From 81bef6480f316685c04c891b3ebce3ce3178785b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= Date: Mon, 17 Jul 2023 11:39:20 +0200 Subject: [PATCH] Fix trust relationship between workstation and DC resolves: rhbz#2222883 --- samba-4.16-waf-crypto.patch | 77 --- samba-4.17-fix-changeuserpassword4.patch | 540 ------------------- samba-4.18-netlogon.patch | 356 +++++++++++++ samba-s4u.patch | 642 ----------------------- samba.spec | 7 +- 5 files changed, 362 insertions(+), 1260 deletions(-) delete mode 100644 samba-4.16-waf-crypto.patch delete mode 100644 samba-4.17-fix-changeuserpassword4.patch create mode 100644 samba-4.18-netlogon.patch delete mode 100644 samba-s4u.patch diff --git a/samba-4.16-waf-crypto.patch b/samba-4.16-waf-crypto.patch deleted file mode 100644 index 337be97..0000000 --- a/samba-4.16-waf-crypto.patch +++ /dev/null @@ -1,77 +0,0 @@ -From 41d3efebcf6abab9119f9b0f97c86c1c48739fee Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 4 Apr 2022 11:24:04 +0200 -Subject: [PATCH 1/2] waf: Check for GnuTLS earlier - -As GnuTLS is an essential part we need to check for it early so we can react on -GnuTLS features in other wscripts. - -Signed-off-by: Andreas Schneider ---- - wscript | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/wscript b/wscript -index d8220b35095..5b85d9a1682 100644 ---- a/wscript -+++ b/wscript -@@ -189,6 +189,8 @@ def configure(conf): - conf.RECURSE('dynconfig') - conf.RECURSE('selftest') - -+ conf.PROCESS_SEPARATE_RULE('system_gnutls') -+ - conf.CHECK_CFG(package='zlib', minversion='1.2.3', - args='--cflags --libs', - mandatory=True) -@@ -297,8 +299,6 @@ def configure(conf): - if not conf.CONFIG_GET('KRB5_VENDOR'): - conf.PROCESS_SEPARATE_RULE('embedded_heimdal') - -- conf.PROCESS_SEPARATE_RULE('system_gnutls') -- - conf.RECURSE('source4/dsdb/samdb/ldb_modules') - conf.RECURSE('source4/ntvfs/sysdep') - conf.RECURSE('lib/util') --- -2.35.1 - - -From 63701a28116afc1550c23cb5f7b9d6e366fd1270 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 4 Apr 2022 11:25:31 +0200 -Subject: [PATCH 2/2] third_party:waf: Do not recurse in aesni-intel if GnuTLS - provides the cipher - -Signed-off-by: Andreas Schneider ---- - third_party/wscript | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/third_party/wscript b/third_party/wscript -index 1f4bc1ce1d7..a17c15bcaa7 100644 ---- a/third_party/wscript -+++ b/third_party/wscript -@@ -5,7 +5,8 @@ from waflib import Options - def configure(conf): - conf.RECURSE('cmocka') - conf.RECURSE('popt') -- conf.RECURSE('aesni-intel') -+ if not conf.CONFIG_SET('HAVE_GNUTLS_AES_CMAC'): -+ conf.RECURSE('aesni-intel') - if conf.CONFIG_GET('ENABLE_SELFTEST'): - conf.RECURSE('socket_wrapper') - conf.RECURSE('nss_wrapper') -@@ -18,7 +19,8 @@ def configure(conf): - def build(bld): - bld.RECURSE('cmocka') - bld.RECURSE('popt') -- bld.RECURSE('aesni-intel') -+ if not bld.CONFIG_SET('HAVE_GNUTLS_AES_CMAC'): -+ bld.RECURSE('aesni-intel') - if bld.CONFIG_GET('SOCKET_WRAPPER'): - bld.RECURSE('socket_wrapper') - if bld.CONFIG_GET('NSS_WRAPPER'): --- -2.35.1 - diff --git a/samba-4.17-fix-changeuserpassword4.patch b/samba-4.17-fix-changeuserpassword4.patch deleted file mode 100644 index 7f1b482..0000000 --- a/samba-4.17-fix-changeuserpassword4.patch +++ /dev/null @@ -1,540 +0,0 @@ -From a3e3d05f35d6082ea48450060b39084e3d0e4056 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 10 Oct 2022 15:15:20 +0200 -Subject: [PATCH 1/5] s3:librpc: Improve GSE error message - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15206 - -Signed-off-by: Andreas Schneider -Reviewed-by: Noel Power ---- - source3/librpc/crypto/gse.c | 21 +++++++++++++++++++-- - 1 file changed, 19 insertions(+), 2 deletions(-) - -diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c -index c50a8a036df..c2cac7abf82 100644 ---- a/source3/librpc/crypto/gse.c -+++ b/source3/librpc/crypto/gse.c -@@ -546,11 +546,28 @@ init_sec_context_done: - goto done; - case GSS_S_FAILURE: - switch (gss_min) { -- case (OM_uint32)KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN: -- DBG_NOTICE("Server principal not found\n"); -+ case (OM_uint32)KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN: { -+ gss_buffer_desc name_token = { -+ .length = 0, -+ }; -+ -+ gss_maj = gss_display_name(&gss_min, -+ gse_ctx->server_name, -+ &name_token, -+ NULL); -+ if (gss_maj == GSS_S_COMPLETE) { -+ DBG_NOTICE("Server principal %.*s not found\n", -+ (int)name_token.length, -+ (char *)name_token.value); -+ gss_release_buffer(&gss_maj, &name_token); -+ } else { -+ DBG_NOTICE("Server principal not found\n"); -+ } -+ - /* Make SPNEGO ignore us, we can't go any further here */ - status = NT_STATUS_INVALID_PARAMETER; - goto done; -+ } - case (OM_uint32)KRB5KRB_AP_ERR_TKT_EXPIRED: - DBG_NOTICE("Ticket expired\n"); - /* Make SPNEGO ignore us, we can't go any further here */ --- -2.37.3 - - -From d2e2e9acd717e45806f1b19378e09f39c8fe3da8 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Fri, 7 Oct 2022 14:35:15 +0200 -Subject: [PATCH 2/5] s3:rpcclient: Pass salt down to - init_samr_CryptPasswordAES() - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15206 - -Signed-off-by: Andreas Schneider -Reviewed-by: Noel Power ---- - source3/rpc_client/init_samr.c | 15 ++++----------- - source3/rpc_client/init_samr.h | 1 + - source3/rpcclient/cmd_samr.c | 8 ++++++++ - source4/libnet/libnet_passwd.c | 13 +++++++------ - source4/torture/rpc/samr.c | 27 +++++++++++++++++++++++++++ - 5 files changed, 47 insertions(+), 17 deletions(-) - -diff --git a/source3/rpc_client/init_samr.c b/source3/rpc_client/init_samr.c -index 68f42b602b3..52fa2f90d6e 100644 ---- a/source3/rpc_client/init_samr.c -+++ b/source3/rpc_client/init_samr.c -@@ -79,6 +79,7 @@ NTSTATUS init_samr_CryptPassword(const char *pwd, - - NTSTATUS init_samr_CryptPasswordAES(TALLOC_CTX *mem_ctx, - const char *password, -+ DATA_BLOB *salt, - DATA_BLOB *session_key, - struct samr_EncryptedPasswordAES *ppwd_buf) - { -@@ -87,12 +88,6 @@ NTSTATUS init_samr_CryptPasswordAES(TALLOC_CTX *mem_ctx, - .data = pw_data, - .length = sizeof(pw_data), - }; -- size_t iv_size = gnutls_cipher_get_iv_size(GNUTLS_CIPHER_AES_256_CBC); -- uint8_t iv_data[iv_size]; -- DATA_BLOB iv = { -- .data = iv_data, -- .length = iv_size, -- }; - DATA_BLOB ciphertext = data_blob_null; - NTSTATUS status = NT_STATUS_UNSUCCESSFUL; - bool ok; -@@ -101,8 +96,6 @@ NTSTATUS init_samr_CryptPasswordAES(TALLOC_CTX *mem_ctx, - return NT_STATUS_INVALID_PARAMETER; - } - -- generate_nonce_buffer(iv.data, iv.length); -- - ok = encode_pwd_buffer514_from_str(pw_data, password, STR_UNICODE); - if (!ok) { - return NT_STATUS_INTERNAL_ERROR; -@@ -114,7 +107,7 @@ NTSTATUS init_samr_CryptPasswordAES(TALLOC_CTX *mem_ctx, - session_key, - &samr_aes256_enc_key_salt, - &samr_aes256_mac_key_salt, -- &iv, -+ salt, - &ciphertext, - ppwd_buf->auth_data); - BURN_DATA(pw_data); -@@ -126,8 +119,8 @@ NTSTATUS init_samr_CryptPasswordAES(TALLOC_CTX *mem_ctx, - ppwd_buf->cipher = ciphertext.data; - ppwd_buf->PBKDF2Iterations = 0; - -- SMB_ASSERT(iv.length == sizeof(ppwd_buf->salt)); -- memcpy(ppwd_buf->salt, iv.data, iv.length); -+ SMB_ASSERT(salt->length == sizeof(ppwd_buf->salt)); -+ memcpy(ppwd_buf->salt, salt->data, salt->length); - - return NT_STATUS_OK; - } -diff --git a/source3/rpc_client/init_samr.h b/source3/rpc_client/init_samr.h -index 940534e7168..71b4c0e573d 100644 ---- a/source3/rpc_client/init_samr.h -+++ b/source3/rpc_client/init_samr.h -@@ -47,6 +47,7 @@ NTSTATUS init_samr_CryptPassword(const char *pwd, - */ - NTSTATUS init_samr_CryptPasswordAES(TALLOC_CTX *mem_ctx, - const char *password, -+ DATA_BLOB *salt, - DATA_BLOB *session_key, - struct samr_EncryptedPasswordAES *ppwd_buf); - -diff --git a/source3/rpcclient/cmd_samr.c b/source3/rpcclient/cmd_samr.c -index 9ccd2f78a8d..8106ca90cf2 100644 ---- a/source3/rpcclient/cmd_samr.c -+++ b/source3/rpcclient/cmd_samr.c -@@ -3172,6 +3172,11 @@ static NTSTATUS cmd_samr_setuserinfo_int(struct rpc_pipe_client *cli, - uint8_t nt_hash[16]; - uint8_t lm_hash[16]; - DATA_BLOB session_key; -+ uint8_t salt_data[16]; -+ DATA_BLOB salt = { -+ .data = salt_data, -+ .length = sizeof(salt_data), -+ }; - uint8_t password_expired = 0; - struct dcerpc_binding_handle *b = cli->binding_handle; - TALLOC_CTX *frame = NULL; -@@ -3198,6 +3203,8 @@ static NTSTATUS cmd_samr_setuserinfo_int(struct rpc_pipe_client *cli, - goto done; - } - -+ generate_nonce_buffer(salt.data, salt.length); -+ - switch(level) { - case 18: - case 21: -@@ -3220,6 +3227,7 @@ static NTSTATUS cmd_samr_setuserinfo_int(struct rpc_pipe_client *cli, - case 31: - status = init_samr_CryptPasswordAES(frame, - param, -+ &salt, - &session_key, - &pwd_buf_aes); - if (!NT_STATUS_IS_OK(status)) { -diff --git a/source4/libnet/libnet_passwd.c b/source4/libnet/libnet_passwd.c -index 4f662110e55..a1672104824 100644 ---- a/source4/libnet/libnet_passwd.c -+++ b/source4/libnet/libnet_passwd.c -@@ -57,13 +57,13 @@ static NTSTATUS libnet_ChangePassword_samr_aes(TALLOC_CTX *mem_ctx, - struct samr_EncryptedPasswordAES pwd_buf = { - .cipher_len = 0 - }; -- DATA_BLOB iv = { -+ DATA_BLOB salt = { - .data = pwd_buf.salt, - .length = sizeof(pwd_buf.salt), - }; -- gnutls_datum_t iv_datum = { -- .data = iv.data, -- .size = iv.length, -+ gnutls_datum_t salt_datum = { -+ .data = pwd_buf.salt, -+ .size = sizeof(pwd_buf.salt), - }; - uint64_t pbkdf2_iterations = generate_random_u64_range(5000, 1000000); - NTSTATUS status; -@@ -71,11 +71,11 @@ static NTSTATUS libnet_ChangePassword_samr_aes(TALLOC_CTX *mem_ctx, - - E_md4hash(old_password, old_nt_key_data); - -- generate_nonce_buffer(iv.data, iv.length); -+ generate_nonce_buffer(salt.data, salt.length); - - rc = gnutls_pbkdf2(GNUTLS_MAC_SHA512, - &old_nt_key, -- &iv_datum, -+ &salt_datum, - pbkdf2_iterations, - cek.data, - cek.length); -@@ -86,6 +86,7 @@ static NTSTATUS libnet_ChangePassword_samr_aes(TALLOC_CTX *mem_ctx, - - status = init_samr_CryptPasswordAES(mem_ctx, - new_password, -+ &salt, - &cek, - &pwd_buf); - data_blob_clear(&cek); -diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c -index de354659067..0b1880efa18 100644 ---- a/source4/torture/rpc/samr.c -+++ b/source4/torture/rpc/samr.c -@@ -783,6 +783,11 @@ static bool test_SetUserPass_32(struct dcerpc_pipe *p, struct torture_context *t - struct samr_SetUserInfo s; - union samr_UserInfo u; - DATA_BLOB session_key; -+ uint8_t salt_data[16]; -+ DATA_BLOB salt = { -+ .data = salt_data, -+ .length = sizeof(salt_data), -+ }; - char *newpass = NULL; - struct dcerpc_binding_handle *b = p->binding_handle; - struct samr_GetUserPwInfo pwp; -@@ -818,8 +823,11 @@ static bool test_SetUserPass_32(struct dcerpc_pipe *p, struct torture_context *t - return false; - } - -+ generate_nonce_buffer(salt.data, salt.length); -+ - status = init_samr_CryptPasswordAES(tctx, - newpass, -+ &salt, - &session_key, - &u.info32.password); - torture_assert_ntstatus_ok(tctx, -@@ -852,6 +860,7 @@ static bool test_SetUserPass_32(struct dcerpc_pipe *p, struct torture_context *t - - status = init_samr_CryptPasswordAES(tctx, - newpass, -+ &salt, - &session_key, - &u.info32.password); - torture_assert_ntstatus_ok(tctx, -@@ -896,6 +905,11 @@ static bool test_SetUserPass_31(struct dcerpc_pipe *p, struct torture_context *t - union samr_UserInfo u; - bool ret = true; - DATA_BLOB session_key; -+ uint8_t salt_data[16]; -+ DATA_BLOB salt = { -+ .data = salt_data, -+ .length = sizeof(salt_data), -+ }; - char *newpass; - struct dcerpc_binding_handle *b = p->binding_handle; - struct samr_GetUserPwInfo pwp; -@@ -931,8 +945,11 @@ static bool test_SetUserPass_31(struct dcerpc_pipe *p, struct torture_context *t - return false; - } - -+ generate_nonce_buffer(salt.data, salt.length); -+ - status = init_samr_CryptPasswordAES(tctx, - newpass, -+ &salt, - &session_key, - &u.info31.password); - torture_assert_ntstatus_ok(tctx, -@@ -959,6 +976,7 @@ static bool test_SetUserPass_31(struct dcerpc_pipe *p, struct torture_context *t - - status = init_samr_CryptPasswordAES(tctx, - newpass, -+ &salt, - &session_key, - &u.info31.password); - torture_assert_ntstatus_ok(tctx, -@@ -1381,6 +1399,11 @@ static bool test_SetUserPass_level_ex(struct dcerpc_pipe *p, - union samr_UserInfo u; - bool ret = true; - DATA_BLOB session_key; -+ uint8_t salt_data[16]; -+ DATA_BLOB salt = { -+ .data = salt_data, -+ .length = sizeof(salt_data), -+ }; - char *newpass; - struct dcerpc_binding_handle *b = p->binding_handle; - struct samr_GetUserPwInfo pwp; -@@ -1490,6 +1513,8 @@ static bool test_SetUserPass_level_ex(struct dcerpc_pipe *p, - return false; - } - -+ generate_nonce_buffer(salt.data, salt.length); -+ - switch (level) { - case 18: - { -@@ -1561,6 +1586,7 @@ static bool test_SetUserPass_level_ex(struct dcerpc_pipe *p, - case 31: - status = init_samr_CryptPasswordAES(tctx, - newpass, -+ &salt, - &session_key, - &u.info31.password); - -@@ -1568,6 +1594,7 @@ static bool test_SetUserPass_level_ex(struct dcerpc_pipe *p, - case 32: - status = init_samr_CryptPasswordAES(tctx, - newpass, -+ &salt, - &session_key, - &u.info32.password); - --- -2.37.3 - - -From 