[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
       via  c91af5f1a8b tests/krb5: Simplify logic
       via  a9025b68b24 tests/krb5: Improve mock RODC creation
       via  e729606631b selftest: Simplify krb5 test environments
       via  80b22a7869f python: Restore SDDL abbreviations for SIDs
       via  1137ebc654e sddl: Remove SDDL SID strings unsupported by Windows
       via  732d17a129a sddl: Add new SDDL SID strings
       via  e61fa573fe1 sddl: Fix incorrect SDDL SID strings
       via  9b913fcb0f4 s4:rpc_server/lsa: Use explicit SID instead of SDDL abbreviation
       via  d55b717fd62 python: Use explicit SIDs instead of SDDL abbreviations
       via  c26ee3ba966 python:tests: Add tests for SDDL SID strings
      from  ef1dbcdc6cb torture: Allow Samba as an AD DC to use zeros for LM key

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit c91af5f1a8b666cdd305165937bf28c551b88134
Author: Joseph Sutton
Date:   Mon Mar 7 17:07:48 2022 +1300

    tests/krb5: Simplify logic

    This code can be made part of the previous 'else' branch.

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andreas Schneider

    Autobuild-User(master): Joseph Sutton
    Autobuild-Date(master): Fri Mar 18 00:11:25 UTC 2022 on sn-devel-184

commit a9025b68b24956bf543ef85c96a7a8fe91784630
Author: Joseph Sutton
Date:   Mon Mar 7 17:01:40 2022 +1300

    tests/krb5: Improve mock RODC creation

    Use a unique name for the mock RODC. Don't assign to _rodc_ctx until the
    RODC has been created, so we don't try to use a mock RODC that failed to
    create.

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andreas Schneider

commit e729606631b5bfaf7c4ad8c1e70697adf8274777
Author: Joseph Sutton
Date:   Fri Mar 4 16:57:27 2022 +1300

    selftest: Simplify krb5 test environments

    It's not necessary to repeat the required environment variables for
    every test.

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andreas Schneider

commit 80b22a7869f4ec8320a634810a10d3f058526aa7
Author: Joseph Sutton
Date:   Tue Mar 15 10:20:59 2022 +1300

    python: Restore SDDL abbreviations for SIDs

    This time we use the correct values.

    Signed-off-by: Joseph Sutton
    Reviewed-by: Stefan Metzmacher

commit 1137ebc654e4dfd91601abd20262024063a495c8
Author: Joseph Sutton
Date:   Mon Mar 14 18:18:39 2022 +1300

    sddl: Remove SDDL SID strings unsupported by Windows

    Signed-off-by: Joseph Sutton
    Reviewed-by: Stefan Metzmacher

commit 732d17a129ab0f48d0025f5992af38d442b1fc6a
Author: Joseph Sutton
Date:   Mon Mar 14 18:18:09 2022 +1300

    sddl: Add new SDDL SID strings

    Signed-off-by: Joseph Sutton
    Reviewed-by: Stefan Metzmacher

commit e61fa573fe1a911460cfb3b64ba05b031d124256
Author: Joseph Sutton
Date:   Mon Mar 14 18:14:15 2022 +1300

    sddl: Fix incorrect SDDL SID strings

    Change the values to match those used by Windows.

    Verified with PowerShell commands of the form:

        New-Object Security.Principal.SecurityIdentifier ER

    Signed-off-by: Joseph Sutton
    Reviewed-by: Stefan Metzmacher

commit 9b913fcb0f4e69b9fd7db1c974d7534ef356a318
Author: Joseph Sutton
Date:   Mon Mar 14 19:40:45 2022 +1300

    s4:rpc_server/lsa: Use explicit SID instead of SDDL abbreviation

    This is to prepare for the SDDL string being removed.

    Signed-off-by: Joseph Sutton
    Reviewed-by: Stefan Metzmacher

commit d55b717fd62a17b424400af0de2bac41c3ae80f5
Author: Joseph Sutton
Date:   Mon Mar 14 19:40:16 2022 +1300

    python: Use explicit SIDs instead of SDDL abbreviations

    This is to prepare for changing the SDDL string values.

    Signed-off-by: Joseph Sutton
    Reviewed-by: Stefan Metzmacher

commit c26ee3ba9662d03f0c32ee518d7a0a69d3bc8401
Author: Joseph Sutton
Date:   Tue Mar 15 19:24:38 2022 +1300

    python:tests: Add tests for SDDL SID strings

    We get the server to decode the SDDL by putting the SID strings in the
    defaultSecurityDescriptor of a new class and making an object of that
    class. We then check that the resulting SID is what we expect.

    Signed-off-by: Joseph Sutton
    Reviewed-by: Stefan Metzmacher

---

Summary of changes:
 libcli/security/sddl.c                   |  43 +-
 librpc/idl/security.idl                  |  30
 python/samba/descriptor.py               |  16 +-
 python/samba/schema.py                   |   6 +-
 python/samba/tests/krb5/kdc_base_test.py |  20 +--
 python/samba/tests/krb5/raw_testcase.py  |  10 +-
 python/samba/tests/sid_strings.py        | 235 ++
 selftest/knownfail.d/sid-strings         |   3 +
 source4/rpc_server/lsa/lsa_init.c        |   2 +-
 source4/selftest/tests.py                | 241 +--
 10 files changed, 373 insertions(+), 233
[SCM] Samba Shared Repository - branch v4-15-test updated
The branch, v4-15-test has been updated
       via  9d91942913e s3:libads: Fix creating local krb5.conf
       via  736df42fdf9 s3:libads: Check print_canonical_sockaddr_with_port() for NULL in get_kdc_ip_string()
       via  9319309ac1a s3:libads: Remove obsolete free's of kdc_str
       via  3016f01d0c4 s3:libads: Allocate all memory on the talloc stackframe
       via  a76c64f86d8 s3:libads: Use talloc_asprintf_append() in get_kdc_ip_string()
       via  1f7b6fc56c5 s3:libads: Improve debug messages for get_kdc_ip_string()
       via  5608804f02d s3:libads: Leave early on error in get_kdc_ip_string()
       via  fd2373c6bcf s3:libads: Remove trailing spaces in kerberos.c
       via  12c58adffe4 testprogs: Add test that local krb5.conf has been created
       via  9b6e8ae65e2 s3:libsmb: Fix errno for failed authentication in SMBC_server_internal()
       via  1f1d6d4e745 s4:auth: let authenticate_ldap_simple_bind() pass down the mapped nt4names
       via  54fd8eb1aac auth: let auth logging prefer user_info->orig_client.{account,domain}_name if available
       via  5e81cde9fae s4:auth: rename user_info->mapped_state to user_info->cracknames_called
       via  2c15a949f5d winbindd: don't set mapped_state in winbindd_dual_auth_passdb()
       via  2e41cbc8bec nsswitch: let test_wbinfo.sh also test wbinfo -a $USERNAME@$DOMAIN
       via  8cd57a22283 s3:auth: make_user_info_map() should not set mapped_state
       via  249b023f2b8 s4:auth: fix confusing DEBUG message in authsam_want_check()
       via  a304052c4fc s4:auth: check for user_info->mapped.account_name if it needs to be filled
       via  070af6f1fa0 s4:rpc_server/samr: don't set mapped_state in auth_usersupplied_info for audit logging
       via  63a6fb82a77 s4:kdc: don't set mapped_state in auth_usersupplied_info for audit logging
       via  c6bb5e62776 s4:dsdb: don't set mapped_state in auth_usersupplied_info for audit logging
       via  dffebcba823 s4:smb_server: don't set mapped_state explicitly in auth_usersupplied_info
       via  240785f4e4f auth/ntlmssp: don't set mapped_state explicitly in auth_usersupplied_info
       via  db17de0b611 s4:auth: encrypt_user_info() should set password_state instead of mapped_state
       via  2d425bb116a s4:auth: a simple bind uses the DCs name as workstation
       via  02824c7942d s3:rpc_client: let rpccli_netlogon_network_logon() fallback to workstation = lp_netbios_name()
       via  e6926484533 rodc: Add tests for simple BIND alongside NTLMSSP binds
       via  af30bd71cd3 s4:auth_sam: use USER_INFO_INTERACTIVE_LOGON as inducation for an interactive logon
       via  0fcbfd39583 s3:auth: let make_user_info_netlogon_interactive() set USER_INFO_INTERACTIVE_LOGON
       via  0da8b2b3683 dsdb/tests: add test_login_basics_simple()
       via  ec84a7acfcc dsdb/tests: prepare BasePasswordTestCase for simple bind tests
       via  72698f73949 dsdb/tests: introduce assertLoginSuccess
       via  7b63119267a dsdb/tests: make use of assertLoginFailure helper
       via  92da29a1136 dsdb/tests: let all BasePasswordTestCase tests provide self.host_url[_ldaps]
       via  84f7b94852a dsdb/tests: passwords.py don't need to import BasePasswordTestCase
       via  2bbb9a4298c python:tests: let insta_creds() also copy the bind_dn from the template
      from  39ae6f10fa6 VERSION: Bump version up to Samba 4.15.7...

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-15-test

- Log -
commit 9d91942913e0481cfb4af80eeb5a316f6c9d2c3f
Author: Andreas Schneider
Date:   Tue Mar 15 13:10:06 2022 +0100

    s3:libads: Fix creating local krb5.conf

    We create a KDC ip string entry directly at the beginning, use it if we
    don't have any additional DCs.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016

    Signed-off-by: Andreas Schneider
    Reviewed-by: Guenther Deschner

    Autobuild-User(master): Günther Deschner
    Autobuild-Date(master): Wed Mar 16 14:26:36 UTC 2022 on sn-devel-184

    (cherry picked from commit 68d181ee676e17a5cdcfc12c5cc7eef242fdfa6c)

    Autobuild-User(v4-15-test): Stefan Metzmacher
    Autobuild-Date(v4-15-test): Thu Mar 17 10:35:11 UTC 2022 on sn-devel-184

commit 736df42fdf9b4f7977eb6857ff3ab91a5df62b65
Author: Andreas Schneider
Date:   Tue Mar 15 13:02:05 2022 +0100

    s3:libads: Check print_canonical_sockaddr_with_port() for NULL in get_kdc_ip_string()

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016

    Signed-off-by: Andreas Schneider
    Reviewed-by: Guenther Deschner
    (cherry picked from commit 12c843ad0a97fcbaaea738b82941533e5d2aec99)

commit 9319309ac1adf42765e9f3bf325000b92585cd3e
Author: Andreas Schneider
Date:   Tue Mar 15 12:57:18 2022 +0100

    s3:libads: Remove obsolete free's of kdc_str

    This is allocated on the stackframe now!

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016

    Signed-off
[SCM] Samba Shared Repository - branch v4-16-test updated
The branch, v4-16-test has been updated
       via  e79f04a3179 WHATSNEW for Heimdal upgrade
       via  f4236271500 WHATSNEW: older SMB1 command removal/simpliciation and deprecation
      from  41054b61231 s4:kdc: tunnel the check_client_access status to hdb_samba4_audit()

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-16-test

- Log -
commit e79f04a317906b1fbd9a53c831800088e2aab680
Author: Andrew Bartlett
Date:   Wed Mar 16 12:53:47 2022 +1300

    WHATSNEW for Heimdal upgrade

    Signed-off-by: Andrew Bartlett
    Signed-off-by: Stefan Metzmacher
    Reviewed-by: Jeremy Allison

commit f42362715008716ed8508645329a9b16995e7db9
Author: Andrew Bartlett
Date:   Thu Mar 17 07:53:37 2022 +1300

    WHATSNEW: older SMB1 command removal/simpliciation and deprecation

    Signed-off-by: Andrew Bartlett
    Reviewed-by: Jeremy Allison

---

Summary of changes:
 WHATSNEW.txt | 118 +++
 1 file changed, 103 insertions(+), 15 deletions(-)

Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 83d77b5c028..31f656e4095 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -52,6 +52,46 @@ samba-dcerpcd can also be useful for use outside of the Samba framework, for example, use with the Linux kernel SMB2 server ksmbd or possibly other SMB2 server implementations. +Heimdal-8.0pre used for Samba Internal Kerberos, adds FAST support +-- + +Samba has since Samba 4.0 included a snapshot of the Heimdal Kerberos +implementation. This snapshot has now been updated and will closely +match what will be released as Heimdal 8.0 shortly. + +This is a major update, previously we used a snapshot of Heimdal from +2011, and brings important new Kerberos security features such as +Kerberos request armoring, known as FAST. This tunnels ticket +requests and replies that might be encrypted with a weak password +inside a wrapper built with a stronger password, say from a machine +account. + +In Heimdal and MIT modes Samba's KDC now supports FAST, for the +support of non-Windows clients. + +Windows clients will not use this feature however, as they do not +attempt to do so against a server not advertising domain Functional +Level 2012. Samba users are of course free to modify how Samba +advertises itself, but use with Windows clients is not supported "out +of the box". + +Finally, Samba also uses a per-KDC, not per-realm 'cookie' to secure part of +the FAST protocol. A future version will align this more closely with +Microsoft AD behaviour. + +If FAST needs to be disabled on your Samba KDC, set + + kdc enable fast = no + +in the smb.conf. + +The Samba project wishes to thank the numerous developers who have put +in a massive effort to make this possible over many years. In +particular we thank Stefan Metzmacher, Joseph Sutton, Gary Lockyer, +Isaac Boukris and Andrew Bartlett. Samba's developers in turn thank +their employers and in turn their customers who have supported this +effort over many years. + Certificate Auto Enrollment --- 
@@ -135,21 +175,69 @@ CTDB changes REMOVED FEATURES -SMB1 CORE and LANMAN1 protocol wildcard copy, unlink and rename removed -=== - -In preparation for the removal of the SMB1 server, the unused -SMB1 command SMB_COM_COPY (SMB1 command number 0x29) has been -removed from the Samba smbd server. In addition, the ability -to process file name wildcards in requests using the SMB1 commands -SMB_COM_COPY (SMB1 command number 0x2A), SMB_COM_RENAME (SMB1 command -number 0x7), SMB_COM_NT_RENAME (SMB1 command number 0xA5) and -SMB_COM_DELETE (SMB1 command number 0x6) have been removed. - -This only affects clients using MS-DOS based versions of -SMB1, the last release of which was Windows 98. Users requiring -support for these features will need to use older versions -of Samba. +Older SMB1 protocol SMBCopy command removed +--- + +SMB is a nearly 30-year old protocol, and some protocol commands that +while supported in all versions, have not seen widespread use. + +One of those is SMBCopy, a feature for a server-side copy of a file. +This feature has been so unmaintained that Samba has no testsuite for +it. + +The SMB1 command SMB_COM_COPY (SMB1 command number 0x29) was +introduced in the LAN Manager 1.0 dialect and it was rendered obsolete +in the NT LAN Manager dialect. + +Therefore it has been removed from the Samba smbd server. + +We do note that a fully supported and tested server-side copy is +present in SMB2, and can be accessed with "scopy" subcommand in +smbclient) + +SMB1 server-side wildcard expansion removed +--- +
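Review bot: the "kdc enable fast = no" paragraph in the @@ -52,6 +52,46 @@ hunk never states the option's default, so a reader has to infer from "Samba's KDC now supports FAST" that armoring is on unless it is switched off; say so explicitly and name the smb.conf section the setting belongs in. The per-KDC 'cookie' paragraph in the same hunk would also benefit from one sentence on what, if anything, an administrator running more than one KDC should expect until the promised alignment with Microsoft AD behaviour arrives.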
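Review bot: in the @@ -135,21 +175,69 @@ hunk the new SMBCopy section ends with an unmatched closing parenthesis ('"scopy" subcommand in smbclient)') and no full stop, and its opening sentence ("some protocol commands that while supported in all versions, have not seen widespread use") does not parse. Suggest 'can be accessed with the "scopy" subcommand in smbclient.' and "some protocol commands, while supported in all versions, have not seen widespread use." Since this section replaces text that told users who depend on the feature to use older versions of Samba, it is worth checking that the rewritten sections still say so somewhere.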
[SCM] Samba Shared Repository - branch v4-16-test updated
The branch, v4-16-test has been updated
       via  41054b61231 s4:kdc: tunnel the check_client_access status to hdb_samba4_audit()
       via  507ececf03d s4-kdc: Handle previously unhandled auth event types
       via  9272ec1a245 s3:libads: Fix creating local krb5.conf
       via  abe01ca6b21 s3:libads: Check print_canonical_sockaddr_with_port() for NULL in get_kdc_ip_string()
       via  3c5d0c379d7 s3:libads: Remove obsolete free's of kdc_str
       via  3c98408be7d s3:libads: Allocate all memory on the talloc stackframe
       via  cfbd47d7b48 s3:libads: Use talloc_asprintf_append() in get_kdc_ip_string()
       via  cce13c772f1 s3:libads: Improve debug messages for get_kdc_ip_string()
       via  2599f5313bd s3:libads: Leave early on error in get_kdc_ip_string()
       via  c20ca210fb8 s3:libads: Remove trailing spaces in kerberos.c
       via  dd6c50b82ee testprogs: Add test that local krb5.conf has been created
       via  34771e19315 s3:libsmb: Fix errno for failed authentication in SMBC_server_internal()
      from  bf8f8c592b0 s4:auth: let authenticate_ldap_simple_bind() pass down the mapped nt4names

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-16-test

- Log -
commit 41054b612311e624fa6a673808118fc319e758d8
Author: Stefan Metzmacher
Date:   Wed Mar 16 09:21:03 2022 +0100

    s4:kdc: tunnel the check_client_access status to hdb_samba4_audit()

    Otherwise useful information gets lost while converting from NTSTATUS
    to krb5_error and back to NTSTATUS again. E.g.
    NT_STATUS_ACCOUNT_DISABLED would be audited as
    NT_STATUS_ACCOUNT_LOCKED_OUT.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15015

    Signed-off-by: Stefan Metzmacher
    Reviewed-by: Andrew Bartlett
    (cherry picked from commit 5294dc80090482d5669126802672eb2c89e269cf)

    Autobuild-User(v4-16-test): Jule Anger
    Autobuild-Date(v4-16-test): Thu Mar 17 10:12:38 UTC 2022 on sn-devel-184

commit 507ececf03d8644b93a9ea953f6ab1c4aefb8e47
Author: Joseph Sutton
Date:   Tue Mar 15 15:34:34 2022 +1300

    s4-kdc: Handle previously unhandled auth event types

    Cases to handle KDC_AUTH_EVENT_VALIDATED_LONG_TERM_KEY and
    KDC_AUTH_EVENT_PREAUTH_SUCCEEDED were removed in:

    commit 791be84c3eecb95e03611458e2305bae272ba267
    Author: Stefan Metzmacher
    Date:   Wed Mar 2 10:10:08 2022 +1300

        s4:kdc: hdb_samba4_audit() is only called once per request

    Normally these auth event types are overwritten with the
    KDC_AUTH_EVENT_CLIENT_AUTHORIZED event type, but if a client passes the
    pre-authentication check, and happens to fail the client access check
    (e.g. because the account is disabled), we get error messages of the
    form:

        hdb_samba4_audit: Unhandled hdb_auth_status=9 => INTERNAL_ERROR

    To avoid such errors, use the error code provided in the request
    structure to obtain a relevant status code in cases not handled
    explicitly.

    For unexpected values we return KRB5KRB_ERR_GENERIC in order to
    hopefully prevent success. And within make test we panic in order to
    let a ci run fail.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15015

    Pair-Programmed-With: Stefan Metzmacher

    Signed-off-by: Joseph Sutton
    Signed-off-by: Stefan Metzmacher
    Reviewed-by: Andrew Bartlett
    (cherry picked from commit b01388da8a72c11c46bb27e773b354520bc6ac88)

commit 9272ec1a2452ecea60b894f649c18d870cf9e2aa
Author: Andreas Schneider
Date:   Tue Mar 15 13:10:06 2022 +0100

    s3:libads: Fix creating local krb5.conf

    We create a KDC ip string entry directly at the beginning, use it if we
    don't have any additional DCs.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016

    Signed-off-by: Andreas Schneider
    Reviewed-by: Guenther Deschner

    Autobuild-User(master): Günther Deschner
    Autobuild-Date(master): Wed Mar 16 14:26:36 UTC 2022 on sn-devel-184

    (cherry picked from commit 68d181ee676e17a5cdcfc12c5cc7eef242fdfa6c)

commit abe01ca6b215e51dea8328869731d88956bfb2dc
Author: Andreas Schneider
Date:   Tue Mar 15 13:02:05 2022 +0100

    s3:libads: Check print_canonical_sockaddr_with_port() for NULL in get_kdc_ip_string()

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016

    Signed-off-by: Andreas Schneider
    Reviewed-by: Guenther Deschner
    (cherry picked from commit 12c843ad0a97fcbaaea738b82941533e5d2aec99)

commit 3c5d0c379d7882d8c3c45a0dde53a68c7ec8a2a7
Author: Andreas Schneider
Date:   Tue Mar 15 12:57:18 2022 +0100

    s3:libads: Remove obsolete free's of kdc_str

    This is allocated on the stackframe now!

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016

    Signed-off-by: Andreas Schneider
    Reviewed-by: Guenther Deschner
    (cherry picked from commit cca189d0934790418e27d9d01282370b1e6a057f)

commit 3c98408be7ddfe1d3df45b479
[SCM] Samba Shared Repository - branch v4-14-test updated
The branch, v4-14-test has been updated
       via  3ae7ead5fd5 s3:libsmb: Fix errno for failed authentication in SMBC_server_internal()
      from  2a9a5185553 s4:auth: let authenticate_ldap_simple_bind() pass down the mapped nt4names

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-14-test

- Log -
commit 3ae7ead5fd53e5ca590cb6bee82afc92b35264f6
Author: Elia Geretto
Date:   Fri Mar 11 19:32:30 2022 +0100

    s3:libsmb: Fix errno for failed authentication in SMBC_server_internal()

    In SMBC_server_internal(), when authentication fails, the errno value is
    currently hard-coded to EPERM, while it should be EACCES instead. Use the
    NT_STATUS map to set the appropriate value.

    This bug was found because it breaks listing printers protected by
    authentication in GNOME Control Panel.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14983

    Signed-off-by: Elia Geretto
    Reviewed-by: Jeremy Allison
    Reviewed-by: Volker Lendecke

    Autobuild-User(master): Jeremy Allison
    Autobuild-Date(master): Wed Mar 16 19:44:18 UTC 2022 on sn-devel-184

    (cherry picked from commit 70b9977a46e5242174b4461a7f49d5f640c1db62)

    Autobuild-User(v4-14-test): Jule Anger
    Autobuild-Date(v4-14-test): Thu Mar 17 09:45:53 UTC 2022 on sn-devel-184

---

Summary of changes:
 source3/libsmb/libsmb_server.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Changeset truncated at 500 lines:

diff --git a/source3/libsmb/libsmb_server.c b/source3/libsmb/libsmb_server.c index d5c9fac6f05..4163a29a77a 100644 --- a/source3/libsmb/libsmb_server.c +++ b/source3/libsmb/libsmb_server.c @@ -572,7 +572,7 @@ SMBC_server_internal(TALLOC_CTX *ctx, !NT_STATUS_IS_OK(cli_session_setup_anon(c))) { cli_shutdown(c); -errno = EPERM; + errno = map_errno_from_nt_status(status); return NULL; } }

--
Samba Shared Repository
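Review bot: the added 'errno = map_errno_from_nt_status(status);' maps 'status', but the failing call visible in this hunk is 'cli_session_setup_anon(c)', whose return value is consumed by NT_STATUS_IS_OK() and never stored, so 'status' must have been set by an earlier call outside the hunk. If reporting that earlier failure is the intent, which the commit message's EACCES expectation suggests, a one-line comment saying so would stop a later reader from "correcting" it to the anonymous-setup result. Please also confirm that 'status' can never be a success value on this path, since the function returns NULL here and callers will rely on errno to explain why.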