Rebase on 4.9.1 from el 7.7

With DC support
tags/samba-4.9.1-100.dc.beta0
Daniel Berteaud 5 years ago
parent 58a4cc823d
commit 4e2cf31532
  1. 199
      CVE-2018-10858.patch
  2. 753
      CVE-2018-1139.patch
  3. 38
      samba-4.10-fix_gencache_debug_message.patch
  4. 270
      samba-4.8.3-fix_krb5_plugins.patch
  5. 216
      samba-4.8.3-fix_winbind_getpwnam_local_user.patch
  6. 64
      samba-4.8.3-smbclient_quiet_argument.patch
  7. 6
      samba-4.8.3.tar.asc
  8. BIN
      samba-4.8.3.tar.xz
  9. 151
      samba-4.9-CVE-2019-3880.patch
  10. 280
      samba-4.9-add_smbc_setOptionProtocols.patch
  11. 252
      samba-4.9-disable_netbios.patch
  12. 37
      samba-4.9-doc_smbclient_max_protocol.patch
  13. 32
      samba-4.9-fix_cups_printing.patch
  14. 40
      samba-4.9-fix_debug_segfault.patch
  15. 87
      samba-4.9-fix_force_group_panic.patch
  16. 544
      samba-4.9-fix_net_ads_join_admin_otherdomain.patch
  17. 56
      samba-4.9-fix_net_ads_krb5.patch
  18. 76
      samba-4.9-fix_smbspool_as_cups_backend.patch
  19. 4
      samba-4.9-fix_smbspool_krb5_auth.patch
  20. 2126
      samba-4.9-fix_testparm_crash.patch
  21. 39
      samba-4.9-fix_winbind_passdb_segfault.patch
  22. 402
      samba-4.9-harden_homes_share.patch
  23. 119
      samba-4.9-net_ads_leave_keep_account.patch
  24. 179
      samba-4.9-static_analysis_fixes.patch
  25. 117
      samba-4.9.0rc5-stack-protector.patch
  26. 6
      samba-4.9.1.tar.asc
  27. BIN
      samba-4.9.1.tar.xz
  28. 481
      samba.spec

@ -1,199 +0,0 @@
From 8e9016a11c7ebd08e92277962e495945a3ad588f Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Fri, 15 Jun 2018 15:07:17 -0700
Subject: [PATCH 1/2] libsmb: Ensure smbc_urlencode() can't overwrite passed in
buffer.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13453
CVE-2018-10858: Insufficient input validation on client directory
listing in libsmbclient.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
---
source3/libsmb/libsmb_path.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/source3/libsmb/libsmb_path.c b/source3/libsmb/libsmb_path.c
index 01b0a61e483..ed70ab37550 100644
--- a/source3/libsmb/libsmb_path.c
+++ b/source3/libsmb/libsmb_path.c
@@ -173,8 +173,13 @@ smbc_urlencode(char *dest,
}
}
- *dest++ = '\0';
- max_dest_len--;
+ if (max_dest_len == 0) {
+ /* Ensure we return -1 if no null termination. */
+ return -1;
+ }
+
+ *dest++ = '\0';
+ max_dest_len--;
return max_dest_len;
}
--
2.11.0
From 0a259d3c56b7e436c0b589b175619565e0515fa0 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Fri, 15 Jun 2018 15:08:17 -0700
Subject: [PATCH 2/2] libsmb: Harden smbc_readdir_internal() against returns
from malicious servers.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13453
CVE-2018-10858: Insufficient input validation on client directory
listing in libsmbclient.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
---
source3/libsmb/libsmb_dir.c | 57 ++++++++++++++++++++++++++++++++++++++------
source3/libsmb/libsmb_path.c | 2 +-
2 files changed, 51 insertions(+), 8 deletions(-)
diff --git a/source3/libsmb/libsmb_dir.c b/source3/libsmb/libsmb_dir.c
index 72441c46736..54c2bcb3c73 100644
--- a/source3/libsmb/libsmb_dir.c
+++ b/source3/libsmb/libsmb_dir.c
@@ -943,27 +943,47 @@ SMBC_closedir_ctx(SMBCCTX *context,
}
-static void
+static int
smbc_readdir_internal(SMBCCTX * context,
struct smbc_dirent *dest,
struct smbc_dirent *src,
int max_namebuf_len)
{
if (smbc_getOptionUrlEncodeReaddirEntries(context)) {
+ int remaining_len;
/* url-encode the name. get back remaining buffer space */
- max_namebuf_len =
+ remaining_len =
smbc_urlencode(dest->name, src->name, max_namebuf_len);
+ /* -1 means no null termination. */
+ if (remaining_len < 0) {
+ return -1;
+ }
+
/* We now know the name length */
dest->namelen = strlen(dest->name);
+ if (dest->namelen + 1 < 1) {
+ /* Integer wrap. */
+ return -1;
+ }
+
+ if (dest->namelen + 1 >= max_namebuf_len) {
+ /* Out of space for comment. */
+ return -1;
+ }
+
/* Save the pointer to the beginning of the comment */
dest->comment = dest->name + dest->namelen + 1;
+ if (remaining_len < 1) {
+ /* No room for comment null termination. */
+ return -1;
+ }
+
/* Copy the comment */
- strncpy(dest->comment, src->comment, max_namebuf_len - 1);
- dest->comment[max_namebuf_len - 1] = '\0';
+ strlcpy(dest->comment, src->comment, remaining_len);
/* Save other fields */
dest->smbc_type = src->smbc_type;
@@ -973,10 +993,21 @@ smbc_readdir_internal(SMBCCTX * context,
} else {
/* No encoding. Just copy the entry as is. */
+ if (src->dirlen > max_namebuf_len) {
+ return -1;
+ }
memcpy(dest, src, src->dirlen);
+ if (src->namelen + 1 < 1) {
+ /* Integer wrap */
+ return -1;
+ }
+ if (src->namelen + 1 >= max_namebuf_len) {
+ /* Comment off the end. */
+ return -1;
+ }
dest->comment = (char *)(&dest->name + src->namelen + 1);
}
-
+ return 0;
}
/*
@@ -988,6 +1019,7 @@ SMBC_readdir_ctx(SMBCCTX *context,
SMBCFILE *dir)
{
int maxlen;
+ int ret;
struct smbc_dirent *dirp, *dirent;
TALLOC_CTX *frame = talloc_stackframe();
@@ -1037,7 +1069,12 @@ SMBC_readdir_ctx(SMBCCTX *context,
dirp = &context->internal->dirent;
maxlen = sizeof(context->internal->_dirent_name);
- smbc_readdir_internal(context, dirp, dirent, maxlen);
+ ret = smbc_readdir_internal(context, dirp, dirent, maxlen);
+ if (ret == -1) {
+ errno = EINVAL;
+ TALLOC_FREE(frame);
+ return NULL;
+ }
dir->dir_next = dir->dir_next->next;
@@ -1095,6 +1132,7 @@ SMBC_getdents_ctx(SMBCCTX *context,
*/
while ((dirlist = dir->dir_next)) {
+ int ret;
struct smbc_dirent *dirent;
struct smbc_dirent *currentEntry = (struct smbc_dirent *)ndir;
@@ -1109,8 +1147,13 @@ SMBC_getdents_ctx(SMBCCTX *context,
/* Do urlencoding of next entry, if so selected */
dirent = &context->internal->dirent;
maxlen = sizeof(context->internal->_dirent_name);
- smbc_readdir_internal(context, dirent,
+ ret = smbc_readdir_internal(context, dirent,
