The branch, v4-19-test has been updated
       via  fab04efa325 s3:libads: avoid changing ADS->server.workgroup
       via  b6253028b30 s3:libsmb: allow store_cldap_reply() to work with a ipv6 response
       via  3b922dd5759 s4:dsdb/repl: let drepl_out_helpers.c always go via dreplsrv_out_drsuapi_send()
       via  92a0533a9ea s3:utils: let smbstatus report anonymous signing/encryption explicitly
       via  45b9b63283d s3:smbd: allow anonymous encryption after one authenticated session setup
       via  1925abda4c4 s3:utils: let smbstatus also report partial tcon signing/encryption
       via  70969d8da5a s3:utils: let smbstatus also report AES-256 encryption types for tcons
       via  8cc6ccb54a3 s3:utils: let connections_forall_read() report if the session was authenticated
       via  8b6b837eb7d s3:lib: let sessionid_traverse_read() report if the session was authenticated
       via  c9c83fb691f s3:utils: remove unused signing_flags in connections_forall()
       via  a6c549db3d8 s4:torture/smb2: add smb2.session.anon-{encryption{1,2,},signing{1,2}}
       via  3f476fd8bf3 s4:libcli/smb2: add hack to test anonymous signing and encryption
       via  7a75e6bdaf0 smbXcli_base: add hacks to test anonymous signing and encryption
       via  98adde991bf tests/ntacls: unblock failing gitlab pipelines because test_setntacl_forcenative
       via  11edf47d3c3 .gitlab-ci-main.yml: debug kernel details of the current runner
       via  5502aa893cc .gitlab-ci: Remove tags no longer provided by gitlab.com
      from  b00c09bee3b s3:utils: Fix Inherit-Only flag being automatically propagated to children
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-19-test


- Log -----------------------------------------------------------------
commit fab04efa32564a47191c775d1b51362bf0c5658a
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Oct 15 03:34:11 2021 +0200

    s3:libads: avoid changing ADS->server.workgroup

    ads_find_dc() uses c_domain = ads->server.workgroup and doesn't
    expect it to go out of scope deep in resolve_and_ping_dns().

    The result is corrupted domain values in the debug output.

    Valgrind shows this:

    Invalid read of size 1
       at 0x483EF46: strlen (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
       by 0x608BE94: __vfprintf_internal (vfprintf-internal.c:1688)
       by 0x609ED49: __vasprintf_internal (vasprintf.c:57)
       by 0x5D2EC0F: __dbgtext_va (debug.c:1860)
       by 0x5D2ED3F: dbgtext (debug.c:1881)
       by 0x4BFFB50: ads_find_dc (ldap.c:570)
       by 0x4C001F4: ads_connect (ldap.c:704)
       by 0x4C1DC12: ads_dc_name (namequery_dc.c:84)
     Address 0xb69f6f0 is 0 bytes inside a block of size 11 free'd
       at 0x483CA3F: free (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
       by 0x4BFF0AF: ads_try_connect (ldap.c:299)
       by 0x4BFF40E: cldap_ping_list (ldap.c:367)
       by 0x4BFF75F: resolve_and_ping_dns (ldap.c:468)
       by 0x4BFFA91: ads_find_dc (ldap.c:556)
       by 0x4C001F4: ads_connect (ldap.c:704)
       by 0x4C1DC12: ads_dc_name (namequery_dc.c:84)
     Block was alloc'd at
       at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
       by 0x60B250E: strdup (strdup.c:42)
       by 0x4FF1492: smb_xstrdup (util.c:743)
       by 0x4C10E62: ads_init (ads_struct.c:148)
       by 0x4C1DB68: ads_dc_name (namequery_dc.c:73)

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14981
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit ca859e55d28f421196bc2660cfa84595ec5b57c6)

    Autobuild-User(v4-19-test): Stefan Metzmacher <me...@samba.org>
    Autobuild-Date(v4-19-test): Wed May 29 19:25:10 UTC 2024 on atb-devel-224

commit b6253028b303f4bd59b399e43417c7b050969363
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue May 7 14:53:24 2024 +0000

    s3:libsmb: allow store_cldap_reply() to work with a ipv6 response

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15642

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

    Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
    Autobuild-Date(master): Fri May 10 01:35:18 UTC 2024 on atb-devel-224

    (cherry picked from commit 712ffbffc03c7dcd551c1e22815ebe7c0b9b45d2)

commit 3b922dd575919fd08c2b98249691ea11cb7ffe56
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Feb 6 21:09:58 2024 +0100

    s4:dsdb/repl: let drepl_out_helpers.c always go via dreplsrv_out_drsuapi_send()

    I have customer backtraces showing that 'drsuapi' is NULL in
    dreplsrv_op_pull_source_get_changes_trigger() called from the
    WERR_DS_DRA_SCHEMA_MISMATCH retry case of
    dreplsrv_op_pull_source_apply_changes_trigger(), while 'drsuapi'
    was a valid pointer there.

    From reading the code I don't understand how this can happen,
    but it does very often on RODCs. And this fix prevents the problem.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15573
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 83030780285290ecf64b57c1744634379b68ea01)

commit 92a0533a9ea31f40a0a38f78e2b63c8e250972b0
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Jul 3 15:14:38 2023 +0200

    s3:utils: let smbstatus report anonymous signing/encryption explicitly

    We should mark sessions/tcons with anonymous encryption or signing
    in a special way, as the value of it is void, all based on
    a session key with 16 zero bytes.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Günther Deschner <g...@samba.org>

    Autobuild-User(master): Stefan Metzmacher <me...@samba.org>
    Autobuild-Date(master): Thu May 23 13:37:09 UTC 2024 on atb-devel-224

    (cherry picked from commit 5a54c9b28abb1464c84cb4be15a49718d8ae6795)

commit 45b9b63283de002d9d524518ad4fe5d8cdaf38d9
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Jun 30 18:05:51 2023 +0200

    s3:smbd: allow anonymous encryption after one authenticated session setup

    I have captures where a client tries smb3 encryption on an anonymous session,
    we used to allow that before commit da7dcc443f45d07d9963df9daae458fbdd991a47
    was released with samba-4.15.0rc1.

    Testing against Windows Server 2022 revealed that anonymous signing is always
    allowed (with the session key derived from 16 zero bytes) and anonymous
    encryption is allowed after one authenticated session setup on the
    tcp connection.

    https://bugzilla.samba.org/show_bug.cgi?id=15412
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Günther Deschner <g...@samba.org>
    (cherry picked from commit f3ddfb828e66738ca461c3284c423defb774547c)

commit 1925abda4c44421aabdb92a3fa1e9a97ec2e1898
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Jul 3 15:12:38 2023 +0200

    s3:utils: let smbstatus also report partial tcon signing/encryption

    We already do that for sessions and also for the json output,
    but it was missing in the non-json output for tcons.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Günther Deschner <g...@samba.org>
    (cherry picked from commit 551756abd2c9e4922075bc3037db645355542363)

commit 70969d8da5ae893a50b2d0ecfc0f163e960aaf04
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Jul 3 15:12:38 2023 +0200

    s3:utils: let smbstatus also report AES-256 encryption types for tcons

    We already do that for sessions.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Günther Deschner <g...@samba.org>
    (cherry picked from commit 8119fd6d6a49b869bd9e8ff653b500e194b070de)

commit 8cc6ccb54a37680aa8a1f91b2ca871a405daf59d
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Jul 3 15:10:08 2023 +0200

    s3:utils: let connections_forall_read() report if the session was authenticated

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Günther Deschner <g...@samba.org>
    (cherry picked from commit 5089d8550640f72b1e0373f8ac321378ccaa8bd5)

commit 8b6b837eb7dff229ac4659ea7681738badcb3bd5
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Jul 3 15:08:31 2023 +0200

    s3:lib: let sessionid_traverse_read() report if the session was authenticated

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Günther Deschner <g...@samba.org>
    (cherry picked from commit 596a10d1079f5c4a954108c81efc862c22a11f28)

commit c9c83fb691f557d570e2f2ad32b2340e06d82978
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Jul 3 15:05:59 2023 +0200

    s3:utils: remove unused signing_flags in connections_forall()

    We never use the signing flags from the session,
    as the tcon has its own signing flags.

    https://bugzilla.samba.org/show_bug.cgi?id=15412

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Günther Deschner <g...@samba.org>
    (cherry picked from commit a9f84593f44f15a19c4cdde1e7ad53cd5e03b4d9)

commit a6c549db3d85d358e1e99b90230d1cd50da6646e
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed May 15 10:02:00 2024 +0200

    s4:torture/smb2: add smb2.session.anon-{encryption{1,2,},signing{1,2}}

    These demonstrate how anonymous encryption and signing work.
    They pass against Windows 2022 as ad dc.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Günther Deschner <g...@samba.org>
    (cherry picked from commit 6c5781b5f154857f1454f41133687fba8c4c9df9)

commit 3f476fd8bf34209f9e74041f8254250aed59fb2f
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed May 15 10:51:42 2024 +0200

    s4:libcli/smb2: add hack to test anonymous signing and encryption

    This will be used in torture tests.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Günther Deschner <g...@samba.org>
    (cherry picked from commit 6a89615d78119c0bff2fb07bd0c62e4c31ea8441)

commit 7a75e6bdaf0c8fa7aed25f50198de18b84b5ed5e
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue May 14 18:21:33 2024 +0200

    smbXcli_base: add hacks to test anonymous signing and encryption

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Günther Deschner <g...@samba.org>
    (cherry picked from commit 14d6e2672126adee85997dc3d3c64607c987e8b9)

commit 98adde991bf382be654ada6a3283d473c1f7f7e0
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed May 8 18:03:54 2024 +0200

    tests/ntacls: unblock failing gitlab pipelines because test_setntacl_forcenative

    This expects PermissionError: [Errno 1] Operation not permitted,
    but it seems that setxattr() for security.NTACL works on gitlab runners
    without being root.

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 237d9d0228cfed6d2e08b41b888d30aac5ab89e3)

commit 11edf47d3c33a4b1a618f1f300c112934552fc46
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed May 8 16:12:06 2024 +0200

    .gitlab-ci-main.yml: debug kernel details of the current runner
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 380d9c5a7392741ff2134ef1e83df45a29293db3)

commit 5502aa893cc02a7c8583113f67f2b22cac9804ee
Author: Andrew Bartlett <abart...@samba.org>
Date:   Tue May 7 22:32:08 2024 +1200

    .gitlab-ci: Remove tags no longer provided by gitlab.com

    GitLab.com removed a number of tags from their hosted runners and this
    meant our CI was being redirected to our private runners at a larger
    cost to the Samba Team.

    The new infrastructure is much larger than when we last selected runners
    so we can just use the default, even for the code coverage build.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15638

    Pair-Programmed-With: Stefan Metzmacher <me...@samba.org>

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> Autobuild-User(master): Stefan Metzmacher <me...@samba.org> Autobuild-Date(master): Tue May 7 13:40:55 UTC 2024 on atb-devel-224 (cherry picked from commit d58a72c572f63619111f43f6ea39ff84ae0df16e) ----------------------------------------------------------------------- Summary of changes: .gitlab-ci-coverage-runners.yml | 8 +- .gitlab-ci-default-runners.yml | 46 +- .gitlab-ci-main.yml | 6 + libcli/smb/smbXcli_base.c | 104 ++++- libcli/smb/smbXcli_base.h | 5 + python/samba/tests/ntacls.py | 2 +- selftest/flapping.d/gitlab-setxattr-security | 18 + source3/include/session.h | 1 + source3/lib/sessionid_tdb.c | 8 + source3/libads/ldap.c | 16 +- source3/librpc/idl/ads.idl | 1 + source3/libsmb/dsgetdcname.c | 24 +- source3/smbd/globals.h | 5 + source3/smbd/smb2_server.c | 11 + source3/smbd/smb2_sesssetup.c | 18 +- source3/smbd/smb2_tcon.c | 4 + source3/utils/conn_tdb.c | 12 +- source3/utils/conn_tdb.h | 1 + source3/utils/net_ads.c | 6 + source3/utils/status.c | 82 +++- source3/utils/status.h | 1 + source3/utils/status_json.c | 2 + source4/dsdb/repl/drepl_out_helpers.c | 26 +- source4/libcli/smb2/session.c | 16 +- source4/libcli/smb2/smb2.h | 2 + source4/torture/smb2/session.c | 629 +++++++++++++++++++++++++++ 26 files changed, 977 insertions(+), 77 deletions(-) create mode 100644 selftest/flapping.d/gitlab-setxattr-security Changeset truncated at 500 lines: diff --git a/.gitlab-ci-coverage-runners.yml b/.gitlab-ci-coverage-runners.yml index 0f6b2ec1581..331c5d2399c 100644 --- a/.gitlab-ci-coverage-runners.yml +++ b/.gitlab-ci-coverage-runners.yml @@ -1,10 +1,4 @@ include: - /.gitlab-ci-default-runners.yml -.shared_runner_test: - # We need the more powerful n1-standard-2 runners - # in order to handle the lcov overhead. - # - # See .gitlab-ci-default-runners.yml for more details - tags: - - gitlab-org-docker +# Currently we're happy with the defaults 
diff --git a/.gitlab-ci-default-runners.yml b/.gitlab-ci-default-runners.yml index 2dea6e82c49..bdc504aff21 100644 --- a/.gitlab-ci-default-runners.yml +++ b/.gitlab-ci-default-runners.yml 
@@ -1,48 +1,26 @@ -# From https://docs.gitlab.com/ee/user/gitlab_com/#shared-runners: +# From https://docs.gitlab.com/ee/ci/runners/hosted_runners/linux.html # # ... # -# All your CI/CD jobs run on n1-standard-1 instances with 3.75GB of RAM, CoreOS -# and the latest Docker Engine installed. Instances provide 1 vCPU and 25GB of -# HDD disk space. The default region of the VMs is US East1. Each instance is -# used only for one job, this ensures any sensitive data left on the system can’t -# be accessed by other people their CI jobs. -# -# The gitlab-shared-runners-manager-X.gitlab.com fleet of runners are dedicated -# for GitLab projects as well as community forks of them. They use a slightly -# larger machine type (n1-standard-2) and have a bigger SSD disk size. They don’t -# run untagged jobs and unlike the general fleet of shared runners, the instances -# are re-used up to 40 times. -# -# ... -# -# The n1-standard-1 runners seem to be tagged with 'docker' together with 'gce'. -# -# The more powerful n1-standard-2 runners seem to be tagged with -# 'gitlab-org-docker' or some with just 'gitlab-org'. -# +# Runner Tag vCPUs Memory Storage +# saas-linux-small-amd64 2 8 GB 25 GB # # Our current private runner 'docker', 'samba-ci-private', 'shared' and -# 'ubuntu1804'. It runs with an ubuntu1804 kernel and privides an ext4 filesystem -# and similar RAM as the n1-standard-2 runners. +# 'ubuntu2204'. It runs with an ubuntu2204 kernel (5.15) and provides an +# ext4 filesystem, 2 CPU and 4 GB (shared tag) 8G (samba-ci-private tag) RAM. # .shared_runner_build: - # We use n1-standard-1 shared runners by default. - # - # There are currently 5 shared runners with 'docker' and 'gce', - # while there are only 2 provising 'docker' together with 'shared'. + # We use saas-linux-small-amd64 shared runners by default. 
+ # We avoid adding explicit tags for them in order + # to work with potential changes in future # - # We used to fallback to our private runner if the docker+shared runners - # were busy, but now that we use the 5 docker+gce runners, we try to only - # use shared runners without a fallback to our private runner! - # Lets see how that will work out. - tags: - - docker - - gce + # In order to generate valid yaml, we define a dummy variable... + variables: + SAMBA_SHARED_RUNNER_BUILD_DUMMY_VARIABLE: shared_runner_build .shared_runner_test: - # Currently we're fine using the n1-standard-1 runners also for testing + # We use saas-linux-small-amd64 shared runners by default. extends: .shared_runner_build .private_runner_test: diff --git a/.gitlab-ci-main.yml b/.gitlab-ci-main.yml index 779eedb8255..4e4addf5d1a 100644 --- a/.gitlab-ci-main.yml +++ b/.gitlab-ci-main.yml @@ -112,8 +112,14 @@ include: before_script: - uname -a + - ls -l /sys/module/ + - ls -l /sys/kernel/security/ + - if [ -e /sys/kernel/security/lsm ]; then cat /sys/kernel/security/lsm ; echo; fi + - if [ -e /proc/config.gz ]; then sudo zcat /proc/config.gz; echo; fi - lsb_release -a - cat /etc/os-release + - id + - cat /proc/self/status - lscpu - cat /proc/cpuinfo - mount diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c index fe422eb83fa..c3960b53381 100644 --- a/libcli/smb/smbXcli_base.c +++ b/libcli/smb/smbXcli_base.c @@ -166,6 +166,13 @@ struct smb2cli_session { uint16_t channel_sequence; bool replay_active; bool require_signed_response; + + /* + * The following are just for torture tests + */ + bool anonymous_signing; + bool anonymous_encryption; + bool no_signing_disconnect; }; struct smbXcli_session { 
@@ -3999,6 +4006,9 @@ static NTSTATUS smb2cli_conn_dispatch_incoming(struct smbXcli_conn *conn, if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_NAME_DELETED) || NT_STATUS_EQUAL(status, NT_STATUS_FILE_CLOSED) || + (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) && + session != NULL && + session->smb2->no_signing_disconnect) || NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER)) { /* * if the server returns @@ -4042,8 +4052,29 @@ static NTSTATUS smb2cli_conn_dispatch_incoming(struct smbXcli_conn *conn, /* * If the signing check fails, we disconnect * the connection. + * + * Unless + * smb2cli_session_torture_no_signing_disconnect + * was called in torture tests */ - return signing_status; + + if (!NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) { + return signing_status; + } + + if (!NT_STATUS_EQUAL(status, signing_status)) { + return signing_status; + } + + if (session == NULL) { + return signing_status; + } + + if (!session->smb2->no_signing_disconnect) { + return signing_status; + } + + state->smb2.signing_skipped = true; } } @@ -6340,6 +6371,23 @@ void smb2cli_session_require_signed_response(struct smbXcli_session *session, session->smb2->require_signed_response = require_signed_response; } +void smb2cli_session_torture_anonymous_signing(struct smbXcli_session *session, + bool anonymous_signing) +{ + session->smb2->anonymous_signing = anonymous_signing; +} + +void smb2cli_session_torture_anonymous_encryption(struct smbXcli_session *session, + bool anonymous_encryption) +{ + session->smb2->anonymous_encryption = anonymous_encryption; +} + +void smb2cli_session_torture_no_signing_disconnect(struct smbXcli_session *session) +{ + session->smb2->no_signing_disconnect = true; +} + NTSTATUS smb2cli_session_update_preauth(struct smbXcli_session *session, const struct iovec *iov) { 
@@ -6440,6 +6488,10 @@ NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session, conn->protocol, preauth_hash); + if (session->smb2->anonymous_encryption) { + goto skip_signing_key; + } + status = smb2_signing_key_sign_create(session->smb2, conn->smb2.server.sign_algo, &_session_key, @@ -6449,6 +6501,15 @@ NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session, return status; } + if (session->smb2->anonymous_signing) { + /* + * skip encryption and application keys + */ + goto skip_application_key; + } + +skip_signing_key: + status = smb2_signing_key_cipher_create(session->smb2, conn->smb2.server.cipher, &_session_key, @@ -6467,6 +6528,10 @@ NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session, return status; } + if (session->smb2->anonymous_encryption) { + goto skip_application_key; + } + status = smb2_signing_key_sign_create(session->smb2, conn->smb2.server.sign_algo, &_session_key, @@ -6476,6 +6541,8 @@ NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session, return status; } +skip_application_key: + status = smb2_signing_key_copy(session, session->smb2->signing_key, &session->smb2_channel.signing_key); @@ -6485,6 +6552,18 @@ NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session, check_signature = conn->mandatory_signing; + if (conn->protocol >= PROTOCOL_SMB3_11) { + check_signature = true; + } + + if (session->smb2->anonymous_signing) { + check_signature = false; + } + + if (session->smb2->anonymous_encryption) { + check_signature = false; + } + hdr_flags = IVAL(recv_iov[0].iov_base, SMB2_HDR_FLAGS); if (hdr_flags & SMB2_HDR_FLAG_SIGNED) { /* @@ -6500,10 +6579,6 @@ NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session, check_signature = true; } - if (conn->protocol >= PROTOCOL_SMB3_11) { - check_signature = true; - } - if (check_signature) { status = smb2_signing_check_pdu(session->smb2_channel.signing_key, recv_iov, 3); 
@@ -6535,6 +6610,15 @@ NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session, session->smb2->should_encrypt = false; } + if (session->smb2->anonymous_signing) { + session->smb2->should_sign = true; + } + + if (session->smb2->anonymous_encryption) { + session->smb2->should_encrypt = true; + session->smb2->should_sign = false; + } + /* * CCM and GCM algorithms must never have their * nonce wrap, or the security of the whole @@ -6699,6 +6783,16 @@ NTSTATUS smb2cli_session_set_channel_key(struct smbXcli_session *session, NTSTATUS smb2cli_session_encryption_on(struct smbXcli_session *session) { + if (session->smb2->anonymous_signing) { + return NT_STATUS_INVALID_PARAMETER_MIX; + } + + if (session->smb2->anonymous_encryption) { + SMB_ASSERT(session->smb2->should_encrypt); + SMB_ASSERT(!session->smb2->should_sign); + return NT_STATUS_OK; + } + if (!session->smb2->should_sign) { /* * We need required signing on the session diff --git a/libcli/smb/smbXcli_base.h b/libcli/smb/smbXcli_base.h index bf8638711ba..4ce2338b440 100644 --- a/libcli/smb/smbXcli_base.h +++ b/libcli/smb/smbXcli_base.h @@ -525,6 +525,11 @@ void smb2cli_session_start_replay(struct smbXcli_session *session); void smb2cli_session_stop_replay(struct smbXcli_session *session); void smb2cli_session_require_signed_response(struct smbXcli_session *session, bool require_signed_response); +void smb2cli_session_torture_anonymous_signing(struct smbXcli_session *session, + bool anonymous_signing); +void smb2cli_session_torture_anonymous_encryption(struct smbXcli_session *session, + bool anonymous_encryption); +void smb2cli_session_torture_no_signing_disconnect(struct smbXcli_session *session); NTSTATUS smb2cli_session_update_preauth(struct smbXcli_session *session, const struct iovec *iov); NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session, diff --git a/python/samba/tests/ntacls.py b/python/samba/tests/ntacls.py index 4d625768d91..19a2a283037 100644 
--- a/python/samba/tests/ntacls.py +++ b/python/samba/tests/ntacls.py @@ -83,5 +83,5 @@ class NtaclsTests(TestCaseInTempDir): lp = LoadParm() open(self.tempf, 'w').write("empty") lp.set("posix:eadb", os.path.join(self.tempdir, "eadbtest.tdb")) - self.assertRaises(Exception, setntacl, lp, self.tempf, NTACL_SDDL, + self.assertRaises(PermissionError, setntacl, lp, self.tempf, NTACL_SDDL, DOMAIN_SID, self.session_info, "native") diff --git a/selftest/flapping.d/gitlab-setxattr-security b/selftest/flapping.d/gitlab-setxattr-security new file mode 100644 index 00000000000..d7d24032450 --- /dev/null +++ b/selftest/flapping.d/gitlab-setxattr-security @@ -0,0 +1,18 @@ +# gitlab runners with kernel 5.15.109+ +# allow setxattr() on security.NTACL +# +# It's not clear in detail why there's a difference +# between various systems, one reason could be that +# with selinux inode_owner_or_capable() is used to check +# setxattr() permissions: +# it checks for the fileowner too, as well as CAP_FOWNER. +# Otherwise cap_inode_setxattr() is used, which checks for +# CAP_SYS_ADMIN. +# +# But the kernel doesn't have selinux only apparmor... +# +# test_setntacl_forcenative expects +# PermissionError: [Errno 1] Operation not permitted +# +# So for now we allow this to fail... +^samba.tests.ntacls.samba.tests.ntacls.NtaclsTests.test_setntacl_forcenative.none diff --git a/source3/include/session.h b/source3/include/session.h index 268c059a8ed..5a2b24b06a7 100644 --- a/source3/include/session.h +++ b/source3/include/session.h @@ -39,6 +39,7 @@ struct sessionid { fstring ip_addr_str; time_t connect_start; uint16_t connection_dialect; + bool authenticated; uint8_t encryption_flags; uint16_t cipher; uint16_t signing; diff --git a/source3/lib/sessionid_tdb.c b/source3/lib/sessionid_tdb.c index 32962253908..68b178a5233 100644 --- a/source3/lib/sessionid_tdb.c +++ b/source3/lib/sessionid_tdb.c 
@@ -24,6 +24,7 @@ #include "session.h" #include "util_tdb.h" #include "smbd/globals.h" +#include "../libcli/security/session.h" struct sessionid_traverse_read_state { int (*fn)(const char *key, struct sessionid *session, @@ -47,11 +48,18 @@ static int sessionid_traverse_read_fn(struct smbXsrv_session_global0 *global, }; if (session_info != NULL) { + enum security_user_level ul; + session.uid = session_info->unix_token->uid; session.gid = session_info->unix_token->gid; strncpy(session.username, session_info->unix_info->unix_name, sizeof(fstring)-1); + + ul = security_session_user_level(session_info, NULL); + if (ul >= SECURITY_USER) { + session.authenticated = true; + } } strncpy(session.remote_machine, diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c index cc00753ff74..4908df535a1 100644 --- a/source3/libads/ldap.c +++ b/source3/libads/ldap.c @@ -275,12 +275,12 @@ static bool ads_fill_cldap_reply(ADS_STRUCT *ads, /* Fill in the ads->config values */ + ADS_TALLOC_CONST_FREE(ads->config.workgroup); ADS_TALLOC_CONST_FREE(ads->config.realm); ADS_TALLOC_CONST_FREE(ads->config.bind_path); ADS_TALLOC_CONST_FREE(ads->config.ldap_server_name); ADS_TALLOC_CONST_FREE(ads->config.server_site_name); ADS_TALLOC_CONST_FREE(ads->config.client_site_name); - ADS_TALLOC_CONST_FREE(ads->server.workgroup); if (!check_cldap_reply_required_flags(cldap_reply->server_type, ads->config.flags)) { @@ -296,6 +296,13 @@ static bool ads_fill_cldap_reply(ADS_STRUCT *ads, goto out; } + ads->config.workgroup = talloc_strdup(ads, cldap_reply->domain_name); + if (ads->config.workgroup == NULL) { + DBG_WARNING("Out of memory\n"); + ret = false; + goto out; + } + ads->config.realm = talloc_asprintf_strupper_m(ads, "%s", cldap_reply->dns_domain); 
@@ -334,13 +341,6 @@ static bool ads_fill_cldap_reply(ADS_STRUCT *ads, } } - ads->server.workgroup = talloc_strdup(ads, cldap_reply->domain_name); - if (ads->server.workgroup == NULL) { - DBG_WARNING("Out of memory\n"); - ret = false; - goto out; - } - ads->ldap.port = gc ? LDAP_GC_PORT : LDAP_PORT; ads->ldap.ss = *ss; diff --git a/source3/librpc/idl/ads.idl b/source3/librpc/idl/ads.idl index 4f3a387556a..d10e5b4dc77 100644 --- a/source3/librpc/idl/ads.idl +++ b/source3/librpc/idl/ads.idl @@ -59,6 +59,7 @@ interface ads typedef [nopull,nopush] struct { nbt_server_type flags; /* cldap flags identifying the services. */ + string workgroup; string realm; string bind_path; string ldap_server_name; diff --git a/source3/libsmb/dsgetdcname.c b/source3/libsmb/dsgetdcname.c index 280ccd585b0..864d58ad150 100644 --- a/source3/libsmb/dsgetdcname.c +++ b/source3/libsmb/dsgetdcname.c @@ -196,7 +196,29 @@ static NTSTATUS store_cldap_reply(TALLOC_CTX *mem_ctx, /* FIXME */ r->sockaddr_size = 0x10; /* the w32 winsock addr size */ r->sockaddr.sockaddr_family = 2; /* AF_INET */ - r->sockaddr.pdc_ip = talloc_strdup(mem_ctx, addr); + if (is_ipaddress_v4(addr)) { + r->sockaddr.pdc_ip = talloc_strdup(mem_ctx, addr); + if (r->sockaddr.pdc_ip == NULL) { + return NT_STATUS_NO_MEMORY; + } + } else { + /* + * ndr_push_NETLOGON_SAM_LOGON_RESPONSE_EX will + * fail with an ipv6 address. + * + * This matches windows behaviour in the CLDAP + * response when NETLOGON_NT_VERSION_5EX_WITH_IP + * is used. + * + * Windows returns the ipv4 address of the ipv6 + * server interface and falls back to 127.0.0.1 + * if there's no ipv4 address. + */ + r->sockaddr.pdc_ip = talloc_strdup(mem_ctx, "127.0.0.1"); + if (r->sockaddr.pdc_ip == NULL) { + return NT_STATUS_NO_MEMORY; + } + } ndr_err = ndr_push_struct_blob(&blob, mem_ctx, r, (ndr_push_flags_fn_t)ndr_push_NETLOGON_SAM_LOGON_RESPONSE_EX); diff --git a/source3/smbd/globals.h b/source3/smbd/globals.h index 69023fcc50a..f92721a2c18 100644 
--- a/source3/smbd/globals.h +++ b/source3/smbd/globals.h @@ -549,6 +549,11 @@ struct smbXsrv_connection { } smbtorture; bool signing_mandatory; + /* + * This is ConstrainedConnection in MS-SMB2, + * but with reversed value... + */ + bool got_authenticated_session; } smb2; }; diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c index 5a595313cd0..886e6abced8 100644 --- a/source3/smbd/smb2_server.c +++ b/source3/smbd/smb2_server.c -- Samba Shared Repository
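Review bot: the `sudo zcat /proc/config.gz` line added to the before_script hunk of .gitlab-ci-main.yml makes every job depend on sudo being present and passwordless in the image; where it is not, the guarded command fails and the job aborts before any build step runs. `sudo -n zcat /proc/config.gz || true` (or reading the file without sudo where it is world-readable) keeps the debugging output best-effort, and dumping the whole kernel config into every job log is large when `cat /sys/kernel/security/lsm` already answers the selinux-vs-apparmor question raised in selftest/flapping.d/gitlab-setxattr-security.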
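Review bot: in the smb2cli_session_set_session_key() hunk the `check_signature = false` overrides for anonymous_signing and anonymous_encryption are placed before `hdr_flags` is read, and the unchanged `if (hdr_flags & SMB2_HDR_FLAG_SIGNED)` branch that follows still sets `check_signature = true`; a signed session-setup response on an anonymous_encryption session would then reach smb2_signing_check_pdu() with a signing key that `goto skip_signing_key` never created. Either move the two overrides after the SMB2_HDR_FLAG_SIGNED branch, or add a comment stating why a signed response cannot occur in that mode.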
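Review bot: the three new smb2cli_session_torture_*() prototypes in the smbXcli_base.h hunk carry no comment, while the matching struct fields in the .c hunk are marked "just for torture tests". Since this header is the public client interface, put the same note above the prototypes so the functions are not picked up by production callers; smb2cli_session_torture_no_signing_disconnect() in particular turns a signature-check failure from a disconnect into a silently skipped check (`state->smb2.signing_skipped = true`).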
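Review bot: the comment in the store_cldap_reply() hunk of dsgetdcname.c says Windows returns the IPv4 address of the IPv6 server interface and falls back to 127.0.0.1 only if there is no IPv4 address, but the new else branch unconditionally stores "127.0.0.1" for any non-IPv4 addr, so a dual-stack DC never has its real v4 address reported. Either reword the comment to say this is a deliberate simplification or look up a v4 address first and use the loopback placeholder only as the last resort; note also that `is_ipaddress_v4(addr)` being false covers any non-v4 string, not only an IPv6 literal.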
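Review bot: the ads_fill_cldap_reply() hunks in ldap.c stop writing ads->server.workgroup and fill the new ads->config.workgroup instead, which is what removes the use-after-free in the commit message, but the changeset is truncated before source3/utils/net_ads.c (listed as "6 +" in the summary), so the readers of ads->server.workgroup are not visible here. Confirm that every caller that relied on ads->server.workgroup for the domain reported by the DC now reads ads->config.workgroup; otherwise they keep seeing the value strdup'd in ads_init() unchanged.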