Fix trust relationship between workstation and DC
resolves: rhbz#2222883
This commit is contained in:
parent
05d787ca22
commit
81bef6480f
@ -1,77 +0,0 @@
|
|||||||
From 41d3efebcf6abab9119f9b0f97c86c1c48739fee Mon Sep 17 00:00:00 2001
|
|
||||||
From: Andreas Schneider <asn@samba.org>
|
|
||||||
Date: Mon, 4 Apr 2022 11:24:04 +0200
|
|
||||||
Subject: [PATCH 1/2] waf: Check for GnuTLS earlier
|
|
||||||
|
|
||||||
As GnuTLS is an essential part we need to check for it early so we can react on
|
|
||||||
GnuTLS features in other wscripts.
|
|
||||||
|
|
||||||
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
||||||
---
|
|
||||||
wscript | 4 ++--
|
|
||||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/wscript b/wscript
|
|
||||||
index d8220b35095..5b85d9a1682 100644
|
|
||||||
--- a/wscript
|
|
||||||
+++ b/wscript
|
|
||||||
@@ -189,6 +189,8 @@ def configure(conf):
|
|
||||||
conf.RECURSE('dynconfig')
|
|
||||||
conf.RECURSE('selftest')
|
|
||||||
|
|
||||||
+ conf.PROCESS_SEPARATE_RULE('system_gnutls')
|
|
||||||
+
|
|
||||||
conf.CHECK_CFG(package='zlib', minversion='1.2.3',
|
|
||||||
args='--cflags --libs',
|
|
||||||
mandatory=True)
|
|
||||||
@@ -297,8 +299,6 @@ def configure(conf):
|
|
||||||
if not conf.CONFIG_GET('KRB5_VENDOR'):
|
|
||||||
conf.PROCESS_SEPARATE_RULE('embedded_heimdal')
|
|
||||||
|
|
||||||
- conf.PROCESS_SEPARATE_RULE('system_gnutls')
|
|
||||||
-
|
|
||||||
conf.RECURSE('source4/dsdb/samdb/ldb_modules')
|
|
||||||
conf.RECURSE('source4/ntvfs/sysdep')
|
|
||||||
conf.RECURSE('lib/util')
|
|
||||||
--
|
|
||||||
2.35.1
|
|
||||||
|
|
||||||
|
|
||||||
From 63701a28116afc1550c23cb5f7b9d6e366fd1270 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Andreas Schneider <asn@samba.org>
|
|
||||||
Date: Mon, 4 Apr 2022 11:25:31 +0200
|
|
||||||
Subject: [PATCH 2/2] third_party:waf: Do not recurse in aesni-intel if GnuTLS
|
|
||||||
provides the cipher
|
|
||||||
|
|
||||||
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
||||||
---
|
|
||||||
third_party/wscript | 6 ++++--
|
|
||||||
1 file changed, 4 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/third_party/wscript b/third_party/wscript
|
|
||||||
index 1f4bc1ce1d7..a17c15bcaa7 100644
|
|
||||||
--- a/third_party/wscript
|
|
||||||
+++ b/third_party/wscript
|
|
||||||
@@ -5,7 +5,8 @@ from waflib import Options
|
|
||||||
def configure(conf):
|
|
||||||
conf.RECURSE('cmocka')
|
|
||||||
conf.RECURSE('popt')
|
|
||||||
- conf.RECURSE('aesni-intel')
|
|
||||||
+ if not conf.CONFIG_SET('HAVE_GNUTLS_AES_CMAC'):
|
|
||||||
+ conf.RECURSE('aesni-intel')
|
|
||||||
if conf.CONFIG_GET('ENABLE_SELFTEST'):
|
|
||||||
conf.RECURSE('socket_wrapper')
|
|
||||||
conf.RECURSE('nss_wrapper')
|
|
||||||
@@ -18,7 +19,8 @@ def configure(conf):
|
|
||||||
def build(bld):
|
|
||||||
bld.RECURSE('cmocka')
|
|
||||||
bld.RECURSE('popt')
|
|
||||||
- bld.RECURSE('aesni-intel')
|
|
||||||
+ if not bld.CONFIG_SET('HAVE_GNUTLS_AES_CMAC'):
|
|
||||||
+ bld.RECURSE('aesni-intel')
|
|
||||||
if bld.CONFIG_GET('SOCKET_WRAPPER'):
|
|
||||||
bld.RECURSE('socket_wrapper')
|
|
||||||
if bld.CONFIG_GET('NSS_WRAPPER'):
|
|
||||||
--
|
|
||||||
2.35.1
|
|
||||||
|
|
@ -1,540 +0,0 @@
|
|||||||
From a3e3d05f35d6082ea48450060b39084e3d0e4056 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Andreas Schneider <asn@samba.org>
|
|
||||||
Date: Mon, 10 Oct 2022 15:15:20 +0200
|
|
||||||
Subject: [PATCH 1/5] s3:librpc: Improve GSE error message
|
|
||||||
|
|
||||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15206
|
|
||||||
|
|
||||||
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
||||||
Reviewed-by: Noel Power <noel.power@suse.com>
|
|
||||||
---
|
|
||||||
source3/librpc/crypto/gse.c | 21 +++++++++++++++++++--
|
|
||||||
1 file changed, 19 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
|
|
||||||
index c50a8a036df..c2cac7abf82 100644
|
|
||||||
--- a/source3/librpc/crypto/gse.c
|
|
||||||
+++ b/source3/librpc/crypto/gse.c
|
|
||||||
@@ -546,11 +546,28 @@ init_sec_context_done:
|
|
||||||
goto done;
|
|
||||||
case GSS_S_FAILURE:
|
|
||||||
switch (gss_min) {
|
|
||||||
- case (OM_uint32)KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:
|
|
||||||
- DBG_NOTICE("Server principal not found\n");
|
|
||||||
+ case (OM_uint32)KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN: {
|
|
||||||
+ gss_buffer_desc name_token = {
|
|
||||||
+ .length = 0,
|
|
||||||
+ };
|
|
||||||
+
|
|
||||||
+ gss_maj = gss_display_name(&gss_min,
|
|
||||||
+ gse_ctx->server_name,
|
|
||||||
+ &name_token,
|
|
||||||
+ NULL);
|
|
||||||
+ if (gss_maj == GSS_S_COMPLETE) {
|
|
||||||
+ DBG_NOTICE("Server principal %.*s not found\n",
|
|
||||||
+ (int)name_token.length,
|
|
||||||
+ (char *)name_token.value);
|
|
||||||
+ gss_release_buffer(&gss_maj, &name_token);
|
|
||||||
+ } else {
|
|
||||||
+ DBG_NOTICE("Server principal not found\n");
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
/* Make SPNEGO ignore us, we can't go any further here */
|
|
||||||
status = NT_STATUS_INVALID_PARAMETER;
|
|
||||||
goto done;
|
|
||||||
+ }
|
|
||||||
case (OM_uint32)KRB5KRB_AP_ERR_TKT_EXPIRED:
|
|
||||||
DBG_NOTICE("Ticket expired\n");
|
|
||||||
/* Make SPNEGO ignore us, we can't go any further here */
|
|
||||||
--
|
|
||||||
2.37.3
|
|
||||||
|
|
||||||
|
|
||||||
From d2e2e9acd717e45806f1b19378e09f39c8fe3da8 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Andreas Schneider <asn@samba.org>
|
|
||||||
Date: Fri, 7 Oct 2022 14:35:15 +0200
|
|
||||||
Subject: [PATCH 2/5] s3:rpcclient: Pass salt down to
|
|
||||||
init_samr_CryptPasswordAES()
|
|
||||||
|
|
||||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15206
|
|
||||||
|
|
||||||
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
||||||
Reviewed-by: Noel Power <noel.power@suse.com>
|
|
||||||
---
|
|
||||||
source3/rpc_client/init_samr.c | 15 ++++-----------
|
|
||||||
source3/rpc_client/init_samr.h | 1 +
|
|
||||||
source3/rpcclient/cmd_samr.c | 8 ++++++++
|
|
||||||
source4/libnet/libnet_passwd.c | 13 +++++++------
|
|
||||||
source4/torture/rpc/samr.c | 27 +++++++++++++++++++++++++++
|
|
||||||
5 files changed, 47 insertions(+), 17 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/source3/rpc_client/init_samr.c b/source3/rpc_client/init_samr.c
|
|
||||||
index 68f42b602b3..52fa2f90d6e 100644
|
|
||||||
--- a/source3/rpc_client/init_samr.c
|
|
||||||
+++ b/source3/rpc_client/init_samr.c
|
|
||||||
@@ -79,6 +79,7 @@ NTSTATUS init_samr_CryptPassword(const char *pwd,
|
|
||||||
|
|
||||||
NTSTATUS init_samr_CryptPasswordAES(TALLOC_CTX *mem_ctx,
|
|
||||||
const char *password,
|
|
||||||
+ DATA_BLOB *salt,
|
|
||||||
DATA_BLOB *session_key,
|
|
||||||
struct samr_EncryptedPasswordAES *ppwd_buf)
|
|
||||||
{
|
|
||||||
@@ -87,12 +88,6 @@ NTSTATUS init_samr_CryptPasswordAES(TALLOC_CTX *mem_ctx,
|
|
||||||
.data = pw_data,
|
|
||||||
.length = sizeof(pw_data),
|
|
||||||
};
|
|
||||||
- size_t iv_size = gnutls_cipher_get_iv_size(GNUTLS_CIPHER_AES_256_CBC);
|
|
||||||
- uint8_t iv_data[iv_size];
|
|
||||||
- DATA_BLOB iv = {
|
|
||||||
- .data = iv_data,
|
|
||||||
- .length = iv_size,
|
|
||||||
- };
|
|
||||||
DATA_BLOB ciphertext = data_blob_null;
|
|
||||||
NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
|
|
||||||
bool ok;
|
|
||||||
@@ -101,8 +96,6 @@ NTSTATUS init_samr_CryptPasswordAES(TALLOC_CTX *mem_ctx,
|
|
||||||
return NT_STATUS_INVALID_PARAMETER;
|
|
||||||
}
|
|
||||||
|
|
||||||
- generate_nonce_buffer(iv.data, iv.length);
|
|
||||||
-
|
|
||||||
ok = encode_pwd_buffer514_from_str(pw_data, password, STR_UNICODE);
|
|
||||||
if (!ok) {
|
|
||||||
return NT_STATUS_INTERNAL_ERROR;
|
|
||||||
@@ -114,7 +107,7 @@ NTSTATUS init_samr_CryptPasswordAES(TALLOC_CTX *mem_ctx,
|
|
||||||
session_key,
|
|
||||||
&samr_aes256_enc_key_salt,
|
|
||||||
&samr_aes256_mac_key_salt,
|
|
||||||
- &iv,
|
|
||||||
+ salt,
|
|
||||||
&ciphertext,
|
|
||||||
ppwd_buf->auth_data);
|
|
||||||
BURN_DATA(pw_data);
|
|
||||||
