samba.git/source4/kdc, branch talloc-2.3.0 Unnamed repository; edit this file 'description' to name the repository. auth auth_log: csbuild unused parm unix_username 2019-06-13T07:16:22+00:00 Gary Lockyer gary@catalyst.net.nz 2019-06-07T01:41:35+00:00 ae4461dce98a70740d8deabf4859cb96032bdf67 Fixes csbuild errors Error: COMPILER_WARNING: auth/auth_log.c: scope_hint: In function ‘log_authentication_event_json’ auth/auth_log.c:146:14: warning: unused parameter ‘unix_username’ [-Wunused-parameter] Error: COMPILER_WARNING: auth/auth_log.c: scope_hint: In function ‘log_authentication_event_human_readable’ auth/auth_log.c:586:14: warning: unused parameter ‘unix_username’ [-Wunused-parameter] Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andreas Schneider <asn@samba.org> 
Fixes csbuild errors

Error: COMPILER_WARNING:
auth/auth_log.c: scope_hint: In function ‘log_authentication_event_json’
auth/auth_log.c:146:14: warning: unused parameter ‘unix_username’
[-Wunused-parameter]

Error: COMPILER_WARNING:
auth/auth_log.c: scope_hint: In function
‘log_authentication_event_human_readable’
auth/auth_log.c:586:14: warning: unused parameter ‘unix_username’
[-Wunused-parameter]

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
kdc hdb: Generate and pass logon ID 2019-02-20T05:03:09+00:00 Gary Lockyer gary@catalyst.net.nz 2019-02-01T00:46:01+00:00 e8e4f35bb1d7328ef7871c02d7fbb78d970fa71d Generate and pass the logon_id in SamLogon calls Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Generate and pass the logon_id in SamLogon calls

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
librpc idl: netlogon netr_identity_info logon_id to 64 bit 2019-02-20T05:03:09+00:00 Gary Lockyer gary@catalyst.net.nz 2018-12-20T02:02:30+00:00 96e6adedcd9dfb7556f503a9d7602ac04fe870c1 Fold the two 32 bit values logon_id_high and logon_id_low into a single 64 bit logon_id in netr_identity_info. This will be used to tie together winbind and SamLogon requests in audit logging. Summary of the of the Query and Response from Microsoft on it's usage. [REG:119013019612095] [MS-NRPC]: NETLOGON_LOGON_IDENTITY_INFO: Does the Reserved field have LogonId meaning? Questions: In NetrLogonSamLogonEx does the Reserved field (of NETLOGON_LOGON_IDENTITY_INFO) have LogonId meaning? What is a valid LogonID, and does have any audit usage? Samba is sending a constant "deadbeef" in hex and would like to understand any usage of this field. Response: The NRPC spec is accurate in defining the field as Reserved, and without protocol significance. In the header file in our source code, it is defined as LogonId and commented as such, but it’s effectively not used. This is probably why the API structure has that field name. It may have been intended as such but it’s not used. Samba will send a random value in this field. Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Fold the two 32 bit values logon_id_high and logon_id_low into a single
64 bit logon_id in netr_identity_info.  This will be used to tie
together winbind and SamLogon requests in audit logging.

Summary of the of the Query and Response from Microsoft on it's usage.

[REG:119013019612095] [MS-NRPC]: NETLOGON_LOGON_IDENTITY_INFO: Does
the Reserved field have LogonId meaning?

Questions:
  In NetrLogonSamLogonEx does the Reserved field
  (of NETLOGON_LOGON_IDENTITY_INFO) have LogonId meaning?

  What is a valid LogonID, and does have any audit usage?

  Samba is sending a constant "deadbeef" in hex and would like to
  understand any usage of this field.

Response:
  The NRPC spec is accurate in defining the field as Reserved, and without
  protocol significance. In the header file in our source code, it is
  defined as LogonId and commented as such, but it’s effectively not used.
  This is probably why the API structure has that field name. It may have
  been intended as such but it’s not used.

