samba.git/auth, branch v4-7-stable Unnamed repository; edit this file 'description' to name the repository. krb5-samba: interdomain trust uses different salt principal 2018-09-05T16:44:46+00:00 Alexander Bokovoy ab@samba.org 2018-02-16T16:15:28+00:00 dccaea50ce57d6718ffd937cc8b97b64c98c0e79 Salt principal for the interdomain trust is krbtgt/DOMAIN@REALM where DOMAIN is the sAMAccountName without the dollar sign ($) The salt principal for the BLA$ user object was generated wrong. dn: CN=bla.base,CN=System,DC=w4edom-l4,DC=base securityIdentifier: S-1-5-21-4053568372-2049667917-3384589010 trustDirection: 3 trustPartner: bla.base trustPosixOffset: -2147483648 trustType: 2 trustAttributes: 8 flatName: BLA dn: CN=BLA$,CN=Users,DC=w4edom-l4,DC=base userAccountControl: 2080 primaryGroupID: 513 objectSid: S-1-5-21-278041429-3399921908-1452754838-1597 accountExpires: 9223372036854775807 sAMAccountName: BLA$ sAMAccountType: 805306370 pwdLastSet: 131485652467995000 The salt stored by Windows in the package_PrimaryKerberosBlob (within supplementalCredentials) seems to be 'W4EDOM-L4.BASEkrbtgtBLA' for the above trust and Samba stores 'W4EDOM-L4.BASEBLA$'. While the salt used when building the keys from trustAuthOutgoing/trustAuthIncoming is 'W4EDOM-L4.BASEkrbtgtBLA.BASE', which we handle correct. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13539 Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Signed-off-by: Alexander Bokovoy <ab@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Wed Sep 5 03:57:22 CEST 2018 on sn-devel-144 (cherry picked from commit f3e349bebc443133fdbe4e14b148ca8db8237060) Autobuild-User(v4-7-test): Stefan Metzmacher <metze@samba.org> Autobuild-Date(v4-7-test): Wed Sep 5 18:44:46 CEST 2018 on sn-devel-144 
Salt principal for the interdomain trust is krbtgt/DOMAIN@REALM where
DOMAIN is the sAMAccountName without the dollar sign ($)

The salt principal for the BLA$ user object was generated wrong.

dn: CN=bla.base,CN=System,DC=w4edom-l4,DC=base
securityIdentifier: S-1-5-21-4053568372-2049667917-3384589010
trustDirection: 3
trustPartner: bla.base
trustPosixOffset: -2147483648
trustType: 2
trustAttributes: 8
flatName: BLA

dn: CN=BLA$,CN=Users,DC=w4edom-l4,DC=base
userAccountControl: 2080
primaryGroupID: 513
objectSid: S-1-5-21-278041429-3399921908-1452754838-1597
accountExpires: 9223372036854775807
sAMAccountName: BLA$
sAMAccountType: 805306370
pwdLastSet: 131485652467995000

The salt stored by Windows in the package_PrimaryKerberosBlob
(within supplementalCredentials) seems to be
'W4EDOM-L4.BASEkrbtgtBLA' for the above trust
and Samba stores 'W4EDOM-L4.BASEBLA$'.

While the salt used when building the keys from
trustAuthOutgoing/trustAuthIncoming is
'W4EDOM-L4.BASEkrbtgtBLA.BASE', which we handle correct.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13539

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Alexander Bokovoy <ab@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Sep  5 03:57:22 CEST 2018 on sn-devel-144

(cherry picked from commit f3e349bebc443133fdbe4e14b148ca8db8237060)