dirlist->dirent, maxlen);
+ if (ret == -1) {
+ errno = EINVAL;
+ TALLOC_FREE(frame);
+ return -1;
+ }
reqd = dirent->dirlen;
diff --git a/source3/libsmb/libsmb_path.c b/source3/libsmb/libsmb_path.c
index ed70ab37550..5b53b386a67 100644
--- a/source3/libsmb/libsmb_path.c
+++ b/source3/libsmb/libsmb_path.c
@@ -173,7 +173,7 @@ smbc_urlencode(char *dest,
}
}
- if (max_dest_len == 0) {
+ if (max_dest_len <= 0) {
/* Ensure we return -1 if no null termination. */
return -1;
}
--
2.11.0

@ -1,753 +0,0 @@
From 34a9663509fe12778cca621e765b027e26ed1e34 Mon Sep 17 00:00:00 2001
From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Date: Thu, 22 Feb 2018 11:54:45 +1300
Subject: [PATCH 1/6] selftest/tests.py: remove always-needed, never-set
with_cmocka flag
We have cmocka in third_party, so we are never without it.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(Backported from commit 33ef0e57a4f08eae5ea06f482374fbc0a1014de6
by Andrew Bartlett)
---
selftest/tests.py | 18 ++++++++----------
1 file changed, 8 insertions(+), 10 deletions(-)
diff --git a/selftest/tests.py b/selftest/tests.py
index 126e1184230..3f5097b680c 100644
--- a/selftest/tests.py
+++ b/selftest/tests.py
@@ -38,7 +38,6 @@ finally:
f.close()
have_man_pages_support = ("XSLTPROC_MANPAGES" in config_hash)
-with_cmocka = ("HAVE_CMOCKA" in config_hash)
with_pam = ("WITH_PAM" in config_hash)
pam_wrapper_so_path=config_hash["LIBPAM_WRAPPER_SO_PATH"]
@@ -168,13 +167,12 @@ if with_pam:
valgrindify(python), pam_wrapper_so_path,
"$DOMAIN", "alice", "Secret007"])
-if with_cmocka:
- plantestsuite("samba.unittests.krb5samba", "none",
- [os.path.join(bindir(), "default/testsuite/unittests/test_krb5samba")])
- plantestsuite("samba.unittests.sambafs_srv_pipe", "none",
- [os.path.join(bindir(), "default/testsuite/unittests/test_sambafs_srv_pipe")])
- plantestsuite("samba.unittests.lib_util_modules", "none",
- [os.path.join(bindir(), "default/testsuite/unittests/test_lib_util_modules")])
+plantestsuite("samba.unittests.krb5samba", "none",
+ [os.path.join(bindir(), "default/testsuite/unittests/test_krb5samba")])
+plantestsuite("samba.unittests.sambafs_srv_pipe", "none",
+ [os.path.join(bindir(), "default/testsuite/unittests/test_sambafs_srv_pipe")])
+plantestsuite("samba.unittests.lib_util_modules", "none",
+ [os.path.join(bindir(), "default/testsuite/unittests/test_lib_util_modules")])
- plantestsuite("samba.unittests.smb1cli_session", "none",
- [os.path.join(bindir(), "default/libcli/smb/test_smb1cli_session")])
+plantestsuite("samba.unittests.smb1cli_session", "none",
+ [os.path.join(bindir(), "default/libcli/smb/test_smb1cli_session")])
--
2.14.4
From e99322edcf4c39614d596fd1be636fd8dd610abc Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Fri, 27 Jul 2018 08:44:24 +1200
Subject: [PATCH 2/6] CVE-2018-1139 libcli/auth: Add initial tests for
ntlm_password_check()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
---
libcli/auth/tests/ntlm_check.c | 413 +++++++++++++++++++++++++++++++++++++++++
libcli/auth/wscript_build | 13 ++
selftest/knownfail.d/ntlm | 2 +
selftest/tests.py | 2 +
4 files changed, 430 insertions(+)
create mode 100644 libcli/auth/tests/ntlm_check.c
create mode 100644 selftest/knownfail.d/ntlm
diff --git a/libcli/auth/tests/ntlm_check.c b/libcli/auth/tests/ntlm_check.c
new file mode 100644
index 00000000000..e87a0a276d4
--- /dev/null
+++ b/libcli/auth/tests/ntlm_check.c
@@ -0,0 +1,413 @@
+/*
+ * Unit tests for the ntlm_check password hash check library.
+ *
+ * Copyright (C) Andrew Bartlett <abartlet@samba.org> 2018
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+/*
+ * from cmocka.c:
+ * These headers or their equivalents should be included prior to
+ * including
+ * this header file.
+ *
+ * #include <stdarg.h>
+ * #include <stddef.h>
+ * #include <setjmp.h>
+ *
+ * This allows test applications to use custom definitions of C standard
+ * library functions and types.
+ *
+ */
+
+/*
+ * Note that the messaging routines (audit_message_send and get_event_server)
+ * are not tested by these unit tests. Currently they are for integration
+ * test support, and as such are exercised by the integration tests.
+ */
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+#include "includes.h"
+#include "../lib/crypto/crypto.h"
+#include "librpc/gen_ndr/netlogon.h"
+#include "libcli/auth/libcli_auth.h"
+#include "auth/credentials/credentials.h"
+
+struct ntlm_state {
+ const char *username;
+ const char *domain;
+ DATA_BLOB challenge;
+ DATA_BLOB ntlm;
+ DATA_BLOB lm;
+ DATA_BLOB ntlm_key;
+ DATA_BLOB lm_key;
+ const struct samr_Password *nt_hash;
+};
+
+static int test_ntlm_setup_with_options(void **state,
+ int flags, bool upn)
+{
+ NTSTATUS status;
+ DATA_BLOB challenge = {
+ .data = discard_const_p(uint8_t, "I am a teapot"),
+ .length = 8
+ };
+ struct ntlm_state *ntlm_state = talloc(NULL, struct ntlm_state);
+ DATA_BLOB target_info = NTLMv2_generate_names_blob(ntlm_state,
+ NULL,
+ "serverdom");
+ struct cli_credentials *creds = cli_credentials_init(ntlm_state);
+ cli_credentials_set_username(creds,
+ "testuser",
+ CRED_SPECIFIED);
+ cli_credentials_set_domain(creds,
+ "testdom",
+ CRED_SPECIFIED);
+ cli_credentials_set_workstation(creds,
+ "testwksta",
+ CRED_SPECIFIED);
+ cli_credentials_set_password(creds,
+ "testpass",
+ CRED_SPECIFIED);
+
+ if (upn) {
+ cli_credentials_set_principal(creds,
+ "testuser@samba.org",
+ CRED_SPECIFIED);
+ }
+
+ cli_credentials_get_ntlm_username_domain(creds,
+ ntlm_state,
+ &ntlm_state->username,
+ &ntlm_state->domain);
+
+ status = cli_credentials_get_ntlm_response(creds,
+ ntlm_state,
+ &flags,
+ challenge,
+ NULL,
+ target_info,
+ &ntlm_state->lm,
+ &ntlm_state->ntlm,
+ &ntlm_state->lm_key,
+ &ntlm_state->ntlm_key);
+ ntlm_state->challenge = challenge;
+
+ ntlm_state->nt_hash = cli_credentials_get_nt_hash(creds,
+ ntlm_state);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ return -1;