@@ -126,8 +119,8 @@ NTSTATUS init_samr_CryptPasswordAES(TALLOC_CTX *mem_ctx,
|
|
||||||
ppwd_buf->cipher = ciphertext.data;
|
|
||||||
ppwd_buf->PBKDF2Iterations = 0;
|
|
||||||
|
|
||||||
- SMB_ASSERT(iv.length == sizeof(ppwd_buf->salt));
|
|
||||||
- memcpy(ppwd_buf->salt, iv.data, iv.length);
|
|
||||||
+ SMB_ASSERT(salt->length == sizeof(ppwd_buf->salt));
|
|
||||||
+ memcpy(ppwd_buf->salt, salt->data, salt->length);
|
|
||||||
|
|
||||||
return NT_STATUS_OK;
|
|
||||||
}
|
|
||||||
diff --git a/source3/rpc_client/init_samr.h b/source3/rpc_client/init_samr.h
|
|
||||||
index 940534e7168..71b4c0e573d 100644
|
|
||||||
--- a/source3/rpc_client/init_samr.h
|
|
||||||
+++ b/source3/rpc_client/init_samr.h
|
|
||||||
@@ -47,6 +47,7 @@ NTSTATUS init_samr_CryptPassword(const char *pwd,
|
|
||||||
*/
|
|
||||||
NTSTATUS init_samr_CryptPasswordAES(TALLOC_CTX *mem_ctx,
|
|
||||||
const char *password,
|
|
||||||
+ DATA_BLOB *salt,
|
|
||||||
DATA_BLOB *session_key,
|
|
||||||
struct samr_EncryptedPasswordAES *ppwd_buf);
|
|
||||||
|
|
||||||
diff --git a/source3/rpcclient/cmd_samr.c b/source3/rpcclient/cmd_samr.c
|
|
||||||
index 9ccd2f78a8d..8106ca90cf2 100644
|
|
||||||
--- a/source3/rpcclient/cmd_samr.c
|
|
||||||
+++ b/source3/rpcclient/cmd_samr.c
|
|
||||||
@@ -3172,6 +3172,11 @@ static NTSTATUS cmd_samr_setuserinfo_int(struct rpc_pipe_client *cli,
|
|
||||||
uint8_t nt_hash[16];
|
|
||||||
uint8_t lm_hash[16];
|
|
||||||
DATA_BLOB session_key;
|
|
||||||
+ uint8_t salt_data[16];
|
|
||||||
+ DATA_BLOB salt = {
|
|
||||||
+ .data = salt_data,
|
|
||||||
+ .length = sizeof(salt_data),
|
|
||||||
+ };
|
|
||||||
uint8_t password_expired = 0;
|
|
||||||
struct dcerpc_binding_handle *b = cli->binding_handle;
|
|
||||||
TALLOC_CTX *frame = NULL;
|
|
||||||
@@ -3198,6 +3203,8 @@ static NTSTATUS cmd_samr_setuserinfo_int(struct rpc_pipe_client *cli,
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ generate_nonce_buffer(salt.data, salt.length);
|
|
||||||
+
|
|
||||||
switch(level) {
|
|
||||||
case 18:
|
|
||||||
case 21:
|
|
||||||
@@ -3220,6 +3227,7 @@ static NTSTATUS cmd_samr_setuserinfo_int(struct rpc_pipe_client *cli,
|
|
||||||
case 31:
|
|
||||||
status = init_samr_CryptPasswordAES(frame,
|
|
||||||
param,
|
|
||||||
+ &salt,
|
|
||||||
&session_key,
|
|
||||||
&pwd_buf_aes);
|
|
||||||
if (!NT_STATUS_IS_OK(status)) {
|
|
||||||
diff --git a/source4/libnet/libnet_passwd.c b/source4/libnet/libnet_passwd.c
|
|
||||||
index 4f662110e55..a1672104824 100644
|
|
||||||
--- a/source4/libnet/libnet_passwd.c
|
|
||||||
+++ b/source4/libnet/libnet_passwd.c
|
|
||||||
@@ -57,13 +57,13 @@ static NTSTATUS libnet_ChangePassword_samr_aes(TALLOC_CTX *mem_ctx,
|
|
||||||
struct samr_EncryptedPasswordAES pwd_buf = {
|
|
||||||
.cipher_len = 0
|
|
||||||
};
|
|
||||||
- DATA_BLOB iv = {
|
|
||||||
+ DATA_BLOB salt = {
|
|
||||||
.data = pwd_buf.salt,
|
|
||||||
.length = sizeof(pwd_buf.salt),
|
|
||||||
};
|
|
||||||
- gnutls_datum_t iv_datum = {
|
|
||||||
- .data = iv.data,
|
|
||||||
- .size = iv.length,
|
|
||||||
+ gnutls_datum_t salt_datum = {
|
|
||||||
+ .data = pwd_buf.salt,
|
|
||||||
+ .size = sizeof(pwd_buf.salt),
|
|
||||||
};
|
|
||||||
uint64_t pbkdf2_iterations = generate_random_u64_range(5000, 1000000);
|
|
||||||
NTSTATUS status;
|
|
||||||
@@ -71,11 +71,11 @@ static NTSTATUS libnet_ChangePassword_samr_aes(TALLOC_CTX *mem_ctx,
|
|
||||||
|
|
||||||
E_md4hash(old_password, old_nt_key_data);
|
|
||||||
|
|
||||||
- generate_nonce_buffer(iv.data, iv.length);
|
|
||||||
+ generate_nonce_buffer(salt.data, salt.length);
|
|
||||||
|
|
||||||
rc = gnutls_pbkdf2(GNUTLS_MAC_SHA512,
|
|
||||||
&old_nt_key,
|
|
||||||
- &iv_datum,
|
|
||||||
+ &salt_datum,
|
|
||||||
pbkdf2_iterations,
|
|
||||||
cek.data,
|
|
||||||
cek.length);
|
|
||||||
@@ -86,6 +86,7 @@ static NTSTATUS libnet_ChangePassword_samr_aes(TALLOC_CTX *mem_ctx,
|
|
||||||
|
|
||||||
status = init_samr_CryptPasswordAES(mem_ctx,
|
|
||||||
new_password,
|
|
||||||
+ &salt,
|
|
||||||
&cek,
|
|
||||||
&pwd_buf);
|
|
||||||
data_blob_clear(&cek);
|
|
||||||
diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c
|
|
||||||
index de354659067..0b1880efa18 100644
|
|
||||||
--- a/source4/torture/rpc/samr.c
|
|
||||||
+++ b/source4/torture/rpc/samr.c
|
|
||||||
@@ -783,6 +783,11 @@ static bool test_SetUserPass_32(struct dcerpc_pipe *p, struct torture_context *t
|
|
||||||
struct samr_SetUserInfo s;
|
|
||||||
union samr_UserInfo u;
|
|
||||||
DATA_BLOB session_key;
|
|
||||||
+ uint8_t salt_data[16];
|
|
||||||
+ DATA_BLOB salt = {
|
|
||||||
+ .data = salt_data,
|
|
||||||
+ .length = sizeof(salt_data),
|
|
||||||
+ };
|
|
||||||
char *newpass = NULL;
|
|
||||||
struct dcerpc_binding_handle *b = p->binding_handle;
|
|
||||||
struct samr_GetUserPwInfo pwp;
|
|
||||||
@@ -818,8 +823,11 @@ static bool test_SetUserPass_32(struct dcerpc_pipe *p, struct torture_context *t
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ generate_nonce_buffer(salt.data, salt.length);
|
|
||||||
+
|
|
||||||
status = init_samr_CryptPasswordAES(tctx,
|
|
||||||
newpass,
|
|
||||||
+ &salt,
|
|
||||||
&session_key,
|
|
||||||
&u.info32.password);
|
|
||||||
torture_assert_ntstatus_ok(tctx,
|
|
||||||
@@ -852,6 +860,7 @@ static bool test_SetUserPass_32(struct dcerpc_pipe *p, struct torture_context *t
|
|
||||||
|
|
||||||
status = init_samr_CryptPasswordAES(tctx,
|
|
||||||
newpass,
|
|
||||||
+ &salt,
|
|
||||||
&session_key,
|
|
||||||
&u.info32.password);
|
|
||||||
torture_assert_ntstatus_ok(tctx,
|
|
||||||
@@ -896,6 +905,11 @@ static bool test_SetUserPass_31(struct dcerpc_pipe *p, struct torture_context *t
|
|
||||||
union samr_UserInfo u;
|
|
||||||
bool ret = true;
|
|
||||||
DATA_BLOB session_key;
|
|
||||||
+ uint8_t salt_data[16];
|
|
||||||
+ DATA_BLOB salt = {
|
|
||||||
+ .data = salt_data,
|
|
||||||
+ .length = sizeof(salt_data),
|
|
||||||
+ };
|
|
||||||
char *newpass;
|
|
||||||
struct dcerpc_binding_handle *b = p->binding_handle;
|
|
||||||
struct samr_GetUserPwInfo pwp;
|
|
||||||
@@ -931,8 +945,11 @@ static bool test_SetUserPass_31(struct dcerpc_pipe *p, struct torture_context *t
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ generate_nonce_buffer(salt.data, salt.length);
|
|
||||||
+
|
|
||||||
status = init_samr_CryptPasswordAES(tctx,
|
|
||||||
newpass,
|
|
||||||
+ &salt,
|
|
||||||
&session_key,
|
|
||||||
&u.info31.password);
|
|
||||||
torture_assert_ntstatus_ok(tctx,
|
|
||||||
@@ -959,6 +976,7 @@ static bool test_SetUserPass_31(struct dcerpc_pipe *p, struct torture_context *t
|
|
||||||
|
|
||||||
status = init_samr_CryptPasswordAES(tctx,
|
|
||||||
newpass,
|
|
||||||
+ &salt,
|
|
||||||
&session_key,
|
|
||||||
&u.info31.password);
|
|
||||||
torture_assert_ntstatus_ok(tctx,
|
|
||||||
@@ -1381,6 +1399,11 @@ static bool test_SetUserPass_level_ex(struct dcerpc_pipe *p,
|
|
||||||
union samr_UserInfo u;
|
|
||||||
bool ret = true;
|
|
||||||
DATA_BLOB session_key;
|
|
||||||
+ uint8_t salt_data[16];
|
|
||||||
+ DATA_BLOB salt = {
|
|
||||||
+ .data = salt_data,
|
|
||||||
+ .length = sizeof(salt_data),
|
|
||||||
+ };
|
|
||||||
char *newpass;
|
|
||||||
struct dcerpc_binding_handle *b = p->binding_handle;
|
|
||||||
struct samr_GetUserPwInfo pwp;
|
|
||||||
@@ -1490,6 +1513,8 @@ static bool test_SetUserPass_level_ex(struct dcerpc_pipe *p,
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ generate_nonce_buffer(salt.data, salt.length);
|
|
||||||
+
|
|
||||||
switch (level) {
|
|
||||||
case 18:
|
|
||||||
{
|
|
||||||
@@ -1561,6 +1586,7 @@ static bool test_SetUserPass_level_ex(struct dcerpc_pipe *p,
|
|
||||||
case 31:
|
|
||||||
status = init_samr_CryptPasswordAES(tctx,
|
|
||||||
newpass,
|
|
||||||
+ &salt,
|
|
||||||
&session_key,
|
|
||||||
&u.info31.password);
|
|
||||||
|
|
||||||
@@ -1568,6 +1594,7 @@ static bool test_SetUserPass_level_ex(struct dcerpc_pipe *p,
|
|
||||||
case 32:
|
|
||||||
status = init_samr_CryptPasswordAES(tctx,
|
|
||||||
newpass,
|
|
||||||
+ &salt,
|
|
||||||
