The branch, v4-17-stable has been updated
via 2761e60b563 VERSION: Disable GIT_SNAPSHOT for the 4.17.7 release.
via 68bdc867b87 WHATSNEW: Add release notes for Samba 4.17.7.
via 04e5a7eb03a CVE-2023-0922 set default ldap client sasl wrapping to
seal
via 888c6ae8177 CVE-2023-0225 s4-acl: Don't return early if dNSHostName
element has no values
via 54691236fc8 CVE-2023-0225 pytest/acl: test deleting dNSHostName as
unprivileged user
via 307b2e65d51 CVE-2023-0225 CVE-2020-25720 pydsdb: Add dsHeuristics
constant definitions
via b7af8aa2552 CVE-2023-0225 CVE-2020-25720 s4/dsdb/util: Add
functions for dsHeuristics 28, 29
via 6b92716e7f8 CVE-2023-0614 ldb: Release LDB 2.6.2
via 0313aa744f1 CVE-2023-0614 lib/ldb-samba Ensure ACLs are evaluated
on SAMBA_LDAP_MATCH_RULE_TRANSITIVE_EVAL / LDAP_MATCHING_RULE_IN_CHAIN
via f17179189c6 CVE-2023-0614 lib/ldb-samba: Add test for
SAMBA_LDAP_MATCH_RULE_TRANSITIVE_EVAL / LDAP_MATCHING_RULE_IN_CHAIN with and
ACL hidden attributes
via eaeb3dc461f CVE-2023-0614 dsdb: Add pre-cleanup and
self.addCleanup() of OU created in match_rules tests
via 07fffb3e906 CVE-2023-0614 dsdb: Add DSDB_MARK_REQ_UNTRUSTED
via d148a7dd88d CVE-2023-0614 s4-dsdb: Treat confidential attributes as
unindexed
via e08188bb984 CVE-2023-0614 ldb: Filter on search base before
redacting message
via b98f8c1af77 CVE-2023-0614 ldb: Centralise checking for inaccessible
matches
via bd69d5e9626 CVE-2023-0614 ldb: Use binary search to check whether
attribute is secret
via 8811e67cb2e CVE-2023-0614 s4-acl: Avoid calling
dsdb_module_am_system() if we can help it
via c1921f5ae08 CVE-2023-0614 ldb: Prevent disclosure of confidential
attributes
via 2e3ed6cfd24 CVE-2023-0614 s4-acl: Split out function to set up
access checking variables
via 1ef01830573 CVE-2023-0614 s4-dsdb: Add samdb_result_dom_sid_buf()
via bfab55ebb69 CVE-2023-0614 s4-acl: Split out logic to remove access
checking attributes
via 64604c41c19 CVE-2023-0614 ldb: Add ldb_parse_tree_get_attr()
via efd1cfab96f CVE-2023-0614 tests/krb5: Add test for confidential
attributes timing differences
via a45fc44c39c CVE-2023-0614 schema_samba4.ldif: Allocate previously
added OID
via 65249df5259 schema_samba4.ldif: Allocate previously added OIDs
via d9a20068a3d CVE-2023-0614 s4:dsdb:tests: Fix <GUID={}> search in
confidential attributes test
via 2ea5bbc269e CVE-2023-0614 s4:dsdb/extended_dn_in: Don't modify a
search tree we don't own
via 78a7f247dba CVE-2023-0614 ldb: Make use of
ldb_filter_attrs_in_place()
via 4ed84d8fabe CVE-2023-0614 ldb: Make ldb_filter_attrs_in_place()
work in place
via ec3737404e6 CVE-2023-0614 ldb: Add function to filter message in
place
via ddf1ed69d8f CVE-2023-0614 ldb: Add function to add
distinguishedName to message
via d97e92efafc CVE-2023-0614 ldb: Add function to remove excess
capacity from an ldb message
via 43746e79f67 CVE-2023-0614 ldb: Add function to take ownership of an
ldb message
via b4f3aa03e2f CVE-2023-0614 ldb:tests: Ensure all tests are accounted
for
via 132028692f3 CVE-2023-0614 ldb:tests: Ensure ldb_val data is
zero-terminated
via 188e9887210 CVE-2023-0614 s4-acl: Use ldb functions for handling
inaccessible message elements
via cbf8f1c2eb8 CVE-2023-0614 ldb: Add functions for handling
inaccessible message elements
via 7f98e3abdc4 CVE-2023-0614 s4-acl: Make some parameters const
via 9c8bbbf3b57 CVE-2023-0614 s4:dsdb: Use talloc_get_type_abort() more
consistently
via 50a678be1a6 CVE-2023-0614 libcli/security: Make some parameters
const
via a8c573012f5 CVE-2023-0614 dsdb: Alter timeout test in large_ldap.py
to be slower by matching on large objects
via a91fc6e9f1d CVE-2023-0614 selftest: Use setUpClass() to reduce
"make test TESTS=large_ldap" time
via eb20778b5e6 CVE-2023-0614 lib/ldb: Avoid allocation and memcpy()
for every wildcard match candidate
via 1b775335f57 VERSION: Bump version up to Samba 4.17.7...
from 46e771776b2 VERSION: Disable GIT_SNAPSHOT for the 4.17.6 release.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-17-stable
- Log -----------------------------------------------------------------
commit 2761e60b563891ab2a382d519b3884f31f6f541d
Author: Jule Anger <jan...@samba.org>
Date: Wed Mar 22 10:17:18 2023 +0100
VERSION: Disable GIT_SNAPSHOT for the 4.17.7 release.
Signed-off-by: Jule Anger <jan...@samba.org>
commit 68bdc867b873bce8187aeb3990b95c08a507abda
Author: Jule Anger <jan...@samba.org>
Date: Wed Mar 22 10:13:09 2023 +0100
WHATSNEW: Add release notes for Samba 4.17.7.