+ }
+
+ *state = ntlm_state;
+ return 0;
+}
+
+static int test_ntlm_setup(void **state) {
+ return test_ntlm_setup_with_options(state, 0, false);
+}
+
+static int test_ntlm_and_lm_setup(void **state) {
+ return test_ntlm_setup_with_options(state,
+ CLI_CRED_LANMAN_AUTH,
+ false);
+}
+
+static int test_ntlm2_setup(void **state) {
+ return test_ntlm_setup_with_options(state,
+ CLI_CRED_NTLM2,
+ false);
+}
+
+static int test_ntlmv2_setup(void **state) {
+ return test_ntlm_setup_with_options(state,
+ CLI_CRED_NTLMv2_AUTH,
+ false);
+}
+
+static int test_ntlm_teardown(void **state)
+{
+ struct ntlm_state *ntlm_state
+ = talloc_get_type_abort(*state,
+ struct ntlm_state);
+ TALLOC_FREE(ntlm_state);
+ *state = NULL;
+ return 0;
+}
+
+static void test_ntlm_allowed(void **state)
+{
+ DATA_BLOB user_sess_key, lm_sess_key;
+ struct ntlm_state *ntlm_state
+ = talloc_get_type_abort(*state,
+ struct ntlm_state);
+ NTSTATUS status;
+ status = ntlm_password_check(ntlm_state,
+ false,
+ NTLM_AUTH_ON,
+ 0,
+ &ntlm_state->challenge,
+ &ntlm_state->lm,
+ &ntlm_state->ntlm,
+ ntlm_state->username,
+ ntlm_state->username,
+ ntlm_state->domain,
+ NULL,
+ ntlm_state->nt_hash,
+ &user_sess_key,
+ &lm_sess_key);
+
+ assert_int_equal(NT_STATUS_V(status), NT_STATUS_V(NT_STATUS_OK));
+}
+
+static void test_ntlm_allowed_lm_supplied(void **state)
+{
+ return test_ntlm_allowed(state);
+}
+
+static void test_ntlm_disabled(void **state)
+{
+ DATA_BLOB user_sess_key, lm_sess_key;
+ struct ntlm_state *ntlm_state
+ = talloc_get_type_abort(*state,
+ struct ntlm_state);
+ NTSTATUS status;
+ status = ntlm_password_check(ntlm_state,
+ false,
+ NTLM_AUTH_DISABLED,
+ 0,
+ &ntlm_state->challenge,
+ &ntlm_state->lm,
+ &ntlm_state->ntlm,
+ ntlm_state->username,
+ ntlm_state->username,
+ ntlm_state->domain,
+ NULL,
+ ntlm_state->nt_hash,
+ &user_sess_key,
+ &lm_sess_key);
+
+ assert_int_equal(NT_STATUS_V(status), NT_STATUS_V(NT_STATUS_NTLM_BLOCKED));
+}
+
+static void test_ntlm2(void **state)
+{
+ DATA_BLOB user_sess_key, lm_sess_key;
+ struct ntlm_state *ntlm_state
+ = talloc_get_type_abort(*state,
+ struct ntlm_state);
+ NTSTATUS status;
+ status = ntlm_password_check(ntlm_state,
+ false,
+ NTLM_AUTH_ON,
+ 0,
+ &ntlm_state->challenge,
+ &ntlm_state->lm,
+ &ntlm_state->ntlm,
+ ntlm_state->username,
+ ntlm_state->username,
+ ntlm_state->domain,
+ NULL,
+ ntlm_state->nt_hash,
+ &user_sess_key,
+ &lm_sess_key);
+
+ /*
+ * NTLM2 session security (where the real challenge is the
+ * MD5(challenge, client-challenge) (in the first 8 bytes of
+ * the lm) isn't decoded by ntlm_password_check(), it must
+ * first be converted back into normal NTLM by the NTLMSSP
+ * layer
+ */
+ assert_int_equal(NT_STATUS_V(status),
+ NT_STATUS_V(NT_STATUS_WRONG_PASSWORD));
+}
+
+static void test_ntlm_mschapv2_only_allowed(void **state)
+{
+ DATA_BLOB user_sess_key, lm_sess_key;
+ struct ntlm_state *ntlm_state
+ = talloc_get_type_abort(*state,
+ struct ntlm_state);
+ NTSTATUS status;
+ status = ntlm_password_check(ntlm_state,
+ false,
+ NTLM_AUTH_MSCHAPv2_NTLMV2_ONLY,
+ MSV1_0_ALLOW_MSVCHAPV2,
+ &ntlm_state->challenge,
+ &ntlm_state->lm,
+ &ntlm_state->ntlm,
+ ntlm_state->username,
+ ntlm_state->username,
+ ntlm_state->domain,
+ NULL,
+ ntlm_state->nt_hash,
+ &user_sess_key,
+ &lm_sess_key);
+
+ assert_int_equal(NT_STATUS_V(status), NT_STATUS_V(NT_STATUS_OK));
+}
+
+static void test_ntlm_mschapv2_only_denied(void **state)
+{
+ DATA_BLOB user_sess_key, lm_sess_key;
+ struct ntlm_state *ntlm_state
+ = talloc_get_type_abort(*state,
+ struct ntlm_state);
+ NTSTATUS status;
+ status = ntlm_password_check(ntlm_state,
+ false,
+ NTLM_AUTH_MSCHAPv2_NTLMV2_ONLY,
+ 0,
+ &ntlm_state->challenge,
+ &ntlm_state->lm,
+ &ntlm_state->ntlm,
+ ntlm_state->username,
+ ntlm_state->username,
+ ntlm_state->domain,
+ NULL,
+ ntlm_state->nt_hash,
+ &user_sess_key,
+ &lm_sess_key);
+
+ assert_int_equal(NT_STATUS_V(status),
+ NT_STATUS_V(NT_STATUS_WRONG_PASSWORD));
+}
+
+static void test_ntlmv2_only_ntlmv2(void **state)
+{
+ DATA_BLOB user_sess_key, lm_sess_key;
+ struct ntlm_state *ntlm_state
+ = talloc_get_type_abort(*state,
+ struct ntlm_state);
+ NTSTATUS status;
+ status = ntlm_password_check(ntlm_state,
+ false,
+ NTLM_AUTH_NTLMV2_ONLY,
+ 0,
+ &ntlm_state->challenge,
+ &ntlm_state->lm,
+ &ntlm_state->ntlm,
+ ntlm_state->username,
+ ntlm_state->username,
+ ntlm_state->domain,
+ NULL,
+ ntlm_state->nt_hash,
+ &user_sess_key,
+ &lm_sess_key);
+
+ assert_int_equal(NT_STATUS_V(status), NT_STATUS_V(NT_STATUS_OK));
+}
+
+static void test_ntlmv2_only_ntlm(void **state)
+{
+ DATA_BLOB user_sess_key, lm_sess_key;
+ struct ntlm_state *ntlm_state
+ = talloc_get_type_abort(*state,
+ struct ntlm_state);
+ NTSTATUS status;
+ status = ntlm_password_check(ntlm_state,
+ false,
+ NTLM_AUTH_NTLMV2_ONLY,
+ 0,
+ &ntlm_state->challenge,
+ &ntlm_state->lm,
+ &ntlm_state->ntlm,
+ ntlm_state->username,
+ ntlm_state->username,
+ ntlm_state->domain,
+ NULL,
+ ntlm_state->nt_hash,
+ &user_sess_key,
+ &lm_sess_key);
+
+ assert_int_equal(NT_STATUS_V(status),
+ NT_STATUS_V(NT_STATUS_WRONG_PASSWORD));
+}
+
+static void test_ntlmv2_only_ntlm_and_lanman(void **state)
+{
+ return test_ntlmv2_only_ntlm(state);
+}
+
+static void test_ntlmv2_only_ntlm_once(void **state)
+{
+ DATA_BLOB user_sess_key, lm_sess_key;
+ struct ntlm_state *ntlm_state
+ = talloc_get_type_abort(*state,
+ struct ntlm_state);
+ NTSTATUS status;
+ status = ntlm_password_check(ntlm_state,
+ false,
+ NTLM_AUTH_NTLMV2_ONLY,
+ 0,
+ &ntlm_state->challenge,
+ &data_blob_null,
+ &ntlm_state->ntlm,
+ ntlm_state->username,
+ ntlm_state->username,
+ ntlm_state->domain,
+ NULL,
+ ntlm_state->nt_hash,
+ &user_sess_key,
+ &lm_sess_key);
+
+ assert_int_equal(NT_STATUS_V(status),
+ NT_STATUS_V(NT_STATUS_WRONG_PASSWORD));
+}
+
+int main(int argc, const char **argv)
+{
+ const struct CMUnitTest tests[] = {
