The branch, v4-16-stable has been updated
via 32d0bb89272 VERSION: Disable GIT_SNAPSHOT for the 4.16.10 release.
via 62390bac925 WHATSNEW: Add release notes for Samba 4.16.10.
via 6736fc0cff0 CVE-2023-0922 set default ldap client sasl wrapping to
seal
via 4acabb3c285 CVE-2023-0614 ldb: Release LDB 2.5.3
via 3a38d702397 CVE-2023-0614 lib/ldb-samba Ensure ACLs are evaluated
on SAMBA_LDAP_MATCH_RULE_TRANSITIVE_EVAL / LDAP_MATCHING_RULE_IN_CHAIN
via 19785d023e3 CVE-2023-0614 lib/ldb-samba: Add test for
SAMBA_LDAP_MATCH_RULE_TRANSITIVE_EVAL / LDAP_MATCHING_RULE_IN_CHAIN with and
ACL hidden attributes
via 979997992a4 CVE-2023-0614 dsdb: Add pre-cleanup and
self.addCleanup() of OU created in match_rules tests
via c64b48b2b26 CVE-2023-0614 dsdb: Add DSDB_MARK_REQ_UNTRUSTED
via 1cfaa078ffc CVE-2023-0614 s4-dsdb: Treat confidential attributes as
unindexed
via a74571b49f5 CVE-2023-0614 ldb: Filter on search base before
redacting message
via d60683e5e9d CVE-2023-0614 ldb: Centralise checking for inaccessible
matches
via 58b4a0e3eb7 CVE-2023-0614 ldb: Use binary search to check whether
attribute is secret
via 353d3df3dd5 CVE-2023-0614 s4-acl: Avoid calling
dsdb_module_am_system() if we can help it
via 9447c4e81e0 CVE-2023-0614 ldb: Prevent disclosure of confidential
attributes
via 134c659d402 CVE-2023-0614 s4-acl: Split out function to set up
access checking variables
via e46739cb897 CVE-2023-0614 s4-dsdb: Add samdb_result_dom_sid_buf()
via 95be170f997 CVE-2023-0614 s4-acl: Split out logic to remove access
checking attributes
via 0b0d8a8ece6 CVE-2023-0614 ldb: Add ldb_parse_tree_get_attr()
via 1c9736510f3 CVE-2023-0614 tests/krb5: Add test for confidential
attributes timing differences
via e3b8d0a650b CVE-2023-0614 schema_samba4.ldif: Allocate previously
added OID
via f8a674088ac schema_samba4.ldif: Allocate previously added OIDs
via a4193a79035 CVE-2023-0614 s4:dsdb:tests: Fix <GUID={}> search in
confidential attributes test
via d096cd4ed92 CVE-2023-0614 s4:dsdb/extended_dn_in: Don't modify a
search tree we don't own
via 4bbdd6709bf CVE-2023-0614 ldb: Make use of
ldb_filter_attrs_in_place()
via 4addeaaf5da CVE-2023-0614 ldb: Make ldb_filter_attrs_in_place()
work in place
via 7c2d0e0a06e CVE-2023-0614 ldb: Add function to filter message in
place
via 7982090641e CVE-2023-0614 ldb: Add function to add
distinguishedName to message
via 873d4e465f3 CVE-2023-0614 ldb: Add function to remove excess
capacity from an ldb message
via 891ffeaf99d CVE-2023-0614 ldb: Add function to take ownership of an
ldb message
via 6519d1d8fa1 CVE-2023-0614 ldb:tests: Ensure all tests are accounted
for
via 7153af801e5 CVE-2023-0614 ldb:tests: Ensure ldb_val data is
zero-terminated
via c3419c288c6 CVE-2023-0614 s4-acl: Use ldb functions for handling
inaccessible message elements
via 0f8a3344501 CVE-2023-0614 ldb: Add functions for handling
inaccessible message elements
via 9469c41895a CVE-2023-0614 s4-acl: Make some parameters const
via c91b81ecc92 CVE-2023-0614 s4:dsdb: Use talloc_get_type_abort() more
consistently
via 26b79d2749b CVE-2023-0614 libcli/security: Make some parameters
const
via 8712a2dc972 CVE-2023-0614 dsdb: Alter timeout test in large_ldap.py
to be slower by matching on large objects
via bf7b9d9d5e4 CVE-2023-0614 selftest: Use setUpClass() to reduce
"make test TESTS=large_ldap" time
via ae3d2737949 CVE-2023-0614 lib/ldb: Avoid allocation and memcpy()
for every wildcard match candidate
via f2461834bbc VERSION: Bump version up to Samba 4.16.10...
from 63f92a37f02 VERSION: Disable GIT_SNAPSHOT for the 4.16.9 release.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-16-stable
- Log -----------------------------------------------------------------
commit 32d0bb892727ccdfc7bc81d93ab255898041c02b
Author: Jule Anger <jan...@samba.org>
Date: Wed Mar 22 10:26:09 2023 +0100
VERSION: Disable GIT_SNAPSHOT for the 4.16.10 release.
Signed-off-by: Jule Anger <jan...@samba.org>
commit 62390bac925a84064e93b46dd9e0e418f1b41b7b
Author: Jule Anger <jan...@samba.org>
Date: Wed Mar 22 10:24:15 2023 +0100
WHATSNEW: Add release notes for Samba 4.16.10.