Signed-off-by: Jule Anger <jan...@samba.org>
commit 04e5a7eb03a1e913f34d77b7b6c2353b41ef546a
Author: Rob van der Linde <r...@catalyst.net.nz>
Date: Mon Feb 27 14:06:23 2023 +1300
CVE-2023-0922 set default ldap client sasl wrapping to seal
This avoids sending new or reset passwords in the clear
(integrity protected only) from samba-tool in particular.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15315
Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abart...@samba.org>
Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>
commit 888c6ae8177d87e408722f67cc03359ae2533402
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Mon Jan 9 11:22:34 2023 +1300
CVE-2023-0225 s4-acl: Don't return early if dNSHostName element has no
values
This early return would mistakenly allow an unprivileged user to delete
the dNSHostName attribute by making an LDAP modify request with no
values. We should no longer allow this.
Add or replace operations with no values and no privileges are
disallowed.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15276
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit 54691236fc80a932f2069eef0aa21d6818445503
Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
Date: Wed Jan 4 21:37:49 2023 +1300
CVE-2023-0225 pytest/acl: test deleting dNSHostName as unprivileged user
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15276
Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
[abart...@samba.org The
self.set_heuristic(samba.dsdb.DS_HR_ATTR_AUTHZ_ON_LDAP_ADD, b'11')
in the test setUp() is unused in this test but is included as a
clean backport, so the fact that the server does not implement this
is unimportant]
commit 307b2e65d51903f6805460a2633ebe809d4052ab
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Tue Sep 6 19:23:13 2022 +1200
CVE-2023-0225 CVE-2020-25720 pydsdb: Add dsHeuristics constant definitions
We want to be able to use these values in Python tests.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14810
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15276
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
(cherry picked from commit cc709077822a39227174b91ed2345c2bd603f61f)
[abart...@samba.org This patch is needed for a clean backport of
CVE-2023-0225 as these constants are used in the acl_modify test
even when this behaviour is not itself used.]
commit b7af8aa2552e0690aac58fb98e3134b71f678ece
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Thu Apr 28 20:34:36 2022 +1200
CVE-2023-0225 CVE-2020-25720 s4/dsdb/util: Add functions for dsHeuristics
28, 29
These are the newly-added AttributeAuthorizationOnLDAPAdd and
BlockOwnerImplicitRights.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14810
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15276
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
(cherry picked from commit 0af5706b559e89c77123ed174b41fd3d01705aa5)
[abart...@samba.org This patch is needed for a clean backport of
CVE-2023-0225 as these constants are used in the acl_modify test
even when this behaviour is not itself used.]
commit 6b92716e7f89e22cedbf196b97a0203c54608e7a
Author: Andrew Bartlett <abart...@samba.org>
Date: Fri Mar 3 17:52:13 2023 +1300
CVE-2023-0614 ldb: Release LDB 2.6.2
* CVE-2023-0614 Not-secret but access controlled LDAP attributes can be
discovered (bug 15270)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Andrew Bartlett <abart...@samba.org>
Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>
[abart...@samba.org Adapted to LDB 2.6 series in Samba 4.17]
commit 0313aa744f12b70f7446ca3d104a8b5f5052bade
Author: Andrew Bartlett <abart...@samba.org>
Date: Thu Mar 2 17:24:15 2023 +1300
CVE-2023-0614 lib/ldb-samba Ensure ACLs are evaluated on
SAMBA_LDAP_MATCH_RULE_TRANSITIVE_EVAL / LDAP_MATCHING_RULE_IN_CHAIN
Setting the LDB_HANDLE_FLAG_UNTRUSTED tells the acl_read module to operate
on this request.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Andrew Bartlett <abart...@samba.org>
Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>
commit f17179189c6364c2b0e202e8b839c7879a2b747a
Author: Andrew Bartlett <abart...@samba.org>
Date: Thu Mar 2 16:51:25 2023 +1300
CVE-2023-0614 lib/ldb-samba: Add test for
SAMBA_LDAP_MATCH_RULE_TRANSITIVE_EVAL / LDAP_MATCHING_RULE_IN_CHAIN with and
ACL hidden attributes
The chain for transitive evaluation does consider ACLs, avoiding the
disclosure of
confidential information.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Andrew Bartlett <abart...@samba.org>
Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>
commit eaeb3dc461fe2913c3e7ff3db802d37dd7c699c8
Author: Andrew Bartlett <abart...@samba.org>
Date: Fri Mar 3 16:49:00 2023 +1300
CVE-2023-0614 dsdb: Add pre-cleanup and self.addCleanup() of OU created in
match_rules tests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Andrew Bartlett <abart...@samba.org>
Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>
commit 07fffb3e90621c47050929e3ca2232f5a222954e
Author: Andrew Bartlett <abart...@samba.org>
Date: Thu Mar 2 16:31:17 2023 +1300
CVE-2023-0614 dsdb: Add DSDB_MARK_REQ_UNTRUSTED
This will allow our dsdb helper search functions to mark the new
request as untrusted, forcing read ACL evaluation (per current behaviour).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Andrew Bartlett <abart...@samba.org>
Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>
commit d148a7dd88d4bcc596225be2795fc969284dfd08
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Fri Feb 24 10:03:25 2023 +1300
CVE-2023-0614 s4-dsdb: Treat confidential attributes as unindexed
In the unlikely case that someone adds a confidential indexed attribute
to the schema, LDAP search expressions on that attribute could disclose
information via timing differences. Let's not use the index for searches
on confidential attributes.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit e08188bb9847b4c34d62f7c812d58b07105f5756
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Fri Mar 3 17:35:55 2023 +1300
CVE-2023-0614 ldb: Filter on search base before redacting message
Redaction may be expensive if we end up needing to fetch a security
descriptor to verify rights to an attribute. Checking the search scope
is probably cheaper, so do that first.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit b98f8c1af7770b49a447fdcc67ea64d98454955f
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Tue Feb 14 13:17:24 2023 +1300
CVE-2023-0614 ldb: Centralise checking for inaccessible matches
This makes it less likely that we forget to handle a case.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit bd69d5e962674f4921887ac551e28c9b4c71feae
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Thu Feb 16 12:35:34 2023 +1300
CVE-2023-0614 ldb: Use binary search to check whether attribute is secret
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit 8811e67cb2e9046f0654f5be53e95fa0a4d1af73
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Mon Feb 27 13:31:44 2023 +1300
CVE-2023-0614 s4-acl: Avoid calling dsdb_module_am_system() if we can help
it
If the AS_SYSTEM control is present, we know we have system privileges,
and have no need to call dsdb_module_am_system().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit c1921f5ae0840c455ad18b2fa19839242bd8a3e8
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Fri Mar 3 17:34:29 2023 +1300
CVE-2023-0614 ldb: Prevent disclosure of confidential attributes
Add a hook, acl_redact_msg_for_filter(), in the aclread module, that
marks inaccessible any message elements used by an LDAP search filter
that the user has no right to access. Make the various ldb_match_*()
functions check whether message elements are accessible, and refuse to
match any that are not. Remaining message elements, not mentioned in the
search filter, are checked in aclread_callback(), and any inaccessible
elements are removed at this point.
