The Samba-Bugzilla – Attachment 17013 Details for
Bug 14901
The CVE-2020-25717 username map [script] advice has undesired side effects for the local nt token
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
patch from 4.13 backported to 4.10
bug-14901-v4-10.patch (text/plain), 29.18 KB, created by
Andrew Bartlett
on 2021-11-22 08:49:30 UTC
(
hide
)
Description:
patch from 4.13 backported to 4.10
Filename:
MIME Type:
Creator:
Andrew Bartlett
Created:
2021-11-22 08:49:30 UTC
Size:
29.18 KB
patch
obsolete
>From 8969da113d80d26f6353670cbeea8fae3e44fa5b Mon Sep 17 00:00:00 2001 >From: Andreas Schneider <asn@samba.org> >Date: Wed, 15 Jan 2020 14:39:56 +0100 >Subject: [PATCH 1/7] CVECVE-2020-25717 selftest: Add user joe >MIME-Version: 1.0 >Content-Type: text/plain; charset=UTF-8 >Content-Transfer-Encoding: 8bit > >Signed-off-by: Andreas Schneider <asn@samba.org> >Reviewed-by: Günther Deschner <gd@samba.org> >(cherry picked from commit b4a4adebd94558feb04220a04eadfc8e58624e53) > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901 > >[abartlet@samba.org Added CVE marker for the CVE this fixes are regression in] >--- > selftest/target/Samba4.pm | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > >diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm >index e5387132214..e10d8d71162 100755 >--- a/selftest/target/Samba4.pm >+++ b/selftest/target/Samba4.pm >@@ -1060,7 +1060,7 @@ servicePrincipalName: http/testupnspn.$ctx->{dnsname} > } > > # Create to users alice and bob! >- my $user_account_array = ["alice", "bob", "jane"]; >+ my $user_account_array = ["alice", "bob", "jane", "joe"]; > > foreach my $user_account (@{$user_account_array}) { > my $samba_tool_cmd = ""; >-- >2.25.1 > > >From 9b272b42b18c277887dc4eb657e372dccd3d5f5a Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Fri, 12 Nov 2021 15:27:58 +0100 >Subject: [PATCH 2/7] CVE-2020-25717: idmap_nss: verify that the name of the > sid belongs to the configured domain > >We already check the sid belongs to the domain, but checking the name >too feels better and make it easier to understand. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Ralph Boehme <slow@samba.org> > >[abartlet@samba.org backorted from commit bfd093648b4af51d104096c0cb3535e8706671e5 > as header libcli/security/dom_sid.h was not present for struct dom_sid_buf] > >[abartlet@samba.org fix CVE marker] >--- > source3/winbindd/idmap_nss.c | 27 ++++++++++++++++++++++----- > 1 file changed, 22 insertions(+), 5 deletions(-) > >diff --git a/source3/winbindd/idmap_nss.c b/source3/winbindd/idmap_nss.c >index 9e1efefeb24..3ffffd0a20e 100644 >--- a/source3/winbindd/idmap_nss.c >+++ b/source3/winbindd/idmap_nss.c >@@ -25,6 +25,7 @@ > #include "nsswitch/winbind_client.h" > #include "idmap.h" > #include "lib/winbind_util.h" >+#include "libcli/security/dom_sid.h" > > #undef DBGC_CLASS > #define DBGC_CLASS DBGC_IDMAP >@@ -135,18 +136,21 @@ static NTSTATUS idmap_nss_sids_to_unixids(struct idmap_domain *dom, struct id_ma > for (i = 0; ids[i]; i++) { > struct group *gr; > enum lsa_SidType type; >- const char *p = NULL; >+ const char *_domain = NULL; >+ const char *_name = NULL; >+ char *domain = NULL; > char *name = NULL; > bool ret; > > /* by default calls to winbindd are disabled > the following call will not recurse so this is safe */ > (void)winbind_on(); >- ret = winbind_lookup_sid(talloc_tos(), ids[i]->sid, NULL, >- &p, &type); >+ ret = winbind_lookup_sid(talloc_tos(), >+ ids[i]->sid, >+ &_domain, >+ &_name, >+ &type); > (void)winbind_off(); >- name = discard_const_p(char, p); >- > if (!ret) { > /* TODO: how do we know if the name is really not mapped, > * or something just failed ? */ >@@ -154,6 +158,18 @@ static NTSTATUS idmap_nss_sids_to_unixids(struct idmap_domain *dom, struct id_ma > continue; > } > >+ domain = discard_const_p(char, _domain); >+ name = discard_const_p(char, _name); >+ >+ if (!strequal(domain, dom->name)) { >+ struct dom_sid_buf buf; >+ DBG_ERR("DOMAIN[%s] ignoring SID[%s] belongs to %s [%s\\%s]\n", >+ dom->name, dom_sid_str_buf(ids[i]->sid, &buf), >+ sid_type_lookup(type), domain, name); >+ ids[i]->status = ID_UNMAPPED; >+ continue; >+ } >+ > switch (type) { > case SID_NAME_USER: { > struct passwd *pw; >@@ -186,6 +202,7 @@ static NTSTATUS idmap_nss_sids_to_unixids(struct idmap_domain *dom, struct id_ma > ids[i]->status = ID_UNKNOWN; > break; > } >+ TALLOC_FREE(domain); > TALLOC_FREE(name); > } > return NT_STATUS_OK; >-- >2.25.1 > > >From f10e305825cca52588fbee91781c0d5ec5dcf64f Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Fri, 12 Nov 2021 14:14:55 +1300 >Subject: [PATCH 3/7] CVE-2020-25717: tests/krb5: Add method to automatically > obtain server credentials > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901 > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Ralph Boehme <slow@samba.org> >(cherry picked from commit 5ea347d3673e35891613c90ca837d1ce4833c1b0) >--- > python/samba/tests/krb5/kdc_base_test.py | 42 ++++++++++++++++++++++++ > 1 file changed, 42 insertions(+) > >diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py >index f64bd0b206e..6e96b982167 100644 >--- a/python/samba/tests/krb5/kdc_base_test.py >+++ b/python/samba/tests/krb5/kdc_base_test.py >@@ -1063,6 +1063,48 @@ class KDCBaseTest(RawKerberosTest): > fallback_creds_fn=download_dc_creds) > return c > >+ def get_server_creds(self, >+ require_keys=True, >+ require_strongest_key=False): >+ if require_strongest_key: >+ self.assertTrue(require_keys) >+ >+ def download_server_creds(): >+ samdb = self.get_samdb() >+ >+ res = samdb.search(base=samdb.get_default_basedn(), >+ expression=(f'(|(sAMAccountName={self.host}*)' >+ f'(dNSHostName={self.host}))'), >+ scope=ldb.SCOPE_SUBTREE, >+ attrs=['sAMAccountName', >+ 'msDS-KeyVersionNumber']) >+ self.assertEqual(1, len(res)) >+ dn = res[0].dn >+ username = str(res[0]['sAMAccountName']) >+ >+ creds = KerberosCredentials() >+ creds.set_domain(self.env_get_var('DOMAIN', 'SERVER')) >+ creds.set_realm(self.env_get_var('REALM', 'SERVER')) >+ creds.set_username(username) >+ >+ kvno = int(res[0]['msDS-KeyVersionNumber'][0]) >+ creds.set_kvno(kvno) >+ creds.set_dn(dn) >+ >+ keys = self.get_keys(samdb, dn) >+ self.creds_set_keys(creds, keys) >+ >+ self.creds_set_enctypes(creds) >+ >+ return creds >+ >+ c = self._get_krb5_creds(prefix='SERVER', >+ allow_missing_password=True, >+ allow_missing_keys=not require_keys, >+ require_strongest_key=require_strongest_key, >+ fallback_creds_fn=download_server_creds) >+ return c >+ > def as_req(self, cname, sname, realm, etypes, padata=None, kdc_options=0): > '''Send a Kerberos AS_REQ, returns the undecoded response > ''' >-- >2.25.1 > > >From 9e29bca5530735378aaf46d2d54de7b89dc28afa Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Fri, 12 Nov 2021 20:53:30 +1300 >Subject: [PATCH 4/7] CVE-2020-25717: nsswitch/nsstest.c: Lower 'non existent > uid' to make room for new accounts > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901 > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Ralph Boehme <slow@samba.org> >(cherry picked from commit fdbee5e074ebd76d659613b8b7114d70f938c38a) >--- > nsswitch/nsstest.