1d630363c9b2497266e418aad89c55d5b51a63ad Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 17 Oct 2022 09:02:28 +0200 -Subject: [PATCH 3/5] s4:libnet: If we successfully changed the password we are - done - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15206 - -Signed-off-by: Andreas Schneider -Reviewed-by: Noel Power ---- - source4/libnet/libnet_passwd.c | 32 ++++++++++++++++++-------------- - 1 file changed, 18 insertions(+), 14 deletions(-) - -diff --git a/source4/libnet/libnet_passwd.c b/source4/libnet/libnet_passwd.c -index a1672104824..b17614bcd97 100644 ---- a/source4/libnet/libnet_passwd.c -+++ b/source4/libnet/libnet_passwd.c -@@ -101,7 +101,7 @@ static NTSTATUS libnet_ChangePassword_samr_aes(TALLOC_CTX *mem_ctx, - r.in.password = &pwd_buf; - - status = dcerpc_samr_ChangePasswordUser4_r(h, mem_ctx, &r); -- if (NT_STATUS_IS_OK(status)) { -+ if (!NT_STATUS_IS_OK(status)) { - goto done; - } - if (!NT_STATUS_IS_OK(r.out.result)) { -@@ -112,6 +112,7 @@ static NTSTATUS libnet_ChangePassword_samr_aes(TALLOC_CTX *mem_ctx, - account->string, - nt_errstr(status)); - status = r.out.result; -+ goto done; - } - - done: -@@ -424,20 +425,23 @@ static NTSTATUS libnet_ChangePassword_samr(struct libnet_context *ctx, TALLOC_CT - r->samr.in.oldpassword, - r->samr.in.newpassword, - &(r->samr.out.error_string)); -- if (!NT_STATUS_IS_OK(status)) { -- if (NT_STATUS_EQUAL(status, -- NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE) || -- NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED) || -- NT_STATUS_EQUAL(status, NT_STATUS_NOT_IMPLEMENTED)) { -- /* -- * Don't fallback to RC4 based SAMR if weak crypto is not -- * allowed. -- */ -- if (lpcfg_weak_crypto(ctx->lp_ctx) == -- SAMBA_WEAK_CRYPTO_DISALLOWED) { -- goto disconnect; -- } -+ if (NT_STATUS_IS_OK(status)) { -+ goto disconnect; -+ } else if (NT_STATUS_EQUAL(status, -+ NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE) || -+ NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED) || -+ NT_STATUS_EQUAL(status, NT_STATUS_NOT_IMPLEMENTED)) { -+ /* -+ * Don't fallback to RC4 based SAMR if weak crypto is not -+ * allowed. -+ */ -+ if (lpcfg_weak_crypto(ctx->lp_ctx) == -+ SAMBA_WEAK_CRYPTO_DISALLOWED) { -+ goto disconnect; - } -+ } else { -+ /* libnet_ChangePassword_samr_aes is implemented and failed */ -+ goto disconnect; - } - - status = libnet_ChangePassword_samr_rc4( --- -2.37.3 - - -From 9a4a169ab34641afb87e7f81708c9a72b321879e Mon Sep 17 00:00:00 2001 -From: Noel Power -Date: Fri, 21 Oct 2022 17:40:36 +0100 -Subject: [PATCH 4/5] s4/rpc_server/sambr: don't mutate the return of - samdb_set_password_aes - -prior to this commit return of samdb_set_password_aes was set to -NT_STATUS_WRONG_PASSWORD on failure. Useful status that should be -returned such as NT_STATUS_PASSWORD_RESTRICTION are swallowed here -otherwise (and in this case can be partially responsible for failures -in test samba.tests.auth_log_pass_change (with later gnutls) - -Signed-off-by: Noel Power -Reviewed-by: Andreas Schneider ---- - source4/rpc_server/samr/samr_password.c | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/source4/rpc_server/samr/samr_password.c b/source4/rpc_server/samr/samr_password.c -index 4691f9a47a9..b581be6361c 100644 ---- a/source4/rpc_server/samr/samr_password.c -+++ b/source4/rpc_server/samr/samr_password.c -@@ -250,7 +250,6 @@ NTSTATUS dcesrv_samr_ChangePasswordUser4(struct dcesrv_call_state *dce_call, - - if (!NT_STATUS_IS_OK(status)) { - ldb_transaction_cancel(sam_ctx); -- status = NT_STATUS_WRONG_PASSWORD; - goto done; - } - --- -2.37.3 - - -From b8b36ecba0f22dbc203c12627ebd629c2437c635 Mon Sep 17 00:00:00 2001 -From: Noel Power -Date: Fri, 21 Oct 2022 17:14:44 +0100 -Subject: [PATCH 5/5] python/samba/tests: fix samba.tests.auth_log_pass_change - for later gnutls - -later gnutls that support GNUTLS_PBKDF2 currently fail, -we need to conditionally switch test data to reflect use of -'samr_ChangePasswordUser3' or 'samr_ChangePasswordUser4' -depending on whether GNUTLS_PBKDF2 is supported or not - -Signed-off-by: Noel Power -Reviewed-by: Andreas Schneider ---- - python/samba/tests/auth_log_pass_change.py | 20 ++++++++++++++++---- - source4/selftest/tests.py | 9 ++++++--- - 2 files changed, 22 insertions(+), 7 deletions(-) - -diff --git a/python/samba/tests/auth_log_pass_change.py b/python/samba/tests/auth_log_pass_change.py -index 972af2158dd..1ca46c586b3 100644 ---- a/python/samba/tests/auth_log_pass_change.py -+++ b/python/samba/tests/auth_log_pass_change.py -@@ -72,6 +72,18 @@ class AuthLogPassChangeTests(samba.tests.auth_log_base.AuthLogTestBase): - - # discard any auth log messages for the password setup - self.discardMessages() -+ gnutls_pbkdf2_support = samba.tests.env_get_var_value( -+ 'GNUTLS_PBKDF2_SUPPORT', -+ allow_missing=True) -+ if gnutls_pbkdf2_support is None: -+ gnutls_pbkdf2_support = '0' -+ self.gnutls_pbkdf2_support = bool(int(gnutls_pbkdf2_support)) -+ -+ def _authDescription(self): -+ if self.gnutls_pbkdf2_support: -+ return "samr_ChangePasswordUser4" -+ else: -+ return "samr_ChangePasswordUser3" - - def tearDown(self): - super(AuthLogPassChangeTests, self).tearDown() -@@ -83,7 +95,7 @@ class AuthLogPassChangeTests(samba.tests.auth_log_base.AuthLogTestBase): - (msg["Authentication"]["serviceDescription"] == - "SAMR Password Change") and - (msg["Authentication"]["authDescription"] == -- "samr_ChangePasswordUser3") and -+ self._authDescription()) and - (msg["Authentication"]["eventId"] == - EVT_ID_SUCCESSFUL_LOGON) and - (msg["Authentication"]["logonType"] == -@@ -109,7 +121,7 @@ class AuthLogPassChangeTests(samba.tests.auth_log_base.AuthLogTestBase): - (msg["Authentication"]["serviceDescription"] == - "SAMR Password Change") and - (msg["Authentication"]["authDescription"] == -- "samr_ChangePasswordUser3") and -+ self._authDescription()) and - (msg["Authentication"]["eventId"] == - EVT_ID_UNSUCCESSFUL_LOGON) and - (msg["Authentication"]["logonType"] == -@@ -141,7 +153,7 @@ class AuthLogPassChangeTests(samba.tests.auth_log_base.AuthLogTestBase): - (msg["Authentication"]["serviceDescription"] == - "SAMR Password Change") and - (msg["Authentication"]["authDescription"] == -- "samr_ChangePasswordUser3") and -+ self._authDescription()) and - (msg["Authentication"]["eventId"] == - EVT_ID_UNSUCCESSFUL_LOGON) and - (msg["Authentication"]["logonType"] == -@@ -174,7 +186,7 @@ class AuthLogPassChangeTests(samba.tests.auth_log_base.AuthLogTestBase): - (msg["Authentication"]["serviceDescription"] == - "SAMR Password Change") and - (msg["Authentication"]["authDescription"] == -- "samr_ChangePasswordUser3") and -+ self._authDescription()) and - (msg["Authentication"]["eventId"] == - EVT_ID_UNSUCCESSFUL_LOGON) and - (msg["Authentication"]["logonType"] == -diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py -index a803d4704ea..c92105586a7 100755 ---- a/source4/selftest/tests.py -+++ b/source4/selftest/tests.py -@@ -1094,9 +1094,11 @@ if have_heimdal_support: - environ={'CLIENT_IP': '10.53.57.11', - 'SOCKET_WRAPPER_DEFAULT_IFACE': 11}) - planoldpythontestsuite("ad_dc_smb1", "samba.tests.auth_log_pass_change", -- extra_args=['-U"$USERNAME%$PASSWORD"']) -+ extra_args=['-U"$USERNAME%$PASSWORD"'], -+ environ={'GNUTLS_PBKDF2_SUPPORT': gnutls_pbkdf2_support}) - planoldpythontestsuite("ad_dc_ntvfs", "samba.tests.auth_log_pass_change", -- extra_args=['-U"$USERNAME%$PASSWORD"']) -+ extra_args=['-U"$USERNAME%$PASSWORD"'], -+ environ={'GNUTLS_PBKDF2_SUPPORT': gnutls_pbkdf2_support}) - - # these tests use a NCA local RPC connection, so always run on the - # :local testenv, and so don't need to fake a client connection -@@ -1113,7 +1115,8 @@ if have_heimdal_support: - "samba.tests.auth_log_winbind", - extra_args=['-U"$DC_USERNAME%$DC_PASSWORD"']) - planoldpythontestsuite("ad_dc", "samba.tests.audit_log_pass_change", -- extra_args=['-U"$USERNAME%$PASSWORD"']) -+ extra_args=['-U"$USERNAME%$PASSWORD"'], -+ environ={'GNUTLS_PBKDF2_SUPPORT': gnutls_pbkdf2_support}) - planoldpythontestsuite("ad_dc", "samba.tests.audit_log_dsdb", - extra_args=['-U"$USERNAME%$PASSWORD"']) - planoldpythontestsuite("ad_dc", "samba.tests.group_audit", --- -2.37.3 - diff --git a/samba-4.18-netlogon.patch b/samba-4.18-netlogon.patch new file mode 100644 index 0000000..d3a361f --- /dev/null +++ b/samba-4.18-netlogon.patch @@ -0,0 +1,356 @@ +From e66efc77d8ecbe7cb42a7a8063b01906d7c49515 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Sat, 15 Jul 2023 17:20:32 +0200 +Subject: [PATCH 1/4] netlogon.idl: add support for netr_LogonGetCapabilities + response level 2 + +We don't have any documentation about this yet, but tests against +a Windows Server 2022 patched with KB5028166 revealed that +the response for query_level=2 is exactly the same as +for querey_level=1. + +Until we know the reason for query_level=2 we won't +use it as client nor support it in the server, but +we want ndrdump to work. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andrew Bartlett +(cherry picked from commit 5f87888ed53320538cf773d64868390d8641a40e) +--- + librpc/idl/netlogon.idl | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/librpc/idl/netlogon.idl b/librpc/idl/netlogon.idl +index e563e114900b..c77151af26b1 100644 +--- a/librpc/idl/netlogon.idl ++++ b/librpc/idl/netlogon.idl +@@ -1241,6 +1241,7 @@ interface netlogon + /* Function 0x15 */ + typedef [switch_type(uint32)] union { + [case(1)] netr_NegotiateFlags server_capabilities; ++ [case(2)] netr_NegotiateFlags server_capabilities; + } netr_Capabilities; + + NTSTATUS netr_LogonGetCapabilities( +-- +2.34.1 + + +From bfa6a3e1d816ddcb508e7e0075386a8bf030561d Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Sat, 15 Jul 2023 17:25:05 +0200 +Subject: [PATCH 2/4] s4:torture/rpc: let rpc.schannel also check + netr_LogonGetCapabilities with different levels + +The important change it that we expect DCERPC_NCA_S_FAULT_INVALID_TAG +for unsupported query_levels, we allow it to work with servers +with or without support for query_level=2. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andrew Bartlett +(cherry picked from commit 404ce08e9088968311c714e756f5d58ce2cef715) +--- + .../knownfail.d/netr_LogonGetCapabilities | 3 + + source4/torture/rpc/netlogon.c | 77 ++++++++++++++++++- + 2 files changed, 79 insertions(+), 1 deletion(-) + create mode 100644 selftest/knownfail.d/netr_LogonGetCapabilities + +diff --git a/selftest/knownfail.d/netr_LogonGetCapabilities b/selftest/knownfail.d/netr_LogonGetCapabilities +new file mode 100644 +index 000000000000..30aadf3bb9d5 +--- /dev/null ++++ b/selftest/knownfail.d/netr_LogonGetCapabilities +@@ -0,0 +1,3 @@ ++^samba3.rpc.schannel.*\.schannel\(nt4_dc ++^samba3.rpc.schannel.*\.schannel\(ad_dc ++^samba4.rpc.schannel.*\.schannel\(ad_dc +diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c +index 1f068eb78265..a3d190f13dd8 100644 +--- a/source4/torture/rpc/netlogon.c ++++ b/source4/torture/rpc/netlogon.c +@@ -2056,8 +2056,47 @@ bool test_netlogon_capabilities(struct dcerpc_pipe *p, struct torture_context *t + r.out.capabilities = &capabilities; + r.out.return_authenticator = &return_auth; + +- torture_comment(tctx, "Testing LogonGetCapabilities\n"); ++ torture_comment(tctx, "Testing LogonGetCapabilities with query_level=0\n"); + ++ r.in.query_level = 0; ++ ZERO_STRUCT(return_auth); ++ ++ /* ++ * we need to operate on a temporary copy of creds ++ * because dcerpc_netr_LogonGetCapabilities with ++ * an unknown query level returns DCERPC_NCA_S_FAULT_INVALID_TAG ++ * => NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE ++ * without looking a the authenticator. ++ */ ++ tmp_creds = *creds; ++ netlogon_creds_client_authenticator(&tmp_creds, &auth); ++ ++ status = dcerpc_netr_LogonGetCapabilities_r(b, tctx, &r); ++ torture_assert_ntstatus_equal(tctx, status, NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE, ++ "LogonGetCapabilities query_level=0 failed"); ++ ++ torture_comment(tctx, "Testing LogonGetCapabilities with query_level=3\n"); ++ ++ r.in.query_level = 3; ++ ZERO_STRUCT(return_auth); ++ ++ /* ++ * we need to operate on a temporary copy of creds ++ * because dcerpc_netr_LogonGetCapabilities with ++ * an unknown query level returns DCERPC_NCA_S_FAULT_INVALID_TAG ++ * => NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE ++ * without looking a the authenticator. ++ */ ++ tmp_creds = *creds; ++ netlogon_creds_client_authenticator(&tmp_creds, &auth); ++ ++ status = dcerpc_netr_LogonGetCapabilities_r(b, tctx, &r); ++ torture_assert_ntstatus_equal(tctx, status, NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE, ++ "LogonGetCapabilities query_level=0 failed"); ++ ++ torture_comment(tctx, "Testing LogonGetCapabilities with query_level=1\n"); ++ ++ r.in.query_level = 1; + ZERO_STRUCT(return_auth); + + /* +@@ -2077,6 +2116,42 @@ bool test_netlogon_capabilities(struct dcerpc_pipe *p, struct torture_context *t + + *creds = tmp_creds; + ++ torture_assert(tctx, netlogon_creds_client_check(creds, ++ &r.out.return_authenticator->cred), ++ "Credential chaining failed"); ++ ++ torture_assert_int_equal(tctx, creds->negotiate_flags, ++ capabilities.server_capabilities, ++ "negotiate flags"); ++ ++ torture_comment(tctx, "Testing LogonGetCapabilities with query_level=2\n"); ++ ++ r.in.query_level = 2; ++ ZERO_STRUCT(return_auth); ++ ++ /* ++ * we need to operate on a temporary copy of creds ++ * because dcerpc_netr_LogonGetCapabilities with ++ * an query level 2 may returns DCERPC_NCA_S_FAULT_INVALID_TAG ++ * => NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE ++ * without looking a the authenticator. ++ */ ++ tmp_creds = *creds; ++ netlogon_creds_client_authenticator(&tmp_creds, &auth); ++ ++ status = dcerpc_netr_LogonGetCapabilities_r(b, tctx, &r); ++ if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE)) { ++ /* ++ * an server without KB5028166 returns ++ * DCERPC_NCA_S_FAULT_INVALID_TAG => ++ * NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE ++ */ ++ return true; ++ } ++ torture_assert_ntstatus_ok(tctx, status, "LogonGetCapabilities query_level=2 failed"); ++ ++ *creds = tmp_creds; ++ + torture_assert(tctx, netlogon_creds_client_check(creds, + &r.out.return_authenticator->cred), + "Credential chaining failed"); +-- +2.34.1 + + +From 6f161300093b1b51fc9865155163cf7b3a42d802 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Sat, 15 Jul 2023 16:11:48 +0200 +Subject: [PATCH 3/4] s4:rpc_server:netlogon: generate FAULT_INVALID_TAG for + invalid netr_LogonGetCapabilities levels + +This is important as Windows clients with KB5028166 seem to +call netr_LogonGetCapabilities with query_level=2 after +a call with query_level=1. + +An unpatched Windows Server returns DCERPC_NCA_S_FAULT_INVALID_TAG +for query_level values other than 1. +While Samba tries to return NT_STATUS_NOT_SUPPORTED, but +later fails to marshall the response, which results +in DCERPC_FAULT_BAD_STUB_DATA instead. + +Because we don't have any documentation for level 2 yet, +we just try to behave like an unpatched server and +generate DCERPC_NCA_S_FAULT_INVALID_TAG instead of +DCERPC_FAULT_BAD_STUB_DATA. +Which allows patched Windows clients to keep working +against a Samba DC. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andrew Bartlett +(cherry picked from commit d5f1097b6220676d56ed5fc6707acf667b704518) +--- + .../knownfail.d/netr_LogonGetCapabilities | 2 -- + source4/rpc_server/netlogon/dcerpc_netlogon.c | 28 ++++++++++++++++--- + 2 files changed, 24 insertions(+), 6 deletions(-) + +diff --git a/selftest/knownfail.d/netr_LogonGetCapabilities b/selftest/knownfail.d/netr_LogonGetCapabilities +index 30aadf3bb9d5..99c7ac711ede 100644 +--- a/selftest/knownfail.d/netr_LogonGetCapabilities ++++ b/selftest/knownfail.d/netr_LogonGetCapabilities +@@ -1,3 +1 @@ + ^samba3.rpc.schannel.*\.schannel\(nt4_dc +-^samba3.rpc.schannel.*\.schannel\(ad_dc +-^samba4.rpc.schannel.*\.schannel\(ad_dc +diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c +index 314b469a718a..e203e04143d7 100644 +--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c ++++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c +@@ -2359,6 +2359,30 @@ static NTSTATUS dcesrv_netr_LogonGetCapabilities(struct dcesrv_call_state *dce_c + struct netlogon_creds_CredentialState *creds; + NTSTATUS status; + ++ switch (r->in.query_level) { ++ case 1: ++ break; ++ case 2: ++ /* ++ * Until we know the details behind KB5028166 ++ * just return DCERPC_NCA_S_FAULT_INVALID_TAG ++ * like an unpatched Windows Server. ++ */ ++ FALL_THROUGH; ++ default: ++ /* ++ * There would not be a way to marshall the ++ * the response. Which would mean our final ++ * ndr_push would fail an we would return ++ * an RPC-level fault with DCERPC_FAULT_BAD_STUB_DATA. ++ * ++ * But it's important to match a Windows server ++ * especially before KB5028166, see also our bug #15418 ++ * Otherwise Windows client would stop talking to us. ++ */ ++ DCESRV_FAULT(DCERPC_NCA_S_FAULT_INVALID_TAG); ++ } ++ + status = dcesrv_netr_creds_server_step_check(dce_call, + mem_ctx, + r->in.computer_name, +@@ -2370,10 +2394,6 @@ static NTSTATUS dcesrv_netr_LogonGetCapabilities(struct dcesrv_call_state *dce_c + } + NT_STATUS_NOT_OK_RETURN(status); + +- if (r->in.query_level != 1) { +- return NT_STATUS_NOT_SUPPORTED; +- } +- + r->out.capabilities->server_capabilities = creds->negotiate_flags; + + return NT_STATUS_OK; +-- +2.34.1 + + +From 4611b5bd5bb697a19a67f78624c498cbe952763b Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Sat, 15 Jul 2023 16:11:48 +0200 +Subject: [PATCH 4/4] s3:rpc_server:netlogon: generate FAULT_INVALID_TAG for + invalid netr_LogonGetCapabilities levels + +This is important as Windows clients with KB5028166 seem to +call netr_LogonGetCapabilities with query_level=2 after +a call with query_level=1. + +An unpatched Windows Server returns DCERPC_NCA_S_FAULT_INVALID_TAG +for query_level values other than 1. +While Samba tries to return NT_STATUS_NOT_SUPPORTED, but +later fails to marshall the response, which results +in DCERPC_FAULT_BAD_STUB_DATA instead. + +Because we don't have any documentation for level 2 yet, +we just try to behave like an unpatched server and +generate DCERPC_NCA_S_FAULT_INVALID_TAG instead of +DCERPC_FAULT_BAD_STUB_DATA. +Which allows patched Windows clients to keep working +against a Samba DC. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andrew Bartlett + +Autobuild-User(master): Stefan Metzmacher +Autobuild-Date(master): Mon Jul 17 07:35:09 UTC 2023 on atb-devel-224 + +(cherry picked from commit dfeabce44fbb78083fbbb2aa634fc4172cf83db9) +--- + .../knownfail.d/netr_LogonGetCapabilities | 1 - + source3/rpc_server/netlogon/srv_netlog_nt.c | 29 ++++++++++++++++--- + 2 files changed, 25 insertions(+), 5 deletions(-) + delete mode 100644 selftest/knownfail.d/netr_LogonGetCapabilities + +diff --git a/selftest/knownfail.d/netr_LogonGetCapabilities b/selftest/knownfail.d/netr_LogonGetCapabilities +deleted file mode 100644 +index 99c7ac711ede..000000000000 +--- a/selftest/knownfail.d/netr_LogonGetCapabilities ++++ /dev/null +@@ -1 +0,0 @@ +-^samba3.rpc.schannel.