Certain attributes, namely objectClass, distinguishedName, name, and
objectGUID, are always present, and hence the presence of said
attributes is always allowed to be checked in a search filter. This
corresponds with the behaviour of Windows.
Further, we unconditionally allow the attributes isDeleted and
isRecycled in a check for presence or equality. Windows is not known to
make this special exception, but it seems mostly harmless, and should
mitigate the performance impact on searches made by the show_deleted
module.
As a result of all these changes, our behaviour regarding confidential
attributes happens to match Windows more closely. For the test in
confidential_attr.py, we can now model our attribute handling with
DC_MODE_RETURN_ALL, which corresponds to the behaviour exhibited by
Windows.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Pair-Programmed-With: Andrew Bartlett <abart...@samba.org>
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abart...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
[abart...@samba.org adapted due to Samba 4.17 and lower
not having the patches for CVE-2020-25720]
commit 2e3ed6cfd24cb5f4d75d248cca1eb791c6c44250
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Mon Feb 27 13:55:36 2023 +1300
CVE-2023-0614 s4-acl: Split out function to set up access checking variables
These variables are often used together, and it is useful to have the
setup code in one place.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
[abart...@samba.org adapted to the use of
acl_check_access_on_attribute as
acl_check_access_on_attribute_implicit_owner is
only in Samba 4.18 and newer]
commit 1ef0183057348be265c986f1d212f512d08c59f0
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Mon Feb 27 12:19:08 2023 +1300
CVE-2023-0614 s4-dsdb: Add samdb_result_dom_sid_buf()
This function parses a SID from an ldb_message, similar to
samdb_result_dom_sid(), but does it without allocating anything.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit bfab55ebb69ba1d03c7caee627978513f2825202
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Mon Feb 27 13:40:33 2023 +1300
CVE-2023-0614 s4-acl: Split out logic to remove access checking attributes
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit 64604c41c19e03b6d7f4240894cb4c9ffd9b9406
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Fri Mar 3 17:31:54 2023 +1300
CVE-2023-0614 ldb: Add ldb_parse_tree_get_attr()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit efd1cfab96ff439a712897b945fe20ac8358f2c4
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Fri Jan 27 08:32:41 2023 +1300
CVE-2023-0614 tests/krb5: Add test for confidential attributes timing
differences
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit a45fc44c39c8d956c03ef4acaaceee6c3523556a
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Tue Feb 7 09:25:48 2023 +1300
CVE-2023-0614 schema_samba4.ldif: Allocate previously added OID
DSDB_CONTROL_CALCULATED_DEFAULT_SD_OID was added in commit
08187833fee57a8dba6c67546dfca516cd1f9d7a.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit 65249df5259d5f17d040ca92a1ac2585621e7c29
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Thu Aug 25 20:15:33 2022 +1200
schema_samba4.ldif: Allocate previously added OIDs
DSDB_CONTROL_FORCE_ALLOW_VALIDATED_DNS_HOSTNAME_SPN_WRITE_OID was added
to source4/dsdb/samdb/samdb.h in commit
c2ab1f4696fa3f52918a126d0b37993a07f68bcb.
DSDB_EXTENDED_SCHEMA_LOAD was added in commit
1fd4cdfafaa6a41c824d1b3d76635bf3e446de0f.
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <me...@samba.org>
(cherry picked from commit 672ec6135f9ae3d7b5439523a4f456c19fb03a88)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
[abart...@samba.org This required as context for the above bug]
commit d9a20068a3dd9905763c5f5991eb8e555da94605
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Tue Feb 7 09:48:37 2023 +1300
CVE-2023-0614 s4:dsdb:tests: Fix <GUID={}> search in confidential
attributes test
The object returned by schema_format_value() is a bytes object.
Therefore the search expression would resemble:
(lastKnownParent=<GUID=b'00000000-0000-0000-0000-000000000000'>)
which, due to the extra characters, would fail to match anything.
Fix it to be:
(lastKnownParent=<GUID=00000000-0000-0000-0000-000000000000>)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit 2ea5bbc269e3d7796247ccf428e082f383d51ec8
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Tue Feb 7 09:35:24 2023 +1300
CVE-2023-0614 s4:dsdb/extended_dn_in: Don't modify a search tree we don't
own
In extended_dn_fix_filter() we had:
req->op.search.tree = ldb_parse_tree_copy_shallow(req,
req->op.search.tree);
which overwrote the parse tree on an existing ldb request with a fixed
up tree. This became a problem if a module performed another search with
that same request structure, as extended_dn_in would try to fix up the
already-modified tree for a second time. The fixed-up tree element now
having an extended DN, it would fall foul of the ldb_dn_match_allowed()
check in extended_dn_filter_callback(), and be replaced with an
ALWAYS_FALSE match rule. In practice this meant that <GUID={}> searches
would only work for one search in an ldb request, and fail for
subsequent ones.
