diff --git a/SOURCES/samba-4.10-redhat.patch b/SOURCES/samba-4.10-redhat.patch index 81724cd..a248091 100644 --- a/SOURCES/samba-4.10-redhat.patch +++ b/SOURCES/samba-4.10-redhat.patch @@ -1,7 +1,7 @@ From 9aa816f5017bd38cbb9af2af5a7c385647e4f76d Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Tue, 7 Jan 2020 19:25:53 +0200 -Subject: [PATCH 01/48] s3-rpcserver: fix security level check for +Subject: [PATCH 01/88] s3-rpcserver: fix security level check for DsRGetForestTrustInformation MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -80,13 +80,13 @@ index d799ba4feef..87613b99fde 100644 } -- -2.30.2 +2.33.1 From e71fddb9ad5275a222d96bdcee06571a9a8c73c8 Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Wed, 27 May 2020 16:50:45 +0200 -Subject: [PATCH 02/48] Add a test to check dNSHostName with netbios aliases +Subject: [PATCH 02/88] Add a test to check dNSHostName with netbios aliases BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396 @@ -132,13 +132,13 @@ index 95c0cf76f90..6073ea972f9 100755 # Test createcomputer option of 'net ads join' # -- -2.30.2 +2.33.1 From e80e373485818eb7faebf5c9aae10d82fbc4e2e2 Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Wed, 27 May 2020 15:52:46 +0200 -Subject: [PATCH 03/48] Fix accidental overwrite of dnsHostName by the last +Subject: [PATCH 03/88] Fix accidental overwrite of dnsHostName by the last netbios alias BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396 @@ -186,13 +186,13 @@ index 9d4f656ffec..a31011b0ff8 100644 status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); goto done; -- -2.30.2 +2.33.1 From 7ca5f9b2956ec41777837a7e14800a4345505ed6 Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Thu, 24 Oct 2019 19:04:51 +0300 -Subject: [PATCH 04/48] Refactor ads_keytab_add_entry() to make it iterable +Subject: [PATCH 04/88] Refactor ads_keytab_add_entry() to make it iterable so we can more easily add msDS-AdditionalDnsHostName entries. 
@@ -453,13 +453,13 @@ index 97d5535041c..0f450a09df5 100644 out: SAFE_FREE(salt_princ_s); -- -2.30.2 +2.33.1 From 087d6dd4c4f25860643ab5920a1b2c0c70e5551b Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Wed, 27 May 2020 17:55:12 +0200 -Subject: [PATCH 05/48] Add a test for msDS-AdditionalDnsHostName entries in +Subject: [PATCH 05/88] Add a test for msDS-AdditionalDnsHostName entries in keytab BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396 @@ -501,13 +501,13 @@ index 6073ea972f9..a40b477a173 100755 testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` -- -2.30.2 +2.33.1 From 1ae32dddad89cdb75ae2c8fb3e7378ce6f5ad6af Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Wed, 27 May 2020 15:36:28 +0200 -Subject: [PATCH 06/48] Add msDS-AdditionalDnsHostName entries to the keytab +Subject: [PATCH 06/88] Add msDS-AdditionalDnsHostName entries to the keytab BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396 @@ -648,13 +648,13 @@ index db2b72ab1b5..02a628ee0e6 100644 { LDAPMessage *res = NULL; -- -2.30.2 +2.33.1 From 939b9265a533393189ef3c513e77b2cb009a51d5 Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Wed, 27 May 2020 15:54:12 +0200 -Subject: [PATCH 07/48] Add net-ads-join dnshostname=fqdn option +Subject: [PATCH 07/88] Add net-ads-join dnshostname=fqdn option BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396 @@ -794,13 +794,13 @@ index a40b477a173..85257f445d8 100755 exit $failed -- -2.30.2 +2.33.1 From 25a6679a5260dafde7a7d2aed9bfe43eaf083b1c Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 16 Sep 2020 16:04:57 +0200 -Subject: [PATCH 08/48] CVE-2020-1472(ZeroLogon): libcli/auth: add +Subject: [PATCH 08/88] CVE-2020-1472(ZeroLogon): libcli/auth: add netlogon_creds_random_challenge() It's good to have just a single isolated function that will generate 
@@ -851,13 +851,13 @@ index 82febe74440..82797d453ed 100644 void netlogon_creds_des_decrypt_LMKey(struct netlogon_creds_CredentialState *creds, struct netr_LMSessionKey *key); void netlogon_creds_des_encrypt(struct netlogon_creds_CredentialState *creds, struct samr_Password *pass); -- -2.30.2 +2.33.1 From 1e8ad7efe35d8b79fef387ff709d6a499565c39a Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 16 Sep 2020 16:07:30 +0200 -Subject: [PATCH 09/48] CVE-2020-1472(ZeroLogon): s4:torture/rpc: make use of +Subject: [PATCH 09/88] CVE-2020-1472(ZeroLogon): s4:torture/rpc: make use of netlogon_creds_random_challenge() This will avoid getting flakey tests once our server starts to @@ -1007,13 +1007,13 @@ index 026d86d50e4..e11014922f8 100644 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b, tctx, &r), "ServerReqChallenge"); -- -2.30.2 +2.33.1 From 74ee204ad4647d0d7a2097124652cbcd43406c7d Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 16 Sep 2020 16:08:38 +0200 -Subject: [PATCH 10/48] CVE-2020-1472(ZeroLogon): libcli/auth: make use of +Subject: [PATCH 10/88] CVE-2020-1472(ZeroLogon): libcli/auth: make use of netlogon_creds_random_challenge() in netlogon_creds_cli.c This will avoid getting rejected by the server if we generate @@ -1041,13 +1041,13 @@ index 817d2cd041a..0f6ca11ff96 100644 subreq = dcerpc_netr_ServerReqChallenge_send(state, state->ev, state->binding_handle, -- -2.30.2 +2.33.1 From 10196846d019d0e2ccef51f32ddd39fc17ca60aa Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 16 Sep 2020 16:10:53 +0200 -Subject: [PATCH 11/48] CVE-2020-1472(ZeroLogon): s3:rpc_server:netlogon: make +Subject: [PATCH 11/88] CVE-2020-1472(ZeroLogon): s3:rpc_server:netlogon: make use of netlogon_creds_random_challenge() This is not strictly needed, but makes things more clear. @@ -1074,13 +1074,13 @@ index 87613b99fde..86b2f343e82 100644 *r->out.return_credentials = pipe_state->server_challenge; -- -2.30.2 +2.33.1 
From 215aca6d11b900ee3cf11568d27bce77e0567653 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 16 Sep 2020 16:10:53 +0200 -Subject: [PATCH 12/48] CVE-2020-1472(ZeroLogon): s4:rpc_server:netlogon: make +Subject: [PATCH 12/88] CVE-2020-1472(ZeroLogon): s4:rpc_server:netlogon: make use of netlogon_creds_random_challenge() This is not strictly needed, but makes things more clear. @@ -1107,13 +1107,13 @@ index 023adfd99e9..de260d8051d 100644 *r->out.return_credentials = pipe_state->server_challenge; -- -2.30.2 +2.33.1 From 4551bf623426e8c543b287807d447feb69bb0f09 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 16 Sep 2020 16:15:26 +0200 -Subject: [PATCH 13/48] CVE-2020-1472(ZeroLogon): libcli/auth: add +Subject: [PATCH 13/88] CVE-2020-1472(ZeroLogon): libcli/auth: add netlogon_creds_is_random_challenge() to avoid weak values This is the check Windows is using, so we won't generate challenges, @@ -1177,13 +1177,13 @@ index 82797d453ed..ad768682b9f 100644 void netlogon_creds_des_encrypt_LMKey(struct netlogon_creds_CredentialState *creds, struct netr_LMSessionKey *key); -- -2.30.2 +2.33.1 From f7e09421ace8fe60c0110770d909800d21ae6c8e Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 16 Sep 2020 16:17:29 +0200 -Subject: [PATCH 14/48] CVE-2020-1472(ZeroLogon): libcli/auth: reject weak +Subject: [PATCH 14/88] CVE-2020-1472(ZeroLogon): libcli/auth: reject weak client challenges in netlogon_creds_server_init() This implements the note from MS-NRPC 3.1.4.1 Session-Key Negotiation: @@ -1262,13 +1262,13 @@ index d319d9b879e..394505d166d 100644 ) -- -2.30.2 +2.33.1 From 6bc86fb69bf50c89a334fd2dcbce6999a2360fb7 Mon Sep 17 00:00:00 2001 
From: Stefan Metzmacher Date: Wed, 16 Sep 2020 19:20:25 +0200 -Subject: [PATCH 15/48] CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: +Subject: [PATCH 15/88] CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: protect netr_ServerPasswordSet2 against unencrypted passwords BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497 @@ -1357,13 +1357,13 @@ index de260d8051d..acbf077c6c7 100644 ret = gendb_search(sam_ctx, mem_ctx, NULL, &res, attrs, -- -2.30.2 +2.33.1 From 1f8dec1cbb37f3406d999425590f8a923586ccac Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 16 Sep 2020 12:53:50 -0700 -Subject: [PATCH 16/48] CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: +Subject: [PATCH 16/88] CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: protect netr_ServerPasswordSet2 against unencrypted passwords BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497 @@ -1502,13 +1502,13 @@ index 86b2f343e82..fd9127b386f 100644 p->session_info, p->msg_ctx, -- -2.30.2 +2.33.1 From 2ad269be74481789ded62a3dcb538709c6d6e291 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 16 Sep 2020 10:18:45 +0200 -Subject: [PATCH 17/48] CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: +Subject: [PATCH 17/88] CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: refactor dcesrv_netr_creds_server_step_check() We should debug more details about the failing request. @@ -1585,13 +1585,13 @@ index acbf077c6c7..b4326a4ecaa 100644 /* -- -2.30.2 +2.33.1 From 57941290adb9a2fd4be9aa4a70f879a684b38dfd Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 16 Sep 2020 10:56:53 +0200 -Subject: [PATCH 18/48] CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: +Subject: [PATCH 18/88] CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: support "server require schannel:WORKSTATION$ = no" This allows to add expections for individual workstations, when using "server schannel = yes". @@ -1632,13 +1632,13 @@ index b4326a4ecaa..e7bafb31e83 100644 *creds_out = creds; return NT_STATUS_OK; -- -2.30.2 +2.33.1 
From 779b37e825fe406892ff77be18c098d314cd387d Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 17 Sep 2020 13:37:26 +0200 -Subject: [PATCH 19/48] CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: log +Subject: [PATCH 19/88] CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: log warnings about unsecure configurations MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -1759,13 +1759,13 @@ index e7bafb31e83..7668a9eb923 100644 return NT_STATUS_OK; } -- -2.30.2 +2.33.1 From 60b83fbda31c53c592a02f0ed43356a912021021 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Thu, 17 Sep 2020 14:57:22 +0200 -Subject: [PATCH 20/48] CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: +Subject: [PATCH 20/88] CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: refactor dcesrv_netr_creds_server_step_check() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -1860,13 +1860,13 @@ index fd9127b386f..8541571b459 100644 -- -2.30.2 +2.33.1 From c0a188b2696edb8f3ae9f7f56a820b11358bad98 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Thu, 17 Sep 2020 14:23:16 +0200 -Subject: [PATCH 21/48] CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: +Subject: [PATCH 21/88] CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: support "server require schannel:WORKSTATION$ = no" MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -1911,13 +1911,13 @@ index 8541571b459..f9b10103bd5 100644 *creds_out = creds; return NT_STATUS_OK; -- -2.30.2 +2.33.1 From c9550b81b55316cf5d667502885fc248a5999fb5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Thu, 17 Sep 2020 14:42:52 +0200 -Subject: [PATCH 22/48] CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: log +Subject: [PATCH 22/88] CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: log warnings about unsecure configurations MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 
@@ -2039,13 +2039,13 @@ index f9b10103bd5..7f6704adbda 100644 return NT_STATUS_OK; } -- -2.30.2 +2.33.1 From 63f03e2e29e81f890a5d88c726cced6d3e7bbf5d Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 17 Sep 2020 17:27:54 +0200 -Subject: [PATCH 23/48] CVE-2020-1472(ZeroLogon): docs-xml: document 'server +Subject: [PATCH 23/88] CVE-2020-1472(ZeroLogon): docs-xml: document 'server require schannel:COMPUTERACCOUNT' BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497 @@ -2141,13 +2141,13 @@ index 489492d79b1..b682d086f76 100644 + -- -2.30.2 +2.33.1 From 8a40da45b7f4e7a9110daf010383c4fce30bd9b6 Mon Sep 17 00:00:00 2001 From: Gary Lockyer Date: Fri, 18 Sep 2020 12:39:54 +1200 -Subject: [PATCH 24/48] CVE-2020-1472(ZeroLogon): s4 torture rpc: Test empty +Subject: [PATCH 24/88] CVE-2020-1472(ZeroLogon): s4 torture rpc: Test empty machine acct pwd Ensure that an empty machine account password can't be set by @@ -2240,13 +2240,13 @@ index e11014922f8..0ba45f0c1da 100644 /* now try a random password */ password = generate_random_password(tctx, 8, 255); -- -2.30.2 +2.33.1 From 341a448cb69557410fa79dbb8a3d4adbab79d5b6 Mon Sep 17 00:00:00 2001 From: Gary Lockyer Date: Fri, 18 Sep 2020 15:57:34 +1200 -Subject: [PATCH 25/48] CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated +Subject: [PATCH 25/88] CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated bytes in client challenge Ensure that client challenges with the first 5 bytes identical are @@ -2615,13 +2615,13 @@ index 0ba45f0c1da..97c16688bc9 100644 } -- -2.30.2 +2.33.1 From 268303632f79d7395b452172c06b25ad68fe35fb Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 10 Jul 2020 15:09:33 -0700 -Subject: [PATCH 26/48] s4: torture: Add smb2.notify.handle-permissions test. +Subject: [PATCH 26/88] s4: torture: Add smb2.notify.handle-permissions test. Add knownfail entry. @@ -2744,13 +2744,13 @@ index ebb4f8a4f8e..b017491c8fb 100644 suite->description = talloc_strdup(suite, "SMB2-NOTIFY tests"); -- -2.30.2 +2.33.1 
From 448d4e99f8883a07589264cfca474c3dff8b5942 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 7 Jul 2020 18:25:23 -0700 -Subject: [PATCH 27/48] s3: smbd: Ensure change notifies can't get set unless +Subject: [PATCH 27/88] s3: smbd: Ensure change notifies can't get set unless the directory handle is open for SEC_DIR_LIST. Remove knownfail entry. @@ -2795,13 +2795,13 @@ index 44c0b09432e..d23c03bce41 100644 DEBUG(1, ("change_notify_create: fsp->notify != NULL, " "fname = %s\n", fsp->fsp_name->base_name)); -- -2.30.2 +2.33.1 From 041c86926999594f13b884522b1d9fcc65f92a52 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Thu, 9 Jul 2020 21:49:25 +0200 -Subject: [PATCH 28/48] CVE-2020-14323 winbind: Fix invalid lookupsids DoS +Subject: [PATCH 28/88] CVE-2020-14323 winbind: Fix invalid lookupsids DoS A lookupsids request without extra_data will lead to "state->domain==NULL", which makes winbindd_lookupsids_recv trying to dereference it. @@ -2829,13 +2829,13 @@ index d28b5fa9f01..a289fd86f0f 100644 } if (request->extra_data.data[request->extra_len-1] != '\0') { -- -2.30.2 +2.33.1 From e6e77a3a503f9223ecbc2d32a1d24e20f834659f Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Thu, 9 Jul 2020 21:48:57 +0200 -Subject: [PATCH 29/48] CVE-2020-14323 torture4: Add a simple test for invalid +Subject: [PATCH 29/88] CVE-2020-14323 torture4: Add a simple test for invalid lookup_sids winbind call We can't add this test before the fix, add it to knownfail and have the fix @@ -2897,13 +2897,13 @@ index 9745b621ca9..71f248c0d61 100644 suite->description = talloc_strdup(suite, "WINBIND - struct based protocol tests"); -- -2.30.2 +2.33.1 From 2b4763940d1826a2b4e5eaa1e2df338004cd9af0 Mon Sep 17 00:00:00 2001 From: Laurent Menase Date: Wed, 20 May 2020 12:31:53 +0200 -Subject: [PATCH 30/48] winbind: Fix a memleak +Subject: [PATCH 30/88] winbind: Fix a memleak Bug: https://bugzilla.samba.org/show_bug.cgi?id=14388 Signed-off-by: Laurent Menase 
@@ -2931,13 +2931,13 @@ index 556b4523866..325ba1abd82 100644 } -- -2.30.2 +2.33.1 From accc423a4eb9170ab0dbe4b2ba90ce83790e7a16 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Mon, 17 Aug 2020 13:39:58 +0200 -Subject: [PATCH 31/48] s3:tests: Add test for 'valid users = DOMAIN\%U' +Subject: [PATCH 31/88] s3:tests: Add test for 'valid users = DOMAIN\%U' BUG: https://bugzilla.samba.org/show_bug.cgi?id=14467 @@ -2989,13 +2989,13 @@ index 1a46f11c85d..c813a8f9def 100755 + exit $failed -- -2.30.2 +2.33.1 From 1c594e3734e3ffd2dfc615897ac95792878f2df4 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Mon, 17 Aug 2020 14:12:48 +0200 -Subject: [PATCH 32/48] s3:smbd: Fix %U substitutions if it contains a domain +Subject: [PATCH 32/88] s3:smbd: Fix %U substitutions if it contains a domain name 'valid users = DOMAIN\%U' worked with Samba 3.6 and broke in a newer @@ -3050,13 +3050,13 @@ index 3cbf7f318a2..0705e197975 100644 if (sharename != NULL) { name = talloc_string_sub(mem_ctx, name, "%S", sharename); -- -2.30.2 +2.33.1 From d93ddae23e1b378f771134e93d1b15e61e2278af Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Thu, 9 Jul 2020 11:48:26 +0200 -Subject: [PATCH 33/48] docs: Fix documentation for require_membership_of of +Subject: [PATCH 33/88] docs: Fix documentation for require_membership_of of pam_winbind BUG: https://bugzilla.samba.org/show_bug.cgi?id=14358 @@ -3088,13 +3088,13 @@ index a9a227f1647..a61fb2d58e5 100644 -- -2.30.2 +2.33.1 From c9aea952eb3f8d83701abd6db4d48c8d93a8517a Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Fri, 17 Jul 2020 12:14:16 +0200 -Subject: [PATCH 34/48] docs: Fix documentation for require_membership_of of +Subject: [PATCH 34/88] docs: Fix documentation for require_membership_of of pam_winbind.conf BUG: https://bugzilla.samba.org/show_bug.cgi?id=14358 
@@ -3127,13 +3127,13 @@ index fcac1ee7036..d81a0bd6eba 100644 This option only operates during password authentication, and will not restrict access if a password is not required for any reason (such as SSH key-based login). -- -2.30.2 +2.33.1 From b04be6ffd3a1c9eda1f1dc78d60ad7b3a9b7471d Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Thu, 11 Jun 2020 21:05:07 +0300 -Subject: [PATCH 35/48] Fix a typo in recent net man page changes +Subject: [PATCH 35/88] Fix a typo in recent net man page changes BUG: https://bugzilla.samba.org/show_bug.cgi?id=14406 @@ -3158,13 +3158,13 @@ index 69e18df8b6c..9b1d4458acc 100644 -- -2.30.2 +2.33.1 From a5a7dac759c2570861732c68efefb62371a29565 Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Tue, 16 Jun 2020 22:01:49 +0300 -Subject: [PATCH 36/48] selftest: add tests for binary +Subject: [PATCH 36/88] selftest: add tests for binary msDS-AdditionalDnsHostName Like the short names added implicitly by Windows DC. @@ -3236,13 +3236,13 @@ index 85257f445d8..eef4a31a6a7 100755 rm -f $dedicated_keytab_file -- -2.30.2 +2.33.1 From 2769976aaa13474d2b5ee7b58ee17d5824dfa5a2 Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Thu, 11 Jun 2020 16:51:27 +0300 -Subject: [PATCH 37/48] Properly handle msDS-AdditionalDnsHostName returned +Subject: [PATCH 37/88] Properly handle msDS-AdditionalDnsHostName returned from Windows DC Windows DC adds short names for each specified msDS-AdditionalDnsHostName @@ -3330,13 +3330,13 @@ index 02a628ee0e6..2684bba63ec 100644 DEBUG(1, ("Host account for %s does not have msDS-AdditionalDnsHostName.\n", machine_name)); -- -2.30.2 +2.33.1 From 9727953d482a3849d4ac1f40486bc567f6b77067 Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Sat, 20 Jun 2020 17:17:33 +0200 -Subject: [PATCH 38/48] Fix usage of ldap_get_values_len for +Subject: [PATCH 38/88] Fix usage of ldap_get_values_len for msDS-AdditionalDnsHostName BUG: https://bugzilla.samba.org/show_bug.cgi?id=14406 
@@ -3372,13 +3372,13 @@ index 2684bba63ec..d1ce9cee2f0 100644 return NULL; } -- -2.30.2 +2.33.1 From ec4cfe786d8c3cb67bb0e9224ae1822902c672d3 Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Tue, 15 Dec 2020 15:17:04 +0100 -Subject: [PATCH 39/48] HACK:s3:winbind: Rely on the domain child for online +Subject: [PATCH 39/88] HACK:s3:winbind: Rely on the domain child for online check --- @@ -3435,13 +3435,13 @@ index 6e3277e5529..35b76a367aa 100644 /* Handle online/offline messages. */ -- -2.30.2 +2.33.1 From 958bed1a1e5c9f334a1859bef14f4fe1657c3e49 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Wed, 9 Sep 2020 16:00:52 +0200 -Subject: [PATCH 40/48] s3:smbd: Use fsp al the talloc memory context +Subject: [PATCH 40/88] s3:smbd: Use fsp al the talloc memory context Somehow the lck pointer gets freed before we call TALLOC_FREE(). @@ -3466,13 +3466,13 @@ index de557f53a20..9a24e331ab1 100644 &mtimespec); -- -2.30.2 +2.33.1 From 2591ae5d6a1dbd71391801b7bdf20bd37c8e8375 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Wed, 3 Feb 2021 12:58:31 +0100 -Subject: [PATCH 41/48] Revert "s3:smbd: Use fsp al the talloc memory context" +Subject: [PATCH 41/88] Revert "s3:smbd: Use fsp al the talloc memory context" This reverts commit 958bed1a1e5c9f334a1859bef14f4fe1657c3e49. --- @@ -3493,13 +3493,13 @@ index 9a24e331ab1..de557f53a20 100644 &mtimespec); -- -2.30.2 +2.33.1 From 2438619ec7ef18816f6b92c87a094851223d2bb1 Mon Sep 17 00:00:00 2001 From: Khem Raj Date: Wed, 22 Jul 2020 22:42:09 -0700 -Subject: [PATCH 42/48] nsswitch/nsstest.c: Avoid nss function conflicts with +Subject: [PATCH 42/88] nsswitch/nsstest.c: Avoid nss function conflicts with glibc nss.h glibc 2.32 will define these varibles [1] which results in conflicts @@ -3596,13 +3596,13 @@ index 6d92806cffc..46f96795f39 100644 static void nss_test_errors(void) -- -2.30.2 +2.33.1 From d5410b038bb3b1d31783c0d825dc933497f6eeaa Mon Sep 17 00:00:00 2001 
From: Andreas Schneider Date: Wed, 3 Feb 2021 10:30:08 +0100 -Subject: [PATCH 43/48] lib:util: Add basic memcache unit test +Subject: [PATCH 43/88] lib:util: Add basic memcache unit test BUG: https://bugzilla.samba.org/show_bug.cgi?id=14625 @@ -3772,13 +3772,13 @@ index e7639c4da27..e3f7d9acb4a 100644 [os.path.join(bindir(), "default/libcli/auth/test_ntlm_check")]) plantestsuite("samba.unittests.test_registry_regfio", "none", -- -2.30.2 +2.33.1 From 7f6661b3c60319073d7fd58906b9a3728f421fed Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Wed, 3 Feb 2021 10:37:12 +0100 -Subject: [PATCH 44/48] lib:util: Add cache oversize test for memcache +Subject: [PATCH 44/88] lib:util: Add cache oversize test for memcache BUG: https://bugzilla.samba.org/show_bug.cgi?id=14625 @@ -3856,13 +3856,13 @@ index 00000000000..0a74ace3003 @@ -0,0 +1 @@ +^samba.unittests.memcache.torture_memcache_add_oversize -- -2.30.2 +2.33.1 From 53c7f00510556aea15b640254934e514c1d88c25 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Tue, 2 Feb 2021 18:10:38 +0100 -Subject: [PATCH 45/48] lib:util: Avoid free'ing our own pointer +Subject: [PATCH 45/88] lib:util: Avoid free'ing our own pointer MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -3932,13 +3932,13 @@ index 0a74ace3003..00000000000 @@ -1 +0,0 @@ -^samba.unittests.memcache.torture_memcache_add_oversize -- -2.30.2 +2.33.1 From 138662453fb421609b4fa30487a53a50c085895f Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 5 Nov 2020 15:48:08 -0800 -Subject: [PATCH 46/48] s3: spoolss: Make parameters in call to user_ok_token() +Subject: [PATCH 46/88] s3: spoolss: Make parameters in call to user_ok_token() match all other uses. We already have p->session_info->unix_info->unix_name, we don't @@ -3972,13 +3972,13 @@ index f32b465afb6..c0f1803c2fa 100644 !W_ERROR_IS_OK(print_access_check(p->session_info, p->msg_ctx, -- -2.30.2 +2.33.1 
From 9550eb620ff23fb9f9414c9de596789aae64aef1 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Wed, 11 Nov 2020 13:42:06 +0100 -Subject: [PATCH 47/48] s3:smbd: Fix possible null pointer dereference in +Subject: [PATCH 47/88] s3:smbd: Fix possible null pointer dereference in token_contains_name() BUG: https://bugzilla.samba.org/show_bug.cgi?id=14572 @@ -4008,13 +4008,13 @@ index 0705e197975..64276c79fbe 100644 /* Check if username starts with domain name */ if (domain_len > 0) { -- -2.30.2 +2.33.1 From 49a19805c6837df04dce449841d011fc67e0a7df Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sat, 20 Feb 2021 15:50:12 +0100 -Subject: [PATCH 48/48] passdb: Simplify sids_to_unixids() +Subject: [PATCH 48/88] passdb: Simplify sids_to_unixids() Best reviewed with "git show -b", there's a "continue" statement that changes subsequent indentation. 
@@ -4238,5 +4238,3232 @@ index 1bb15ccb8b4..186ba17fda6 100644 } break; -- -2.30.2 +2.33.1 + + +From 8b39b14dcaf104a2f3172917ef926a3fec5db891 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Thu, 24 Nov 2016 09:12:59 +0100 +Subject: [PATCH 49/88] CVE-2016-2124: s4:libcli/sesssetup: don't fallback to + non spnego authentication if we require kerberos + +We should not send NTLM[v2] data on the wire if the user asked for kerberos +only. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12444 + +Signed-off-by: Stefan Metzmacher +--- + source4/libcli/smb_composite/sesssetup.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/source4/libcli/smb_composite/sesssetup.c b/source4/libcli/smb_composite/sesssetup.c +index 6ee4929e8d7..a0a1f4baa56 100644 +--- a/source4/libcli/smb_composite/sesssetup.c ++++ b/source4/libcli/smb_composite/sesssetup.c +@@ -620,6 +620,8 @@ struct composite_context *smb_composite_sesssetup_send(struct smbcli_session *se + struct composite_context *c; + struct sesssetup_state *state; + NTSTATUS status; ++ enum credentials_use_kerberos krb5_state = ++ cli_credentials_get_kerberos_state(io->in.credentials); + + c = composite_create(session, session->transport->ev); + if (c == NULL) return NULL; +@@ -635,6 +637,10 @@ struct composite_context *smb_composite_sesssetup_send(struct smbcli_session *se + + /* no session setup at all in earliest protocol varients */ + if (session->transport->negotiate.protocol < PROTOCOL_LANMAN1) { ++ if (krb5_state == CRED_MUST_USE_KERBEROS) { ++ composite_error(c, NT_STATUS_NETWORK_CREDENTIAL_CONFLICT); ++ return c; ++ } + ZERO_STRUCT(io->out); + composite_done(c); + return c; +@@ -642,9 +648,17 @@ struct composite_context *smb_composite_sesssetup_send(struct smbcli_session *se + + /* see what session setup interface we will use */ + if (session->transport->negotiate.protocol < PROTOCOL_NT1) { ++ if (krb5_state == CRED_MUST_USE_KERBEROS) { ++ composite_error(c, 
NT_STATUS_NETWORK_CREDENTIAL_CONFLICT); ++ return c; ++ } + status = session_setup_old(c, session, io, &state->req); + } else if (!session->transport->options.use_spnego || + !(io->in.capabilities & CAP_EXTENDED_SECURITY)) { ++ if (krb5_state == CRED_MUST_USE_KERBEROS) { ++ composite_error(c, NT_STATUS_NETWORK_CREDENTIAL_CONFLICT); ++ return c; ++ } + status = session_setup_nt1(c, session, io, &state->req); + } else { + struct tevent_req *subreq = NULL; +-- +2.33.1 + + +From 41cc796909aeade44c4f1e88923936ba4444278e Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Thu, 27 Oct 2016 10:40:28 +0200 +Subject: [PATCH 50/88] CVE-2016-2124: s3:libsmb: don't fallback to non spnego + authentication if we require kerberos + +We should not send NTLM[v2] nor plaintext data on the wire if the user +asked for kerberos only. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12444 + +Signed-off-by: Stefan Metzmacher +--- + source3/libsmb/cliconnect.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c +index 9bba2665663..9a69d4b7217 100644 +--- a/source3/libsmb/cliconnect.c ++++ b/source3/libsmb/cliconnect.c +@@ -1455,6 +1455,13 @@ struct tevent_req *cli_session_setup_creds_send(TALLOC_CTX *mem_ctx, + return req; + } + ++ if (krb5_state == CRED_MUST_USE_KERBEROS) { ++ DBG_WARNING("Kerberos authentication requested, but " ++ "the server does not support SPNEGO authentication\n"); ++ tevent_req_nterror(req, NT_STATUS_NETWORK_CREDENTIAL_CONFLICT); ++ return tevent_req_post(req, ev); ++ } ++ + if (smbXcli_conn_protocol(cli->conn) < PROTOCOL_LANMAN1) { + /* + * SessionSetupAndX was introduced by LANMAN 1.0. 
So we skip +-- +2.33.1 + + +From 3c1688714ea93cdb7c3088b8a5e5da3025e43b42 Mon Sep 17 00:00:00 2001 +From: Ralph Boehme +Date: Sat, 18 Jan 2020 08:06:45 +0100 +Subject: [PATCH 51/88] s3/auth: use set_current_user_info() in + auth3_generate_session_info_pac() + +This delays reloading config slightly, but I don't see how could affect +observable behaviour other then log messages coming from the functions in +between the different locations for lp_load_with_shares() like +make_session_info_krb5() are sent to a different logfile if "log file" uses %U. + +Signed-off-by: Ralph Boehme +Reviewed-by: Andreas Schneider +(cherry picked from commit dc4b1e39ce1f2201a2d6ae2d4cffef2448f69a62) + +[scabrero@samba.org Prerequisite for CVE-2020-25717 backport] +--- + source3/auth/auth_generic.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c +index 167d4e00367..0e9c423efef 100644 +--- a/source3/auth/auth_generic.c ++++ b/source3/auth/auth_generic.c +@@ -159,12 +159,6 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx, + } + } + +- /* setup the string used by %U */ +- sub_set_smb_name(username); +- +- /* reload services so that the new %U is taken into account */ +- lp_load_with_shares(get_dyn_CONFIGFILE()); +- + status = make_session_info_krb5(mem_ctx, + ntuser, ntdomain, username, pw, + info3_copy, is_guest, is_mapped, NULL /* No session key for now, caller will sort it out */, +@@ -176,6 +170,14 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx, + goto done; + } + ++ /* setup the string used by %U */ ++ set_current_user_info((*session_info)->unix_info->sanitized_username, ++ (*session_info)->unix_info->unix_name, ++ (*session_info)->info->domain_name); ++ ++ /* reload services so that the new %U is taken into account */ ++ lp_load_with_shares(get_dyn_CONFIGFILE()); ++ + DEBUG(5, (__location__ "OK: user: %s domain: %s client: 
%s\n", + ntuser, ntdomain, rhost)); + +-- +2.33.1 + + +From cf43f0a90b3025077479d37ad905fe730695e739 Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Thu, 4 Nov 2021 11:51:08 +0100 +Subject: [PATCH 52/88] selftest: Fix ktest usermap file + +The user was not mapped: + +user_in_list: checking user |KTEST/administrator| against |KTEST\Administrator| +The user 'KTEST/administrator' has no mapping. Skip it next time. + +Signed-off-by: Samuel Cabrero + +[scabrero@samba.org Once smb_getpswnam() fallbacks are removed the user + has to be mapped] +--- + selftest/target/Samba3.pm | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm +index 9e4da0e6a08..2eb5003112e 100755 +--- a/selftest/target/Samba3.pm ++++ b/selftest/target/Samba3.pm +@@ -1124,7 +1124,7 @@ sub setup_ktest + + open(USERMAP, ">$prefix/lib/username.map") or die("Unable to open $prefix/lib/username.map"); + print USERMAP " +-$ret->{USERNAME} = KTEST\\Administrator ++$ret->{USERNAME} = KTEST/Administrator + "; + close(USERMAP); + +-- +2.33.1 + + +From 703f43ea7817fa0ab423134a4c40bf9c37f90274 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Tue, 5 Oct 2021 16:42:00 +0200 +Subject: [PATCH 53/88] selftest/Samba3: replace (winbindd => "yes", skip_wait + => 1) with (winbindd => "offline") + +This is much more flexible and concentrates the logic in a single place. + +We'll use winbindd => "offline" in other places soon. 
+ +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14870 +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andrew Bartlett +(cherry picked from commit 4dc3c68c9a28f71888e3d6dd3b1f0bcdb8fa45de) +(cherry picked from commit 89b9cb8b786c3e4eb8691b5363390b68d8228a2d) + +[scabrero@samba.org Backported to 4.10] +--- + selftest/target/Samba3.pm | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm +index 2eb5003112e..bbbefea44b7 100755 +--- a/selftest/target/Samba3.pm ++++ b/selftest/target/Samba3.pm +@@ -1333,7 +1333,7 @@ sub check_or_start($$$$$) { + + $ENV{ENVNAME} = "$ENV{ENVNAME}.winbindd"; + +- if ($winbindd ne "yes") { ++ if ($winbindd ne "yes" and $winbindd ne "offline") { + $SIG{USR1} = $SIG{ALRM} = $SIG{INT} = $SIG{QUIT} = $SIG{TERM} = sub { + my $signame = shift; + print("Skip winbindd received signal $signame"); +@@ -2564,13 +2564,17 @@ sub wait_for_start($$$$$) + } + } + +- if ($winbindd eq "yes") { ++ if ($winbindd eq "yes" or $winbindd eq "offline") { + print "checking for winbindd\n"; + my $count = 0; + $cmd = "SELFTEST_WINBINDD_SOCKET_DIR='$envvars->{SELFTEST_WINBINDD_SOCKET_DIR}' "; + $cmd .= "NSS_WRAPPER_PASSWD='$envvars->{NSS_WRAPPER_PASSWD}' "; + $cmd .= "NSS_WRAPPER_GROUP='$envvars->{NSS_WRAPPER_GROUP}' "; +- $cmd .= Samba::bindir_path($self, "wbinfo") . " --ping-dc"; ++ if ($winbindd eq "yes") { ++ $cmd .= Samba::bindir_path($self, "wbinfo") . " --ping-dc"; ++ } elsif ($winbindd eq "offline") { ++ $cmd .= Samba::bindir_path($self, "wbinfo") . 
" --ping"; ++ } + + do { + if ($ret != 0) { +-- +2.33.1 + + +From eadbcf608a98c8ff90b2d5d91b61fc8100d2cc71 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Fri, 22 Oct 2021 16:20:36 +0200 +Subject: [PATCH 54/88] CVE-2020-25719 CVE-2020-25717: selftest: remove + "gensec:require_pac" settings + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801 +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 + +Signed-off-by: Stefan Metzmacher +--- + selftest/selftest.pl | 2 -- + selftest/target/Samba4.pm | 2 -- + 2 files changed, 4 deletions(-) + +diff --git a/selftest/selftest.pl b/selftest/selftest.pl +index f2968139cfd..8c273951ab3 100755 +--- a/selftest/selftest.pl ++++ b/selftest/selftest.pl +@@ -637,8 +637,6 @@ sub write_clientconf($$$) + client lanman auth = Yes + log level = 1 + torture:basedir = $clientdir +-#We don't want to pass our self-tests if the PAC code is wrong +- gensec:require_pac = true + #We don't want to run 'speed' tests for very long + torture:timelimit = 1 + winbind separator = / +diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm +index a7a6c4c9587..0f644661176 100755 +--- a/selftest/target/Samba4.pm ++++ b/selftest/target/Samba4.pm +@@ -777,8 +777,6 @@ sub provision_raw_step1($$) + notify:inotify = false + ldb:nosync = true + ldap server require strong auth = yes +-#We don't want to pass our self-tests if the PAC code is wrong +- gensec:require_pac = true + log file = $ctx->{logdir}/log.\%m + log level = $ctx->{server_loglevel} + lanman auth = Yes +-- +2.33.1 + + +From 628493ea5f0cda3851ab13a41b8018daa228132b Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Mon, 4 Oct 2021 17:29:34 +0200 +Subject: [PATCH 55/88] CVE-2020-25717: s3:winbindd: make sure we default to + r->out.authoritative = true + +We need to make sure that temporary failures don't trigger a fallback +to the local SAM that silently ignores the domain name part for users. 
+ +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 + +Signed-off-by: Stefan Metzmacher + +[scabrero@samba.org Backported for 4.10 due to no logon_id for +log_authentication() neither is_allowed_domain()] +--- + source3/winbindd/winbindd_dual_srv.c | 7 +++++++ + source3/winbindd/winbindd_irpc.c | 7 +++++++ + source3/winbindd/winbindd_pam.c | 13 ++++++++++--- + source3/winbindd/winbindd_pam_auth_crap.c | 9 ++++++++- + source3/winbindd/winbindd_util.c | 7 +++++++ + 5 files changed, 39 insertions(+), 4 deletions(-) + +diff --git a/source3/winbindd/winbindd_dual_srv.c b/source3/winbindd/winbindd_dual_srv.c +index ab14f5d51a0..0842241e02e 100644 +--- a/source3/winbindd/winbindd_dual_srv.c ++++ b/source3/winbindd/winbindd_dual_srv.c +@@ -928,6 +928,13 @@ NTSTATUS _winbind_SamLogon(struct pipes_struct *p, + union netr_Validation *validation = NULL; + bool interactive = false; + ++ /* ++ * Make sure we start with authoritative=true, ++ * it will only set to false if we don't know the ++ * domain. ++ */ ++ r->out.authoritative = true; ++ + domain = wb_child_domain(); + if (domain == NULL) { + return NT_STATUS_REQUEST_NOT_ACCEPTED; +diff --git a/source3/winbindd/winbindd_irpc.c b/source3/winbindd/winbindd_irpc.c +index 8cbb0b93086..45615c2dc47 100644 +--- a/source3/winbindd/winbindd_irpc.c ++++ b/source3/winbindd/winbindd_irpc.c +@@ -143,6 +143,13 @@ static NTSTATUS wb_irpc_SamLogon(struct irpc_message *msg, + const char *target_domain_name = NULL; + const char *account_name = NULL; + ++ /* ++ * Make sure we start with authoritative=true, ++ * it will only set to false if we don't know the ++ * domain. 
++ */ ++ req->out.authoritative = true; ++ + switch (req->in.logon_level) { + case NetlogonInteractiveInformation: + case NetlogonServiceInformation: +diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c +index 35018fbe284..deed81d0a79 100644 +--- a/source3/winbindd/winbindd_pam.c ++++ b/source3/winbindd/winbindd_pam.c +@@ -1703,7 +1703,7 @@ static NTSTATUS winbindd_dual_pam_auth_samlogon( + unsigned char local_nt_response[24]; + fstring name_namespace, name_domain, name_user; + NTSTATUS result; +- uint8_t authoritative = 0; ++ uint8_t authoritative = 1; + uint32_t flags = 0; + uint16_t validation_level; + union netr_Validation *validation = NULL; +@@ -2238,6 +2238,13 @@ done: + result = NT_STATUS_NO_LOGON_SERVERS; + } + ++ /* ++ * Here we don't alter ++ * state->response->data.auth.authoritative based ++ * on the servers response ++ * as we don't want a fallback to the local sam ++ * for interactive PAM logons ++ */ + set_auth_errors(state->response, result); + + DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2, ("Plain-text authentication for user %s returned %s (PAM: %d)\n", +@@ -2420,7 +2427,7 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain, + const char *name_user = NULL; + const char *name_domain = NULL; + const char *workstation; +- uint8_t authoritative = 0; ++ uint8_t authoritative = 1; + uint32_t flags = 0; + uint16_t validation_level; + union netr_Validation *validation = NULL; +@@ -2482,7 +2489,6 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain, + &validation_level, + &validation); + if (!NT_STATUS_IS_OK(result)) { +- state->response->data.auth.authoritative = authoritative; + goto done; + } + +@@ -2526,6 +2532,7 @@ done: + } + + set_auth_errors(state->response, result); ++ state->response->data.auth.authoritative = authoritative; + + return NT_STATUS_IS_OK(result) ? 
WINBINDD_OK : WINBINDD_ERROR; + } +diff --git a/source3/winbindd/winbindd_pam_auth_crap.c b/source3/winbindd/winbindd_pam_auth_crap.c +index b7912db43df..40cab81b5ea 100644 +--- a/source3/winbindd/winbindd_pam_auth_crap.c ++++ b/source3/winbindd/winbindd_pam_auth_crap.c +@@ -24,6 +24,7 @@ + + struct winbindd_pam_auth_crap_state { + struct winbindd_response *response; ++ bool authoritative; + uint32_t flags; + }; + +@@ -45,7 +46,7 @@ struct tevent_req *winbindd_pam_auth_crap_send( + if (req == NULL) { + return NULL; + } +- ++ state->authoritative = true; + state->flags = request->flags; + + if (state->flags & WBFLAG_PAM_AUTH_PAC) { +@@ -124,6 +125,11 @@ struct tevent_req *winbindd_pam_auth_crap_send( + + domain = find_auth_domain(request->flags, auth_domain); + if (domain == NULL) { ++ /* ++ * We don't know the domain so ++ * we're not authoritative ++ */ ++ state->authoritative = false; + tevent_req_nterror(req, NT_STATUS_NO_SUCH_USER); + return tevent_req_post(req, ev); + } +@@ -184,6 +190,7 @@ NTSTATUS winbindd_pam_auth_crap_recv(struct tevent_req *req, + + if (tevent_req_is_nterror(req, &status)) { + set_auth_errors(response, status); ++ response->data.auth.authoritative = state->authoritative; + return status; + } + +diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c +index 3245c70bb8e..315eb366a52 100644 +--- a/source3/winbindd/winbindd_util.c ++++ b/source3/winbindd/winbindd_util.c +@@ -2062,6 +2062,13 @@ void winbindd_unset_locator_kdc_env(const struct winbindd_domain *domain) + + void set_auth_errors(struct winbindd_response *resp, NTSTATUS result) + { ++ /* ++ * Make sure we start with authoritative=true, ++ * it will only set to false if we don't know the ++ * domain. 
++ */ ++ resp->data.auth.authoritative = true; ++ + resp->data.auth.nt_status = NT_STATUS_V(result); + fstrcpy(resp->data.auth.nt_status_string, nt_errstr(result)); + +-- +2.33.1 + + +From fc3b3940208c2f03ea3aeb4b6f7e609fa9f90648 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Mon, 4 Oct 2021 17:29:34 +0200 +Subject: [PATCH 56/88] CVE-2020-25717: s4:auth/ntlm: make sure + auth_check_password() defaults to r->out.authoritative = true + +We need to make sure that temporary failures don't trigger a fallback +to the local SAM that silently ignores the domain name part for users. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 + +Signed-off-by: Stefan Metzmacher +--- + source4/auth/ntlm/auth.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c +index 3a3fa7eaa59..f754bd5cd44 100644 +--- a/source4/auth/ntlm/auth.c ++++ b/source4/auth/ntlm/auth.c +@@ -169,6 +169,11 @@ _PUBLIC_ NTSTATUS auth_check_password(struct auth4_context *auth_ctx, + /*TODO: create a new event context here! */ + ev = auth_ctx->event_ctx; + ++ /* ++ * We are authoritative by default ++ */ ++ *pauthoritative = 1; ++ + subreq = auth_check_password_send(mem_ctx, + ev, + auth_ctx, +-- +2.33.1 + + +From ecd3a8af56dcd1aad43999a253175aa04b298eef Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Tue, 26 Oct 2021 17:42:41 +0200 +Subject: [PATCH 57/88] CVE-2020-25717: s4:torture: start with authoritative = + 1 + +This is not strictly needed, but makes it easier to audit +that we don't miss important places. 
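Review bot: set_auth_errors() now unconditionally writes `resp->data.auth.authoritative = true`, which silently discards any value a caller stored in that field before calling the helper. The two callers touched by this patch (winbindd_dual_pam_auth_crap() and winbindd_pam_auth_crap_recv()) cope by assigning `authoritative` only after the call, but the helper itself does not document that ordering requirement, so a later refactor that moves the assignment back before set_auth_errors() would quietly re-enable the local-SAM fallback. Add a line to the new comment: `* NOTE: callers that need authoritative=false must assign it AFTER this call.`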
+ +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 + +Signed-off-by: Stefan Metzmacher +--- + source4/torture/rpc/samlogon.c | 4 ++-- + source4/torture/rpc/schannel.c | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/source4/torture/rpc/samlogon.c b/source4/torture/rpc/samlogon.c +index e689dfd5e98..957cb410712 100644 +--- a/source4/torture/rpc/samlogon.c ++++ b/source4/torture/rpc/samlogon.c +@@ -1385,7 +1385,7 @@ static bool test_SamLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, + + union netr_LogonLevel logon; + union netr_Validation validation; +- uint8_t authoritative = 0; ++ uint8_t authoritative = 1; + uint32_t flags = 0; + + ZERO_STRUCT(logon); +@@ -1498,7 +1498,7 @@ bool test_InteractiveLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, + + union netr_LogonLevel logon; + union netr_Validation validation; +- uint8_t authoritative = 0; ++ uint8_t authoritative = 1; + struct dcerpc_binding_handle *b = p->binding_handle; + + ZERO_STRUCT(a); +diff --git a/source4/torture/rpc/schannel.c b/source4/torture/rpc/schannel.c +index c237c82bbe7..72d0bf28fdd 100644 +--- a/source4/torture/rpc/schannel.c ++++ b/source4/torture/rpc/schannel.c +@@ -50,7 +50,7 @@ bool test_netlogon_ex_ops(struct dcerpc_pipe *p, struct torture_context *tctx, + struct netr_NetworkInfo ninfo; + union netr_LogonLevel logon; + union netr_Validation validation; +- uint8_t authoritative = 0; ++ uint8_t authoritative = 1; + uint32_t _flags = 0; + DATA_BLOB names_blob, chal, lm_resp, nt_resp; + int i; +-- +2.33.1 + + +From 3feb493c3dd5383712a41729ed6f770695acb8b7 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Tue, 26 Oct 2021 17:42:41 +0200 +Subject: [PATCH 58/88] CVE-2020-25717: s4:smb_server: start with authoritative + = 1 + +This is not strictly needed, but makes it easier to audit +that we don't miss important places. 
+ +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 + +Signed-off-by: Stefan Metzmacher +--- + source4/smb_server/smb/sesssetup.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/source4/smb_server/smb/sesssetup.c b/source4/smb_server/smb/sesssetup.c +index 13f13934412..5e817eecd4b 100644 +--- a/source4/smb_server/smb/sesssetup.c ++++ b/source4/smb_server/smb/sesssetup.c +@@ -102,7 +102,7 @@ static void sesssetup_old_send(struct tevent_req *subreq) + struct auth_session_info *session_info; + struct smbsrv_session *smb_sess; + NTSTATUS status; +- uint8_t authoritative = 0; ++ uint8_t authoritative = 1; + uint32_t flags; + + status = auth_check_password_recv(subreq, req, &user_info_dc, +@@ -243,7 +243,7 @@ static void sesssetup_nt1_send(struct tevent_req *subreq) + struct auth_user_info_dc *user_info_dc = NULL; + struct auth_session_info *session_info; + struct smbsrv_session *smb_sess; +- uint8_t authoritative = 0; ++ uint8_t authoritative = 1; + uint32_t flags; + NTSTATUS status; + +-- +2.33.1 + + +From e1a1787d1d3b64adc743eab4f626068b438d0e5c Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Tue, 26 Oct 2021 17:42:41 +0200 +Subject: [PATCH 59/88] CVE-2020-25717: s4:auth_simple: start with + authoritative = 1 + +This is not strictly needed, but makes it easier to audit +that we don't miss important places. 
+ +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 + +Signed-off-by: Stefan Metzmacher +--- + source4/auth/ntlm/auth_simple.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/source4/auth/ntlm/auth_simple.c b/source4/auth/ntlm/auth_simple.c +index fcd9050979d..da8f094a838 100644 +--- a/source4/auth/ntlm/auth_simple.c ++++ b/source4/auth/ntlm/auth_simple.c +@@ -150,7 +150,7 @@ static void authenticate_ldap_simple_bind_done(struct tevent_req *subreq) + const struct tsocket_address *local_address = user_info->local_host; + const char *transport_protection = AUTHZ_TRANSPORT_PROTECTION_NONE; + struct auth_user_info_dc *user_info_dc = NULL; +- uint8_t authoritative = 0; ++ uint8_t authoritative = 1; + uint32_t flags = 0; + NTSTATUS nt_status; + +-- +2.33.1 + + +From e09409714301455ba7bbed1d80a9c90c05257aaf Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Tue, 26 Oct 2021 17:42:41 +0200 +Subject: [PATCH 60/88] CVE-2020-25717: s3:ntlm_auth: start with authoritative + = 1 + +This is not strictly needed, but makes it easier to audit +that we don't miss important places. 
+ +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 + +Signed-off-by: Stefan Metzmacher +--- + source3/utils/ntlm_auth.c | 4 ++-- + source3/utils/ntlm_auth_diagnostics.c | 10 +++++----- + 2 files changed, 7 insertions(+), 7 deletions(-) + +diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c +index 36c32e4a3dc..3f70732a837 100644 +--- a/source3/utils/ntlm_auth.c ++++ b/source3/utils/ntlm_auth.c +@@ -1766,7 +1766,7 @@ static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mod + TALLOC_FREE(mem_ctx); + + } else { +- uint8_t authoritative = 0; ++ uint8_t authoritative = 1; + + if (!domain) { + domain = smb_xstrdup(get_winbind_domain()); +@@ -2235,7 +2235,7 @@ static bool check_auth_crap(void) + char *hex_lm_key; + char *hex_user_session_key; + char *error_string; +- uint8_t authoritative = 0; ++ uint8_t authoritative = 1; + + setbuf(stdout, NULL); + +diff --git a/source3/utils/ntlm_auth_diagnostics.c b/source3/utils/ntlm_auth_diagnostics.c +index 41591a8de33..fc0fc19bacb 100644 +--- a/source3/utils/ntlm_auth_diagnostics.c ++++ b/source3/utils/ntlm_auth_diagnostics.c +@@ -54,7 +54,7 @@ static bool test_lm_ntlm_broken(enum ntlm_break break_which) + DATA_BLOB lm_response = data_blob(NULL, 24); + DATA_BLOB nt_response = data_blob(NULL, 24); + DATA_BLOB session_key = data_blob(NULL, 16); +- uint8_t authoritative = 0; ++ uint8_t authoritative = 1; + uchar lm_key[8]; + uchar user_session_key[16]; + uchar lm_hash[16]; +@@ -177,7 +177,7 @@ static bool test_ntlm_in_lm(void) + NTSTATUS nt_status; + uint32_t flags = 0; + DATA_BLOB nt_response = data_blob(NULL, 24); +- uint8_t authoritative = 0; ++ uint8_t authoritative = 1; + uchar lm_key[8]; + uchar lm_hash[16]; + uchar user_session_key[16]; +@@ -245,7 +245,7 @@ static bool test_ntlm_in_both(void) + uint32_t flags = 0; + DATA_BLOB nt_response = data_blob(NULL, 24); + DATA_BLOB session_key = data_blob(NULL, 16); +- uint8_t authoritative = 0; ++ uint8_t authoritative = 1; + uint8_t 
lm_key[8]; + uint8_t lm_hash[16]; + uint8_t user_session_key[16]; +@@ -322,7 +322,7 @@ static bool test_lmv2_ntlmv2_broken(enum ntlm_break break_which) + DATA_BLOB lmv2_response = data_blob_null; + DATA_BLOB ntlmv2_session_key = data_blob_null; + DATA_BLOB names_blob = NTLMv2_generate_names_blob(NULL, get_winbind_netbios_name(), get_winbind_domain()); +- uint8_t authoritative = 0; ++ uint8_t authoritative = 1; + uchar user_session_key[16]; + DATA_BLOB chall = get_challenge(); + char *error_string; +@@ -452,7 +452,7 @@ static bool test_plaintext(enum ntlm_break break_which) + char *password; + smb_ucs2_t *nt_response_ucs2; + size_t converted_size; +- uint8_t authoritative = 0; ++ uint8_t authoritative = 1; + uchar user_session_key[16]; + uchar lm_key[16]; + static const uchar zeros[8] = { 0, }; +-- +2.33.1 + + +From 26570ee2e981cc5d44eeeed020a051a4771470fe Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Tue, 26 Oct 2021 17:42:41 +0200 +Subject: [PATCH 61/88] CVE-2020-25717: s3:torture: start with authoritative = + 1 + +This is not strictly needed, but makes it easier to audit +that we don't miss important places. 
+ +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 + +Signed-off-by: Stefan Metzmacher + +[scabrero@samba.org Backported to 4.10 due to missing commit +a5548af018643f2e78c482e33ef0e6073db149e4 to check return value +of SMBOWFencrypt()] +--- + source3/torture/pdbtest.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/source3/torture/pdbtest.c b/source3/torture/pdbtest.c +index 64bc45e6a7c..48190e78bf8 100644 +--- a/source3/torture/pdbtest.c ++++ b/source3/torture/pdbtest.c +@@ -277,7 +277,7 @@ static bool test_auth(TALLOC_CTX *mem_ctx, struct samu *pdb_entry) + struct netr_SamInfo6 *info6_wbc = NULL; + NTSTATUS status; + bool ok; +- uint8_t authoritative = 0; ++ uint8_t authoritative = 1; + + SMBOWFencrypt(pdb_get_nt_passwd(pdb_entry), challenge_8, + local_nt_response); +-- +2.33.1 + + +From 36af26aac042ce48ae912d0ab7ce398280d81c93 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Tue, 26 Oct 2021 17:42:41 +0200 +Subject: [PATCH 62/88] CVE-2020-25717: s3:rpcclient: start with authoritative + = 1 + +This is not strictly needed, but makes it easier to audit +that we don't miss important places. 
+ +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 + +Signed-off-by: Stefan Metzmacher +--- + source3/rpcclient/cmd_netlogon.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c +index 631740562c6..30fa1ed7816 100644 +--- a/source3/rpcclient/cmd_netlogon.c ++++ b/source3/rpcclient/cmd_netlogon.c +@@ -496,7 +496,7 @@ static NTSTATUS cmd_netlogon_sam_logon(struct rpc_pipe_client *cli, + uint32_t logon_param = 0; + const char *workstation = NULL; + struct netr_SamInfo3 *info3 = NULL; +- uint8_t authoritative = 0; ++ uint8_t authoritative = 1; + uint32_t flags = 0; + uint16_t validation_level; + union netr_Validation *validation = NULL; +-- +2.33.1 + + +From 8eec50d65a10baa4e282c4a833c3cb202cd33255 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Tue, 26 Oct 2021 17:42:41 +0200 +Subject: [PATCH 63/88] CVE-2020-25717: s3:auth: start with authoritative = 1 + +This is not strictly needed, but makes it easier to audit +that we don't miss important places. 
+ +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 + +Signed-off-by: Stefan Metzmacher + +[scabrero@samba.org Backported to 4.10 due to missing commits +7f75dec865256049e99f7fcf46317cd2d53e95d1 and +434030ba711e677fdd167a255d05c1cd4db943b7] +--- + source3/auth/auth_generic.c | 2 +- + source3/auth/auth_samba4.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c +index 0e9c423efef..4ef2270cb34 100644 +--- a/source3/auth/auth_generic.c ++++ b/source3/auth/auth_generic.c +@@ -415,7 +415,7 @@ NTSTATUS auth_check_password_session_info(struct auth4_context *auth_context, + { + NTSTATUS nt_status; + void *server_info; +- uint8_t authoritative = 0; ++ uint8_t authoritative = 1; + + if (auth_context->check_ntlm_password_send != NULL) { + struct tevent_context *ev = NULL; +diff --git a/source3/auth/auth_samba4.c b/source3/auth/auth_samba4.c +index a71c75631d7..bf7ccb4348c 100644 +--- a/source3/auth/auth_samba4.c ++++ b/source3/auth/auth_samba4.c +@@ -118,7 +118,7 @@ static NTSTATUS check_samba4_security(const struct auth_context *auth_context, + NTSTATUS nt_status; + struct auth_user_info_dc *user_info_dc; + struct auth4_context *auth4_context; +- uint8_t authoritative = 0; ++ uint8_t authoritative = 1; + + nt_status = make_auth4_context_s4(auth_context, mem_ctx, &auth4_context); + if (!NT_STATUS_IS_OK(nt_status)) { +-- +2.33.1 + + +From 46bc67c24c83940ef56cfa5dbbdb8544c290f200 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Tue, 26 Oct 2021 17:42:41 +0200 +Subject: [PATCH 64/88] CVE-2020-25717: auth/ntlmssp: start with authoritative + = 1 + +This is not strictly needed, but makes it easier to audit +that we don't miss important places. 
+ +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 + +Signed-off-by: Stefan Metzmacher +--- + auth/ntlmssp/ntlmssp_server.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/auth/ntlmssp/ntlmssp_server.c b/auth/ntlmssp/ntlmssp_server.c +index 140e89daeb1..eebada670be 100644 +--- a/auth/ntlmssp/ntlmssp_server.c ++++ b/auth/ntlmssp/ntlmssp_server.c +@@ -830,7 +830,7 @@ static void ntlmssp_server_auth_done(struct tevent_req *subreq) + struct gensec_security *gensec_security = state->gensec_security; + struct gensec_ntlmssp_context *gensec_ntlmssp = state->gensec_ntlmssp; + struct auth4_context *auth_context = gensec_security->auth_context; +- uint8_t authoritative = 0; ++ uint8_t authoritative = 1; + NTSTATUS status; + + status = auth_context->check_ntlm_password_recv(subreq, +-- +2.33.1 + + +From 986642f066c3fdf187a8799898196a23cb9d532c Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Tue, 28 Sep 2021 10:43:40 +0200 +Subject: [PATCH 65/88] CVE-2020-25717: loadparm: Add new parameter "min domain + uid" + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801 +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 + +Pair-Programmed-With: Stefan Metzmacher + +Signed-off-by: Samuel Cabrero +Signed-off-by: Stefan Metzmacher + +[abartlet@samba.org Backported from master/4.15 due to + conflicts with other new parameters] +--- + docs-xml/smbdotconf/security/mindomainuid.xml | 17 +++++++++++++++++ + docs-xml/smbdotconf/winbind/idmapconfig.xml | 4 ++++ + lib/param/loadparm.c | 4 ++++ + source3/param/loadparm.c | 2 ++ + 4 files changed, 27 insertions(+) + create mode 100644 docs-xml/smbdotconf/security/mindomainuid.xml + +diff --git a/docs-xml/smbdotconf/security/mindomainuid.xml b/docs-xml/smbdotconf/security/mindomainuid.xml +new file mode 100644 +index 00000000000..46ae795d730 +--- /dev/null ++++ b/docs-xml/smbdotconf/security/mindomainuid.xml +@@ -0,0 +1,17 @@ ++ ++ ++ ++ The integer parameter specifies the minimum uid allowed when mapping a 
++ local account to a domain account. ++ ++ ++ ++ Note that this option interacts with the configured idmap ranges! ++ ++ ++ ++1000 ++ +diff --git a/docs-xml/smbdotconf/winbind/idmapconfig.xml b/docs-xml/smbdotconf/winbind/idmapconfig.xml +index 1374040fb29..f70f11df757 100644 +--- a/docs-xml/smbdotconf/winbind/idmapconfig.xml ++++ b/docs-xml/smbdotconf/winbind/idmapconfig.xml +@@ -80,6 +80,9 @@ + authoritative for a unix ID to SID mapping, so it must be set + for each individually configured domain and for the default + configuration. The configured ranges must be mutually disjoint. ++ ++ ++ Note that the low value interacts with the option! + + + +@@ -115,4 +118,5 @@ + + + ++min domain uid + +diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c +index 4c3dfff24f3..4aa91f4d404 100644 +--- a/lib/param/loadparm.c ++++ b/lib/param/loadparm.c +@@ -3015,6 +3015,10 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) + lpcfg_do_global_parameter( + lp_ctx, "ldap max search request size", "256000"); + ++ lpcfg_do_global_parameter(lp_ctx, ++ "min domain uid", ++ "1000"); ++ + for (i = 0; parm_table[i].label; i++) { + if (!(lp_ctx->flags[i] & FLAG_CMDLINE)) { + lp_ctx->flags[i] |= FLAG_DEFAULT; +diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c +index 0db44e92d19..57d1d909099 100644 +--- a/source3/param/loadparm.c ++++ b/source3/param/loadparm.c +@@ -963,6 +963,8 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals) + Globals.ldap_max_authenticated_request_size = 16777216; + Globals.ldap_max_search_request_size = 256000; + ++ Globals.min_domain_uid = 1000; ++ + /* Now put back the settings that were set with lp_set_cmdline() */ + apply_lp_set_cmdline(); + } +-- +2.33.1 + + +From 16fa6601a3517c723e90dfb8b1a086df2616e668 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Fri, 8 Oct 2021 19:57:18 +0200 +Subject: [PATCH 66/88] CVE-2020-25717: s3:auth: let + auth3_generate_session_info_pac() forward the low level 
errors + +Mapping everything to ACCESS_DENIED makes it hard to debug problems, +which may happen because of our more restrictive behaviour in future. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801 +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 + +Signed-off-by: Stefan Metzmacher +--- + source3/auth/auth_generic.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c +index 4ef2270cb34..26a38f92b30 100644 +--- a/source3/auth/auth_generic.c ++++ b/source3/auth/auth_generic.c +@@ -166,7 +166,7 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx, + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Failed to map kerberos pac to server info (%s)\n", + nt_errstr(status))); +- status = NT_STATUS_ACCESS_DENIED; ++ status = nt_status_squash(status); + goto done; + } + +-- +2.33.1 + + +From 10a4bdbe4a16fec1bd9b212736a9d26500e0981e Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Tue, 28 Sep 2021 10:45:11 +0200 +Subject: [PATCH 67/88] CVE-2020-25717: s3:auth: Check minimum domain uid + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801 +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 + +Pair-Programmed-With: Stefan Metzmacher + +Signed-off-by: Samuel Cabrero +Signed-off-by: Stefan Metzmacher +--- + source3/auth/auth_util.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c +index 8ff20c33759..8801d3f0f0b 100644 +--- a/source3/auth/auth_util.c ++++ b/source3/auth/auth_util.c +@@ -2078,6 +2078,22 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, + } + } + goto out; ++ } else if ((lp_security() == SEC_ADS || lp_security() == SEC_DOMAIN) && ++ !is_myname(domain) && pwd->pw_uid < lp_min_domain_uid()) { ++ /* ++ * !is_myname(domain) because when smbd starts tries to setup ++ * the guest user info, calling this function with nobody ++ * username. 
Nobody is usually uid 65535 but it can be changed ++ * to a regular user with 'guest account' parameter ++ */ ++ nt_status = NT_STATUS_INVALID_TOKEN; ++ DBG_NOTICE("Username '%s%s%s' is invalid on this system, " ++ "it does not meet 'min domain uid' " ++ "restriction (%u < %u): %s\n", ++ nt_domain, lp_winbind_separator(), nt_username, ++ pwd->pw_uid, lp_min_domain_uid(), ++ nt_errstr(nt_status)); ++ goto out; + } + + result = make_server_info(tmp_ctx); +-- +2.33.1 + + +From 58bea3837cfbeba5cd5c56060a42117fffedbda4 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Fri, 8 Oct 2021 17:40:30 +0200 +Subject: [PATCH 68/88] CVE-2020-25717: s3:auth: we should not try to + autocreate the guest account + +We should avoid autocreation of users as much as possible. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801 +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 + +Signed-off-by: Stefan Metzmacher +--- + source3/auth/user_krb5.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c +index 8998f9c8f8a..074e8c7eb71 100644 +--- a/source3/auth/user_krb5.c ++++ b/source3/auth/user_krb5.c +@@ -155,7 +155,7 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx, + if (!fuser) { + return NT_STATUS_NO_MEMORY; + } +- pw = smb_getpwnam(mem_ctx, fuser, &unixuser, true); ++ pw = smb_getpwnam(mem_ctx, fuser, &unixuser, false); + } + + /* extra sanity check that the guest account is valid */ +-- +2.33.1 + + +From e78afbcff415d78cb29b65204fefeb0355d6651e Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Fri, 8 Oct 2021 18:08:20 +0200 +Subject: [PATCH 69/88] CVE-2020-25717: s3:auth: no longer let check_account() + autocreate local users + +So far we autocreated local user accounts based on just the +account_name (just ignoring any domain part). 
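Review bot: The new branch compares `pwd->pw_uid < lp_min_domain_uid()`, mixing `uid_t` with what is presumably an `int` accessor for an integer parameter; a negative `min domain uid` is converted to a large unsigned value and every domain user is rejected, and the `%u` in the DBG_NOTICE then formats that `int` as unsigned. Read the parameter into a checked local first, `int min_uid = lp_min_domain_uid();`, reject `min_uid < 0` (or treat it as 0) with its own message, and compare `pwd->pw_uid < (uid_t)min_uid` so the fail-closed behaviour on misconfiguration is explicit rather than accidental. The comment also only explains `!is_myname(domain)`; it should say why the check is limited to `SEC_ADS`/`SEC_DOMAIN` (DC and standalone roles allocate local uids themselves). make_server_info_info3() starts and ends outside the hunk.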
+ +This only happens via a possible 'add user script', +which is not typically defined on domain members +and on NT4 DCs local users already exist in the +local passdb anyway. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801 + +Signed-off-by: Stefan Metzmacher +--- + source3/auth/auth_util.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c +index 8801d3f0f0b..6ee500493e6 100644 +--- a/source3/auth/auth_util.c ++++ b/source3/auth/auth_util.c +@@ -1873,7 +1873,7 @@ static NTSTATUS check_account(TALLOC_CTX *mem_ctx, const char *domain, + return NT_STATUS_NO_MEMORY; + } + +- passwd = smb_getpwnam(mem_ctx, dom_user, &real_username, true ); ++ passwd = smb_getpwnam(mem_ctx, dom_user, &real_username, false); + if (!passwd) { + DEBUG(3, ("Failed to find authenticated user %s via " + "getpwnam(), denying access.\n", dom_user)); +-- +2.33.1 + + +From a3ffab81c235aae479262cca73cf4361f76f7f9d Mon Sep 17 00:00:00 2001 +From: Ralph Boehme +Date: Fri, 8 Oct 2021 12:33:16 +0200 +Subject: [PATCH 70/88] CVE-2020-25717: s3:auth: remove fallbacks in + smb_getpwnam() + +So far we tried getpwnam("DOMAIN\account") first and +always did a fallback to getpwnam("account") completely +ignoring the domain part, this just causes problems +as we mix "DOMAIN1\account", "DOMAIN2\account", +and "account"! + +As we require a running winbindd for domain member setups +we should no longer do a fallback to just "account" for +users served by winbindd! + +For users of the local SAM don't use this code path, +as check_sam_security() doesn't call check_account(). + +The only case where smb_getpwnam("account") happens is +when map_username() via ("username map [script]") mapped +"DOMAIN\account" to something without '\', but that is +explicitly desired by the admin. 
+ +Note: use 'git show -w' + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801 +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 + +Pair-Programmed-With: Stefan Metzmacher + +Signed-off-by: Ralph Boehme +Signed-off-by: Stefan Metzmacher +--- + source3/auth/auth_util.c | 77 ++++++++++++++++++++++------------------ + 1 file changed, 42 insertions(+), 35 deletions(-) + +diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c +index 6ee500493e6..161e05c2106 100644 +--- a/source3/auth/auth_util.c ++++ b/source3/auth/auth_util.c +@@ -1908,7 +1908,7 @@ struct passwd *smb_getpwnam( TALLOC_CTX *mem_ctx, const char *domuser, + { + struct passwd *pw = NULL; + char *p = NULL; +- char *username = NULL; ++ const char *username = NULL; + + /* we only save a copy of the username it has been mangled + by winbindd use default domain */ +@@ -1927,48 +1927,55 @@ struct passwd *smb_getpwnam( TALLOC_CTX *mem_ctx, const char *domuser, + /* code for a DOMAIN\user string */ + + if ( p ) { +- pw = Get_Pwnam_alloc( mem_ctx, domuser ); +- if ( pw ) { +- /* make sure we get the case of the username correct */ +- /* work around 'winbind use default domain = yes' */ +- +- if ( lp_winbind_use_default_domain() && +- !strchr_m( pw->pw_name, *lp_winbind_separator() ) ) { +- char *domain; +- +- /* split the domain and username into 2 strings */ +- *p = '\0'; +- domain = username; +- +- *p_save_username = talloc_asprintf(mem_ctx, +- "%s%c%s", +- domain, +- *lp_winbind_separator(), +- pw->pw_name); +- if (!*p_save_username) { +- TALLOC_FREE(pw); +- return NULL; +- } +- } else { +- *p_save_username = talloc_strdup(mem_ctx, pw->pw_name); +- } ++ const char *domain = NULL; + +- /* whew -- done! 
*/ +- return pw; ++ /* split the domain and username into 2 strings */ ++ *p = '\0'; ++ domain = username; ++ p++; ++ username = p; ++ ++ if (strequal(domain, get_global_sam_name())) { ++ /* ++ * This typically don't happen ++ * as check_sam_Security() ++ * don't call make_server_info_info3() ++ * and thus check_account(). ++ * ++ * But we better keep this. ++ */ ++ goto username_only; + } + +- /* setup for lookup of just the username */ +- /* remember that p and username are overlapping memory */ +- +- p++; +- username = talloc_strdup(mem_ctx, p); +- if (!username) { ++ pw = Get_Pwnam_alloc( mem_ctx, domuser ); ++ if (pw == NULL) { + return NULL; + } ++ /* make sure we get the case of the username correct */ ++ /* work around 'winbind use default domain = yes' */ ++ ++ if ( lp_winbind_use_default_domain() && ++ !strchr_m( pw->pw_name, *lp_winbind_separator() ) ) { ++ *p_save_username = talloc_asprintf(mem_ctx, ++ "%s%c%s", ++ domain, ++ *lp_winbind_separator(), ++ pw->pw_name); ++ if (!*p_save_username) { ++ TALLOC_FREE(pw); ++ return NULL; ++ } ++ } else { ++ *p_save_username = talloc_strdup(mem_ctx, pw->pw_name); ++ } ++ ++ /* whew -- done! */ ++ return pw; ++ + } + + /* just lookup a plain username */ +- ++username_only: + pw = Get_Pwnam_alloc(mem_ctx, username); + + /* Create local user if requested but only if winbindd +-- +2.33.1 + + +From 9a1bb168388205f5a2bfa459a5da63c5046eaa7a Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Mon, 4 Oct 2021 18:03:55 +0200 +Subject: [PATCH 71/88] CVE-2020-25717: s3:auth: don't let create_local_token + depend on !winbind_ping() + +We always require a running winbindd on a domain member, so +we should better fail a request instead of silently alter +the behaviour, which results in a different unix token, just +because winbindd might be restarted. 
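Review bot: After the rewrite, `pw = Get_Pwnam_alloc( mem_ctx, domuser ); if (pw == NULL) { return NULL; }` is the point where the old fallback to a bare `account` lookup disappeared, but nothing at that line says so; a reader who only sees the code will not know whether the missing fallback is deliberate. Add a comment above the call: `/* DOMAIN\user is resolved by winbindd or not at all: no fallback to the bare account name (CVE-2020-25717) */`. The `strequal(domain, get_global_sam_name())` early-out is now the only path that drops the domain part, which the `username_only:` label could also state in one line. The function's header comment precedes the hunk and, if it still describes the fallback, needs the same update; the remainder of smb_getpwnam() continues past the hunk.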
+ +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801 +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 + +Signed-off-by: Stefan Metzmacher +--- + source3/auth/auth_util.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c +index 161e05c2106..c0e5cfd7fa8 100644 +--- a/source3/auth/auth_util.c ++++ b/source3/auth/auth_util.c +@@ -551,13 +551,11 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx, + } + + /* +- * If winbind is not around, we can not make much use of the SIDs the +- * domain controller provided us with. Likewise if the user name was +- * mapped to some local unix user. ++ * If the user name was mapped to some local unix user, ++ * we can not make much use of the SIDs the ++ * domain controller provided us with. + */ +- +- if (((lp_server_role() == ROLE_DOMAIN_MEMBER) && !winbind_ping()) || +- (server_info->nss_token)) { ++ if (server_info->nss_token) { + char *found_username = NULL; + status = create_token_from_username(session_info, + server_info->unix_name, +-- +2.33.1 + + +From bbe5c6693ba6954dab5bfef9f8c3778164cd879e Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Wed, 11 Nov 2020 18:50:45 +0200 +Subject: [PATCH 72/88] CVE-2020-25717: Add FreeIPA domain controller role + +As we want to reduce use of 'classic domain controller' role but FreeIPA +relies on it internally, add a separate role to mark FreeIPA domain +controller role. + +It means that role won't result in ROLE_STANDALONE. 
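Review bot: With the `!winbind_ping()` clause gone, a domain member whose winbindd is down no longer takes the `create_token_from_username()` path, so the fail-closed behaviour the commit message promises now rests entirely on the code below this hunk, which is not visible here. The rewritten comment only explains the nss_token case; it should also record the new invariant, e.g. `/* On a domain member a running winbindd is mandatory; never fall back to a locally built token when it is unreachable. */`. create_local_token continues outside the hunk, so I cannot confirm which status the remaining path returns when winbindd is absent.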
+ +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801 +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 + +Pair-Programmed-With: Stefan Metzmacher + +Signed-off-by: Alexander Bokovoy +Signed-off-by: Stefan Metzmacher + +[abartlet@samba.org Backported due to conflict with DEBUG + statements and IPA branding changes in comments] +--- + docs-xml/smbdotconf/security/serverrole.xml | 7 ++++ + lib/param/loadparm_server_role.c | 2 ++ + lib/param/param_table.c | 1 + + lib/param/util.c | 1 + + libcli/netlogon/netlogon.c | 2 +- + libds/common/roles.h | 1 + + source3/auth/auth.c | 3 ++ + source3/auth/auth_sam.c | 2 ++ + source3/include/smb_macros.h | 2 +- + source3/lib/netapi/joindomain.c | 1 + + source3/param/loadparm.c | 4 ++- + source3/passdb/lookup_sid.c | 1 - + source3/passdb/machine_account_secrets.c | 7 ++-- + source3/registry/reg_backend_prod_options.c | 1 + + source3/rpc_server/dssetup/srv_dssetup_nt.c | 1 + + source3/smbd/server.c | 2 +- + source3/winbindd/winbindd_misc.c | 2 +- + source3/winbindd/winbindd_util.c | 40 ++++++++++++++++----- + source4/auth/ntlm/auth.c | 1 + + source4/kdc/kdc-heimdal.c | 1 + + source4/rpc_server/samr/dcesrv_samr.c | 2 ++ + 21 files changed, 65 insertions(+), 19 deletions(-) + +diff --git a/docs-xml/smbdotconf/security/serverrole.xml b/docs-xml/smbdotconf/security/serverrole.xml +index 9511c61c96d..b8b83a127b5 100644 +--- a/docs-xml/smbdotconf/security/serverrole.xml ++++ b/docs-xml/smbdotconf/security/serverrole.xml +@@ -78,6 +78,13 @@ + url="http://wiki.samba.org/index.php/Samba4/HOWTO">Samba4 + HOWTO + ++ SERVER ROLE = IPA DOMAIN CONTROLLER ++ ++ This mode of operation runs Samba in a hybrid mode for IPA ++ domain controller, providing forest trust to Active Directory. ++ This role requires special configuration performed by IPA installers ++ and should not be used manually by any administrator. 
++ + + + security +diff --git a/lib/param/loadparm_server_role.c b/lib/param/loadparm_server_role.c +index 7a6bc770723..a78d1ab9cf3 100644 +--- a/lib/param/loadparm_server_role.c ++++ b/lib/param/loadparm_server_role.c +@@ -42,6 +42,7 @@ static const struct srv_role_tab { + { ROLE_DOMAIN_BDC, "ROLE_DOMAIN_BDC" }, + { ROLE_DOMAIN_PDC, "ROLE_DOMAIN_PDC" }, + { ROLE_ACTIVE_DIRECTORY_DC, "ROLE_ACTIVE_DIRECTORY_DC" }, ++ { ROLE_IPA_DC, "ROLE_IPA_DC"}, + { 0, NULL } + }; + +@@ -140,6 +141,7 @@ bool lp_is_security_and_server_role_valid(int server_role, int security) + case ROLE_DOMAIN_PDC: + case ROLE_DOMAIN_BDC: + case ROLE_ACTIVE_DIRECTORY_DC: ++ case ROLE_IPA_DC: + if (security == SEC_USER) { + valid = true; + } +diff --git a/lib/param/param_table.c b/lib/param/param_table.c +index f9d3b55adf2..aed205d1944 100644 +--- a/lib/param/param_table.c ++++ b/lib/param/param_table.c +@@ -100,6 +100,7 @@ static const struct enum_list enum_server_role[] = { + {ROLE_ACTIVE_DIRECTORY_DC, "active directory domain controller"}, + {ROLE_ACTIVE_DIRECTORY_DC, "domain controller"}, + {ROLE_ACTIVE_DIRECTORY_DC, "dc"}, ++ {ROLE_IPA_DC, "IPA primary domain controller"}, + {-1, NULL} + }; + +diff --git a/lib/param/util.c b/lib/param/util.c +index cd8e74b9d8f..9a0fc102de8 100644 +--- a/lib/param/util.c ++++ b/lib/param/util.c +@@ -255,6 +255,7 @@ const char *lpcfg_sam_name(struct loadparm_context *lp_ctx) + case ROLE_DOMAIN_BDC: + case ROLE_DOMAIN_PDC: + case ROLE_ACTIVE_DIRECTORY_DC: ++ case ROLE_IPA_DC: + return lpcfg_workgroup(lp_ctx); + default: + return lpcfg_netbios_name(lp_ctx); +diff --git a/libcli/netlogon/netlogon.c b/libcli/netlogon/netlogon.c +index 58a331d70ad..838bdf84c87 100644 +--- a/libcli/netlogon/netlogon.c ++++ b/libcli/netlogon/netlogon.c +@@ -93,7 +93,7 @@ NTSTATUS pull_netlogon_samlogon_response(DATA_BLOB *data, TALLOC_CTX *mem_ctx, + if (ndr->offset < ndr->data_size) { + TALLOC_FREE(ndr); + /* +- * We need to handle a bug in FreeIPA (at least <= 4.1.2). 
++ * We need to handle a bug in IPA (at least <= 4.1.2). + * + * They include the ip address information without setting + * NETLOGON_NT_VERSION_5EX_WITH_IP, while using +diff --git a/libds/common/roles.h b/libds/common/roles.h +index 4772c8d7d3f..03ba1915b21 100644 +--- a/libds/common/roles.h ++++ b/libds/common/roles.h +@@ -33,6 +33,7 @@ enum server_role { + + /* not in samr.idl */ + ROLE_ACTIVE_DIRECTORY_DC = 4, ++ ROLE_IPA_DC = 5, + + /* To determine the role automatically, this is not a valid role */ + ROLE_AUTO = 100 +diff --git a/source3/auth/auth.c b/source3/auth/auth.c +index 0a96d591808..c5bfe9ac626 100644 +--- a/source3/auth/auth.c ++++ b/source3/auth/auth.c +@@ -529,6 +529,7 @@ NTSTATUS make_auth3_context_for_ntlm(TALLOC_CTX *mem_ctx, + break; + case ROLE_DOMAIN_BDC: + case ROLE_DOMAIN_PDC: ++ case ROLE_IPA_DC: + DEBUG(5,("Making default auth method list for DC\n")); + methods = "anonymous sam winbind sam_ignoredomain"; + break; +@@ -557,6 +558,7 @@ NTSTATUS make_auth3_context_for_netlogon(TALLOC_CTX *mem_ctx, + switch (lp_server_role()) { + case ROLE_DOMAIN_BDC: + case ROLE_DOMAIN_PDC: ++ case ROLE_IPA_DC: + methods = "sam_netlogon3 winbind"; + break; + +@@ -578,6 +580,7 @@ NTSTATUS make_auth3_context_for_winbind(TALLOC_CTX *mem_ctx, + case ROLE_DOMAIN_MEMBER: + case ROLE_DOMAIN_BDC: + case ROLE_DOMAIN_PDC: ++ case ROLE_IPA_DC: + methods = "sam"; + break; + case ROLE_ACTIVE_DIRECTORY_DC: +diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c +index f9764d87e3c..d0b29083d46 100644 +--- a/source3/auth/auth_sam.c ++++ b/source3/auth/auth_sam.c +@@ -139,6 +139,7 @@ static NTSTATUS auth_samstrict_auth(const struct auth_context *auth_context, + break; + case ROLE_DOMAIN_PDC: + case ROLE_DOMAIN_BDC: ++ case ROLE_IPA_DC: + if ( !is_local_name && !is_my_domain ) { + DEBUG(6,("check_samstrict_security: %s is not one of my local names or domain name (DC)\n", + effective_domain)); +@@ -209,6 +210,7 @@ static NTSTATUS auth_sam_netlogon3_auth(const struct 
auth_context *auth_context, + switch (lp_server_role()) { + case ROLE_DOMAIN_PDC: + case ROLE_DOMAIN_BDC: ++ case ROLE_IPA_DC: + break; + default: + DBG_ERR("Invalid server role\n"); +diff --git a/source3/include/smb_macros.h b/source3/include/smb_macros.h +index 06d24744960..346401510c2 100644 +--- a/source3/include/smb_macros.h ++++ b/source3/include/smb_macros.h +@@ -213,7 +213,7 @@ copy an IP address from one buffer to another + Check to see if we are a DC for this domain + *****************************************************************************/ + +-#define IS_DC (lp_server_role()==ROLE_DOMAIN_PDC || lp_server_role()==ROLE_DOMAIN_BDC || lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC) ++#define IS_DC (lp_server_role()==ROLE_DOMAIN_PDC || lp_server_role()==ROLE_DOMAIN_BDC || lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC || lp_server_role() == ROLE_IPA_DC) + #define IS_AD_DC (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC) + + /* +diff --git a/source3/lib/netapi/joindomain.c b/source3/lib/netapi/joindomain.c +index 8d0752f4531..0344c0e0416 100644 +--- a/source3/lib/netapi/joindomain.c ++++ b/source3/lib/netapi/joindomain.c +@@ -369,6 +369,7 @@ WERROR NetGetJoinInformation_l(struct libnetapi_ctx *ctx, + case ROLE_DOMAIN_MEMBER: + case ROLE_DOMAIN_PDC: + case ROLE_DOMAIN_BDC: ++ case ROLE_IPA_DC: + *r->out.name_type = NetSetupDomainName; + break; + case ROLE_STANDALONE: +diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c +index 57d1d909099..98e05d13d59 100644 +--- a/source3/param/loadparm.c ++++ b/source3/param/loadparm.c +@@ -4321,6 +4321,7 @@ int lp_default_server_announce(void) + default_server_announce |= SV_TYPE_DOMAIN_MEMBER; + break; + case ROLE_DOMAIN_PDC: ++ case ROLE_IPA_DC: + default_server_announce |= SV_TYPE_DOMAIN_CTRL; + break; + case ROLE_DOMAIN_BDC: +@@ -4346,7 +4347,8 @@ int lp_default_server_announce(void) + bool lp_domain_master(void) + { + if (Globals._domain_master == Auto) +- return (lp_server_role() == ROLE_DOMAIN_PDC); ++ 
return (lp_server_role() == ROLE_DOMAIN_PDC || ++ lp_server_role() == ROLE_IPA_DC); + + return (bool)Globals._domain_master; + } +diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c +index 186ba17fda6..839da5cfbf4 100644 +--- a/source3/passdb/lookup_sid.c ++++ b/source3/passdb/lookup_sid.c +@@ -117,7 +117,6 @@ bool lookup_name(TALLOC_CTX *mem_ctx, + if (((flags & LOOKUP_NAME_DOMAIN) || (flags == 0)) && + strequal(domain, get_global_sam_name())) + { +- + /* It's our own domain, lookup the name in passdb */ + if (lookup_global_sam_name(name, flags, &rid, &type)) { + sid_compose(&sid, get_global_sam_sid(), rid); +diff --git a/source3/passdb/machine_account_secrets.c b/source3/passdb/machine_account_secrets.c +index dfc21f295a1..b60cf56c490 100644 +--- a/source3/passdb/machine_account_secrets.c ++++ b/source3/passdb/machine_account_secrets.c +@@ -198,7 +198,8 @@ bool secrets_fetch_domain_guid(const char *domain, struct GUID *guid) + dyn_guid = (struct GUID *)secrets_fetch(key, &size); + + if (!dyn_guid) { +- if (lp_server_role() == ROLE_DOMAIN_PDC) { ++ if (lp_server_role() == ROLE_DOMAIN_PDC || ++ lp_server_role() == ROLE_IPA_DC) { + new_guid = GUID_random(); + if (!secrets_store_domain_guid(domain, &new_guid)) + return False; +@@ -314,9 +315,7 @@ static const char *trust_keystr(const char *domain) + + enum netr_SchannelType get_default_sec_channel(void) + { +- if (lp_server_role() == ROLE_DOMAIN_BDC || +- lp_server_role() == ROLE_DOMAIN_PDC || +- lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC) { ++ if (IS_DC) { + return SEC_CHAN_BDC; + } else { + return SEC_CHAN_WKSTA; +diff --git a/source3/registry/reg_backend_prod_options.c b/source3/registry/reg_backend_prod_options.c +index 655c587ac40..7bd3f324c37 100644 +--- a/source3/registry/reg_backend_prod_options.c ++++ b/source3/registry/reg_backend_prod_options.c +@@ -40,6 +40,7 @@ static int prod_options_fetch_values(const char *key, struct regval_ctr *regvals + switch (lp_server_role()) { + case 
ROLE_DOMAIN_PDC: + case ROLE_DOMAIN_BDC: ++ case ROLE_IPA_DC: + value_ascii = "LanmanNT"; + break; + case ROLE_STANDALONE: +diff --git a/source3/rpc_server/dssetup/srv_dssetup_nt.c b/source3/rpc_server/dssetup/srv_dssetup_nt.c +index 7e3efa8504e..aa896e15ac4 100644 +--- a/source3/rpc_server/dssetup/srv_dssetup_nt.c ++++ b/source3/rpc_server/dssetup/srv_dssetup_nt.c +@@ -62,6 +62,7 @@ static WERROR fill_dsrole_dominfo_basic(TALLOC_CTX *ctx, + basic->domain = get_global_sam_name(); + break; + case ROLE_DOMAIN_PDC: ++ case ROLE_IPA_DC: + basic->role = DS_ROLE_PRIMARY_DC; + basic->domain = get_global_sam_name(); + break; +diff --git a/source3/smbd/server.c b/source3/smbd/server.c +index 7d96a5762ec..d263507b22f 100644 +--- a/source3/smbd/server.c ++++ b/source3/smbd/server.c +@@ -1969,7 +1969,7 @@ extern void build_options(bool screen); + exit_daemon("smbd can not open secrets.tdb", EACCES); + } + +- if (lp_server_role() == ROLE_DOMAIN_BDC || lp_server_role() == ROLE_DOMAIN_PDC) { ++ if (lp_server_role() == ROLE_DOMAIN_BDC || lp_server_role() == ROLE_DOMAIN_PDC || lp_server_role() == ROLE_IPA_DC) { + struct loadparm_context *lp_ctx = loadparm_init_s3(NULL, loadparm_s3_helpers()); + if (!open_schannel_session_store(NULL, lp_ctx)) { + exit_daemon("ERROR: Samba cannot open schannel store for secured NETLOGON operations.", EACCES); +diff --git a/source3/winbindd/winbindd_misc.c b/source3/winbindd/winbindd_misc.c +index cc0701e597a..f09b029fd13 100644 +--- a/source3/winbindd/winbindd_misc.c ++++ b/source3/winbindd/winbindd_misc.c +@@ -75,7 +75,7 @@ static char *get_trust_type_string(TALLOC_CTX *mem_ctx, + case SEC_CHAN_BDC: { + int role = lp_server_role(); + +- if (role == ROLE_DOMAIN_PDC) { ++ if (role == ROLE_DOMAIN_PDC || role == ROLE_IPA_DC) { + s = talloc_strdup(mem_ctx, "PDC"); + if (s == NULL) { + return NULL; +diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c +index 315eb366a52..04e79e70f6b 100644 +--- 
a/source3/winbindd/winbindd_util.c ++++ b/source3/winbindd/winbindd_util.c +@@ -1225,15 +1225,37 @@ bool init_domain_list(void) + secure_channel_type = SEC_CHAN_LOCAL; + } + +- status = add_trusted_domain(get_global_sam_name(), +- NULL, +- get_global_sam_sid(), +- LSA_TRUST_TYPE_DOWNLEVEL, +- trust_flags, +- 0, /* trust_attribs */ +- secure_channel_type, +- NULL, +- &domain); ++ if ((pdb_domain_info != NULL) && (role == ROLE_IPA_DC)) { ++ /* This is IPA DC that presents itself as ++ * an Active Directory domain controller to trusted AD ++ * forests but in fact is a classic domain controller. ++ */ ++ trust_flags = NETR_TRUST_FLAG_PRIMARY; ++ trust_flags |= NETR_TRUST_FLAG_IN_FOREST; ++ trust_flags |= NETR_TRUST_FLAG_NATIVE; ++ trust_flags |= NETR_TRUST_FLAG_OUTBOUND; ++ trust_flags |= NETR_TRUST_FLAG_TREEROOT; ++ status = add_trusted_domain(pdb_domain_info->name, ++ pdb_domain_info->dns_domain, ++ &pdb_domain_info->sid, ++ LSA_TRUST_TYPE_UPLEVEL, ++ trust_flags, ++ LSA_TRUST_ATTRIBUTE_WITHIN_FOREST, ++ secure_channel_type, ++ NULL, ++ &domain); ++ TALLOC_FREE(pdb_domain_info); ++ } else { ++ status = add_trusted_domain(get_global_sam_name(), ++ NULL, ++ get_global_sam_sid(), ++ LSA_TRUST_TYPE_DOWNLEVEL, ++ trust_flags, ++ 0, /* trust_attribs */ ++ secure_channel_type, ++ NULL, ++ &domain); ++ } + if (!NT_STATUS_IS_OK(status)) { + DBG_ERR("Failed to add local SAM to " + "domain to winbindd's internal list\n"); +diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c +index f754bd5cd44..7dab02b5c4d 100644 +--- a/source4/auth/ntlm/auth.c ++++ b/source4/auth/ntlm/auth.c +@@ -773,6 +773,7 @@ const char **auth_methods_from_lp(TALLOC_CTX *mem_ctx, struct loadparm_context * + case ROLE_DOMAIN_BDC: + case ROLE_DOMAIN_PDC: + case ROLE_ACTIVE_DIRECTORY_DC: ++ case ROLE_IPA_DC: + auth_methods = str_list_make(mem_ctx, "anonymous sam winbind sam_ignoredomain", NULL); + break; + } +diff --git a/source4/kdc/kdc-heimdal.c b/source4/kdc/kdc-heimdal.c +index 
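Review bot: In init_domain_list the IPA branch is guarded by `(pdb_domain_info != NULL) && (role == ROLE_IPA_DC)`, so an IPA DC whose passdb backend returns no domain info silently falls into the classic-DC branch and registers the local SAM as `LSA_TRUST_TYPE_DOWNLEVEL` with the original trust_flags; that degradation should at least be logged, e.g. `if (role == ROLE_IPA_DC && pdb_domain_info == NULL) { DBG_WARNING("IPA DC without pdb domain info, falling back to classic DC trust\n"); }` placed before the if. `trust_flags` is also overwritten wholesale in the IPA branch, discarding whatever was computed above the hunk, which looks intentional but merits a one-line comment. `TALLOC_FREE(pdb_domain_info)` only runs in the IPA branch; if the classic branch does not free it elsewhere this is a leak, but where pdb_domain_info is obtained lies outside the hunk.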
b5de5a790d4..49aa560470c 100644 +--- a/source4/kdc/kdc-heimdal.c ++++ b/source4/kdc/kdc-heimdal.c +@@ -276,6 +276,7 @@ static NTSTATUS kdc_task_init(struct task_server *task) + return NT_STATUS_INVALID_DOMAIN_ROLE; + case ROLE_DOMAIN_PDC: + case ROLE_DOMAIN_BDC: ++ case ROLE_IPA_DC: + task_server_terminate( + task, "Cannot start KDC as a 'classic Samba' DC", false); + return NT_STATUS_INVALID_DOMAIN_ROLE; +diff --git a/source4/rpc_server/samr/dcesrv_samr.c b/source4/rpc_server/samr/dcesrv_samr.c +index 51fed4da62b..1f09b721408 100644 +--- a/source4/rpc_server/samr/dcesrv_samr.c ++++ b/source4/rpc_server/samr/dcesrv_samr.c +@@ -568,6 +568,7 @@ static NTSTATUS dcesrv_samr_info_DomGeneralInformation(struct samr_domain_state + break; + case ROLE_DOMAIN_PDC: + case ROLE_DOMAIN_BDC: ++ case ROLE_IPA_DC: + case ROLE_AUTO: + return NT_STATUS_INTERNAL_ERROR; + case ROLE_DOMAIN_MEMBER: +@@ -675,6 +676,7 @@ static NTSTATUS dcesrv_samr_info_DomInfo7(struct samr_domain_state *state, + break; + case ROLE_DOMAIN_PDC: + case ROLE_DOMAIN_BDC: ++ case ROLE_IPA_DC: + case ROLE_AUTO: + return NT_STATUS_INTERNAL_ERROR; + case ROLE_DOMAIN_MEMBER: +-- +2.33.1 + + +From 3a8b4d3b410508dfb0538376046a5b38c53f9568 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Tue, 5 Oct 2021 18:11:57 +0200 +Subject: [PATCH 73/88] CVE-2020-25717: auth/gensec: always require a PAC in + domain mode (DC or member) + +AD domains always provide a PAC unless UF_NO_AUTH_DATA_REQUIRED is set +on the service account, which can only be explicitly configured, +but that's an invalid configuration! + +We still try to support standalone servers in an MIT realm, +as legacy setup. 
+ +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801 +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 + +Signed-off-by: Stefan Metzmacher +--- + auth/gensec/gensec_util.c | 27 +++++++++++++++++++++++---- + 1 file changed, 23 insertions(+), 4 deletions(-) + +diff --git a/auth/gensec/gensec_util.c b/auth/gensec/gensec_util.c +index e185acc0c20..694661b53b5 100644 +--- a/auth/gensec/gensec_util.c ++++ b/auth/gensec/gensec_util.c +@@ -25,6 +25,8 @@ + #include "auth/gensec/gensec_internal.h" + #include "auth/common_auth.h" + #include "../lib/util/asn1.h" ++#include "param/param.h" ++#include "libds/common/roles.h" + + #undef DBGC_CLASS + #define DBGC_CLASS DBGC_AUTH +@@ -46,10 +48,27 @@ NTSTATUS gensec_generate_session_info_pac(TALLOC_CTX *mem_ctx, + session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS; + + if (!pac_blob) { +- if (gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) { +- DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access\n", +- principal_string)); +- return NT_STATUS_ACCESS_DENIED; ++ enum server_role server_role = ++ lpcfg_server_role(gensec_security->settings->lp_ctx); ++ ++ /* ++ * For any domain setup (DC or member) we require having ++ * a PAC, as the service ticket comes from an AD DC, ++ * which will always provide a PAC, unless ++ * UF_NO_AUTH_DATA_REQUIRED is configured for our ++ * account, but that's just an invalid configuration, ++ * the admin configured for us! ++ * ++ * As a legacy case, we still allow kerberos tickets from an MIT ++ * realm, but only in standalone mode. In that mode we'll only ++ * ever accept a kerberos authentication with a keytab file ++ * being explicitly configured via the 'keytab method' option. 
++ */ ++ if (server_role != ROLE_STANDALONE) { ++ DBG_WARNING("Unable to find PAC in ticket from %s, " ++ "failing to allow access\n", ++ principal_string); ++ return NT_STATUS_NO_IMPERSONATION_TOKEN; + } + DBG_NOTICE("Unable to find PAC for %s, resorting to local " + "user lookup\n", principal_string); +-- +2.33.1 + + +From 15cca0f7ee6f4b8d96b6b650b2d009b030a2bc5f Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Mon, 11 Oct 2021 23:17:19 +0200 +Subject: [PATCH 74/88] CVE-2020-25717: s4:auth: remove unused + auth_generate_session_info_principal() + +We'll require a PAC at the main gensec layer already. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801 +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 + +Signed-off-by: Stefan Metzmacher + +[abartlet@samba.org Backported from master/4.15 as + check_password is sync in 4.14] +--- + source4/auth/auth.h | 8 ------ + source4/auth/ntlm/auth.c | 49 ++++-------------------------------- + source4/auth/ntlm/auth_sam.c | 12 --------- + 3 files changed, 5 insertions(+), 64 deletions(-) + +diff --git a/source4/auth/auth.h b/source4/auth/auth.h +index 51895c9259f..f16d0649de2 100644 +--- a/source4/auth/auth.h ++++ b/source4/auth/auth.h +@@ -73,14 +73,6 @@ struct auth_operations { + TALLOC_CTX *mem_ctx, + struct auth_user_info_dc **interim_info, + bool *authoritative); +- +- /* Lookup a 'session info interim' return based only on the principal or DN */ +- NTSTATUS (*get_user_info_dc_principal)(TALLOC_CTX *mem_ctx, +- struct auth4_context *auth_context, +- const char *principal, +- struct ldb_dn *user_dn, +- struct auth_user_info_dc **interim_info); +- uint32_t flags; + }; + + struct auth_method_context { +diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c +index 7dab02b5c4d..2765fd1b13c 100644 +--- a/source4/auth/ntlm/auth.c ++++ b/source4/auth/ntlm/auth.c +@@ -86,48 +86,6 @@ _PUBLIC_ NTSTATUS auth_get_challenge(struct auth4_context *auth_ctx, uint8_t cha + return NT_STATUS_OK; + } + 
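Review bot: The `gensec:require_pac` smb.conf option is no longer read anywhere in gensec_generate_session_info_pac, so an administrator who set it (in either direction) now gets behaviour driven solely by `lpcfg_server_role()` with no diagnostic; the hunk should either warn when the option is still present, e.g. a `lpcfg_parm_bool()` probe followed by `DBG_WARNING("gensec:require_pac is ignored; a PAC is always required unless server role = standalone\n")`, or the commit should document that the option is now ignored. The new code also dereferences `gensec_security->settings->lp_ctx` unconditionally; the removed call only passed `gensec_security->settings` to gensec_setting_bool(), and whether that helper tolerated a NULL settings pointer is not visible here, so please confirm settings is guaranteed non-NULL on this path. The comment's statement that standalone mode only accepts tickets with an explicitly configured `keytab method` is not enforced by this hunk; if it is enforced elsewhere, a pointer to that check would help.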
+-/**************************************************************************** +-Used in the gensec_gssapi and gensec_krb5 server-side code, where the +-PAC isn't available, and for tokenGroups in the DSDB stack. +- +- Supply either a principal or a DN +-****************************************************************************/ +-static NTSTATUS auth_generate_session_info_principal(struct auth4_context *auth_ctx, +- TALLOC_CTX *mem_ctx, +- const char *principal, +- struct ldb_dn *user_dn, +- uint32_t session_info_flags, +- struct auth_session_info **session_info) +-{ +- NTSTATUS nt_status; +- struct auth_method_context *method; +- struct auth_user_info_dc *user_info_dc; +- +- for (method = auth_ctx->methods; method; method = method->next) { +- if (!method->ops->get_user_info_dc_principal) { +- continue; +- } +- +- nt_status = method->ops->get_user_info_dc_principal(mem_ctx, auth_ctx, principal, user_dn, &user_info_dc); +- if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NOT_IMPLEMENTED)) { +- continue; +- } +- if (!NT_STATUS_IS_OK(nt_status)) { +- return nt_status; +- } +- +- nt_status = auth_generate_session_info_wrapper(auth_ctx, mem_ctx, +- user_info_dc, +- user_info_dc->info->account_name, +- session_info_flags, session_info); +- talloc_free(user_info_dc); +- +- return nt_status; +- } +- +- return NT_STATUS_NOT_IMPLEMENTED; +-} +- + /** + * Check a user's Plaintext, LM or NTLM password. 
+ * (sync version) +@@ -663,8 +621,11 @@ static NTSTATUS auth_generate_session_info_pac(struct auth4_context *auth_ctx, + TALLOC_CTX *tmp_ctx; + + if (!pac_blob) { +- return auth_generate_session_info_principal(auth_ctx, mem_ctx, principal_name, +- NULL, session_info_flags, session_info); ++ /* ++ * This should already be catched at the main ++ * gensec layer, but better check twice ++ */ ++ return NT_STATUS_INTERNAL_ERROR; + } + + tmp_ctx = talloc_named(mem_ctx, 0, "gensec_gssapi_session_info context"); +diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c +index fb88cb87f66..a8c7d8b4b85 100644 +--- a/source4/auth/ntlm/auth_sam.c ++++ b/source4/auth/ntlm/auth_sam.c +@@ -854,28 +854,16 @@ static NTSTATUS authsam_want_check(struct auth_method_context *ctx, + return NT_STATUS_OK; + } + +-/* Wrapper for the auth subsystem pointer */ +-static NTSTATUS authsam_get_user_info_dc_principal_wrapper(TALLOC_CTX *mem_ctx, +- struct auth4_context *auth_context, +- const char *principal, +- struct ldb_dn *user_dn, +- struct auth_user_info_dc **user_info_dc) +-{ +- return authsam_get_user_info_dc_principal(mem_ctx, auth_context->lp_ctx, auth_context->sam_ctx, +- principal, user_dn, user_info_dc); +-} + static const struct auth_operations sam_ignoredomain_ops = { + .name = "sam_ignoredomain", + .want_check = authsam_ignoredomain_want_check, + .check_password = authsam_check_password_internals, +- .get_user_info_dc_principal = authsam_get_user_info_dc_principal_wrapper, + }; + + static const struct auth_operations sam_ops = { + .name = "sam", + .want_check = authsam_want_check, + .check_password = authsam_check_password_internals, +- .get_user_info_dc_principal = authsam_get_user_info_dc_principal_wrapper, + }; + + _PUBLIC_ NTSTATUS auth4_sam_init(TALLOC_CTX *); +-- +2.33.1 + + +From ec14a33f17e638870c997b56d4b5ce9096cbb27a Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Tue, 21 Sep 2021 12:27:28 +0200 +Subject: [PATCH 75/88] CVE-2020-25717: 
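Review bot: auth_generate_session_info_pac now returns `NT_STATUS_INTERNAL_ERROR` for a missing PAC without any log line, so if the gensec-layer check it relies on is ever bypassed the failure is hard to diagnose on the server side; emit a message first, e.g. `DBG_ERR("Missing PAC for [%s], should have been rejected by gensec\n", principal_name);` before the `return`. The comment also has a typo, `catched` should read `caught`. The function continues outside the hunk.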
s3:ntlm_auth: fix memory leaks in + ntlm_auth_generate_session_info_pac() + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801 +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 + +Signed-off-by: Stefan Metzmacher +--- + source3/utils/ntlm_auth.c | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c +index 3f70732a837..fefdd32bf11 100644 +--- a/source3/utils/ntlm_auth.c ++++ b/source3/utils/ntlm_auth.c +@@ -827,23 +827,27 @@ static NTSTATUS ntlm_auth_generate_session_info_pac(struct auth4_context *auth_c + if (!p) { + DEBUG(3, ("[%s] Doesn't look like a valid principal\n", + princ_name)); +- return NT_STATUS_LOGON_FAILURE; ++ status = NT_STATUS_LOGON_FAILURE; ++ goto done; + } + + user = talloc_strndup(mem_ctx, princ_name, p - princ_name); + if (!user) { +- return NT_STATUS_NO_MEMORY; ++ status = NT_STATUS_NO_MEMORY; ++ goto done; + } + + realm = talloc_strdup(talloc_tos(), p + 1); + if (!realm) { +- return NT_STATUS_NO_MEMORY; ++ status = NT_STATUS_NO_MEMORY; ++ goto done; + } + + if (!strequal(realm, lp_realm())) { + DEBUG(3, ("Ticket for foreign realm %s@%s\n", user, realm)); + if (!lp_allow_trusted_domains()) { +- return NT_STATUS_LOGON_FAILURE; ++ status = NT_STATUS_LOGON_FAILURE; ++ goto done; + } + } + +@@ -851,7 +855,8 @@ static NTSTATUS ntlm_auth_generate_session_info_pac(struct auth4_context *auth_c + domain = talloc_strdup(mem_ctx, + logon_info->info3.base.logon_domain.string); + if (!domain) { +- return NT_STATUS_NO_MEMORY; ++ status = NT_STATUS_NO_MEMORY; ++ goto done; + } + DEBUG(10, ("Domain is [%s] (using PAC)\n", domain)); + } else { +@@ -881,7 +886,8 @@ static NTSTATUS ntlm_auth_generate_session_info_pac(struct auth4_context *auth_c + domain = talloc_strdup(mem_ctx, realm); + } + if (!domain) { +- return NT_STATUS_NO_MEMORY; ++ status = NT_STATUS_NO_MEMORY; ++ goto done; + } + DEBUG(10, ("Domain is [%s] (using Winbind)\n", domain)); + } +-- +2.33.1 + 
+ +From 9e036a77eca721c4ea23c3f629d9e504d5780f79 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Tue, 21 Sep 2021 12:44:01 +0200 +Subject: [PATCH 76/88] CVE-2020-25717: s3:ntlm_auth: let + ntlm_auth_generate_session_info_pac() base the name on the PAC LOGON_INFO + only + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801 +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 + +Signed-off-by: Stefan Metzmacher +--- + source3/utils/ntlm_auth.c | 91 ++++++++++++--------------------------- + 1 file changed, 28 insertions(+), 63 deletions(-) + +diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c +index fefdd32bf11..ff2fd30a9ae 100644 +--- a/source3/utils/ntlm_auth.c ++++ b/source3/utils/ntlm_auth.c +@@ -799,10 +799,8 @@ static NTSTATUS ntlm_auth_generate_session_info_pac(struct auth4_context *auth_c + struct PAC_LOGON_INFO *logon_info = NULL; + char *unixuser; + NTSTATUS status; +- char *domain = NULL; +- char *realm = NULL; +- char *user = NULL; +- char *p; ++ const char *domain = ""; ++ const char *user = ""; + + tmp_ctx = talloc_new(mem_ctx); + if (!tmp_ctx) { +@@ -819,79 +817,46 @@ static NTSTATUS ntlm_auth_generate_session_info_pac(struct auth4_context *auth_c + if (!NT_STATUS_IS_OK(status)) { + goto done; + } +- } +- +- DEBUG(3, ("Kerberos ticket principal name is [%s]\n", princ_name)); +- +- p = strchr_m(princ_name, '@'); +- if (!p) { +- DEBUG(3, ("[%s] Doesn't look like a valid principal\n", +- princ_name)); +- status = NT_STATUS_LOGON_FAILURE; ++ } else { ++ status = NT_STATUS_ACCESS_DENIED; ++ DBG_WARNING("Kerberos ticket for[%s] has no PAC: %s\n", ++ princ_name, nt_errstr(status)); + goto done; + } + +- user = talloc_strndup(mem_ctx, princ_name, p - princ_name); +- if (!user) { +- status = NT_STATUS_NO_MEMORY; +- goto done; ++ if (logon_info->info3.base.account_name.string != NULL) { ++ user = logon_info->info3.base.account_name.string; ++ } else { ++ user = ""; ++ } ++ if (logon_info->info3.base.logon_domain.string != NULL) { ++ 
domain = logon_info->info3.base.logon_domain.string; ++ } else { ++ domain = ""; + } + +- realm = talloc_strdup(talloc_tos(), p + 1); +- if (!realm) { +- status = NT_STATUS_NO_MEMORY; ++ if (strlen(user) == 0 || strlen(domain) == 0) { ++ status = NT_STATUS_ACCESS_DENIED; ++ DBG_WARNING("Kerberos ticket for[%s] has invalid " ++ "account_name[%s]/logon_domain[%s]: %s\n", ++ princ_name, ++ logon_info->info3.base.account_name.string, ++ logon_info->info3.base.logon_domain.string, ++ nt_errstr(status)); + goto done; + } + +- if (!strequal(realm, lp_realm())) { +- DEBUG(3, ("Ticket for foreign realm %s@%s\n", user, realm)); ++ DBG_NOTICE("Kerberos ticket principal name is [%s] " ++ "account_name[%s]/logon_domain[%s]\n", ++ princ_name, user, domain); ++ ++ if (!strequal(domain, lp_workgroup())) { + if (!lp_allow_trusted_domains()) { + status = NT_STATUS_LOGON_FAILURE; + goto done; + } + } + +- if (logon_info && logon_info->info3.base.logon_domain.string) { +- domain = talloc_strdup(mem_ctx, +- logon_info->info3.base.logon_domain.string); +- if (!domain) { +- status = NT_STATUS_NO_MEMORY; +- goto done; +- } +- DEBUG(10, ("Domain is [%s] (using PAC)\n", domain)); +- } else { +- +- /* If we have winbind running, we can (and must) shorten the +- username by using the short netbios name. Otherwise we will +- have inconsistent user names. With Kerberos, we get the +- fully qualified realm, with ntlmssp we get the short +- name. And even w2k3 does use ntlmssp if you for example +- connect to an ip address. 
*/ +- +- wbcErr wbc_status; +- struct wbcDomainInfo *info = NULL; +- +- DEBUG(10, ("Mapping [%s] to short name using winbindd\n", +- realm)); +- +- wbc_status = wbcDomainInfo(realm, &info); +- +- if (WBC_ERROR_IS_OK(wbc_status)) { +- domain = talloc_strdup(mem_ctx, +- info->short_name); +- wbcFreeMemory(info); +- } else { +- DEBUG(3, ("Could not find short name: %s\n", +- wbcErrorString(wbc_status))); +- domain = talloc_strdup(mem_ctx, realm); +- } +- if (!domain) { +- status = NT_STATUS_NO_MEMORY; +- goto done; +- } +- DEBUG(10, ("Domain is [%s] (using Winbind)\n", domain)); +- } +- + unixuser = talloc_asprintf(tmp_ctx, "%s%c%s", domain, winbind_separator(), user); + if (!unixuser) { + status = NT_STATUS_NO_MEMORY; +-- +2.33.1 + + +From 4c01fd62e30b8e1137e7de01ecb41c94550dac24 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Mon, 4 Oct 2021 19:42:20 +0200 +Subject: [PATCH 77/88] CVE-2020-25717: s3:auth: let + auth3_generate_session_info_pac() delegate everything to + make_server_info_wbcAuthUserInfo() + +This consolidates the code paths used for NTLMSSP and Kerberos! + +I checked what we were already doing for NTLMSSP, which is this: + +a) source3/auth/auth_winbind.c calls wbcAuthenticateUserEx() +b) as a domain member we require a valid response from winbindd, + otherwise we'll return NT_STATUS_NO_LOGON_SERVERS +c) we call make_server_info_wbcAuthUserInfo(), which internally + calls make_server_info_info3() +d) auth_check_ntlm_password() calls + smb_pam_accountcheck(unix_username, rhost), where rhost + is only an ipv4 or ipv6 address (without reverse dns lookup) +e) from auth3_check_password_send/auth3_check_password_recv() + server_returned_info will be passed to auth3_generate_session_info(), + triggered by gensec_session_info(), which means we'll call into + create_local_token() in order to transform auth_serversupplied_info + into auth_session_info. 
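Review bot: The new `DBG_WARNING` in ntlm_auth_generate_session_info_pac passes `logon_info->info3.base.account_name.string` and `logon_info->info3.base.logon_domain.string` to `%s`, and this branch is reached precisely when one of them is NULL or empty; formatting a NULL pointer with `%s` is undefined behaviour in C (glibc prints `(null)`, other libcs may crash). The code already normalised both values into `user` and `domain` a few lines up, so log those instead: `princ_name, user, domain,`. The rest of the function (the unixuser mapping and the `done:` cleanup) is outside the hunk.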
+ +For Kerberos gensec_session_info() will call +auth3_generate_session_info_pac() via the gensec_generate_session_info_pac() +helper function. The current logic is this: + +a) gensec_generate_session_info_pac() is the function that + evaluates the 'gensec:require_pac', which defaulted to 'no' + before. +b) auth3_generate_session_info_pac() called + wbcAuthenticateUserEx() in order to pass the PAC blob + to winbindd, but only to prime its cache, e.g. netsamlogon cache + and others. Most failures were just ignored. +c) If the PAC blob is available, it extracted the PAC_LOGON_INFO + from it. +d) Then we called the horrible get_user_from_kerberos_info() function: + - It uses a first part of the tickets principal name (before the @) + as username and combines that with the 'logon_info->base.logon_domain' + if the logon_info (PAC) is present. + - As a fallback without a PAC it's tries to ask winbindd for a mapping + from realm to netbios domain name. + - Finally is falls back to using the realm as netbios domain name + With this information is builds 'userdomain+winbind_separator+useraccount' + and calls map_username() followed by smb_getpwnam() with create=true, + Note this is similar to the make_server_info_info3() => check_account() + => smb_getpwnam() logic under 3. + - It also calls smb_pam_accountcheck(), but may pass the reverse DNS lookup name + instead of the ip address as rhost. + - It does some MAP_TO_GUEST_ON_BAD_UID logic and auto creates the + guest account. 
+e) We called create_info3_from_pac_logon_info() +f) make_session_info_krb5() calls gets called and triggers this: + - If get_user_from_kerberos_info() mapped to guest, it calls + make_server_info_guest() + - If create_info3_from_pac_logon_info() created a info3 from logon_info, + it calls make_server_info_info3() + - Without a PAC it tries pdb_getsampwnam()/make_server_info_sam() with + a fallback to make_server_info_pw() + From there it calls create_local_token() + +I tried to change auth3_generate_session_info_pac() to behave similar +to auth_winbind.c together with auth3_generate_session_info() as +a domain member, as we now rely on a PAC: + +a) As domain member we require a PAC and always call wbcAuthenticateUserEx() + and require a valid response! +b) we call make_server_info_wbcAuthUserInfo(), which internally + calls make_server_info_info3(). Note make_server_info_info3() + handles MAP_TO_GUEST_ON_BAD_UID and make_server_info_guest() + internally. +c) Similar to auth_check_ntlm_password() we now call + smb_pam_accountcheck(unix_username, rhost), where rhost + is only an ipv4 or ipv6 address (without reverse dns lookup) +d) From there it calls create_local_token() + +As standalone server (in an MIT realm) we continue +with the already existing code logic, which works without a PAC: +a) we keep smb_getpwnam() with create=true logic as it + also requires an explicit 'add user script' option. +b) In the following commits we assert that there's + actually no PAC in this mode, which means we can + remove unused and confusing code. 
+ +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14646 +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 + +Signed-off-by: Stefan Metzmacher + +[abartlet@samba.org Backported due to change in structure + initialization with { 0 } to zero ] +[abartlet@samba.org backported to 4.12 due to conflict + with code not present to reload shared on krb5 login] +--- + source3/auth/auth_generic.c | 139 ++++++++++++++++++++++++++++-------- + 1 file changed, 110 insertions(+), 29 deletions(-) + +diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c +index 26a38f92b30..3099e8f9057 100644 +--- a/source3/auth/auth_generic.c ++++ b/source3/auth/auth_generic.c +@@ -46,6 +46,7 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx, + uint32_t session_info_flags, + struct auth_session_info **session_info) + { ++ enum server_role server_role = lp_server_role(); + TALLOC_CTX *tmp_ctx; + struct PAC_LOGON_INFO *logon_info = NULL; + struct netr_SamInfo3 *info3_copy = NULL; +@@ -54,39 +55,59 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx, + char *ntuser; + char *ntdomain; + char *username; +- char *rhost; ++ const char *rhost; + struct passwd *pw; + NTSTATUS status; +- int rc; + + tmp_ctx = talloc_new(mem_ctx); + if (!tmp_ctx) { + return NT_STATUS_NO_MEMORY; + } + +- if (pac_blob) { +-#ifdef HAVE_KRB5 +- struct wbcAuthUserParams params = {}; ++ if (tsocket_address_is_inet(remote_address, "ip")) { ++ rhost = tsocket_address_inet_addr_string( ++ remote_address, tmp_ctx); ++ if (rhost == NULL) { ++ status = NT_STATUS_NO_MEMORY; ++ goto done; ++ } ++ } else { ++ rhost = "127.0.0.1"; ++ } ++ ++ if (server_role != ROLE_STANDALONE) { ++ struct wbcAuthUserParams params = { 0 }; + struct wbcAuthUserInfo *info = NULL; + struct wbcAuthErrorInfo *err = NULL; ++ struct auth_serversupplied_info *server_info = NULL; ++ char *original_user_name = NULL; ++ char *p = NULL; + wbcErr wbc_err; + ++ if (pac_blob == NULL) { ++ /* 
++ * This should already be catched at the main ++ * gensec layer, but better check twice ++ */ ++ status = NT_STATUS_INTERNAL_ERROR; ++ goto done; ++ } ++ + /* + * Let winbind decode the PAC. + * This will also store the user + * data in the netsamlogon cache. + * +- * We need to do this *before* we +- * call get_user_from_kerberos_info() +- * as that does a user lookup that +- * expects info in the netsamlogon cache. +- * +- * See BUG: https://bugzilla.samba.org/show_bug.cgi?id=11259 ++ * This used to be a cache prime ++ * optimization, but now we delegate ++ * all logic to winbindd, as we require ++ * winbindd as domain member anyway. + */ + params.level = WBC_AUTH_USER_LEVEL_PAC; + params.password.pac.data = pac_blob->data; + params.password.pac.length = pac_blob->length; + ++ /* we are contacting the privileged pipe */ + become_root(); + wbc_err = wbcAuthenticateUserEx(¶ms, &info, &err); + unbecome_root(); +@@ -99,18 +120,90 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx, + */ + + switch (wbc_err) { +- case WBC_ERR_WINBIND_NOT_AVAILABLE: + case WBC_ERR_SUCCESS: + break; ++ case WBC_ERR_WINBIND_NOT_AVAILABLE: ++ status = NT_STATUS_NO_LOGON_SERVERS; ++ DBG_ERR("winbindd not running - " ++ "but required as domain member: %s\n", ++ nt_errstr(status)); ++ goto done; + case WBC_ERR_AUTH_ERROR: + status = NT_STATUS(err->nt_status); + wbcFreeMemory(err); + goto done; ++ case WBC_ERR_NO_MEMORY: ++ status = NT_STATUS_NO_MEMORY; ++ goto done; + default: + status = NT_STATUS_LOGON_FAILURE; + goto done; + } + ++ status = make_server_info_wbcAuthUserInfo(tmp_ctx, ++ info->account_name, ++ info->domain_name, ++ info, &server_info); ++ if (!NT_STATUS_IS_OK(status)) { ++ DEBUG(10, ("make_server_info_wbcAuthUserInfo failed: %s\n", ++ nt_errstr(status))); ++ goto done; ++ } ++ ++ /* We skip doing this step if the caller asked us not to */ ++ if (!(server_info->guest)) { ++ const char *unix_username = server_info->unix_name; ++ ++ /* We might 
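Review bot: The new early-exit comment reads `This should already be catched at the main gensec layer`; the word is "caught", so `* This should already be caught at the main` / `* gensec layer, but better check twice`. The `rhost = "127.0.0.1";` fallback taken when remote_address is not an inet address also deserves a one-line comment, since rhost is the value later handed to smb_pam_accountcheck() in the next hunk and the old get_remote_hostname() derivation is removed further down; something like `/* non-IP transport (local socket): report loopback as the PAM rhost */` would make the choice explicit. The enclosing function continues past the end of this hunk.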
not be root if we are an RPC call */ ++ become_root(); ++ status = smb_pam_accountcheck(unix_username, rhost); ++ unbecome_root(); ++ ++ if (!NT_STATUS_IS_OK(status)) { ++ DEBUG(3, ("check_ntlm_password: PAM Account for user [%s] " ++ "FAILED with error %s\n", ++ unix_username, nt_errstr(status))); ++ goto done; ++ } ++ ++ DEBUG(5, ("check_ntlm_password: PAM Account for user [%s] " ++ "succeeded\n", unix_username)); ++ } ++ ++ DEBUG(3, ("Kerberos ticket principal name is [%s]\n", princ_name)); ++ ++ p = strchr_m(princ_name, '@'); ++ if (!p) { ++ DEBUG(3, ("[%s] Doesn't look like a valid principal\n", ++ princ_name)); ++ status = NT_STATUS_LOGON_FAILURE; ++ goto done; ++ } ++ ++ original_user_name = talloc_strndup(tmp_ctx, princ_name, p - princ_name); ++ if (original_user_name == NULL) { ++ status = NT_STATUS_NO_MEMORY; ++ goto done; ++ } ++ ++ status = create_local_token(mem_ctx, ++ server_info, ++ NULL, ++ original_user_name, ++ session_info); ++ if (!NT_STATUS_IS_OK(status)) { ++ DEBUG(10, ("create_local_token failed: %s\n", ++ nt_errstr(status))); ++ goto done; ++ } ++ ++ goto session_info_ready; ++ } ++ ++ /* This is the standalone legacy code path */ ++ ++ if (pac_blob != NULL) { ++#ifdef HAVE_KRB5 + status = kerberos_pac_logon_info(tmp_ctx, *pac_blob, NULL, NULL, + NULL, NULL, 0, &logon_info); + #else +@@ -121,22 +214,6 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx, + } + } + +- rc = get_remote_hostname(remote_address, +- &rhost, +- tmp_ctx); +- if (rc < 0) { +- status = NT_STATUS_NO_MEMORY; +- goto done; +- } +- if (strequal(rhost, "UNKNOWN")) { +- rhost = tsocket_address_inet_addr_string(remote_address, +- tmp_ctx); +- if (rhost == NULL) { +- status = NT_STATUS_NO_MEMORY; +- goto done; +- } +- } +- + status = get_user_from_kerberos_info(tmp_ctx, rhost, + princ_name, logon_info, + &is_mapped, &is_guest, +@@ -170,6 +247,8 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx, + goto done; + } + 
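Review bot: The `info` returned by wbcAuthenticateUserEx() is never released in the new domain-member branch: after `make_server_info_wbcAuthUserInfo(tmp_ctx, info->account_name, info->domain_name, info, &server_info)` the code either jumps to `done` or to `session_info_ready`, and `info` is block-scoped to the `server_role != ROLE_STANDALONE` branch, so no cleanup at the end of the function can reach it. As far as the hunk shows, server_info is built onto tmp_ctx, so adding `wbcFreeMemory(info);` immediately after that call (before the NT_STATUS_IS_OK check) frees it on both the success and failure paths; because this runs once per Kerberos logon on a domain member, the omission grows with the number of sessions. Separately, the comment `We skip doing this step if the caller asked us not to` and the `check_ntlm_password:` DEBUG prefixes were carried over from the NTLM path and do not describe this code: the condition skips PAM for guest mappings, so `/* Guest mappings are not subject to the PAM account check */` and an `auth3_generate_session_info_pac:` prefix would be accurate. The enclosing function continues past the end of this hunk.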
++session_info_ready: ++ + /* setup the string used by %U */ + set_current_user_info((*session_info)->unix_info->sanitized_username, + (*session_info)->unix_info->unix_name, +@@ -179,7 +258,9 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx, + lp_load_with_shares(get_dyn_CONFIGFILE()); + + DEBUG(5, (__location__ "OK: user: %s domain: %s client: %s\n", +- ntuser, ntdomain, rhost)); ++ (*session_info)->info->account_name, ++ (*session_info)->info->domain_name, ++ rhost)); + + status = NT_STATUS_OK; + +-- +2.33.1 + + +From 2d7cd152d95e091447731b3699be9654ca13cffc Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Tue, 5 Oct 2021 17:14:01 +0200 +Subject: [PATCH 78/88] CVE-2020-25717: selftest: configure 'ktest' env with + winbindd and idmap_autorid + +The 'ktest' environment was/is designed to test kerberos in an active +directory member setup. It was created at a time we wanted to test +smbd/winbindd with kerberos without having the source4 ad dc available. + +This still applies to testing the build with system krb5 libraries +but without relying on a running ad dc. + +As a domain member setup requires a running winbindd, we should test it +that way, in order to reflect a valid setup. + +As a side effect it provides a way to demonstrate that we can accept +smb connections authenticated via kerberos, but no connection to +a domain controller! In order get this working offline, we need an +idmap backend with ID_TYPE_BOTH support, so we use 'autorid', which +should be the default choice. 
+ +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14646 +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 + +Signed-off-by: Stefan Metzmacher + +[scabrero@samba.org Backported to 4.11 Run winbindd in offline mode + but keep the user name mapping to avoid having to backport fixes + for bso#14539] +--- + selftest/target/Samba3.pm | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm +index bbbefea44b7..7034127ef0b 100755 +--- a/selftest/target/Samba3.pm ++++ b/selftest/target/Samba3.pm +@@ -1176,7 +1176,7 @@ $ret->{USERNAME} = KTEST/Administrator + # access the share for tests. + chmod 0777, "$prefix/share"; + +- if (not $self->check_or_start($ret, "yes", "no", "yes")) { ++ if (not $self->check_or_start($ret, "yes", "offline", "yes")) { + return undef; + } + return $ret; +-- +2.33.1 + + +From 6b4c3693d4ae3c54fd4c890b71829ac582436dee Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Tue, 5 Oct 2021 18:12:49 +0200 +Subject: [PATCH 79/88] CVE-2020-25717: s3:auth: let + auth3_generate_session_info_pac() reject a PAC in standalone mode + +We should be strict in standalone mode, that we only support MIT realms +without a PAC in order to keep the code sane. 
+ +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 + +Signed-off-by: Stefan Metzmacher + +[abartlet@samba.org Backported to Samba 4.12 has conflcits + as the share reload code is in a different spot] +--- + source3/auth/auth_generic.c | 29 +++++++++-------------------- + 1 file changed, 9 insertions(+), 20 deletions(-) + +diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c +index 3099e8f9057..23f746c078e 100644 +--- a/source3/auth/auth_generic.c ++++ b/source3/auth/auth_generic.c +@@ -48,8 +48,6 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx, + { + enum server_role server_role = lp_server_role(); + TALLOC_CTX *tmp_ctx; +- struct PAC_LOGON_INFO *logon_info = NULL; +- struct netr_SamInfo3 *info3_copy = NULL; + bool is_mapped; + bool is_guest; + char *ntuser; +@@ -203,19 +201,20 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx, + /* This is the standalone legacy code path */ + + if (pac_blob != NULL) { +-#ifdef HAVE_KRB5 +- status = kerberos_pac_logon_info(tmp_ctx, *pac_blob, NULL, NULL, +- NULL, NULL, 0, &logon_info); +-#else +- status = NT_STATUS_ACCESS_DENIED; +-#endif ++ /* ++ * In standalone mode we don't expect a PAC! 
++ * we only support MIT realms ++ */ ++ status = NT_STATUS_BAD_TOKEN_TYPE; ++ DBG_WARNING("Unexpected PAC for [%s] in standalone mode - %s\n", ++ princ_name, nt_errstr(status)); + if (!NT_STATUS_IS_OK(status)) { + goto done; + } + } + + status = get_user_from_kerberos_info(tmp_ctx, rhost, +- princ_name, logon_info, ++ princ_name, NULL, + &is_mapped, &is_guest, + &ntuser, &ntdomain, + &username, &pw); +@@ -226,19 +225,9 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx, + goto done; + } + +- /* Get the info3 from the PAC data if we have it */ +- if (logon_info) { +- status = create_info3_from_pac_logon_info(tmp_ctx, +- logon_info, +- &info3_copy); +- if (!NT_STATUS_IS_OK(status)) { +- goto done; +- } +- } +- + status = make_session_info_krb5(mem_ctx, + ntuser, ntdomain, username, pw, +- info3_copy, is_guest, is_mapped, NULL /* No session key for now, caller will sort it out */, ++ NULL, is_guest, is_mapped, NULL /* No session key for now, caller will sort it out */, + session_info); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Failed to map kerberos pac to server info (%s)\n", +-- +2.33.1 + + +From 6f6a1fedb97d119a7f15831f7295b1774e806ba8 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Fri, 8 Oct 2021 17:59:59 +0200 +Subject: [PATCH 80/88] CVE-2020-25717: s3:auth: simplify + get_user_from_kerberos_info() by removing the unused logon_info argument + +This code is only every called in standalone mode on a MIT realm, +it means we never have a PAC and we also don't have winbindd arround. 
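Review bot: After `status = NT_STATUS_BAD_TOKEN_TYPE;` the retained `if (!NT_STATUS_IS_OK(status)) { goto done; }` can never be false, so the conditional is dead code left over from the kerberos_pac_logon_info() call it used to guard; an unconditional `goto done;` states the intent (a PAC in standalone mode is rejected outright) and saves the reader from wondering which status could fall through. The DBG_WARNING is emitted before the jump, which is the right order so the rejection reason is logged. The rest of the function lies outside this hunk.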
+ +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 + +Signed-off-by: Stefan Metzmacher +--- + source3/auth/auth_generic.c | 2 +- + source3/auth/proto.h | 1 - + source3/auth/user_krb5.c | 57 +++++++------------------------------ + 3 files changed, 11 insertions(+), 49 deletions(-) + +diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c +index 23f746c078e..a11aae713f5 100644 +--- a/source3/auth/auth_generic.c ++++ b/source3/auth/auth_generic.c +@@ -214,7 +214,7 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx, + } + + status = get_user_from_kerberos_info(tmp_ctx, rhost, +- princ_name, NULL, ++ princ_name, + &is_mapped, &is_guest, + &ntuser, &ntdomain, + &username, &pw); +diff --git a/source3/auth/proto.h b/source3/auth/proto.h +index fcfd1f36ca2..1ed3f4a2f77 100644 +--- a/source3/auth/proto.h ++++ b/source3/auth/proto.h +@@ -416,7 +416,6 @@ struct PAC_LOGON_INFO; + NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx, + const char *cli_name, + const char *princ_name, +- struct PAC_LOGON_INFO *logon_info, + bool *is_mapped, + bool *mapped_to_guest, + char **ntuser, +diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c +index 074e8c7eb71..7b69ca6c222 100644 +--- a/source3/auth/user_krb5.c ++++ b/source3/auth/user_krb5.c +@@ -31,7 +31,6 @@ + NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx, + const char *cli_name, + const char *princ_name, +- struct PAC_LOGON_INFO *logon_info, + bool *is_mapped, + bool *mapped_to_guest, + char **ntuser, +@@ -40,8 +39,8 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx, + struct passwd **_pw) + { + NTSTATUS status; +- char *domain = NULL; +- char *realm = NULL; ++ const char *domain = NULL; ++ const char *realm = NULL; + char *user = NULL; + char *p; + char *fuser = NULL; +@@ -62,55 +61,16 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx, + return NT_STATUS_NO_MEMORY; + } + +- realm = talloc_strdup(talloc_tos(), p + 1); +- if (!realm) { 
+- return NT_STATUS_NO_MEMORY; +- } ++ realm = p + 1; + + if (!strequal(realm, lp_realm())) { + DEBUG(3, ("Ticket for foreign realm %s@%s\n", user, realm)); + if (!lp_allow_trusted_domains()) { + return NT_STATUS_LOGON_FAILURE; + } +- } +- +- if (logon_info && logon_info->info3.base.logon_domain.string) { +- domain = talloc_strdup(mem_ctx, +- logon_info->info3.base.logon_domain.string); +- if (!domain) { +- return NT_STATUS_NO_MEMORY; +- } +- DEBUG(10, ("Domain is [%s] (using PAC)\n", domain)); ++ domain = realm; + } else { +- +- /* If we have winbind running, we can (and must) shorten the +- username by using the short netbios name. Otherwise we will +- have inconsistent user names. With Kerberos, we get the +- fully qualified realm, with ntlmssp we get the short +- name. And even w2k3 does use ntlmssp if you for example +- connect to an ip address. */ +- +- wbcErr wbc_status; +- struct wbcDomainInfo *info = NULL; +- +- DEBUG(10, ("Mapping [%s] to short name using winbindd\n", +- realm)); +- +- wbc_status = wbcDomainInfo(realm, &info); +- +- if (WBC_ERROR_IS_OK(wbc_status)) { +- domain = talloc_strdup(mem_ctx, +- info->short_name); +- wbcFreeMemory(info); +- } else { +- DEBUG(3, ("Could not find short name: %s\n", +- wbcErrorString(wbc_status))); +- domain = talloc_strdup(mem_ctx, realm); +- } +- if (!domain) { +- return NT_STATUS_NO_MEMORY; +- } +- DEBUG(10, ("Domain is [%s] (using Winbind)\n", domain)); ++ domain = lp_workgroup(); + } + + fuser = talloc_asprintf(mem_ctx, +@@ -175,7 +135,11 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx, + return NT_STATUS_NO_MEMORY; + } + *ntuser = user; +- *ntdomain = domain; ++ *ntdomain = talloc_strdup(mem_ctx, domain); ++ if (*ntdomain == NULL) { ++ return NT_STATUS_NO_MEMORY; ++ } ++ + *_pw = pw; + + return NT_STATUS_OK; +@@ -282,7 +246,6 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx, + NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx, + const char *cli_name, + const char *princ_name, +- struct 
PAC_LOGON_INFO *logon_info, + bool *is_mapped, + bool *mapped_to_guest, + char **ntuser, +-- +2.33.1 + + +From 8fd8d952c4396484f822c51f71667baaf49402b4 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Fri, 8 Oct 2021 18:03:04 +0200 +Subject: [PATCH 81/88] CVE-2020-25717: s3:auth: simplify + make_session_info_krb5() by removing unused arguments + +This is only ever be called in standalone mode with an MIT realm, +so we don't have a PAC/info3 structure. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 + +Signed-off-by: Stefan Metzmacher +--- + source3/auth/auth_generic.c | 2 +- + source3/auth/proto.h | 2 -- + source3/auth/user_krb5.c | 20 +------------------- + 3 files changed, 2 insertions(+), 22 deletions(-) + +diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c +index a11aae713f5..4dd1af784bf 100644 +--- a/source3/auth/auth_generic.c ++++ b/source3/auth/auth_generic.c +@@ -227,7 +227,7 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx, + + status = make_session_info_krb5(mem_ctx, + ntuser, ntdomain, username, pw, +- NULL, is_guest, is_mapped, NULL /* No session key for now, caller will sort it out */, ++ is_guest, is_mapped, + session_info); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Failed to map kerberos pac to server info (%s)\n", +diff --git a/source3/auth/proto.h b/source3/auth/proto.h +index 1ed3f4a2f77..c00ac70fd3f 100644 +--- a/source3/auth/proto.h ++++ b/source3/auth/proto.h +@@ -427,9 +427,7 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx, + char *ntdomain, + char *username, + struct passwd *pw, +- const struct netr_SamInfo3 *info3, + bool mapped_to_guest, bool username_was_mapped, +- DATA_BLOB *session_key, + struct auth_session_info **session_info); + + /* The following definitions come from auth/auth_samba4.c */ +diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c +index 7b69ca6c222..b8f37cbeee0 100644 +--- a/source3/auth/user_krb5.c ++++ 
b/source3/auth/user_krb5.c +@@ -150,9 +150,7 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx, + char *ntdomain, + char *username, + struct passwd *pw, +- const struct netr_SamInfo3 *info3, + bool mapped_to_guest, bool username_was_mapped, +- DATA_BLOB *session_key, + struct auth_session_info **session_info) + { + NTSTATUS status; +@@ -166,20 +164,6 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx, + return status; + } + +- } else if (info3) { +- /* pass the unmapped username here since map_username() +- will be called again in make_server_info_info3() */ +- +- status = make_server_info_info3(mem_ctx, +- ntuser, ntdomain, +- &server_info, +- info3); +- if (!NT_STATUS_IS_OK(status)) { +- DEBUG(1, ("make_server_info_info3 failed: %s!\n", +- nt_errstr(status))); +- return status; +- } +- + } else { + /* + * We didn't get a PAC, we have to make up the user +@@ -231,7 +215,7 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx, + + server_info->nss_token |= username_was_mapped; + +- status = create_local_token(mem_ctx, server_info, session_key, ntuser, session_info); ++ status = create_local_token(mem_ctx, server_info, NULL, ntuser, session_info); + talloc_free(server_info); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(10,("failed to create local token: %s\n", +@@ -261,9 +245,7 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx, + char *ntdomain, + char *username, + struct passwd *pw, +- const struct netr_SamInfo3 *info3, + bool mapped_to_guest, bool username_was_mapped, +- DATA_BLOB *session_key, + struct auth_session_info **session_info) + { + return NT_STATUS_NOT_IMPLEMENTED; +-- +2.33.1 + + +From bf0696ec4f3080ebd0b61cac5a05a9284ccabda8 Mon Sep 17 00:00:00 2001 +From: Joseph Sutton +Date: Wed, 1 Sep 2021 15:39:19 +1200 +Subject: [PATCH 82/88] krb5pac.idl: Add ticket checksum PAC buffer type + +Signed-off-by: Joseph Sutton +Reviewed-by: Andrew Bartlett +Reviewed-by: Isaac Boukris +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881 +(cherry picked 
from commit ff2f38fae79220e16765e17671972f9a55eb7cce) +--- + librpc/idl/krb5pac.idl | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/librpc/idl/krb5pac.idl b/librpc/idl/krb5pac.idl +index f27e7243ee4..711b7f94b6c 100644 +--- a/librpc/idl/krb5pac.idl ++++ b/librpc/idl/krb5pac.idl +@@ -112,7 +112,8 @@ interface krb5pac + PAC_TYPE_KDC_CHECKSUM = 7, + PAC_TYPE_LOGON_NAME = 10, + PAC_TYPE_CONSTRAINED_DELEGATION = 11, +- PAC_TYPE_UPN_DNS_INFO = 12 ++ PAC_TYPE_UPN_DNS_INFO = 12, ++ PAC_TYPE_TICKET_CHECKSUM = 16 + } PAC_TYPE; + + typedef struct { +@@ -128,6 +129,7 @@ interface krb5pac + [case(PAC_TYPE_CONSTRAINED_DELEGATION)][subcontext(0xFFFFFC01)] + PAC_CONSTRAINED_DELEGATION_CTR constrained_delegation; + [case(PAC_TYPE_UPN_DNS_INFO)] PAC_UPN_DNS_INFO upn_dns_info; ++ [case(PAC_TYPE_TICKET_CHECKSUM)] PAC_SIGNATURE_DATA ticket_checksum; + /* when new PAC info types are added they are supposed to be done + in such a way that they are backwards compatible with existing + servers. 
This makes it safe to just use a [default] for +-- +2.33.1 + + +From 7a9f618fdbf32872594f47dd4bc83ce087af4bbc Mon Sep 17 00:00:00 2001 +From: Joseph Sutton +Date: Wed, 1 Sep 2021 15:40:59 +1200 +Subject: [PATCH 83/88] security.idl: Add well-known SIDs for FAST + +Signed-off-by: Joseph Sutton +Reviewed-by: Andrew Bartlett +Reviewed-by: Isaac Boukris +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881 +(cherry picked from commit 0092b4a3ed58b2c256d4dd9117cce927a3edde12) +--- + librpc/idl/security.idl | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/librpc/idl/security.idl b/librpc/idl/security.idl +index 5930f448955..e6065a35691 100644 +--- a/librpc/idl/security.idl ++++ b/librpc/idl/security.idl +@@ -292,6 +292,9 @@ interface security + const string SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY = "S-1-18-1"; + const string SID_SERVICE_ASSERTED_IDENTITY = "S-1-18-2"; + ++ const string SID_COMPOUNDED_AUTHENTICATION = "S-1-5-21-0-0-0-496"; ++ const string SID_CLAIMS_VALID = "S-1-5-21-0-0-0-497"; ++ + /* + * http://technet.microsoft.com/en-us/library/hh509017(v=ws.10).aspx + */ +-- +2.33.1 + + +From 7713b56a8a8b26e05aa9a517348e3f95da1144a7 Mon Sep 17 00:00:00 2001 +From: Joseph Sutton +Date: Wed, 29 Sep 2021 16:15:26 +1300 +Subject: [PATCH 84/88] krb5pac.idl: Add missing buffer type values + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 + +Signed-off-by: Joseph Sutton +Reviewed-by: Andrew Bartlett +Backported-by: Andreas Schneider +--- + librpc/idl/krb5pac.idl | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/librpc/idl/krb5pac.idl b/librpc/idl/krb5pac.idl +index 711b7f94b6c..141894ec5f1 100644 +--- a/librpc/idl/krb5pac.idl ++++ b/librpc/idl/krb5pac.idl +@@ -113,6 +113,9 @@ interface krb5pac + PAC_TYPE_LOGON_NAME = 10, + PAC_TYPE_CONSTRAINED_DELEGATION = 11, + PAC_TYPE_UPN_DNS_INFO = 12, ++ PAC_TYPE_CLIENT_CLAIMS_INFO = 13, ++ PAC_TYPE_DEVICE_INFO = 14, ++ PAC_TYPE_DEVICE_CLAIMS_INFO = 15, + PAC_TYPE_TICKET_CHECKSUM = 16 + } PAC_TYPE; + +-- 
+2.33.1 + + +From a85bf1d86d6e081c781cc93a8e7aaa049c3818d0 Mon Sep 17 00:00:00 2001 +From: Joseph Sutton +Date: Tue, 26 Oct 2021 20:33:38 +1300 +Subject: [PATCH 85/88] CVE-2020-25719 krb5pac.idl: Add PAC_ATTRIBUTES_INFO PAC + buffer type + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561 + +Signed-off-by: Joseph Sutton +Reviewed-by: Andrew Bartlett +--- + librpc/idl/krb5pac.idl | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/librpc/idl/krb5pac.idl b/librpc/idl/krb5pac.idl +index 141894ec5f1..4bfec2de5e6 100644 +--- a/librpc/idl/krb5pac.idl ++++ b/librpc/idl/krb5pac.idl +@@ -97,6 +97,16 @@ interface krb5pac + PAC_UPN_DNS_FLAGS flags; + } PAC_UPN_DNS_INFO; + ++ typedef [bitmap32bit] bitmap { ++ PAC_ATTRIBUTE_FLAG_PAC_WAS_REQUESTED = 0x00000001, ++ PAC_ATTRIBUTE_FLAG_PAC_WAS_GIVEN_IMPLICITLY = 0x00000002 ++ } PAC_ATTRIBUTE_INFO_FLAGS; ++ ++ typedef struct { ++ uint32 flags_length; /* length in bits */ ++ PAC_ATTRIBUTE_INFO_FLAGS flags; ++ } PAC_ATTRIBUTES_INFO; ++ + typedef [public] struct { + PAC_LOGON_INFO *info; + } PAC_LOGON_INFO_CTR; +@@ -116,7 +126,8 @@ interface krb5pac + PAC_TYPE_CLIENT_CLAIMS_INFO = 13, + PAC_TYPE_DEVICE_INFO = 14, + PAC_TYPE_DEVICE_CLAIMS_INFO = 15, +- PAC_TYPE_TICKET_CHECKSUM = 16 ++ PAC_TYPE_TICKET_CHECKSUM = 16, ++ PAC_TYPE_ATTRIBUTES_INFO = 17 + } PAC_TYPE; + + typedef struct { +@@ -133,6 +144,7 @@ interface krb5pac + PAC_CONSTRAINED_DELEGATION_CTR constrained_delegation; + [case(PAC_TYPE_UPN_DNS_INFO)] PAC_UPN_DNS_INFO upn_dns_info; + [case(PAC_TYPE_TICKET_CHECKSUM)] PAC_SIGNATURE_DATA ticket_checksum; ++ [case(PAC_TYPE_ATTRIBUTES_INFO)] PAC_ATTRIBUTES_INFO attributes_info; + /* when new PAC info types are added they are supposed to be done + in such a way that they are backwards compatible with existing + servers. 
This makes it safe to just use a [default] for +-- +2.33.1 + + +From 57e4c415ecae66ee984a30eb66d5d248e0e8587d Mon Sep 17 00:00:00 2001 +From: Joseph Sutton +Date: Tue, 26 Oct 2021 20:33:49 +1300 +Subject: [PATCH 86/88] CVE-2020-25719 krb5pac.idl: Add PAC_REQUESTER_SID PAC + buffer type + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561 + +Signed-off-by: Joseph Sutton +Reviewed-by: Andrew Bartlett +--- + librpc/idl/krb5pac.idl | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/librpc/idl/krb5pac.idl b/librpc/idl/krb5pac.idl +index 4bfec2de5e6..f750359a069 100644 +--- a/librpc/idl/krb5pac.idl ++++ b/librpc/idl/krb5pac.idl +@@ -107,6 +107,10 @@ interface krb5pac + PAC_ATTRIBUTE_INFO_FLAGS flags; + } PAC_ATTRIBUTES_INFO; + ++ typedef struct { ++ dom_sid sid; ++ } PAC_REQUESTER_SID; ++ + typedef [public] struct { + PAC_LOGON_INFO *info; + } PAC_LOGON_INFO_CTR; +@@ -127,7 +131,8 @@ interface krb5pac + PAC_TYPE_DEVICE_INFO = 14, + PAC_TYPE_DEVICE_CLAIMS_INFO = 15, + PAC_TYPE_TICKET_CHECKSUM = 16, +- PAC_TYPE_ATTRIBUTES_INFO = 17 ++ PAC_TYPE_ATTRIBUTES_INFO = 17, ++ PAC_TYPE_REQUESTER_SID = 18 + } PAC_TYPE; + + typedef struct { +@@ -145,6 +150,7 @@ interface krb5pac + [case(PAC_TYPE_UPN_DNS_INFO)] PAC_UPN_DNS_INFO upn_dns_info; + [case(PAC_TYPE_TICKET_CHECKSUM)] PAC_SIGNATURE_DATA ticket_checksum; + [case(PAC_TYPE_ATTRIBUTES_INFO)] PAC_ATTRIBUTES_INFO attributes_info; ++ [case(PAC_TYPE_REQUESTER_SID)] PAC_REQUESTER_SID requester_sid; + /* when new PAC info types are added they are supposed to be done + in such a way that they are backwards compatible with existing + servers. This makes it safe to just use a [default] for +-- +2.33.1 + + +From 7782a97868ead29b6e87fa98dcef8dbc2706b67d Mon Sep 17 00:00:00 2001 +From: Andrew Bartlett +Date: Mon, 27 Sep 2021 11:20:19 +1300 +Subject: [PATCH 87/88] CVE-2020-25721 krb5pac: Add new buffers for + samAccountName and objectSID + +These appear when PAC_UPN_DNS_FLAG_HAS_SAM_NAME_AND_SID is set. 
+ +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14835 + +Signed-off-by: Andrew Bartlett +Reviewed-by: Joseph Sutton +--- + librpc/idl/krb5pac.idl | 18 ++++++++++++++++-- + librpc/ndr/ndr_krb5pac.c | 4 ++-- + 2 files changed, 18 insertions(+), 4 deletions(-) + +diff --git a/librpc/idl/krb5pac.idl b/librpc/idl/krb5pac.idl +index f750359a069..94b9160d6eb 100644 +--- a/librpc/idl/krb5pac.idl ++++ b/librpc/idl/krb5pac.idl +@@ -86,15 +86,29 @@ interface krb5pac + } PAC_CONSTRAINED_DELEGATION; + + typedef [bitmap32bit] bitmap { +- PAC_UPN_DNS_FLAG_CONSTRUCTED = 0x00000001 ++ PAC_UPN_DNS_FLAG_CONSTRUCTED = 0x00000001, ++ PAC_UPN_DNS_FLAG_HAS_SAM_NAME_AND_SID = 0x00000002 + } PAC_UPN_DNS_FLAGS; + ++ typedef struct { ++ [value(2*strlen_m(samaccountname))] uint16 samaccountname_size; ++ [relative_short,subcontext(0),subcontext_size(samaccountname_size),flag(NDR_ALIGN8|STR_NOTERM|NDR_REMAINING)] string *samaccountname; ++ [value(ndr_size_dom_sid(objectsid, ndr->flags))] uint16 objectsid_size; ++ [relative_short,subcontext(0),subcontext_size(objectsid_size)] dom_sid *objectsid; ++ } PAC_UPN_DNS_INFO_SAM_NAME_AND_SID; ++ ++ typedef [nodiscriminant] union { ++ [case(PAC_UPN_DNS_FLAG_HAS_SAM_NAME_AND_SID)] PAC_UPN_DNS_INFO_SAM_NAME_AND_SID sam_name_and_sid; ++ [default]; ++ } PAC_UPN_DNS_INFO_EX; ++ + typedef struct { + [value(2*strlen_m(upn_name))] uint16 upn_name_size; + [relative_short,subcontext(0),subcontext_size(upn_name_size),flag(NDR_ALIGN8|STR_NOTERM|NDR_REMAINING)] string *upn_name; + [value(2*strlen_m(dns_domain_name))] uint16 dns_domain_name_size; + [relative_short,subcontext(0),subcontext_size(dns_domain_name_size),flag(NDR_ALIGN8|STR_NOTERM|NDR_REMAINING)] string *dns_domain_name; + PAC_UPN_DNS_FLAGS flags; ++ [switch_is(flags & PAC_UPN_DNS_FLAG_HAS_SAM_NAME_AND_SID)] PAC_UPN_DNS_INFO_EX ex; + } PAC_UPN_DNS_INFO; + + typedef [bitmap32bit] bitmap { +@@ -160,7 +174,7 @@ interface krb5pac + + typedef [public,nopush,nopull] struct { + PAC_TYPE type; +- 
[value(_ndr_size_PAC_INFO(info, type, 0))] uint32 _ndr_size; ++ [value(_ndr_size_PAC_INFO(info, type, LIBNDR_FLAG_ALIGN8))] uint32 _ndr_size; + /* + * We need to have two subcontexts to get the padding right, + * the outer subcontext uses NDR_ROUND(_ndr_size, 8), while +diff --git a/librpc/ndr/ndr_krb5pac.c b/librpc/ndr/ndr_krb5pac.c +index a9ae2c4a789..57b28df9e52 100644 +--- a/librpc/ndr/ndr_krb5pac.c ++++ b/librpc/ndr/ndr_krb5pac.c +@@ -41,7 +41,7 @@ enum ndr_err_code ndr_push_PAC_BUFFER(struct ndr_push *ndr, int ndr_flags, const + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_push_align(ndr, 4)); + NDR_CHECK(ndr_push_PAC_TYPE(ndr, NDR_SCALARS, r->type)); +- NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, _ndr_size_PAC_INFO(r->info,r->type,0))); ++ NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, _ndr_size_PAC_INFO(r->info,r->type,LIBNDR_FLAG_ALIGN8))); + { + uint32_t _flags_save_PAC_INFO = ndr->flags; + ndr_set_flags(&ndr->flags, LIBNDR_FLAG_ALIGN8); +@@ -59,7 +59,7 @@ enum ndr_err_code ndr_push_PAC_BUFFER(struct ndr_push *ndr, int ndr_flags, const + { + struct ndr_push *_ndr_info_pad; + struct ndr_push *_ndr_info; +- size_t _ndr_size = _ndr_size_PAC_INFO(r->info, r->type, 0); ++ size_t _ndr_size = _ndr_size_PAC_INFO(r->info, r->type, LIBNDR_FLAG_ALIGN8); + NDR_CHECK(ndr_push_subcontext_start(ndr, &_ndr_info_pad, 0, NDR_ROUND(_ndr_size, 8))); + NDR_CHECK(ndr_push_subcontext_start(_ndr_info_pad, &_ndr_info, 0, _ndr_size)); + NDR_CHECK(ndr_push_set_switch_value(_ndr_info, r->info, r->type)); +-- +2.33.1 + + +From 44e8dd1a9a3c02dee31497fe20411758fce1acf9 Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Fri, 12 Nov 2021 19:06:01 +0200 +Subject: [PATCH 88/88] IPA DC: add missing checks + +When introducing FreeIPA support, two places were forgotten: + + - schannel gensec module needs to be aware of IPA DC + - _lsa_QueryInfoPolicy should treat IPA DC as PDC + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14903 + +Signed-off-by: Alexander Bokovoy +Reviewed-by: 
Guenther Deschner + +Autobuild-User(master): Alexander Bokovoy +Autobuild-Date(master): Sat Nov 13 07:01:26 UTC 2021 on sn-devel-184 + +(cherry picked from commit c69b66f649c1d47a7367f7efe25b8df32369a3a5) +--- + auth/gensec/schannel.c | 1 + + source3/rpc_server/lsa/srv_lsa_nt.c | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/auth/gensec/schannel.c b/auth/gensec/schannel.c +index 71e9afdf48e..f23c1effb23 100644 +--- a/auth/gensec/schannel.c ++++ b/auth/gensec/schannel.c +@@ -740,6 +740,7 @@ static NTSTATUS schannel_server_start(struct gensec_security *gensec_security) + case ROLE_DOMAIN_BDC: + case ROLE_DOMAIN_PDC: + case ROLE_ACTIVE_DIRECTORY_DC: ++ case ROLE_IPA_DC: + return NT_STATUS_OK; + default: + return NT_STATUS_NOT_IMPLEMENTED; +diff --git a/source3/rpc_server/lsa/srv_lsa_nt.c b/source3/rpc_server/lsa/srv_lsa_nt.c +index 57bfc596005..3f77856457e 100644 +--- a/source3/rpc_server/lsa/srv_lsa_nt.c ++++ b/source3/rpc_server/lsa/srv_lsa_nt.c +@@ -672,6 +672,7 @@ NTSTATUS _lsa_QueryInfoPolicy(struct pipes_struct *p, + switch (lp_server_role()) { + case ROLE_DOMAIN_PDC: + case ROLE_DOMAIN_BDC: ++ case ROLE_IPA_DC: + name = get_global_sam_name(); + sid = dom_sid_dup(p->mem_ctx, get_global_sam_sid()); + if (!sid) { +-- +2.33.1 diff --git a/SPECS/samba.spec b/SPECS/samba.spec index fa9727a..7062f94 100644 --- a/SPECS/samba.spec +++ b/SPECS/samba.spec @@ -6,7 +6,7 @@ # ctdb is enabled by default, you can disable it with: --without clustering %bcond_without clustering -%define main_release 15 +%define main_release 17 %define samba_version 4.10.16 %define talloc_version 2.1.16 
@@ -3305,6 +3305,14 @@ rm -rf %{buildroot} %endif # with_clustering_support %changelog +* Mon Nov 15 2021 Andreas Schneider - 4.10.16-17 +- related: #2019673 - Add missing checks for IPA DC server role + +* Mon Nov 08 2021 Andreas Schneider - 4.10.16-16 +- resolves: #2019661 - Fix CVE-2016-2124 +- resolves: #2019673 - Fix CVE-2020-25717 +- resolves: #2021428 - Add missing PAC buffer types to krb5pac.idl + * Mon Apr 26 2021 Andreas Schneider - 4.10.16-15 - resolves: #1949444 - Fix CVE-2021-20254