Signed-off-by: Jule Anger <jan...@samba.org>
commit 6736fc0cff07162299ee68aabef81c3d0cda204d
Author: Rob van der Linde <r...@catalyst.net.nz>
Date: Mon Feb 27 14:06:23 2023 +1300
CVE-2023-0922 set default ldap client sasl wrapping to seal
This avoids sending new or reset passwords in the clear
(integrity protected only) from samba-tool in particular.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15315
Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abart...@samba.org>
Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>
commit 4acabb3c285615c7a5b6155760a9f301b190a9d7
Author: Andrew Bartlett <abart...@samba.org>
Date: Fri Mar 3 17:52:13 2023 +1300
CVE-2023-0614 ldb: Release LDB 2.5.3
* CVE-2023-0614 Not-secret but access controlled LDAP attributes can be
discovered (bug 15270)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Andrew Bartlett <abart...@samba.org>
Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>
[abart...@samba.org Adapted to LDB 2.5 series in Samba 4.16]
commit 3a38d702397f25cb356a7f71c328b49e00fc1aca
Author: Andrew Bartlett <abart...@samba.org>
Date: Thu Mar 2 17:24:15 2023 +1300
CVE-2023-0614 lib/ldb-samba Ensure ACLs are evaluated on
SAMBA_LDAP_MATCH_RULE_TRANSITIVE_EVAL / LDAP_MATCHING_RULE_IN_CHAIN
Setting the LDB_HANDLE_FLAG_UNTRUSTED tells the acl_read module to operate
on this request.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Andrew Bartlett <abart...@samba.org>
Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>
commit 19785d023e3524f7aa3fa2ad707432b51076d56e
Author: Andrew Bartlett <abart...@samba.org>
Date: Thu Mar 2 16:51:25 2023 +1300
CVE-2023-0614 lib/ldb-samba: Add test for
SAMBA_LDAP_MATCH_RULE_TRANSITIVE_EVAL / LDAP_MATCHING_RULE_IN_CHAIN with and
ACL hidden attributes
The chain for transitive evaluation does consider ACLs, avoiding the
disclosure of
confidential information.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Andrew Bartlett <abart...@samba.org>
Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>
commit 979997992a436cd32d1818e1c6c94faeedfe2b9f
Author: Andrew Bartlett <abart...@samba.org>
Date: Fri Mar 3 16:49:00 2023 +1300
CVE-2023-0614 dsdb: Add pre-cleanup and self.addCleanup() of OU created in
match_rules tests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Andrew Bartlett <abart...@samba.org>
Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>
commit c64b48b2b2652d6a8241105d570904219a98d226
Author: Andrew Bartlett <abart...@samba.org>
Date: Thu Mar 2 16:31:17 2023 +1300
CVE-2023-0614 dsdb: Add DSDB_MARK_REQ_UNTRUSTED
This will allow our dsdb helper search functions to mark the new
request as untrusted, forcing read ACL evaluation (per current behaviour).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Andrew Bartlett <abart...@samba.org>
Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>
[abart...@samba.org adapted due to Samba 4.16 and lower
not having the patches for CVE-2022-32743]
commit 1cfaa078ffcbd915f8494cd98b375dd2598010ec
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Fri Feb 24 10:03:25 2023 +1300
CVE-2023-0614 s4-dsdb: Treat confidential attributes as unindexed
In the unlikely case that someone adds a confidential indexed attribute
to the schema, LDAP search expressions on that attribute could disclose
information via timing differences. Let's not use the index for searches
on confidential attributes.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit a74571b49f5476cde430f11cd7bc256f17925fe8
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Fri Mar 3 17:35:55 2023 +1300
CVE-2023-0614 ldb: Filter on search base before redacting message
Redaction may be expensive if we end up needing to fetch a security
descriptor to verify rights to an attribute. Checking the search scope
is probably cheaper, so do that first.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit d60683e5e9daf243e9a2acc203b567c3a6c92567
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Tue Feb 14 13:17:24 2023 +1300
CVE-2023-0614 ldb: Centralise checking for inaccessible matches
This makes it less likely that we forget to handle a case.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit 58b4a0e3eb7579a389be139bbc6dce8c2eab90bc
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Thu Feb 16 12:35:34 2023 +1300
CVE-2023-0614 ldb: Use binary search to check whether attribute is secret
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit 353d3df3dd56e691b6a968c9b716f2a31e8bcfc4
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Mon Feb 27 13:31:44 2023 +1300
CVE-2023-0614 s4-acl: Avoid calling dsdb_module_am_system() if we can help
it
If the AS_SYSTEM control is present, we know we have system privileges,
and have no need to call dsdb_module_am_system().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit 9447c4e81e04df5b8d775fb62f3440f0d9076002
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Fri Mar 3 17:34:29 2023 +1300
CVE-2023-0614 ldb: Prevent disclosure of confidential attributes
Add a hook, acl_redact_msg_for_filter(), in the aclread module, that
marks inaccessible any message elements used by an LDAP search filter
that the user has no right to access. Make the various ldb_match_*()
functions check whether message elements are accessible, and refuse to
match any that are not. Remaining message elements, not mentioned in the
search filter, are checked in aclread_callback(), and any inaccessible
elements are removed at this point.
Certain attributes, namely objectClass, distinguishedName, name, and
objectGUID, are always present, and hence the presence of said
attributes is always allowed to be checked in a search filter. This
corresponds with the behaviour of Windows.
Further, we unconditionally allow the attributes isDeleted and
isRecycled in a check for presence or equality. Windows is not known to
make this special exception, but it seems mostly harmless, and should
mitigate the performance impact on searches made by the show_deleted
module.