*\.schannel\(nt4_dc +diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c +index 72c50638c729..d19e2be650fb 100644 +--- a/source3/rpc_server/netlogon/srv_netlog_nt.c ++++ b/source3/rpc_server/netlogon/srv_netlog_nt.c +@@ -2284,6 +2284,31 @@ NTSTATUS _netr_LogonGetCapabilities(struct pipes_struct *p, + struct netlogon_creds_CredentialState *creds; + NTSTATUS status; + ++ switch (r->in.query_level) { ++ case 1: ++ break; ++ case 2: ++ /* ++ * Until we know the details behind KB5028166 ++ * just return DCERPC_NCA_S_FAULT_INVALID_TAG ++ * like an unpatched Windows Server. ++ */ ++ FALL_THROUGH; ++ default: ++ /* ++ * There would not be a way to marshall the ++ * the response. Which would mean our final ++ * ndr_push would fail an we would return ++ * an RPC-level fault with DCERPC_FAULT_BAD_STUB_DATA. ++ * ++ * But it's important to match a Windows server ++ * especially before KB5028166, see also our bug #15418 ++ * Otherwise Windows client would stop talking to us. ++ */ ++ p->fault_state = DCERPC_NCA_S_FAULT_INVALID_TAG; ++ return NT_STATUS_NOT_SUPPORTED; ++ } ++ + become_root(); + status = dcesrv_netr_creds_server_step_check(p->dce_call, + p->mem_ctx, +@@ -2296,10 +2321,6 @@ NTSTATUS _netr_LogonGetCapabilities(struct pipes_struct *p, + return status; + } + +- if (r->in.query_level != 1) { +- return NT_STATUS_NOT_SUPPORTED; +- } +- + r->out.capabilities->server_capabilities = creds->negotiate_flags; + + return NT_STATUS_OK; +-- +2.34.1 + diff --git a/samba-s4u.patch b/samba-s4u.patch deleted file mode 100644 index 5d3cb55..0000000 --- a/samba-s4u.patch +++ /dev/null @@ -1,642 +0,0 @@ -From 5d7ec9a00b6f4c6768c606d37d235415f2006445 Mon Sep 17 00:00:00 2001 -From: Isaac Boukris -Date: Fri, 27 Sep 2019 18:25:03 +0300 -Subject: [PATCH 1/3] mit-kdc: add basic loacl realm S4U support - -Signed-off-by: Isaac Boukris -Pair-Programmed-With: Andreas Schneider ---- - source4/kdc/mit-kdb/kdb_samba_policies.c | 124 +++++++++++------------ - source4/kdc/mit_samba.c | 47 ++------- - source4/kdc/mit_samba.h | 6 +- - 3 files changed, 71 insertions(+), 106 deletions(-) - -diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c -index 793fe366c35..22534c09974 100644 ---- a/source4/kdc/mit-kdb/kdb_samba_policies.c -+++ b/source4/kdc/mit-kdb/kdb_samba_policies.c -@@ -200,13 +200,17 @@ static krb5_error_code ks_verify_pac(krb5_context context, - krb5_keyblock *krbtgt_key, - krb5_timestamp authtime, - krb5_authdata **tgt_auth_data, -- krb5_pac *pac) -+ krb5_pac *out_pac) - { - struct mit_samba_context *mit_ctx; - krb5_authdata **authdata = NULL; -- krb5_pac ipac = NULL; -- DATA_BLOB logon_data = { NULL, 0 }; -+ krb5_keyblock *header_server_key = NULL; -+ krb5_key_data *impersonator_kd = NULL; -+ krb5_keyblock impersonator_key = {0}; - krb5_error_code code; -+ krb5_pac pac; -+ -+ *out_pac = NULL; - - mit_ctx = ks_get_context(context); - if (mit_ctx == NULL) { -@@ -238,41 +242,43 @@ static krb5_error_code ks_verify_pac(krb5_context context, - code = krb5_pac_parse(context, - authdata[0]->contents, - authdata[0]->length, -- &ipac); -+ &pac); - if (code != 0) { - goto done; - } - -- /* TODO: verify this is correct -- * -- * In the constrained delegation case, the PAC is from a service -- * ticket rather than a TGT; we must verify the server and KDC -- * signatures to assert that the server did not forge the PAC. -+ /* -+ * For constrained delegation in MIT version < 1.18 we aren't provided -+ * with the 2nd ticket server key to verify the PAC. -+ * We can workaround that by fetching the key from the client db entry, -+ * which is the impersonator account in that version. -+ * TODO: use the provided entry in the new 1.18 version. - */ - if (flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) { -- code = krb5_pac_verify(context, -- ipac, -- authtime, -- client_princ, -- server_key, -- krbtgt_key); -+ /* The impersonator must be local. */ -+ if (client == NULL) { -+ code = KRB5KDC_ERR_BADOPTION; -+ goto done; -+ } -+ /* Fetch and decrypt 2nd ticket server's current key. */ -+ code = krb5_dbe_find_enctype(context, client, -1, -1, 0, -+ &impersonator_kd); -+ if (code != 0) { -+ goto done; -+ } -+ code = krb5_dbe_decrypt_key_data(context, NULL, -+ impersonator_kd, -+ &impersonator_key, NULL); -+ if (code != 0) { -+ goto done; -+ } -+ header_server_key = &impersonator_key; - } else { -- code = krb5_pac_verify(context, -- ipac, -- authtime, -- client_princ, -- krbtgt_key, -- NULL); -- } -- if (code != 0) { -- goto done; -+ header_server_key = krbtgt_key; - } - -- /* check and update PAC */ -- code = krb5_pac_parse(context, -- authdata[0]->contents, -- authdata[0]->length, -- pac); -+ code = krb5_pac_verify(context, pac, authtime, client_princ, -+ header_server_key, NULL); - if (code != 0) { - goto done; - } -@@ -280,17 +286,22 @@ static krb5_error_code ks_verify_pac(krb5_context context, - code = mit_samba_reget_pac(mit_ctx, - context, - flags, -- client_princ, - client, - server, - krbtgt, - krbtgt_key, -- pac); -+ &pac); -+ if (code != 0) { -+ goto done; -+ } -+ -+ *out_pac = pac; -+ pac = NULL; - - done: -+ krb5_free_keyblock_contents(context, &impersonator_key); - krb5_free_authdata(context, authdata); -- krb5_pac_free(context, ipac); -- free(logon_data.data); -+ krb5_pac_free(context, pac); - - return code; - } -@@ -319,6 +330,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, - krb5_authdata **pac_auth_data = NULL; - krb5_authdata **authdata = NULL; - krb5_boolean is_as_req; -+ krb5_const_principal pac_client; - krb5_error_code code; - krb5_pac pac = NULL; - krb5_data pac_data; -@@ -330,11 +342,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, - krbtgt = krbtgt == NULL ? local_krbtgt : krbtgt; - krbtgt_key = krbtgt_key == NULL ? local_krbtgt_key : krbtgt_key; - -- /* FIXME: We don't support S4U yet */ -- if (flags & KRB5_KDB_FLAGS_S4U) { -- return KRB5_KDB_DBTYPE_NOSUP; -- } -- - is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0); - - /* -@@ -395,6 +402,16 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, - ks_client_princ = client->princ; - } - -+ /* In protocol transition, we are currently not provided with the tgt -+ * client name to verify the PAC, we could probably skip the name -+ * verification and just verify the signatures, but since we don't -+ * support cross-realm nor aliases, we can just use server->princ */ -+ if (flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION) { -+ pac_client = server->princ; -+ } else { -+ pac_client = ks_client_princ; -+ } -+ - if (client_entry == NULL) { - client_entry = client; - } -@@ -469,7 +486,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, - - code = ks_verify_pac(context, - flags, -- ks_client_princ, -+ pac_client, - client_entry, - server, - krbtgt, -@@ -515,7 +532,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, - is_as_req ? "AS-REQ" : "TGS-REQ", - client_name); - code = krb5_pac_sign(context, pac, authtime, ks_client_princ, -- server_key, krbtgt_key, &pac_data); -+ server_key, krbtgt_key, &pac_data); - if (code != 0) { - DBG_ERR("krb5_pac_sign failed: %d\n", code); - goto done; -@@ -541,12 +558,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, - KRB5_AUTHDATA_IF_RELEVANT, - authdata, - signed_auth_data); -- if (code != 0) { -- goto done; -- } -- -- code = 0; -- - done: - if (client_entry != NULL && client_entry != client) { - ks_free_principal(context, client_entry); -@@ -572,32 +583,13 @@ krb5_error_code kdb_samba_db_check_allowed_to_delegate(krb5_context context, - * server; -> delegating service - * proxy; -> target principal - */ -- krb5_db_entry *delegating_service = discard_const_p(krb5_db_entry, server); -- -- char *target_name = NULL; -- bool is_enterprise; -- krb5_error_code code; - - mit_ctx = ks_get_context(context); - if (mit_ctx == NULL) { - return KRB5_KDB_DBNOTINITED; - } - -- code = krb5_unparse_name(context, proxy, &target_name); -- if (code) { -- goto done; -- } -- -- is_enterprise = (proxy->type == KRB5_NT_ENTERPRISE_PRINCIPAL); -- -- code = mit_samba_check_s4u2proxy(mit_ctx, -- delegating_service, -- target_name, -- is_enterprise); -- --done: -- free(target_name); -- return code; -+ return mit_samba_check_s4u2proxy(mit_ctx, server, proxy); - } - - -diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c -index cb72b5de294..03c2c2ea1de 100644 ---- a/source4/kdc/mit_samba.c -+++ b/source4/kdc/mit_samba.c -@@ -517,7 +517,6 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx, - krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx, - krb5_context context, - int flags, -- krb5_const_principal client_principal, - krb5_db_entry *client, - krb5_db_entry *server, - krb5_db_entry *krbtgt, -@@ -689,7 +688,7 @@ krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx, - context, - *pac, - server->princ, -- discard_const(client_principal), -+ client->princ, - deleg_blob); - if (!NT_STATUS_IS_OK(nt_status)) { - DEBUG(0, ("Update delegation info failed: %s\n", -@@ -1081,41 +1080,17 @@ int mit_samba_check_client_access(struct mit_samba_context *ctx, - } - - int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx, -- krb5_db_entry *kentry, -- const char *target_name, -- bool is_nt_enterprise_name) -+ const krb5_db_entry *server, -+ krb5_const_principal target_principal) - { --#if 1 -- /* -- * This is disabled because mit_samba_update_pac_data() does not handle -- * S4U_DELEGATION_INFO -- */ -- -- return KRB5KDC_ERR_BADOPTION; --#else -- krb5_principal target_principal; -- int flags = 0; -- int ret; -- -- if (is_nt_enterprise_name) { -- flags = KRB5_PRINCIPAL_PARSE_ENTERPRISE; -- } -- -- ret = krb5_parse_name_flags(ctx->context, target_name, -- flags, &target_principal); -- if (ret) { -- return ret; -- } -- -- ret = samba_kdc_check_s4u2proxy(ctx->context, -- ctx->db_ctx, -- skdc_entry, -- target_principal); -- -- krb5_free_principal(ctx->context, target_principal); -- -- return ret; --#endif -+ struct samba_kdc_entry *server_skdc_entry = -+ talloc_get_type_abort(server->e_data, -+ struct samba_kdc_entry); -+ -+ return samba_kdc_check_s4u2proxy(ctx->context, -+ ctx->db_ctx, -+ server_skdc_entry, -+ target_principal); - } - - static krb5_error_code mit_samba_change_pwd_error(krb5_context context, -diff --git a/source4/kdc/mit_samba.h b/source4/kdc/mit_samba.h -index 4431e82a1b2..9370ab533af 100644 ---- a/source4/kdc/mit_samba.h -+++ b/source4/kdc/mit_samba.h -@@ -57,7 +57,6 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx, - krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx, - krb5_context context, - int flags, -- krb5_const_principal client_principal, - krb5_db_entry *client, - krb5_db_entry *server, - krb5_db_entry *krbtgt, -@@ -74,9 +73,8 @@ int mit_samba_check_client_access(struct mit_samba_context *ctx, - DATA_BLOB *e_data); - - int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx, -- krb5_db_entry *kentry, -- const char *target_name, -- bool is_nt_enterprise_name); -+ const krb5_db_entry *server, -+ krb5_const_principal target_principal); - - int mit_samba_kpasswd_change_password(struct mit_samba_context *ctx, - char *pwd, --- -2.37.1 - - -From 325912375cf54743ab8ea557172a72b870002e9f Mon Sep 17 00:00:00 2001 -From: Isaac Boukris -Date: Fri, 27 Sep 2019 18:35:30 +0300 -Subject: [PATCH 2/3] krb5-mit: enable S4U client support for MIT build - -Signed-off-by: Isaac Boukris -Pair-Programmed-With: Andreas Schneider ---- - lib/krb5_wrap/krb5_samba.c | 185 ++++++++++++++++++++++++++ - lib/krb5_wrap/krb5_samba.h | 2 - - source4/auth/kerberos/kerberos_util.c | 11 -- - 3 files changed, 185 insertions(+), 13 deletions(-) - -diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c -index 4321f07ca09..3fd95e47fca 100644 ---- a/lib/krb5_wrap/krb5_samba.c -+++ b/lib/krb5_wrap/krb5_samba.c -@@ -2702,6 +2702,191 @@ krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx, - - return 0; - } -+ -+#else /* MIT */ -+ -+static bool princ_compare_no_dollar(krb5_context ctx, -+ krb5_principal a, -+ krb5_principal b) -+{ -+ bool cmp; -+ krb5_principal mod = NULL; -+ -+ if (a->length == 1 && b->length == 1 && -+ a->data[0].length != 0 && b->data[0].length != 0 && -+ a->data[0].data[a->data[0].length -1] != -+ b->data[0].data[b->data[0].length -1]) { -+ if (a->data[0].data[a->data[0].length -1] == '$') { -+ mod = a; -+ mod->data[0].length--; -+ } else if (b->data[0].data[b->data[0].length -1] == '$') { -+ mod = b; -+ mod->data[0].length--; -+ } -+ } -+ -+ cmp = krb5_principal_compare_flags(ctx, a, b, -+ KRB5_PRINCIPAL_COMPARE_CASEFOLD); -+ -+ if (mod != NULL) { -+ mod->data[0].length++; -+ } -+ -+ return cmp; -+} -+ -+krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx, -+ krb5_ccache store_cc, -+ krb5_principal init_principal, -+ const char *init_password, -+ krb5_principal impersonate_principal, -+ const char *self_service, -+ const char *target_service, -+ krb5_get_init_creds_opt *krb_options, -+ time_t *expire_time, -+ time_t *kdc_time) -+{ -+ krb5_error_code code; -+ krb5_principal self_princ = NULL; -+ krb5_principal target_princ = NULL; -+ krb5_creds *store_creds; -+ krb5_creds *s4u2self_creds = NULL; -+ krb5_creds *s4u2proxy_creds = NULL; -+ krb5_creds init_creds = {0}; -+ krb5_creds mcreds = {0}; -+ krb5_flags options = KRB5_GC_NO_STORE; -+ krb5_ccache tmp_cc; -+ bool s4u2proxy; -+ -+ code = krb5_cc_new_unique(ctx, "MEMORY", NULL, &tmp_cc); -+ if (code != 0) { -+ return code; -+ } -+ -+ code = krb5_get_init_creds_password(ctx, &init_creds, -+ init_principal, -+ init_password, -+ NULL, NULL, -+ 0, -+ NULL, -+ krb_options); -+ if (code != 0) { -+ goto done; -+ } -+ -+ code = krb5_cc_initialize(ctx, tmp_cc, init_creds.client); -+ if (code != 0) { -+ goto done; -+ } -+ -+ code = krb5_cc_store_cred(ctx, tmp_cc, &init_creds); -+ if (code != 0) { -+ goto done; -+ } -+ -+ /* -+ * Check if we also need S4U2Proxy or if S4U2Self is -+ * enough in order to get a ticket for the target. -+ */ -+ if (target_service == NULL) { -+ s4u2proxy = false; -+ } else if (strcmp(target_service, self_service) == 0) { -+ s4u2proxy = false; -+ } else { -+ s4u2proxy = true; -+ } -+ -+ code = krb5_parse_name(ctx, self_service, &self_princ); -+ if (code != 0) { -+ goto done; -+ } -+ -+ /* MIT lacks aliases support in S4U, for S4U2Self we require the tgt -+ * client and the request server to be the same principal name. */ -+ if (!princ_compare_no_dollar(ctx, init_creds.client, self_princ)) { -+ code = KRB5KDC_ERR_PADATA_TYPE_NOSUPP; -+ goto done; -+ } -+ -+ mcreds.client = impersonate_principal; -+ mcreds.server = init_creds.client; -+ -+ code = krb5_get_credentials_for_user(ctx, options, tmp_cc, &mcreds, -+ NULL, &s4u2self_creds); -+ if (code != 0) { -+ goto done; -+ } -+ -+ if (s4u2proxy) { -+ code = krb5_parse_name(ctx, target_service, &target_princ); -+ if (code != 0) { -+ goto done; -+ } -+ -+ mcreds.client = init_creds.client; -+ mcreds.server = target_princ; -+ mcreds.second_ticket = s4u2self_creds->ticket; -+ -+ code = krb5_get_credentials(ctx, options | -+ KRB5_GC_CONSTRAINED_DELEGATION, -+ tmp_cc, &mcreds, &s4u2proxy_creds); -+ if (code != 0) { -+ goto done; -+ } -+ -+ /* Check KDC support of S4U2Proxy extension */ -+ if (!krb5_principal_compare(ctx, s4u2self_creds->client, -+ s4u2proxy_creds->client)) { -+ code = KRB5KDC_ERR_PADATA_TYPE_NOSUPP; -+ goto done; -+ } -+ -+ store_creds = s4u2proxy_creds; -+ } else { -+ store_creds = s4u2self_creds;; -+ -+ /* We need to save the ticket with the requested server name -+ * or the caller won't be able to find it in cache. */ -+ if (!krb5_principal_compare(ctx, self_princ, -+ store_creds->server)) { -+ krb5_free_principal(ctx, store_creds->server); -+ store_creds->server = NULL; -+ code = krb5_copy_principal(ctx, self_princ, -+ &store_creds->server); -+ if (code != 0) { -+ goto done; -+ } -+ } -+ } -+ -+ code = krb5_cc_initialize(ctx, store_cc, store_creds->client); -+ if (code != 0) { -+ goto done; -+ } -+ -+ code = krb5_cc_store_cred(ctx, store_cc, store_creds); -+ if (code != 0) { -+ goto done; -+ } -+ -+ if (expire_time) { -+ *expire_time = (time_t) store_creds->times.endtime; -+ } -+ -+ if (kdc_time) { -+ *kdc_time = (time_t) store_creds->times.starttime; -+ } -+ -+done: -+ krb5_cc_destroy(ctx, tmp_cc); -+ krb5_free_cred_contents(ctx, &init_creds); -+ krb5_free_creds(ctx, s4u2self_creds); -+ krb5_free_creds(ctx, s4u2proxy_creds); -+ krb5_free_principal(ctx, self_princ); -+ krb5_free_principal(ctx, target_princ); -+ -+ return code; -+} - #endif - - #if !defined(HAVE_KRB5_MAKE_PRINCIPAL) && defined(HAVE_KRB5_BUILD_PRINCIPAL_ALLOC_VA) -diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h -index a66b7465530..c8573f52bd9 100644 ---- a/lib/krb5_wrap/krb5_samba.h -+++ b/lib/krb5_wrap/krb5_samba.h -@@ -252,7 +252,6 @@ krb5_error_code smb_krb5_kinit_password_ccache(krb5_context ctx, - krb5_get_init_creds_opt *krb_options, - time_t *expire_time, - time_t *kdc_time); --#ifdef SAMBA4_USES_HEIMDAL - krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx, - krb5_ccache store_cc, - krb5_principal init_principal, -@@ -263,7 +262,6 @@ krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx, - krb5_get_init_creds_opt *krb_options, - time_t *expire_time, - time_t *kdc_time); --#endif - - #if defined(HAVE_KRB5_MAKE_PRINCIPAL) - #define smb_krb5_make_principal krb5_make_principal -diff --git a/source4/auth/kerberos/kerberos_util.c b/source4/auth/kerberos/kerberos_util.c -index 544d9d853cc..c14d8c72d8c 100644 ---- a/source4/auth/kerberos/kerberos_util.c -+++ b/source4/auth/kerberos/kerberos_util.c -@@ -234,9 +234,7 @@ done: - { - krb5_error_code ret; - const char *password; --#ifdef SAMBA4_USES_HEIMDAL - const char *self_service; --#endif - const char *target_service; - time_t kdc_time = 0; - krb5_principal princ; -@@ -268,9 +266,7 @@ done: - return ret; - } - --#ifdef SAMBA4_USES_HEIMDAL - self_service = cli_credentials_get_self_service(credentials); --#endif - target_service = cli_credentials_get_target_service(credentials); - - password = cli_credentials_get_password(credentials); -@@ -331,7 +327,6 @@ done: - #endif - if (password) { - if (impersonate_principal) { --#ifdef SAMBA4_USES_HEIMDAL - ret = smb_krb5_kinit_s4u2_ccache(smb_krb5_context->krb5_context, - ccache, - princ, -@@ -342,12 +337,6 @@ done: - krb_options, - NULL, - &kdc_time); --#else -- talloc_free(mem_ctx); -- (*error_string) = "INTERNAL error: s4u2 ops " -- "are not supported with MIT build yet"; -- return EINVAL; --#endif - } else { - ret = smb_krb5_kinit_password_ccache(smb_krb5_context->krb5_context, - ccache, --- -2.37.1 - - -From a5713b1558192f24348f7794da84bf65cf78e6ec Mon Sep 17 00:00:00 2001 -From: Isaac Boukris -Date: Sat, 19 Sep 2020 14:16:20 +0200 -Subject: [PATCH 3/3] wip: for canonicalization with new MIT kdc code - ---- - source4/kdc/mit_samba.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c -index 03c2c2ea1de..30fade56531 100644 ---- a/source4/kdc/mit_samba.c -+++ b/source4/kdc/mit_samba.c -@@ -232,6 +232,9 @@ int mit_samba_get_principal(struct mit_samba_context *ctx, - if (kflags & KRB5_KDB_FLAG_CANONICALIZE) { - sflags |= SDB_F_CANON; - } -+#if KRB5_KDB_API_VERSION >= 10 -+ sflags |= SDB_F_FORCE_CANON; -+#endif - if (kflags & (KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY | - KRB5_KDB_FLAG_INCLUDE_PAC)) { - /* --- -2.37.1 - diff --git a/samba.spec b/samba.spec index fe063b9..2a448f5 100644 --- a/samba.spec +++ b/samba.spec @@ -138,7 +138,7 @@ %define samba_requires_eq() %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not") %global samba_version 4.18.4 -%global baserelease 101 +%global baserelease 102 # This should be rc1 or %%nil %global pre_release %nil @@ -234,6 +234,8 @@ Source17: samba-usershares-systemd-sysusers.conf Source201: README.downgrade Source202: samba.abignore +Patch0: samba-4.18-netlogon.patch + Requires(pre): /usr/sbin/groupadd Requires(pre): %{name}-common = %{samba_depver} @@ -4328,6 +4330,9 @@ fi %endif %changelog +* Mon Jul 17 2023 Pavel Filipenský - 4.18.4-102 +- resolves: rhbz#2222883 - Fix trust relationship between workstation and DC + * Mon Jul 10 2023 Pavel Filipenský - 4.18.4-101 - resolves: rhbz#2216712 - Fix broken symlink for libwbclient - resolves: rhbz#2214327 - Fix segfault of winbind child when listing users with `winbind scan trusted domains = yes`