+ cmocka_unit_test_setup_teardown(test_ntlm_allowed,
+ test_ntlm_setup,
+ test_ntlm_teardown),
+ cmocka_unit_test_setup_teardown(test_ntlm_allowed_lm_supplied,
+ test_ntlm_and_lm_setup,
+ test_ntlm_teardown),
+ cmocka_unit_test_setup_teardown(test_ntlm_disabled,
+ test_ntlm_setup,
+ test_ntlm_teardown),
+ cmocka_unit_test_setup_teardown(test_ntlm2,
+ test_ntlm2_setup,
+ test_ntlm_teardown),
+ cmocka_unit_test_setup_teardown(test_ntlm_mschapv2_only_allowed,
+ test_ntlm_setup,
+ test_ntlm_teardown),
+ cmocka_unit_test_setup_teardown(test_ntlm_mschapv2_only_denied,
+ test_ntlm_setup,
+ test_ntlm_teardown),
+ cmocka_unit_test_setup_teardown(test_ntlmv2_only_ntlm,
+ test_ntlm_setup,
+ test_ntlm_teardown),
+ cmocka_unit_test_setup_teardown(test_ntlmv2_only_ntlm_and_lanman,
+ test_ntlm_and_lm_setup,
+ test_ntlm_teardown),
+ cmocka_unit_test_setup_teardown(test_ntlmv2_only_ntlm_once,
+ test_ntlm_setup,
+ test_ntlm_teardown),
+ cmocka_unit_test_setup_teardown(test_ntlmv2_only_ntlmv2,
+ test_ntlmv2_setup,
+ test_ntlm_teardown)
+ };
+
+ cmocka_set_message_output(CM_OUTPUT_SUBUNIT);
+ return cmocka_run_group_tests(tests, NULL, NULL);
+}
diff --git a/libcli/auth/wscript_build b/libcli/auth/wscript_build
index 475b7d69406..d319d9b879e 100644
--- a/libcli/auth/wscript_build
+++ b/libcli/auth/wscript_build
@@ -41,3 +41,16 @@ bld.SAMBA_SUBSYSTEM('PAM_ERRORS',
bld.SAMBA_SUBSYSTEM('SPNEGO_PARSE',
source='spnego_parse.c',
deps='asn1util')
+
+bld.SAMBA_BINARY(
+ 'test_ntlm_check',
+ source='tests/ntlm_check.c',
+ deps='''
+ NTLM_CHECK
+ CREDENTIALS_NTLM
+ samba-credentials
+ cmocka
+ talloc
+ ''',
+ install=False
+ )
diff --git a/selftest/knownfail.d/ntlm b/selftest/knownfail.d/ntlm
new file mode 100644
index 00000000000..c6e6a3739ba
--- /dev/null
+++ b/selftest/knownfail.d/ntlm
@@ -0,0 +1,2 @@
+^samba.unittests.ntlm_check.test_ntlm_mschapv2_only_denied
+^samba.unittests.ntlm_check.test_ntlmv2_only_ntlm\(
diff --git a/selftest/tests.py b/selftest/tests.py
index 3f5097b680c..dc6486c13f8 100644
--- a/selftest/tests.py
+++ b/selftest/tests.py
@@ -176,3 +176,5 @@ plantestsuite("samba.unittests.lib_util_modules", "none",
plantestsuite("samba.unittests.smb1cli_session", "none",
[os.path.join(bindir(), "default/libcli/smb/test_smb1cli_session")])
+plantestsuite("samba.unittests.ntlm_check", "none",
+ [os.path.join(bindir(), "default/libcli/auth/test_ntlm_check")])
--
2.14.4
From 7a23af4b344ab3c9e9ba65bba5655f51a485c3b7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Wed, 14 Mar 2018 15:36:05 +0100
Subject: [PATCH 3/6] CVE-2018-1139 libcli/auth: fix debug messages in
hash_password_check()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360
CVE-2018-1139: Weak authentication protocol allowed.
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---
libcli/auth/ntlm_check.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/libcli/auth/ntlm_check.c b/libcli/auth/ntlm_check.c
index 3b02adc1d48..1c6499bd210 100644
--- a/libcli/auth/ntlm_check.c
+++ b/libcli/auth/ntlm_check.c
@@ -224,7 +224,7 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,
const struct samr_Password *stored_nt)
{
if (stored_nt == NULL) {
- DEBUG(3,("ntlm_password_check: NO NT password stored for user %s.\n",
+ DEBUG(3,("hash_password_check: NO NT password stored for user %s.\n",
username));
}
@@ -232,14 +232,14 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,
if (memcmp(client_nt->hash, stored_nt->hash, sizeof(stored_nt->hash)) == 0) {
return NT_STATUS_OK;
} else {
- DEBUG(3,("ntlm_password_check: Interactive logon: NT password check failed for user %s\n",
+ DEBUG(3,("hash_password_check: Interactive logon: NT password check failed for user %s\n",
username));
return NT_STATUS_WRONG_PASSWORD;
}
} else if (client_lanman && stored_lanman) {
if (!lanman_auth) {
- DEBUG(3,("ntlm_password_check: Interactive logon: only LANMAN password supplied for user %s, and LM passwords are disabled!\n",
+ DEBUG(3,("hash_password_check: Interactive logon: only LANMAN password supplied for user %s, and LM passwords are disabled!\n",
username));
return NT_STATUS_WRONG_PASSWORD;
}
@@ -250,7 +250,7 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,
if (memcmp(client_lanman->hash, stored_lanman->hash, sizeof(stored_lanman->hash)) == 0) {
return NT_STATUS_OK;
} else {
- DEBUG(3,("ntlm_password_check: Interactive logon: LANMAN password check failed for user %s\n",
+ DEBUG(3,("hash_password_check: Interactive logon: LANMAN password check failed for user %s\n",
username));
return NT_STATUS_WRONG_PASSWORD;
}
--
2.14.4
From fdb383c02e26305f4f312beae70bc5b8d4997a52 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Wed, 14 Mar 2018 15:35:01 +0100
Subject: [PATCH 4/6] CVE-2018-1139 s3-utils: use enum ntlm_auth_level in
ntlm_password_check().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360
CVE-2018-1139: Weak authentication protocol allowed.
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---
source3/utils/ntlm_auth.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
index 3f544902a24..8f77680416f 100644
--- a/source3/utils/ntlm_auth.c
+++ b/source3/utils/ntlm_auth.c
@@ -1010,7 +1010,7 @@ static NTSTATUS local_pw_check(struct auth4_context *auth4_context,
*pauthoritative = 1;
nt_status = ntlm_password_check(mem_ctx,
- true, true, 0,
+ true, NTLM_AUTH_ON, 0,
&auth4_context->challenge.data,
&user_info->password.response.lanman,
&user_info->password.response.nt,
@@ -1719,7 +1719,9 @@ static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mod
nt_lm_owf_gen (opt_password, nt_pw.hash, lm_pw.hash);
nt_status = ntlm_password_check(mem_ctx,
- true, true, 0,
+ true,
+ NTLM_AUTH_ON,
+ 0,
&challenge,
&lm_response,
&nt_response,
--
2.14.4
From 69662890219c8ff58619b47b24d2a7a4bdb08de8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Fri, 16 Mar 2018 17:25:12 +0100
Subject: [PATCH 5/6] CVE-2018-1139 selftest: verify whether ntlmv1 can be used
via SMB1 when it is disabled.
