[PATCH] Allow duplicate non local objectSIDs


Samba - samba-technical mailing list
Patch to allow duplicate objectSIDs for foreign security principals,
while requiring unique objectSIDs for the primary domain.

Fixes BUG: https://bugzilla.samba.org/show_bug.cgi?id=13004

Review and push appreciated

Thanks Gary


Attachment: Allow-duplicate-non-local-objectSIDs.patch.txt (51K)

Re: [PATCH] Allow duplicate non local objectSIDs

Hi Gary,

are we sure we only have to care about the local domain sid?

At least I read somewhere that the automatic creation of
foreignSecurityPrincipal objects (which we don't support yet)
is only done if the domain sid is not known anywhere in the forest.

Can you please check in a windows forest if it's possible to
create a foreignSecurityPrincipal with an already existing sid
from a different domain in the forest, as well as
a non-existing sid, with a known domain sid part but a not yet used rid.

The same test should be done with the local domain sid.

Thanks!
metze

On 30.11.2017 at 02:37, Gary Lockyer via samba-technical wrote:
> Patch to allow duplicate objectSIDs for foreign security principals,
> while requiring unique objectSIDs for the primary domain.
>
> Fixes BUG: https://bugzilla.samba.org/show_bug.cgi?id=13004
>
> Review and push appreciated
>
> Thanks Gary
>




Re: [PATCH] Allow duplicate non local objectSIDs

On Thu, 30 Nov 2017, Stefan Metzmacher via samba-technical wrote:

> Hi Gary,
>
> are we sure we only have to care about the local domain sid?
>
> At least I read somewhere that the automatic creation of
> foreignSecurityPrincipal objects (which we don't support yet)
> is only done if the domain sid is not known anywhere in the forest.
>
> Can you please check in a windows forest if it's possible to
> create a foreignSecurityPrincipal with an already existing sid
> from a different domain in the forest, as well as
> a non-existing sid, with a known domain sid part but a not yet used rid.

MS-ADTS has two important sections related to foreign principal objects:

3.1.1.5.2.4 Processing Specifics [of LDAP ADD operation]
-----
If the Add assigns a value to an FPO-enabled attribute (section
3.1.1.5.2.3) of the new object, and the DN value in the add request has
<SID=stringizedSid> format (section 3.1.1.3.1.2.4), then the DC creates
a corresponding foreignSecurityPrincipal object in the
ForeignSecurityPrincipals container (section 6.1.1.4.10) and assigns a
reference to the new foreignSecurityPrincipal object as the FPO-enabled
attribute value. [MS-SAMR] section 3.1.1.8.9 specifies the creation of
the foreignSecurityPrincipal object.
-----

and

3.1.1.5.3.3 Processing Specifics [of LDAP MODIFY operation]
-----
If the modify assigns a value to an FPO-enabled attribute (section
3.1.1.5.2.3) of the existing object, and the DN value in the modify
request has <SID=stringizedSid> format (section 3.1.1.3.1.2.4), then the
DC creates a corresponding foreignSecurityPrincipal object in the
Foreign Security Principals Container (section 6.1.1.4.10) and assigns a
reference to the new foreignSecurityPrincipal object as the FPO-enabled
attribute value. [MS-SAMR] section 3.1.1.8.9 specifies the creation of
the foreignSecurityPrincipal object.
-----

Finally, MS-SAMR section 3.1.1.8.9 describes how this new
foreignSecurityPrincipal object should look and which conditions
have to be satisfied to trigger creation of an FPO when the member
attribute is updated.

Conditions:

 - The value contains a SID-only dsname value.
 - The dsname value does not resolve to an existing object in the domain
   NC.
 - The server is in a DC configuration, and the domain prefix of the SID
   value is not equal to any domain SID in the forest; or the server is
   in a non-DC configuration, and the value is different than the
   account domain security identifier.

So you are right, Stefan, the domain SID of the object must be external
to the forest in case of a DC.

>
> The same test should be done with the local domain sid.
>
> Thanks!
> metze
>
> Am 30.11.2017 um 02:37 schrieb Gary Lockyer via samba-technical:
> > Patch to allow duplicate objectSIDs for foreign security principals,
> > while requiring unique objectSIDs for the primary domain.
> >
> > Fixes BUG: https://bugzilla.samba.org/show_bug.cgi?id=13004
> >
> > Review and push appreciated
> >
> > Thanks Gary
> >
>
>




--
/ Alexander Bokovoy


Re: [PATCH] Allow duplicate non local objectSIDs

On Thu, 2017-11-30 at 09:03 +0100, Stefan Metzmacher via samba-technical wrote:
> Hi Gary,
>
> are we sure we only have to care about the local domain sid?

As background to this patch:

I'm pretty sure windows has no concept of a unique index.  I've been
asked before to allow a duplicate objectGUID into Samba, and clearly
duplicate objectSid values are possible in general because we see them
with deleted and conflicting objects.

So, the simple patch is just to remove uniqueness:

https://attachments.samba.org/attachment.cgi?id=13522

However, given the things that Samba administrators often do with their
domains, injecting manually created SID values, theft of RID manager
roles, etc, I'm very wary of allowing duplicate SID values for our own
domain.

So, in hoping to avoid a security débâcle at some important
installation in the future, my hope was to still ban at the LDB index
level objectSID duplication for users/groups (which, given proper RID
allocation should be impossible) while allowing conflict objects for
foreignSecurityPrincipals.

> At least I read somewhere that the automatic creation of
> foreignSecurityPrincipal objects (which we don't support yet)
> is only done if the domain sid is not known anywhere in the forest.
>
> Can you please check in a windows forest if it's possible to
> create a foreignSecurityPrincipal with an already existing sid
> from a different domain in the forest, as well as
> a non-existing sid, with a known domain sid part but a not yet used rid.
>
> The same test should be done with the local domain sid.

These are useful things to explore.  It certainly would be good to lock
this down a bit more, and not allow duplicates to be created in our
domain in the way Gary currently exploits for his testing.

Thanks,

Andrew Bartlett

--
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT
https://catalyst.net.nz/services/samba
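The two rules this thread turns on, the MS-SAMR 3.1.1.8.9 creation conditions Alexander quotes and the per-domain uniqueness policy Andrew describes above, modelled in an added Python example. This is not Samba code and not the patch under review; the domain SIDs, DNs and directory contents are constructed for the example, and `should_create_fpo` and `ObjectSidIndex` are hypothetical helpers written for it.

```python
import re

# Constructed sample SIDs for the example (not real domains).
LOCAL_DOMAIN_SID = "S-1-5-21-111-222-333"         # the DC's own domain
OTHER_FOREST_DOMAIN_SID = "S-1-5-21-444-555-666"  # another domain in the same forest
EXTERNAL_DOMAIN_SID = "S-1-5-21-777-888-999"      # a domain outside the forest

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def split_sid(sid):
    """Split a textual SID into (domain prefix, RID):
    'S-1-5-21-111-222-333-1104' -> ('S-1-5-21-111-222-333', 1104)."""
    if not SID_RE.match(sid):
        raise ValueError("not a SID: %r" % sid)
    prefix, rid = sid.rsplit("-", 1)
    return prefix, int(rid)


def dsname_sid(value):
    """Return the SID from a SID-only dsname '<SID=...>', or None for a plain DN."""
    m = re.fullmatch(r"<SID=([^>]+)>", value)
    return m.group(1) if m else None


def should_create_fpo(value, domain_nc_sids, forest_domain_sids, is_dc,
                      account_domain_sid=None):
    """Apply the three MS-SAMR 3.1.1.8.9 conditions quoted in the thread to a
    value written to an FPO-enabled attribute such as 'member'."""
    sid = dsname_sid(value)
    if sid is None:                       # 1. must be a SID-only dsname
        return False
    if sid in domain_nc_sids:             # 2. must not resolve in the domain NC
        return False
    prefix, _rid = split_sid(sid)
    if is_dc:                             # 3a. DC: prefix unknown anywhere in the forest
        return prefix not in forest_domain_sids
    return prefix != account_domain_sid   # 3b. non-DC: differs from the account domain


class ObjectSidIndex:
    """Toy objectSID index (hypothetical): duplicates are rejected only when the
    SID belongs to the local domain; foreign SIDs may appear more than once
    (e.g. a foreignSecurityPrincipal and its conflict object)."""

    def __init__(self, local_domain_sid):
        self.local_domain_sid = local_domain_sid
        self.by_sid = {}   # sid -> list of DNs carrying it

    def add(self, dn, sid):
        prefix, _rid = split_sid(sid)
        dns = self.by_sid.setdefault(sid, [])
        if dns and prefix == self.local_domain_sid:
            raise ValueError("duplicate local-domain objectSID %s on %s and %s"
                             % (sid, dns[0], dn))
        dns.append(dn)
        return len(dns)   # how many objects now carry this SID


def demo():
    """Run the scenarios Metze asked about and return the outcomes."""
    forest = {LOCAL_DOMAIN_SID, OTHER_FOREST_DOMAIN_SID}
    existing = {LOCAL_DOMAIN_SID + "-1104"}   # one known user in the domain NC
    results = {
        # SID from outside the forest: FPO gets created
        "external_sid": should_create_fpo("<SID=%s-1104>" % EXTERNAL_DOMAIN_SID,
                                          existing, forest, is_dc=True),
        # known forest domain prefix with an unused RID: no FPO
        "forest_domain_unused_rid": should_create_fpo(
            "<SID=%s-9999>" % OTHER_FOREST_DOMAIN_SID, existing, forest, is_dc=True),
        # SID resolves to an existing local user: no FPO
        "local_existing_user": should_create_fpo("<SID=%s-1104>" % LOCAL_DOMAIN_SID,
                                                 existing, forest, is_dc=True),
        # ordinary DN value: not a SID-only dsname, no FPO
        "plain_dn": should_create_fpo("CN=someone,DC=example,DC=test",
                                      existing, forest, is_dc=True),
    }
    index = ObjectSidIndex(LOCAL_DOMAIN_SID)
    index.add("CN=user1,CN=Users,DC=example,DC=test", LOCAL_DOMAIN_SID + "-1104")
    fsp = EXTERNAL_DOMAIN_SID + "-1104"
    index.add("CN=%s,CN=ForeignSecurityPrincipals,DC=example,DC=test" % fsp, fsp)
    results["fsp_conflict_copies"] = index.add(
        "CN=conflict copy of %s,CN=ForeignSecurityPrincipals,DC=example,DC=test" % fsp, fsp)
    try:
        index.add("CN=user2,CN=Users,DC=example,DC=test", LOCAL_DOMAIN_SID + "-1104")
        results["local_duplicate_rejected"] = False
    except ValueError:
        results["local_duplicate_rejected"] = True
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The index check keys on the SID's domain prefix rather than on objectClass, which is the defensive choice Andrew argues for: a second object carrying a local-domain SID is refused regardless of how it was created, while foreign SIDs can coexist with their conflict copies.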

Re: [PATCH] Allow duplicate non local objectSIDs

Hi Metze,

I've spent some time trying to add tests to
source4/dsdb/tests/python/sam.py to test against Windows 2012 R2.  It
appears that Windows does not allow the creation of
foreignSecurityPrincipals via ldap, or at least I can't get it working.

So at the moment I'll confine the change to the index changes only
tested in dsdb.py

I'll repost the patch set once I've tidied it up and it passes local builds.

Cheers
Gary

On 30/11/17 21:03, Stefan Metzmacher via samba-technical wrote:

> Hi Gary,
>
> are we sure we only have to care about the local domain sid?
>
> At least I read somewhere that the automatic creation of
> foreignSecurityPrincipal objects (which we don't support yet)
> is only done if the domain sid is not known anywhere in the forest.
>
> Can you please check in a windows forest if it's possible to
> create a foreignSecurityPrincipal with an already existing sid
> from a different domain in the forest, as well as
> a non-existing sid, with a known domain sid part but a not yet used rid.
>
> The same test should be done with the local domain sid.
>
> Thanks!
> metze
>
> On 30.11.2017 at 02:37, Gary Lockyer via samba-technical wrote:
>> Patch to allow duplicate objectSIDs for foreign security principals,
>> while requiring unique objectSIDs for the primary domain.
>>
>> Fixes BUG: https://bugzilla.samba.org/show_bug.cgi?id=13004
>>
>> Review and push appreciated
>>
>> Thanks Gary
>>
>
>



Re: [PATCH] Allow duplicate non local objectSIDs

Updated patch set attached, a review would be greatly appreciated

Thanks
Gary

On 30/11/17 14:37, Gary Lockyer via samba-technical wrote:
> Patch to allow duplicate objectSIDs for foreign security principals,
> while requiring unique objectSIDs for the primary domain.
>
> Fixes BUG: https://bugzilla.samba.org/show_bug.cgi?id=13004
>
> Review and push appreciated
>
> Thanks Gary
>

Attachment: Allow-duplicate-non-local-objectSIDs.patch.txt (56K)