The Samba-Bugzilla – Attachment 12981 Details for
Bug 12587
winbindd child segfaults on connect to an NT4 domain
[patch]
Patches for v4-6-test
tmp46.diff.txt (text/plain), 4.29 KB, created by
Stefan Metzmacher
on 2017-02-27 19:14:37 UTC
>From 2b13f979b733fd48fabd4ce7bfc2dbaefecc68fe Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Fri, 24 Feb 2017 16:02:50 +0100 >Subject: [PATCH 1/2] auth/credentials: try to use kerberos with the machine > account unless we're in an AD domain > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=12587 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Ralph Boehme <slow@samba.org> >(cherry picked from commit b845f16d3ca02dd27cc40bbf722426d6f81bb4b7) >--- > auth/credentials/credentials_secrets.c | 17 ++++++++++++++++- > 1 file changed, 16 insertions(+), 1 deletion(-) > >diff --git a/auth/credentials/credentials_secrets.c b/auth/credentials/credentials_secrets.c >index d5a37cf..ed148fd 100644 >--- a/auth/credentials/credentials_secrets.c >+++ b/auth/credentials/credentials_secrets.c >@@ -39,7 +39,7 @@ > #include "dbwrap/dbwrap.h" > #include "dbwrap/dbwrap_open.h" > #include "lib/util/util_tdb.h" >- >+#include "libds/common/roles.h" > > /** > * Fill in credentials for the machine trust account, from the secrets database. >@@ -276,6 +276,8 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account_db_ctx(struct cli_credenti > char *secrets_tdb_password = NULL; > char *secrets_tdb_old_password = NULL; > uint32_t secrets_tdb_secure_channel_type = SEC_CHAN_NULL; >+ int server_role = lpcfg_server_role(lp_ctx); >+ int security = lpcfg_security(lp_ctx); > char *keystr; > char *keystr_upper = NULL; > TALLOC_CTX *tmp_ctx = talloc_named(cred, 0, "cli_credentials_set_secrets from ldb"); 
>@@ -354,13 +356,26 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account_db_ctx(struct cli_credenti > } > > if (secrets_tdb_password_more_recent) { >+ enum credentials_use_kerberos use_kerberos = CRED_DONT_USE_KERBEROS; > char *machine_account = talloc_asprintf(tmp_ctx, "%s$", lpcfg_netbios_name(lp_ctx)); > cli_credentials_set_password(cred, secrets_tdb_password, CRED_SPECIFIED); > cli_credentials_set_old_password(cred, secrets_tdb_old_password, CRED_SPECIFIED); > cli_credentials_set_domain(cred, domain, CRED_SPECIFIED); > if (strequal(domain, lpcfg_workgroup(lp_ctx))) { > cli_credentials_set_realm(cred, lpcfg_realm(lp_ctx), CRED_SPECIFIED); >+ >+ switch (server_role) { >+ case ROLE_DOMAIN_MEMBER: >+ if (security != SEC_ADS) { >+ break; >+ } >+ /* fall through */ >+ case ROLE_ACTIVE_DIRECTORY_DC: >+ use_kerberos = CRED_AUTO_USE_KERBEROS; >+ break; >+ } > } >+ cli_credentials_set_kerberos_state(cred, use_kerberos); > cli_credentials_set_username(cred, machine_account, CRED_SPECIFIED); > cli_credentials_set_password_last_changed_time(cred, secrets_tdb_lct); > cli_credentials_set_secure_channel_type(cred, secrets_tdb_secure_channel_type); >-- >1.9.1 > > >From 6dd6eb3a1daa1d2d1da5a7f61ef5c610f4ba6574 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 22 Feb 2017 19:18:04 +0100 >Subject: [PATCH 2/2] s3:winbindd: fix the valid usage anonymous smb > authentication > >If we are in a situation where we don't have credentials to contact the >remote domain or against an NT4 with the following settings: > > workgroup = NT4DOM > security = domain > require strong key = no > client use spnego = no > client ipc signing = auto > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=12587 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Ralph Boehme <slow@samba.org> >(cherry picked from commit c97a29bdfdc0020ec0113073580da56f2d35edc1) >--- > source3/winbindd/winbindd_cm.c | 8 ++++---- > 1 file changed, 4 insertions(+), 4 deletions(-) 
> >diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c >index 24e0d46..3b4e46d 100644 >--- a/source3/winbindd/winbindd_cm.c >+++ b/source3/winbindd/winbindd_cm.c >@@ -1107,6 +1107,10 @@ static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain, > machine_domain, machine_account, > machine_principal, machine_realm)); > >+ if (cli_credentials_is_anonymous(creds)) { >+ goto anon_fallback; >+ } >+ > winbindd_set_locator_kdc_envs(domain); > > result = cli_session_setup_creds(*cli, creds); >@@ -1125,10 +1129,6 @@ static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain, > || NT_STATUS_EQUAL(result, NT_STATUS_NO_LOGON_SERVERS) > || NT_STATUS_EQUAL(result, NT_STATUS_LOGON_FAILURE)) > { >- if (cli_credentials_is_anonymous(creds)) { >- goto done; >- } >- > if (!cm_is_ipc_credentials(creds)) { > goto ipc_fallback; > } >-- >1.9.1 >
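Review bot: In [PATCH 1/2], hunk @@ -354,13 +356,26 @@ of auth/credentials/credentials_secrets.c, the subject line says the opposite of what the code does. The switch picks CRED_AUTO_USE_KERBEROS only for ROLE_ACTIVE_DIRECTORY_DC, or for ROLE_DOMAIN_MEMBER when security == SEC_ADS, and leaves CRED_DONT_USE_KERBEROS in every other case, while the subject reads "try to use kerberos with the machine account unless we're in an AD domain". Please reword the subject to match. The switch also has no default case; an explicit "default: break;" with a one-line comment would show that the remaining roles are meant to stay on CRED_DONT_USE_KERBEROS. Finally, cli_credentials_set_kerberos_state(cred, use_kerberos) sits outside the strequal(domain, lpcfg_workgroup(lp_ctx)) block and is called unconditionally, so it replaces whatever Kerberos state cred carried before; a comment saying that this is intended would help the next reader.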
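Review bot: In [PATCH 2/2], hunk @@ -1107,6 +1107,10 @@ of source3/winbindd/winbindd_cm.c, the new "goto anon_fallback;" jumps to a label that appears in neither hunk of this patch, so the diff alone does not show where control lands or what that code expects of *cli and result. A line of extra context or a short comment at the goto naming what anon_fallback does would make this reviewable. The jump also skips winbindd_set_locator_kdc_envs(domain), which looks intended for anonymous credentials but is worth stating. Separately, the commit message body stops after the settings list: the sentence beginning "If we are in a situation where..." never says what goes wrong in that situation or how the change addresses it. One sentence naming the failure from the bug report would complete it.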
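Review bot: In [PATCH 2/2], hunk @@ -1125,10 +1129,6 @@ of source3/winbindd/winbindd_cm.c, dropping the cli_credentials_is_anonymous(creds) check from the error branch is only correct because anonymous credentials now leave the function path before cli_session_setup_creds() is called. Nothing in this branch records that dependency, so a later reordering of the early check could send anonymous credentials into "if (!cm_is_ipc_credentials(creds))" and on to ipc_fallback. A brief comment at that test noting that creds is never anonymous at this point would guard against that.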
Flags: slow: review+; metze: review? (gd)