The branch, master has been updated
       via  22eb416 repl: Specify the target realm in dreplsrv_get_target_principal()
       via  736098e WHATSNEW: Include info on secured winbindd connections
       via  afe02d1 winbindd: Change value of "ldap sasl wrapping" to sign
       via  e2cd325 winbindd: Do not make anonymous connections by default
       via  b9701a0 provision: Change the default functional level of new Samba domains to 2008R2.
      from  bf0ee5f ldb: fix a typo in the comment, LDB_FLAGS_MOD_xxx -> LDB_FLAG_MOD_xxx

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 22eb416d166e5772619518fc2adc26a6783abdb1
Author: Andrew Bartlett <abart...@samba.org>
Date:   Mon Aug 11 17:31:53 2014 +1200

    repl: Specify the target realm in dreplsrv_get_target_principal()

    We know what realm we need to contact, so avoid trying to correctly
    get a referral from our KDC.

    Andrew Bartlett

    Change-Id: I154ff72f3176d581b64e0c67d4a9c5f1f76b7924
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

    Autobuild-User(master): Stefan Metzmacher <me...@samba.org>
    Autobuild-Date(master): Tue Sep 30 14:58:50 CEST 2014 on sn-devel-104

commit 736098e2cf0fc63fb19525f265aff8e07cc7afba
Author: Andrew Bartlett <abart...@samba.org>
Date:   Tue Sep 23 13:40:23 2014 -0700

    WHATSNEW: Include info on secured winbindd connections

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit afe02d12f444ad9a6abf31a61f578320520263a9
Author: Andrew Bartlett <abart...@samba.org>
Date:   Fri Sep 5 17:38:38 2014 +1200

    winbindd: Change value of "ldap sasl wrapping" to sign

    This is to disrupt MITM attacks between us and our DC

    Pair-programmed-with: Garming Sam <garm...@catalyst.net.nz>
    Signed-off-by: Garming Sam <garm...@catalyst.net.nz>
    Signed-off-by: Andrew Bartlett <abart...@samba.org>

commit e2cd3257141bd4a88cda1fff5bde9df60b253a97
Author: Andrew Bartlett <abart...@samba.org>
Date:   Fri Sep 5 17:00:31 2014 +1200

    winbindd: Do not make anonymous connections by default

    The requirement is that we have "winbind sealed pipes = false" and
    "require strong key = false" before we make anonymous connections.

    These are a security risk as we cannot prevent MITM attacks.

    Andrew Bartlett

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit b9701a0a79dd15dd6f53075638fba9a2a3d92e19
Author: Andrew Bartlett <abart...@samba.org>
Date:   Wed Sep 24 11:01:18 2014 -0700

    provision: Change the default functional level of new Samba domains to 2008R2.

    Windows 2003 is going out of support shortly, and we want users to
    have AES by default

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 WHATSNEW.txt                                       | 15 ++++++++++
 .../smbdotconf/ldap/clientldapsaslwrapping.xml     |  8 ++---
 lib/param/loadparm.c                               |  2 +
 python/samba/netcmd/domain.py                      |  4 +-
 python/samba/provision/__init__.py                 |  2 +-
 source3/param/loadparm.c                           |  2 +
 source3/winbindd/winbindd_cm.c                     | 29 ++++++++++++++++++++
 source4/dsdb/repl/drepl_partitions.c               |  4 +-
 testprogs/blackbox/upgradeprovision-oldrelease.sh  |  2 +-
 9 files changed, 57 insertions(+), 11 deletions(-)


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 0ab0561..78fc777 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -90,6 +90,21 @@ services parameter specified should ensure they change 'winbind' to The 'samba' binary still manages the starting of this service, there is no need to start the winbindd binary manually. +Winbind now requires secured connections +======================================== + +To improve protection against rouge domain controllers we now require +that when we connect to an AD DC in our forest, that the connection be +signed using SMB Signing. Set 'client signing = off' in the smb.conf +to disable. + +Also and DCE/RPC pipes must be sealed, set 'require strong key = +false' and 'winbind sealed pipes = false' to disable. + +Finally, the default for 'client ldap sasl wrapping' has been set to +'sign', to ensure the integrity of LDAP connections. Set 'client ldap +sasl wrapping = plain' to disable. + Larger IO sizes for SMB2/3 by default ===================================== diff --git a/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml b/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml index 076b05c..e0ce700 100644 --- a/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml +++ b/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml @@ -34,11 +34,9 @@ </para> <para> - The default value is <emphasis>plain</emphasis> which is not irritable - to KRB5 clock skew errors. That implies synchronizing the time - with the KDC in the case of using <emphasis>sign</emphasis> or - <emphasis>seal</emphasis>. + The default value is <emphasis>sign</emphasis>. That implies synchronizing the time + with the KDC in the case of using <emphasis>Kerberos</emphasis>. </para> </description> -<value type="default">plain</value> +<value type="default">sign</value> </samba:parameter> diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c index 7b86a1e..9953053 100644 --- a/lib/param/loadparm.c +++ b/lib/param/loadparm.c 
@@ -2665,6 +2665,8 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) lpcfg_do_global_parameter(lp_ctx, "ldap debug threshold", "10"); + lpcfg_do_global_parameter(lp_ctx, "client ldap sasl wrapping", "sign"); + lpcfg_do_global_parameter(lp_ctx, "follow symlinks", "yes"); lpcfg_do_global_parameter(lp_ctx, "machine password timeout", "604800"); diff --git a/python/samba/netcmd/domain.py b/python/samba/netcmd/domain.py index fe34f94..9dfbc39 100644 --- a/python/samba/netcmd/domain.py +++ b/python/samba/netcmd/domain.py @@ -205,8 +205,8 @@ class cmd_domain_provision(Command): default="domain controller"), Option("--function-level", type="choice", metavar="FOR-FUN-LEVEL", choices=["2000", "2003", "2008", "2008_R2"], - help="The domain and forest function level (2000 | 2003 | 2008 | 2008_R2 - always native). Default is (Windows) 2003 Native.", - default="2003"), + help="The domain and forest function level (2000 | 2003 | 2008 | 2008_R2 - always native). Default is (Windows) 2008R2 Native.", + default="2008_R2"), Option("--next-rid", type="int", metavar="NEXTRID", default=1000, help="The initial nextRid value (only needed for upgrades). Default is 1000."), Option("--partitions-only", diff --git a/python/samba/provision/__init__.py b/python/samba/provision/__init__.py index ca80e42..1603321 100644 --- a/python/samba/provision/__init__.py +++ b/python/samba/provision/__init__.py @@ -1245,7 +1245,7 @@ def fill_samdb(samdb, lp, names, logger, policyguid, domainControllerFunctionality = DS_DOMAIN_FUNCTION_2008_R2 if dom_for_fun_level is None: - dom_for_fun_level = DS_DOMAIN_FUNCTION_2003 + dom_for_fun_level = DS_DOMAIN_FUNCTION_2008_R2 if dom_for_fun_level > domainControllerFunctionality: raise ProvisioningError("You want to run SAMBA 4 on a domain and forest function level which itself is higher than its actual DC function level (2008_R2). This won't work!") diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c index 94d3b8d..5ab0de7 100644 
--- a/source3/param/loadparm.c +++ b/source3/param/loadparm.c @@ -739,6 +739,8 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals) Globals.ldap_debug_level = 0; Globals.ldap_debug_threshold = 10; + Globals.client_ldap_sasl_wrapping = ADS_AUTH_SASL_SIGN; + /* This is what we tell the afs client. in reality we set the token * to never expire, though, when this runs out the afs client will * forget the token. Set to 0 to get NEVERDATE.*/ diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c index 05e9692..3a9780e 100644 --- a/source3/winbindd/winbindd_cm.c +++ b/source3/winbindd/winbindd_cm.c @@ -2578,6 +2578,15 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, anonymous: /* Finally fall back to anonymous. */ + if (lp_winbind_sealed_pipes() || lp_require_strong_key()) { + status = NT_STATUS_DOWNGRADE_DETECTED; + DEBUG(1, ("Unwilling to make SAMR connection to domain %s" + "without connection level security, " + "must set 'winbind sealed pipes = false' and " + "'require strong key = false' to proceed: %s\n", + domain->name, nt_errstr(status))); + goto done; + } status = cli_rpc_pipe_open_noauth(conn->cli, &ndr_table_samr, &conn->samr_pipe); @@ -2802,6 +2811,16 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, anonymous: + if (lp_winbind_sealed_pipes() || lp_require_strong_key()) { + result = NT_STATUS_DOWNGRADE_DETECTED; + DEBUG(1, ("Unwilling to make LSA connection to domain %s" + "without connection level security, " + "must set 'winbind sealed pipes = false' and " + "'require strong key = false' to proceed: %s\n", + domain->name, nt_errstr(result))); + goto done; + } + result = cli_rpc_pipe_open_noauth(conn->cli, &ndr_table_lsarpc, &conn->lsa_pipe); 
@@ -2959,6 +2978,16 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain, no_schannel: if (!(conn->netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) { + if (lp_winbind_sealed_pipes() || lp_require_strong_key()) { + result = NT_STATUS_DOWNGRADE_DETECTED; + DEBUG(1, ("Unwilling to make connection to domain %s" + "without connection level security, " + "must set 'winbind sealed pipes = false' and " + "'require strong key = false' to proceed: %s\n", + domain->name, nt_errstr(result))); + invalidate_cm_connection(conn); + return result; + } result = cli_rpc_pipe_open_noauth(conn->cli, &ndr_table_netlogon, &conn->netlogon_pipe); diff --git a/source4/dsdb/repl/drepl_partitions.c b/source4/dsdb/repl/drepl_partitions.c index 8c85ef6..c822ba9 100644 --- a/source4/dsdb/repl/drepl_partitions.c +++ b/source4/dsdb/repl/drepl_partitions.c @@ -270,9 +270,9 @@ static NTSTATUS dreplsrv_get_target_principal(struct dreplsrv_service *s, if (dnsdomain != NULL) { *target_principal = talloc_asprintf(mem_ctx, - "E3514235-4B06-11D1-AB04-00C04FC2DCD2/%s/%s", + "E3514235-4B06-11D1-AB04-00C04FC2DCD2/%s/%s@%s", GUID_string(tmp_ctx, &rft->source_dsa_obj_guid), - dnsdomain); + dnsdomain, dnsdomain); } talloc_free(tmp_ctx); diff --git a/testprogs/blackbox/upgradeprovision-oldrelease.sh b/testprogs/blackbox/upgradeprovision-oldrelease.sh index 3cb7929..26807be 100755 --- a/testprogs/blackbox/upgradeprovision-oldrelease.sh +++ b/testprogs/blackbox/upgradeprovision-oldrelease.sh 
@@ -91,7 +91,7 @@ samba_upgradedns() { } referenceprovision() { - $PYTHON $BINDIR/samba-tool domain provision --server-role="dc" --domain=SAMBA --host-name=ares --realm=${RELEASE}.samba.corp --targetdir=$PREFIX_ABS/${RELEASE}_upgrade_reference --use-ntvfs --host-ip=127.0.0.1 --host-ip6=::1 + $PYTHON $BINDIR/samba-tool domain provision --server-role="dc" --domain=SAMBA --host-name=ares --realm=${RELEASE}.samba.corp --targetdir=$PREFIX_ABS/${RELEASE}_upgrade_reference --use-ntvfs --host-ip=127.0.0.1 --host-ip6=::1 --function-level=2003 } ldapcmp() { -- Samba Shared Repository
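Review bot: two typos in the new WHATSNEW.txt section "Winbind now requires secured connections": 'rouge domain controllers' should be 'rogue domain controllers', and 'Also and DCE/RPC pipes must be sealed' should read 'Also, all DCE/RPC pipes must be sealed'. It would also help administrators to name the error they will see when the new policy refuses a connection, NT_STATUS_DOWNGRADE_DETECTED, which is what the winbindd_cm.c hunks return, so that the level 1 debug message can be matched to the two parameters that disable the check.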
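Review bot: the rewritten paragraph in clientldapsaslwrapping.xml drops the reason the old text gave, namely that sign and seal are sensitive to Kerberos clock skew while plain was not. With only 'That implies synchronizing the time with the KDC in the case of using Kerberos' left, a reader no longer learns why the new default of sign makes time synchronization matter. Suggest: 'The default value is <emphasis>sign</emphasis>. Because sign and seal are sensitive to Kerberos clock skew, the client's clock must be synchronized with the KDC when Kerberos is used.'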
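Review bot: in the python/samba/netcmd/domain.py hunk the help string for --function-level says 'Default is (Windows) 2008R2 Native' while the choices list and the new default use the spelling '2008_R2'; print the exact accepted value ('Default is 2008_R2') so users can copy it straight into the option.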
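Review bot: changing the dom_for_fun_level default in fill_samdb (python/samba/provision/__init__.py) is a user-visible behaviour change for every provision that does not pass a level, and the upgradeprovision-oldrelease.sh hunk had to pin --function-level=2003 because of it, yet the WHATSNEW.txt hunk in this same changeset documents only the winbind changes. Add a WHATSNEW paragraph stating that new domains now default to the 2008_R2 functional level and that --function-level=2003 restores the previous default for domains that must still admit Windows 2003 domain controllers.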
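Review bot: the DEBUG format in the new cm_connect_sam block (source3/winbindd/winbindd_cm.c, first hunk) is missing a space between the adjacent string literals, so the message renders as 'domain EXAMPLEwithout connection level security'; change "domain %s" to "domain %s " (the same concatenation appears in the cm_connect_lsa and cm_connect_netlogon hunks). The check itself matches the stated policy: with '||' the anonymous fallback is only reached when both 'winbind sealed pipes' and 'require strong key' are off, which is what the commit message requires.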
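Review bot: the block added to cm_connect_lsa is the second verbatim copy of the lp_winbind_sealed_pipes() || lp_require_strong_key() test and its DEBUG text, and cm_connect_netlogon carries a third; factor it into a small static helper that takes the pipe name and returns NT_STATUS_DOWNGRADE_DETECTED, so the wording and the missing-space fix only have to be made in one place and a future pipe cannot forget the check.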
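Review bot: unlike the SAMR and LSA hunks, the cm_connect_netlogon block calls invalidate_cm_connection(conn) before returning, which is right because a connection negotiated without NETLOGON_NEG_AUTHENTICATED_RPC should not be reused; the SAMR and LSA paths instead 'goto done', so confirm that done: in those functions also tears down the connection rather than leaving a half-set-up conn->cli cached after a refused anonymous pipe. The log text here also omits the pipe name ('Unwilling to make connection to domain'); say 'NETLOGON connection' to match the other two messages.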
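Review bot: in the drepl_partitions.c hunk the realm appended after '@' is dnsdomain verbatim. Kerberos realm names are case-sensitive and AD realms are the upper-case form of the DNS domain, so if dnsdomain arrives in lower-case DNS form this principal may not match on a strict KDC; confirm that dnsdomain is already in realm form at this point, or upper-case the second argument before formatting.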
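Review bot: a one-line comment above referenceprovision() in upgradeprovision-oldrelease.sh explaining why --function-level=2003 is now pinned (the reference provision must match the level of the old releases it is compared against, and the default moved to 2008_R2 in this changeset) would stop a later cleanup from removing the option as redundant.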