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > >diff --git a/nsswitch/nsstest.c b/nsswitch/nsstest.c >index 6d92806cffc..797f2613486 100644 >--- a/nsswitch/nsstest.c >+++ b/nsswitch/nsstest.c >@@ -460,7 +460,7 @@ static void nss_test_errors(void) > printf("ERROR Non existent user gave error %d\n", last_error); > } > >- pwd = getpwuid(0xFFF0); >+ pwd = getpwuid(0xFF00); > if (pwd || last_error != NSS_STATUS_NOTFOUND) { > total_errors++; > printf("ERROR Non existent uid gave error %d\n", last_error); >-- >2.25.1 > > >From b8e04947de65b230f84002f13f99094255dc2cab Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Fri, 12 Nov 2021 14:20:45 +1300 >Subject: [PATCH 5/7] CVE-2020-25717: selftest: turn ad_member_no_nss_wb into > ad_member_idmap_nss > >In reality environments without 'nss_winbind' make use of 'idmap_nss'. > >For testing, DOMAIN/bob is mapped to the local 'bob', >while DOMAIN/jane gets the uid based on the local 'jane' >vis idmap_nss. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901 > >Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Signed-off-by: Stefan Metzmacher <metze@samba.org> > >[metze@samba.org avoid to create a new ad_member_idmap_nss environment >and merge it with ad_member_no_nss_wb instead] >Reviewed-by: Ralph Boehme <slow@samba.org> > >[abartlet@samba.org in Backport to Samba 4.10 adjust to different > test environments present and older interfaces table] > >(cherry picked from commit 8a9f2aa2c1cdfa72ad50d7c4f879220fe37654cd) >--- > selftest/target/Samba.pm | 2 +- > selftest/target/Samba3.pm | 24 ++++++++++++++++++++---- > source4/selftest/tests.py | 2 +- > 3 files changed, 22 insertions(+), 6 deletions(-) > >diff --git a/selftest/target/Samba.pm b/selftest/target/Samba.pm >index 034d2ccf58c..8ed3af8aa1c 100644 >--- a/selftest/target/Samba.pm >+++ b/selftest/target/Samba.pm >@@ -431,7 +431,7 @@ sub get_interface($) > > $interfaces{"offlineadmem"} = 58; > >- $interfaces{"admemnonsswb"} = 60; >+ $interfaces{"admemidmapnss"} = 60; > > $interfaces{"rootdnsforwarder"} = 64; > >diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm >index 86cff419b57..16bbaa4d33f 100755 >--- a/selftest/target/Samba3.pm >+++ b/selftest/target/Samba3.pm >@@ -186,7 +186,7 @@ sub check_env($$) > ad_member_idmap_rid => ["ad_dc"], > ad_member_idmap_ad => ["fl2008r2dc"], > ad_member_offlogon => ["ad_dc"], >- ad_member_no_nss_wb => ["ad_dc"], >+ ad_member_idmap_nss => ["ad_dc"] > ); > > sub setup_nt4_dc >@@ -931,7 +931,7 @@ sub setup_ad_member_offlogon > 1); > } > >-sub setup_ad_member_no_nss_wb >+sub setup_ad_member_idmap_nss > { > my ($self, > $prefix, >@@ -942,14 +942,23 @@ sub setup_ad_member_no_nss_wb > return "UNKNOWN"; > } > >- print "PROVISIONING AD MEMBER WITHOUT NSS WINBIND..."; >+ print "PROVISIONING AD MEMBER WITHOUT NSS WINBIND WITH idmap_nss config..."; > > my $extra_member_options = " >+ # bob:x:65521:65531:localbob gecos:/:/bin/false >+ # jane:x:65520:65531:localjane gecos:/:/bin/false >+ idmap config $dcvars->{DOMAIN} : backend = nss >+ idmap config $dcvars->{DOMAIN} : range = 65520-65521 >+ >+ # Support SMB1 so