From 8ea9f1e02e85e3cc2b4ccda52639e96651d21653 Mon Sep 17 00:00:00 2001 From: Patrick J Volkerding Date: Mon, 17 Feb 2020 06:03:43 +0000 Subject: Mon Feb 17 06:03:43 UTC 2020 ap/ksh93-20200131_e4fea8c5-x86_64-1.txz: Upgraded. ap/zsh-5.8-x86_64-1.txz: Upgraded. l/brotli-1.0.7-x86_64-1.txz: Added. l/gmime-3.2.6-x86_64-1.txz: Upgraded. l/hyphen-2.8.8-x86_64-1.txz: Added. l/openal-soft-1.20.1-x86_64-1.txz: Upgraded. Thanks to Skaendo and Willy Sudiarto Raharjo. l/qt5-webkit-5.212.0_alpha3-x86_64-1.txz: Added. Thanks to alienBOB. l/woff2-20180531_a0d0ed7-x86_64-1.txz: Added. n/bluez-5.53-x86_64-1.txz: Upgraded. n/mutt-1.13.4-x86_64-1.txz: Upgraded. n/samba-4.11.6-x86_64-3.txz: Rebuilt. n/socat-1.7.3.4-x86_64-1.txz: Added. n/whois-5.5.6-x86_64-1.txz: Upgraded. testing/packages/PAM/samba-4.11.6-x86_64-3_pam.txz: Rebuilt. Added patches to fix joining a DC when using krb5. Looks like the patches are already upstreamed in the latest 4.12.0-rc. Thanks to camerabambai. --- ...001-handle-removal-des-enctypes-from-krb5.patch | 314 +++++++++++++++++++++ 1 file changed, 314 insertions(+) create mode 100644 source/n/samba/0001-handle-removal-des-enctypes-from-krb5.patch (limited to 'source/n/samba/0001-handle-removal-des-enctypes-from-krb5.patch') diff --git a/source/n/samba/0001-handle-removal-des-enctypes-from-krb5.patch b/source/n/samba/0001-handle-removal-des-enctypes-from-krb5.patch new file mode 100644 index 000000000..047532372 --- /dev/null +++ b/source/n/samba/0001-handle-removal-des-enctypes-from-krb5.patch @@ -0,0 +1,314 @@ +From 3828e798da8e0b44356039dd927f0624d5d182f9 Mon Sep 17 00:00:00 2001 +From: Isaac Boukris +Date: Wed, 6 Nov 2019 12:12:55 +0200 +Subject: [PATCH] Remove DES support if MIT Kerberos version does not support + it + +--- + source3/libads/kerberos_keytab.c | 2 - + source3/passdb/machine_account_secrets.c | 36 ------------------ + source4/auth/kerberos/kerberos.h | 2 +- + .../dsdb/samdb/ldb_modules/password_hash.c | 12 ++++++ + source4/kdc/db-glue.c | 4 +- + source4/torture/rpc/remote_pac.c | 37 ------------------- + testprogs/blackbox/dbcheck-oldrelease.sh | 2 +- + testprogs/blackbox/functionalprep.sh | 2 +- + .../blackbox/test_export_keytab_heimdal.sh | 16 ++++---- + .../blackbox/upgradeprovision-oldrelease.sh | 2 +- + 10 files changed, 26 insertions(+), 89 deletions(-) + +diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c +index 97d5535041c..7d193e1a600 100644 +--- a/source3/libads/kerberos_keytab.c ++++ b/source3/libads/kerberos_keytab.c +@@ -240,8 +240,6 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads) + krb5_data password; + krb5_kvno kvno; + krb5_enctype enctypes[6] = { +- ENCTYPE_DES_CBC_CRC, +- ENCTYPE_DES_CBC_MD5, + #ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96 + ENCTYPE_AES128_CTS_HMAC_SHA1_96, + #endif +diff --git a/source3/passdb/machine_account_secrets.c b/source3/passdb/machine_account_secrets.c +index dfc21f295a1..efba80f1474 100644 +--- a/source3/passdb/machine_account_secrets.c ++++ b/source3/passdb/machine_account_secrets.c +@@ -1031,7 +1031,6 @@ static int secrets_domain_info_kerberos_keys(struct secrets_domain_info1_passwor + krb5_keyblock key; + DATA_BLOB aes_256_b = data_blob_null; + DATA_BLOB aes_128_b = data_blob_null; +- DATA_BLOB