samba.git/auth/credentials, branch v4-7-stable Unnamed repository; edit this file 'description' to name the repository. krb5-samba: interdomain trust uses different salt principal 2018-09-05T16:44:46+00:00 Alexander Bokovoy ab@samba.org 2018-02-16T16:15:28+00:00 dccaea50ce57d6718ffd937cc8b97b64c98c0e79 Salt principal for the interdomain trust is krbtgt/DOMAIN@REALM where DOMAIN is the sAMAccountName without the dollar sign ($) The salt principal for the BLA$ user object was generated wrong. dn: CN=bla.base,CN=System,DC=w4edom-l4,DC=base securityIdentifier: S-1-5-21-4053568372-2049667917-3384589010 trustDirection: 3 trustPartner: bla.base trustPosixOffset: -2147483648 trustType: 2 trustAttributes: 8 flatName: BLA dn: CN=BLA$,CN=Users,DC=w4edom-l4,DC=base userAccountControl: 2080 primaryGroupID: 513 objectSid: S-1-5-21-278041429-3399921908-1452754838-1597 accountExpires: 9223372036854775807 sAMAccountName: BLA$ sAMAccountType: 805306370 pwdLastSet: 131485652467995000 The salt stored by Windows in the package_PrimaryKerberosBlob (within supplementalCredentials) seems to be 'W4EDOM-L4.BASEkrbtgtBLA' for the above trust and Samba stores 'W4EDOM-L4.BASEBLA$'. While the salt used when building the keys from trustAuthOutgoing/trustAuthIncoming is 'W4EDOM-L4.BASEkrbtgtBLA.BASE', which we handle correct. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13539 Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Signed-off-by: Alexander Bokovoy <ab@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Wed Sep 5 03:57:22 CEST 2018 on sn-devel-144 (cherry picked from commit f3e349bebc443133fdbe4e14b148ca8db8237060) Autobuild-User(v4-7-test): Stefan Metzmacher <metze@samba.org> Autobuild-Date(v4-7-test): Wed Sep 5 18:44:46 CEST 2018 on sn-devel-144 
Salt principal for the interdomain trust is krbtgt/DOMAIN@REALM where
DOMAIN is the sAMAccountName without the dollar sign ($)

The salt principal for the BLA$ user object was generated wrong.

dn: CN=bla.base,CN=System,DC=w4edom-l4,DC=base
securityIdentifier: S-1-5-21-4053568372-2049667917-3384589010
trustDirection: 3
trustPartner: bla.base
trustPosixOffset: -2147483648
trustType: 2
trustAttributes: 8
flatName: BLA

dn: CN=BLA$,CN=Users,DC=w4edom-l4,DC=base
userAccountControl: 2080
primaryGroupID: 513
objectSid: S-1-5-21-278041429-3399921908-1452754838-1597
accountExpires: 9223372036854775807
sAMAccountName: BLA$
sAMAccountType: 805306370
pwdLastSet: 131485652467995000

The salt stored by Windows in the package_PrimaryKerberosBlob
(within supplementalCredentials) seems to be
'W4EDOM-L4.BASEkrbtgtBLA' for the above trust
and Samba stores 'W4EDOM-L4.BASEBLA$'.

While the salt used when building the keys from
trustAuthOutgoing/trustAuthIncoming is
'W4EDOM-L4.BASEkrbtgtBLA.BASE', which we handle correct.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13539

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Alexander Bokovoy <ab@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Sep  5 03:57:22 CEST 2018 on sn-devel-144

(cherry picked from commit f3e349bebc443133fdbe4e14b148ca8db8237060)

Autobuild-User(v4-7-test): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(v4-7-test): Wed Sep  5 18:44:46 CEST 2018 on sn-devel-144
tests/bind.py: Add a bind test with NTLMSSP with no domain 2018-03-20T16:13:08+00:00 Garming Sam garming@catalyst.net.nz 2018-01-08T03:34:02+00:00 7ea5588d089b5b97f307c71aa4de78fe0aa2441b Confirmed to pass against Windows 2012 R2. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13206 Signed-off-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> (cherry picked from commit 2e49a97777ebf5bffbeadca03517b4a21bca24c0) 
Confirmed to pass against Windows 2012 R2.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13206