that we can use posix_whoami(). >+ client min protocol = CORE >+ server min protocol = LANMAN1 >+ > username map = $prefix/lib/username.map > "; > > my $ret = $self->provision_ad_member($prefix, >- "ADMEMNONSSWB", >+ "ADMEMIDMAPNSS", > $dcvars, > $extra_member_options, > undef, >@@ -958,6 +967,7 @@ sub setup_ad_member_no_nss_wb > open(USERMAP, ">$prefix/lib/username.map") or die("Unable to open $prefix/lib/username.map"); > print USERMAP " > root = $dcvars->{DOMAIN}/root >+bob = $dcvars->{DOMAIN}/bob > "; > close(USERMAP); > >@@ -1893,6 +1903,8 @@ sub provision($$$$$$$$$) > my ($uid_gooduser); > my ($uid_eviluser); > my ($uid_slashuser); >+ my ($uid_localbob); >+ my ($uid_localjane); > > if ($unix_uid < 0xffff - 13) { > $max_uid = 0xffff; >@@ -1913,6 +1925,8 @@ sub provision($$$$$$$$$) > $uid_gooduser = $max_uid - 11; > $uid_eviluser = $max_uid - 12; > $uid_slashuser = $max_uid - 13; >+ $uid_localbob = $max_uid - 14; >+ $uid_localjane = $max_uid - 15; > > if ($unix_gids[0] < 0xffff - 8) { > $max_gid = 0xffff; >@@ -2570,6 +2584,8 @@ user2:x:$uid_user2:$gid_nogroup:user2 gecos:$prefix_abs:/bin/false > gooduser:x:$uid_gooduser:$gid_domusers:gooduser gecos:$prefix_abs:/bin/false > eviluser:x:$uid_eviluser:$gid_domusers:eviluser gecos::/bin/false > slashuser:x:$uid_slashuser:$gid_domusers:slashuser gecos:/:/bin/false >+bob:x:$uid_localbob:$gid_domusers:localbob gecos:/:/bin/false >+jane:x:$uid_localjane:$gid_domusers:localjane gecos:/:/bin/false > "; > if ($unix_uid != 0) { > print PASSWD "root:x:$uid_root:$gid_root:root gecos:$prefix_abs:/bin/false >diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py >index 02c46bb5da6..9c3a456f99f 100755 >--- a/source4/selftest/tests.py >+++ b/source4/selftest/tests.py >@@ -780,7 +780,7 @@ planoldpythontestsuite("ad_dc_smb1", "samba.tests.krb5.test_smb", > 'TKT_SIG_SUPPORT': tkt_sig_support, > 'EXPECT_PAC': expect_pac > }) >-planoldpythontestsuite("ad_member_no_nss_wb:local", >+planoldpythontestsuite("ad_member_idmap_nss:local", > "samba.tests.krb5.test_min_domain_uid", > environ={ > 'ADMIN_USERNAME': '$DC_USERNAME', >-- >2.25.1 > > >From b134d324696f2747f5ee495233f8f05b1f5107d2 Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Fri, 12 Nov 2021 14:22:47 +1300 >Subject: [PATCH 6/7] CVE-2020-25717: tests/krb5: Add a test for idmap_nss > mapping users to SIDs > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901 > >Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Signed-off-by: Stefan Metzmacher <metze@samba.org> > >[metze@samba.org removed unused tests for a feature that > was removed before merging] >Reviewed-by: Ralph Boehme <slow@samba.org> > >(cherry picked from commit 494bf7de6ff3e9abeb3753df0635737b80ce5bb7) >--- > python/samba/tests/krb5/test_idmap_nss.py | 232 +++++++++++++++++++++ > selftest/knownfail.d/idmap_nss_sid_mapping | 2 + > source4/selftest/tests.py | 16 ++ > 3 files changed, 250 insertions(+) > create mode 100755 python/samba/tests/krb5/test_idmap_nss.py > create mode 100644 selftest/knownfail.d/idmap_nss_sid_mapping > >diff --git a/python/samba/tests/krb5/test_idmap_nss.py b/python/samba/tests/krb5/test_idmap_nss.py >new file mode 100755 >index 00000000000..d3480dbca3f >--- /dev/null >+++ b/python/samba/tests/krb5/test_idmap_nss.py >@@ -0,0 +1,232 @@ >+#!