NULL;
+
+               state->creds = netlogon_creds_kerberos_init(state,
+                                               state->context->client.account,
+                                               state->context->client.computer,
+                                               state->context->client.type,
+                                               
state->context->client.proposed_flags,
+                                               NULL, /* client_sid */
+                                               state->current_flags);
+               if (tevent_req_nomem(state->creds, req)) {
+                       return tevent_req_post(req, ev);
+               }
+
+               state->negotiate_flags = state->context->client.proposed_flags;
+
+               subreq = dcerpc_netr_ServerAuthenticateKerberos_send(state,
+                                               state->ev,
+                                               state->binding_handle,
+                                               state->srv_name_slash,
+                                               state->context->client.account,
+                                               state->context->client.type,
+                                               state->context->client.computer,
+                                               &state->negotiate_flags,
+                                               &state->rid);
+               if (tevent_req_nomem(subreq, req)) {
+                       return tevent_req_post(req, ev);
+               }
+               tevent_req_set_callback(subreq,
+                                       netlogon_creds_cli_auth_srvauth_done,
+                                       req);
+               return req;
+       }
+
        netlogon_creds_cli_auth_challenge_start(req);
        if (!tevent_req_is_in_progress(req)) {
                return tevent_req_post(req, ev);
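Review bot: state->creds is created from state->current_flags before the server has answered, and &state->negotiate_flags is passed in/out to dcerpc_netr_ServerAuthenticateKerberos_send(), so netlogon_creds_cli_auth_srvauth_done() (not shown here) must both run netlogon_creds_cli_downgraded() on the returned negotiate_flags with authenticate_kerberos set and store the result into state->creds->negotiate_flags; otherwise a server that strips NETLOGON_NEG_SUPPORTS_KERBEROS_AUTH from the reply would be accepted with the client's proposed flags still recorded in the credentials. Also, state->current_flags was assigned context->client.proposed_flags immediately before this block, so the fifth and last arguments to netlogon_creds_kerberos_init() carry the same value on this path; a comment saying whether that is intentional, or passing a single variable, would avoid the question.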
@@ -1403,7 +1589,7 @@ static void netlogon_creds_cli_auth_challenge_done(struct 
tevent_req *subreq)
                return;
        }
 
-       if (!state->try_auth3 && !state->try_auth2) {
+       if (!state->try_krb5 && !state->try_auth3 && !state->try_auth2) {
                state->current_flags = 0;
        }
 
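Review bot: adding !state->try_krb5 to this condition means that if the challenge path is reached while try_krb5 is still set, current_flags is no longer cleared for the final retry; if netlogon_creds_cli_auth_srvauth_done() is meant to fall back to netlogon_creds_cli_auth_challenge_start() after a failed ServerAuthenticateKerberos(), it should reset try_krb5 = false first (or this condition should not depend on try_krb5), otherwise the last-resort retry with current_flags = 0 is skipped. If the Kerberos attempt and the challenge path are mutually exclusive, a comment saying so would explain why the extra check is needed here at all.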


-- 
Samba Shared Repository