[SCM] Samba Shared Repository - branch master updated

2021-11-29 Thread Andrew Bartlett
The branch, master has been updated
   via  38c5bad4a85 kdc: Require that PAC_REQUESTER_SID buffer is present for TGTs
   via  9bd26804852 heimdal:kdc: Do not generate extra PAC buffers for S4U2Self service ticket
   via  ee4aa21c487 selftest: Properly check extra PAC buffers with Heimdal
   via  1f4f3018c50 heimdal:kdc: Always generate a PAC for S4U2Self
   via  192d6edfe91 tests/krb5: Add a test for S4U2Self with no authorization data required
   via  4b60e951649 kdc: Remove PAC_TYPE_ATTRIBUTES_INFO from RODC-issued tickets
   via  90025b6a4d2 kdc: Don't include extra PAC buffers in service tickets
   via  e61983c7f2c Revert "CVE-2020-25719 s4/torture: Expect additional PAC buffers"
   via  73a48063469 tests/krb5: Add tests for renewal and validation of RODC TGTs with PAC requests
   via  690a00a40c0 kdc: Always add the PAC if the header TGT is from an RODC
   via  b6a25f5f016 kdc: Match Windows error code for mismatching sname
   via  bac5f750594 tests/krb5: Add test for S4U2Self with wrong sname
   via  d5d22bf84a7 kdc: Adjust SID mismatch error code to match Windows
   via  f7a2fef8f49 heimdal:kdc: Adjust no-PAC error code to match Windows
   via  9cfb88ba048 s4:torture: Fix typo
   via  11fb9476ad3 heimdal:kdc: Fix error message for user-to-user
   via  749349efab9 tests/krb5: Add comments for tests that fail against Windows
   via  ca80c47406e tests/krb5: Add tests for validation with requester SID PAC buffer
   via  ebc9137cee9 tests/krb5: Align PAC buffer checking to more closely match Windows with PacRequestorEnforcement=2
   via  ec823c2a83c tests/krb5: Add TGS-REQ tests with FAST
   via  778029c1dc4 tests/krb5: Add tests for TGS requests with a non-TGT
   via  7574ba9f580 tests/krb5: Add tests for invalid TGTs
   via  28d501875a9 tests/krb5: Remove unnecessary expect_pac arguments
   via  d95705172bc tests/krb5: Adjust error codes to better match Windows with PacRequestorEnforcement=2
   via  e930274aa43 tests/krb5: Split out methods to create renewable or invalid tickets
   via  a560c2e9ad8 tests/krb5: Allow PasswordKey_create() to use s2kparams
   via  167bd207048 tests/krb5: Run test_rpc against member server
   via  f0b222e3ecf tests/krb5: Deduplicate AS-REQ tests
   via  57b1b76154d tests/krb5: Remove unused variable
   via  ad4d6fb01fd selftest: Check received LDB error code when STRICT_CHECKING=0
  from  cbf312f02bc s3:winbind: Fix possible NULL pointer dereference

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 38c5bad4a853b19fe9a51fb059e150b153c4632a
Author: Joseph Sutton 
Date:   Wed Nov 24 20:41:54 2021 +1300

kdc: Require that PAC_REQUESTER_SID buffer is present for TGTs

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Tue Nov 30 03:33:26 UTC 2021 on sn-devel-184

commit 9bd26804852d957f81cb311e5142f9190f9afa65
Author: Joseph Sutton 
Date:   Tue Nov 23 19:38:35 2021 +1300

heimdal:kdc: Do not generate extra PAC buffers for S4U2Self service ticket

Normally samba_wdc_get_pac() is used to generate the PAC for a TGT, but
when generating a service ticket for S4U2Self, we want to avoid adding
the additional PAC_ATTRIBUTES_INFO and PAC_REQUESTER_SID buffers.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit ee4aa21c487fa80082a548b2e4f115a791e30340
Author: Joseph Sutton 
Date:   Thu Nov 25 09:29:42 2021 +1300

selftest: Properly check extra PAC buffers with Heimdal

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 1f4f3018c5001b289b91959a72d00575c8fc0ac1
Author: Joseph Sutton 
Date:   Tue Nov 23 17:30:50 2021 +1300

heimdal:kdc: Always generate a PAC for S4U2Self

If we decided not to put a PAC into the ticket, mspac would be NULL
here, and the resulting ticket would not contain a PAC. This could
happen if there was a request to omit the PAC or the service did not
require authorization data. Ensure that we always generate a PAC.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 192d6edfe912105ec344dc554f872a24c03540a3
Author: Joseph Sutton 
Date:   Thu Nov 25 12:46:40 2021 +1300

tests/krb5: Add a test for S4U2Self with no authorization data required

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 4b60e9516497c2e7f1545fe50887d0336b9893f2
Author: Joseph Sutton 
Date:   Thu Nov 25 10:53:49 2021 +1300

kdc: Remove PAC_TYPE_ATTRIBUTES_INFO from RODC-issued tickets

Windows ignores PAC_TYPE_ATTRIBUTES_INFO and always issues a PAC when
presented with an RODC-issued TGT. By removing this PAC buffer from
RODC-issued tickets, we ensure that an RODC-issued ticket will still

[SCM] Samba Shared Repository - branch master updated

2021-11-29 Thread Jeremy Allison
The branch, master has been updated
   via  cbf312f02bc s3:winbind: Fix possible NULL pointer dereference
  from  90febd2a33b s4:mit-kdb: Force canonicalization for looking up principals

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit cbf312f02bc86f9325fb89f6f5441bc61fd3974f
Author: Andreas Schneider 
Date:   Tue Nov 23 15:48:57 2021 +0100

s3:winbind: Fix possible NULL pointer dereference

BUG: https://bugzilla.redhat.com/show_bug.cgi?id=2019888

Signed-off-by: Andreas Schneider 
Reviewed-by: Jeremy Allison 

Autobuild-User(master): Jeremy Allison 
Autobuild-Date(master): Mon Nov 29 19:40:50 UTC 2021 on sn-devel-184

---

Summary of changes:
 source3/winbindd/winbindd_util.c | 3 +++
 1 file changed, 3 insertions(+)


Changeset truncated at 500 lines:

diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index a8c510fafc6..175e05ae3ad 100644
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -1784,6 +1784,9 @@ char *fill_domain_username_talloc(TALLOC_CTX *mem_ctx,
}
 
tmp_user = talloc_strdup(mem_ctx, user);
+   if (tmp_user == NULL) {
+   return NULL;
+   }
if (!strlower_m(tmp_user)) {
TALLOC_FREE(tmp_user);
return NULL;
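Review bot: the commit message should state where the NULL comes from, namely talloc_strdup() returning NULL on allocation failure, rather than only linking the Bugzilla entry; that is the reasoning a reader of git log needs. The fix itself is consistent with the existing strlower_m() failure branch directly below it, which also returns NULL to the caller of fill_domain_username_talloc().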


-- 
Samba Shared Repository



[SCM] Samba Shared Repository - branch master updated

2021-11-29 Thread Andreas Schneider
The branch, master has been updated
   via  90febd2a33b s4:mit-kdb: Force canonicalization for looking up principals
   via  8b83758b7c5 s4:kdc: Remove trailing spaces in db-glue.c
   via  d128a85f999 s4:mit-kdb: Reduce includes to only what's needed
   via  28be1acd8eb mit-kdc: Use more strict KDC default settings
  from  3507e96b3dc CVE-2021-3670 ldap_server: Clearly log LDAP queries and timeouts

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 90febd2a33b88af49af595fe0e995d6ba0f33a1b
Author: Isaac Boukris 
Date:   Sat Sep 19 14:16:20 2020 +0200

s4:mit-kdb: Force canonicalization for looking up principals

See also
https://github.com/krb5/krb5/commit/ac8865a22138ab0c657208c41be8fd6bc7968148

Pair-Programmed-With: Andreas Schneider 
Signed-off-by: Isaac Boukris 
Signed-off-by: Andreas Schneider 
Reviewed-by: Alexander Bokovoy 

Autobuild-User(master): Andreas Schneider 
Autobuild-Date(master): Mon Nov 29 09:32:26 UTC 2021 on sn-devel-184

commit 8b83758b7c51e4effc57c6130abb38bd53d74bb9
Author: Andreas Schneider 
Date:   Tue Oct 19 09:59:54 2021 +0200

s4:kdc: Remove trailing spaces in db-glue.c

Signed-off-by: Andreas Schneider 
Reviewed-by: Alexander Bokovoy 

commit d128a85f999afb002b510ad6ec8c94f7df006195
Author: Andreas Schneider 
Date:   Tue Nov 23 07:43:05 2021 +0100

s4:mit-kdb: Reduce includes to only what's needed

Signed-off-by: Andreas Schneider 
Reviewed-by: Alexander Bokovoy 

commit 28be1acd8eb921c15cbd1260711cbbdd48595e6c
Author: Andreas Schneider 
Date:   Mon Oct 11 10:55:52 2021 +0200

mit-kdc: Use more strict KDC default settings

As we require MIT KRB5 >= 1.19 for the KDC, use more secure defaults.

Signed-off-by: Andreas Schneider 
Reviewed-by: Alexander Bokovoy 

---

Summary of changes:
 python/samba/provision/kerberos.py   |  7 +++
 selftest/knownfail_mit_kdc   | 14 --
 selftest/target/Samba.pm |  7 +++
 source4/heimdal/lib/hdb/hdb.h|  1 +
 source4/kdc/db-glue.c| 15 ++-
 source4/kdc/mit-kdb/kdb_samba_policies.c |  9 ++---
 source4/kdc/mit_samba.c  |  8 
 source4/kdc/sdb.h|  1 +
 8 files changed, 40 insertions(+), 22 deletions(-)


Changeset truncated at 500 lines:

diff --git a/python/samba/provision/kerberos.py 
b/python/samba/provision/kerberos.py
index 6b8ceb28733..665c031ffa5 100644
--- a/python/samba/provision/kerberos.py
+++ b/python/samba/provision/kerberos.py
@@ -52,19 +52,26 @@ def create_kdc_conf(kdcconf, realm, domain, logdir):
 f.write("\tkdc_ports = 88\n")
 f.write("\tkdc_tcp_ports = 88\n")
 f.write("\tkadmind_port = 464\n")
+f.write("\trestrict_anonymous_to_tgt = true\n")
 f.write("\n")
 
 f.write("[realms]\n")
 
 f.write("\t%s = {\n" % realm)
+f.write("\t\tmaster_key_type = aes256-cts\n")
+f.write("\t\tdefault_principal_flags = +preauth\n")
 f.write("\t}\n")
 f.write("\n")
 
 f.write("\t%s = {\n" % realm.lower())
+f.write("\t\tmaster_key_type = aes256-cts\n")
+f.write("\t\tdefault_principal_flags = +preauth\n")
 f.write("\t}\n")
 f.write("\n")
 
 f.write("\t%s = {\n" % domain)
+f.write("\t\tmaster_key_type = aes256-cts\n")
+f.write("\t\tdefault_principal_flags = +preauth\n")
 f.write("\t}\n")
 f.write("\n")
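Review bot: the two new lines (master_key_type = aes256-cts and default_principal_flags = +preauth) are pasted into three identical realm stanzas for realm, realm.lower() and domain; writing the stanza once inside a loop such as `for name in (realm, realm.lower(), domain):` would keep the hardened defaults from silently diverging the next time one stanza is edited. The commit message should also note that create_kdc_conf() only writes new kdc.conf files, so existing provisions keep their old settings and +preauth and restrict_anonymous_to_tgt do not take effect there without regenerating the file.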
 
diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc
index cc7b501c6bf..c046a46a4f3 100644
--- a/selftest/knownfail_mit_kdc
+++ b/selftest/knownfail_mit_kdc
@@ -379,8 +379,6 @@ 
samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
 
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_revealed
 
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_sid_mismatch_existing
 
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_sid_mismatch_nonexisting
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_authdata_no_pac
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_no_pac
 
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_req
 
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_rodc_allowed_denied
 
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_rodc_denied
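Review bot: two known failures (test_s4u2self_authdata_no_pac and test_s4u2self_no_pac) are dropped here, but none of the four commit messages in this push says which change makes them pass on the MIT KDC; the commit that fixes the behaviour should name the tests it removes from knownfail_mit_kdc so the change can be traced if they regress.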
@@ -408,8 +406,6 @@ 
samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_