Fix this by creating a new request with the modified tree, and leaving
the original request unmodified.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit 78a7f247dba26ddeffe7a388108cf6c9618d437e
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Mon Feb 27 10:31:52 2023 +1300
CVE-2023-0614 ldb: Make use of ldb_filter_attrs_in_place()
Change all uses of ldb_kv_filter_attrs() to use
ldb_filter_attrs_in_place() instead. This function does less work than
its predecessor, and no longer requires the allocation of a second ldb
message. Some of the work is able to be split out into separate
functions that each accomplish a single task, with a purpose to make the
code clearer.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit 4ed84d8fabee352fbe542849b01e83f486389a0a
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Fri Mar 3 17:30:19 2023 +1300
CVE-2023-0614 ldb: Make ldb_filter_attrs_in_place() work in place
ldb_filter_attrs() previously did too much. Now its replacement,
ldb_filter_attrs_in_place(), only does the actual filtering, while
taking ownership of each element's values is handled in a separate
function, ldb_msg_elements_take_ownership().
Also, ldb_filter_attrs_in_place() no longer adds the distinguishedName
to the message if it is missing. That is handled in another function,
ldb_msg_add_distinguished_name().
As we're now modifying the original message rather than copying it into
a new one, we no longer need the filtered_msg parameter.
We adapt a test, based on ldb_filter_attrs_test, to exercise the new
function.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit ec3737404e6aa9ee79fd27fd2eeba0d840fc624c
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Fri Mar 3 17:29:03 2023 +1300
CVE-2023-0614 ldb: Add function to filter message in place
At present this function is an exact duplicate of ldb_filter_attrs(),
but in the next commit we shall modify it to work in place, without the
need for the allocation of a second message.
The test is a near duplicate of the existing test for
ldb_filter_attrs().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit ddf1ed69d8fd56b929e5d8d41fdbe513849c30f5
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Fri Mar 3 17:27:38 2023 +1300
CVE-2023-0614 ldb: Add function to add distinguishedName to message
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
[abart...@samba.org Adapted to conflict from lack of new
ldb_ascii_toupper() in ldb_private.h]
commit d97e92efafc7a9dd6c9143c74178be3aa549dd19
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Fri Mar 3 17:26:04 2023 +1300
CVE-2023-0614 ldb: Add function to remove excess capacity from an ldb
message
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
[abart...@samba.org Adapted to conflict from lack of new
ldb_ascii_toupper() in ldb_private.h]
commit 43746e79f67a57d63f824d1b3b0c19b4117af6cb
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Fri Mar 3 17:23:42 2023 +1300
CVE-2023-0614 ldb: Add function to take ownership of an ldb message
Many places in Samba depend upon various components of an ldb message
being talloc allocated, and hence able to be used as talloc contexts.
The elements and values of an unpacked ldb message point to unowned data
inside the memory-mapped database, and this function ensures that such
messages have talloc ownership of said elements and values.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit b4f3aa03e2fdc89d50053e20723722b63c9ba7ec
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Wed Feb 15 14:08:57 2023 +1300
CVE-2023-0614 ldb:tests: Ensure all tests are accounted for
Add ldb_filter_attrs_test to the list of tests so that it actually gets
run.
Remove a duplicate ldb_msg_test that was accidentally added in commit
5ca90e758ade97fb5e335029c7a1768094e70564.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit 132028692f3bc491795e96dc6b1b440ed808ee2e
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Wed Feb 15 12:34:51 2023 +1300
CVE-2023-0614 ldb:tests: Ensure ldb_val data is zero-terminated
If the value of an ldb message element is not zero-terminated, calling
ldb_msg_find_attr_as_string() will cause the function to read off the
end of the buffer in an attempt to verify that the value is
zero-terminated. This can cause unexpected behaviour and make the test
randomly fail.
To avoid this, we must have a terminating null byte that is *not*
counted as part of the length, and so we must calculate the length with
strlen() rather than sizeof.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit 188e988721065cf16565820e7483067947bd40a6
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Fri Jan 27 08:29:33 2023 +1300
CVE-2023-0614 s4-acl: Use ldb functions for handling inaccessible message
elements
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit cbf8f1c2eb80123736ac4f356171639a0754fda4
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Fri Jan 27 08:28:36 2023 +1300
CVE-2023-0614 ldb: Add functions for handling inaccessible message elements
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit 7f98e3abdc48195e1ab1b56222d7beae4aa2a215
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Fri Jan 27 08:00:32 2023 +1300
CVE-2023-0614 s4-acl: Make some parameters const
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
[abart...@samba.org Adapted to code without newer
acl_check_access_on_attribute_implicit_owner name]
commit 9c8bbbf3b57319ccf14df76d43096a453e1ebedb
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Tue Feb 7 09:29:51 2023 +1300
CVE-2023-0614 s4:dsdb: Use talloc_get_type_abort() more consistently
It is better to explicitly abort than to dereference a NULL pointer or
try to read data cast to the wrong type.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit 50a678be1a655dfc08d7bc0f74487b14e79cb0d3
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Fri Jan 27 07:57:27 2023 +1300
CVE-2023-0614 libcli/security: Make some parameters const
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
[abart...@samba.org Updated to add const to sec_access_check_ds()