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 2e49a97777ebf5bffbeadca03517b4a21bca24c0)
CVE-2017-12150: auth/credentials: cli_credentials_authentication_requested() should check for NTLM_CCACHE/SIGN/SEAL 2017-09-20T10:00:34+00:00 Stefan Metzmacher metze@samba.org 2017-08-29T13:24:14+00:00 dfd11569de24064bcf8a4348b4b5271807dd501b BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997 Signed-off-by: Stefan Metzmacher <metze@samba.org> 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997

Signed-off-by: Stefan Metzmacher <metze@samba.org>
auth/credentials: remove unused smb_krb5_create_salt_principal() 2017-06-27T14:57:47+00:00 Stefan Metzmacher metze@samba.org 2017-05-18T08:54:06+00:00 5d99f9bb6229bc7c3537796d9d2e71cdb79a7820 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
auth/credentials: make use of smb_krb5_salt_principal() in cli_credentials_get_keytab() 2017-06-27T14:57:47+00:00 Stefan Metzmacher metze@samba.org 2017-05-18T08:50:34+00:00 3e33fb8a3760dba2f25f661bd775a9bdddee8465 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
pycredentials: Add support for netr_crypt_password 2017-06-22T06:56:22+00:00 Gary Lockyer gary@catalyst.net.nz 2017-06-20T20:10:30+00:00 8c909cd7fae8c2232e5b581c66a1a6e75fa0bcdc Add code to encrypt a netr_CryptPassword structure with the current session key. This allows the making of Netr_ServerPasswordSet2 calls from python. Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Add code to encrypt a netr_CryptPassword structure with the current
session key.  This allows the making of Netr_ServerPasswordSet2 calls
from python.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
pycredentials: add function to return the netr_Authenticator 2017-06-22T06:56:22+00:00 Gary Lockyer gary@catalyst.net.nz 2017-06-15T03:55:43+00:00 b68a3374a56c7117aa1d9fedf56940b6a1ed1cae Add method new_client_authenticator that returns data to allow a netr_Authenticator to be constructed. Allows python to make netr_LogonSamLogonWithFlags, netr_LogonGetDomainInfo and similar calls Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Add method new_client_authenticator that returns data to allow a
netr_Authenticator to be constructed.
Allows python to make netr_LogonSamLogonWithFlags,
netr_LogonGetDomainInfo and similar calls

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
auth pycredentials: incorrect PyArg_ParseTupleAndKeywords call 2017-05-25T00:25:13+00:00 Gary Lockyer gary@catalyst.net.nz 2017-04-28T01:14:16+00:00 610919e5e665dcb23241055e8ccb11f3d3f2ae2c The challenge parameter was being treated as a string rather than as a data blob. This was causing intermittent seg faults. Removed the server_timestamp parameter as it's not currently used. Unable to produce a test case to reliably replicate the failure. However auth_log_samlogon does flap Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
The challenge parameter was being treated as a string rather than as a
data blob.  This was causing intermittent seg faults. Removed the
server_timestamp parameter as it's not currently used.

Unable to produce a test case to reliably replicate the failure.
However auth_log_samlogon does flap

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
auth pycredentials: correct docstring of get_ntlm_response method 2017-05-25T00:25:12+00:00 Gary Lockyer gary@catalyst.net.nz 2017-04-28T01:13:28+00:00 ee0eb1daa349671386bae0121be6a4b8be06815d Fix copy paste error was incorrectly named "get_ntlm_username_domain" Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Fix copy paste error was incorrectly named "get_ntlm_username_domain"

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
auth_log: Add test that execises the SamLogon python bindings 2017-05-25T00:25:12+00:00 Gary Lockyer gary@catalyst.net.nz 2017-04-27T22:16:39+00:00 68ccebfa59e2fc8b717c93224594f49af556ec6e Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>