&session_key,
|
|
||||||
&u.info32.password);
|
|
||||||
|
|
||||||
--
|
|
||||||
2.37.3
|
|
||||||
|
|
||||||
|
|
||||||
From 1d630363c9b2497266e418aad89c55d5b51a63ad Mon Sep 17 00:00:00 2001
|
|
||||||
From: Andreas Schneider <asn@samba.org>
|
|
||||||
Date: Mon, 17 Oct 2022 09:02:28 +0200
|
|
||||||
Subject: [PATCH 3/5] s4:libnet: If we successfully changed the password we are
|
|
||||||
done
|
|
||||||
|
|
||||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15206
|
|
||||||
|
|
||||||
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
||||||
Reviewed-by: Noel Power <noel.power@suse.com>
|
|
||||||
---
|
|
||||||
source4/libnet/libnet_passwd.c | 32 ++++++++++++++++++--------------
|
|
||||||
1 file changed, 18 insertions(+), 14 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/source4/libnet/libnet_passwd.c b/source4/libnet/libnet_passwd.c
|
|
||||||
index a1672104824..b17614bcd97 100644
|
|
||||||
--- a/source4/libnet/libnet_passwd.c
|
|
||||||
+++ b/source4/libnet/libnet_passwd.c
|
|
||||||
@@ -101,7 +101,7 @@ static NTSTATUS libnet_ChangePassword_samr_aes(TALLOC_CTX *mem_ctx,
|
|
||||||
r.in.password = &pwd_buf;
|
|
||||||
|
|
||||||
status = dcerpc_samr_ChangePasswordUser4_r(h, mem_ctx, &r);
|
|
||||||
- if (NT_STATUS_IS_OK(status)) {
|
|
||||||
+ if (!NT_STATUS_IS_OK(status)) {
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
if (!NT_STATUS_IS_OK(r.out.result)) {
|
|
||||||
@@ -112,6 +112,7 @@ static NTSTATUS libnet_ChangePassword_samr_aes(TALLOC_CTX *mem_ctx,
|
|
||||||
account->string,
|
|
||||||
nt_errstr(status));
|
|
||||||
status = r.out.result;
|
|
||||||
+ goto done;
|
|
||||||
}
|
|
||||||
|
|
||||||
done:
|
|
||||||
@@ -424,20 +425,23 @@ static NTSTATUS libnet_ChangePassword_samr(struct libnet_context *ctx, TALLOC_CT
|
|
||||||
r->samr.in.oldpassword,
|
|
||||||
r->samr.in.newpassword,
|
|
||||||
&(r->samr.out.error_string));
|
|
||||||
- if (!NT_STATUS_IS_OK(status)) {
|
|
||||||
- if (NT_STATUS_EQUAL(status,
|
|
||||||
- NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE) ||
|
|
||||||
- NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED) ||
|
|
||||||
- NT_STATUS_EQUAL(status, NT_STATUS_NOT_IMPLEMENTED)) {
|
|
||||||
- /*
|
|
||||||
- * Don't fallback to RC4 based SAMR if weak crypto is not
|
|
||||||
- * allowed.
|
|
||||||
- */
|
|
||||||
- if (lpcfg_weak_crypto(ctx->lp_ctx) ==
|
|
||||||
- SAMBA_WEAK_CRYPTO_DISALLOWED) {
|
|
||||||
- goto disconnect;
|
|
||||||
- }
|
|
||||||
+ if (NT_STATUS_IS_OK(status)) {
|
|
||||||
+ goto disconnect;
|
|
||||||
+ } else if (NT_STATUS_EQUAL(status,
|
|
||||||
+ NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE) ||
|
|
||||||
+ NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED) ||
|
|
||||||
+ NT_STATUS_EQUAL(status, NT_STATUS_NOT_IMPLEMENTED)) {
|
|
||||||
+ /*
|
|
||||||
+ * Don't fallback to RC4 based SAMR if weak crypto is not
|
|
||||||
+ * allowed.
|
|
||||||
+ */
|
|
||||||
+ if (lpcfg_weak_crypto(ctx->lp_ctx) ==
|
|
||||||
+ SAMBA_WEAK_CRYPTO_DISALLOWED) {
|
|
||||||
+ goto disconnect;
|
|
||||||
}
|
|
||||||
+ } else {
|
|
||||||
+ /* libnet_ChangePassword_samr_aes is implemented and failed */
|
|
||||||
+ goto disconnect;
|
|
||||||
}
|
|
||||||
|
|
||||||
status = libnet_ChangePassword_samr_rc4(
|
|
||||||
--
|
|
||||||
2.37.3
|
|
||||||
|
|
||||||
|
|
||||||
From 9a4a169ab34641afb87e7f81708c9a72b321879e Mon Sep 17 00:00:00 2001
|
|
||||||
From: Noel Power <noel.power@suse.com>
|
|
||||||
Date: Fri, 21 Oct 2022 17:40:36 +0100
|
|
||||||
Subject: [PATCH 4/5] s4/rpc_server/sambr: don't mutate the return of
|
|
||||||
samdb_set_password_aes
|
|
||||||
|
|
||||||
prior to this commit return of samdb_set_password_aes was set to
|
|
||||||
NT_STATUS_WRONG_PASSWORD on failure. Useful status that should be
|
|
||||||
returned such as NT_STATUS_PASSWORD_RESTRICTION are swallowed here
|
|
||||||
otherwise (and in this case can be partially responsible for failures
|
|
||||||
in test samba.tests.auth_log_pass_change (with later gnutls)
|
|
||||||
|
|
||||||
Signed-off-by: Noel Power <noel.power@suse.com>
|
|
||||||
Reviewed-by: Andreas Schneider <asn@samba.org>
|
|
||||||
---
|
|
||||||
source4/rpc_server/samr/samr_password.c | 1 -
|
|
||||||
1 file changed, 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/source4/rpc_server/samr/samr_password.c b/source4/rpc_server/samr/samr_password.c
|
|
||||||
index 4691f9a47a9..b581be6361c 100644
|
|
||||||
--- a/source4/rpc_server/samr/samr_password.c
|
|
||||||
+++ b/source4/rpc_server/samr/samr_password.c
|
|
||||||
@@ -250,7 +250,6 @@ NTSTATUS dcesrv_samr_ChangePasswordUser4(struct dcesrv_call_state *dce_call,
|
|
||||||
|
|
||||||
if (!NT_STATUS_IS_OK(status)) {
|
|
||||||
ldb_transaction_cancel(sam_ctx);
|
|
||||||
- status = NT_STATUS_WRONG_PASSWORD;
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
|
|
||||||
--
|
|
||||||
2.37.3
|
|
||||||
|
|
||||||
|
|
||||||
From b8b36ecba0f22dbc203c12627ebd629c2437c635 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Noel Power <noel.power@suse.com>
|
|
||||||
Date: Fri, 21 Oct 2022 17:14:44 +0100
|
|
||||||
Subject: [PATCH 5/5] python/samba/tests: fix samba.tests.auth_log_pass_change
|
|
||||||
for later gnutls
|
|
||||||
|
|
||||||
later gnutls that support GNUTLS_PBKDF2 currently fail,
|
|
||||||
we need to conditionally switch test data to reflect use of
|
|
||||||
'samr_ChangePasswordUser3' or 'samr_ChangePasswordUser4'
|
|
||||||
depending on whether GNUTLS_PBKDF2 is supported or not
|
|
||||||
|
|
||||||
Signed-off-by: Noel Power <noel.power@suse.com>
|
|
||||||
Reviewed-by: Andreas Schneider <asn@samba.org>
|
|
||||||
---
|
|
||||||
python/samba/tests/auth_log_pass_change.py | 20 ++++++++++++++++----
|
|
||||||
source4/selftest/tests.py | 9 ++++++---
|
|
||||||
2 files changed, 22 insertions(+), 7 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/python/samba/tests/auth_log_pass_change.py b/python/samba/tests/auth_log_pass_change.py
|
|
||||||
index 972af2158dd..1ca46c586b3 100644
|
|
||||||
--- a/python/samba/tests/auth_log_pass_change.py
|
|
||||||
+++ b/python/samba/tests/auth_log_pass_change.py
|
|
||||||
@@ -72,6 +72,18 @@ class AuthLogPassChangeTests(samba.tests.auth_log_base.AuthLogTestBase):
|
|
||||||
|
|
||||||
# discard any auth log messages for the password setup
|
|
||||||
self.discardMessages()
|
|
||||||
+ gnutls_pbkdf2_support = samba.tests.env_get_var_value(
|
|
||||||
+ 'GNUTLS_PBKDF2_SUPPORT',
|
|
||||||
+ allow_missing=True)
|
|
||||||
+ if gnutls_pbkdf2_support is None:
|
|
||||||
+ gnutls_pbkdf2_support = '0'
|
|
||||||
+ self.gnutls_pbkdf2_support = bool(int(gnutls_pbkdf2_support))
|
|
||||||
+
|
|
||||||
+ def _authDescription(self):
|
|
||||||
+ if self.gnutls_pbkdf2_support:
|
|
||||||
+ return "samr_ChangePasswordUser4"
|
|
||||||
+ else:
|
|
||||||
+ return "samr_ChangePasswordUser3"
|
|
||||||
|
|
||||||
def tearDown(self):
|
|
||||||
super(AuthLogPassChangeTests, self).tearDown()
|
|
||||||
@@ -83,7 +95,7 @@ class AuthLogPassChangeTests(samba.tests.auth_log_base.AuthLogTestBase):
|
|
||||||
(msg["Authentication"]["serviceDescription"] ==
|
|
||||||
"SAMR Password Change") and
|
|
||||||
(msg["Authentication"]["authDescription"] ==
|
|
||||||
- "samr_ChangePasswordUser3") and
|
|
||||||
+ self._authDescription()) and
|
|
||||||
(msg["Authentication"]["eventId"] ==
|
|
||||||
EVT_ID_SUCCESSFUL_LOGON) and
|
|
||||||
(msg["Authentication"]["logonType"] ==
|
|
||||||
@@ -109,7 +121,7 @@ class AuthLogPassChangeTests(samba.tests.auth_log_base.AuthLogTestBase):
|
|
||||||
(msg["Authentication"]["serviceDescription"] ==
|
|
||||||
"SAMR Password Change") and
|
|
||||||
(msg["Authentication"]["authDescription"] ==
|
|
||||||
- "samr_ChangePasswordUser3") and
|
|
||||||
+ self._authDescription()) and
|
|
||||||
(msg["Authentication"]["eventId"] ==
|
|
||||||
EVT_ID_UNSUCCESSFUL_LOGON) and
|
|
||||||
(msg["Authentication"]["logonType"] ==
|
|
||||||
@@ -141,7 +153,7 @@ class AuthLogPassChangeTests(samba.tests.auth_log_base.AuthLogTestBase):