Right now, this test will succeed.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360
CVE-2018-1139: Weak authentication protocol allowed.
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---
source3/selftest/tests.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index 9092c1776c8..034c014e5b8 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -187,7 +187,7 @@ for env in ["nt4_dc", "nt4_member", "ad_member", "ad_dc", "ad_dc_ntvfs", "s4memb
plantestsuite("samba3.blackbox.smbclient_machine_auth.plain (%s:local)" % env, "%s:local" % env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_machine_auth.sh"), '$SERVER', smbclient3, configuration])
plantestsuite("samba3.blackbox.smbclient_ntlm.plain (%s)" % env, env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_ntlm.sh"), '$SERVER', '$DC_USERNAME', '$DC_PASSWORD', "never", smbclient3, configuration])
-for options in ["--option=clientntlmv2auth=no", "--option=clientusespnego=no --option=clientntlmv2auth=no", ""]:
+for options in ["--option=clientntlmv2auth=no", "--option=clientusespnego=no --option=clientntlmv2auth=no", "--option=clientusespnego=no --option=clientntlmv2auth=no -mNT1", ""]:
for env in ["nt4_member", "ad_member"]:
plantestsuite("samba3.blackbox.smbclient_auth.plain (%s) %s" % (env, options), env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_auth.sh"), '$SERVER', '$SERVER_IP', '$DC_USERNAME', '$DC_PASSWORD', smbclient3, configuration, options])
plantestsuite("samba3.blackbox.smbclient_auth.plain (%s) %s member creds" % (env, options), env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_auth.sh"), '$SERVER', '$SERVER_IP', '$SERVER/$USERNAME', '$PASSWORD', smbclient3, configuration, options])
--
2.14.4
From 9511ba41455865104c3c06f834dd44787a3044bd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Tue, 13 Mar 2018 16:56:20 +0100
Subject: [PATCH 6/6] CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1
when it is disabled via "ntlm auth".
This fixes a regression that came in via 00db3aba6cf9ebaafdf39ee2f9c7ba5ec2281ea0.
Found by Vivek Das <vdas@redhat.com> (Red Hat QE).
In order to demonstrate simply run:
smbclient //server/share -U user%password -mNT1 -c quit \
--option="client ntlmv2 auth"=no \
--option="client use spnego"=no
against a server that uses "ntlm auth = ntlmv2-only" (our default
setting).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360
CVE-2018-1139: Weak authentication protocol allowed.
Guenther
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---
libcli/auth/ntlm_check.c | 2 +-
selftest/knownfail | 3 ++-
selftest/knownfail.d/ntlm | 2 --
3 files changed, 3 insertions(+), 4 deletions(-)
delete mode 100644 selftest/knownfail.d/ntlm
diff --git a/libcli/auth/ntlm_check.c b/libcli/auth/ntlm_check.c
index 1c6499bd210..b68e9c87888 100644
--- a/libcli/auth/ntlm_check.c
+++ b/libcli/auth/ntlm_check.c
@@ -572,7 +572,7 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
- I think this is related to Win9X pass-though authentication
*/
DEBUG(4,("ntlm_password_check: Checking NT MD4 password in LM field\n"));
- if (ntlm_auth) {
+ if (ntlm_auth == NTLM_AUTH_ON) {
if (smb_pwd_check_ntlmv1(mem_ctx,
lm_response,
stored_nt->hash, challenge,
diff --git a/selftest/knownfail b/selftest/knownfail
index ba16fd72290..84776d4f35d 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -303,8 +303,9 @@
^samba4.smb.signing.*disabled.*signing=off.*\(ad_dc\)
# fl2000dc doesn't support AES
^samba4.krb5.kdc.*as-req-aes.*fl2000dc
-# nt4_member and ad_member don't support ntlmv1
+# nt4_member and ad_member don't support ntlmv1 (not even over SMB1)
^samba3.blackbox.smbclient_auth.plain.*_member.*option=clientntlmv2auth=no.member.creds.*as.user
+^samba3.blackbox.smbclient_auth.plain.*_member.*option=clientntlmv2auth=no.*mNT1.member.creds.*as.user
#nt-vfs server blocks read with execute access
^samba4.smb2.read.access
#ntvfs server blocks copychunk with execute access on read handle
diff --git a/selftest/knownfail.d/ntlm b/selftest/knownfail.d/ntlm
deleted file mode 100644
index c6e6a3739ba..00000000000
--- a/selftest/knownfail.d/ntlm
+++ /dev/null
@@ -1,2 +0,0 @@
-^samba.unittests.ntlm_check.test_ntlm_mschapv2_only_denied
-^samba.unittests.ntlm_check.test_ntlmv2_only_ntlm\(
--
2.14.4

@ -0,0 +1,38 @@
From cbea69c909bfe4aed541d1b4ffc2f859642f4000 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 17 Jan 2019 13:58:14 +0100
Subject: [PATCH] s3:lib: Fix the debug message for adding cache entries.
To get correct values, we need to cast 'timeout' to 'long int' first in
order to do calculation in that integer space! Calculations are don in
the space of the lvalue!
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
---
source3/lib/gencache.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/source3/lib/gencache.c b/source3/lib/gencache.c
index ab12fc1c531..9f4e1cfcaa3 100644
--- a/source3/lib/gencache.c
+++ b/source3/lib/gencache.c
@@ -294,11 +294,11 @@ bool gencache_set_data_blob(const char *keystr, DATA_BLOB blob,
dbufs[0] = (TDB_DATA) { .dptr = (uint8_t *)hdr, .dsize = hdr_len };
dbufs[1] = (TDB_DATA) { .dptr = blob.data, .dsize = blob.length };
- DEBUG(10, ("Adding cache entry with key=[%s] and timeout="
- "[%s] (%d seconds %s)\n", keystr,
+ DBG_DEBUG("Adding cache entry with key=[%s] and timeout="
+ "[%s] (%ld seconds %s)\n", keystr,
timestring(talloc_tos(), timeout),
- (int)(timeout - time(NULL)),
- timeout > time(NULL) ? "ahead" : "in the past"));
+ ((long int)timeout) - time(NULL),
+ timeout > time(NULL) ? "ahead" : "in the past");
ret = tdb_storev(cache_notrans->tdb, string_term_tdb_data(keystr),
dbufs, 2, 0);
--
2.20.1

@ -1,270 +0,0 @@
From 341da4f38809d0efaa282d5281ee69c62a826f9a Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 27 Jun 2018 14:06:39 +0200
Subject: [PATCH 1/4] krb5_plugin: Install plugins to krb5 modules dir
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13489
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
---
nsswitch/wscript_build | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/nsswitch/wscript_build b/nsswitch/wscript_build
index 15e93db2f05..576855bb56c 100644
--- a/nsswitch/wscript_build
+++ b/nsswitch/wscript_build
@@ -105,16 +105,18 @@ if bld.CONFIG_SET('WITH_PAM_MODULES') and bld.CONFIG_SET('HAVE_PAM_START'):
)
if bld.CONFIG_SET('HAVE_KRB5_LOCATE_PLUGIN_H'):
- bld.SAMBA_LIBRARY('winbind_krb5_locator',
- source='winbind_krb5_locator.c',
- deps='wbclient krb5 com_err',
