[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
       via  38c5bad4a85 kdc: Require that PAC_REQUESTER_SID buffer is present for TGTs
       via  9bd26804852 heimdal:kdc: Do not generate extra PAC buffers for S4U2Self service ticket
       via  ee4aa21c487 selftest: Properly check extra PAC buffers with Heimdal
       via  1f4f3018c50 heimdal:kdc: Always generate a PAC for S4U2Self
       via  192d6edfe91 tests/krb5: Add a test for S4U2Self with no authorization data required
       via  4b60e951649 kdc: Remove PAC_TYPE_ATTRIBUTES_INFO from RODC-issued tickets
       via  90025b6a4d2 kdc: Don't include extra PAC buffers in service tickets
       via  e61983c7f2c Revert "CVE-2020-25719 s4/torture: Expect additional PAC buffers"
       via  73a48063469 tests/krb5: Add tests for renewal and validation of RODC TGTs with PAC requests
       via  690a00a40c0 kdc: Always add the PAC if the header TGT is from an RODC
       via  b6a25f5f016 kdc: Match Windows error code for mismatching sname
       via  bac5f750594 tests/krb5: Add test for S4U2Self with wrong sname
       via  d5d22bf84a7 kdc: Adjust SID mismatch error code to match Windows
       via  f7a2fef8f49 heimdal:kdc: Adjust no-PAC error code to match Windows
       via  9cfb88ba048 s4:torture: Fix typo
       via  11fb9476ad3 heimdal:kdc: Fix error message for user-to-user
       via  749349efab9 tests/krb5: Add comments for tests that fail against Windows
       via  ca80c47406e tests/krb5: Add tests for validation with requester SID PAC buffer
       via  ebc9137cee9 tests/krb5: Align PAC buffer checking to more closely match Windows with PacRequestorEnforcement=2
       via  ec823c2a83c tests/krb5: Add TGS-REQ tests with FAST
       via  778029c1dc4 tests/krb5: Add tests for TGS requests with a non-TGT
       via  7574ba9f580 tests/krb5: Add tests for invalid TGTs
       via  28d501875a9 tests/krb5: Remove unnecessary expect_pac arguments
       via  d95705172bc tests/krb5: Adjust error codes to better match Windows with PacRequestorEnforcement=2
       via  e930274aa43 tests/krb5: Split out methods to create renewable or invalid tickets
       via  a560c2e9ad8 tests/krb5: Allow PasswordKey_create() to use s2kparams
       via  167bd207048 tests/krb5: Run test_rpc against member server
       via  f0b222e3ecf tests/krb5: Deduplicate AS-REQ tests
       via  57b1b76154d tests/krb5: Remove unused variable
       via  ad4d6fb01fd selftest: Check received LDB error code when STRICT_CHECKING=0
      from  cbf312f02bc s3:winbind: Fix possible NULL pointer dereference

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit 38c5bad4a853b19fe9a51fb059e150b153c4632a
Author: Joseph Sutton
Date:   Wed Nov 24 20:41:54 2021 +1300

    kdc: Require that PAC_REQUESTER_SID buffer is present for TGTs

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

    Autobuild-User(master): Andrew Bartlett
    Autobuild-Date(master): Tue Nov 30 03:33:26 UTC 2021 on sn-devel-184

commit 9bd26804852d957f81cb311e5142f9190f9afa65
Author: Joseph Sutton
Date:   Tue Nov 23 19:38:35 2021 +1300

    heimdal:kdc: Do not generate extra PAC buffers for S4U2Self service ticket

    Normally samba_wdc_get_pac() is used to generate the PAC for a TGT, but
    when generating a service ticket for S4U2Self, we want to avoid adding
    the additional PAC_ATTRIBUTES_INFO and PAC_REQUESTER_SID buffers.

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit ee4aa21c487fa80082a548b2e4f115a791e30340
Author: Joseph Sutton
Date:   Thu Nov 25 09:29:42 2021 +1300

    selftest: Properly check extra PAC buffers with Heimdal

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit 1f4f3018c5001b289b91959a72d00575c8fc0ac1
Author: Joseph Sutton
Date:   Tue Nov 23 17:30:50 2021 +1300

    heimdal:kdc: Always generate a PAC for S4U2Self

    If we decided not to put a PAC into the ticket, mspac would be NULL
    here, and the resulting ticket would not contain a PAC. This could
    happen if there was a request to omit the PAC or the service did not
    require authorization data. Ensure that we always generate a PAC.

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit 192d6edfe912105ec344dc554f872a24c03540a3
Author: Joseph Sutton
Date:   Thu Nov 25 12:46:40 2021 +1300

    tests/krb5: Add a test for S4U2Self with no authorization data required

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit 4b60e9516497c2e7f1545fe50887d0336b9893f2
Author: Joseph Sutton
Date:   Thu Nov 25 10:53:49 2021 +1300

    kdc: Remove PAC_TYPE_ATTRIBUTES_INFO from RODC-issued tickets

    Windows ignores PAC_TYPE_ATTRIBUTES_INFO and always issues a PAC when
    presented with an RODC-issued TGT. By removing this PAC buffer from
    RODC-issued tickets, we ensure that an RODC-issued ticket will still
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
       via  cbf312f02bc s3:winbind: Fix possible NULL pointer dereference
      from  90febd2a33b s4:mit-kdb: Force canonicalization for looking up principals

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit cbf312f02bc86f9325fb89f6f5441bc61fd3974f
Author: Andreas Schneider
Date:   Tue Nov 23 15:48:57 2021 +0100

    s3:winbind: Fix possible NULL pointer dereference

    BUG: https://bugzilla.redhat.com/show_bug.cgi?id=2019888

    Signed-off-by: Andreas Schneider
    Reviewed-by: Jeremy Allison

    Autobuild-User(master): Jeremy Allison
    Autobuild-Date(master): Mon Nov 29 19:40:50 UTC 2021 on sn-devel-184

---

Summary of changes:
 source3/winbindd/winbindd_util.c | 3 +++
 1 file changed, 3 insertions(+)

Changeset truncated at 500 lines:

diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c index a8c510fafc6..175e05ae3ad 100644 --- a/source3/winbindd/winbindd_util.c +++ b/source3/winbindd/winbindd_util.c @@ -1784,6 +1784,9 @@ char *fill_domain_username_talloc(TALLOC_CTX *mem_ctx, } tmp_user = talloc_strdup(mem_ctx, user); + if (tmp_user == NULL) { + return NULL; + } if (!strlower_m(tmp_user)) { TALLOC_FREE(tmp_user); return NULL; -- Samba Shared Repository
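Review bot: the NULL check sits in the right place in fill_domain_username_talloc(): talloc_strdup() returns NULL on allocation failure and the very next statement hands tmp_user to strlower_m(), so without the check an allocation failure became a NULL dereference instead of a reported error. Returning NULL on the new path matches the existing failure convention visible two lines below (TALLOC_FREE(tmp_user); return NULL;), and no TALLOC_FREE is needed here because nothing was allocated. The remaining thing to confirm during review is that every caller of fill_domain_username_talloc() already treats a NULL return as failure, since until now this condition crashed winbindd rather than propagating an error to the caller.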
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
       via  90febd2a33b s4:mit-kdb: Force canonicalization for looking up principals
       via  8b83758b7c5 s4:kdc: Remove trailing spaces in db-glue.c
       via  d128a85f999 s4:mit-kdb: Reduce includes to only what's needed
       via  28be1acd8eb mit-kdc: Use more strict KDC default settings
      from  3507e96b3dc CVE-2021-3670 ldap_server: Clearly log LDAP queries and timeouts

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit 90febd2a33b88af49af595fe0e995d6ba0f33a1b
Author: Isaac Boukris
Date:   Sat Sep 19 14:16:20 2020 +0200

    s4:mit-kdb: Force canonicalization for looking up principals

    See also https://github.com/krb5/krb5/commit/ac8865a22138ab0c657208c41be8fd6bc7968148

    Pair-Programmed-With: Andreas Schneider

    Signed-off-by: Isaac Boukris
    Signed-off-by: Andreas Schneider
    Reviewed-by: Alexander Bokovoy

    Autobuild-User(master): Andreas Schneider
    Autobuild-Date(master): Mon Nov 29 09:32:26 UTC 2021 on sn-devel-184

commit 8b83758b7c51e4effc57c6130abb38bd53d74bb9
Author: Andreas Schneider
Date:   Tue Oct 19 09:59:54 2021 +0200

    s4:kdc: Remove trailing spaces in db-glue.c

    Signed-off-by: Andreas Schneider
    Reviewed-by: Alexander Bokovoy

commit d128a85f999afb002b510ad6ec8c94f7df006195
Author: Andreas Schneider
Date:   Tue Nov 23 07:43:05 2021 +0100

    s4:mit-kdb: Reduce includes to only what's needed

    Signed-off-by: Andreas Schneider
    Reviewed-by: Alexander Bokovoy

commit 28be1acd8eb921c15cbd1260711cbbdd48595e6c
Author: Andreas Schneider
Date:   Mon Oct 11 10:55:52 2021 +0200

    mit-kdc: Use more strict KDC default settings

    As we require MIT KRB5 >= 1.19 for the KDC, use more secure defaults.

    Signed-off-by: Andreas Schneider
    Reviewed-by: Alexander Bokovoy

---

Summary of changes:
 python/samba/provision/kerberos.py       | 7 +++
 selftest/knownfail_mit_kdc               | 14 --
 selftest/target/Samba.pm                 | 7 +++
 source4/heimdal/lib/hdb/hdb.h            | 1 +
 source4/kdc/db-glue.c                    | 15 ++-
 source4/kdc/mit-kdb/kdb_samba_policies.c | 9 ++---
 source4/kdc/mit_samba.c                  | 8
 source4/kdc/sdb.h                        | 1 +
 8 files changed, 40 insertions(+), 22 deletions(-)

Changeset truncated at 500 lines:

diff --git a/python/samba/provision/kerberos.py b/python/samba/provision/kerberos.py index 6b8ceb28733..665c031ffa5 100644 --- a/python/samba/provision/kerberos.py +++ b/python/samba/provision/kerberos.py @@ -52,19 +52,26 @@ def create_kdc_conf(kdcconf, realm, domain, logdir): f.write("\tkdc_ports = 88\n") f.write("\tkdc_tcp_ports = 88\n") f.write("\tkadmind_port = 464\n") +f.write("\trestrict_anonymous_to_tgt = true\n") f.write("\n") f.write("[realms]\n") f.write("\t%s = {\n" % realm) +f.write("\t\tmaster_key_type = aes256-cts\n") +f.write("\t\tdefault_principal_flags = +preauth\n") f.write("\t}\n") f.write("\n") f.write("\t%s = {\n" % realm.lower()) +f.write("\t\tmaster_key_type = aes256-cts\n") +f.write("\t\tdefault_principal_flags = +preauth\n") f.write("\t}\n") f.write("\n") f.write("\t%s = {\n" % domain) +f.write("\t\tmaster_key_type = aes256-cts\n") +f.write("\t\tdefault_principal_flags = +preauth\n") f.write("\t}\n") f.write("\n") diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc index cc7b501c6bf..c046a46a4f3 100644 --- a/selftest/knownfail_mit_kdc +++ b/selftest/knownfail_mit_kdc
@@ -379,8 +379,6 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_revealed ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_sid_mismatch_existing ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_sid_mismatch_nonexisting -^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_authdata_no_pac -^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_no_pac ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_req ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_rodc_allowed_denied ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_rodc_denied @@ -408,8 +406,6 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
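Review bot: in the python/samba/provision/kerberos.py hunk the same pair of lines (master_key_type = aes256-cts and default_principal_flags = +preauth) is now written out three times, once each for realm, realm.lower() and domain; a loop over those three names, or a helper that emits one realm stanza, would keep the blocks from drifting apart the next time a default is added. The commit message only says "more secure defaults", so it would help to state what each setting buys: restrict_anonymous_to_tgt = true (placed in the section before [realms]) limits anonymous principals to obtaining a TGT rather than service tickets, and +preauth in default_principal_flags makes pre-authentication mandatory for principals created under these defaults, so an unauthenticated AS-REQ no longer returns an encrypted AS-REP that could be attacked offline. Also worth noting in the message that the new kdc.conf is only written at provision time, so existing deployments do not pick these values up automatically.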
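Review bot: the selftest/knownfail_mit_kdc hunk drops the two entries for KdcTgsTests.test_s4u2self_authdata_no_pac and KdcTgsTests.test_s4u2self_no_pac, which means these tests are expected to pass against the MIT KDC from this commit on, but nothing in the visible hunk explains which code change makes them pass; the summary lists edits to source4/kdc/mit-kdb/kdb_samba_policies.c and source4/kdc/mit_samba.c that are cut off by the 500-line truncation, and the commit message should name the behaviour change (presumably the stricter default settings) that flipped these results. The second hunk header (@@ -408,8 +406,6 @@) is also truncated here, so the further knownfail removals it contains cannot be reviewed from this notification.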