|
|
||||||
(msg["Authentication"]["serviceDescription"] ==
|
|
||||||
"SAMR Password Change") and
|
|
||||||
(msg["Authentication"]["authDescription"] ==
|
|
||||||
- "samr_ChangePasswordUser3") and
|
|
||||||
+ self._authDescription()) and
|
|
||||||
(msg["Authentication"]["eventId"] ==
|
|
||||||
EVT_ID_UNSUCCESSFUL_LOGON) and
|
|
||||||
(msg["Authentication"]["logonType"] ==
|
|
||||||
@@ -174,7 +186,7 @@ class AuthLogPassChangeTests(samba.tests.auth_log_base.AuthLogTestBase):
|
|
||||||
(msg["Authentication"]["serviceDescription"] ==
|
|
||||||
"SAMR Password Change") and
|
|
||||||
(msg["Authentication"]["authDescription"] ==
|
|
||||||
- "samr_ChangePasswordUser3") and
|
|
||||||
+ self._authDescription()) and
|
|
||||||
(msg["Authentication"]["eventId"] ==
|
|
||||||
EVT_ID_UNSUCCESSFUL_LOGON) and
|
|
||||||
(msg["Authentication"]["logonType"] ==
|
|
||||||
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
|
|
||||||
index a803d4704ea..c92105586a7 100755
|
|
||||||
--- a/source4/selftest/tests.py
|
|
||||||
+++ b/source4/selftest/tests.py
|
|
||||||
@@ -1094,9 +1094,11 @@ if have_heimdal_support:
|
|
||||||
environ={'CLIENT_IP': '10.53.57.11',
|
|
||||||
'SOCKET_WRAPPER_DEFAULT_IFACE': 11})
|
|
||||||
planoldpythontestsuite("ad_dc_smb1", "samba.tests.auth_log_pass_change",
|
|
||||||
- extra_args=['-U"$USERNAME%$PASSWORD"'])
|
|
||||||
+ extra_args=['-U"$USERNAME%$PASSWORD"'],
|
|
||||||
+ environ={'GNUTLS_PBKDF2_SUPPORT': gnutls_pbkdf2_support})
|
|
||||||
planoldpythontestsuite("ad_dc_ntvfs", "samba.tests.auth_log_pass_change",
|
|
||||||
- extra_args=['-U"$USERNAME%$PASSWORD"'])
|
|
||||||
+ extra_args=['-U"$USERNAME%$PASSWORD"'],
|
|
||||||
+ environ={'GNUTLS_PBKDF2_SUPPORT': gnutls_pbkdf2_support})
|
|
||||||
|
|
||||||
# these tests use a NCA local RPC connection, so always run on the
|
|
||||||
# :local testenv, and so don't need to fake a client connection
|
|
||||||
@@ -1113,7 +1115,8 @@ if have_heimdal_support:
|
|
||||||
"samba.tests.auth_log_winbind",
|
|
||||||
extra_args=['-U"$DC_USERNAME%$DC_PASSWORD"'])
|
|
||||||
planoldpythontestsuite("ad_dc", "samba.tests.audit_log_pass_change",
|
|
||||||
- extra_args=['-U"$USERNAME%$PASSWORD"'])
|
|
||||||
+ extra_args=['-U"$USERNAME%$PASSWORD"'],
|
|
||||||
+ environ={'GNUTLS_PBKDF2_SUPPORT': gnutls_pbkdf2_support})
|
|
||||||
planoldpythontestsuite("ad_dc", "samba.tests.audit_log_dsdb",
|
|
||||||
extra_args=['-U"$USERNAME%$PASSWORD"'])
|
|
||||||
planoldpythontestsuite("ad_dc", "samba.tests.group_audit",
|
|
||||||
--
|
|
||||||
2.37.3
|
|
||||||
|
|
356
samba-4.18-netlogon.patch
Normal file
356
samba-4.18-netlogon.patch
Normal file
@ -0,0 +1,356 @@
|
|||||||
|
From e66efc77d8ecbe7cb42a7a8063b01906d7c49515 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Stefan Metzmacher <metze@samba.org>
|
||||||
|
Date: Sat, 15 Jul 2023 17:20:32 +0200
|
||||||
|
Subject: [PATCH 1/4] netlogon.idl: add support for netr_LogonGetCapabilities
|
||||||
|
response level 2
|
||||||
|
|
||||||
|
We don't have any documentation about this yet, but tests against
|
||||||
|
a Windows Server 2022 patched with KB5028166 revealed that
|
||||||
|
the response for query_level=2 is exactly the same as
|
||||||
|
for querey_level=1.
|
||||||
|
|
||||||
|
Until we know the reason for query_level=2 we won't
|
||||||
|
use it as client nor support it in the server, but
|
||||||
|
we want ndrdump to work.
|
||||||
|
|
||||||
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418
|
||||||
|
|
||||||
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
||||||
|
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
||||||
|
(cherry picked from commit 5f87888ed53320538cf773d64868390d8641a40e)
|
||||||
|
---
|
||||||
|
librpc/idl/netlogon.idl | 1 +
|
||||||
|
1 file changed, 1 insertion(+)
|
||||||
|
|
||||||
|
diff --git a/librpc/idl/netlogon.idl b/librpc/idl/netlogon.idl
|
||||||
|
index e563e114900b..c77151af26b1 100644
|
||||||
|
--- a/librpc/idl/netlogon.idl
|
||||||
|
+++ b/librpc/idl/netlogon.idl
|
||||||
|
@@ -1241,6 +1241,7 @@ interface netlogon
|
||||||
|
/* Function 0x15 */
|
||||||
|
typedef [switch_type(uint32)] union {
|
||||||
|
[case(1)] netr_NegotiateFlags server_capabilities;
|
||||||
|
+ [case(2)] netr_NegotiateFlags server_capabilities;
|
||||||
|
} netr_Capabilities;
|
||||||
|
|
||||||
|
NTSTATUS netr_LogonGetCapabilities(
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
||||||
|
|
||||||
|
From bfa6a3e1d816ddcb508e7e0075386a8bf030561d Mon Sep 17 00:00:00 2001
|
||||||
|
From: Stefan Metzmacher <metze@samba.org>
|
||||||
|
Date: Sat, 15 Jul 2023 17:25:05 +0200
|
||||||
|
Subject: [PATCH 2/4] s4:torture/rpc: let rpc.schannel also check
|
||||||
|
netr_LogonGetCapabilities with different levels
|
||||||
|
|
||||||
|
The important change it that we expect DCERPC_NCA_S_FAULT_INVALID_TAG
|
||||||
|
for unsupported query_levels, we allow it to work with servers
|
||||||
|
with or without support for query_level=2.
|
||||||
|
|
||||||
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418
|
||||||
|
|
||||||
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
||||||
|
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
||||||
|
(cherry picked from commit 404ce08e9088968311c714e756f5d58ce2cef715)
|
||||||
|
---
|
||||||
|
.../knownfail.d/netr_LogonGetCapabilities | 3 +
|
||||||
|
source4/torture/rpc/netlogon.c | 77 ++++++++++++++++++-
|
||||||
|
2 files changed, 79 insertions(+), 1 deletion(-)
|
||||||
|
create mode 100644 selftest/knownfail.d/netr_LogonGetCapabilities
|
||||||
|
|
||||||
|
diff --git a/selftest/knownfail.d/netr_LogonGetCapabilities b/selftest/knownfail.d/netr_LogonGetCapabilities
|
||||||
|
new file mode 100644
|
||||||
|
index 000000000000..30aadf3bb9d5
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/selftest/knownfail.d/netr_LogonGetCapabilities
|
||||||
|
@@ -0,0 +1,3 @@
|
||||||
|
+^samba3.rpc.schannel.*\.schannel\(nt4_dc
|
||||||
|
+^samba3.rpc.schannel.*\.schannel\(ad_dc
|
||||||
|
+^samba4.rpc.schannel.*\.schannel\(ad_dc
|
||||||
|
diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c
|
||||||
|
index 1f068eb78265..a3d190f13dd8 100644
|
||||||
|
--- a/source4/torture/rpc/netlogon.c
|
||||||
|
+++ b/source4/torture/rpc/netlogon.c
|
||||||
|
@@ -2056,8 +2056,47 @@ bool test_netlogon_capabilities(struct dcerpc_pipe *p, struct torture_context *t
|
||||||
|
r.out.capabilities = &capabilities;
|
||||||
|
r.out.return_authenticator = &return_auth;
|
||||||
|
|
||||||
|
- torture_comment(tctx, "Testing LogonGetCapabilities\n");
|
||||||
|
+ torture_comment(tctx, "Testing LogonGetCapabilities with query_level=0\n");
|
||||||
|
|
||||||
|
+ r.in.query_level = 0;
|
||||||
|
+ ZERO_STRUCT(return_auth);
|
||||||
|
+
|
||||||
|
+ /*
|
||||||
|
+ * we need to operate on a temporary copy of creds
|
||||||
|
+ * because dcerpc_netr_LogonGetCapabilities with
|
||||||
|
+ * an unknown query level returns DCERPC_NCA_S_FAULT_INVALID_TAG
|
||||||
|
+ * => NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE
|
||||||
|
+ * without looking a the authenticator.
|
||||||
|
+ */
|
||||||
|
+ tmp_creds = *creds;
|
||||||
|
+ netlogon_creds_client_authenticator(&tmp_creds, &auth);
|
||||||
|
+
|
||||||
|
+ status = dcerpc_netr_LogonGetCapabilities_r(b, tctx, &r);
|
||||||
|
+ torture_assert_ntstatus_equal(tctx, status, NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE,
|
||||||
|
+ "LogonGetCapabilities query_level=0 failed");
|
||||||
|
+
|
||||||
|
+ torture_comment(tctx, "Testing LogonGetCapabilities with query_level=3\n");
|
||||||
|
+
|
||||||
|
+ r.in.query_level = 3;
|
||||||
|
+ ZERO_STRUCT(return_auth);
|
||||||
|
+
|
||||||
|
+ /*
|
||||||
|
+ * we need to operate on a temporary copy of creds
|
||||||
|
+ * because dcerpc_netr_LogonGetCapabilities with
|
||||||
|
+ * an unknown query level returns DCERPC_NCA_S_FAULT_INVALID_TAG
|
||||||
|
+ * => NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE
|
||||||
|
+ * without looking a the authenticator.