As a result of all these changes, our behaviour regarding confidential
attributes happens to match Windows more closely. For the test in
confidential_attr.py, we can now model our attribute handling with
DC_MODE_RETURN_ALL, which corresponds to the behaviour exhibited by
Windows.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Pair-Programmed-With: Andrew Bartlett <abart...@samba.org>
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abart...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
[abart...@samba.org adapted due to Samba 4.17 and lower
not having the patches for CVE-2020-25720 and 4.16 and lower
not having the patches for CVE-2022-32743 ]
commit 134c659d4025b2d85c825456fa0c81b47a9a8bb4
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Mon Feb 27 13:55:36 2023 +1300
CVE-2023-0614 s4-acl: Split out function to set up access checking variables
These variables are often used together, and it is useful to have the
setup code in one place.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
[abart...@samba.org adapted to the use of
acl_check_access_on_attribute as
acl_check_access_on_attribute_implicit_owner is
only in Samba 4.18 and newer]
commit e46739cb89763812c29b8e5180e55cb60cbfbca7
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Mon Feb 27 12:19:08 2023 +1300
CVE-2023-0614 s4-dsdb: Add samdb_result_dom_sid_buf()
This function parses a SID from an ldb_message, similar to
samdb_result_dom_sid(), but does it without allocating anything.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
[abart...@samba.org Adapted for simple conflicts due to
56297449f9c2e94505a72a70a3a3c5990d00d37f trimming
trailing whitespace]
commit 95be170f9978ed255f1b8cbcdf28de4475cdc96c
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Mon Feb 27 13:40:33 2023 +1300
CVE-2023-0614 s4-acl: Split out logic to remove access checking attributes
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit 0b0d8a8ece6ac0d18c7cbdb726d2c46cd6c88997
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Fri Mar 3 17:31:54 2023 +1300
CVE-2023-0614 ldb: Add ldb_parse_tree_get_attr()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit 1c9736510f3ca93cb50a5230ce839c3c8c16cd9b
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Fri Jan 27 08:32:41 2023 +1300
CVE-2023-0614 tests/krb5: Add test for confidential attributes timing
differences
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit e3b8d0a650b6b743f2aa37581f73625dc5b35680
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Tue Feb 7 09:25:48 2023 +1300
CVE-2023-0614 schema_samba4.ldif: Allocate previously added OID
DSDB_CONTROL_CALCULATED_DEFAULT_SD_OID was added in commit
08187833fee57a8dba6c67546dfca516cd1f9d7a.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit f8a674088ac2e5d5ba6e2913ad4902db02b547f8
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Thu Aug 25 20:15:33 2022 +1200
schema_samba4.ldif: Allocate previously added OIDs
DSDB_CONTROL_FORCE_ALLOW_VALIDATED_DNS_HOSTNAME_SPN_WRITE_OID was added
to source4/dsdb/samdb/samdb.h in commit
c2ab1f4696fa3f52918a126d0b37993a07f68bcb.
DSDB_EXTENDED_SCHEMA_LOAD was added in commit
1fd4cdfafaa6a41c824d1b3d76635bf3e446de0f.
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <me...@samba.org>
(cherry picked from commit 672ec6135f9ae3d7b5439523a4f456c19fb03a88)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
[abart...@samba.org This required as context for the above bug]
commit a4193a790354414542eb8d049b0f77b9005f51cb
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Tue Feb 7 09:48:37 2023 +1300
CVE-2023-0614 s4:dsdb:tests: Fix <GUID={}> search in confidential
attributes test
The object returned by schema_format_value() is a bytes object.
Therefore the search expression would resemble:
(lastKnownParent=<GUID=b'00000000-0000-0000-0000-000000000000'>)
which, due to the extra characters, would fail to match anything.
Fix it to be:
(lastKnownParent=<GUID=00000000-0000-0000-0000-000000000000>)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit d096cd4ed92bd96523c2dbe42e99fa17783a7395
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Tue Feb 7 09:35:24 2023 +1300
CVE-2023-0614 s4:dsdb/extended_dn_in: Don't modify a search tree we don't
own
In extended_dn_fix_filter() we had:
req->op.search.tree = ldb_parse_tree_copy_shallow(req,
req->op.search.tree);
which overwrote the parse tree on an existing ldb request with a fixed
up tree. This became a problem if a module performed another search with
that same request structure, as extended_dn_in would try to fix up the
already-modified tree for a second time. The fixed-up tree element now
having an extended DN, it would fall foul of the ldb_dn_match_allowed()
check in extended_dn_filter_callback(), and be replaced with an
ALWAYS_FALSE match rule. In practice this meant that <GUID={}> searches
would only work for one search in an ldb request, and fail for
subsequent ones.
Fix this by creating a new request with the modified tree, and leaving
the original request unmodified.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit 4bbdd6709bfe2ba31cee8968751a48a6d454f19e
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Mon Feb 27 10:31:52 2023 +1300
CVE-2023-0614 ldb: Make use of ldb_filter_attrs_in_place()
Change all uses of ldb_kv_filter_attrs() to use
ldb_filter_attrs_in_place() instead. This function does less work than
its predecessor, and no longer requires the allocation of a second ldb
message. Some of the work is able to be split out into separate
functions that each accomplish a single task, with a purpose to make the
code clearer.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit 4addeaaf5da96ac8f620a0c27c2a576b17747dd2
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Fri Mar 3 17:30:19 2023 +1300
CVE-2023-0614 ldb: Make ldb_filter_attrs_in_place() work in place
ldb_filter_attrs() previously did too much. Now its replacement,
ldb_filter_attrs_in_place(), only does the actual filtering, while
taking ownership of each element's values is handled in a separate
function, ldb_msg_elements_take_ownership().
Also, ldb_filter_attrs_in_place() no longer adds the distinguishedName
to the message if it is missing. That is handled in another function,
ldb_msg_add_distinguished_name().
As we're now modifying the original message rather than copying it into
a new one, we no longer need the filtered_msg parameter.
We adapt a test, based on ldb_filter_attrs_test, to exercise the new
function.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit 7c2d0e0a06e6c3523f1ad3fba514505ca094f2fd
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Fri Mar 3 17:29:03 2023 +1300
CVE-2023-0614 ldb: Add function to filter message in place
At present this function is an exact duplicate of ldb_filter_attrs(),
but in the next commit we shall modify it to work in place, without the
need for the allocation of a second message.