des_md5_b = data_blob_null; + bool ok; + #endif /* HAVE_ADS */ + DATA_BLOB arc4_b = data_blob_null; +@@ -1177,32 +1176,6 @@ static int secrets_domain_info_kerberos_keys(struct secrets_domain_info1_passwor + return ENOMEM; + } + +- krb5_ret = smb_krb5_create_key_from_string(krb5_ctx, +- NULL, +- &salt, +- &cleartext_utf8, +- ENCTYPE_DES_CBC_MD5, +- &key); +- if (krb5_ret != 0) { +- DBG_ERR("generation of a des-cbc-md5 key failed: %s\n", +- smb_get_krb5_error_message(krb5_ctx, krb5_ret, keys)); +- krb5_free_context(krb5_ctx); +- TALLOC_FREE(keys); +- TALLOC_FREE(salt_data); +- return krb5_ret; +- } +- des_md5_b = data_blob_talloc(keys, +- KRB5_KEY_DATA(&key), +- KRB5_KEY_LENGTH(&key)); +- krb5_free_keyblock_contents(krb5_ctx, &key); +- if (des_md5_b.data == NULL) { +- DBG_ERR("data_blob_talloc failed for des-cbc-md5.\n"); +- krb5_free_context(krb5_ctx); +- TALLOC_FREE(keys); +- TALLOC_FREE(salt_data); +- return ENOMEM; +- } +- + krb5_free_context(krb5_ctx); + no_kerberos: + +@@ -1227,15 +1200,6 @@ no_kerberos: + keys[idx].value = arc4_b; + idx += 1; + +-#ifdef HAVE_ADS +- if (des_md5_b.length != 0) { +- keys[idx].keytype = ENCTYPE_DES_CBC_MD5; +- keys[idx].iteration_count = 4096; +- keys[idx].value = des_md5_b; +- idx += 1; +- } +-#endif /* HAVE_ADS */ +- + p->salt_data = salt_data; + p->default_iteration_count = 4096; + p->num_keys = idx; +diff --git a/source4/auth/kerberos/kerberos.h b/source4/auth/kerberos/kerberos.h +index 2ff9e3868af..1dd63acc838 100644 +--- a/source4/auth/kerberos/kerberos.h ++++ b/source4/auth/kerberos/kerberos.h +@@ -50,7 +50,7 @@ struct keytab_container { + #define TOK_ID_GSS_GETMIC ((const uint8_t *)"\x01\x01") + #define TOK_ID_GSS_WRAP ((const uint8_t *)"\x02\x01") + +-#define ENC_ALL_TYPES (ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5 | \ ++#define ENC_ALL_TYPES (ENC_RC4_HMAC_MD5 | \ + ENC_HMAC_SHA1_96_AES128 | ENC_HMAC_SHA1_96_AES256) + + #ifndef HAVE_KRB5_SET_DEFAULT_TGS_KTYPES +diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c +index 006e35c46d5..f16937c6cab 100644 +--- a/source4/dsdb/samdb/ldb_modules/password_hash.c ++++ b/source4/dsdb/samdb/ldb_modules/password_hash.c +@@ -786,6 +786,7 @@ static int setup_kerberos_keys(struct setup_password_fields_io *io) + * create ENCTYPE_DES_CBC_MD5 key out of + * the salt and the cleartext password + */ ++#ifdef SAMBA4_USES_HEIMDAL + krb5_ret = smb_krb5_create_key_from_string(io->smb_krb5_context->krb5_context, + NULL, + &salt, +@@ -804,6 +805,11 @@ static int setup_kerberos_keys(struct setup_password_fields_io *io) + KRB5_KEY_DATA(&key), + KRB5_KEY_LENGTH(&key)); + krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key); ++#else ++ /* MIT has dropped support for DES enctypes, store a random key instead. */ ++ io->g.des_md5 = data_blob_talloc(io->ac, NULL, 8); ++ generate_secret_buffer(io->g.des_md5.data, 8); ++#endif + if (!io->g.des_md5.data) { + return ldb_oom(ldb); + } +@@ -812,6 +818,7 @@ static int setup_kerberos_keys(struct setup_password_fields_io *io) + * create ENCTYPE_DES_CBC_CRC key out of + * the salt and the cleartext password + */ ++#ifdef SAMBA4_USES_HEIMDAL + krb5_ret = smb_krb5_create_key_from_string(io->smb_krb5_context->krb5_context, + NULL, + &salt, +@@ -830,6 +837,11 @@ static int setup_kerberos_keys(struct setup_password_fields_io *io) + KRB5_KEY_DATA(&key), + KRB5_KEY_LENGTH(&key)); + krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key); ++#else ++ /* MIT has dropped support for DES enctypes, store a random key instead. */ ++ io->g.des_crc = data_blob_talloc(io->ac, NULL, 8); ++ generate_secret_buffer(io->g.des_crc.data, 8); ++#endif + if (!io->g.des_crc.data) { + return ldb_oom(ldb); + } +diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c +index f62a633c6c7..023ae7b580d 100644 +--- a/source4/kdc/db-glue.c ++++ b/source4/kdc/db-glue.c +@@ -359,10 +359,10 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context, + + /* If UF_USE_DES_KEY_ONLY has been set, then don't allow use of the newer enc types */ + if (userAccountControl & UF_USE_DES_KEY_ONLY) { +- supported_enctypes = ENC_CRC32|ENC_RSA_MD5; ++ supported_enctypes = 0; + } else { + /* Otherwise, add in the default enc types */ +- supported_enctypes |= ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5; ++ supported_enctypes |= ENC_RC4_HMAC_MD5; + } + + /* Is this the krbtgt or a RODC krbtgt */ +diff --git a/source4/torture/rpc/remote_pac.c b/source4/torture/rpc/remote_pac.c +index 7a5cda74b74..f12060e3c8f 100644 +--- a/source4/torture/rpc/remote_pac.c ++++ b/source4/torture/rpc/remote_pac.c +@@ -38,7 +38,6 @@ + + #define TEST_MACHINE_NAME_BDC "torturepacbdc" + #define TEST_MACHINE_NAME_WKSTA "torturepacwksta" +-#define TEST_MACHINE_NAME_WKSTA_DES "torturepacwkdes" + #define TEST_MACHINE_NAME_S4U2SELF_BDC "tests4u2selfbdc" + #define TEST_MACHINE_NAME_S4U2SELF_WKSTA "tests4u2selfwk" + +@@ -581,39 +580,6 @@ static bool test_PACVerify_workstation_aes(struct torture_context *tctx, + NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES); + } + +-static bool test_PACVerify_workstation_des(struct torture_context *tctx, +- struct dcerpc_pipe *p, struct cli_credentials *credentials, struct test_join *join_ctx) +-{ +- struct samr_SetUserInfo r; +- union samr_UserInfo user_info; +- struct dcerpc_pipe *samr_pipe = torture_join_samr_pipe(join_ctx); +- struct smb_krb5_context *smb_krb5_context; +- krb5_error_code ret; +- +- ret = cli_credentials_get_krb5_context(popt_get_cmdline_credentials(), +- tctx->lp_ctx, &smb_krb5_context); +- torture_assert_int_equal(tctx, ret, 0, "cli_credentials_get_krb5_context() failed"); +- +- if (smb_krb5_get_allowed_weak_crypto(smb_krb5_context->krb5_context) == FALSE) { +- torture_skip(tctx, "Cannot test DES without [libdefaults] allow_weak_crypto = yes"); +- } +- +- /* Mark this workstation with DES-only */ +- user_info.info16.acct_flags = ACB_USE_DES_KEY_ONLY | ACB_WSTRUST; +- r.in.user_handle = torture_join_samr_user_policy(join_ctx); +- r.in.level = 16; +- r.in.info = &user_info; +- +- torture_assert_ntstatus_ok(tctx, dcerpc_samr_SetUserInfo_r(samr_pipe->binding_handle, tctx, &r), +- "failed to set DES info account flags"); +- torture_assert_ntstatus_ok(tctx, r.out.result, +- "failed to set DES into account flags"); +- +- return test_PACVerify(tctx, p, credentials, SEC_CHAN_WKSTA, +- TEST_MACHINE_NAME_WKSTA_DES, +- NETLOGON_NEG_AUTH2_ADS_FLAGS); +-} +- + #ifdef SAMBA4_USES_HEIMDAL + static NTSTATUS check_primary_group_in_validation(TALLOC_CTX *mem_ctx, + uint16_t validation_level, +@@ -1000,9 +966,6 @@ struct torture_suite *torture_rpc_remote_pac(TALLOC_CTX *mem_ctx) + &ndr_table_netlogon, TEST_MACHINE_NAME_WKSTA); + torture_rpc_tcase_add_test_creds(tcase, "verify-sig-aes", test_PACVerify_workstation_aes); + +- tcase = torture_suite_add_machine_workstation_rpc_iface_tcase(suite, "netlogon-member-des", +- &ndr_table_netlogon, TEST_MACHINE_NAME_WKSTA_DES); +- torture_rpc_tcase_add_test_join(tcase, "verify-sig", test_PACVerify_workstation_des); + #ifdef SAMBA4_USES_HEIMDAL + tcase = torture_suite_add_machine_bdc_rpc_iface_tcase(suite, "netr-bdc-arcfour", + &ndr_table_netlogon, TEST_MACHINE_NAME_S4U2SELF_BDC); +diff --git a/testprogs/blackbox/dbcheck-oldrelease.sh b/testprogs/blackbox/dbcheck-oldrelease.sh +index 3d0ee2c165a..41c55178d4e 100755 +--- a/testprogs/blackbox/dbcheck-oldrelease.sh ++++ b/testprogs/blackbox/dbcheck-oldrelease.sh +@@ -388,7 +388,7 @@ referenceprovision() { + + ldapcmp() { + if [ x$RELEASE = x"release-4-0-0" ]; then +- $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/${RELEASE}_reference/private/sam.ldb tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --two --skip-missing-dn --filter=dnsRecord,displayName ++ $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/${RELEASE}_reference/private/sam.ldb tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --two --skip-missing-dn --filter=dnsRecord,displayName,msDS-SupportedEncryptionTypes + fi + } + +diff --git a/testprogs/blackbox/functionalprep.sh b/testprogs/blackbox/functionalprep.sh +index 80e82252d45..1d37611ef7a 100755 +--- a/testprogs/blackbox/functionalprep.sh ++++ b/testprogs/blackbox/functionalprep.sh +@@ -61,7 +61,7 @@ provision_2012r2() { + ldapcmp_ignore() { + # At some point we will need to ignore, but right now, it should be perfect + IGNORE_ATTRS=$1 +- $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/$2/private/sam.ldb tdb://$PREFIX_ABS/$3/private/sam.ldb --two --skip-missing-dn ++ $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/$2/private/sam.ldb tdb://$PREFIX_ABS/$3/private/sam.ldb --two --skip-missing-dn --filter msDS-SupportedEncryptionTypes + } + + ldapcmp() { +diff --git a/testprogs/blackbox/test_export_keytab_heimdal.sh b/testprogs/blackbox/test_export_keytab_heimdal.sh +index cfa245fd4de..6a2595cd684 100755 +--- a/testprogs/blackbox/test_export_keytab_heimdal.sh ++++ b/testprogs/blackbox/test_export_keytab_heimdal.sh +@@ -43,7 +43,7 @@ test_keytab() { + + echo "test: $testname" + +- NKEYS=$($VALGRIND $samba4ktutil $keytab | grep -i "$principal" | egrep -c "des|aes|arcfour") ++ NKEYS=$($VALGRIND $samba4ktutil $keytab | grep -i "$principal" | egrep -c "aes|arcfour") + status=$? + if [ x$status != x0 ]; then + echo "failure: $testname" +@@ -64,22 +64,22 @@ unc="//$SERVER/tmp" + testit "create user locally" $VALGRIND $PYTHON $newuser nettestuser $USERPASS $@ || failed=`expr $failed + 1` + + testit "dump keytab from domain" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab $@ || failed=`expr $failed + 1` +-test_keytab "read keytab from domain" "$PREFIX/tmpkeytab" "$SERVER\\\$" 5 ++test_keytab "read keytab from domain" "$PREFIX/tmpkeytab" "$SERVER\\\$" 3 + testit "dump keytab from domain (2nd