The branch, v4-15-stable has been updated
       via  861b4f9fde0 VERSION: Disable GIT_SNAPSHOT for the 4.15.13 release.
       via  00479fb662f WHATSNEW: Add release notes for Samba 4.15.13.
       via  2620bea3af8 kdc: avoid re-encoding KDC-REQ-BODY
       via  ff5d6ada80e tests/krb5: Add test requesting a TGT expiring post-2038
       via  fd3cdcc1800 tests/krb5: Add test requesting a service ticket expiring post-2038
       via  d1cfdcf3a3d CVE-2022-37966 python:/tests/krb5: call sys.path.insert(0, "bin/python") before any other imports
       via  48d6042dddf CVE-2022-37966 samba-tool: add 'domain trust modify' command
       via  89b1c78b520 CVE-2022-37966 s4:kdc: apply restrictions of "kdc supported enctypes"
       via  18996e99712 CVE-2022-37966 param: Add support for new option "kdc supported enctypes"
       via  34fc0da7869 CVE-2022-37966 param: let "kdc default domain supportedenctypes = 0" mean the default
       via  693a247d3b2 CVE-2022-37966 param: don't explicitly initialize "kdc force enable rc4 weak session keys" to false/"no"
       via  ee9ffe50e99 CVE-2022-37966 s4:kdc: announce PA-SUPPORTED-ETYPES like windows.
       via  1815d339417 CVE-2022-37966 python:tests/krb5: test much more etype combinations
       via  d6b9e8b3397 CVE-2022-37966 python:tests/krb5: add better PADATA_SUPPORTED_ETYPES assert message
       via  25d88118903 CVE-2022-37966 python:tests/krb5: add 'force_nt4_hash' for account creation of KDCBaseTest
       via  c768a27bc13 CVE-2022-37966 python:tests/krb5: ignore empty supplementalCredentials attributes
       via  9049c5442aa CVE-2022-37966 python:tests/krb5: allow ticket/supported_etypes to be passed KdcTgsBaseTests._{as,tgs}_req()
       via  a1e91681158 CVE-2022-37966 python:tests/krb5: fix some tests running against Windows 2022
       via  1db952fab82 CVE-2022-37966 s4:libnet: allow python bindings to force setting an nthash via SAMR level 18
       via  91a030cbf58 CVE-2022-37966 s4:libnet: add support LIBNET_SET_PASSWORD_SAMR_HANDLE_18 to set nthash only
       via  eed3d6a3962 CVE-2022-37966 s4:libnet: initialize libnet_SetPassword() arguments explicitly to zero by default.
       via  0d7dc04404d CVE-2022-37966 drsuapi.idl: add trustedDomain related ATTID values
       via  527a164b410 CVE-2022-37966 s4:kdc: use the strongest possible keys
       via  8b8835b09fa CVE-2022-37966 s4:pydsdb: add ENC_HMAC_SHA1_96_AES256_SK
       via  f644fc69971 CVE-2022-37966 s3:net_ads: let 'net ads enctypes list' pretty print AES256-SK and RESOURCE-SID-COMPRESSION-DISABLED
       via  716149ed2bc CVE-2022-37966 s3:net_ads: no longer reference des encryption types
       via  5f9e13ce20a CVE-2022-37966 s3:libnet: no longer reference des encryption types
       via  153e4a39142 CVE-2022-37966 s3:libads: no longer reference des encryption types
       via  ac6563e70ad CVE-2022-37966 lib/krb5_wrap: no longer reference des encryption types
       via  ece27efe594 CVE-2022-37966 s3:net_ads: remove unused ifdef HAVE_ENCTYPE_AES*
       via  c23c17a8d75 CVE-2022-37966 s3:libnet: remove unused ifdef HAVE_ENCTYPE_AES*
       via  6db1a9a9648 CVE-2022-37966 s3:libads: remove unused ifdef HAVE_ENCTYPE_AES*
       via  c0a367ad02a CVE-2022-37966 lib/krb5_wrap: remove unused ifdef HAVE_ENCTYPE_AES*
       via  5127bcfded4 CVE-2022-37966 system_mitkrb5: require support for aes enctypes
       via  a4deabde39e CVE-2022-37966 wafsamba: add support for CHECK_VARIABLE(mandatory=True)
       via  a7e2f5d32e5 CVE-2022-37966 kdc: Assume trust objects support AES by default
       via  1e32bfc0fdd CVE-2022-37966 kdc: Implement new Kerberos session key behaviour since ENC_HMAC_SHA1_96_AES256_SK was added
       via  701b2650d1b CVE-2022-37966 s4:torture: Expect referral ticket enc-part encrypted with AES256 rather than RC4
       via  590228fd72f CVE-2022-37966 auth/credentials: Allow specifying password to cli_credentials_get_aes256_key()
       via  eefa5532055 CVE-2022-37966 auth/credentials: Add cli_credentials_get_aes256_key()
       via  33e5f0b4a44 CVE-2022-37966 Fix enctype selection issues for PAC and other authz-data signatures
       via  cc6196fa005 CVE-2022-37966 selftest: Run S4U tests against FL2003 DC
       via  c273cb75625 CVE-2022-37966 selftest: Add tests for Kerberos session key behaviour since ENC_HMAC_SHA1_96_AES256_SK was added
       via  84c28b05a0a CVE-2022-37966 samba-tool: Declare explicitly RC4 support of trust objects
       via  0ad59767324 CVE-2022-37966 samba-tool: Fix 'domain trust create' documentation
       via  1c06e8b08ca CVE-2022-37966 third_party/heimdal: Fix error message typo
       via  36d5770585a CVE-2022-37966 param: Add support for new option "kdc force enable rc4 weak session keys"
       via  1daea832104 CVE-2022-37966 param: Add support for new option "kdc default domain supportedenctypes"
       via  d775f1ed43a CVE-2022-37967 Add new PAC checksum
       via  4650ce1fa5c CVE-2022-37966 HEIMDAL: Look up the server keys to combine with clients etype list to select a session key
       via  fed97f46265 CVE-2022-37966 selftest: Don't strictly check etype-info when obtaining a TGT
       via  07edcef7463 CVE-2022-37966 tests/krb5: Add a test requesting tickets with various encryption types
       via  92763515d9f CVE-2022-37966 tests/krb5: Add 'etypes' parameter to _tgs_req()
       via  b4be18abf9b CVE-2022-37966 tests/krb5: Split out _tgs_req() into base class
       via  e24512a20ae CVE-2022-37966 selftest: Allow krb5 tests to run against an IP by using the target_hostname binding string
       via  e2ac180984e CVE-2022-37966 libcli/auth: let netlogon_creds_cli_warn_options() about "kerberos encryption types=legacy"
       via  30202568a18 CVE-2022-37966 testparm: warn about 'kerberos encryption types = legacy'
       via  097fa693ded CVE-2022-37966 docs-xml/smbdotconf: "kerberos encryption types = legacy" should not be used
       via  4543bd706e5 CVE-2022-37966 s3:utils: Fix old-style function definition
       via  6f94a270722 CVE-2022-37966 s3:client: Fix old-style function definition
       via  0fe0643e0b7 CVE-2022-37966 s3:param: Fix old-style function definition
       via  25402db19b9 CVE-2022-37966 tests/krb5: Allow passing expected etypes to get_keys()
       via  8f40d9b7dd2 CVE-2022-37966 s4:kdc: Move supported enc-type handling out of samba_kdc_message2entry_keys()
       via  86834042a18 CVE-2022-37966 s4:kdc: Set supported enctypes in KDC entry
       via  d09d8f995c9 CVE-2022-37966 tests/krb5: Update supported enctype checking
       via  900c6e2268d CVE-2022-37966 tests/krb5: Check encrypted-pa-data if present
       via  d10dfa85819 CVE-2022-38023 testparm: warn about unsecure schannel related options
       via  28ac3faa51c CVE-2022-38023 testparm: warn about server/client schannel != yes
       via  93e4e50d250 CVE-2022-38023 s4:rpc_server/netlogon: implement "server schannel require seal[:COMPUTERACCOUNT]"
       via  15792b4035d CVE-2022-38023 s4:rpc_server/netlogon: add a per connection cache to dcesrv_netr_check_schannel()
       via  dba546dbfa5 CVE-2022-38023 docs-xml/smbdotconf: add "server schannel require seal[:COMPUTERACCOUNT]" options
       via  2b0dc83e064 CVE-2022-38023 s4:rpc_server/netlogon: make sure all dcesrv_netr_LogonSamLogon*() calls go through dcesrv_netr_check_schannel()
       via  57986cad714 CVE-2022-38023 s4:rpc_server/netlogon: split out dcesrv_netr_check_schannel() function
       via  08b69ca61f7 CVE-2022-38023 selftest:Samba4: avoid global 'allow nt4 crypto = yes' and 'reject md5 clients = no'
       via  ba1482a18a8 CVE-2022-38023 s4:rpc_server/netlogon: debug 'reject md5 servers' and 'allow nt4 crypto' misconfigurations
       via  b7f0e7f2ccc CVE-2022-38023 docs-xml/smbdotconf: document "server reject md5 schannel:COMPUTERACCOUNT"
       via  4cb1e57caaf CVE-2022-38023 docs-xml/smbdotconf: document "allow nt4 crypto:COMPUTERACCOUNT = no"
       via  a0c68f4caaa CVE-2022-38023 s4:rpc_server/netlogon: add 'server reject md5 schannel:COMPUTERACCOUNT = no' and 'allow nt4 crypto:COMPUTERACCOUNT = yes'
       via  5154471bca2 CVE-2022-38023 s4:rpc_server/netlogon: defer downgrade check until we found the account in our SAM
       via  ade168df393 CVE-2022-38023 docs-xml/smbdotconf: change 'reject md5 clients' default to yes
       via  33a814d745c CVE-2022-38023 s4:rpc_server/netlogon: split out dcesrv_netr_ServerAuthenticate3_check_downgrade()
       via  90f06ad6d7d CVE-2022-38023 s4:torture: use NETLOGON_NEG_SUPPORTS_AES by default
       via  0be35930722 CVE-2022-38023 selftest:Samba4: avoid global 'server schannel = auto'
       via  e02e8ad46b0 CVE-2022-38023 s4:rpc_server/netlogon: improve CVE-2020-1472(ZeroLogon) debug messages
       via  643b4c1b95e CVE-2022-38023 s4:rpc_server/netlogon: re-order checking in dcesrv_netr_creds_server_step_check()
       via  b9269801ed6 CVE-2022-38023 s4:rpc_server/netlogon: add talloc_stackframe() to dcesrv_netr_creds_server_step_check()
       via  9669a41693b CVE-2022-38023 s4:rpc_server/netlogon: add a lp_ctx variable to dcesrv_netr_creds_server_step_check()
       via  de121d6c613 CVE-2022-38023 s4:rpc_server/netlogon: 'server schannel != yes' warning to dcesrv_interface_netlogon_bind
       via  18bcf0b6496 CVE-2022-38023 docs-xml/smbdotconf: change 'reject md5 servers' default to yes
       via  f1cb8950583 CVE-2022-38023 s3:winbindd: also allow per domain "winbind sealed pipes:DOMAIN" and "require strong key:DOMAIN"
       via  4dc0b8d0a89 CVE-2022-38023 s3:net: add and use net_warn_member_options() helper
       via  ae1f4644245 CVE-2022-38023 libcli/auth: add/use netlogon_creds_cli_warn_options()
       via  deffd8ea00f CVE-2022-38023 libcli/auth: pass lp_ctx to netlogon_creds_cli_set_global_db()
       via  ddafd6dc770 CVE-2022-38023 docs-xml: improve wording for several options: "yields precedence" -> "is over-riden"
       via  1040fa4c235 CVE-2022-38023 docs-xml: improve wording for several options: "takes precedence" -> "overrides"
       via  26249f6c065 selftest: make filter-subunit much more efficient for large knownfail lists
       via  2ea3f2db808 CVE-2022-45141 source4/heimdal: Fix check-des
       via  2be27ec1d7f CVE-2022-45141 source4/heimdal: Fix TGS ticket enc-part key selection
       via  73c7c6ec9bc CVE-2022-44640 source4/heimdal: Fix use-after-free when decoding PA-ENC-TS-ENC
       via  b4c3ce6fb9b CVE-2022-44640 HEIMDAL: asn1: Invalid free in ASN.1 codec
       via  f3672577a8e CVE-2022-42898: HEIMDAL: lib/krb5: fix _krb5_get_int64 on systems where 'unsigned long' is just 32-bit
       via  0b4f495e810 VERSION: Bump version up to Samba 4.15.13...
      from  b86b889c522 VERSION: Disable GIT_SNAPSHOT for the 4.15.12 release.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-15-stable


- Log -----------------------------------------------------------------
-----------------------------------------------------------------------

Summary of changes:
 VERSION                                            |    2 +-
 WHATSNEW.txt                                       |  152 +-
 auth/credentials/credentials.h                     |    7 +
 auth/credentials/credentials_krb5.c                |   59 +
 buildtools/wafsamba/samba_autoconf.py              |    4 +-
 docs-xml/manpages/samba-tool.8.xml                 |    5 +
 docs-xml/smbdotconf/logon/allownt4crypto.xml       |   85 +-
 docs-xml/smbdotconf/logon/rejectmd5clients.xml     |  101 +-
 .../security/allowdcerpcauthlevelconnect.xml       |    2 +-
 docs-xml/smbdotconf/security/clientschannel.xml    |    2 +-
 .../security/kdcdefaultdomainsupportedenctypes.xml |   42 +
 .../security/kdcforceenablerc4weaksessionkeys.xml  |   24 +
 .../smbdotconf/security/kdcsupportedenctypes.xml   |   40 +
 .../security/kerberosencryptiontypes.xml           |   12 +-
 docs-xml/smbdotconf/security/serverschannel.xml    |   47 +-
 .../security/serverschannelrequireseal.xml         |  118 ++
 docs-xml/smbdotconf/winbind/rejectmd5servers.xml   |    9 +-
 docs-xml/smbdotconf/winbind/requirestrongkey.xml   |    4 +-
 lib/krb5_wrap/krb5_samba.c                         |    6 -
 lib/param/loadparm.c                               |  147 ++
 libcli/auth/netlogon_creds_cli.c                   |   89 +-
 libcli/auth/netlogon_creds_cli.h                   |    4 +-
 librpc/idl/drsuapi.idl                             |    9 +
 librpc/idl/krb5pac.idl                             |    4 +-
 librpc/idl/netlogon.idl                            |    4 +
 librpc/idl/security.idl                            |    1 +
 python/samba/drs_utils.py                          |   12 +-
 python/samba/netcmd/domain.py                      |  130 +-
 python/samba/tests/krb5/alias_tests.py             |    6 +-
 .../samba/tests/krb5/as_canonicalization_tests.py  |    5 +-
 python/samba/tests/krb5/as_req_tests.py            |   28 +-
 python/samba/tests/krb5/compatability_tests.py     |   22 +
 python/samba/tests/krb5/etype_tests.py             |  597 ++++++++
 python/samba/tests/krb5/fast_tests.py              |   11 +-
 python/samba/tests/krb5/kdc_base_test.py           |  159 +-
 python/samba/tests/krb5/kdc_tgs_tests.py           |  481 ++++--
 python/samba/tests/krb5/kpasswd_tests.py           |    8 +-
 python/samba/tests/krb5/raw_testcase.py            |  253 +++-
 python/samba/tests/krb5/rfc4120_constants.py       |    4 +
 python/samba/tests/krb5/rodc_tests.py              |    8 +-
 python/samba/tests/krb5/s4u_tests.py               |  122 +-
 python/samba/tests/krb5/salt_tests.py              |    6 +-
 python/samba/tests/krb5/spn_tests.py               |    8 +-
 python/samba/tests/krb5/test_ccache.py             |    6 +-
 python/samba/tests/krb5/test_idmap_nss.py          |    6 +-
 python/samba/tests/krb5/test_ldap.py               |    6 +-
 python/samba/tests/krb5/test_min_domain_uid.py     |    7 +-
 python/samba/tests/krb5/test_rpc.py                |    6 +-
 python/samba/tests/krb5/test_smb.py                |    6 +-
 python/samba/tests/usage.py                        |    1 +
 selftest/knownfail_heimdal_kdc                     |    1 +
 selftest/knownfail_mit_kdc                         | 1580 +++++++++++++++++++-
 selftest/subunithelper.py                          |   32 +-
 selftest/target/Samba4.pm                          |  121 +-
 source3/client/clitar.c                            |    2 +-
 source3/libads/kerberos.c                          |    6 +-
 source3/libads/kerberos_keytab.c                   |    4 -
 source3/libnet/libnet_join.c                       |    9 +-
 source3/param/loadparm.c                           |    7 +-
 source3/rpc_client/cli_netlogon.c                  |    2 +-
 source3/utils/destroy_netlogon_creds_cli.c         |    2 +-
 source3/utils/net.c                                |    6 +
 source3/utils/net_ads.c                            |   27 +-
 source3/utils/net_dom.c                            |    2 +
 source3/utils/net_join.c                           |    2 +
 source3/utils/net_offlinejoin.c                    |    2 +
 source3/utils/net_proto.h                          |    2 +
 source3/utils/net_rpc.c                            |   10 +
 source3/utils/net_util.c                           |   14 +
 source3/utils/ntlm_auth.c                          |   12 +-
 source3/utils/testparm.c                           |   89 +-
 source3/winbindd/winbindd_cm.c                     |   41 +-
 source4/dsdb/pydsdb.c                              |    1 +
 source4/heimdal/kdc/kerberos5.c                    |   48 +-
 source4/heimdal/kdc/krb5tgs.c                      |   99 +-
 source4/heimdal/kdc/misc.c                         |    4 +-
 source4/heimdal/kdc/pkinit.c                       |   16 +-
 source4/heimdal/lib/asn1/gen_decode.c              |   12 +-
 source4/heimdal/lib/asn1/gen_free.c                |    7 +
 source4/heimdal/lib/asn1/krb5.opt                  |    1 +
 source4/heimdal/lib/hdb/hdb.asn1                   |    6 +-
 source4/heimdal/lib/krb5/init_creds_pw.c           |    2 +-
 source4/heimdal/lib/krb5/pac.c                     |  172 ++-
 source4/heimdal/lib/krb5/store-int.c               |    2 +-
 source4/kdc/db-glue.c                              |  295 +++-
 source4/kdc/kdc-heimdal.c                          |   23 +-
 source4/kdc/samba_kdc.h                            |    1 +
 source4/kdc/sdb.c                                  |   91 ++
 source4/kdc/sdb.h                                  |   12 +
 source4/kdc/sdb_to_hdb.c                           |   28 +-
 source4/kdc/wdc-samba4.c                           |   23 +-
 source4/libnet/libnet_join.c                       |    4
+- source4/libnet/libnet_passwd.c | 71 + source4/libnet/libnet_passwd.h | 7 + source4/libnet/py_net.c | 18 +- source4/rpc_server/netlogon/dcerpc_netlogon.c | 1013 +++++++++++-- source4/selftest/tests.py | 32 +- source4/torture/ntp/ntp_signd.c | 2 +- source4/torture/rpc/lsa.c | 54 +- source4/torture/rpc/netlogon.c | 24 +- source4/torture/rpc/remote_pac.c | 14 +- source4/torture/rpc/samba3rpc.c | 15 +- wscript_configure_system_mitkrb5 | 4 +- 103 files changed, 6193 insertions(+), 758 deletions(-) create mode 100644 docs-xml/smbdotconf/security/kdcdefaultdomainsupportedenctypes.xml create mode 100644 docs-xml/smbdotconf/security/kdcforceenablerc4weaksessionkeys.xml create mode 100644 docs-xml/smbdotconf/security/kdcsupportedenctypes.xml create mode 100644 docs-xml/smbdotconf/security/serverschannelrequireseal.xml create mode 100755 python/samba/tests/krb5/etype_tests.py Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index db3716dfa51..04074a39547 100644 --- a/VERSION +++ b/VERSION @@ -25,7 +25,7 @@ ######################################################## SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=15 -SAMBA_VERSION_RELEASE=12 +SAMBA_VERSION_RELEASE=13 ######################################################## # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 4c2a4bd596f..af861d8246d 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -1,3 +1,152 @@ + =============================== + Release Notes for Samba 4.15.13 + December 15, 2022 + =============================== + + +This is the latest stable release of the Samba 4.15 release series. +It also contains security changes in order to address the following defects: + +o CVE-2022-37966: This is the Samba CVE for the Windows Kerberos + RC4-HMAC Elevation of Privilege Vulnerability + disclosed by Microsoft on Nov 8 2022. + + A Samba Active Directory DC will issue weak rc4-hmac + session keys for use between modern clients and servers + despite all modern Kerberos implementations supporting + the aes256-cts-hmac-sha1-96 cipher. + + On Samba Active Directory DCs and members + 'kerberos encryption types = legacy' would force + rc4-hmac as a client even if the server supports + aes128-cts-hmac-sha1-96 and/or aes256-cts-hmac-sha1-96. + + https://www.samba.org/samba/security/CVE-2022-37966.html + +o CVE-2022-37967: This is the Samba CVE for the Windows + Kerberos Elevation of Privilege Vulnerability + disclosed by Microsoft on Nov 8 2022. + + A service account with the special constrained + delegation permission could forge a more powerful + ticket than the one it was presented with. + + https://www.samba.org/samba/security/CVE-2022-37967.html + +o CVE-2022-38023: The "RC4" protection of the NetLogon Secure channel uses the + same algorithms as rc4-hmac cryptography in Kerberos, + and so must also be assumed to be weak. + + https://www.samba.org/samba/security/CVE-2022-38023.html + +o CVE-2022-45141: Since the Windows Kerberos RC4-HMAC Elevation of Privilege + Vulnerability was disclosed by Microsoft on Nov 8 2022 + and per RFC8429 it is assumed that rc4-hmac is weak, + + Vulnerable Samba Active Directory DCs will issue rc4-hmac + encrypted tickets despite the target server supporting + better encryption (eg aes256-cts-hmac-sha1-96). 
+ + https://www.samba.org/samba/security/CVE-2022-45141.html + +Note that there are several important behavior changes +included in this release, which may cause compatibility problems +interacting with system still expecting the former behavior. +Please read the advisories of CVE-2022-37966, +CVE-2022-37967 and CVE-2022-38023 carefully! + +samba-tool got a new 'domain trust modify' subcommand +----------------------------------------------------- + +This allows "msDS-SupportedEncryptionTypes" to be changed +on trustedDomain objects. Even against remote DCs (including Windows) +using the --local-dc-ipaddress= (and other --local-dc-* options). +See 'samba-tool domain trust modify --help' for further details. + +smb.conf changes +---------------- + + Parameter Name Description Default + -------------- ----------- ------- + allow nt4 crypto Deprecated no + allow nt4 crypto:COMPUTERACCOUNT New + kdc default domain supported enctypes New (see manpage) + kdc supported enctypes New (see manpage) + kdc force enable rc4 weak session keys New No + reject md5 clients New Default, Deprecated Yes + reject md5 servers New Default, Deprecated Yes + server schannel Deprecated Yes + server schannel require seal New, Deprecated Yes + server schannel require seal:COMPUTERACCOUNT New + winbind sealed pipes Deprecated Yes + +Changes since 4.15.12 +--------------------- + +o Andrew Bartlett <abart...@samba.org> + * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry. + * BUG 15237: CVE-2022-37966. + * BUG 15258: filter-subunit is inefficient with large numbers of knownfails. + +o Ralph Boehme <s...@samba.org> + * BUG 15240: CVE-2022-38023. + +o Luke Howard <lu...@padl.com> + * BUG 15197: Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue. + +o Stefan Metzmacher <me...@samba.org> + * BUG 13135: The KDC logic arround msDs-supportedEncryptionTypes differs from + Windows. + * BUG 15203: CVE-2022-42898 [SECURITY] krb5_pac_parse() buffer parsing + vulnerability. 
+ * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry + * BUG 15237: CVE-2022-37966. + * BUG 15240: CVE-2022-38023. + +o Andreas Schneider <a...@samba.org> + * BUG 15237: CVE-2022-37966. + +o Joseph Sutton <josephsut...@catalyst.net.nz> + * BUG 14929: CVE-2022-44640 [SECURITY] Upstream Heimdal free of + user-controlled pointer in FAST. + * BUG 15197: Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue. + * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry. + * BUG 15231: CVE-2022-37967. + * BUG 15237: CVE-2022-37966. + +o Nicolas Williams <n...@cryptonector.com> + * BUG 15214: CVE-2022-45141. + * BUG 15237: CVE-2022-37966. + +o Nicolas Williams <n...@twosigma.com> + * BUG 14929: CVE-2022-44640 [SECURITY] Upstream Heimdal free of + user-controlled pointer in FAST. + + +####################################### +Reporting bugs & Development Discussion +####################################### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical:matrix.org matrix room, or +#samba-technical IRC channel on irc.libera.chat. + + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. All bug reports should +be filed under the Samba 4.1 and newer product in the project's Bugzilla +database (https://bugzilla.samba.org/). + + +====================================================================== +== Our Code, Our Bugs, Our Responsibility. +== The Samba Team +====================================================================== + + +Release notes for older releases follow: +---------------------------------------- =============================== Release Notes for Samba 4.15.12 November 15, 2022 
@@ -42,8 +191,7 @@ database (https://bugzilla.samba.org/). ====================================================================== -Release notes for older releases follow: ----------------------------------------- +---------------------------------------------------------------------- =============================== Release Notes for Samba 4.15.11 October 25, 2022 diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h index 551b1611826..6fd43472ae0 100644 --- a/auth/credentials/credentials.h +++ b/auth/credentials/credentials.h @@ -344,4 +344,11 @@ NTSTATUS netlogon_creds_session_encrypt( struct netlogon_creds_CredentialState *state, DATA_BLOB data); +int cli_credentials_get_aes256_key(struct cli_credentials *cred, + TALLOC_CTX *mem_ctx, + struct loadparm_context *lp_ctx, + const char *password, + const char *salt, + DATA_BLOB *aes_256); + #endif /* __CREDENTIALS_H__ */ diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c index d2e7a76a69e..39b7b8dd57e 100644 --- a/auth/credentials/credentials_krb5.c +++ b/auth/credentials/credentials_krb5.c 
@@ -1459,3 +1459,62 @@ _PUBLIC_ void cli_credentials_set_target_service(struct cli_credentials *cred, c cred->target_service = talloc_strdup(cred, target_service); } +_PUBLIC_ int cli_credentials_get_aes256_key(struct cli_credentials *cred, + TALLOC_CTX *mem_ctx, + struct loadparm_context *lp_ctx, + const char *password, + const char *salt, + DATA_BLOB *aes_256) +{ + struct smb_krb5_context *smb_krb5_context = NULL; + krb5_error_code krb5_ret; + int ret; + krb5_data cleartext_data; + krb5_data salt_data; + krb5_keyblock key; + + if (cred->password_will_be_nt_hash) { + DEBUG(1,("cli_credentials_get_aes256_key: cannot generate AES256 key using NT hash\n")); + return EINVAL; + } + + cleartext_data.data = discard_const_p(char, password); + cleartext_data.length = strlen(password); + + ret = cli_credentials_get_krb5_context(cred, lp_ctx, + &smb_krb5_context); + if (ret != 0) { + return ret; + } + + salt_data.data = discard_const_p(char, salt); + salt_data.length = strlen(salt); + + /* + * create ENCTYPE_AES256_CTS_HMAC_SHA1_96 key out of + * the salt and the cleartext password + */ + krb5_ret = smb_krb5_create_key_from_string(smb_krb5_context->krb5_context, + NULL, + &salt_data, + &cleartext_data, + ENCTYPE_AES256_CTS_HMAC_SHA1_96, + &key); + if (krb5_ret != 0) { + DEBUG(1,("cli_credentials_get_aes256_key: " + "generation of a aes256-cts-hmac-sha1-96 key failed: %s", + smb_get_krb5_error_message(smb_krb5_context->krb5_context, + krb5_ret, mem_ctx))); + return EINVAL; + } + *aes_256 = data_blob_talloc(mem_ctx, + KRB5_KEY_DATA(&key), + KRB5_KEY_LENGTH(&key)); + krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &key); + if (aes_256->data == NULL) { + return ENOMEM; + } + talloc_keep_secret(aes_256->data); + + return 0; +} diff --git a/buildtools/wafsamba/samba_autoconf.py b/buildtools/wafsamba/samba_autoconf.py index 4d2aea6c941..e17e667532b 100644 --- a/buildtools/wafsamba/samba_autoconf.py +++ b/buildtools/wafsamba/samba_autoconf.py 
@@ -184,7 +184,8 @@ def CHECK_TYPE_IN(conf, t, headers=None, alternate=None, define=None): @conf def CHECK_VARIABLE(conf, v, define=None, always=False, - headers=None, msg=None, lib=None): + headers=None, msg=None, lib=None, + mandatory=False): '''check for a variable declaration (or define)''' if define is None: define = 'HAVE_%s' % v.upper() @@ -208,6 +209,7 @@ def CHECK_VARIABLE(conf, v, define=None, always=False, lib=lib, headers=headers, define=define, + mandatory=mandatory, always=always) diff --git a/docs-xml/manpages/samba-tool.8.xml b/docs-xml/manpages/samba-tool.8.xml index 9a40bb1bec4..8e9279cc518 100644 --- a/docs-xml/manpages/samba-tool.8.xml +++ b/docs-xml/manpages/samba-tool.8.xml @@ -676,6 +676,11 @@ <para>Create a domain or forest trust.</para> </refsect3> +<refsect3> + <title>domain trust modify <replaceable>DOMAIN</replaceable> <replaceable>options</replaceable> [options]</title> + <para>Modify a domain or forest trust.</para> +</refsect3> + <refsect3> <title>domain trust delete <replaceable>DOMAIN</replaceable> <replaceable>options</replaceable> [options]</title> <para>Delete a domain trust.</para> diff --git a/docs-xml/smbdotconf/logon/allownt4crypto.xml b/docs-xml/smbdotconf/logon/allownt4crypto.xml index 03dc8fa93f7..ee63e6cc245 100644 --- a/docs-xml/smbdotconf/logon/allownt4crypto.xml +++ b/docs-xml/smbdotconf/logon/allownt4crypto.xml 
@@ -1,11 +1,18 @@ <samba:parameter name="allow nt4 crypto" context="G" type="boolean" + deprecated="1" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> <description> + <para> + This option is deprecated and will be removed in future, + as it is a security problem if not set to "no" (which will be + the hardcoded behavior in future). + </para> + <para>This option controls whether the netlogon server (currently only in 'active directory domain controller' mode), will - reject clients which does not support NETLOGON_NEG_STRONG_KEYS + reject clients which do not support NETLOGON_NEG_STRONG_KEYS nor NETLOGON_NEG_SUPPORTS_AES.</para> <para>This option was added with Samba 4.2.0. It may lock out clients 
@@ -18,8 +25,82 @@ <para>"allow nt4 crypto = yes" allows weak crypto to be negotiated, maybe via downgrade attacks.</para> - <para>This option yields precedence to the 'reject md5 clients' option.</para> + <para><emphasis>Avoid using this option!</emphasis> Use explicit '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>' instead! + Which is available with the patches for + <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink> + see <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink></para> + + <para> + Samba will log an error in the log files at log level 0 + if legacy a client is rejected or allowed without an explicit, + '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>' option + for the client. The message will indicate + the explicit '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>' + line to be added, if the legacy client software requires it. (The log level can be adjusted with + '<smbconfoption name="CVE_2022_38023:error_debug_level">1</smbconfoption>' + in order to complain only at a higher log level). 
+ </para> + + <para>This allows admins to use "yes" only for a short grace period, + in order to collect the explicit + '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>' options.</para> + + <para>This option is over-ridden by the effective value of 'yes' from + the '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT"/>' + and/or '<smbconfoption name="reject md5 clients"/>' options.</para> </description> <value type="default">no</value> </samba:parameter> + +<samba:parameter name="allow nt4 crypto:COMPUTERACCOUNT" + context="G" + type="string" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + + <para>If you still have legacy domain members which required 'allow nt4 crypto = yes', + it is possible to specify an explicit exception per computer account + by using 'allow nt4 crypto:COMPUTERACCOUNT = yes' as option. + Note that COMPUTERACCOUNT has to be the sAMAccountName value of + the computer account (including the trailing '$' sign). + </para> + + <para> + Samba will log a complaint in the log files at log level 0 + about the security problem if the option is set to "yes", + but the related computer does not require it. + (The log level can be adjusted with + '<smbconfoption name="CVE_2022_38023:warn_about_unused_debug_level">1</smbconfoption>' + in order to complain only at a higher log level). + </para> + + <para> + Samba will log a warning in the log files at log level 5, + if a setting is still needed for the specified computer account. + </para> + + <para> + See <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>, + <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>. 
+ </para> + + <para>This option overrides the <smbconfoption name="allow nt4 crypto"/> option.</para> + + <para>This option is over-ridden by the effective value of 'yes' from + the '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT"/>' + and/or '<smbconfoption name="reject md5 clients"/>' options.</para> + <para>Which means '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>' + is only useful in combination with '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT">no</smbconfoption>'</para> + + <programlisting> + allow nt4 crypto:LEGACYCOMPUTER1$ = yes + server reject md5 schannel:LEGACYCOMPUTER1$ = no + allow nt4 crypto:NASBOX$ = yes + server reject md5 schannel:NASBOX$ = no + allow nt4 crypto:LEGACYCOMPUTER2$ = yes + server reject md5 schannel:LEGACYCOMPUTER2$ = no + </programlisting> +</description> + +</samba:parameter> diff --git a/docs-xml/smbdotconf/logon/rejectmd5clients.xml b/docs-xml/smbdotconf/logon/rejectmd5clients.xml index 41684ef1080..fe7701d9277 100644 --- a/docs-xml/smbdotconf/logon/rejectmd5clients.xml +++ b/docs-xml/smbdotconf/logon/rejectmd5clients.xml 
@@ -1,17 +1,110 @@ <samba:parameter name="reject md5 clients" context="G" type="boolean" + deprecated="1" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> <description> + <para> + This option is deprecated and will be removed in a future release, + as it is a security problem if not set to "yes" (which will be + the hardcoded behavior in the future). + </para> + <para>This option controls whether the netlogon server (currently only in 'active directory domain controller' mode), will reject clients which does not support NETLOGON_NEG_SUPPORTS_AES.</para> - <para>You can set this to yes if all domain members support aes. - This will prevent downgrade attacks.</para> + <para>Support for NETLOGON_NEG_SUPPORTS_AES was added in Windows + starting with Server 2008R2 and Windows 7, it's available in Samba + starting with 4.0, however third party domain members like NetApp ONTAP + still uses RC4 (HMAC-MD5), see + <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">https://www.samba.org/samba/security/CVE-2022-38023.html</ulink> + for more details. + </para> + + <para>The default changed from 'no' to 'yes', with the patches for + <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink> + see <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>. + </para> + + <para><emphasis>Avoid using this option!</emphasis> Use an explicit per machine account + '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT"/>' instead! + Which is available with the patches for + <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink> + see <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>. 
+ </para> + + <para> + Samba will log an error in the log files at log level 0 + if legacy a client is rejected or allowed without an explicit, + '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT">no</smbconfoption>' option + for the client. The message will indicate + the explicit '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT">no</smbconfoption>' + line to be added, if the legacy client software requires it. (The log level can be adjusted with + '<smbconfoption name="CVE_2022_38023:error_debug_level">1</smbconfoption>' + in order to complain only at a higher log level). + </para> + + <para>This allows admins to use "no" only for a short grace period, + in order to collect the explicit + '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT">no</smbconfoption>' options.</para> + + <para>When set to 'yes' this option overrides the + '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT"/>' and + '<smbconfoption name="allow nt4 crypto"/>' options and implies + '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">no</smbconfoption>'. + </para> +</description> + +<value type="default">yes</value> +</samba:parameter> + +<samba:parameter name="server reject md5 schannel:COMPUTERACCOUNT" + context="G" + type="string" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + + <para>If you still have legacy domain members or trusted domains, + which required "reject md5 clients = no" before, + it is possible to specify an explicit exception per computer account + by setting 'server reject md5 schannel:COMPUTERACCOUNT = no'. + Note that COMPUTERACCOUNT has to be the sAMAccountName value of + the computer account (including the trailing '$' sign). + </para> + + <para> + Samba will log a complaint in the log files at log level 0 + about the security problem if the option is set to "no", + but the related computer does not require it. 
+ (The log level can be adjusted with + '<smbconfoption name="CVE_2022_38023:warn_about_unused_debug_level">1</smbconfoption>' + in order to complain only at a higher log level). + </para> + -- Samba Shared Repository
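Review bot: the release-notes text in the WHATSNEW.txt hunk (@@ -1,3 +1,152 @@) has several wording slips worth fixing before the tag is cut: "interacting with system still expecting the former behavior" should read "systems", the BUG 13135 entry has "arround" for "around", and the CVE-2022-45141 paragraph is a fragment ("Since ... it is assumed that rc4-hmac is weak," followed by a new paragraph beginning "Vulnerable Samba Active Directory DCs will issue"), so the two halves should be joined into one sentence. The Default column of the smb.conf table also mixes "no", "No" and "Yes"; pick one case so the table reads consistently.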
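Review bot: the new cli_credentials_get_aes256_key() prototype in the credentials.h hunk has no comment stating its contract. Since the implementation returns 0 or an errno value (EINVAL, ENOMEM), allocates *aes_256 on mem_ctx and marks it with talloc_keep_secret(), a short comment above the declaration saying so, and that password and salt must be non-NULL, would save callers a trip into credentials_krb5.c.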
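Review bot: in the credentials_krb5.c hunk, cli_credentials_get_aes256_key() calls strlen(password) and strlen(salt) without checking either pointer, so a caller passing NULL crashes instead of getting EINVAL; an early `if (password == NULL || salt == NULL) { return EINVAL; }` before the strlen() calls would close that. Two smaller points in the same hunk: the DEBUG(1, ...) message in the smb_krb5_create_key_from_string() failure path has no trailing "\n" (the NT-hash message a few lines above does), and the function collapses every krb5 failure into EINVAL, so callers cannot distinguish bad input from a library error; consider propagating a distinct error code there.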
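Review bot: in the samba_autoconf.py hunk, CHECK_VARIABLE() gains a mandatory= keyword that is forwarded to the underlying check, but the docstring ('check for a variable declaration (or define)') is not updated to say what mandatory=True does; one line there would document the behaviour that the "system_mitkrb5: require support for aes enctypes" commit in this same changeset presumably relies on.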
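Review bot: the new refsect3 for 'domain trust modify' in the samba-tool.8.xml hunk describes the command only as "Modify a domain or forest trust.", which does not tell an admin why it exists; the WHATSNEW text in this changeset says the subcommand changes msDS-SupportedEncryptionTypes on trustedDomain objects, also against remote DCs via --local-dc-ipaddress=, so the manpage entry should say at least that much so readers following the CVE-2022-37966 advisory can find it.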
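Review bot: in the allownt4crypto.xml hunk starting at @@ -18,8 +25,82 @@, "if legacy a client is rejected or allowed" should read "if a legacy client is rejected or allowed", and "legacy domain members which required 'allow nt4 crypto = yes'" should be "which require", since the members still need it. The same file now uses both "over-ridden" and "overrides" for the precedence rules; use one spelling ("overridden") in both places. "Which is available with the patches for ..." is also a sentence fragment and should be attached to the preceding sentence.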
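Review bot: the rejectmd5clients.xml hunk repeats the "if legacy a client is rejected" slip from allownt4crypto.xml and adds "third party domain members like NetApp ONTAP still uses RC4", which should be "still use". The unchanged context line "reject clients which does not support NETLOGON_NEG_SUPPORTS_AES" is the same grammar error that the allownt4crypto.xml hunk fixes ("which do not support"); it is worth fixing here in the same pass.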