The test is a near duplicate of the existing test for
ldb_filter_attrs().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit 7982090641e5199d2bbece3b7aa50f3e7342db12
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Fri Mar 3 17:27:38 2023 +1300
CVE-2023-0614 ldb: Add function to add distinguishedName to message
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
[abart...@samba.org Adapted to conflict from lack of new
ldb_ascii_toupper() in ldb_private.h]
commit 873d4e465f333c487dc1bee748054b6b606c299b
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Fri Mar 3 17:26:04 2023 +1300
CVE-2023-0614 ldb: Add function to remove excess capacity from an ldb
message
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
[abart...@samba.org Adapted to conflict from lack of new
ldb_ascii_toupper() in ldb_private.h]
commit 891ffeaf99d150e2a5707d71825e5533570aa974
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Fri Mar 3 17:23:42 2023 +1300
CVE-2023-0614 ldb: Add function to take ownership of an ldb message
Many places in Samba depend upon various components of an ldb message
being talloc allocated, and hence able to be used as talloc contexts.
The elements and values of an unpacked ldb message point to unowned data
inside the memory-mapped database, and this function ensures that such
messages have talloc ownership of said elements and values.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit 6519d1d8fa1e1154a388a3bff319da2b0387f157
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Wed Feb 15 14:08:57 2023 +1300
CVE-2023-0614 ldb:tests: Ensure all tests are accounted for
Add ldb_filter_attrs_test to the list of tests so that it actually gets
run.
Remove a duplicate ldb_msg_test that was accidentally added in commit
5ca90e758ade97fb5e335029c7a1768094e70564.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit 7153af801e59f4cfee54ae020bfca13c73f63e93
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Wed Feb 15 12:34:51 2023 +1300
CVE-2023-0614 ldb:tests: Ensure ldb_val data is zero-terminated
If the value of an ldb message element is not zero-terminated, calling
ldb_msg_find_attr_as_string() will cause the function to read off the
end of the buffer in an attempt to verify that the value is
zero-terminated. This can cause unexpected behaviour and make the test
randomly fail.
To avoid this, we must have a terminating null byte that is *not*
counted as part of the length, and so we must calculate the length with
strlen() rather than sizeof.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit c3419c288c612743d42179d46091e28ba4c9939b
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Fri Jan 27 08:29:33 2023 +1300
CVE-2023-0614 s4-acl: Use ldb functions for handling inaccessible message
elements
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit 0f8a3344501e3c07a690e8cf6783eddf5cb4d845
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Fri Jan 27 08:28:36 2023 +1300
CVE-2023-0614 ldb: Add functions for handling inaccessible message elements
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit 9469c41895ab88e0ef09ff0e175f38c53e704cd1
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Fri Jan 27 08:00:32 2023 +1300
CVE-2023-0614 s4-acl: Make some parameters const
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
[abart...@samba.org Adapted to code without newer
acl_check_access_on_attribute_implicit_owner name]
commit c91b81ecc9228be6db6817f876c19b6ba87da4f1
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Tue Feb 7 09:29:51 2023 +1300
CVE-2023-0614 s4:dsdb: Use talloc_get_type_abort() more consistently
It is better to explicitly abort than to dereference a NULL pointer or
try to read data cast to the wrong type.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit 26b79d2749b49b4b2e9d517e34aaa750ac552426
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Fri Jan 27 07:57:27 2023 +1300
CVE-2023-0614 libcli/security: Make some parameters const
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
[abart...@samba.org Updated to add const to sec_access_check_ds()
instead of the sec_access_check_ds_implicit_owner() wrapper
found in 4.18 and later]
commit 8712a2dc972fd336fa6d3c5f6fdc4901b01e8c41
Author: Andrew Bartlett <abart...@samba.org>
Date: Fri Mar 3 10:31:40 2023 +1300
CVE-2023-0614 dsdb: Alter timeout test in large_ldap.py to be slower by
matching on large objects
This changes the slow aspect to be the object matching not the filter
parsing.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Andrew Bartlett <abart...@samba.org>
Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>
commit bf7b9d9d5e4fd837f5528dc7140082423131d2b5
Author: Andrew Bartlett <abart...@samba.org>
Date: Mon Mar 13 17:20:00 2023 +1300
CVE-2023-0614 selftest: Use setUpClass() to reduce "make test
TESTS=large_ldap" time
This reduces the elapsed time to 6m from 20m on my laptop.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15332
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Andrew Bartlett <abart...@samba.org>
Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
Autobuild-Date(master): Tue Mar 14 07:16:04 UTC 2023 on atb-devel-224
(cherry picked from commit b4a6c054ec6acefacd22cb7230a783d20cb07c05)
[abart...@samba.org Included in the security release as this
makes working on the large_ldap test practical by reducing
the elapsed time taken]
commit ae3d2737949d9702c5526490c2155740a96a9adb
Author: Andrew Bartlett <abart...@samba.org>
Date: Mon Mar 13 14:25:56 2023 +1300
CVE-2023-0614 lib/ldb: Avoid allocation and memcpy() for every wildcard
match candidate
The value can be quite large, the allocation will take much
longer than the actual match and is repeated per candidate
record.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15331