Autobuild-User(v4-7-test): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(v4-7-test): Wed Sep  5 18:44:46 CEST 2018 on sn-devel-144
lib: Fix array size in audit_logging 2018-06-27T08:34:21+00:00 Andreas Schneider asn@samba.org 2018-05-16T11:59:55+00:00 6aaf3a88f4bdc0f8fe34779c24b7716fe641561e ../lib/audit_logging/audit_logging.c: In function ‘json_add_timestamp’: ../lib/audit_logging/audit_logging.c:603:12: error: ‘%s’ directive output may be truncated writing up to 9 bytes into a region of size between 0 and 43 [-Werror=format-truncation=] "%s.%06ld%s", ^~ ../lib/audit_logging/audit_logging.c:606:3: tz); ~~ ../lib/audit_logging/audit_logging.c:600:2: note: ‘snprintf’ output between 8 and 70 bytes into a destination of size 50 snprintf( ^~~~~~~~~ timestamp, ~~~~~~~~~~ sizeof(timestamp), ~~~~~~~~~~~~~~~~~~ "%s.%06ld%s", ~~~~~~~~~~~~~ buffer, ~~~~~~~ tv.tv_usec, ~~~~~~~~~~~ tz); ~~~ BUG: https://bugzilla.samba.org/show_bug.cgi?id=13437 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Guenther Deschner <gd@samba.org> (cherry picked from commit 8b7c8eb3907e2123acee67949e88c26072afc81a) 
../lib/audit_logging/audit_logging.c: In function ‘json_add_timestamp’:
../lib/audit_logging/audit_logging.c:603:12: error: ‘%s’ directive
       output may be truncated writing up to 9 bytes into a region of size
       between 0 and 43 [-Werror=format-truncation=]
   "%s.%06ld%s",
            ^~
../lib/audit_logging/audit_logging.c:606:3:
   tz);
   ~~
../lib/audit_logging/audit_logging.c:600:2: note: ‘snprintf’ output
       between 8 and 70 bytes into a destination of size 50
  snprintf(
  ^~~~~~~~~
   timestamp,
   ~~~~~~~~~~
   sizeof(timestamp),
   ~~~~~~~~~~~~~~~~~~
   "%s.%06ld%s",
   ~~~~~~~~~~~~~
   buffer,
   ~~~~~~~
   tv.tv_usec,
   ~~~~~~~~~~~
   tz);
   ~~~

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13437

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>

(cherry picked from commit 8b7c8eb3907e2123acee67949e88c26072afc81a)
auth/ntlmssp: fix handling of GENSEC_FEATURE_LDAP_STYLE as a server 2018-06-04T07:54:23+00:00 Stefan Metzmacher metze@samba.org 2018-05-07T12:50:27+00:00 e8489ae8538a06fb224e8af9e45da43fecaef316 This fixes "NTLMSSP NTLM2 packet check failed due to invalid signature!" error messages, which were generated if the client only sends NTLMSSP_NEGOTIATE_SIGN without NTLMSSP_NEGOTIATE_SEAL on an LDAP connection. This fixes a regession in the combination of commits 77adac8c3cd2f7419894d18db735782c9646a202 and 3a0b835408a6efa339e8b34333906bfe3aacd6e3. We need to evaluate GENSEC_FEATURE_LDAP_STYLE at the end of the authentication (as a server, while we already do so at the beginning as a client). As a reminder I introduced GENSEC_FEATURE_LDAP_STYLE (as an internal flag) in order to let us work as a Windows using NTLMSSP for LDAP. Even if only signing is negotiated during the authentication the following PDUs will still be encrypted if NTLMSSP is used. This is exactly the same as if the client would have negotiated NTLMSSP_NEGOTIATE_SEAL. I guess it's a bug in Windows, but we have to reimplement that bug. Note this only applies to NTLMSSP and only to LDAP! Signing only works fine for LDAP with Kerberos or DCERPC and NTLMSSP. Bug: https://bugzilla.samba.org/show_bug.cgi?id=13427 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Wed May 16 03:26:03 CEST 2018 on sn-devel-144 (cherry picked from commit c7a3ce95ac4ce837d8fde36578b3b1f56c3ac2fa) 
This fixes "NTLMSSP NTLM2 packet check failed due to invalid signature!"
error messages, which were generated if the client only sends
NTLMSSP_NEGOTIATE_SIGN without NTLMSSP_NEGOTIATE_SEAL on an LDAP
connection.

This fixes a regession in the combination of commits
77adac8c3cd2f7419894d18db735782c9646a202 and
3a0b835408a6efa339e8b34333906bfe3aacd6e3.

We need to evaluate GENSEC_FEATURE_LDAP_STYLE at the end
of the authentication (as a server, while we already
do so at the beginning as a client).

