The Samba-Bugzilla – Attachment 12982 Details for
Bug 12587
winbindd child segfaults on connect to an NT4 domain
[patch]
Patches for v4-5-test
tmp45.diff.txt (text/plain), 4.62 KB, created by
Stefan Metzmacher
on 2017-02-27 19:15:25 UTC
Description:
Patches for v4-5-test
Filename:
MIME Type:
Creator:
Stefan Metzmacher
Created:
2017-02-27 19:15:25 UTC
Size:
4.62 KB
>From 023ee1f736fab97aba4e64ff1bd4008131903173 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Fri, 24 Feb 2017 16:02:50 +0100
>Subject: [PATCH 1/2] auth/credentials: try to use kerberos with the machine
> account unless we're in an AD domain
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=12587
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Ralph Boehme <slow@samba.org>
>(cherry picked from commit b845f16d3ca02dd27cc40bbf722426d6f81bb4b7)
>---
> auth/credentials/credentials_secrets.c | 17 ++++++++++++++++-
> 1 file changed, 16 insertions(+), 1 deletion(-)
>
>diff --git a/auth/credentials/credentials_secrets.c b/auth/credentials/credentials_secrets.c
>index d5a37cf..ed148fd 100644
>--- a/auth/credentials/credentials_secrets.c
>+++ b/auth/credentials/credentials_secrets.c
>@@ -39,7 +39,7 @@
> #include "dbwrap/dbwrap.h"
> #include "dbwrap/dbwrap_open.h"
> #include "lib/util/util_tdb.h"
>-
>+#include "libds/common/roles.h"
>
> /**
> * Fill in credentials for the machine trust account, from the secrets database.
>@@ -276,6 +276,8 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account_db_ctx(struct cli_credenti
> char *secrets_tdb_password = NULL;
> char *secrets_tdb_old_password = NULL;
> uint32_t secrets_tdb_secure_channel_type = SEC_CHAN_NULL;
>+ int server_role = lpcfg_server_role(lp_ctx);
>+ int security = lpcfg_security(lp_ctx);
> char *keystr;
> char *keystr_upper = NULL;
> TALLOC_CTX *tmp_ctx = talloc_named(cred, 0, "cli_credentials_set_secrets from ldb");
>@@ -354,13 +356,26 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account_db_ctx(struct cli_credenti
> }
>
> if (secrets_tdb_password_more_recent) {
>+ enum credentials_use_kerberos use_kerberos = CRED_DONT_USE_KERBEROS;
> char *machine_account = talloc_asprintf(tmp_ctx, "%s$", lpcfg_netbios_name(lp_ctx));
> cli_credentials_set_password(cred, secrets_tdb_password, CRED_SPECIFIED);
> cli_credentials_set_old_password(cred, secrets_tdb_old_password, CRED_SPECIFIED);
> cli_credentials_set_domain(cred, domain, CRED_SPECIFIED);
> if (strequal(domain, lpcfg_workgroup(lp_ctx))) {
> cli_credentials_set_realm(cred, lpcfg_realm(lp_ctx), CRED_SPECIFIED);
>+
>+ switch (server_role) {
>+ case ROLE_DOMAIN_MEMBER:
>+ if (security != SEC_ADS) {
>+ break;
>+ }
>+ /* fall through */
>+ case ROLE_ACTIVE_DIRECTORY_DC:
>+ use_kerberos = CRED_AUTO_USE_KERBEROS;
>+ break;
>+ }
> }
>+ cli_credentials_set_kerberos_state(cred, use_kerberos);
> cli_credentials_set_username(cred, machine_account, CRED_SPECIFIED);
> cli_credentials_set_password_last_changed_time(cred, secrets_tdb_lct);
> cli_credentials_set_secure_channel_type(cred, secrets_tdb_secure_channel_type);
>--
>1.9.1
>
>
>From 3acbce483c5ecca7ddbac73a9f1c41244dfd953b Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Wed, 22 Feb 2017 19:18:04 +0100
>Subject: [PATCH 2/2] s3:winbindd: fix the valid usage anonymous smb
> authentication
>
>If we are in a situation where we don't have credentials to contact the
>remote domain or against an NT4 with the following settings:
>
> workgroup = NT4DOM
> security = domain
> require strong key = no
> client use spnego = no
> client ipc signing = auto
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=12587
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>(similar to commit c97a29bdfdc0020ec0113073580da56f2d35edc1)
>---
> source3/winbindd/winbindd_cm.c | 10 +++++-----
> 1 file changed, 5 insertions(+), 5 deletions(-)
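Review bot: The unconditional `cli_credentials_set_kerberos_state(cred, use_kerberos);` added after the `strequal()` block writes `CRED_DONT_USE_KERBEROS` for every case the switch does not match, including when `domain` differs from the workgroup, so Kerberos is switched off for the machine account there and any state set earlier on `cred` (not visible in this hunk) would be overwritten. That choice deserves a comment above the switch, for example `/* Kerberos is only attempted with an AD realm: AD DC, or domain member with security=ads */`, and a `default: break;` so the remaining server roles are visibly intentional. The subject line ("try to use kerberos ... unless we're in an AD domain") also reads as the opposite of what the switch does, which will mislead anyone searching the log for this authentication change. The function body starts and ends outside the hunk.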
>
>diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
>index 7b210a9..3bb2fb4 100644
>--- a/source3/winbindd/winbindd_cm.c
>+++ b/source3/winbindd/winbindd_cm.c
>@@ -1098,6 +1098,10 @@ static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain,
> }
> }
>
>+ if (cli_credentials_is_anonymous(creds)) {
>+ goto anon_fallback;
>+ }
>+
> krb5_state = cli_credentials_get_kerberos_state(creds);
>
> machine_krb5_principal = cli_credentials_get_principal(creds,
>@@ -1169,10 +1173,6 @@ static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain,
> || NT_STATUS_EQUAL(result, NT_STATUS_NO_LOGON_SERVERS)
> || NT_STATUS_EQUAL(result, NT_STATUS_LOGON_FAILURE))
> {
>- if (cli_credentials_is_anonymous(creds)) {
>- goto done;
>- }
>-
> if (!cm_is_ipc_credentials(creds)) {
> goto ipc_fallback;
> }
>@@ -1198,7 +1198,6 @@ static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain,
> }
>
> if (cli_credentials_is_anonymous(creds)) {
>- TALLOC_FREE(creds);
> goto anon_fallback;
> }
>
>@@ -1245,6 +1244,7 @@ static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain,
> goto done;
>
> anon_fallback:
>+ TALLOC_FREE(creds);
>
> if (smb_sign_client_connections == SMB_SIGNING_REQUIRED) {
> goto done;
>--
>1.9.1
>
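Review bot: With the early `goto anon_fallback;` added in the first hunk, the `SMB_SIGNING_REQUIRED` branch under `anon_fallback:` (last hunk) can now be reached before any session setup has been attempted, and it leaves through `goto done;` with whatever `result` holds at that point. The assignments to `result` are outside these hunks, so please confirm it cannot still carry a success status from the preceding step; if it can, set an explicit failure first, e.g. `result = NT_STATUS_LOGON_FAILURE;` before that `goto done;`, so a signing-required configuration never reports a usable connection that was not authenticated. A short comment at the early check, such as `/* anonymous creds: skip the kerberos/ntlmssp attempts and go straight to the anonymous session setup */`, would also help now that the label serves both the initial and the retry path. `cm_prepare_connection` starts and ends outside all four hunks.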
Flags:
slow
:
review+
metze
:
review?
(
gd
)