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Andrew Bartlett <abart...@samba.org>
Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>
(cherry picked from commit cad96f59a08192df927fb1df4e9787c7f70991a2)
[abart...@samba.org Included in the security release as this
makes the new large_ldap.py timeout test more reliable]
-----------------------------------------------------------------------
Summary of changes:
VERSION | 2 +-
WHATSNEW.txt | 63 +-
.../smbdotconf/ldap/clientldapsaslwrapping.xml | 27 +-
lib/ldb-samba/ldb_matching_rules.c | 17 +-
lib/ldb-samba/tests/match_rules.py | 135 +--
lib/ldb-samba/tests/match_rules_remote.py | 104 ++
lib/ldb/ABI/{ldb-2.5.2.sigs => ldb-2.5.3.sigs} | 10 +
...pyldb-util-2.1.0.sigs => pyldb-util-2.5.3.sigs} | 0
lib/ldb/common/ldb_match.c | 111 ++-
lib/ldb/common/ldb_msg.c | 42 +
lib/ldb/common/ldb_pack.c | 105 +-
lib/ldb/common/ldb_parse.c | 25 +
lib/ldb/include/ldb_module.h | 31 +
lib/ldb/include/ldb_private.h | 21 +
lib/ldb/ldb_key_value/ldb_kv.h | 6 +-
lib/ldb/ldb_key_value/ldb_kv_index.c | 59 +-
lib/ldb/ldb_key_value/ldb_kv_search.c | 115 ++-
lib/ldb/tests/ldb_filter_attrs_in_place_test.c | 940 ++++++++++++++++++
lib/ldb/tests/ldb_filter_attrs_test.c | 171 ++--
lib/ldb/wscript | 13 +-
lib/param/loadparm.c | 2 +-
libcli/security/access_check.c | 10 +-
libcli/security/access_check.h | 2 +-
python/samba/tests/auth_log.py | 2 +-
source3/param/loadparm.c | 2 +-
source4/dsdb/common/util.c | 26 +-
source4/dsdb/common/util.h | 1 +
source4/dsdb/samdb/ldb_modules/acl.c | 183 +---
source4/dsdb/samdb/ldb_modules/acl_read.c | 1015 +++++++++++++-------
source4/dsdb/samdb/ldb_modules/acl_util.c | 6 +-
source4/dsdb/samdb/ldb_modules/extended_dn_in.c | 50 +-
source4/dsdb/samdb/ldb_modules/linked_attributes.c | 2 +-
source4/dsdb/samdb/ldb_modules/password_hash.c | 2 +-
source4/dsdb/samdb/samdb.h | 2 +
source4/dsdb/schema/schema_description.c | 7 +
source4/dsdb/schema/schema_init.c | 11 +-
source4/dsdb/schema/schema_set.c | 9 +-
source4/dsdb/tests/python/confidential_attr.py | 180 +++-
source4/dsdb/tests/python/large_ldap.py | 85 +-
source4/selftest/tests.py | 1 +
source4/setup/schema_samba4.ldif | 4 +
source4/torture/ldb/ldb.c | 12 +-
42 files changed, 2766 insertions(+), 845 deletions(-)
create mode 100755 lib/ldb-samba/tests/match_rules_remote.py
copy lib/ldb/ABI/{ldb-2.5.2.sigs => ldb-2.5.3.sigs} (97%)
copy lib/ldb/ABI/{pyldb-util-2.1.0.sigs => pyldb-util-2.5.3.sigs} (100%)
create mode 100644 lib/ldb/tests/ldb_filter_attrs_in_place_test.c
Changeset truncated at 500 lines:
diff --git a/VERSION b/VERSION
index 5df61b2737a..2d9c8387993 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
########################################################
SAMBA_VERSION_MAJOR=4
SAMBA_VERSION_MINOR=16
-SAMBA_VERSION_RELEASE=9
+SAMBA_VERSION_RELEASE=10
########################################################
# If a official release has a serious bug #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index b5b57e856d9..4ddfe2db83c 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,63 @@
+ ===============================
+ Release Notes for Samba 4.16.10
+ March 29, 2023
+ ===============================
+
+
+This is a security release in order to address the following defects:
+
+o CVE-2023-0922: The Samba AD DC administration tool, when operating against a
+ remote LDAP server, will by default send new or reset
+ passwords over a signed-only connection.
+ https://www.samba.org/samba/security/CVE-2023-0922.html
+
+o CVE-2023-0614: The fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for CVE-2018-10919
+ Confidential attribute disclosure via LDAP filters was
+ insufficient and an attacker may be able to obtain
+ confidential BitLocker recovery keys from a Samba AD DC.
+ Installations with such secrets in their Samba AD should
+ assume they have been obtained and need replacing.
+ https://www.samba.org/samba/security/CVE-2023-0614.html
+
+
+Changes since 4.16.9
+--------------------
+
+o Andrew Bartlett <abart...@samba.org>
+ * BUG 15270: VE-2023-0614.
+ * BUG 15331: ldb wildcard matching makes excessive allocations.
+ * BUG 15332: large_ldap test is inefficient.
+
+o Rob van der Linde <r...@catalyst.net.nz>
+ * BUG 15315: CVE-2023-0922.
+
+o Joseph Sutton <josephsut...@catalyst.net.nz>
+ * BUG 15270: CVE-2023-0614.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
==============================
Release Notes for Samba 4.16.9
February 16, 2023
@@ -72,8 +132,7 @@ database (https://bugzilla.samba.org/).
======================================================================
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
==============================
Release Notes for Samba 4.16.8
December 15, 2022
diff --git a/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml
b/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml
index 3152f0682dd..21bd2090057 100644
--- a/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml
+++ b/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml
@@ -18,25 +18,24 @@
</para>
<para>
- This option is needed in the case of Domain Controllers enforcing
- the usage of signed LDAP connections (e.g. Windows 2000 SP3 or higher).
- LDAP sign and seal can be controlled with the registry key
- "<literal>HKLM\System\CurrentControlSet\Services\</literal>
- <literal>NTDS\Parameters\LDAPServerIntegrity</literal>"
- on the Windows server side.
- </para>
+ This option is needed firstly to secure the privacy of
+ administrative connections from <command>samba-tool</command>,
+ including in particular new or reset passwords for users. For
+ this reason the default is <emphasis>seal</emphasis>.</para>
- <para>
- Depending on the used KRB5 library (MIT and older Heimdal versions)
- it is possible that the message "integrity only" is not supported.