|
||||||
|
+ */
|
||||||
|
+ tmp_creds = *creds;
|
||||||
|
+ netlogon_creds_client_authenticator(&tmp_creds, &auth);
|
||||||
|
+
|
||||||
|
+ status = dcerpc_netr_LogonGetCapabilities_r(b, tctx, &r);
|
||||||
|
+ torture_assert_ntstatus_equal(tctx, status, NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE,
|
||||||
|
+ "LogonGetCapabilities query_level=0 failed");
|
||||||
|
+
|
||||||
|
+ torture_comment(tctx, "Testing LogonGetCapabilities with query_level=1\n");
|
||||||
|
+
|
||||||
|
+ r.in.query_level = 1;
|
||||||
|
ZERO_STRUCT(return_auth);
|
||||||
|
|
||||||
|
/*
|
||||||
|
@@ -2077,6 +2116,42 @@ bool test_netlogon_capabilities(struct dcerpc_pipe *p, struct torture_context *t
|
||||||
|
|
||||||
|
*creds = tmp_creds;
|
||||||
|
|
||||||
|
+ torture_assert(tctx, netlogon_creds_client_check(creds,
|
||||||
|
+ &r.out.return_authenticator->cred),
|
||||||
|
+ "Credential chaining failed");
|
||||||
|
+
|
||||||
|
+ torture_assert_int_equal(tctx, creds->negotiate_flags,
|
||||||
|
+ capabilities.server_capabilities,
|
||||||
|
+ "negotiate flags");
|
||||||
|
+
|
||||||
|
+ torture_comment(tctx, "Testing LogonGetCapabilities with query_level=2\n");
|
||||||
|
+
|
||||||
|
+ r.in.query_level = 2;
|
||||||
|
+ ZERO_STRUCT(return_auth);
|
||||||
|
+
|
||||||
|
+ /*
|
||||||
|
+ * we need to operate on a temporary copy of creds
|
||||||
|
+ * because dcerpc_netr_LogonGetCapabilities with
|
||||||
|
+ * an query level 2 may returns DCERPC_NCA_S_FAULT_INVALID_TAG
|
||||||
|
+ * => NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE
|
||||||
|
+ * without looking a the authenticator.
|
||||||
|
+ */
|
||||||
|
+ tmp_creds = *creds;
|
||||||
|
+ netlogon_creds_client_authenticator(&tmp_creds, &auth);
|
||||||
|
+
|
||||||
|
+ status = dcerpc_netr_LogonGetCapabilities_r(b, tctx, &r);
|
||||||
|
+ if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE)) {
|
||||||
|
+ /*
|
||||||
|
+ * an server without KB5028166 returns
|
||||||
|
+ * DCERPC_NCA_S_FAULT_INVALID_TAG =>
|
||||||
|
+ * NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE
|
||||||
|
+ */
|
||||||
|
+ return true;
|
||||||
|
+ }
|
||||||
|
+ torture_assert_ntstatus_ok(tctx, status, "LogonGetCapabilities query_level=2 failed");
|
||||||
|
+
|
||||||
|
+ *creds = tmp_creds;
|
||||||
|
+
|
||||||
|
torture_assert(tctx, netlogon_creds_client_check(creds,
|
||||||
|
&r.out.return_authenticator->cred),
|
||||||
|
"Credential chaining failed");
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
||||||
|
|
||||||
|
From 6f161300093b1b51fc9865155163cf7b3a42d802 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Stefan Metzmacher <metze@samba.org>
|
||||||
|
Date: Sat, 15 Jul 2023 16:11:48 +0200
|
||||||
|
Subject: [PATCH 3/4] s4:rpc_server:netlogon: generate FAULT_INVALID_TAG for
|
||||||
|
invalid netr_LogonGetCapabilities levels
|
||||||
|
|
||||||
|
This is important as Windows clients with KB5028166 seem to
|
||||||
|
call netr_LogonGetCapabilities with query_level=2 after
|
||||||
|
a call with query_level=1.
|
||||||
|
|
||||||
|
An unpatched Windows Server returns DCERPC_NCA_S_FAULT_INVALID_TAG
|
||||||
|
for query_level values other than 1.
|
||||||
|
While Samba tries to return NT_STATUS_NOT_SUPPORTED, but
|
||||||
|
later fails to marshall the response, which results
|
||||||
|
in DCERPC_FAULT_BAD_STUB_DATA instead.
|
||||||
|
|
||||||
|
Because we don't have any documentation for level 2 yet,
|
||||||
|
we just try to behave like an unpatched server and
|
||||||
|
generate DCERPC_NCA_S_FAULT_INVALID_TAG instead of
|
||||||
|
DCERPC_FAULT_BAD_STUB_DATA.
|
||||||
|
Which allows patched Windows clients to keep working
|
||||||
|
against a Samba DC.
|
||||||
|
|
||||||
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418
|
||||||
|
|
||||||
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
||||||
|
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
||||||
|
(cherry picked from commit d5f1097b6220676d56ed5fc6707acf667b704518)
|
||||||
|
---
|
||||||
|
.../knownfail.d/netr_LogonGetCapabilities | 2 --
|
||||||
|
source4/rpc_server/netlogon/dcerpc_netlogon.c | 28 ++++++++++++++++---
|
||||||
|
2 files changed, 24 insertions(+), 6 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/selftest/knownfail.d/netr_LogonGetCapabilities b/selftest/knownfail.d/netr_LogonGetCapabilities
|
||||||
|
index 30aadf3bb9d5..99c7ac711ede 100644
|
||||||
|
--- a/selftest/knownfail.d/netr_LogonGetCapabilities
|
||||||
|
+++ b/selftest/knownfail.d/netr_LogonGetCapabilities
|
||||||
|
@@ -1,3 +1 @@
|
||||||
|
^samba3.rpc.schannel.*\.schannel\(nt4_dc
|
||||||
|
-^samba3.rpc.schannel.*\.schannel\(ad_dc
|
||||||
|
-^samba4.rpc.schannel.*\.schannel\(ad_dc
|
||||||
|
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
|
||||||
|
index 314b469a718a..e203e04143d7 100644
|
||||||
|
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
|
||||||
|
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
|
||||||
|
@@ -2359,6 +2359,30 @@ static NTSTATUS dcesrv_netr_LogonGetCapabilities(struct dcesrv_call_state *dce_c
|
||||||
|
struct netlogon_creds_CredentialState *creds;
|
||||||
|
NTSTATUS status;
|
||||||
|
|
||||||
|
+ switch (r->in.query_level) {
|
||||||
|
+ case 1:
|
||||||
|
+ break;
|
||||||
|
+ case 2:
|
||||||
|
+ /*
|
||||||
|
+ * Until we know the details behind KB5028166
|
||||||
|
+ * just return DCERPC_NCA_S_FAULT_INVALID_TAG
|
||||||
|
+ * like an unpatched Windows Server.
|
||||||
|
+ */
|
||||||
|
+ FALL_THROUGH;
|
||||||
|
+ default:
|
||||||
|
+ /*
|
||||||
|
+ * There would not be a way to marshall the
|
||||||
|
+ * the response. Which would mean our final
|
||||||
|
+ * ndr_push would fail an we would return
|
||||||
|
+ * an RPC-level fault with DCERPC_FAULT_BAD_STUB_DATA.
|
||||||
|
+ *
|
||||||
|
+ * But it's important to match a Windows server
|
||||||
|
+ * especially before KB5028166, see also our bug #15418
|
||||||
|
+ * Otherwise Windows client would stop talking to us.
|
||||||
|
+ */
|
||||||
|
+ DCESRV_FAULT(DCERPC_NCA_S_FAULT_INVALID_TAG);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
status = dcesrv_netr_creds_server_step_check(dce_call,
|
||||||
|
mem_ctx,
|
||||||
|
r->in.computer_name,
|
||||||
|
@@ -2370,10 +2394,6 @@ static NTSTATUS dcesrv_netr_LogonGetCapabilities(struct dcesrv_call_state *dce_c
|
||||||
|
}
|
||||||
|
NT_STATUS_NOT_OK_RETURN(status);
|
||||||
|
|
||||||
|
- if (r->in.query_level != 1) {
|
||||||
|
- return NT_STATUS_NOT_SUPPORTED;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
r->out.capabilities->server_capabilities = creds->negotiate_flags;
|
||||||
|
|
||||||
|
return NT_STATUS_OK;
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
||||||
|
|
||||||
|
From 4611b5bd5bb697a19a67f78624c498cbe952763b Mon Sep 17 00:00:00 2001
|
||||||
|
From: Stefan Metzmacher <metze@samba.org>
|
||||||
|
Date: Sat, 15 Jul 2023 16:11:48 +0200
|
||||||
|
Subject: [PATCH 4/4] s3:rpc_server:netlogon: generate FAULT_INVALID_TAG for
|
||||||
|
invalid netr_LogonGetCapabilities levels
|
||||||
|
|
||||||
|
This is important as Windows clients with KB5028166 seem to
|
||||||
|
call netr_LogonGetCapabilities with query_level=2 after
|
||||||
|
a call with query_level=1.
|
||||||
|
|
||||||
|
An unpatched Windows Server returns DCERPC_NCA_S_FAULT_INVALID_TAG
|
||||||
|
for query_level values other than 1.
|
||||||
|
While Samba tries to return NT_STATUS_NOT_SUPPORTED, but
|
||||||
|
later fails to marshall the response, which results
|
||||||
|
in DCERPC_FAULT_BAD_STUB_DATA instead.
|
||||||
|
|
||||||
|
Because we don't have any documentation for level 2 yet,
|
||||||
|
we just try to behave like an unpatched server and
|
||||||
|
generate DCERPC_NCA_S_FAULT_INVALID_TAG instead of
|
||||||
|
DCERPC_FAULT_BAD_STUB_DATA.
|
||||||
|
Which allows patched Windows clients to keep working
|
||||||
|
against a Samba DC.
|
||||||
|
|
||||||
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418
|
||||||
|
|
||||||
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
||||||
|
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
||||||
|
|
||||||
|
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
|
||||||
|
Autobuild-Date(master): Mon Jul 17 07:35:09 UTC 2023 on atb-devel-224
|
||||||
|
|
||||||
|
(cherry picked from commit dfeabce44fbb78083fbbb2aa634fc4172cf83db9)
|
||||||
|
---
|
||||||
|
.../knownfail.d/netr_LogonGetCapabilities | 1 -
|
||||||
|
source3/rpc_server/netlogon/srv_netlog_nt.c | 29 ++++++++++++++++---
|
||||||
|
2 files changed, 25 insertions(+), 5 deletions(-)
|
||||||
|
delete mode 100644 selftest/knownfail.d/netr_LogonGetCapabilities
|
||||||
|
|
||||||
|
diff --git a/selftest/knownfail.d/netr_LogonGetCapabilities b/selftest/knownfail.d/netr_LogonGetCapabilities
|
||||||
|
deleted file mode 100644
|
||||||
|
index 99c7ac711ede..000000000000
|
||||||
|
--- a/selftest/knownfail.d/netr_LogonGetCapabilities
|
||||||
|
+++ /dev/null
|
||||||
|
@@ -1 +0,0 @@
|
||||||
|
-^samba3.rpc.schannel.*\.schannel\(nt4_dc
|
||||||
|
diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
|
||||||
|
index 72c50638c729..d19e2be650fb 100644
|
||||||
|
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
|
||||||
|
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
|
||||||
|
@@ -2284,6 +2284,31 @@ NTSTATUS _netr_LogonGetCapabilities(struct pipes_struct *p,
|
||||||
|
struct netlogon_creds_CredentialState *creds;
|
||||||
|
NTSTATUS status;
|
||||||
|
|
||||||
|
+ switch (r->in.query_level) {
|
||||||
|
+ case 1:
|
||||||
|
+ break;
|
||||||
|
+ case 2:
|
||||||
|
+ /*
|
||||||
|
+ * Until we know the details behind KB5028166
|
||||||
|
+ * just return DCERPC_NCA_S_FAULT_INVALID_TAG
|
||||||
|
+ * like an unpatched Windows Server.