instead of the sec_access_check_ds_implicit_owner() wrapper
found in 4.18 and later]
commit a8c573012f54e74e86deec6ac2bd84e2450dad03
Author: Andrew Bartlett <abart...@samba.org>
Date: Fri Mar 3 10:31:40 2023 +1300
CVE-2023-0614 dsdb: Alter timeout test in large_ldap.py to be slower by
matching on large objects
This changes the slow aspect to be the object matching not the filter
parsing.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Andrew Bartlett <abart...@samba.org>
Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>
commit a91fc6e9f1def8bed920efba9c1bd1f4713eb3ca
Author: Andrew Bartlett <abart...@samba.org>
Date: Mon Mar 13 17:20:00 2023 +1300
CVE-2023-0614 selftest: Use setUpClass() to reduce "make test
TESTS=large_ldap" time
This reduces the elapsed time to 6m from 20m on my laptop.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15332
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Andrew Bartlett <abart...@samba.org>
Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
Autobuild-Date(master): Tue Mar 14 07:16:04 UTC 2023 on atb-devel-224
(cherry picked from commit b4a6c054ec6acefacd22cb7230a783d20cb07c05)
[abart...@samba.org Included in the security release as this
makes working on the large_ldap test practical by reducing
the elapsed time taken]
commit eb20778b5e66c4e011c9c264ddb8d29180fe6e89
Author: Andrew Bartlett <abart...@samba.org>
Date: Mon Mar 13 14:25:56 2023 +1300
CVE-2023-0614 lib/ldb: Avoid allocation and memcpy() for every wildcard
match candidate
The value can be quite large, the allocation will take much
longer than the actual match and is repeated per candidate
record.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15331
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Andrew Bartlett <abart...@samba.org>
Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>
(cherry picked from commit cad96f59a08192df927fb1df4e9787c7f70991a2)
[abart...@samba.org Included in the security release as this
makes the new large_ldap.py timeout test more reliable]
-----------------------------------------------------------------------
Summary of changes:
VERSION | 2 +-
WHATSNEW.txt | 74 +-
.../smbdotconf/ldap/clientldapsaslwrapping.xml | 27 +-
lib/ldb-samba/ldb_matching_rules.c | 17 +-
lib/ldb-samba/tests/match_rules.py | 135 +--
lib/ldb-samba/tests/match_rules_remote.py | 104 ++
lib/ldb/ABI/{ldb-2.6.1.sigs => ldb-2.6.2.sigs} | 10 +
...pyldb-util-2.1.0.sigs => pyldb-util-2.6.2.sigs} | 0
lib/ldb/common/ldb_match.c | 111 ++-
lib/ldb/common/ldb_msg.c | 42 +
lib/ldb/common/ldb_pack.c | 105 +-
lib/ldb/common/ldb_parse.c | 25 +
lib/ldb/include/ldb_module.h | 31 +
lib/ldb/include/ldb_private.h | 21 +
lib/ldb/ldb_key_value/ldb_kv.h | 6 +-
lib/ldb/ldb_key_value/ldb_kv_index.c | 59 +-
lib/ldb/ldb_key_value/ldb_kv_search.c | 115 ++-
lib/ldb/tests/ldb_filter_attrs_in_place_test.c | 940 ++++++++++++++++++
lib/ldb/tests/ldb_filter_attrs_test.c | 171 ++--
lib/ldb/wscript | 13 +-
lib/param/loadparm.c | 2 +-
libcli/security/access_check.c | 10 +-
libcli/security/access_check.h | 2 +-
libds/common/flags.h | 2 +
python/samba/tests/auth_log.py | 2 +-
source3/param/loadparm.c | 2 +-
source4/dsdb/common/util.c | 24 +
source4/dsdb/common/util.h | 1 +
source4/dsdb/pydsdb.c | 30 +
source4/dsdb/samdb/ldb_modules/acl.c | 195 +---
source4/dsdb/samdb/ldb_modules/acl_read.c | 1015 +++++++++++++-------
source4/dsdb/samdb/ldb_modules/acl_util.c | 6 +-
source4/dsdb/samdb/ldb_modules/extended_dn_in.c | 50 +-
source4/dsdb/samdb/ldb_modules/linked_attributes.c | 2 +-
source4/dsdb/samdb/ldb_modules/password_hash.c | 2 +-
source4/dsdb/samdb/ldb_modules/util.c | 40 +
source4/dsdb/samdb/samdb.h | 2 +
source4/dsdb/schema/schema_description.c | 7 +
source4/dsdb/schema/schema_init.c | 11 +-
source4/dsdb/schema/schema_set.c | 9 +-
source4/dsdb/tests/python/acl_modify.py | 236 +++++
source4/dsdb/tests/python/confidential_attr.py | 180 +++-
source4/dsdb/tests/python/large_ldap.py | 85 +-
source4/selftest/tests.py | 2 +
source4/setup/schema_samba4.ldif | 4 +
source4/torture/ldb/ldb.c | 12 +-
46 files changed, 3092 insertions(+), 849 deletions(-)
create mode 100755 lib/ldb-samba/tests/match_rules_remote.py
copy lib/ldb/ABI/{ldb-2.6.1.sigs => ldb-2.6.2.sigs} (97%)
copy lib/ldb/ABI/{pyldb-util-2.1.0.sigs => pyldb-util-2.6.2.sigs} (100%)
create mode 100644 lib/ldb/tests/ldb_filter_attrs_in_place_test.c
create mode 100755 source4/dsdb/tests/python/acl_modify.py
Changeset truncated at 500 lines:
diff --git a/VERSION b/VERSION
index 16716ac7539..f1fe0a90b66 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
########################################################
SAMBA_VERSION_MAJOR=4
SAMBA_VERSION_MINOR=17
-SAMBA_VERSION_RELEASE=6
+SAMBA_VERSION_RELEASE=7
########################################################
# If a official release has a serious bug #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 865697ce109..694e29c45eb 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,74 @@
+ ==============================
+ Release Notes for Samba 4.17.7
+ March 29, 2023
+ ==============================
+
+
+This is a security release in order to address the following defects:
+
+o CVE-2023-0225: An incomplete access check on dnsHostName allows authenticated
+ but otherwise unprivileged users to delete this attribute from
+ any object in the directory.
+ https://www.samba.org/samba/security/CVE-2023-0225.html
+
+o CVE-2023-0922: The Samba AD DC administration tool, when operating against a
+ remote LDAP server, will by default send new or reset
+ passwords over a signed-only connection.
+ https://www.samba.org/samba/security/CVE-2023-0922.html
+
+o CVE-2023-0614: The fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for CVE-2018-10919
+ Confidential attribute disclosure via LDAP filters was
+ insufficient and an attacker may be able to obtain
+ confidential BitLocker recovery keys from a Samba AD DC.
+ Installations with such secrets in their Samba AD should
+ assume they have been obtained and need replacing.