Samba will send a random value in this field.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
s4:kdc: Fix size type for num_bind in kdc-heimdal 2019-01-19T14:36:51+00:00 Andreas Schneider asn@samba.org 2019-01-18T18:09:12+00:00 448d67bae7201523f971f02d2f8578752cd83706 This fixes a compile error on sn-devel184. Signed-off-by: Andreas Schneider <asn@samba.org> Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> Autobuild-Date(master): Sat Jan 19 15:36:51 CET 2019 on sn-devel-144 
This fixes a compile error on sn-devel184.

Signed-off-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Sat Jan 19 15:36:51 CET 2019 on sn-devel-144
s4: Add kerberos tracing 2018-12-20T00:31:17+00:00 Swen Schillig swen@linux.ibm.com 2018-12-05T10:55:09+00:00 357fe04bd477858bb21cfb5e8a5e0efc556864d6 Replace kerberos context initialization from raw krb5_init_context() to smb_krb5_init_context_basic() which is adding common tracing as well. Signed-off-by: Swen Schillig <swen@linux.ibm.com> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Christof Schmitt <cs@samba.org> Autobuild-User(master): Christof Schmitt <cs@samba.org> Autobuild-Date(master): Thu Dec 20 01:31:17 CET 2018 on sn-devel-144 
Replace kerberos context initialization from
raw krb5_init_context() to smb_krb5_init_context_basic()
which is adding common tracing as well.

Signed-off-by: Swen Schillig <swen@linux.ibm.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>

Autobuild-User(master): Christof Schmitt <cs@samba.org>
Autobuild-Date(master): Thu Dec 20 01:31:17 CET 2018 on sn-devel-144
krb5_wrap: Add a talloc_ctx to smb_krb5_principal_get_realm() 2018-11-28T16:44:15+00:00 Volker Lendecke vl@samba.org 2018-11-20T16:45:11+00:00 a167014554c9cac1ed751adce488dce164da5979 Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> 
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
CVE-2018-16853: fix crash in expired passowrd case 2018-11-28T07:22:25+00:00 Isaac Boukris iboukris@gmail.com 2018-11-07T20:53:35+00:00 6ab51b2af90f5dca11b8587b2a16215ab4497069 When calling encode_krb5_padata_sequence() make sure to pass a null terminated array as required. Fixes expired passowrd case in samba4.blackbox.kinit test. Signed-off-by: Isaac Boukris <iboukris@gmail.com> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> 
When calling encode_krb5_padata_sequence() make sure to
pass a null terminated array as required.

Fixes expired passowrd case in samba4.blackbox.kinit test.

Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
CVE-2018-16853: Do not segfault if client is not set 2018-11-28T07:22:24+00:00 Andreas Schneider asn@samba.org 2016-09-28T05:22:32+00:00 7cddbcf039a7a67df2bae1779254e2a136f673f0 This can be triggered with FAST but we don't support this yet. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13571 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> 
This can be triggered with FAST but we don't support this yet.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13571

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
CVE-2018-16853: The ticket in check_policy_as can actually be a TGS 2018-11-28T07:22:24+00:00 Isaac Boukris iboukris@gmail.com 2018-08-17T21:40:30+00:00 6c453aeb0c771d14fe501e9a37d9f51b9403872b This happens when we are called from S4U2Self flow, and in that case kdcreq->client is NULL. Use the name from client entry instead. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13571 Signed-off-by: Isaac Boukris <iboukris@gmail.com> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> 
This happens when we are called from S4U2Self flow, and in that case
kdcreq->client is NULL.  Use the name from client entry instead.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13571

Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
CVE-2018-16841 heimdal: Fix segfault on PKINIT with mis-matching principal 2018-11-28T07:22:23+00:00 Andrew Bartlett abartlet@samba.org 2018-10-23T04:33:46+00:00 b6e9c4b8bbd63fbf29f576d98ee7ff1154a90565 In Heimdal KRB5_KDC_ERR_CLIENT_NAME_MISMATCH is an enum, so we tried to double-free mem_ctx. This was introduced in 9a0263a7c316112caf0265237bfb2cfb3a3d370d for the MIT KDC effort. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13628 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz> 
In Heimdal KRB5_KDC_ERR_CLIENT_NAME_MISMATCH is an enum, so we tried to double-free
mem_ctx.

This was introduced in 9a0263a7c316112caf0265237bfb2cfb3a3d370d for the
MIT KDC effort.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13628

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>