/usr/bin/env python3 >+# Unix SMB/CIFS implementation. >+# Copyright (C) Stefan Metzmacher 2020 >+# Copyright (C) 2021 Catalyst.Net Ltd >+# >+# This program is free software; you can redistribute it and/or modify >+# it under the terms of the GNU General Public License as published by >+# the Free Software Foundation; either version 3 of the License, or >+# (at your option) any later version. >+# >+# This program is distributed in the hope that it will be useful, >+# but WITHOUT ANY WARRANTY; without even the implied warranty of >+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the >+# GNU General Public License for more details. >+# >+# You should have received a copy of the GNU General Public License >+# along with this program. If not, see <http://www.gnu.org/licenses/>. >+# >+ >+import sys >+import os >+ >+from ldb import SCOPE_SUBTREE >+from samba import NTSTATUSError >+from samba.credentials import DONT_USE_KERBEROS >+from samba.dcerpc import security >+from samba.ndr import ndr_unpack >+from samba.ntstatus import ( >+ NT_STATUS_NO_IMPERSONATION_TOKEN, >+ NT_STATUS_LOGON_FAILURE >+) >+from samba.samba3 import libsmb_samba_internal as libsmb >+from samba.samba3 import param as s3param >+ >+from samba.tests.krb5.kdc_base_test import KDCBaseTest >+ >+sys.path.insert(0, 'bin/python') >+os.environ['PYTHONUNBUFFERED'] = '1' >+ >+global_asn1_print = False >+global_hexdump = False >+ >+ >+class IdmapNssTests(KDCBaseTest): >+ >+ mappeduser_uid = 0xffff - 14 >+ mappeduser_sid = security.dom_sid(f'S-1-22-1-{mappeduser_uid}') >+ unmappeduser_uid = 0xffff - 15 >+ unmappeduser_sid = security.dom_sid(f'S-1-22-1-{unmappeduser_uid}') >+ >+ def get_mapped_creds(self, >+ allow_missing_password=False, >+ allow_missing_keys=True): >+ c = self._get_krb5_creds(prefix='MAPPED', >+ allow_missing_password=allow_missing_password, >+ allow_missing_keys=allow_missing_keys) >+ c.set_workstation('') >+ return c >+ >+ def get_unmapped_creds(self, >+ allow_missing_password=False, >+ allow_missing_keys=True): >+ c = self._get_krb5_creds(prefix='UNMAPPED', >+ allow_missing_password=allow_missing_password, >+ allow_missing_keys=allow_missing_keys) >+ c.set_workstation('') >+ return c >+ >+ def get_invalid_creds(self, >+ allow_missing_password=False, >+ allow_missing_keys=True): >+ c = self._get_krb5_creds(prefix='INVALID', >+ allow_missing_password=allow_missing_password, >+ allow_missing_keys=allow_missing_keys) >+ c.set_workstation('') >+ return c >+ >+ # Expect a mapping to the local user SID. >+ def test_mapped_user_kerberos(self): >+ user_creds = self.get_mapped_creds() >+ self._run_idmap_nss_test(user_creds, use_kerberos=True, >+ expected_first_sid=self.mappeduser_sid, >+ expected_uid=self.mappeduser_uid) >+ >+ # Expect a mapping to the local user SID. >+ def test_mapped_user_ntlm(self): >+ user_creds = self.get_mapped_creds() >+ self._run_idmap_nss_test(user_creds, use_kerberos=False, >+ expected_first_sid=self.mappeduser_sid, >+ expected_uid=self.mappeduser_uid) >+ >+ def test_mapped_user_no_pac_kerberos(self): >+ user_creds = self.get_mapped_creds() >+ self._run_idmap_nss_test( >+ user_creds, use_kerberos=True, remove_pac=True, >+ expected_error=NT_STATUS_NO_IMPERSONATION_TOKEN) >+ >+ def test_unmapped_user_kerberos(self): >+ user_creds = self.get_unmapped_creds() >+ self._run_idmap_nss_test(user_creds, use_kerberos=True, >+ expected_additional_sid=self.unmappeduser_sid, >+ expected_uid=self.unmappeduser_uid) >+ >+ def test_unmapped_user_ntlm(self): >+ user_creds = self.get_unmapped_creds() >+ self._run_idmap_nss_test(user_creds, use_kerberos=False, >+ expected_additional_sid=self.unmappeduser_sid, >+ expected_uid=self.unmappeduser_uid) >+ >+ def test_unmapped_user_no_pac_kerberos(self): >+ user_creds = self.get_unmapped_creds() >+ self._run_idmap_nss_test( >+ user_creds, use_kerberos=True, remove_pac=True, >+ expected_error=NT_STATUS_NO_IMPERSONATION_TOKEN) >+ >+ def test_invalid_user_kerberos(self): >+ user_creds = self.get_invalid_creds() >+ self._run_idmap_nss_test(user_creds, use_kerberos=True, >+ expected_error=NT_STATUS_LOGON_FAILURE) >+ >+ def test_invalid_user_ntlm(self): >+ user_creds = self.get_invalid_creds() >+ self._run_idmap_nss_test(user_creds, use_kerberos=False, >+ expected_error=NT_STATUS_LOGON_FAILURE) >+ >+ def test_invalid_user_no_pac_kerberos(self): >+ user_creds = self.get_invalid_creds() >+ self._run_idmap_nss_test( >+ user_creds, use_kerberos=True, remove_pac=True, >+ expected_error=NT_STATUS_NO_IMPERSONATION_TOKEN) >+ >+ def _run_idmap_nss_test(self, user_creds, >+ use_kerberos, >+ remove_pac=False, >+ expected_error=None, >+ expected_first_sid=None, >+ expected_additional_sid=None, >+ expected_uid=None): >+ if expected_first_sid is not None: >+ self.assertIsNotNone(expected_uid) >+ if expected_additional_sid is not None: >+ self.assertIsNotNone(expected_uid) >+ if expected_uid is not None: >+ self.assertIsNone(expected_error) >+ >+ if not use_kerberos: >+ self.assertFalse(remove_pac) >+ >+ samdb = self.get_samdb() >+ >+ server_name = self.host >+ service = 'cifs' >+ share = 'tmp' >+ >+ server_creds = self.get_server_creds() >+ >+ if expected_first_sid is None: >+ # Retrieve the user account's SID. >+ user_name = user_creds.get_username() >+ res = samdb.search(scope=SCOPE_SUBTREE, >+ expression=f'(sAMAccountName={user_name})', >+ attrs=['objectSid']) >+ self.assertEqual(1, len(res)) >+ >+ expected_first_sid = ndr_unpack(security.dom_sid, >+ res[0].get('objectSid', idx=0)) >+ >+ if use_kerberos: >+ # Talk to the KDC to obtain the service ticket, which gets placed >+ # into the cache. The machine account name has to match the name in >+ # the ticket, to ensure that the krbtgt ticket doesn't also need to >+ # be stored. >+ creds, cachefile = self.create_ccache_with_user( >+ user_creds, >+ server_creds, >+ service, >+ server_name, >+ pac=not remove_pac) >+ >+ # Remove the cached creds file. >+ self.addCleanup(os.remove, cachefile.name) >+ >+ # Set the Kerberos 5 creds cache environment variable. This is >+ # required because the codepath that gets run (gse_krb5) looks for >+ # it in here and not in the creds object. >+ krb5_ccname = os.environ.get('KRB5CCNAME', '') >+ self.addCleanup(os.environ.__setitem__, 'KRB5CCNAME', krb5_ccname) >+ os.environ['KRB5CCNAME'] = 'FILE:' + cachefile.name >+ else: >+ creds = user_creds >+ creds.set_kerberos_state(DONT_USE_KERBEROS) >+ >+ # Connect to a share and retrieve the user SID. >+ s3_lp = s3param.get_context() >+ s3_lp.load(self.get_lp().configfile) >+ >+ min_protocol = s3_lp.get('client min protocol') >+ self.addCleanup(s3_lp.set, 'client min protocol', min_protocol) >+ s3_lp.set('client min protocol', 'NT1') >+ >+ max_protocol = s3_lp.get('client max protocol') >+ self.addCleanup(s3_lp.set, 'client max protocol', max_protocol) >+ s3_lp.set('client max protocol', 'NT1') >+ >+ try: >+ conn = libsmb.Conn(server_name, share, lp=s3_lp, creds=creds) >+ except NTSTATUSError