|
||||||
|
+ */
|
||||||
|
+ FALL_THROUGH;
|
||||||
|
+ default:
|
||||||
|
+ /*
|
||||||
|
+ * There would not be a way to marshall the
|
||||||
|
+ * the response. Which would mean our final
|
||||||
|
+ * ndr_push would fail an we would return
|
||||||
|
+ * an RPC-level fault with DCERPC_FAULT_BAD_STUB_DATA.
|
||||||
|
+ *
|
||||||
|
+ * But it's important to match a Windows server
|
||||||
|
+ * especially before KB5028166, see also our bug #15418
|
||||||
|
+ * Otherwise Windows client would stop talking to us.
|
||||||
|
+ */
|
||||||
|
+ p->fault_state = DCERPC_NCA_S_FAULT_INVALID_TAG;
|
||||||
|
+ return NT_STATUS_NOT_SUPPORTED;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
become_root();
|
||||||
|
status = dcesrv_netr_creds_server_step_check(p->dce_call,
|
||||||
|
p->mem_ctx,
|
||||||
|
@@ -2296,10 +2321,6 @@ NTSTATUS _netr_LogonGetCapabilities(struct pipes_struct *p,
|
||||||
|
return status;
|
||||||
|
}
|
||||||
|
|
||||||
|
- if (r->in.query_level != 1) {
|
||||||
|
- return NT_STATUS_NOT_SUPPORTED;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
r->out.capabilities->server_capabilities = creds->negotiate_flags;
|
||||||
|
|
||||||
|
return NT_STATUS_OK;
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
642
samba-s4u.patch
642
samba-s4u.patch
@ -1,642 +0,0 @@
|
|||||||
From 5d7ec9a00b6f4c6768c606d37d235415f2006445 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Isaac Boukris <iboukris@gmail.com>
|
|
||||||
Date: Fri, 27 Sep 2019 18:25:03 +0300
|
|
||||||
Subject: [PATCH 1/3] mit-kdc: add basic loacl realm S4U support
|
|
||||||
|
|
||||||
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
|
|
||||||
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
|
|
||||||
---
|
|
||||||
source4/kdc/mit-kdb/kdb_samba_policies.c | 124 +++++++++++------------
|
|
||||||
source4/kdc/mit_samba.c | 47 ++-------
|
|
||||||
source4/kdc/mit_samba.h | 6 +-
|
|
||||||
3 files changed, 71 insertions(+), 106 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c
|
|
||||||
index 793fe366c35..22534c09974 100644
|
|
||||||
--- a/source4/kdc/mit-kdb/kdb_samba_policies.c
|
|
||||||
+++ b/source4/kdc/mit-kdb/kdb_samba_policies.c
|
|
||||||
@@ -200,13 +200,17 @@ static krb5_error_code ks_verify_pac(krb5_context context,
|
|
||||||
krb5_keyblock *krbtgt_key,
|
|
||||||
krb5_timestamp authtime,
|
|
||||||
krb5_authdata **tgt_auth_data,
|
|
||||||
- krb5_pac *pac)
|
|
||||||
+ krb5_pac *out_pac)
|
|
||||||
{
|
|
||||||
struct mit_samba_context *mit_ctx;
|
|
||||||
krb5_authdata **authdata = NULL;
|
|
||||||
- krb5_pac ipac = NULL;
|
|
||||||
- DATA_BLOB logon_data = { NULL, 0 };
|
|
||||||
+ krb5_keyblock *header_server_key = NULL;
|
|
||||||
+ krb5_key_data *impersonator_kd = NULL;
|
|
||||||
+ krb5_keyblock impersonator_key = {0};
|
|
||||||
krb5_error_code code;
|
|
||||||
+ krb5_pac pac;
|
|
||||||
+
|
|
||||||
+ *out_pac = NULL;
|
|
||||||
|
|
||||||
mit_ctx = ks_get_context(context);
|
|
||||||
if (mit_ctx == NULL) {
|
|
||||||
@@ -238,41 +242,43 @@ static krb5_error_code ks_verify_pac(krb5_context context,
|
|
||||||
code = krb5_pac_parse(context,
|
|
||||||
authdata[0]->contents,
|
|
||||||
authdata[0]->length,
|
|
||||||
- &ipac);
|
|
||||||
+ &pac);
|
|
||||||
if (code != 0) {
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
|
|
||||||
- /* TODO: verify this is correct
|
|
||||||
- *
|
|
||||||
- * In the constrained delegation case, the PAC is from a service
|
|
||||||
- * ticket rather than a TGT; we must verify the server and KDC
|
|
||||||
- * signatures to assert that the server did not forge the PAC.
|
|
||||||
+ /*
|
|
||||||
+ * For constrained delegation in MIT version < 1.18 we aren't provided
|
|
||||||
+ * with the 2nd ticket server key to verify the PAC.
|
|
||||||
+ * We can workaround that by fetching the key from the client db entry,
|
|
||||||
+ * which is the impersonator account in that version.
|
|
||||||
+ * TODO: use the provided entry in the new 1.18 version.
|
|
||||||
*/
|
|
||||||
if (flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) {
|
|
||||||
- code = krb5_pac_verify(context,
|
|
||||||
- ipac,
|
|
||||||
- authtime,
|
|
||||||
- client_princ,
|
|
||||||
- server_key,
|
|
||||||
- krbtgt_key);
|
|
||||||
+ /* The impersonator must be local. */
|
|
||||||
+ if (client == NULL) {
|
|
||||||
+ code = KRB5KDC_ERR_BADOPTION;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+ /* Fetch and decrypt 2nd ticket server's current key. */
|
|
||||||
+ code = krb5_dbe_find_enctype(context, client, -1, -1, 0,
|
|
||||||
+ &impersonator_kd);
|
|
||||||
+ if (code != 0) {
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+ code = krb5_dbe_decrypt_key_data(context, NULL,
|
|
||||||
+ impersonator_kd,
|
|
||||||
+ &impersonator_key, NULL);
|
|
||||||
+ if (code != 0) {
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+ header_server_key = &impersonator_key;
|
|
||||||
} else {
|
|
||||||
- code = krb5_pac_verify(context,
|
|
||||||
- ipac,
|
|
||||||
- authtime,
|
|
||||||
- client_princ,
|
|
||||||
- krbtgt_key,
|
|
||||||
- NULL);
|
|
||||||
- }
|
|
||||||
- if (code != 0) {
|
|
||||||
- goto done;
|
|
||||||
+ header_server_key = krbtgt_key;
|
|
||||||
}
|
|
||||||
|
|
||||||
- /* check and update PAC */
|
|
||||||
- code = krb5_pac_parse(context,
|
|
||||||
- authdata[0]->contents,
|
|
||||||
- authdata[0]->length,
|
|
||||||
- pac);
|
|
||||||
+ code = krb5_pac_verify(context, pac, authtime, client_princ,
|
|
||||||
+ header_server_key, NULL);
|
|
||||||
if (code != 0) {
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
@@ -280,17 +286,22 @@ static krb5_error_code ks_verify_pac(krb5_context context,
|
|
||||||
code = mit_samba_reget_pac(mit_ctx,
|
|
||||||
context,
|
|
||||||
flags,
|
|
||||||
- client_princ,
|
|
||||||
client,
|
|
||||||
server,
|
|
||||||
krbtgt,
|
|
||||||
krbtgt_key,
|
|
||||||
- pac);
|
|
||||||
+ &pac);
|
|
||||||
+ if (code != 0) {
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ *out_pac = pac;
|
|
||||||
+ pac = NULL;
|
|
||||||
|
|
||||||
done:
|
|
||||||
+ krb5_free_keyblock_contents(context, &impersonator_key);
|
|
||||||
krb5_free_authdata(context, authdata);
|
|
||||||
- krb5_pac_free(context, ipac);
|
|
||||||
- free(logon_data.data);
|
|
||||||
+ krb5_pac_free(context, pac);
|
|
||||||
|
|
||||||
return code;
|
|
||||||
}
|
|
||||||
@@ -319,6 +330,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
|
|
||||||
krb5_authdata **pac_auth_data = NULL;
|
|
||||||
krb5_authdata **authdata = NULL;
|
|
||||||
krb5_boolean is_as_req;
|
|
||||||
+ krb5_const_principal pac_client;
|
|
||||||
krb5_error_code code;
|
|
||||||
krb5_pac pac = NULL;
|
|
||||||
krb5_data pac_data;
|
|
||||||
@@ -330,11 +342,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
|
|
||||||
krbtgt = krbtgt == NULL ? local_krbtgt : krbtgt;
|
|
||||||
krbtgt_key = krbtgt_key == NULL ? local_krbtgt_key : krbtgt_key;
|
|
||||||
|
|
||||||
- /* FIXME: We don't support S4U yet */
|
|
||||||
- if (flags & KRB5_KDB_FLAGS_S4U) {
|
|
||||||
- return KRB5_KDB_DBTYPE_NOSUP;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0);
|
|
||||||
|
|
||||||
/*
|
|
||||||
@@ -395,6 +402,16 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
|
|
||||||
ks_client_princ = client->princ;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ /* In protocol transition, we are currently not provided with the tgt
|
|
||||||
+ * client name to verify the PAC, we could probably skip the name
|
|
||||||
+ * verification and just verify the signatures, but since we don't
|
|
||||||
+ * support cross-realm nor aliases, we can just use server->princ */
|
|
||||||
+ if (flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION) {
|
|
||||||
+ pac_client = server->princ;
|
|
||||||
+ } else {
|
|
||||||
+ pac_client = ks_client_princ;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
if (client_entry == NULL) {
|
|
||||||
client_entry = client;
|
|
||||||
}
|
|
||||||
@@ -469,7 +486,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
|
|
||||||
|
|
||||||
code = ks_verify_pac(context,
|
|
||||||
flags,
|
|
||||||
- ks_client_princ,
|
|
||||||
+ pac_client,
|
|
||||||
client_entry,
|
|
||||||
server,
|
|
||||||
krbtgt,
|
|
||||||
@@ -515,7 +532,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
|
|
||||||
is_as_req ? "AS-REQ" : "TGS-REQ",
|
|
||||||
client_name);
|
|
||||||
code = krb5_pac_sign(context, pac, authtime, ks_client_princ,
|
|
||||||
- server_key, krbtgt_key, &pac_data);
|
|
||||||
+ server_key, krbtgt_key, &pac_data);
|
|
||||||
if (code != 0) {
|
|
||||||
DBG_ERR("krb5_pac_sign failed: %d\n", code);
|
|
||||||
goto done;
|
|
||||||
@@ -541,12 +558,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
|
|
||||||
KRB5_AUTHDATA_IF_RELEVANT,
|
|
||||||
authdata,
|
|
||||||
signed_auth_data);
|
|
||||||
- if (code != 0) {
|
|
||||||
- goto done;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- code = 0;