+ https://www.samba.org/samba/security/CVE-2023-0614.html
+
+
+Changes since 4.17.6
+--------------------
+
+o Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
+ * BUG 15276: CVE-2023-0225.
+
+o Andrew Bartlett <abart...@samba.org>
+ * BUG 15270: CVE-2023-0614.
+ * BUG 15331: ldb wildcard matching makes excessive allocations.
+ * BUG 15332: large_ldap test is inefficient.
+
+o Rob van der Linde <r...@catalyst.net.nz>
+ * BUG 15315: CVE-2023-0922.
+
+o Joseph Sutton <josephsut...@catalyst.net.nz>
+ * BUG 14810: CVE-2020-25720 [SECURITY] Create Child permission should not
+ allow full write to all attributes (additional changes).
+ * BUG 15270: CVE-2023-0614.
+ * BUG 15276: CVE-2023-0225.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
==============================
Release Notes for Samba 4.17.6
March 09, 2023
@@ -58,8 +129,7 @@ database (https://bugzilla.samba.org/).
======================================================================
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
==============================
Release Notes for Samba 4.17.5
January 26, 2023
diff --git a/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml
b/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml
index 3152f0682dd..21bd2090057 100644
--- a/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml
+++ b/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml
@@ -18,25 +18,24 @@
</para>
<para>
- This option is needed in the case of Domain Controllers enforcing
- the usage of signed LDAP connections (e.g. Windows 2000 SP3 or higher).
- LDAP sign and seal can be controlled with the registry key
- "<literal>HKLM\System\CurrentControlSet\Services\</literal>
- <literal>NTDS\Parameters\LDAPServerIntegrity</literal>"
- on the Windows server side.
- </para>
+ This option is needed firstly to secure the privacy of
+ administrative connections from <command>samba-tool</command>,
+ including in particular new or reset passwords for users. For
+ this reason the default is <emphasis>seal</emphasis>.</para>
- <para>
- Depending on the used KRB5 library (MIT and older Heimdal versions)
- it is possible that the message "integrity only" is not supported.
- In this case, <emphasis>sign</emphasis> is just an alias for
- <emphasis>seal</emphasis>.
+ <para>Additionally, <command>winbindd</command> and the
+ <command>net</command> tool can use LDAP to communicate with
+ Domain Controllers, so this option also controls the level of
+ privacy for those connections. All supported AD DC versions
+ will enforce the usage of at least signed LDAP connections by
+ default, so a value of at least <emphasis>sign</emphasis> is
+ required in practice.
</para>
<para>
- The default value is <emphasis>sign</emphasis>. That implies
synchronizing the time
+ The default value is <emphasis>seal</emphasis>. That implies
synchronizing the time
with the KDC in the case of using <emphasis>Kerberos</emphasis>.
</para>
</description>
-<value type="default">sign</value>
+<value type="default">seal</value>
</samba:parameter>
diff --git a/lib/ldb-samba/ldb_matching_rules.c
b/lib/ldb-samba/ldb_matching_rules.c
index 827f3920ae8..59d1385f4e3 100644
--- a/lib/ldb-samba/ldb_matching_rules.c
+++ b/lib/ldb-samba/ldb_matching_rules.c
@@ -67,7 +67,12 @@ static int ldb_eval_transitive_filter_helper(TALLOC_CTX
*mem_ctx,
* Note also that we don't have the original request
* here, so we can not apply controls or timeouts here.
*/
- ret = dsdb_search_dn(ldb, tmp_ctx, &res, to_visit->dn, attrs, 0);
+ ret = dsdb_search_dn(ldb,
+ tmp_ctx,
+ &res,
+ to_visit->dn,
+ attrs,
+ DSDB_MARK_REQ_UNTRUSTED);
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
return ret;
@@ -370,6 +375,11 @@ static int dsdb_match_for_dns_to_tombstone_time(struct
ldb_context *ldb,
return LDB_SUCCESS;
}
+ if (ldb_msg_element_is_inaccessible(el)) {
+ *matched = false;
+ return LDB_SUCCESS;
+ }
+
session_info = talloc_get_type(ldb_get_opaque(ldb, "sessionInfo"),
struct auth_session_info);
if (session_info == NULL) {
@@ -489,6 +499,11 @@ static int dsdb_match_for_expunge(struct ldb_context *ldb,
return LDB_SUCCESS;
}
+ if (ldb_msg_element_is_inaccessible(el)) {
+ *matched = false;
+ return LDB_SUCCESS;
+ }
+
session_info
= talloc_get_type(ldb_get_opaque(ldb, DSDB_SESSION_INFO),
struct auth_session_info);