- In this case, <emphasis>sign</emphasis> is just an alias for
- <emphasis>seal</emphasis>.
+ <para>Additionally, <command>winbindd</command> and the
+ <command>net</command> tool can use LDAP to communicate with
+ Domain Controllers, so this option also controls the level of
+ privacy for those connections. All supported AD DC versions
+ will enforce the usage of at least signed LDAP connections by
+ default, so a value of at least <emphasis>sign</emphasis> is
+ required in practice.
</para>
<para>
- The default value is <emphasis>sign</emphasis>. That implies
synchronizing the time
+ The default value is <emphasis>seal</emphasis>. That implies
synchronizing the time
with the KDC in the case of using <emphasis>Kerberos</emphasis>.
</para>
</description>
-<value type="default">sign</value>
+<value type="default">seal</value>
</samba:parameter>
diff --git a/lib/ldb-samba/ldb_matching_rules.c
b/lib/ldb-samba/ldb_matching_rules.c
index 827f3920ae8..59d1385f4e3 100644
--- a/lib/ldb-samba/ldb_matching_rules.c
+++ b/lib/ldb-samba/ldb_matching_rules.c
@@ -67,7 +67,12 @@ static int ldb_eval_transitive_filter_helper(TALLOC_CTX
*mem_ctx,
* Note also that we don't have the original request
* here, so we can not apply controls or timeouts here.
*/
- ret = dsdb_search_dn(ldb, tmp_ctx, &res, to_visit->dn, attrs, 0);
+ ret = dsdb_search_dn(ldb,
+ tmp_ctx,
+ &res,
+ to_visit->dn,
+ attrs,
+ DSDB_MARK_REQ_UNTRUSTED);
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
return ret;
@@ -370,6 +375,11 @@ static int dsdb_match_for_dns_to_tombstone_time(struct
ldb_context *ldb,
return LDB_SUCCESS;
}
+ if (ldb_msg_element_is_inaccessible(el)) {
+ *matched = false;
+ return LDB_SUCCESS;
+ }
+
session_info = talloc_get_type(ldb_get_opaque(ldb, "sessionInfo"),
struct auth_session_info);
if (session_info == NULL) {
@@ -489,6 +499,11 @@ static int dsdb_match_for_expunge(struct ldb_context *ldb,
return LDB_SUCCESS;
}
+ if (ldb_msg_element_is_inaccessible(el)) {
+ *matched = false;
+ return LDB_SUCCESS;
+ }
+
session_info
= talloc_get_type(ldb_get_opaque(ldb, DSDB_SESSION_INFO),
struct auth_session_info);
diff --git a/lib/ldb-samba/tests/match_rules.py
b/lib/ldb-samba/tests/match_rules.py
index abf485c9eab..2fe6c3e2264 100755
--- a/lib/ldb-samba/tests/match_rules.py
+++ b/lib/ldb-samba/tests/match_rules.py
@@ -20,22 +20,35 @@ from ldb import SCOPE_BASE, SCOPE_SUBTREE, SCOPE_ONELEVEL
# Windows appear to preserve casing of the RDN and uppercase the other keys.
-class MatchRulesTests(samba.tests.TestCase):
+class MatchRulesTestsBase(samba.tests.TestCase):
def setUp(self):
- super(MatchRulesTests, self).setUp()
- self.lp = lp
- self.ldb = SamDB(host, credentials=creds,
session_info=system_session(lp), lp=lp)
+ super().setUp()
+ self.lp = self.sambaopts.get_loadparm()
+ self.creds = self.credopts.get_credentials(self.lp)
+
+ self.ldb = SamDB(self.host, credentials=self.creds,
+ session_info=system_session(self.lp),
+ lp=self.lp)
self.base_dn = self.ldb.domain_dn()
- self.ou = "OU=matchrulestest,%s" % self.base_dn
+ self.ou_rdn = "OU=matchrulestest"
+ self.ou = self.ou_rdn + "," + self.base_dn
self.ou_users = "OU=users,%s" % self.ou
self.ou_groups = "OU=groups,%s" % self.ou
self.ou_computers = "OU=computers,%s" % self.ou
+ try:
+ self.ldb.delete(self.ou, ["tree_delete:1"])
+ except LdbError as e:
+ pass
+
# Add a organizational unit to create objects
self.ldb.add({
"dn": self.ou,
"objectclass": "organizationalUnit"})
+ self.addCleanup(self.ldb.delete, self.ou, controls=['tree_delete:0'])
+
+
# Add the following OU hierarchy and set otherWellKnownObjects,
# which has BinaryDN syntax:
#
@@ -204,6 +217,39 @@ class MatchRulesTests(samba.tests.TestCase):
FLAG_MOD_ADD, "member")
self.ldb.modify(m)
+ # Add a couple of ms-Exch-Configuration-Container to test forward-link
+ # attributes without backward link (addressBookRoots2)
+ # e1
+ # |--> e2
+ # | |--> c1
+ self.ldb.add({
+ "dn": "cn=e1,%s" % self.ou,
+ "objectclass": "msExchConfigurationContainer"})
+ self.ldb.add({
+ "dn": "cn=e2,%s" % self.ou,
+ "objectclass": "msExchConfigurationContainer"})
+
+ m = Message()
+ m.dn = Dn(self.ldb, "cn=e2,%s" % self.ou)
+ m["e1"] = MessageElement("cn=c1,%s" % self.ou_computers,
+ FLAG_MOD_ADD, "addressBookRoots2")
+ self.ldb.modify(m)
+
+ m = Message()
+ m.dn = Dn(self.ldb, "cn=e1,%s" % self.ou)
+ m["e1"] = MessageElement("cn=e2,%s" % self.ou,
+ FLAG_MOD_ADD, "addressBookRoots2")
+ self.ldb.modify(m)
+
+
+
+class MatchRulesTests(MatchRulesTestsBase):