time)" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab $@ || failed=`expr $failed + 1` +-test_keytab "read keytab from domain (2nd time)" "$PREFIX/tmpkeytab" "$SERVER\\\$" 5 ++test_keytab "read keytab from domain (2nd time)" "$PREFIX/tmpkeytab" "$SERVER\\\$" 3 + + testit "dump keytab from domain for cifs principal" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab-server --principal=cifs/$SERVER_FQDN $@ || failed=`expr $failed + 1` +-test_keytab "read keytab from domain for cifs principal" "$PREFIX/tmpkeytab-server" "cifs/$SERVER_FQDN" 5 ++test_keytab "read keytab from domain for cifs principal" "$PREFIX/tmpkeytab-server" "cifs/$SERVER_FQDN" 3 + testit "dump keytab from domain for cifs principal (2nd time)" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab-server --principal=cifs/$SERVER_FQDN $@ || failed=`expr $failed + 1` +-test_keytab "read keytab from domain for cifs principal (2nd time)" "$PREFIX/tmpkeytab-server" "cifs/$SERVER_FQDN" 5 ++test_keytab "read keytab from domain for cifs principal (2nd time)" "$PREFIX/tmpkeytab-server" "cifs/$SERVER_FQDN" 3 + + testit "dump keytab from domain for user principal" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab-2 --principal=nettestuser $@ || failed=`expr $failed + 1` +-test_keytab "dump keytab from domain for user principal" "$PREFIX/tmpkeytab-2" "nettestuser@$REALM" 5 ++test_keytab "dump keytab from domain for user principal" "$PREFIX/tmpkeytab-2" "nettestuser@$REALM" 3 + testit "dump keytab from domain for user principal (2nd time)" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab-2 --principal=nettestuser@$REALM $@ || failed=`expr $failed + 1` +-test_keytab "dump keytab from domain for user principal (2nd time)" "$PREFIX/tmpkeytab-2" "nettestuser@$REALM" 5 ++test_keytab "dump keytab from domain for user principal (2nd time)" "$PREFIX/tmpkeytab-2" "nettestuser@$REALM" 3 + + testit "dump keytab from domain for user principal with SPN as UPN" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab-3 --principal=http/testupnspn.$DNSDOMAIN $@ || failed=`expr $failed + 1` +-test_keytab "dump keytab from domain for user principal" "$PREFIX/tmpkeytab-3" "http/testupnspn.$DNSDOMAIN@$REALM" 5 ++test_keytab "dump keytab from domain for user principal" "$PREFIX/tmpkeytab-3" "http/testupnspn.$DNSDOMAIN@$REALM" 3 + + KRB5CCNAME="$PREFIX/tmpuserccache" + export KRB5CCNAME +diff --git a/testprogs/blackbox/upgradeprovision-oldrelease.sh b/testprogs/blackbox/upgradeprovision-oldrelease.sh +index 76276168011..208baa54a02 100755 +--- a/testprogs/blackbox/upgradeprovision-oldrelease.sh ++++ b/testprogs/blackbox/upgradeprovision-oldrelease.sh +@@ -106,7 +106,7 @@ referenceprovision() { + + ldapcmp() { + if [ x$RELEASE != x"alpha13" ]; then +- $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/${RELEASE}_upgrade_reference/private/sam.ldb tdb://$PREFIX_ABS/${RELEASE}_upgrade/private/sam.ldb --two --skip-missing-dn --filter=dnsRecord,displayName ++ $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/${RELEASE}_upgrade_reference/private/sam.ldb tdb://$PREFIX_ABS/${RELEASE}_upgrade/private/sam.ldb --two --skip-missing-dn --filter=dnsRecord,displayName,msDS-SupportedEncryptionTypes + fi + } + +-- +2.23.0 + -- cgit v1.2.3-65-gdbad