samba.git/source4/rpc_server, branch talloc-2.3.2 Unnamed repository; edit this file 'description' to name the repository. s4:rpc_server: Allow to use RC4 for creating trusts 2020-11-09T08:58:35+00:00 Andreas Schneider asn@samba.org 2020-08-20T11:51:39+00:00 c75dd1ea178325b8f65343cb5c35bb93f43a49a3 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
s4:rpc_server: Use gnutls_cipher_decrypt() in get_trustdom_auth_blob() 2020-11-09T08:58:35+00:00 Andreas Schneider asn@samba.org 2020-11-06T13:33:38+00:00 c93ccebdfedd60c1d19f1b1436ac30062259952a It doesn't matter for RC4, but just to be correct. Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> 
It doesn't matter for RC4, but just to be correct.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
 s4:rpc_server: Allow to use RC4 for setting passwords 2020-10-29T14:19:36+00:00 Andreas Schneider asn@samba.org 2019-11-15T12:49:40+00:00 a9c532c6d3e85fbe49b7040254cfc66ab54074bc Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
 CVE-2020-1472(ZeroLogon): rpc_server/netlogon: Fix confounder check 2020-10-16T04:45:40+00:00 Gary Lockyer gary@catalyst.net.nz 2020-09-24T01:35:47+00:00 b9b6abf18b873ee83194405719fe993b8fb2073a Add check for zero length confounder, to allow setting of passwords 512 bytes long. This does not need to be backported, as it is extremely unlikely that anyone is using 512 byte passwords. Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Add check for zero length confounder, to allow setting of passwords 512
bytes long. This does not need to be backported, as it is extremely
unlikely that anyone is using 512 byte passwords.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Fix build after removal of an extra safe_string.h 2020-10-01T22:45:29+00:00 Alexander Bokovoy ab@samba.org 2020-10-01T12:22:12+00:00 234957a2e4408537c5722edf04dfe03dd31bd1b1 Move of strcasecmp redefine to lib/util/safe_string.h in https://gitlab.com/samba-team/samba/-/merge_requests/1507 broke build on Fedora 33 with GCC 10.2.1 for those compilation units that use ldb_att_cmp(). The reason for that is that ldb_attr_cmp() defined as #define ldb_attr_cmp(a, b) strcasecmp(a, b) because attribute names restricted to be ASCII by RFC2251 (LDAPv3 spec). A solution is to add #undef strcasecmp to all source code files which use ldb_attr_cmp(). Signed-off-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Thu Oct 1 22:45:29 UTC 2020 on sn-devel-184 
Move of strcasecmp redefine to lib/util/safe_string.h in
https://gitlab.com/samba-team/samba/-/merge_requests/1507 broke build on
Fedora 33 with GCC 10.2.1 for those compilation units that use
ldb_att_cmp().

The reason for that is that ldb_attr_cmp() defined as

   #define ldb_attr_cmp(a, b) strcasecmp(a, b)

because attribute names restricted to be ASCII by RFC2251 (LDAPv3 spec).

A solution is to add

   #undef strcasecmp

to all source code files which use ldb_attr_cmp().

Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Oct  1 22:45:29 UTC 2020 on sn-devel-184
CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: log warnings about unsecure configurations 2020-09-18T12:48:39+00:00 Stefan Metzmacher metze@samba.org 2020-09-17T11:37:26+00:00 ca8a0098ac207123a47b8b8f8602599d71d739db This should give admins wawrnings until they have a secure configuration. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> Reviewed-by: Günther Deschner <gd@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz> 
This should give admins wawrnings until they have a secure
configuration.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: support "server require schannel:WORKSTATION$ = no" 2020-09-18T12:48:38+00:00 Stefan Metzmacher metze@samba.org 2020-09-16T08:56:53+00:00 f9b772bf286b7bde6a29cb8d7bbd241638daf5e7 This allows to add expections for individual workstations, when using "server schannel = yes". "server schannel = auto" is very insecure and will be removed soon. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz> 
This allows to add expections for individual workstations, when using "server schannel = yes".
"server schannel = auto" is very insecure and will be removed soon.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: refactor dcesrv_netr_creds_server_step_check() 2020-09-18T12:48:38+00:00 Stefan Metzmacher metze@samba.org 2020-09-16T08:18:45+00:00 be8e63949908d8c10d490c8cd0119df4fb917eeb We should debug more details about the failing request. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz> 
We should debug more details about the failing request.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: protect netr_ServerPasswordSet2 against unencrypted passwords 2020-09-18T12:48:38+00:00 Stefan Metzmacher metze@samba.org 2020-09-16T17:20:25+00:00 d8a6e6549c185daa26852d6d85f475cddfb3083a BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz> 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
CVE-2020-1472(ZeroLogon): s4:rpc_server:netlogon: make use of netlogon_creds_random_challenge() 2020-09-18T12:48:38+00:00 Stefan Metzmacher metze@samba.org 2020-09-16T14:10:53+00:00 74eb448adf7fb638fe925eab87a2dbfe9c002cc0 This is not strictly needed, but makes things more clear. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz> 
This is not strictly needed, but makes things more clear.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>