The Samba-Bugzilla – Attachment 12598 Details for
Bug 12375
member server ntlmssp auth fails with user@realm
[patch] git-am fix for 4.5.next
ntlmssp-upn-45.patch (text/plain), 6.15 KB, created by Uri Simchoni on 2016-10-25 06:18:16 UTC
Description: git-am fix for 4.5.next
Filename: ntlmssp-upn-45.patch
MIME Type: text/plain
Creator: Uri Simchoni
Created: 2016-10-25 06:18:16 UTC
Size: 6.15 KB
Marked as: patch, obsolete
>From d0953630c343833d51d89e2e1c1d8a26c9041018 Mon Sep 17 00:00:00 2001 >From: Uri Simchoni <uri@samba.org> >Date: Sat, 22 Oct 2016 13:33:42 +0300 >Subject: [PATCH 1/3] selftest: test NTLM user@realm authentication > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=12375 > >Signed-off-by: Uri Simchoni <uri@samba.org> >Reviewed-by: Jeremy Allison <jra@samba.org> >(cherry picked from commit 6e4c66e339d2eb11c5cb981aac2e20fcff464025) >--- > selftest/knownfail | 2 ++ > source3/selftest/tests.py | 1 + > 2 files changed, 3 insertions(+) > >diff --git a/selftest/knownfail b/selftest/knownfail >index c1899da..3caf7c4 100644 >--- a/selftest/knownfail >+++ b/selftest/knownfail >@@ -292,3 +292,5 @@ > #ntvfs server blocks copychunk with execute access on read handle > ^samba4.smb2.ioctl.copy_chunk_bad_access > ^samba4.drs.getnc_exop.python.*getnc_exop.DrsReplicaPrefixMapTestCase.test_regular_prefix_map_ex_attid.* >+#ad_member does not support for user@realm NTLM authentication >+^samba3.unix.whoami ntlm user@realm.*\(ad_member >diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py >index 3e37ad1..7cfebd6 100755 >--- a/source3/selftest/tests.py >+++ b/source3/selftest/tests.py 
>@@ -340,6 +340,7 @@ for t in tests: > plansmbtorture4testsuite(t, env, '//$SERVER/tmp -U$DC_USERNAME@$REALM%$DC_PASSWORD --option=torture:addc=$DC_SERVER') > plansmbtorture4testsuite(t, env, '//$SERVER/tmp -k yes -U$DC_USERNAME@$REALM%$DC_PASSWORD --option=torture:addc=$DC_SERVER', description='kerberos connection') > plansmbtorture4testsuite(t, env, '//$SERVER/tmpguest -U% --option=torture:addc=$DC_SERVER', description='anonymous connection') >+ plansmbtorture4testsuite(t, env, '//$SERVER/tmp -k no -U$DC_USERNAME@$REALM%$DC_PASSWORD', description='ntlm user@realm') > elif t == "raw.samba3posixtimedlock": > plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/tmpguest -U$USERNAME%$PASSWORD --option=torture:localdir=$SELFTEST_PREFIX/nt4_dc/share') > plansmbtorture4testsuite(t, "ad_dc", '//$SERVER_IP/tmpguest -U$USERNAME%$PASSWORD --option=torture:localdir=$SELFTEST_PREFIX/ad_dc/share') >-- >2.9.3 > > >From c353b9db0e009c97bbd81b03d740f4aa72cbd2c3 Mon Sep 17 00:00:00 2001 >From: Uri Simchoni <uri@samba.org> >Date: Sat, 22 Oct 2016 22:40:26 +0300 >Subject: [PATCH 2/3] winbindd: do not modify credentials in NTLM passthrough > >When doing NTLM validation of credentials, do not modify the >credentials - they might be used in the calculation of >the response. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=12375 > >Signed-off-by: Uri Simchoni <uri@samba.org> >Reviewed-by: Jeremy Allison <jra@samba.org> >(cherry picked from commit 8e88b56ebc314a5e3a722d63ca23b4a49b7ac2dc) >--- > source3/winbindd/winbindd_pam_auth_crap.c | 11 +++++------ > 1 file changed, 5 insertions(+), 6 deletions(-) > >diff --git a/source3/winbindd/winbindd_pam_auth_crap.c b/source3/winbindd/winbindd_pam_auth_crap.c >index ffbc322..e6a47c8 100644 >--- a/source3/winbindd/winbindd_pam_auth_crap.c >+++ b/source3/winbindd/winbindd_pam_auth_crap.c 
>@@ -37,6 +37,7 @@ struct tevent_req *winbindd_pam_auth_crap_send( > struct tevent_req *req, *subreq; > struct winbindd_pam_auth_crap_state *state; > struct winbindd_domain *domain; >+ const char *auth_domain = NULL; > > req = tevent_req_create(mem_ctx, &state, > struct winbindd_pam_auth_crap_state); >@@ -77,14 +78,12 @@ struct tevent_req *winbindd_pam_auth_crap_send( > return tevent_req_post(req, ev); > } > >- if ((request->data.auth_crap.domain[0] == '\0') >- && lp_winbind_use_default_domain()) { >- fstrcpy(request->data.auth_crap.domain, >- lp_workgroup()); >+ auth_domain = request->data.auth_crap.domain; >+ if (auth_domain[0] == '\0') { >+ auth_domain = lp_workgroup(); > } > >- domain = find_auth_domain( >- request->flags, request->data.auth_crap.domain); >+ domain = find_auth_domain(request->flags, auth_domain); > if (domain == NULL) { > tevent_req_nterror(req, NT_STATUS_NO_SUCH_USER); > return tevent_req_post(req, ev); >-- >2.9.3 > > >From 24236e29bb71932a0448923e5e537818d01fbc68 Mon Sep 17 00:00:00 2001 >From: Uri Simchoni <uri@samba.org> >Date: Sat, 22 Oct 2016 22:47:08 +0300 >Subject: [PATCH 3/3] smbd: in ntlm auth, do not map empty domain in case of > \user@realm > >When mapping user and domain during NTLM authentication, an empty domain >is mapped to the local SAM db. However, an empty domain may legitimately >be used if the user field has both user and domain in upn@realm format. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=12375 > >Signed-off-by: Uri Simchoni <uri@samba.org> >Reviewed-by: Jeremy Allison <jra@samba.org> >(cherry picked from commit 3f82db56cbf2727abd465e28ac02ad2242b47c29) >--- > selftest/knownfail | 2 -- > source3/auth/auth_util.c | 10 +++++++--- > 2 files changed, 7 insertions(+), 5 deletions(-) > >diff --git a/selftest/knownfail b/selftest/knownfail >index 3caf7c4..c1899da 100644 >--- a/selftest/knownfail >+++ b/selftest/knownfail 
>@@ -292,5 +292,3 @@ > #ntvfs server blocks copychunk with execute access on read handle > ^samba4.smb2.ioctl.copy_chunk_bad_access > ^samba4.drs.getnc_exop.python.*getnc_exop.DrsReplicaPrefixMapTestCase.test_regular_prefix_map_ex_attid.* >-#ad_member does not support for user@realm NTLM authentication >-^samba3.unix.whoami ntlm user@realm.*\(ad_member >diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c >index 663c0bc..4ae1b71 100644 >--- a/source3/auth/auth_util.c >+++ b/source3/auth/auth_util.c >@@ -107,6 +107,11 @@ NTSTATUS make_user_info_map(TALLOC_CTX *mem_ctx, > NTSTATUS result; > bool was_mapped; > char *internal_username = NULL; >+ bool upn_form = false; >+ >+ if (client_domain[0] == '\0' && strchr(smb_name, '@')) { >+ upn_form = true; >+ } > > was_mapped = map_username(talloc_tos(), smb_name, &internal_username); > if (!internal_username) { >@@ -126,10 +131,9 @@ NTSTATUS make_user_info_map(TALLOC_CTX *mem_ctx, > * non-domain member box will also map to WORKSTATION\user. > * This also deals with the client passing in a "" domain */ > >- if (!is_trusted_domain(domain) && >+ if (!upn_form && !is_trusted_domain(domain) && > !strequal(domain, my_sam_name()) && >- !strequal(domain, get_global_sam_name())) >- { >+ !strequal(domain, get_global_sam_name())) { > if (lp_map_untrusted_to_domain()) > domain = my_sam_name(); > else >-- >2.9.3 >
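Review bot: in the tests.py hunk of patch 1/3, the new 'ntlm user@realm' invocation is the only one of the four plansmbtorture4testsuite calls in that block that omits `--option=torture:addc=$DC_SERVER`; if the whoami test does not need the DC address for the NTLM path that is fine, but a short comment (or a consistent option list) would save the next reader from wondering whether it was dropped by accident. The matching knownfail comment "does not support for user@realm" also reads better as "does not support user@realm".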
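Review bot: the second hunk in winbindd_pam_auth_crap.c (@@ -77,14) silently drops the `lp_winbind_use_default_domain()` guard: before, the workgroup was substituted for an empty domain only when "winbind use default domain" was set, whereas now `auth_domain = lp_workgroup()` whenever the domain is empty, regardless of that setting. The commit message only describes no longer writing into `request->data.auth_crap.domain`. If the unconditional fallback is intended (the domain is now used only to pick the domain for `find_auth_domain()`, so the empty/UPN case should always route through the workgroup), state that in the message; otherwise keep the guard with `if (auth_domain[0] == '\0' && lp_winbind_use_default_domain()) {`.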
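Review bot: in the first auth_util.c hunk (@@ -107,6), `upn_form` is set for any '@' anywhere in `smb_name` when `client_domain` is empty, including names with nothing before or after the '@'; such a name then bypasses the untrusted-domain mapping in the following hunk and proceeds with an empty domain. Since the comment above that mapping says it exists to handle the client passing a "" domain, the check should only accept a real upn@realm form, e.g. `const char *at = strchr(smb_name, '@'); upn_form = (at != NULL && at != smb_name && at[1] != '\0');`, and a one-line comment should say that an empty domain with a UPN is deliberately left for the domain lookup to resolve. The brace move from its own line onto the condition in the second hunk is an unrelated formatting change that could be left out of a cherry-pick.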
Flags: jra: review+