The branch, v4-18-stable has been updated
       via  4b145ce26b6 VERSION: Disable GIT_SNAPSHOT for the 4.18.1 release.
       via  17b49ffd146 WHATSNEW: Add release notes for Samba 4.18.1.
       via  bb5aecbd102 CVE-2023-0922 set default ldap client sasl wrapping to seal
       via  003f6c16112 CVE-2023-0225 s4-acl: Don't return early if dNSHostName element has no values
       via  016687b3aae CVE-2023-0225 pytest/acl: test deleting dNSHostName as unprivileged user
       via  12617e0ec48 CVE-2023-0614 ldb: Release LDB 2.7.2
       via  0776ce5caed CVE-2023-0614 lib/ldb-samba Ensure ACLs are evaluated on SAMBA_LDAP_MATCH_RULE_TRANSITIVE_EVAL / LDAP_MATCHING_RULE_IN_CHAIN
       via  d564a5c8166 CVE-2023-0614 lib/ldb-samba: Add test for SAMBA_LDAP_MATCH_RULE_TRANSITIVE_EVAL / LDAP_MATCHING_RULE_IN_CHAIN with and ACL hidden attributes
       via  afad0829b16 CVE-2023-0614 dsdb: Add pre-cleanup and self.addCleanup() of OU created in match_rules tests
       via  7e69ecbdc3a CVE-2023-0614 dsdb: Add DSDB_MARK_REQ_UNTRUSTED
       via  ad4c2204112 CVE-2023-0614 s4-dsdb: Treat confidential attributes as unindexed
       via  7f37b4ce6b5 CVE-2023-0614 ldb: Filter on search base before redacting message
       via  358894675d1 CVE-2023-0614 ldb: Centralise checking for inaccessible matches
       via  b0168c2ed0c CVE-2023-0614 ldb: Use binary search to check whether attribute is secret
       via  e7065304bd0 CVE-2023-0614 s4-acl: Avoid calling dsdb_module_am_system() if we can help it
       via  e54fc56e238 CVE-2023-0614 ldb: Prevent disclosure of confidential attributes
       via  c1cb8021392 CVE-2023-0614 s4-acl: Split out function to set up access checking variables
       via  9c9a03d020a CVE-2023-0614 s4-dsdb: Add samdb_result_dom_sid_buf()
       via  db65f5f7628 CVE-2023-0614 s4-acl: Split out logic to remove access checking attributes
       via  2603728b14d CVE-2023-0614 ldb: Add ldb_parse_tree_get_attr()
       via  c23689e97a4 CVE-2023-0614 tests/krb5: Add test for confidential attributes timing differences
       via  f20992d7fc9 CVE-2023-0614 schema_samba4.ldif: Allocate previously added OID
       via  5c4086d51f5 CVE-2023-0614 s4:dsdb:tests: Fix <GUID={}> search in confidential attributes test
       via  5f6e01c029d CVE-2023-0614 s4:dsdb/extended_dn_in: Don't modify a search tree we don't own
       via  7689a2caeb4 CVE-2023-0614 ldb: Make use of ldb_filter_attrs_in_place()
       via  4b956377c66 CVE-2023-0614 ldb: Make ldb_filter_attrs_in_place() work in place
       via  feb7ef495c8 CVE-2023-0614 ldb: Add function to filter message in place
       via  d2244ec1d3e CVE-2023-0614 ldb: Add function to add distinguishedName to message
       via  15723d6ff5e CVE-2023-0614 ldb: Add function to remove excess capacity from an ldb message
       via  78a7b155cc2 CVE-2023-0614 ldb: Add function to take ownership of an ldb message
       via  ba135dceead CVE-2023-0614 ldb:tests: Ensure all tests are accounted for
       via  04de06f18fe CVE-2023-0614 ldb:tests: Ensure ldb_val data is zero-terminated
       via  9222e613f66 CVE-2023-0614 s4-acl: Use ldb functions for handling inaccessible message elements
       via  5a33688dda2 CVE-2023-0614 ldb: Add functions for handling inaccessible message elements
       via  ce9b66c6642 CVE-2023-0614 s4-acl: Make some parameters const
       via  1b1f6dd4887 CVE-2023-0614 s4:dsdb: Use talloc_get_type_abort() more consistently
       via  88b5d9215c6 CVE-2023-0614 libcli/security: Make some parameters const
       via  90b5fddb826 CVE-2023-0614 dsdb: Alter timeout test in large_ldap.py to be slower by matching on large objects
       via  64da379aa95 CVE-2023-0614 selftest: Use setUpClass() to reduce "make test TESTS=large_ldap" time
       via  680b865f183 CVE-2023-0614 lib/ldb: Avoid allocation and memcpy() for every wildcard match candidate
       via  6bd15c87430 VERSION: Bump version up to Samba 4.18.1...
      from  a597a8767fa VERSION: Disable GIT_SNAPSHOT for the 4.18.0 release.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-18-stable


- Log -----------------------------------------------------------------
commit 4b145ce26b660af4145310d745d93f5126a48b9a
Author: Jule Anger <jan...@samba.org>
Date:   Wed Mar 22 10:12:43 2023 +0100

    VERSION: Disable GIT_SNAPSHOT for the 4.18.1 release.

    Signed-off-by: Jule Anger <jan...@samba.org>

commit 17b49ffd1465372a223b32c3342766cc677331db
Author: Jule Anger <jan...@samba.org>
Date:   Wed Mar 22 10:09:57 2023 +0100

    WHATSNEW: Add release notes for Samba 4.18.1.

    Signed-off-by: Jule Anger <jan...@samba.org>

commit bb5aecbd10265904156510d5dfc2f97bad442267
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Mon Feb 27 14:06:23 2023 +1300

    CVE-2023-0922 set default ldap client sasl wrapping to seal

    This avoids sending new or reset passwords in the clear (integrity
    protected only) from samba-tool in particular.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15315

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit 003f6c16112a45af81ed59877d3b416a2f3847d9
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Jan 9 11:22:34 2023 +1300

    CVE-2023-0225 s4-acl: Don't return early if dNSHostName element has no values

    This early return would mistakenly allow an unprivileged user to delete
    the dNSHostName attribute by making an LDAP modify request with no
    values. We should no longer allow this. Add or replace operations with
    no values and no privileges are disallowed.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15276

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 016687b3aaea76abf4ae56523aa951547f806e38
Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
Date:   Wed Jan 4 21:37:49 2023 +1300

    CVE-2023-0225 pytest/acl: test deleting dNSHostName as unprivileged user

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15276

    Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 12617e0ec483d9308714e6e6f2f3ad8c69adeec6
Author: Andrew Bartlett <abart...@samba.org>
Date:   Fri Mar 3 17:52:13 2023 +1300

    CVE-2023-0614 ldb: Release LDB 2.7.2

    * CVE-2023-0614 Not-secret but access controlled LDAP attributes can be
      discovered (bug 15270)

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit 0776ce5caedf18aa8cc1d1dddb1a425f3d0c926c
Author: Andrew Bartlett <abart...@samba.org>
Date:   Thu Mar 2 17:24:15 2023 +1300

    CVE-2023-0614 lib/ldb-samba Ensure ACLs are evaluated on SAMBA_LDAP_MATCH_RULE_TRANSITIVE_EVAL / LDAP_MATCHING_RULE_IN_CHAIN

    Setting the LDB_HANDLE_FLAG_UNTRUSTED tells the acl_read module to
    operate on this request.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit d564a5c816642269e0b6d0b37319fd47646487c0
Author: Andrew Bartlett <abart...@samba.org>
Date:   Thu Mar 2 16:51:25 2023 +1300

    CVE-2023-0614 lib/ldb-samba: Add test for SAMBA_LDAP_MATCH_RULE_TRANSITIVE_EVAL / LDAP_MATCHING_RULE_IN_CHAIN with and ACL hidden attributes

    The chain for transitive evaluation does consider ACLs, avoiding the
    disclosure of confidential information.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit afad0829b16fa202723bb8381bb795e772d87edc
Author: Andrew Bartlett <abart...@samba.org>
Date:   Fri Mar 3 16:49:00 2023 +1300

    CVE-2023-0614 dsdb: Add pre-cleanup and self.addCleanup() of OU created in match_rules tests

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit 7e69ecbdc3a48a93b0ba31c3349456c49389d722
Author: Andrew Bartlett <abart...@samba.org>
Date:   Thu Mar 2 16:31:17 2023 +1300

    CVE-2023-0614 dsdb: Add DSDB_MARK_REQ_UNTRUSTED

    This will allow our dsdb helper search functions to mark the new
    request as untrusted, forcing read ACL evaluation (per current
    behaviour).

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit ad4c220411233d6cbd19885a8a0a91bbec762619
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Feb 24 10:03:25 2023 +1300

    CVE-2023-0614 s4-dsdb: Treat confidential attributes as unindexed

    In the unlikely case that someone adds a confidential indexed
    attribute to the schema, LDAP search expressions on that attribute
    could disclose information via timing differences. Let's not use the
    index for searches on confidential attributes.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 7f37b4ce6b5ecf05df6e62563f82e13ab93aa7a4
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Mar 3 17:35:55 2023 +1300

    CVE-2023-0614 ldb: Filter on search base before redacting message

    Redaction may be expensive if we end up needing to fetch a security
    descriptor to verify rights to an attribute. Checking the search scope
    is probably cheaper, so do that first.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 358894675d188b06cc0d24299012c898b394f99f
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Feb 14 13:17:24 2023 +1300

    CVE-2023-0614 ldb: Centralise checking for inaccessible matches

    This makes it less likely that we forget to handle a case.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit b0168c2ed0cb5709fc9a5e2a3d6c00e67cefff13
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Feb 16 12:35:34 2023 +1300

    CVE-2023-0614 ldb: Use binary search to check whether attribute is secret

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit e7065304bd0ea8440e53dda0480ee88574587a42
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Feb 27 13:31:44 2023 +1300

    CVE-2023-0614 s4-acl: Avoid calling dsdb_module_am_system() if we can help it

    If the AS_SYSTEM control is present, we know we have system privileges,
    and have no need to call dsdb_module_am_system().

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit e54fc56e23879bfea023cac1de081625089f8fbf
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Mar 3 17:34:29 2023 +1300

    CVE-2023-0614 ldb: Prevent disclosure of confidential attributes

    Add a hook, acl_redact_msg_for_filter(), in the aclread module, that
    marks inaccessible any message elements used by an LDAP search filter
    that the user has no right to access. Make the various ldb_match_*()
    functions check whether message elements are accessible, and refuse to
    match any that are not. Remaining message elements, not mentioned in
    the search filter, are checked in aclread_callback(), and any
    inaccessible elements are removed at this point.

    Certain attributes, namely objectClass, distinguishedName, name, and
    objectGUID, are always present, and hence the presence of said
    attributes is always allowed to be checked in a search filter. This
    corresponds with the behaviour of Windows.

    Further, we unconditionally allow the attributes isDeleted and
    isRecycled in a check for presence or equality. Windows is not known to
    make this special exception, but it seems mostly harmless, and should
    mitigate the performance impact on searches made by the show_deleted
    module.

    As a result of all these changes, our behaviour regarding confidential
    attributes happens to match Windows more closely. For the test in
    confidential_attr.py, we can now model our attribute handling with
    DC_MODE_RETURN_ALL, which corresponds to the behaviour exhibited by
    Windows.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

    Pair-Programmed-With: Andrew Bartlett <abart...@samba.org>

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit c1cb8021392206ce89b4d5b2705c78e8126710da
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Feb 27 13:55:36 2023 +1300

    CVE-2023-0614 s4-acl: Split out function to set up access checking variables

    These variables are often used together, and it is useful to have the
    setup code in one place.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 9c9a03d020addea342b48eb962c8ba7749fbc74c
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Feb 27 12:19:08 2023 +1300

    CVE-2023-0614 s4-dsdb: Add samdb_result_dom_sid_buf()

    This function parses a SID from an ldb_message, similar to
    samdb_result_dom_sid(), but does it without allocating anything.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit db65f5f76287afcd4ca4037a7029b63744317e5f
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Feb 27 13:40:33 2023 +1300

    CVE-2023-0614 s4-acl: Split out logic to remove access checking attributes

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 2603728b14d069d285f7d10a5d5f157aef13e936
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Mar 3 17:31:54 2023 +1300

    CVE-2023-0614 ldb: Add ldb_parse_tree_get_attr()

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit c23689e97a46a72a0d53085c72aaec5185aec001
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Jan 27 08:32:41 2023 +1300

    CVE-2023-0614 tests/krb5: Add test for confidential attributes timing differences

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit f20992d7fc9ad6289958e83d3b4fb6fa72510ddf
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Feb 7 09:25:48 2023 +1300

    CVE-2023-0614 schema_samba4.ldif: Allocate previously added OID

    DSDB_CONTROL_CALCULATED_DEFAULT_SD_OID was added in commit
    08187833fee57a8dba6c67546dfca516cd1f9d7a.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 5c4086d51f5424d153327c3d310add754730b499
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Feb 7 09:48:37 2023 +1300

    CVE-2023-0614 s4:dsdb:tests: Fix <GUID={}> search in confidential attributes test

    The object returned by schema_format_value() is a bytes object.
    Therefore the search expression would resemble:

    (lastKnownParent=<GUID=b'00000000-0000-0000-0000-000000000000'>)

    which, due to the extra characters, would fail to match anything.

    Fix it to be:

    (lastKnownParent=<GUID=00000000-0000-0000-0000-000000000000>)

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 5f6e01c029d17eb277e6e3d81b14d3b79ea71463
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Feb 7 09:35:24 2023 +1300

    CVE-2023-0614 s4:dsdb/extended_dn_in: Don't modify a search tree we don't own

    In extended_dn_fix_filter() we had:

    req->op.search.tree = ldb_parse_tree_copy_shallow(req, req->op.search.tree);

    which overwrote the parse tree on an existing ldb request with a fixed
    up tree. This became a problem if a module performed another search
    with that same request structure, as extended_dn_in would try to fix up
    the already-modified tree for a second time. The fixed-up tree element
    now having an extended DN, it would fall foul of the
    ldb_dn_match_allowed() check in extended_dn_filter_callback(), and be
    replaced with an ALWAYS_FALSE match rule.

    In practice this meant that <GUID={}> searches would only work for one
    search in an ldb request, and fail for subsequent ones.

    Fix this by creating a new request with the modified tree, and leaving
    the original request unmodified.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 7689a2caeb4d804b671cdffbc4251279dd7d3783
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Feb 27 10:31:52 2023 +1300

    CVE-2023-0614 ldb: Make use of ldb_filter_attrs_in_place()

    Change all uses of ldb_kv_filter_attrs() to use
    ldb_filter_attrs_in_place() instead. This function does less work than
    its predecessor, and no longer requires the allocation of a second ldb
    message. Some of the work is able to be split out into separate
    functions that each accomplish a single task, with a purpose to make
    the code clearer.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 4b956377c666b199823d791efe9241de80f05faa
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Mar 3 17:30:19 2023 +1300

    CVE-2023-0614 ldb: Make ldb_filter_attrs_in_place() work in place

    ldb_filter_attrs() previously did too much. Now its replacement,
    ldb_filter_attrs_in_place(), only does the actual filtering, while
    taking ownership of each element's values is handled in a separate
    function, ldb_msg_elements_take_ownership().

    Also, ldb_filter_attrs_in_place() no longer adds the distinguishedName
    to the message if it is missing. That is handled in another function,
    ldb_msg_add_distinguished_name().

    As we're now modifying the original message rather than copying it into
    a new one, we no longer need the filtered_msg parameter.

    We adapt a test, based on ldb_filter_attrs_test, to exercise the new
    function.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit feb7ef495c85e724e0dafe66d6d63d8f19e7374b
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Mar 3 17:29:03 2023 +1300

    CVE-2023-0614 ldb: Add function to filter message in place

    At present this function is an exact duplicate of ldb_filter_attrs(),
    but in the next commit we shall modify it to work in place, without the
    need for the allocation of a second message.

    The test is a near duplicate of the existing test for
    ldb_filter_attrs().

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit d2244ec1d3ee414d53d031fa4d846782b5ce9a1a
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Mar 3 17:27:38 2023 +1300

    CVE-2023-0614 ldb: Add function to add distinguishedName to message

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 15723d6ff5eaa7f8e7e2803ffeab97f36289f2fe
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Mar 3 17:26:04 2023 +1300

    CVE-2023-0614 ldb: Add function to remove excess capacity from an ldb message

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 78a7b155cc2b50d5dea8a3e0588f646100ea0a92
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Mar 3 17:23:42 2023 +1300

    CVE-2023-0614 ldb: Add function to take ownership of an ldb message

    Many places in Samba depend upon various components of an ldb message
    being talloc allocated, and hence able to be used as talloc contexts.
    The elements and values of an unpacked ldb message point to unowned
    data inside the memory-mapped database, and this function ensures that
    such messages have talloc ownership of said elements and values.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit ba135dceead75e3c4ba309a4d1ce54e593e129dc
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Feb 15 14:08:57 2023 +1300

    CVE-2023-0614 ldb:tests: Ensure all tests are accounted for

    Add ldb_filter_attrs_test to the list of tests so that it actually gets
    run.

    Remove a duplicate ldb_msg_test that was accidentally added in commit
    5ca90e758ade97fb5e335029c7a1768094e70564.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 04de06f18fe8ecd4469f584223c676651be46b6d
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Feb 15 12:34:51 2023 +1300

    CVE-2023-0614 ldb:tests: Ensure ldb_val data is zero-terminated

    If the value of an ldb message element is not zero-terminated, calling
    ldb_msg_find_attr_as_string() will cause the function to read off the
    end of the buffer in an attempt to verify that the value is
    zero-terminated. This can cause unexpected behaviour and make the test
    randomly fail.

    To avoid this, we must have a terminating null byte that is *not*
    counted as part of the length, and so we must calculate the length with
    strlen() rather than sizeof.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 9222e613f667e57dc88765c1441c410b11077790
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Jan 27 08:29:33 2023 +1300

    CVE-2023-0614 s4-acl: Use ldb functions for handling inaccessible message elements

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 5a33688dda2518df9ec9c54717a2f86d90ce10fe
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Jan 27 08:28:36 2023 +1300

    CVE-2023-0614 ldb: Add functions for handling inaccessible message elements

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit ce9b66c664257b699b744836c431e7d6a3bdd845
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Jan 27 08:00:32 2023 +1300

    CVE-2023-0614 s4-acl: Make some parameters const

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 1b1f6dd488704bca529f6cc70761dd4972998b8f
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Feb 7 09:29:51 2023 +1300

    CVE-2023-0614 s4:dsdb: Use talloc_get_type_abort() more consistently

    It is better to explicitly abort than to dereference a NULL pointer or
    try to read data cast to the wrong type.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 88b5d9215c6f712ad1932604e2830edd111a5618
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Jan 27 07:57:27 2023 +1300

    CVE-2023-0614 libcli/security: Make some parameters const

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 90b5fddb8269de4fc8ca33dda3c9f0f3a7aee075
Author: Andrew Bartlett <abart...@samba.org>
Date:   Fri Mar 3 10:31:40 2023 +1300

    CVE-2023-0614 dsdb: Alter timeout test in large_ldap.py to be slower by matching on large objects

    This changes the slow aspect to be the object matching not the filter
    parsing.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit 64da379aa95de1cd36d72f9aee59372318115e2d
Author: Andrew Bartlett <abart...@samba.org>
Date:   Mon Mar 13 17:20:00 2023 +1300

    CVE-2023-0614 selftest: Use setUpClass() to reduce "make test TESTS=large_ldap" time

    This reduces the elapsed time to 6m from 20m on my laptop.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15332
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>

    Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
    Autobuild-Date(master): Tue Mar 14 07:16:04 UTC 2023 on atb-devel-224

    (cherry picked from commit b4a6c054ec6acefacd22cb7230a783d20cb07c05)

    [abart...@samba.org Included in the security release as this makes
     working on the large_ldap test practical by reducing the elapsed time
     taken]

commit 680b865f183d3103cd7d465e6b921fb5f28627b8
Author: Andrew Bartlett <abart...@samba.org>
Date:   Mon Mar 13 14:25:56 2023 +1300

    CVE-2023-0614 lib/ldb: Avoid allocation and memcpy() for every wildcard match candidate

    The value can be quite large, the allocation will take much longer
    than the actual match and is repeated per candidate record.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15331
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>

    (cherry picked from commit cad96f59a08192df927fb1df4e9787c7f70991a2)

    [abart...@samba.org Included in the security release as this makes the
     new large_ldap.py timeout test more reliable]

-----------------------------------------------------------------------

Summary of changes:
 VERSION                                            |    2 +-
 WHATSNEW.txt                                       |   71 +-
 .../smbdotconf/ldap/clientldapsaslwrapping.xml     |   27 +-
 lib/ldb-samba/ldb_matching_rules.c                 |   17 +-
 lib/ldb-samba/tests/match_rules.py                 |  135 +--
 lib/ldb-samba/tests/match_rules_remote.py          |  104 ++
 lib/ldb/ABI/{ldb-2.6.1.sigs => ldb-2.7.2.sigs}     |   10 +
 ...pyldb-util-2.1.0.sigs => pyldb-util-2.7.2.sigs} |    0
 lib/ldb/common/ldb_match.c                         |  111 ++-
 lib/ldb/common/ldb_msg.c                           |   42 +
 lib/ldb/common/ldb_pack.c                          |  105 +-
 lib/ldb/common/ldb_parse.c                         |   25 +
 lib/ldb/include/ldb_module.h                       |   31 +
 lib/ldb/include/ldb_private.h                      |   21 +
 lib/ldb/ldb_key_value/ldb_kv.h                     |    6 +-
 lib/ldb/ldb_key_value/ldb_kv_index.c               |   59 +-
 lib/ldb/ldb_key_value/ldb_kv_search.c              |  115 ++-
 lib/ldb/tests/ldb_filter_attrs_in_place_test.c     |  940 ++++++++++++++++++
 lib/ldb/tests/ldb_filter_attrs_test.c              |  171 ++--
 lib/ldb/wscript                                    |   13 +-
 lib/param/loadparm.c                               |    2 +-
 libcli/security/access_check.c                     |   10 +-
 libcli/security/access_check.h                     |    2 +-
 python/samba/tests/auth_log.py                     |    2 +-
 source3/param/loadparm.c                           |    2 +-
 source4/dsdb/common/util.c                         |   24 +
 source4/dsdb/common/util.h                         |    1 +
 source4/dsdb/samdb/ldb_modules/acl.c               |  195 +---
 source4/dsdb/samdb/ldb_modules/acl_read.c          | 1017 +++++++++++++-------
 source4/dsdb/samdb/ldb_modules/acl_util.c          |    6 +-
 source4/dsdb/samdb/ldb_modules/extended_dn_in.c    |   50 +-
 source4/dsdb/samdb/ldb_modules/linked_attributes.c |    2 +-
 source4/dsdb/samdb/ldb_modules/password_hash.c     |    2 +-
 source4/dsdb/samdb/samdb.h                         |    2 +
 source4/dsdb/schema/schema_description.c           |    7 +
 source4/dsdb/schema/schema_init.c                  |   11 +-
 source4/dsdb/schema/schema_set.c                   |    9 +-
 source4/dsdb/tests/python/acl_modify.py            |  236
+++++ source4/dsdb/tests/python/confidential_attr.py | 180 +++- source4/dsdb/tests/python/large_ldap.py | 85 +- source4/selftest/tests.py | 2 + source4/setup/schema_samba4.ldif | 2 + source4/torture/ldb/ldb.c | 12 +- 43 files changed, 3016 insertions(+), 850 deletions(-) create mode 100755 lib/ldb-samba/tests/match_rules_remote.py copy lib/ldb/ABI/{ldb-2.6.1.sigs => ldb-2.7.2.sigs} (97%) copy lib/ldb/ABI/{pyldb-util-2.1.0.sigs => pyldb-util-2.7.2.sigs} (100%) create mode 100644 lib/ldb/tests/ldb_filter_attrs_in_place_test.c create mode 100755 source4/dsdb/tests/python/acl_modify.py Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index db0cfae1f29..c976c5b630d 100644 --- a/VERSION +++ b/VERSION @@ -25,7 +25,7 @@ ######################################################## SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=18 -SAMBA_VERSION_RELEASE=0 +SAMBA_VERSION_RELEASE=1 ######################################################## # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index edd3c8828b0..1b49d1b5a6a 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -1,3 +1,72 @@ + ============================== + Release Notes for Samba 4.18.1 + March 29, 2023 + ============================== + + +This is a security release in order to address the following defects: + +o CVE-2023-0225: An incomplete access check on dnsHostName allows authenticated + but otherwise unprivileged users to delete this attribute from + any object in the directory. + https://www.samba.org/samba/security/CVE-2023-0225.html + +o CVE-2023-0922: The Samba AD DC administration tool, when operating against a + remote LDAP server, will by default send new or reset + passwords over a signed-only connection. + https://www.samba.org/samba/security/CVE-2023-0922.html + +o CVE-2023-0614: The fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for CVE-2018-10919 + Confidential attribute disclosure via LDAP filters was + insufficient and an attacker may be able to obtain + confidential BitLocker recovery keys from a Samba AD DC. + Installations with such secrets in their Samba AD should + assume they have been obtained and need replacing. + https://www.samba.org/samba/security/CVE-2023-0614.html + + +Changes since 4.18.0 +-------------------- + +o Douglas Bagnall <douglas.bagn...@catalyst.net.nz> + * BUG 15276: CVE-2023-0225. + +o Andrew Bartlett <abart...@samba.org> + * BUG 15270: CVE-2023-0614. + * BUG 15331: ldb wildcard matching makes excessive allocations. + * BUG 15332: large_ldap test is inefficient. + +o Rob van der Linde <r...@catalyst.net.nz> + * BUG 15315: CVE-2023-0922. + +o Joseph Sutton <josephsut...@catalyst.net.nz> + * BUG 15270: CVE-2023-0614. + * BUG 15276: CVE-2023-0225. + + +####################################### +Reporting bugs & Development Discussion +####################################### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical:matrix.org matrix room, or +#samba-technical IRC channel on irc.libera.chat. + +If you do report problems then please try to send high quality +feedback. 
If you don't provide vital information to help us track down +the problem then you will probably be ignored. All bug reports should +be filed under the Samba 4.1 and newer product in the project's Bugzilla +database (https://bugzilla.samba.org/). + + +====================================================================== +== Our Code, Our Bugs, Our Responsibility. +== The Samba Team +====================================================================== + + +Release notes for older releases follow: +---------------------------------------- ============================== Release Notes for Samba 4.18.0 March 08, 2023 @@ -65,7 +134,7 @@ Most commands have very little colour in any case. For those that already used it, the defaults have changed slightly. * samba-tool drs showrepl: default is now 'auto', not 'no' - + * samba-tool visualize: the interactions between --color-scheme, --color, and --output have changed slightly. When --color-scheme is set it overrides --color for the purpose of the output diagram, but diff --git a/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml b/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml index 3152f0682dd..21bd2090057 100644 --- a/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml +++ b/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml 
@@ -18,25 +18,24 @@ </para> <para> - This option is needed in the case of Domain Controllers enforcing - the usage of signed LDAP connections (e.g. Windows 2000 SP3 or higher). - LDAP sign and seal can be controlled with the registry key - "<literal>HKLM\System\CurrentControlSet\Services\</literal> - <literal>NTDS\Parameters\LDAPServerIntegrity</literal>" - on the Windows server side. - </para> + This option is needed firstly to secure the privacy of + administrative connections from <command>samba-tool</command>, + including in particular new or reset passwords for users. For + this reason the default is <emphasis>seal</emphasis>.</para> - <para> - Depending on the used KRB5 library (MIT and older Heimdal versions) - it is possible that the message "integrity only" is not supported. - In this case, <emphasis>sign</emphasis> is just an alias for - <emphasis>seal</emphasis>. + <para>Additionally, <command>winbindd</command> and the + <command>net</command> tool can use LDAP to communicate with + Domain Controllers, so this option also controls the level of + privacy for those connections. All supported AD DC versions + will enforce the usage of at least signed LDAP connections by + default, so a value of at least <emphasis>sign</emphasis> is + required in practice. </para> <para> - The default value is <emphasis>sign</emphasis>. That implies synchronizing the time + The default value is <emphasis>seal</emphasis>. That implies synchronizing the time with the KDC in the case of using <emphasis>Kerberos</emphasis>. </para> </description> -<value type="default">sign</value> +<value type="default">seal</value> </samba:parameter> diff --git a/lib/ldb-samba/ldb_matching_rules.c b/lib/ldb-samba/ldb_matching_rules.c index 827f3920ae8..59d1385f4e3 100644 --- a/lib/ldb-samba/ldb_matching_rules.c +++ b/lib/ldb-samba/ldb_matching_rules.c 
@@ -67,7 +67,12 @@ static int ldb_eval_transitive_filter_helper(TALLOC_CTX *mem_ctx, * Note also that we don't have the original request * here, so we can not apply controls or timeouts here. */ - ret = dsdb_search_dn(ldb, tmp_ctx, &res, to_visit->dn, attrs, 0); + ret = dsdb_search_dn(ldb, + tmp_ctx, + &res, + to_visit->dn, + attrs, + DSDB_MARK_REQ_UNTRUSTED); if (ret != LDB_SUCCESS) { talloc_free(tmp_ctx); return ret; @@ -370,6 +375,11 @@ static int dsdb_match_for_dns_to_tombstone_time(struct ldb_context *ldb, return LDB_SUCCESS; } + if (ldb_msg_element_is_inaccessible(el)) { + *matched = false; + return LDB_SUCCESS; + } + session_info = talloc_get_type(ldb_get_opaque(ldb, "sessionInfo"), struct auth_session_info); if (session_info == NULL) { @@ -489,6 +499,11 @@ static int dsdb_match_for_expunge(struct ldb_context *ldb, return LDB_SUCCESS; } + if (ldb_msg_element_is_inaccessible(el)) { + *matched = false; + return LDB_SUCCESS; + } + session_info = talloc_get_type(ldb_get_opaque(ldb, DSDB_SESSION_INFO), struct auth_session_info); diff --git a/lib/ldb-samba/tests/match_rules.py b/lib/ldb-samba/tests/match_rules.py index abf485c9eab..2fe6c3e2264 100755 --- a/lib/ldb-samba/tests/match_rules.py +++ b/lib/ldb-samba/tests/match_rules.py 
@@ -20,22 +20,35 @@ from ldb import SCOPE_BASE, SCOPE_SUBTREE, SCOPE_ONELEVEL # Windows appear to preserve casing of the RDN and uppercase the other keys. -class MatchRulesTests(samba.tests.TestCase): +class MatchRulesTestsBase(samba.tests.TestCase): def setUp(self): - super(MatchRulesTests, self).setUp() - self.lp = lp - self.ldb = SamDB(host, credentials=creds, session_info=system_session(lp), lp=lp) + super().setUp() + self.lp = self.sambaopts.get_loadparm() + self.creds = self.credopts.get_credentials(self.lp) + + self.ldb = SamDB(self.host, credentials=self.creds, + session_info=system_session(self.lp), + lp=self.lp) self.base_dn = self.ldb.domain_dn() - self.ou = "OU=matchrulestest,%s" % self.base_dn + self.ou_rdn = "OU=matchrulestest" + self.ou = self.ou_rdn + "," + self.base_dn self.ou_users = "OU=users,%s" % self.ou self.ou_groups = "OU=groups,%s" % self.ou self.ou_computers = "OU=computers,%s" % self.ou + try: + self.ldb.delete(self.ou, ["tree_delete:1"]) + except LdbError as e: + pass + # Add a organizational unit to create objects self.ldb.add({ "dn": self.ou, "objectclass": "organizationalUnit"}) + self.addCleanup(self.ldb.delete, self.ou, controls=['tree_delete:0']) + + # Add the following OU hierarchy and set otherWellKnownObjects, # which has BinaryDN syntax: # 
@@ -204,6 +217,39 @@ class MatchRulesTests(samba.tests.TestCase): FLAG_MOD_ADD, "member") self.ldb.modify(m) + # Add a couple of ms-Exch-Configuration-Container to test forward-link + # attributes without backward link (addressBookRoots2) + # e1 + # |--> e2 + # | |--> c1 + self.ldb.add({ + "dn": "cn=e1,%s" % self.ou, + "objectclass": "msExchConfigurationContainer"}) + self.ldb.add({ + "dn": "cn=e2,%s" % self.ou, + "objectclass": "msExchConfigurationContainer"}) + + m = Message() + m.dn = Dn(self.ldb, "cn=e2,%s" % self.ou) + m["e1"] = MessageElement("cn=c1,%s" % self.ou_computers, + FLAG_MOD_ADD, "addressBookRoots2") + self.ldb.modify(m) + + m = Message() + m.dn = Dn(self.ldb, "cn=e1,%s" % self.ou) + m["e1"] = MessageElement("cn=e2,%s" % self.ou, + FLAG_MOD_ADD, "addressBookRoots2") + self.ldb.modify(m) + + + +class MatchRulesTests(MatchRulesTestsBase): + def setUp(self): + self.sambaopts = sambaopts + self.credopts = credopts + self.host = host + super().setUp() + # The msDS-RevealedUsers is owned by system and cannot be modified # directly. Set the schemaUpgradeInProgress flag as workaround # and create this hierarchy: 
@@ -243,33 +289,6 @@ class MatchRulesTests(samba.tests.TestCase): m["e1"] = MessageElement("0", FLAG_MOD_REPLACE, "schemaUpgradeInProgress") self.ldb.modify(m) - # Add a couple of ms-Exch-Configuration-Container to test forward-link - # attributes without backward link (addressBookRoots2) - # e1 - # |--> e2 - # | |--> c1 - self.ldb.add({ - "dn": "cn=e1,%s" % self.ou, - "objectclass": "msExchConfigurationContainer"}) - self.ldb.add({ - "dn": "cn=e2,%s" % self.ou, - "objectclass": "msExchConfigurationContainer"}) - - m = Message() - m.dn = Dn(self.ldb, "cn=e2,%s" % self.ou) - m["e1"] = MessageElement("cn=c1,%s" % self.ou_computers, - FLAG_MOD_ADD, "addressBookRoots2") - self.ldb.modify(m) - - m = Message() - m.dn = Dn(self.ldb, "cn=e1,%s" % self.ou) - m["e1"] = MessageElement("cn=e2,%s" % self.ou, - FLAG_MOD_ADD, "addressBookRoots2") - self.ldb.modify(m) - - def tearDown(self): - super(MatchRulesTests, self).tearDown() - self.ldb.delete(self.ou, controls=['tree_delete:0']) def test_u1_member_of_g4(self): # Search without transitive match must return 0 results @@ -945,8 +964,12 @@ class MatchRulesTests(samba.tests.TestCase): class MatchRuleConditionTests(samba.tests.TestCase): def setUp(self): super(MatchRuleConditionTests, self).setUp() - self.lp = lp - self.ldb = SamDB(host, credentials=creds, session_info=system_session(lp), lp=lp) + self.lp = sambaopts.get_loadparm() + self.creds = credopts.get_credentials(self.lp) + + self.ldb = SamDB(host, credentials=self.creds, + session_info=system_session(self.lp), + lp=self.lp) self.base_dn = self.ldb.domain_dn() self.ou = "OU=matchruleconditiontests,%s" % self.base_dn self.ou_users = "OU=users,%s" % self.ou 
@@ -1745,32 +1768,30 @@ class MatchRuleConditionTests(samba.tests.TestCase): self.ou_groups, self.ou_computers)) self.assertEqual(len(res1), 0) +if __name__ == "__main__": -parser = optparse.OptionParser("match_rules.py [options] <host>") -sambaopts = options.SambaOptions(parser) -parser.add_option_group(sambaopts) -parser.add_option_group(options.VersionOptions(parser)) - -# use command line creds if available -credopts = options.CredentialsOptions(parser) -parser.add_option_group(credopts) -opts, args = parser.parse_args() -subunitopts = SubunitOptions(parser) -parser.add_option_group(subunitopts) + parser = optparse.OptionParser("match_rules.py [options] <host>") + sambaopts = options.SambaOptions(parser) + parser.add_option_group(sambaopts) + parser.add_option_group(options.VersionOptions(parser)) -if len(args) < 1: - parser.print_usage() - sys.exit(1) + # use command line creds if available + credopts = options.CredentialsOptions(parser) + parser.add_option_group(credopts) + opts, args = parser.parse_args() + subunitopts = SubunitOptions(parser) + parser.add_option_group(subunitopts) -host = args[0] + if len(args) < 1: + parser.print_usage() + sys.exit(1) -lp = sambaopts.get_loadparm() -creds = credopts.get_credentials(lp) + host = args[0] -if "://" not in host: - if os.path.isfile(host): - host = "tdb://%s" % host - else: - host = "ldap://%s" % host + if "://" not in host: + if os.path.isfile(host): + host = "tdb://%s" % host + else: + host = "ldap://%s" % host -TestProgram(module=__name__, opts=subunitopts) + TestProgram(module=__name__, opts=subunitopts) diff --git a/lib/ldb-samba/tests/match_rules_remote.py b/lib/ldb-samba/tests/match_rules_remote.py new file mode 100755 index 00000000000..122231f2a60 --- /dev/null +++ b/lib/ldb-samba/tests/match_rules_remote.py 
@@ -0,0 +1,104 @@ +#!/usr/bin/env python3 + +import optparse +import sys +import os +import samba +import samba.getopt as options + +from samba.tests.subunitrun import SubunitOptions, TestProgram + +from samba.samdb import SamDB +from samba.auth import system_session +from samba import sd_utils +from samba.ndr import ndr_unpack +from ldb import Message, MessageElement, Dn, LdbError +from ldb import FLAG_MOD_ADD, FLAG_MOD_REPLACE, FLAG_MOD_DELETE +from ldb import SCOPE_BASE, SCOPE_SUBTREE, SCOPE_ONELEVEL + +from match_rules import MatchRulesTestsBase + + +class MatchRulesTestsUser(MatchRulesTestsBase): + def setUp(self): + self.sambaopts = sambaopts + self.credopts = credopts + self.host = host + super().setUp() + self.sd_utils = sd_utils.SDUtils(self.ldb) + + self.user_pass = "samba123@" + self.match_test_user = "matchtestuser" + self.ldb.newuser(self.match_test_user, + self.user_pass, + userou=self.ou_rdn) + user_creds = self.insta_creds(template=self.creds, + username=self.match_test_user, + userpass=self.user_pass) + self.user_ldb = SamDB(host, credentials=user_creds, lp=self.lp) + token_res = self.user_ldb.search(scope=SCOPE_BASE, + base="", + attrs=["tokenGroups"]) + self.user_sid = ndr_unpack(samba.dcerpc.security.dom_sid, + token_res[0]["tokenGroups"][0]) + + self.member_attr_guid = "bf9679c0-0de6-11d0-a285-00aa003049e2" + + def test_with_denied_link(self): + + # add an ACE that denies the user Read Property (RP) access to + # the member attr (which is similar to making the attribute + # confidential) + ace = "(OD;;RP;{0};;{1})".format(self.member_attr_guid, + self.user_sid) + g2_dn = Dn(self.ldb, "CN=g2,%s" % self.ou_groups) + + # add the ACE that denies access to the attr under test + self.sd_utils.dacl_add_ace(g2_dn, ace) + + # Search without transitive match must return 0 results + res1 = self.ldb.search("cn=g4,%s" % self.ou_groups, + scope=SCOPE_BASE, + expression="member=cn=u1,%s" % self.ou_users) + self.assertEqual(len(res1), 0) + + # Search with 
transitive match must return 1 results + res1 = self.ldb.search("cn=g4,%s" % self.ou_groups, + scope=SCOPE_BASE, + expression="member:1.2.840.113556.1.4.1941:=cn=u1,%s" % self.ou_users) + self.assertEqual(len(res1), 1) + self.assertEqual(str(res1[0].dn).lower(), ("CN=g4,%s" % self.ou_groups).lower()) + + # Search as a user match must return 0 results as the intermediate link can't be seen + res1 = self.user_ldb.search("cn=g4,%s" % self.ou_groups, + scope=SCOPE_BASE, + expression="member:1.2.840.113556.1.4.1941:=cn=u1,%s" % self.ou_users) + self.assertEqual(len(res1), 0) + + + +parser = optparse.OptionParser("match_rules_remote.py [options] <host>") +sambaopts = options.SambaOptions(parser) +parser.add_option_group(sambaopts) +parser.add_option_group(options.VersionOptions(parser)) + +# use command line creds if available +credopts = options.CredentialsOptions(parser) +parser.add_option_group(credopts) +opts, args = parser.parse_args() +subunitopts = SubunitOptions(parser) +parser.add_option_group(subunitopts) + +if len(args) < 1: + parser.print_usage() + sys.exit(1) + +host = args[0] + +if "://" not in host: + if os.path.isfile(host): + host = "tdb://%s" % host + else: + host = "ldap://%s" % host + +TestProgram(module=__name__, opts=subunitopts) diff --git a/lib/ldb/ABI/ldb-2.6.1.sigs b/lib/ldb/ABI/ldb-2.7.2.sigs similarity index 97% copy from lib/ldb/ABI/ldb-2.6.1.sigs copy to lib/ldb/ABI/ldb-2.7.2.sigs index 40388d9e330..b4c5e20e8c7 100644 --- a/lib/ldb/ABI/ldb-2.6.1.sigs +++ b/lib/ldb/ABI/ldb-2.7.2.sigs 
@@ -86,6 +86,7 @@ ldb_errstring: const char *(struct ldb_context *) ldb_extended: int (struct ldb_context *, const char *, void *, struct ldb_result **) ldb_extended_default_callback: int (struct ldb_request *, struct ldb_reply *) ldb_filter_attrs: int (struct ldb_context *, const struct ldb_message *, const char * const *, struct ldb_message *) +ldb_filter_attrs_in_place: int (struct ldb_message *, const char * const *) ldb_filter_from_tree: char *(TALLOC_CTX *, const struct ldb_parse_tree *) ldb_get_config_basedn: struct ldb_dn *(struct ldb_context *) ldb_get_create_perms: unsigned int (struct ldb_context *) @@ -125,6 +126,7 @@ ldb_match_message: int (struct ldb_context *, const struct ldb_message *, const ldb_match_msg: int (struct ldb_context *, const struct ldb_message *, const struct ldb_parse_tree *, struct ldb_dn *, enum ldb_scope) ldb_match_msg_error: int (struct ldb_context *, const struct ldb_message *, const struct ldb_parse_tree *, struct ldb_dn *, enum ldb_scope, bool *) -- Samba Shared Repository
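Review bot: in the WHATSNEW.txt hunk the CVE-2023-0922 entry describes only the old behaviour ("will by default send new or reset passwords over a signed-only connection") and never says what this release changes; since the same commit series flips the `client ldap sasl wrapping` default from `sign` to `seal` (see the clientldapsaslwrapping.xml hunk), the entry should state that new default and advise administrators who have explicitly configured `sign` or `plain` in smb.conf that their setting now overrides a security default, so they can review it.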
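Review bot: in the clientldapsaslwrapping.xml hunk the removed paragraph carried a caveat (with MIT and older Heimdal KRB5 libraries "integrity only" may be unsupported, so `sign` is effectively an alias for `seal`) that the new text drops without replacement; if that library behaviour still holds, keep the sentence, since it tells an admin why a `sign` setting may silently behave as `seal`. The new first paragraph should also say explicitly that choosing `plain` or `sign` downgrades the privacy of passwords set through `samba-tool`, which is the reason the default moved. Minor markup style: the first new paragraph closes with `default is <emphasis>seal</emphasis>.</para>` on the text line, while every other `<para>` in this file puts `</para>` on its own line.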
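Review bot: in the first ldb_matching_rules.c hunk the comment directly above the `dsdb_search_dn()` call still only explains that controls and timeouts cannot be applied because the original request is unavailable; now that the call passes `DSDB_MARK_REQ_UNTRUSTED` instead of `0`, extend that comment with why: the per-link sub-search in the transitive evaluation must be access-checked as the original caller, so that a link value the caller is not allowed to read cannot contribute to a match and thereby reveal its existence. Without that sentence the flag looks incidental and a future refactor could drop it.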
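Review bot: in the `dsdb_match_for_dns_to_tombstone_time()` hunk (and identically in the `dsdb_match_for_expunge()` hunk) the new `ldb_msg_element_is_inaccessible(el)` check returns `LDB_SUCCESS` with `*matched = false`; that is the right fail-closed behaviour, because an inaccessible value has to behave exactly like an absent one or the filter result itself becomes the disclosure channel, but nothing in the code says so. Add a one-line comment such as "inaccessible elements must match as if absent, never error" above each copy so a later cleanup does not turn it into an error return. Placing the check before the `session_info` lookup, as done here, is also the cheaper ordering.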
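Review bot: in the match_rules.py `setUp()` hunk the pre-cleanup `except LdbError as e: pass` binds `e` without using it and swallows every ldb error, including permission and connection failures that should fail the test; narrow it to the expected case, e.g. `except LdbError as e: if e.args[0] != ERR_NO_SUCH_OBJECT: raise` with `ERR_NO_SUCH_OBJECT` imported from `ldb`. The same hunk passes the control as `["tree_delete:1"]` on the pre-cleanup delete but `controls=['tree_delete:0']` in `addCleanup()`; use one criticality value in both places, since a non-critical control that the server ignores would leave a populated OU behind.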
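Review bot: in the hunk that moves the msExchConfigurationContainer block into `MatchRulesTestsBase`, the block ends with two trailing blank lines after `self.ldb.modify(m)` and three blank lines precede `class MatchRulesTests(MatchRulesTestsBase):` where PEP 8 (which this file otherwise follows) wants two; the new `MatchRulesTests.setUp()` also assigns `self.sambaopts`, `self.credopts` and `self.host` from module globals before calling `super().setUp()`, which is the contract the base class depends on, so a short docstring on `MatchRulesTestsBase.setUp()` naming those three required attributes would document it for other subclasses.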
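Review bot: in the `MatchRuleConditionTests.setUp()` hunk the class still reads `sambaopts`, `credopts` and `host` directly as module globals rather than following the `self.sambaopts`/`self.credopts`/`self.host` pattern just introduced for `MatchRulesTestsBase`; that works when the file is run as a script but leaves two different conventions in one module. Either derive this class from the same base or set the three attributes the same way. Replacing the removed `tearDown()` with `addCleanup()` in the earlier hunk is the right change, as the cleanup then runs even when `setUp()` fails part-way.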
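Review bot: in the final match_rules.py hunk moving argument parsing under `if __name__ == "__main__":` is what allows `match_rules_remote.py` to import `MatchRulesTestsBase`, but it also means `sambaopts`, `credopts` and `host` only exist when the module is the entry point; any importer that instantiates `MatchRulesTests` or `MatchRuleConditionTests` directly will get a `NameError` inside `setUp()`. A comment at the top of the guarded block stating that importers must subclass the base and supply those attributes themselves (as the remote test does) would make that explicit. The blank `+if __name__ == "__main__":` line sits before the deleted lines, so the hunk is correct but reads oddly; that is cosmetic.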
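Review bot: in the new match_rules_remote.py file `ndr_unpack(samba.dcerpc.security.dom_sid, ...)` relies on `samba.dcerpc.security` having been imported transitively by another module, since the file only does `import samba`; add an explicit `from samba.dcerpc import security` and use `security.dom_sid`, otherwise the import order of `samba.samdb` decides whether this test raises `AttributeError`. Further points: `self.user_ldb = SamDB(host, ...)` uses the module global where `self.host` is available and already used by the base class; `Message`, `MessageElement`, `FLAG_MOD_ADD`, `FLAG_MOD_REPLACE`, `FLAG_MOD_DELETE`, `SCOPE_SUBTREE`, `SCOPE_ONELEVEL` and `os`-based branches aside, several of the `ldb` imports are unused; the option parsing at module level is not under an `if __name__ == "__main__":` guard, unlike the file it imports from, so importing this module calls `parse_args()` and may `sys.exit(1)`; and the comment "must return 1 results" should read "1 result". The test itself is the right shape for the regression it guards: the same transitive `member:1.2.840.113556.1.4.1941:=` search matches as system and returns nothing as the user once `RP` on `member` is denied on the intermediate group.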
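Review bot: in the ldb ABI hunk the new `ldb-2.7.2.sigs` file is shown as a 97% copy of `ldb-2.6.1.sigs`, so the diff is against the 2.6.1 signature set rather than the immediately preceding 2.7.1 file; please confirm that the symbols appearing as additions here (for example `ldb_filter_attrs_in_place: int (struct ldb_message *, const char * const *)`) are exactly the ones introduced between 2.7.1 and 2.7.2, and that nothing added in 2.7.0 or 2.7.1 is being reintroduced or omitted by the copy. The non-const `struct ldb_message *` in that signature is consistent with its in-place semantics.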