samba.git/source3/param, branch talloc-2.4.0 Unnamed repository; edit this file 'description' to name the repository. s3:params:lp_do_section - protect against NULL deref 2022-12-20T18:49:54+00:00 Andrew Walker awalker@ixsystems.com 2022-12-19T13:17:47+00:00 5b19288949e97a5af742ff2719992d56f21e364a iServiceIndex may indicate an empty slot in the ServicePtrs array. In this case, lpcfg_serivce_ok(ServicePtrs[iServiceIndex]) may trigger a NULL deref and crash. Skipping the check here will cause a scan of the array in add_a_service() and the NULL slot will be used safely. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15267 Signed-off-by: Andrew Walker <awalker@ixsystems.com> Reviewed-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Tue Dec 20 18:49:54 UTC 2022 on sn-devel-184 
iServiceIndex may indicate an empty slot in the ServicePtrs
array. In this case, lpcfg_serivce_ok(ServicePtrs[iServiceIndex])
may trigger a NULL deref and crash. Skipping the check
here will cause a scan of the array in add_a_service() and the
NULL slot will be used safely.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15267

Signed-off-by: Andrew Walker <awalker@ixsystems.com>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Dec 20 18:49:54 UTC 2022 on sn-devel-184
s3-librpc: add ads.idl and convert ads_struct to talloc. 2022-12-16T20:38:32+00:00 Günther Deschner gd@samba.org 2016-08-17T09:58:02+00:00 39e8489dfc51b2293afa13d58b167819b46918dc Guenther Signed-off-by: Guenther Deschner <gd@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> 
Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
CVE-2022-37966 param: let "kdc default domain supportedenctypes = 0" mean the default 2022-12-13T13:07:30+00:00 Stefan Metzmacher metze@samba.org 2022-11-30T08:05:51+00:00 fa64f8fa8d92167ed15d1109af65bbb4daab4bad In order to allow better upgrades we need the default value for smb.conf to the same even if the effective default value of the software changes in future. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
In order to allow better upgrades we need the default value for smb.conf to the
same even if the effective default value of the software changes in future.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
CVE-2022-37966 param: don't explicitly initialize "kdc force enable rc4 weak session keys" to false/"no" 2022-12-13T13:07:30+00:00 Stefan Metzmacher metze@samba.org 2022-11-30T08:02:41+00:00 7504a4d6fee7805aac7657b9dab88c48353d6db4 This is not squashed in order to allow easier backports... BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
This is not squashed in order to allow easier backports...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
CVE-2022-37966 param: Add support for new option "kdc force enable rc4 weak session keys" 2022-12-13T13:07:29+00:00 Andrew Bartlett abartlet@samba.org 2022-11-18T00:44:28+00:00 ee18bc29b8ef6a3f09070507cc585467e55a1628 Pair-Programmed-With: Joseph Sutton <josephsutton@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <metze@samba.org> 
Pair-Programmed-With: Joseph Sutton <josephsutton@catalyst.net.nz>

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
CVE-2022-37966 param: Add support for new option "kdc default domain supportedenctypes" 2022-12-13T13:07:29+00:00 Joseph Sutton josephsutton@catalyst.net.nz 2022-11-15T05:14:36+00:00 d861d4eb28bd4c091955c11669edcf867b093a6f This matches the Windows registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\KDC\DefaultDomainSupportedEncTypes BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org> Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> 
This matches the Windows registry key

HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\KDC\DefaultDomainSupportedEncTypes

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
CVE-2022-38023 docs-xml/smbdotconf: add "server schannel require seal[:COMPUTERACCOUNT]" options 2022-12-13T13:07:29+00:00 Stefan Metzmacher metze@samba.org 2022-11-25T15:53:35+00:00 7732a4b0bde1d9f98a0371f17d22648495329470 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
CVE-2022-38023 docs-xml/smbdotconf: change 'reject md5 clients' default to yes 2022-12-13T13:07:29+00:00 Stefan Metzmacher metze@samba.org 2022-11-24T17:26:18+00:00 c8e53394b98b128ed460a6111faf05dfbad980d1 AES is supported by Windows Server >= 2008R2, Windows (Client) >= 7 and Samba >= 4.0, so there's no reason to allow md5 clients by default. However some third party domain members may need it. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> 
AES is supported by Windows Server >= 2008R2, Windows (Client) >= 7 and Samba >= 4.0,
so there's no reason to allow md5 clients by default.
However some third party domain members may need it.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
CVE-2022-38023 docs-xml/smbdotconf: change 'reject md5 servers' default to yes 2022-12-13T13:07:29+00:00 Stefan Metzmacher metze@samba.org 2022-11-24T17:22:23+00:00 1c6c1129905d0c7a60018e7bf0f17a0fd198a584 AES is supported by Windows >= 2008R2 and Samba >= 4.0 so there's no reason to allow md5 servers by default. Note the change in netlogon_creds_cli_context_global() is only cosmetic, but avoids confusion while reading the code. Check with: git show -U35 libcli/auth/netlogon_creds_cli.c BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> 
AES is supported by Windows >= 2008R2 and Samba >= 4.0 so there's no
reason to allow md5 servers by default.

Note the change in netlogon_creds_cli_context_global() is only cosmetic,
but avoids confusion while reading the code. Check with:

 git show -U35 libcli/auth/netlogon_creds_cli.c

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
smbd: Remove a few "extern userdom_struct current_user_info" 2022-12-12T22:14:20+00:00 Volker Lendecke vl@samba.org 2022-11-30T17:47:21+00:00 5d82af05f31bab9bea3de6b6a650a5bcc68e00af get_current_username() returns current_user_info.smb_name Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Mon Dec 12 22:14:20 UTC 2022 on sn-devel-184 
get_current_username() returns current_user_info.smb_name

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Dec 12 22:14:20 UTC 2022 on sn-devel-184