as e: >+ enum, _ = e.args >+ self.assertEqual(expected_error, enum) >+ return >+ else: >+ self.assertIsNone(expected_error) >+ >+ uid, gid, gids, sids, guest = conn.posix_whoami() >+ >+ # Ensure that they match. >+ self.assertEqual(expected_first_sid, sids[0]) >+ self.assertNotIn(expected_first_sid, sids[1:-1]) >+ >+ if expected_additional_sid: >+ self.assertNotEqual(expected_additional_sid, sids[0]) >+ self.assertIn(expected_additional_sid, sids) >+ >+ self.assertIsNotNone(expected_uid) >+ self.assertEqual(expected_uid, uid) >+ >+ >+if __name__ == '__main__': >+ global_asn1_print = False >+ global_hexdump = False >+ import unittest >+ unittest.main() >diff --git a/selftest/knownfail.d/idmap_nss_sid_mapping b/selftest/knownfail.d/idmap_nss_sid_mapping >new file mode 100644 >index 00000000000..7e1913f03fc >--- /dev/null >+++ b/selftest/knownfail.d/idmap_nss_sid_mapping >@@ -0,0 +1,2 @@ >+^samba.tests.krb5.test_idmap_nss.samba.tests.krb5.test_idmap_nss.IdmapNssTests.test_unmapped_user_kerberos >+^samba.tests.krb5.test_idmap_nss.samba.tests.krb5.test_idmap_nss.IdmapNssTests.test_unmapped_user_ntlm >diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py >index 9c3a456f99f..cb18b5c82a6 100755 >--- a/source4/selftest/tests.py >+++ b/source4/selftest/tests.py >@@ -787,6 +787,22 @@ planoldpythontestsuite("ad_member_idmap_nss:local", > 'ADMIN_PASSWORD': '$DC_PASSWORD', > 'STRICT_CHECKING': '0' > }) >+planoldpythontestsuite("ad_member_idmap_nss:local", >+ "samba.tests.krb5.test_idmap_nss", >+ environ={ >+ 'ADMIN_USERNAME': '$DC_USERNAME', >+ 'ADMIN_PASSWORD': '$DC_PASSWORD', >+ 'MAPPED_USERNAME': 'bob', >+ 'MAPPED_PASSWORD': 'Secret007', >+ 'UNMAPPED_USERNAME': 'jane', >+ 'UNMAPPED_PASSWORD': 'Secret007', >+ 'INVALID_USERNAME': 'joe', >+ 'INVALID_PASSWORD': 'Secret007', >+ 'STRICT_CHECKING': '0', >+ 'FAST_SUPPORT': have_fast_support, >+ 'TKT_SIG_SUPPORT': tkt_sig_support, >+ 'EXPECT_PAC': expect_pac >+ }) > > for env in ["ad_dc", smbv1_disabled_testenv]: > planoldpythontestsuite(env, "samba.tests.smb", extra_args=['-U"$USERNAME%$PASSWORD"'], py3_compatible=True) >-- >2.25.1 > > >From e05e7ec2d5d0a4ec20a6fdd97b82b1520fd676ca Mon Sep 17 00:00:00 2001 >From: Andrew Bartlett <abartlet@samba.org> >Date: Fri, 12 Nov 2021 16:10:31 +1300 >Subject: [PATCH 7/7] CVE-2020-25717: s3:auth: Fallback to a SID/UID based > mapping if the named based lookup fails >MIME-Version: 1.0 >Content-Type: text/plain; charset=UTF-8 >Content-Transfer-Encoding: 8bit > >Before the CVE-2020-25717 fixes we had a fallback from >getpwnam('DOMAIN\user') to getpwnam('user') which was very dangerous and >unpredictable. > >Now we do the fallback based on sid_to_uid() followed by >getpwuid() on the returned uid. > >This obsoletes 'username map [script]' based workaround adviced >for CVE-2020-25717, when nss_winbindd is not used or >idmap_nss is actually used. > >In future we may decide to prefer or only do the SID/UID based >lookup, but for now we want to keep this unchanged as much as possible. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901 > >Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> > >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >Signed-off-by: Stefan Metzmacher <metze@samba.org> > >[metze@samba.org moved the new logic into the fallback codepath only > in order to avoid behavior changes as much as possible] >Reviewed-by: Ralph Boehme <slow@samba.org> > >Autobuild-User(master): Ralph Böhme <slow@samba.org> >Autobuild-Date(master): Mon Nov 15 19:01:56 UTC 2021 on sn-devel-184 > >[abartlet@samba.org backported from commit 0a546be05295a7e4a552f9f4f0c74aeb2e9a0d6e > as usage.py is not present in Samba 4.10] >--- > selftest/knownfail.d/idmap_nss_sid_mapping | 2 -- > source3/auth/auth_util.c | 34 +++++++++++++++++++++- > 2 files changed, 33 insertions(+), 3 deletions(-) > delete mode 100644 selftest/knownfail.d/idmap_nss_sid_mapping > >diff --git a/selftest/knownfail.d/idmap_nss_sid_mapping b/selftest/knownfail.d/idmap_nss_sid_mapping >deleted file mode 100644 >index 7e1913f03fc..00000000000 >--- a/selftest/knownfail.d/idmap_nss_sid_mapping >+++ /dev/null >@@ -1,2 +0,0 @@ >-^samba.tests.krb5.test_idmap_nss.samba.tests.krb5.test_idmap_nss.IdmapNssTests.test_unmapped_user_kerberos >-^samba.tests.krb5.test_idmap_nss.samba.tests.krb5.test_idmap_nss.IdmapNssTests.test_unmapped_user_ntlm >diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c >index c0e5cfd7fa8..b463059f259 100644 >--- a/source3/auth/auth_util.c >+++ b/source3/auth/auth_util.c >@@ -1837,7 +1837,9 @@ const struct auth_session_info *get_session_info_system(void) > ***************************************************************************/ > > static NTSTATUS check_account(TALLOC_CTX *mem_ctx, const char *domain, >- const char *username, char **found_username, >+ const char *username, >+ const struct dom_sid *sid, >+ char **found_username, > struct passwd **pwd, > bool *username_was_mapped) > { >@@ -1872,6 +1874,31 @@ static NTSTATUS check_account(TALLOC_CTX *mem_ctx, const char *domain, > } > > passwd = smb_getpwnam(mem_ctx, dom_user, &real_username, false); >+ if (!passwd && !*username_was_mapped) { >+ struct dom_sid_buf buf; >+ uid_t uid; >+ bool ok; >+ >+ DBG_DEBUG("Failed to find authenticated user %s via " >+ "getpwnam(), fallback to sid_to_uid(%s).\n", >+ dom_user, dom_sid_str_buf(sid, &buf)); >+ >+ ok = sid_to_uid(sid, &uid); >+ if (!ok) { >+ DBG_ERR("Failed to convert SID %s to a UID (dom_user[%s])\n", >+ dom_sid_str_buf(sid, &buf), dom_user); >+ return NT_STATUS_NO_SUCH_USER; >+ } >+ passwd = getpwuid_alloc(mem_ctx, uid); >+ if (!passwd) { >+ DBG_ERR("Failed to find local account with UID %lld for SID %s (dom_user[%s])\n", >+ (long long)uid, >+ dom_sid_str_buf(sid, &buf), >+ dom_user); >+ return NT_STATUS_NO_SUCH_USER; >+ } >+ real_username = talloc_strdup(mem_ctx, passwd->pw_name); >+ } > if (!passwd) { > DEBUG(3, ("Failed to find authenticated user %s via " > "getpwnam(), denying access.\n", dom_user)); >@@ -2017,6 +2044,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, > bool username_was_mapped; > struct passwd *pwd; > struct auth_serversupplied_info *result; >+ struct dom_sid sid; > TALLOC_CTX *tmp_ctx = talloc_stackframe(); > > /* >@@ -2063,9 +2091,13 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, > > /* this call will try to create the user if necessary */ > >+ sid_copy(&sid, info3->base.domain_sid); >+ sid_append_rid(&sid, info3->base.rid); >+ > nt_status = check_account(tmp_ctx, > nt_domain, > nt_username, >+ &sid, > &found_username, > &pwd, > &username_was_mapped); >-- >2.25.1 >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=17013">View the attachment on a separate page</a>.</b>
View Attachment As Raw
Flags:
abartlet
:
ci-passed?
(
abartlet
)
Actions:
View
Attachments on
bug 14901
:
16996
|
16997
|
16998
| 17013