- realname='winbind_krb5_locator.so')
+ bld.SAMBA_LIBRARY('winbind_krb5_locator',
+ source='winbind_krb5_locator.c',
+ deps='wbclient krb5 com_err',
+ realname='winbind_krb5_locator.so',
+ install_path='${MODULESDIR}/krb5')
if bld.CONFIG_SET('HAVE_KRB5_LOCALAUTH_PLUGIN_H'):
bld.SAMBA_LIBRARY('winbind_krb5_localauth',
source='krb5_plugin/winbind_krb5_localauth.c',
deps='wbclient krb5 com_err',
- realname='winbind-krb5-localauth.so')
+ realname='winbind_krb5_localauth.so',
+ install_path='${MODULESDIR}/krb5')
bld.SAMBA_SUBSYSTEM('WB_REQTRANS',
source='wb_reqtrans.c',
--
2.17.1
From a1e9527b207b4bb045012cf78649362b42351313 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 27 Jun 2018 14:08:56 +0200
Subject: [PATCH 2/4] krb5_plugin: Move krb5 locator plugin to krb5_plugin
subdir
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13489
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
---
nsswitch/{ => krb5_plugin}/winbind_krb5_locator.c | 0
nsswitch/wscript_build | 2 +-
2 files changed, 1 insertion(+), 1 deletion(-)
rename nsswitch/{ => krb5_plugin}/winbind_krb5_locator.c (100%)
diff --git a/nsswitch/winbind_krb5_locator.c b/nsswitch/krb5_plugin/winbind_krb5_locator.c
similarity index 100%
rename from nsswitch/winbind_krb5_locator.c
rename to nsswitch/krb5_plugin/winbind_krb5_locator.c
diff --git a/nsswitch/wscript_build b/nsswitch/wscript_build
index 576855bb56c..dd1952b799b 100644
--- a/nsswitch/wscript_build
+++ b/nsswitch/wscript_build
@@ -106,7 +106,7 @@ if bld.CONFIG_SET('WITH_PAM_MODULES') and bld.CONFIG_SET('HAVE_PAM_START'):
if bld.CONFIG_SET('HAVE_KRB5_LOCATE_PLUGIN_H'):
bld.SAMBA_LIBRARY('winbind_krb5_locator',
- source='winbind_krb5_locator.c',
+ source='krb5_plugin/winbind_krb5_locator.c',
deps='wbclient krb5 com_err',
realname='winbind_krb5_locator.so',
install_path='${MODULESDIR}/krb5')
--
2.17.1
From b0fa360161aba9aa092bf4ecf0533a49d621a068 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 27 Jun 2018 15:14:15 +0200
Subject: [PATCH 3/4] docs: Move winbind_krb5_locator manpage to volume 8
The vfs and idmap manpages are in volume 8 too.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13489
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
---
...inbind_krb5_locator.7.xml => winbind_krb5_locator.8.xml} | 6 +++---
docs-xml/wscript_build | 2 +-
2 files changed, 4 insertions(+), 4 deletions(-)
rename docs-xml/manpages/{winbind_krb5_locator.7.xml => winbind_krb5_locator.8.xml} (96%)
diff --git a/docs-xml/manpages/winbind_krb5_locator.7.xml b/docs-xml/manpages/winbind_krb5_locator.8.xml
similarity index 96%
rename from docs-xml/manpages/winbind_krb5_locator.7.xml
rename to docs-xml/manpages/winbind_krb5_locator.8.xml
index 17e401a9da0..0af0c2cc95f 100644
--- a/docs-xml/manpages/winbind_krb5_locator.7.xml
+++ b/docs-xml/manpages/winbind_krb5_locator.8.xml
@@ -1,12 +1,12 @@
<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
-<refentry id="winbind_krb5_locator.7">
+<refentry id="winbind_krb5_locator.8">
<refmeta>
<refentrytitle>winbind_krb5_locator</refentrytitle>
- <manvolnum>7</manvolnum>
+ <manvolnum>8</manvolnum>
<refmiscinfo class="source">Samba</refmiscinfo>
- <refmiscinfo class="manual">7</refmiscinfo>
+ <refmiscinfo class="manual">8</refmiscinfo>
<refmiscinfo class="version">&doc.version;</refmiscinfo>
</refmeta>
diff --git a/docs-xml/wscript_build b/docs-xml/wscript_build
index 954c62a29bc..2d686eb38b0 100644
--- a/docs-xml/wscript_build
+++ b/docs-xml/wscript_build
@@ -103,7 +103,7 @@ pam_winbind_manpages = '''
manpages/pam_winbind.conf.5
'''
-krb5_locator_manpages = 'manpages/winbind_krb5_locator.7'
+krb5_locator_manpages = 'manpages/winbind_krb5_locator.8'
def smbdotconf_generate_parameter_list(task):
parameter_all = task.outputs[0].bldpath(task.env)
--
2.17.1
From d16a8b65af5de19c1ccbb95e3542d01f77696be3 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 27 Jun 2018 15:06:07 +0200
Subject: [PATCH 4/4] docs: Add manpage for winbind_krb5_localauth.8
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13489
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
---
.../manpages/winbind_krb5_localauth.8.xml | 86 +++++++++++++++++++
docs-xml/wscript_build | 4 +
2 files changed, 90 insertions(+)
create mode 100644 docs-xml/manpages/winbind_krb5_localauth.8.xml
diff --git a/docs-xml/manpages/winbind_krb5_localauth.8.xml b/docs-xml/manpages/winbind_krb5_localauth.8.xml
new file mode 100644
index 00000000000..a382e71ead3
--- /dev/null
+++ b/docs-xml/manpages/winbind_krb5_localauth.8.xml
@@ -0,0 +1,86 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
+<refentry id="winbind_krb5_localauth.8">
+
+<refmeta>
+ <refentrytitle>winbind_krb5_localauth</refentrytitle>
+ <manvolnum>8</manvolnum>
+ <refmiscinfo class="source">Samba</refmiscinfo>
+ <refmiscinfo class="manual">8</refmiscinfo>
+ <refmiscinfo class="version">&doc.version;</refmiscinfo>
+</refmeta>
+
+
+<refnamediv>
+ <refname>winbind_krb5_localauth</refname>
+ <refpurpose>A plugin for MIT Kerberos for mapping user accounts.</refpurpose>
+</refnamediv>
+
+
+<refsect1>
+ <title>DESCRIPTION</title>
+
+ <para>
+ This plugin is part of the
+ <citerefentry><refentrytitle>samba</refentrytitle>
+ <manvolnum>7</manvolnum></citerefentry> suite.
+ </para>
+
+ <para>
+ <command>winbind_krb5_localauth</command> is a plugin that
+ permits the MIT Kerberos libraries that Kerberos principals can
+ be validated against local user accounts.
+ </para>
+</refsect1>
+<refsect1>
+ <title>PREREQUISITES</title>
+ <para>
+ MIT Kerberos (at least version 1.12) is required.
+ </para>
+
+ <para>
+ The plugin queries the <citerefentry><refentrytitle>winbindd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> daemon which needs to be configured
+ and started separately.
+ </para>
+
+ <para>
+ The following sections needs to be added to the
+ <filename>krb5.conf</filename> file.
+
+ <programlisting>
+[plugins]
+ localauth = {
+ module = winbind:/usr/lib64/samba/krb5/winbind_krb5_localauth.so
+ enable_only = winbind
+ }
+ </programlisting>
+ </para>
+</refsect1>
+
+<refsect1>
+ <title>VERSION</title>
+
+ <para>
+ This man page is part of version &doc.version; of the Samba
+ suite.
+ </para>
+</refsect1>
+
+<refsect1>
+ <title>AUTHOR</title>
+
+ <para>
+ The original Samba software and related utilities were created
+ by Andrew Tridgell. Samba is now developed by the Samba Team as
+ an Open Source project similar to the way the Linux kernel is
+ developed.
