The branch, master has been updated
       via  22eb416 repl: Specify the target realm in dreplsrv_get_target_principal()
       via  736098e WHATSNEW: Include info on secured winbindd connections
       via  afe02d1 winbindd: Change value of "ldap sasl wrapping" to sign
       via  e2cd325 winbindd: Do not make anonymous connections by default
       via  b9701a0 provision: Change the default functional level of new Samba domains to 2008R2.
      from  bf0ee5f ldb: fix a typo in the comment, LDB_FLAGS_MOD_xxx -> LDB_FLAG_MOD_xxx

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 22eb416d166e5772619518fc2adc26a6783abdb1
Author: Andrew Bartlett <abart...@samba.org>
Date:   Mon Aug 11 17:31:53 2014 +1200

    repl: Specify the target realm in dreplsrv_get_target_principal()
    
    We know what realm we need to contact, so avoid trying to correctly get a referral from our KDC.
    
    Andrew Bartlett
    
    Change-Id: I154ff72f3176d581b64e0c67d4a9c5f1f76b7924
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    
    Autobuild-User(master): Stefan Metzmacher <me...@samba.org>
    Autobuild-Date(master): Tue Sep 30 14:58:50 CEST 2014 on sn-devel-104

commit 736098e2cf0fc63fb19525f265aff8e07cc7afba
Author: Andrew Bartlett <abart...@samba.org>
Date:   Tue Sep 23 13:40:23 2014 -0700

    WHATSNEW: Include info on secured winbindd connections
    
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit afe02d12f444ad9a6abf31a61f578320520263a9
Author: Andrew Bartlett <abart...@samba.org>
Date:   Fri Sep 5 17:38:38 2014 +1200

    winbindd: Change value of "ldap sasl wrapping" to sign
    
    This is to disrupt MITM attacks between us and our DC
    
    Pair-programmed-with: Garming Sam <garm...@catalyst.net.nz>
    Signed-off-by: Garming Sam <garm...@catalyst.net.nz>
    Signed-off-by: Andrew Bartlett <abart...@samba.org>

commit e2cd3257141bd4a88cda1fff5bde9df60b253a97
Author: Andrew Bartlett <abart...@samba.org>
Date:   Fri Sep 5 17:00:31 2014 +1200

    winbindd: Do not make anonymous connections by default
    
    The requirement is that we have "winbind sealed pipes = false" and
    "require strong key = false" before we make anonymous connections.
    These are a security risk as we cannot prevent MITM attacks.
    
    Andrew Bartlett
    
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit b9701a0a79dd15dd6f53075638fba9a2a3d92e19
Author: Andrew Bartlett <abart...@samba.org>
Date:   Wed Sep 24 11:01:18 2014 -0700

    provision: Change the default functional level of new Samba domains to 2008R2.
    
    Windows 2003 is going out of support shortly, and we want users to have AES by default
    
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 WHATSNEW.txt                                       |   15 ++++++++++
 .../smbdotconf/ldap/clientldapsaslwrapping.xml     |    8 ++---
 lib/param/loadparm.c                               |    2 +
 python/samba/netcmd/domain.py                      |    4 +-
 python/samba/provision/__init__.py                 |    2 +-
 source3/param/loadparm.c                           |    2 +
 source3/winbindd/winbindd_cm.c                     |   29 ++++++++++++++++++++
 source4/dsdb/repl/drepl_partitions.c               |    4 +-
 testprogs/blackbox/upgradeprovision-oldrelease.sh  |    2 +-
 9 files changed, 57 insertions(+), 11 deletions(-)


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 0ab0561..78fc777 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -90,6 +90,21 @@ services parameter specified should ensure they change 
'winbind' to
 The 'samba' binary still manages the starting of this service, there
 is no need to start the winbindd binary manually.
 
+Winbind now requires secured connections
+========================================
+
+To improve protection against rouge domain controllers we now require
+that when we connect to an AD DC in our forest, that the connection be
+signed using SMB Signing.  Set 'client signing = off' in the smb.conf
+to disable.
+
+Also and DCE/RPC pipes must be sealed, set 'require strong key =
+false' and 'winbind sealed pipes = false' to disable.
+
+Finally, the default for 'client ldap sasl wrapping' has been set to
+'sign', to ensure the integrity of LDAP connections.  Set 'client ldap
+sasl wrapping = plain' to disable.
+
 Larger IO sizes for SMB2/3 by default
 =====================================
 
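Review bot: two wording defects in the new WHATSNEW section: 'rouge domain controllers' should read 'rogue domain controllers', and 'Also and DCE/RPC pipes must be sealed' should read 'Also, DCE/RPC pipes must be sealed'. The parameter names quoted here ('winbind sealed pipes', 'require strong key', 'client ldap sasl wrapping') match the checks and defaults in the winbindd_cm.c and loadparm.c hunks of this changeset, but none of the files in the summary touches SMB signing, so confirm that the 'client signing' requirement and its 'off' opt-out described in the first paragraph are already in the tree rather than introduced here.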
diff --git a/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml 
b/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml
index 076b05c..e0ce700 100644
--- a/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml
+++ b/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml
@@ -34,11 +34,9 @@
        </para>
 
        <para>
-       The default value is <emphasis>plain</emphasis> which is not irritable 
-       to KRB5 clock skew errors. That implies synchronizing the time
-       with the KDC in the case of using <emphasis>sign</emphasis> or 
-       <emphasis>seal</emphasis>.
+       The default value is <emphasis>sign</emphasis>. That implies 
synchronizing the time
+       with the KDC in the case of using <emphasis>Kerberos</emphasis>.
        </para>
 </description>
-<value type="default">plain</value>
+<value type="default">sign</value>
 </samba:parameter>
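Review bot: the rewritten paragraph loses the reason for the clock-skew caveat. The removed text tied it to 'sign' or 'seal'; the replacement 'in the case of using Kerberos' no longer says that those two settings are what require Kerberos. Suggest: 'The default value is <emphasis>sign</emphasis>. Both <emphasis>sign</emphasis> and <emphasis>seal</emphasis> use Kerberos, so the clock must be synchronized with the KDC; set <emphasis>plain</emphasis> to restore the previous default.' Since the old text described 'plain' as immune to KRB5 clock skew errors, the new default can fail where the old one did not, which is worth stating as a behaviour change in this description.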
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 7b86a1e..9953053 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2665,6 +2665,8 @@ struct loadparm_context *loadparm_init(TALLOC_CTX 
*mem_ctx)
 
        lpcfg_do_global_parameter(lp_ctx, "ldap debug threshold", "10");
 
+       lpcfg_do_global_parameter(lp_ctx, "client ldap sasl wrapping", "sign");
+
        lpcfg_do_global_parameter(lp_ctx, "follow symlinks", "yes");
 
        lpcfg_do_global_parameter(lp_ctx, "machine password timeout", "604800");
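Review bot: this default is now carried in three places: here, as ADS_AUTH_SASL_SIGN in source3/param/loadparm.c, and in the docs-xml default. A one-line comment on the new lpcfg_do_global_parameter() call pointing at the source3 counterpart and the docs default would help keep them from drifting, since a silent mismatch would leave one code path on 'plain' with no warning.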
diff --git a/python/samba/netcmd/domain.py b/python/samba/netcmd/domain.py
index fe34f94..9dfbc39 100644
--- a/python/samba/netcmd/domain.py
+++ b/python/samba/netcmd/domain.py
@@ -205,8 +205,8 @@ class cmd_domain_provision(Command):
                 default="domain controller"),
          Option("--function-level", type="choice", metavar="FOR-FUN-LEVEL",
                 choices=["2000", "2003", "2008", "2008_R2"],
-                help="The domain and forest function level (2000 | 2003 | 2008 
| 2008_R2 - always native). Default is (Windows) 2003 Native.",
-                default="2003"),
+                help="The domain and forest function level (2000 | 2003 | 2008 
| 2008_R2 - always native). Default is (Windows) 2008R2 Native.",
+                default="2008_R2"),
          Option("--next-rid", type="int", metavar="NEXTRID", default=1000,
                 help="The initial nextRid value (only needed for upgrades).  
Default is 1000."),
          Option("--partitions-only",
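Review bot: the help text now says 'Default is (Windows) 2008R2 Native' while the choices list and the new default spell the value '2008_R2'; use the same spelling in the help string so the documented default is a value the option accepts verbatim.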
diff --git a/python/samba/provision/__init__.py 
b/python/samba/provision/__init__.py
index ca80e42..1603321 100644
--- a/python/samba/provision/__init__.py
+++ b/python/samba/provision/__init__.py
@@ -1245,7 +1245,7 @@ def fill_samdb(samdb, lp, names, logger, policyguid,
     domainControllerFunctionality = DS_DOMAIN_FUNCTION_2008_R2
 
     if dom_for_fun_level is None:
-        dom_for_fun_level = DS_DOMAIN_FUNCTION_2003
+        dom_for_fun_level = DS_DOMAIN_FUNCTION_2008_R2
 
     if dom_for_fun_level > domainControllerFunctionality:
         raise ProvisioningError("You want to run SAMBA 4 on a domain and 
forest function level which itself is higher than its actual DC function level 
(2008_R2). This won't work!")
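Review bot: with the fallback now DS_DOMAIN_FUNCTION_2008_R2 it equals domainControllerFunctionality, so the '>' check that follows can only fire for an explicit caller value; that is fine, but this fallback and the samba-tool default in python/samba/netcmd/domain.py now encode the same choice in two places and would be better derived from one constant. Also, since only the provision path changes, existing domains stay at their current level and do not gain the AES-by-default behaviour the commit message aims for unless raised explicitly; the WHATSNEW hunk in this changeset does not mention the new default at all.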
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 94d3b8d..5ab0de7 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -739,6 +739,8 @@ static void init_globals(struct loadparm_context *lp_ctx, 
bool reinit_globals)
        Globals.ldap_debug_level = 0;
        Globals.ldap_debug_threshold = 10;
 
+       Globals.client_ldap_sasl_wrapping = ADS_AUTH_SASL_SIGN;
+
        /* This is what we tell the afs client. in reality we set the token 
         * to never expire, though, when this runs out the afs client will 
         * forget the token. Set to 0 to get NEVERDATE.*/
diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index 05e9692..3a9780e 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -2578,6 +2578,15 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, 
TALLOC_CTX *mem_ctx,
  anonymous:
 
        /* Finally fall back to anonymous. */
+       if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
+               status = NT_STATUS_DOWNGRADE_DETECTED;
+               DEBUG(1, ("Unwilling to make SAMR connection to domain %s"
+                         "without connection level security, "
+                         "must set 'winbind sealed pipes = false' and "
+                         "'require strong key = false' to proceed: %s\n",
+                         domain->name, nt_errstr(status)));
+               goto done;
+       }
        status = cli_rpc_pipe_open_noauth(conn->cli, &ndr_table_samr,
                                          &conn->samr_pipe);
 
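Review bot: missing space in the DEBUG format string: 'Unwilling to make SAMR connection to domain %s' is immediately followed by 'without connection level security, ', so the log reads 'domain EXAMPLEwithout connection level security'. Add a trailing space after '%s'. The '||' condition itself is right: anonymous SAMR is allowed only when both 'winbind sealed pipes' and 'require strong key' are false, which matches the commit message and the WHATSNEW text.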
@@ -2802,6 +2811,16 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, 
TALLOC_CTX *mem_ctx,
 
  anonymous:
 
+       if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
+               result = NT_STATUS_DOWNGRADE_DETECTED;
+               DEBUG(1, ("Unwilling to make LSA connection to domain %s"
+                         "without connection level security, "
+                         "must set 'winbind sealed pipes = false' and "
+                         "'require strong key = false' to proceed: %s\n",
+                         domain->name, nt_errstr(result)));
+               goto done;
+       }
+
        result = cli_rpc_pipe_open_noauth(conn->cli,
                                          &ndr_table_lsarpc,
                                          &conn->lsa_pipe);
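Review bot: the same missing space after 'domain %s' is in the LSA DEBUG string. Since the three new checks differ only in the pipe name and the exit path, a small static helper that logs once and returns NT_STATUS_DOWNGRADE_DETECTED would avoid maintaining the message and the two parameter names in three copies.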
@@ -2959,6 +2978,16 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain 
*domain,
 
  no_schannel:
        if (!(conn->netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
+               if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
+                       result = NT_STATUS_DOWNGRADE_DETECTED;
+                       DEBUG(1, ("Unwilling to make connection to domain %s"
+                                 "without connection level security, "
+                                 "must set 'winbind sealed pipes = false' and "
+                                 "'require strong key = false' to proceed: 
%s\n",
+                                 domain->name, nt_errstr(result)));
+                       invalidate_cm_connection(conn);
+                       return result;
+               }
                result = cli_rpc_pipe_open_noauth(conn->cli,
                                        &ndr_table_netlogon,
                                        &conn->netlogon_pipe);
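Review bot: this netlogon variant exits with 'invalidate_cm_connection(conn); return result;' while the SAMR and LSA hunks use 'goto done'. If the 'done' labels in those functions do not also invalidate the connection, a downgrade refusal there leaves a partly built connection cached for reuse; confirm the cleanup paths are equivalent or make all three take the same route. The 'domain %s' string here has the same missing space as the other two.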
diff --git a/source4/dsdb/repl/drepl_partitions.c 
b/source4/dsdb/repl/drepl_partitions.c
index 8c85ef6..c822ba9 100644
--- a/source4/dsdb/repl/drepl_partitions.c
+++ b/source4/dsdb/repl/drepl_partitions.c
@@ -270,9 +270,9 @@ static NTSTATUS dreplsrv_get_target_principal(struct 
dreplsrv_service *s,
 
        if (dnsdomain != NULL) {
                *target_principal = talloc_asprintf(mem_ctx,
-                                                   
"E3514235-4B06-11D1-AB04-00C04FC2DCD2/%s/%s",
+                                                   
"E3514235-4B06-11D1-AB04-00C04FC2DCD2/%s/%s@%s",
                                                    GUID_string(tmp_ctx, 
&rft->source_dsa_obj_guid),
-                                                   dnsdomain);
+                                                   dnsdomain, dnsdomain);
        }
 
        talloc_free(tmp_ctx);
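Review bot: the new '@%s' appends dnsdomain as the Kerberos realm, so the same variable now serves as both the host part and the realm part of the target principal. A realm is conventionally the upper-cased DNS name; if dnsdomain here is the lower-cased DNS domain taken from the replication partner's record, confirm that the Kerberos library canonicalises it (or upper-case it before use), otherwise the explicit realm could fail where the previous referral-based lookup succeeded. A short comment stating why naming the realm avoids the KDC referral, as the commit message explains, belongs next to the format string.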
diff --git a/testprogs/blackbox/upgradeprovision-oldrelease.sh 
b/testprogs/blackbox/upgradeprovision-oldrelease.sh
index 3cb7929..26807be 100755
--- a/testprogs/blackbox/upgradeprovision-oldrelease.sh
+++ b/testprogs/blackbox/upgradeprovision-oldrelease.sh
@@ -91,7 +91,7 @@ samba_upgradedns() {
 }
 
 referenceprovision() {
-        $PYTHON $BINDIR/samba-tool domain provision --server-role="dc" 
--domain=SAMBA --host-name=ares --realm=${RELEASE}.samba.corp 
--targetdir=$PREFIX_ABS/${RELEASE}_upgrade_reference --use-ntvfs 
--host-ip=127.0.0.1 --host-ip6=::1
+        $PYTHON $BINDIR/samba-tool domain provision --server-role="dc" 
--domain=SAMBA --host-name=ares --realm=${RELEASE}.samba.corp 
--targetdir=$PREFIX_ABS/${RELEASE}_upgrade_reference --use-ntvfs 
--host-ip=127.0.0.1 --host-ip6=::1 --function-level=2003
 }
 
 ldapcmp() {
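Review bot: pinning --function-level=2003 on the reference provision keeps it comparable with the old-release tree now that the default is 2008_R2, but nothing in the script says so; add a comment above the referenceprovision command line, otherwise a later cleanup is likely to drop the flag and reintroduce spurious ldapcmp differences.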


-- 
Samba Shared Repository