|
|
||||||
-
|
|
||||||
done:
|
|
||||||
if (client_entry != NULL && client_entry != client) {
|
|
||||||
ks_free_principal(context, client_entry);
|
|
||||||
@@ -572,32 +583,13 @@ krb5_error_code kdb_samba_db_check_allowed_to_delegate(krb5_context context,
|
|
||||||
* server; -> delegating service
|
|
||||||
* proxy; -> target principal
|
|
||||||
*/
|
|
||||||
- krb5_db_entry *delegating_service = discard_const_p(krb5_db_entry, server);
|
|
||||||
-
|
|
||||||
- char *target_name = NULL;
|
|
||||||
- bool is_enterprise;
|
|
||||||
- krb5_error_code code;
|
|
||||||
|
|
||||||
mit_ctx = ks_get_context(context);
|
|
||||||
if (mit_ctx == NULL) {
|
|
||||||
return KRB5_KDB_DBNOTINITED;
|
|
||||||
}
|
|
||||||
|
|
||||||
- code = krb5_unparse_name(context, proxy, &target_name);
|
|
||||||
- if (code) {
|
|
||||||
- goto done;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- is_enterprise = (proxy->type == KRB5_NT_ENTERPRISE_PRINCIPAL);
|
|
||||||
-
|
|
||||||
- code = mit_samba_check_s4u2proxy(mit_ctx,
|
|
||||||
- delegating_service,
|
|
||||||
- target_name,
|
|
||||||
- is_enterprise);
|
|
||||||
-
|
|
||||||
-done:
|
|
||||||
- free(target_name);
|
|
||||||
- return code;
|
|
||||||
+ return mit_samba_check_s4u2proxy(mit_ctx, server, proxy);
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c
|
|
||||||
index cb72b5de294..03c2c2ea1de 100644
|
|
||||||
--- a/source4/kdc/mit_samba.c
|
|
||||||
+++ b/source4/kdc/mit_samba.c
|
|
||||||
@@ -517,7 +517,6 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx,
|
|
||||||
krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx,
|
|
||||||
krb5_context context,
|
|
||||||
int flags,
|
|
||||||
- krb5_const_principal client_principal,
|
|
||||||
krb5_db_entry *client,
|
|
||||||
krb5_db_entry *server,
|
|
||||||
krb5_db_entry *krbtgt,
|
|
||||||
@@ -689,7 +688,7 @@ krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx,
|
|
||||||
context,
|
|
||||||
*pac,
|
|
||||||
server->princ,
|
|
||||||
- discard_const(client_principal),
|
|
||||||
+ client->princ,
|
|
||||||
deleg_blob);
|
|
||||||
if (!NT_STATUS_IS_OK(nt_status)) {
|
|
||||||
DEBUG(0, ("Update delegation info failed: %s\n",
|
|
||||||
@@ -1081,41 +1080,17 @@ int mit_samba_check_client_access(struct mit_samba_context *ctx,
|
|
||||||
}
|
|
||||||
|
|
||||||
int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx,
|
|
||||||
- krb5_db_entry *kentry,
|
|
||||||
- const char *target_name,
|
|
||||||
- bool is_nt_enterprise_name)
|
|
||||||
+ const krb5_db_entry *server,
|
|
||||||
+ krb5_const_principal target_principal)
|
|
||||||
{
|
|
||||||
-#if 1
|
|
||||||
- /*
|
|
||||||
- * This is disabled because mit_samba_update_pac_data() does not handle
|
|
||||||
- * S4U_DELEGATION_INFO
|
|
||||||
- */
|
|
||||||
-
|
|
||||||
- return KRB5KDC_ERR_BADOPTION;
|
|
||||||
-#else
|
|
||||||
- krb5_principal target_principal;
|
|
||||||
- int flags = 0;
|
|
||||||
- int ret;
|
|
||||||
-
|
|
||||||
- if (is_nt_enterprise_name) {
|
|
||||||
- flags = KRB5_PRINCIPAL_PARSE_ENTERPRISE;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- ret = krb5_parse_name_flags(ctx->context, target_name,
|
|
||||||
- flags, &target_principal);
|
|
||||||
- if (ret) {
|
|
||||||
- return ret;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- ret = samba_kdc_check_s4u2proxy(ctx->context,
|
|
||||||
- ctx->db_ctx,
|
|
||||||
- skdc_entry,
|
|
||||||
- target_principal);
|
|
||||||
-
|
|
||||||
- krb5_free_principal(ctx->context, target_principal);
|
|
||||||
-
|
|
||||||
- return ret;
|
|
||||||
-#endif
|
|
||||||
+ struct samba_kdc_entry *server_skdc_entry =
|
|
||||||
+ talloc_get_type_abort(server->e_data,
|
|
||||||
+ struct samba_kdc_entry);
|
|
||||||
+
|
|
||||||
+ return samba_kdc_check_s4u2proxy(ctx->context,
|
|
||||||
+ ctx->db_ctx,
|
|
||||||
+ server_skdc_entry,
|
|
||||||
+ target_principal);
|
|
||||||
}
|
|
||||||
|
|
||||||
static krb5_error_code mit_samba_change_pwd_error(krb5_context context,
|
|
||||||
diff --git a/source4/kdc/mit_samba.h b/source4/kdc/mit_samba.h
|
|
||||||
index 4431e82a1b2..9370ab533af 100644
|
|
||||||
--- a/source4/kdc/mit_samba.h
|
|
||||||
+++ b/source4/kdc/mit_samba.h
|
|
||||||
@@ -57,7 +57,6 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx,
|
|
||||||
krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx,
|
|
||||||
krb5_context context,
|
|
||||||
int flags,
|
|
||||||
- krb5_const_principal client_principal,
|
|
||||||
krb5_db_entry *client,
|
|
||||||
krb5_db_entry *server,
|
|
||||||
krb5_db_entry *krbtgt,
|
|
||||||
@@ -74,9 +73,8 @@ int mit_samba_check_client_access(struct mit_samba_context *ctx,
|
|
||||||
DATA_BLOB *e_data);
|
|
||||||
|
|
||||||
int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx,
|
|
||||||
- krb5_db_entry *kentry,
|
|
||||||
- const char *target_name,
|
|
||||||
- bool is_nt_enterprise_name);
|
|
||||||
+ const krb5_db_entry *server,
|
|
||||||
+ krb5_const_principal target_principal);
|
|
||||||
|
|
||||||
int mit_samba_kpasswd_change_password(struct mit_samba_context *ctx,
|
|
||||||
char *pwd,
|
|
||||||
--
|
|
||||||
2.37.1
|
|
||||||
|
|
||||||
|
|
||||||
From 325912375cf54743ab8ea557172a72b870002e9f Mon Sep 17 00:00:00 2001
|
|
||||||
From: Isaac Boukris <iboukris@gmail.com>
|
|
||||||
Date: Fri, 27 Sep 2019 18:35:30 +0300
|
|
||||||
Subject: [PATCH 2/3] krb5-mit: enable S4U client support for MIT build
|
|
||||||
|
|
||||||
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
|
|
||||||
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
|
|
||||||
---
|
|
||||||
lib/krb5_wrap/krb5_samba.c | 185 ++++++++++++++++++++++++++
|
|
||||||
lib/krb5_wrap/krb5_samba.h | 2 -
|
|
||||||
source4/auth/kerberos/kerberos_util.c | 11 --
|
|
||||||
3 files changed, 185 insertions(+), 13 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
|
|
||||||
index 4321f07ca09..3fd95e47fca 100644
|
|
||||||
--- a/lib/krb5_wrap/krb5_samba.c
|
|
||||||
+++ b/lib/krb5_wrap/krb5_samba.c
|
|
||||||
@@ -2702,6 +2702,191 @@ krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx,
|
|
||||||
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+#else /* MIT */
|
|
||||||
+
|
|
||||||
+static bool princ_compare_no_dollar(krb5_context ctx,
|
|
||||||
+ krb5_principal a,
|
|
||||||
+ krb5_principal b)
|
|
||||||
+{
|
|
||||||
+ bool cmp;
|
|
||||||
+ krb5_principal mod = NULL;
|
|
||||||
+
|
|
||||||
+ if (a->length == 1 && b->length == 1 &&
|
|
||||||
+ a->data[0].length != 0 && b->data[0].length != 0 &&
|
|
||||||
+ a->data[0].data[a->data[0].length -1] !=
|
|
||||||
+ b->data[0].data[b->data[0].length -1]) {
|
|
||||||
+ if (a->data[0].data[a->data[0].length -1] == '$') {
|
|
||||||
+ mod = a;
|
|
||||||
+ mod->data[0].length--;
|
|
||||||
+ } else if (b->data[0].data[b->data[0].length -1] == '$') {
|
|
||||||
+ mod = b;
|
|
||||||
+ mod->data[0].length--;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ cmp = krb5_principal_compare_flags(ctx, a, b,
|
|
||||||
+ KRB5_PRINCIPAL_COMPARE_CASEFOLD);
|
|
||||||
+
|
|
||||||
+ if (mod != NULL) {
|
|
||||||
+ mod->data[0].length++;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ return cmp;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx,
|
|
||||||
+ krb5_ccache store_cc,
|
|
||||||
+ krb5_principal init_principal,
|
|
||||||
+ const char *init_password,
|
|
||||||
+ krb5_principal impersonate_principal,
|
|
||||||
+ const char *self_service,
|
|
||||||
+ const char *target_service,
|
|
||||||
+ krb5_get_init_creds_opt *krb_options,
|
|
||||||
+ time_t *expire_time,
|
|
||||||
+ time_t *kdc_time)
|
|
||||||
+{
|
|
||||||
+ krb5_error_code code;
|
|
||||||
+ krb5_principal self_princ = NULL;
|
|
||||||
+ krb5_principal target_princ = NULL;
|
|
||||||
+ krb5_creds *store_creds;
|
|
||||||
+ krb5_creds *s4u2self_creds = NULL;
|
|
||||||
+ krb5_creds *s4u2proxy_creds = NULL;
|
|
||||||
+ krb5_creds init_creds = {0};
|
|
||||||
+ krb5_creds mcreds = {0};
|
|
||||||
+ krb5_flags options = KRB5_GC_NO_STORE;
|
|
||||||
+ krb5_ccache tmp_cc;
|
|
||||||
+ bool s4u2proxy;
|
|
||||||
+
|
|
||||||
+ code = krb5_cc_new_unique(ctx, "MEMORY", NULL, &tmp_cc);
|
|
||||||
+ if (code != 0) {
|
|
||||||
+ return code;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ code = krb5_get_init_creds_password(ctx, &init_creds,
|
|
||||||
+ init_principal,
|
|
||||||
+ init_password,
|
|
||||||
+ NULL, NULL,
|
|
||||||
+ 0,
|
|
||||||
+ NULL,
|
|
||||||
+ krb_options);
|
|
||||||
+ if (code != 0) {
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ code = krb5_cc_initialize(ctx, tmp_cc, init_creds.client);
|
|
||||||
+ if (code != 0) {
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ code = krb5_cc_store_cred(ctx, tmp_cc, &init_creds);
|
|
||||||
+ if (code != 0) {
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /*
|
|
||||||
+ * Check if we also need S4U2Proxy or if S4U2Self is
|
|
||||||
+ * enough in order to get a ticket for the target.