+ </para>
+
+ <para>
+ The winbind_krb5_localauth manpage was written by Andreas
+ Schneider.
+ </para>
+</refsect1>
+
+</refentry>
diff --git a/docs-xml/wscript_build b/docs-xml/wscript_build
index 2d686eb38b0..ec5d28fc62a 100644
--- a/docs-xml/wscript_build
+++ b/docs-xml/wscript_build
@@ -104,6 +104,7 @@ pam_winbind_manpages = '''
'''
krb5_locator_manpages = 'manpages/winbind_krb5_locator.8'
+krb5_localauth_manpages = 'manpages/winbind_krb5_localauth.8'
def smbdotconf_generate_parameter_list(task):
parameter_all = task.outputs[0].bldpath(task.env)
@@ -162,5 +163,8 @@ if ('XSLTPROC_MANPAGES' in bld.env and bld.env['XSLTPROC_MANPAGES']):
if bld.CONFIG_SET('HAVE_KRB5_LOCATE_PLUGIN_H'):
bld.SAMBAMANPAGES(krb5_locator_manpages)
+ if bld.CONFIG_SET('HAVE_KRB5_LOCALAUTH_PLUGIN_H'):
+ bld.SAMBAMANPAGES(krb5_localauth_manpages)
+
if bld.SAMBA3_IS_ENABLED_MODULE('vfs_zfsacl'):
bld.SAMBAMANPAGES('manpages/vfs_zfsacl.8')
--
2.17.1

@ -1,216 +0,0 @@
From 091731ca7cc89c10f698a8d52e0ade1a07bde0d3 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 2 Jul 2018 16:18:52 +0200
Subject: [PATCH 1/2] nsswitch: Add tests to lookup user via getpwnam
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13503
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 8e96e9ea46351de34ad5cac9a9a9ece4226b462c)
---
nsswitch/tests/test_wbinfo_user_info.sh | 71 ++++++++++++++++++++++++++++-----
selftest/knownfail.d/upn_handling | 2 +
source3/selftest/tests.py | 4 +-
3 files changed, 66 insertions(+), 11 deletions(-)
diff --git a/nsswitch/tests/test_wbinfo_user_info.sh b/nsswitch/tests/test_wbinfo_user_info.sh
index 2803ac1408b..da30f97be74 100755
--- a/nsswitch/tests/test_wbinfo_user_info.sh
+++ b/nsswitch/tests/test_wbinfo_user_info.sh
@@ -2,19 +2,20 @@
# Blackbox test for wbinfo lookup for account name and upn
# Copyright (c) 2018 Andreas Schneider <asn@samba.org>
-if [ $# -lt 5 ]; then
+if [ $# -lt 6 ]; then
cat <<EOF
-Usage: $(basename $0) DOMAIN REALM USERNAME1 UPN_NAME1 USERNAME2 UPN_NAME2
+Usage: $(basename $0) DOMAIN REALM OWN_DOMAIN USERNAME1 UPN_NAME1 USERNAME2 UPN_NAME2
EOF
exit 1;
fi
DOMAIN=$1
REALM=$2
-USERNAME1=$3
-UPN_NAME1=$4
-USERNAME2=$5
-UPN_NAME2=$6
+OWN_DOMAIN=$3
+USERNAME1=$4
+UPN_NAME1=$5
+USERNAME2=$6
+UPN_NAME2=$7
shift 6
failed=0
@@ -31,9 +32,9 @@ test_user_info()
{
local cmd out ret user domain upn userinfo
- domain="$1"
- user="$2"
- upn="$3"
+ local domain="$1"
+ local user="$2"
+ local upn="$3"
if [ $# -lt 3 ]; then
userinfo="$domain/$user"
@@ -62,6 +63,39 @@ test_user_info()
return 0
}
+test_getpwnam()
+{
+ local cmd out ret
+
+ local lookup_username=$1
+ local expected_return=$2
+ local expected_output=$3
+
+ cmd='getent passwd $lookup_username'
+ eval echo "$cmd"
+ out=$(eval $cmd)
+ ret=$?
+
+ if [ $ret -ne $expected_return ]; then
+ echo "return code: $ret, expected return code is: $expected_return"
+ echo "$out"
+ return 1
+ fi
+
+ if [ -n "$expected_output" ]; then
+ echo "$out" | grep "$expected_output"
+ ret=$?
+
+ if [ $ret -ne 0 ]; then
+ echo "Unable to find $expected_output in:"
+ echo "$out"
+ return 1
+ fi
+ fi
+
+ return 0
+}
+
testit "name_to_sid.domain.$USERNAME1" $wbinfo_tool --name-to-sid $DOMAIN/$USERNAME1 || failed=$(expr $failed + 1)
testit "name_to_sid.upn.$UPN_NAME1" $wbinfo_tool --name-to-sid $UPN1 || failed=$(expr $failed + 1)
@@ -80,4 +114,23 @@ UPN3="$UPN_NAME3@${REALM}.upn"
testit "name_to_sid.upn.$UPN_NAME3" $wbinfo_tool --name-to-sid $UPN3 || failed=$(expr $failed + 1)
testit "user_info.upn.$UPN_NAME3" test_user_info $DOMAIN $USERNAME3 $UPN3 || failed=$(expr $failed + 1)
+testit "getpwnam.domain.$DOMAIN.$USERNAME1" test_getpwnam "$DOMAIN/$USERNAME1" 0 "$DOMAIN/$USERNAME1" || failed=$(expr $failed + 1)
+
+testit "getpwnam.upn.$UPN_NAME1" test_getpwnam "$UPN1" 0 "$DOMAIN/$USERNAME1" || failed=$(expr $failed + 1)
+
+# We should not be able to lookup the user just by the name
+test_ret=0
+test_output="$DOMAIN/$USERNAME1"
+
+if [ "$ENVNAME" = "ad_member" ]; then
+ test_ret=2
+ test_output=""
+fi
+if [ "$ENVNAME" = "fl2008r2dc" ]; then
+ test_ret=0
+ test_output="$OWN_DOMAIN/$USERNAME1"
+fi
+
+testit "getpwnam.local.$USERNAME1" test_getpwnam "$USERNAME1" $test_ret $test_output || failed=$(expr $failed + 1)
+
exit $failed
diff --git a/selftest/knownfail.d/upn_handling b/selftest/knownfail.d/upn_handling
index bcbedb4f903..7dc9b71dc5e 100644
--- a/selftest/knownfail.d/upn_handling
+++ b/selftest/knownfail.d/upn_handling
@@ -1,8 +1,10 @@
^samba3\.wbinfo_user_info\.name_to_sid\.upn\.testdenied_upn.ad_member
^samba3\.wbinfo_user_info\.user_info\.upn\.testdenied_upn.ad_member
+^samba3\.wbinfo_user_info\.getpwnam\.local\.alice.ad_member
^samba3\.wbinfo_user_info\.user_info\.domain\.alice.fl2008r2dc
^samba3\.wbinfo_user_info\.user_info\.upn\.alice.fl2008r2dc
^samba3\.wbinfo_user_info\.user_info\.domain\.jane.fl2008r2dc
^samba3\.wbinfo_user_info\.user_info\.upn\.jane\.doe.fl2008r2dc
^samba3\.wbinfo_user_info\.name_to_sid\.upn\.testdenied_upn.fl2008r2dc
^samba3\.wbinfo_user_info\.user_info\.upn\.testdenied_upn.fl2008r2dc
+^samba3\.wbinfo_user_info\.getpwnam\.local\.alice.fl2008r2dc
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index f43d2b14d3a..a9cb2dad792 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -216,13 +216,13 @@ env = "ad_member:local"
plantestsuite("samba3.wbinfo_user_info", env,
[ os.path.join(srcdir(),
"nsswitch/tests/test_wbinfo_user_info.sh"),
- '$DOMAIN', '$REALM', 'alice', 'alice', 'jane', 'jane.doe' ])
+ '$DOMAIN', '$REALM', '$DOMAIN', 'alice', 'alice', 'jane', 'jane.doe' ])
env = "fl2008r2dc:local"
plantestsuite("samba3.wbinfo_user_info", env,
[ os.path.join(srcdir(),
"nsswitch/tests/test_wbinfo_user_info.sh"),
- '$TRUST_DOMAIN', '$TRUST_REALM', 'alice', 'alice', 'jane', 'jane.doe' ])
+ '$TRUST_DOMAIN', '$TRUST_REALM', '$DOMAIN', 'alice', 'alice', 'jane', 'jane.doe' ])