diff --git a/lib/ldb-samba/tests/match_rules.py
b/lib/ldb-samba/tests/match_rules.py
index abf485c9eab..2fe6c3e2264 100755
--- a/lib/ldb-samba/tests/match_rules.py
+++ b/lib/ldb-samba/tests/match_rules.py
@@ -20,22 +20,35 @@ from ldb import SCOPE_BASE, SCOPE_SUBTREE, SCOPE_ONELEVEL
# Windows appear to preserve casing of the RDN and uppercase the other keys.
-class MatchRulesTests(samba.tests.TestCase):
+class MatchRulesTestsBase(samba.tests.TestCase):
def setUp(self):
- super(MatchRulesTests, self).setUp()
- self.lp = lp
- self.ldb = SamDB(host, credentials=creds,
session_info=system_session(lp), lp=lp)
+ super().setUp()
+ self.lp = self.sambaopts.get_loadparm()
+ self.creds = self.credopts.get_credentials(self.lp)
+
+ self.ldb = SamDB(self.host, credentials=self.creds,
+ session_info=system_session(self.lp),
+ lp=self.lp)
self.base_dn = self.ldb.domain_dn()
- self.ou = "OU=matchrulestest,%s" % self.base_dn
+ self.ou_rdn = "OU=matchrulestest"
+ self.ou = self.ou_rdn + "," + self.base_dn
self.ou_users = "OU=users,%s" % self.ou
self.ou_groups = "OU=groups,%s" % self.ou
self.ou_computers = "OU=computers,%s" % self.ou
+ try:
+ self.ldb.delete(self.ou, ["tree_delete:1"])
+ except LdbError as e:
+ pass
+
# Add a organizational unit to create objects
self.ldb.add({
"dn": self.ou,
"objectclass": "organizationalUnit"})
+ self.addCleanup(self.ldb.delete, self.ou, controls=['tree_delete:0'])
+
+
# Add the following OU hierarchy and set otherWellKnownObjects,
# which has BinaryDN syntax:
#
@@ -204,6 +217,39 @@ class MatchRulesTests(samba.tests.TestCase):
FLAG_MOD_ADD, "member")
self.ldb.modify(m)
+ # Add a couple of ms-Exch-Configuration-Container to test forward-link
+ # attributes without backward link (addressBookRoots2)
+ # e1
+ # |--> e2
+ # | |--> c1
+ self.ldb.add({
+ "dn": "cn=e1,%s" % self.ou,
+ "objectclass": "msExchConfigurationContainer"})
+ self.ldb.add({
+ "dn": "cn=e2,%s" % self.ou,
+ "objectclass": "msExchConfigurationContainer"})
+
+ m = Message()
+ m.dn = Dn(self.ldb, "cn=e2,%s" % self.ou)
+ m["e1"] = MessageElement("cn=c1,%s" % self.ou_computers,
+ FLAG_MOD_ADD, "addressBookRoots2")
+ self.ldb.modify(m)
+
+ m = Message()
+ m.dn = Dn(self.ldb, "cn=e1,%s" % self.ou)
+ m["e1"] = MessageElement("cn=e2,%s" % self.ou,
+ FLAG_MOD_ADD, "addressBookRoots2")
+ self.ldb.modify(m)
+
+
+
+class MatchRulesTests(MatchRulesTestsBase):
+ def setUp(self):
+ self.sambaopts = sambaopts
+ self.credopts = credopts
+ self.host = host
+ super().setUp()
+
# The msDS-RevealedUsers is owned by system and cannot be modified
# directly. Set the schemaUpgradeInProgress flag as workaround
# and create this hierarchy:
@@ -243,33 +289,6 @@ class MatchRulesTests(samba.tests.TestCase):
m["e1"] = MessageElement("0", FLAG_MOD_REPLACE,
"schemaUpgradeInProgress")
self.ldb.modify(m)
- # Add a couple of ms-Exch-Configuration-Container to test forward-link
- # attributes without backward link (addressBookRoots2)
- # e1
- # |--> e2
- # | |--> c1
- self.ldb.add({
- "dn": "cn=e1,%s" % self.ou,
- "objectclass": "msExchConfigurationContainer"})
- self.ldb.add({
- "dn": "cn=e2,%s" % self.ou,
- "objectclass": "msExchConfigurationContainer"})
-
- m = Message()
- m.dn = Dn(self.ldb, "cn=e2,%s" % self.ou)
- m["e1"] = MessageElement("cn=c1,%s" % self.ou_computers,
- FLAG_MOD_ADD, "addressBookRoots2")
- self.ldb.modify(m)
-
- m = Message()
- m.dn = Dn(self.ldb, "cn=e1,%s" % self.ou)
- m["e1"] = MessageElement("cn=e2,%s" % self.ou,
- FLAG_MOD_ADD, "addressBookRoots2")
- self.ldb.modify(m)
-
- def tearDown(self):
- super(MatchRulesTests, self).tearDown()
- self.ldb.delete(self.ou, controls=['tree_delete:0'])
def test_u1_member_of_g4(self):
# Search without transitive match must return 0 results
@@ -945,8 +964,12 @@ class MatchRulesTests(samba.tests.TestCase):
class MatchRuleConditionTests(samba.tests.TestCase):
def setUp(self):
super(MatchRuleConditionTests, self).setUp()
- self.lp = lp
- self.ldb = SamDB(host, credentials=creds,
session_info=system_session(lp), lp=lp)
+ self.lp = sambaopts.get_loadparm()
+ self.creds = credopts.get_credentials(self.lp)
+
+ self.ldb = SamDB(host, credentials=self.creds,
+ session_info=system_session(self.lp),
+ lp=self.lp)
self.base_dn = self.ldb.domain_dn()
self.ou = "OU=matchruleconditiontests,%s" % self.base_dn
self.ou_users = "OU=users,%s" % self.ou
@@ -1745,32 +1768,30 @@ class MatchRuleConditionTests(samba.tests.TestCase):
self.ou_groups, self.ou_computers))
self.assertEqual(len(res1), 0)
+if __name__ == "__main__":
-parser = optparse.OptionParser("match_rules.py [options] <host>")
-sambaopts = options.SambaOptions(parser)
-parser.add_option_group(sambaopts)
-parser.add_option_group(options.VersionOptions(parser))
-
-# use command line creds if available
-credopts = options.CredentialsOptions(parser)
-parser.add_option_group(credopts)
-opts, args = parser.parse_args()
-subunitopts = SubunitOptions(parser)
-parser.add_option_group(subunitopts)
+ parser = optparse.OptionParser("match_rules.py [options] <host>")
+ sambaopts = options.SambaOptions(parser)
+ parser.add_option_group(sambaopts)
+ parser.add_option_group(options.VersionOptions(parser))
-if len(args) < 1:
- parser.print_usage()
- sys.exit(1)
+ # use command line creds if available
+ credopts = options.CredentialsOptions(parser)
+ parser.add_option_group(credopts)
+ opts, args = parser.parse_args()
+ subunitopts = SubunitOptions(parser)
+ parser.add_option_group(subunitopts)
-host = args[0]
+ if len(args) < 1:
+ parser.print_usage()
+ sys.exit(1)
-lp = sambaopts.get_loadparm()
-creds = credopts.get_credentials(lp)
+ host = args[0]
-if "://" not in host:
- if os.path.isfile(host):
- host = "tdb://%s" % host
- else:
- host = "ldap://%s"; % host
+ if "://" not in host:
+ if os.path.isfile(host):
+ host = "tdb://%s" % host
+ else:
+ host = "ldap://%s"; % host
-TestProgram(module=__name__, opts=subunitopts)
+ TestProgram(module=__name__, opts=subunitopts)
diff --git a/lib/ldb-samba/tests/match_rules_remote.py
b/lib/ldb-samba/tests/match_rules_remote.py
new file mode 100755
index 00000000000..122231f2a60
--- /dev/null
+++ b/lib/ldb-samba/tests/match_rules_remote.py
@@ -0,0 +1,104 @@
+#!/usr/bin/env python3
+
+import optparse
+import sys
+import os
+import samba
+import samba.getopt as options
+
+from samba.tests.subunitrun import SubunitOptions, TestProgram
+
+from samba.samdb import SamDB
+from samba.auth import system_session
+from samba import sd_utils
+from samba.ndr import ndr_unpack
+from ldb import Message, MessageElement, Dn, LdbError
+from ldb import FLAG_MOD_ADD, FLAG_MOD_REPLACE, FLAG_MOD_DELETE
+from ldb import SCOPE_BASE, SCOPE_SUBTREE, SCOPE_ONELEVEL
+
+from match_rules import MatchRulesTestsBase
+
+
+class MatchRulesTestsUser(MatchRulesTestsBase):
+ def setUp(self):
+ self.sambaopts = sambaopts
+ self.credopts = credopts
+ self.host = host
+ super().setUp()
+ self.sd_utils = sd_utils.SDUtils(self.ldb)
+
+ self.user_pass = "samba123@"
+ self.match_test_user = "matchtestuser"
+ self.ldb.newuser(self.match_test_user,
+ self.user_pass,
+ userou=self.ou_rdn)
+ user_creds = self.insta_creds(template=self.creds,
+ username=self.match_test_user,
+ userpass=self.user_pass)
+ self.user_ldb = SamDB(host, credentials=user_creds, lp=self.lp)
+ token_res = self.user_ldb.search(scope=SCOPE_BASE,
+ base="",
+ attrs=["tokenGroups"])
+ self.user_sid = ndr_unpack(samba.dcerpc.security.dom_sid,
+ token_res[0]["tokenGroups"][0])
+
+ self.member_attr_guid = "bf9679c0-0de6-11d0-a285-00aa003049e2"
+
+ def test_with_denied_link(self):
+
+ # add an ACE that denies the user Read Property (RP) access to
+ # the member attr (which is similar to making the attribute
+ # confidential)
+ ace = "(OD;;RP;{0};;{1})".format(self.member_attr_guid,
+ self.user_sid)
+ g2_dn = Dn(self.ldb, "CN=g2,%s" % self.ou_groups)
+
+ # add the ACE that denies access to the attr under test
+ self.sd_utils.dacl_add_ace(g2_dn, ace)
+
+ # Search without transitive match must return 0 results
+ res1 = self.ldb.search("cn=g4,%s" % self.ou_groups,
+ scope=SCOPE_BASE,
+ expression="member=cn=u1,%s" % self.ou_users)
+ self.assertEqual(len(res1), 0)
+
+ # Search with transitive match must return 1 results
+ res1 = self.ldb.search("cn=g4,%s" % self.ou_groups,
+ scope=SCOPE_BASE,
+
expression="member:1.2.840.113556.1.4.1941:=cn=u1,%s" % self.ou_users)
+ self.assertEqual(len(res1), 1)
+ self.assertEqual(str(res1[0].dn).lower(), ("CN=g4,%s" %
self.ou_groups).lower())
+
+ # Search as a user match must return 0 results as the intermediate
link can't be seen
+ res1 = self.user_ldb.search("cn=g4,%s" % self.ou_groups,
+ scope=SCOPE_BASE,
+
expression="member:1.2.840.113556.1.4.1941:=cn=u1,%s" % self.ou_users)
+ self.assertEqual(len(res1), 0)
+
+
+
+parser = optparse.OptionParser("match_rules_remote.py [options] <host>")
+sambaopts = options.SambaOptions(parser)
+parser.add_option_group(sambaopts)
+parser.add_option_group(options.VersionOptions(parser))
+
+# use command line creds if available
+credopts = options.CredentialsOptions(parser)
+parser.add_option_group(credopts)
+opts, args = parser.parse_args()
+subunitopts = SubunitOptions(parser)
+parser.add_option_group(subunitopts)
+
+if len(args) < 1:
+ parser.print_usage()
+ sys.exit(1)
+
+host = args[0]
+
+if "://" not in host:
+ if os.path.isfile(host):
+ host = "tdb://%s" % host
+ else:
+ host = "ldap://%s"; % host
+
+TestProgram(module=__name__, opts=subunitopts)
diff --git a/lib/ldb/ABI/ldb-2.6.1.sigs b/lib/ldb/ABI/ldb-2.6.2.sigs
similarity index 97%
copy from lib/ldb/ABI/ldb-2.6.1.sigs
copy to lib/ldb/ABI/ldb-2.6.2.sigs
index 40388d9e330..b4c5e20e8c7 100644
--- a/lib/ldb/ABI/ldb-2.6.1.sigs
+++ b/lib/ldb/ABI/ldb-2.6.2.sigs
@@ -86,6 +86,7 @@ ldb_errstring: const char *(struct ldb_context *)
ldb_extended: int (struct ldb_context *, const char *, void *, struct
ldb_result **)
ldb_extended_default_callback: int (struct ldb_request *, struct ldb_reply *)
ldb_filter_attrs: int (struct ldb_context *, const struct ldb_message *, const
char * const *, struct ldb_message *)
+ldb_filter_attrs_in_place: int (struct ldb_message *, const char * const *)
ldb_filter_from_tree: char *(TALLOC_CTX *, const struct ldb_parse_tree *)
ldb_get_config_basedn: struct ldb_dn *(struct ldb_context *)
ldb_get_create_perms: unsigned int (struct ldb_context *)
--
Samba Shared Repository