+ def setUp(self):
+ self.sambaopts = sambaopts
+ self.credopts = credopts
+ self.host = host
+ super().setUp()
+
# The msDS-RevealedUsers is owned by system and cannot be modified
# directly. Set the schemaUpgradeInProgress flag as workaround
# and create this hierarchy:
@@ -243,33 +289,6 @@ class MatchRulesTests(samba.tests.TestCase):
m["e1"] = MessageElement("0", FLAG_MOD_REPLACE,
"schemaUpgradeInProgress")
self.ldb.modify(m)
- # Add a couple of ms-Exch-Configuration-Container to test forward-link
- # attributes without backward link (addressBookRoots2)
- # e1
- # |--> e2
- # | |--> c1
- self.ldb.add({
- "dn": "cn=e1,%s" % self.ou,
- "objectclass": "msExchConfigurationContainer"})
- self.ldb.add({
- "dn": "cn=e2,%s" % self.ou,
- "objectclass": "msExchConfigurationContainer"})
-
- m = Message()
- m.dn = Dn(self.ldb, "cn=e2,%s" % self.ou)
- m["e1"] = MessageElement("cn=c1,%s" % self.ou_computers,
- FLAG_MOD_ADD, "addressBookRoots2")
- self.ldb.modify(m)
-
- m = Message()
- m.dn = Dn(self.ldb, "cn=e1,%s" % self.ou)
- m["e1"] = MessageElement("cn=e2,%s" % self.ou,
- FLAG_MOD_ADD, "addressBookRoots2")
- self.ldb.modify(m)
-
- def tearDown(self):
- super(MatchRulesTests, self).tearDown()
- self.ldb.delete(self.ou, controls=['tree_delete:0'])
def test_u1_member_of_g4(self):
# Search without transitive match must return 0 results
@@ -945,8 +964,12 @@ class MatchRulesTests(samba.tests.TestCase):
class MatchRuleConditionTests(samba.tests.TestCase):
def setUp(self):
super(MatchRuleConditionTests, self).setUp()
- self.lp = lp
- self.ldb = SamDB(host, credentials=creds,
session_info=system_session(lp), lp=lp)
+ self.lp = sambaopts.get_loadparm()
+ self.creds = credopts.get_credentials(self.lp)
+
+ self.ldb = SamDB(host, credentials=self.creds,
+ session_info=system_session(self.lp),
+ lp=self.lp)
self.base_dn = self.ldb.domain_dn()
self.ou = "OU=matchruleconditiontests,%s" % self.base_dn
self.ou_users = "OU=users,%s" % self.ou
@@ -1745,32 +1768,30 @@ class MatchRuleConditionTests(samba.tests.TestCase):
self.ou_groups, self.ou_computers))
self.assertEqual(len(res1), 0)
+if __name__ == "__main__":
-parser = optparse.OptionParser("match_rules.py [options] <host>")
-sambaopts = options.SambaOptions(parser)
-parser.add_option_group(sambaopts)
-parser.add_option_group(options.VersionOptions(parser))
-
-# use command line creds if available
-credopts = options.CredentialsOptions(parser)
-parser.add_option_group(credopts)
-opts, args = parser.parse_args()
-subunitopts = SubunitOptions(parser)
-parser.add_option_group(subunitopts)
+ parser = optparse.OptionParser("match_rules.py [options] <host>")
+ sambaopts = options.SambaOptions(parser)
+ parser.add_option_group(sambaopts)
+ parser.add_option_group(options.VersionOptions(parser))
-if len(args) < 1:
- parser.print_usage()
- sys.exit(1)
+ # use command line creds if available
+ credopts = options.CredentialsOptions(parser)
+ parser.add_option_group(credopts)
+ opts, args = parser.parse_args()
+ subunitopts = SubunitOptions(parser)
+ parser.add_option_group(subunitopts)
-host = args[0]
+ if len(args) < 1:
+ parser.print_usage()
+ sys.exit(1)
-lp = sambaopts.get_loadparm()
-creds = credopts.get_credentials(lp)
+ host = args[0]
-if "://" not in host:
- if os.path.isfile(host):
- host = "tdb://%s" % host
- else:
- host = "ldap://%s"; % host
+ if "://" not in host:
+ if os.path.isfile(host):
+ host = "tdb://%s" % host
+ else:
+ host = "ldap://%s"; % host
-TestProgram(module=__name__, opts=subunitopts)
+ TestProgram(module=__name__, opts=subunitopts)
diff --git a/lib/ldb-samba/tests/match_rules_remote.py
b/lib/ldb-samba/tests/match_rules_remote.py
new file mode 100755
index 00000000000..122231f2a60
--- /dev/null
+++ b/lib/ldb-samba/tests/match_rules_remote.py
@@ -0,0 +1,104 @@
+#!/usr/bin/env python3
+
+import optparse
+import sys
+import os
+import samba
+import samba.getopt as options
+
+from samba.tests.subunitrun import SubunitOptions, TestProgram
+
+from samba.samdb import SamDB
+from samba.auth import system_session
+from samba import sd_utils
+from samba.ndr import ndr_unpack
+from ldb import Message, MessageElement, Dn, LdbError
+from ldb import FLAG_MOD_ADD, FLAG_MOD_REPLACE, FLAG_MOD_DELETE
+from ldb import SCOPE_BASE, SCOPE_SUBTREE, SCOPE_ONELEVEL
+
+from match_rules import MatchRulesTestsBase
+
+
+class MatchRulesTestsUser(MatchRulesTestsBase):
+ def setUp(self):
+ self.sambaopts = sambaopts
+ self.credopts = credopts
+ self.host = host