env = "ad_member"
t = "WBCLIENT-MULTI-PING"
--
2.13.6
From 495f43f5fa972076de996f9c639657672e378c7d Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 2 Jul 2018 16:38:01 +0200
Subject: [PATCH 2/2] s3:winbind: Do not lookup local system accounts in AD
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13503
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Bรถhme <slow@samba.org>
Autobuild-Date(master): Wed Jul 4 23:55:56 CEST 2018 on sn-devel-144
(cherry picked from commit 9f28d30633af721efec02d8816a9fa48f795a01c)
---
selftest/knownfail.d/upn_handling | 2 --
source3/winbindd/winbindd_util.c | 2 ++
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/selftest/knownfail.d/upn_handling b/selftest/knownfail.d/upn_handling
index 7dc9b71dc5e..bcbedb4f903 100644
--- a/selftest/knownfail.d/upn_handling
+++ b/selftest/knownfail.d/upn_handling
@@ -1,10 +1,8 @@
^samba3\.wbinfo_user_info\.name_to_sid\.upn\.testdenied_upn.ad_member
^samba3\.wbinfo_user_info\.user_info\.upn\.testdenied_upn.ad_member
-^samba3\.wbinfo_user_info\.getpwnam\.local\.alice.ad_member
^samba3\.wbinfo_user_info\.user_info\.domain\.alice.fl2008r2dc
^samba3\.wbinfo_user_info\.user_info\.upn\.alice.fl2008r2dc
^samba3\.wbinfo_user_info\.user_info\.domain\.jane.fl2008r2dc
^samba3\.wbinfo_user_info\.user_info\.upn\.jane\.doe.fl2008r2dc
^samba3\.wbinfo_user_info\.name_to_sid\.upn\.testdenied_upn.fl2008r2dc
^samba3\.wbinfo_user_info\.user_info\.upn\.testdenied_upn.fl2008r2dc
-^samba3\.wbinfo_user_info\.getpwnam\.local\.alice.fl2008r2dc
diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index aa633419c9a..7a5fb73cdef 100644
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -1605,6 +1605,8 @@ bool parse_domain_user(const char *domuser,
} else if (assume_domain(lp_workgroup())) {
fstrcpy(domain, lp_workgroup());
fstrcpy(namespace, domain);
+ } else {
+ fstrcpy(namespace, lp_netbios_name());
}
}
--
2.13.6

@ -1,64 +0,0 @@
From a922e4e22c470fbfc7ef1b1ac1645a81f59d1846 Mon Sep 17 00:00:00 2001
From: Justin Stephenson <jstephen@redhat.com>
Date: Mon, 25 Jun 2018 09:58:56 -0400
Subject: [PATCH 1/2] s3:client: Add --quiet option to smbclient
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Add quiet command-line argument to allow suppressing the help log
message printed automatically after establishing a smbclient connection
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13485
Signed-off-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Bjรถrn Baumbach <bb@sernet.de>
(cherry picked from commit 89a8b3ecd47b6d9a33e66f22d2786f0ae3b4cb72)
---
source3/client/client.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/source3/client/client.c b/source3/client/client.c
index 2c1c76036f7..c836e5a0477 100644
--- a/source3/client/client.c
+++ b/source3/client/client.c
@@ -52,6 +52,7 @@ static int port = 0;
static char *service;
static char *desthost;
static bool grepable = false;
+static bool quiet = false;
static char *cmdstr = NULL;
const char *cmd_ptr = NULL;
@@ -6059,7 +6060,9 @@ static int process_stdin(void)
{
int rc = 0;
- d_printf("Try \"help\" to get a list of possible commands.\n");
+ if (!quiet) {
+ d_printf("Try \"help\" to get a list of possible commands.\n");
+ }
while (!finished) {
TALLOC_CTX *frame = talloc_stackframe();
@@ -6329,6 +6332,7 @@ int main(int argc,char *argv[])
{ "timeout", 't', POPT_ARG_INT, &io_timeout, 'b', "Changes the per-operation timeout", "SECONDS" },
{ "port", 'p', POPT_ARG_INT, &port, 'p', "Port to connect to", "PORT" },
{ "grepable", 'g', POPT_ARG_NONE, NULL, 'g', "Produce grepable output" },
+ { "quiet", 'q', POPT_ARG_NONE, NULL, 'q', "Suppress help message" },
{ "browse", 'B', POPT_ARG_NONE, NULL, 'B', "Browse SMB servers using DNS" },
POPT_COMMON_SAMBA
POPT_COMMON_CONNECTION
@@ -6451,6 +6455,9 @@ int main(int argc,char *argv[])
case 'g':
grepable=true;
break;
+ case 'q':
+ quiet=true;
+ break;
case 'e':
smb_encrypt=true;
break;
--
2.17.1

@ -1,6 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iFwEABECABwFAlsyUq4VHHNhbWJhLWJ1Z3NAc2FtYmEub3JnAAoJEG8zkVtlaLfq
U/4AoLhX0k1+ci295ajuSRq9yyBHIMysAJ49UqQcyMAhTdRz/BmgwC9hgrBldg==
=em2I
-----END PGP SIGNATURE-----

BIN
samba-4.8.3.tar.xz (Stored with Git LFS)

Binary file not shown.

@ -0,0 +1,151 @@
From a803d2524b8c06e2c360db0c686a212ac49f7321 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Thu, 21 Mar 2019 14:51:30 -0700
Subject: [PATCH] CVE-2019-3880 s3: rpc: winreg: Remove implementations of
SaveKey/RestoreKey.
The were not using VFS backend calls and could only work
locally, and were unsafe against symlink races and other
security issues.
If the incoming handle is valid, return WERR_BAD_PATHNAME.
[MS-RRP] states "The format of the file name is implementation-specific"
so ensure we don't allow this.
As reported by Michael Hanselmann.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13851
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---
source3/rpc_server/winreg/srv_winreg_nt.c | 92 ++-----------------------------
1 file changed, 4 insertions(+), 88 deletions(-)
diff --git a/source3/rpc_server/winreg/srv_winreg_nt.c b/source3/rpc_server/winreg/srv_winreg_nt.c
index d9ee8d0602d..816c6bb2a12 100644
--- a/source3/rpc_server/winreg/srv_winreg_nt.c
+++ b/source3/rpc_server/winreg/srv_winreg_nt.c
@@ -640,46 +640,6 @@ WERROR _winreg_AbortSystemShutdown(struct pipes_struct *p,
}
/*******************************************************************
- ********************************************************************/
-
-static int validate_reg_filename(TALLOC_CTX *ctx, char **pp_fname )
-{
- char *p = NULL;
- int num_services = lp_numservices();
- int snum = -1;
- const char *share_path = NULL;
- char *fname = *pp_fname;
-
- /* convert to a unix path, stripping the C:\ along the way */