|
|
||||||
+ */
|
|
||||||
+ if (target_service == NULL) {
|
|
||||||
+ s4u2proxy = false;
|
|
||||||
+ } else if (strcmp(target_service, self_service) == 0) {
|
|
||||||
+ s4u2proxy = false;
|
|
||||||
+ } else {
|
|
||||||
+ s4u2proxy = true;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ code = krb5_parse_name(ctx, self_service, &self_princ);
|
|
||||||
+ if (code != 0) {
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /* MIT lacks aliases support in S4U, for S4U2Self we require the tgt
|
|
||||||
+ * client and the request server to be the same principal name. */
|
|
||||||
+ if (!princ_compare_no_dollar(ctx, init_creds.client, self_princ)) {
|
|
||||||
+ code = KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ mcreds.client = impersonate_principal;
|
|
||||||
+ mcreds.server = init_creds.client;
|
|
||||||
+
|
|
||||||
+ code = krb5_get_credentials_for_user(ctx, options, tmp_cc, &mcreds,
|
|
||||||
+ NULL, &s4u2self_creds);
|
|
||||||
+ if (code != 0) {
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (s4u2proxy) {
|
|
||||||
+ code = krb5_parse_name(ctx, target_service, &target_princ);
|
|
||||||
+ if (code != 0) {
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ mcreds.client = init_creds.client;
|
|
||||||
+ mcreds.server = target_princ;
|
|
||||||
+ mcreds.second_ticket = s4u2self_creds->ticket;
|
|
||||||
+
|
|
||||||
+ code = krb5_get_credentials(ctx, options |
|
|
||||||
+ KRB5_GC_CONSTRAINED_DELEGATION,
|
|
||||||
+ tmp_cc, &mcreds, &s4u2proxy_creds);
|
|
||||||
+ if (code != 0) {
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /* Check KDC support of S4U2Proxy extension */
|
|
||||||
+ if (!krb5_principal_compare(ctx, s4u2self_creds->client,
|
|
||||||
+ s4u2proxy_creds->client)) {
|
|
||||||
+ code = KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ store_creds = s4u2proxy_creds;
|
|
||||||
+ } else {
|
|
||||||
+ store_creds = s4u2self_creds;;
|
|
||||||
+
|
|
||||||
+ /* We need to save the ticket with the requested server name
|
|
||||||
+ * or the caller won't be able to find it in cache. */
|
|
||||||
+ if (!krb5_principal_compare(ctx, self_princ,
|
|
||||||
+ store_creds->server)) {
|
|
||||||
+ krb5_free_principal(ctx, store_creds->server);
|
|
||||||
+ store_creds->server = NULL;
|
|
||||||
+ code = krb5_copy_principal(ctx, self_princ,
|
|
||||||
+ &store_creds->server);
|
|
||||||
+ if (code != 0) {
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ code = krb5_cc_initialize(ctx, store_cc, store_creds->client);
|
|
||||||
+ if (code != 0) {
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ code = krb5_cc_store_cred(ctx, store_cc, store_creds);
|
|
||||||
+ if (code != 0) {
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (expire_time) {
|
|
||||||
+ *expire_time = (time_t) store_creds->times.endtime;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (kdc_time) {
|
|
||||||
+ *kdc_time = (time_t) store_creds->times.starttime;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+done:
|
|
||||||
+ krb5_cc_destroy(ctx, tmp_cc);
|
|
||||||
+ krb5_free_cred_contents(ctx, &init_creds);
|
|
||||||
+ krb5_free_creds(ctx, s4u2self_creds);
|
|
||||||
+ krb5_free_creds(ctx, s4u2proxy_creds);
|
|
||||||
+ krb5_free_principal(ctx, self_princ);
|
|
||||||
+ krb5_free_principal(ctx, target_princ);
|
|
||||||
+
|
|
||||||
+ return code;
|
|
||||||
+}
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#if !defined(HAVE_KRB5_MAKE_PRINCIPAL) && defined(HAVE_KRB5_BUILD_PRINCIPAL_ALLOC_VA)
|
|
||||||
diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h
|
|
||||||
index a66b7465530..c8573f52bd9 100644
|
|
||||||
--- a/lib/krb5_wrap/krb5_samba.h
|
|
||||||
+++ b/lib/krb5_wrap/krb5_samba.h
|
|
||||||
@@ -252,7 +252,6 @@ krb5_error_code smb_krb5_kinit_password_ccache(krb5_context ctx,
|
|
||||||
krb5_get_init_creds_opt *krb_options,
|
|
||||||
time_t *expire_time,
|
|
||||||
time_t *kdc_time);
|
|
||||||
-#ifdef SAMBA4_USES_HEIMDAL
|
|
||||||
krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx,
|
|
||||||
krb5_ccache store_cc,
|
|
||||||
krb5_principal init_principal,
|
|
||||||
@@ -263,7 +262,6 @@ krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx,
|
|
||||||
krb5_get_init_creds_opt *krb_options,
|
|
||||||
time_t *expire_time,
|
|
||||||
time_t *kdc_time);
|
|
||||||
-#endif
|
|
||||||
|
|
||||||
#if defined(HAVE_KRB5_MAKE_PRINCIPAL)
|
|
||||||
#define smb_krb5_make_principal krb5_make_principal
|
|
||||||
diff --git a/source4/auth/kerberos/kerberos_util.c b/source4/auth/kerberos/kerberos_util.c
|
|
||||||
index 544d9d853cc..c14d8c72d8c 100644
|
|
||||||
--- a/source4/auth/kerberos/kerberos_util.c
|
|
||||||
+++ b/source4/auth/kerberos/kerberos_util.c
|
|
||||||
@@ -234,9 +234,7 @@ done:
|
|
||||||
{
|
|
||||||
krb5_error_code ret;
|
|
||||||
const char *password;
|
|
||||||
-#ifdef SAMBA4_USES_HEIMDAL
|
|
||||||
const char *self_service;
|
|
||||||
-#endif
|
|
||||||
const char *target_service;
|
|
||||||
time_t kdc_time = 0;
|
|
||||||
krb5_principal princ;
|
|
||||||
@@ -268,9 +266,7 @@ done:
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
-#ifdef SAMBA4_USES_HEIMDAL
|
|
||||||
self_service = cli_credentials_get_self_service(credentials);
|
|
||||||
-#endif
|
|
||||||
target_service = cli_credentials_get_target_service(credentials);
|
|
||||||
|
|
||||||
password = cli_credentials_get_password(credentials);
|
|
||||||
@@ -331,7 +327,6 @@ done:
|
|
||||||
#endif
|
|
||||||
if (password) {
|
|
||||||
if (impersonate_principal) {
|
|
||||||
-#ifdef SAMBA4_USES_HEIMDAL
|
|
||||||
ret = smb_krb5_kinit_s4u2_ccache(smb_krb5_context->krb5_context,
|
|
||||||
ccache,
|
|
||||||
princ,
|
|
||||||
@@ -342,12 +337,6 @@ done:
|
|
||||||
krb_options,
|
|
||||||
NULL,
|
|
||||||
&kdc_time);
|
|
||||||
-#else
|
|
||||||
- talloc_free(mem_ctx);
|
|
||||||
- (*error_string) = "INTERNAL error: s4u2 ops "
|
|
||||||
- "are not supported with MIT build yet";
|
|
||||||
- return EINVAL;
|
|
||||||
-#endif
|
|
||||||
} else {
|
|
||||||
ret = smb_krb5_kinit_password_ccache(smb_krb5_context->krb5_context,
|
|
||||||
ccache,
|
|
||||||
--
|
|
||||||
2.37.1
|
|
||||||
|
|
||||||
|
|
||||||
From a5713b1558192f24348f7794da84bf65cf78e6ec Mon Sep 17 00:00:00 2001
|
|
||||||
From: Isaac Boukris <iboukris@gmail.com>
|
|
||||||
Date: Sat, 19 Sep 2020 14:16:20 +0200
|
|
||||||
Subject: [PATCH 3/3] wip: for canonicalization with new MIT kdc code
|
|
||||||
|
|
||||||
---
|
|
||||||
source4/kdc/mit_samba.c | 3 +++
|
|
||||||
1 file changed, 3 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c
|
|
||||||
index 03c2c2ea1de..30fade56531 100644
|
|
||||||
--- a/source4/kdc/mit_samba.c
|
|
||||||
+++ b/source4/kdc/mit_samba.c
|
|
||||||
@@ -232,6 +232,9 @@ int mit_samba_get_principal(struct mit_samba_context *ctx,
|
|
||||||
if (kflags & KRB5_KDB_FLAG_CANONICALIZE) {
|
|
||||||
sflags |= SDB_F_CANON;
|
|
||||||
}
|
|
||||||
+#if KRB5_KDB_API_VERSION >= 10
|
|
||||||
+ sflags |= SDB_F_FORCE_CANON;
|
|
||||||
+#endif
|
|
||||||
if (kflags & (KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY |
|
|
||||||
KRB5_KDB_FLAG_INCLUDE_PAC)) {
|
|
||||||
/*
|
|
||||||
--
|
|
||||||
2.37.1
|
|
||||||
|
|
@ -138,7 +138,7 @@
|
|||||||
%define samba_requires_eq() %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not")
|
%define samba_requires_eq() %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not")
|
||||||
|
|
||||||
%global samba_version 4.18.4
|
%global samba_version 4.18.4
|
||||||
%global baserelease 101
|
%global baserelease 102
|
||||||
# This should be rc1 or %%nil
|
# This should be rc1 or %%nil
|
||||||
%global pre_release %nil
|
%global pre_release %nil
|
||||||
|
|
||||||
@ -234,6 +234,8 @@ Source17: samba-usershares-systemd-sysusers.conf
|
|||||||
Source201: README.downgrade
|
Source201: README.downgrade
|
||||||
Source202: samba.abignore
|
Source202: samba.abignore
|
||||||
|
|
||||||
|
Patch0: samba-4.18-netlogon.patch
|
||||||
|
|
||||||
Requires(pre): /usr/sbin/groupadd
|
Requires(pre): /usr/sbin/groupadd
|
||||||
|
|
||||||
Requires(pre): %{name}-common = %{samba_depver}
|
Requires(pre): %{name}-common = %{samba_depver}
|
||||||
@ -4328,6 +4330,9 @@ fi
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Jul 17 2023 Pavel Filipenský <pfilipen@redhat.com> - 4.18.4-102
|
||||||
|
- resolves: rhbz#2222883 - Fix trust relationship between workstation and DC
|
||||||
|
|
||||||
* Mon Jul 10 2023 Pavel Filipenský <pfilipen@redhat.com> - 4.18.4-101
|
* Mon Jul 10 2023 Pavel Filipenský <pfilipen@redhat.com> - 4.18.4-101
|
||||||
- resolves: rhbz#2216712 - Fix broken symlink for libwbclient
|
- resolves: rhbz#2216712 - Fix broken symlink for libwbclient
|
||||||
- resolves: rhbz#2214327 - Fix segfault of winbind child when listing users with `winbind scan trusted domains = yes`
|
- resolves: rhbz#2214327 - Fix segfault of winbind child when listing users with `winbind scan trusted domains = yes`
|
||||||
|
Loading…
Reference in New Issue
Block a user