As a reminder I introduced GENSEC_FEATURE_LDAP_STYLE
(as an internal flag) in order to let us work as a
Windows using NTLMSSP for LDAP. Even if only signing is
negotiated during the authentication the following PDUs
will still be encrypted if NTLMSSP is used. This is exactly the
same as if the client would have negotiated NTLMSSP_NEGOTIATE_SEAL.
I guess it's a bug in Windows, but we have to reimplement that
bug. Note this only applies to NTLMSSP and only to LDAP!
Signing only works fine for LDAP with Kerberos
or DCERPC and NTLMSSP.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13427

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed May 16 03:26:03 CEST 2018 on sn-devel-144

(cherry picked from commit c7a3ce95ac4ce837d8fde36578b3b1f56c3ac2fa)
auth/ntlmssp: add ntlmssp_client:ldap_style_send_seal option 2018-06-04T07:54:22+00:00 Stefan Metzmacher metze@samba.org 2018-05-09T11:30:13+00:00 0edc63eb76fbc094085d8599b0b656359517affd This will be used to similate a Windows client only using NTLMSSP_NEGOTIATE_SIGN without NTLMSSP_NEGOTIATE_SEAL on an LDAP connection, which is indicated internally by GENSEC_FEATURE_LDAP_STYLE. Bug: https://bugzilla.samba.org/show_bug.cgi?id=13427 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit 7f2bebf09cd8056b3f901dd9ff1fc9e9525f3e9d) 
This will be used to similate a Windows client only
using NTLMSSP_NEGOTIATE_SIGN without NTLMSSP_NEGOTIATE_SEAL
on an LDAP connection, which is indicated internally by
GENSEC_FEATURE_LDAP_STYLE.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13427

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 7f2bebf09cd8056b3f901dd9ff1fc9e9525f3e9d)
tests/bind.py: Add a bind test with NTLMSSP with no domain 2018-03-20T16:13:08+00:00 Garming Sam garming@catalyst.net.nz 2018-01-08T03:34:02+00:00 7ea5588d089b5b97f307c71aa4de78fe0aa2441b Confirmed to pass against Windows 2012 R2. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13206 Signed-off-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> (cherry picked from commit 2e49a97777ebf5bffbeadca03517b4a21bca24c0) 
Confirmed to pass against Windows 2012 R2.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13206

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 2e49a97777ebf5bffbeadca03517b4a21bca24c0)
auth: add auth_user_info_copy() function 2018-03-20T16:13:08+00:00 Stefan Metzmacher metze@samba.org 2018-03-06T15:38:10+00:00 104de61756e6b098985c3a599a3ccf62cbbe7299 BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> (cherry picked from commit 6ff891195855403bc485725aef8d43d4e3cabacb) 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 6ff891195855403bc485725aef8d43d4e3cabacb)
CVE-2017-12150: auth/credentials: cli_credentials_authentication_requested() should check for NTLM_CCACHE/SIGN/SEAL 2017-09-20T10:00:34+00:00 Stefan Metzmacher metze@samba.org 2017-08-29T13:24:14+00:00 dfd11569de24064bcf8a4348b4b5271807dd501b BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997 Signed-off-by: Stefan Metzmacher <metze@samba.org> 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997

Signed-off-by: Stefan Metzmacher <metze@samba.org>
source4 netlogon: Add authentication logging for ServerAuthenticate3 2017-07-31T09:31:13+00:00 Gary Lockyer gary@catalyst.net.nz 2017-07-09T19:48:08+00:00 32e9367d37be9c6c40e6a1ea896094e5cdf141ea Log NETLOGON authentication activity by instrumenting the netr_ServerAuthenticate3 processing. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12865 Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> (cherry picked from commit efc335a03062740f51a6edd09d765a8b77e239c5) 
Log NETLOGON authentication activity by instrumenting the
netr_ServerAuthenticate3 processing.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12865

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit efc335a03062740f51a6edd09d765a8b77e239c5)
rpc: use symbolic constant to replace /root/ncalrpc_as_system 2017-07-31T09:31:12+00:00 Gary Lockyer gary@catalyst.net.nz 2017-07-23T23:00:45+00:00 05231408b4db97f9223f9586d3a51435ba5a8d6f Modified to use constant AS_SYSTEM_MAGIC_PATH_TOKEN instead of string literal "/root/ncalrpc_as_system" BUG: https://bugzilla.samba.org/show_bug.cgi?id=12865 Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> (cherry picked from commit 1898096c7ecef4c323b14b7cf30db4283386f913) 
Modified to use constant AS_SYSTEM_MAGIC_PATH_TOKEN instead of string literal
"/root/ncalrpc_as_system"

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12865

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit 1898096c7ecef4c323b14b7cf30db4283386f913)
auth: Disable SChannel authentication if we are not a DC 2017-07-04T04:57:20+00:00 Andrew Bartlett abartlet@samba.org 2017-07-03T01:10:35+00:00 d10e27c350d6e4b389fa15cdbc32dc0689e4fcc6 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz> 
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>