From 023ee1f736fab97aba4e64ff1bd4008131903173 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Fri, 24 Feb 2017 16:02:50 +0100
Subject: [PATCH 1/2] auth/credentials: try to use kerberos with the machine account unless we're in an AD domain
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12587
Signed-off-by: Stefan Metzmacher
Reviewed-by: Ralph Boehme
(cherry picked from commit b845f16d3ca02dd27cc40bbf722426d6f81bb4b7)
---
 auth/credentials/credentials_secrets.c | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/auth/credentials/credentials_secrets.c b/auth/credentials/credentials_secrets.c
index d5a37cf..ed148fd 100644
--- a/auth/credentials/credentials_secrets.c
+++ b/auth/credentials/credentials_secrets.c
@@ -39,7 +39,7 @@
 #include "dbwrap/dbwrap.h"
 #include "dbwrap/dbwrap_open.h"
 #include "lib/util/util_tdb.h"
-
+#include "libds/common/roles.h"
 /**
 * Fill in credentials for the machine trust account, from the secrets database.
@@ -276,6 +276,8 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account_db_ctx(struct cli_credenti
 char *secrets_tdb_password = NULL;
 char *secrets_tdb_old_password = NULL;
 uint32_t secrets_tdb_secure_channel_type = SEC_CHAN_NULL;
+ int server_role = lpcfg_server_role(lp_ctx);
+ int security = lpcfg_security(lp_ctx);
 char *keystr;
 char *keystr_upper = NULL;
 TALLOC_CTX *tmp_ctx = talloc_named(cred, 0, "cli_credentials_set_secrets from ldb");
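Review bot: `server_role` and `security` are declared here as plain `int`, and the `switch (server_role)` in the next hunk has no `default:` label, so every role other than the two listed silently keeps `CRED_DONT_USE_KERBEROS`. Because this choice decides whether the machine account may authenticate with Kerberos at all, the non-Kerberos outcome should be spelled out, e.g. `default: /* not an AD member or DC: keep CRED_DONT_USE_KERBEROS */ break;`. The next hunk also calls `cli_credentials_set_kerberos_state(cred, use_kerberos)` unconditionally, which presumably overwrites any Kerberos state already set on `cred`; a one-line comment saying that this is intended would help later readers. The function body starts and ends outside both hunks.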
@@ -354,13 +356,26 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account_db_ctx(struct cli_credenti
 }
 if (secrets_tdb_password_more_recent) {
+ enum credentials_use_kerberos use_kerberos = CRED_DONT_USE_KERBEROS;
 char *machine_account = talloc_asprintf(tmp_ctx, "%s$", lpcfg_netbios_name(lp_ctx));
 cli_credentials_set_password(cred, secrets_tdb_password, CRED_SPECIFIED);
 cli_credentials_set_old_password(cred, secrets_tdb_old_password, CRED_SPECIFIED);
 cli_credentials_set_domain(cred, domain, CRED_SPECIFIED);
 if (strequal(domain, lpcfg_workgroup(lp_ctx))) {
 cli_credentials_set_realm(cred, lpcfg_realm(lp_ctx), CRED_SPECIFIED);
+
+ switch (server_role) {
+ case ROLE_DOMAIN_MEMBER:
+ if (security != SEC_ADS) {
+ break;
+ }
+ /* fall through */
+ case ROLE_ACTIVE_DIRECTORY_DC:
+ use_kerberos = CRED_AUTO_USE_KERBEROS;
+ break;
+ }
 }
+ cli_credentials_set_kerberos_state(cred, use_kerberos);
 cli_credentials_set_username(cred, machine_account, CRED_SPECIFIED);
 cli_credentials_set_password_last_changed_time(cred, secrets_tdb_lct);
 cli_credentials_set_secure_channel_type(cred, secrets_tdb_secure_channel_type);
-- 
1.9.1
From 3acbce483c5ecca7ddbac73a9f1c41244dfd953b Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Wed, 22 Feb 2017 19:18:04 +0100
Subject: [PATCH 2/2] s3:winbindd: fix the valid usage anonymous smb authentication
If we are in a situation where we don't have credentials to contact the remote domain or against an NT4 with the following settings:
workgroup = NT4DOM
security = domain
require strong key = no
client use spnego = no
client ipc signing = auto
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12587
Signed-off-by: Stefan Metzmacher
(similar to commit c97a29bdfdc0020ec0113073580da56f2d35edc1)
---
 source3/winbindd/winbindd_cm.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index 7b210a9..3bb2fb4 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -1098,6 +1098,10 @@ static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain,
 }
 }
+ if (cli_credentials_is_anonymous(creds)) {
+ goto anon_fallback;
+ }
+
 krb5_state = cli_credentials_get_kerberos_state(creds);
 machine_krb5_principal = cli_credentials_get_principal(creds,
@@ -1169,10 +1173,6 @@ static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain,
 || NT_STATUS_EQUAL(result, NT_STATUS_NO_LOGON_SERVERS)
 || NT_STATUS_EQUAL(result, NT_STATUS_LOGON_FAILURE))
 {
- if (cli_credentials_is_anonymous(creds)) {
- goto done;
- }
-
 if (!cm_is_ipc_credentials(creds)) {
 goto ipc_fallback;
 }
@@ -1198,7 +1198,6 @@ static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain,
 }
 if (cli_credentials_is_anonymous(creds)) {
- TALLOC_FREE(creds);
 goto anon_fallback;
 }
@@ -1245,6 +1244,7 @@ static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain,
 goto done;
 anon_fallback:
+ TALLOC_FREE(creds);
 if (smb_sign_client_connections == SMB_SIGNING_REQUIRED) {
 goto done;
-- 
1.9.1
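Review bot: The early `goto anon_fallback` added in the first hunk reaches the `smb_sign_client_connections == SMB_SIGNING_REQUIRED` check shown in the last hunk before any session setup has been attempted, and that check leaves through `goto done` without assigning `result`. The value of `result` on this path is not visible in these hunks; if it still holds the success status of the preceding credential lookup, a signing-required configuration could report success for a connection that has no session. Consider assigning an explicit failure before the bail-out, for example `result = NT_STATUS_ACCESS_DENIED;` ahead of `goto done;`, or add a comment stating which status `done` sees here. `cm_prepare_connection` starts and ends outside these hunks.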