+ super().setUp()
+ self.sd_utils = sd_utils.SDUtils(self.ldb)
+
+ self.user_pass = "samba123@"
+ self.match_test_user = "matchtestuser"
+ self.ldb.newuser(self.match_test_user,
+ self.user_pass,
+ userou=self.ou_rdn)
+ user_creds = self.insta_creds(template=self.creds,
+ username=self.match_test_user,
+ userpass=self.user_pass)
+ self.user_ldb = SamDB(host, credentials=user_creds, lp=self.lp)
+ token_res = self.user_ldb.search(scope=SCOPE_BASE,
+ base="",
+ attrs=["tokenGroups"])
+ self.user_sid = ndr_unpack(samba.dcerpc.security.dom_sid,
+ token_res[0]["tokenGroups"][0])
+
+ self.member_attr_guid = "bf9679c0-0de6-11d0-a285-00aa003049e2"
+
+ def test_with_denied_link(self):
+
+ # add an ACE that denies the user Read Property (RP) access to
+ # the member attr (which is similar to making the attribute
+ # confidential)
+ ace = "(OD;;RP;{0};;{1})".format(self.member_attr_guid,
+ self.user_sid)
+ g2_dn = Dn(self.ldb, "CN=g2,%s" % self.ou_groups)
+
+ # add the ACE that denies access to the attr under test
+ self.sd_utils.dacl_add_ace(g2_dn, ace)
+
+ # Search without transitive match must return 0 results
+ res1 = self.ldb.search("cn=g4,%s" % self.ou_groups,
+ scope=SCOPE_BASE,
+ expression="member=cn=u1,%s" % self.ou_users)
+ self.assertEqual(len(res1), 0)
+
+ # Search with transitive match must return 1 results
+ res1 = self.ldb.search("cn=g4,%s" % self.ou_groups,
+ scope=SCOPE_BASE,
+
expression="member:1.2.840.113556.1.4.1941:=cn=u1,%s" % self.ou_users)
+ self.assertEqual(len(res1), 1)
+ self.assertEqual(str(res1[0].dn).lower(), ("CN=g4,%s" %
self.ou_groups).lower())
+
+ # Search as a user match must return 0 results as the intermediate
link can't be seen
+ res1 = self.user_ldb.search("cn=g4,%s" % self.ou_groups,
+ scope=SCOPE_BASE,
+
expression="member:1.2.840.113556.1.4.1941:=cn=u1,%s" % self.ou_users)
+ self.assertEqual(len(res1), 0)
+
+
+
+parser = optparse.OptionParser("match_rules_remote.py [options] <host>")
+sambaopts = options.SambaOptions(parser)
+parser.add_option_group(sambaopts)
+parser.add_option_group(options.VersionOptions(parser))
+
+# use command line creds if available
+credopts = options.CredentialsOptions(parser)
+parser.add_option_group(credopts)
+opts, args = parser.parse_args()
+subunitopts = SubunitOptions(parser)
+parser.add_option_group(subunitopts)
+
+if len(args) < 1:
+ parser.print_usage()
+ sys.exit(1)
+
+host = args[0]
+
+if "://" not in host:
+ if os.path.isfile(host):
+ host = "tdb://%s" % host
+ else:
+ host = "ldap://%s"; % host
+
+TestProgram(module=__name__, opts=subunitopts)
diff --git a/lib/ldb/ABI/ldb-2.5.2.sigs b/lib/ldb/ABI/ldb-2.5.3.sigs
similarity index 97%
copy from lib/ldb/ABI/ldb-2.5.2.sigs
copy to lib/ldb/ABI/ldb-2.5.3.sigs
index 40388d9e330..b4c5e20e8c7 100644
--- a/lib/ldb/ABI/ldb-2.5.2.sigs
+++ b/lib/ldb/ABI/ldb-2.5.3.sigs
@@ -86,6 +86,7 @@ ldb_errstring: const char *(struct ldb_context *)
ldb_extended: int (struct ldb_context *, const char *, void *, struct
ldb_result **)
ldb_extended_default_callback: int (struct ldb_request *, struct ldb_reply *)
ldb_filter_attrs: int (struct ldb_context *, const struct ldb_message *, const
char * const *, struct ldb_message *)
+ldb_filter_attrs_in_place: int (struct ldb_message *, const char * const *)
ldb_filter_from_tree: char *(TALLOC_CTX *, const struct ldb_parse_tree *)
ldb_get_config_basedn: struct ldb_dn *(struct ldb_context *)
ldb_get_create_perms: unsigned int (struct ldb_context *)
@@ -125,6 +126,7 @@ ldb_match_message: int (struct ldb_context *, const struct
ldb_message *, const
ldb_match_msg: int (struct ldb_context *, const struct ldb_message *, const
struct ldb_parse_tree *, struct ldb_dn *, enum ldb_scope)
ldb_match_msg_error: int (struct ldb_context *, const struct ldb_message *,
const struct ldb_parse_tree *, struct ldb_dn *, enum ldb_scope, bool *)
ldb_match_msg_objectclass: int (const struct ldb_message *, const char *)
+ldb_match_scope: int (struct ldb_context *, struct ldb_dn *, struct ldb_dn *,
enum ldb_scope)
ldb_mod_register_control: int (struct ldb_module *, const char *)
ldb_modify: int (struct ldb_context *, const struct ldb_message *)
ldb_modify_default_callback: int (struct ldb_request *, struct ldb_reply *)
@@ -149,6 +151,7 @@ ldb_modules_hook: int (struct ldb_context *, enum
ldb_module_hook_type)
ldb_modules_list_from_string: const char **(struct ldb_context *, TALLOC_CTX
*, const char *)
ldb_modules_load: int (const char *, const char *)
--
Samba Shared Repository
